« : March 14, 2016, 12:43:45 PM »
The goal of this message is to:
1. expose possible ways of fraud based on registration process vulnerabilities to game community.
2. denounce the player known as "dess" who is a fraud
3. induce Achat developers to review and upgrade Achat's registration process and security measures.
During a login process on the 2nd of Februay 2016 I received a notice stating that my account name and password are invalid.
With no hesitation I contacted the support team in regards of the account control issue and the response was:
"Hi,
this user was renamed as you asked for it earlier.
Regards,
AChat support"
All the payment sources were and are assigned to me.
I didn't send and requests for name change and neither the support team sent me any confirmation requests when the incident took place.
Technically the support team passed my cridentials to a stranger without any notice to the account owner - me. I had no access to my account for 10 days.
On February 12 the account has been returerned to me with no additional comments or explanations. My inquiry for any sort of explanation and request applications details found no response.
The fraud removed all of my friends and deleted all of my stored messages and notifications.
Accounting history has also been removed from the website, however I have not found any sort of button to do that. When I asked who and why cleared the payment log it was ignored as well.
Now I use my account under the supports "watchful eye" as they called it and I have a fear that if it blinks once the fraud will steal my account again processing a payment after the stealing and using it as an excuse, since that will be the only logged transaction. And no one cares that I have been a subscriber for 5 years and spent a sufficient ammount of money on the subscription and in-game goods.
After a while the support team apologized to me and offered 10K A$ as a bribe to forget the incident.
I rejected the offer and suggested to improve the registration process and security measures in or.der to eliminate their flaws which were used by the fraud. My suggestion also didn't meet any response, they just promised me to "watch attentively".
The fraud is commonly known as "dess" and possesses many accounts and I am aware that some of them are stolen.
The first attempt to seal my account was performed a year ago. That time the support team inquired transaction data from me as a reaction to the fraud's email with request to change the cridentials on behalf of me. When I confirmed the ownership I assumed the case is closed and that was the first time the support team ensured me that they will have an eye for frauds.
During the past year two of my friends lost their accounts to the fraud and those are only the cases I am aware of, there's no reason to think those were the only victims of dess.
Please note, that I am aware of those insidents without security being my scope.
It is odd and outrageous that the support team takes no action in regards of such incidents, instead improving the security measures.
The fraud stated it in public in the winter location that they paid for the subscription, the chat logs have been saved and there are evidence.
Hence, it means:
1) The fraud admitted the stealing act of the account which is being hid by the support team.
2) the fraud confirmed the transaction for automatic account-email binding.
All of the above means that the scheme has been tested and proved working using the flaws of the security system.
The following evidence has been probided by another player.
WHen asked about the date of registration for the Lapo4ka account dess said - a year ago.
After that being claimed lies they excused - the account was sold by the support team since it has not been used for a yIear (no comments)
The persons who witnessed those chats can confirm that and I will ask them to do so.
I registered the account Lapo4ka and I can confirm the ownership since I own and control the emails that were used for transactions. The fraud has no idea about those accounts excisting if the support team has not provided that info to them.
Nonetheless I have a many friends in-game, and some of them know me since the first days. I have an image and it doesn't match the one the fraud posed out after stealing the account.
Thereby any dess' attempt to claim the ownership of "Lapo4ka" is lies and may be considered a fraud confession.
The current registration process and security measures have these obvious flaws.
1. FUll access control over an account belongs to the support team only. There is no way for a user possessing the email used for the account registration to restore its ownership without applying to the support team which the team priveleges to pass accounts to any strangers without the users being notified
2. There is no strict email binding for accounts plus the majority of players even has no idea how it happens.
3. Accounts are automatically binded to the emails which were used during the most recent transaction for the account. That was the method used by the fraud.
4. Since many players buy their subscriptions for gifted A$ instead of dollar payments, no ownership can be proved for those accounts. If a password is missing for a such account it cannot be restored. I have known a few of such cases.
To avoid such cases in the future I suggest the developars to take following actions:
1. Any account registered should be bound to the email address used for the registration.
2. Credentials changes should take place only through email confirmation.
Such functions as automatical password reset and password generation with them being emailed to the initial email address used for registration proved themselves reliable and are commonly used for the most existing online services.
The emails nowadays have several security levels such as using cell phones for verifications, which makes them hardly possible to hack or steal.
I regret to say that, but despite the flaws I explained above being obvious the support team ignores the issue. Personally I spent a whole month emailing with the team for no result.
AChat Forum
