Plenty of Fish? Might as well rename it plenty of passwords.
The worst part is Markus stores his passwords in plaintext, or slightly better reversible encryption.
POF will mail a person their password. This is a security nightmare because basic precautions were not taken.
I just checked and POF is still able to reproduce and email me my password. I also checked the email I use for POF and there is no mention of this in any of their emails. If markus took this seriously at all he'd be resetting everyones password and have instructions to reset their email password.
"We have reset all users passwords and closed the security hole that allowed them to enter." This is a lie, I just logged in with my username and password. I wasn't even asked on login to change it.
I don't know what it's like now, since I haven't used POF since 2008 or so when I met my current girlfriend (though I only remembered to kill the account a few months back), but back then they would actually send you reminders every so often - I want to say once a week - that included your plain text password as a reminder.
I think this is just the kick in the ass I needed to go through all my accounts around the internet and make sure they all have unique, reasonably complex passwords. My email and banking passwords have always been unique, but I know I've been slack elsewhere. I won't let that happen again.
If there is an option to use some kind of hardware token with your banking then I would strongly advise you to take that.
Having just a password to protect your bank account sounds pretty scary to me. That's about as juicy as it gets. I'm paranoid enough about my servers having 'just' a password to protect them (oh, and an ACL), if my bank accounts would have only a password I wouldn't sleep.
Every time I log on I have to use my chipcard in a little electronic device with an LCD display and a bunch of buttons on it, the chipcard generates a unique ID every time I log in. When I want to do an actual transaction I have to authorize it using 1, 2 or 3 challenges depending on the amount and destination of the transaction. It's less convenient than a password protected system but it's fairly secure.
It's also protected against the most common form of theft called 'skimming' because it uses the chip and not the magnetic stripe so a thief using the data on a skimmed card could only use that to use an ATM but not to access the internet banking section of the website of my bank.
In Denmark the currently-being-phased-in solution is a low-tech version of two-factor authentication. Instead of a hardware dongle, the centrally-administered "NemID" system issues you with a physical code card with some numerical codes on it. You enter your NemID password, your CPR number (Denmark's citizen-ID number), and the next unused code on the card. When there's fewer than 20 unused codes, the system notices and mails you a new card.
The downside is that there's now a single point of failure, albeit with more factors. If you get someone's CPR number, their NemID password, and their current NemID card with some indication on it of which the next unused code is (most people mark off the used codes), you can log into everything: all Danish banks, the tax authority, the municipal authorities, your library account, etc., etc.
They do try to minimize it by writing strongly worded warnings everywhere not to store your NemID password in your wallet. A typical wallet contains a Danish health card with CPR number, and the NemID code card, so it's fairly important that the NemID password not also be there.
The upside is that the NemID system gets the average citizen to a point where his/her family (and close friends) are the largest security problem. It is much more difficult for hackers in Argentina and Russia to get into your bank account when they need access to a piece of paper.
If is impossible to protect against your own family: the have hardware access to your computer, they can intercept all your paper mail, they know all details about your life, etc. So they are the perfect identity thieves.
Some Danes think they are clever and scan the paper card and store it as an image on their computer. Some people are just impossible to make a secure access system for.
The upside of the downside is that if anybody gets hold of your login details, then there is a single place to stop them instead of having to change 20 logins.
BTW. "NemID" translated to English is "EasyID". Within the next year, a hardware dongle will be available (e.g. for users who often login and uses up all the codes on a paper card in no time).
If there is one thing I would like it would be the option to specifically authorize a set of IP addresses allowed to access my bank account rather than the implicit way it is done right now.
I totally agree with this. I even had the SSH firewall rule of my Mumble voice server for my WoW guild set to only allow my home connection. One downside is if I'm ever given a different IP address by my ISP, I'd have to go to work and change it. Minor inconvenience but this isn't a crucial service.
Chase bank requires me to authenticate via a texted or emailed code if I log in to my bank via a browser I haven't used before. Not exactly the same, but a helpful additional precaution.
1. UserID is your date of birth and some random-ish number appended
2. It asks for three random characters from your password and your PIN
3. For any transaction you have the chip-card-plus-calculator-looking-device (and you need to know the pin for that.)
Personally I'm happy enough with the German system (username, password, random TAN from a piece of paper). At least I will be until my kids grow up :-).
This resembles the most common way of authentication for online banking in Germany (a PIN and a list of transaction codes, so-called TANs).
Do you always have to pick the next one-time code in the printed sequence? In Germany, you used to be free to pick any of the unused TANs, which made phishing really simple. Nowadays it's more common for a bank to challenge you to a randomly chosen TAN.
When I use NemID, it asks for code number NNNXXX, where NNN is the sequential number of the codes (to make it easy to find) and XXX is a "check" to prevent phishing.
Are you European? I only ask because my friend in London is the only person I've ever heard of using such a device.
Unfortunately, such a thing seems all but unheard of here in Canada.
Our debit and credit cards are being replaced with cards with chips embedded, which could be a sign that such devices are coming, but for now I'm afraid my password is my only real line of defense online. I have noticed that when I login from a new computer (for example, when I visit my parents), the site uses one of my challenge questions to ensure it's really me. I guess that's something, although I really don't know the exact circumstances that trigger the challenge.
The weird thing is that Blizzard will cheerfully sell you a $7 hardware token to protect your imaginary WoW gold and equipment, but I don't know of any US banks that offer one to protect your actual money.
Don't quote me on this, but I think banks are starting to lean on "possession of a trusted mobile device" as their two-factor authentication. The basic theory is that I give them a number I can receive SMSes at, and then any time they want to verify that the person operating my web browser is really me, they say "We just sent you a one-time password via SMS. Enter it, resend it, or talk to customer service."
This has significant advantages over dongles from the perspective of the bank: they don't have to get into dongle distribution, and people are probably better at keeping cell phones available than they are at keeping dongles available.
Most banks use the "you only get to try three times before your account is locked" method of security. It's pretty hard to bruteforce a password with only three attempts before you have to call customer service. At that point, you might as well print out a fake driver's license, walk into a branch, and ask to close "your" account.
E*TRADE offers this for free if you have a high enough balance ($5K?) between accounts. Unfortunately, our good friends at Mint.com have no way to deal with two-factor auth, so in my informal polls, all my friends who were using two factor switched back to password only so they could use Mint's reporting features.
The chips are most likely for EMV[1], which essentially puts some intelligence on the card in the form of an IC chip, and allows the card to make approve/deny decisions based on rules of the issuing bank. With EMV cards, the transaction is more like a negotiation, and the card may reject at any point.
Of course, like anything, there will be vulnerabilities, and in the interests of usability, some issuing banks will relax restrictions.
Because of the crypto involved in the back and forth communication between hardware and card, EMV transactions piss off a lot of customers, it can easily take 2-3 times more time to process a transaction when compared to a mag-swipe.
Though it does reduce the chance of your card getting skimmed. (Skimming is where your details are captured during the swipe. Yes, a swipe through the appropriate device reveals all the information required to completely duplicate the card.)
Actually, in Norway there are some banks that use the credit card chip for two factor authentication (the same which is used for EMV). You put the card into a small "reader" with a display, and out pops a number that you use when logging into the online bank. Most banks however use a dedicated device with a time-based one time password.
I'm not sure why, but I've seldom seen EMV transactions take longer than a regular swipe, but this might be because both 1 second * 3 is still not that big of a deal. (Or for all I know, it might be because they are only validating the credit card number..)
The interesting thing is that skimming is still possible, at least in Norway. It still happens that there is some kind of communication problem with the EMV system, and swiping the card is the fallback option. I guess this option will be turned off as soon as it works "all the time" and they can remove the magnetic stripe.
Correct, in fact there already are. Most of those will require at a minimum a hardware hack or access to transactions 'in progress' (modified terminals) and will usually only gain access to the data that is stored on the magnetic stripe, not to the other data stored on the chip (the chip contains a duplicate of the stripe data and some other data only available on the chip and not sent out over the wire used in challenge/response fashion).
The system is not 100% secure but is a bit better than just having a password and the fact that it requires access to the original card makes it a lot harder still (those cards can be stolen though, and combined with a bit of hardware and a 'yes' card (a card that always responds 'transaction authorized') you could fool online payment terminals).
But that's still a step removed from gaining complete control of a bank account using web based banking and a password.
> Our debit and credit cards are being replaced with cards with chips embedded
Do you want to know something scary about that. We've had Chip and PIN as the de-facto standard in the UK for some years now (although I do remember it coming in).
The really scary thing is; my parents remember it being widely used in Germany in the late 80's.
It is true that paying in stores with my German ATM card and its PIN was nothing new when I got my first bank account in the mid-90s. However, that system used the magnetic stripe of the card (which is why skimming is still so attractive here); smart-card chips on bank cards were introduced a lot more recently.
I only have my parents recollections about this (we lived in Germany in the late 80's, but I was 0 & so can't recall ;)) - possibly it was swipe & pin, I'd have to ask.
But when the Chip 'n Pin system came in here in the UK my Dad's first comment was "oh, they were using that in Germany in '87/88"
> Unfortunately, such a thing seems all but unheard of here in Canada.
That sucks!
> Our debit and credit cards are being replaced with cards with chips embedded, which could be a sign that such devices are coming, but for now I'm afraid my password is my only real line of defense online.
Ok.
> I have noticed that when I login from a new computer (for example, when I visit my parents), the site uses one of my challenge questions to ensure it's really me.
So the bank likely either keeps a record of 'known' IP addresses for you or they keep a cookie on the computer that they use to identify a computer that you've used at least once.
How annoying. It's interesting how we berate POF for not following 'best practices' but even institutions such as banks could do a whole lot better to protect their and their customers best interests.
Are you liable for fraud committed with your account online?
Or would the bank indemnify you if your password were used to clean out your accounts?
With one bank I must use the hardware token solution (and I am able to use any device, not just the one issued to me). With another bank I must register my mobile telephone number with them and they send me a text with an authorisation token whenever I need one.
I much prefer the hardware solution even though it is a major inconvenience when travelling light.
>Are you liable for fraud committed with your account online?
Not with TD Canada Trust, to an extent:
"As set out in our account agreements, you are responsible for maintaining the care, control and confidentiality of your Access Card number, Connect ID, and passwords. TD Bank Financial Group is not responsible for unauthorized access to accounts online or losses that occur as a result of you voluntarily disclosing your Access Card number, Connect ID, or passwords, or the careless or improper handling, storing or disclosure by you of this information. In the event of loss, theft, misuse or compromise of your Access Card, Connect ID, and/or passwords, you must notify TD Bank Financial Group immediately."[1]
The "Known IP" is a bit more complicated. I was travelling through South America recently, and could always access it from my phone. However, accessing from a hostel or internet cafe required answering a security question.
The system we use here has it's own vulnerabilities (after all, if your card is stolen and the pin is known then any token can be used to authorize transactions, and there are known ways to attack the card electronically) but it makes it at least a little bit harder.
On top of that we do have indemnification.
Combating electronic banking fraud is an ever lasting game of leap frog, it looks like the banks are at least one step too far behind. At least they have the extra challenge question, I hope you made them hard enough :)
Its really ridiculous how many sites still store passwords that way. SurveyMonkey still sends forgot password requests in plaintext email. You'd think with $100M of funding they'd have sorted that out by now.
1. He provides emails - I think Mark(Guy from Plenty of Fish), really needs to get those voice recordings of Chris threatening his wife online to be more credible.
2. Mark tells a complicated story - A story with mafia and all that, really? If we follow Occam razor, Chris story sounds more realistic. He saw a flaw and reported it. Everything was going dandy until he saw ads for Plenty of Fish data. At this point Mark decides to try ruin Chris by fabricating a story, since he believe it is him trying to sell the data. It is a simpler story.
3. Why isn't Mark contacting the authorities? - A week and Chris is not in jail and responding freely on his blog?
Mark does have some valid points though,he did hack pirate bay: http://torrentfreak.com/the-pirate-bay-hacked-users-exposed-...
But Chris claimed again, proof of concept and he has no bad intentions.[What is the appropriate way to expose vulnerabilities?]
In my opinion, he[Mark] should release the voice recording to add more credibility because right now he is sounding shaky.
A key point here is that he didn't use a proxy and doesn't seem to hide his identity during the sniffing around, which means he's either:
a) stupid.
b) not intending to do anything malicious.
I think a. is unlikely, because he did actually manage to break in, although, the hole itself might've been trivial and therefore this might not count. I don't think so, though.
Which leaves b.
I think it's pretty obvious from both sides of the story that what Chris intended to do was (c) demonstrate the existence of a vulnerability in order to hard-sell his security consultancy.
Reading between the lines, it looks like his sales tactics were heavy on the FUD (he pointedly hasn't denied making any claims about Russian conspiracies), leaving Frind paranoid and angry. And probably also embarrassed if the security flaws were as basic as is being suggested.
The hacker's story certainly has less holes, however the style of writing out numbers as words is suspicious; I have only ever seen it in 419 scams: "28,000,000 (twenty eight million users)".
While we were creating the legal documents in order to proceed, Markus Frind got progressively more aggressive and unresposive with us, and told us to speak with their employees, Kate and Jay, because there was a serial killer, murdering people from the website.
If you ask me, both of them sound crazy and deluded. Marcus' story doesn't make much sense if you read the email on that site[1], but carrying on about serial killers doesn't help your case much either. And that freelancer link is just a red herring - I can't see what it's got to do with the case at hand.
[1] Update: Or even if you read his own post: "I listened in the background and I closed the breach if indeed there was one while my wife was on the phone". Er, was there a breach or not? And why are you calling his mother and not the police?
Mate, before you milk that 'interview' for eye-balls, just go back to the PoF article above and read the new comments.
Chris Russo is there commenting, and it calls your ability to judge character into question. For starters, he has never denied the story about Russians holding his computer hostage and threatening to kill him. He just ignored it. Then he goes for the "race" card and says PoF are suspicious of his intent just because he is in Argentina.
Why haven't you denied the puppies kidnapping, mahmud? I can overlook the Yakuza. I have seen some movies about them and they look cool, but kidnapping puppies?
I believe the PoF guy simply because he has more to lose. You can already see this Russo character writing his own "If I Did It"[1] account of the tale. Looks like his attempt at getting a gig backfired.
I just spoke directly with Chris Russo over Skype.
He is extremely upset about the whole situation.
I don't want to put any words on his mouth.
He tells his own version of the events on the link above which he allowed me to post on his behalf.
I think that document raises a lot more questions than it answers, and some of those questions would have me 'extremely upset' too if I was on the receiving side of them.
The fact that a well known site like POF was hacked is eclipsed by the fact that they both store unencrypted passwords, and the bizarre tone of this article.
I managed to stumble through the first part of the article, but lost interest when Russo claimed that "he can see what the Russians are doing because they took over his computer." This sounds technologically implausible at best.
Maybe the official post in the morning will make more sense.
Is it implausible? Could you not set up some kind of honeypot machine and then monitor it's activity once it's been zombie'd? (Genuine question - I'm definitely no expert on the topic).
Certainly! That part alone is not only plausible, but also quite common. Antivirus companies, security researchers and various other interested parties have been known to use such tactics.
However, it doesn't make sense then those who hacked his supposed honeypot would be aware of his oversight ("they are trying to kill him"), while still using the honeypot to perform whatever illegal shenanigans they were up to ("they are currently downloading plentyoffish’s database").
"Roberto Alsina
Just a small clarification about this bit:
"They then start talking about money because they need to incorporate a company that can deal with companies outside of Argentina and that will cost $15,000. They also needed to know if they were going to make over $100k/year or 500k/year as that would require different registrations…"
I am from Argentina, and I own a company. Yes, in order to bill services to foreign customers, you need to register your company as an "exporter of services". And to do that you have to put money on escrow (but not $15000, only $7500), or your company has to demonstrate assets for over $12500.
If Russo has been working without an incorporated company (he could be a "monotributista", which is a way to bill as a physical person). A monotributista can export services, but... he's personally liable, so doing security consulting that way is insane.
That's probably why Russo could be asking for money up-front: if he didn't, he would have been doing business illegally."
Many freelancers work as monotributistas or responsables inscriptos, exporting services that way. And it's perfectly legal. For a single person shop this would be the first case I hear of, of an incorporate company setup that way.
Yes, it's perfectly legal, but is incredibly stupid in this case because of the liability.
If you work on security this way, you are going to get sued eventually. If you are a monotributista or responsable inscripto, you will lose everything. A SRL (like a LLC) is the logical way to handle this kind of work.
What I meant by illegally is that it would be illegal if he was already incorporated as a SRL and exporting services (he needs to do the escrow to do that legally).
I wonder if Markus realizes that e-mails have been going out non-stop to customers lately from spam profiles using their 'wants to meet you' "feature". On the one hand, I feel bad for PoF becoming the target of an attack and drama, but from the tone of the post, it wasn't handled right on their side either. PoF really needs to get its act together on the security side. It's sad to because it was a fairly well executed concept when it first arrived on the scene, and has since just turned into what amounts to a spam/ad farm.
As the lead developer on a dating site myself, I can say that it's ridiculously hard to keep out spam profiles. We block by country, Project Honeypot entries, and HTTP header profiling, use captchas, and use other bot-sniffing tricks, but in the end we still have to manually ban IP addresses every day.
We don't store passwords in plaintext though, sheesh.
Edit: I just upgraded the hashing algorithm on the site from SHA1 to Bcrypt. Paranoia for the win.
I read "closed the security hole", but I never read "reinstalled everything from scratch using clean data sources" - isn't that what he should have been doing?
I still feel icky because of the sourceforge hack and wonder if I should reinstall everything. I probably should :-(
I'm on plentyoffish and they do weekly send you your password in plaintext (there are plenty of other sites that do this). Thankfully I change my passwords each month to a random string of 12 characters and don't really care. Perhaps if hackers get into my account, my account can finally get a date!
I don't understand why the victim of a crime is being given a hard time.
Scenario: I own a safe with all my personal information locked inside of it; a Safe Cracker (let's call him...Chris) comes along a cracks me safe. Chris call me as says to me 'yeah, I cracked your safe if you don't hire my company to fix you safe's vulnerability maybe your personal information might get out.'
Who is the bad guy in that situation the dope with the safe, with a 1-2-3-4 combination or the guy who takes the dopes information and attempts to use it for his own personal gain.
NOTE: To anyone who still thinks the dope is more to blame; please send me your address i'll rob your apartment/house then sell your things back to you (don't worry I'll also sell you new locks).
It is mind boggling that the young 23yo Chris Russo was smart enough to hack PlentyOfFish but not make any sense with his crazy requests and compulsive lies.
This morning Markus Frind CEO of PlentyOfFish plans to do and official statement about the events.
Fun Fact: Markus Frind graduated the same year as I did from BCIT in Vancouver. I took Mechanical Design and Mark took Computer Science. Do I regret not taking CS, hmm maybe?
It is mind boggling that you contact Chris Russo, get his version of the events, publish it receiving page views and ad revenue and then immediately claim he "does not make any sense with his crazy requests and compulsive lies" without any demonstration of these claims. Now, you might be right, he might be a compulsive liar, but if he is why are you publishing his version of the events on your site then quietly labeling him crazy on HN without some measure of proof? You do realise such claims are libelous right?
My apologies. I got his version of the events after I read Marcus blog post. My opinion at that point was based only on the information I had a the moment.
Then Chris Russo himself emailed me his version of the events which I posted on my blog with his permission.
Lesson, don't take sides until you hear both sides of the story, understood.
A pure statistical reason since I am willing to bet there are way more CS students building websites than Mechanical Designers.
But everything is possible, I have also built websites albeit a billion times less successful.
To be honest I was just expressing my envy because although we went to the same school Mark build the largest dating site on the world and today is a millionaire and I am not, sniff.
Grumo media looks pretty cool. Maybe you shouldn't regret it? I'm doing a startup in Vancouver as well. Your videos look awesome but are out of my current budget. :(
I just checked your profile, do you also do iPhone apps? We're a cool startup in Vancouver and we're looking for help with our iPhone development, maybe we can chat
Thanks dude! I know, I know, startups are inherently strapped for cash but when you raise your first round don't forget me!
Give me shout anytime and tell me about your startup, love to meet entrepreneurs ;)
From Markus' account, it sure looks like that; but note that a "chris russo" says, in the comments, that he's only given a proof of concept and that the web server logs will show that he didn't make a full dump.
Of course, sending a PoC with an offer to fix the security does have a "nice website you have there, it'd be a shame if something happened to it" vibe to it; still, it's factually different from trying to extort money from a company by dangling a dump of their customer database.
That's a technicality in my opinion. If the website owner would ask you to fix it that would be one thing, to hack them and then to 'offer to fix it' (presumably for a fee) is across the line. It's a fine one but it's definitely there.
Hacked a site?
Send them a message about it, give them time to respond and time to fix. If they don't respond after a reasonable time has passed go public with it, don't try to translate it in to paid work.
Trying to turn a PoC into paid work is indeed sketchy; but I do understand that security researchers/whitehat hackers would like to get paid for their work.
It would be good if more companies set up bug bounties, and even better if they'd set the reward a bit closer to (reputed) black-market prices.
> Extortion, outwresting, and/or exaction is a criminal offense which occurs when a person unlawfully obtains either money, property or services from a person(s), entity, or institution, through coercion.
Where is the coercion? Is there a threat here to do something? I can't see it. In fact, the opposite - the damage is already done.
The coercion would exist only if there was a threat to do something bad from the extorter, which really, I can't see at all.
Telling someone they should lock their door, and that you could do it for them (but not necessarily that noone else could, I mean what kind of developer can't fix a SQL injection attack in a couple of hours max?) doesn't seem like extortion to me. Now, if the claims about a stolen data dump held as collateral and threatening media reports are true, it borders on extortion.
I'll ignore the issues with the plaintext/reversible passwords since that's a trope that has been bandied about enough lately and ask if anyone has technical details on the hack itself, I'm quite curious if it was a simple SQL injection or something more artful.
I'd tend to lean towards injection, given that it took Russo (apparently?) 2 days to produce a working exploit with what amounts to fiddling around, but if anyone knows where I can read a write-up on it I'd appreciate it.
(Professional curiosity, I'm a web dev and like to be apprised of what catches the more popular sites. Sometimes you get lucky and it's subtle/neat.)
Apparently the above is unpopular - I was just trying to point out that posting your password (or enough of it that one could bruteforce the rest) has its downsides.
The worst part is Markus stores his passwords in plaintext, or slightly better reversible encryption.
POF will mail a person their password. This is a security nightmare because basic precautions were not taken.
I just checked and POF is still able to reproduce and email me my password. I also checked the email I use for POF and there is no mention of this in any of their emails. If markus took this seriously at all he'd be resetting everyones password and have instructions to reset their email password.
"We have reset all users passwords and closed the security hole that allowed them to enter." This is a lie, I just logged in with my username and password. I wasn't even asked on login to change it.