A Cheap ped Buyer ANd scammed avatars (explanation)

ktpsmf

Prowler
Joined
Mar 19, 2011
Posts
1,022
Society
just a visitor
Avatar Name
not playing
Hello all,
just entered calypso forum and checked how people is crying about stole accounts in eu.
That is something new for me, because earlier was no people massively posting that they was hacked or something.
After reading that posts i saw that all of "victims" in one or other way was connected with one "cheap ped" selling site.

i checked out that site and really there found they say that sell ped 50% cheaper than it is . Well, all really know that it is impossible because since 1 usd = 10 ped why enyone would like to sell it cheaper.

in quick buy selection you have to pay and enter your email and password as registration, and put your avatar name.

so .
At first i want to explain people : there is no cheaper or more expensive dollars. Dollar = dollar. And if 1Dollar = 10 PED, it cannot be 1USD = 20 PED. Because it has no sense.
So basically if some People are Dump enough to believe that 1 USD = 2 USD, so seems they are dump enough to give away their usernames and passwords of eu in same request FORM.

Second, and most important thing that not everyone understands, and mostly those people who believe that 1 usd can be equal to 2usd , who is that person who lost an avatar or money in it ??

We all like to believe that people who lost his avatar or peds is an victim and we all fell sorry for him, believing that Mindark should trey to restore his account, to work on his avatar more than 1 hour to search how was possible that he lost his own password and how to prevent this to repeat in future.

In all this posts where was talking about Hacked avatars. People feel sorry for that people , and mad at Mindark that they not return PED , or searching reasons how to blame Mindark for Lack of security and ect.

So i want to explain how our Lawyers explained similar situation about this.

1. Mindark offers additional security (golden card) , that makes people to choose what level of security he wants (free or more secured) . In all Europe banks there is 2 type of securities (static code card and code generator) both security types need to pay, if there was a free way to open bank account it would be an (user/password) type account.
explanation : if DUMP ped buyer from site would be asked to enter 20 static code card numbers , it probably would wrote that down to get peds.

2.What is person that bought peds from forbidden site, gave his secure data to 3rd party persons and got scammed?
In this case, looking to all documentation and common sence - scammed person is nothing more than EULA violator that violated game rules like 3 times and writing to forum in person type like ( i bought a stolen car from a thief, and police arrested me and took away MY car.)
(in this situation according to eula violation mindark should make actions to make judge punishment job , not saveguard)


In this conclusion people still blames Mindark for not giving back their scammed money, even when Mindark :
a) offered more security (gold card) for money
b) made rules that clearly not let people give away passwords or buy PED from 3rd party


in one of my support i asked for Mindark about their pricelist. For people who don’t know if that exists i can say that there is such.
if you lost your item and dont remember where you put it , you can order Mindark support to find it for you, it costs 40 usd /h or 400ped/h.

How many hours Mindark need to spend and pay for support employee, to find your >1000 ped worth stuff ?

for people who will trey to deny my post trying to say that Mindakr need to make more free security options i only can add that Google security system implementation coasted about 5.6 Mil usd, and still they got gmail hacked and ect. Same with icloud. Not mentioning such games like wow and other who had been leacked even with "mobile authenticators" and ect.

in all Eu history we never had any database leaks that made our secure data visable for 3rd persons.

So in end , maybe my post will change some people minds, what is Victim here and who we have to blame here, or at least what suspect from company which has nothing to do with you foolish actions giving away your "bank account/wallet"
 
Last edited:
This of course makes sense as a way of explaining how their account info was obtained, but it assumes that the hacked accounts actually did this, and I haven't seen any of them say they have.
 
This of course makes sense as a way of explaining how their account info was obtained, but it assumes that the hacked accounts actually did this, and I haven't seen any of them say they have.

Ofcourse i understand you but readling posts and collecting all to one place, it still seems that all account hacking and scam situations was made only when "cheap ped" sites started to advertise in chat and forums.

And according to all (even 10 year) timeline of posts there was no quincidences of similar posts , so i dont even dare to think about other option to get user/password of eu account only this one.

and scammed people who choose to deny for Mindark that they did not know how information was given away just makes more job to mindark resolving that same thruth which can be told in first support .(faithing that Mindark will own this problem as their and gives away items that was stoled)
 
Ofcourse i understand you but readling posts and collecting all to one place, it still seems that all account hacking and scam situations was made only when "cheap ped" sites started to advertise in chat and forums.

And according to all (even 10 year) timeline of posts there was no quincidences of similar posts , so i dont even dare to think about other option to get user/password of eu account only this one.

I agree those two coincidences are highly suspect.
 
(...)
In all Europe banks there is 2 type of securities (static code card and code generator) both security types need to pay, if there was a free way to open bank account it would be an (user/password) type account.
(...)

This is not true... i have FREE account in my bank and they offer sms verification for EVERY transaction that is not between my sub accounts.
Also i have small % on money that are hold on the account so i actually get paid for having cash there (not that it coutners inflation tbh).

@topic:
MA can't refund TT value of items victims have lost due to this simple reason:
there is no way to distinguish actual victim of hackers attack or fake victim that could be a way to steal money from MA.

To increase security MA should add those two (optional) security measures that can be and should be free:
- sms notification similar to gold card verification (same security level but much cheaper and mroe convinient).
- adding machines based on fingerprint, MAC or whatever they find suitable to safe list (verification is one time per machine through e-mail).

Both options are very cheap to maintain and other games are already using them not without a reason. Gold card system is not convinient and pretty old security system.

Falagor
:bandit:
 
This is not true... i have FREE account in my bank and they offer sms verification for EVERY transaction that is not between my sub accounts.
Also i have small % on money that are hold on the account so i actually get paid for having cash there (not that it coutners inflation tbh).

@topic:
MA can't refund TT value of items victims have lost due to this simple reason:
there is no way to distinguish actual victim of hackers attack or fake victim that could be a way to steal money from MA.

To increase security MA should add those two (optional) security measures that can be and should be free:
- sms notification similar to gold card verification (same security level but much cheaper and mroe convinient).
- adding machines based on fingerprint, MAC or whatever they find suitable to safe list (verification is one time per machine through e-mail).

Both options are very cheap to maintain and other games are already using them not without a reason. Gold card system is not convinient and pretty old security system.

Falagor
:bandit:

1. you are right - bank choose how to get peyd for its services, same as youi open account free but you need to pay for transactions and held some money ion accoun or even pay monthly fee for account holding.
It costs to you but not dirreclty, mindark cannot do it because you can create asn many as you want accounts and ccount is not dirreclty connected to your identity, that is why 1 person can make 1000 of accounts on different emails, and that would make mindark to have wortless fees for unused avatar additional security.


2. sms verification is free only for 1 country operator, that means if mindark has like 10000 users that connects 5 times a day, that (small fee) will grow to HUGE money and will not bring wanted result that happens only 1 time in a year.

3. Mac/ machine / ip restictions - is not convinient for user.
a) mac - every network card has different and even notebook has 2 nwtwork cards including 3/4g broadbands that has allmost same mac adresses
b) mochine numbers- cpu serial number which was used as main pc identificator was removed byintel few ears ago that is why even Microsoft cant validate windows for unique user. (that is why started to add certificates to bios starting from windows vista os)
c) ip adress - alot mobile broadbands, some low isp's still use dynamic ip adresses
 
Last edited:
how about?
Some victims could have used the same username as one of the 3 avatar names..
hackers use bruteforce for the password, then, script it all in order to use it on EU website?
 
how about?
Some victims could have used the same username as one of the 3 avatar names..
hackers use bruteforce for the password, then, script it all in order to use it on EU website?


Code:
with speed of 1,000,000,000 Passwords/sec, cracking a 8 character password composed using 96 characters takes 83.5 days


in entropia password reply with 100mb/s line and predictable reply speed it would be 400 years to solve 8 character (all low caps) password.

so nearly impossible to believe it.



p.s.

there is some information about bruteforcing local passwords that is 1000 times faster than tcp or udp protocol reply from server :

Possible? yes, but what brute force recovery duration is accepted as possible? Some numbers for 8 chars PW if randomly chosen from a 94 character set:

WiFi (PBKDF2/SHA1:4096) using an 8 GPU recovery system: 98 year on average
7ZIP (PBKDF2/SHA256:262144) using an 8 GPU recovery system: 26 centuries

So it is 'possible' for certain cases for us, may be yes in all above cases for some agencies.
 
Last edited:
... Gold card system is not convinient and pretty old security system.
Please explain this?

IMO when it comes to security there is a sliding scale, on the one hand you have convenient but loose, on the other you have inconvenient but tight. Gold Card seems to be somewhere in the middle, about perfect if you ask me.

AFAIK there is not a single case of the Gold Card security being breeched since they were implemented (around 2007?), if it works, the fact that its old is neither here nor there.
 
Code:
with speed of 1,000,000,000 Passwords/sec, cracking a 8 character password composed using 96 characters takes 83.5 days


in entropia password reply with 100mb/s line and predictable reply speed it would be 400 years to solve 8 character (all low caps) password.

so nearly impossible to believe it.



p.s.

there is some information about bruteforcing local passwords that is 1000 times faster than tcp or udp protocol reply from server :

Yeah, but how strong are the passwords people are using? If you narrow down the bruteforce approach to, for example, dictionary words, you will often get a hit in a much quicker time.

It should be obvious to people that if you dont have a GC you must have a strong password, but I guess its not. None of which is MindArk's fault.
 
After reading that posts i saw that all of "victims" in one or other way was connected with one "cheap ped" selling site.

The fact that you are so naive to think that this is all happening from one website makes the rest of your discussion pointless.

If one group of people are doing it, 10 others groups are too.

We are seeing a rise in the public awareness of this game, and all the shit that will come along with it, including MULTIPLE scamming sites and more importantly, MULTIPLE scamming styles. To lump everyone into one group and saying that they are all tied to ONE FUCKING WEBSITE is borderline crazy...you think there is only one thing to watch out for??? You think that it is all the victims fault??? You do a major disservice to everyone by making such narrow-minded assertions.

Sure, warn people, that is fine, tell them to get a gold card, that is great, but do NOT try to tell people it is all from one site. Jesus.
 
There was no brute force attack regardless. The MA ticket stated that there was never an incorrect password despite 10 attempts/day.
 
Please explain this?

IMO when it comes to security there is a sliding scale, on the one hand you have convenient but loose, on the other you have inconvenient but tight. Gold Card seems to be somewhere in the middle, about perfect if you ask me.

AFAIK there is not a single case of the Gold Card security being breeched since they were implemented (around 2007?), if it works, the fact that its old is neither here nor there.

he sayd unconvenient , because there is alot of new systems like android app (code generator) , sms validators, that not need to wait 1 or 2 weeks to receive it and carry all time with you.

Old? Yes , it was mane by Todos AB that is like 10 or more years old.

but it is best a security choice so far, because even banks use it.
 
The fact that you are so naive to think that this is all happening from one website makes the rest of your discussion pointless.

If one group of people are doing it, 10 others groups are too.

We are seeing a rise in the public awareness of this game, and all the shit that will come along with it, including MULTIPLE scamming sites and more importantly, MULTIPLE scamming styles. To lump everyone into one group and saying that they are all tied to ONE FUCKING WEBSITE is borderline crazy...you think there is only one thing to watch out for??? You think that it is all the victims fault??? You do a major disservice to everyone by making such narrow-minded assertions.

Sure, warn people, that is fine, tell them to get a gold card, that is great, but do NOT try to tell people it is all from one site. Jesus.

ofc if you post your user/password on this forum , there will be few trying to connect it too, dont you think ?

i am talking not about 1 site , but about free way to give away your data to 3rd person/site/action and how it should be understood


You think that it is all the victims fault???.

If a person receives a call from a fake police man and says that his son made accident, killed a child and need to pay 4000 usd to solve problem without going to jail. Than person pays 4000 to fake policeman. and who is he now ? Victim that was cheated and lost 4000usd or a criminal that tryed to give a bribe to avoid justice ?

everyone has his own opinion here, but written laws is same as EULA, Black letters on white paper.
 
Last edited:
1. you are right - bank choose how to get peyd for its services, same as youi open account free but you need to pay for transactions and held some money ion accoun or even pay monthly fee for account holding.
It costs to you but not dirreclty, mindark cannot do it because you can create asn many as you want accounts and ccount is not dirreclty connected to your identity, that is why 1 person can make 1000 of accounts on different emails, and that would make mindark to have wortless fees for unused avatar additional security.


2. sms verification is free only for 1 country operator, that means if mindark has like 10000 users that connects 5 times a day, that (small fee) will grow to HUGE money and will not bring wanted result that happens only 1 time in a year.

3. Mac/ machine / ip restictions - is not convinient for user.
a) mac - every network card has different and even notebook has 2 nwtwork cards including 3/4g broadbands that has allmost same mac adresses
b) mochine numbers- cpu serial number which was used as main pc identificator was removed byintel few ears ago that is why even Microsoft cant validate windows for unique user. (that is why started to add certificates to bios starting from windows vista os)
c) ip adress - alot mobile broadbands, some low isp's still use dynamic ip adresses

1) You missunderstood me - i have absolutly ZERO account costs. I can have empty account and wont pay anything, i dont need to fill it with new money each month, and i dont pay anything for any transactions. Yet i have sms protocol security (aside login+password) AND i GET % for holding money there (like quasi investment account). @edit: i also have no fees for withdrawing from ATMs in all Europe ;).
To sum up: I pay nothing for my banking services. I get payed for holding money in their bank ;).

2) you are probably righ - yet some games already provide it. It is just a matter of negotiations made with proper operators.

3) There are at least two main game platforms that use it: Battle.net and Steam. So it is doable and i feel much safer with this option knowing that hacker needs my e-mail acount hacked too to have access to my game account.

Falagor
:bandit:
 
Last edited:
Please explain this?

IMO when it comes to security there is a sliding scale, on the one hand you have convenient but loose, on the other you have inconvenient but tight. Gold Card seems to be somewhere in the middle, about perfect if you ask me.

AFAIK there is not a single case of the Gold Card security being breeched since they were implemented (around 2007?), if it works, the fact that its old is neither here nor there.

Gold card vs Sms verification.

with Sms you get same protection (espetially if you do not use phone with OS but rather old ones where you just can't get viruses) and:
- you do not need to remember to take GC with you if you travel. You almost always take your phone with you.
- you do not need to worry if the battery dies on GC reader. Recharging phones is usually not a problem.
- you do not need to worry if your GC or reader malfunction. If your phone breaks - as long you still have yoru SIM card you can have access to Entropia imideitly after putting it to new phone (even borrowed).
- SMS is "virtual" so does not need additional devices (except phone that like 99.9% already have) - less cost of usage.

Falagor
:bandit:
 
Hello all,
just entered calypso forum and checked how people is crying about stole accounts in eu.
That is something new for me, because earlier was no people massively posting that they was hacked or something.
After reading that posts i saw that all of "victims" in one or other way was connected with one "cheap ped" selling site.

Nope, any other ideas?
 
fake ID thread. walk away. My money is on Sunsout
 
Last edited:
Nope, any other ideas?

since there is no othere possible way connecting all eu users only giving away user/password through other websites or same secure data used in other website/forums. Keylogger or virus is hardly possible too because too low "globalness" of game that could make interest.


Orcourse that 1% chance giving away password without knowing it is most likely used in same sites as mining log or ect that after ( The SSL 3.0 Vulnerability – POODLE Bug) oficial US named Alert (TA14-290A) . that could be using it and 1 % of leaking all user database with passowrds that could be same as entropia users data, but hardly believable, because in this way we could have like 100 tiems more scammed avatars.
 
MA did say the hackers used brute force. Quote from my ticket:

"Also start thinking of an password for your entropia account not related to close with the last one, these hackers use brute forcing, if you leave a password similar to the old one then it is just a question of time before they might hack your account again."

https://www.planetcalypsoforum.com/...t-was-hacked&p=3334739&viewfull=1#post3334739

Ah, the other thread said they had not, which shows a different modus operandi in the two hacks.

So tying to try them all together may be wrongheaded.
 
Ah, the other thread said they had not, which shows a different modus operandi in the two hacks.

So tying to try them all together may be wrongheaded.

or support just writes all to trye calm down people and dont know what programmers of eu really knows from logs and what they doing.

btw, capcha adding to login shows that they could be effected by brute force attack or showed concern to add more security for login.
 
MA did say the hackers used brute force. Quote from my ticket:

"Also start thinking of an password for your entropia account not related to close with the last one, these hackers use brute forcing, if you leave a password similar to the old one then it is just a question of time before they might hack your account again."

https://www.planetcalypsoforum.com/...t-was-hacked&p=3334739&viewfull=1#post3334739

Your constant bringing up of the possibility of a brute force attack makes me a bit suspicious that you feel guilty over something... :silly2:
 
I agree with most in the OP. No way MA has to pay for the stupidity of some.

One thing, though, is incorrect. It is actually quite well possible that someone would sell PED cheaper...as part of a money laundring operation.

ABout 20 years ago, in my country, there were classified ads in the newspapers, where someone wanted to buy Lottery tickets with a prize of HFL 50 - HFL 999 (approximately € 22 - 450). They offered to buy these tickets for 125%. SO instead of turning them in and getting HFL 100, you'd get HFL 125.

Why? Because these buyers were criminals, and by paying for these tickets, they could turn them in (or pay people with them) and suddenly, it would be legal money....

But even then...you;d better not get involved, because you;d still be doing illegal stuff, which would be stupid considering the (risk-and-punishment)-to-gain-ratio.
 
Until we develop mindreading abilities we can only guess what exactly happened. However, only the appearance of "Cheap Ped's" sellers doesn't prove the hacked accounts had anything to do with it. They do things we can all see and they might do things that are not so obvious on the first glance. If some cyber criminals set their eyes on a Target, in that case Entropia Universe, they might use brute force as well and other methods to obtain login data from entropia accounts.

Just throwing "fred5283 email" into google gives me a lot of results, no hacks needed.
 
why do we have gold cards? :wise:

is a nice golden card :cool:
is a card put out gold:yay:
for prepairing snow:xmas:
for open a door:idea:
as opener for beer:drink:
to get better loot:tower:
to make MA more rich:tongue4:
as memory stick for my tablet:lam:
as pre paid card for my shoes:love:
to clean my feets and hands:nurse:
to clean my a....:jawdrop:

Ah only for prodect my eu account to be 99.999999 sure it get not hacked!:woohoo:
 
why do we have gold cards? :wise:

is a nice golden card :cool:

Actually... it's got a black front, and a white back... Only thing slightly resembling gold is the chip.

But YAY for protectioN!
 
Actually... it's got a black front, and a white back... Only thing slightly resembling gold is the chip.

But YAY for protectioN!

There have been several designs over the past 10+ years. Mine IS gold in colour. :)
 
There have been several designs over the past 10+ years. Mine IS gold in colour. :)
Same... Cheers for the old gold card club! :beerchug:
 
Old GC club yea!

aboud old, just wondering that my 8 or 9 year old reader work with the first battery.
 
Old GC club yea!

aboud old, just wondering that my 8 or 9 year old reader work with the first battery.

I had a LCD temperature sensor that was on 24 hours a day and the batteries lasted about 15 years, so a device that is used for 30 seconds a day should be good for 20 I would have thought. :)
 
Back
Top