Scammer Alert - Affiliates Read This - GoFuckYourself.com

iBanker · 07-29-2005, 02:19 PM

Just had this conversation...

EDITED (02:00 PM) : hello, i'm working for EDITED, my login "EDITED" dosen't work.

Chris (02:00 PM) : Let me check it for you then. One sec.

EDITED (02:00 PM) : thanks

Chris (02:00 PM) : What is your affiliate ID number?

EDITED (02:01 PM) : i have to ask my boss, i'll contact you later

Chris (02:01 PM) : okay, I will be here

(THIS IS WHERE I START WONDERING WTF?)

Chris (02:02 PM) : Do you have any other info I could look you up with? Last name? Email address on the account?

EDITED (02:02 PM) : EDITED EDITED (first last)

EDITED (02:03 PM) : [email protected]

Chris (02:04 PM) : And what is the problem? You can't log in?

EDITED (02:04 PM) : i can't login

Chris (02:04 PM) : What username and password are you using?

EDITED (02:05 PM) : username is EDITED

EDITED (02:05 PM) : i don't have the password here.

EDITED (02:06 PM) : can i contact you by email later? for you give me info

Chris (02:07 PM) : Well, sorry to be the one to tell you this. But some of the information you gave me does not match up. And you have to give me the proper password for me to reset it at this point. So one of two things is happening here: ONE - YOU are a scammer and I am telling you to FUCK OFF and stay away from my affiliates. Or TWO - this is just a miscommunication and I will need to contact your ?boss?.

Chris (02:07 PM) : If it is TWO, then you understand why I keep the information so private.

Chris (02:08 PM) : Any response to that sir?

It has been 10 minutes and no reply. This is the second one like this I have got in the last 3 days. Someone is out there with a list of affiliate names I think trying to get access to other peoples accounts to most likely change their payment information. A particular account like this gets paid out some very good money EVERY week.

Heads up guys, thats all.

pawsregd · 07-29-2005, 02:21 PM

It's the FTC!!! lol

polish_aristocrat · 07-29-2005, 02:21 PM

Quote:

Originally Posted by pawsregd

It's the FTC!!! lol

lol 5678

iBanker · 07-29-2005, 02:25 PM

Heh, I had to edit it all out for the real affiliate...

Doctor Dre · 07-29-2005, 02:34 PM

Yea ... makes it hard for honest affiliates that forget their passwords !

I forgot my pgonzo pass and it was a headache to receive it

TMM_John · 07-29-2005, 02:36 PM

Good catch

iBanker · 07-29-2005, 03:13 PM

We are going to have to incorporate some new password system to prevent this. It seems like the only solution worth merit. Anyone have any suggestions?

Maybe something along the lines of a secret question/secret answer? Is that stuff even worth while?

The Other Steve · 07-29-2005, 03:30 PM

Perhaps respond in person to those requests with a phone call to the number listed on the account details?

iBanker · 07-29-2005, 04:30 PM

Quote:

Originally Posted by The Other Steve

Perhaps respond in person to those requests with a phone call to the number listed on the account details?

I put a little thought into that as well, but the fact is most affiliates don't put in their phone number. And its Funny, alot of them have the same number "123456789". They must all live at the same house.

I think they think we want to telemarket stuff to them. lol

I really wish more did, it would be easily solved that way.

Donny · 07-29-2005, 04:30 PM

Well, can't say I didn't try....

Murderous · 07-29-2005, 04:30 PM

AND provide them with a phone number to call you.

iBanker · 07-29-2005, 04:47 PM

Quote:

Originally Posted by DonovanPhillips

Well, can't say I didn't try....

AaronM tries once a week. You think he would know I have caller ID here by now.

David - PG · 07-29-2005, 06:04 PM

Quote:

Originally Posted by Doctor Dre

I forgot my pgonzo pass and it was a headache to receive it

We have a password retrieval function. If you do not have access to your original email address however we require some security questions, the last thing you want is your payout sent to some scammer's Epassporte.

emthree · 07-30-2005, 12:55 AM

Change the payment information and leave a complete traceable trail ... Brilliant.

V_RocKs · 07-30-2005, 01:13 AM

Best practices:

Encrypt the password in the DB using something sweet like MD5 or SH1.

#1, Then when someone types in their password, the login script encrypts what they wrote and checks it with what is in the DB. If both encrypted passwords match, the person typed in the right unencrypted password in the form.

#2, Make your password for the affiliate. If you did #1 correctly and someone can't decrypt your stolen DB, it doesn't matter because they stole the unencrypted DB of your competition and guess what, 85% of webmasters use the same password EVERYWHERE.

#3, Have them create a secret question that must be answered with a phrase. Don't use stupid questions like, what is your favorite color. 70% of the world prefers blue and 98% prefer a primary or secondary color. That leaves only 9 colors to play with and you are in on EVERY account. A better question would be, What is the best part of your lover: and it should be answered with a phrase. She has a great ass. The script would check for a minimum of 3 spaces and a length of atleast 16 characters. This way you know it was a phrase...

#4 Answering it correctly would send an email to the email they signed up with. They should not just get direct access to the account.

#5 Emails must be from ISP's, not free accounts or domains owned by the affiliate. Hack their server and you get to read all their email.

The Other Steve · 07-30-2005, 01:40 AM

Quote:

Originally Posted by iBanker

I put a little thought into that as well, but the fact is most affiliates don't put in their phone number. And its Funny, alot of them have the same number "123456789". They must all live at the same house.

I think they think we want to telemarket stuff to them. lol

I really wish more did, it would be easily solved that way.

I understand mate but I find the unwillingness of some people in this industry to use the phone to be amazing. It's the fastest way I know of to get a problem resolved.

We had a minor hassle with a host we use in Holland so we emailed them - two minutes later he rang us and 30 seconds after that the problem was solved.

Try getting that sort or resolution by exchanging emails ...

There is no quicker and surer way to overcome problems but by verbal communication - emails and instant messaging leave too much to chance because important things like the tone of voice are missing.

We did actually have one sponsor call us one day - and it was one of the most helpful and informative contacts we've ever had with a sponsor. It sure beat newsletters and emails.

In our business we often call clients who are about to pay for orders just so they know that they are dealing with real people - it's amazing the difference a phone call can make.

V_RocKs · 07-30-2005, 03:43 AM

You must have been talking to Mike the Bike..

iBanker · 07-30-2005, 11:41 AM

Quote:

Originally Posted by V_RocKs

Best practices:

Encrypt the password in the DB using something sweet like MD5 or SH1.

#1, Then when someone types in their password, the login script encrypts what they wrote and checks it with what is in the DB. If both encrypted passwords match, the person typed in the right unencrypted password in the form.

#2, Make your password for the affiliate. If you did #1 correctly and someone can't decrypt your stolen DB, it doesn't matter because they stole the unencrypted DB of your competition and guess what, 85% of webmasters use the same password EVERYWHERE.

#3, Have them create a secret question that must be answered with a phrase. Don't use stupid questions like, what is your favorite color. 70% of the world prefers blue and 98% prefer a primary or secondary color. That leaves only 9 colors to play with and you are in on EVERY account. A better question would be, What is the best part of your lover: and it should be answered with a phrase. She has a great ass. The script would check for a minimum of 3 spaces and a length of atleast 16 characters. This way you know it was a phrase...

#4 Answering it correctly would send an email to the email they signed up with. They should not just get direct access to the account.

#5 Emails must be from ISP's, not free accounts or domains owned by the affiliate. Hack their server and you get to read all their email.

Those are some great suggestions. I am going to pass them on to my programmer. Thanks a lot!

Nathan · 07-30-2005, 11:47 AM

Chris...

hope you'll take a suggestion from me... (no bad blood and all)

Although V knows his stuff, his #3 idea is good but might cause more problems.. I am sure he has his reasons, but I have yet to find a reason why a simple email system is a problem. Meaning:

Simply have them type in the username and the email they signed up with. If the info is correct, send a new password (or the old one if you do not store it encrypted) to their email address on file.

I understand the idea behind the secret question, but like V said, you have to make it COMPLICATED to make it secure. No wonder Paris's Sidekick account was hacked.

The only reason some places have a secret question setup is so that they do NOT have to send an email out on requests. They just let them enter the password again then.

As long as you do not display the password somewhere but email it to the account on file, I see no problem with this kind of stuff.

V, your input on my oppinion would be appreciated.

Antonio · 07-30-2005, 11:50 AM

my middle name is Edited, gimme your IDs, passwords, and while you're at it CC numbers + the CVVs, thanks

iBanker · 07-30-2005, 11:50 AM

Quote:

Originally Posted by Nathan

Chris...

hope you'll take a suggestion from me... (no bad blood and all)

Although V knows his stuff, his #3 idea is good but might cause more problems.. I am sure he has his reasons, but I have yet to find a reason why a simple email system is a problem. Meaning:

Simply have them type in the username and the email they signed up with. If the info is correct, send a new password (or the old one if you do not store it encrypted) to their email address on file.

I understand the idea behind the secret question, but like V said, you have to make it COMPLICATED to make it secure. No wonder Paris's Sidekick account was hacked.

The only reason some places have a secret question setup is so that they do NOT have to send an email out on requests. They just let them enter the password again then.

As long as you do not display the password somewhere but email it to the account on file, I see no problem with this kind of stuff.

V, your input on my oppinion would be appreciated.

No bad blood at all, and your imput is appreciated. You solution is essentially what I am doing now, so that makes me feel like I'm going the right direction so far.

I'm just blown away that this has happened 2 times in one week!

Nathan · 07-30-2005, 12:00 PM

Quote:

Originally Posted by iBanker

No bad blood at all, and your imput is appreciated. You solution is essentially what I am doing now, so that makes me feel like I'm going the right direction so far.

I'm just blown away that this has happened 2 times in one week!

You are right, its scary enough that people try at all.. but twice in a week.. scary...

Anyway, unless V has some valid point against this simpler system, I would definately go with that, I have not seen any flaw in it yet...

07-29-2005, 02:36 PM	#6
TMM_John Confirmed User Industry Role: Join Date: May 2004 Posts: 6,664	Good catch __________________ Too Much Media - Makers of the Industry's Leading Payite Management Platform, NATS!

07-29-2005, 03:13 PM	#7
iBanker Confirmed User Join Date: Dec 2004 Location: San Diego, moving to Portland. Posts: 2,758	We are going to have to incorporate some new password system to prevent this. It seems like the only solution worth merit. Anyone have any suggestions? Maybe something along the lines of a secret question/secret answer? Is that stuff even worth while? __________________ www.JasonandAlex.com Christopher's ICQ: 268-843-170

07-29-2005, 03:30 PM	#8
The Other Steve Confirmed User Join Date: Dec 2001 Location: Sunny Queensland - perfect one day and better the next. Posts: 2,106	Perhaps respond in person to those requests with a phone call to the number listed on the account details? __________________ Left intentionally blank ... just like my brain

07-30-2005, 12:55 AM	#14
emthree Dialer Kingpin Join Date: Jun 2003 Location: New York Posts: 10,816	Change the payment information and leave a complete traceable trail ... Brilliant. __________________ • Sell Patches & Pills •

07-30-2005, 11:47 AM	#19
Nathan Confirmed User Industry Role: Join Date: Jul 2003 Posts: 3,108	Chris... hope you'll take a suggestion from me... (no bad blood and all) Although V knows his stuff, his #3 idea is good but might cause more problems.. I am sure he has his reasons, but I have yet to find a reason why a simple email system is a problem. Meaning: Simply have them type in the username and the email they signed up with. If the info is correct, send a new password (or the old one if you do not store it encrypted) to their email address on file. I understand the idea behind the secret question, but like V said, you have to make it COMPLICATED to make it secure. No wonder Paris's Sidekick account was hacked. The only reason some places have a secret question setup is so that they do NOT have to send an email out on requests. They just let them enter the password again then. As long as you do not display the password somewhere but email it to the account on file, I see no problem with this kind of stuff. V, your input on my oppinion would be appreciated. __________________ "Think about it a little more and you'll agree with me, because you're smart and I'm right." - Charlie Munger

07-29-2005, 02:21 PM	#2
pawsregd Confirmed User Join Date: Jun 2005 Location: Montreal eh Posts: 2,290	It's the FTC!!! lol

07-29-2005, 02:25 PM	#4
iBanker Confirmed User Join Date: Dec 2004 Location: San Diego, moving to Portland. Posts: 2,758	Heh, I had to edit it all out for the real affiliate... __________________ www.JasonandAlex.com Christopher's ICQ: 268-843-170

07-29-2005, 04:30 PM	#10
Donny As you wish... Industry Role: Join Date: May 2002 Posts: 13,754	Well, can't say I didn't try....

07-29-2005, 04:30 PM	#11
Murderous Confirmed User Join Date: Oct 2003 Location: Pennsylvania Posts: 3,938	AND provide them with a phone number to call you.

07-30-2005, 01:13 AM	#15
V_RocKs Damn Right I Kiss Ass! Industry Role: Join Date: Dec 2003 Location: Cowtown, USA Posts: 32,421	Best practices: Encrypt the password in the DB using something sweet like MD5 or SH1. #1, Then when someone types in their password, the login script encrypts what they wrote and checks it with what is in the DB. If both encrypted passwords match, the person typed in the right unencrypted password in the form. #2, Make your password for the affiliate. If you did #1 correctly and someone can't decrypt your stolen DB, it doesn't matter because they stole the unencrypted DB of your competition and guess what, 85% of webmasters use the same password EVERYWHERE. #3, Have them create a secret question that must be answered with a phrase. Don't use stupid questions like, what is your favorite color. 70% of the world prefers blue and 98% prefer a primary or secondary color. That leaves only 9 colors to play with and you are in on EVERY account. A better question would be, What is the best part of your lover: and it should be answered with a phrase. She has a great ass. The script would check for a minimum of 3 spaces and a length of atleast 16 characters. This way you know it was a phrase... #4 Answering it correctly would send an email to the email they signed up with. They should not just get direct access to the account. #5 Emails must be from ISP's, not free accounts or domains owned by the affiliate. Hack their server and you get to read all their email.

07-30-2005, 03:43 AM	#17
V_RocKs Damn Right I Kiss Ass! Industry Role: Join Date: Dec 2003 Location: Cowtown, USA Posts: 32,421	You must have been talking to Mike the Bike..

07-30-2005, 11:50 AM	#20
Antonio Too lazy to set a custom title Join Date: Oct 2001 Location: Spartaaaaaaaaa Posts: 14,136	my middle name is Edited, gimme your IDs, passwords, and while you're at it CC numbers + the CVVs, thanks