

Matthew31

Ebay - Account breached


Hey, just wanting to know where I stand.

 

Let me start with saying I'm no newbie to computers and this wasn't a case of me giving away my login details via some [problem]/phishing email.

 

 

I have more than 20 years computer/internet experience under my belt and even have no use for anti-virus software (put it this way, I know to avoid anything which might gain me a virus and know the system registry and background tasks like the back of my hand).

 

My ebay account has been up and running for just over 15 years without a problem.

 

eBay has always been fine for me.

 

 

To cut it short, the past few days the money in my bank didn't quite add up.

Something was pending for £30. I guessed it might just be their systems catching up.

 

I had a look at my eBay account and shocking to me was a purchase done a few days ago for a computer game priced at £30.

 

I knew it wasn't me or anyone else I knew who made that purchase.

Some cheeky sod has well and truly defrauded me out of money.

 

 

They bought the game (which includes a download code and a disc).

 

 

They read the eBay inbox message with the download code,

redeemed it and got the disc

(which is useless as the code has been redeemed)

dispatched to my old address that was still saved on my account.

 

They even tried to hide the fact by paying for it,

not out of my linked PayPal account direct

(which shows on my PayPal account transactions),

but via my debit card saved on my eBay account

(that processes through PayPal but doesn't show up in my PayPal transactions history).

 

 

The only way I can imagine this happened was because of ebay's 2014 data breach and now how frequently they require someone to change their password. About a week ago I logged into my eBay account (via a typed address) and was forced to change my password. My current password was secure (7 digits long, 2 capital and 1 non capital letter), but as I would struggle to remember another similar password, I used a basic password I used to use 10 years ago. It's possible that login/password combo was saved by a bot all those years ago and was detected as being my new password and the account was accessed.

 

 

Where do I stand now?

 

It shows on my bank account as card payment to PayPal. The bank have cancelled my card and I'm guessing they could do a chargeback that will likely cause me fees with PayPal and a suspended account.

 

Will PayPal/eBay refund this? Considering the voucher would have been redeemed by now.

 

Thanks


First report to Action Fraud, which I think you can do online.

 

Second report to Ebay and ask them what they can do to help.

 

You don't want to do any chargeback, as you will just get Ebay treating you as a debtor. Ebay won't refund, unless there is any evidence of them being at fault.

 

Before you do the above, if you think about this, why have you been targeted in this way and only for £30? You need to check with Ebay to make sure no other attempts to use your details have been made. Have you ever given away an old computer/laptop to a friend/relative or sold/traded in an old one? Have you ever used someone else's computer to use Ebay and have forgotten about it? I have a gut feeling that this is not an Ebay hack, but it might just be someone has used an old computer you have used for Ebay and they have found your Ebay log in. To test it out, they have made a £30 purchase. If it were a criminal, I suspect they might have made a higher cost purchase or this was just a tester with more transactions to follow.


We could do with some help from you.

PLEASE HELP US TO KEEP THIS SITE RUNNING EVERY POUND DONATED WILL HELP US TO KEEP HELPING OTHERS

 

 Have we helped you ...?         Please Donate button to the Consumer Action Group

 

If you want advice on your thread please PM me a link to your thread


Thank you for the reply.

 

The thing is, I only had that much left in my bank so it was the only thing they could take.

 

The only thing I can imagine it being is a few years ago I lost my mobile phone. It didn't have a lock on the screen. It was reported to my phone provider and all they could do was cancel the sim. I think this was linked to my google+ account (Which stores passwords and updated passwords).

 

If someone recently found this phone, charged it up and got into my eBay account, they might have made the purchase.

 

Whoever did it, knew what they were doing.

 

As soon as they got access to the account they changed the password and notification settings (So I wouldn't receive an email if they bought something).

 

Thank you, I will report it to actionfraud

Share this post


Link to post
Share on other sites

I agree with UB.

 

I think you also need to be careful as you mentioned you have no need for antivirus software due to your computer knowledge.

 

I can appreciate what you are saying but how can you be 100% sure there is no infection in your device?

 

Are you using any protection on your device (i.e. anti-spyware, firewall etc.)?



I cannot give any advice by PM - If you provide a link to your Thread then I will be happy to offer advice there.

I advise to the best of my ability, but I am not a qualified professional, benefits lawyer nor Welfare Rights Adviser.


100% because I am an expert. Over 20 years experience and a wide computer knowledge. Viruses come in several forms including crypto (ransomware) and keylogger.

 

Anti-virus software is mostly just there as insurance. It allows people to carry on with their normal activities but gets them out of a potentially bad situation if they download something they shouldn't have.

 

The most common ways of compromising someone's account these days don't even require the host system to download a virus. It's through the spoof emails people get that pretend to be from a certain company requiring them to enter their password. The user is then redirected to a page that looks exactly like the website (except the URL wouldn't be correct) where they enter their password and the fraudster can then access their account.

 

The other is via dodgy email attachments that can either be keylogging software (tracks username and password entries, sends them back to fraudster) or ransomware (password encrypts the user's most important folders like "my pictures" and demands payment within 48 hours for the code to unlock the folder again).

 

Even "hacking" doesn't exist on the scale it's mentioned in the media. Normally what happens is someone falls for a spoof email, they give their details away, end up becoming a victim to fraud and the report is along the lines of they were "hacked". Hacking these days is an overused term and really the only 2 ways of "hacking" that are common are DDoS attacks (sending excess traffic to a website via many "host" infected systems) that overload servers so the website goes offline, and brute force hacking (running software that generates millions of passwords and tries each password until they get in). Although the brute force method is becoming more and more uncommon due to account servers only allowing a certain amount of attempts before locking the account or requiring CAPTCHA codes.

 

 

15 years ago I stopped using anti-virus software when my computer knowledge got to an expert level. Since all this software did was slow down my system with routine scans and never found any viruses.

 

Today, just to confirm what I already knew I downloaded Norton anti-virus. I have a premium licence that was included with my ISP package that I never used before.

 

I activated it, did a full system scan and the results as expected were no viruses were found. So the only ways this could have happened:

 

 

1) Someone found my long lost phone and got into my eBay account via the connected google account which automatically syncs any password changes.

 

2) The forced password change. As said, quite recently when logging into my account, I was forced to change my password due to when they were compromised in 2014 and user details were leaked. As I couldn't think of any new password I would remember, I changed it back to an old password I used to use. So maybe if that password was on the compromised list, someone might have tried it recently.

 

 

 

So far I have reported it to actionfraud and also to PayPal. PayPal have told me there is no unauthorised activity logged on my account (and they even told me, that instead, if I am unhappy with the item I "purchased", I should contact the seller to arrange for a refund). Ebay have been very difficult to contact.


The strange thing about any device used to make this payment to Ebay is that normally the 3 digit security code from the back of the card is missing in the relevant data field, so if someone gets hold of your device they can't make an unauthorised payment. They could guess, but difficult.

 

Ebay can confirm what data was used to make this purchase. If they interrogate the data, they might also be able to confirm what device was used to make the payment. When you process any debit card transaction online, loads of other data is sent and in these type of circumstances it can be useful.



>Pastebins of compromised accounts from other websites that you are registered to

>Brute force using Rainbow tables

>Hidden software on your PC that an AV wouldn't pick up. Norton is bad for this

 

An IT expert using this - "syncs any password changes," I don't understand why people use these save passwords options etc, if your browser, account or whatever you are storing passwords gets compromised then that's it they get all your saved passwords that can be exported to clear text using varieties of free software.

 

For an expert you don't seem to demonstrate much care for a secure system. There are a lot of optimized and well maintained A/Vs out there that don't slow down your system or throttle your internet connection.


I'm sorry, but I must agree with pixel, you make yourself sound quite tech "unsavvy" the way you are speaking.

 

For a tech, the absolute minimum is changing passwords often and keeping an up to date antivirus.

And there are many more ways of getting viruses on your pc than what you have quoted.

 

I'm sorry, but not changing passwords, not having any antivirus, not keeping tech secure and then not changing passwords after you have lost said unsecured tech is a fine way to fall foul of hackers /[problematic]/id thieves.

 

How do you know that a government website wasn't hacked, you then logged on there to do something and downloaded a virus from there without even realising?

 

Also, virus scanning AFTER an event is often useless as a lot of viruses will shred themselves to avoid detection once it has what it wants.

 

Personally, I'd write off the £30, get a decent antivirus and move on.


I agree with Grumpy and Pixel, to use a crude analogy it's like visiting a certain part of Amsterdam without a 'raincoat' because you know the signs, symptoms and transmission routes of STIs and think that the knowledge itself protects you. You've just been charged £30 to find out the hard way that your expert status offers no more protection from cyber crime than a cotton T-shirt does during a storm.


My views are my own and are not representative of any organisation. If you've found my post helpful please click on the star below.


As it turned out, this breach wasn't anything to do with anti-virus, ebay or Paypal. It was to do with someone accessing my email account and using it to change my password on ebay.

 

What they did was access my email, set filters to incoming ebay and paypal emails so it's diverted to my deleted folder (so I wouldn't see any future emails from ebay in case they did flag it as suspicious).

 

 

 

People say about changing your password frequently, but, there is actually no way to change your password via Orange's webmail system. For anyone who knows what webmail platform I am talking about, it's email.orange.co.uk.

 

See it this way, a fraudster gains access to someone's account. Bingo! The first thing they would do is change the password right? Of course they would. Even the fraudster didn't change my email password because there is no way for them to change it.

 

 

I personally spoke to Orange's support earlier and had this out with them.

 

 

Here goes.....

 

 

The email address in question was provided to me when I lived at my old address with the internet connection I had there. When I moved, I cancelled the internet connection and as I was using the email address still, they kept this email address active.

 

Normally, to change your password for this email, you log in to your broadband account using the email address, then change your password there (which also changes it for the email address). That is the only way to change your password.

 

In my case, I had no broadband account active to log into. So there has been no direct way to change my password.

 

I was told, most people either change email address when they change ISP, or, use the POP3 settings through a mail reader like Outlook (which, rather than store emails in the webmail, pushes them to the device and stores them there).

 

They told me, in future, if I still want to use my email address via the webmail platform and want to change my password frequently, I will need to select "forgot password" and change it via that method.

 

Orange/EE have as a result of this offered a form of compensation.

 

 

 

As for eBay, they have now logged it as unauthorised access to my account and told me I am to contact either my bank or PayPal to get a refund of the full amount.

 

 

 

Attachments show the filters the fraudster set on my email account so I wouldn't see incoming ebay and paypal emails and also that there is indeed no way to change the password via webmail.

 

Filter1.png

Webmail 2.png

Orange webmail 1.png

Filter2.png

Webmail 2.png
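
The hiding technique described in the post above, mailbox filters that divert eBay and PayPal mail to the deleted folder, can be checked for by auditing a mailbox's filter rules. This is an added example, not part of the original thread; the rule layout, key names and sample rules are constructed for illustration and are not Orange webmail's actual format.

```python
"""Flag mailbox filter rules that hide mail from watched senders."""

# Assumed (hypothetical) rule layout: 'name', 'conditions' as a list of
# {'field', 'contains'}, and 'actions' as a list of {'type', 'target'}.

# Senders whose notifications were hidden in the thread.
WATCHED = ("ebay", "paypal")
# Action types that take a message out of the owner's attention.
HIDING_ACTIONS = {"delete", "mark_read"}
# Folder names that a 'move' action can use to bury a message.
HIDING_FOLDERS = {"trash", "deleted", "deleted items", "junk", "spam"}


def hides_mail(action):
    """Return True if the action removes a message from the inbox view."""
    kind = action.get("type", "").lower()
    if kind in HIDING_ACTIONS:
        return True
    target = action.get("target", "").strip().lower()
    return kind == "move" and target in HIDING_FOLDERS


def matched_senders(rule):
    """Return watched names found in the rule's from/subject conditions."""
    hits = set()
    for cond in rule.get("conditions", []):
        if cond.get("field", "").lower() not in {"from", "subject"}:
            continue
        text = cond.get("contains", "").lower()
        hits.update(w for w in WATCHED if w in text)
    return sorted(hits)


def audit(rules):
    """Return (rule name, senders, action types) for each suspicious rule."""
    findings = []
    for rule in rules:
        senders = matched_senders(rule)
        hiding = [a.get("type", "") for a in rule.get("actions", [])
                  if hides_mail(a)]
        if senders and hiding:
            findings.append((rule.get("name", "<unnamed>"), senders, hiding))
    return findings


# Constructed sample rules: two modelled on the filters in the post, one benign.
SAMPLE_RULES = [
    {"name": "f1", "conditions": [{"field": "from", "contains": "@ebay.co.uk"}],
     "actions": [{"type": "move", "target": "Deleted"}]},
    {"name": "f2", "conditions": [{"field": "from", "contains": "PayPal"}],
     "actions": [{"type": "move", "target": "Deleted"}]},
    {"name": "digest", "conditions": [{"field": "subject", "contains": "weekly"}],
     "actions": [{"type": "move", "target": "Reading"}]},
]

print(audit(SAMPLE_RULES))
```
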


How did they get hold of your Orange email address and do this ?

 

Surely Ebay have details of the IP address location of where this happened.

 

If this relates to information on the lost mobile phone, what other account information have they obtained and tried to use ?



not needed as it is set as a DD not a distance payment.

There are specific frauds that only work on eBay, one of those is putting a false page over the top of a genuine one so when you go to the real item you are interested in the fake page masks it but appears identical to the viewer. If you then enter anything into this page, i.e. show an interest in buying the item for example, the mask then follows your activity and harvests your data so your username, pw and links to PayPal accounts are compromised. Sometimes the thieves do the same with a walk through via just a few pixels on the genuine page so hover over a small area of the item for sale for example and you will connect to the fake page. Again this allows the bad uns to harvest certain information they will then use to order stuff at your expense, often non tangible items like gaming codes but they sometimes buy their own listed items. Coin sellers in China used to use that trick.

The strange thing about any device used to make this payment to Ebay is that normally the 3 digit security code from the back of the card is missing in the relevant data field, so if someone gets hold of your device they can't make an unauthorised payment. They could guess, but difficult.

 

Ebay can confirm what data was used to make this purchase. If they interrogate the data, they might also be able to confirm what device was used to make the payment. When you process any debit card transaction online, loads of other data is sent and in these type of circumstances it can be useful.
