AuctionBytes Blog
Covering auctions, collectibles and marketplace selling.

The AuctionBytes Blog has been giving a voice to online merchants since its launch in 2005. Named one of the world's top 30 blogs in 2008 by "Blogging Heroes." Weigh in with your thoughts on the joys and pitfalls of selling online.
Thu Apr 9 2009 10:45:24

eBay, Online Sellers: Beware of Fraudulent Payment Attacks

By: Ina Steiner

In today's AuctionBytes Newsflash newsletter, I report on a baffling case of online fraud affecting a merchant using eBay's PayPal service. What struck me about this case was the fact that it appeared any merchant could be halted in their tracks if a fraudster decides to include them in a scam. In this particular case, the merchant was unable to use PayPal on his website for 2 weeks.

In researching the article, I found some features that might have helped this merchant. It behooves eBay and online sellers who use PayPal to become familiar with "PayPal Account Optional" specifically (explained in the article), and also with how to manage their risk (more on that is coming in Part 2 of the story).

PayPal's Sara Gorman wrote to us this morning:

"This was a rare occurrence, as we discussed, with a new type of fraud.  Our fraud models worked as they should in detecting the bad payments, which is why they were limited, but I understand that it was frustrating for (the merchant) as we worked to stop the payments from coming through.  
 
One thing I wanted to make sure to point out is that the vulnerability in our PayPal Account Optional feature has since been closed, so we've already fixed the issue that allowed these payments to go through.  So, it wouldn't be accurate to advise that merchants turn off this feature to protect against this going forward.  Of course, merchants always have that option if they'd prefer to do so."

My research highlighted how difficult it is for all online payment processors to keep up with fraud: every company deals with combating fraud on an ongoing basis, not just PayPal. While these firms make it easy for merchants to get up and running and accept payments, sellers should not assume they are 100 percent foolproof. Organized criminals from all over the world are working full time to find and exploit vulnerabilities.

The lesson I came away with is that merchants should always be on the lookout for fraudulent attacks (not just the occasional fraudulent customer), and should always be prepared to the extent possible in case of such an attack. Merchants should also become familiar with the settings and features of their payment accounts. This page explains settings available to you as a PayPal merchant.

We'd like to hear from merchants about cases in which they've been the victims of fraud or have had their accounts suspended through no fault of their own. Learning about what can happen may help sellers avoid similar circumstances or at least help them think about coping strategies should they actually experience such situations.






Readers Comments

by: Merchant's Fault

Thu Apr 9 11:23:14 2009

WHY would you alert paypal to this problem? they are NOT on your side and in fact are anti-seller. Leave the fake funds untouched, let paypal do their job. Your own fault for telling them.

by: I Hate Fraud

Thu Apr 9 11:46:46 2009

One time, someone in the UK accessed my paypal account (I'm in the States) and withdrew about $150. I don't know how they did it. I'm very careful about phishing attacks and the like. My account was frozen when I alerted them about the issue. paypal did get my money back, and I had to destroy my paypal credit card; they, in turn, sent me a new card. It all took about two weeks. Didn't lose any money, but lost two weeks of purchasing power because of the inconvenience of a frozen account.

by: Patricia

Thu Apr 9 11:57:39 2009

I'm not understanding the purpose of a merchant attack like this.  The merchant knew the transactions were phony - the perpetrator didn't get any goods.  About the only thing it seems to have showed was the obvious frailty of Paypal's system...and we all kinda knew that (shrug)

by: Alex V.

Thu Apr 9 12:42:46 2009

This is pretty interesting. So essentially the solution that PayPal came up with was to shut down a merchant's account because of their own vulnerability. I can imagine what a mess this would be for any seller that was doing high-volume business - to have their PP account frozen for several weeks would severely impact their businesses. It certainly wouldn't POSITIVELY affect their DSRs. Thanks for the vigilance, Ina!

by: Chuck

Thu Apr 9 12:51:59 2009

NEVER go to PayPal for a problem like this. They are impossible to deal with and will just freeze your account. My experience is all you ever get from Paypal is double talk.

by: ebay + paypal = fraud

Thu Apr 9 13:26:22 2009

Once again ebay/paypal expresses their total incompetence and complete disinterest in combating fraud.

Fraud makes them far too much money to *bother* with.

by: Elizabeth Van Pelt

Thu Apr 9 14:27:58 2009

How very bizarre. A fraud where the fraudster deposits funds into a Paypal account that they cannot access, and they get no goods or services in return.

There has to be an underlying reason to this, but I guess my brain just doesn't work like a crook, and I can't see how this scam could work, other than flummoxing the receiver. :-)

It's just disturbing and weird.

by: kw

Thu Apr 9 14:37:05 2009

Sorry, but I'm not convinced Paypal cares very much about fraud.  If they did care the merchant would not have been shut out of processing payments for 2 whole weeks.  Merchants pay Paypal for a service, and part of that service includes resolving problems with minimal disruption to a merchant's business.  Two weeks?  If Paypal itself were shut down for two weeks they would feel the pain like small businesses do.

by: Sue

Thu Apr 9 14:56:35 2009

Fraudsters run tests all the time to check the vulnerabilities of credit cards and paper checks.  They use the results of their tests for future fraudulent transactions, sometimes the same day.

Since eBay/Paypal is a multinational corporation (with a growing bad karma, an ongoing topic on these blogs) easily targeted by ''international organized crime networks,'' the fraudsters may have been testing a weakness in the Paypal system to see how they might exploit it in the future.  From what someone else said here, they have already figured out how to get $ out of some Paypal accounts without using the  obvious forms of phishing.  

What better scam than to fill up an innocent account first using stolen credit cards, then phish for the money later.  If it is an account that isn't checked regularly (like at least every day), the Paypal account holder may never know they were used in the scam, especially if the transactions take place over a short period of time.

This is why you should never leave $ in a Paypal account, and should make sure that any checking account associated with it is dedicated to Paypal and always with a zero balance or just enough funds to avoid bank fees. You should always check your Paypal account for transactions every day, including weekends.  And if the Paypal account is no longer needed, you should close it or at least set it so that it will not accept deposits or withdrawals.

Rather than criticizing and punishing  the merchant (shutting down his account for weeks) who reported the strange deposits for not knowing how to set all the account options, Paypal should commend him for reporting the problem.  

by: Jim Sanderson

Thu Apr 9 17:24:21 2009

I have found Paypal to be very responsive to problems via telephone or email.  As an eBay Education Specialist, instructor, I suggest eBay and PayPal buyers and sellers educate themselves with the security information provided by ebay and Paypal.  The addition of a PayPal security key may help to prevent unauthorized withdrawals from an account or hi-jacking of an eBay ID.  Every seller, on-line or brick and mortar should understand and know how to deal with risks.  eBay, PayPal, Amazon, AmExpress, Visa, Master Card, the US Treasury, your bank burdens sellers to assume part of the risk in accepting payment on the front line.  You are the FRONT LINE.....Jim/Tampa,FL

by: Karcass76

Thu Apr 9 17:50:09 2009

Ina, this case is bizarre. Is there a 2nd known case like this? I wonder if this seller (selling web scripts?...hmmm) is on the up and up. This seems like such an isolated case...

by: Mitch weiner, San Jose, CA

Thu Apr 9 18:20:45 2009

Yup, as usual a paypal stooge runs over & tries to blame the seller that discovered this, not their own poor security. Why doesn't Paypal have a dedicated & hidden username only known to seller and completely different from the email used for payments? That would add another level of protection. Many messageboards can handle that, but not a place we are supposed to trust with our money.

by: Harriet

Thu Apr 9 20:13:20 2009

It is very scary that a company that handles such a vast amount of money all over the world would have a breach of security like that.

Billions of dollars and other currencies are running through PayPal.

They could well afford to hire the very best of the best to secure the site.

They ought to be ashamed.

And then they treated the poor person whose account was used like dirt.

What a company!!!

Get your house in order, PayPal.

Is there no international oversight for PayPal?

by: ebaysucks

Thu Apr 9 20:34:53 2009

First off never leave any money in Paypal for more than 24hrs!!  If you think Paypal is a safe place to keep your money then that's your first mistake.  Once you transfer the funds into your bank account don't leave it in your bank for more than 24hr's!!  If you think your money is safe in any major or minor banks then that's your second mistake.

by: Ina

Thu Apr 9 21:30:19 2009

"I wonder if this seller (selling web scripts?...hmmm) is on the up and up."

Actually, I think it's a fair question to ask, and PayPal itself has to be concerned about sellers acting in cahoots with scam buyers. I am always skeptical, but I can confidently say that's not an issue in this particular case.

by: Paypal Security dept is staffed by monkeys

Fri Apr 10 00:15:29 2009

Yeah, these idiots at Poopal want you to provide them:
as seller:
Your suppliers info
your utilities bills
your Social security number
as buyer & seller:
Name & address
Bank account number & password with permission to withdraw funds
Just to use the least safe payment method known to man on Greedbay?
How is my data safe with them? You are giving ALL the info required to destroy your credit to an underpaid lackey in a third world country. PP Cust service is in the Philippines & India. Google PP employee theft, and see just how safe it is to give all that info away. Paypal has NO PROTECTION in case of them going belly up, you will lose every cent they have, there is NO insurance & they fight tooth & nail to avoid regulation. All their funds are OUTSIDE THE USA, so when they default, you will get bupkis.

by: Steve

Fri Apr 10 15:01:04 2009

My bet is a competitor or disgruntled customer did it. He does sell 'code snippets' so they could possibly be cyber scumbags. It was an effective way to screw up his business. Can't think of any other reason.

by: Ebay No More

Fri Apr 10 15:04:35 2009

I find a couple of issues with Paypal's response.

#1 ''We're sorry the customer was frustrated,'' she said.''
Sorry? An apology? This seller had a two week freeze on his Paypal account. If this was the seller's primary source of income how could Paypal justify a two week freeze? Two weeks is too long for Paypal to take dealing with any seller's account issues. This is how people earn a living. They pay their bills, pay mortgages/rent, and put food on the table. Paypal needs to speed this process along. This is exactly why I would never allow Paypal to be my primary payment processor. Their response times stink. When you stop and realize that Paypal doesn't have technical support on the weekends it's mind boggling. This is a global  company with billions in revenue and they can't hire a techie to work weekends to provide support to their merchants?

#2 ''upgrade to Advanced Risk Filters for an additional monthly fee'' Sorry this should be a free service with a paid account like Pro or Virtual Terminal. It should be an option with a basic account only. Again it comes down to money and Paypal chooses profits over support and customer service to their customers.

by: Disillusioned SuperSeller

Fri Apr 10 17:27:25 2009

eBay and PayPal have horrible customer service. The longer you use either, you will find out that nothing is on a case by case basis. Everyone gives you different answers from all sides. No matter how many times you explain the "situation" all anyone ever does is apologize. Nothing actually gets done. If anything gets accomplished it is because  you ask, and ask, and ask, and ask, and ask, and wait, and wait, and wait, and ask again and then wait some more. As soon as you allow a 3rd party to monitor your auctions or keep track of your money - you will run into issues. I've found that nobody cares about your payments, stores, or items as much as you do. You are just a $ number. There is no equality or good customer service for the honest vs. the dishonest. Both eBay and PayPal will shut your accounts down or make it impossible for you to get your funds if given the chance. After being a long time ebay member and paypal member - I've been shocked over and over. You'll be lucky to make any money with eBay after all the fees - what eBay doesn't get, PayPal will...and should you have problems with either account because of someone else - if you're honest, you'll get the shaft. It's the way these companies work.

by: dimes

Fri Apr 10 18:17:41 2009

Ina, was there any similarity in the payment types (ie, were they primarily MC, Visa, or paypal credit cards)?
