eBay to Hide ALL Bidder IDs


This should be interesting. Now no one will be able to see who they are bidding against. hm

 

 

***A Message From Matt Halprin – Protecting Bidders & Combating Online Fraud***

 

March 03, 2008 | 09:32AM PST/PT

 


Matt Halprin

 

Hello...This is Matt Halprin, eBay's Vice President in charge of Global Trust & Safety. As eBay continues to grow into a global online marketplace we are a natural target for online criminals. As you may know, fraud related to fake Second Chance Offers has been a significant challenge to the safety of our marketplace. Fraudsters send these authentic-looking, malicious emails to bidders on auction-style listings in an effort to convince them to send them funds. Unsuspecting bidders get fooled into thinking they are dealing with a legitimate seller, and agree to send funds (often by an unapproved method like Western Union, a major red flag that fraud is involved) in exchange for receiving an item like the one they had recently hoped to win.

 

Combating fraud by protecting our Community’s identities

In January 2007, the Safeguarding Member IDs project was launched on eBay.com for auction-style listings of $200 or greater to reduce the negative impact that these fraudsters have on the marketplace. Last August we also made enhancements to bring back more of the transparency to the bidding process, which our Community told us was important. These changes did not reduce bidding on auction listings above $200 and virtually eliminated fraudsters' attempts at this price level.

 

How Safeguarding Member IDs works

Bidder User IDs are "masked," so that scammers can't tell who is bidding on a listing and therefore cannot target them with official-looking spoof email. The masked User IDs consist of two random characters from the member's User ID – for example, a***b. This method of identifying a bidder (whose feedback score is also visible) gives legitimate members a sense of who is bidding, while protecting the bidders' identities. (Please note that sellers who are logged in can see all the actual User IDs for the bidders on their listings.)

 

I'd like to address a common question we hear - How do scammers get a bidder's email address? Unfortunately, a high percentage of eBay members have registered an email address that is very close or identical to their User ID. Fraudsters attempt to send emails to the bidders they are targeting by using the User ID, plus several of the most common domain names – i.e. userid@yahoo.com , userid@gmail.com, userid@hotmail.com, userid@aol.com. This combination yields a very high success rate for them. Subsequently, too many eBay bidders get fooled – and lose their money - as an unfortunate result.

 

The state of fake Second Chance Offers (or attempts by criminals to tempt you into a false transaction) today

For over a year, these masked User IDs have proven to be very successful on these higher-end listings. In fact, we saw the volume of fake Second Chance Offers for $200 or more drop significantly. We've also worked to educate members about the importance of unique email addresses, and we have aggressively targeted members who have risky User ID/email combinations to encourage them to change. Please note - If your User ID matches your email address, please protect yourself by changing your User ID so your user ID doesn't match your email address. Please also review our Password Tips.

 

While these efforts are important, we must do more to stop this type of fraud. Despite all our previous efforts, criminals have adjusted their methods and the overall problem persists. By increasing the volume of fake Offers that they send now to buyers of lower priced items, they hope they can make the same returns they'd been making on higher-end items.

 

Protecting buyers' identities as they bid on all auction-style listings

To protect the Community from this growing safety threat, we have made the decision to mask User IDs for bidders on all auction-style listings on eBay.com and Motors. This change will go into effect later this week. Even with all this history and need, we understand that masking User IDs on all auction-style listings is a significant change, and this is not a step we are taking lightly. However, in light of today's environment - and the damage fake email offers pose to our members and to overall buyer trust in the marketplace – it's imperative we act now to make this change.

 

I appreciate your support – working together, our efforts are helping keep the marketplace a safe place to buy and sell.

 

Sincerely,

 

Matt Halprin

Vice President, Global Trust & Safety

 

Link to comment
Share on other sites

I suppose it makes no sense at all to just eliminate the second chance offers, period? For their next performance, eBay will eliminate internet spam by eliminating PayPal passwords.

Link to comment
Share on other sites

EBAY is a target for online criminals so they mask the identity of buyers? I have mentioned this many times before but will mention it again. Ebay is only interested in doing things that cost little or no money.

 

They have been told time and time again that their weakest point is Automation. Automation would clear up most if not all their problems including detecting not only certain patterns of bidding but certain bidders.

 

EBAY does not want to spend the Money to correct its weakest and most important area and instead makes it worse by initiating various procedures which actually make it worse.

Link to comment
Share on other sites

I suppose it makes no sense at all to just eliminate the second chance offers, period?

Michael, I noted the sarcasm. However, eBay will not eliminate second chance offers. It is a quick hit money maker for them. There is more incentive for them to keep it than eliminate it!

 

For their next performance, eBay will eliminate internet spam by eliminating PayPal passwords.

Interestingly, if everyone ordered the Security Key, there would be no problems with passwords either on PayPal or eBay. The Security Key is a plastic device that fits on your key ring. Every 30 seconds it generates a number. When you log into either eBay or PayPal, you enter your password followed by the number of the Security Key. This way, your password always changes to something that is known between you and PayPal and eBay. Even if someone was to find out your password and the security key, they would have 30-seconds to use it. If you used it, before the crook does, then the number is invalid--the numbers can only be used once.

 

For us InfoSec geeks, we call it two-factor authentication meaning that there are two things necessary to login: something you know (your password) and something you have (the Security Key). Two-factor authentication is considered a strong defense mechanism. IMHO, it is worth the $5 for the Security Key.

 

I like seeing people's ID's. I really don't like the hidden ID thing. Will Ebay never learn that making people unhappy is bad for business?

I know a lot of people do, but I understand the risks. This is a good mitigation to those risks and I agree with the policy.

 

However, it is not fool-proof. If you click on the hidden user's feedback score then press on the "View Items For Sale" link on the right side of the upper score section, you can see whether the user has items for sale. If that user does, click on the item and you will see the user's name in the auction listing. This can be automated--I've discussed this with a friend who prototyped such a program--but I will not discuss that publicly, yet. A paper that describes the details of the hack and a mitigation is being written for a forthcoming technical conference. :cool:

 

Scott :hi:

Link to comment
Share on other sites

The more I read about eBay's new policies, the less interest I have in bothering with it at all. :(

 

I think they must have hired a consultant to come up with all this stuff. Perhaps the program could be called, "How to drive away ALL customers and go into the Yahoo auctions marketing Hall of Fame."

Link to comment
Share on other sites

I'm just waiting for the announcement that they will be hiding all seller IDs!

 

Do you (or anyone else) see a time when only registered e-bayers will be able to view auctions?

Access denied to the casual non-member just looking? (shrug)

Link to comment
Share on other sites

I think they must have hired a consultant to come up with all this stuff.
That wouldn't be all that surprising. Are they known to be working with anyone? Enron had a lot of help from consultants....
Link to comment
Share on other sites

Michael, I noted the sarcasm. However, eBay will not eliminate second chance offers. It is a quick hit money maker for them. There is more incentive for them to keep it than eliminate it!

Really? Does anyone actually use the second chance offers anymore? With all the fraud that was going on with it I was under the impression from all the sellers that were putting in their auctions that they do not do second chance that the program had pretty much fallen into disuse. Another reason I thought it had died out was because I don't get fake second chance offers anymore and haven't for quite some time. I used to get a lot of them and I assumed they stopped because no one was doing second chance anymore.

 

Interestingly, if everyone ordered the Security Key, there would be no problems with passwords either on PayPal or eBay. The Security Key is a plastic device that fits on your key ring. Every 30 seconds it generates a number. When you log into either eBay or PayPal, you enter your password followed by the number of the Security Key. This way, your password always changes to something that is known between you and PayPal and eBay. Even if someone was to find out your password and the security key, they would have 30-seconds to use it. If you used it, before the crook does, then the number is invalid--the numbers can only be used once.

Frankly I can't understand how this could possibly be secure. I can't see how paypal could know if the number you put in was generated by the security key or just some number you made up. Unless there is some way for Paypal to run the number through an algorithm to confirm that it came from the security key that was sent to you. And in that case it would seem that the number would be valid no matter when it was used (as long as it hasn't been used before) unless you could work in some kind of time index into the generation of the number as well (And then what happens if the clocks in the device and the Paypal clock get out of sync?)

 

And I would agree that this new policy will turn eBay into Shill City. It will make it even more imperative that any bidding be done by sniping.

Link to comment
Share on other sites

I agree...I don't think this is about second chance offers at all...I haven't gotten one in ages and never replied to them...

 

my speculation..and it is purely cynical speculation---is that this is an effort to abet the shill bidding, I mean..Ebay makes more money the higher an item sells for right?

Link to comment
Share on other sites

my speculation..and it is purely cynical speculation---is that this is an effort to abet the shill bidding, I mean..Ebay makes more money the higher an item sells for right?

Could be, in which case rather than fighting fraud, eBay has now joined the other side.

Link to comment
Share on other sites

Really? Does anyone actually use the second chance offers anymore? With all the fraud that was going on with it I was under the impression from all the sellers that were putting in their auctions that they do not do second chance that the program had pretty much fallen into disuse. Another reason I thought it had died out was because I don't get fake second chance offers anymore and haven't for quite some time. I used to get a lot of them and I assumed they stopped because no one was doing second chance anymore.

I still use the Second Chance offers. It's a fairly easy way to move some generic items at near the original selling price. Before eBay made the change to hide IDs above $200 I was having very poor results with 2nd chance. However, since this change, I've had much better results. I did (20) 2nd chances for auctions I had closing this past Sunday. (11) people accepted the Second Chance offers and another contacted me saying they wanted it, but waited too long and the offer expired. That's dramatically improved from the previous times.

 

While I dislike the idea of not knowing who I am bidding against, I do think it will help with 2nd chance offers.

 

 

Frankly I can't understand how this could possibly be secure. I can't see how paypal could know if the number you put in was generated by the security key or just some number you made up. Unless there is some way for Paypal to run the number through an algorithm to confirm that it came from the security key that was sent to you. And in that case it would seem that the number would be valid no matter when it was used (as long as it hasn't been used before) unless you could work in some kind of time index into the generation of the number as well (And then what happens if the clocks in the device and the Paypal clock get out of sync?)

I'm not exactly sure how it works, but they do seem to work and the number appears only valid for a very short period of time. I use these at work to get into systems which contain sensitive data and/or allow me to move money from people's accounts and they work just fine. I hit the button and get a number. I can hit it again and get a new number and the old number is no longer valid. Not sure how the system knows what numbers are valid.

 

Supposedly you can still access your eBay and PayPal accounts without these keys, but you need to answer some security questions.

Link to comment
Share on other sites

my speculation..and it is purely cynical speculation---is that this is an effort to abet the shill bidding, I mean..Ebay makes more money the higher an item sells for right?

Could be, in which case rather than fighting fraud, eBay has now joined the other side.

 

If eBay wanted to, they could easily "join the other side" by making shill bidding OK per their rules.

Link to comment
Share on other sites

I'm just waiting for the announcement that they will be hiding all seller IDs!

 

Do you (or anyone else) see a time when only registered e-bayers will be able to view auctions?

Access denied to the casual non-member just looking? (shrug)

 

If they do that, eBay will be an exclusive society ... built on a dung heap.

Link to comment
Share on other sites

I agree...I don't think this is about second chance offers at all...I haven't gotten one in ages and never replied to them...

 

my speculation..and it is purely cynical speculation---is that this is an effort to abet the shill bidding, I mean..Ebay makes more money the higher an item sells for right?

I don't think it's cynical, and had similar thoughts. If you as a bidder can't tell that an item's being shilled, there's nothing you can complain about, right? So eBay's brilliant solution could be to make it impossible for you to discern shill bidding.

 

I have no doubt whatsoever that shill bidding runs rampant all over eBay.

 

my speculation..and it is purely cynical speculation---is that this is an effort to abet the shill bidding, I mean..Ebay makes more money the higher an item sells for right?

Could be, in which case rather than fighting fraud, eBay has now joined the other side.

It should be noted that years ago, when I was first selling on eBay, eBay both permitted and recommended shill bidding. There was a time when you could bid on your own item, using your seller's ID!

Link to comment
Share on other sites

Michael, I noted the sarcasm. However, eBay will not eliminate second chance offers. It is a quick hit money maker for them. There is more incentive for them to keep it than eliminate it!

Really? Does anyone actually use the second chance offers anymore?

I recently received a second chance offer on an old postcard. I've been buying post cards that are related to my past and this was one I had not seen. I bought it without hesitation.

 

Interestingly, if everyone ordered the Security Key, there would be no problems with passwords either on PayPal or eBay. The Security Key is a plastic device that fits on your key ring. Every 30 seconds it generates a number. When you log into either eBay or PayPal, you enter your password followed by the number of the Security Key. This way, your password always changes to something that is known between you and PayPal and eBay. Even if someone was to find out your password and the security key, they would have 30-seconds to use it. If you used it, before the crook does, then the number is invalid--the numbers can only be used once.

Frankly I can't understand how this could possibly be secure. I can't see how paypal could know if the number you put in was generated by the security key or just some number you made up. Unless there is some way for Paypal to run the number through an algorithm to confirm that it came from the security key that was sent to you. And in that case it would seem that the number would be valid no matter when it was used (as long as it hasn't been used before) unless you could work in some kind of time index into the generation of the number as well (And then what happens if the clocks in the device and the Paypal clock get out of sync?)

Without getting into a technical description: while all of the Security Keys (SK) use the same algorithms (math) to generate the six digit number, each SK starts at a different place in the sequence. The number is predictable if you know the algorithm and the starting place. In order for PayPal to know which SK you have, you register the serial number of your device with PayPal. So when you register your SK, the appropriate information is noted in your online account record.

 

Once the SK is registered to your account, you can only login using the SK. When you enter your password, you will either append the 6-digit number displayed on the device to your password or you will be prompted to enter the number on a different page. Once PayPal receives the number, they look up your registered serial number and use the internal tables to calculate what should be on the readout. If that number does not match, it does not let you login. You cannot enter just any number, it has to be the one displaying on the SK. If you do not enter that number, you will not be allowed to login.

 

As you surmised, the number displayed is based on time. Every 30-seconds, the number is changed to the next one in the sequence. When you register your SK, the system knows the algorithm used, the initial starting point, and the clock sequence the device was programmed with. From that information, PayPal can calculate where your SK is in its sequence. And, as you also guessed, there is some danger of clock drift. The problem is not with PayPal[*] but the SK device--because it is battery powered, it is more susceptible to clock drift. The makers of the SK device (RSA Security) use the first digit of the device to tell the remote server the position of its internal clock. The PayPal server will make the calculation adjustment accordingly.

 

[*] PayPal syncs their system clocks with the atomic clock at the US National Observatory (see tycho.usno.navy.mil). This is required by the Payment Card Industry (PCI) security standards. And if PayPal wants to continue to process credit cards, they have to be compliant with PCI.

 

SK is an adaptation of well known technologies from RSA called SecurID (see their web site for more information). It is a proven, mature product that many companies and government agencies rely on for two-factor (strong) authentication. In addition to the SK, I also have two SecurID devices--one for my company's network and one provided by the government agency I do work for. SecurID has proven itself over the course of years. Attempts to crack SecurID have failed. It is considered a de facto mitigation to the risk of a password attack (stealing, social engineering, cracking, etc.). It works!

 

I signed up for the SK during its beta period. As long as it worked, I knew that using the device would make my account safer by providing a changing password. I am pleased with the SK and encourage others to pay the $5 to get one and register it with both PayPal and eBay!

 

Scott :hi:

Link to comment
Share on other sites

SK/SecurID is not foolproof either, Scott, as I'm sure you realize (for instance someone could steal your fob). It is a big leap ahead in security, however, as you point out, and something people particularly worried/paranoid should consider...Mike

 

p.s. I'm not so sure that SecurID hasn't been hacked - I seem to recall reading something about that... I'll see if I can dig it up.

Link to comment
Share on other sites

SK/SecurID is not foolproof either, Scott, as I'm sure you realize (for instance someone could steal your fob). It is a big leap ahead in security, however, as you point out, and something people particularly worried/paranoid should consider...Mike

 

p.s. I'm not so sure that SecurID hasn't been hacked - I seem to recall reading something about that... I'll see if I can dig it up.

I never said it was foolproof. I said it was an excellent solution.

 

I did not want to get that technical with this discussion, but as with anything dealing with the human aspects of security, whether it is your house keys, passwords, key cards, or the codes you use on cipher locks, they are subject to various forms of social engineering attacks. However, since my Security Key is on my keyring, I am more worried about an attacker stealing my car or entering my house than if they have my Security Key. I protect my keyring because of that and the Security Key gets the same protection.

 

As for the SecurID hack... it was another area I did not want to get into because the hack is very esoteric and requires an expert's knowledge--something that has been proven to be rare amongst identification thieves. The hack you may be talking about is the "man in the middle" attack where someone taps the line between the computer and the server and uses the information for themselves. The use of the information is called a replay attack. However, the man-in-the-middle attack is mitigated by using an encrypted (SSL) connection. Even if you are using Internet Explorer, which is vulnerable to attacks on SSL, the window for the successful SecurID attack is 60 seconds, which is technically impossible to accomplish. To mitigate the man-in-the-middle attack, you configure the server to use any key value once. So even if you do capture the number from the SecurID key during my login, my using it marks it as used and can never be used again.

 

BTW: The Security Key window is 90 seconds with the display available for 30 seconds. And the PayPal system is configured to mark the value used when received. IMHO, this does not add a significant additional risk and is a little more user friendly (I leave that as an exercise to the reader rather than get into the technical discussion).

 

When assessing risks and managing them, we know that no countermeasure can reduce all of the risks to zero--except for turning off the computer. We look to lower the risks to a manageable level. Using the Security Key lowers the risk to a manageable level. It is up to the user to protect themselves by not losing the SK fob. There is only so much we can do and the rest is up to the user--especially in an environment where control is difficult, like PayPal.

 

Regardless of the esoteric risks that may or may not exist with the use of the PayPal security key, it is better than just a password-based system and I will continue to recommend its use by anyone who cares to really protect their information.

 

Scott :hi:

Link to comment
Share on other sites
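The server-side check discussed in the posts above (a time-derived code, a 90-second acceptance window, clock-drift adjustment and single use) can be sketched as follows. This is an added example, not part of the thread and not PayPal's or RSA's code: it uses the open RFC 6238 TOTP algorithm as a stand-in for the fob's own algorithm, and the `TokenVerifier` class, its field names and the sample secret are assumptions.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds each code stays on the display
DIGITS = 6   # length of the displayed code
WINDOW = 1   # time steps accepted either side of "now": 3 x 30 s = 90 s

# Constructed sample secret (the published RFC 6238 test key), standing in
# for the per-device seed the server looks up from the registered serial.
SECRET = b"12345678901234567890"


def code_for_step(secret: bytes, step: int) -> str:
    """Code shown during time step `step` (HMAC-SHA1, RFC 4226 truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class TokenVerifier:
    """Per-account verifier state (hypothetical; names are assumptions)."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_step = -1   # highest time step already accepted
        self.drift = 0        # learned offset of the fob clock, in steps

    def verify(self, code: str, now: float) -> bool:
        # A made-up or malformed value never reaches the comparison.
        if not (code.isascii() and code.isdigit() and len(code) == DIGITS):
            return False
        expected = int(now) // STEP + self.drift
        # Try the expected step first, then one step behind and ahead.
        for delta in sorted(range(-WINDOW, WINDOW + 1), key=abs):
            step = expected + delta
            # Single use: a step at or before the last accepted one is
            # refused, so a captured code cannot be replayed. This also
            # skips negative steps, because last_step is never below -1.
            if step <= self.last_step:
                continue
            if hmac.compare_digest(code_for_step(self.secret, step), code):
                self.last_step = step
                self.drift += delta   # follow a fob that runs slow or fast
                return True
        return False


if __name__ == "__main__":
    v = TokenVerifier(SECRET)
    code = code_for_step(SECRET, 59 // STEP)
    print("first use :", v.verify(code, 59))
    print("replay    :", v.verify(code, 59))
    print("guess     :", v.verify("123456", 59))
```

Because the code is derived from a secret only the fob and the server hold, a guessed number fails, and because the accepted step is recorded, the same number fails on second use even inside the 90-second window.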

The batteries are supposed to last for 5 years.

 

You can still get into your account without it by answering security questions.

Link to comment
Share on other sites

Like Greg said, the batteries last at least 5 years. I have an old SecurID that is 2 years expired and still has a display (although the display says "expired"). These are very low power devices.

 

If something happens to your Security Key, you will click a link and Paypal will call the telephone number you have on record to give you instructions how to login without the security key. Once you login, you can disassociate the Security Key with your account.

 

Scott :hi:

Link to comment
Share on other sites

So now when you look at the bidders list of an item you are watching or bidding on, this is what you get!

 

Bidder        Bid Amount   Bid Time
****g( 3 )    US $34.00    Mar-08-08 12:00:04 PST
o***e( 84)    US $33.00    Mar-05-08 06:49:16 PST
****g( 3 )    US $32.00    Mar-08-08 11:59:48 PST
e***n( 69)    US $29.09    Mar-06-08 14:24:33 PST
r***6( 230)   US $9.99     Mar-06-08 11:51:45 PST

 

And when you click on the bidders name!

 

 

Bidder Information

Bidder: ****g( 3 )

Feedback: 100%Positive

Item description: SCARCE! 1878CC CARSON CITY MORGAN SILVER DOLLAR COIN

Bids on this item: 2

 

Now no one will even be able to contact a buyer if they are buying a counterfeit or altered coin, or some other kind of trash.

 

Link to comment
Share on other sites