Epassporte now too. WTF!

[After Shock Media]

Ok I think it is becoming more obvious that someone is really trying to break into my accounts. I have had a few password reminder emails from sponsors over the past week.

Now I get sent an email from epassporte that is the following.

Dear David,

Thank You for your email.

In regards to your concern, please be informed that we have removed your
security question and reset your password and you can view it along with
your user ID addressed to you in your external email address which you
registered with ePassporte.

I hope this has answered your query.

If you have any further concerns, please do not hesitate to contact our
Customer Service from the details listed below.

Best Regards,
Kushal.C

ePassporte Account Holder Services
[email protected]
Fax: +1.310.564.1751
Phone: +1.310.301.2001

----- guess this is the mail they are quoting---------

> Some one change my Security Questions and my password pllease help me as
> soon as possible and i will attach u all my docs

Then of course I get mailed a new password in a separate mail.

I am not an idiot and there was no links to even click aside from mail to: ones anyways. So I head over to epassporte in a new browser window and yes indeed my old password no longer works. When I do get inside, yup all of my previous extra opt in security questions and image etc has been reset.

Seriously WTF is the point of this added layer of security if someone can get it reset via an email and obviously a spoofed email at that. Only thing I am even glad of is that it seems the client support at epassporte at least do not hit the reply to button on the email and did send to the proper email on file.

I have sent in a request asking for the headers of the email. Also left Michael a message too.

[uno]

That's just scary.

[Trax]

not good

[After Shock Media]

PS when they reset your password it goes to a letter and a few numbers. Better than a random word but still fairly fucking stupid.

Still trying to wrap head around why they would just reset shit from an email though. I need to send them DNA data to get a withdraw increase yet some ass clown can get them to reset all of my data with a fake email.

[mikesinner]

Your gonna get anally raped

[Antonio]

please send $10 000 from your epass account to my epass account to make sure that its still working properly

[After Shock Media]

Quote:

Originally Posted by mikesinner

Your gonna get anally raped

I feel OK as my passwords are typically crazy random and as long as allowed. It is the system itself or worse yet the human element that does have me concerned. I guess those potential weak links in the whole security chain.

Just wish whoever decided to target me would pick another fucking target. It is getting annoying as hell.

[papill0n]

That would be fucking annoying. Glad they didnt get access to your account ASM.

[After Shock Media]

Quote:

Originally Posted by RageCash-Ben

That would be fucking annoying. Glad they didnt get access to your account ASM.

In effect though in my eyes it still was compromised.
An email should not be able to get a password and all security questions reset. If so what is the point of having security questions in the first place.

This extra layer of security they added was due to hacked accounts, and seeing how easy it is to bypass is just fucking wrong.

[seeandsee]

that's not good

[DickDarkness]

[papill0n]

Quote:

Originally Posted by After Shock Media

In effect though in my eyes it still was compromised.
An email should not be able to get a password and all security questions reset. If so what is the point of having security questions in the first place.

This extra layer of security they added was due to hacked accounts, and seeing how easy it is to bypass is just fucking wrong.

yeah I am with you man, something is seriously wrong there

[u-Bob]

not good, not good at all

[Horny Joe]

Ouch.... any words from epass?

[Klen]

And then people are suprised when i say how epassporte still have bad security.

[kesha1]

It seems that they don't even try to help for real, huh?

[fluffygrrl]

Quote:

Originally Posted by After Shock Media

I feel OK as my passwords are typically crazy random and as long as allowed. It is the system itself or worse yet the human element that does have me concerned. I guess those potential weak links in the whole security chain.

Just wish whoever decided to target me would pick another fucking target. It is getting annoying as hell.

I would say a certain Kushal C. idiot needs to be shot, an that's all.

[Michael O]

ASM

I am emailing you now.

[Manowar]

that's fucked up

[CaptainHowdy]

: / ...

[fastboy]

damn, scary shit

[Enemator]

So basically you're saying their security measures WORK and that they have effect.
They emailed the email address they had on file(instead of just replying) to make sure you actually were the one that requested the change and if not, you had a chance to intervene.

SO WHY FUCKING COMPLAIN?

[Hotrocket]

It amazes me that people continue to risk their income with this company...how many 100's of threads have we all seen like this about epass?..its a daily occurrence and these are just the situations we DO hear about.

Michael O deserves kudos for his customer service skills and in my opinion is the only reason epass has survived to date, that being said there will come a day when this company is going to crash and burn, they are going to take a lot of people with them and Michael O won't be able to save anyones day...

[Nikki_Licks]

So much for secure accounts

or should I say a secure system.....

[After Shock Media]

Quote:

Originally Posted by Enemator

So basically you're saying their security measures WORK and that they have effect.
They emailed the email address they had on file(instead of just replying) to make sure you actually were the one that requested the change and if not, you had a chance to intervene.

SO WHY FUCKING COMPLAIN?

You seem to have failed to notice that the first email I got was that my password had been reset and all my security questions had been reset.

They only happened to email me to let me know they had followed "my" request, which by that time it was to late to intervene. If I had not been up around when it happened it only was now secure by a few numbers and a letter.

Though I am currently dealing with Michael as per the emails. He is waiting for some details, yet says protocol would of required a phone call and answering 4-6 security questions. Which I find very hard to believe really happened at this point, however I am not saying it is impossible at this moment. Though I will say epassporte has more information about me than nearly all other sponsors out there combined. So if they really did ask some questions it better have been some serious ones from documents that they had made special requests for. Oddly the quoted email also does not mention a phone call at all though either.

[After Shock Media]

Quote:

Originally Posted by Hotrocket

It amazes me that people continue to risk their income with this company...how many 100's of threads have we all seen like this about epass?..its a daily occurrence and these are just the situations we DO hear about.

Michael O deserves kudos for his customer service skills and in my opinion is the only reason epass has survived to date, that being said there will come a day when this company is going to crash and burn, they are going to take a lot of people with them and Michael O won't be able to save anyones day...

I really do not risk my income with this company. I am a check person. I just happen to have an epassporte account for mostly secondary reasons, like paying people who perform services who have a hard time getting funds any other way. It is not that often where I will even have much money in there at all.

[CyberHustler]

Thats fucked

[GigoloShawn]

I'd be happy to see a policy change for this.

My question is, since they obviously know your email - do they have access to it? That's why I like not using any free email hosts for anything that needs some sense of security.

[After Shock Media]

Quote:

Originally Posted by GigoloShawn

I'd be happy to see a policy change for this.

My question is, since they obviously know your email - do they have access to it? That's why I like not using any free email hosts for anything that needs some sense of security.

Nah my email is secure and I change up the password to that weekly with the same PW standards I use everywhere else.

Technically if I did not use a public mail, my ISP mail would be just as easy if not easier to crack since it is web accessable as well. Servers would just as likely stand same chance of them being gotten into. Really see no extra security in using any other mail type.

[GigoloShawn]

Quote:

Originally Posted by After Shock Media

Technically if I did not use a public mail, my ISP mail would be just as easy if not easier to crack since it is web accessable as well. Servers would just as likely stand same chance of them being gotten into. Really see no extra security in using any other mail type.

That somewhat depends on who handles your mail. I don't even have a 'real' email address. I forward my email as an alias to one that nobody would even attempt on without a brute force attack on any publically-accessable MTA, and just set my mailto and reply-to to the alias. For my personal email, I block access by class C, and also change the password often. You can't do either of those with public mail servers.

[ladida]

Quote:

Originally Posted by GigoloShawn

That somewhat depends on who handles your mail. I don't even have a 'real' email address. I forward my email as an alias to one that nobody would even attempt on without a brute force attack on any publically-accessable MTA, and just set my mailto and reply-to to the alias. For my personal email, I block access by class C, and also change the password often. You can't do either of those with public mail servers.

All of that fails if the server your mail is on is compromissed, and that's usually the target, not your, or anyone elses email in particular. That's why using public big mails like gmail is a good thing in many cases.

Why they go "personal" with AMP is the case that someone got his personal information from somewhere, along with documents (or can forge them in a good manner) and they are trying to cash in on that (they mention in the email they would send the proper docs). So they got your personal info (name, address, phone etc etc) from somewhere.

[NinjaSteve]

Quote:

Originally Posted by Hotrocket

It amazes me that people continue to risk their income with this company...how many 100's of threads have we all seen like this about epass?..its a daily occurrence and these are just the situations we DO hear about.

Michael O deserves kudos for his customer service skills and in my opinion is the only reason epass has survived to date, that being said there will come a day when this company is going to crash and burn, they are going to take a lot of people with them and Michael O won't be able to save anyones day...

What is the alternative?

[After Shock Media]

Quote:

Originally Posted by ladida

All of that fails if the server your mail is on is compromissed, and that's usually the target, not your, or anyone elses email in particular.

Why they go "personal" with AMP is the case that someone got his personal information from somewhere, along with documents (or can forge them in a good manner) and they are trying to cash in on that (they mention in the email they would send the proper docs). So they got your personal info (name, address, phone etc etc) from somewhere.

Actually they just offered to send in docs. Does not appear they ever did.
I am almost 100% certain that my personal information was not used to access the account. Aside from epassporte who demands your personal information and documents, sponsors for instance just have company name, tax id number, and such.

If a company just relies on simple personal data (name, address, phone) then they have serious problems anyways. Every content provider would already be compromised in that instance due to 2257 (phone aside). Yet hell that still would be common whois information if one did not keep domains private.

So again unless they left shit out of the email and email quote. I do not see a request for a phone call, or a in reference to our phone call your info has been reset. Nor do I see a we received your documents, or after reviewing your documents we reset your information. The email is pretty cut and dry - please help - ok your reset.

[bbm]

You are too suspicious!

[GrouchyAdmin]

Quote:

Originally Posted by ladida

Why they go "personal" with AMP is the case that someone got his personal information from somewhere, along with documents (or can forge them in a good manner) and they are trying to cash in on that (they mention in the email they would send the proper docs). So they got your personal info (name, address, phone etc etc) from somewhere.

I agree; someone's got his data and is screwing with him.

[woj]

that's pretty shitty

[GigoloShawn]

Quote:

Originally Posted by After Shock Media

Actually they just offered to send in docs. Does not appear they ever did.

I've had this experience with every employee of ePassporte, aside from Michael O. Hit up Michael directly; he should be able to get you IPs and server logs. Again, those may not be horribly useful, but when compiled with the other 'password reset' requests you have, there might be enough information from the sponsors to track it down to some degree.

Highly unlikely, but it's also unlikely that I'm going to let Vietfraud send me joins on stolen cards because they use the name "Joseph Smith" for their affiliate account.

[After Shock Media]

Quote:

Originally Posted by GrouchyAdmin

I agree; someone's got his data and is screwing with him.

What really makes you think someone has my data? Nothing in the email chain goes that direction.

Quote:

Originally Posted by GigoloShawn

I've had this experience with every employee of ePassporte, aside from Michael O. Hit up Michael directly; he should be able to get you IPs and server logs. Again, those may not be horribly useful, but when compiled with the other 'password reset' requests you have, there might be enough information from the sponsors to track it down to some degree.

Already have contacted him and Michael is awaiting on epassporte, and phone records (if any) as he stated that is the protocol. Though he is also making sure protocol was followed. I also made requests for the email headers, etc.

[Nikki_Licks]

Quote:

Originally Posted by GigoloShawn

Hit up Michael directly

Without the help of MichaelO, this company would be doomed. He is the only asset this company has, it seems the rest of the company is out to lunch....just my

[After Shock Media]

Quote:

Originally Posted by bbm

You are too suspicious!

Eh huh?

I get a copy of an email I did not send requesting a full reset which was granted and I am being to suspicious?

[GrouchyAdmin]

Quote:

Originally Posted by After Shock Media

What really makes you think someone has my data? Nothing in the email chain goes that direction.

I meant that someone has your name and email, nothing more.

[After Shock Media]

Quote:

Originally Posted by GrouchyAdmin

I meant that someone has your name and email, nothing more.

That is pretty damn common though which really is fucking stupid if that is all it takes.

Though I am still waiting on what Michael comes up with assuming full protocol was indeed used. Which would mean they would need to be able to answer as he put it 4-6 security questions.

I know my previous and now new questions on epassporte are not questions used elsewhere. I am pretty careful about not repeating those things.

Which leaves info epass could have to ask about, which could be DL #, last 4 of some of the load cards, maybe middle name from ID, so forth. I just do not have that info sitting with other sponsors or such where it could get shared. Exceptions being middle name maybe, address, phone number. I do not use middle name anywhere really but I am sure it can be found online.

Of course I have also checked and constantly check my computer for key loggers, virus, spy ware, etc.

[GrouchyAdmin]

Quote:

Originally Posted by After Shock Media

That is pretty damn common though which really is fucking stupid if that is all it takes.

Some people are incredibly lazy; it'll be interesting to see the official statement.

[ladida]

Quote:

Originally Posted by After Shock Media

Actually they just offered to send in docs. Does not appear they ever did.
I am almost 100% certain that my personal information was not used to access the account. Aside from epassporte who demands your personal information and documents, sponsors for instance just have company name, tax id number, and such.

I never said they actually sent them in, but this is the first part in the scam. Im quite sure they know how the verifications at epassporte go, so if they have offered to send in the docs, im sure they would have sent something. You cought it fast enough so it won't work, but if you did not catch it in time, epass did the first move, reset all your info. Next part was them sending in the documents so they can take control of the account. So either they got your docs from somewhere, or know enough of your personal info to forge docs that look legit, and match with what you have on epass.

Here's one scenario from the top of my head.
You run a porn site. They hack in there, get your personal info from the database, maybe even personal pictures and shit if you keep it on server (many people keep personal things), find out your epass username, and the game begins...

You can be sure they have something, what, i dont know, but they have some info that they were gona use to persuade epass to send them the new login (after it got reset).

[After Shock Media]

Quote:

Originally Posted by ladida

I never said they actually sent them in, but this is the first part in the scam. Im quite sure they know how the verifications at epassporte go, so if they have offered to send in the docs, im sure they would have sent something. You cought it fast enough so it won't work, but if you did not catch it in time, epass did the first move, reset all your info. Next part was them sending in the documents so they can take control of the account. So either they got your docs from somewhere, or know enough of your personal info to forge docs that look legit, and match with what you have on epass.

Here's one scenario from the top of my head.
You run a porn site. They hack in there, get your personal info from the database, maybe even personal pictures and shit if you keep it on server (many people keep personal things), find out your epass username, and the game begins...

You can be sure they have something, what, i dont know, but they have some info that they were gona use to persuade epass to send them the new login (after it got reset).

I am of course not rulling anything at all out until I get the info back from epass.

As for your scenario, again highly unlikely. I know what info I have outside and what I do not. For instance aside from maybe 5-10 pictures on Fubar that have me in them, or silly fucking general pictures of crap, I do not keep anything online. Hell I do not even email friend and family pictures.

Databases should just contain business info which is different than what epass has.

I really am leaning more towards it just being pure human error with client services and the proper protocols were not followed, but we shall see. Even if I have to eat crow and say yes indeed something was compromised of mine and what it was I will keep this updated as I feel it could effect others and is the only reason I am doing this thread along with private communications with epassporte. If it can happen to someone who is as careful about security as I am, then it is very important to find out the how's and whys as I know many if not most people are not as tight with their security.

[Jarmusch]

I was under the impression that the only way you can contact epassporte support is through their message center after you log in. If this is really the case, then they should know which member sent them that email?

[After Shock Media]

Quote:

Originally Posted by Jarmusch

I was under the impression that the only way you can contact epassporte support is through their message center after you log in. If this is really the case, then they should know which member sent them that email?

Thats not true as they tell you on the site itself to contact CS@epassporte all over the place. Specially if you have any issues.

[ladida]

Quote:

Originally Posted by After Shock Media

Databases should just contain business info which is different than what epass has.

Well they might be going with those informations. I'd be looking at your sluttydollar servers next (if that's yours).
Or if you are an affiliate of someone, in those databases you usually put your name, surname, address, birthdate, ip, email .....
They might be trying with that aswell.

[After Shock Media]

Quote:

Originally Posted by ladida

Well they might be going with those informations. I'd be looking at your sluttydollar servers next (if that's yours).
Or if you are an affiliate of someone, in those databases you usually put your name, surname, address, birthdate, ip, email .....
They might be trying with that aswell.

I run their affiliate program. My details in there are very limited - again just business info etc. Like I would have at any affiliate program.

In those I put my company name - for payouts etc. Yes my address, and email (see above) and birthdays are not to damn hard to find out publicly again.

I still am leaning to the most obvious and likely reason, well ahead of any super strange and even harder to explain could of been reasons. After all perhaps I taunted the wrong person in some supernatural thread and they indeed are psychic or a ghost did tell them the answers. May as well go there too, instead of first thinking it was just human error at client support?

Though feel free to keep posting the what if's and could of been's. According to epassporte I should have some answers by Monday and we will see who was right or where to go from there.

[ladida]

Quote:

Originally Posted by After Shock Media

I still am leaning to the most obvious and likely reason, well ahead of any super strange and even harder to explain could of been reasons. After all perhaps I taunted the wrong person in some supernatural thread and they indeed are psychic or a ghost did tell them the answers. May as well go there too, instead of first thinking it was just human error at client support?

Doh. I tried to help you narrow it down and tell you how this stuff goes and you're here passing jokes on my account? You mentioned they tried other things aswell as epass. Well, that'll teach me.

It's human error.