How to secure your eBay account
This morning I received an email from eBay stating that my email address had been changed. I often get email from eBay, PayPal, and various banks stating things like this, along with requests to update my personal information, and even claims my identity has been stolen and I need to log in immediately. Most of these emails come with a convenient link that will take me to wherever I need to go, to do whatever the email wants me to do. Since I work in the computer industry, I am all too familiar with the phishing techniques used by crooks to trick you into giving them your ID, password, and personal information. My initial response to this email was that it was just another phishing email, and I just about deleted it. Fortunately I didn’t…
The email looked as follows:
Dear [[my eBay ID]],
Thank you for submitting your change of email address request. Instructions on completing the change have been sent to your new email address. Once the process is completed, your eBay-related email will no longer be routed to this email address.
If you did not make this change, check with family members and others who may have access to your account first. If you still feel that an unauthorized person has changed your email, get help here:
Change of email address request was made from:
IP Address: XX.XXX.XX.XXX
ISP Host: XX.XX.XX.XXX
This email caught my attention for three reasons:
- There is no link to eBay asking me for information or prompting me to do anything. The only link to eBay is to a help page.
- The email contains IP addresses. This of course could still indicate it’s a phishing email, but I’ve not seen phishing emails contain IP addresses like this before.
- The email says “Instructions on completing the change have been sent to your new email address”. I didn’t receive an email.
Suspicious, I logged into my eBay account just to check things out. When I logged in, eBay automatically took me to the “My eBay” page, and I noticed immediately that I had two Indy 500 tickets for sale! First off, I’m not an Indy car fan at all, and second, I certainly don’t have any Indy car tickets to sell. Hmmmm…
I then checked my personal information, and noticed my email had been changed. I immediately went over to my settings and changed my password. I next contacted eBay “live support” to report that someone had breached my account. Ten minutes later, the Indy tickets were removed from my account and my email address was back like it should be. Compliments to eBay, as it was a very smooth process, which made me realize this must occur fairly frequently. This became even more evident when I asked them if they were going to follow up on the “thief”, and they kindly told me no, that due to the large amount of reports they receive, they can’t possibly follow up on every request.
I researched the IP address that eBay stated changed my email address, and I contacted their Internet Service Provider’s abuse email to report the issue. Their initial response was less than hopeful. They told me to get a warrant issued from the international police (the ISP is in Canada). I replied expressing “my concerns” with their reply, and they are now being a little more helpful, although I doubt they will really do anything.
What baffles me is how this happened. My wife and I are the only ones that use my eBay account. Again, given I work in Information Technology (IT), I am very aware of phishing and have educated my wife as well. Furthermore, she rarely uses my eBay account. I use it fairly frequently to buy things, including supplies and equipment for my saltwater fish tank, but don’t recall even receiving any emails from eBay in the past few weeks.
I guess it’s possible my password could have just been cracked, but I’m even skeptical of that, as it’s a pretty secure password. I’m going to continue to review past emails and try to think through how this may have happened. I’ll let you know if I find anything out.
Tips from eBay on securing your account
Here are a few tips I learned today on how to secure your eBay account:
- Don’t use the same passwords for your personal mail account and your eBay account. Even better, don’t use the same passwords for any sites. To make this easier, use a password management program like MySecurityVault PRO.
- Be aware of “spoof” emails and websites that pretend to look like eBay, but aren’t. These sites try to trick you into logging in and/or providing personal information by looking exactly like the real eBay site. Don’t ever click on links from emails; always go straight to the site by navigating using a bookmark or by keying in the web address directly. eBay does have a technology called SecureGuard that runs inside of the eBay toolbar. The toolbar will warn you when you are on a spoof site. Always forward potential spoof emails or spoof websites to eBay’s spoof email, Google Calendar to remind yourself to do this.
- Install and run security software on your computer. This includes anti-virus software, spyware protection, and firewall software. Norton Internet Security 2008 is an excellent choice.
- Monitor your account for suspicious activity. Check your account information and preferences periodically to ensure they haven’t been modified. If you do see anything unusual, report it immediately.
- Consider a PayPal Security Key as an extra layer of security when logging onto eBay and/or PayPal. After the experience I had today, I ordered mine earlier this evening.
Have you ever had your eBay or PayPal account compromised? Have you ever received a spoof email? Share your story, add a comment.