Weak eBay Security

Hi,

Just wanted to share how my identity information was used in attempts to gain access to my bank accounts and what role eBay security played here.

Someone broke into my house and took my passport along with other things.

About a week later I received a very strange SMS from my bank asking me to come to their branch. They said that someone called and tried to get details about my account but they couldn't. As part of the security process the bank asked them a number of questions and they answered most of them correctly, except my phone number. The bank then asked them to provide info about recent transactions on the account. The thieves then provided some transaction info which didn't match what my bank account had, which is good. But what struck me the most is that these were valid transactions from my other bank account. The person I spoke with at the bank recommended checking my eBay and PayPal accounts. I tried to log in to my eBay account straight away and couldn't. Wrong password.

Essentially what happened is that thieves called eBay and managed to get my user ID and reset my password over the phone. They then tried to use recent transactions from my eBay account as part of the authorisation process for the bank. I called eBay as soon as I realised what had happened and changed my password. I use a password manager and very strong passwords on all my online accounts. I haven't received any email message or SMS saying that there was a password reset on my eBay account. The only place where this was mentioned is eBay's internal messaging system. Later I called eBay again trying to investigate HOW they managed to reset my password without having access to my phone and email address. I didn't get enough details from them. All they said was that someone called and requested a password reset and successfully went through the security check. They said the only way they were able to reset my password is if they had access to my email account. I have pretty high confidence that no one was able to access my email account. I have a very strong password, 2 factor authentication and I didn't see any suspicious activity in my emails. For sure they would exploit access to my email if they had it.

Key takeaways:

Hide and protect your identity information and documents as much as possible.

Don't rely on a false sense of security when you use strong passwords and two factor authentication. Anyone with enough info about you can port your number and have access to your account.

Check your eBay account and make sure you have max security enabled such as security questions and 2FA. I stopped using eBay completely and am considering not using it anymore. I believe they have very bad security checks.

Stay safe people!

Comments

  • -1

    I believe they have very bad security checks.

    This is from someone that left a primary ID unsecured enough for someone to steal. The thieves then managed to answer almost every challenge question.

    • +1

      My ID was inside a filing cabinet in a locked house at the time they broke in. I learned my lesson and it is now in a more secure location. But you never know... you can lose your wallet with your driver's license in it and it could be enough for someone to break into most of your online accounts and more. I just didn't realise how easy it is to do it in Australia.

      I guess my main point is not about how bad eBay security is but more about sharing my experience.

      • The amount of information given out during a home loan application is crazy as well, especially if dealing with a 3rd party broker.

        I get asked for things like mother's maiden name, digital photo, electronic signature … everything on me is out there stored in a system that can be accessed by someone else.

        I still regret not going for a local big 4 branch, which requires much less docs.

  • +1

    If that is an accurate account, eBay's security protocols over the phone are appalling.

    • +1

      That's what social engineering is for.
      Pretend to be "You" and if the operator is not vigilant, they could provide your details.
      Worst case is when you lose your wallet, full of information.
      Another one is photocopies of your ID lying around that aren't secure (like in an office).

  • Sorry to hear.

    With all the past dealings with eBay that I have had in regards to changing details etc. it has always been confirmed through email. I don't even think eBay can just change your password themselves over the phone, they would have to send a link to the email address on file and you would then click the link etc.

    I would call up eBay, ask to speak to a supervisor and get the logs of the conversation and procedures that took place. They should be able to provide these. Make sure you get a supervisor though as a lot of the time the general help staff don't have access or the power to access this.

    Hopefully you can find out how this was achieved and if it was a flaw in their phone support make it known to them (and everyone else).

  • While eBay got social-engineered, physical access is basically the holy grail for black hats, so really the moment your identity documents were physically stolen, I would've started locking down everything from eBay to PayPal to obviously all my bank accounts. Also might be a good idea to look into freezing your credit for a few months at least, because your ID docs may well let whoever stole them apply for credit in your name.
