Jump to content
You are about to reply to a thread that has been inactive for 288 days.

Please take a moment to consider if this thread is worth bumping.

Question

Hey, so last nigh I bought 2500 L$ with my bank account. And today I added in my paypal account also. I was wondering when will my trading limits go up at selling ..and when and how I can transfer my L$ into USD on my paypal account, because I also heard that I can't transfer my money into my bank account. But I already bought L$ with my bank account. I would love to get an answer with that and help me out with it .. my limits are 0 out of 0 at selling in 24 hours and 30 days. Thank you!

Link to post
Share on other sites

10 answers to this question

Recommended Posts

  • 0
27 minutes ago, laviflower2009 said:

Hey, so last nigh I bought 2500 L$ with my bank account. And today I added in my paypal account also. I was wondering when will my trading limits go up at selling ..and when and how I can transfer my L$ into USD on my paypal account, because I also heard that I can't transfer my money into my bank account. But I already bought L$ with my bank account. I would love to get an answer with that and help me out with it .. my limits are 0 out of 0 at selling in 24 hours and 30 days. Thank you!

Best place to start is reading this  

Your limits will change over the comming days.  This is put in place to keep you safe

https://accounts.secondlife.com/lindex/economic_limits?lang=en-US

As per the first link above you can request LL review your account to increase your limits by submitting a support case:

 

  • Like 2
Link to post
Share on other sites
  • 0

I'm betting you did not buy $L "with your bank account" directly, but went through your bank credit card instead.  Because that's the only way you could have done it.  LL does not do direct transactions with your bank account.

You can't transfer money in the other direction using a credit card, because credit cards don't work that way.  They are not designed to accept payments, except in the special case of being issued a refund.  PayPal and Skrill, on the other hand, DO allow you to move money in both directions.  Your PayPal account must be "verified"...backed up by your bank account.

Be patient.  Now that you have bought some $L, a clock starts ticking.  Your caps on buying and selling $L will be raised progressively within the next couple of weeks.

  • Thanks 1
Link to post
Share on other sites
  • 0

I took a look at how LL/Tilia verifies user identity.

It's outsourced to IdentityMind, a startup in Palo Alto, CA which does identity verification.

The page which does this leaks information to the following other sites:
 

s3.amazonaws.com
accounts-customer.secondlife.com
d3cp171vczm3hx.cloudfront.net
regtech.identitymind.store
cdn1.identitymind.com
regtech.identitymind.store
cdn1.identitymind.com
maxcdn.bootstrapcdn.com
cdnjs.cloudflare.com
ajax.googleapis.com
cdn1.identitymind.com
cdnjs.cloudflare.com
maxcdn.bootstrapcdn.com
cdn1.identitymind.com
fonts.googleapis.com
pixel.cdnwidget.com
data.cdnbasket.net
page.cdnbasket.net
view.cdnbasket.net
ids.cdnwidget.com
plugin.identitymind.com
js-agent.newrelic.com
maxcdn.bootstrapcdn.com
kyc-plugin-socketio-production.herokuapp.com
plugin.identitymind.com
cdn1.identitymind.com
restcountries.eu

Who gets told when you enter your personal information to get money out of Tilia.

IdentityMind is doing the identity verification. They actually get all your personal information. The others just know you sent it, although some might be used as attack vectors.

Blocking New Relic, which is a tracking service, breaks the process. Should not be on a security-critical page.

"cdnbasket.net" seems to be associated with Bounce Exchange, a "behavioral marketing company", according to Forbes. (You have to track through Whois to find this.)

"Since being founded in 2012, Bounce Exchange has swiftly grown to become the leader in cloud-based behavioral marketing and analytics software. Their technology has been adopted by marketers looking to shift their marketing strategy, moving away from audience segmentation and fragmented targeting to build more complete profiles of their consumers. Based on these robust profiles, marketers can execute direct marketing efforts and curated personal experiences rooted in holistic behavioral patterns, instead of focusing on very nuanced lifestyles and interests." - Forbes. That should not be on a security-critical page.

"restcountries.eu" is a service for looking up country names. Probably harmless.

kyc-plugin-socketio-production.herokuapp.com indicates that IdentityMind outsourced their computing to Heroku. Probably OK.

Cloudfront is a well known content delivery network. But this is a low-volume secure page. It doesn't need to use a CDN.

Overall, this looks like the designers were not very security conscious. Pages with crucial identity info should not be going all over the place for assets and talking to marketing trackers. Too much attack surface. A security audit is indicated.

 

  • Thanks 2
  • Sad 1
Link to post
Share on other sites
  • 0
1 hour ago, animats said:

The page which does this leaks information to the following other sites:
 

Who gets told when you enter your personal information to get money out of Tilia.

 

makes me think to the sacked eployee a while ago that warned for weaknesses in Tillia ..

  • Like 2
Link to post
Share on other sites
  • 0
21 hours ago, animats said:

I took a look at how LL/Tilia verifies user identity.

It's outsourced to IdentityMind, a startup in Palo Alto, CA which does identity verification.

The page which does this leaks information to the following other sites:
[...]

 

 

Hey, Animats. This is a good area for us to investigate. As a rule, we tightly control which partners are in a position to access personal information. I can count those vendors without running out of fingers, and none of them are marketers. You may have seen that we make liberal use of iframes to limit the scope of DOM access on any page where PII, payment data, email addresses, etc are presented. This means that even if a request shows up in the network log, it doesn't mean the third party was in a position to access the contents of the page. A hypothetical bad actor who gained control of those services could not access the personal information presented on a page with appropriate isolation.

I'm going to open up a conversation with our identity verification vendor to review their form page. I see that they have a similar approach for some of those script inclusions, such as the Google Tag Manager sandboxed in an iframe. But I want them to detail what kind of controls are in place for the A/B testing script they include from a third party, and for the additional inclusions that stem from that. I'll also push for them to add additional isolation unless they can demonstrate appropriate compensating controls.

  • Like 5
Link to post
Share on other sites
  • 0
5 minutes ago, Soft Linden said:

Hey, Animats. This is a good area for us to investigate. As a rule, we tightly control which partners are in a position to access personal information. I can count those vendors without running out of fingers, and none of them are marketers. You may have seen that we make liberal use of iframes to limit the scope of DOM access on any page where PII, payment data, email addresses, etc are presented. This means that even if a request shows up in the network log, it doesn't mean the third party was in a position to access the contents of the page. A hypothetical bad actor who gained control of those services could not access the personal information presented on a page with appropriate isolation.

I'm going to open up a conversation with our identity verification vendor to review their form page. I see that they have a similar approach for some of those script inclusions, such as the Google Tag Manager sandboxed in an iframe. But I want them to detail what kind of controls are in place for the A/B testing script they include from a third party, and for the additional inclusions that stem from that. I'll also push for them to add additional isolation unless they can demonstrate appropriate compensating controls.

Thanks. It's not that I found a security hole. It's that there's just too much third party stuff connected to a page that collects everything needed for identity theft. That page is a juicy target for attackers. Don't rely on "sandboxing". Clean out everything that does not absolutely have to be there to do the identity verification task. Reduce the attack surface on the crucial pages.

Welcome to the world of running a financial services provider. People will try to defraud you or your customers of real money. The security requirements for everything are higher,  there are regulators, and the negative publicity if you get hacked is severe.

(Incidentally, Google does not want you to put Google Tag Manager in an iframe. However, not putting Google Tag Manager in an iframe opens a huge security hole, one that has been exploited. So it probably shouldn't be on a security-critical page at all.)

  • Like 2
Link to post
Share on other sites
  • 0
22 hours ago, animats said:

I took a look at how LL/Tilia verifies user identity.

It's outsourced to IdentityMind, a startup in Palo Alto, CA which does identity verification.

The page which does this leaks information to the following other sites:
 


s3.amazonaws.com
accounts-customer.secondlife.com
d3cp171vczm3hx.cloudfront.net
regtech.identitymind.store
cdn1.identitymind.com
regtech.identitymind.store
cdn1.identitymind.com
maxcdn.bootstrapcdn.com
cdnjs.cloudflare.com
ajax.googleapis.com
cdn1.identitymind.com
cdnjs.cloudflare.com
maxcdn.bootstrapcdn.com
cdn1.identitymind.com
fonts.googleapis.com
pixel.cdnwidget.com
data.cdnbasket.net
page.cdnbasket.net
view.cdnbasket.net
ids.cdnwidget.com
plugin.identitymind.com
js-agent.newrelic.com
maxcdn.bootstrapcdn.com
kyc-plugin-socketio-production.herokuapp.com
plugin.identitymind.com
cdn1.identitymind.com
restcountries.eu

Who gets told when you enter your personal information to get money out of Tilia.

IdentityMind is doing the identity verification. They actually get all your personal information. The others just know you sent it, although some might be used as attack vectors.

Blocking New Relic, which is a tracking service, breaks the process. Should not be on a security-critical page.

"cdnbasket.net" seems to be associated with Bounce Exchange, a "behavioral marketing company", according to Forbes. (You have to track through Whois to find this.)

"Since being founded in 2012, Bounce Exchange has swiftly grown to become the leader in cloud-based behavioral marketing and analytics software. Their technology has been adopted by marketers looking to shift their marketing strategy, moving away from audience segmentation and fragmented targeting to build more complete profiles of their consumers. Based on these robust profiles, marketers can execute direct marketing efforts and curated personal experiences rooted in holistic behavioral patterns, instead of focusing on very nuanced lifestyles and interests." - Forbes. That should not be on a security-critical page.

"restcountries.eu" is a service for looking up country names. Probably harmless.

kyc-plugin-socketio-production.herokuapp.com indicates that IdentityMind outsourced their computing to Heroku. Probably OK.

Cloudfront is a well known content delivery network. But this is a low-volume secure page. It doesn't need to use a CDN.

Overall, this looks like the designers were not very security conscious. Pages with crucial identity info should not be going all over the place for assets and talking to marketing trackers. Too much attack surface. A security audit is indicated.

 

THANK YOU FOR POSTING THIS!!!!!!!

 

Screenshotting (now a word in my vocabulary) :D. 

  • Like 1
Link to post
Share on other sites
  • 0
31 minutes ago, animats said:

Thanks. It's not that I found a security hole. It's that there's just too much third party stuff connected to a page that collects everything needed for identity theft. That page is a juicy target for attackers. Don't rely on "sandboxing". Clean out everything that does not absolutely have to be there to do the identity verification task. Reduce the attack surface on the crucial pages.

Welcome to the world of running a financial services provider. People will try to defraud you or your customers of real money. The security requirements for everything are higher,  there are regulators, and the negative publicity if you get hacked is severe.

(Incidentally, Google does not want you to put Google Tag Manager in an iframe. However, not putting Google Tag Manager in an iframe opens a huge security hole, one that has been exploited. So it probably shouldn't be on a security-critical page at all.)

No disagreement on anything you've said. 

And yes, Google warns about putting their tag manager in an iframe:

Quote

Placing it in a hidden iframe [...] will prevent certain tags from accurately tracking the parent page.

But between you and me, sometimes that's a feature. :) Even where there is a business need for these tags to be present (we don't add them on this particular page ourselves), it can be helpful to minimize the granularity of information provided.

  • Like 2
Link to post
Share on other sites
You are about to reply to a thread that has been inactive for 288 days.

Please take a moment to consider if this thread is worth bumping.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Answer this question...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...