SP&T News Sécurité Québec Security Pages Focus On Security Expo Security Bookstore

Auction site eBay takes the fight to online fraudsters

October 27, 2009 Written by  Rosie Lombardi
Web businesses such as eBay have successfully extended the reach of sellers and buyers across the globe. But unfortunately, they’ve also extended the reach of the bad guys who resell stolen items on these sites.
“It’s a huge problem. And retail isn’t the only sector that’s affected by online fraud — any company that has a product that can be resold is susceptible,” says Peter Martin, president at AFI International Group Inc., a Toronto-based security firm.

eBay’s site was designed to make it to make it easy to connect sellers and buyers, not to counter fraud, says Cynthia Navarro, principal at Finnegan’s Way, a San Francisco-based investigative firm.  “There were many disgruntled companies and tons of complaints initially. But eBay’s grown over the years, and has instituted many programs to combat fraud on its site.”


What eBay is doing
Online businesses are evolving, and are growing increasingly co-operative when it comes to combating crime. As the largest online auction platform, eBay is taking the lead in implementing security mechanisms that make it easier to investigate and prosecute criminals.

One example is eBay’s VeRO program to report infringements of intellectual property rights to authorities, says Navarro. “When eBay first came out with VeRO, it wanted no responsibility for removing listings, but it’s come around now.”

In addition, eBay recently instituted its PROACT outreach program to help loss prevention and security managers set up undercover accounts, build geo-map searches, investigate leads, and learn about other ways to support their investigations.

“We have 2,000 people in our Fraud Investigations Team who are responsible for responding to people who report fraud and reviewing items kicked out by our fraud analytics,” says Paul Jones, Washington-based director of retail partnerships at eBay.

He points out that eBay was designed to allow buyers to check potential sellers and their histories on their own, so there are many public search and reporting features available. “We often find that LP and security people aren’t familiar with our advanced searches and how to program them to automatically produce reports. They should sign up and sell something on eBay to learn how these internal mechanisms work.”

In terms of practicalities, security staff need to focus on stolen items resold in bulk, as law enforcement is unlikely to get involved in smaller sell-offs. “When people are moving large numbers of stolen goods, they’re not going to sell pieces individually on eBay,” says Martin.

To assist in the investigations of large-scale theft, Jones says eBay is happy to take data feeds from victimized companies — be it a simple Excel file or a more complex program — and use internal tools to scan the site for them.


But Martin believes eBay could be doing more in validating where large supplies come from to begin with. “Someone who’s selling 300 brand-name sweatshirts should be able to produce legitimate receipts showing where they were purchased if they were challenged by eBay.”

Even so, eBay does more in co-operating with law enforcement than other sites if credible evidence is provided, says Jones. The company offers training programs to help police investigate crime on its site, and has trained about 500 officers in Canada over the past five years. “We have senior officials on the ground in Asia, Rumania, Korea and other places, and supports in place so police don’t get lost in the system.”

The company also has policies in place to cut through red tape in investigations. “Unlike other e-commerce companies, eBay is one of the only ones that provides law enforcement with information on a simple request instead of requiring a subpoena. This is stated in our privacy policy.”

But eBay can only co-operate to the extent that local privacy laws in various jurisdictions permit them to disclose information about sellers and buyers, he adds.

This is a major stumbling block. Privacy laws are very fragmented across states in the U.S., and provinces such as Ontario have strong privacy regulations, so a victimized Canadian company looking to get information will face difficulties, says Martin. “It all depends on the origin of the person selling the stolen product. And getting law enforcement agencies to co-operate across jurisdictions is also difficult.”


Inventory control
Although it may seem an impossible task to track thieves online who can change their identities and e-mail addresses in a flash, Navarro says they nevertheless have consistent patterns. “They tend to use the same verbiage and pictures in their postings. We often find them popping up repeatedly under different names and e-mails, but we can still identify them because the rest of the posting is exactly the same.”

But even the best online sleuthing will be stymied if companies can’t prove the items being resold on eBay were stolen from them, says Martin. “Inventory control is the start and end of it. The first thing police will ask is, ”˜How do you know those items are yours?’ Being able to identify the items and show proof of loss is paramount.”

If a shipment of items is stolen from a truck, it’s important that companies have a physical inventory of the actual items that were loaded on the truck, he says. “So if the items show up eBay, security people can buy one and validate it came from stolen shipment.”

This is where many retailers and manufacturers fall down, he says. Companies need to get their own house in order before they can successfully investigate online fraud. But it takes time and money to log items properly so they can be tracked, and many companies are cutting back in these areas.

“This is particularly true in retail due to their small margins. It’s taken years for the industry to finally accept the fact it needs to put EAS (electronic article surveillance) tags on merchandise so it doesn’t unlawfully walk out the front door. But there are no beeps or EAS readers for stuff that goes out the back door.”

Add comment


Security code
Refresh