The INFORM Consumers Act is back in the news as large retail chains push to require online marketplaces to collect, verify, and disclose certain information about third-party sellers, in order to help combat the sale of stolen goods on their platforms.
Home Depot VP Asset Protection Scott Glenn seems to be taking a leading role in the debate, arguing that Amazon, eBay and Facebook should have the same responsibilities to vet their vendors as Home Depot does.
"We don't want people to be selling anonymously," said Scott Glenn, who leads asset protection at Home Depot. "If we as Home Depot have to understand who our suppliers are, then Amazon, eBay, whoever is selling should also have to understand who their sellers are."
In an interview with CNBC, Mike Carson, director of eBay's regulatory policy group, defended eBay's track record and pointed to the PROACT (Partnering with Retailers Offensively Against Crime and Theft) department as their top crime fighting initiative.
As PROACT team lead, Carson says eBay takes reports of stolen items very seriously.
"The key is getting that intelligence to recognize when an item is stolen..."
"...if people are hearing stories about stolen goods being sold on eBay, if they're receiving stolen goods, and then get contacted by law enforcement, we're certainly going to lose customers but we also have risk models that will detect things that look suspicious."
It's great to hear that eBay recognizes the serious harm to their brand reputation caused by stolen goods on the marketplace, but I have to wonder where that "go get 'em" attitude was from PROACT 2 years ago when I attempted to get their assistance with over $160,000 in goods stolen from my then employer and sold on eBay.
The only difference is that, rather than being a brick and mortar smash and grab, the theft was the result of a very sophisticated triangulation fraud scheme.
Triangulation fraud occurs when a buyer makes a genuine purchase on a third-party marketplace, but the seller fraudulently drop ships the product from another merchant using a stolen credit card.
Here's how it works:
First, fraudsters create listings on eBay for hot, in-demand items they do not have in their possession, often at prices well below regular retail.
In my experience, the selling accounts used for this fraud appear to be once-legitimate accounts that have been hacked/hijacked and taken over by the bad actors running this scheme.
Then, an unsuspecting buyer sees the listing and purchases from that eBay listing.
The fraudster goes to a legitimate ecommerce website selling the item, places an order to ship to the unsuspecting buyer, and uses a stolen credit card for this transaction.
The ecommerce site ships the order, not realizing it was fraud until weeks later when they receive a chargeback from the actual credit card holder. In most cases, the credit card company will side with the account holder and take the money back from the merchant - leaving them without the money or the product.
Cyber security expert Brian Krebs did a fantastic breakdown of triangulation fraud on eBay back in 2015. Interestingly, the graphic used in this article actually came from an eBay help page at the time - which shows eBay has been well aware of this issue for years.
When this type of fraud hit the company I worked for in 2020, I personally reported over 150 suspected hijacked accounts involved to eBay. The reports were met with promises of action but only about 2/3 of them were ever shut down. Some are still actively selling today over 2 years later. 🤯
I submitted a report about the fraud to my state Attorney General's office, who responded:
In regard to eBay, our office has set up a complaint process with the company. Therefore, we are forwarding your correspondence to a representative of the company and asking them to respond to both you and our office upon its review.
That complaint process turned out to be PROACT. eBay responded to the AG's office saying they would reach out to me and that was apparently enough to get a rubber stamped "case closed."
Unfortunately, despite eBay's promises to help, PROACT turned out to be anything but proactive - they stonewalled, pretended to send emails that "must have gone to the spam folder" (they didn't), and then eventually the agent assigned to my case just stopped responding at all.
I had done a very deep dive investigating this fraud in my role for the company in an effort to try to stop the losses and offered everything I had found to PROACT on a silver platter - including a list of tracking numbers for all the fraudulent purchases in a 6 month timeframe that eBay could have easily cross referenced in their systems to identify potentially hundreds of hijacked accounts used for fraud on their platform.
To my absolute and utter astonishment, PROACT declined to accept any of the information I offered, assuring me they had their own proprietary algorithms to flag fraudulent activity on accounts and appropriate action would be taken, which clearly never happened.
What happened to the "partnering with retailers" part of that acronym?
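As an added illustration, not part of the original post and not eBay's actual process: the tracking-number cross-reference described above could look like this, assuming a hypothetical export of marketplace orders with seller_id, order_id and tracking fields. All sample values are constructed.

```python
from collections import defaultdict

# Constructed sample data. The record layout is a hypothetical marketplace
# export, not a real eBay schema; every value below is made up.
MERCHANT_FRAUD_TRACKING = [        # shipments later charged back to the merchant
    "1Z 999 AA1 0000 0001",
    "1z999aa100000002",
    "1Z999AA1-0000-0003",
    "1Z999AA100000004",
]
MARKETPLACE_SHIPMENTS = [          # tracking numbers sellers uploaded to orders
    {"seller_id": "seller_a", "order_id": "A-1", "tracking": "1Z999AA100000001"},
    {"seller_id": "seller_a", "order_id": "A-2", "tracking": "1z999aa1 0000 0002"},
    {"seller_id": "seller_a", "order_id": "A-3", "tracking": "1Z999AA100009999"},
    {"seller_id": "seller_b", "order_id": "B-1", "tracking": "1Z999AA100000003"},
    {"seller_id": "seller_b", "order_id": "B-2", "tracking": "1Z999AA100007777"},
    {"seller_id": "seller_b", "order_id": "B-3", "tracking": "1Z999AA100007778"},
    {"seller_id": "seller_b", "order_id": "B-4", "tracking": "1Z999AA100007779"},
    {"seller_id": "seller_c", "order_id": "C-1", "tracking": ""},
]

def normalize(tracking):
    """Drop spaces/dashes and fold case so copies from e-mails and exports match."""
    return "".join(ch for ch in (tracking or "") if ch.isalnum()).upper()

def cross_reference(fraud_tracking, shipments):
    """Return (sellers with matching shipments, fraud tracking numbers never seen)."""
    fraud = {normalize(t) for t in fraud_tracking} - {""}
    totals, hits, seen = defaultdict(int), defaultdict(list), set()
    for rec in shipments:
        totals[rec["seller_id"]] += 1
        key = normalize(rec.get("tracking"))
        if key in fraud:
            hits[rec["seller_id"]].append(rec["order_id"])
            seen.add(key)
    sellers = [
        {"seller_id": s, "hits": len(o), "total": totals[s],
         "share": round(len(o) / totals[s], 2), "orders": o}
        for s, o in hits.items()
    ]
    # Most matches first; share shows how much of the account's volume is implicated.
    sellers.sort(key=lambda r: (-r["hits"], r["seller_id"]))
    return sellers, sorted(fraud - seen)

if __name__ == "__main__":
    flagged, unmatched = cross_reference(MERCHANT_FRAUD_TRACKING, MARKETPLACE_SHIPMENTS)
    for row in flagged:
        print(row)
    print("not found in marketplace records:", unmatched)
```

Each flagged seller account is a lead for takeover review rather than proof of wrongdoing, since the named accountholder may be a victim of the hijacking.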
I've since moved on from that position, so I'm not sure if the fraud continues against that specific company, but I've had several merchants reach out to me personally after they have experienced the same nightmare scenario.
Here's what Scott Glenn from Home Depot and any other merchants big or small need to know - triangulation fraud is widespread and ongoing on eBay and any business with an online presence is a potential target.
Glenn told CNBC brick and mortar theft to resell online is so prevalent that Home Depot must lock up any power tools in the store over $100 to try to deter criminals. I have bad news for him - those same tools are being stolen off Home Depot's virtual shelves by triangulation fraud, and likely in far greater numbers.
The company I worked for sold car care and detailing products, including buffers made by DeWalt and Milwaukee. Several of the fraudulent accounts I found selling those items also had other power tools listed and feedback from buyers specifically stating an item they purchased had been shipped to them from Home Depot using a stolen credit card.
Here's a report from a user on the eBay sub-reddit who I believe also likely experienced triangulation fraud that targeted Home Depot.
If either Mr. Glenn or Mr. Carson is interested in more information about this kind of fraud still operating on eBay targeting Home Depot and others, I'd be more than happy to discuss my experiences - contact info here.
As I said back in December, I believe the INFORM Consumers Act is a good step in holding marketplaces accountable for illegal activity on their sites.
However, by focusing exclusively on requiring transparency and disclosure of accountholder information, they've missed an important piece of the puzzle - in some cases the account may be hacked/compromised or using stolen identity information and therefore the person whose name and contact information is being used may actually be a victim, not an accomplice.
For example, the UK already has regulations requiring eBay to disclose the name, address and contact information for business accounts. I've seen many UK scam listings where the fraudster has compromised and taken over an account, created thousands of fraudulent listings and every single one of them still has the legitimate accountholder's contact information at the bottom of the listing.
Requiring a legitimate businessperson to provide and disclose contact information doesn't protect anyone if the account has been hacked and is being used fraudulently in the commission of a crime. Hacked accounts can be used to fence goods stolen from brick and mortar retail stores just as easily as they can be used for other types of online fraud.
Stricter vetting and Know Your Customer requirements are a good step, but by no means a cure-all for online crime. These marketplaces must be held accountable not just for vetting seller information, but also for the safety and security of their own websites to prevent hijacked accounts being used for all manner of fraud and criminal activity.