(Topic ID: 269133)

TNT Amusements Best Offer Sale:Safe to Register?

By pintim80

3 years ago


    You're currently viewing posts by Pinsider forceflow.
    #6 3 years ago
    Quoted from pintim80:

    He said first of all the site is not secure and because of that he would never enter all the private information needed to register. His concern is the site could easily be hacked and more importantly would want to know what TNT was doing to secure every one's personal information?

    Since your post received some downvotes, I'd like to point out that your friend is correct in that there is no SSL certificate on that site. So, any information you enter will be sent in the clear and readable by anyone. Name, address, username, password--none of that is being encrypted in transit from your browser and over the internet to whatever server the site is hosted on. So basically, if you were standing in a crowded room, you would be shouting your username and password for anyone to hear.

    SSL certificates are fairly inexpensive. You can get one for as little as $20-$30 for 1 year.

    Personally, I would not submit any personal information to a site without a secure connection.

    Would it be a target for hackers? Eh, *probably* not. At least, not initially. Hackers tend to go for slightly bigger targets, not custom niche websites. But it doesn't take too long before a site gets crawled by bots and search engines, and ends up on a target list somewhere meeting some initial criteria (i.e., unsecured website with a submission form that matches some keywords like "name" and "address" and "password").

    So, an SSL certificate protects data while it's being transmitted--but what about the database on the server? Normally, passwords are "salted and hashed" and then saved as an unreadable jumble of characters using a specific algorithm. This is a repeatable process that happens in only one direction. When a password is "salted and hashed", it means that a specific string of text is added onto the password, and then the whole thing is converted into a jumbled string of characters so that it is not a plain text password readable by humans. So in theory, that jumbled string of characters would be useless for anyone who might manage to hack into the server and/or read the database. It's very difficult to reverse a hash to spit out the original password.

    So whenever you send your password to the server, it then adds that known "salt" to the password, then "hashes" it, and compares the two hashes. If they match, the server logs you in.

    Then, on top of that, some databases or database fields are also encrypted as an additional security measure to protect the data.

    Some website database breaches that have occurred in the past either stored passwords in the clear without being salted, hashed or encrypted; or, have used a very weak and easily crackable hash algorithm (such as MD5).

    Once your username and password are out in the open (or are crackable having been hashed insecurely), hackers try using those on a variety of common/major websites to see if you used the same username and password anywhere else. Unfortunately, a lot of people do, so inevitably, login information extracted from a less secure website can be used to gain access to accounts in other more secure websites that have good security measures in place (such as a banking website, DMV, insurance websites). After that, they can steal your account and take over your identity, drain your funds, apply for credit cards or loans, issue driver's licenses, etc.

    In summary--yes, the site is insecure to some degree. Since the back end is not freely accessible, it's not clear how secure or insecure it is.

    Would I submit personal information to this site like this in its current state? No.

    If I absolutely had to use an insecure website, this would be what I would do:
    1) Get a PO box, and submit that as the address information.
    2) Use a completely new and unique email address that you have not used *anywhere* else.
    3) Use a completely new and unique username that you have not used *anywhere* else.
    4) And finally, a completely new and unique password that you have not used *anywhere* else.
    5) Then, never ever use that email, username, or password on any other websites anywhere.

    So, if the website is compromised, and someone else gains access to that information, the information would be largely inactionable since you did not use it anywhere else. And also, since you are using a PO box rather than your home address, your home address wouldn't be published for the world to see.

    If you think that if your home address getting out in the open doesn't matter much, keep in mind that hackers are also sometimes pranksters. They could send glitter bombs, dog poop, order a pizza for delivery, or even go as far as to swat the address. If you don't know what swatting is, that means someone calls in a fake emergency to the police. People have died as a result of this with police arriving at the address thinking it's a life-or-death situation based on the information given in the fake 911 call.

    So yeah--an insecure website containing personal information can be quite a serious matter these days.

    [edit]: If you would like to check if your email address has been listed within a known data breach, this is a legitimate website to check with: https://haveibeenpwned.com/

    [edit 2]: The site now has an SSL certificate in place.
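    An added illustration (not code from the thread or from TNT's site) of the "salt and hash" storage and login check described in the post above, next to the unsalted MD5 scheme it warns about. The usernames, password and PBKDF2 parameters are constructed for the example.

```python
# Added example: per-user salted, slow password hashing vs. unsalted MD5.
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; slows offline cracking


def make_record(password: str, salt: bytes = b"") -> dict:
    """Registration: random per-user salt + one-way hash. Only this is stored,
    never the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify(record: dict, attempt: str) -> bool:
    """Login: re-hash the attempt with the stored salt and compare the two
    hashes in constant time (no early exit that leaks how many bytes matched)."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt,
                                 record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def unsalted_md5(password: str) -> str:
    """The weak scheme from the post: fast hash, no salt, so identical
    passwords produce identical stored values and precomputed tables work."""
    return hashlib.md5(password.encode()).hexdigest()


def demo() -> dict:
    """Two constructed users who happen to pick the same password."""
    pw = "Pinball4Ever"  # constructed sample password
    alice, bob = make_record(pw), make_record(pw)
    return {
        # different salts -> different stored hashes, even for equal passwords
        "salted_hashes_differ": alice["hash"] != bob["hash"],
        # unsalted MD5: the two users' stored values are indistinguishable
        "md5_hashes_identical": unsalted_md5(pw) == unsalted_md5(pw),
        "correct_login": verify(alice, pw),
        "wrong_login": verify(alice, "pinball4ever"),
    }


if __name__ == "__main__":
    print(demo())
```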

    #9 3 years ago
    Quoted from phil-lee:

    I've been watching all of these best offer sales (the long versions). Is Mr. Tuckey going out of business?
    Been worried about him, he looks tired.

    I was under the assumption he was doing what he could to earn some income while his store was closed due to covid.

    #23 3 years ago
    Quoted from YeOldPinPlayer:

    They are free. Let's Encrypt provides them and that's what Todd's dev uses at the secure site: https://perfectionsgroup.com/

    I kind of forgot about the free ones. The last time I looked into them, they weren't easy to set up (the paid certs were much simpler), documentation was poor/complicated, and encryption wasn't as strong as the paid certs. I can see most of that has been improved upon now.

    #24 3 years ago
    Quoted from PrincessJillian:

    Not having an SSL certificate on a website does not mean it is not secure, what it means is if someone was listening to the connection between you and our server when you send us data they may be able to impersonate your login and get the information you sent before it is encrypted

    That is pretty much a prime example of something that is insecure...

    #39 3 years ago
    Quoted from Manimal:

    I realize the risks, given my many years in Law Enforcement, but I would add that about anyone with any kind of keyboard competency can obtain address info pretty easily, along with a ton of other stuff that you would never think of. There are all kinds of public databases out there....you just need to look in the right place. Ever hand someone a written check? I know they are less and less common these days.....but you realize you just handed them your bank account and routing number, along with your name and often times your address and phone number. Doesn't make it right...and I am not saying you should not protect the info....what I am saying is not to have a false sense of security because you only frequent so-called "secure" sites.

    Sure, given enough effort, you can dig up info on pretty much anyone. The point is to make that as difficult as possible for malicious actors. Chances are, they'll go after easier low-hanging fruit.

    For me personally, I've taken steps to scrub as much as my personal info from public databases as possible to make it a bit harder for someone to steal my personal info.

    If any of you have ever searched for your own name online, you may have noticed various websites holding bits of data about you that is publicly accessible. What you might not know is that with a little bit of effort, most of that can be removed from open public view. Just google the name of the site that it appears on and something along the lines of "how to remove" or "removal instructions" or "removal request", and you can usually find info on how to request a take-down of your personal info.

    Quoted from Manimal:

    And the guy that "died" because someone swatted his address.....that address wasn't even correct. It was a fake address one person gave to the other as his own when they were arguing....the problem was, he pulled it out of thin air. That could happen to anyone at any time. In the KS case, the guy that got shot was completely innocent, and having his address published somewhere had absolutely nothing to do with the case...he just had the misfortune of living at the address the guy made up.

    I admit that I'm a bit fuzzy on the details of that specific case since it's been so long, but the point still stands--swatting can make a situation unnecessarily dangerous for everyone involved. And being on the receiving end of a hacker's pranking/trolling activities is also not a fun position to be in.

    https://en.wikipedia.org/wiki/Swatting#Injuries_or_deaths_due_to_swatting

    #47 3 years ago

    Well, good news--the SSL certificate is now in place on the auction registration site.

    #64 3 years ago
    Quoted from Manimal:

    For over two years I signed pretty much everything that wasn't a court document with the name John Wayne....it started as a gag and then became a challenge....no one ever noticed. Time sheets, evaluations, checks....everything. I even made the name purposely legible....but still no one noticed. After a couple of years, I finally gave up, but it basically proved how worthless a signature is.

    Well, technically, a signature is just a mark that identifies it as yours--whether it's your name, a different name, an "X", or a drawing of a whale.

    This page was printed from https://pinside.com/pinball/forum/topic/tnt-amusements-best-offer-salesafe-to-register?tu=forceflow and we tried optimising it for printing. Some page elements may have been deliberately hidden.