I recently got an email notifying me that I had won an auction on some cookie cutters. WTF, over? I've made no bids on anything on EBay for many months.
Shortly thereafter I got an email "invoice" from the seller.
I notified both seller and EBay that I had not bid on the item and did not want it. I initially suspected the seller, but upon visit to EBay it did look like I'd bid and the seller has plenty of positive feedback.
EBay stonewalled me. My inquiry was first met with all the ways it could be my bad: other members of my household, using a public computer at school, library or internet cafe, yada yada. Yeah, OK, I told them none of the above applied. Their response to that was much of the same canned stuff from the first response.
Meanwhile, the seller accepted the notion that I'd been hacked and said forget it, he'd repost, suggested that I cancel my account and open a new one. I posted positive feedback for him on EBay for being an honorable gentleman and A1 EBay citizen.
Hokay, that matter parked with honor and civility among gentlemen, back to EBay. They'd told me twice to vet my household and change my password. I told them that my household is provably secure, skipping details since they demonstrably don't read or believe my responses. There are only the two of us. Mary has held credentials and clearances the pencilneck dweebs at Ebay never heard of. Her trustworthyness is a matter of federal record after thorough vetting by the FBI and Lord knows what other agency checks. Ditto me.
Cancelling the account would too easily let EBay off the hook they're trying so hard to avoid with fancy dancing.
In my last response, I told them that I'd changed my password to one produced by one of the several encryption algorithms generally recognized as robust, nevermind which one. Mean time to crack by hack at 100 tries per second would be many millions of years -- nevermind how many millions as a clue to sequence length other than it is ten or less.
Any random password of given length would meet this test; it was just easiest to generate it using an encryption algorithm since I had one handy. Random is random, however done. I can blow smoke too.
I mentioned that if my identity is hacked again it would be clear evidence that an insider at EBay is responsible. I cc'd the MN Attorney General's office on that post.
I've received no smoke-o-grams from EBay in response to my last, not even a roger. Go figure....
BTW, PayPal is a subsidiary of EBay. PayPal demands personal financial info they shouldn't need to do what they purport to do. Pick yer pony, take yer ride.
I use Firefox for my browser, and a couple days ago, I got a little pop up window that a web site I had stumbled across had downloaded a Javascript virus that was scanning my system for passwords. I don't know if it was successful, but I went out & changed the few important passwords I had saved. Several virus scans later, there is no sign of it, so I don't know if it ran successfully and erased itself, or was blocked by my software. The pop-up window didn't have another program name associated with it, so I assume it was Firefox & not my virus software or my firewall that spotted it. For all I know, it was looking for IE & Outlook files & got nowhere.
I don't know if this could be what happended to you, but I thought I would mention it. The 'Net is getting to be an increasingly nasty place to wander around. In the future, I'm no longer going to allow my browser to store any critical passwords. I already make it a policy not to let any merchant save my credit card info.
Speaking of Ebay, apparently a scam on sellers is happening (aps if this is old news). Someone bids way over the price wanted and sends a cheque/check for it. They want you to use a certain shipper to ship the goods to them ASAP. Apparently includes emails & phone calls from both (purchaser and shipping agent) wanting you to get your act together.
You have to watch your butt on eBay transactions - I recently bid on a hot water pressure washer, and didn't meet the reserve (which was over $2000). Then I got an email saying that the seller decided to sell it to me at my highest bid. I sent them my phone number so we could discuss picking it up. They kept emailing me back wanting a western union money order payment. I told them I'd bring the funds with me when I picked it up as it was within driving distance. They still wanted the advance payment. I finally realized it was a total scam - these weren't the sellers of the pressure washer - just some scammers looking for unsold eBay items and contacting bidders. I never would have sent the cash, but I'm pissed at myself for supplying my phone number.
And I might note that you don't always get "total protection" by delaying delivery of the goods for ten days or so after you've deposited the check. If it's a fraudulent check written against a real account with adequate funds in it, it can take a month or more before the checking account holder realizes that their account has been debited for a check they never wrote or signed and starts complaining to their bank about it.
When that check eventually bounces its way back to your bank they'll probably debit your account for it and leave you having to fight them over it. In most states the laws basically come down to "Bank wins, you lose".
I do use PayPal for eBay purchases, but I opened up a separate savings account in a small local bank I drive by every day, one in which we have no other accounts. I can easily zip by the drive up window and plop some funds into it when I want to pay for something through PayPal, but there's never more than a couple of hundred bucks in it, limiting my exposure if my PayPal account is hacked. I picked a "different" bank 'cause I heard that some banks will try and grab funds from any of several accounts you may have with them under the same tax ID number if any one of those accounts gets in trouble.
If it's any consolation Don, I had my identity swiped about four years ago by some young swine in New York who went around opening up "instant" charge accounts in several New York City department stores during the Xmas holiday season. That's the time of year when stores have folks at desks at their entrances trying to get you to open an account with them so they can get your business before some other store does.
Since my identity and social security number had to be given to G-d knows how many banks and brokerage firms over the past few years, it's no big suprise that someone in one of their back rooms had ample opportunity to sell that data for pennies a pound to those grisly guys who do that wicked work.
It wasn't 'till April of the following year that I got a call from Macy's credit department asking me why I hadn't paid my bill for a couple of grand for three months. The perp had used our real (Boston) address as his "previous address" and gave Macy's the address of a bagel shop in Brooklyn as his current one. That "previous address" is how Macy's eventually tracked me down. I told Macy's our account with them was current, as it had been for over 25 years, and I feared they'd been scammed They were about as helpful to me about it as eBay was to Don.
I told them I couldn't do anything about the problem until they sent me copies of the original credit application and also the charge slips for the jewelry purchased from them the day after the account was opened. Why they were silly enough to do that I don't know, but when they arrived, I had a good laugh. On the credit application the perp had clearly misspelled my last name and also the name of the street we live on and then corrected those errors by writing over them. He also listed his age as about 45 years younger than mine, to match his appearance. (Don't I wish that was true.)
To make a short story longer and more boring, I pulled fresh credit reports from the three main bureaus and spotted several more chain store accounts we knew nothing about; all reported as being in arrears.
I got most everything calmed down with just a few well written letters, save for Macy's, whose credit people must have all been injected with some serum which turns them into total idiots. I finally got them to give up only after they had me get certified copies of our utility bills for the previous two years to "prove" we lived in Boston, not Brooklyn. All in all, I spent more time getting Macy's off my back than the other stores (and New York Bell too, the perps had also gotten a phone in my name at a Brooklyn address and run up one hell of a long distance bill before they bailed out of the place.)
The story had a funny ending though. SWMBO was reading some ladies' magazine and came across an article on identity fraud. She said, "Come read this!" There was a bit in it about a woman in New York who got so pissed at Macy's for letting someone open an account in her name that she sued them for the time and trouble it caused her.
I couldn't resist that temptation, so I sent Macy's credit department a bill for $500 for four hours of my preemptive time spent straightening out something that never should have happened if they'd taken a modicum of caution; listing as what they'd missed:
I'm the only person named Jeff Wisnia in the USA and already HAD an account with Macy's which had been active for over 25 years, (Thanks mainly to SWMBO's frequent retail therapy sessions.)
2, The perp couldn't even spell my name correctly when he filled out his credit application, and then corrected the mistake by writing over it.
My DOB is known to the credit bureaus, the perp's listed DOB was off by more than 40 years.
Not unexpectedly, they didn't bother to respond to that letter or pay my bill, so I dropped a small claims suit in against their Massachusetts' regional office. That got almost immediate results in the form of a phone call from their local counsel. In less than three minutes we'd become friends, had a laugh over it, and settled the matter for a credit of $250 to our "real" Macy's account, which was placed there two days later. Ha!
Or, as good as avoiding social engineering/phishing schemes that _look like_ they come from one place but don't. Many people use the same password for everything. Don doesn't seem like that sort, but it's not uncommon.
A spyware scan is definately in order. Keyloggers were created for just this purpose, and they're quite common on Windows machines. adaware from
formatting link
is probably the best spyware scanner to start with. AVG antivirus from
I do the same, hasn't been a problem. My theory is that people who buy machine tools and parts are probably not the class of citizen who screws strangers. So far that's proven sound.
Never say never, but it's highly unlikely. I've only had this puter for two weeks, and I've never made a bid on Ebay with it. I did regular spyware sweeps on the previous computer.
First, in my auctions, I say (lie) that items paid for with checks, will ship only after the check clears. This is untrue. I have no time to deposit checks, check if they cleared etc. Sometimes I deposit checks, but most of the time, with small enough checks, I do not. Right now I have a $200 check that I need to deposit after shipping the item. Amusingly, they are the transistors from the UPS that you could get for free if you took it:)
Second, I deal with items that are unlikely to attract interest of scammers. Electronic test equipment, industrial stuff, parts etc.
Third, even though it is possible that one day I will encounter a scammer, I think that the chance is low enough that it makes saving time worthwhile.
So far, not a single check that I received, bounced.
Basically, if you're at XP Service pack 1, your unhacked life expectancy when connected to the internet is measured in minutes. Four minutes, in this case.
PolyTech Forum website is not affiliated with any of the manufacturers or service providers discussed here.
All logos and trade names are the property of their respective owners.