Password Trading And How To Monetize The Traffic?

[Lee]

So ive been looking over my StrongBox stats today and im really happy that i have this installed, theres a bunch of sites on Condom Cash that have had username/passwords disabled due to sharing and i was wondering, once the password has been disabled, what are some good ways to actually monetize this traffic?

For example, has anyone tried creating a 'custom' page on StrongBox that looks like a members area but its just full of links to FHGs, hosted free sites and cam upsells? If so, how well did that work for you?

Im seriously thinking about doing something like this in the next couple of days just to see how well that works, if you havent tried that, have you used other methods to generate an income from members passwords and usernames that have been disabled by a script such as StrongBox, if so, what were they and how would you rate them in terms of income generation?

Oh, one other idea i had was sending the disabled username traffic to a toplist to get some 'fresh' surfers back to the sites tour pages as a kind of 'bonus' but im not sure if that would work well.

Your thoughts on this, what is a good way to monetize password sharing accounts that have been disabled?

Regards,

Lee

[Xstr8guy]

What a brilliant fucking idea! Please share with us if you can figure out how to do this.

[Lee]

What a brilliant fucking idea! Please share with us if you can figure out how to do this.

Well right now ive been looking over the template pages for StrongBox but im having trouble figuring out which pages control what, hopefully Ray will pop in and give us a heads up, i really do think this could work well to get some addition revenue from traders, especially as for all intents and purposes, it would be a 'transparent' change as far as they would know hehe

The ONLY downside i could potentially see to this would be if a surfer used a traded password to 'check out' the site before joining first, although one would assume the instances of that happening are slim to non.

Regards,

Lee

[Alex_Manifest_M]

We recently had 17,000 hits generated from a password trading site. These convert at a rate of 1:894. So while we also punish and black list the member, it does result in (meager sales). While I don't think we could ever get stats on it I do believe that one or two of these folks may come back and join (of course they post their passwords and the cycle begins again). We always send them a very intense email regarding theft of services and in a couple cases actually got them to pay for the bandwith their bandit brothers sucked up. On a side note regarding CCBILL, my interactions with them have always been great but man I wish there was a way to better filter out these folks. The same ones come back again and again with different email addys but yet so similar that it is pretty clear whats going on. We check each and every transaction against a data base we have which indicates when a banned individual or questionable transaction is occuring. We had one repeat offender that was stealing card numbers from his salon clients. Same user name, same password, same email address (with different numbers added after his name and yet the card is always a woman's name (different each time). We contacted local law enforcement and the guy was arrested.

[raymor]

One simple thing you can do right away is add banners, text links, or even a pop up
to your "failed login" page, sblogin/badlogin.shtml.

A long explanation follows. The executive summary is that in order to avoid a security hole
you shouldn't try to redirect suspended members.

Something to keep in mind regarding this is a security concern that isn't immediately
obvious. Back around 2000 a cracker published a white paper which is now ubiquitous
explaining how to take advantage of Pennywize to make a site easier to crack than it
would be with no "protection" at all. The basic idea behind the exploit was taking
advantage of exactly what you're talking about doing. Pennywize would send a blocked
user to a different page than the one a user would get if they just entered their password wrong or if the user had expired or whatever. Pennywize would actually take the visitor
away to their own site, but what mattwers here is that blocked users went to one page
and invalid user names or passwords went to different pages.

By looking at where they were redirected to, the cracker could then tell if the user name
was valid and if the password was valid. If they had a valid user name and password that
was just suspended by Pennywize they'd just save it for tomorrow, when Pennywize would
probably let it work again. That sure makes brute force or dictionary attacks a lot easier,
as well as letting the cracker know that you haven't deleted his favorite password, so it'll
probably work later. Similarly other information revealed by Pennywize makes it a lot
easier to get into a Pennywize site.

Because of this concern, Strongbox responds exactly the same whether the user name
doesn't exist, it's been suspended, the password is wrong, the Turing image is wrong,
the IP has been suspended, or whatever. This way crackers can't get any useful
information by looking at where Strongbox redirects them. They are either allowed in or
not, but there is no hint as to WHY they weren't allowed in. This is important for your
site's security. It means, though, that all those people coming from the password sites
are going to get the same page that a legitimate member gets when he enters his password wrong.
You wouldn't want to send this innocent member to what "looks like a members area but
its just full of links to FHGs, hosted free sites and cam upsells". Instead you'll want to
make a page that serves both purposes - it has a banner or two to monetize that traffic,
yet won't totally annoy a legitimate member who types their password wrong.