Consumers visit eBay to bid on everything from abacuses to zithers.
Now it turns out that some site users are getting hijacked by scammers.
Some product listings have redirected eBay visitors to sites where criminals harvest their passwords. As a result, some users have been locked out of their own eBay accounts.
According to the BBC, legitimate sellers took to Twitter and other social media to complain that they were locked out of their virtual stores and losing sales.
Others said they had been charged for purchases they claimed they never made.
eBay removed some “for sale” posts that appeared to be part of the phishing scheme.
Hackers were apparently able to mislead eBay customers because eBay allows sellers to use Flash and JavaScript in their eBay listings.
In a so-called “cross-site scripting attack,” eBay visitors were sent to a spoof site that looked like the genuine eBay site. Visitors were then sent through a series of other sites and on to a page asking for their eBay log-on names and passwords.
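The root cause described above is that seller-supplied listing HTML was allowed to carry active content (Flash, JavaScript) capable of redirecting a visitor. The following is an added example, not code from the article or from eBay: a server-side policy check a marketplace could run on a listing before publishing it, flagging the active-content constructs and off-site URLs that make such a redirect possible. The host names and sample listings are constructed placeholders.

```javascript
// Added example (not eBay's code): flag active content in seller-supplied listing HTML.
// Regex-based scan for illustration; a production filter would parse the HTML and
// re-serialise it against an allowlist of passive tags and attributes.

const ACTIVE_CONTENT_RULES = [
  { name: 'script-tag',     re: /<script\b/i },
  { name: 'flash-object',   re: /<(object|embed)\b/i },                        // Flash carriers
  { name: 'inline-handler', re: /\son[a-z]+\s*=/i },                           // onload=, onerror=, ...
  { name: 'javascript-url', re: /(href|src|action)\s*=\s*["']?\s*javascript:/i },
  { name: 'meta-refresh',   re: /<meta\b[^>]*http-equiv\s*=\s*["']?refresh/i }, // HTML-only redirect
  { name: 'iframe',         re: /<iframe\b/i },
];

// Hosts the marketplace itself serves content from (constructed placeholders).
const TRUSTED_HOSTS = new Set(['ebay.example', 'img.ebay.example']);

// Collect every absolute URL in the listing and return those pointing off-site.
function offSiteUrls(html) {
  const urls = html.match(/https?:\/\/[^\s"'<>]+/gi) || [];
  return urls.filter((u) => {
    try { return !TRUSTED_HOSTS.has(new URL(u).hostname); } catch { return true; }
  });
}

// Return the list of policy violations; an empty list means the listing is passive HTML.
function checkListing(html) {
  const findings = ACTIVE_CONTENT_RULES.filter((r) => r.re.test(html)).map((r) => r.name);
  const external = offSiteUrls(html);
  if (external.length) findings.push(`off-site-url:${external.length}`);
  return findings;
}

// Constructed sample listings for demonstration.
const BENIGN = '<p>Vintage zither, good condition.</p><img src="https://img.ebay.example/z.jpg">';
const SCRIPTED = '<h1>Sale!</h1><script>location="https://login-ebay.example.net/"</script>';
const FLASH = '<object data="https://cdn.example.net/ad.swf"></object>';

console.log(checkListing(BENIGN));    // []
console.log(checkListing(SCRIPTED));  // [ 'script-tag', 'off-site-url:1' ]
console.log(checkListing(FLASH));     // [ 'flash-object', 'off-site-url:1' ]
```

A listing with any finding would be held for review rather than published; the off-site URL count alone is informational, since legitimate sellers do link to external image hosts.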
A legitimate eBay “PowerSeller” was apparently the first to detect the scam and alert eBay.
Earlier Attacks on eBay Data
Earlier this year, hackers stole private information from up to 233 million eBay users. The stolen data included names, passwords, physical and email addresses, birthdates, phone numbers, and other personal information.
StubHub, eBay’s event ticket reseller platform, was attacked by hackers this summer. In that case, hackers managed to break into 1,000 accounts and steal actual tickets, which they resold at a profit, reportedly earning more than $1 million.
In fact, this latest attack appears to be the 11th that eBay and its related companies have suffered in 2014.
eBay is being investigated by the UK information commissioner, the European data authorities, and at least three US states over this pattern of data breaches.
The company was criticized for being slow to tell users that their data had been compromised.
In another BBC story, Hugh Boyes from the Institution of Engineering and Technology questioned why eBay had so much personal information in the first place: “organisations should keep the minimum information necessary so why do eBay need to hold and store dates of birth and addresses?”
Good question.
Not only does data security need to be far better than the current pitiful “standard practice,” organizations need to stop collecting (or need to get rid of) personal information that benefits criminals far more than it serves any legitimate business purpose.
To learn more about what companies could be doing to protect customer data, please click here.