WARNING: thefts due to password reuse

Steve Sokolowski

WARNING: thefts due to password reuse

Post by Steve Sokolowski » Wed May 31, 2017 8:55 am

I wanted to raise a warning today. Last night alone, we noticed six instances where customers who reused passwords from other sites have had money stolen from them.

The huge surge in these incidents indicates that some site has had its database breached recently. If the site was careless, then the plaintext passwords are probably being tried at other sites. If the site hashed the passwords, then a brute force attack is probably going on against the contents of the database to find which passwords the hashes correspond to. Studies show that in such cases, hackers can often obtain 60% or more of the passwords in a hacked database through brute force.

The criminals then try the found passwords at other sites. In this case, the scam seems to be that they log in, change the users' payout addresses, and then impersonate the customer and request a password reset after the owner figures out the scheme and changes them back.

So far, over $8000 has been stolen by the thieves at Prohashing alone. Fortunately, one of the thieves appears to have made a mistake which has allowed us to contact the police, but an arrest will not directly recover the funds, the victims will still have to pursue legal action to sue the attackers, and there may be no money left to recover.

All of this can be prevented by a single golden rule: never, under any circumstances, use the same password on two different websites. The "LastPass" software is quick, easy, and free to manage large numbers of unique uncrackable passwords. We strongly suggest that customers download LastPass, generate a new random password, and change their passwords to one of these randomly generated ones. Do this as soon as possible, because the attackers continue to target additional users every day.

----------------

Edited on June 1:

After some research I found that the source of these attacks may be Verizon Wireless. The cell phone provider will perform many customer service requests in exchange for information that is easily obtainable on the Internet, like billing address.

A customer, for example, can be targeted to switch a number to a new phone, which can then be used to validate SMS authentication at E-Mail providers, which can then be used to listen in on conversations with other people to deduce more information, and to reset passwords at other sites, and so on until enough information is obtained to steal money.

I'm not sure what can be done about that problem, as nobody has control over Verizon Wireless's customer service policies. However, a user with a unique password and LastPass would not be vulnerable, as long as the password was never transmitted to any other site or through E-Mail or text.
Last edited by Steve Sokolowski on Thu Jun 01, 2017 2:12 pm, edited 1 time in total.
pilottage

Re: WARNING: thefts due to password reuse

Post by pilottage » Wed May 31, 2017 9:35 am

Incredible... I was lucky to change mine... but something weird happened.... there was a swapping in my password at first that I didn't request... then I updated to a third different one! Thanks!
UPSoft

Re: WARNING: thefts due to password reuse

Post by UPSoft » Wed May 31, 2017 11:40 am

It's time to add Google 2-factor authentication.
piet

Re: WARNING: thefts due to password reuse

Post by piet » Wed May 31, 2017 12:14 pm

Steve Sokolowski wrote: In this case, the scam seems to be that they log in, change the users' payout addresses, and then impersonate the customer and request a password reset after the owner figures out the scheme and changes them back.
Yes, re-using passwords is stupid, but I think this is 2-way traffic.
It's 2017, we're talking about a lot of money floating around on PH; you should also take your responsibility.

Offer your customers some options to protect their accounts / money even if another site, database or password is hacked!

You could offer 2FA or a separate PIN that customers must create when registering. (and use it when changing important settings)

Some exchanges even send me a mail when my account logs in from a different IP address than usual, great service!

Just my 0.00000002 cents
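The takeover pattern Steve describes (log in with a reused password, change the payout address) and the new-IP alerting piet asks for can be combined into one detection rule. The following is an added defender-side example, not code from Prohashing or from anyone in this thread; the event format, the per-user baseline of known IPs and the sample events are all constructed for illustration.

```python
"""Flag sensitive account actions that follow a login from an IP address
the account has never used before.  Constructed example; not Prohashing code."""
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, user, action, source IP).
# alice: two takeover attempts from IPs outside her baseline.
# bob:   a legitimate payout change from his usual IP.
SAMPLE_EVENTS = [
    ("2017-05-30T22:01:00", "alice", "login", "198.51.100.7"),
    ("2017-05-30T22:03:00", "alice", "payout_address_change", "198.51.100.7"),
    ("2017-05-30T22:30:00", "bob", "login", "192.0.2.44"),
    ("2017-05-30T22:31:00", "bob", "payout_address_change", "192.0.2.44"),
    ("2017-05-30T23:10:00", "alice", "login", "203.0.113.5"),
    ("2017-05-30T23:15:00", "alice", "password_reset_request", "203.0.113.5"),
]

# Constructed baseline: IPs each account has logged in from historically.
KNOWN_IPS = {"alice": {"192.0.2.10"}, "bob": {"192.0.2.44"}}

# Actions that should trigger an alert (or a step-up check such as 2FA/PIN)
# when performed shortly after a login from an unknown IP.
SENSITIVE_ACTIONS = {"payout_address_change", "password_reset_request"}
WINDOW = timedelta(minutes=30)


def detect_takeovers(events, known_ips, window=WINDOW):
    """Return (user, ip, action, timestamp) tuples for sensitive actions
    performed within `window` of a login from an IP outside the baseline."""
    alerts = []
    new_ip_login = {}  # user -> (ip, login time) of latest login from an unknown IP
    for ts, user, action, ip in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        if action == "login":
            if ip in known_ips.get(user, set()):
                new_ip_login.pop(user, None)  # trusted login clears the flag
            else:
                new_ip_login[user] = (ip, t)
        elif action in SENSITIVE_ACTIONS:
            hit = new_ip_login.get(user)
            if hit and hit[0] == ip and t - hit[1] <= window:
                alerts.append((user, ip, action, ts))
    return alerts


if __name__ == "__main__":
    for alert in detect_takeovers(SAMPLE_EVENTS, KNOWN_IPS):
        print("ALERT:", alert)
```

In production the baseline would be built from the account's login history and an alert would also notify the account owner by a channel other than the one just used, as piet describes.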
GregoryGHarding

Re: WARNING: thefts due to password reuse

Post by GregoryGHarding » Wed May 31, 2017 1:26 pm

Yeah guys, I mentioned 2FA to them already; they said it was on the list, but it might be time to fast track that wish list item.
I really urge you guys to look into integrating Authy as the 2FA provider; it would be a good fit for here.

Just curious... what was the thief's mistake? Not using a proxy?
Steve Sokolowski

Re: WARNING: thefts due to password reuse

Post by Steve Sokolowski » Wed May 31, 2017 8:38 pm

UPSoft wrote: It's time to add Google 2-factor authentication.
This is definitely a feature we want to add in the future.

But thinking about this specific instance, I don't think that two-factor authentication is the solution to this problem. Adding two-factor authentication will split customers into two groups: users who use two-factor authentication and who are likely to already have used unique passwords, and users who are less careful with security and therefore wouldn't use either two-factor authentication or unique passwords.

The only way two-factor authentication would have resolved this specific instance is if we mandated it for all users. Therefore, I think that we need to address other weaknesses first if we want to prevent this sort of thing from continuing.
GregoryGHarding

Re: WARNING: thefts due to password reuse

Post by GregoryGHarding » Wed May 31, 2017 9:42 pm

What other security weaknesses are we looking at? 2FA is the end-all for account scamming and impersonation: knowing their password or not, they can't get in. My password can be 1234 and it just ain't gonna happen. Unless you guys have a security hole you know of that needs patching in the back end, I don't think any security feature is more important. If people refuse to use 2FA, you can simply disclaim that you're not responsible for their losses for not securing their account. Making that noticeable will persuade even the guy with the secure password to use 2FA, 'cuz they will be thinking "well jeez, I don't wanna lose my hard-earned mining money".

End of the day, my opinion would be to integrate 2FA ASAP, then work on other methods of security or improvements in user auth.
Steve Sokolowski

Re: WARNING: thefts due to password reuse

Post by Steve Sokolowski » Thu Jun 01, 2017 2:07 pm

Steve Sokolowski wrote:I wanted to raise a warning today. Last night alone, we noticed six instances where customers who reused passwords from other sites have had money stolen from them.
I edited this post with information about Verizon Wireless, which may be the source of these problems.
lilbob

Re: WARNING: thefts due to password reuse

Post by lilbob » Thu Jun 01, 2017 2:42 pm

Bloody Verizon, they were open already in 1998.

Edit: I believe this password systemic is older than we want to believe.
piet

Re: WARNING: thefts due to password reuse

Post by piet » Fri Jun 02, 2017 7:46 am

How to lose $8k worth of bitcoin in 15 minutes with Verizon and Coinbase.com

https://medium.com/@CodyBrown/how-to-lo ... 75fb8d0bac