Make an SL authenicator

[QuinnParker]

So I am starting this thread in hopes that we can make SL more secure. I have been told that it is nealry impossible to hack an SL account but guess what, I had a frind get hacked and the only thing she did before her account got hacked was buy an item from a store in world. Now she is fighting to get her account back and isn't sure she will get it back. So here it is, make an SL authenticator App for mobile devices. So many MMO games use these and have not been hacked when using such devices. I want to know how many people would use this because I for one know I would use this to protect my account.

[Freya Mokusei]

Two-factor authentication is widely regarded as the future standard for online security. Many large eCommerce platforms, banks and other places that handle money use it already.

Unfortunately, there's no way to make suggestions to LL for new features, and considering the chaos of the login system already....

Good luck

[Venus Petrov]

My WoW account was hacked over one year ago and Blizzard quickly restored my toons.  I then ordered an authenticator from them.  While that adds some security, what also helps is to paste your username/id and password into the appropriate fields during the login process rather than keying them in.

How many people do that here?   Rhetorical.

[Perrie Juran]

---

Venus Petrov wrote:

<snip>

....what also helps is to paste your username/id and password into the appropriate fields during the login process rather than keying them in.

</snip>

---

I'd suggest that you google (or your search of choice) that advise.

[Freya Mokusei]

Yup.

Leaving information on your clipboard (after copying it) makes it very vulnerable to being read from memory.

Saving passwords in your browser is not recommended either, ditto saving the information in the SL viewer - a multitude of exploits exist for both.

Typing in the password each time has its own problems (especially if you can't guarantee the security of your machine - presumably Venus was hit with a Keylogger), but having a compromised system will lead to larger problems than just losing the odd password.

 As with all security advice, please don't just take my word for it.

[Venus Petrov]

---

Freya Mokusei wrote:

Yup.

Leaving information on your clipboard (after copying it) makes it very vulnerable to being read from memory.

Saving passwords in your browser is not recommended either, ditto saving the information in the SL viewer - a multitude of exploits exist for both.

Typing in the password each time has its own problems (especially if you can't guarantee the security of your machine - presumably Venus was hit with a Keylogger), but having a compromised system will lead to larger problems than just losing the odd password.

 As with all security advice, please don't just take my word for it.

---

I never said that I left it on my clipboard.  I don't keep it on my clipboard.

[Freya Mokusei]

That's good news. I never said since you never said where you said the data was once it was copied.

I was mostly posting out of caution - clipboard CAN still be monitored if your machine is compromised, as well as being pinched at random from specific online and offline applications.

I'm aware that this forum is read by others though, and sometimes even the most tech-savvy can be caught out on minor points.

[Perrie Juran]

---

Freya Mokusei wrote:

Yup.

Leaving information on your clipboard (after copying it) makes it very vulnerable to being read from memory.

Saving passwords in your browser is not recommended either, ditto saving the information in the SL viewer - a multitude of exploits exist for both.

Typing in the password each time has its own problems (especially if you can't guarantee the security of your machine - presumably Venus was hit with a Keylogger), but having a compromised system will lead to larger problems than just losing the odd password.

 As with all security advice, please don't just take my word for it.

---

There was a reason I suggested doing a search on the subject.  It's just not the clipboard that is vulnerable.

A half way decent keylogger will still read the password when you paste it into the form field for the password.

For someone to hack someone else's account, assuming that everything is secure on the Server's end, they have to have your password.  To obtain it requires one of seven things:

A.  A very lucky guess.

B.  An educated guess.

C.  You wrote it down where someone could see it.

D.  You shared it with someone you thought you could trust.

E.  Using a random password generator and making multiple attempts until scoring a "hit."

F.  Obtaining it through a keystroke logger.

G.  Tricking you into entering it on a spoofed web site (a phishing scheme).

There are probably others but these are the most common I know of.

Figuring out which was used against you can be difficult sometimes.  The majority of SL hacks I have read or heard about were through phishing schemes.  The fact the OP mentioned a Market Place purchase throws up a red flag for me.  Spoofed log in pages to the Market Place have been very prevalent.

Additionally, mis-information does not help protect people.  Unfortunately the copy/paste trick does not afford the level of protection some people think.  It would be great if it did, but it doesn't.  It would be a very amateur hacker who would use a key stroke logger that did not read the 'paste.'

On a last note here, with the Holidays right around the corner, sadly, I am expecting that we will see a huge increase in Phishing attempts.  Don't click the link.

 

eta:clarity, typos

 

 

 

[Venus Petrov]

All good advice.  I have an excellent anti-keylogger software I run weekly, too.  I also always create strong passwords.  All we can do is the best we can do to push off anyone with malicious intentions.

[Perrie Juran]

---

Venus Petrov wrote:

  All we can do is the best we can do to push off anyone with malicious intentions.

---

Agreed. 

My bigger concern is that people don't have a false sense of security. That is where at least in my opinion people get burned.  When they think that they aren't vulnerable.

 

[Solar Legion]

Indeed - using Blizzard as an example, Authenticator "secured" accounts can still be hijacked. Heck, they have MULTIPLE levels of security: Initial, basic toke, the Authenticator, an SMS Protection feature and as a last ditch effort a lockout which forces you to either reset your password or call Blizzard directly.

 

Some places only use the SMS Protection style of security (Steam Guard as an example) and have varying degrees of success with them.

 

While the basic method Linden Lab employs is rather weak, it still has its success.

 

That said, while some want more security built into the backend servers and clients, what they fail to realize at this point is that building such into the system would require a total rewrite of the log in server system as well as a rewrite of the relevant code in the client - a rewrite I might add that, for security purposes, Linden Lab could never share with Third Party client developers ... Not even as an obfuscated, "black box" style code packet that MUST be present, pass all checksums and be utterly unedited.

 

Linden Lab Open Sourced the client systems - the window of opportunity to add in additional security has closed.

[GothGirl Demonia]

---

QuinnParker wrote:

So I am starting this thread in hopes that we can make SL more secure. I have been told that it is nealry impossible to hack an SL account but guess what, I had a frind get hacked and the only thing she did before her account got hacked was buy an item from a store in world. Now she is fighting to get her account back and isn't sure she will get it back. So here it is, make an SL authenticator App for mobile devices. So many MMO games use these and have not been hacked when using such devices. I want to know how many people would use this because I for one know I would use this to protect my account.

---

I agree this is a problem with Second Life, I will tell you how easy it is to compromise another users account.

Lets talk about Physical access to a users computer and hacking a persons account technically not hacking okay...

1.) But lets say I have my friends computer and want to compromise their account, All I have to do is go into the %APPDATA% Directory copy their files if they have the saved login information and password saved copy it to any computer FREE access to the persons account, and lets not forget if that user has PayPal information saved with billing on their account imagine what I could do with it. (Speaking in theory I would never do this, but want to point out this compromise issue.)

2.) Even if the user can't access a users physical computer saved "MD5" File information can be illegally copied via remote access or worse of all a "Compromised Viewer" Viewers are Open Sourced which is a great thing, but even TPV's not downloaded from official sites, someone offering better features like Nimble, or Bug features in custom viewers online can be compromised let alone Linden Lab says on their TPV viewer directory site that they can't insure the safety of its users so by using their viewer if it ever got compromised you could have you're account hacked just like mine was 50k Items mysteriously erased from inventory and some Griefer did some crap to some people, I know the group of individuals behind it and have my account, but the problem is my system turned up clean, so it was likely a viewer update/Mod I installed and updated used it for many years one of them was not clean I suspect and that ruined an account I had for years "Linden Lab" Unable to restore anything.

But anyways Imagine if a person uses any type of SL clients,Viewers, Proxy, or Mods/Plug-IN what can happen to you're account if it gets hacked even if you spent thousands of dollars on merchants goodbye if you're inventory gets deleted.

3.) Lets talk about Stealing money in Second Life how easy it is, Lets assume (X) Vendor company sold vendors which merchants use to sell products to people and made a very popular system let it run for many years imagine what would happen if every merchant using the vendor on Second Life woke up one day to see that all their L$ Hundreds of Thousands of L$ is Gone from their account because they legally gave debt permission to the vendor/object with scripts they could not see.

4.) Lets not forget about Spyware in Second Life imagine what it would be like if TPV developers put hidden code in their viewers to spy on residents similar to RLV, but imagine what would occur if a resident could obtain someones "Session ID" I have heard many rumors about this in fact I have seen people "Hack" Other peoples accounts in Tests no name disclosed to make their avatar do things that normally could not be done. However I am talking about hidden code to do things like Read peoples IM's illegally, or spy on their location via a grid wide radar.

These are the Top 3 Security Risks I fear on players/users accounts, and to be honest World OF Warcraft is way more secure. I remember years ago my WOW account was compromised due to using an add-on a script in one of the popular mods on Curse gaming ended up having a keylogger similar to what occur with me when I updated my SL Viewer then it gets hacked less than 24 hours after an update I knew what it likely was. Anyways now my wow account can't get jacked should anyone ever use a keylogger because I have keychain authinticator on my account, although I do know more and keep my PC as secure as possible there are ways to compromise accounts, thing is Blizzard restore my account that I pay $17 a month for where Linden Lab couldn't restore anything and I paid more than $20 a month for it not including land and tier fees.

I am not saying TPV's do this at all but you never know what will occur on you're next update.

Linden Lab has serious security issues I wish they would fix, and until then me and a bunch of my friends have dropped from the grid because we see what Second Life is like these days full of Griefers, Hackers, Botters, Privacy Violaters, but worse of all users who compromise others accounts.