Mid-morning I received a text from the bank about a suspicious set of purchases on my credit card from my ebay account. I rang them back, and they cancelled three transactions of escalating value – a classic fraudster tactic – made from ebay today. I have two-factor authentication enabled, so to access ebay they must have hacked my gmail as well, as they didn’t send texts to my phone when buying, presumably counting on someone not checking their emails as often. Password changed on my email, and ebay. Ebay themselves don’t want to know, it would appear, as that is all they suggest doing. Bank are issuing new credit card and I’ve stopped all ebay transactions with them until I feel everything is safe again.
Anything else I should be doing, from those with a bit more knowledge of this?
Comments
Perhaps a tip for others is to have TFA on your phone via text rather than email, as once your emails are hacked they don’t need a device.
And very disturbing to see on your ebay account someone else’s searches.
I’ve just set up TFA on my eBay account. Thanks for the reminder, and sorry to hear that the bastards have hacked your account.
If someone else’s searches are present on your account after being hacked, if you’re not an eBay seller, just a buyer, close that account and open a new one. With TFA via text.
Agree with the point about having TFA as an SMS rather than an email.
It seems to be rife at the moment, I’ve had suspicious activity flagged on my primary email, gmail and Google accounts. One of the login attempts was in Kent, which seems unlikely.
I’m not aware of having a CoOp account, but I might have had an old M&S login.
Not great if you can’t access your phone for some reason. I was travelling in UK once and managed to drop my phone into the toilet! Needed to access my Gmail account for boarding passes etc. Tried to log in on a shared computer in hotel but it wouldn’t let me, and would only send a text to verify it was me to my phone! And of course I couldn’t call anyone to help.
If you want security, there are downsides. Bluntly, if you can access an authentication message from anywhere in the world, on any device, so can someone else.
I made my last EBay purchase about 6 weeks ago. I felt something wasn’t quite right as when I tried to reset my password it got complicated and at one stage I had a message saying I’d receive a link but the (part) phone numbers and email address shown weren’t mine. I subsequently did manage to change my password and there haven’t been any unknown purchases made but I made the decision to close my account down nevertheless
Also, use a password creator. The ones standard with Apple and Android will generate and store unique passwords that should mean that only the leaked service will be a problem. They are a pain but it’s a good habit to have.
It’s one of the advantages of picking an ecosystem and using it (the Apple password manager prompts passwords across all of my devices). The safer option becomes the easiest/laziest.
I never really got password managers.
Can you explain them? Is it that it creates a really unique complicated password for each and every account, but because they “store” them I don’t have to remember them?
If so, where are they stored?
You can have them just remember your passwords but you can also have them generate complicated random ones. They will store them and when you open the app or visit the web page it requires your Apple ID or Google ID.
On my iPhone, it works by facial recognition whereas on my MacBook, it does a fingerprint scan. It’s easier than typing but way more secure. On the Apple version, it will also create a unique one-off email address if you are registering to a not very well known website, which keeps your real email hidden.
I use face recognition and fingerprint on any platform I access if they have it.
I have yet to be scammed by using these protections.
They are a pain but worth it.
Bloody hell I thought, what is TFA and why don’t I have it?
Ah, 2FA – got that, use it all the time.
Well done for keeping up.
The Pasword Manager. That was a Harold Pinter play I once saw. There weren’t enough characters was my view.
I saw that but it kept pausing.
I’ve found the Apple password manager a bit unreliable in that if you generate the password on your phone it doesn’t necessarily make it over to the desktop or vice versa, even though iCloud is properly set up. So I often end up having to change it anyway.
I have noticed it a couple of times. Occasionally I get asked if I want to save it to Password Manager and I suspect I sometimes accidentally hit no with my fat fingers. It seems to be when adding a new password on my phone.
I assume it’s the same fat finger that orders random items on the Sainsbury’s order because I must have scrolled on the phone via the add 1 button.
As I understand it, a Password Manager is a member of one’s staff who simply writes down one’s passwords in a secret notebook and then presents the book to one when one requires it.
This is the case, is it not?
It is not. A Password Manager is a polite term for a big, burly chap who stands at the entrance to a drug den, ensuring that no narcs or coppers enter.
“Swordfish!”
I have one of these. It has a nice magnetic closure and a fancy graphic on the cover. It sits next to my computer and has every one of my passwords written in it except those that I’ve auto-generated from my browser and had the browser remember. It doesn’t need a ‘master’ password in order to open it and use it, because all I have to do is to reach over to my left. It’s what was once known as a ‘notebook’.
Right. I have one too. How creative are you on your passwords?
I have a couple of mental algorithms that generate pretty tough passwords with really minimal thought.
You can base them on a phrase or sentence that comes easily to your mind and which is unlikely to be guessed by any malfeasant swine, then have a standard set of embellishments to add to the generated password using keyboard characters that are not standard letters or numbers.
Once you get used to the procedure, you can rattle off a new secure password in seconds.
Never less than ten characters in length. A mixture of upper case and lower case letters, numbers and keyboard characters. A different password for every site and change the ones for sensitive sites every couple of months.
I use combinations of wacky Oz place names separated by numbers and symbols. The theory is that these would fox Chinese or Russian teenagers, and so far it seems to work.
I found using pseudonyms of musicians was useful Wingedeelfingerling and Bloomdidobaddegrasse, no spaces
With all the publicity on online safety over the past few years, probably the safest password to use these days is “password” – no one would ever expect anyone to use that (would they?)
Don’t forget to add 123 at the end to enhance security.
Hopefully it doesn’t get lost or stolen
I’m happy that Apple knows my passwords, via my fingerprint (MacBook) and face (phone), although I have seen enough thrillers around chopped-off fingers and dead people’s faces being enough. The only problem is that Apple don’t save the Apple password, and I can never remember that fucker, needing “forgotten your password” to navigate around that one.
Pop it on a post-it note and stick it on your laptop.
Thanks everyone. Most important takeaway is have your email as a unique password not used elsewhere, use 2FA via text etc. and don’t store your credit card on a browser. And buy things on a credit card online rather than a debit card. All standard moneybox live stuff.
Fully agree.
I have preached this to anyone that would listen for years – the moment your email is compromised then you are exposed to having your password reset on any account (a lot of folks don’t have 2FA). Your email should be your most secure account and yet a lot have a simple password and no added security as email providers don’t often prompt on security like the bank / Amazon / etc etc.
Why should you not store credit cards on a browser? Assuming your devices remain secure, what’s the problem?
Storing it on a browser is actually storing it in the retailer’s data centre. So, if your retailer has a data breach, it could be your data that’s breached. If you use Apple Pay, or Google Pay, the card details aren’t shared with the retailer and you have a second form of authentication (face or fingerprint) along with the card details.
Gotcha
Good call: I use Apple Pay, google pay and PayPal, wherever I can.
Me too. I wish it was more readily available than it is at present.
Apple Pay is fast becoming ubiquitous, I’ve found.
Aren’t the details scrambled though?
Possibly. Which is not the best answer.
A timely reminder. I had 2FA set up, but the phone number was out of date.
Phone number out of date? Is it the case that one gets a new one when changing providers? In Canada if you change providers they transfer your number over so it never changes unless you choose to. Also different here is that it has an area code based on where you live like landlines, unlike European cell numbers.
I thought I would just log in to eBay after reading the above and check my settings. All good, except that I had an email saying there had been a log in in Perry Barr, Birmingham and checking it was me. Seeing as I am in Devon, that doesn’t really work, does it?
In the past few days I’ve had reports of logins from both southern Kent and Hull, yet I’m fairly sure from the time stamps that they were me (in Cambridge).
I’ve changed all my passwords just to be sure, but something weird is going on.
It may sometimes depend on your ISP as to where you are seen to be logging in from. VPNs could confuse them as well.
And yesterday it was Worcester. On my own PC, not work’s VPN.
I barely leave the house, all very strange.
I had one of those too, somewhere down south.
Even better, have a different password on every single site you use.
E2A this was supposed to be a response to @moseleymoles
Just wait until the bastards have a quantum computer.
If you have a quantum jump computer, simply use “Taumatawhakatangiangakoauauotamateaturipukakapikimaungahoronukupokaiwhenuakitanatahu” as your password.
But you need a number and a special character, so here is my suggestion:
T@um@t@wh@k@t@ng1@ng@k0@u@uot@m@t3@tur1puk@k@p1k1m@ung@h0r0nukup0k@1wh3nu@k1t@n@t@hu
(Yes, I do know you are making a jest around a popular song.)
Th£L0n£R@ng£r
Good passwords need to be both hard to guess and difficult to crack with brute force software. An IT guy at work said that simple 8 or 9 character passwords (like “afterword”) can be cracked in seconds, and showed me on an app how something like “afterword!z!x” takes 2 days, or “@ft3rw0rd!z!x” 13 days. The winner was the shorter “ft3rw0rd!z!x” at 125 years.
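To make the brute-force point above concrete, here is a small added Python example (not from the thread or from the IT guy’s app) that estimates the raw search space of a password from the character classes it uses and converts that to a crack-time estimate at an assumed guess rate; it also checks a constructed mini-blocklist, which is why “password” and “password123” from earlier in the thread are rejected before any maths is done. The guess rate and the blocklist are assumptions for illustration. This model counts search space only: it cannot see that “afterword” is a dictionary word, so its numbers differ from the app quoted in the post, which evidently rates recognisable words lower. What it does show clearly is that every extra character multiplies the search space, which is why length beats substituting 3 for e.

```python
import math
import string

# Assumed attacker guess rate against an offline password hash (assumption,
# not a figure from the thread; real rates depend on the hash and hardware).
GUESSES_PER_SECOND = 1e10

# Constructed mini-blocklist of well-known weak passwords, purely illustrative.
COMMON_PASSWORDS = {"password", "password123", "123456", "qwerty", "letmein"}


def charset_size(pw: str) -> int:
    """Size of the smallest standard character pool covering every character in pw."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 ASCII symbols
    if any(c not in string.printable for c in pw):
        size += 100  # rough allowance for non-ASCII symbols such as £ (assumption)
    return size


def entropy_bits(pw: str) -> float:
    """Naive entropy: log2 of the search space, assuming every position is random."""
    return len(pw) * math.log2(charset_size(pw))


def brute_force_seconds(pw: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time to guess pw by exhaustive search (attacker finds it halfway on average)."""
    return (charset_size(pw) ** len(pw)) / 2 / rate


def human(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    units = [("years", 365 * 24 * 3600), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.2g} seconds"


def assess(pw: str) -> dict:
    """Blocklist check first, then search-space estimate for anything not blocklisted."""
    if pw.lower() in COMMON_PASSWORDS:
        return {"password": pw, "blocklisted": True, "charset": 0,
                "bits": 0.0, "seconds": 0.0, "crack_time": "instant (on blocklist)"}
    secs = brute_force_seconds(pw)
    return {"password": pw, "blocklisted": False, "charset": charset_size(pw),
            "bits": round(entropy_bits(pw), 1), "seconds": secs, "crack_time": human(secs)}


if __name__ == "__main__":
    # The passwords discussed in the thread, plus the "password123" joke.
    for candidate in ["password123", "afterword", "afterword!z!x",
                      "@ft3rw0rd!z!x", "ft3rw0rd!z!x", "Th£L0n£R@ng£r"]:
        r = assess(candidate)
        print(f"{r['password']:<16} charset={r['charset']:<4} bits={r['bits']:<6} {r['crack_time']}")
```

Running it shows that the 13-character “afterword!z!x” already sits far above the bare word, and that “@ft3rw0rd!z!x” gains only a little more from the digits, whereas dropping a character (“ft3rw0rd!z!x”) loses more than the substitutions add. Real cracking tools also try dictionary words with common substitutions, so a password built from a single word is weaker than this raw estimate suggests, and the thread’s advice of long, unique passwords held in a manager remains the better habit.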