When Deborah Fraser's credit card number was stolen, the thief didn't use it to buy a new car or a high-end laptop. Instead, the number was used to buy something potentially much more valuable - a domain name with the word 'ebay' in it.

In Fraser's case, that was the domain name 'change-ebay.com', a scam website where an unknown number of eBay users may have been tricked into handing over their eBay usernames and passwords.

"Somebody fraudulently used my credit card [on Thursday] to buy the domain name that ended in 'ebay'," said Fraser, a pharmacy technician in New York state, who until midday on Thursday was listed as the registrant and administrative contact for the domain. "It's very upsetting to think that someone had my credit card. I don't know if I'm ever going to go on eBay again because I don't know if it had anything to do with purchasing something there, or what."

While Fraser's credit card number could have been filched anywhere, the fact remains that con artists are using stolen numbers to set up a growing number of increasingly convincing scams intended to part eBay buyers and sellers from their usernames and passwords. Once a con artist has commandeered an account, the process of defrauding buyers while evading detection becomes that much easier.

These scam emails often tell recipients that someone has tampered with their account or that some unspecified fraud is suspected. The email then tells the recipient to click on a link leading to a site where visitors can enter or change their username and password.

Vexing the issue further is the fact that eBay is sending out its own share of legitimate appeals, urging some users whose accounts have been tampered with to change their passwords. Even savvy users have a hard time telling the difference between scam spam and the real deal.

"They are really getting sophisticated out there," said Ina Steiner, publisher of AuctionBytes.com, a website with a pair of auction-focused newsletters.
"People that I talk to are experienced internet and eBay users and they got fooled."

eBay and other web auction sites have long been happy hunting grounds for con artists of all types. Some web auction fraud mirrors the techniques of traditional auction cons, such as the 'shill bidding' method by which an auctioneer bids on his or her own auction to inflate the price. Other web auction fraud is more specific to the medium, such as the ability of sellers to vanish into the ether once payment is received. Since February, eBay has seen the identity theft variety flare.

Some of these bogus websites are easier to discern than others. Thousands of domain names with the word 'ebay' have been registered, and web-savvy scam artists can dress up a web address to look like it resolves to 'ebay.com'. Many of these bogus sites follow the 'change-ebay.com' pattern, springing up for a matter of hours or days after being registered with a stolen credit card - just for the purpose of snaring a few unsuspecting users' passwords before shutting down or getting unplugged by a domain name registrar or internet service provider, eBay representatives say.

eBay is hardly alone in grappling with username and password theft online. AOL Time Warner's AOL proprietary service for years has warned its users prominently that company representatives will never ask for an account password. eBay said it was tackling the problem in a similar way, educating users about what to look for in a potentially fraudulent eBay web address and urging caution before parting with sensitive data.

"To protect yourself, remember that eBay will never ask you for your private information, such as credit card information or your account password, in an email," eBay warned users in a recent email alert. "eBay will never send you any request or solicitation from a non-eBay email account or provide a link outside of eBay for entering credit card or other private information."
But critics say eBay needs to go further in its fraud prevention efforts, not only by cracking down on criminals and increasing education efforts but by changing the way it communicates its legitimate alerts.

"I was surprised that eBay linked to a website where people can update their information," said AuctionBytes.com's Steiner. "I don't think they should do that - they should tell people to go to the site on their own and log in. People really need to know that they should never click in a URL in an email from any vendor, that they should go to the site the way they always do and log on."

Scam artists are taking advantage of eBay's deadline-heavy pace in their schemes, knowing that an eBay user facing a ticking clock is less likely to think twice before handing over a username and password.

"One person was out of town and panicked when he got home and saw email saying his auctions wouldn't be kept live unless he made these changes," Steiner said. "So he went in and gave them all this personal information. If they catch you at the right time, you can be fooled."

Because eBay for the most part obscures its members' email addresses, questions have arisen about the methods scammers are using to target eBay users. Some eBay critics blame the recent rash of scams in part on the auction site for inadvertently displaying the email addresses of its users next to their high bids. But the company said the exposure, which happened on 13 November, probably played a minor part in the crime wave, which began in February.

Though eBay prohibited the use of an email address as a username 18 months ago, "a good number" of people who had such a username prior to that policy change were grandfathered in with the name. Another way the scammers target eBay users, according to the company, is by the sheer volume of easily available spam email lists.
When asked why eBay identity theft has become such a vogue this year, Pursglove speculated that the success of the company's general anti-fraud efforts was driving demand for the comparative safety of a stolen eBay identity.

But Pursglove acknowledged another, less cheerful explanation. Like winter colds and successful software marketing, the identity thievery may be viral.

"Perhaps the word's spreading around to the internet's darker corners," Pursglove said. "We've had a lot more of it the past four or five months than at the beginning of the year. The scam is out there."

Paul Festa writes for CNET News.com.
eBay and the ID thieves
Beware...