
Topic: How I believe Cryptostocks.com accounts are being hacked (Read 660 times)

newbie
Activity: 6
Merit: 0
How do you suppose it was hacked?  Did the criminal just guess your password on Cryptostocks.com?  Did you share an account with someone else?  You did state that you did not have 2FA on the account.

Check out this web site: https://howsecureismypassword.net/   Enter the password you had on the account at the time and see how secure it was or wasn't.

Danny
420
hero member
Activity: 756
Merit: 500
WTF

My account was hacked and funds stolen. My email was NOT compromised.

no 2FA
newbie
Activity: 6
Merit: 0
I am an investor on Cryptostocks.com.  I do not have a listing there nor do I intend to start one; however, I do have several BTC invested in several stocks. Over the last couple months I have read multiple "ANNOUNCEMENTS" concerning accounts being compromised and prices of stocks manipulated and funds stolen.  

The basic situation is that someone compromises an issuer's email account and then, once they have access to that account, requests a password reset on Cryptostocks.com.  The reset link is sent to the email address and now the criminal has access to anything and everything related to the fund account.  The claim made by the fund issuer is that there is a serious security flaw in Cryptostocks.com's system.  I beg to differ. While there is a problem with the way Cryptostocks.com sets up accounts, it is easily overcome with some very basic security precautions.

In order for a "hacker" to compromise a system, all they need is a username and password. Unfortunately, the first part is easy to discern about any issuer of stock on the site.  Cryptostocks requires an email address on each listing.  That is a good requirement (for investors to be able to contact the issuer), except that they require the email address to be on the domain of the issuer's web site, which is also required.  If I start ABCMiningCo and want to issue on CS, I have to set up ABCMiningCo.com (or org or io or whatever) and then have an address @ABCMiningCo.com.  I've just given a prospective thief a username for my email.

Next step is to use a brute force attack (http://en.wikipedia.org/wiki/Brute-force_attack) on the email account.  This is the weakness in the system. The very same GPUs we use for mining are exceptionally good at this type of hack.  Looking at the domains created by most companies on CS, they are leasing hosting on someone else's server (for example, GoDaddy.com).  The mail feature on most of these domains does not lock out accounts that have multiple failed attempts, so my brute force software can take its sweet time trying every single combination of keys that the software will use (whether dictionary or simply going through every combination of keys).

The first security issue is the password itself. I believe this is the biggest threat in this system.  The fix is to have longer passwords that include upper and lowercase letters, numbers, and symbols.  If you use all three types you have 255 possible characters for each character in your password.  This makes the chance of guessing each character correctly 1 in 255 for each character.  If you have an 8 character password that's 255^35th power (1.6939723419747636865968422807304e+84), which seems like a lot, but a desktop computer can figure that out in 275 days, and that's if it's not using an R9290 GPU to do the processing; then the time comes down to weeks instead of months.

Check this out: any standard Windows password in 6 hours. http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/  I imagine a professional criminal organization or government that has an interest in stealing or destabilizing a cryptocurrency would have the resources to acquire a device that can hack passwords in short order.

Make your passwords 16 characters.  Use four four-letter words that together have no meaning (not a sentence).  Use symbols and numbers and upper and lowercase letters.  For example:

L0ngL3g5H()53hot!  (Long Legs Hose Hot!) would take 931 trillion years for a desktop computer to hack. The aforementioned super password hacking computer listed above would still take 83,885,760,000 years to hack this password (the formula is to convert the 931 trillion years to seconds and then divide by the 350 billion guesses per second the hacking computer is capable of doing).  This is far longer than a hacker is going to work on your account before moving on to easier prey.

The second security issue is the lack of a lock out feature on the leased domain's email server.  The fix for this weakness is to have email hosted by a service that will provide this feature (a redirect to the mail server can be configured in the domain set up).

Finally, a couple more things to consider. First, 2-factor authorization on your email account is an added layer of security. Even if the account password is cracked, a second password is now required.  Both the Google Authenticator and YubiCo Key offer one time passwords. Second, under no circumstances use the same password for your email account as you use for your financial instruments.  If you do, the thief doesn't even have to request a password reset first!

This is intended for issuers of stock but is also applicable to stock holders, since if the issuer's account gets compromised, the hacker now has your email address and has some idea of how invested in stocks you are.  Protect yourself!

Danny
1Kqn7t29wSsxhwvLyBEnKHRPX6mWPCatvW
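The post above argues two things: that the time to brute-force a password is its keyspace divided by the attacker's guess rate, and that a mail server without lockout lets an online attacker evaluate every one of those guesses. The script below is an added worked example, not code from the post or from Cryptostocks.com. It computes the keyspace and worst-case exhaustion time for the passwords the post mentions, using the 94 printable ASCII characters (26 + 26 + 10 + 32) as the alphabet rather than the post's 255, and the 350 billion guesses per second quoted for the GPU cluster in the linked article (the 1e9/s single-desktop rate is an assumed round figure). It then simulates one hour of online guessing against a mailbox with and without a five-failures, fifteen-minute lockout. The username `issuer@abcminingco.example` is a constructed placeholder.

```python
import string

# Guess rates: the cluster figure is the one the post quotes from the Ars Technica
# article; the desktop figure is an assumption for this example, not a measurement.
DESKTOP_GUESSES_PER_SEC = 1e9
CLUSTER_GUESSES_PER_SEC = 350e9
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Printable-ASCII classes an attacker must cover: 26 + 26 + 10 + 32 = 94.
CHARACTER_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)


def alphabet_size(password):
    """Smallest standard alphabet containing every character the password uses."""
    size = sum(len(cls) for cls in CHARACTER_CLASSES
               if any(c in cls for c in password))
    if size == 0:
        raise ValueError("password uses no printable ASCII class")
    return size


def keyspace(password):
    """Number of same-length candidates drawn from the same alphabet."""
    return alphabet_size(password) ** len(password)


def seconds_to_exhaust(password, guesses_per_sec):
    """Worst-case time to try the whole keyspace at a fixed guess rate."""
    return keyspace(password) / guesses_per_sec


def years_to_exhaust(password, guesses_per_sec):
    return seconds_to_exhaust(password, guesses_per_sec) / SECONDS_PER_YEAR


class LockoutPolicy:
    """The lockout the post says leased mail hosting usually lacks: after
    max_failures wrong passwords, refuse every attempt for lockout_ms
    milliseconds without even evaluating the submitted password."""

    def __init__(self, max_failures=5, lockout_ms=900_000):
        self.max_failures = max_failures
        self.lockout_ms = lockout_ms
        self._failures = {}      # username -> consecutive failures
        self._locked_until = {}  # username -> time (ms) the lock expires

    def attempt(self, username, password_ok, now_ms):
        if now_ms < self._locked_until.get(username, 0):
            return "locked"                 # refused, password never checked
        if password_ok:
            self._failures.pop(username, None)
            return "ok"
        failures = self._failures.get(username, 0) + 1
        if failures >= self.max_failures:
            self._locked_until[username] = now_ms + self.lockout_ms
            failures = 0
        self._failures[username] = failures
        return "wrong"                      # evaluated and rejected


def guesses_evaluated(policy, attacker_rate, duration_s):
    """How many of an online attacker's guesses (attacker_rate per second,
    which must divide 1000) are actually checked within duration_s seconds."""
    step_ms = 1000 // attacker_rate
    evaluated = 0
    for now_ms in range(0, duration_s * 1000, step_ms):
        # Constructed target mailbox; every guess is wrong in this simulation.
        if policy.attempt("issuer@abcminingco.example", False, now_ms) == "wrong":
            evaluated += 1
    return evaluated


if __name__ == "__main__":
    for pw in ("password", "P@ssw0rD", "L0ngL3g5H()53hot!"):
        print(f"{pw!r}: alphabet {alphabet_size(pw)}, keyspace {keyspace(pw):.3g}, "
              f"desktop {years_to_exhaust(pw, DESKTOP_GUESSES_PER_SEC):.3g} y, "
              f"cluster {years_to_exhaust(pw, CLUSTER_GUESSES_PER_SEC):.3g} y")
    # One hour of 100 guesses/s against a mailbox with no lockout (a threshold
    # that never triggers) and against one with 5 failures / 15 minutes.
    no_lockout = LockoutPolicy(max_failures=10**9)
    with_lockout = LockoutPolicy(max_failures=5, lockout_ms=900_000)
    print("evaluated without lockout:", guesses_evaluated(no_lockout, 100, 3600))
    print("evaluated with lockout:", guesses_evaluated(with_lockout, 100, 3600))
```

Two things the numbers show that the post's arithmetic does not: an 8-character password that uses all four classes (94^8, about 6e15 candidates) falls to the quoted cluster in under five hours, while the 17-character example in the post sits above 1e14 years at the same rate; and a 5-failure lockout cuts an hour of online guessing from 360,000 evaluated passwords to 20, which is why the post's second fix matters independently of password length.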
