What's new

Shadowcard Down

Splodge

Member
Is anyone else having problems with Shadowcard right now? No card options are available no matter which currency type you select.
 

Splodge

Member
They have clearly taken down the buy option. They've commented out the card options in the HTML. You can undo the comments to make the visible, but selecting a card just takes you to a non functioning buy page.
 

Sparkle

Administrator
Staff member
Administrator
We contacted Shadowcard regarding the issue with the cards purchase using crypto currency and expecting for the reply from them. I'll get back to you in this thread as soon as I get more details.
 

Kahmlee

Member
You pay with crypto how could it not be safe?
"crypto" does not mean "safe"!

You send money to someone you don't know at all, and who is asking credential of a third party.
No mention about why asking those credentials, how they are used, how they are stored, who is reponsible...

The request of ArcheRage credentials in the shadowcard iframe was a NO-GO for me, and for everyone who really understand about security.
The payment option disabled via a simple comment in the HTML is another indicator that those guys have no idea how to implement a payment system.
 

Skullface

New Member
But I dont send money I send crypto.. :(
I send money to buy the crypto yes but this is on a seperate trusted service.
I assume the details are so the system can automate your credits being applied?

Perhaps there is something going on so they disabled a segment of their page to stop purchases for a bit, Doesnt mean its sketchy..
 

Sjinderson

Active Member
Staff member
Technical Assistant
Trion is not out of the picture. They are just owned by Gamingo.
Gamingo have the same ability to remove donations as Gamingo. There will probably never be a paypal direct donation
 

Kahmlee

Member
But I dont send money I send crypto.. :(
It does not matter if the cryptocurrency has not the legal status of an official currency issued by a government, like USD or Euro. I still need money to buy it and use to buy other items or services.
So, in a way or the other, is like "sending them money" because what they get is something with a value.

I send money to buy the crypto yes but this is on a seperate trusted service.
About the "trusted", it is not!
I cannot "trust" someone that does not provide any detail about him when asking my money (or something that costs me money like crypto).
Is like give money to someone never seen before who's wearing a Guy Fawkes mask, and does not tell a word about him.
Trusted?
I don't think so!

I assume the details are so the system can automate your credits being applied?
There's not a single valid reason for them to ask for credentials of ArcheRage accounts.

Perhaps there is something going on so they disabled a segment of their page to stop purchases for a bit, Doesnt mean its sketchy..
Disabled code should not be sent to the client, this should have been done server side, where the changes, maybe temporary, are not visible outside like in plain text HTML code.

As I said, all those features are indicators of very bad security implementation and designing skills.
 

Splodge

Member
I have no issue with the Shadowcard system Could they have handled the "Buy" page better? Absolutely. I don't have an issue with them commenting out the HTML. Maybe they simply didn't feel like deleting the code from a template. Not a big deal. It didn't expose anything. Plus the page that code links you to had been disabled. A message staying the Buy service was down for maintenance or something along those lines would have been more professional but it isn't the end of the world.

They have greatly improved the buy time which is appreciated. The site normally works very well. I've made far too many purchases over the last year or so and I've never had an issue other than slow delivery (now fixed). I use a reliable/credible crypto exchange to buy my ETH and beyond that everything works as expected.

I will admit I was nervous the first few times I used Shadowcard. Not worried that I'd somehow be exploited or whatever. More worried that I wouldn't get the credits I paid for. It has never been an issue. ArcheRage is going to use a reliable service because as soon as people stop getting what they paid for, this place dies. The people running this site have expenses that have to be paid and they aren't going to want to lose their revenue stream.

You are spending money on an online game. By default you aren't using your money wisely. You are spending it on a private server. Let's not judge Shadowcard as if somehow they are the suspect link in the chain :) So if you like the game, don't hesitate to buy credits. It gets you things you like and it motivates staff to keep making improvements to the game.

Speaking of... .WTB thunderstruck tree decoration :)
 

Kahmlee

Member
Just because you (and many others) don't see the problems, it doesen't mean that the problems are not there.

The HTML comment itself is not a big deal.
But is one of a series of problems, some small and some bigger, that when put all together have a different meaning: people behind Shadowcard have no clue about what security is.

Having someone who is storing your ArcheRage credentials on his server is not a problem for you? Good for you that can live in ignorance.
For me is different. Because, when I see how they manage all other details, I wonder how they store those credentials, and how secure they are from some attack.
And that's the best scenario, the one where they are simply incompetent.

ArcheRage is another story. I have no problem at all in spending money on an online game, not even on a private server.
The problem is Shadowcard only.
 

Splodge

Member
You have no idea who runs Shadowcard. For all you know, they can be the same people that own this site. You have no idea what their security is like. You have no idea what the security is like here. Any site you log in to could be capturing your username and password and saving it in plain text. You would have absolutely no way of knowing. I'm willing to bet that most people reading this, at one time or another, have made an online purchase from a vendor that wasn't PCI compliant. It is more common than you think. I don't care if Shadowcard knows my credentials on here because I don't use the same login information everywhere. I'm also betting that most people reading this also use the same credentials everywhere. Even if Shadowcard were to save your username & password, are you worried they are going to hop on and play the game as you? Heck I don't even have the same credentials for the forum as I do the AA account.
 

Kahmlee

Member
You didn't get my point, so I repeat here:
There's not a single valid reason for them to ask for credentials of ArcheRage accounts.
Shadowcard is doing that, then is not safe.

What they can or cannot do with people's credentials is not the main topic, their lack of security is.
And continue to use a unsafe service put at risk ArcheRage too.
 

Splodge

Member
You didn't get my point, so I repeat here:


Shadowcard is doing that, then is not safe.

What they can or cannot do with people's credentials is not the main topic, their lack of security is.
And continue to use a unsafe service put at risk ArcheRage too.
Except maybe to register the purchase of the Shadowcard here. Here is a challenge to you. Find another site that accepts Shadowcard. How does Shadowcard know your credentials are correct and how do they load the credits into your account. There is clearly a connection between the two sites. I'm sorry but you are hung up on a technology that you clearly do not understand. You don't know how (or if) your login information is stored. You don't know how Shadowcard communicates the purchase back to ArcheRage, and you have no idea how ArcheRage stores your information. The two sites are obviously connected in some way and if you are using the same credentials here and everywhere else then that is on you. I'd be more worried about your security if you use Yahoo or Walmart.com.
 

Kahmlee

Member
There is clearly a connection between the two sites. I'm sorry but you are hung up on a technology that you clearly do not understand.
I understand enough about technology, to know that make this connection using user account credentials is against all security fundamentals.

In no case those type of connections should be made using personal accounts, and defend similar approach means that you know nothing about IT security.
There are tokens and service accounts for server to server connections.


...if you are using the same credentials here and everywhere else then that is on you. I'd be more worried about your security if you use Yahoo or Walmart.com.
Now tell me, where did I said that I use same credentials everywhere?
 

Splodge

Member
Didn't say you were. I am speculating you are. You probably are but I don't expect you to admit that here. You really don't understand how this stuff works or even what the likely setup is here. Yes... normally you wouldn't use your credentials somewhere else. Now how much do you think it matters when one site owns the other? If I am installing a payment system on my website using a 3rd party application, there is no way in hell I would install it if the user had to enter his or her credentials that belonged to my site. If I, on the other hand, owned the payment gateway, it wouldn't matter one bit. It would be every bit as secure as you logging directly into my site. When you input the credentials into Shadowcard's system, you are inputting data into a page served on a secure connection. That information is obviously verified which means a couple of different things. Either the two sites are sharing a database, or Shadowcard is passing the credentials back to ArcheRage using an API, along with additional information that includes the size of the card purchased. This is really no different than when you enter your credit card information on a website. You are doing no one any service by trying to spread a false sense of fear. Just a little common sense would tell you this is a non issue. Clearly ArcheRage staff knows the credentials are being input, and clearly they are accepting this back in some way as a form of verification otherwise you could put in any username and password you wanted. And what in the world would Shadowcard.net staff do with your ArcheRage login information if they were behaving poorly? Log in to the game as you? Any complaints of that in the forums? Nope. So please give up on your attempt to discredit Shadowcard.
 

Kahmlee

Member
Didn't say you were. I am speculating you are. You probably are but I don't expect you to admit that here.
And your speculation is wrong.

Rest of your "speculation" simply means that you obviously understand nothing about internet security.

But if you are so sure that there's a valid reason to do so, you should not have any problem to bring a real example of a payment API that really needs to receive user's credentials.


You are doing no one any service by trying to spread a false sense of fear.
Is much more dangerous the false sense of security you're trying to spread.

Clearly ArcheRage staff knows the credentials are being input, and clearly they are accepting this back in some way as a form of verification otherwise you could put in any username and password you wanted.
And this is the reason why I will never send a cent to AR, until they get rid of Shadowcard and switch to a safe system.

As I said, this approach put at risk ArcheRage site too, and not only for those users that shared their credentials with Shadowcard, but also for those who never did.
If there's a similar deliberate violation of security, very likely there are other security flaws, and this potentially expose both sites to an attack.

So please give up on your attempt to discredit Shadowcard.
Is much more ridiculous your attempt to defend an insecure "payment provider" that is violating most basic principles of IT security.
 

Splodge

Member
There is no point in discussing this with you. You clearly do not have a background in this. You are speaking to someone with a significant background in this. If you have any deductive reasoning ability, you'd be able to understand the nature of Shadowcard and the relationship it has with this website. But clearly you do not. Don't quit your day job. Since you will never send a cent to AR or use Shadowcard, simply leave this discussion. This doesn't concern you and you are not adding anything of value to this discussion. Consider your further replies to be blocked. You are wasting my time.
 
Top