eBay’s Web Security is a Mess

I was having dinner when I got an email from eBay saying that an iPad was being shipped to me.

I open the email and find: “Confirmed …your iPad is being shipped to 300 Murchison Dr Apt 113.”

That’s not my address. I didn’t order an iPad. I don’t want an iPad. I don’t live there!

Here’s how it came about:

  1. Someone hacked into my account from a computer that eBay had never seen before, from an area I had never logged in from before
  2. They changed the shipping address on my account to a new address far away from me
  3. They placed a spontaneous order for a $600 iPad

And eBay didn’t ask a single question about it.
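The three-step sequence above is precisely the kind of signal a merchant-side risk check can score before a purchase is released to shipping. The following is an added example, not eBay's code and not from the original post: it replays a constructed event sequence (unseen device, new region, address change, then a high-value order within an hour) through a simple scoring rule; the threshold, window and field names are assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Event:
    kind: str                 # "login", "address_change" or "order"
    ts: datetime
    device_id: str = ""       # only meaningful for "login"
    region: str = ""          # only meaningful for "login"
    amount: float = 0.0       # only meaningful for "order"

@dataclass
class AccountProfile:
    known_devices: set = field(default_factory=set)
    known_regions: set = field(default_factory=set)

def assess_session(profile, events, window=timedelta(hours=1), high_value=200.0):
    """Score one session's events; returns (score, reasons). Thresholds are assumed."""
    score, reasons = 0, []
    login = next((e for e in events if e.kind == "login"), None)
    if login is not None:
        if login.device_id not in profile.known_devices:
            score += 1; reasons.append("login from a device never seen on this account")
        if login.region not in profile.known_regions:
            score += 1; reasons.append("login from a region never used before")
    last_addr_change = None
    for e in events:
        if e.kind == "address_change":
            last_addr_change = e.ts
        elif e.kind == "order":
            if last_addr_change and e.ts - last_addr_change <= window:
                score += 1; reasons.append("order placed shortly after a shipping-address change")
            if e.amount >= high_value:
                score += 1; reasons.append("high-value order")
    return score, reasons

def needs_step_up(score, threshold=3):
    """True when the order should be held for re-authentication (e.g. a second factor)."""
    return score >= threshold

# Constructed sample data mirroring the post's sequence; every value is made up.
T0 = datetime(2012, 1, 1, 19, 0)
KNOWN_PROFILE = AccountProfile(known_devices={"dev-home"}, known_regions={"region-home"})
TAKEOVER_EVENTS = [
    Event("login", T0, device_id="dev-unknown", region="region-far-away"),
    Event("address_change", T0 + timedelta(minutes=2)),
    Event("order", T0 + timedelta(minutes=5), amount=600.0),
]
BENIGN_EVENTS = [
    Event("login", T0, device_id="dev-home", region="region-home"),
    Event("order", T0 + timedelta(minutes=5), amount=25.0),
]
```

Run against `TAKEOVER_EVENTS` the rule scores 4 and holds the order; the benign session scores 0 and passes.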

I immediately call eBay. They’re friendly and assure me that if I call my bank, they’ll report an unauthorized transaction and send the money back. In the meantime, they’ll document the fraudulent transaction.

I call Chase Bank and they send me $594 and say they’ll take care of it. But later they reversed the charge. It’s enough for Chase that the seller of the iPad (nandle2011) can document that they successfully shipped an iPad to some address to close the case.

Just because a merchant shipped something doesn’t mean that I purchased it. The liability shouldn’t be on the merchant — it’s on eBay’s security team. But see how eBay gets off scot-free here.

In this day and age, the fact that web security for a major e-commerce site is so poor should be outright illegal. eBay has no way to prevent your account from being hacked and purchases made on your behalf.

But here’s another problem. The combined powers of your bank and eBay cannot protect you from unauthorized transactions made on eBay.

Documenting that merchants have delivered unauthorized items, and then calling it a day, is not enough. If someone steals your credit card and makes a purchase at Tiffany’s, you don’t ask Tiffany’s to document that they really delivered the thief’s purchase. It wouldn’t help you at all. You solve the credit card theft problem.

…But what if eBay has your credit card?

Chase told me to take this to court with the seller of the iPad. If I did that and won, the merchant would have to pay me, even though it probably wasn’t their fault. eBay would face no consequences.

It doesn’t make sense for ordinary people to have to go through this. It’s the sole function of companies like eBay and Chase to make sure that transactions are handled safely — and they have billions of dollars to support that function.

We need to fix web security in a standard way, so that big companies like eBay, Amazon and Google follow best practices — so that ordinary people like us don’t become victims. But we also need to do it in a way that new companies can leverage the same technologies and best practices when creating eCommerce platforms.