GoFuckYourself.com - Adult Webmaster Forum


iBanker 07-29-2005 02:19 PM

Scammer Alert - Affiliates Read This
 
Just had this conversation...

EDITED (02:00 PM) : hello, i'm working for EDITED, my login "EDITED" doesn't work.

Chris (02:00 PM) : Let me check it for you then. One sec.

EDITED (02:00 PM) : thanks

Chris (02:00 PM) : What is your affiliate ID number?

EDITED (02:01 PM) : i have to ask my boss, i'll contact you later

Chris (02:01 PM) : okay, I will be here


(THIS IS WHERE I START WONDERING WTF?)


Chris (02:02 PM) : Do you have any other info I could look you up with? Last name? Email address on the account?

EDITED (02:02 PM) : EDITED EDITED (first last)

EDITED (02:03 PM) : [email protected]

Chris (02:04 PM) : And what is the problem? You can't log in?

EDITED (02:04 PM) : i can't login

Chris (02:04 PM) : What username and password are you using?

EDITED (02:05 PM) : username is EDITED

EDITED (02:05 PM) : i don't have the password here.

EDITED (02:06 PM) : can i contact you by email later? for you give me info

Chris (02:07 PM) : Well, sorry to be the one to tell you this. But some of the information you gave me does not match up. And you have to give me the proper password for me to reset it at this point. So one of two things is happening here: ONE - YOU are a scammer and I am telling you to FUCK OFF and stay away from my affiliates. Or TWO - this is just a miscommunication and I will need to contact your "boss".

Chris (02:07 PM) : If it is TWO, then you understand why I keep the information so private.

Chris (02:08 PM) : Any response to that sir?


It has been 10 minutes and no reply. This is the second one like this I have got in the last 3 days. Someone is out there with a list of affiliate names, I think, trying to get access to other people's accounts to most likely change their payment information. A particular account like this gets paid out some very good money EVERY week.

Heads up guys, that's all.

pawsregd 07-29-2005 02:21 PM

It's the FTC!!! lol :winkwink:

polish_aristocrat 07-29-2005 02:21 PM

Quote:

Originally Posted by pawsregd
It's the FTC!!! lol :winkwink:

lol 5678

iBanker 07-29-2005 02:25 PM

Heh, I had to edit it all out for the real affiliate...

Doctor Dre 07-29-2005 02:34 PM

Yea ... makes it hard for honest affiliates that forget their passwords!

I forgot my pgonzo pass and it was a headache to receive it

TMM_John 07-29-2005 02:36 PM

Good catch :thumbsup

iBanker 07-29-2005 03:13 PM

We are going to have to incorporate some new password system to prevent this. It seems like the only solution worth merit. Anyone have any suggestions?

Maybe something along the lines of a secret question/secret answer? Is that stuff even worthwhile?

The Other Steve 07-29-2005 03:30 PM

Perhaps respond in person to those requests with a phone call to the number listed on the account details?

iBanker 07-29-2005 04:30 PM

Quote:

Originally Posted by The Other Steve
Perhaps respond in person to those requests with a phone call to the number listed on the account details?

I put a little thought into that as well, but the fact is most affiliates don't put in their phone number. And it's funny, a lot of them have the same number "123456789". They must all live at the same house. :) I think they think we want to telemarket stuff to them. lol

I really wish more did, it would be easily solved that way.

Donny 07-29-2005 04:30 PM

Well, can't say I didn't try....

Murderous 07-29-2005 04:30 PM

AND provide them with a phone number to call you.

iBanker 07-29-2005 04:47 PM

Quote:

Originally Posted by DonovanPhillips
Well, can't say I didn't try....

AaronM tries once a week. You think he would know I have caller ID here by now.

David - PG 07-29-2005 06:04 PM

Quote:

Originally Posted by Doctor Dre
I forgot my pgonzo pass and it was a headache to receive it

We have a password retrieval function. If you do not have access to your original email address, however, we require some security questions; the last thing you want is your payout sent to some scammer's Epassporte.

emthree 07-30-2005 12:55 AM

Change the payment information and leave a complete traceable trail ... Brilliant.

V_RocKs 07-30-2005 01:13 AM

Best practices:

Encrypt the password in the DB using something sweet like MD5 or SHA1.

#1, Then when someone types in their password, the login script encrypts what they wrote and checks it with what is in the DB. If both encrypted passwords match, the person typed in the right unencrypted password in the form.

#2, Make your password for the affiliate. If you did #1 correctly and someone can't decrypt your stolen DB, it doesn't matter because they stole the unencrypted DB of your competition and guess what, 85% of webmasters use the same password EVERYWHERE.

#3, Have them create a secret question that must be answered with a phrase. Don't use stupid questions like, what is your favorite color. 70% of the world prefers blue and 98% prefer a primary or secondary color. That leaves only 9 colors to play with and you are in on EVERY account. A better question would be, What is the best part of your lover: and it should be answered with a phrase. She has a great ass. The script would check for a minimum of 3 spaces and a length of at least 16 characters. This way you know it was a phrase...

#4 Answering it correctly would send an email to the email they signed up with. They should not just get direct access to the account.

#5 Emails must be from ISPs, not free accounts or domains owned by the affiliate. Hack their server and you get to read all their email.
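The checks in #1, #3 and #4 above, sketched as an added example that is not part of any poster's message or any sponsor's code. It assumes salted PBKDF2-SHA256 in place of the bare MD5/SHA1 named in the post; the function names, the account record layout and the `outbox` list standing in for the mail system are hypothetical.

```python
import hashlib
import hmac
import os
import secrets

ROUNDS = 100_000  # assumption: PBKDF2 work factor, tune for your server

def hash_secret(secret, salt=None):
    """Salted PBKDF2-SHA256, used here in place of the bare MD5/SHA1 the post names."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ROUNDS)

def verify_secret(candidate, salt, stored):
    """#1: hash what was typed and compare it to the stored digest in constant time."""
    return hmac.compare_digest(hash_secret(candidate, salt)[1], stored)

def normalize(answer):
    """Fold case and whitespace so the same phrase always hashes the same."""
    return " ".join(answer.lower().split())

def is_phrase(answer):
    """#3: accept a secret answer only if it has >= 3 spaces and >= 16 characters."""
    answer = normalize(answer)
    return answer.count(" ") >= 3 and len(answer) >= 16

def make_account(email, password, answer):
    """Constructed sample record (hypothetical layout); a real one lives in the affiliate DB."""
    if not is_phrase(answer):
        raise ValueError("secret answer must be a phrase")
    pw_salt, pw_hash = hash_secret(password)
    an_salt, an_hash = hash_secret(normalize(answer))
    return {"email": email, "pw": (pw_salt, pw_hash), "answer": (an_salt, an_hash)}

def request_reset(account, answer, outbox):
    """#4: a correct answer only mails a one-time token to the address on file."""
    if not verify_secret(normalize(answer), *account["answer"]):
        return False
    token = secrets.token_urlsafe(32)
    # Store only a hash of the token; the plaintext goes out by mail once.
    account["reset_token_sha256"] = hashlib.sha256(token.encode()).hexdigest()
    outbox.append((account["email"], token))
    return True

if __name__ == "__main__":
    acct = make_account("affiliate@example.com", "correct horse", "my dog chews old shoes")
    outbox = []  # stands in for the mail system
    print(request_reset(acct, "blue", outbox), request_reset(acct, "My dog chews  old shoes", outbox))
    print(outbox[0][0])
```

The caller never supplies the destination address: the token goes only to the email already stored on the account, so a correct answer typed into a chat window gains nothing by itself.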

The Other Steve 07-30-2005 01:40 AM

Quote:

Originally Posted by iBanker
I put a little thought into that as well, but the fact is most affiliates don't put in their phone number. And it's funny, a lot of them have the same number "123456789". They must all live at the same house. :) I think they think we want to telemarket stuff to them. lol

I really wish more did, it would be easily solved that way.

I understand mate but I find the unwillingness of some people in this industry to use the phone to be amazing. It's the fastest way I know of to get a problem resolved.

We had a minor hassle with a host we use in Holland so we emailed them - two minutes later he rang us and 30 seconds after that the problem was solved.

Try getting that sort of resolution by exchanging emails ...

There is no quicker and surer way to overcome problems but by verbal communication - emails and instant messaging leave too much to chance because important things like the tone of voice are missing.

We did actually have one sponsor call us one day - and it was one of the most helpful and informative contacts we've ever had with a sponsor. It sure beat newsletters and emails.

In our business we often call clients who are about to pay for orders just so they know that they are dealing with real people - it's amazing the difference a phone call can make.

V_RocKs 07-30-2005 03:43 AM

You must have been talking to Mike the Bike..

iBanker 07-30-2005 11:41 AM

Quote:

Originally Posted by V_RocKs
Best practices:

Encrypt the password in the DB using something sweet like MD5 or SHA1.

#1, Then when someone types in their password, the login script encrypts what they wrote and checks it with what is in the DB. If both encrypted passwords match, the person typed in the right unencrypted password in the form.

#2, Make your password for the affiliate. If you did #1 correctly and someone can't decrypt your stolen DB, it doesn't matter because they stole the unencrypted DB of your competition and guess what, 85% of webmasters use the same password EVERYWHERE.

#3, Have them create a secret question that must be answered with a phrase. Don't use stupid questions like, what is your favorite color. 70% of the world prefers blue and 98% prefer a primary or secondary color. That leaves only 9 colors to play with and you are in on EVERY account. A better question would be, What is the best part of your lover: and it should be answered with a phrase. She has a great ass. The script would check for a minimum of 3 spaces and a length of at least 16 characters. This way you know it was a phrase...

#4 Answering it correctly would send an email to the email they signed up with. They should not just get direct access to the account.

#5 Emails must be from ISPs, not free accounts or domains owned by the affiliate. Hack their server and you get to read all their email.

Those are some great suggestions. I am going to pass them on to my programmer. Thanks a lot!

:)

Nathan 07-30-2005 11:47 AM

Chris...

hope you'll take a suggestion from me... (no bad blood and all)

Although V knows his stuff, his #3 idea is good but might cause more problems.. I am sure he has his reasons, but I have yet to find a reason why a simple email system is a problem. Meaning:

Simply have them type in the username and the email they signed up with. If the info is correct, send a new password (or the old one if you do not store it encrypted) to their email address on file.

I understand the idea behind the secret question, but like V said, you have to make it COMPLICATED to make it secure. No wonder Paris's Sidekick account was hacked.

The only reason some places have a secret question setup is so that they do NOT have to send an email out on requests. They just let them enter the password again then.

As long as you do not display the password somewhere but email it to the account on file, I see no problem with this kind of stuff.

V, your input on my opinion would be appreciated.

Antonio 07-30-2005 11:50 AM

my middle name is Edited, gimme your IDs, passwords, and while you're at it CC numbers + the CVVs, thanks

iBanker 07-30-2005 11:50 AM

Quote:

Originally Posted by Nathan
Chris...

hope you'll take a suggestion from me... (no bad blood and all)

Although V knows his stuff, his #3 idea is good but might cause more problems.. I am sure he has his reasons, but I have yet to find a reason why a simple email system is a problem. Meaning:

Simply have them type in the username and the email they signed up with. If the info is correct, send a new password (or the old one if you do not store it encrypted) to their email address on file.

I understand the idea behind the secret question, but like V said, you have to make it COMPLICATED to make it secure. No wonder Paris's Sidekick account was hacked.

The only reason some places have a secret question setup is so that they do NOT have to send an email out on requests. They just let them enter the password again then.

As long as you do not display the password somewhere but email it to the account on file, I see no problem with this kind of stuff.

V, your input on my opinion would be appreciated.

No bad blood at all, and your input is appreciated. Your solution is essentially what I am doing now, so that makes me feel like I'm going the right direction so far.

I'm just blown away that this has happened 2 times in one week!

Nathan 07-30-2005 12:00 PM

Quote:

Originally Posted by iBanker
No bad blood at all, and your input is appreciated. Your solution is essentially what I am doing now, so that makes me feel like I'm going the right direction so far.

I'm just blown away that this has happened 2 times in one week!

You are right, it's scary enough that people try at all.. but twice in a week.. scary...

Anyway, unless V has some valid point against this simpler system, I would definitely go with that, I have not seen any flaw in it yet...


All times are GMT -7.