Discussion Forum: All Replies to Message 1460652

Author: waltzking | Posted: Mar 21, 2024 19:16 | Subject: Re: WARNING! Login from new device phishing emai | Viewed: 65 times | Topic: Problem

| As someone not in any LEGO groups (or at least not using my BL email address),
and am still getting the scam emails, I am certain it is related to either the hack
or fake contact/orders on BL that can harvest seller emails. Had a lot of these
orders, immediate cancel request, and no contact thereafter a few months back.
I know it was to phish my seller info as often as the pattern was repeated exactly.
But even messages we reply to can do this as the system still links our email
to those. It really should not do this unless an order is placed, or even confirmed
as paid by the system (instant or seller marked). Simply put, contact info should
remain better protected until a transaction is deemed legit. BL is largely an
open book for all seller info if the party wanting to phish it knows how the
site works.
Waltzking

Author: chetzler | Posted: Mar 21, 2024 19:34 | Subject: Re: WARNING! Login from new device phishing emai | Viewed: 69 times | Topic: Problem

| In Problem, waltzking writes:
| As someone not in any LEGO groups (or at least not using my BL email address),
and am still getting the scam emails, I am certain it is related to either the hack
or fake contact/orders on BL that can harvest seller emails. Had a lot of these
orders, immediate cancel request, and no contact thereafter a few months back.
I know it was to phish my seller info as often as the pattern was repeated exactly.
But even messages we reply to can do this as the system still links our email
to those. It really should not do this unless an order is placed, or even confirmed
as paid by the system (instant or seller marked). Simply put, contact info should
remain better protected until a transaction is deemed legit. BL is largely an
open book for all seller info if the party wanting to phish it knows how the
site works.
Waltzking
|
Is there any need at all for buyers/sellers to see each other's email contact
info even on legitimate orders? Maybe I've been using instant checkout and
the pay now button for so long I have forgotten, but it has been a while since
a buyer has made a payment directly to my email address. Since BrickLink implemented
sales tax collection, all (at least all of my) payments are negotiated through
PayPal Marketplace.
Maybe other payment methods require an email address.
I know some people send photos via email (if only we could attach photos to a
BL message!).
I'd be perfectly happy to have "public-facing email address" be an
option that I can enable/disable at will.

Author: waltzking | Posted: Mar 21, 2024 20:06 | Subject: Re: WARNING! Login from new device phishing emai | Viewed: 62 times | Topic: Problem

| In Problem, chetzler writes:
| In Problem, waltzking writes:
| As someone not in any LEGO groups (or at least not using my BL email address),
and am still getting the scam emails, I am certain it is related to either the hack
or fake contact/orders on BL that can harvest seller emails. Had a lot of these
orders, immediate cancel request, and no contact thereafter a few months back.
I know it was to phish my seller info as often as the pattern was repeated exactly.
But even messages we reply to can do this as the system still links our email
to those. It really should not do this unless an order is placed, or even confirmed
as paid by the system (instant or seller marked). Simply put, contact info should
remain better protected until a transaction is deemed legit. BL is largely an
open book for all seller info if the party wanting to phish it knows how the
site works.
Waltzking
|
Is there any need at all for buyers/sellers to see each other's email contact
info even on legitimate orders? Maybe I've been using instant checkout and
the pay now button for so long I have forgotten, but it has been a while since
a buyer has made a payment directly to my email address. Since BrickLink implemented
sales tax collection, all (at least all of my) payments are negotiated through
PayPal Marketplace.
Maybe other payment methods require an email address.
I know some people send photos via email (if only we could attach photos to a
BL message!).
I'd be perfectly happy to have "public-facing email address" be an
option that I can enable/disable at will.
|
Indeed, there is very little reason it needs to be shared at all. eBay and Amazon
(and other sites too) never share seller address with a buyer, and especially
not their emails. Email addresses can be handy at times (pics, custom instruction
files, etc.), but should be a voluntary thing to give, not granted without our
active consent to each case. It is a BIG security issue (and one I've brought
up to support numerous times) and what leads to all the recent spam and phishing.
If such non-imperative info was hidden, there would be no way to harvest it
for these attacks, barring an actual database hack. Sadly it all seems to fall
on deaf ears with the community suffering the consequences.
Waltzking

Author: randyf | Posted: Mar 22, 2024 03:06 | Subject: Re: WARNING! Login from new device phishing emai | Viewed: 59 times | Topic: Problem

| In Problem, chetzler writes:
| In Problem, waltzking writes:
| As someone not in any LEGO groups (or at least not using my BL email address),
and am still getting the scam emails, I am certain it is related to either the hack
or fake contact/orders on BL that can harvest seller emails. Had a lot of these
orders, immediate cancel request, and no contact thereafter a few months back.
I know it was to phish my seller info as often as the pattern was repeated exactly.
But even messages we reply to can do this as the system still links our email
to those. It really should not do this unless an order is placed, or even confirmed
as paid by the system (instant or seller marked). Simply put, contact info should
remain better protected until a transaction is deemed legit. BL is largely an
open book for all seller info if the party wanting to phish it knows how the
site works.
Waltzking
|
Is there any need at all for buyers/sellers to see each other's email contact
info even on legitimate orders? Maybe I've been using instant checkout and
the pay now button for so long I have forgotten, but it has been a while since
a buyer has made a payment directly to my email address. Since BrickLink implemented
sales tax collection, all (at least all of my) payments are negotiated through
PayPal Marketplace.
Maybe other payment methods require an email address.
I know some people send photos via email (if only we could attach photos to a
BL message!).
I'd be perfectly happy to have "public-facing email address" be an
option that I can enable/disable at will.
|
You have some very good points here. The whole communication architecture on
BrickLink is definitely in need of some upgrades. They may want to start looking
into it sooner rather than later.
For example, every transaction I have on eBay has everything done through the
eBay platform. There is never any communication outside of the platform between
myself and anyone that I purchase something from. In that way, the user on the
other end remains completely anonymous. It would be a good model to look into.

Author: yorbrick | Posted: Mar 22, 2024 03:21 | Subject: Re: WARNING! Login from new device phishing emai | Viewed: 62 times | Topic: Problem

| |
You have some very good points here. The whole communication architecture on
BrickLink is definitely in need of some upgrades. They may want to start looking
into it sooner rather than later.
For example, every transaction I have on eBay has everything done through the
eBay platform. There is never any communication outside of the platform between
myself and anyone that I purchase something from. In that way, the user on the
other end remains completely anonymous. It would be a good model to look into.
|
That is partly so they can monitor communication and partly (probably mostly)
to stop deals being done outside of eBay. Anonymity is just a by-product. Here,
any businesses selling on eBay (or elsewhere) are required to have their identity
and address shown before a buyer decides to buy.