It is time for Linden Labs to put in two factor authentication


You are about to reply to a thread that has been inactive for 1945 days.

Please take a moment to consider if this thread is worth bumping.

Recommended Posts

2 minutes ago, Fionalein said:

There is just one problem with that argument: it is reversible. If 2FA is entirely optional it is no use; if it is enforced, who tells us others would not stop investing? Don't underestimate the casual users who just pay small amounts; they are still the bulk of paying users. Hassle them enough and they might get more reluctant.

2FA should be optional from the platform's perspective if the risk is to the customer. The risk is to the customer and therefore it should be available to those who would wish to reduce their risk. Because the risk is not owned by LL, there's no interest.

To repeat: For those who pass thousands of $ through SL, additional account security should be an option.  (It should be an option for those who don't pass large sums too but just because the majority don't, doesn't negate the desire by those who do!)


Ah, adopting "because it hasn't happened" is always the best strategy; you're using the clover leaf methodology again.

Yeah, my car didn't get stolen when I accidentally left it unlocked in an airport car park, therefore that demonstrates that there's no need to lock a car because it doesn't get stolen.  Trying to have a sensible discussion here about account security on a platform that deals in large value assets is like trying to convince flat earthers that the world isn't flat.

I'm also pretty sure that most organisations that hadn't previously been breached had quite a wake up call when it finally happened.  Do you have any idea just how long this distinguished list of high profile breaches is?

The attitudes here are just confusing, it's almost as bad as the flat earth debates.


31 minutes ago, Bradford Mint said:

Trying to have a sensible discussion here about account security on a platform that deals in large value assets is like trying to convince flat earthers that the world isn't flat.

Pretty much. Which is weird; SL account security is objectively below standard. No 2FA, optional or otherwise, and your login username is broadcast in a box above your head, without the account name/display name sanitation that everything bar email that matters has these days. Like I don't get why people deny basic facts like this.

I honestly can't comprehend why people would complain about an optional extra layer of security. Just seems like complaining for the sake of complaining.


1 hour ago, AyelaNewLife said:

I honestly can't comprehend why people would complain about an optional extra layer of security. Just seems like complaining for the sake of complaining.

Because some don't see the need for it. It makes entering SL more complicated, while the current system has proved to be OK. An easier solution would be that the ones that want more protection just change their password more often.
As soon as Mr Mint then responds that those are flat earth supporters, it is just proof he doesn't respect other opinions and only his is valid.
it has to, it must, .... no to all of those.

My suggestion: LL makes trader/merchant accounts, and the ones that want can subscribe to that for, let's say, 25 USD a month for more protection and security.


Just now, Ethan Paslong said:

Because some don't see the need for it. It makes entering SL more complicated, while the current system has proved to be OK. An easier solution would be that the ones that want more protection just change their password more often.

Legitimate question - and I've only read this page, so this may not have been true earlier in the discussion - but did you miss the point about 2FA being opt-in?

Because yeah I agree with you about a blanket forced 2FA for every account. 2FA is a pain in the ass to manage; I use it for a handful of key services that matter, but not for accounts that personally aren't worth the hassle. But if it's opt-in, for those that want it? I can only see that as a positive.


25 minutes ago, Ethan Paslong said:

Because some don't see the need for it. It makes entering SL more complicated, while the current system has proved to be OK. An easier solution would be that the ones that want more protection just change their password more often.
As soon as Mr Mint then responds that those are flat earth supporters, it is just proof he doesn't respect other opinions and only his is valid.
it has to, it must, .... no to all of those.

My suggestion: LL makes trader/merchant accounts, and the ones that want can subscribe to that for, let's say, 25 USD a month for more protection and security.

ok so let me break this down for you:-

Changing passwords regularly is against the best practice advised. Yes you read that correctly!

Changing a password AFTER the account has had thousands of $ drained, tell me how that works?  How has that worked for the victims of other such attacks?

As for charging more for merchants, yes that may be a valid argument but how about if I get a $25 per month discount because I don't want fleximesh armatures or experiences? That's surely just as fair?

Just because some don't see the need for it, let's look at that one again...

If you own a house, do you have house insurance? Why?  Has it ever fallen down or been burgled?

Have you ever been on a holiday and taken out holiday insurance?  Why?

My main question here, do you have thousands of $ or other valuable assets in or passing through SL or are you in fact not really a stakeholder in any possible loss situation?


This thread is still alive? I have the urge to reiterate: no need to change your password every five minutes, just use a really long one and it doesn't have to be complicated, for example, Aunty.Jane.Doe.60.01.30.Seattle <-Relative name, birthdate, city where they live. Just use a different relative for different websites.

S.I.M.

P.L.E.


1 minute ago, Alyona Su said:

This thread is still alive? I have the urge to reiterate: no need to change your password every five minutes, just use a really long one and it doesn't have to be complicated, for example, Aunty.Jane.Doe.60.01.30.Seattle <-Relative name, birthdate, city where they live. Just use a different relative for different websites.

S.I.M.

P.L.E.

The bold bit is the crucial part here; password reuse is the #1 cause of "hacked" accounts of any kind.

Educational PSA: https://haveibeenpwned.com/ is a great way to check to see if your email address and a password was included in any of the major public data breaches. If so, and if you reuse passwords, change them! And mix them up.

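How the password half of that check works under the hood, as an added example that is not part of the original post and not haveibeenpwned.com's own client code: the Pwned Passwords service is queried with only the first five hex characters of the SHA-1 of the password (k-anonymity), and the match against the remaining 35 characters is done locally, so the password itself never leaves your machine. The range response below is constructed for the demonstration (the count for "password" is made up and the real figure changes as breaches are added); the live fetcher is included for real use but the offline demo never calls it. The email-address breach lookup is a separate, authenticated API and is not shown.

```python
"""Pwned Passwords range check with k-anonymity (added example, not HIBP's own client code)."""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

RANGE_API = "https://api.pwnedpasswords.com/range/"  # real endpoint; the offline demo never calls it


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Hash the password with SHA-1 and split the upper-case hex digest into the
    5-character prefix that is sent to the service and the 35-character suffix
    that stays on this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_body(body: str) -> Dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines of a range response into a dict.
    Padded responses also contain suffixes with a count of 0; keeping them is harmless."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.strip().isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appears in the corpus (0 if never seen).
    Only the 5-character prefix reaches fetch_range; the suffix match is local."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_body(fetch_range(prefix)).get(suffix, 0)


def http_fetch_range(prefix: str) -> str:
    """Live fetcher for real use. Add-Padding hides the true number of lines from
    anyone watching response sizes on the wire."""
    req = urllib.request.Request(
        RANGE_API + prefix,
        headers={"Add-Padding": "true", "User-Agent": "range-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response for prefix 5BAA6 (SHA-1 of "password" is
# 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8). The counts are invented for the demo.
SAMPLE_RANGES = {
    "5BAA6": "\n".join([
        "0" * 34 + "1:0",                               # padding-style zero-count line
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",  # suffix for "password"
        "F" * 34 + "2:17",                              # some other leaked password
    ])
}


def offline_fetch_range(prefix: str) -> str:
    """Stand-in for http_fetch_range that only knows the constructed sample above."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "Aunty.Jane.Doe.60.01.30.Seattle"):
        print(pw, "->", pwned_count(pw, offline_fetch_range), "hits")
```

Swap `offline_fetch_range` for `http_fetch_range` to query the real service. A non-zero count means the exact password is in a public dump and should be treated as already compromised, whatever its length; a zero count says nothing about how guessable it is.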

9 minutes ago, AyelaNewLife said:

If so, and if you reuse passwords [for multiple unrelated access points], change them! And mix them up.

~Points to quoted text above~ Most important thing about access credentials for anything and everything, not just the Internetz. But also the P.I.N. numbers on your debit and credit cards, the unlock code for your Smartphone, the access for... Oh, you all get the idea ~SNORTS~

(For those unfamiliar: in the U.S., editorial marks ("[" and "]") means it is text the editor, or in this case myself, has added for clarification - I added to @AyelaNewLife quote for clarity in what I respond to.)

Edited by Alyona Su

8 hours ago, Bradford Mint said:

Experian

Do you have any idea just how often Experian's DBs get hacked?

Oh and on the last really big breach, all the non-answers/lies people were given over the phone was done by a company I refuse to ever work for again. I learned way more about Experian than I ever wanted to know. None of it good.


2 hours ago, Bradford Mint said:

ok so let me break this down for you:-

Changing passwords regularly is against the best practice advised. Yes you read that correctly!

Changing a password AFTER the account has had thousands of $ drained, tell me how that works?  How has that worked for the victims of other such attacks?

As for charging more for merchants, yes that may be a valid argument but how about if I get a $25 per month discount because I don't want fleximesh armatures or experiences? That's surely just as fair?

Just because some don't see the need for it, let's look at that one again...

If you own a house, do you have house insurance? Why?  Has it ever fallen down or been burgled?

Have you ever been on a holiday and taken out holiday insurance?  Why?

My main question here, do you have thousands of $ or other valuable assets in or passing through SL or are you in fact not really a stakeholder in any possible loss situation?

Clearly proved again... you only want to hear yourself.


14 hours ago, Fionalein said:

... If 2FA is entirely optional it is no use ...

Why?

Is it, like, a system with "weakest link" vulnerability? or ???

I've seen this argument before and never grokked the thinking behind it. (But that's not surprising, I'm obviously not in cybersecurity)


10 hours ago, Qie Niangao said:

Why?

Is it, like, a system with "weakest link" vulnerability? or ???

I've seen this argument before and never grokked the thinking behind it. (But that's not surprising, I'm obviously not in cybersecurity)

There isn't any coherent thinking behind it.

If you leave a security feature as optional, you will have a pretty low uptake over that feature. But even if only a few percentage points of active accounts use 2FA, that's still better than having no one with 2FA; and that few percentage points of raw account numbers will cover a much larger portion of the total owned Lindens, as anyone with any kind of SL business that matters will use 2FA.

The account security we have now doesn't get degraded in any way by slapping an optional 2FA on the top, it is still a clear net gain with no disadvantage to those that choose not to use it. There's no reason to oppose it.

Edited by AyelaNewLife
reworded slightly for clarification

38 minutes ago, AyelaNewLife said:

There isn't any coherent thinking behind it.

If you leave a security feature as optional, you will have a pretty low uptake over that feature. But even if only a few percentage points of active accounts use 2FA, that's still better than having no one with 2FA; and that few percentage points of raw account numbers will cover a much larger portion of the total owned Lindens, as anyone with any kind of SL business that matters will use 2FA.

The account security we have now doesn't get degraded in any way by slapping an optional 2FA on the top, it is still a clear net gain with no disadvantage to those that choose not to use it. There's no reason to oppose it.

There is a reason to oppose it if you don't plan to use it. Developer time is limited. This is a reason to oppose any change that you won't use.


Well, guess what happened to me today after 12 years in SL without any issue? My account has been hacked (yes, hacked, as in they found my login info, logged in as my avatar, teleported to some escort place and emptied my account there; silly way to empty an account if you ask me, but whatever).

Now I wait for Linden Lab to wake up and solve my issue, and make SL more secure but maybe I'm dreaming too much that they will ever wake up.

PS: no my password wasn't easy to guess, no I didn't use some obscure 3rd party app, yes I changed my password through the years, and no I don't spend my SL money on SL escorts


22 minutes ago, Morgan Kincess said:

yes, hacked, as in they found my login info, logged in as my avatar

PS: no my password wasn't easy to guess, no I didn't use some obscure 3rd party app, yes I changed my password through the years, and no I don't spend my SL money on SL escorts

In spite of your denial it's most likely still a phishing issue, or indirect access by people who have access to your PC? Phone? Email? Double verification can be easily passed by that.

If it was a hack the forums would be exploding with people talking about it; it's not so likely only your account was interesting to them.


2 minutes ago, Ethan Paslong said:

In spite of your denial it's most likely still a phishing issue, or indirect access by people who have access to your PC? Phone? Email? Double verification can be easily passed by that.

If it was a hack the forums would be exploding with people talking about it; it's not so likely only your account was interesting to them.

I'm not denying anything, just stating my facts of what happened to me today. Phishing would have meant that I clicked on some link either inworld or online which I didn't (I didn't even log that avatar in ages as I use another one). Access to my PC? If it's the case I wish to know how because I have all the security you can think of. Phone has no link with any SL activity. And my email usually notifies me if there is an access from an unknown location or device. But don't get me wrong, I want answers and find how it happened. So I'll keep on following up with LL to find out how an avatar not in use finds herself spending all my L$...

Over the years I directly heard many stories from friends who got hacked in SL (and we didn't go on the forum to chat about it). Of course I understand we don't think it's real until the day it happens to us. And that was today for me. 

PS: LL recovered the fraudulent transactions now but they disabled my account temporarily due to some "unusual and suspected unauthorized activity". 2h to solve one part of the issue: that's a good start. Well done LL. 


10 minutes ago, Ethan Paslong said:

in spite of your denial it's most likeley still a phishing issue, or indirect access by people have access to your pc? ..phone? email?... double verification can be easely passed by that.

I'm not really convinced by the story that someone had remote or physical access to this person's PC/phone/primary email, and then decided to ignore the actual bank accounts or paypal accounts or anything that actually matters but instead spent lindens on Second Life escorts. If an explanation sounds absurd, it's because it is.

Proper 2FA (i.e. not a code sent to your email) would have most likely prevented this.

6 minutes ago, Morgan Kincess said:

PS: LL recovered the fraudulent transactions now but they disabled my account temporarily due to some "unusual and suspected unauthorized activity". 2h to solve one part of the issue: that's a good start. Well done LL. 

That's standard practice for any kind of game or service where there's an issue with contested account ownership. Lock the thing down ASAP, then take time to fix the damage and return control to only the rightful owner.


27 minutes ago, Morgan Kincess said:

Over the years I directly heard many stories from friends who got hacked in SL

"Hearsay" is in nearly all situations far from the real truth.

I'd advise listening again and finding out if it's not phishing; it for sure 99.999999% was hacking on the client side, NOT hacked in SL.

Edited by Ethan Paslong
