adding mail confirmations for withdraw will be solution
If the 'hacker' has access to the account, this means your email address could got compromised as well if he knows what your email address which is linked to the PD account is. The simplest solution to this is to force a 2FA for every account , this is the simplest yet the toughest thing to break for the hacker
yes if they hacked highly possible their mail got hacked too but at least they will see confirmation mail on their mail or they will see their mail password changed too so they wont doubt someone at pd staff got their coins
It would seem to me it would be very difficult to hack, considering the captcha on the login now, just noticed that.
I would suspect the user may have a keylogger type virus on their system, and not know it. While the keylogger would be relatively useless for things like a BTC wallet on your local machine, because they wouldnt have access to it, it would allow them to get into sites they log into.
When I ran my business years back, my staff abused the hell out of AIM and other chat application. Writing up didnt work. Installed a baracudda system, costing $8000, didnt stop them. So, one night, after consulting our lawyers of course-- and that it was ok to do so, we installed a paid for program to log specifically mouse movements, in what programs, what windows, and capture screenshots every 10 seconds.
Only for one reason, the abuse of employees not working and chatting literally all day was costing a fortune.
The program was incredibly stealth, it did not show up on the hard drive, it did not show up anywhere using any detection method as a running service. It was impossible to see.
The only way you could "get" into it, was to type your "keycode" into notepad, which was something obscure... like 4f8behe9e$$b6b4b
Then a window would appear. My point- it was undetectable. Even with Windows defender. MS Security Essentials. Etc.
It literally emailed out the data on a interval basis, over a vpn, so even if the user analyzed the traffic, it was encrypted first, then sent encrypted again over an obscure port via VPN.
That said: If a user has a keylogger on their computer. They could gain access to the users PD Account. Then they could find the deposit address.
With the deposit address, using Blockchain.info, set up a watch, with audio alarm- the second a deposit hits, pre-confirmation.
So they hear it, then wait for confirm. Login, and the moment it hits, withdraw.
I'm totally freaked out by keyloggers. For that reason, I sandbox nearly everything I run, and run VMs. My root system I keep highly protected.
There are so many viruses out there. Its insane.
Be safe guys, and be very careful what you install. As well as the websites you visit.
Cheers!
Strato
With this said, email confirmation will be useless as well if there is this undetectable keylogger. However putting 2FA on your phone up will be the most secure thing even if you got a keylogger on your computer. The only way to stop this from happening again is to force 2FA to all accounts which has made deposits before
I know this is a late follow up, but I'd just say this in regards to your comments on my post.
So the program I installed on our workstations at our firm, was a legitamate program, we paid for it, it had serials, etc. The install process was very specific. It required that the install be done in a certain way.
Myself not being a programmer, I have no idea how easy this would be to automate as some sort of virus that could emulate those steps, specifically UAC built into windows.
I will say, that after installed, the keylogger was 100% undetectable. Defender, MS Security Essentials, still do not detect it at all. The folder where logs are stored is invisible, so much so that even using special tools you can't see the folder. It's also encrypted, based on the "access code" you set when installing. No clue on what encryption method, but once you enter that code string into any window that accepts text, the console appears, and the folder is then visible.
If you go to the folder, it's all just garbage, not readable. You have to access the logs using the console.
It's legal in my jurisdiction in terms of running this on our company computers, and secondly, all employees sign in their employment agreements to expect no level of privacy using company systems and company communication systems.
We only went to this because of a real problem in our business where employees were simply wasting immense amounts of time and money playing rather than working. It was never used for the purpose to snoop or capture information. In fact, we really only accessed and used the screen shot function, to see what they were doing.
But the keylogging it offered was intense. Each key pressed, tied to what window, clipboard information, as well as mouse click points on the screen. Pair that with screenshots. A hacker could literally own you if they were to get a software application like this installed on a users system.
Cheers!
Strato
really feeling bad for it.
