eBay: no idea how account was compromised


Angus Kidman, 30 April 2008, 10:11 PM

Despite eBay claiming forcing people onto PayPal will make things safer, here's a clear example of eBay fumbling and tripping over its own tail when my eBay account was hacked.


A central element of eBay's controversial push to make PayPal compulsory is the notion that it can more effectively manage security than other finance providers. However, when problems arise, the auction giant's security department may well be as clueless as everyone else.

I learnt this the hard way last year when there was an unexpected, and still unexplained, intrusion into my account. After more than a month of questions and some shameless exertion of my status as a journalist, the best response eBay could come up with was "We have no idea what happened".

The problems began on August 20 2007 when a message was sent to my eBay account, noting that I'd changed my password. I didn't see this message until I logged into eBay on August 27 (I'm a regular user, but no addict).

The message disturbed me for two reasons. Firstly, I hadn't changed my password, which was self-evident as I'd logged in using the old one. Secondly, it hadn't been copied to my regular email address, unlike most eBay correspondence.

As a result, I assumed that perhaps something was going haywire with eBay's own communications system, and I sent a brief note to eBay's internal support system to that effect. I looked around a bit, bid on an item, and logged out again (always a sensible idea even if, like me, you have a PC no-one else routinely uses).

However, when I tried to log in again later that day, I was told that my password was not in fact valid. Support replied to my email later still, suggesting I contact Live Help, eBay's chat-based support system.

After I confirmed my identity and explained the problem, the agent was quick to roll out an explanation. "Our records indicate that your Ebay account password was potentially compromised. In order to prevent any fraudulent activity, we reset your password and temporarily placed a hold on your account. We were able to restrict your account before any unauthorized bids or listings took place."

Oh, really? In that case, why was I able to log in with my old password and place a bid? I tried to put the point gently: "I'm a bit confused as to how the hold process works, given that I got the alert but was still able to bid after that."

The agent responded quickly but not very reassuringly: "Well normally it would block all bidding and buying but because nothing was bid or bought we took a bit longer than normal to block the account."

In other words, even though eBay thought there was a problem with the account, no block was put in place until after a bid had been made. Rather like shutting the stable door after the horse had bolted, I figured, and not a sufficient explanation. I got my password changed (again), but decided further investigation was needed.

So what happened?

Taking advantage of being a journalist, I contacted eBay and asked for a chat with trust and safety director Alastair MacGibbon, who I'd interviewed on several previous occasions (and who has since become the face of the current make-PayPal-compulsory campaign). MacGibbon promised to investigate, and we had a brief phone chat the next day.

MacGibbon said that there appeared to have been some unauthorised access to my account from a European IP address around August 13, but nothing else was evident other than my own trail of complaints. I pointed out that clearly that wouldn't explain much of the problem, since the alleged password change didn't take place until a week later.

And the big question remained: if eBay could detect a problem on August 13, why could I make an unblocked bid a fortnight later? MacGibbon said that would require further investigation, and promised to get back to me.

That promise took a long time to come to fruition. I nagged eBay for a response on September 3, September 12, and September 28, but it wasn't until the last time that I got a reply by email. And it was not much of a response. MacGibbon wrote:

"We passed your case to our engineering team for analysis. As I mentioned when we spoke, this is a very rare incident. We have not seen any case like this previously. Unfortunately, eBay automatically purges some of its diagnostic logs on a regular basis, so we do not have enough data to reproduce and diagnose what seems to be an anomalous case. We see no reason for you not to use your account as it was such a rare occurrence."

The uncharitable way of interpreting this is that eBay was stalling and hoping I'd shut up about the problem, and then had to spout this non-explanation when I wouldn't give in. The charitable interpretation is that eBay was trying to investigate but the purge happened before that process finished, which is not very reassuring for anyone else involved in a dispute. But one conclusion is clear: though it may be uncommon, eBay's systems can be manipulated to allow multiple passwords to log into a single account, and probably eBay itself won't be able to tell what happens if that does occur.
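Two of the failures described above (a hold that did not stop a bid made with a password that should already have been dead, and diagnostic logs purged before the investigation finished) come down to account-state handling. The following is an added reference model, written for this page and not code from eBay or the author, that replays the article's timeline against the behaviour a defender would expect: a reset revokes the old credential and all sessions at once, a compromise hold blocks bids immediately, and an open case pins the audit trail so routine purging leaves it alone. All names, dates used as inputs, and the retention window are constructed for the example.

```python
"""Hardened account-hold model (constructed example, not eBay's code)."""
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2; any slow password hash would do for the model.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class AuditEvent:
    when: datetime
    kind: str
    detail: str


@dataclass
class Account:
    user: str
    salt: bytes
    pw_hash: bytes
    sessions: set[str] = field(default_factory=set)
    on_hold: bool = False
    audit: list[AuditEvent] = field(default_factory=list)
    retention_pinned: bool = False  # set while an investigation is open

    def _log(self, when: datetime, kind: str, detail: str) -> None:
        self.audit.append(AuditEvent(when, kind, detail))

    def login(self, password: str, when: datetime) -> str | None:
        """Return a session token, or None if the password is not current."""
        ok = hmac.compare_digest(_hash_password(password, self.salt), self.pw_hash)
        self._log(when, "login", "ok" if ok else "bad-password")
        if not ok:
            return None
        token = secrets.token_hex(16)
        self.sessions.add(token)
        return token

    def reset_password(self, new_password: str, when: datetime) -> None:
        """Rotate the credential: old hash gone, every live session revoked."""
        self.salt = os.urandom(16)
        self.pw_hash = _hash_password(new_password, self.salt)
        self.sessions.clear()
        self._log(when, "password-reset", "all sessions revoked")

    def place_hold(self, reason: str, when: datetime) -> None:
        """Suspected compromise: block trading now and pin the evidence."""
        self.on_hold = True
        self.retention_pinned = True
        self.sessions.clear()
        self._log(when, "hold", reason)

    def bid(self, token: str, item: str, when: datetime) -> bool:
        """A bid needs a live session and no hold on the account."""
        allowed = token in self.sessions and not self.on_hold
        self._log(when, "bid", f"{item}: {'accepted' if allowed else 'blocked'}")
        return allowed

    def purge_logs(self, now: datetime, keep_days: int) -> int:
        """Routine purge; a pinned account keeps everything. Returns count removed."""
        if self.retention_pinned:
            return 0
        cutoff = now - timedelta(days=keep_days)
        before = len(self.audit)
        self.audit = [e for e in self.audit if e.when >= cutoff]
        return before - len(self.audit)


def replay_article_timeline() -> dict[str, object]:
    """Replay the article's dates (hypothetical user and passwords)."""
    salt = os.urandom(16)
    acct = Account("user-example", salt, _hash_password("old-password", salt))
    aug13 = datetime(2007, 8, 13)
    # 13 August: a login from an unfamiliar address is flagged and held at once.
    acct.login("old-password", aug13)
    acct.place_hold("login from unfamiliar IP address", aug13)
    # 20 August: the reset rotates the credential instead of merely notifying.
    acct.reset_password(secrets.token_urlsafe(12), datetime(2007, 8, 20))
    # 27 August: the old password must be dead, so no bid can go through.
    old_session = acct.login("old-password", datetime(2007, 8, 27))
    bid_ok = acct.bid(old_session or "", "item-1", datetime(2007, 8, 27))
    # Late September: the routine purge must not erase the open case's trail.
    purged = acct.purge_logs(datetime(2007, 9, 28), keep_days=30)
    return {"old_password_works": old_session is not None,
            "bid_accepted": bid_ok,
            "events_purged": purged,
            "audit_events": len(acct.audit)}


if __name__ == "__main__":
    print(replay_article_timeline())
```

The design choice worth noting is that the hold and the credential rotation are independent controls: either one alone would have stopped the 27 August bid in the model, and the retention pin is raised by the hold itself rather than by whoever later picks up the case, so the evidence survives a slow investigation.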

Now, I accept that no security system is perfect. Nonetheless, I find it hard to swallow the notion that eBay making PayPal compulsory will dramatically increase system security, because I know that one half of the equation is, to put it kindly, capable of leaking.

And it's worth bearing in mind that I was only able to get the problem investigated to this extent (albeit uselessly) because I'm in the media. Regular customers are stuck with eBay's basic complaints service, which might go some way to explaining why public meetings to discuss the recent PayPal changes are heavily oversubscribed.

Despite the problems, I've kept using both eBay and PayPal, but I've learnt to keep a very careful eye on what happens, and I'd definitely like the opportunity not to be totally dependent on eBay-owned services if a problem occurs again. Whether I get that choice now seems down to the ACCC.





Reader Comments


Corinth (New user):

I've also had my fair share of 'eBay hacking'. I logged on one day and saw that my account had bid on a whole array of items, none of which I had any desire of buying. This was early last year, before I was using PayPal heavily, and now that my PayPal details are so closely linked to eBay I too am failing to see how the security factor is even slightly justifying why popular payment methods such as DD and COD are now being outlawed. Truth of the matter is, not everyone feels safe about placing their credit card details on the internet, and I can only conclude that a large portion of common eBayers are going to really feel disgruntled when eBay pulls the plug on old-style payment options.

McBanjo (Cornerstone member):

I sent a complaint to eBay about a serious fraudulent eBayer who was obviously trying to rip me and others off. The scammer had created a few laptop auctions and finished the auctions early to the first bidder, requesting instant cash payment. After I sent eBay the email, the seller had opened a few other auctions so I made a special effort to send private messages to all the bidders in the auctions involved.

A lot of people were very relieved that they hadn't yet paid them any money.

7 days later I get a message saying that eBay had discovered I may have been dealing with a scammer and that they'd banned the fraudulent account. Hardly a speedy response for something so serious.

Tin (Advanced member):

This is troubling... Once in, a malicious user could view their victims email address, which chances are is the PayPal logon address. If they also use the same password for both, then chances are they now have access to PayPal, which gives them access to fraudulent credit card transactions, bank transactions, etc.

Of course right now the users who don't use PayPal much are likely to use a different password on that, because PayPal's password rules are stricter. But if we are forced into using it all the time as the only option, thousands of users will end up making the passwords the same so they remember them better.

Besides... It doesn't take a super-sleuth to get on Google and find PayPal horror stories.

Steve_08 (User):

same crap different day, well done ebay.

Discosis (User):

Is it possible that the trigger for eBay locking your account down was your email saying "this is weird..."? It would make sense that later in the day they'd locked you out.

Perhaps whoever accessed your account logged in, changed the password to check that it was working and then changed it back to "your" password afterwards (and maybe eBay's systems only sent one email because they were close together or something).

Either way, it's pretty shoddy practice by eBay and you raise a good point about dispute handling - if eBay purges the "diagnostic" data (presumably some form of web/app log) so quickly, then what confidence should I have that they'll even be able to investigate a dispute fairly?

The other question I have is, if this all happened in September 2007 why are we only just hearing about it in May 2008?

Tin (Advanced member):

I suspect because Angus left it alone at the time feeling it was not a big deal. But now it is because eBay are bringing the topic of security and fraud to the discussion themselves.

imeldah (New user):

Seems the ACCC has at least put a hold on eBay's "PayPal only" initiative, at least for the moment. It will be interesting to see eBay's next move to try and wring more money out of their remaining members.

imeldah (New user):

At least the ACCC has now put a hold on eBay's "PayPal only" initiative, for the time being anyway. It will be interesting to see what they will try next to try and wring more money out of their remaining members.
