Sunday, November 06, 2005

Thievery

I have been dealing with a little Internet fraud over the last week or so. Initially, I got a couple of emails from P telling me that my E userID was not functioning correctly while they were trying to update logos...I ended up in this long discussion with them via email trying to get them to understand that I should not have any logos...I am strictly a buyer (and only an occasional buyer at that).

Anyhow, after a few rounds of email tag with them, I decided to log into my E account to check out the deal. Now I just used the account this summer so I knew it was pretty up to date but for some reason, I could not get in.

I contacted E about this problem, and they kept emailing me back that my email address (the one I was writing from) was not the one associated with my account and that I needed to write to them from that address before I could be helped. I kept explaining to them that I had had an account with them since 1999 and the email address I was using was the only one that had ever been associated with my account. I just assumed there was some kind of computer glitch that had reset my email address....little did I know.

Turns out, after a week of proving myself to E, I found out that my account had been hacked. The password, shipping address and email address had all been changed to this person in Indonesia. Fortunately, I don't have any credit cards or bank accounts associated with that account, but I do have a history with E as a good customer and I didn't want that ruined. I also had my full name, and a physical address listed. Fortunately for me, E has this new feature where you can read all coorespondence that has occured between users and E and between other users.

I delved into the message box and found out that the person somehow did a request of UserID on October 1 (which should have been sent to my email address of record but wasn't), then it took them 21 days to hack my password (one of the harder ones out there too). After they got into my account, they proceeded to change the shipping address to Indonesia, and the email address to their own. They also changed the password, basically locking me out of my account. From the messages it looks like they spent most of the 21st-23rd trying to get sellers to sell them some kind of electronics (laptops, PCs, phones...etc) and ship them directly to Indonesia. They claimed it was a gift for their daughter. Most people didn't fall for it, and the conversations stopped there. E even sent a message to "me" telling "me" that trying to buy or sell outside of E was not allowed and the amount of email traffic that they noticed was making them question whether that is what "I" was trying to do. From these messages, I was able to get the IP addresses that they were using when they made requests of E, the name and shipping address of the person in Indonesia, and the yahoo email account that they had changed my account to when they hacked in.

At this point, it looks like no damage was done. E said I will not be held liable for any but I was kind of surprised that, in their email to me, they didn't take any responsibility for this breach, told me that it was probably due to a virus on my system, or an easy password (both of which are not possible). I think it has to do with a security hole on their part. They didn't even apologize for all the grief they gave me while I was trying to get back into my own account.

I did send an "abuse report" email to E, Yahoo, and the ISP that those IP addresses belong too and I sent a nice little note to the email user as well so they would know that I have their number. I am sure that no one in Indonesia will do anything to pursue this but I hope that E does, and I know that Yahoo will close down their account, so at least I will have a little gratification.

The whole thing makes me nervous though, because while my passwords are difficult and considered "strong security", I don't change them as often as I should, and I probably have too many that are similar. It has opened my eyes a bit to how fragile our security on the "net" can be, and makes me more diligent to keep my information up to date, and as vague as possible.

2 comments:

Ian said...

My sister had eBay problems too. Seems someone hacked into her eBay and Hotmail account and was using her unername info to sell things under her name - money going into a different account, of course. Luckily they spotted it and shut it down, but still...

Mishka said...

Thing that got me is that acted like it was my fault, when in fact, I think it is a security issue with how they deal with lost passwords and user IDs...