OnePlus Credit Card Hack

As all of you might have read, One Plus, makers of a line of mobile devices, has been compromised. Hackers apparently made off with 40,000 or more customer accounts to include credit card data, login data and personal data.

A few questions and thoughts on this... Why was your personal data not encrypted? Encryption in today's tech society is free and given the level of technology, the know how of Web Security and Counter Security, encryption should be automatic. Encrypting a database, ensures that even if a database full of your personal identifying details is stolen or compromised, the data remains useless. BUT let's say that the database WAS encrypted as any company whom maintains personal payment data is normally required by law then this hack was much worse than simply fooling a website into revealing weaknesses in programming to grant you access. This would mean that a thief acquired either physical access to the machine or acquired access at such a level they had free range to tour the entire directory of the machine to find the hidden encryption keys. So now we have a security problem where a company is lazy with their security and stingy.

Lets go with this idea though. What if the credit card data is not the target? Given common known behaviors in today's internet users, what if the thieves actually had a list of your user data required to log into your Coin Exchanges and Coin trading platforms? Not only could they log in, in cases where lazy users, continue to use the same credentials across every aspect of their internet lives, but now the thieves could potentially acquire your identity and lock you out. In talking with most people I find that when they hear Yahoo got hacked, Citibank or any other huge data hoarder, I hear them think about all of the emails that these hackers must want. Often what really happens is the list of data is compiled and organized and then sold on the Dark Net. Another hacker will buy this list and then say, go over to Gatehub and test the user data against the login page to see which accounts get a hit. Once an email is verified to exist, then they can try the password. A list of 1 million user data, may turn up 30 accounts or more in some cases, but how much money is in those accounts? What other accounts in the world does this same user data work on?

If you are a customer of One Plus then get on over to your Coin Exchange or wherever you are storing your gat and change those passwords and 2FA.

Here is how you must be managing your security so to combat these keyboard clowns:

  1. Never use the same Username or Password Twice.
  2. Never answer any security question with the the truth. Often a hacker can just go look on your Facebook account for the answers. Treat the security questions as passwords. Enter answers that are in-decipherable or at least mix them up. It is best just to use another password format of 12 characters or better as an answer.
  3. For your Coin accounts, I recommend using an email that is only for those accounts.
  4. Adopt your own rotational password policy. Every X number of days like 60-90, change your passwords. When your passwords are of good format and 12 characters or better (17+) then if a thief has your username and is only trying to get the password and is using computers to literally test every single possibility, it will take at least that long to get anywhere. Changing your passwords around, will destroy any progress the hacker has made in any brute-force attempt.

These techniques are quite simple and should be know parts of everyday life now. Our problems are that we have no idea how our online service providers are securing our data. Let me give you a recent example.... the company of one of my customers commissioned a firm to build a new Ecommerce website for them. Sites this large can range $100,000 or more. It was found out that the company stores User Password data as MD5 hashes only, at least in this project. My guess is that if in this project then every project. So now we have an entire firm of clowns charging you for websites that are already broken on the first day. If they are lazy with that simple requirement, then what is the quality of their programming? How are the storing the credit card data?

So keep in mind, a hacker does not have to hack Gatehub or Bitstamp or whereever when the can go hack any other firm, email provider, online shop or porn site to get your user data their and go on over and test it by simply logging in.

To tell you how Blacksite Wallet combats this and provides you security:

  1. I refuse to use only the industry accepted standards. Obviously that is not really working out for most. I require you to use a password which I have issued to you. This password is of acceptable quality to secure you and guarantees that you have not used it anywhere else.
  2. You can not use your publicly known email to log in. You email is using in your Social Media accounts, printed on your business cards and tweeted across the universe. Why would I allow the hackers to already have half of the log in credentials to your accounts?
  3. You are required to change your password every X number of days.
  4. Our entire database is encrypted. Every single piece of data is encrypted. This means that any hacker will be required to get physical access or extreme root access to acquire the encryption key to decode your data.
  5. This number one method to secure your personal data from being hacked out of a system is to make sure it is not even there.

There are many other outstanding little magic tricks that we use to secure your wallets. The number one magic trick of them ALL is, your wallets are not even connected to the internet. Even if our databases are compromised and a thief logs into your account, they can not transfer any coins out. This means that a thief will require physical access to our machines to get to your wallet and even then, of course those machines are secured themselves. Since our login credentials can not be accidentally used across any other website, unless you do it to yourself on purpose stealing this data will not grant them access to any other of your accounts. Yes I know this makes things inconvenient for you and even makes our processes slow, but if you want convenience, walk your butt down to the next little Slushy Mart and get yourself a drink. If you want to pay me for going through extremes to make sure that your wallets are properly and even excessively secured, then come on over :) I am happy to have you as a member.

credit card # one plus # hack # password # username #
Share Post: