Hopefully you saw the recent announcement from John Canfield about some new security measures we're putting in place to combat the fraudsters who try to break into eBay member accounts (usually after a successful phishing attempt). You can read the whole text here, but in a nutshell, we're going to start noting which computers members typically use to sell and buy. Then, around June, when a seller goes to list an item, we'll make sure they're using a trusted computer. If they're using one we've never noted before, we'll take a step or two to confirm their identity. This will usually be done via an automated phone call to a registered phone number. (As John mentioned, we hope sellers will take time to update their registered contact information and consider registering a cell phone as a secondary number - just in case we need to confirm their identity while they're on the road.)

This type of authentication is being used by other online industries, as well. For example, I need to answer security questions every time I access my bank account online from a computer the bank doesn't "recognize." And I know several friends who've received phone calls from their banks to verify their identity when they used their credit cards for an unusually large amount.

We've been doing some checking around our forums, and the reaction to the news has been pretty positive - a lot of "this is a step in the right direction" and "glad eBay is doing something about security"-type comments. We also saw some good questions, so we sent them over to John Canfield so he could provide some more detail.

John was part of this morning’s Town Hall event, and answered a few questions about this initiative – the archives will be available soon at www.ebay.com/townhall if you want to listen in.  His team will also be hosting an online workshop on May 6th to go over the program in more detail - stay tuned to the Announcement Board for the exact time. And without further ado, here are John's responses:

Q: What if I use multiple computers for my business - will I have to verify my identity every time I use one or the other?

A: We will definitely support multiple computers. During this information-gathering stage (now through June, roughly) we'll be able to tell which computer(s) you typically use to buy or sell, and as long as you're using one of these, you won't need to verify your identity. You also will be able to access multiple, different accounts from the same computer (such as in the case where a business has multiple IDs).

Q: How will you track which computer I'm using?

A: We generate a unique ID that identifies the computer you've used to connect to eBay. This unique ID is stored on your computer using cookies and Flash objects so that the next time you visit eBay, we're able to confirm that you're using the same computer. 

This unique ID doesn't include any personal information, such as your email address or eBay transactions, and won't be shared with anyone else.

Q: Will people who do not have a cell phone, or other alternate number that can be used when away from home, be able to verify their identity in some other way?

A: If you're away from your normal computer, you will be able to enter the telephone number where you are as part of the identity confirmation process. However, you'll also need to to answer your secret question to do so, as part of an additional security step. If you're not able to provide another number (for example, because you don't have a phone handy), you can use our Live Chat function so that one of our Customer Support Reps can verify your identity.

Q:  Why not just use a "challenge question" instead of phone calls?

A: Some businesses use challenge questions, some use phone calls, and some use a combination. We chose the phone method because we felt it provided the right level of convenience and security for the eBay Marketplace.

Q: What about ISPs that assign a different IP address for each session, or those that change the IP address each time the modem is rebooted?

A: We use a number of different variables to note what computer you buy and sell from. You won't need to verify your identity as long as you're using your normal computer(s), even if your IP address changes.

Q: How will listings submitted through a 3rd party listing service be handled?

A: You should not be affected unless you need to authorize 3rd party access to your eBay account. During that process, you will need to go through identity verification if we do not recognize that computer.

Q: Are you going to put similar security measures on bidders?

A: Right now this will only affect selling. But depending on the results of this initiative and changing fraud patterns, we may apply this program to other eBay activity in the future.

Q: Won't bad guys just change the phone number as soon as they take over an account so they then receive the phone call?

A: If we see that you've just changed your contact details (or basically any time we feel that the phone number may not actually be the seller's), we will ask you to answer your secret question as an additional security measure. This will prevent fraudsters from changing your account details and using the new info to confirm an identity.