Bitcoin Forum
  Show Posts
1  Economy / Gambling / Re: FORTUNEJACK.COM |Deposit 777 play with 1777 mBTC |Live Casino, Slots, Betting on: March 07, 2020, 01:39:13 PM
Hello,
 
This is my second to last post on here, so if you are tired of reading my posts about my concern over Fortune Jack's security, then do not worry.

On February 20th, Fortune Jack sent me a PM: "Hey, if there's anything that we can help you with regarding the concern you have, please let us know so we can assist you accordingly.
Team FJ"

I took a few days to respond to this, because it kind of felt like the phrasing was structuring this as my problem, and how could they help me fix whatever issue I seemed to be having.

Regardless, I responded on March 3rd. Since no one was willing to supply me with a created username/password just for the sake of testing, I went against my normal ethical boundaries with this kind of testing, and just pulled a random user's account from the site. I told this to Fortune Jack, and did not hide the fact that this account was not mine, did not belong to me, and that the user had no connections with me, or any knowledge of my existence. The IP logs would back this up, and since the account had almost no balance, and I would not be doing anything to alter the balance, I took this approach.

I took a video using the screen capturing software Bandicam, and sent a short video of me attempting to log into the account, only to be prompted for the 2FA code.
I had a stopwatch/timer on screen running to show that nothing was being edited, and within 30 seconds, I demonstrated my ability to log into the account and reassign the account's 2FA code to one I controlled, effectively bypassing the 2FA verification.

I then disabled the 2FA completely on the account before signing out.

Since then, I haven't heard a single word from them. Meanwhile, they are still active and more than happy to post and update about their latest promotions on the forum.

Even though I may have started off these posts with a bit of an already skeptical view on Fortune Jack, I tried to give them the benefit of the doubt and see if bringing this issue to light would maybe push them to acknowledge the issue and move toward a fix.

If you want to keep playing on the site, I wish you nothing but success and smooth sailing. I am not going to tell anyone what to do with their own crypto. I simply wanted to bring it to attention that if an attacker has your username and password (which I assure you, is much easier than many may realize), your 2FA does not work. In the terms of service, the 2FA is YOUR RESPONSIBILITY to keep safe, because in practice, it is designed to give your account a very robust, additional security control.
If an attacker logs into your account and drains your balance, this will be repeated to you by Fortune Jack like it has in past cases. The 2FA is your responsibility since you are in control of it.

The truth is, this control is broken, and through multiple emails, messages, video walkthroughs, etc., I have not heard a single word in response, and they just close my tickets.

My advice: Do not leave a balance on your account when you are not actively playing.

As soon as I have a break in my schedule today, I will post a video of the same process that I sent to them, using a random account I will pull from their user list.

I never once asked for any kind of compensation or reward, or made threats of any kind from the moment I found out about this. I tried to be as professional as possible, but for whatever reason, it does not seem like they have any concern that their site is failing at implementing security procedures for very crucial steps in keeping all of your accounts safe.

2  Economy / Gambling / Re: FORTUNEJACK.COM |Deposit 777 play with 1777 mBTC |Live Casino, Slots, Betting on: February 19, 2020, 09:46:18 PM
While I do appreciate getting a response, the only reason I took it upon myself to write this all publicly on Bitcoin Talk's board was because I could not get any kind of response when I was trying to get a hold of anyone that seemed concerned about the gravity of the situation.

My inbox is still empty from you guys though, and I don't want to waste our time having you explain to me how secure your system is, when I know beyond a shadow of a doubt that isn't close to the truth.

Although your security practices have worked in the past, they fell short in this regard. I am concerned that you just want to list off the things you have done right, while still ignoring the things that are currently going wrong. The MFA once again does not hold much weight, seeing the nature of this exploit, and account takeovers are indeed a huge issue in this industry, which is why I would think you would rather fix the problem than explain to me how there isn't one.

My main question and concern regarding 2FA-related security issues is: what would be done for the players on this board if someone else broke into their account and drained their funds because of this flaw?
Regardless of whether it was $20 or $25,000, by incorporating the 2FA features on your site, you are protecting yourselves just as much as it protects the players.
The players on your site should have the security to not have their accounts possibly in jeopardy, and they should not be subject to dealing with the aftereffects of having something as irreversible as a crypto payment removed from their account.
At the same time, this gives your company protection from players who fair and square lost their bankroll, who may desperately approach you and lie about having their account breached by hackers. This shouldn't be possible with 2FA, since you need to have the physical device as well as knowing your login details.

This is only when it is working though. Right now, the tables have sharply turned against the players, because you have your entire customer base more exposed to this vulnerability / exploit, while you are still able to maintain arguments similar to these:

https://www.askgamblers.com/casino-complaints/account-hacked-2

https://bitcointalk.org/index.php?topic=934177.0


The offer is still on the table though. Maybe a random higher-ranking Bitcoin Talk user (who doesn't have an account with FJ currently) would be willing to set aside a small amount of time that I can show this to.

I have spent a lot of time on these forums, and learned a huge amount of information throughout the years on various topics. I really like this community, and I am appreciative of all the knowledge and all the insightful and nice (for the most part) users on these forums I have gotten to interact with over the years. I want to make it very clear that I am not brute forcing accounts, or doing any of these takeovers. I have not told anyone else this, nor do I plan on doing so.

My inbox is now able to receive PMs.

3  Economy / Gambling / Re: FORTUNEJACK.COM |Deposit 777 play with 1777 mBTC |Live Casino, Slots, Betting on: February 17, 2020, 02:20:09 PM
Apologies for my delayed response; it was a hectic weekend, but I am now finally able to sit down at my PC.

To clarify, this doesn't allow the ability to alter/change a 2FA on an account by just knowing the username. In order for an account takeover to be necessary, both the username and the password need to be known. This is done through brute forcing, credential stuffing, phishing attacks, and other types of malware such as clippers or cookie stealers. There are many ways your login details can become exposed on the web, and this is an entirely separate topic itself.

When you have 2FA enabled, after you enter your login details, you are presented with a screen asking for the 6-digit code which revolves in a timed rotation on your Google Authentication app. For an attacker, this is where the dead end would normally be. Without access to the device which has the authentication set up, there is nothing you should be able to do which would sidestep this.

This is not the case for Fortune Jack. This 2FA feature is useless if an attacker knows your login details.

Fortune Jack never responded to anything I wrote them, whether it was through a direct email, making an account on their support site, talking to their live chat, etc.

For reasons unknown to me, this is not important to Fortune Jack, as I never did, and still haven't received as much as a single word. They close my open reports with them, they respond to other people commenting on this thread, I really just do not understand it.

When a user creates a new account, the first thing you see in big, bold red letters at the top of the screen states, "DUE TO THE NATURE OF THE ONLINE GAMBLING INDUSTRY, ACCOUNT TAKEOVER IS EXTREMELY HIGH. PLEASE SETUP TWO-FACTOR-AUTHENTICATION TO ENSURE THE SAFETY OF YOUR ACCOUNT" (might not be word for word, but it is something close).

This is not any kind of bait or phishing attempt.

This can be replicated as many times as you like. If someone makes a new account (the information used can be all made up and not tied to you at all) and enables 2FA, and if you supply me with the login username and password to the account, I can have full control of the account in less than a minute.

I am more than happy to do this, and to show you that what I am saying is valid. However, if you don't want to believe what I am saying, that's 100% up to you.

I made this post to tell the players of Fortune Jack that you are using a system with a completely flawed security practice. The company in charge of holding all your balances and account info safe doesn't seem to give a shit. I will tell you right now though, that if you log into your account and some malicious actor has drained your balances, Fortune Jack's response to this will be informing you that you have two-factor authentication set up, and this ensures only YOU are able to log in to your account.
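
The failure mode this post and the one above describe, modelled as an added example (not code from the poster or from FortuneJack): a login session that has passed the password check but not yet the TOTP prompt must not be allowed to replace or disable the authenticator secret. All class and function names here are hypothetical; the TOTP routine follows RFC 6238 (HMAC-SHA1, 30-second step, 6 digits), the scheme Google Authenticator uses.

```python
import base64, hashlib, hmac, struct

def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP code for Unix time `at` (HMAC-SHA1, base32 secret)."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", at // step), hashlib.sha1).digest()
    off = digest[-1] & 0x0F
    code = (struct.unpack(">I", digest[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)

class Account:
    def __init__(self, password: str, secret_b32: str):
        # constructed for the example; a real service uses a slow password KDF
        self.pw_hash = hashlib.sha256(password.encode()).hexdigest()
        self.secret = secret_b32  # None when 2FA is disabled

class Session:
    """'password_ok' is the pre-2FA state; 'authenticated' only after a valid code."""
    def __init__(self, acct: Account):
        self.acct, self.state = acct, "password_ok"

def login(acct: Account, password: str):
    if not hmac.compare_digest(hashlib.sha256(password.encode()).hexdigest(), acct.pw_hash):
        return None
    return Session(acct)

def verify_totp(sess: Session, code: str, now: int) -> bool:
    if sess.acct.secret and hmac.compare_digest(code, totp(sess.acct.secret, now)):
        sess.state = "authenticated"
    return sess.state == "authenticated"

def reset_2fa_weak(sess: Session, new_secret) -> bool:
    """The flaw described in the thread: any session that only passed the password
    check may swap in a new secret (or None), so the second factor adds nothing."""
    sess.acct.secret = new_secret
    return True

def reset_2fa_hardened(sess: Session, new_secret, current_code: str, now: int) -> bool:
    """Changing 2FA is a sensitive action: require a fully authenticated session AND
    a fresh code from the device being replaced (re-authentication, not just login)."""
    if sess.state != "authenticated":
        return False
    if sess.acct.secret and not hmac.compare_digest(current_code, totp(sess.acct.secret, now)):
        return False
    sess.acct.secret = new_secret
    return True
```

A server should additionally rate-limit the TOTP prompt and log every 2FA change with the session's IP, so that a reset from a never-completed login shows up in review.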

4  Economy / Gambling / Re: FORTUNEJACK.COM |Deposit 777 play with 1777 mBTC |Live Casino, Slots, Betting on: February 14, 2020, 09:04:32 AM
Let me first start out by saying I was very optimistic about the "bug bounty" program which I saw posted by Fortune Jack throughout numerous boards, but after my experience today, I can safely say that it is backed by absolutely nothing on their end.

I sent numerous emails to their support team, I was told to email different members of their team after creating an account, and no one would even answer a single question I had about their program and the scope involved.
Online casinos do not have a history of running their own bug bounty programs, nor do they work with outside companies. I took great care to approach them as professionally as possible, and not have the tone as if I was attempting to use my knowledge to extort them into paying a high bounty. After over 14 hours, not only did they never take a minute to acknowledge me, my questions, or anything at all, but they also closed my ticket without a single word.

Can't say that I am shocked though, so after trying and failing to take the path they created for these situations, I would rather alert the playerbase of Fortune Jack to the complete disregard they have shown regarding a severe vulnerability.

Literally every single one of your accounts can have its 2FA bypassed, reset, and reassigned to any device a malicious actor decides to. The process takes less than 20 seconds, and this makes account takeover an easier process than actually registering for an account in the first place.

I have been a long time player at Fortune Jack myself, but I just wanted to at least get the word out to the Bitcoin Talk community that I would strongly consider not leaving any funds to sit in your wallets. If this is the reaction from half a dozen of the workers at this organization, I have no faith in their ability to keep your funds secure.

This entire process is also only possible because of their negligence and their code. This does not involve any payloads on the attacker's end.

Be alert, and be safe out there with your funds. Hopefully companies begin to take their customers' security more seriously in the future.

Edit: If you would like proof, make an account (DO NOT SEND ME YOUR REAL, LIVE ACCOUNT) and link a 2FA with Google Authentication. I will have it disabled and reassigned to my own number in less than a minute.