More Fraud on Amazon Marketplace

Fancy a roll of sellotape for £215.62? Amazon has this and 708,032 other products listed by a seller called linkedeu, who’s full range can be found here:
https://www.amazon.co.uk/s?merchant=AA722TCREQZHH.

This isn’t the first time sellers like this have appeared, and it won’t be the last. However, this time I’ve reported it to Amazon and I intend to time their response. How could they let some fraudster list nearly quarter of a million items without anyone checking?

The seller does have a business address in California, but I suspect this is fake too, and the name and address may well be a legitimate company.

 

Chip and Pin is Definitely Not Safe

I’ve always had my doubts about Chip and Pin (or EMV to give it its proper name). We’ve all heard stories of people having cards stolen and used, when this should be impossible without the PIN. There are also credible stories of phantom withdrawals. The banks, as usual, stonewall; claiming that the victim allowed their PIN to be known, and that it was impossible for criminals to do this while you still had the card so someone close to you must be “borrowing” it.

In the old days it was very easily  to copy a card’s magnetic strip – to “clone” the card. Then all the criminals needed was the PIN, which could be obtained by looking over someone’s shoulder while they entered it. Cash could then be withdrawn with the cloned card, any time, any place, and the victim wouldn’t know anything about it. Chip and Pin was designed to thwart this, because you can’t clone a chip.

Well, it turns out that you don’t have to clone the card. All you need to do is send the bank the same code as the card would, and it will believe you’re using the card. In theory this isn’t possible, because the communications are secure between the card and the bank. A team of researchers at Cambridge University’s Computer Lab has just published a paper explaining why this communication isn’t secure at all.

I urge to you read the paper, but be warned, it’s unsettling. Basically, the problem is this:

The chip contains a password, which the bank knows (a symmetric key) and a transaction counter which is incremented each time the card is used. For an ATM withdrawal this data is encrypted and sent to the bank along with the details of the proposed transaction and the PIN, and the bank sends back a yes or no depending on whether it all checks out. It would be fairly easy to simply replay the transaction to the bank and have it send back the signal to dispense the money, except that a  random number (nonce) is added before its encrypted so no two transactions should be the same. If they are, the bank knows it’s a replay and does nothing.

Please generate and paste your ad code here. If left empty, the ad location will be highlighted on your blog pages with a reminder to enter your code. Mid-Post

What the researchers found was that with some ATMs, the random number was not random at all – it was predictable. All you need do is update your transaction with the next number  and send it to the bank, and out comes the dough. It’s not trivial, but its possible and criminals are known to be very resourceful when it comes to stealing money from ATMs.

What’s almost as scary is how the researchers found all this out: partly by examining ATM machines purchased on eBay! (I checked, there are machines for sale right now). There’s a bit of guidance on what random means in the latest EMV specification; the conformance test simply requires four transactions in a row to have different numbers.

It’s inconceivable to me that no one at the banks knew about this until they were tipped off by the researchers earlier this year. Anyone with the faintest clue about cryptography and security looking at code for these ATMs would have spotted the flaw. This begs the question, who the hell was developing the ATMs?

In the mean time, banks have been trying to pretend to customers than phantom withdrawals on their accounts must be their fault and refusing to refund the money, claiming that Chip and Pin is secure. It’s not, and a day of reckoning can’t come too soon.

Credit for the research goes to  Mike Bond, Omar Choudary, Steven J. Murdoch,Sergei Skorobogatov, and Ross Anderson at Cambridge. Unfortunately they’re probably not the first to discover it as it appears the criminals have know about it for some time already.

 

eBay are now worse than whores – ask any business seller

eBay are whores”. That’s was the verdict of an American friend and regular eBay business seller.

“How so?”, I asked. He went on to explain that eBay and PayPal would do anything for money, and everything imaginable had price attached which you had to pay if you sold through them. My friend was a typical right-leaning free market American, and I had to smile at his complaints about big business doing what it does best. If he wanted to sell his collectable items in an on-line auction it had to be  through eBay, because eBay has an effective monopoly on buyers. eBay was simply obeying the laws of supply and demand; charging the customer (that’s the seller) the maximum they were willing and able to pay without scaring too many away. With an effective monopoly it’s hard to scare them that much.

Since then eBay’s use of its monopoly power has taken a very dark turn indeed, in response to one of their biggest problems: Criminals use eBay. Most of us have bought something through eBay and discovered the seller was less than honest, and eBay feels that this situation is going to adversely affect their revenue in to the future. Recently they’ve declared war on rogue traders, but it such a clumsy manner their actions are immoral and possibly bordering on the illegal.

A few years ago I started hearing complaints from eBay sellers who’d given up moaning about high commission rates in favour of how eBay was making it very easy for buyer’s to defraud them. This started with PayPal, the no-longer-so-optional money transfer system now owned by eBay that sellers are pressured in to using. If a criminal orders something, pays using PayPal and once they’ve got the goods decides to complain (or claim the goods never arrived), PayPal takes the money back from the seller, with no effective mechanism for appealing. As I understand it, the seller has to prove that the buyer received the goods before they get their money, and this just isn’t realistically possible in many circumstances.

PayPal and eBay hardly invented mail order fraud, but they’ve made it very easy for the criminals. Banks would investigate in the case of such a dispute, but by all accounts, eBay does not. All the seller could do was leave negative feedback against the buyer, so future sellers were forewarned and could make up their own minds about dealing with someone.

In the latest twist, sellers can no longer leave negative feedback about buyers, effectively allowing buyers to lie and cheat as much as they wish with no risk of exposure or other consequences. Sellers have to quietly absorb the loss while the criminal selects his next victim.

You may think this is as bad as it could get, but now eBay has implemented what it calls “Detailed seller ratings”, aka DSR. Basically buyers can (anonymously) rate sellers out of five for things like accurate description and delivery time. If a seller gets, on average, less that 4.6 out of 5 then they encounter difficulties with eBay. Sellers have told me that they receive letters saying that they “need to improve”, followed shortly afterwards with having their accounts suspended indefinitely “to protect buyers”. Does everyone apart from eBay see the problems here?

Firstly, there are some very strange people out there. If they don’t like what they bought they’re going to give the seller a bad rating for everything.

Secondly, many people are unlikely to give anyone 5/5. At one time, my job was reviewing things. I did it every day, and I’d never give anything 100% unless it was incapable of improvement. With eBay the next step down is 80%, which by normal standards is very good indeed. However, on eBay’s DSR system, if someone gets to many 80% ratings their account gets suspended!  At one time I didn’t know that, so I’d routinely give everyone a score of 4 unless there was something extra-special about the service. Most people writing a review would do the same.

Finally, this is a recipe for scamming. Supposing you and a competitor were both selling the same thing into a niche market. eBay was excellent at niche market products, once. Unfortunately, in this cut-throat  online market place, if you’re not the cheapest you’ll lose the business, but if you sell at rock bottom you make no profit. So what can you do? eBay has the answer – simply ask a few of your friends to buy items from your competitor and then give them consistently bad DSR scores. eBay will shut them down for you, with no right of appeal, and the way is now clear for you return to your full profitable prices. In the good old days you had to hire a bunch of thugs to beat up your competitors and burn down their premises  now you can get the same effect with a few clicks of a mouse. If someone else appears selling the same thing, they’ll have a “unknown” rating anyway, so a couple of bogus purchases and they’re out of business. This works; I’ve seen the victims and I’ve seen eBay’s attitude to doing anything about it.

Sellers are in a very difficult place. If eBay closes their account, they’re out of business. It’s high time eBay was taken to court over this matter, that of putting British companies out of business for no reason. Unfortunately eBay is hiding behind a flag of convenience. Although it says “ebay.co.uk” on the web site, they’re operating through Luxembourg (and challening the profits through Switzerland to avoid UK corporation tax). Taking them to court isn’t going to be easy.

In the USA, where the jurisdictional is less murky,  there have been several class actions against eBay In response, eBay has altered it’s user terms and conditions such that everyone has to agree not do this any more.

I think it’s high time that eBay developed a sense of responsibility towards the countries that are allowing it to operate. It enjoys a effective monopoly position, yet companies needing to use it are ruined at the whim of a some faceless functionary within eBay, who might be in any part of the world. Power without responsibility is always a bad thing. If that’s not enough to make our government take action, they should consider industrial-scale tax avoidance scheme eBay is employing.

 

 

 

Bank of England Fraudulant Accounts scandal

So, the Government/Bank of England lent £61,000,000,000 to prop up the Scottish banks last year and didn’t think we should know about it. It didn’t appear with any clarity in the accounts, and I’ve just been listening to “Lord” Myners, Gordon Brown’s “Treasury Minister” defending this on Today, saying that “…no retail bank customers lost out.” So that’s alright then?

As usual, he was let off lightly. The Bank of England is publishing cooked books, and the justification is that it’s for the greater good. What I’d like to know is: what’s the point of publishing accounts if they’re deliberately misleading? Or more accurately, dishonest.

The government seems to think it’s okay to lie to us whenever it feels that we’re better off not knowing something. And you can hardly call £61,000,000,000 a trivial issue that’s easily overlooked by mistake, can you? Well perhaps it is to Gordon Brown and his banking mates. No wonder they fail to see any problems with their expense claims.

According to Myners, the board of Lloyds was made aware of the loan at the time they were merging with HBOS in those murky circumstances. So what? Lloyd’s isn’t owned by the board – the Lloyds shareholders had every right to know, but they decided to keep quiet about it. They were tricked into voting for a merger with a bank that was only propped up by a massive secret loan.

Paul Myners is, of course, a New Labour Lord, given a peerage by Gordon Brown after donating £12,700 towards his leadership campaign in 2008. He hasn’t been elected by anyone other than the Labour Leadership.

The fundamental issue here is that if any company published cooked books, concealing a £61,000,000,000 transaction, they’d have the serious fraud office all over them – and rightly so. This government, on the other hand, thinks it knows best and will only tell us what it thinks we should know. Sounds familiar?

Of course, plenty of people must have known about it and kept quiet. So why has the news come out now? Presumably someone was about to spill the beans and they’ve published as the least-worst option.