More than half a dozen eBay users last week alerted the online auction company to an identity theft and a series of fraudulent auctions allegedly stemming from Ukraine. However, the victims of the scam are accusing eBay of being slow to respond because of its 30-day waiting policy for accepting fraud complaints online.
Tim Bass, CEO of security consulting firm The Silk Road Group, and a longtime member of the Internet security community, first noticed that there was a problem after he won an auction for a Sony Picture Book, a combination laptop and digital camera. Bass's suspicions were raised after a good Samaritan online user in Germany notified him that the alleged seller claimed to live in Quebec, used a Russian e-mail account and requested that the funds be transferred via Western Union to the Ukraine.
Fortunately for Bass, he never sent the US$1,150 for the Sony system. However, he soon received e-mails from several other eBay users who claimed to have been the targets of the same individual.
Among them was Brian Murphy, an auction seller who discovered that his identity as a reliable seller on e-Bay had been stolen. Murphy and other victims of the scam believe that a Ukrainian cybercriminal, or criminals, stole Murphy's eBay account information and used it to run nine auctions worth thousands of dollars. Bass, Murphy and at least half a dozen other users have since contacted eBay but claim that the company has dragged its feet on the investigation. They have also notified the FBI.
"I contacted eBay immediately, but eBay has been slow and worthless [in] helping me," wrote Murphy on Sept. 29 in an e-mail to the other eBay users swindled in the scam. Murphy, who has a rating of "excellent" for reliability among eBay users, first notified the company of the theft of his account on Sept. 18. However, the auctions still started the next day, and "eBay paid no attention to this, despite my e-mails every day. They are impossible to reach other than slow, indirect e-mail."
Kevin Pursglove, a spokesman for San Jose-based eBay Inc., said the company will accept fraud complaints at any time through its Web site but that further investigation is initiated only when the investigation team finds that it is warranted. They're "handled on a first-come, first-service basis, and we get several thousand e-mails per week," he said.
As for the 30-day waiting policy, Pursglove said it only applies to insurance claims that are filed by users for items that are delivered damaged or not delivered at all.
However, in an e-mail response to one of the victims, eBay's Safe Harbor Investigation Team said the company was "very sorry" to hear about the situation. "If members do not protect their passwords, or use passwords that are easy to guess, this type of thing can happen," the eBay statement read. "Also note that the online fraud complaint does take 30 days to file, however the fraud complaint can be reported immediately for review."
As a remedy, eBay suggested that users contact their credit card companies, adding that they "should be able to dispute the charges."
"I immediately tried to contact eBay to submit a fraud report, but eBay forms said that we had to wait 30 days," said Bass. "We need to get eBay to change the fraud-reporting rules. Suspected frauds must be reportable immediately."
EBay's Safe Harbor division eventually responded to Murphy's calls for help, according to users familiar with the case. However, the company's solution was to issue him a new password and not to investigate the identity theft.
Other eBay users have already lost thousands of dollars as a result of the fraudulent auctions, suggesting that the criminals have been operating unchecked for some time.
Jerry Auerbach, a designer and wholesaler of teddy bear gifts, based in Tenafly, N.J., and Hong Kong, is a frequent eBay user. He paid $1,725 for a nonexistent IBM ThinkPad. Auerbach said in an e-mail that he agrees with other users that "eBay's fraud delay policy is wrong." Auerbach said he expects eBay to send him a refund for allowing the fraudulent activity to continue.
"Had eBay acted with care, these fraudulent auctions could have been monitored, permitting authorities to more easily capture the perpetrators, or eBay could have halted the auctions," Auerbach said in an e-mail. "It is clear to me that eBay's current fraud policy was designed to save costs, permitting thieves sufficient time to conduct multiple fraudulent auctions. The 30-day waiting period to notify eBay of fraud is wrong, and eBay's failure to post its phone number on its site to permit members to alert eBay of irregularities is yet another irresponsible cost-saving mistake."
EBay members rely on the company's published Sellers Rating Feedback Profile as a guide to gauge a seller's historical performance. Murphy's performance record was excellent. In addition, Murphy's profile also showed that he has never sold a computer on eBay.
"Most consumers would not notice this, but eBay would, had they looked," said Auerbach. "Murphy's eBay profile shows that he was a seller of sports collectibles with an average value of $30, not $1,500 computers.