Fortune Affiliates Warning

inspiration

Affiliate Guard Dog Member
Joined
Feb 20, 2009
Messages
1,007
Reaction score
185
Just a heads up that my affiliate account was hacked and the hacker added a secondary account (which is a basic option at FA) and stole my commissions.

You will hardly notice this, as your password remains the same; the only thing he changes is the Neteller / Moneybookers account to his.
 

AussieDave

24 years & still going!
Joined
Nov 28, 2013
Messages
4,984
Reaction score
3,525
Given the number of affiliate accounts hacked these days, it's about time all affiliate programs implemented additional security functions, e.g. secret questions or a PIN. Even so far as not being able to change payment details. To do so you have to request your AM to change this data.
 

inspiration

Affiliate Guard Dog Member
Joined
Feb 20, 2009
Messages
1,007
Reaction score
185
I would like to add that the situation has been resolved, the account is now secure and the AM will help to retrieve the stolen money.
Will keep you updated.
 

Vladi

Affiliate Guard Dog Member
Joined
Feb 4, 2008
Messages
772
Reaction score
115
This is what happens when they restrict you to a 10 character password which they did for many years. The majority of affiliate accounts there would have short, weak passwords, and many would be crackable within minutes if a hacker got hold of a database dump. I see that they have changed their systems to allow longer passwords now, so everyone should go pick a longer one.
 

AussieDave

24 years & still going!
Joined
Nov 28, 2013
Messages
4,984
Reaction score
3,525
This is what happens when they restrict you to a 10 character password

Not so much now, but it isn't just the character limit per se but the type of characters accepted.
A password like this: !z[1Y^v*Q9 (is 10 characters - doubt it could be hacked from a db dump).

Whereas this: zYsbG3dE9 may be hacked. However, generally it's weak passwords. Dictionary db dumps will, and usually do, hit pay-dirt on p/w like someone's dog's name etc.

What would make more sense is if aff programs set login limits and delays. Each time a wrong p/w was entered after 3 unsuccessful tries, it would lock up for 5 min. Any further attempts would increase each next attempt by 30 min. So three wrong guesses equals a 30 minute wait time between tries.

Would totally screw brute force logins or anyone who wasn't the legit account holder.

Or better yet, if after 3 failed attempts to gain access, the account is locked down.
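
A sketch of the escalating lockout proposed in the post above, added here as an example and not part of the original thread. The class, function and account names are hypothetical, and the timings follow one reading of the post: three free tries, a 5-minute lock on the third wrong guess, and 30 more minutes for each wrong guess after that.

```python
from dataclasses import dataclass

FREE_TRIES = 3          # wrong guesses allowed before any delay (assumed reading)
FIRST_LOCK = 5 * 60     # seconds locked after the 3rd wrong guess
EXTRA_LOCK = 30 * 60    # seconds added for each wrong guess after that


@dataclass
class _State:
    failures: int = 0
    locked_until: float = 0.0


class LoginThrottle:
    """Per-account failed-login throttle, kept in memory for the example."""

    def __init__(self):
        self._accounts = {}

    def retry_after(self, account, now):
        """Seconds the caller must still wait; 0 if an attempt is allowed."""
        state = self._accounts.get(account)
        return max(0.0, state.locked_until - now) if state else 0.0

    def attempt(self, account, password_ok, now):
        """Record one login attempt; returns 'ok', 'denied' or 'locked'."""
        state = self._accounts.setdefault(account, _State())
        if now < state.locked_until:
            # During a lock the password result is ignored, so guesses made
            # while locked teach the guesser nothing, even a correct one.
            return "locked"
        if password_ok:
            self._accounts.pop(account, None)   # success resets the counter
            return "ok"
        state.failures += 1
        if state.failures >= FREE_TRIES:
            extra = state.failures - FREE_TRIES
            state.locked_until = now + FIRST_LOCK + extra * EXTRA_LOCK
        return "denied"


def simulate(guesses_wanted):
    """Seconds an online guesser needs to submit that many wrong passwords."""
    throttle, now = LoginThrottle(), 0.0
    for _ in range(guesses_wanted):
        now += throttle.retry_after("aff-1001", now)   # wait out any lock
        throttle.attempt("aff-1001", False, now)       # constructed account id
    return now
```

A throttle keyed on the account name also lets anyone lock the legitimate holder out by entering wrong passwords on purpose, and it has no effect on guessing done offline against a copied database.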
 

CygX1

Affiliate Guard Dog Member
Joined
Oct 15, 2011
Messages
619
Reaction score
127
Did anyone ever bother reporting these crooks to authorities if their contact details/ IP/ payment details etc. are known? I would not let them go easily if this happened to me.
 

slotplayer

Affiliate Guard Dog Member
Joined
Aug 8, 2008
Messages
1,844
Reaction score
307
I got hit in 2008 by a guy from Vietnam. I contacted all the programs I promoted back then and questioned their security measures. Rival was the worst. CR had the best but most of them didn't seem too concerned.
 

bonustreak

Administrator
Staff member
Joined
Dec 15, 2006
Messages
7,430
Reaction score
992
When we got hit it was bad. Since then we have had really long passwords that are generated by a machine; it is a pain in the ass but necessary. I said back then and I say again: these affiliate programs need more security! If an affiliate changes payment methods & wire to a completely different name, you need to make a call to the affiliate! That is how we were told about this man. I even found him on Facebook back then and messaged him he was GOING DOWN! Mess with my money and you're in for it! I dug and had friends in other countries dig for me; we found the bank he uses, and my friend who is in the banking industry called the Singapore (where he routes money) bank manager and the account was closed. I am sure he is all set up with new banks now... I wanted to fly to choke his ass out personally; it is a terrible feeling to have your earnings taken from you!

We never could figure out how the hell he is getting passwords...
 

CygX1

Affiliate Guard Dog Member
Joined
Oct 15, 2011
Messages
619
Reaction score
127
I figure many programs can be easily hacked through brute force as affiliate accounts are not automatically locked when a wrong password is entered too many times. If this simple security measure was changed I am quite sure these hackers would not be much of an issue anymore.
 

Vladi

Affiliate Guard Dog Member
Joined
Feb 4, 2008
Messages
772
Reaction score
115
Yeah I have little confidence in the security of most affiliate programs. Never mind being hacked via the internet, think about how often your account details get traded to other programs or stolen when an account manager moves to a new one. You don't even know if they are encrypting your password in their databases or whether the affiliate manager can see your password. If an attacker gets hold of a copy of the full database then they have as long as they want to crack the passwords, there is no 3 attempt limit. That is why you need a super long and random one that is different on every single site instead of a mickey mouse 10 character one with names or words from the dictionary in it.
 

slotplayer

Affiliate Guard Dog Member
Joined
Aug 8, 2008
Messages
1,844
Reaction score
307
I lucked out as I never actually lost any money, the first program replaced the money and the second I caught just as the AM was finishing up adding the payment details to the worksheet that got submitted payments. It was that close, glad he read my "urgent" email.
 

TheGooner

Affiliate Guard Dog Member
Joined
Dec 31, 2013
Messages
607
Reaction score
570
Or better yet, if after 3 failed attempts to gain access, the account is locked down.
This is standard financial account practice - any site not doing this to protect account details and potential money transactions is outside accepted guidelines and probably legally culpable in most western jurisdictions (if the case went to court).

UPDATE EDIT :
Well it's the standard for financial institutions and banking site guidelines anyway - of course most affiliate programs do not belong to an industry association and have licenses with zero controls or enforcement ... so my statement does not really hold.

It's just unbelievably bad practice to allow bulk password retries - even forums have limits before lockout.
 

3joker

Affiliate Guard Dog Member
Joined
Mar 1, 2014
Messages
233
Reaction score
51
Thanks for the heads up, hope affiliate programs take note.
 