Account Theft Becoming More Common

[Chronometria]

As someone who is familiar with MMO and online games, i have seen account thefts. Virtual items and money has a lot of value and games companies release authentication programs, keyrings or phone calls to keep people's accounts in their rightful hands.

This largely was not an issue in second life, perhaps because of its age and lack of visibility or "easy money". Perhaps because it has a more adult population than many MMO's and gamer communities. However, in the last few months that seems to have changed.

As a citizen of Raglan Shire, I have seen several tinyfolk suddenly start posting phishing links - things that pretend to be marketplace login pages and that ask you to input your details. I have seen a lot of this recently and considering many people leave their payment details online and that we can simply order more linden dollars by clicking a button on screen....its a perfect target. Sadly, someone finally worked that out and is going after accounts en masse.

Its extremely upsetting when it happens, not to mention potentially financially disastrous. It isnt something that second lifers are well prepared for and i do not think the lab is making people aware as it could. So i`m posting here just to get a conversation started and to raise awareness. This isnt the usual "omg you equip this item and it takes your stuff" scare that arrives in groupchat from time to time, this is very real and currently a major concern.

At the very least, take your payment details off your account and change your password if you havent in the last half year. Dont click strange links and dont type info into any login page except one you bring up yourself.

 

Please keep safe out there and educate friends where you can.

[Amethyst Jetaime]

Good advice.  The main thing is NEVER click a link inworld unless you are absolutely sure it takes you to a legit site, especially links to MP or the SL web site.  Use your own links and look for whatever you have been asked to look at through search.

Also don't use an easy to guess pass word, one that is a combo letters and number, caps and no caps, and at least one symbol.  Change it frequently to one you never used before.

 

[Perrie Juran]

---

Chronometria wrote:

As someone who is familiar with MMO and online games, i have seen account thefts. Virtual items and money has a lot of value and games companies release authentication programs, keyrings or phone calls to keep people's accounts in their rightful hands.

This largely was not an issue in second life, perhaps because of its age and lack of visibility or "easy money". Perhaps because it has a more adult population than many MMO's and gamer communities. However, in the last few months that seems to have changed.

As a citizen of Raglan Shire, I have seen several tinyfolk suddenly start posting phishing links - things that pretend to be marketplace login pages and that ask you to input your details. I have seen a lot of this recently and considering many people leave their payment details online and that we can simply order more linden dollars by clicking a button on screen....its a perfect target. Sadly, someone finally worked that out and is going after accounts en masse.

Its extremely upsetting when it happens, not to mention potentially financially disastrous. It isnt something that second lifers are well prepared for and i do not think the lab is making people aware as it could. So i`m posting here just to get a conversation started and to raise awareness. This isnt the usual "omg you equip this item and it takes your stuff" scare that arrives in groupchat from time to time, this is very real and currently a major concern.

At the very least, take your payment details off your account and change your password if you havent in the last half year. Dont click strange links and dont type info into any login page except one you bring up yourself.

 

Please keep safe out there and educate friends where you can.

---

I'm not sure why you'd think this hasn't been an issue in SL.  It has been for a while but it ebbs and flows.  For a while it was very severe.

Phishing Scheme Dont Click The Link

But what more can LL or any service provider do?  No matter how much they warn about it people still click the links.  The appeal of a bright new shiney, especially if it's 'free,' seems to override what little good sense if any they may have.

 

[Chronometria]

Well, there is quite a lot that can be done by a provider. I would suggest some form of authentication system, such as an email authenticator which sends a "yes/no" permission request if an account logs on from an unfamiliar network. Putting that in place is likely a lot less bother than dealing with the chaos that is caused by account theft and account retrieval.

[Sassy Romano]

They could easily add two factor authentication in the first instance.

[Pamela Galli]

---

Perrie Juran wrote:

---

Chronometria wrote:

As someone who is familiar with MMO and online games, i have seen account thefts. Virtual items and money has a lot of value and games companies release authentication programs, keyrings or phone calls to keep people's accounts in their rightful hands.

This largely was not an issue in second life, perhaps because of its age and lack of visibility or "easy money". Perhaps because it has a more adult population than many MMO's and gamer communities. However, in the last few months that seems to have changed.

As a citizen of Raglan Shire, I have seen several tinyfolk suddenly start posting phishing links - things that pretend to be marketplace login pages and that ask you to input your details. I have seen a lot of this recently and considering many people leave their payment details online and that we can simply order more linden dollars by clicking a button on screen....its a perfect target. Sadly, someone finally worked that out and is going after accounts en masse.

Its extremely upsetting when it happens, not to mention potentially financially disastrous. It isnt something that second lifers are well prepared for and i do not think the lab is making people aware as it could. So i`m posting here just to get a conversation started and to raise awareness. This isnt the usual "omg you equip this item and it takes your stuff" scare that arrives in groupchat from time to time, this is very real and currently a major concern.

At the very least, take your payment details off your account and change your password if you havent in the last half year. Dont click strange links and dont type info into any login page except one you bring up yourself.

 

Please keep safe out there and educate friends where you can.

---

I'm not sure why you'd think this hasn't been an issue in SL.  It has been for a while but it ebbs and flows.  For a while it was very severe.

Phishing Scheme Dont Click The Link

But what more can LL or any service provider do?  No matter how much they warn about it people still click the links.  The appeal of a bright new shiney, especially if it's 'free,' seems to override what little good sense if any they may have.

 

---

Yes I dont see how deleting your billing info and changing your password is going to help if you just give someone your password. 

Assuming that SL is full of scammers has served to protect me well.

[Perrie Juran]



---

Chronometria wrote:

Well, there is quite a lot that can be done by a provider. I would suggest some form of authentication system, such as an email authenticator which sends a "yes/no" permission request if an account logs on from an unfamiliar network. Putting that in place is likely a lot less bother than dealing with the chaos that is caused by account theft and account retrieval.

---

That's another lovely side to it.  We regularly see people post here who can't remember the answer to their security question, the e mail address they used when they created their accounts or the phony birth date they used when they registered.  And somehow they seem to be the ones who get compromised most often.  

I know I'm sounding a bit negative here but I've also been watching this go on for years now.

[Amethyst Jetaime]

A lot of people told me their account was 'hacked'.  A good number if not the majority if asked will tell you they gave their password to their partner or a 'close' friend to let them sort out their inventory.   NEVER give your password to anyone.  You never know when you may have a falling out with that person or if they will give it to someone else.

Remember per the TOS it is YOUR responsiblity to keep your account secure. 

[Sassy Romano]

---

Perrie Juran wrote:

 

That's another lovely side to it.  We regularly see people post here who can't remember the answer to their security question, the e mail address they used when they created their accounts or the phony birth date they used when they registered.  And somehow they seem to be the ones who get compromised most often.  

---

You're not wrong Perrie but there's no reason that LL couldn't offer "enhanced security".

If you don't choose to provide an email address, a phone number, mobile phone number etc. then you won't be elligible for enhanced security but just like with Google for example, if you choose to do so, you could then secure your account using factors such as expected PC all the way to a FIDO authenticated logon using a USB token.  In the case of Google, if the token isn't present then the login requires the 2FA code which is sent to the registered mobile.  If you always use the same set of PC's, then it's more transparent.  I've just noticed that DropBox have also added FIDO to their authentication.

http://www.amazon.co.uk/Plug-up-FIDO-U2F/b/ref=bl_dp_s_web_5437159031?ie=UTF8&node=5437159031&field-lbr_brands_browse-bin=Plug-up+FIDO+U2F

I honestly don't care or weep for the discardable accounts with users who do not value their credentials and play haphazard with them and then whine that someone "hacked" (read: "I was careless") but there are users here who range from those who may just have an extensive and valued inventory through to residents for whom the loss of an account could result in the loss of their RL income.  I'd be far more concerned about a targetted attack in such a case such as when I ended up selling my L$1,000,000 poseball 27 times in one day.

It's absolutely lazy and tending towards irresponsible for providers such as LL to only offer username/password authentication, especially where RL funds are attached to the use of the account and where simple and effective alternate methods exist.

[Perrie Juran]

You do make very valid points there.

And if LL wants to attract high end "experience creators" for the next gen platform (codename: Sansar), those will be people who will perhaps expect a higher level of security.

Maybe a JIRA is called for.  Then at least publically LL can't say they weren't 'warned.'

[Sassy Romano]

2FA via mobile one time code, May 2014 https://jira.secondlife.com/browse/BUG-5753

Yubikey FIDO tokens June 2008 https://jira.secondlife.com/browse/SVC-2576

Can you feel the complacency yet Perrie?! 

 

[Perrie Juran]

---

Sassy Romano wrote:

2FA via mobile one time code, May 2014

https://jira.secondlife.com/browse/BUG-5753

Yubikey FIDO tokens June 2008 

https://jira.secondlife.com/browse/SVC-2576

Can you feel the complacency yet Perrie?! 

 

---

Soft did have a semi valid point,

"The catch is that the users who would most benefit by a feature like this are also the ones who are least likely to use it. Someone who shells out for extra security hardware typically values security enough that they have a strong, unique password already, they are careful where they store it, and they are less likely to expose their system to malware."

But I did say that he "did."

Maybe it's time to revisit this issue.

 

[Sassy Romano]

---

Perrie Juran wrote:

---

Sassy Romano wrote:

2FA via mobile one time code, May 2014

https://jira.secondlife.com/browse/BUG-5753

Yubikey FIDO tokens June 2008 

https://jira.secondlife.com/browse/SVC-2576

Can you feel the complacency yet Perrie?! 

 

---

Soft did have a semi valid point,

"

The catch is that the users who would most benefit by a feature like this are also the ones who are least likely to use it. Someone who shells out for extra security hardware typically values security enough that they have a strong, unique password already, they are careful where they store it, and they are less likely to expose their system to malware."

But I did say that he "did."

Maybe it's time to revisit this issue.

 

---

Well here's the rub, a strong password is only of any value while it's not compromised and that's the attack vector that needs addressing here.  As for "shelling out for extra security hardware", I think we can all agree that most of us have a phone capable of receiving a text message thus there's no extra hardware to purchase.

We can all try to guard our credentials but sometimes we're caught off guard, how many people challenge visitors to their organisation for ID on a routine basis, hold open a door for someone following and so on.  Social engineering is the easiest way to attack a strong password and at that point, it doesn't matter how long, strong or complex the password is, it's gone in a flash.

For Soft Linden to discard current trends as invalid because their assumed user base is more vigilant is naive in the extreme.  I hope he sticks at software development and not security architecture and identity management.  The whole security model for SL is pretty weak, all the way from authentication down to user created objects.

I doubt they'll revisit it, there's no payback to LL for doing so, the customers problems are irrelevant to LL.

[irihapeti]

---

Sassy Romano wrote:

---

For Soft Linden to discard current trends as invalid because their assumed user base is more vigilant is naive

... there's no payback to LL for doing so, the customers problems are irrelevant to LL.

---

agree about the first

and I add a pile on to the second

any kind of authentication inhibits new people from signing up in the first instance. for most sites not just SL tbf

user numbers is what motivates providers to avoid/delay implementing anything that inhibits this number from increasing

for sure site owners want to reduce the churn of after signups, but only after

i dunno why LL dont just say that 2-step authentication is required if want to move $US in/out of SL. Which is a after signup and play for a time, situation

 

[Pamela Galli]

---

irihapeti wrote:

---

Sassy Romano wrote:

---

For Soft Linden to discard current trends as invalid because their assumed user base is more vigilant is naive

... there's no payback to LL for doing so, the customers problems are irrelevant to LL.

---

agree about the first

and I add a pile on to the second

any kind of authentication inhibits new people from signing up in the first instance. for most sites not just SL tbf

user numbers is what motivates providers to avoid/delay implementing anything that inhibits this number from increasing

for sure site owners want to reduce the churn of after signups, but only after

i dunno why LL dont just say that 2-step authentication is required if want to move $US in/out of SL. Which is a after signup and play for a time, situation

 

---

 

That would be a good move -- if LL cared about protecting our accounts, which as Sassy points out is one of many things that LL does not care about. I would think they would want to avoid all the support calls it gets about it, as those cost money.