by Karl Denninger, Market Ticker:
I have recently become aware of an utterly enormous fraud vector problem with both of these related (used to be that PayPal was owned by Ebay) sites.
On every reputable site around the Internet, no matter what it is, when you sign up for an account you have to verify that you own the email address that you give them before they will let you do anything.
That’s true everywhere. It’s true for banks. It’s true for forums like mine, Garmin’s or anyone else’s. It’s true in every instance I’m aware of; you sign up, you get a link in your email, you click the link which is only known to you and then, and only then, can you do anything.
Except with eBAY and PayPal.
I do not know when this changed, but it has. Someone (and I know who it is) used a very old email address that belongs to me and is not used for any of these sorts of things (but has a legitimate purpose) to sign up for an eBAY account and pay for items using PayPal.
They never confirmed the address because it’s mine, and has two-factor authentication turned on. In other words they can’t confirm the address because they can’t get into the account. eBAY allowed them to do this anyway and so has PayPal; I have now received multiple notifications of items bought and shipped.
What’s worse is that neither firm has any means accessible I can find to tell them that someone has used my email address, possibly for a nefarious purpose, and the accounts in question are fraudulent on their face since the email address isn’t theirs. There is literally no place I can report that — and no longer is there a “general” email address you can contact these firms via, or a form you can contact them for this sort of thing either. I cannot sign into the bogus account, obviously — and any attempt to use “contact support” on Ebay requires you log in first.
eBay, in short, has specifically chosen to make it impossible to report this circumstance to them.
I have no idea who’s credit card was used, since only the last four digits display in the confirmations I am getting, and it’s not the last four of any of my cards.
Folks, these companies appear to be scraping the bottom so hard that they’re willing to allow people to “sign up” for “accounts” using someone else’s email and yet they not only let them use their system without confirming it they give the person who has their account used this way no means to dispute it and tell them to shut it down because it’s bogus.
Woe be to you if you’re the seller of an item to such a person, they used a stolen card and it gets charged back.
You’re going to eat that one for certain.