Interview with an Account Cracker - What Makes a Site Secure?

in #hacking5 years ago (edited)

As part of my research project on cyber-crime and hacking I met online with an account cracker to get some in depth information about what makes a website secure or insecure.

I found a cracker selling accounts on a popular Telegram Group named Redd and he agreed to meet with me for an interview about cracking. He runs a channel with over 100 people, where sells goods from Walmart, Starbucks, and other stores.

He reveals some of the sites with the worst security (Office Depot) and what security features can scare off most crackers. These features include 2FA, Captcha, and Akamai.

Interview:


Philip:
Ok cool, I won't ask anything about your background or stuff, just jump into the technical aspects.

I'll add you to my list first though

Redd:
Cool

Philip:
Ok, cool added

I guess the main aspects I'm curious about looking at in this interview is how varied security is for everything from:

serial numbers, giftcards, coupon codes, ect.

Redd:
Okay

Philip:
Are those the main things people try to crack?

Redd:
Not really. Mostly accounts and gift cards

Serial numbers arent cracked to my knowledge

Well depends

Philip:
And when we're talking about "cracking" do you mean brute force style methods or using combo lists?

Redd:
Combo lists brute force is rarely done anymore

I make configs

Philip:
Well for brute force style, I've heard of giftcards that simply incriment by 1 for example

Redd:
Yeah, so a lot of companies dont go by that anymore usually its a certain format that crackers crack. Programs like OpenBullet (only modded versions) if i recall correctly allow you to kind of generate randomized codes following a pattern

Say

L = letter N = Number

A pattern would be

NNNLLLLNNLLL

And they would be able to generate large lists of combinations following the pattern

And check them via the program

Now, this is only for sites without PIN PIN codes are a little harder

Philip:
Interesting, I've heard certain restraunts have had huge problems due to bad security and no pin

like PF Changs

what do you mean by modded version? I know openbullet, but I haven't heard of mods.

Redd:

A lot of people make modded versions that are simply better, one example is black bullet and open bullet anomaly

Yeah that is true (about PF Chang), though a lot of restaurants have caught on

Philip:
The people working there kind of thing? Or they added security on their websites?

I heard for PF Chang people use to go in with just a number and no printed PDF and now they don't allow that.

Redd:

Both i believe.

And yeah I have done that a couple times but now they dont allow

A number of people have been cracking with PIN now

Which is difficult and more expensive

As usually they have captcha

Philip:

What makes it more expensive? More computer power and time kind of thing?

Redd:

No they need to buy anti captcha services that bypass captcha

Philip:

right like anti-captcha or 2captcha (can't remember the name)

Redd:
Yeah exactly

Some people do manage to code it themselves

Philip:
code anti-captcha?

Redd:
Yeah

Don't know the specifics of it

Philip:
I saw there was an exploit in the past where you could use the audio version for blind people

and then feed it to audio to text, but they fixed that exploit

what makes black bullet and open bullet anomaly different from the normal version?

Redd:

They have some different features which i dont have off the top of my head. Some of them they are smoother

Philip:
Very interesting stuff

Without revealing any of your best sources, since you won't want competition.

Can you say what are some of the worst companies for security you've seen cracked?

Also what are some of the best ones?

Redd:
Worst security hands down is OfficeDepot

Philip:
what makes it so bad?

Redd:
No captcha, no security protection

The best security i've seen is maybe JetBlue, though it has been cracked. Also StockX and Chiptole now that they fixed their shit

Philip:
sounds bad, I think ones that let the person change name and email without any verification by email are super bad too.

Kind of crazy that, letting someone change your email without first verifying with your current email

damn, so even though JetBlue is one of the best is was still cracked?

Redd:
Yep

Anything can be cracked

And i know the person who can crack anything

Even stuff with high security there are ways around it

Which it is hard to prevent

Philip:
Is there a security feature that when you see, you just move on because it's going to be way too hard?

Maybe 2FA or captcha?

Redd:
For me, yeah. Akamai

Philip:
I have heard of them, they provide anti-bot protection right?

Redd:
2FA is pretty pointless to crack but people get email access accounts for that

Yes

Philip:
Very interesting because I just heard of Akamai 2 days ago

Redd:
Yeah

Very good cybersec on certain sites

But still bypassable

Philip:
Someone told me he knows a guy that sometimes makes cracks for AKamai, and sells for $1000 but the bypass only works for like 2-3 days

Redd:
People crack 2FA accounts by getting email access accounts and using a program to login to the email and search for sites

Nah akamai bypass can work for a while but yeah they run upwards of 1k

Philip:
oh wow, haven't heard of that. Do you know the program?

Redd:
I think its called woxy.

Philip:
Thanks, this has been a great interview

Do you have any lasts thoughts and/or a service you want to plug?

Redd:
Join t.me/reddstore, an all-around shop for your bitcoin, config, and method needs!


If this interview was of interest to you, be sure to check out the early reader program for my book about cyber-crime.


Want to get in touch? You can find me on Twitter or email kirkins and gmail dot com.

Coin Marketplace

STEEM 0.21
TRX 0.25
JST 0.038
BTC 96989.50
ETH 3378.64
USDT 1.00
SBD 3.23