
Thread: Has This NATs Issue Made You Reconsider Using NATs Based Programs?

  1. #1
    You do realize by 'gay' I mean a man who has sex with other men?
    Join Date
    Oct 2003
    Location
    New Orleans, Louisiana.
    Posts
    21,635

    Has This NATs Issue Made You Reconsider Using NATs Based Programs?

    I must admit first and foremost, that I don't use a single program that utilizes NATs on their affiliate system.

    That being said, how many of you folks have or are in the process of reconsidering using programs that use NATs?

    Do you feel comfortable enough now to believe there won't be further security issues in the future?

    Also program owners, are any of you considering changing back to a regular CCBill backend thanks to this monumental clusterfuck by TMM? If so and you have started the change, how are you finding it? I was told years back that once you have NATs in place, you are pretty much stuck with their software for the life of your program.

    Regards,

    Lee


  2. #2
    Ah, 80 Hour Work Weeks, The American Dream! tombarr's Avatar
    Join Date
    Oct 2003
    Location
    Who Knows anymore?
    Posts
    993
    Quote Originally Posted by Lee View Post
    I was told years back that once you have NATs in place, you are pretty much stuck with their software for the life of your program.

    Regards,

    Lee

    This is one of the primary reasons we chose, at the cost of short term gain, to wait for a different solution other than NATS. I had always feared that if we migrated to them that getting out would be a very painful and difficult evolution. I prefer to be in a position of having choices, and it never seemed to me that in being under a NATS program this was the case.

    We are now part of the CCBill beta testing and I'm quite happy we waited for this option...


  3. #3
    virgin by request ;) Chilihost's Avatar
    Join Date
    Oct 2003
    Posts
    4,496
    This is the first security issue that I have heard about with NATS, and it wasn't even with the NATS program itself but instead with the process of TMM storing an admin u/p on their server....and it was that storage server that got compromised.

    If a program owner has taken the right measures, they are secure and safe from this issue. TMM has also implemented new policies and new logging tools to ensure that this does not happen again.

    In comparison, think about the number of security issues that have been (and continue to be) discovered with Windows, Apache, PHP, MySQL, etc, etc, etc..... but it's not like you stop using these, instead you patch your system and implement as many security and auditing measures as possible.

    If a program has a strong set of sites, good support and has already actioned this issue then stopping promoting them is a huge overreaction.


  4. #4
    You do realize by 'gay' I mean a man who has sex with other men?
    Join Date
    Oct 2003
    Location
    New Orleans, Louisiana.
    Posts
    21,635
    Quote Originally Posted by Chilihost View Post
    If a program has a strong set of sites, good support and has already actioned this issue then stopping promoting them is a huge overreaction.
    Even if your personal data, including SSI numbers have potentially been leaked across the net by unknown sources?

    I don't know about anyone else but that would make me strongly consider getting any and all information about me taken out of any NATs database there was.

    Some things are more important than money, ensuring my private data remains safe and secure is one of them.

    We still don't know the extent of the damage this breach of security has caused, we could potentially see thousands of adult webmasters having their identity stolen because of it.

    Regards,

    Lee


  5. #5
    Life is a dick and when it's get hard---just fuck it... DEVELISH's Avatar
    Join Date
    Jul 2005
    Posts
    2,367
    Lee, just hypothetically... if you'd still live in Great Britain, would you consider moving to another country outside the kingdom?

    http://www.cbsnews.com/stories/2007/...n3529481.shtml

    Yes, there is a risk of fraud, yes data may have been corrupted, yes data may have been stolen and misused. It will be taken care of now - however that may look like.

    Software will never be flawless and a security breach is always imminent. One can just take care that it is all monitored if a breach happens.

    The reaction among several webmasters of NATS-powered sites is understandable but not adequate. Sponsors who can afford NATS can afford tech-guys like Luke to help them out on this one - or harass TMM until they do their work. I bet the knowledgeable Tech-Webmasters would volunteer to help the not so tech savvy guys on this one.

    What is needed is fast and constructive communication to resolve the problem and get the software fixed and the patches out of the door and installed (TMM to their customers and vice versa, sponsors to affiliates and vice versa) - complaining about an issue does not solve it.

    THEN AFTER the issue is settled there is way more time for REACTION. Be it a switch to another affiliate script, patching of the existing one or lawsuits against a company. ACTION in this case could be better server and software security (maybe an audit), patching software to the newest versions etc, setting up better monitoring.

    2 €uro Cent

    DEVELISH

    p.s. I strongly consider moving... http://www.heise.de/english/newsticker/news/88499
    :-D


  6. #6
    You do realize by 'gay' I mean a man who has sex with other men?
    Join Date
    Oct 2003
    Location
    New Orleans, Louisiana.
    Posts
    21,635
    Develish,

    It's not just because of the NATs issue itself I was asking if people had considered dropping programs.

    How many programs that use NATs haven't contacted their affiliate base yet even letting them know there was a 'potential' that their data had been stolen?

    I'm only aware of seeing a post by Luke on various message boards about it, every other NATs program still seems to be keeping quiet about these problems, problems that their affiliates DO need to be made aware of.

    Granted this whole thing happened over the Christmas period so it's possible a lot of programs aren't even aware of the issues yet, time will tell I guess.

    Regards,

    Lee


  7. #7
    Making Pain Pay!
    Join Date
    Jul 2006
    Location
    Colorado
    Posts
    960
    Lee,

    Not so much the actual NATS problem...because I feel that any system can be compromised, etc.

    HOWEVER, individual program owners' responses to this situation have very much so made me re-consider working with specific people in the future...nats or otherwise. - Michael
    TropixxxCash.com is a CCBill affiliate program for the male spanking and punishment site TropixxxVIP.com.

    :whip:


  8. #8
    Think big. Shoot hard.
    Join Date
    Jul 2007
    Posts
    826
    Lee,

    As a US citizen with both my SSN and wire info POSSIBLY compromised. I am scared. That is actually an understatement. I am in the process of buying the condo of my dream. And any identity theft will possibly kill that and cost me 1,000s of dollars in legal fees to fix.

    It APPEARS that TMM has many enemies. Now, people say they just wanted email addys. From my experience hackers don't hack for email addys when SSN and bank details are there as well. These all can be sold on the black market for a GOOD price.

    I don't believe that TMM's list of enemies will stop at this situation. Just doesn't add up.

    What I am looking at in this industry is how safe my data is. Has CCBill, Epoch, or Verotel been hacked? Not to my understanding. So I feel SAFE with them.

    I am in the process of putting bogus information in programs that I don't use and asking them to be canceled. I will not signup to another NATS program. Plain and Simple. Probably ever.

    It's a shame as NATS has a great tool as far as reporting and cascading goes.

    We too are in the CCbill beta and from the talk I had w/ Ccbill today it's looking like it might be a NATS killer. Yes, it has campaign tracking (a feature affiliates have asked me about.)

    Bottom line - There is PLENTY of money to be made in this industry w/o NATS and still have your data safe. I am taking that route.

    Hell, I only market a handful of sites actively now and none are NATS. I may just get all my accounts deleted.

    Since I figured out how to figure out what URLs are making sales in ccbill stats those are looking nicer all the time.

    Best,
    Lloyd


  9. #9
    On the other hand.... You have different fingers
    Join Date
    Feb 2004
    Location
    San Francisco
    Posts
    3,548
    There are several different issues in my opinion.

    The first is the actual breach of confidential data. ANY program can have an exploit or vulnerability to hacking, and so NATS is far from unique for having hackers find an exploit. If this were a simple exploit, with a responsive company immediately notifying everyone and taking every possible step to secure things, people would be complaining, but people wouldn't be after blood.

    In my humble opinion, the thing that has so many people so angry with TMM is the evidence (which I have not personally taken the time to investigate, but appears, simply from the dates on various postings on GFY, to be pretty solid) indicating that TMM knew there was a problem at least as far back as October, and possibly as far back as August, and not only did not notify program owners running NATS, but allegedly took action (lawsuit threats) against OC3 Networks, who originally identified the problem as a probable hack affecting more than one of their customers... and then, when OC3 didn't respond to the threats, TMM (according to reports by OC3) allegedly started threatening the OC3 customers who were affected, and pressured them to get OC3 to shut up on the topic.

    If these allegations prove true, then TMM's action in trying to cover up the problem is far, far worse than the actual damage. And this is not the first allegation that TMM has in the past used legal threats to silence people saying bad things about its program (warranted or not.) I believe that program owners as well as affiliates have a right to be very upset and concerned about a company that allegedly knows of problems and not only covers them up, but takes extra steps to threaten companies that attempt to get out the facts.

    Now... in fairness to TMM, their defense is that they believed the problem was limited only to a very small number of programs, which is why they say they took no action to notify affiliates. However, the problem with this claim is that it would not have been difficult to contact, say, a dozen random program owners and ask to check the logs, or even to use the very logins the hackers allegedly used to see if the TMM admin accounts had been accessed other than by TMM. Since it seems a very large number of NATS-based affiliate programs were compromised, it seems very unlikely they took this step, or if they did, they still did nothing once they were aware of a problem. The only reason the problem came out was because a few program owners came forward on GFY, ignored the lawsuit threats, warned other program owners, and more and more people discovered they had been compromised.

    As for CCBill, from everything I have heard, this sounds like an absolutely first-rate product, approached the right way, with a competent technical team. The only problem I have with it, which I would have with *any* processor-run program, is what happens if the processor suddenly goes belly-up. I honestly believe that the way CCBill runs its company, they are likely to be on very solid footing in the long run, but for a program that is 100% reliant on membership-based revenues, it is simply not a good strategy to have any single point of failure that does not have an easy recovery plan.

    CCBill could (and may already have) remedy this problem by providing some sort of process where program owners can own all of their affiliate data, and can export and backup everything and easily port it over to another program, such as NATS, MPA, or Exec Stats, at any point. They have already taken the brave (and very wise) step of saying that clients using their software can do so even if CCBill is not the primary processor in cascade, thereby winning billing clients through outstanding service rather than locking clients in.

    In conclusion, there are still some pretty compelling reasons to use a third-party (non-processor affiliated) billing solution. I am not aware of any affiliate software that is superior to NATS (and we have been looking for a while.) However, there are equally (if not more) compelling reasons to seriously reconsider whether using NATS is the best solution for any program, given not so much the breach itself, but the alleged actions of the company in attempting to cover up the breach. If these allegations prove true, they really should provide any cautious and sensible program owner with good reasons to consider other alternatives.


  10. #10
    Words paint the real picture gaystoryman's Avatar
    Join Date
    Apr 2004
    Location
    western canada
    Posts
    2,151
    You know, as an 'affiliate' and not a 'program' owner, I think what perhaps has me seeing red, is the total lack of concern being shown by not just NATS, but the 'program' owners as well.

    Maybe it is more of an ethics or something but you know, to be told your program might be compromised, and not notify or check your data, to see for yourself, then to NOT inform your affiliates just seems totally wrong. I can see the answers now, but we did and found nothing, but you know, even an email saying that, would be more tolerable than the silence that seems to be the mantra when there is shit hitting the fan.

    I mean you get a company blasting another over various things, and when found out to be wrong, you are met by SILENCE. Frankly, this is making me rethink my entire involvement in this industry.
    Webmasters: Add Custom Stories To Your Sites Custom Gay Stories

    My Blogs Gay Talk, Free Gay Fiction, Erotic Fiction Online


  11. #11
    chick with a bass basschick's Avatar
    Join Date
    Nov 2003
    Posts
    7,922
    many program owners AND affiliates seem to feel that since no known issues have arisen yet with their data, it's not going to be a problem. to me, that makes no sense. it would probably take a year or two before any correlation is known. most affiliates don't post on the boards, so there's a lot of potential problems we won't hear about.


  12. #12
    virgin by request ;) Chilihost's Avatar
    Join Date
    Oct 2003
    Posts
    4,496
    Quote Originally Posted by gaystoryman View Post
    You know, as an 'affiliate' and not a 'program' owner, I think what perhaps has me seeing red, is the total lack of concern being shown by not just NATS, but the 'program' owners as well.
    I totally agree, this is why I took immediate action as soon as I found out about this issue ***AND*** sent an email to all affiliates saying:
    "We have already taken all recommended steps to close this exploit, as well as several further steps as recommended by our security technical people. To be safe, I highly suggest you change your HunkMoney.com password immediately, and I highly suggest you use a strong, random alphanumeric password that is unique to your HunkMoney.com account."

    I also started a thread on GFY asking for program owners to confirm they did the same, so far the response is poor.


  13. #13
    www.HotDesertKnights.com hdkbill's Avatar
    Join Date
    May 2004
    Location
    Palm Springs, CA
    Posts
    861
    Quote Originally Posted by abostonboy View Post
    Lee,
    As a US citizen with both my SSN and wire info POSSIBLY compromised. I am scared. That is actually an understatement. I am in the process of buying the condo of my dream. And any identity theft will possibly kill that and cost me 1,000s of dollars in legal fees to fix.
    Best,
    Lloyd
    Lloyd,

    One of the best ways to protect against identity theft is to place a fraud alert with all 3 of the big credit reporting agencies. I did this a few months back when I lost my wallet. Recently I purchased a new car and financed a portion of it. The dealership shopped it around to get the best rate and every company it was shopped to called me, asked only questions I would know to prove my identity.

    I also belong to a service, two actually, that every time a change takes place on any of my files at the big 3 credit reporting agencies, I get alerted by a text message to my cell and by email. So, if anyone tries to take out a loan in my name, even an inquiry, I get notified immediately. It only costs a few bucks a year to subscribe to these services but it sure does give you peace of mind.

    Bill


  14. #14
    Making Pain Pay!
    Join Date
    Jul 2006
    Location
    Colorado
    Posts
    960
    Quote Originally Posted by hdkbill View Post
    Lloyd,

    One of the best ways to protect against identity theft is to place a fraud alert with all 3 of the big credit reporting agencies. I did this a few months back when I lost my wallet. Recently I purchased a new car and financed a portion of it. The dealership shopped it around to get the best rate and every company it was shopped to called me, asked only questions I would know to prove my identity.

    I also belong to a service, two actually, that every time a change takes place on any of my files at the big 3 credit reporting agencies, I get alerted by a text message to my cell and by email. So, if anyone tries to take out a loan in my name, even an inquiry, I get notified immediately. It only costs a few bucks a year to subscribe to these services but it sure does give you peace of mind.

    Bill
    Agreed. A few years back the entire database of student information was stolen from the school I was working on my master's degree at. SSN, bank accounts, etc. were all stolen. I immediately put a fraud alert on my account at all three and I never had any problems. I would second the suggestion of Bill, and put this on either way. No sense in messing up the condo.

    And by the way, good luck with the condo.
    TropixxxCash.com is a CCBill affiliate program for the male spanking and punishment site TropixxxVIP.com.

    :whip:


  15. #15
    If homosexuality is a disease, let's all call in queer to work.
    Join Date
    Dec 2006
    Posts
    81
    Quote Originally Posted by abostonboy View Post
    Lee,

    As a US citizen with both my SSN and wire info POSSIBLY compromised. I am scared. That is actually an understatement. I am in the process of buying the condo of my dream. And any identity theft will possibly kill that and cost me 1,000s of dollars in legal fees to fix.
    Why would your SSN number be in any affiliate system? You are obviously successful and have been in the adult space for some time. Why would you not use a TIN?

