Interview with an Account Cracker - What Makes a Site Secure?
hacking·@kirkins·
0.000 HBDInterview with an Account Cracker - What Makes a Site Secure?
As part of my [research project on cyber-crime](https://CR1M3.com) and hacking I met online with an account cracker to get some in depth information about what makes a website secure or insecure.  I found a cracker selling accounts on a popular Telegram Group named Redd and he agreed to meet with me for an interview about cracking. He runs a [channel with over 100 people](https://t.me/reddstore), where sells goods from Walmart, Starbucks, and other stores. He reveals some of the sites with the worst security *(Office Depot)* and what security features can scare off most crackers. These features include 2FA, Captcha, and Akamai. ***Interview:*** <hr/> **Philip:** Ok cool, I won't ask anything about your background or stuff, just jump into the technical aspects. I'll add you to my list first though **Redd:** Cool **Philip:** Ok, cool added I guess the main aspects I'm curious about looking at in this interview is how varied security is for everything from: serial numbers, giftcards, coupon codes, ect. **Redd:** Okay **Philip:** Are those the main things people try to crack? **Redd:** Not really. Mostly accounts and gift cards Serial numbers arent cracked to my knowledge Well depends **Philip:** And when we're talking about "cracking" do you mean brute force style methods or using combo lists? **Redd:** Combo lists brute force is rarely done anymore I make configs **Philip:** Well for brute force style, I've heard of giftcards that simply incriment by 1 for example **Redd:** Yeah, so a lot of companies dont go by that anymore usually its a certain format that crackers crack. Programs like OpenBullet (only modded versions) if i recall correctly allow you to kind of generate randomized codes following a pattern Say L = letter N = Number A pattern would be NNNLLLLNNLLL And they would be able to generate large lists of combinations following the pattern And check them via the program Now, this is only for sites without PIN PIN codes are a little harder **Philip:** Interesting, I've heard certain restraunts have had huge problems due to bad security and no pin like PF Changs what do you mean by modded version? I know openbullet, but I haven't heard of mods. **Redd:** A lot of people make modded versions that are simply better, one example is black bullet and open bullet anomaly Yeah that is true *(about PF Chang)*, though a lot of restaurants have caught on **Philip:** The people working there kind of thing? Or they added security on their websites? I heard for PF Chang people use to go in with just a number and no printed PDF and now they don't allow that. **Redd:** Both i believe. And yeah I have done that a couple times but now they dont allow A number of people have been cracking with PIN now Which is difficult and more expensive As usually they have captcha **Philip:** What makes it more expensive? More computer power and time kind of thing? **Redd:** No they need to buy anti captcha services that bypass captcha **Philip:** right like anti-captcha or 2captcha (can't remember the name) **Redd:** Yeah exactly Some people do manage to code it themselves **Philip:** code anti-captcha? **Redd:** Yeah Don't know the specifics of it **Philip:** I saw there was an exploit in the past where you could use the audio version for blind people and then feed it to audio to text, but they fixed that exploit what makes black bullet and open bullet anomaly different from the normal version? **Redd:** They have some different features which i dont have off the top of my head. Some of them they are smoother **Philip:** Very interesting stuff Without revealing any of your best sources, since you won't want competition. Can you say what are some of the worst companies for security you've seen cracked? Also what are some of the best ones? **Redd:** Worst security hands down is OfficeDepot **Philip:** what makes it so bad? **Redd:** No captcha, no security protection The best security i've seen is maybe JetBlue, though it has been cracked. Also StockX and Chiptole now that they fixed their shit **Philip:** sounds bad, I think ones that let the person change name and email without any verification by email are super bad too. Kind of crazy that, letting someone change your email without first verifying with your current email damn, so even though JetBlue is one of the best is was still cracked? **Redd:** Yep Anything can be cracked And i know the person who can crack anything Even stuff with high security there are ways around it Which it is hard to prevent **Philip:** Is there a security feature that when you see, you just move on because it's going to be way too hard? Maybe 2FA or captcha? **Redd:** For me, yeah. Akamai **Philip:** I have heard of them, they provide anti-bot protection right? **Redd:** 2FA is pretty pointless to crack but people get email access accounts for that Yes **Philip:** Very interesting because I just heard of Akamai 2 days ago **Redd:** Yeah Very good cybersec on certain sites But still bypassable **Philip:** Someone told me he knows a guy that sometimes makes cracks for AKamai, and sells for $1000 but the bypass only works for like 2-3 days **Redd:** People crack 2FA accounts by getting email access accounts and using a program to login to the email and search for sites Nah akamai bypass can work for a while but yeah they run upwards of 1k **Philip:** oh wow, haven't heard of that. Do you know the program? **Redd:** I think its called woxy. **Philip:** Thanks, this has been a great interview Do you have any lasts thoughts and/or a service you want to plug? **Redd:** Join [t.me/reddstore](https://t.me/reddstore), an all-around shop for your bitcoin, config, and method needs! <hr/> If this interview was of interest to you, be sure to check out the [early reader program for my book about cyber-crime](https://leanpub.com/CR1M3). <hr/> Want to get in touch? You can find me on [Twitter](twitter.com) or email kirkins and gmail dot com.