Whitman Fiddles as ebaY Burns
13 Mar 2007
Whilst Meg Whitman stood and played her fiddle at the
Visa Security Summit, confidence in ebaY's security continued
to burn to the ground. Adding fuel to the fire is Vladuz,
defeating every ebaY effort to keep him from posting as
an ebaY employee on ebaY's boards.
Meg Whitman blamed everyone but ebaY for the huge security
hole that has made ebaY the plaything of Chinese hijackers,
selling their counterfeit merchandise to the markets ebaY
attempted, and failed, to deny them. Meg Whitman blamed
Microsoft, Yahoo, the victims of the hijacks, Vladuz and
probably The Auction Guild, for the flaws that are no doubt
the fault of ebaY's bloated, patched, corrupt and insecure
coding. She thinks every other company but ebaY should
spend their dollars, hire personnel, fix their security,
and build tools for ebaY to use for free, so that ebaY
users can't get scammed and user confidence in ebaY stops
turning to ash. She does not mention, and definitely won't
implement, even the most basic things that ebaY could do
to assist themselves in curtailing their own problems (more
on this later). Meg Whitman does not want to spend a penny,
as that might adversely affect ebaY's ability to continually
fool potential ebaY stock buyers that ebaY is a good investment,
and a safe and fun place to sell and buy merchandise. There
should be no misconception. ebaY is not safe and secure,
has not been able to secure their own site, and potential
investors should not waste their money on ebaY stock, until
ebaY demonstrates the ability to secure the site.
ebaY keeps saying that Vladuz had a one time access to
an employee account that contained old screenshots, and
that ebaY shut his access down. Yet for the third time
since he was allegedly shut down, Vladuz again posted to
the ebaY Germany and US boards today, with an ebaY employee
account.
A search of the ID yielded the following screenshots,
showing the poster's profile and user ID history.
In and of itself, access to ebaY employee accounts is
possibly not important. But the fact that ebaY can't secure
even their own employee accounts is definitely indicative
of more serious security flaws. These other security flaws
are being demonstrated by Chinese counterfeiters listing
upwards of 3 million items each and every day on ebaY,
using fresh cherry picked accounts each time. The counterfeiters
are also receiving payment through PayPal, and TAG wonders
if ebaY continues to allow this, since this is the only
money ebaY is earning on the transactions. Since the listings
are on hijacked accounts, ebaY is not making anything in
listing or final value fees, but PayPal takes its cut before
the money is sent to the account holder.
Other indications of security flaws are the ability to
override ebaY's listing parameters. Scammers and counterfeiters
have been able to list items with titles longer than ebaY
allows, add information to running legitimate listings,
list items on NARU (no longer a registered user, i.e. closed
or suspended) accounts, list items on accounts that are
only set up for buying (buyer and seller accounts require
different financial information), access accounts without
having the password, and sell hundreds of
items on accounts that don't meet the criteria for use
of certain functions such as Buy It Now. In addition the
listings appear to index in search immediately, and long
before normal listings do. All these are indicators that
the scammers and counterfeiters have a level of access
and the ability to manipulate the ebaY system far beyond
what they would have if they had only hijacked a regular
user's account via a password stolen through phishing. ebaY
needs to explain how these things are happening, if all
the blame is to fall on ebaY users.
This is a screenshot of an active listing on a NARU account.
Unfortunately we did not get a screenshot of the seller's
list of 205 items on this NARU account.
There are things ebaY could do right now to cut way back
on these problems, without actually fixing their bloated,
patched, corrupt and insecure kludge coding. These would
only be stopgap measures until real fixes were put in place.
Of course to do this, they would have to hire personnel
and spend money, which at ebaY appears to be a crime of
the first order, and a thing they won't do until their hand
is forced.
1. Delete all accounts that have been inactive for a year.
That is DELETE, as in remove totally from the database,
not put into some accessible hole that the scammers can
access. If they don't want to just delete inactive accounts,
then send an email to the account holder asking the holder
to go through their normal links to confirm they still
want the account. Account holders should have to confirm
unused accounts annually.
2. Require every account to be funded, either by cash,
check or credit card. Even a minimal deposit of five or
ten dollars for each account registered would cut down
on the millions of superfluous accounts that are just sitting
around waiting for the scammers to use them. Delete every
account not funded (see 1. for what delete means). This would
also help cut down on some other problems, such as accounts
registered for deadbeat bidders to use to wreak havoc on
sellers they don't like, or just for the fun of it.
3. Require a secure password consisting of letters, numbers
and special characters. This is such a basic security feature
that it amazes TAG that ebaY does not require it.
4. Require that sellers of items that are normally counterfeited
be bonded. This is probably a good idea for all sellers
who habitually sell high ticket items, including ebaY Motors.
Reasonable limits could be set, so that anyone selling
over X dollars a month of these items must be bonded.
5. Eliminate 1-day listings, and possibly 3-day listings.
There is no reason for these to exist, and though Buy It
Now and store listings amount to the same thing, they at
least have some restrictions in place. Of course it appears
the scammers have the ability to subvert all restrictions,
but getting rid of all 1-day listings might filter some
of the garbage out.
It would behoove Meg Whitman to implement these stopgap
measures, expending her employees' energy on these measures
as opposed to deleting postings and threads about the problems,
suspending users who talk about the problems, lying about
the extent of the security hole, and adding sites that
publicize these issues, such as The Auction Guild and Falle-Internet.de,
to the blacklists on sites such as AOL, Yahoo and the phishreport.net
organization. And if ebaY actually plans to continue to
be a marketplace, they need to hire some programmers and
rebuild the entire program infrastructure from scratch,
so that holes such as those exploited by the Vladuzes of
the world are closed.
If you want to read more about these issues, and get the
latest as it happens, keep your eye on these sites:
ebaY Motors Sucks
FireMeg
Falle-Internet
Articles at:
http://redtape.msnbc.com/2007/03/how_far_has_vla.html
http://www.eweek.com/article2/0,1895,2100808,00.asp
http://www.eweek.com/slideshow/0,1206,a=202474,00.asp
Some information for this article came from:
http://news.zdnet.com/2100-1009_22-6165628.html?tag=nl.e550
and from several TAGnotes subscribers and information providers
who choose to remain anonymous, but whose efforts we
appreciate immensely.