
Got A Merchant Account? Lock your stuff down!

Discussion in 'BlackHat Lounge' started by BassTrackerBoats, May 3, 2017.

  1. BassTrackerBoats

    BassTrackerBoats Super Moderator Staff Member Moderator Jr. VIP

    Joined:
    Mar 10, 2010
    Messages:
    16,691
    Likes Received:
    30,711
    Occupation:
    Selling CPA Sites
    Location:
    Not England
    Home Page:
    This AM we got 2 messages inside of 10 minutes with a password reset from 2CO.

    This was not the primary username on the account but clearly there is someone trying to get into accounts there.

    Our accounts there only use hosted emails and those emails have some wacky passwords so there was no issue but it did give me cause to change the usernames on those accounts to something wacky as well.

    Also, I am sure that 2CO is not the only payment processor that they are attempting to break into and the security issue is not on 2CO, it is on those of us that have accounts there.

    Be smart and use wild and wacky usernames and passwords on all your stuff and if you can add two-step authentication to your accounts, do it.

     
  2. JustUs

    JustUs Power Member

    Joined:
    May 6, 2012
    Messages:
    626
    Likes Received:
    585
    I don't want to be a party pooper, however, there was an article about how two step authentication makes you less secure. It was some time back and it dealt with how Clinton campaign Chairman, John Podesta, had his email account hacked. It was through social engineering and two step authentication.
     
  3. BassTrackerBoats

    I remember reading about that and it was actually human error as opposed to two step authentication. He was sent a phishing email, asked his IT/Techie/assistant if it was legit and the guy said it was but it was actually not.

    Without a doubt 2 step authentication is more secure.

    For me to log onto BHW for instance I have to get a code sent to either one of my email accounts or one of my mobile phones in addition to keying in my password.

    That is just one example of how it is more secure.
     
  4. JustUs

    I have to disagree. I could find more links to make my point but this is the one that is easiest to find:
    https://arstechnica.com/security/20...ank-accounts-by-abusing-ss7-routing-protocol/
     
  5. ContentExpert

    ContentExpert Jr. VIP Jr. VIP

    Joined:
    Jan 16, 2017
    Messages:
    424
    Likes Received:
    305
    Gender:
    Female
    Occupation:
    Your Content Writer
    Home Page:
    I didn't know we had a two-step authentication option here on the forum. I might have to enable this as last week I was writing content for another member here whose account was hacked (a MOD has already taken care of it).

    @JustUs

    As you're disagreeing with @BassTrackerBoats, I'm actually disagreeing with your statement that two-step authentication isn't safer.

    A very simple example is the two-step authentication that I have enabled on a couple of my IG accounts.

    Even if a hacker were to guess my password to the account, they would need access to my phone/number in order to get the access code to get into the account. I'd always recommend using this feature regardless of what platform you're using it on (BHW, IG etc.).
     
  6. JustUs

    JustUs Power Member

    Joined:
    May 6, 2012
    Messages:
    626
    Likes Received:
    585
    You are certainly free to disagree. If you feel 2FA makes you safer, I won't gainsay how it makes you feel. But if you claim that it actually makes you safer, then I would have to say that you do not understand the issue:
    The way I dealt with this issue is with an agreement with the bank that any transfer over $50 is to be voice verified via the bank. Also, any transfer outside of certain geographical areas is to have my prior authorization.
     
  7. BassTrackerBoats

    That article says they did that by knowing the phone number and having access to the phone somehow.

    I have 3 mobile phones, do not use them to talk on, and they are not in my name so they would have to see the phone tied to the account.

    I suppose there is a possibility that a hacker could access my 2CO account AND the phone tied to it but they would have to have some pretty solid game.

    It is harder though, no doubt, to be able to access both.

    Granted, nothing is 100% safe and secure, and I'll certainly agree with you there but the more hoops the bad guy has to jump through without the fire touching them, the better as to security.
     
  8. JustUs

    Point is that access to the phone is not needed, only the number is needed. The flaw is a fundamental security failure in SS7. It is not even required that you use the phone for telephone calls, only that the number be active and able to receive SMS. Programming knowledge is not required. The scripts have been written so that any skiddie can run the script.
    To give a quote from Motherboard:
    Otherwise, I agree that nothing is really secure.
     
    Last edited: May 4, 2017
  9. jazzc

    jazzc Moderator Staff Member Moderator Jr. VIP

    Joined:
    Jan 27, 2009
    Messages:
    2,612
    Likes Received:
    11,239
    Occupation:
    Pusillanimous Knitter
    Location:
    Buenos Aires
    @JustUs

    There's always the TOTP method for 2FA, which involves no transmission of information and so no interception is possible. You just install any supported TOTP app like Google Authenticator, done.
     
  10. SunnyLeon

    SunnyLeon Jr. VIP Jr. VIP

    Joined:
    Oct 13, 2013
    Messages:
    516
    Likes Received:
    178
    Gender:
    Male
    Location:
    Outside the Matrix
    Honest question: Did you ever receive an official email from a valid authority or legal entity that starts with "Dear"? :) Is it just me that finds the wording really funny in spam emails? :D
     
  11. rafark

    rafark Regular Member

    Joined:
    Jan 15, 2013
    Messages:
    439
    Likes Received:
    220
    Gender:
    Male
    Occupation:
    Moderador
    Location:
    Noble and Heroic MC
    Why is that? Instead of:

    "Dear SunnyLeon,

    We have received your..."

    How'd you say it?
     
  12. jazzc

    Dear Rafark is commonly used, so it's fine. I've never ever seen a legit email addressing me as "Dear" without a name or name + surname.
     
  13. SunnyLeon

    I'm talking about the straight up "Dear,"
    It feels like it's my soulmate trying to cheer me up or something.. might be just me, though :)

    jazzc has written it first, mods have fast writing hack, it's a fact!
     
  14. rafark

     
  15. rafark

    Oh, I see it! I thought Bass-Tracker-Boats had erased his name from the email. :)

    Yes, it sounds a bit awkward, generic, impersonal, cold.
     
  16. jazzc

    Most probably. I've received quite a number of spam (I go through the spam folder religiously) that use "Dear" alone, so it didn't ring a "huh?" bell.
     
  17. SunnyLeon

    I thought I was the only one :) It's funnier than most memes :D It's hard to be a Nigerian prince these days, you have to share the spam folder with all those FBI directors, lawyers of dead people and cute girls :)
     
  18. BassTrackerBoats

    I did erase the name that the email was addressed to as it is not a real person's name and just one I use for managing some of my accounts.

    Didn't want it out there for public consumption.
     
  19. Setox

    Setox Regular Member

    Joined:
    Apr 30, 2015
    Messages:
    483
    Likes Received:
    193
    Occupation:
    CPA Hunter - Web Dev - Design
    Location:
    MA
    Home Page:
    Does 2CO support 2FA ??