I would simply call or email him...

Yeah, just email Todd directly and make an offer; he's super responsive

You and your friend sound like a blast. The next time you’re in the Asbury Park area let me know.

I bought things at his last sales and just picked them up last Monday. It was a great time! Todd is truly legendary! He’s added some hurtles to register because he had a surprising amount of people make offers and jack up the prices and then when they won they said they didn’t have any money and didn’t actually plan on buying anything.

Since your post received some downvotes, I'd like to point out that your friend is correct in that there is no SSL certificate on that site. So, any information you enter will be sent in the clear and readable by anyone. Name, address, username, password--none of that is being encrypted in transit from your browser and over the internet to whatever server the site is hosted on. So basically, if you were standing in a crowded room, you would be shouting your username and password for anyone to hear.

SSL certificates are fairly inexpensive. You can get one for as little as $20-$30 for 1 year.

Personally, I would not submit any personal information to a site without a secure connection.

Would it be a target for hackers? Eh, *probably* not. At least, not initially. Hackers tend to go for slightly bigger targets, not custom niche websites. But it doesn't take too long before a site gets crawled by bots and search engines, and ends up on a target list somewhere meeting some initial criteria (ie, unsecured website with a submission form that matches some keywords like "name" and "address" and "password").

So, an SSL certificate protects data while its being transmitted--but what about the database on the server? Normally, passwords are "salted and hashed" and then saved as an unreadable jumble of characters using a specific algorithm. This is a repeatable process that happens in only one direction. When a password is "salted and hashed", it means that a specific string of text is added onto the password, and then the whole thing is converted into a jumbled string of characters so that it is not a plain text password readable by humans. So in theory, that jumbled string of characters would be useless for anyone who might manage to hack into the server and/or read the database. It's very difficult to reverse a hash to spit out the original password.

So whenever you send your password to the server, it then adds that known "salt" to the password, then "hashes" it, and compares the two hashes. If they match, the server logs you in.

Then, on top of that, some databases or database fields are also encrypted as an additional security measure to protect the data.

Some website database breaches that have occurred in the past either stored passwords in the clear without being salted, hashed or encrypted; or, have used a very weak and easily crackable hash algorithm (such as MD5).

Once your username and password are out in the open (or are crackable having been hashed insecurely), hackers try using those on a variety of common/major websites to see if you used the same username and password anywhere else. Unfortunately, a lot of people do, so inevitably, login information extracted from a less secure website can be used to gain access to accounts in other more secure websites that have good security measures in place (such as a banking website, DMV, insurance websites). After that, they can steal your account and take over your identity, drain your funds, apply for credit cards or loans, issue driver's licenses, etc.

In summary--yes, the site is insecure to some degree. Since the back end is not freely accessible, it's not clear how secure or insecure it is.

Would I submit personal information to this site like this in its current state? No.

If I absolutely had to use an insecure website, this would be what I would do:
1) Get a PO box, and submit that as the address information.
2) Use a completely new and unique email address that you have not used *anywhere* else.
3) Use a completely new and unique username that you have not used *anywhere* else.
4) And finally, a completely new and unique password that you have not used *anywhere* else.
5) Then, never ever use that email, username, or password on any other websites anywhere.

So, if the website is compromised, and someone else gains access to that information, the information would be largely inactionable since you did not use it anywhere else. And also, since you are using a PO box rather than your home address, your home address wouldn't be published for the world to see.

If you think that if your home address getting out in the open doesn't matter much, keep in mind that hackers are also sometimes pranksters. They could send glitter bombs, dog poop, order a pizza for delivery, or even go as far as to swat the address. If you don't know what swatting is, that means someone calls in a fake emergency to the police. People have died as a result of this with police arriving at the address thinking it's a life-or-death situation based on the information given in the fake 911 call.

So yeah--an insecure website containing personal information can be quite a serious matter these days.

[edit]: If you would like to check if your email address has been listed within a known data breach, this is a legitimate website to check with: https://haveibeenpwned.com/

[edit 2]: The site now has an SSL certificate in place.

I've been watching all of these best offer sales (the long versions). Is Mr.Tuckey going out of Business?
Been worried about him, he looks tired.

Although I don't really think it helps the situation, the server is hosting a secure version of the site at https://perfectionsgroup.com (presumably the site developer?) with a certificate from Let's Encrypt (nobody should be paying for https these days without a good reason).
It's apparent that the certificate was either not issued correctly and/or the webserver is not serving the correct one.

I was under the assumption he was doing what he could to earn some income while his store was closed due to covid.

I think this is the guy Todd paired up with to facilitate this sale in the first place. Someone can try contacting him and asking. TNT’s personal website seems a bit old and antiquated so maybe with some concerned folks asking, Todd will get it modernized.

North Korean hackers after Todd Tuckey confirmed. Got it...

pure_penalty - You are correct the site https://perfectionsgroup.com is the site that has the SSL cert, if people are concerned you can make offers and update information on that URL as you can on sale.tntamusements.com. Thanks for putting this out there. The reason that sale.tntamusements.com does not have a cert at the moment is because Todd did not a wildcard cert for the domain and we will be getting one soon.

pintim80 - I am the developer of the site for Todd. As you can guess this was a prototype that we are trying out. After the first sale was very hard for him and his family to manage I built something that "functioned" to show him we could have better automation. Todd said lets use it and the 2nd sale happened. As I have MANY hobbies and a full time job I am doing this to help a friend in our community. The 8th grade layout, is thanks to his outdated www.tntamusements.com site and I did it to match his "brand". I am a coder not a designer, if someone here wants to help my ears are open! I have been making changes every few days trying to make things better.

As for you not getting the confirmation email from us, you did not enter a valid email address. I can help you update that, PM me here.

ForceFlow - You bring up a ton of great points, I think I addressed a few of them already. One I want to say is that I am NOT MD5ing the passwords they are salt/hashed. I work in the industry full time and, as I said, I am doing this for fun, I am using my tech abilities to protect us all. I really do not want to be in the "profile storage" business but not everyone has a google/facebook/other account that I can easily universally map to. As a result, we are where we are.

If someone is concerned about the storage of their personal information in the database, I am sure that Todd can store it offline in his GIANT ROLODEX and
I can delete it from the database once confirmed. The point of this is NOT to store the information it is to prevent people that are attempting to troll the sale by inflating offers.

They are free. Let's Encrypt provides them and that's what Todd's dev uses at the secure site: https://perfectionsgroup.com/

PrincessJillian FYI, it's worth noting that Let's Encrypt supports wildcard as well with a dns verification method. It's also an option to have a single certificate specify multiple host names - so perfectionsgroup.com and sale.tntamusements.com could be on the same one.

That being said, you can also have individual certificates for each name, and does not matter if the top level domain does not have a matching one or wildcard.

pure_penalty - Thanks for the info, I am hoping that I have time to get this all done before the next sale. Again, this was a project that I did as a prototype to make life better. I am spending the time that I can to make it all happen but as you all know, things are strange in the world at the moment.

Welcome aboard "PinTim80"! I see you joined just 16 hours ago and we now have been blessed with your first post! You certainly went to alot of trouble to register--why not have "Your Friend" post your findings? At least he would have the backing of some kind of background on this forum! I also noticed your "name" is awfully close to one of our Twins--Tim--email name which is grimtim1980@ .... hmmmmm ......ummmmm.....and the town you live in is Abingdon, the town right NEXT to Tim's town in Maryland! Ahhhhh.... Ohhhhhh.... Could this be a NEW Troll or and OLD Troll? Hmmmmm....
Anyway, we will look forward to MORE of your helpful posts!
We also noticed someone in Maryland with same "name" tried to register on our site about the same time you "Joined" the forum and we denied it--very suspicious information. And please get back to your "friend" (you have one??) and tell him how great you are! Todd Tuckey

I'm not going to do a deep assessment or anything, but I assume his friend is figuring you all are sending credentials in plaintext since you aren't using SSL on the login page (or anywhere else on the site that I can see). Since you aren't using SSL I'd hope you're performing client-side encryption before transmitting any creds. Ideally you'd also be encrypting at rest too.

Most browsers will do a very basic check for sites not using HTTPS and warn about signing up for those sites. Even if you are doing client-side encryption I'd recommend updating the site as it would alleviate some of the concerns around that.

Edit: Looks like people already addressed this earlier in the thread anyway. My bad.

Troll or not, he's right... you should secure your customer information form.

Yeah, they probably even wear Covid masks out in public too. Bastards.

metallik - Please read all of my replies above to peoples concerns. We are protecting customers information! It is encrypted in the database so that we do not have access to it and prevents hackers from ever being able to access it.

Not having an SSL certificate on a website does not mean it is not secure, what it means is if someone was listening to the connection between you and our server when you send us data they may be able to impersonate your login and get the information you sent before it is encrypted. The SSL encrypts the connection preventing that rare case. As I mentioned, this was an oversight for one domain name not the entire site. If you use the https://perfectionsgroup.com rather than http://sale.tntamusements.com there is no issue.

I kind of forgot about the free ones. The last time I looked into them, they weren't easy to set up (the paid certs were much simpler), documentation was poor/complicated, and encryption wasn't as strong as the paid certs. I can see most of that has been improved upon now.

That is pretty much a prime example of something that is insecure...

you don’t need to use private info, all you need is a name and an email. All payments are made after the sale is over

Jillian, congrats for your attitude.
And Todd, you are a legend in our hobby!! Just keep going with TNT (business and videos) for the next 50 years, please!!

Thank you!

Hi Tim! Let's show the readers the "information" you tried to register today! Hmmmm...no email address...what a great address....and just look at that phone number! Perhaps, is this why we did not validate you? Is there a reason you filled this out this way? Todd

[screenshot with personal info removed by moderator]

I have personally have two addresses that I use, and will share with you:

1600 Pennsylvania Ave. and 123 Fake St.

Because it's an insecure website and he would prefer to provide as little information as possible to a potential attacker?

Your developer has this handled. Don't shoot the messenger.

OK, I have some things to say here. Please understand what I am saying and why I am saying it.

I am 43 years old, I was an Executive Director for WBGames and ran the PCI (credit card storage environment for monthly billing) for all of WBs monthly billing. I was directly responsible for the team created and operated the environment that securely store profiles, credit card information, etc for their systems, this included all of Mortal Kombat, Injustice, Batman Arkham, Game of Thrones: Conquest, as well as nearly 20 other titles. My name is in the credits! I am not some 20 year old developer that is hacking on a keyboard.

I say all of this as I want to be clear that I am talking from experience. I have gone to training at Mastercard as well as other, I know SSL, encryption as well as many other technologies. The data in the database is encrypted at rest! If someone hacks the site to get to the database it is all safe.

"I" made a mistake when launching the site for Todd. "I" saw the opportunity to help someone who is a friend, I put something together and showed it to him. He liked what he saw and found it useful, asked me if he could use it for sale #2! This was less than a week before sale #2. I made a few changes for him and put it online for him. If anyone knows how Agile Software Development works it is exactly what I was doing, making a proof of concept, getting feedback, and making it better one change at a time.

ONE of those changes, after we launched on httpS://perfectionsgroup.com was to make the name easier for the users to get to. Todd asked is there a way we can use the TNTAmusements.com site in conjunction with this. I told him to have his web guy add a DNS entry to point sale.tntamusements.com to my server. This game him an easier name to use, one that he did not have to spell, when he talked about the site on youtube.

"I" am the one that did not think to get a cert for that site, it was not the top of my mind as it was setup in 'https'. "I" am the one that made that mistake! Due to my time constraints and doing this "on the side" that this happened. I have admitted that and am doing so more clearly now. "I" Jillian take responsibility for that.

I feel HORRIBLE that my mistake is causing the TNT brand to be attacked. I am sorry that my mistake made some of you lose trust in TNT. As you can see above it was not intended to treat anyone's information without care, I would not do that. In fact I did take precautions but missed one that I wish I would not have.

Again, I am sorry. I did the best I could under the time constraints. I will be getting an SSL cert for the "sale" site once I am done with my full time job today and perhaps will be installed before many people even read this message.

Please know that your data is encrypted at rest and in the backups, know that there is no indication that the site has been hacked and that if you are a concern about your data to use the https://perfectionsgroup.com address rather than sale.tntamusements.com address until I am able to resolve that issue.

Jillian, Todd, it's just business. Remember you can't please all the people all the time.
People are like ass holes, no one pays much attention until one says something shitty!

I don’t believe that site takes payment info. Just follow Rule #1, use different passwords for different sites.

Jillian, you're honesty is so refreshing.

Thank you for all that you do for Todd, he needs someone like you in his corner looking out for him on his online best offer sales.
The last sale was such an improvement and so much fun.
Thank you for your hard work. The sales are a fantastic diversion.
We can't wait for the next one!

Paul and Chrissi

PS.. Todd is a creep for not giving you the pinball/slot machine topper.

And think about this... WHY would PinTim80 even TRY to register if he thought it WAS insecure? WHY BOTHER? And you STILL have not told us who you are...you are still an invisible "collector" that NO ONE knows. We were only getting name, address, phone and email info and no Social Security number, or ANY payment information. Jillian is in process of fixing this. Todd

Sure, given enough effort, you can dig up info on pretty much anyone. The point is to make that as difficult as possible for malicious actors. Chances are, they'll go after easier low-hanging fruit.

For me personally, I've taken steps to scrub as much as my personal info from public databases as possible to make it a bit harder for someone to steal my personal info.

If any of you have ever searched for your own name online, you may have noticed various websites holding bits of data about you that is publicly accessible. What you might not know is that with a little bit of effort, most of that can be removed from open public view. Just google the name of the site that it appears on and something along the lines of "how to remove" or "removal instructions" or "removal request", and you can usually find info on how to request a take-down of your personal info.

I admit that I'm a bit fuzzy on the details of that specific case since it's been so long, but the point still stands--swatting can make a situation unnecessarily dangerous for everyone involved. And being on the receiving end of a hacker's pranking/trolling activities is also not a fun position to be in.

https://en.wikipedia.org/wiki/Swatting#Injuries_or_deaths_due_to_swatting

I'm Not impressed with my namesake's responses, I have to say. I think your defensiveness is contrasted by Jillian's very professional and apologetic response.
I would think someone with your years of experience could take a punch better......you should practice a conciliatory tone....even if you aren't to blame it goes a long way in the service industry.

With that said, I'm sure you are much better in real life. Sometimes these forums have a way of infecting us with a cynicism we wouldn't have otherwise.

Todd

Possibly, but more likely, just a jackass who has no intention of buying from TNT and trying to give him a hard time.

They are free. Just do it for every domain.

Feel Free to register on our secured website! sale.tntamusements.com Our next Best Offer Sale is Saturday May 30th, 2020 at 4pm Eastern Time. We already have 35 items listed that we will be featuring and will have sixty total, listed by this weekend!
Registration is fast and easy. You must register a complete address, phone number and email address, which we will then verify. We do not ask for any payment information until after sale ends. (Regular auction sites will not accept bids unless you register a credit card!) Anyone that bids in this new auction will also get a chance to win a couple door prizes--you do not have to win anything!
You can watch the sale right from this site on the YouTube window so you can see the current offers, etc. However, you are welcome to just watch and chat on the YouTube channel too! We have lots of fun and there are plenty of jokes too! It is family friendly too.
Thanks to all our fans for their continued support!

BestOffer4 (resized).jpg

Hey Todd, here’s a bump. But I have a request. You have so many great videos and animations and photos, how’s about putting an Avatar photo or TNT logo for your Pinside name?

A lot of the armchair lawyers and experts confuse the wisdom of experience for the arrogance of the ignorant.

It’s been an eye opener to work with people in the industry and see how different things are in the real world.
It’s a bit unbelievable that people would rag all over a professional that most certainly has been held to much higher standards and dealt with more money than all but maybe 3 people in this thread have ever handled in their lifetimes.

And personally, to the cyber security folks who I know are in this thread, please be realistic. We all know the dangers but be serious for a moment. If someone is really sniffing your internet traffic, either you’re doing really sketchy things to get the feds on your ass, or you’ve got a really insecure connection and I recommend getting a VPN or DSL anyway.

Well, good news--the SSL certificate is now in place on the auction registration site.

I'm not impressed that you bring such shame to the name. I would think someone with your years of experience being a couch critic could understand the basic logic behind a highly suspicious internet post. You should practice a mute tone, especially when your inside voice is scratching at the door. With that said, I'm sure you're much better in real life.

Hey, I'm sure Todd is just searching the warehouse for that little violin he received in a trade about the same time he bought that fireworks art piece. He'll be back soon to play it for you while the fireworks raise to the heavens in the background.

But what of the children..? Those poor, poor children!

Lol. First post sob story.

Wow I no there is nothing to talk about here but jeez, if your that concerned just don’t use it or use a burner email. You think your data is any safer with the big boys? Loads of massive companies get hacked every day and huge emailing lists and UNENCRYPTED passwords uploaded to torrents all the time (look at linked in for example) your data is probably far safer here then most other places lol. Tbh I’d be more worried about stepping outside right now then your email/password on a little site