Knobcloud.com - a free vst-marketplace
-
- KVRist
- Topic Starter
- 174 posts since 1 Aug, 2007
We are about to make "Connect with PayPal" mandatory. We are doing this as a safety measure. This might shrink our userbase, but it will make the place safer and ensure that those who have scammed others will remain outside once excluded. We also have had our first encounter with a scammer. We sent emails out to all who were affected. The scammer's username was alekseevstudio. I hope he is not doing business here, and btw, here he is selling his stuff on audiosex.pro:
https://audiosex.pro/threads/selling-be ... 21/page-10
He was basically using an in-house-creditcard from Sweetwater and he was singled out by their Fraudulent Purchases team. He is now of course banned from our site.
This experience shows us that we need to focus on safety, and we will take further steps to tackle this issue properly. We will be calling the scammers out on kvr and other places to contribute to the safety of the community.
Knobcloud.com - marketplace for audio software
-
- KVRAF
- 35437 posts since 11 Apr, 2010 from Germany
What exactly do you mean by "Connect with Paypal"? I hope it's not like on other sites, where you connect your Paypal with your user account, which makes it easy to do payments when the site's account was taken over or "hacked"...
-
- KVRist
- Topic Starter
- 174 posts since 1 Aug, 2007
We are linking the existing KC account to a personal PayPal account. This does not mean that we have access to the PayPal password, neither is it stored on our server. If our server was hacked, the hacker would have the personal PayPal ID, but this is the information that you give away with any PayPal transaction that you do anyway. I don't see how that could be used to make payments without the password. Also it is very unlikely that our place will be hacked. First of all, it is not generic (like WordPress-based). Second, we have implemented several safety measures to make sure this does not happen.
Knobcloud.com - marketplace for audio software
-
- KVRian
- 619 posts since 4 Feb, 2017
I still don't want any random person to see this PayPal ID or some other PayPal information. It's all personal info. I have a special password for PayPal. Many people use the same password for everything. Stupid but it happens. People can also fall victim to phishing attempts. So don't be lighthearted about it.
Grottengeier wrote: ↑Wed Aug 12, 2020 12:10 pm
If our server was hacked, the hacker would have the personal PayPal Id, but this is the information that you give away with any PayPal-transaction that you do anyway.
I don't see how that could be used to make payments without the password. Also it is very unlikely that our place will be hacked. First of all, it is not generic (like wordpress-based). Second we have implemented several safety measures to make sure this does not happen.
Your safety measures of course mean nothing. Especially not on self built systems. You don't stop hackers.
By connecting to a PayPal ID you wouldn't prevent a situation like with alekseevstudio. Someone can still use an in-house PayPal account for example.
Finally, you're too late to inform your users. Only 2 days in advance. And that in the middle of the holiday season. Bad timing at the least.
-
- KVRist
- Topic Starter
- 174 posts since 1 Aug, 2007
Other people won't see your PayPal ID. What do you mean an in-house PayPal account? About the timing, it's not too late to make PayPal claims, those can be made 180 days after the purchase. I don't know what you mean by "2 days in advance".
Rivanni wrote: ↑Wed Aug 12, 2020 1:07 pm
I still don't want any random person to see this PayPal ID or some other PayPal information. It's all personal info. I have a special password for PayPal. Many people use the same password for everything. Stupid but it happens. People can also fall victim to phishing attempts. So don't be lighthearted about it.
Grottengeier wrote: ↑Wed Aug 12, 2020 12:10 pm
If our server was hacked, the hacker would have the personal PayPal Id, but this is the information that you give away with any PayPal-transaction that you do anyway.
I don't see how that could be used to make payments without the password. Also it is very unlikely that our place will be hacked. First of all, it is not generic (like wordpress-based). Second we have implemented several safety measures to make sure this does not happen.
Your safety measures of course mean nothing. Especially not on self built systems. You don't stop hackers.
By connecting to a PayPal ID you wouldn't prevent a situation like with alekseevstudio. Someone can still use an in-house PayPal account for example.
Finally, you're too late to inform your users. Only 2 days in advance. And that in the middle of the holiday season. Bad timing at the least.
You make a good point about the sensitivity of the data, but simply saying that everything can be hacked is not really enlightening. We are trying to make it harder for scammers, and I believe this will help our user community.
Knobcloud.com - marketplace for audio software
-
- KVRer
- 7 posts since 9 Jun, 2020
For all hackers, nerds and tech-heads:
We are storing passwords and PayPal emails in our database using a strong one-way hashing algorithm. Even if someone could eventually steal our user database, a brute force attack would take several computer-years for decrypting a single password. The only data that we are storing in our database coming from PayPal is the user email; no refresh tokens, no passwords and no personal data is sent to us. The PayPal email is information you have to share anyway if you buy or sell something.
Anything can be hacked; it happens all the time, even to very big fish like Adobe, Canon, Microsoft, etc. But is it worth spending years of computer power just to steal an email address when you can simply get it by pressing a "buy now" button?
So, this change doesn't compromise the security of our site in any way.
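An added example, not Knobcloud's code: one way a marketplace could keep account passwords and linked PayPal emails as one-way values and still recognise a banned PayPal account when it tries to register again. The post does not say which algorithm the site uses; the function names, the `PEPPER` key, the scrypt parameters and the sample addresses are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Assumption: a server-side secret kept outside the database (env var, KMS).
# Constructed demo value; a real deployment generates its own random key.
PEPPER = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

# Memory-hard parameters (about 16 MiB per guess), chosen for this example.
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)


def hash_password(password: str) -> bytes:
    """Salted, memory-hard hash; returns salt || digest for storage."""
    salt = os.urandom(16)
    return salt + hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return hmac.compare_digest(candidate, digest)  # constant-time compare


def email_token(email: str) -> str:
    """Deterministic keyed digest of a normalised email address.

    Email addresses are guessable, so an unkeyed hash can be reversed by
    hashing candidate addresses. Keying with PEPPER makes a stolen table
    useless without the key, while equal emails still give equal tokens.
    """
    normalised = email.strip().lower()  # assumption: case-insensitive match
    return hmac.new(PEPPER, normalised.encode(), hashlib.sha256).hexdigest()


class BanList:
    """Stores only tokens, never the plaintext PayPal email."""

    def __init__(self):
        self._tokens = set()

    def ban(self, paypal_email: str) -> None:
        self._tokens.add(email_token(paypal_email))

    def is_banned(self, paypal_email: str) -> bool:
        return email_token(paypal_email) in self._tokens
```
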
-
- addled muppet weed
- 105875 posts since 26 Jan, 2003 from through the looking glass
sadly, hacking and fraud are a fact of life.
this is not the fault of site owners who do their best for security.
if you are using the internet at all for financial transactions, you are at risk, whether it is a small site like knobcloud or huge like amazon.
it is your responsibility as a user to also do everything you can to lessen this risk.
different passwords. regularly changing them.
write them down on a piece of paper. house burglars and internet fraudsters, rarely the same entity.
use your credit card, just pay it straight off, no point adding interest, but cc payments (at least here) are covered by insurance for fraud, so you don't lose out.
-
- KVRAF
- 2063 posts since 14 Sep, 2004 from $HOME
Nope. Only change passwords when you know they’ve been compromised, e.g. by checking with https://haveibeenpwned.com/
Regularly changing passwords doesn’t make sense. Different passwords, yes. Long passwords, definitely, as long as the service allows (think passphrases).
Passwords should be a thing of the past anyway, sadly very few sites implement FIDO2...
-
- addled muppet weed
- 105875 posts since 26 Jan, 2003 from through the looking glass
if you're worried about passwords being compromised then it would make sense
just an extra layer, a suggestion
-
- KVRist
- Topic Starter
- 174 posts since 1 Aug, 2007
We added the review function, you can now leave written reviews about the users that you have a transaction with. And you can edit them if something happens that changes your mind.
Knobcloud.com - marketplace for audio software
-
- addled muppet weed
- 105875 posts since 26 Jan, 2003 from through the looking glass