Re: Identity theft scam against eBay users

From: Patrick Bryant <pi(at)pbryant.com>
Date: Tue Feb 11 2003 - 13:56:24 EST

('binary' encoding is not supported, stored as-is)
In-Reply-To: <0HA400DDKNXSHX@smtp2.clear.net.nz>

Hello Nick,

Federal law enforcement was notified by my firm yesterday, and provided with all of the information I have on the incident.

I presume eBay's position will be that they are victims as well, which is understandable, and that they have no obligation to do anything (which may be true in a strictly legal sense). My personal opinion however is that this problem was exacerbated by eBay's past practice of sending out similar looking e-mails requesting users to connect to their site to update personal information. In my opinion, that practice is naive, and sets eBay users up for a scam such as has just occurred. A better practice would have been to simply prompt registered users to update their information whenever they (manually) initiated a new connection to the eBay web site -- rather than send out preemptive emails that gradually make users complacent about the email's authenticity and that have the potential to be spoofed. While I'm not casting blame at eBay, hopefully they will reconsider their own practice of prompting users to update their account information via email.

I concur with your recommeded steps to shut down the site. The site that really needs to be shut down is the redirector.

>Whilst it might be "nice" of you to inform eBay (I'm sure they see

---

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com Received on Tue Feb 11 14:29:00 2003