Greenwood2
Member of DD Central
Posts: 4,385
Likes: 2,784
Post by Greenwood2 on Feb 10, 2020 17:21:04 GMT
I hope that it was just a fake "front end" engineered to grab user id and password. Anybody who signed in through the .eu website should realise that their e-mail and password have been compromised. How would the email be compromised? The email address (used to register the account) would be known, sure - but why compromised? Unless you're using the same password for multiple requirements. But no one does that, do they .... Probably means your email address could be on a list somewhere (on the dark web) and you may get targeted for scams.
Greenwood2
Member of DD Central
Posts: 4,385
Likes: 2,784
Post by Greenwood2 on Feb 10, 2020 17:26:01 GMT
I hope that it was just a fake "front end" engineered to grab user id and password. Anybody who signed in through the .eu website should realise that their e-mail and password have been compromised. But no harm can be done if the 2FA is still intact which unless I'm mistaken it will be. There was also a contact us if you have a problem, I guess they could arrange a problem (failed log in or 2FA) and try to get other details such as bank account details and 2FA details etc, to be able to rob your real account. I don't know how difficult it was to change Bank Accounts on Assetz (I bet it's pretty difficult as of now).
Post by brightspark on Feb 10, 2020 17:45:58 GMT
A spoof website does not have to look totally convincing. It only needs to fool a few or even one non-IT savvy person. I have been nagging AC for a while to change its way of communicating with investors. When e-mailing them it should always ask recipients to log in separately rather than asking them to log in from within a received e-mail, e.g. on voting or visiting new offerings. Yes this is only the first level of security protection further complemented by harder to crack IFA but once these spoofers have a foot through the door they are part way there.
iRobot
Member of DD Central
Posts: 1,680
Likes: 2,477
Post by iRobot on Feb 10, 2020 19:30:06 GMT
But no harm can be done if the 2FA is still intact which unless I'm mistaken it will be. 2FA is designed to protect the user's identity to prevent someone else getting into the real website. It would require clever coding but it doesn't protect here if as you log in to the .eu website, it logs into the real website, pretending to be you, gets asked for the 2FA (from the real site), prompts you for the answer, you provide it, it relays that answer to the real site which then permits access to your real account to the program running on the .eu site. Interesting concept. Wonder if AC check for multiple account access from the same IP address (range) and/or use IP blacklists - and I'm thinking multiple in terms of more than the low single digits that may be found in households with partners both having standard and IFISA accounts. (Something of a rhetorical question - wouldn't expect chris to let on what AC's defences included)
Post by chris on Feb 10, 2020 19:44:47 GMT
2FA is designed to protect the user's identity to prevent someone else getting into the real website. It would require clever coding but it doesn't protect here if as you log in to the .eu website, it logs into the real website, pretending to be you, gets asked for the 2FA (from the real site), prompts you for the answer, you provide it, it relays that answer to the real site which then permits access to your real account to the program running on the .eu site. Interesting concept. Wonder if AC check for multiple account access from the same IP address (range) and/or use IP blacklists - and I'm thinking multiple in terms of more than the low single digits that may be found in households with partners both having standard and IFISA accounts. (Something of a rhetorical question - wouldn't expect chris to let on what AC's defences included) We've looked at it in the past but ran into enough theoretical problems with people on holiday or preferring to connect via anonymising VPNs that we never built it in. We may include it as a lender option in the future though. Off the top of my head I'm also not 100% sure whether or not the 2FA passthrough would work full stop, because of how data is passed behind the scenes, but it does feel plausible even if it would be far more sophisticated than this current clone. I'll run it past the team as a thought experiment, see if we can code a website that bypasses our own security in that way. We do ID check designated bank accounts too, amongst other layers of protection, so there are other protections in place that they'd need to somehow work around. As ever please all be vigilant, make sure the URL you are connecting to is the one you intended, etc.
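The "many accounts from one IP range" check iRobot asks about and chris says AC considered, written out as an added illustration (not AC's code or anything from this thread): it groups successful logins by /24, slides a time window over them, and flags ranges that exceed a household-sized number of distinct accounts. The log format, the 10-minute window and the limit of 4 accounts are assumptions; chris's caveat about travellers and VPN users is exactly why this only reports, rather than blocks.

```python
"""Added example, not AC's implementation: flag IP ranges that log into
more distinct accounts in a short window than a household plausibly would."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample log: "<ISO timestamp> <client IP> <account id> <result>"
SAMPLE_LOG = """\
2020-02-10T17:00:01 203.0.113.10 acct1001 ok
2020-02-10T17:00:05 203.0.113.10 acct1002 ok
2020-02-10T17:01:12 203.0.113.11 acct1003 ok
2020-02-10T17:01:40 203.0.113.12 acct1004 ok
2020-02-10T17:02:03 203.0.113.13 acct1005 ok
2020-02-10T17:02:30 203.0.113.14 acct1006 ok
2020-02-10T17:03:00 203.0.113.15 acct1007 ok
2020-02-10T17:05:00 198.51.100.7 acct2001 ok
2020-02-10T17:06:00 198.51.100.7 acct2002 ok
2020-02-10T19:00:00 203.0.113.20 acct1008 ok
"""

HOUSEHOLD_LIMIT = 4        # assumption: two partners, standard + IFISA each
WINDOW = timedelta(minutes=10)  # assumption: "same session" horizon

def parse_line(line):
    ts, ip, account, result = line.split()
    return datetime.fromisoformat(ts), ipaddress.ip_address(ip), account, result

def flag_shared_ranges(log_text, limit=HOUSEHOLD_LIMIT, window=WINDOW, prefix=24):
    """Return {network: set(accounts)} for /prefix ranges where the number of
    distinct accounts logged in within any `window` exceeds `limit`."""
    by_net = defaultdict(list)
    for line in log_text.splitlines():
        ts, ip, account, result = parse_line(line)
        if result != "ok":          # only completed logins count here
            continue
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        by_net[net].append((ts, account))
    flagged = {}
    for net, events in by_net.items():
        events.sort()               # sliding window needs time order
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:
                start += 1          # drop events older than the window
            accounts = {a for _, a in events[start:end + 1]}
            if len(accounts) > limit:
                flagged[str(net)] = flagged.get(str(net), set()) | accounts
    return flagged
```

In the constructed log the 203.0.113.0/24 range reaches seven accounts in three minutes and is reported, while the two-account range and the lone login two hours later are not.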
MT
P2P Blogger
Posts: 10
Likes: 7
Post by MT on Feb 10, 2020 21:25:16 GMT
AC's opportunity to clean out our accounts and blame it on the clone.
Part of an IT department's due diligence is to buy up all similar domain names and park them.
AC's incompetence shines through, with every error.
I read this and at first felt that this comment was a bit unfair given there are so many domain extensions now. However, this was before I noticed that Assetz Capital has failed to register the dot UK version of their domain name. Whilst investors are unlikely to be fooled by a dot eu domain name, I imagine many would be fooled by a dot UK domain name. chris - suggest you arrange for this name to be registered before it falls into the wrong hands.
Post by dan1 on Feb 11, 2020 0:56:19 GMT
lobster
Member of DD Central
Posts: 636
Likes: 467
Post by lobster on Feb 11, 2020 7:36:12 GMT
How would anyone stumble onto the .eu site in the first place? I'm assuming that the vast majority of users have a "favourites" link to AC, which will obviously access the correct .co.uk website?
Greenwood2
Member of DD Central
Posts: 4,385
Likes: 2,784
Post by Greenwood2 on Feb 11, 2020 7:52:34 GMT
How would anyone stumble onto the .eu site in the first place? I'm assuming that the vast majority of users have a "favourites" link to AC, which will obviously access the correct .co.uk website? There were apparently links on social media. They may also have been mainly hoping for new sign ups who might have been conned into depositing funds, hopefully it was found before too much damage was done and it seems to be gone now.
Post by gramsky on Feb 11, 2020 9:16:47 GMT
How would anyone stumble onto the .eu site in the first place? I'm assuming that the vast majority of users have a "favourites" link to AC, which will obviously access the correct .co.uk website? I never store favourites or have apps for important websites, such as where I keep money, on my PC or phone because if someone does access my PC or phone they would immediately know where to start looking to steal my money. I also use secret mode in my internet browser so no information such as passwords or cookies is stored.
Post by investor1925 on Feb 11, 2020 11:18:47 GMT
How would anyone stumble onto the .eu site in the first place? I'm assuming that the vast majority of users have a "favourites" link to AC, which will obviously access the correct .co.uk website? I never store favourites or have apps for important websites, such as where I keep money, on my PC or phone because if someone does access my PC or phone they would immediately know where to start looking to steal my money. I also use secret mode in my internet browser so no information such as passwords or cookies is stored. You could also:
Have on your favourites list all the major UK banks & all the main P2P sites. Which do you choose if you get in?
Have all your passwords on a memory stick, so it's not on your PC anywhere, with a back-up of course.
Clear all your cookies when you go away for a holiday etc, so your browsing history, emails etc is gone.
Have your PC hard wired into your hub & turn off the wifi. When I turn on my ipad, it lists every wifi hub in my street if I look for them.
Never use any hub that you don't know the pedigree of, e.g. hotels, coffee shops etc etc.
I do all of this, although if you're using your laptop, phone, ipad etc you can't do it all. I only use my PC for any financials. It may not be perfect, but it just adds more layers that they have to penetrate to get in & hopefully they won't find all the keys. Y'know, we could make an industry out of this. Oh damn, too late again.
capucino
Member of DD Central
Posts: 90
Likes: 40
Post by capucino on Feb 11, 2020 16:52:51 GMT
@assetz, when are you going to process withdrawals?
Post by stuartassetzcapital on Feb 11, 2020 22:26:05 GMT
I understand all security checks are complete and withdrawals are already live again.
sl75
Posts: 2,092
Likes: 1,245
Post by sl75 on Feb 13, 2020 20:49:48 GMT
How would anyone stumble onto the .eu site in the first place? I'm assuming that the vast majority of users have a "favourites" link to AC, which will obviously access the correct .co.uk website? I just clicked on the link to the clone website that AC helpfully sent out in their email telling me about it. (I was curious - but I was a few hours too late as the site content had been taken down by then).
It later turned out when I viewed it in a different program that AC had attempted to not make it a hyperlink, and it was my mobile device's email client that had helpfully recognised a domain name and converted it to a hyperlink for me, but the effect was the same.
angrysaveruk
Member of DD Central
Say No To T.D.S
Posts: 1,331
Likes: 788
Post by angrysaveruk on Feb 13, 2020 21:45:45 GMT
I have setup an account on the new website and gone all in on the m****** trade financials provider looks like a great investment and plan to retire early.