Posts tagged ‘paypal’

The Hacker Factor Blog: We Know You’re A Dog

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

Usually when I read about “new” findings in computer security, they are things that I’ve known about for years. Car hacking, parasitic file attachments, and even changes in phishing and spamming. If you’re active in the computer security community, then most of the public announcements are probably not new to you. But Wired just reported on something that I had only learned about a few months ago.

I had previously mentioned that I was looking for alternate ways to ban users who violate the FotoForensics terms of service. Specifically, I’m looking at HTTP headers for clues to identify if the web client is using a proxy.

One of the things I discovered a few months ago was the “X-UIDH” header that some web clients send. As Wired and Web Policy mentioned, Verizon is adding this header to HTTP requests that go over their network and it can be used to track users.

Miswired

As is typical for Wired, they didn’t get all of the details correct.

  • Wired says that the strings are “about 50 letters, numbers, and characters”. I’ve only seen 56 and 60 character sequences. The data appears to be a base64-encoded binary set. If you base64 decode the sequence, then you’ll see that it begins with a text number, like “379612345” and it is null-terminated. I don’t know what this is, but it is unique per account. It could be the user’s account number. After that comes a bunch of binary data that I have not yet decoded.

  • Wired says that the string follows the user. This is a half-truth. If you change network addresses, then only the first part of the base64 X-UIDH value stays the same. The rest changes. If services only store the X-UIDH string, then they will not be tracking you. But if they decode the string and use the decoded number, then services can track you regardless of your Verizon-assigned network address.
  • Wired makes it sound like Verizon adds the header to most Verizon clients. However, it isn’t added by every Verizon service. I’ve only seen this on some Verizon Wireless networks. Users with FIOS or other Verizon services do not get exposed by this added header. And even people who use Verizon Wireless may not have it added, depending on their location. If your dynamically assigned hostname says “myvzw.com”, then you might be tagged. But if it isn’t, then you’re not.
  • The X-UIDH header is only added when the web request uses HTTP. I have not seen it added to any HTTPS headers. However, most web services use HTTP. And even services like eBay and Paypal load some images with HTTP even when you use HTTPS to connect to the service. So this information will be leaked.

The Wired article focused on how this can be used by advertisers. However, it can also be used by banks as part of a two-part authentication: something you know (your username and password) and something you are (your Verizon account number).

Personally, I’ve been planning to use it for a much more explicit purpose. I’ve mentioned that I am legally required to report people who upload child porn to my server. And while I am usually pro-privacy, I don’t mind reporting these people because there is a nearly one-to-one relationship between people who have child porn and people who abuse children. So… wouldn’t it be wonderful if I could also provide their Verizon account number along with my required report? (Let’s make it extremely easy for the police to make an arrest.)

Unique, and yet…

One other thing that Wired and other outlets failed to mention is that Verizon isn’t the only service that does this kind of tracking. Verizon adds in an “X-UIDH” header. But they are not alone. Two other examples are Vodafone and AT&T. Vodafone inserts an X-VF-ACR header and AT&T Mobility LLC (network AS20057) adds in an “x-acr” header. These headers can be used for the same type of user-specific tracking and identification.
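An added example (not from the original post): a Python sketch that audits requests received by a server you control for the carrier-inserted headers named above, and decodes X-UIDH to show why the raw string changes between network addresses while the leading number does not. The sample values are constructed from the layout the post describes (text digits, a NUL, then opaque bytes), and the function names are hypothetical.

```python
import base64
import binascii

# Header names the post attributes to carriers (HTTP header names are case-insensitive).
CARRIER_HEADERS = {
    "x-uidh": "Verizon Wireless",
    "x-vf-acr": "Vodafone",
    "x-acr": "AT&T Mobility",
}


def find_injected_headers(headers):
    """Return {header_name: carrier} for carrier-inserted tracking headers present."""
    found = {}
    for name in headers:
        carrier = CARRIER_HEADERS.get(name.strip().lower())
        if carrier:
            found[name] = carrier
    return found


def stable_prefix(uidh_value):
    """Decode an X-UIDH value and return its leading NUL-terminated text number.

    Returns None when the value is not valid base64 or does not start with
    ASCII digits followed by a NUL byte (the layout described in the post).
    """
    try:
        raw = base64.b64decode(uidh_value, validate=True)
    except (binascii.Error, ValueError):
        return None
    head, sep, _tail = raw.partition(b"\x00")
    if not sep or not head.isdigit():
        return None
    return head.decode("ascii")


def _constructed_uidh(tail):
    # Constructed sample: 10-byte prefix + 32 opaque bytes = 42 bytes = 56 base64 chars.
    return base64.b64encode(b"379612345\x00" + tail).decode("ascii")


# Constructed requests: same subscriber seen from two network addresses over
# HTTP, then a request with no injected header (as the post observed for HTTPS).
SAMPLE_REQUESTS = [
    {"Host": "example.test", "X-UIDH": _constructed_uidh(bytes(range(32)))},
    {"Host": "example.test", "X-UIDH": _constructed_uidh(bytes(range(32, 64)))},
    {"Host": "example.test"},
]


def audit(requests):
    """Summarise each request: carriers seen, raw X-UIDH, decoded stable prefix."""
    report = []
    for headers in requests:
        found = find_injected_headers(headers)
        uidh = next((headers[n] for n in found if n.lower() == "x-uidh"), None)
        report.append({
            "carriers": sorted(found.values()),
            "raw": uidh,
            "prefix": stable_prefix(uidh) if uidh else None,
        })
    return report


if __name__ == "__main__":
    for row in audit(SAMPLE_REQUESTS):
        print(row)
```

Comparing the `raw` and `prefix` columns shows the point made in the list above: a service that stores only the raw string sees two different values, while one that decodes it sees the same number both times.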

And it isn’t even service providers. If your web antivirus software performs real-time network scanning, then there’s a good chance that it is adding in unique headers that can be used to track you. I’ve even identified a few headers that are inserted by specific nation-states. If I see the presence of certain HTTP headers, then I immediately know the country of origin. (I’m not making this info public yet because I don’t want Syria to change the headers. Oops…)

Business as usual

For over a decade, it has been widely known in the security field that users can be tracked based on their HTTP headers. In fact, the EFF has an online test that determines how unique your HTTP header is. (The EFF also links to a paper on this topic.) According to them, my combination of operating system, time zone, web browser, and browser settings makes my system “unique among the 4,645,400 tested so far.” Adding in yet-another header doesn’t make me more unique.

When I drive my car, I am in public. People can see my car and they can see me. While I believe that the entire world isn’t watching me, I am still in public. My car’s make and model is certainly not unique, but the various scratches and dents are. When I drive to my favorite restaurant, they know it is me before I get out of the car. By the same means, my HTTP header is distinct. For some uses, it is even unique. When I visit my favorite web sites, they can identify me by my browser’s HTTP header.

Continuing with this analogy, my car has a license plate. Anyone around me can see it and it is unique. With the right software, someone can even identify “me” from my license plate. Repainting my car doesn’t change the license plate. These unique tracking IDs that are added by various ISPs are no different from a license plate. The entire world may not be able to see it, but anywhere you go, it goes with you and it is not private.

The entire argument that these IDs violate online privacy is flawed. You never had privacy to begin with. Moreover, these unique tags do not make you any more exposed or any more difficult to track. And just as you can take specific steps to reduce your traceability in public, you still have options to reduce your traceability online.

TorrentFreak: Mega Demands Apology Over “Defamatory” Cyberlocker Report

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

Yesterday the Digital Citizens Alliance released a new report that looks into the business models of “shadowy” file-storage sites.

Titled “Behind The Cyberlocker Door: A Report How Shadowy Cyberlockers Use Credit Card Companies to Make Millions,” the report attempts to detail the activities of some of the world’s most-visited hosting sites.

While it’s certainly an interesting read, the NetNames study provides a few surprises, not least the decision to include New Zealand-based cloud storage site Mega.co.nz. There can be no doubt that there are domains of dubious standing detailed in the report, but the inclusion of Mega stands out as especially odd.

Mega was without doubt the most-scrutinized file-hosting startup in history and as a result has had to comply fully with every detail of the law. And, unlike some of the other sites listed in the report, Mega isn’t hiding away behind shell companies and other obfuscation methods. It also complies fully with all takedown requests, to the point that it even took down its founder’s music, albeit following an erroneous request.

With these thoughts in mind, TorrentFreak alerted Mega to the report and asked how its inclusion amid the terminology used has been received at the company.

Grossly untrue and highly defamatory

“We consider the report grossly untrue and highly defamatory of Mega,” says Mega CEO Graham Gaylard.

“Mega is a privacy company that provides end-to-end encrypted cloud storage controlled by the customer. Mega totally refutes that it is a cyberlocker business as that term is defined and discussed in the report prepared by NetNames for the Digital Citizens Alliance.”

Gaylard also strongly refutes the implication in the report that as a “cyberlocker”, Mega is engaged in activities often associated with such sites.

“Mega is not a haven for piracy, does not distribute malware, and definitely does not engage in illegal activities,” Gaylard says. “Mega is running a legitimate business alongside other cloud storage providers in a highly competitive market.”

The Mega CEO told us that one of the perplexing things about the report is that none of the criteria set out by the report for “shadowy” sites is satisfied by Mega, yet the decision was still taken to include it.

Infringing content and best practices

One of the key issues is, of course, the existence of infringing content. All user-uploaded sites suffer from that problem, from YouTube to Facebook to Mega and thousands of sites in between. But, as Gaylard points out, it’s the way those sites handle the issue that counts.

“We are vigorous in complying with best practice legal take-down policies and do so very quickly. The reality though is that we receive a very low number of take-down requests because our aim is to have people use our services for privacy and security, not for sharing infringing content,” he explains.

“Mega acts very quickly to process any take-down requests in accordance with its Terms of Service and consistent with the requirements of the USA Digital Millennium Copyright Act (DMCA) process, the European Union Directive 2000/31/EC and New Zealand’s Copyright Act process. Mega operates with a very low rate of take-down requests; less than 0.1% of all files Mega stores.”

Affiliate schemes that encourage piracy

One of the other “rogue site” characteristics as outlined in the report is the existence of affiliate schemes designed to incentivize the uploading and sharing of infringing content. In respect of Mega, Gaylard rejects that assertion entirely.

“Mega’s affiliate program does not reward uploaders. There is no revenue sharing or credit for downloads or Pro purchases made by downloaders. The affiliate code cannot be embedded in a download link. It is designed to reward genuine referrers and the developers of apps who make our cloud storage platform more attractive,” he notes.

The PayPal factor

As detailed in many earlier reports (1,2,3), over the past few years PayPal has worked hard to seriously cut down on the business it conducts with companies in the file-sharing space.

Companies, Mega included, now have to obtain pre-approval from the payment processor in order to use its services. The suggestion in the report is that large “shadowy” sites aren’t able to use PayPal due to its strict acceptance criteria. Mega, however, has a good relationship with PayPal.

“Mega has been accepted by PayPal because we were able to show that we are a legitimate cloud storage site. Mega has a productive and respected relationship with PayPal, demonstrating the validity of Mega’s business,” Gaylard says.

Public apology and retraction – or else

Gaylard says that these are just some of the points that Mega finds unacceptable in the report. The CEO adds that at no point was the company contacted by NetNames or Digital Citizens Alliance for its input.

“It is unacceptable and disappointing that supposedly reputable organizations such as Digital Citizens and NetNames should see fit to attack Mega when it provides the user end to end encryption, security and privacy. They should be promoting efforts to make the Internet a safer and more trusted place. Protecting people’s privacy. That is Mega’s mission,” Gaylard says.

“We are requesting that Digital Citizens Alliance withdraw Mega from that report entirely and issue a public apology. If they do not then we will take further action,” he concludes.

TorrentFreak asked NetNames to comment on Mega’s displeasure and asked the company if it stands by its assertion that Mega is a “shadowy” cyberlocker. We received a response (although not directly to our questions) from David Price, NetNames’ head of piracy analysis.

“The NetNames report into cyberlocker operation is based on information taken from the websites of the thirty cyberlockers used for the research and our own investigation of this area, based on more than a decade of experience producing respected analysis exploring digital piracy and online distribution,” Price said.

That doesn’t sound like a retraction or an apology, so this developing dispute may have a way to go.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

TorrentFreak: U.S. Government Wants Kim Dotcom’s Cash and Cars

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Acting on a lead from the entertainment industry, the U.S. Government shut down Megaupload in early 2012.

Since then the case hasn’t progressed much. Kim Dotcom’s extradition hearing has been delayed until 2015 and most of the recent court proceedings dealt with how the seized assets should be handled.

Dotcom tried to regain his possessions but this effort failed last month. Meanwhile, both the MPAA and RIAA have protected their claims on the Megaupload millions, and now the U.S. Government has joined in as well.

In a complaint submitted at a federal court in Virginia the Department of Justice asks for a forfeiture of the bank accounts, cars and other seized possessions, claiming they were obtained through copyright and money laundering crimes.

The filing starts with a brief summary of the indictment that was brought against Dotcom and his colleagues. According to the Government, Megaupload was a criminal organization set up to profit from copyright infringement.

“The members of the Mega Conspiracy described themselves as ‘modern day pirates’ and virtually every aspect of the Mega Sites was carefully designed to encourage and facilitate wide-scale copyright infringement,” the U.S. attorney writes.

The Government wants the seized properties to be handed over to the authorities, and claims it’s permitted under U.S. law. This includes the bank account that was used by Megaupload for PayPal payouts.

The account, described as “DBS 0320,” had a balance of roughly $4.7 million (36 million Hong Kong Dollars) at the time of the seizure, but processed more than $160 million over the years.

“Records indicate that from August 2007 through January 2012 there were 1,403 deposits into the DBS 0320 account totaling HKD 1,260,508,432.01 from a PayPal account. These funds represent proceeds of crime and property involved in money laundering as more fully set out herein,” the complaint reads.

One of Megaupload’s bank accounts

More than a dozen bank accounts are listed in total, including some of the property they were used to buy.

The list of assets further includes several luxury cars, such as a 2011 Mercedes-Benz G55 AMG with a “Wow” license plate, TVs including a 108″ Sharp LCD TV and artwork in the form of Olaf Mueller photographs.

The Government claims that the possessions can be forfeited since they were obtained through criminal copyright infringement and money laundering, but Megaupload’s lawyer Ira Rothken disagrees.

“Kim Dotcom and Megaupload will vigorously oppose the US Department of Justice’s civil forfeiture action,” Rothken tells TF.

“The DOJ’s efforts to use lopsided procedures over substance to destroy a cloud storage company is both offensive to the rights of Megaupload and to the rights of millions of consumers worldwide who stored personal data with the service,” he adds.

According to Rothken the U.S. ignores several crucial issues, including the Sony Doctrine and the fact that criminal secondary copyright infringement no longer exists.

“The DOJ’s forfeiture complaint ignores the US Supreme Court’s protection called the Sony Doctrine provided to dual use technologies like cloud storage, ignores substantial non infringing uses of such cloud storage including by DOJ users themselves, and ignores the fact that Congress removed criminal secondary copyright infringement from the copyright statute in 1976,” Rothken says.

Which side the District Court judge will agree with has yet to be seen, but with so many parties claiming their cut of the Megaupload assets it’s certainly not getting easier for Dotcom to reclaim his property.

To be continued.


TorrentFreak: Uptobox Bans Americans After Visa and MasterCard Pressure

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

After failed attempts to introduce tougher anti-piracy legislation in the United States, Hollywood and the major record labels focused their efforts on strangling revenue of so-called rogue sites.

Payment services are among the key intermediaries and the entertainment industries previously helped negotiate an anti-piracy agreement between VISA, MasterCard, PayPal, PaySafeCard and several other key players.

As a result several major file-hosting services have had trouble accepting payments from their users. The popular cyberlocker Uptobox is among the latest casualties of this effort, TorrentFreak has learned.

“Our payment processors have received a notification from Visa and MasterCard telling them to stop accepting credit card payments for our service, subject to penalties,” Uptobox operator Guillaume informs us.

“These measures are the result of pressure from movie studios on Visa and Mastercard,” he adds.

Uptobox is currently still able to accept credit card payments through a reseller, but decided to cut all ties with the United States to prevent the situation from deteriorating further.

This means that U.S. visitors are no longer allowed to access the site. Instead they receive the following notice. “Sorry, Uptobox.com is not available in your country.”

Uptobox block


Uptobox will consider lifting the ban if a European payment provider is willing to directly accept credit card payments for them. However, considering Visa and MasterCard’s tight grip on the situation this may prove to be difficult.

According to Guillaume, MasterCard previously complained to payment processors Hipay and Allopass as well, following a request from Disney. In addition, PayPal has rejected Uptobox’s requests to become an authorized file-hosting service.

According to statistics released last year more than 1,500 “pirate” merchants were cut off from payment providers between 2011 and 2013, and this list continues to expand week after week.

Despite the setbacks Uptobox is determined to keep its business going. The cyberlocker is currently exploring several alternative payment methods including Bitcoin.

“Processing payments for our users is hard right now, but we are sure we will find a suitable payment processor. We’re also considering to support Bitcoin and other payment methods such as SMS,” Guillaume tells us.

“For now, the service is not in danger, we still have a bright future ahead of us,” the Uptobox operator concludes.


TorrentFreak: CashU Payment Method Starts Banning VPN Services

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Payment services are increasingly taking action against VPN providers, and as of today CashU can be added to the list.

CashU is a popular payment service in the Middle East and North Africa, where it’s the leading alternative to credit cards. Thousands of merchants accept CashU payments including many VPN providers who are quite popular in the region.

As of recently, however, CashU has stopped connecting new VPN providers to its payment service. The company sees it as a problem that VPN services allow users to browse the Internet anonymously and uncensored, as this could potentially be abused.

VPN provider TorGuard was informed about the new policy after their application was turned down.

“Please note that since VPN Services can support anonymity when being misused, CASHU, as a financial institution, is prohibited from supporting such services as it is going through a transitional stage. Therefore, kindly note that we cannot accept your merchant account registration,” a CashU representative wrote.

The response from CashU suggests that an external party is prohibiting the company from accepting VPN services. It’s unclear who is behind this but TorGuard CEO Ben Van Pelt believes it may be the result of censorship forces in the region.

“Privacy online is a basic human right and fundamental building block of any free, democratic society. Unfortunately, CashU’s Middle Eastern underwriting banks are not located in such a place. Censorship laws enforced by the United Arab Emirate’s Telecom Regulatory Authority borderline on draconian as they decide what content is or is not acceptable,” Van Pelt tells TorrentFreak.

“It seems that this new anti VPN ‘transitional stage’ for CashU is part of a larger issue of increased government censorship and regulation in the region,” he adds.

It’s worth noting that CashU still accepts payments for VPN providers who have signed up previously. It will be interesting to see whether these merchants can keep their accounts or if they will be disconnected in the future.

For TorGuard this isn’t the only payment method they’re having problems with. The company was also rejected by Alipay, a Chinese based payment solution that is popular among VPN users in Asia. TorGuard is still waiting for an official reply as to why this application was turned down.

In recent years it has become harder and harder for VPN services to get a wide range of payment options. Previously Paysafecard stopped accepting anonymity services and Visa, MasterCard and Paypal have also caused trouble for some anonymity providers.


Darknet - The Darkside: eBay Hacked – 128 Million Users To Reset Passwords

This post was syndicated from: Darknet - The Darkside and was written by: Darknet. Original post: at Darknet - The Darkside

The big news this week is that the massive online auction site eBay has been hacked. The compromise appears to have taken place a few months ago, around February/March, but has only come to light recently when employee login credentials were used. This is 3 times bigger than the massive 42 Million passwords leaked by Cupid [...]

The post eBay Hacked…

Read the full post at darknet.org.uk