How scammers run rings round eBay

[R.A. Hettinga]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

<http://www.theregister.co.uk/2004/11/16/petty_fraudsters_ebay/print.html>

The Register


 Biting the hand that feeds IT

The Register B; Internet and Law B; Wild Wild Web B;

 Original URL: http://www.theregister.co.uk/2004/11/16/petty_fraudsters_ebay/

How scammers run rings round eBay
By Ken Young (robin.lettice at theregister.co.uk)
Published Tuesday 16th November 2004 16:15 GMT

Everyone knows that buying and selling on eBay is precarious. Even eBay
admits this and gives basic advice on its site that it believes helps
eliminate most fraud.

But there appears to be a basic weakness in eBay's system that fraudsters
and petty thieves are exploiting. It occurs when buyers pay sellers direct
into the sellers' bank account by cheque or cash. The following is a real
example that occurred in September this year (names withheld for legal
reasons). Let's call the buyer Tom and the seller Harry.


Tom won the bid for a mobile phone and agreed to pay Harry (who lives 80
miles away from Tom) B#185 plus B#6 insurance using cash at a branch of
Harry's bank. A few days later a box arrived. It contained a battery
charger and an earplug, but no phone. Tom informed Harry who said that he
believed someone at the post office must have stolen the phone and that he
would look into it.

Days passed and Tom then asked Harry to claim on the insurance. Harry said
he had lost the insurance slip and would instead refund 50 per cent of the
B#185. A week passed and Tom called Harry to say no payment had been
received and that he was losing his patience and would report the matter to
eBay.

Harry made more excuses and stopped answering his mobile phone. Over the
next few weeks they spoke occasionally but Harry refused to send any money
and blamed Tom for his removal from eBay (subsequent to Tom informing eBay
of his loss). Tom contacted Harry's bank but the bank refused to provide
Harry's address. Tom only knows Harry's mobile phone number and Hotmail
email address.

In summary, Tom spent B#196 on a phone that never arrived and he is not
alone. As a result of basic research for this story we have been contacted
by five people who have experienced similar scams (their stories, in
emails, are copied below). The fact is it appears far too easy for this
scam to be perpetrated.

Pattern of fraud

The pattern is all too predictable. Buyers and sellers agree not to go
through the more secure PayPal system because it costs more to do so. So
buyers take the risk of sending the money to the seller who either doesn't
send the goods or sends shoddy or fake goods. The sellers protect
themselves against prosecution by claiming loss, or disputing the buyer's
version of events. The amounts involved - though not insignificant to the
buyer - are too small for eBay to want to take the matter further.

There is one other common factor in all these stories. Though the buyers
report the matter to eBay they are invariably frustrated at standard email
responses and being steered towards a mediation system which costs the
buyer B#15 and even then may or may not lead to resolution. Alternatively,
sellers can claim compensation through eBay and may get a maximum of B#105 -
if they claim between 30 and 90 days after the event and meet the criteria
for payment. In our example above Tom made a claim last month and is still
waiting.

A common refrain is: "Should I report this to the police? eBay are not
replying to my emails about this and I don't know if the police are aware
or not. What should I do?"

eBay declined an interview in relation to this story but instead issued a
statement:

"eBay takes the issue of fraud very seriously and investigates every case
of fraud reported to it. eBay currently has over 1,000 people worldwide
with backgrounds in law enforcement, customer support, advanced computer
engineering and analysis dedicated to making eBay one of the safest places
to trade online and, in the UK, employs an ex-Scotland Yard officer as
liaison point for law enforcement agencies.

"The majority of transactions on the eBay site are completely secure and
without incident. Approximately 0.01 per cent of transactions end in a
confirmed case of fraud."

This means that for every million transactions, 100 are 'confirmed'
fraudulent, though the criteria for this confirmation are not available.
Any security consultant will say that is an acceptable level of risk and
way below fraud levels on credit cards. Not surprisingly, eBay therefore
does not advise people specifically not to pay by cheque or cash payment
into a seller's bank account.

Top tips

On the eBay website its 'top tips' state that sellers should ideally use
secure payment systems like PayPal (which offers greater levels of
protection, though still limited if the seller has little or no track
record) and should NOT use money transfer services "like Western Union".

But aside from telling buyers to be wary it does not tell buyers NOT to
send cheques or pay directly into sellers' bank accounts (either by money
transfer or using cash at a bank branch). Clearly it believes that most
such transactions are safe and therefore if the buyer assesses the risk as
low, then why not?

Many eBay users may agree - it's 'caveat emptor' applied to the world of
online car boot sales. But when Steve Gold, a security consultant,
celebrity ex-hacker (he co-hacked the Duke of Edinburgh's Prestel mailbox),
and former accountant also gets hit by such a scam you begin to wonder how
the mass of eBay's users are avoiding getting stung and whether the 0.01
per cent figure is an accurate reflection of the amount fraud occurring.

Gold, an experienced eBay user, reports that he bought a hard drive for B#63
from a man who never sent the item. After weeks of the usual hassle he used
192.com to track the man down to confront him. The seller - somewhat
shocked to see his 'victim' - pleaded poverty and illness and apologized
profusely. Gold admitted defeat safe in the knowledge that at least he had
confronted his fraudster and learnt a useful - if painful - lesson.

Pants down

He now says he uses a mixture of web tools to check out sellers. He pays
192.com B#25 per 100 enquiries to get addresses from phone numbers; he uses
maporama.com to check out locations of sellers; and he admits he is more
cautious than ever.

"eBay is caught with its pants down," he says. "They are neglecting their
customers; they should make a shed load of information available to help
people to avoid this." Like others Gold says he hit a brick wall when he
tried to get other bodies involved: "I went to trading standards - they
weren't interested. I even compiled a dossier on the seller and sent it to
his local police force. Subsequently they told me they were aware of eBay
fraud but don't deal with it." Gold believes the level of fraud on eBay is
higher than the 0.01 per cent figure given: "But how can we tell? eBay
won't reveal the real figures so we have no way of knowing."

He has a point. Credit card fraud has been reduced over the years by
greater public awareness over the levels and types of fraud occurring. eBay
is relying on sellers to be 'careful' but the question for the regulatory
authorities remains: Is eBay doing enough to protect its users? Those who
lose out as a result of this type of scam certainly think not.

Clearly eBay cannot be held responsible for dishonesty among sellers but
perhaps it could do a lot more to warn people how easy it is for petty
criminals to exploit our desire for a bargain. Maybe it is time for an
independent body to track complaints against the system so that buyers can
get a better picture of the types and frequency of frauds occurring. B.

Below are a selection of emails from others defrauded via eBay. Names have
been omitted for legal reasons:

I was cheated out of B#200 when I tried to buy an ipod. I corresponded with
the seller, who seemed friendly until I sent my money and he clammed up. I
got emails from another apparent victim, who also was a bit shy of giving
out his contact details. I suspect the second person was the first in
disguise. Top cap it all, the seller gave a bank account for me to deposit
the money, which I did, but it turned out that his identity was totally
fake - in fact it was someone else's ID. So he had used a real ID (not his
own), to open not one but three accounts at Nationwide to use for fake eBay
transactions. I contacted the police but the trail went cold. I did manage
to get Nationwide to close the accounts down They said he had been taking
money out as soon as it hit the account. I tried to contact eBay with the
details, saying the guy wasn't returning my emails, they responded with an
email saying "why don't you try our arbitration service." I emailed them
asking how I could do that if the guy won't respond to me. They replied
saying they were sorry about that but maybe I should try their arbitration
service. I then asked how I could claim on their insurance policy to
reimburse defrauded customers, and they simply replied advising me to try
their arbitration service.

I bought a couple of Tiffany items - from different sellers - for my niece
last Christmas. One item was fine - the other was a fake. The girl who sold
it handled it perfectly. She was very chatty (by email) and was 'touched'
when I told her the thing was intended as a gift for my niece etc.....
Anyway, when my niece received the item, it was obviously a fake. We did
consult Tiffany, who confirmed that they hadn't ever manufactured a piece
in that style. I got back on to her and her response was something not so
far short of f off - but without the swear words. I was furious. I
contemplated forms of retribution. I did, however, go thru the Safe Harbour
system but with no success. I later made a claim from eBay but it was such
a long-winded process that i kind of forgot to finish it off. So I just
lost the money. From my experience I'd suggest eBay needs to sort out its
claims policy. It's such a hassle that it really is off-putting. I still
use eBay but without the same enthusiasm.

I have a reseller friend who was a victim of an eBay scam, and to add
insult to injury not only did they steal his card details on a non-existent
transaction, they sent him a brick through the post to rub salt into that
wound.


- --
- -----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

-----BEGIN PGP SIGNATURE-----
Version: 1308

iQA/AwUBQZttm8PxH8jf3ohaEQJupACffXM/FxKtkOvURxpHZ/rdHqcdT1UAoIb5
Xrp51MUU1m32O0RrnG/yCr65
=p97f
-----END PGP SIGNATURE-----