Memo to Meg Whitman, eBay and PayPal CEO

Dear Meg –

I have been considering for the past half year to join eBay and PayPal. But since September I have been receiving a steady stream of sophisticated phishing attack eMails sent in the guise of valid eBay documents. The image below is typical of the phishers attack emails. I have been co-operating sending as soon as I receive them the phisher emails to spoof@eBay.com. Since I am online all the time that means within 10-20 seconds after receiving the spoofing email. This should allow eBay to get at the attackers inside the 3-5 hour timeline they generally stay online. This also should allow eBay to identify third parties supporting the phishers and prosecute them.

With this immediate notice I expected the 1-3 attacks a week of late November and December would start to decrease. False hopes.

I am now getting attacks from both eBay and PayPal each about 3 times per week. And they are becoming more sophisticated – disarming email forwarding, including dangerous attachments and other planted trip ups.

Now you can imagine how likely it is that I will ever join either eBay or PayPal as long as these phishing attacks continue. And as for websites which offer PayPal services or eBay web services – well lets just say they are currently regarded as persona non grata. In fact, Meg, I am amazed that eBay can continue to run increasingly profitable quarters when the fundamental security and trust in eBay and PayPal are under direct frontal attack and things are getting only worse – not better.

So dont take my note seriously – nor the increasing waves of phishing attacks. Change your spoof@ebay.com response to a completely automated system. Do not have any report to clients or to victims of the phishing attacks. Leave them in the dark on the status of eBays efforts to clean up these attacks(or equivalently bury them on some back page). Do not have a clear security section on your home page – where victims of the attacks can find out what to do next. Believe that this problem can be automated away without diverting too much effort and endangering the bottom line and pretending everything is just okey-dokee at eBay. Or conversely what better time to raise fees – as eBay girds itself to attack the hackers and phishers. Be reactive and let others lead the charge. And certainly do not proclaim a dedication, a policy or a timeline to get the problem licked. And continue to have a set of Spoof emails tutorials buried on your site. And make them look Mickey Mouse, demeaning of the users intelligence , and as confusing and meandering as possible. In short, imply that this is the price of doing business with eBay. And finally certainly do not have any published policy for what happens to an eBay user who falls victim to an attack.

In sum, let me repeat – convince all parties that this phishing problem is really not serious and in due time it will all go away. Come to think of it let me give eBay an outstanding mark for negligence so far.

Sincerely

JBSurveyer
editor – theOpenSourcery.com