Elance Fail

I signed up for elance a few years ago when I was looking for work and thought of doing a little consulting. I never really saw any decent paying work on their site and really kinda forgot about them until I received this e-mail today.

Dear xxxx,

We recently learned that certain Elance user information was accessed without authorization, including potentially yours. The data accessed was contact information — specifically name, email address, telephone number, city location and Elance login information (passwords were protected with encryption). This incident did NOT involve any credit card, bank account, social security or tax ID numbers.

We have remedied the cause of the breach and are working with appropriate authorities. We have also implemented additional security measures and have strengthened password requirements to protect all of our users.

We sincerely regret any inconvenience or disruption this may cause.

If you have any unanswered questions and for ongoing information about this matter, please visit this page in our Trust & Safety center: http://www.elance.com/p/trust/account_security.html

For information on re-setting your password, visit: http://help.elance.com/forums/30969/entries/47262

Thank you for your understanding,

Michael Culver
Vice President

I commend them for going public with this rather embarrassing story, a lot of companies hide these events. However, I’m annoyed that all these companies that retain this kind of data really only care about security after this kind of thing happens.

9 Replies to “Elance Fail”

  1. Here some additional information:

    Elance lied in their email (something I hate). They lost also the creditcard numbers too. My creditcard (details see blog.red-database-security.com) was stolen from their website and 1 day later abused. Mastercard locked my card already.

  2. Luckily for me I hadn’t entered my CC information. 🙂 Hopefully the CC company doesn’t give you too much grief!

  3. I am sorry that you didn’t have any success with Elance however I strongly suggest that you give them another go-around. I personally have completed over 700 projects to date and I know many providers that are making good money with Elance.

    The thing about Elance is that it caters to quality providers and buyers and you really have to market yourself effectively to make it work for you.

    Here are some tips:

    -Always submit individualized proposals that address the buyer’s specific requests. Highlight your skills effectively and don’t be afraid to provide additional information via the private message board.
    -Only submit proposals for reputable buyers that have a proven history of paying their contractors and awarding projects.
    – Don’t be afraid to ask for 1/2 down and the balance upon project completion.
    -Protect yourself with a written contract.
    – Know your worth and remain competitive. If you have to lowball in order to get your first project, establish a reputation or get a long term gig, then don’t be embarrassed. Many Elance providers have done that in the past – just don’t consistently undervalue your work. It affects your morale, drive and lowers buyers’ expectations.

    Lastly but most importantly, HAVE FUN and NEVER GIVE UP!

  4. Another point –

    Elance takes security very seriously and I think it was very professional and smart for them to quickly inform users of the problems and then fix the security issue FAST! Don’t you?

  5. Kristi: You obviously work for elance. However, I chose not to flag your comments as spam, even though they clearly are.

    Elance has a tough battle ahead after not one but TWO security failures last summer. I hope they’ve hired a good security officer and are putting better protection in place. I will likely never use them again.

  6. Elance Fail is something I can relate to.

    Don’t get me wrong… in amongst the chaff, there is wheat — actually interesting projects that pay if not well, at least reasonable for someone between jobs and looking for some supplementary income in the meantime. If you’re willing to work, and are professional, you can make more than $25 on Elance. I’ve been a consultant before, and I kinda like someone else doing all my billing for me.

    However, that’s where the problem starts. Because any payments from customers are held in elance escrow, the vendor has to do something to get the money somewhere where it can be used. There are lots of options. The one that was the fastest but didn’t involve Paypal, is ACH Direct Deposit. You know, that RELIABLE way that your paycheck gets into your bank account? Same thing. Various locations on their site claimed 1 day or 1-2 days time for ACH “withdrawl” processing, vs 10 days for something like wire transfer.

    I set up my bank account details a week before I planned to do the withdrawl, instructing it to use my contact details as my bank account name and address details, received no errors, and within a few days, the account showed up in the possible list of accounts to withdraw elance funds to. I put in the request for withdrawl on Feb 23. So far so good.

    Tick tock, tick tock, the days clicked by. As of Feb 28, with bills due Feb 29, I contacted them to ask why my withdrawl had not yet gone through. The messaged back through their support system that the problem was that *I* didn’t fill in a country in the bank account details, and that was why the transaction hadn’t processed yet. They told me to go fill in a country. Clear implication: user, you screwed up, it’s your own problem, now go fix it.

    Suitably chastened yet puzzled (why accept details without country if it’s required?), I skulked back to my account details page… where I saw that I could not enter a country there. I had not in fact entered ANY address details there, instead telling that account to use my main elance contact details, so there wasn’t even a country input field on that page. I viewed the elance contact details page. Ooops, I couldn’t enter a country there either: it displayed as “United States” and was a non-editable text field.

    I called customer support again to tell them that I could not comply with the instruction and that since the country was already pre-set, I didn’t understand why it was not picked up along with all of the other information on that page. The customer support person claimed she “went into your record to edit it, then saved it, and the country’s in your bank account details now”. It doesn’t sound like she entered country anywhere, just re-saved something. In any event, as a normal user, I wouldn’t have had access to change country anyway.

    Because neither of us completely believed this would solve the problem, we decided to guard against more “use contact details as bank account details” problems by entering a custom address for the bank account.

    I entered exactly the name and address in my contact details, into the custom address fields for the bank account, and tried to save it. Yeah, there’s a key word for you: “tried”. The bank account custom address page and the contact details page validate items differently. While an apostrophe in the name and a # (for a unit number) were acceptable in the contact details, they were errors for the bank account details. I could not save the information until I’d removed the apostrophe and replaced # with APT. Then, it let me save.

    Due to a significant delay as a result of one or more elance software bugs, I requested my withdrawl to be processed immediately, but customer support informed me that they only run withdrawls once at day, 8am US West Coast time.

    Problem is: that would be Feb 29, the same day all my bills are due.

    They would not make any sort of exception on this nor would they propose an alternate way to get me cash IMMEDIATELY to reduce the significant delay in my receiving funds due to one or more bugs in their software.

    As of Feb 29, the cash has left my account, but is somewhere in the ACH ether, hopefully reappearing soon in my account so that I can make some payments.

    In the interim, I still had a bit of cash left in my elance account, so I figured, I’ll paypal that to a friend with a paypal credit card, and he can use his paypal credit card to partially pay my bills. Ooops, no can do. You can only set up a Paypal account as pay AND receive. You cannot just send money to an arbitrary paypal account as usual. It has to be YOUR paypal account that YOU have to fully log into.

    OK, fine, I thought… I’ll just paypal myself, send money to him from there, and then he can use his paypal credit card to help me. I entered my Paypal details and was greeted with the information that for unspecified “security reasons” they have a 5 day hold on using Paypal accounts for withdrawls (which does not apply when using Paypal to put money INTO the elance escrow service, only when taking money OUT of it). This is an elance policy, NOT a Paypal policy.

    Because they’d screwed up my direct deposit, I requested a waiver of this. Surely the security risk of a Paypal account name identical to my full email address they’d been using to correspond with me is extremely minimal. (?)

    No, said customer service, our Terms of Service state 5 day hold. I replied, your Terms of Service also state 1-2 day processing time on Direct Deposits, and seeing as you’ve violated that at my expense, it would seem a fair customer “make good” to waive the 5 day restriction on Paypal to allow me to gain access to funds I require in order not to miss a bill that will cause me a $25,000 personal loss if I miss it. They wouldn’t budge.

    I phoned PR and let them know I’d be starting to discuss it on the web unless a solution was found immediately. PR forwarded my situation to the Director of Customer Relations. I directed the PR person that my matter was NOT to be sent back to customer service (as he’d originally offered to do), who was unable/unwilling to assist. I said that due to customer service’s inability to resolve it, it required assistance at a higher level where policy decisions could be made in light of the potentially catastrophic impact their system errors could have on me.

    When I received a response, you bet, it was from the same customer service person who’d clearly professed multiple times that their policies were their policies and that she couldn’t change them and tough luck on me.

    This is NOT good customer service, particularly when it threatens someone’s livelihood and ability to meet their household bills. I may confine myself to the likes of odesk from now on and give elance a miss. In case I do lose that $25,000 I stand to lose without the bill paid, I will be contacting lawyers to review my options for recovery directly from elance for their failure to honor their stated and publicized terms.

    I still do not know whether (1) “missing country due to some system problem that prevented the existing country name being copied into the bank account details” was really the error, or if (2) the error had to do with re-using contact details name and address information that would not pass the bank account deatils validation, and some server app dealt with it by removing country from my request record so that the transaction would not be attempted, but not raising any errors to alert staff (or elance users) when it did so.

    I also think it is a problem that the transaction was allowed to queue on business days Feb 23, Feb 24, Feb 27 and Feb 28 apparently waiting for the poor elance user affected to notice it hadn’t completed and complain.

    Why didn’t their system flag the error and either email the user, or customer service, regarding the problem and suggested resolution?

    Why doesn’t elance have a queue monitor that at least sends email to the elance users whose withdraw transactions have queued for longer than the SLA for that withdraw type, telling them there may be problems and requesting that they call customer service for assistance?

    I’m still waiting for answers. And, oh yeah…. my cash from elance please. Not tomorrow, not in 2-3 days. Certainly not in 10. I mean NOW. I requested it on Feb 23.

  7. Kristi certainly does work for Elance.
    My question is, has anyone had unsatisfactory dealings with net-ARB? Their relationship with Elance is unclear, but very suspicious. Elance has a long-term, exclusive relationship with net-ARB as its provider of arbitration services, but net-ARB consists, as far as anyone I know can tell (and I’ve researched this personally), one person, a guy named Marty Lavine, who operates out of Dekalb County Georgia. Net-ARB will reveal zero about itself — and why would Elance not only get so heavily involved with it, but become defensive about it when I inquire? Both net-ARB and Elance Dispute Assistance operate solely by email — try calling them; you can’t — and will give out absolutely no names or initials or any identifying information at all; again, try getting anything. Why this secrecy?

  8. Net-Arb apparently has 3 employees (https://www.chamberofcommerce.com/atlanta-ga/27720444-net-arb-inc). This confirms the suspicion of many individuals that Marty Lavine, the CEO, CFO, and Secretary, runs the business out of his basement, making all decisions on his own and utilizing two other individuals – whom I hope are attorneys – when customers pay for a “panel” of arbitrators (http://corp.sos.state.ga.us/corp/soskb/Corp.asp?406361). It would seem as though the same individual arbitrator and panel are used every time, thus falsifying, or, at the very least, weakening, net-ARB’s claim that “Our staff will review the description of the dispute you provided during registration and assign arbitrators that understand the subject matter of the dispute.” (https://www.net-arb.com/how_arbitration_works.php).

Comments are closed.