Interview with an Account Cracker - What Makes a Site Secure?
As part of my research project on cyber-crime and hacking I met online with an account cracker to get some in-depth information about what makes a website secure or insecure.
I found a cracker selling accounts on a popular Telegram Group named Redd and he agreed to meet with me for an interview about cracking. He runs a channel with over 100 people, where he sells goods from Walmart, Starbucks, and other stores.
He reveals some of the sites with the worst security (Office Depot) and what security features can scare off most crackers. These features include 2FA, Captcha, and Akamai.
Interview:
Philip:
Ok cool, I won't ask anything about your background or stuff, just jump into the technical aspects.
I'll add you to my list first though
Redd:
Cool
Philip:
Ok, cool added
I guess the main aspects I'm curious about looking at in this interview is how varied security is for everything from:
serial numbers, giftcards, coupon codes, etc.
Redd:
Okay
Philip:
Are those the main things people try to crack?
Redd:
Not really. Mostly accounts and gift cards
Serial numbers aren't cracked to my knowledge
Well depends
Philip:
And when we're talking about "cracking" do you mean brute force style methods or using combo lists?
Redd:
Combo lists. Brute force is rarely done anymore
I make configs
Philip:
Well for brute force style, I've heard of giftcards that simply increment by 1 for example
Redd:
Yeah, so a lot of companies don't go by that anymore. Usually it's a certain format that crackers crack. Programs like OpenBullet (only modded versions), if I recall correctly, allow you to kind of generate randomized codes following a pattern
Say
L = letter N = Number
A pattern would be
NNNLLLLNNLLL
And they would be able to generate large lists of combinations following the pattern
And check them via the program
Now, this is only for sites without PIN. PIN codes are a little harder
Philip:
Interesting, I've heard certain restaurants have had huge problems due to bad security and no pin
like PF Changs
what do you mean by modded version? I know openbullet, but I haven't heard of mods.
Redd:
A lot of people make modded versions that are simply better, one example is black bullet and open bullet anomaly
Yeah that is true (about PF Chang), though a lot of restaurants have caught on
Philip:
The people working there kind of thing? Or they added security on their websites?
I heard for PF Chang people used to go in with just a number and no printed PDF and now they don't allow that.
Redd:
Both I believe.
And yeah I have done that a couple times but now they don't allow
A number of people have been cracking with PIN now
Which is difficult and more expensive
As usually they have captcha
Philip:
What makes it more expensive? More computer power and time kind of thing?
Redd:
No, they need to buy anti captcha services that bypass captcha
Philip:
right like anti-captcha or 2captcha (can't remember the name)
Redd:
Yeah exactly
Some people do manage to code it themselves
Philip:
code anti-captcha?
Redd:
Yeah
Don't know the specifics of it
Philip:
I saw there was an exploit in the past where you could use the audio version for blind people
and then feed it to audio to text, but they fixed that exploit
what makes black bullet and open bullet anomaly different from the normal version?
Redd:
They have some different features which I don't have off the top of my head. Some of them they are smoother
Philip:
Very interesting stuff
Without revealing any of your best sources, since you won't want competition.
Can you say what are some of the worst companies for security you've seen cracked?
Also what are some of the best ones?
Redd:
Worst security hands down is OfficeDepot
Philip:
what makes it so bad?
Redd:
No captcha, no security protection
The best security I've seen is maybe JetBlue, though it has been cracked. Also StockX and Chipotle now that they fixed their shit
Philip:
sounds bad, I think ones that let the person change name and email without any verification by email are super bad too.
Kind of crazy that, letting someone change your email without first verifying with your current email
damn, so even though JetBlue is one of the best it was still cracked?
Redd:
Yep
Anything can be cracked
And I know the person who can crack anything
Even stuff with high security there are ways around it
Which it is hard to prevent
Philip:
Is there a security feature that when you see, you just move on because it's going to be way too hard?
Maybe 2FA or captcha?
Redd:
For me, yeah. Akamai
Philip:
I have heard of them, they provide anti-bot protection right?
Redd:
2FA is pretty pointless to crack but people get email access accounts for that
Yes
Philip:
Very interesting because I just heard of Akamai 2 days ago
Redd:
Yeah
Very good cybersec on certain sites
But still bypassable
Philip:
Someone told me he knows a guy that sometimes makes cracks for Akamai, and sells for $1000 but the bypass only works for like 2-3 days
Redd:
People crack 2FA accounts by getting email access accounts and using a program to login to the email and search for sites
Nah Akamai bypass can work for a while but yeah they run upwards of 1k
Philip:
oh wow, haven't heard of that. Do you know the program?
Redd:
I think it's called woxy.
Philip:
Thanks, this has been a great interview
Do you have any last thoughts and/or a service you want to plug?
Redd:
Join t.me/reddstore, an all-around shop for your bitcoin, config, and method needs!
If this interview was of interest to you, be sure to check out the early reader program for my book about cyber-crime.
Want to get in touch? You can find me on Twitter or email kirkins and gmail dot com.