ebaY on Vladuz Deny & Lie
23 Feb 2007
TAG has been deeply concerned over the completely open ebaY back end, which has allowed the hackers and the counterfeiters complete access to unlimited ebaY accounts and listings. All ebaY has done, so far as we can tell, is to disappear threads on their site discussing the subject, and attempt to intimidate and threaten websites that have recorded the incidents and provided access to this information to the public.
On the first of February, TAG wrote to Rob Chesnut, Senior Vice President of
Trust and Safety at ebaY, in a futile attempt to get some reassurance that ebaY
was actually doing something to close this hole. We referenced the articles on
the TAG website we have written on this subject and asked what we consider the
most basic question:
If as ebaY claims, the Vladuz back door program does not exist, then HOW are
the Chinese counterfeit sellers hijacking thousands of accounts and using those
accounts to sell their merchandise and get their payment through PayPal, all
without needing passwords on those accounts?
Unfortunately Rob did not see his way clear to respond - on or off the record
- and instead shunted the email off to a new and inexperienced ebaY PR person.
We can just imagine how the folks at ebaY were probably laughing into their coffee
cups about sticking this ingénue with responding to big bad TAG.
The email we received said:
I have to say we were rather disappointed that you didn't try and contact us
prior to writing the piece as when we read your article we have noticed it contains
many inaccuracies.
We can hopefully address your 'concerns about the Vladuz problem' with the facts
below. Once you've had a look at these, it would be great if we can chat about
whether you will amend your current article.
- Some messages were published on a community board on the eBay.de (Germany)
web site by a person who gained access to a small number of employee email accounts.
- Our corporate email system operates on an entirely separate database and server
system than those that store customer information.
- At no point did he have access to our corporate networks, tools, financial
databases, or desktops, and at no point was any user information exposed.
There is no way of gaining access to our internal networks without a SecurID
token issued by IT.
- By policy, our Customer Support Reps cannot store or include any personal data
of any user in their email account.
- We take these incidents very seriously, and we are working closely with US
and International authorities to investigate it further.
We responded with:
Are you just a PR person or do you actually understand how ebaY works? I have
been intimately acquainted with the ebaY system since 1997 and been writing about
it since 1999. How long have you been with them?
Since ebaY usually refuses to talk to me, I rarely contact them in the first
place. On the very rare occasions I have talked to someone at ebaY on the record,
all I have gotten is information that is less than the truth, definitely less
than the whole truth, and usually just corprospeak babble. ebaY lies so frequently,
it is hard to tell the rare time they might actually be speaking the truth.
This is simple – give me a realistic explanation of how the Chinese hackers
have unlimited access to US ebaY accounts so that they can cherry pick the ones
they want, in alphabetical order, with specific profiles, without the need for
passwords, with the ability to redirect PayPal payments to themselves, with the
ability to change information within actively running legitimate listings, and
I MIGHT believe what you have to say about there being no access to your corporate
networks, tools, financial database or desktops.
How much of this information is available because of the tools Vladuz is selling,
remains to be seen, but the research I have done does point to Chinese hackers
being aware of the Vladuz tools. One could theorize that they have used his tools
and improved on them, so that they now have their unlimited access to ebaY user
accounts.
Now admittedly, this is not exactly friendly or diplomatic, but it was bluntly
honest, our normal mode of communication.
ebaY's Public Relations response was:
I must say that I was quite surprised by your response to us. As a new member
to the eBay PR team, I was in good faith trying to reach out and build a new
relationship with you, because we as a team were hoping to engage with you in
the same manner we do with all other journalists and bloggers. We wanted to create
a successful working relationship based on honesty, trust and mutual respect.
But, it's obvious from the tone of your email below that you do not wish to start
a productive and positive working relationship with us, which is a shame.
I have already provided you with the facts for the story you have already published.
As I mentioned before, we would expect you to amend your story to reflect the
accurate facts, however, I shall leave that to your own judgment about what is
most valuable for your readers to know.
Given your apparent disinterest in helping your readers by developing a productive
relationship with us that is based on the qualities we value, we have decided
it would not benefit any of us to continue the effort with future responses to
any of your inquiries.
We tried again and responded with:
In the past I have tried friendly discourse with ebaY, and have received no valid
answers to my questions. In the past I have been aggressive and have received
no valid answers to my questions. My approach has made no difference in getting
valid answers out of ebaY. There is also a history of ebaY acting in a bad faith
way against me – so there is a good reason why my attitude is not one based
on mutual respect.
I would be happy to open a new channel and start fresh with you, if you would
give me valid answers to my valid questions.
In my email to Rob I did not ask about Vladuz hijacking pink accounts to play
games on the German boards. This is a non-issue as far as I am concerned, except
that it demonstrates additional vulnerabilities. What I did ask about was the
FACT that Chinese hackers have unlimited access to US ebaY accounts so that they
can cherry pick the ones they want, in alphabetical order, with specific profiles,
without the need for passwords, with the ability to redirect PayPal payments
to themselves, and with the ability to change information within actively running
legitimate listings.
This is happening every day and I have records of dozens of screenshots of this
activity on ebaY. Can you please address this very important issue?
At present, all the facts I have do not in any way agree with the things you
say are facts. The evidence is to the contrary. There is no evidence, for instance,
that even though ebaY might end listings on these hijacked accounts, they have
any way to prevent the items from being listed again, or can in any way limit
the 1 to 2 million or so listings a day being posted by these Chinese hijackers.
It would be wonderful if ebaY were to turn over a new leaf and develop a relationship
with their community that was based on honesty, truth and mutual respect. As
the person who has been writing about ebaY the longest, with a firmly established
position in the industry as being forthright, trustworthy, and ethical, if you
could actually develop a rapport with me, where honesty and openness ruled, it
would be a great accomplishment indeed. This would reflect well on you, and on
ebaY, and I challenge you to change the current climate between TAG and ebaY,
and in turn with the entire industry.
Needless to say, the ebaY PR wonk did not respond. We were amused by the phrase
that said, "I have already provided you with the facts for the story you have
already published. As I mentioned before, we would expect you to amend your story
to reflect the accurate facts."
Of course ebaY did not in any way discuss the issue of the nearly 2 million listings
daily on hijacked accounts, listings that are relisted as fast as ebaY can
remove them, sometimes 3 or 4 times a day. This image is a pictorial view of
what is happening on ebaY every day.
They did not discuss the ongoing fake second chance offers that continue to be sent to bidders on high priced items, despite ebaY's now hiding the bidder IDs. ebaY did not discuss that Vladuz has posted on several ebaY chat boards using ebaY employee IDs or creating his/her own ebaY employee IDs, such as his latest posting on the ebaY DE board.
In fact all ebaY has done is deny and lie.
They say Vladuz "...gained access to a small number of employee email accounts" when it is obvious that Vladuz can access whatever ebaY employee accounts, whenever he/she wants, on whichever ebaY site he/she chooses. They say "...no one can access an ebaY account without a password" though we have proved this is not true. ebaY says "...the hijacked accounts are due to people responding to phishing email", though we have proved this also is not always true, and cannot be true where hundreds of accounts are cherry picked, in alphabetical order, and new accounts are used day after day. ebaY denies that anyone has access to their back end, and refuses to acknowledge or provide a single answer as to how the counterfeiters are using these hundreds of hand picked hijacked accounts to sell millions of counterfeit items, and get paid via PayPal through ebaY. TAG is convinced that if ebaY could fix this open back end problem, they would have already done so. The only logical conclusion is that they can't.
Surely it is time for ebaY to come clean on this, and reassure those who use ebaY that they know about the problems and are working on fixing them. They should set up a special team to monitor their own site to prevent these listings from even indexing on the site. As we said in our final email to that ebaY PR person, "It would be wonderful if ebaY were to turn over a new leaf and develop a relationship with their community that was based on honesty, truth and mutual respect."
Don't worry; we are not holding our breath whilst waiting for this change.