How to secure your eBay account

By glblguy


This morning I received an email from eBay stating that my email address had been changed. I often get email from eBay, Paypal, and various banks stating things like this, along with requests to update my personal information, and even claims my identity has been stolen and I need to log in immediately. Most of these emails come with a convenient link that will take me to wherever I need to go, to do whatever the email wants me to do. Since I work in the computer industry, I am all too familiar with the phishing techniques used by crooks to trick you into giving them your id, password, and personal information. My initial response to this email was that it was just another phishing email and I just about deleted it. Fortunately I didn’t…

The email looked as follows:

Dear [[my eBay ID]],

Thank you for submitting your change of email address request. Instructions on completing the change have been sent to your new email address. Once the process is completed, your eBay-related email will no longer be routed to this email address.

If you did not make this change, check with family members and others who may have access to your account first. If you still feel that an unauthorized person has changed your email, get help here:
http://pages.ebay.com/help/confidence/isgw-account-theft-reporting.html

Change of email address request was made from:
IP Address: XX.XXX.XX.XXX
ISP Host: XX.XX.XX.XXX

Thank you,
eBay

This email caught my attention for three reasons:

  1. There is no link to eBay asking me for information or prompting me to do anything. The only link to eBay is to a help page.
  2. The email contains IP addresses. This of course could still indicate it’s a phishing email, but I’ve not seen phishing emails contain IP addresses like this before.
  3. The email says “Instructions on completing the change have been sent to your new email address”. I didn’t receive an email.

Suspicious, I logged into my eBay account just to check things out. When I logged in, eBay automatically took me to the “My eBay” page and I noticed immediately that I had two Indy 500 tickets for sale! First off, I’m not an Indy car fan at all and second I certainly don’t have any Indy car tickets to sell. Hmmmm…

I then checked my personal information, and noticed my email had been changed. I immediately went over to my settings and changed my password. I next contacted eBay “live support” to report that someone had breached my account. Ten minutes later, the Indy tickets were removed from my account and my email address was back like it should be. Compliments to eBay, as it was a very smooth process, which made me realize this must occur fairly frequently. This became even more evident when I asked them if they were going to follow up on the “thief”, and they kindly told me no, that due to the large amount of reports they receive, they can’t possibly follow up on every request.

I researched the IP address that eBay stated changed my email address, and I contacted their Internet Service Provider’s abuse email to report the issue. Their initial response was less than hopeful. They told me to get a warrant issued from the international police (the ISP is in Canada). I replied expressing “my concerns” with their reply, and they are now being a little more helpful, although I doubt they will really do anything.

What baffles me is how this happened. My wife and I are the only ones that use my eBay account. Again, given I work in Information Technology (IT), I am very aware of phishing and have educated my wife as well. Furthermore, she rarely uses my eBay account. I use it fairly frequently to buy things, including supplies and equipment for my saltwater fish tank, but don’t recall even receiving any emails from eBay in the past few weeks.

I guess it’s possible my password could have just been cracked, but I’m even skeptical of that, as it’s a pretty secure password. I’m going to continue to review past emails and try to think through how this may have happened. I’ll let you know if I find anything out.

Tips from eBay on securing your account

Here are a few tips I learned today on how to secure your eBay account:

  • Don’t use the same passwords for your personal mail account and your eBay account. Even better, don’t use the same passwords for any sites. To make this easier, use a password management program like MySecurityVault PRO.
  • Be aware of “spoof” emails and websites that pretend to look like eBay, but aren’t. These sites try to trick you into logging in and/or providing personal information by looking exactly like the real eBay site. Don’t ever click on links from emails; always go straight to the site by navigating using a bookmark or by keying in the web address directly. eBay does have a technology called SecureGuard that runs inside of the eBay toolbar. The toolbar will warn you when you are on a spoof site. Always forward potential spoof emails or spoof websites to eBay’s spoof email, Google Calendar to remind yourself to do this.
  • Install and run security software on your computer. This includes anti-virus software, spyware protection, and firewall software. Norton Internet Security 2008 is an excellent choice.
  • Monitor your account for suspicious activity. Check your account information and preferences periodically to ensure they haven’t been modified. If you do see anything unusual, report it immediately.
  • Consider a Paypal Security Key as an extra layer of security when logging onto eBay and/or Paypal. After the experience I had today, I ordered mine earlier this evening.
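
The spoof-link tip above, sketched as an added example (not from the original post or from eBay): it pulls every link out of an email body and checks whether the host the browser would actually contact sits under a trusted domain. The trusted-domain list, the function names and every sample line except the eBay help link are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: the domains this reader treats as genuine.
TRUSTED_DOMAINS = ("ebay.com", "paypal.com")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def classify_link(url, trusted=TRUSTED_DOMAINS):
    """Return (verdict, host); verdict is 'trusted', 'lookalike' or 'other'."""
    try:
        # .hostname drops any "user@" prefix and the port, leaving the real host.
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:
        return "other", ""
    for domain in trusted:
        # Match the domain itself or a subdomain; the leading dot keeps
        # "notebay.com" from passing as "ebay.com".
        if host == domain or host.endswith("." + domain):
            return "trusted", host
    # The brand name shows up in the URL but the host is not the brand's.
    brands = [d.split(".")[0] for d in trusted]
    if any(b in url.lower() for b in brands):
        return "lookalike", host
    return "other", host


def scan_email(body):
    """Classify every http(s) link found in a plain-text email body."""
    results = []
    for match in URL_RE.findall(body):
        url = match.rstrip(".,;)")
        verdict, host = classify_link(url)
        results.append((verdict, host, url))
    return results


# Constructed sample: the first link is the help link quoted in the post,
# the rest are made-up lines using reserved example names and addresses.
SAMPLE_EMAIL = """\
Get help here: http://pages.ebay.com/help/confidence/isgw-account-theft-reporting.html
Verify now: http://signin.ebay.com.account-update.example/ws/login
Or here: http://signin.ebay.com@203.0.113.7/ws/login
Unsubscribe: https://news.example.org/unsubscribe
"""

if __name__ == "__main__":
    for verdict, host, url in scan_email(SAMPLE_EMAIL):
        print(f"{verdict:9} {host:40} {url}")
```

A "trusted" verdict only says where the link points; it does not prove the email itself came from that company, which is why going to the site via a bookmark remains the safer habit.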

Have you ever had your eBay or PayPal account compromised? Have you ever received a spoof email? Share your story, add a comment.


9 Responses (including trackbacks) to “How to secure your eBay account”

  1. CindyS Says:

    Scary stuff. I had my Yahoo account cracked when I was hosting with them. They were less than helpful, a lot less and I ended up having to switch hosts. I will have to check out MySecurityVaultPro as I have trouble remembering the passwords especially if I don’t log into the account daily. What a pain!

  2. Lynnae Says:

    I use Password Safe, which works pretty well for passwords too.

    What cracks me up is that I always get phishing emails sent to an email address that isn’t even affiliated with my ebay account. Not sure how that happened.

    Glad ebay was helpful.

  3. No Debt Plan Says:

    That sucks. I recently had this happen with my Gmail — and I have 1400 messages stored with them! Ack!

  4. Frugal Dad Says:

    I fell for a phishing expedition once and the perp changed my password, all my personal contact info, and listed a Hummer for sale from my account within a matter of minutes. Of course eBay delisted the Hummer and set things back to normal, but it was a good lesson in not clicking links from emails purportedly from eBay!

  5. Momma Says:

    Wes had his ebay account hijacked this week too, except that the culprit was buying things and having them shipped internationally to a 3rd world country. They bid on 180 items! He didn’t know until he started getting emails confirming the bids and wins. None of his payment information was stored in any account, so they were obviously paying with their own (likely stolen) credit cards. They’ve gotten it all cleared up, but with him working in Internet Security for as many years as he has, it still caught us by surprise. It wasn’t a phishing attack that helped them crack his account.

  6. "Mo" Money Says:

    I had a similar issue with my ebay account, someone was selling a product using my ebay name. When I get these emails, I forward them to [email protected]. Thanks for the great post.

  7. Laurie Says:

    Had the same thing happen to me 18 months ago (and I also am sure that it wasn’t from phishing – someone out there has figured out how to crack e-bay accounts). Only the person (somewhere in Asia) was supposedly selling expensive handbags.

    Interestingly, after Amazon fixed the problem, the same thing happened again about 6 hours later. Turned out that the person was STILL logged into the account when the E-bay rep was removing stuff, so they waited and then relisted the stuff and changed my password again.

    It was a total nightmare. The worst part? They only changed my pay to information, but not the e-mail so I had hordes of angry women e-mailing me for weeks about their handbags.

    Good luck!

  8. Make Friends, Earn Money Says:

    These are excellent pointers and I’m just so sorry that someone breached your account security. The internet is great but it does also have the drawback that it makes fraud more difficult to detect when it occurs. Last year someone used my credit card to make a $400 purchase. They had intercepted my details via a transaction I made on Amazon. But I got it refunded. It’s just so frustrating.

  9. peter Says:

    Hi, this happened to me 4 months ago.
    I got that email about password change.
    And I couldn’t log in cos they changed my eBay password.
    My friend checked my items for sale and I had hard drives, phones etc.
    I called eBay and they said there is nothing they can do because two people can confirm account details and they are confused and they won’t help me. Next day I called again, spoke with a different assistant and everything went back to normal.
    What I think: it is enough to know somebody’s name and address to mess it up. The hackers called eBay, gave them my details and they gave my account to hackers, probably same happened to you. Totally eBay’s fault. They are giving away accounts to anyone who has your basic details. I opened a spare eBay account and I change my passwords weekly. I hope that helps.
