It is time for Linden Labs to put in two factor authentication

[Morgan Kincess]

they did place a L$ order for 2000L$ then they added what was on my account and spent all on one female avatar... It is the most absurd thing ever indeed as they could have done way more than TP to that place. I'm lucky in a way as they didn't touch my shop where they logged in or didn't do any inventory transfers from my business... Or really worse. Anyway, that's the story that happened to me today, and now you "heard" it too  I'll go back to spend 12 more years without issue. Have a good day all! 

[Love Zhaoying]

1 hour ago, Morgan Kincess said:

I'm not denying anything, just stating my facts of what happened to me today. Phishing would have meant that I clicked on some link either inworld or online which I didn't (I didn't even log that avatar in ages as I use another one). Access to my PC? If it's the case I wish to know how because I have all the security you can think of. Phone has no link with any SL activity. And my email usually notifies me if there is an access from an unknown location or device. But don't get me wrong, I want answers and find how it happened. So I'll keep on following up with LL to find out how an avatar not in use finds herself spending all my L$...

Over the years I directly heard many stories from friends who got hacked in SL (and we didn't go on the forum to chat about it). Of course I understand we don't think it's real until the day it happens to us. And that was today for me. 

PS: LL recovered the fraudulent transactions now but they disabled my account temporarily due to some "unusual and suspected unauthorized activity". 2h to solve one part of the issue: that's a good start. Well done LL. 

I hope you change your password to a “strong” one. Maybe you were a victim of a phishing attack (logged into a fake Second Life page)?

[Morgan Kincess]

I did change it twice this morning to insanely weird strong ones. And I am 100% sure I didn't use anything to log with that account as I don't use her so much anymore besides for my accounts (see where this could have gone terribly wrong). 

[HarrisonMcKenzie]

On 11/7/2018 at 8:20 PM, AyelaNewLife said:

SL account security is objectively below standard. No 2FA, optional or otherwise, and your login username is broadcast in a box above your head, without the account name/display name sanitation that everything bar email that matters has these days. Like I don't get why people deny basic facts like this.

So you've never used email, posted anything on any web forum or comments section, used a messaging app, or played a video game online before? Guess what? Your login name for any web service is broadcast anytime you use any web service. Hysterical panicking is hysterical.

[AyelaNewLife]

2 hours ago, HarrisonMcKenzie said:

So you've never used email, posted anything on any web forum or comments section, used a messaging app, or played a video game online before? Guess what? Your login name for any web service is broadcast anytime you use any web service. Hysterical panicking is hysterical.

Every single game I play has a separate login name (or email address) and display name, for account security. I post a review on Amazon, and my display name cannot be used to login. Every service that involves payment info of any kind, everything with monetary value, everything that matters is the same - they don't broadcast one half of your login credentials to the world. It really is Account Security 101.

My messenging apps all follow the same principal as the stuff that matters. Messenger requires a facebook login (email address), so does Discord, so does Skype. Every forum I've ever used also uses an email address to login, not your display name. It's the standard way of doing things.

Everything else doesn't matter. If someone can log in to the comments section of some online newspaper, who cares? It doesn't matter. There's no financial risk involved, you invested nothing in that 'account'. Even then, half the comments sections use some Disqus-variation, which logs you in with (you guessed it) a hidden email address, not your display name.

Email is the big exception, it's problematic and almost entirely a legacy issue. People are used to just logging in with their email address, and people don't like change, and would object to having to create a separate login account name for their email address. That's why 2FA is present for every major email provider out there, to at least partially compensate for this.

Second Life has neither. It broadcasts one half of your login credentials to the world, and has no second factor of authentication to compensate. It is objectively below standard.

There are people that don't lock their doors at night. Those people are stupid. And their stupidity is no reason to stop the rest of us from buying locks, and in most cases a bolt too. That's what your argument boils down to - there are some people that don't feel the need to have adequate security, therefore no one gets to have adequate security. It makes no sense. Stop.

Edited November 9, 2018 by AyelaNewLife
Added a bit

[Selene Gregoire]

6 hours ago, Morgan Kincess said:

Well, guess what happened to me today after 12 years in SL without any issue? My account has been hacked (yes hacked as in they found my logins infos to log my avatar, teleported to some escort place and emptied my account there (silly way to empty an account if you ask me but whatever).

Now I wait for Linden Lab to wake up and solve my issue, and make SL more secure but maybe I'm dreaming too much that they will ever wake up.

PS: no my password wasn't easy to guess, no I didn't use some obscure 3rd party app, yes I changed my password through the years, and no I don't spend my SL money on SL escorts

Ever click on any links in chat or IMs? 

[Selene Gregoire]

5 hours ago, Morgan Kincess said:

I'm not denying anything, just stating my facts of what happened to me today. Phishing would have meant that I clicked on some link either inworld or online which I didn't (I didn't even log that avatar in ages as I use another one). Access to my PC? If it's the case I wish to know how because I have all the security you can think of. Phone has no link with any SL activity. And my email usually notifies me if there is an access from an unknown location or device. But don't get me wrong, I want answers and find how it happened. So I'll keep on following up with LL to find out how an avatar not in use finds herself spending all my L$...

Over the years I directly heard many stories from friends who got hacked in SL (and we didn't go on the forum to chat about it). Of course I understand we don't think it's real until the day it happens to us. And that was today for me. 

PS: LL recovered the fraudulent transactions now but they disabled my account temporarily due to some "unusual and suspected unauthorized activity". 2h to solve one part of the issue: that's a good start. Well done LL. 

Years ago I had someone log into my account after I had gone to bed. I don't click on links in chat, save passwords on my pc or any 3rd party app, didn't own a cell phone and only one other person had access to my pc besides me, my RL other half, who was still logged in and saw the whole thing. He knew I was in bed and came and got me up. I logged in on one of my alts since I couldn't log into this account. Idiot was standing in my home on my account spamming all of my groups which caused me to be ejected from two very important groups, one of which was the support group for the vendor system I was using and never was able to get back into. I was on the phone with LL watching this jerk and had my account back within 30 minutes. One of the groups they had to kick me from was the FS support group of which I was a team member at the time. Luckily it was caught in time and the only thing he or she changed was the password. Otherwise I would have been able to log in, which would have booted them off. Then it would have been a race to change the password before they could log back in.

To this day I have never figured out HOW they managed to get into my account. There were no keyloggers on my pc or anything of the sort. My password was not an easy one to "decode". None of the "usual suspects" applied.

LL will never tell you how it was done since then you could turn around and do the same to someone else. Not saying you would, just that LL is not going to risk it.

Edited November 9, 2018 by Selene Gregoire

[mikka Luik]

1 hour ago, AyelaNewLife said:

people are stupid. And their stupidity is no reason to stop the rest of us from buying locks, and in most cases a bolt too

Thank you for that snippet. Will keep it in mind.

My only objections have been on making this compulsory (alluded to various times including for the 'merchant class' howsoever defined).

If the Lab have sufficient resources to implement this as a voluntary option - fine. Focus on 'voluntary'.

Just to hammer point home - voluntary. May be those who want could crowd fund it =^^=

[AyelaNewLife]

1 minute ago, mikka Luik said:

Thank you for that snippet. Will keep it in mind.

My only objections have been on making this compulsory (alluded to various times including for the 'merchant class' howsoever defined).

If the Lab have sufficient resources to implement this as a voluntary option - fine. Focus on 'voluntary'.

Just to hammer point home - voluntary. May be those who want could crowd fund it =^^=

I honestly think having to crowd-fund or otherwise pay for basic automated account security features is unjustifiable. Even a basic SMS-based 2FA system is "install in a day" level stuff. Sure, LL are going to want to do far more testing than that, it's not literally going to take them a single day - but this is still not a massive drain on their resources. This is stuff that one of my volunteer-run gaming communities got sorted over a single weekend, by two guys.

But yeah I'm happy for it to be opt-in, that doesn't reduce the safety of my account (or credit card).

[Bradford Mint]

Nobody has ever said it should be compulsory.

[Selene Gregoire]

2 hours ago, AyelaNewLife said:

locks, and in most cases a bolt too

Just spring boarding off your post.

Locks and bolts aren't going to keep the determined criminals out. Windows can be broken, doors kicked in or taken off hinges.

 

There is no such thing as complete security on the internet. 

[AyelaNewLife]

1 minute ago, Selene Gregoire said:

Just spring boarding off your post.

Locks and bolts aren't going to keep the determined criminals out. Windows can be broken, doors kicked in or taken off hinges.

 

There is no such thing as complete security on the internet. 

Indeed there isn't. I remember reading about a case where a German politician's fingerprints had been pulled off a photograph and used to fool a fingerprint scanner. In real life, not in a Mission Impossible movie.

However, that is no reason to keep doors unlocked. A security system doesn't have to be flawless to be worthwhile, simply raising the effort bar needed will have a massive positive effect. If it only works half the time, you've just halved the number of breaches. Surely that's worth the effort?

[Bradford Mint]

6 minutes ago, AyelaNewLife said:

Indeed there isn't. I remember reading about a case where a German politician's fingerprints had been pulled off a photograph and used to fool a fingerprint scanner. In real life, not in a Mission Impossible movie.

However, that is no reason to keep doors unlocked. A security system doesn't have to be flawless to be worthwhile, simply raising the effort bar needed will have a massive positive effect. If it only works half the time, you've just halved the number of breaches. Surely that's worth the effort?

Further to this, a finger print is not a password, it is nothing more than a PIN replacement in that just like other biometrics, it serves to unlock access to a credential which CAN be used to authenticate.

Cloning a fingerprint has been demonstrated as have other attacks on other biometrics but you still need the device with the actual credential in order to continue.  It's not just a case of taking a picture of someones fingerprint off the internet, etching a bit of metal and making a latex print and then immediately getting logged in on your local PC with finger print reader to every system that person has which are actually in secure premises.

As you rightly say, the purpose is to alter the current status which is that anyone with the knowledge of just username/password (of which one is public already), can use that information from anywhere in the world.

[Selene Gregoire]

44 minutes ago, AyelaNewLife said:

Indeed there isn't. I remember reading about a case where a German politician's fingerprints had been pulled off a photograph and used to fool a fingerprint scanner. In real life, not in a Mission Impossible movie.

However, that is no reason to keep doors unlocked. A security system doesn't have to be flawless to be worthwhile, simply raising the effort bar needed will have a massive positive effect. If it only works half the time, you've just halved the number of breaches. Surely that's worth the effort?

Never said it wasn't and didn't mean to imply it was. I'm just saying nothing is as secure as we'd like it to be. We can only do the best we can with what we have to work with. Which is why I don't access things from more than one device.

[mikka Luik]

1 hour ago, AyelaNewLife said:

I honestly think having to crowd-fund or otherwise pay for basic automated account security features is unjustifiable. Even a basic SMS-based 2FA system is "install in a day" level stuff. Sure, LL are going to want to do far more testing than that, it's not literally going to take them a single day - but this is still not a massive drain on their resources. This is stuff that one of my volunteer-run gaming communities got sorted over a single weekend, by two guys.

But yeah I'm happy for it to be opt-in, that doesn't reduce the safety of my account (or credit card).

Thank you for that, As a paying resident it is very assuring that something I have no need of will not divert resources. I am also assured that it will take a single day (well with caveats as you say so - day and a semi? =^^= ) to implement.  And reall - 2 guys over a weekend?  I would hire to fire in a New York Second

 

I remain, respectfully, stupid. Thank you for that (mea culpa - ret Sys Ad)

[Qie Niangao]

2 hours ago, mikka Luik said:

May be those who want could crowd fund it =^^=

Tell ya what: They can take it out of my share of the silly Animesh boondoggle, with plenty left over for the celebratory cake and ice cream at the next offsite. (If only they'd crowdfunded that project; see if the breedable NPC creators* would pony-up. So to speak.)

Dunno about "install in a day" but this isn't rocket science -- we're not expecting LL to invent 2FA -- and the heavy lifting was done years ago when they bolted everything to oauth.

__________
*Where "breedable" refers to the NPCs; I'd never suggest such a thing about the creators.

Edited November 9, 2018 by Qie Niangao
[ Control-Enter != Shift-Enter ]

[KanryDrago]

1 hour ago, Qie Niangao said:

Tell ya what: They can take it out of my share of the silly Animesh boondoggle, with plenty left over for the celebratory cake and ice cream at the next offsite. (If only they'd crowdfunded that project; see if the breedable NPC creators* would pony-up. So to speak.)

Dunno about "install in a day" but this isn't rocket science -- we're not expecting LL to invent 2FA -- and the heavy lifting was done years ago when they bolted everything to oauth.

__________
*Where "breedable" refers to the NPCs; I'd never suggest such a thing about the creators.

just because the heavy lifting has been done by 0Auth doesnt mean the labs use 0Auth and having done it I can sure you that depending on the system converting to 0Auth can be more than a couple of days

[Qie Niangao]

4 hours ago, KanryDrago said:

just because the heavy lifting has been done by 0Auth doesnt mean the labs use 0Auth and having done it I can sure you that depending on the system converting to 0Auth can be more than a couple of days

Right, it was claimed to be a significant effort when they did it years ago as part of a single sign on project. (I suppose it's possible they've since migrated away from that particular standard.)

Actually, now that I think about it, this all might be a good topic to ask of Oz&co at the 15 November Town Hall, if somebody wants to enter it into the question thread for that meeting.

[Kenai Harbour]

Does anyone know how vulnerable SL is to bad foreign actors using this platform to hide in order to communicate privately? 

[bigmoe Whitfield]

34 minutes ago, Kenai Harbour said:

Does anyone know how vulnerable SL is to bad foreign actors using this platform to hide in order to communicate privately? 

If people were using this for that method, we'd know, it would be all over the news. there are agencies within SL, the 3 letter words. 

[Ethan Paslong]

33 minutes ago, Kenai Harbour said:

Does anyone know how vulnerable SL is to bad foreign actors using this platform to hide in order to communicate privately? 

they all can make a accout as you did .. but i think you shouldn't worry to much about this, the USA secret organisations are known about all plug ins at social media

i meet Vladimir and Donald sometimes, mostly when they have tea with Kim

[Qie Niangao]

What possible advantage to "bad foreign actors" could SL offer over starting with an end-to-end encrypted communications app such as Signal?

[Bradford Mint]

I agree with you entirely although encryption isn't always needed. We could just as easily devise a code based upon prim locations.

The biggest problem we'd have is deciding what to wear on our avatars while playing around placing prims

[Dillon Levenque]

7 hours ago, Qie Niangao said:

What possible advantage to "bad foreign actors" could SL offer over starting with an end-to-end encrypted communications app such as Signal?

SLEX.

[Klytyna]

9 hours ago, Kenai Harbour said:

Does anyone know how vulnerable SL is to bad foreign actors using this platform to hide in order to communicate privately?

Bad foreign actors?

Yeah, we should totally ban those, especially the ones from Murika who go on to become politicians, like that cowboy movie guy "Runny Ray-Gun"...