
EBANK Ricdic
Eve-Tech Savings n Loans
|
Posted - 2008.03.05 05:23:00 -
[31]
damnit i am slow,
|

EBANK Ricdic
Eve-Tech Savings n Loans
|
Posted - 2008.03.05 05:31:00 -
[32]
Edited by: EBANK Ricdic on 05/03/2008 05:34:13
Originally by: Treelox
and sadly special me (in the short yellow bus fashion), accidentally closed mine when I had just intended to make it a really really small amount outstanding.
If you want it reopened, just re-request the balance and it shall be done.
edit: A line of credit is really awesome in Eve as it allows you to just grab funds needed without needing to go through hoops. Need an extra 1b for this trade run you see, just action a withdrawal on pre-accepted funds.
I guess the next step we in EBANK need to determine, is a way to get funds to clients faster. I have been thinking about this, things such as having 3rd party brokers available who can action an EBANK withdrawal through a specific party and have it automatically credited to their EBANK account. Something like that. But I think the affiliates system should definitely allow this functionality.
|

LaVista Vista
Conservative Shenanigans Party
|
Posted - 2008.03.05 06:51:00 -
[33]
Originally by: EBANK Ricdic
I guess the next step we in EBANK need to determine, is a way to get funds to clients faster. I have been thinking about this, things such as having 3rd party brokers available who can action an EBANK withdrawal through a specific party and have it automatically credited to their EBANK account. Something like that. But I think the affiliates system should definitely allow this functionality.
Extremely interesting idea. But why would an affiliate actually do that?
|

Kwint Sommer
Lothian Quay Industries
|
Posted - 2008.03.05 07:09:00 -
[34]
Originally by: EBANK Ricdic
Quote: I for one would have happily taken out a 2 or 3 billion line of credit for this month if I had the option.
You do. Contact me on MSN however as I am unable to log into eve at the moment due to having no DSL access at home.
That's great. I'm going to sleep now but expect to hear from me tomorrow.
5% Mining & Manufacturing Implants |

EBANK Ricdic
Eve-Tech Savings n Loans
|
Posted - 2008.03.05 09:41:00 -
[35]
Originally by: LaVista Vista
Extremely interesting idea. But why would an affiliate actually do that?
Well let's assume the person in question keeps large sums of cash on hand, such as Shadarle. The system is kinda in place already with player to player transfers. Consider this scenario:
Mining Bunnz wants to withdraw 500m from his EBANK account. He speaks with Shadarle who will forward him the isk once it is transferred from Mining Bunnz EBANK account to Shadarle's EBANK account.
Now, the P2P system gives an idea on how it's possible but it isn't flawless in that regard. The flaws I see are as follows :
1) EBANK charges a transfer fee for P2P transfers (I believe it's 0.1% of transaction value)
2) The person receiving the isk needs an incentive to do so. This may be in the form of that 0.1% broker fee, or some completely different fee.
3) There is no current mechanism to avoid a scam (ie Bunnz transfers Shadarle funds through EBANK account, and Shadarle doesn't pay him the funds). Obviously it's unlikely it would happen with these individuals but I want to make an affiliate broker a position anyone can have to earn a few extra isk with capital lying around on hand.
See, the idea behind the affiliate system is as follows:
1) Buyer requests item
2) Buyer transfers isk to seller's EBANK account (but funds in locked state)
3) Seller confirms receipt of isk and sends item in question
4) Now, buyer has two options here
a) He can accept receipt of product and inside his EBANK account he can mark this transaction as successful. (By marking as successful those EBANK funds are unlocked to the seller)
b) He can dispute the transaction. He has 7 days to dispute a transaction (this is the max amount EBANK will lock funds where no dispute is in force). He can feel assured that the isk is locked down long enough for the EBANK Complaints team to investigate the transaction and make a decision on the outcome.
So, that's how affiliation through EBANK is supposed to work (assuming it goes through like this)
Now, let's assume broker affiliation using the same above scenario.
Shadarle offers the ability to buy isk using EBANK $$$. This is the exact same money, ie 1m isk is 1,000,000 EBANK isk. However it's just structured in a way where somebody can contact Shadarle and request to buy say 500m isk.
The buyer wires 500m from his EBANK account to Shadarle's EBANK account (in a locked state). Shadarle then sends the ISK. If Shadarle doesn't send the isk then it can be disputed as above. Therefore the isk remains in a locked state pending resolution of issue.
Basically the affiliates system is planning on being a way to do the following:
a) Allow the ability to use your isk in your EBANK account without needing to always withdraw it.
b) (using above example) Facilitate the ability to have far faster withdrawals (ie picture a list of EBANK affiliated loanees ingame where you can just find one online and request a certain amount of isk from your EBANK account).
Now, I don't like the idea of EBANK profiting off customers using the affiliated loanees to have withdrawals actioned. I am still a little undecided on what approach we should take. But it needs to be of some profit to the affiliate. Even if EBANK itself pays the affiliate. Anyway, most of the above is my ideas on where the affiliates program should be heading and may or may not be implemented and may or may not be accepted by the board.
Take it more as an idea of the way I want to see us allow almost instant access to your EBANK account at times of withdrawal without needing 50 EBANK tellers with isk spread all over the place.
|
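The locked-funds flow described in the post above, as an added example that is not EBANK's code. The class and method names, the account names, and the rule that an undisputed lock releases to the seller once the 7 days are up are assumptions; the lock is modelled as funds neither party can spend until it settles.

```python
from datetime import datetime, timedelta

DISPUTE_WINDOW = timedelta(days=7)        # the 7-day limit named in the post

class EscrowLedger:
    def __init__(self, balances):
        self.available = dict(balances)   # spendable funds per account
        self.escrows = {}                 # escrow id -> record
        self._next_id = 1

    def lock(self, buyer, seller, amount, now):
        """Step 2: take funds out of the buyer's spendable balance and lock them."""
        if buyer == seller or seller not in self.available:
            raise ValueError("bad counterparty")
        if amount <= 0 or self.available.get(buyer, 0) < amount:
            raise ValueError("insufficient spendable funds")
        self.available[buyer] -= amount
        eid, self._next_id = self._next_id, self._next_id + 1
        self.escrows[eid] = dict(buyer=buyer, seller=seller, amount=amount,
                                 opened=now, state="locked")
        return eid

    def _settle(self, e, state):
        payee = e["seller"] if state == "released" else e["buyer"]
        self.available[payee] += e["amount"]
        e["state"] = state

    def confirm(self, eid, actor):
        """Step 4a: only the buyer may mark the trade successful."""
        e = self.escrows[eid]
        if actor != e["buyer"] or e["state"] != "locked":
            raise PermissionError("only the buyer can release a locked escrow")
        self._settle(e, "released")

    def dispute(self, eid, actor, now):
        """Step 4b: a dispute inside the window keeps the funds locked."""
        e = self.escrows[eid]
        if actor != e["buyer"] or e["state"] != "locked":
            raise PermissionError("only the buyer can dispute a locked escrow")
        if now - e["opened"] > DISPUTE_WINDOW:
            raise ValueError("dispute window has closed")
        e["state"] = "disputed"

    def resolve(self, eid, staff, refund_buyer):
        """Complaints decision; a party to the trade cannot rule on it."""
        e = self.escrows[eid]
        if e["state"] != "disputed" or staff in (e["buyer"], e["seller"]):
            raise PermissionError("not allowed to resolve this escrow")
        self._settle(e, "refunded" if refund_buyer else "released")

    def sweep(self, now):
        """Assumed rule: undisputed locks older than the window go to the seller."""
        due = [eid for eid, e in self.escrows.items()
               if e["state"] == "locked" and now - e["opened"] > DISPUTE_WINDOW]
        for eid in due:
            self._settle(self.escrows[eid], "released")
        return due

    def total(self):
        """Invariant: spendable plus locked funds always sum to the same amount."""
        held = sum(e["amount"] for e in self.escrows.values()
                   if e["state"] in ("locked", "disputed"))
        return sum(self.available.values()) + held
```
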

LaVista Vista
Conservative Shenanigans Party
|
Posted - 2008.03.05 10:10:00 -
[36]
I personally think that it won't be a too big issue anymore, now that we have more active tellers.
Also, as I wrote on the frontpage of EBank, for the time being, I'm the point of contact, due to connectivity issues of Ricdic.
|

Randy West
Caldari Deep Core Mining Inc.
|
Posted - 2008.03.06 00:20:00 -
[37]
Originally by: LaVista Vista
I personally think that it won't be a too big issue anymore, now that we have more active tellers.
Also, as I wrote on the frontpage of EBank, for the time being, I'm the point of contact, due to connectivity issues of Ricdic.
BTW thanks for handling my withdraw request of one billion today so quickly and efficiently. I will be redepositing back what I don't use in the next day or two depending. My question was does my account close if I empty it out altogether?? Or do I still have an account even if the balance is 0??
|

Hexxx
Minmatar
|
Posted - 2008.03.06 00:43:00 -
[38]
Originally by: Randy West
Originally by: LaVista Vista
I personally think that it won't be a too big issue anymore, now that we have more active tellers.
Also, as I wrote on the frontpage of EBank, for the time being, I'm the point of contact, due to connectivity issues of Ricdic.
BTW thanks for handling my withdraw request of one billion today so quickly and efficiently. I will be redepositing back what I don't use in the next day or two depending. My question was does my account close if I empty it out altogether?? Or do I still have an account even if the balance is 0??
The only "accounts" that ever deactivate are loan accounts.
Director | www.eve-bank.net
|

Sikozu Prioris
Suns Of Korhal deadspace society
|
Posted - 2008.03.06 01:36:00 -
[39]
I was just wondering, with the shared accounts is there a fee for moving money to and from it?
All I can see in the t&c is a 0.5% fee for moving between players.
Lol |

EBANK Ricdic
Eve-Tech Savings n Loans Zzz
|
Posted - 2008.03.15 17:02:00 -
[40]
We wanted to put this in a new thread however CCP Mitnal has been locking them as he wants us to only deal with one thread. So please don't take this as our trying to cover this up.
Today Jensius Duo of Digital Fury Corporation [D-F-C] attempted to hack into our EBANK systems. I will let Hexxx provide the details behind it, however he didn't manage to steal anything (information nor isk).
We are releasing this information as we feel the public have the right to know. We have Jensius's IP address and have blacklisted his EBANK account. We will also be disallowing his corporation from becoming EBANK customers unless he is removed from the corporation.
We want to reiterate. Your account details are completely safe. No funds were stolen in any way, and measures have been put in place to ensure this cannot happen again.
Hexxx will follow up with his technical talk explaining what happened.
Thank you for your time.
|

Ayami Sakura
Science and Trade Institute
|
Posted - 2008.03.15 17:19:00 -
[41]
Originally by: EBANK Ricdic
Edited by: EBANK Ricdic on 15/03/2008 17:09:09
PENDING ANNOUNCEMENT
Oooohhh, I'm feeling all tingly.
|

EBANK Ricdic
Eve-Tech Savings n Loans Zzz
|
Posted - 2008.03.15 17:27:00 -
[42]
We wanted to put this in a new thread however CCP Mitnal has been locking them as he wants us to only deal with one thread. So please don't take this as our trying to cover this up.
Today Jensius Duo of Digital Fury Corporation [D-F-C] attempted to hack into our EBANK systems. I will let Hexxx provide the details behind it, however he didn't manage to steal anything (information nor isk).
We are releasing this information as we feel the public have the right to know. We have Jensius's IP address and have blacklisted his EBANK account. We will also be disallowing his corporation from becoming EBANK customers unless he is removed from the corporation.
We want to reiterate. Your account details are completely safe. No funds were stolen in any way, and measures have been put in place to ensure this cannot happen again.
Hexxx will follow up with his technical talk explaining what happened.
Thank you for your time.
|

Hexxx
Sebiestor tribe
|
Posted - 2008.03.15 17:43:00 -
[43]
Hey guys,
First let me say this; no isk was stolen and from what I've been able to tell only one account had its information compromised (we've been in contact with this person and they're aware of the issue).
I've disabled EBANK logins for a little bit to make sure I've properly fixed the issue. I'll enable them again once I feel comfortable that the problem has been solved.
So, that said, let's talk a little bit about what happened.
The attacker got lucky with some blind SQL injection and thought they were able to withdraw from someone's account...however, I had written a "double check" on account withdraws a long while back and that prevented the withdraw from getting routed to the attacker. The attack was about 90% blind "guessing" on the attacker's part. The victim in this case saw a withdraw that he didn't initiate and contacted us.
We then locked things down and reviewed every withdraw and account that was withdrawn from in the past 5 days. We contacted one or two people where we thought there might be an issue and determined that there was no theft of isk anywhere.
One last note, the system we use for handling withdraws is completely separate from the one that handles player-to-player and intra-account transfers. They don't share any code at all. I'll be reviewing that as well however to just check up on things.
We're looking at a projected downtime of a few hours here, complicated by the fact that this is St. Patrick's here in the US and I've also got my family around and while I do take my EBANK obligations very seriously, I also take my family obligations VERY seriously.
So, in summary...we experienced an "incident" but the damage was very minimal and we expect to be up and running just fine once we've completed our review. 
Director | www.eve-bank.net
|

Athre
The HIgher Standard
|
Posted - 2008.03.15 17:49:00 -
[44]
silly hackers, don't try the white hats :D
|

Hexxx
Sebiestor tribe
|
Posted - 2008.03.15 17:53:00 -
[45]
Edited by: Hexxx on 15/03/2008 17:56:37
Originally by: Athre
silly hackers, don't try the white hats :D
My first job out of graduate school was as an Attack and Penetration specialist. "Pen Testing" is essentially hacking under a mutually agreed upon contract.
I'm surprised they were able to pull this off, but I work under the assumption that I do make mistakes sometimes which is why I wrote a redundant "check" in the first place.
It turned out to do exactly what it was supposed to do; a last line of defense against any SQL injection attacks.
edit: EBANK utilizes a Data Abstraction Layer (DAL) that strongly types all SQL values, cutting off a very large amount of possible SQL injection attacks. When I say this guy got lucky, he REALLY did get lucky.
Director | www.eve-bank.net
|
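The two layers described in the posts above (strongly typed SQL values, plus a redundant check before a withdrawal is paid out), as an added example that is not EBANK's code. The schema, function names and account names are constructed, and what the real "double check" verified is not stated in the thread: here it is assumed to confirm that the payee on a withdrawal row is the owner of the account it draws on.

```python
import sqlite3

SCHEMA = """
CREATE TABLE accounts(id INTEGER PRIMARY KEY, owner TEXT NOT NULL,
                      balance INTEGER NOT NULL);
CREATE TABLE withdrawals(id INTEGER PRIMARY KEY, account_id INTEGER NOT NULL,
                         payee TEXT NOT NULL, amount INTEGER NOT NULL,
                         status TEXT NOT NULL DEFAULT 'pending');
"""

def make_db():
    """Constructed sample data: two accounts in an in-memory database."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                   [(1, "alice", 500), (2, "mallory", 10)])
    db.commit()
    return db

def as_int(value, name):
    """Strong typing at the boundary: only a plain base-10 integer passes."""
    try:
        return int(str(value), 10)
    except ValueError:
        raise ValueError(f"{name} must be an integer") from None

def request_withdrawal(db, session_user, account_id, amount):
    """Layer 1 (web code): typed values, bound parameters, ownership check."""
    account_id, amount = as_int(account_id, "account_id"), as_int(amount, "amount")
    row = db.execute("SELECT owner, balance FROM accounts WHERE id = ?",
                     (account_id,)).fetchone()
    if row is None or row[0] != session_user:
        raise PermissionError("account does not belong to this session")
    if not 0 < amount <= row[1]:
        raise ValueError("amount out of range")
    cur = db.execute(
        "INSERT INTO withdrawals(account_id, payee, amount) VALUES (?, ?, ?)",
        (account_id, session_user, amount))
    db.commit()
    return cur.lastrowid

def payout_check(db, withdrawal_id):
    """Layer 2 (payout process): re-derive every fact from the database and
    refuse to pay if the row disagrees with the account it draws on."""
    row = db.execute(
        "SELECT w.payee, w.amount, w.status, a.id, a.owner, a.balance "
        "FROM withdrawals w JOIN accounts a ON a.id = w.account_id "
        "WHERE w.id = ?", (withdrawal_id,)).fetchone()
    if row is None:
        return "unknown"
    payee, amount, status, account_id, owner, balance = row
    if status != "pending":
        return status                      # already decided, never re-run
    ok = payee == owner and isinstance(amount, int) and 0 < amount <= balance
    with db:                               # debit and status change commit together
        if ok:
            db.execute("UPDATE accounts SET balance = balance - ? WHERE id = ?",
                       (amount, account_id))
        db.execute("UPDATE withdrawals SET status = ? WHERE id = ?",
                   ("approved" if ok else "held", withdrawal_id))
    return "approved" if ok else "held"

def balance_of(db, account_id):
    """Current balance, read straight from the accounts table."""
    return db.execute("SELECT balance FROM accounts WHERE id = ?",
                      (account_id,)).fetchone()[0]
```

A row that reaches the withdrawals table by some path other than `request_withdrawal` is marked `held` for manual review rather than paid, because the second layer trusts nothing the first layer decided.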

Adria DelMonaco
Procrastinati
|
Posted - 2008.03.15 18:33:00 -
[46]
Appreciate the information and quick response.
|

Minerva Vulcan
The Nexus Foundation Endless Horizon
|
Posted - 2008.03.15 18:51:00 -
[47]
Don't **** with a Jedi Master, son.
|

Selene D'Celeste
The D'Celeste Trading Company
|
Posted - 2008.03.15 19:20:00 -
[48]
Go team EBANK go! =D
|

Imperius Blackheart
KIA Corp KIA Alliance
|
Posted - 2008.03.15 19:49:00 -
[49]
Heh, this was inevitable really, I often wondered how long it would take for someone to attempt to hack Ebank and how successful they would be. I knew it would have to happen sooner or later, if you consider the amount of security that real banks use on their web frontends I wondered how well Ebank had prepared for such a situation and how well you would deal with it.
Seem you guys did well once again :) congrats really impressive response to the situation.
Makes me feel all warm and fuzzy inside about letting you look after some of my money
Proud member of the Caldari Death Squad
|

LaVista Vista
Conservative Shenanigans Party
|
Posted - 2008.03.15 19:56:00 -
[50]
Originally by: Imperius Blackheart
Heh, this was inevitable really, I often wondered how long it would take for someone to attempt to hack Ebank and how successful they would be. I knew it would have to happen sooner or later, if you consider the amount of security that real banks use on their web frontends I wondered how well Ebank had prepared for such a situation and how well you would deal with it.
Seem you guys did well once again :) congrats really impressive response to the situation.
Makes me feel all warm and fuzzy inside about letting you look after some of my money
This was actually one of the things which was discussed extremely much, at least around the first few versions of ebank that was done before Mr. Horizontal did (who made A LOT of difference!). We wanted to make sure that even if someone DOES manage to break into our system, that everything is read only, beyond your own account. This means the ONLY way to actually really do harm, at least in theory, we could have loopholes, is to change a flag on our database to acquire admin, which is pretty damn unlikely, as admins are set manually, thus no automated way that I know of, one can acquire admin rights. And even admins can't do anything which can cause great harm. So you gotta hack every user's account, and wire isk to your own account.
And if someone does manage to hack in, they can't actually get any isk doing it, due to the simple fact that we will notice if anything weird happens, and no isk leaves any wallets before we make sure everything is right.
I must admit I'm quite amazed how he managed to do it. And it's hard to think it will never happen again. But worst case scenario isn't the end of the world.
We aim to please. 
|

Kushion
Anti Sweden Defense Force
|
Posted - 2008.03.15 20:08:00 -
[51]
Interesting. Will any RL steps be taken over this? I.E, is what he did illegal? --
Taggart Transdimensional corporation - | Capitalism | Objectivism | 0.0 | No taxes | No mandatory ops | Join channel TAGGART for more |

Hexxx
Sebiestor tribe
|
Posted - 2008.03.15 20:16:00 -
[52]
Originally by: Kushion Interesting. Will any RL steps be taken over this? I.E, is what he did illegal?
EBANK tracks IP's on logins. We also have some functionality that automatically shows us country and city of that IP. We know what country he lives in and we know the city, but disclosing the city or the IP would breach CCP's forum rules.
That said, Russia has comparatively weak laws regarding computer crime and honestly...it isn't worth trying anything against him in game or out of game.
Director | www.eve-bank.net
|

Hexxx
Sebiestor tribe
|
Posted - 2008.03.15 20:18:00 -
[53]
Originally by: Imperius Blackheart
Heh, this was inevitable really, I often wondered how long it would take for someone to attempt to hack Ebank and how successful they would be. I knew it would have to happen sooner or later, if you consider the amount of security that real banks use on their web frontends I wondered how well Ebank had prepared for such a situation and how well you would deal with it.
Seem you guys did well once again :) congrats really impressive response to the situation.
Makes me feel all warm and fuzzy inside about letting you look after some of my money 
Also, I haven't forgotten your Bond issue...I'm still working on fixing it. It's something of a mystery right now since it works for me but not for you....and I have no idea why. 
Director | www.eve-bank.net
|

Hexxx
Sebiestor tribe
|
Posted - 2008.03.15 22:00:00 -
[54]
Ok...logins are turned back on.
Withdraws will start being processed in a bit. EBANK apologizes for any inconvenience this interruption in service has caused and further apologizes for those people who are experiencing delays in their withdraws due to recent events.
EBANK would like to thank our account holders for their patience and positive support. 
Please report any problems to us, we've changed some code around and while I've tested it quite a bit, I'll be keeping a close eye on things for the next day or so.
Director | www.eve-bank.net
|

Smarty James
Galactic Production Dynamics Twilight Trade Cartel
|
Posted - 2008.03.15 23:02:00 -
[55]
Nice Work
Thanks for the info.
CCP can take EBANK as an example 
|

Imperius Blackheart
KIA Corp KIA Alliance
|
Posted - 2008.03.16 02:26:00 -
[56]
Originally by: Hexxx
Originally by: Imperius Blackheart
Heh, this was inevitable really, I often wondered how long it would take for someone to attempt to hack Ebank and how successful they would be. I knew it would have to happen sooner or later, if you consider the amount of security that real banks use on their web frontends I wondered how well Ebank had prepared for such a situation and how well you would deal with it.
Seem you guys did well once again :) congrats really impressive response to the situation.
Makes me feel all warm and fuzzy inside about letting you look after some of my money
Also, I haven't forgotten your Bond issue...I'm still working on fixing it. It's something of a mystery right now since it works for me but not for you....and I have no idea why.
Cool, well I know you fellas know about it and it's only a front end issue/bug so I'm not overly concerned, just think that if it's happening for me it may happen for others or others in the future.
I've reset my password back to something more secure but if you want to login as me again let me know and I'll change it to what I PM'ed you.
Proud member of the Caldari Death Squad
|

Melinda Bettin
Hedion University
|
Posted - 2008.03.16 04:25:00 -
[57]
Originally by: Hexxx
EBANK utilizes a Data Abstraction Layer (DAL) that strongly types all SQL values, cutting off a very large amount of possible SQL injection attacks. When I say this guy got lucky, he REALLY did get lucky.
That this is explained away as luck, and people simply accept this response is the real crime here. If one account is compromised, you have to assume they are all compromised! Database manipulation is not rocket science. You need to close down shop and get someone to audit your codebase. The fact that this vulnerability made it to release is very troubling.
Your next wave of attackers will be more discreet and have already learned a great deal about your system. By telling us what you have done, speaks volumes about what you haven't. For shame.
|

Melinda Bettin
Hedion University
|
Posted - 2008.03.16 05:01:00 -
[58]
Originally by: Stellarr
And what will they do?
As long as people check their EBANK account every day, I suppose even discreet player to player transfers won't go unnoticed. Kinda defeats purpose of "passive income" though.
|

EBANK Ricdic
Eve-Tech Savings n Loans Zzz
|
Posted - 2008.03.16 05:26:00 -
[59]
Originally by: Melinda Bettin
Originally by: Stellarr
And what will they do?
As long as people check their EBANK account every day, I suppose even discreet player to player transfers won't go unnoticed. Kinda defeats purpose of "passive income" though.
We definitely don't expect people to check their accounts daily.
EBANK are responsible for issues that occur as a result of hackers and the likes. We know roughly how many withdrawals a day are normal, and how much isk generally flows through player to player transfer.
It's extremely easy for us to see inconsistencies in these values and determine if something like syphoning of isk was occurring. On the off chance that it does somehow happen EBANK hold full responsibility. There will be no customer losses.
I assure you all we would see within minutes if a hacker tried diverting funds to his account. Hell, customers would also be able to track this via our statistics page. You can see our transfers fees are quite low. This means they are easily tracked, and a large spike would be seen in very little time.
|

LaVista Vista
Conservative Shenanigans Party
|
Posted - 2008.03.16 07:36:00 -
[60]
Edited by: LaVista Vista on 16/03/2008 07:43:25
Originally by: Melinda Bettin
Originally by: Hexxx
EBANK utilizes a Data Abstraction Layer (DAL) that strongly types all SQL values, cutting off a very large amount of possible SQL injection attacks. When I say this guy got lucky, he REALLY did get lucky.
That this is explained away as luck, and people simply accept this response is the real crime here. If one account is compromised, you have to assume they are all compromised! Database manipulation is not rocket science. You need to close down shop and get someone to audit your codebase. The fact that this vulnerability made it to release is very troubling.
Your next wave of attackers will be more discreet and have already learned a great deal about your system. By telling us what you have done, speaks volumes about what you haven't. For shame.
I think that Hexxx's comment in the first place, wasn't quite exact. All calls to the database ARE filtered for any kind of SQL injection, beyond the fact they are all strongly typed. As such from what I see, it doesn't seem like a SQL injection in the first place. And actually, from the technical details I was given by Hexxx, it's definitely not the case either.
I won't comment exactly on what happened. But as I wrote in one of my other posts, SHOULD anyone get access in SOME shape, way or form, they will PURELY gain read-only access. This means the worst case scenario is that the person can see the loans which are in the system, and what people have of isk in their accounts.
I can assure you, that we are taking all measures to prevent this to happen. We have several developers on the project who are professionals and work with this in real life.
But of course, Melinda Bettin, if you really think you can do it better beyond pointing being a hypocrite, feel free to contact Ricdic or myself, and I'm sure we can sort something out
|