There’s a BBC article about eBay “facing up to online fraud”.

In an interview with Radio 5 Live, eBay would not reveal exactly how many accounts had been hijacked, although a company spokesman refused to deny that possibly tens of thousands had been compromised.

Link here.

eBay is appalling in its apparent lack of aggressiveness toward fraud.  Maybe they have a huge staff of security people, but I don’t see the results.  Basic antiphishing starts with having a massive amount of honeypots to get all the scams out there and then going after each site with a vengeance through the various channels and options available.  Perhaps we need some legislation to make it easier to get ISPs to shut a site down, but there are other ways as well to knock a site off the radar.  Get to the site before your grandma clicks on it.  Because that’s who is going to suffer.

I’ve gone to eBay’s security website numerous times to report obvious fraud, and it’s a painful experience, where you have to click through like some idiot through a bunch of options (compare that to PayPal, where you can simply forward an email to “spoof(at)paypal.com”). I’ve seen phishing sites still up far longer than they should be (max life for these sites shouldn’t be more than a few hours).

Back in October, I wrote about one bank that had a massive attack plan to go against phishers—and it was working

You have to hit phishing HARD.  I’m not talking about illegal DoS.  Phishing sites are lame little sites that should be easy to take down. 

I know it’s controversial, but I experimented with one phishing site using phishfighting.com and was able to take the phishing site down in about a day, just me. This site had been around for a while and was gone with a simple effort. (Before the comment storm: I know the arguments for and against phishfighting.com well.  Needless to say, only the most advanced users should play with this site.  I won’t go into the other arguments about philosophy, etc.  Frankly, we shouldn’t need to have a site like this, the banks and companies like eBay should take the phishing sites down with a vengeance, leaving people like me to spend time writing about other things).

We can’t wait until users get IE 7 with its built-in antiphishing tools or get yet another browser add-on that alerts you to bad sites.

Simple message: eBay, get it together. 

Alex Eckelberry