Crushing the Web's dark forces


"Normal people don't get up in the morning and wonder how they can steal or trick someone.

"I won't rest until we can eliminate wrongdoing," says Alastair MacGibbon, Trust and Safety director at eBay Australia and New Zealand.

After 15 years with the Australian Federal Police, including a stint as director of the Australian High Tech Crime Centre, MacGibbon joined one of the world's largest Internet auction sites. In an interview with ZDNet Australia, he discusses eBay's fight against fraudsters, its relationship with law enforcement agencies and steps taken to educate users against the perils of identity theft.

In your capacity dealing with trust and security at eBay, describe a normal day at work?
MacGibbon: One of the constants in my job is liaison with a number of people and groups. This includes regular meetings and contact with law enforcement agencies, government and various departments within eBay. There are over 1,000 Trust and Safety employees at eBay and PayPal, all dedicated to making eBay one of the safest places in the world to trade, and I make it a priority to keep up to date with developments from around the world.

eBay has received a considerable amount of attention from the media (including broadcast) with regards to online auction scammers. Do you think these victims are shooting the messenger -- ie eBay -- instead of heeding the numerous warnings about payment procedures and security?
MacGibbon: Firstly, it's important to put fraud on eBay in perspective. The overwhelming majority of transactions on eBay are completed successfully. In fact, less than 1/100th of one percent of all items listed result in a confirmed case of fraud.

eBay is committed to providing a safe and secure environment for our members. Our Trust and Safety people, systems and technology are there to help minimise risk. We are also committed to providing ongoing consumer information, such as our Safe Trading Guidelines to educate Australian consumers on how they can protect themselves online. The Safe Trading Guidelines can be found in the Security Centre on eBay.com.au.

What is eBay doing to educate buyers on the dangers of online auction fraud?
MacGibbon: According to independent research commissioned by eBay, 67 percent of Australian Internet users believe that online shopping is becoming safer. The survey also revealed that Australians still hold a number of concerns, particularly over the security of personal and financial information. By comparison, online auction fraud was rated down the list in the survey.

That said, eBay undertakes many measures to educate consumers on how to protect themselves online.

Most recently we launched the e-Commerce Safety Guide, a comprehensive resource which is packed with useful information for consumers. The Guide is available from the eBay Security Centre and information covered includes:

  • Avoiding fraud
  • What to do if you think fraud has occurred
  • Sensible precautions for online shopping
  • Preventing identity fraud
  • Phishing, spoof and spam
  • Protecting your home PC (this section was contributed by AusCERT - the national Computer Emergency Response Team for Australia)
  • Eight reasons to feel confident buying on eBay.com.au
  • Recommended Australian resources

eBay recognises the importance of educating Australians on shopping safely online. There is a large amount of material on eBay, in the Security Centre, on trading safely. We also send our members regular updates and reminders on paying safely, avoiding fraud and other useful tips to help them have a safe and fun experience.

How much (in dollar terms) and how many subscribers have made claims to eBay's buyer protection program?
MacGibbon: I cannot put a dollar amount on this figure [but I can only tell you that less than 1/100th of 1 percent of all items listed result in a confirmed case of fraud].

eBay, like many other online properties, has been a target of phishing scams. What is eBay doing to nab these phishers?
MacGibbon: eBay works closely with law enforcement agencies around the world, as well as ISPs to combat phishers. Importantly, we also provide members with tools to protect themselves from phishing threats. This includes:

  • the eBay Toolbar featuring Account Guard (free to download) - which helps you to make sure you are on a legitimate eBay site. The toolbar helps recognise, reject and report potential spoof sites. The Account Guard feature turns green if you are on an eBay website, grey for unknown and red when users should use caution.
  • eBay's spoof reporting service - whereby if someone receives a suspicious email purporting to come from eBay it can be sent to spoof@eBay.com.au and we will confirm within 48 hours if it is a legitimate eBay email. PayPal has a similar service where people can send suspicious emails to spoof@PayPal.com

In February, eBay and PayPal together with Microsoft and Visa launched the Phish Report Network. The Phish Report Network allows any company being victimised by phishing attacks to immediately and securely report fraudulent Web sites to a central database operated by WholeSecurity (the leading provider of behavioural, on-demand endpoint security solutions). Other companies subscribing to the Phish Report Network can then access the database or receive real-time notifications of known phishing sites, enabling them to more effectively protect consumers by blocking these sites in their user-facing security applications.

eBay's Fraud Investigations Team -- does every country eBay operates in have one?
MacGibbon: There are over 1,000 Trust and Safety employees at eBay and PayPal operating in the 33 markets around the world.

What elements of law enforcement are entailed in your duties at eBay? For instance, Joseph Sullivan is the senior director of law enforcement relations at eBay in the US. Does eBay Australia have a similar post or do you play that role as well?
MacGibbon: This role is part of my existing responsibilities.

In what circumstance would you refer a case to the AFP (including AHTCC)?
MacGibbon: eBay refers federal or multi-jurisdictional (as in multiple Australian states) matters to the AHTCC. The AHTCC has its own case categorisation and prioritisation models for whether they take on an investigations referral, or pass it to one of their partner agencies. We regularly talk with the AHTCC on a range of issues as we engage government.

How does eBay weed out unscrupulous sellers on your site?
MacGibbon: We have zero tolerance for wrongdoing and are committed to making eBay as safe as possible for our members. We also work closely with law enforcement agencies to help them to bring offenders to justice.

eBay invests in the top people, systems and state of the art technology. As you will understand, we can't give out details of our security systems in order to stay ahead of criminals.

In reality, eBay is not a good place for people to attempt wrongdoing. Being an online business, activity on eBay is highly transparent and attempts to commit wrongdoing on the site can be easily spotted.

We also enlist the help of our 157 million members around the world. Our members inform us of any suspicious activity on site -- much like a neighbourhood watch program.

How many registered members does eBay Australia have and how many auctions are conducted daily on ebay.com.au?
MacGibbon: eBay has over two million Australian members, with just over three million unique visitors in March 2005 according to AC Nielsen NetRatings Netview.

eBay Australia's growth continues to be impressive. Some of our key highlights include:

  • According to AC Nielsen NetRatings Netview, eBay.com.au had approximately 3.6 million unique visitors in June 2005
  • There were over two million Australian eBay members as at October 2004, or one in every seven adult Australians
  • According to online measurement company Hitwise, eBay.com.au was Australia's third most popular Web site in June 2005 ranked by visits
  • Gross merchandise volume -- the total value of goods traded on eBay Australia -- was $600 million in 2004, up 110 percent on the previous year
  • There are over 2,000 Australians that make a full-time living selling on eBay.com.au (Kinergy, July 2004).

There have been numerous stories about the security aspects of browsers. Would you recommend Internet Explorer or other browsers such as Firefox and Opera for eBay members?
MacGibbon: eBay does not endorse any particular browser.

Is Linux really more secure than Windows?
MacGibbon: eBay does not endorse any particular platform.

What is the most challenging part of your job? What keeps you up at night?
MacGibbon: Wrongdoing upsets me. It did when I was in the Australian Federal Police for 15 years and upsets me still: normal people don't get up in the morning and wonder how they can steal or trick someone. I won't rest until we can eliminate wrongdoing.

Last updated 2 August 2005 10:50AM

Talkback 24 comments

    cool dr G -- 01/08/05 (in reply to #120119713)

    this is awesome! well done!

    open abt stats marketing guru -- 02/08/05 (in reply to #120119723)

    surprising to see how open AM is abt stats given ebay is a listed company. interesting...

    this guy is so PR tony -- 02/08/05

    for a veteran of 15 years, he has some really good marketing skills/speak

    Please choose a better interviewee for the others Craig Burton -- 02/08/05

    It is pretty clear this security person is executing the policy "don't give away more information than you have to".
    This doesn't make for a very useful or interesting article as it has neither a human element or any technical value.
    In fact, this approach is rather dubious as the world moves rapidly to open systems and standards. Can I ask if you can interview someone who provides security for a more "open" organisation?
    Best,
    Craig.

    Just PR for eBay Anonymous -- 02/08/05

    This might be interesting for people who know nothing about security.

    I felt it was more about making people "warm and fuzzy" about eBay and their online auctions.

    Where's Alastair MacGibbon? He's departed to don his Superman Cape and undies!

    pirated software - ebay security? PS -- 02/08/05

    Check this thread on ebay's forums about their allowing of masses of pirated software sold on ebay, and they call this security?
    http://forums.ebay.com.au/thread.jspa?threadID=100071539&tstart=0&mod=1122954689382

    New Zealanders know more than Australians Anonymous -- 02/08/05

    "eBay recognises the importance of educating Australians on shopping safely online"

    That must mean eBay doesn't think they need to educate New Zealanders. Which does fit the statistics.

    How the hell did Alastair get chosen as no.1 or at all... Craig S Wright -- 03/08/05

    I have known and dealt with Alistair from his time in the Feds, from the high tech crime days etc

    And.. Sorry Alistair, but you are ok-good as a manager, but there is no way I would ever think of classifying you as a security person in any sense of the word.

    Being an Ex cop has not given you the necessary skills in security.

    I agree. Anonymous -- 26/08/05 (in reply to #120119789)

    You'll notice that these guys seem to stay in a position for about 2 years.

    That's the length of time that passes until their BS starts to catch up with them and.. hey presto!, it's off to the new job!

    I know this guy too, from the AHTCC.... he is absolutely clueless.

    His skillset seems to consist of "Buzzword generation 101" and "Get as many tickets to present at conferences as possible so Industry thinks I know what I'm talking about and hire me for the big bux".

    Same goes for the Vectra woman... CLUELESS, it's all PR-speak, smoke and mirrors!

    Only decent one out of the lot is the ex FBI woman.

    Alistair email request David Jason -- 26/10/06 (in reply to #120119789)

    I need to contact Alistair MacGibbon Urgently and would ask for his email address or contact phone number.
    Thanks

    Why oh why. Anonymous -- 09/08/05

    Jo Stewart.
    Top 5 .. Missing 8%.
    There's down to 1% listed, so missing 8% is quite a lot....
    "don't use internet banking"... How many internet banking transactions are there each second, and just how many are corrupted?
    See things in perspective please.

    McAdam - Thank you. About time that there is some more focus on the ignorance problem in all of IT. No matter how good a security company, banking, whatever you are, you can't really do anything about a user that opens malicious code from an email.
    Basically the email asks
    "Is it OK to open this potentially computer deadly virus"
    And without giving it a second thought users press
    "I'll give it a try"
    ........

    Soon the biggest threat is not crackers (not hackers), but those wannabe IT "professionals" selling expensive solutions to unknowing companies.
    ........

    heh Anonymous -- 26/08/05 (in reply to #120119986)

    soon this is the biggest threat? this is what IT is based on. now give me some money.

    Crushing the Web - Day 3 Anonymous -- 10/08/05

    Support comments from anon on Aug 9 - especially the comment "those wannabe IT "professionals" selling expensive solutions to unknowing companies".

    I don't think Rattray has much experience based on the question responses, it sounds more like marketing speak and look at me than real security speak.

    Yep. Anonymous -- 27/08/05 (in reply to #120120015)

    Ratray would have no idea.

    In fact, only Day2 and Day5 appear to have any idea at all.

    This story is a farce.

    None of these clowns would be permitted into the carpark of where I work.

    And yes, we do know of 3 of those people, and their reputations amongst those "in the know" are very poor.

    ZDNet, next time try to find some real IT Security experts, not just the first 5 glossy brochures you got in the mail that morning.

    Agreed Jane B -- 12/09/05 (in reply to #120120464)

    I work within the B&F industry and it appears like many service providers, Jo and the others interviewed have limited practical security experience. The responses given appear to be very research orientated, not experience based. Agree with other comments, please consider better people for interviews ZDNet.

    what a load of cynical PR speak!!!!! Anonymous -- 19/08/05

    what a load of cynical PR speak!!!!! This is why we have all learned to mistrust the talk from big business.....it's so predictable and like the complaint mechanisms on eBay it just goes around in ever diminishing circles.

    Oh Please...... Michael Davies -- 15/09/05

    Don't use the internet for banking or credit cards for purchases....Oh please....You must not sleep at all then....

    Her recommendation must be to go back to non technology based businesses and use piggy banks and bank books for saving our money and no doubt use cash for everything.

    Why not discuss how to manage the risk then? That would be more interesting.

    Disappointing article.

    Laura Chappell is one of the most talented security experts - Great Interview Robert Becker -- 24/10/05

    I have had the pleasure to attend a few of Laura Chappell's training sessions, and can tell you that she is by far the most knowledgeable and experienced Digital security professional I have ever met. If you ever get the chance to attend one of her sessions, do - Laura is an experience. If you need to learn how to protect your computer infrastructure, Laura's training is invaluable, and the best bang for your buck. If Laura is fighting against Internet predators and child pornography, then you can bet that she will make a difference.

    Ms. Chappell Ron L Jennings -- 25/10/05 (in reply to #120122394)

    I want to extend a huge thank you to Ms. Chappell. I have tried to start a group called Kid Safe Internet for two years. That is why the article caught my eye. I hate people who abuse kids and pets and I will do everything within my power to stop or catch anyone who abuses them.
    Perhaps I should tell a little about myself so this post will have all the dots connected when I am done.
    This post may be a bit long, so if you are one of those who can't stay interested for more than 60 seconds, you might want to stop reading now. Otherwise, I would like to thank you for reading my post on how I helped catch a sexual predator. I will do my best to describe months of work in as few words as possible.
    I am not as well trained as some but I have worked hard to train myself and find the best books on computer crimes.
    I belong to CSI and I have Microsoft, Cisco, etc. training in computer security. In the mid seventies my uncle owned a bounty hunting business. He taught me how to think like the people we were hunting.
    It was that training that led me to this scumbag's favorite place to lure children. It started out with me tracking a hack in my system. I was very new to computers at the time and my hack knew this. He would leave a trail just to show me I was unable to catch him.
    I had a lot to learn if I was going to get anything on this guy. His vanity and lack of respect was enough to keep me going. I found he would hide his program in MSFT Office file downloads and wait for e-mails to be sent to certain businesses. I never tried to just get him out of my system. I needed to learn how he was getting the data he wanted. He would even send email and IMs to me bragging on how he could steal information from Doctor lists, Drug Stores, CPA firms etc. That's when I decided to try to befriend him. I told him that being a good guy was not paying well and that I would like to learn from someone as good as him about how to steal information. He was so blind in his vanity that he never suspected a thing. To make a very long story short, he led me to an underground part of the net I had never seen before. There were rooms for trading children pics doing anything and everything. Rooms where parents wanted to trade kids and would describe the child they had to offer and what they were looking for. I was shocked at how many members these rooms had. The biggest shock was how many members were women.
    I called the police department and was only told that I was either a part of it or I should just stop going there. I could not believe what I was hearing.
    My hacker would ask me if I had ever "caught fresh white meat?"
    That is when I knew I had to do something. I knew I should CMA, so I told a few people what I was doing and why. Then I logged on to a different computer, went to where I thought this creep would be "trolling" as he called it. I then pretended to be a shy young girl who was unhappy with my home life. He fell for it.
    He asked me to go into a private chat that was hosted by a well known ISP.
    That's when I used what little computer protocols I knew to contact the military or anyone with authority that was listening. He is now in a federal prison. Believe it or not that creep was in the service.
    I hope to one day be half as good as Ms. Chappell. Working together we can keep our kids safe. They count on us to protect them. Let's not let them down.

    Dull read Anonymous -- 27/07/06

    This story was dull, and the questions terribly lame.
    It gave us no information at all, and security 'experts' just stonewalling with 'no comments' is not worth the pixels it is written on.
    Do better than this PLEASE!

    You are arguing the other party's case! Anonymous -- 21/04/08

    If fraud makes up only 1/100th of 1%, why are you breaching trade practices? You talk about stamping out wrongdoings, yet you yourself have set in motion a serious violation of law... third line forcing is unlawful, and no amount of sabre-rattling will change the fact that you are attempting to operate outside the law!

    So what happened to ethics? Anonymous -- 26/06/08

    I see fraud does little to stop notoriety. Ms Steward Rattray should learn to write her own material and not steal copyright.

    The article “by” Jo Stewart-Rattray titled “Information Security Governance: the nuts and bolts”.
    http://www.net-security.org/dl/insecure/INSECURE-Mag-14.pdf is a perfect example.

    I quote “by” as this publication is significantly plagiarized. Over 25% of the document is directly copied and a large amount is paraphrased without accreditation. I have read the majority of it as the article in Information Systems Control Journal, Volume 5, 2001, “Harnessing IT for Secure, Profitable Use” by Erik Guldentops, CISA. Basically, the article is stolen. She has claimed the work of another as her own. So much for running a security company.

    Whatever happened to ethics in IT Security?

    Plagiarism is theft. It is a criminal copyright breach. This is fraud.
