Affiliate Account Security

AE-Martyn

Affiliate Program Representative
Hi all, as you know, the security of your affiliate account is paramount as it contains information such as your contact information and details about your earnings, both current and historic.

This month, one of our affiliates had his account accessed without permission. No passwords were reset and the fraudster simply used the affiliate's username and login information. This also happened with the same affiliate at two other affiliate groups. The fraudster changed the payment method to Skrill, gave the correct affiliate's name and provided a different email address for payments. The payment was sent but recalled swiftly.

I just wanted to raise this and let you know about the security options that we have in place on AffiliateEdge, which are designed to help prevent this kind of fraudulent action.

IP Restrictions
AffiliateEdge offers you the option to restrict access to your affiliate account by IP. This obviously requires a static IP and you can enter up to 4 different IPs.

All Detail Changes Require Approval
Until any changed detail is approved by us then no details can be overwritten. However, we have made this process even more in-depth now, following this account access. Should you change your contact or payment information, you will be contacted by myself or Stephen to confirm if you did in fact make the changes. It would also be ideal if you can let us know that you did just make the changes.

Passwords
Update your password regularly, use a combination of upper case and lower case letters and numbers to help secure your account. Never use the same password at more than one affiliate program.

Let's not help these fraudsters take your hard-earned commissions; help combat them by taking a few extra security steps to keep them out.

Should you have any questions on implementing any of the added security to your account, please do not hesitate to get in touch.
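
The two controls described in the post above, IP restriction and held detail changes, sketched as an added example. It is not AffiliateEdge's code; the class, method names, sample addresses and payment details are assumptions.

```python
import ipaddress

MAX_ALLOWED_IPS = 4  # the post says up to 4 IPs can be entered


class AffiliateAccount:
    """Hypothetical account model; all names here are assumptions."""

    def __init__(self, payment_details):
        self.payment_details = dict(payment_details)  # live, approved values
        self.allowed_ips = []       # empty list means no IP restriction is set
        self.pending_change = None  # requested but not yet approved

    def add_allowed_ip(self, ip):
        if len(self.allowed_ips) >= MAX_ALLOWED_IPS:
            raise ValueError("allowlist already holds 4 addresses")
        self.allowed_ips.append(ipaddress.ip_address(ip))  # rejects malformed input

    def login_permitted(self, source_ip):
        # Runs after the password check, so a stolen password alone is not enough.
        if not self.allowed_ips:
            return True
        return ipaddress.ip_address(source_ip) in self.allowed_ips

    def request_payment_change(self, new_details, source_ip):
        # Nothing is overwritten yet; the request is parked for a manager.
        self.pending_change = {"details": dict(new_details), "ip": source_ip}

    def review_pending_change(self, confirmed_by_affiliate):
        # Called once the manager has contacted the affiliate directly.
        change, self.pending_change = self.pending_change, None
        if change is not None and confirmed_by_affiliate:
            self.payment_details = change["details"]
            return True
        return False


def demo():
    # Constructed scenario: documentation-range addresses, made-up details.
    acct = AffiliateAccount({"method": "bank transfer", "email": "owner@example.test"})
    acct.add_allowed_ip("203.0.113.10")
    login_ok = acct.login_permitted("198.51.100.77")  # not on the allowlist
    acct.request_payment_change(
        {"method": "Skrill", "email": "other@example.test"}, "198.51.100.77")
    held = acct.payment_details["method"]             # still the approved value
    applied = acct.review_pending_change(confirmed_by_affiliate=False)
    return login_ok, held, applied, acct.payment_details["method"]
```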
 

Vladi

Affiliate Guard Dog Member
What about 2 factor authentication for the login? Google Authenticator is open source or you can use a service like this: gauthify.com
 

LandofOz

Affiliate Guard Dog Member
Well done Affiliate Edge!! I'm glad to read about these security features.
 

AussieDave

24 years & still going!
Agreed, kudos AE :)

Some aff programs don't allow special characters, which is disappointing. Either way, I use https://strongpasswordgenerator.com
While I do store passwords in Firefox, I've been looking at a stronger security level and found this: https://lastpass.com

I have a static IP, hence any program where I can specifically add my IP, to prevent unauthorized access, I make use of it.

Last but not least, programs where you have to actually contact your AM to change certain details (e.g. banking) are great too.

Having a secret word or even a secret phrase attached to this process would make it even stronger and reduce the hack-risk even further ;)

One recommendation I do have for you AE (and other affiliate programs) is to use SSL on the signup forms. As it is now, AE, your join form is not encrypted. Hence any information sent over the net could be intercepted and viewed.
 

AE-Martyn

Affiliate Program Representative
Hi all, all feedback is good feedback and you know I'll raise it and see what we can do.

We've already talked about a security question, so we'll see how and if we can factor that in.

Thanks also for the support and kind words, we're here for the same reason as you guys, so if we can make it better or more secure then we'll definitely look at making the changes to improve.
 

AE-Martyn

Affiliate Program Representative
Hi all, I've started a thread at GPWA on account security and am looking to get ideas from affiliates as to how we can improve this for you.

What I'll do is try to gather ideas from you and keep them all in one place. I hope Andy doesn't mind this, but if you could contribute there it would be ideal. If you have strong feelings towards not posting there or prefer this forum, feel free to contribute below...

Here is the thread...
 

PaaskeUK

Affiliate Guard Dog Member
I am quite worried; it seems my Gmail account was hacked yesterday. Someone from an Asian IP address in Seoul. Then strangely I had a visitor today on my forum website, also from a Seoul, Korea IP address, strangely enough.
If anyone is an expert and can gather more info, that would be great. From the Gmail hack:

Someone recently used your password to try to sign in to your Google Account -x@gmail.com.

We prevented the sign-in attempt in case this was a hijacker trying to access your account. Please review the details of the sign-in attempt:
Tuesday, 9 September 2014 21:05:50 o'clock UTC
IP Address: 218.144.5.243
Location: Seoul, South Korea

If you do not recognise this sign-in attempt, someone else might be trying to access your account. You should sign in to your account and reset your password immediately.



And I had a visit from a Korea login:
Seoul,
Seoul-t'ukpyolsi,
Korea, Republic of
Korea Telecom (121.160.130.132)



I know I need to use much harder passwords, like numbers and letters mixed, different for every single account, which I am not doing.

But a very good question to you tech experts. Let's say I use one of those supposedly secure password programs? Like now my McAfee has got one built in. Let us say I get passwords done on all accounts with very hard passwords. But ALWAYS there will be ONE password which will then be the key for all my accounts?? If someone gets that hacked or finds a way through, then all my passwords will be leaked.

What I also got to think about, which made me worried: how about Google? I have a setting with bookmarks etc. So if I log into Google somewhere else on a different computer it will load up everything, like bookmarks and stored logins and passwords. But then again, if someone hacks or gets hold of the information, then they would be able to access everything???

So should we really not use that service or that kind of service at all? Hope you get my concern here guys :)
 

AussieDave

24 years & still going!
From what I've read from these password holding sites, your Master-Password is never held on the site. It's encrypted (256 bit) on your PC/usb SD. Hence your stored passwords are protected.

However if you're super paranoid, use strong passwords and keep them all written down in hard copy. Make a backup of these on a couple of USB SD. Never connect these (USB SDs) to any computer which has or has been used to access the net ;)

If someone with enough skill wants to gain access, they will.

Our job is to make this process so hard for your average script kiddie and what not, they give up and move on to a softer target. The same goes for WP sites etc etc. Most accounts get hacked because they are using inadequate passwords - e.g. their dog's name, with maybe a couple of numbers added to the end.

Your password should comprise upper/lower case alpha characters & include numerical, and be a min of 15 characters. If you can also use special characters, use them. Depending on where you're hosting, I've noticed some cPanel Softaculous (which installs WP for you) limit password length. If this is the case, when WP is set up, change your Admin password to something strong and secure.

Also change your userID for the generic "Admin" to something else. Make sure you also use a different name for posting, other than your userID. This can be changed in phpMyAdmin, under the DB table of 'users'....

phpMyAdmin >> WP database >> _users and click Edit link
  • Find user_login: change to another UserID
  • Find user_nicename: change to your preferred posting name
  • Find display_name: change to the identical name used for "nicename"
  • Finalise all this by clicking the "Go" button.
Now when a hacker tries to hack your WP site using your "displayed name", it's not your User-Login ID. NB - never use a "nicename" which you'd use on a forum etc etc or your domain name or even your real name.

Just a few simple tricks, can keep the hack bots and script kiddies at bay. :D
 

Vladi

Affiliate Guard Dog Member
Yes, to echo what Bet4You said, start using a password manager now. There are different ones like LastPass, KeePass, or 1Password. They will generate long, random passwords for you, and the better ones will auto-fill website forms for you so you don't even have to copy and paste them in later when you want to login. Anything else is just playing with fire.

How it works is this: you have 1 master password which should be strong but memorable. That password is used to encrypt and decrypt all your other passwords by your password manager. So yes, if someone got access to your master password they could get all the others. Write it down if you have to - at least that way a person trying to break into your list of passwords has to get physical access to the paper you wrote it on. Obviously a random hacker in South Korea won't be able to do this.

Some of the password management services allow you to store your password database online to sync between multiple computers. The whole thing is encrypted with your master password, so again make sure it is strong, but like Bet4You said it isn't stored online with the database. However if you don't need to use your passwords on multiple computers, then reduce the attack surface and don't store the database online, just keep it on your local computer. And of course keep your anti-malware program up to date if you use Windows.

Some tips:
- Don't re-use your passwords across sites. This is really, really serious because you have no idea how your password is being stored by the site you register on. It could be plain text which enables anyone who works there to read it. It could be encrypted but not salted, in which case it is easy to crack. Don't trust the site to store your passwords safely. Assume that they are all readable by anyone. You need to reach the point where you don't care if a bad guy can see your strongly encrypted password because it could take them decades to decrypt it.

- Your passwords should be random strings. Don't use words found in the dictionary, or names, dates of birth, phone numbers, addresses, "keyboard-walking" patterns, quotes from books, or phrases that are published anywhere online. Crackers run programs that scrape text from the internet and use it to crack passwords. Don't make their job easier.

- Your email account password is even more crucial than all the others. You know how you can reset your password at many sites by requesting an email and clicking a link in that email? Imagine what a bad guy could do if he gets access to your email account.

- Don't answer password reminder questions truthfully. When it says "Mother's maiden name" or "first school you went to" that information can be found by an attacker. You would be surprised how much stuff like that people share with the world on Facebook for example. This is how the celebrities got hacked recently. Again, use a password manager to generate random answers to those questions and save them in the password manager.

- If the site allows 2-factor authentication using a phone app or sms, use it. Apple, Gmail, Paypal and many others are already doing this so enable it.
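
The difference between unsalted and salted password storage mentioned in the tips above, as an added example that is not part of the original post. The user names, passwords and work factor are constructed for illustration, and PBKDF2 is one choice of slow hash, not something the post names.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000  # assumed work factor; raise it as hardware allows


def unsalted_hash(password):
    # Weak: one fast hash, no salt. Same password gives the same digest everywhere.
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password, salt=None):
    # Stronger: a per-user random salt plus a deliberately slow derivation.
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify(password, salt, expected):
    # Recompute with the stored salt and compare in constant time.
    _, digest = salted_hash(password, salt)
    return hmac.compare_digest(digest, expected)


def shared_password_groups(table):
    # What a leaked table reveals before any cracking is attempted:
    # which accounts hold an identical stored value.
    groups = {}
    for user, stored in table.items():
        groups.setdefault(stored, []).append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]


# Constructed sample data: two users picked the same password.
USERS = {"alice": "Summer2014", "bob": "Summer2014", "carol": "kV9#tq2LmzR8wYp"}


def leaked_unsalted():
    return {user: unsalted_hash(pw) for user, pw in USERS.items()}


def leaked_salted():
    return {user: salted_hash(pw) for user, pw in USERS.items()}
```

With the unsalted table, `shared_password_groups` immediately pairs alice and bob, so one cracked or precomputed digest opens both accounts; with the salted table it returns nothing and each entry has to be attacked separately.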
 

admin

Notification Admin
Staff member
A reminder is sent to all affiliate managers.
 
