Chapter 10: eBay, PayPal, Escrow and Your Security
eBay will undoubtedly be one of your channels. I tell you how to minimize everyone’s risk through escrow, spoof prophylactics, PayPal verification, and so on.
With the unbelievable market size and growth rate of new customers, eBay will be one of your important sales channels—if not the most important channel. In fact, it is arguable that your website should support your eBay sales—instead of the other way around!
eBay is the subject of many books—10,643 on Amazon, to be exact[1]! And there are hundreds of active categories. Here is an example:
As you can see, the main categories are titles like “Antiques,” “Computers & Networking,” and “Music.” Underneath the Antiques category are subcategories, including Architectural, Asian, Furniture, Rugs, and so on. Scroll down the page and click on “See All Categories.”
eBay Basics—Being an eBay Category Killer
There are lots of eBay books out there, and as we discussed in Chapter 1, Maui CEO is really targeted and specific. To be an “eBay Category Killer” means to be the dominant seller in that category or subcategory. You are able to dominate because you have set up a low-price structure to be the low-price leader in the category. You offer reasonable customer service and reasonable product choices, but market-leading low prices. It is that simple.
Instead of covering the topic generally, here are my specific suggestions:
- Outsource the development of your eBay selling format just as you did your website. Have the fonts, colors, logos, and structure match your website. The auction text must look professional.
- Integrate interactivity and functionality into your auction text. For instance, have someone on eLance create a JavaScript script (or one that takes advantage of Adobe AIR, see below) that calculates shipping to each and every state.
- Start your auctions out at $100, and sell with no reserve. Remember, no one can touch your cost. Selling with no reserve gets more bids on the auction, which raises the final sales price. Also, selling lots of expensive, big items bumps up both the number and credibility of your positive feedback score. Your goal is to be an eBay PowerSeller[2], because PowerSellers clearly get higher product margin.
- Pay attention to the day and time of auction ending. Depending on the product you’re selling, I believe that you could consistently get better action on certain days. When I ran my last business, I liked auctions to start and end at 11:00 a.m. PST, so that all primary U.S. time-zones were in play; everyone has ready access to the web at work or home; and buyers aren’t busy picking up kids from school.
eBay Data-Mining
Now, as a result of modern advances, we can analyze actual eBay sales data to give sellers empirically-based advice on auction data. Let’s look at historical sales data on “grandfather clocks” between Apr 6 and July 4, 2007[3]. Here’s just some of the information that is available:
<grandfatherclocks.tif>
Pretty neat, huh? Now, knowing the average sale price was $723.68 helps your knowledge of what’s happening—and where you stand from a competitive standpoint. Let’s look at what else I could provide you:
- Featured Listing: Paying eBay $19.95 to have your grandfather clock featured was a bad investment. In fact, not one of the grandfather clocks sold during this 90-day time-frame paid for either “Featured” or “Gallery Featured” options. I just saved you some money, right?
- Multi-Listing: Paying to have your item “multi-listed” was probably a bad investment as well. In this data set, of the 202 sellers who chose this option, only 78 auctions ended in a sale. This sell-through percentage of 38.61% is just barely higher than the category average of 33.53%. OK, I just saved you two listing fees and more! However, IF the data went the other way, namely, sales data seemed to justify the additional expense of multi-listing, I could tell you that the two categories with the highest sell-through percentage were Antiques (where you listed it originally) and Collectibles, where the sell-through percentage was a nice 69.91%.
- Sell on eBay Stores or via eBay Auction? As it turns out, only 12.35% of grandfather clocks sold through the eBay Store, but the lion’s share of sales happened via Bid Auctions (84.74%). Buy It Now (11.21%) and Live Auctions (9.48%) weren’t productive, but giving customers a second-chance offer was a winner at 100% redemption.
- Auction Duration: the eBay data-mining tells us that listing your grandfather clock for either five or seven days had about the same success (54%), but three day auctions increased the sell-through (61.33%) while ten-day auctions lessened your chances of success (26.79%).
- Best day and time to have auctions close: by crunching the data, in my category and with the product of choice, I can affirmatively tell you that your grandfather clock auctions should close on Sunday between 6:00-7:00 p.m. That is, holding all else constant, grandfather clocks had the highest sales success rate if they ended within this time window.
Wow! If I only had this kind of data, well, my life would’ve been much easier. I actually had to pay two employees about three weeks of pay each to gather this kind of information manually (and then I still didn’t have the granularity available now).
To see what kind of eBay data-mining is available, visit mauiceo.com, and click on the eBay Data Mining link. Our data license costs five-figures, not counting our evaluation, strategy and formatting time, so we have to charge for this service. However, for the first 100 buyers of this book, we provide a one-time discount of 50%. Enter promo code 91176.
What a summary could look like:
<bestwaytolist.tif>
eBay’s New Interface
Success on eBay is based on a combination of factors, and like a river, is constantly flowing.
Note that at time of printing, eBay is changing their entire front-end interface. Called “San Dimas,” the interface runs like a desktop application as opposed to a browser. San Dimas will provide a new search interface, different ways to bid, access to your personal eBay history, and so on. Written on top of a cool Adobe application, this will change your approach in the following ways:
- Watch your Google advertising spend very, very closely when eBay decides to launch this beyond the Beta testing period. Google and eBay really don’t like each other, but depend on each other in many ways. For instance, it’s rumored that eBay is the biggest paying advertiser on Google. San Dimas theoretically gives eBay more security (because it’s not running in the oft-attacked browser), but I see ways that neither Google nor Microsoft’s interests are furthered by San Dimas’ success. So just watch your Google ad spending tightly at time of San Dimas GA launch.
- Any automation software, whether in-house or in-market, might not work correctly.
- Look to take advantage of the new platform’s capabilities—and circumnavigate or mitigate its weaknesses. For instance, the platform, called Adobe Integrated Runtime (“AIR”), enables very rich application development. When I saw a demo in June 2007, the platform really emphasized the visual. So, have your eLance developer do something cool and useful with it. There is a Software Development Kit already available, but of course if your developer didn’t know this, use a different developer for this project. I mentioned weaknesses earlier, and since the final product hasn’t been released, it’s difficult for me to say exactly what the weakness will be. However, if this is good for buyers, it may not be good for sellers. For instance, if the application allows “competing” products to be shown on the same page, this may or may not be a benefit to you—haven’t sellers already been cannibalized and commoditized enough?
Academics would characterize the majority of eBay auctions as a “B to C” model, or business to consumer. My brother calls eBay an “S to S” model, or shyster to sucker. As buyers have learned, fraud is rampant. There are at least three ways to protect yourself and your business: escrow, spoof prophylactics, and verification. I will discuss each of these in turn.
Escrow
Online escrow is very similar to offline escrow. Buyers send money to a third-party (the escrow company), and receive undamaged merchandise before the seller is paid. For sellers, escrow can be considered as a cost of doing business, and theoretically helps protect sellers from credit card fraud.
Instead of explaining the process here, let me refer you to the current online market leader for this service: Escrow.com.
Once familiar with the details, let me give you a few suggestions:
- Make escrow part of every transaction, by default. This adds a connotation of security to your site and processes.
- Try to get customers to opt-out of the escrow by offering them a 5% discount in the checkout process. Escrow has a “time value of money” cost to you as the seller, and you’d rather get payment through an online bank wire anyway.
- If an escrow transaction is used, make sure outbound shipping is not refundable, and set up a reasonable charge for return shipping.
These terms are set up by you as account defaults with Escrow.com. Of course, if you worry about a customer for any reason, consider escrow. My experience shows, however, that from a legitimate seller’s perspective, escrow heavily favors the buyer’s interest.
Returns Policy
I talk about returns here because the use of escrow requires a well-defined return policy. Spend a couple hours thinking through your return policy. An old rule of thumb states that a return costs a business three times what was spent to ship the item. Since your Jacuzzi will cost $400 to ship, for instance, you can see that too many returns will quickly kill your business.
One idea is to require the buyer to pay half of outbound shipping in a return. For instance, if you charged them $500 for shipping the product from your warehouse to their door, the buyer would have to pay $250 to return the item. This policy balances the risk between the parties and provides some pre-purchase comfort to the buyer.
Spoofing
Spoofing is when someone pretends to be someone else. Spoofing is usually done through email. These emails may appear to be from legitimate companies that you do business with — such as your Citibank, eBay, PayPal, or your Internet service provider. You are often asked to validate or confirm your personal information by sending a reply, clicking on a link, or opening an attachment. Take it from someone who has been a victim of spoofing—and lost over $30,000–be aware!
How can you be alert to spoofing? By using spoof prophylactics, you can help protect your business.
First, tell customers that they will receive e-mail contact only from a certain e-mail account(s). In other words, on your home page and wherever else appropriate, you should say “Panda will only send you e-mail from ‘info@panda.com’ or ‘status@panda.com.’” Why bother? Spoofers will pretend to be you in order to get money from your customers or potential customers. A new tactic will be to create an e-mail account that looks like you, but of course is not you. For instance, the criminal mind will create an account called panda@hotmail.com, infopanda@aol.com, or anything that closely resembles your true e-mail account. Therefore, by clearly articulating exactly which e-mail account(s) customers will be contacted through, and only through that account, you can help reduce spoofing.
Second, you should create a spoof verification e-mail account. This account should be formatted like spoof@[bizname.com]. If a client has any questions about the legitimacy of a communication from you, the client can send an inquiry to this account. Note that eBay uses an automated process now to respond to spoof inquiries. If your business has the need, installing an automated process to examine forwarded customer e-mails may be worth the license fee.
Third, your business needs to clearly articulate that you do not send or receive money through Western Union. Western Union is the most common channel used by villains spoofing legitimate businesses. I do not intend to demonize the company, but the verification process does not match today’s on-line security needs.
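The first three safeguards above can be turned into an automated check on messages that customers forward to the spoof@ inbox. The Python sketch below is an added example, not code from eBay or from this book; it uses the panda.com addresses from the text, and the sample messages, the function names and the verdict labels are constructed for illustration.

```python
import email
from email.utils import parseaddr

# From the text: the only accounts the business has told customers it mails from.
OFFICIAL_SENDERS = {"info@panda.com", "status@panda.com"}
BRAND = "panda"

# Constructed sample messages, as a customer might forward them to spoof@.
SAMPLE_SPOOF = """\
From: Panda Billing <infopanda@aol.com>
Reply-To: payments@example.net
Subject: Second chance offer

Please send payment by Western Union today.
"""
SAMPLE_GENUINE = """\
From: Panda <status@panda.com>
Subject: Your order has shipped

Tracking details follow.
"""


def classify_sender(address):
    """Return 'official', 'lookalike' or 'unrelated' for one e-mail address."""
    addr = address.strip().lower()
    if addr in OFFICIAL_SENDERS:
        return "official"
    # Brand name anywhere in the address, but not an announced account.
    return "lookalike" if BRAND in addr else "unrelated"


def triage(raw_message):
    """Check one forwarded message; return (verdict, list of reasons)."""
    msg = email.message_from_string(raw_message)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    kind = classify_sender(from_addr)
    reasons = []
    if kind != "official":
        reasons.append(f"From {from_addr!r} is {kind}, not an announced account")
        if BRAND in display.lower():
            reasons.append("display name uses the brand on a non-official address")
    if reply_to and classify_sender(reply_to) != "official":
        reasons.append(f"Reply-To {reply_to!r} sends replies elsewhere")
    body = msg.get_payload()
    if isinstance(body, str) and "western union" in body.lower():
        reasons.append("mentions Western Union, which the business never uses")
    # A From header is easy to forge, so "not_flagged" is not proof of origin.
    return ("suspicious" if reasons else "not_flagged", reasons)


if __name__ == "__main__":
    for sample in (SAMPLE_SPOOF, SAMPLE_GENUINE):
        print(triage(sample))
```

Because the From line can be forged, a message that passes this check still needs the receiving mail server's SPF, DKIM or DMARC result before it is treated as genuine.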
Fourth, you should list all auctions as “private.” eBay initially instituted private auctions to protect the identity of bidders in certain types of auctions (such as adult videos). This connotation has not carried on to the present, because many automobile sellers currently sell their cars in private auctions. Yet again, why bother? Because your bidders will be targets of fake emails. Someone will attempt to be you and collect money from unsuspecting bidders. Specifically, bad characters will send the second and third bidders an unauthorized eBay “second chance offer,” implying that the first bidder has backed out of the auction. By listing your auction as private, bidders’ identities are not visible to anyone but you the seller.
Fifth, download and install the eBay Toolbar. eBay Toolbar is a free add-in that gives you access to eBay from your desktop. Most importantly for our purposes, the toolbar has built-in spoof protection. According to the eBay website, the ‘Account Guard’ feature “warns you when you are on a potentially fraudulent (spoof) Website. It also lets you report such sites to eBay[4].” If anyone from eBay is listening, please don’t bundle Yahoo (or anyone else) with the toolbar!
Finally, here’s a plug for one of my former employers: if you’re buying a new PC, consider one with either Intel® vPro™ (desktop) or Intel® Centrino Pro™ (notebook) processor technology. These PCs have hardware-based security features built-in, which are always more secure than software, and are sold by all the top PC OEMs.
Reporting Cyber-crimes
If you and/or any of your customers are subject to cyber crime, it should be reported to the Internet Crime Complaint Center at www.nw3c.org. Almost anything is fair game, including theft of intellectual property rights, computer intrusion, economic espionage, online extortion, and money laundering.
Of course, fraud schemes such as identity theft, phishing, spam, reshipping, auction fraud, payment fraud, counterfeit goods, and even non-delivery of goods also are in their scope. The Internet Crime Complaint Center serves as a clearinghouse and repository of cyber crime complaints from private citizens and industry. They refer complaints to law enforcement agencies for investigation and prosecution. In 2006, these referrals resulted in almost 300 search warrants and 400 arrests[5].
Verification
I spoke with the Chief Information Security Officer from PayPal in June 2007, and he identified three areas they focus on: 1) brute-force attacks; 2) phishing; and 3) malware. PayPal has made good strides in dealing with the brute-force attacks, and in educating the public about phishing. Of these three categories, he was most worried about malware. Malware is software designed to infiltrate or damage a computer system without the owner’s informed consent, which includes computer viruses, worms, Trojan horses, spyware, dishonest adware, and other malicious and unwanted software [6]. Root-kit detection is critical to prevent malware, so when you update your anti-virus software, make sure you choose the version with “root-kit” protection.
There are several types of “verification” that you will come across, but let’s focus on two: verifying you, and verifying the payer.
Verifying the Seller — You
eBay and PayPal have joined up to help verify your identity with a security key. This is basically a key-chain with a small LCD. Once synced with your eBay or PayPal accounts, it adds an extra layer of protection.
<paypalsecuritykey.tif>
This key makes an assumption: that your ID and password could already be compromised. That is, someone out there may already have these two items and could be waiting for the right moment to use them. So, drop everything right now and change your eBay and PayPal passwords—and make that a habit! I’m taking my own advice and just changed my own password.
Use of the security key is free and the key itself is cheap–$5 at time of writing. After entering in your ID and password, the key generates a new six-digit code—which you enter on the website. You’re in! Once used, a security key code expires. In this way, you now have yet another layer of security protection around identity verification.
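How a six-digit code can be valid exactly once is shown in the added Python example below, which is not PayPal's or eBay's code. The chapter does not say which algorithm the key uses; the sketch assumes the counter-based HOTP scheme from RFC 4226 as a stand-in, with the RFC's published test secret, and the KeyVerifier class and its look-ahead window are illustrative.

```python
import hashlib
import hmac
import struct

# RFC 4226 test secret, used here only so the codes can be checked by hand.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class KeyVerifier:
    """Website side: accepts each code once and never accepts an older one."""

    def __init__(self, secret, window=3):
        self.secret = secret
        self.counter = 0      # next counter value the site expects
        self.window = window  # allowance for button presses never submitted

    def verify(self, code):
        submitted = code.encode("utf-8")
        for c in range(self.counter, self.counter + self.window + 1):
            expected = hotp(self.secret, c).encode("ascii")
            if hmac.compare_digest(expected, submitted):
                self.counter = c + 1   # this code and all earlier ones are spent
                return True
        return False


if __name__ == "__main__":
    site = KeyVerifier(DEMO_SECRET)
    first = hotp(DEMO_SECRET, 0)      # what the key's LCD would show
    print(first, site.verify(first))  # accepted on first use
    print(first, site.verify(first))  # rejected when replayed
```

A stolen password plus a previously observed code is therefore not enough to log in, which is the assumption the key is built around.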
Verifying the Buyer / Payer
eBay and PayPal have a verification process that helps authenticate identities. For instance,
- A person or organization registers with PayPal;
- PayPal makes two small deposits into the PayPal member’s bank account;
- The member then completes the circle by identifying the exact deposit amounts.
This process means that the PayPal member has access to, and provided identification for, the legitimate bank account. Additionally, the member has registered a valid credit card.
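The three steps above, written out as an added Python example (not PayPal's implementation). The deposit range of 1 to 99 cents, the three-attempt limit and all names are assumptions made for illustration; the point is that two small amounts are easy to guess unless failed attempts are capped.

```python
import secrets

MAX_ATTEMPTS = 3   # assumption: the chapter does not state PayPal's limit
MAX_CENTS = 99     # assumption: each deposit is between $0.01 and $0.99


def guess_space():
    """Distinct unordered pairs of amounts someone guessing would face."""
    return MAX_CENTS * (MAX_CENTS + 1) // 2


class MicroDepositChallenge:
    """Proves the member can read the statement of the bank account."""

    def __init__(self, amounts=None):
        if amounts is None:
            # Step 2: two unpredictable deposits, drawn from a CSPRNG.
            amounts = [secrets.randbelow(MAX_CENTS) + 1 for _ in range(2)]
        self.amounts = sorted(amounts)
        self.failures = 0
        self.verified = False

    def confirm(self, first_cents, second_cents):
        """Step 3: the member reports both amounts, in either order."""
        if self.verified:
            return "verified"
        if self.failures >= MAX_ATTEMPTS:
            return "locked"   # even the right answer is refused now
        if sorted((first_cents, second_cents)) == self.amounts:
            self.verified = True
            return "verified"
        self.failures += 1
        return "locked" if self.failures >= MAX_ATTEMPTS else "retry"


if __name__ == "__main__":
    challenge = MicroDepositChallenge(amounts=(7, 42))   # constructed values
    print(challenge.confirm(42, 7))                       # verified
    print(guess_space(), "possible pairs;", MAX_ATTEMPTS, "guesses allowed")
```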
Verification increases the trust of everyone involved. Your business should obviously become verified, a process available on the PayPal website. Additionally, if someone pays with PayPal, you should strongly consider a policy whereby you ship only to the verified address. I had a friend in grad school who shipped a Tag Heuer watch to Indonesia…only to find that the PayPal payment was recaptured/rejected after the watch had already been shipped. This would have been avoided had he shipped only to the “verified PayPal address.”
There are situations where legitimate buyers have genuine reasons for wanting to take delivery elsewhere. For illustration, a Dad may want to buy a pool table for his son at an out-of-state college. In this situation, I recommend taking payment by wire-transfer, or imposing a five business-day hold on PayPal funds before shipment.
Security and Outsourcing
Traditional businesses have financial and banking controls. These are for security as well as legal reasons. In our new world, here are some things to consider:
- Set up two-account systems when it makes sense. For instance, have two bank accounts, where all of your bank wires come into account #1, and then have “auto-sweep” enabled at the end of every day. This will sweep all funds into account #2, your primary account. When you provide customers your bank wiring instructions, don’t give them your primary account information!
- Similar to the previous point, you should have two credit cards: one for you, and one for everyone else. I’ll talk about outsourcing in a subsequent chapter, but you don’t want to have your own debit card number provided to employees or, even worse, outsourcing firms in far-flung locales.
- If you have someone primarily responsible for collecting payment or at least verifying that payment has come in…give that person read-only access. How you set up your labor strategy will determine your financial and banking control system. In other words, the strategy could be different if you have two employees sitting in your hometown versus outsourcing payroll to a local firm and email to India.
- Have a master password, if possible, and keep this to yourself.
It is now appropriate to talk about your labor strategy—organizational design, if you please—so let’s move to that now.
[1] Why else do you think I have “eBay” in my book title? The number of book titles with “eBay” in the title was based on a search done July 2, 2007 at 8:12 p.m. See www.amazon.com.
[2] See http://pages.ebay.com/services/buyandsell/welcome.html.
[3] Search analyzed on July 8, 2007 at 2:12 p.m. PST with eBay.com data.
[5] See www.ic3.gov.
[6] As defined by Wikipedia on July 8, 2007.


