Comments on: Once your PC is hacked, your ecommerce passwords go on sale at $2 a pop http://boingboing.net/2012/12/26/once-your-pc-is-hacked-your-e.html Brain candy for Happy Mutants Wed, 22 May 2013 13:46:00 +0000 hourly 1 http://wordpress.org/?v=3.4.1 By: Halloween_Jack http://boingboing.net/2012/12/26/once-your-pc-is-hacked-your-e.html#comment-1617035 Halloween_Jack Sat, 29 Dec 2012 05:05:00 +0000 http://boingboing.net/?p=202853#comment-1617035  It could be linked to an alternative payment system such as PayPal, or possibly the complete credit card info is stored in plaintext. Which sounds kind of crazy, I know, but who knows?  It could be linked to an alternative payment system such as PayPal, or possibly the complete credit card info is stored in plaintext. Which sounds kind of crazy, I know, but who knows?

]]> By: Tracy_Flick http://boingboing.net/2012/12/26/once-your-pc-is-hacked-your-e.html#comment-1616494 Tracy_Flick Fri, 28 Dec 2012 17:20:00 +0000 http://boingboing.net/?p=202853#comment-1616494  But it says that accounts with credit card info attached go for a higher price. So doesn't that imply that the ones they're selling for the lower price don't have credit card info attached?  But it says that accounts with credit card info attached go for a higher price. So doesn’t that imply that the ones they’re selling for the lower price don’t have credit card info attached?

]]> By: Charlie B http://boingboing.net/2012/12/26/once-your-pc-is-hacked-your-e.html#comment-1616416 Charlie B Fri, 28 Dec 2012 16:17:00 +0000 http://boingboing.net/?p=202853#comment-1616416 Seems like lately it's trojans - usually java trojans.  Yet another reason to avoid Java on ythe endpoint, if Oracle's ownership wasn't enough. Seems like lately it’s trojans – usually java trojans.  Yet another reason to avoid Java on ythe endpoint, if Oracle’s ownership wasn’t enough.

]]> By: Bob Harvey http://boingboing.net/2012/12/26/once-your-pc-is-hacked-your-e.html#comment-1616025 Bob Harvey Thu, 27 Dec 2012 18:36:00 +0000 http://boingboing.net/?p=202853#comment-1616025 How do I sell them. I could make a living making emails and selling the passwords. How do I sell them. I could make a living making emails and selling the passwords.

]]> By: bolamig http://boingboing.net/2012/12/26/once-your-pc-is-hacked-your-e.html#comment-1615746 bolamig Thu, 27 Dec 2012 06:19:00 +0000 http://boingboing.net/?p=202853#comment-1615746 So what's the most common way of stealing passwords from an infected PC these days? Are they still using keyloggers or can they now crack the browser password cache? So what’s the most common way of stealing passwords from an infected PC these days? Are they still using keyloggers or can they now crack the browser password cache?

]]> By: Halloween_Jack http://boingboing.net/2012/12/26/once-your-pc-is-hacked-your-e.html#comment-1615659 Halloween_Jack Thu, 27 Dec 2012 02:37:00 +0000 http://boingboing.net/?p=202853#comment-1615659 Because lots of people have their credit card information stored online with Amazon (and other e-tailers), to facilitate things like one-click shopping. Because lots of people have their credit card information stored online with Amazon (and other e-tailers), to facilitate things like one-click shopping.

]]> By: Tracy_Flick http://boingboing.net/2012/12/26/once-your-pc-is-hacked-your-e.html#comment-1615634 Tracy_Flick Thu, 27 Dec 2012 01:18:00 +0000 http://boingboing.net/?p=202853#comment-1615634 I have a stupid question. Why is a username and password without credit card info attached valuable? Why would anyone care that I'm catlady123 at Amazon, and my password is 1stinkyhouse!, if they can't use that to order anything? I have a stupid question. Why is a username and password without credit card info attached valuable? Why would anyone care that I’m catlady123 at Amazon, and my password is 1stinkyhouse!, if they can’t use that to order anything?

]]> By: angusm http://boingboing.net/2012/12/26/once-your-pc-is-hacked-your-e.html#comment-1615602 angusm Wed, 26 Dec 2012 23:10:00 +0000 http://boingboing.net/?p=202853#comment-1615602 It does say <strong>working</strong> accounts, so presumably they have some way to verify that the username/password combination works before they list it for sale. If you did have some way to feed the bad guys fake user/pass combos, you might set things up so that the password gets set to a new random password every 2-3 days, increasing the chances of it going 'bad' between the time it's tested and the time of sale. The bad guys could work around that pretty easily, though ("New passwords, guaranteed less than six hours old"). A possible approach might be for retailers to release 'tripwire' accounts: a given username/password combo would appear to work, but any time that it was used, no goods would be shipped and the attacker's details would be captured. Any other transactions originating from the same IP (or with the same browser fingerprint) would be flagged for review. Again, the bad guys could get around this by using botnets or Tor routers. This particular arms race is very hard to win. It does say working accounts, so presumably they have some way to verify that the username/password combination works before they list it for sale.

If you did have some way to feed the bad guys fake user/pass combos, you might set things up so that the password gets set to a new random password every 2-3 days, increasing the chances of it going ‘bad’ between the time it’s tested and the time of sale. The bad guys could work around that pretty easily, though (“New passwords, guaranteed less than six hours old”).

A possible approach might be for retailers to release ‘tripwire’ accounts: a given username/password combo would appear to work, but any time that it was used, no goods would be shipped and the attacker’s details would be captured. Any other transactions originating from the same IP (or with the same browser fingerprint) would be flagged for review. Again, the bad guys could get around this by using botnets or Tor routers.

This particular arms race is very hard to win.

]]> By: Eark_the_Bunny http://boingboing.net/2012/12/26/once-your-pc-is-hacked-your-e.html#comment-1615598 Eark_the_Bunny Wed, 26 Dec 2012 22:35:00 +0000 http://boingboing.net/?p=202853#comment-1615598 I am wondering if it would be possible to "hack" these SOB's back by spewing out thousands of false usernames and passwords.  Thus diluting the value of the information.  Maybe even get those turkeys in trouble with their customers for selling bad product.  Sort of like releasing sterilized male mosquitoes who mate with fertile females but their eggs never hatch. I am wondering if it would be possible to “hack” these SOB’s back by spewing out thousands of false usernames and passwords.  Thus diluting the value of the information.  Maybe even get those turkeys in trouble with their customers for selling bad product.  Sort of like releasing sterilized male mosquitoes who mate with fertile females but their eggs never hatch.

]]> By: oasisob1 http://boingboing.net/2012/12/26/once-your-pc-is-hacked-your-e.html#comment-1615578 oasisob1 Wed, 26 Dec 2012 21:37:00 +0000 http://boingboing.net/?p=202853#comment-1615578 I do, but since I don't have a credit card processor, you just have to send it to me, and trust that I will only spend $5 with it. I do, but since I don’t have a credit card processor, you just have to send it to me, and trust that I will only spend $5 with it.

]]> By: Finnagain http://boingboing.net/2012/12/26/once-your-pc-is-hacked-your-e.html#comment-1615577 Finnagain Wed, 26 Dec 2012 21:35:00 +0000 http://boingboing.net/?p=202853#comment-1615577  Do you take visa?  Do you take visa?

]]> By: Patrick Kelly http://boingboing.net/2012/12/26/once-your-pc-is-hacked-your-e.html#comment-1615573 Patrick Kelly Wed, 26 Dec 2012 21:31:00 +0000 http://boingboing.net/?p=202853#comment-1615573 I do not have the capacity to do this, but if someone would create it I would buy if. There should be a program were a person could enter all of their potential usernames and passwords and it does a search of the internet and tells you every e-commerce accounts (or any account for that matter) opened up by you at any time. That way you could go through and close accounts you forgot about and make sure you passwords are being updated to account for new advances  in password cracking software. Internet it is yours. Go forth, be fruitful and create. I do not have the capacity to do this, but if someone would create it I would buy if. There should be a program were a person could enter all of their potential usernames and passwords and it does a search of the internet and tells you every e-commerce accounts (or any account for that matter) opened up by you at any time. That way you could go through and close accounts you forgot about and make sure you passwords are being updated to account for new advances  in password cracking software. Internet it is yours. Go forth, be fruitful and create.

]]> By: oasisob1 http://boingboing.net/2012/12/26/once-your-pc-is-hacked-your-e.html#comment-1615574 oasisob1 Wed, 26 Dec 2012 21:31:00 +0000 http://boingboing.net/?p=202853#comment-1615574 Sure, for $5 I can tell you how to get ALL your passwords back in one shot. Sure, for $5 I can tell you how to get ALL your passwords back in one shot.

]]> By: Finnagain http://boingboing.net/2012/12/26/once-your-pc-is-hacked-your-e.html#comment-1615571 Finnagain Wed, 26 Dec 2012 21:28:00 +0000 http://boingboing.net/?p=202853#comment-1615571 Can I buy my passwords back? Can I buy my passwords back?

]]> By: tyger11 http://boingboing.net/2012/12/26/once-your-pc-is-hacked-your-e.html#comment-1615566 tyger11 Wed, 26 Dec 2012 21:17:00 +0000 http://boingboing.net/?p=202853#comment-1615566 It's capitalism, baby! It’s capitalism, baby!

]]> By: Funk Daddy http://boingboing.net/2012/12/26/once-your-pc-is-hacked-your-e.html#comment-1615558 Funk Daddy Wed, 26 Dec 2012 20:38:00 +0000 http://boingboing.net/?p=202853#comment-1615558 $2 !... I feel as a victim I am being under-valued by my assailant  $2 !…

I feel as a victim I am being under-valued by my assailant 

]]>