WARNING: thefts due to password reuse

[Steve Sokolowski]

I wanted to raise a warning today. Last night alone, we noticed six instances where customers who reused passwords from other sites have had money stolen from them.

The huge surge in these incidents indicates that some site has had its database breached recently. If the site was careless, then the plaintext passwords are probably being tried at other sites. If the site hashed the passwords, then a brute force attack is probably going on against the contents of the database to find which passwords the hashes correspond to. Studies show that in such cases, hackers can often obtain 60% or more of the passwords in a hacked database through brute force.

The criminals then try the found passwords at other sites. In this case, the scam seems to be that they log in, change the users' payout addresses, and then impersonate the customer and request a password reset after the owner figures out the scheme and changes them back.

So far, over $8000 has been stolen by the thieves at Prohashing alone. Fortunately, one of the thieves appears to have made a mistake which has allowed us to contact the police, but an arrest will not directly recover the funds, the victims will still have to pursue legal action to sue the attackers, and there may be no money left to recover.

All of this can be prevented by a single golden rule: never, under any circumstances, use the same password on two different websites. The "LastPass" software is quick, easy, and free to manage large numbers of unique uncrackable passwords. We strongly suggest that customers download LastPass, generate a new random password, and change their passwords to one of these randomly generated ones. Do this as soon as possible, because the attackers continue to target additional users every day.

----------------

Edited on June 1:

After some research I found that the source of these attacks may be Verizon Wireless. The cell phone provider will perform many customer service requests in exchange for information that is easily obtainable on the Internet, like billing address.

A customer, for example, can be targeted to switch a number to a new phone, which can then be used to validate SMS authentication at E-Mail providers, which can then be used to listen in on conversations with other people to deduce more information, and to reset passwords at other sites, and so on until enough information is obtained to steal money.

I'm not sure what can be done about that problem, as nobody has control over Verizon Wireless's customer service policies. However, using a unique password and LastPass would not be vulnerable, as long as the password was never transmitted to any other site or through E-Mail or text.

[pilottage]

incredible... I was lucky to change mine... but something weird happened.... there was a swapping in my password at first that I didnt requested... then I updated to third different one! thanks!

[UPSoft]

its time to add google 2 factor authentication

[piet]

In this case, the scam seems to be that they log in, change the users' payout addresses, and then impersonate the customer and request a password reset after the owner figures out the scheme and changes them back.

yes, re-using passwords is stupid but i think this is 2-way traffic.
Its 2017, where talking about a lot of money floating around on PH, you should also take your responsibility.

Offer your customers some options to protect their accounts / money even if another site, database or password is hacked!

You could offer 2FA or a separate PIN that customers must create when registering. (and use it when changing important settings)

Some exchanges even send me a mail when my account logs in from another ip-address as usual, great service!

Just my 0.00000002 cents

[GregoryGHarding]

yeah guys i mentioned 2FA to them already they said it was on the list but it might be time to fast track that wish list item.
i really urge you guys to look into integrating Authy as the 2FA provider it would be a good fit for here.

just curious... what was the thief's mistake? not using a proxy?

[Steve Sokolowski]

its time to add google 2 factor authentication

This is definitely a feature we want to add in the future.

But thinking about this specific instance, I don't think that two-factor authentication is the solution to this problem. Adding two-factor authentication will split customers into two groups: users who use two-factor authentication and who are likely to already have used unique passwords, and users who are less careful with security and therefore wouldn't use either two-factor authentication or unique passwords.

The only way two-factor authentication would have resolved this specific instance is if we mandated it for all users. Therefore, I think that we need to address other weaknesses first if we want to prevent this sort of thing from continuing.

[GregoryGHarding]

what other security weaknesses are we looking at? 2FA is the end all for account scamming and impersonation, knowing their pw or not they cant get in my password can be 1234 and it just ain't gonna happen. unless you guys have a security hole you know of that needs patching in the back end, i dont think any security feature is more important. if people refuse to use 2FA you can simply disclaim that youre not responsible for their losses for not securing their account. making that noticeable will persuade even the guy with the secure pw to use 2FA. cuz they will be thinking "well jeez i dont wanna lose my hard earned mining money".

end of the day my opinion would be to integrate 2FA ASAP then work on other methods of security or improvements in user auth.

[Steve Sokolowski]

I wanted to raise a warning today. Last night alone, we noticed six instances where customers who reused passwords from other sites have had money stolen from them.

The huge surge in these incidents indicates that some site has had its database breached recently. If the site was careless, then the plaintext passwords are probably being tried at other sites. If the site hashed the passwords, then a brute force attack is probably going on against the contents of the database to find which passwords the hashes correspond to. Studies show that in such cases, hackers can often obtain 60% or more of the passwords in a hacked database through brute force.

The criminals then try the found passwords at other sites. In this case, the scam seems to be that they log in, change the users' payout addresses, and then impersonate the customer and request a password reset after the owner figures out the scheme and changes them back.

So far, over $8000 has been stolen by the thieves at Prohashing alone. Fortunately, one of the thieves appears to have made a mistake which has allowed us to contact the police, but an arrest will not directly recover the funds, the victims will still have to pursue legal action to sue the attackers, and there may be no money left to recover.

All of this can be prevented by a single golden rule: never, under any circumstances, use the same password on two different websites. The "LastPass" software is quick, easy, and free to manage large numbers of unique uncrackable passwords. We strongly suggest that customers download LastPass, generate a new random password, and change their passwords to one of these randomly generated ones. Do this as soon as possible, because the attackers continue to target additional users every day.

I edited this post with information about Verizon Wireless, which may be the source of these problems.

[lilbob]

bloody verizon, they were open already in 1998.

Edit, i believe this password systemic is older than we want to believe

[piet]

How to lose $8k worth of bitcoin in 15 minutes with Verizon and Coinbase.com

https://medium.com/@CodyBrown/how-to-lo ... 75fb8d0bac