Still not getting paid and no way to fix it in the meantime
So I wrote about how I’m not getting Medium payments here:
Medium’s response is that they cannot pay me because they don’t have any control over Stripe security. Huh? I work in cybersecurity and that response makes no sense.
But the bigger problem is I still don’t have an answer to the question:
What is the email or account you are using to send payments to Stripe?
Because no matter what email I try at Stripe it says that account doesn’t exist.
I asked Medium again for that information so I know which account to ask Stripe about. Otherwise, Stripe probably has no idea how to figure out which Stripe account is linked to my Medium account.
Also, if someone maliciously swapped my Stripe account linkage on Medium, I’m not going to have any information about the malicious account to contact Stripe. Not saying that’s what happened, just that the Medium response is not helpful.
I could try to link a new Stripe account, but there seems to be no way to do that and support didn’t provide that option. That option could be risky to grant via email, as that would be ripe for phishing attacks.
Hoping Medium will provide a secure way to do that on their website as soon as possible. And the ability to log in with YubiKeys as a second factor.
How both sides of an integration can lead to a security problem
Here’s why blaming Stripe’s security for the problem doesn’t make sense.
A security problem on either side of an integration can result in a data breach or security incident.
If you are integrating with another vendor and you misconfigure your side, or you have a security vulnerability on your side that lets in attackers (or malicious insiders) who can leverage credentials, change, or steal data, your company will be the source of the security problem.
In that scenario, something on the Medium side could have changed my Stripe integration to an alternate account. I don’t know because I can’t seem to find anywhere I can view that linkage to see if some rogue account is linked to Medium.
Also consider the following, related to the data breach that got me into security that I wrote about in my last post. What if an attacker had a way to alter systems such that I got an email and view saying I received $2, when in fact my payout was much higher and someone internally or attacking the system was redirecting a portion of my payments elsewhere?
I doubt that’s happening, because an attacker would have to be showing me a fake Medium payout page and send the corresponding fake email and get the matching account to show up in my Stripe account. Oh but wait. I’m not getting my payments now… how could someone be showing me fake pages? Well, cache poisoning attacks for one thing. James Kettle has written and spoken about numerous ways to attack caches, and I’ve seen some behavior that appears to be caching on Medium.
I was just looking back on past payments and they were higher even though I’m getting a lot more hits recently. It all seems odd to me but I’m not going to worry about it because none of the amounts are worth my time. But to an attacker aggregating a bunch of small amounts from different Medium writers, it certainly could be.
Until I know that my original account that I signed up on Stripe with to use with Medium is still intact, I don’t know if the problem is with Medium or not. So unless they can provide the Stripe account information so I can verify that, I’m not sure where the problem lies.
The same thing could have happened at Stripe. Someone could have swapped my Stripe account linkage with Medium to a different Stripe account, given enough access. Or if Stripe had some kind of breach where they got into my account, perhaps they started sending payments to an alternate bank account. Perhaps Stripe figured out it was a malicious bank account and shut down my account.
Unfortunately I do not have enough information to determine what actually happened. I’m just presenting some threat modeling and explaining why blaming Stripe support doesn’t make sense.
At least from my standpoint, I don’t have enough information to come to that conclusion. And also, I still don’t have any way to fix or get into my Stripe account that is linked to Medium because I don’t know what account it is.
Probably…
I’m guessing I just don’t remember the information about the Stripe account I linked up with Medium. But I have no way to know because I can’t see any information about my Stripe account in Medium.
It is very odd, though, that I haven’t touched any of it or even logged in and I simply stopped getting paid.
Hoping they can provide the Stripe account information.
In the meantime, going to scour my records for any information on what the Stripe account was I used to sign up with Medium. Pretty sure I have that written down somewhere…
Teri Radichel
© 2nd Sight Lab 2022