It is time for Linden Labs to put in two factor authentication

[Bradford Mint]

2 minutes ago, Fionalein said:

There is just one problem with that argument - it is inversible: If 2FA is entirely optional it is no use - if it is enforced: who tells us others would not stop investing - don't underestimate the casual users who just pay small amounts - they still are the bulk of paying users - hassle them enough and they might get more reluctant.

2FA should be optional from the platforms perspective if the risk is to the customer.  The risk is to the customer and therefore should be available to those who would wish to reduce their risk.  Because the risk is not owned by LL, there's no interest.

To repeat: For those who pass thousands of $ through SL, additional account security should be an option.  (It should be an option for those who don't pass large sums too but just because the majority don't, doesn't negate the desire by those who do!)

[Ethan Paslong]

31 minutes ago, Bradford Mint said:

SL where the account security is weak

15 yrs of sl proves different.

[Bradford Mint]

Ah adopting the "because it hasn't happened" is always the best strategy, you're using the clover leaf methodology again.

Yeah, my car didn't get stolen when I accidentally left it unlocked in an airport car park, therefore that demonstrates that there's no need to lock a car because it doesn't get stolen.  Trying to have a sensible discussion here about account security on a platform that deals in large value assets is like trying to convince flat earthers that the world isn't flat.

I'm also pretty sure that most organisations that hadn't previously been breached had quite a wake up call when it finally happened.  Do you have any idea just how long this distinguished list of high profile breaches is?

The attitudes here are just confusing, it's almost as bad as the flat earth debates.

[Ethan Paslong]

18 minutes ago, Bradford Mint said:

The attitudes here are just confusing, it's almost as bad as the flat earth debates.

typical statement used by people who don't want to hear anything else than their own opinion.
 

[Bradford Mint]

Not at all but in both cases, in the face of evidence to the contrary and best practice, it's just odd to suggest otherwise and that's what I struggle to understand here.

[AyelaNewLife]

31 minutes ago, Bradford Mint said:

Trying to have a sensible discussion here about account security on a platform that deals in large value assets is like trying to convince flat earthers that the world isn't flat.

Pretty much. Which is weird; SL account security is objectively below standard. No 2FA, optional or otherwise, and your login username is broadcast in a box above your head, without the account name/display name sanitation that everything bar email that matters has these days. Like I don't get why people deny basic facts like this.

I honestly can't comprehend why people would complain about an optional extra layer of security. Just seems like complaining for the sake of complaining.

[Ethan Paslong]

1 hour ago, AyelaNewLife said:

I honestly can't comprehend why people would complain about an optional extra layer of security. Just seems like complaining for the sake of complaining.

because some, don't see the need for it. It makes entering SL more complicated, while the current system proved to be OK. A esier solution would be that the ones that want more protection just more often change their pw.
As soon mr Mint than responds those are flat earth supporters is just a proof he doesn't respect other opinions and only his is valid.
it has to, it must, .... no to all of those.

My suggestion : LL makes traders/merchant accounts, the ones that want can subscribe to that for lets say... 25 usd a month for more protection and security.

[AyelaNewLife]

Just now, Ethan Paslong said:

because some, don't see the need for it. It makes entering SL more complicated, while the current system proved to be OK. A esier solution would be that the ones that want more protection just more often change their pw.

Legitimate question - and I've only read this page, so this may not have been true earlier in the discussion - but did you miss the point about 2FA being opt-in?

Because yeah I agree with you about a blanket forced 2FA for every account. 2FA is a pain in the ass to manage; I use it for a handful of key services that matter, but not for accounts that personally aren't worth the hassle. But if it's opt-in, for those that want it? I can only see that as a positive.

[Bradford Mint]

25 minutes ago, Ethan Paslong said:

because some, don't see the need for it. It makes entering SL more complicated, while the current system proved to be OK. A esier solution would be that the ones that want more protection just more often change their pw.
As soon mr Mint than responds those are flat earth supporters is just a proof he doesn't respect other opinions and only his is valid.
it has to, it must, .... no to all of those.

My suggestion : LL makes traders/merchant accounts, the ones that want can subscribe to that for lets say... 25 usd a month for more protection and security.

ok so let me break this down for you:-

Changing passwords regularly is against the best practice advised. Yes you read that correctly!

Changing a password AFTER the account has had thousands of $ drained, tell me how that works?  How has that worked for the victims of other such attacks?

As for charging more for merchants, yes that may be a valid argument but how about if I get a $25 per month discount because I don't want fleximesh armatures or experiences? That's surely just as fair?

Just because some don't see the need for it, lets look at that one again...

If you own a house, do you have house insurance? Why?  Has it ever fallen down or been burgled?

Have you ever been on a holiday and taken out holiday insurance?  Why?

My main question here, do you have thousands of $ or other valuable assets in or passing through SL or are you in fact not really a stakeholder in any possible loss situation?

[Alyona Su]

This thread is still alive? I have the urge to reiterate: no need to change your password every five minutes, just use a really long one and it doesn't have to be complicated, for example, Aunty.Jane.Doe.60.01.30.Seattle <-Relative name, birthdate, city where they live. Just use a different relative for different websites.

S.I.M.

P.L.E.

[AyelaNewLife]

1 minute ago, Alyona Su said:

This thread is still alive? I have the urge to reiterate: no need to change your password every five minutes, just use a really long one and it doesn't have to be complicated, for example, Aunty.Jane.Doe.60.01.30.Seattle <-Relative name, birthdate, city where they live. Just use a different relative for different websites.

S.I.M.

P.L.E.

The bold bit is the crucial part here; password reuse is the #1 cause of "hacked" accounts of any kind.

Educational PSA: https://haveibeenpwned.com/ is a great way to check to see if your email address and a password was included in any of the major public data breaches. If so, and if you reuse passwords, change them! And mix them up.

[Alyona Su]

9 minutes ago, AyelaNewLife said:

If so, and if you reuse passwords [for multiple unrelated access points], change them! And mix them up.

~Points to quoted text above~ Most important thing about access credentials for anything and everything, not just the Internetz. But also the P.I.N. numbers on your debit and credit cards, the unlock code for your Smartphone, the access for... Oh, you all get the idea ~SNORTS~

(For those unfamiliar: in the U.S., editorial marks ("[" and "]") means it is text the editor, or in this case myself, has added for clarification - I added to @AyelaNewLife quote for clarity in what I respond to.)

Edited November 7, 2018 by Alyona Su

[Selene Gregoire]

8 hours ago, Bradford Mint said:

Experian

Do you have any idea just how often Experians DBs get hacked? 

Oh and on the last really big breach, all the non-answers/lies people were given over the phone was done by a company I refuse to ever work for again. I learned way more about Experian than I ever wanted to know. None of it good.

[Ethan Paslong]

2 hours ago, Bradford Mint said:

ok so let me break this down for you:-

Changing passwords regularly is against the best practice advised. Yes you read that correctly!

Changing a password AFTER the account has had thousands of $ drained, tell me how that works?  How has that worked for the victims of other such attacks?

As for charging more for merchants, yes that may be a valid argument but how about if I get a $25 per month discount because I don't want fleximesh armatures or experiences? That's surely just as fair?

Just because some don't see the need for it, lets look at that one again...

If you own a house, do you have house insurance? Why?  Has it ever fallen down or been burgled?

Have you ever been on a holiday and taken out holiday insurance?  Why?

My main question here, do you have thousands of $ or other valuable assets in or passing through SL or are you in fact not really a stakeholder in any possible loss situation?

clearly proved again.. you only want to hear yourself.

[Bradford Mint]

1 minute ago, Ethan Paslong said:

clearly proved again.. you only want to hear yourself.

Huh? I asked questions, nine to be exact, I solicited your responses which you've chosen not to provide. *shrugs*

[bigmoe Whitfield]

@Tommy Linden

Edited November 8, 2018 by bigmoe Whitfield
trying to edit this into a proper message and the editor keeps stalling.

[bigmoe Whitfield]

@Tommy Linden

[Qie Niangao]

14 hours ago, Fionalein said:

... If 2FA is entirely optional it is no use ...

Why?

Is it, like, a system with "weakest link" vulnerability? or ???

I've seen this argument before and never grokked the thinking behind it. (But that's not surprising, I'm obviously not in cybersecurity)

 

[AyelaNewLife]

10 hours ago, Qie Niangao said:

Why?

Is it, like, a system with "weakest link" vulnerability? or ???

I've seen this argument before and never grokked the thinking behind it. (But that's not surprising, I'm obviously not in cybersecurity)

There isn't any coherent thinking behind it.

If you leave a security feature as optional, you will have a pretty low uptake over that feature. But even if only a few percentage points of active accounts use 2FA, that's still better than having no one with 2FA; and that few percentage points of raw account numbers will cover a much larger portion of the total owned Lindens, as anyone with any kind of SL business that matters will use 2FA.

The account security we have now doesn't get degraded in any way by slapping an optional 2FA on the top, it is still a clear net gain with no disadvantage to those that choose not to use it. There's no reason to oppose it.

Edited November 8, 2018 by AyelaNewLife
reworded slightly for clarification

[KanryDrago]

38 minutes ago, AyelaNewLife said:

There isn't any coherent thinking behind it.

If you leave a security feature as optional, you will have a pretty low uptake over that feature. But even if only a few percentage points of active accounts use 2FA, that's still better than having no one with 2FA; and that few percentage points of raw account numbers will cover a much larger portion of the total owned Lindens, as anyone with any kind of SL business that matters will use 2FA.

The account security we have now doesn't get degraded in any way by slapping an optional 2FA on the top, it is still a clear net gain with no disadvantage to those that choose not to use it. There's no reason to oppose it.

There is a reason to oppose it if you dont plan to use it. Developer time is limited. This is a reason to oppose any change that you won't use.

[Morgan Kincess]

Well, guess what happened to me today after 12 years in SL without any issue? My account has been hacked (yes hacked as in they found my logins infos to log my avatar, teleported to some escort place and emptied my account there (silly way to empty an account if you ask me but whatever).

Now I wait for Linden Lab to wake up and solve my issue, and make SL more secure but maybe I'm dreaming too much that they will ever wake up.

PS: no my password wasn't easy to guess, no I didn't use some obscure 3rd party app, yes I changed my password through the years, and no I don't spend my SL money on SL escorts

[Ethan Paslong]

22 minutes ago, Morgan Kincess said:

yes hacked as in they found my logins infos to log my avatar

PS: no my password wasn't easy to guess, no I didn't use some obscure 3rd party app, yes I changed my password through the years, and no I don't spend my SL money on SL escorts

in spite of your denial it's most likeley still a phishing issue, or indirect access by people have access to your pc? ..phone? email?... double verification can be easely passed by that.

If it was a hack the forums would be exploding by people talking about it, not so likely only your account was interesting for them.

[Morgan Kincess]

2 minutes ago, Ethan Paslong said:

in spite of your denial it's most likeley still a phishing issue, or indirect access by people have access to your pc? ..phone? email?... double verification can be easely passed by that.

If it was a hack the forums would be exploding by people talking about it, not so likely only your account was interesting for them.

I'm not denying anything, just stating my facts of what happened to me today. Phishing would have meant that I clicked on some link either inworld or online which I didn't (I didn't even log that avatar in ages as I use another one). Access to my PC? If it's the case I wish to know how because I have all the security you can think of. Phone has no link with any SL activity. And my email usually notifies me if there is an access from an unknown location or device. But don't get me wrong, I want answers and find how it happened. So I'll keep on following up with LL to find out how an avatar not in use finds herself spending all my L$...

Over the years I directly heard many stories from friends who got hacked in SL (and we didn't go on the forum to chat about it). Of course I understand we don't think it's real until the day it happens to us. And that was today for me. 

PS: LL recovered the fraudulent transactions now but they disabled my account temporarily due to some "unusual and suspected unauthorized activity". 2h to solve one part of the issue: that's a good start. Well done LL. 

[AyelaNewLife]

10 minutes ago, Ethan Paslong said:

in spite of your denial it's most likeley still a phishing issue, or indirect access by people have access to your pc? ..phone? email?... double verification can be easely passed by that.

I'm not really convinced by the story that someone had remote or physical access to this person's PC/phone/primary email, and then decided to ignore the actual bank accounts or paypal accounts or anything that actually matters but instead spent lindens on Second Life escorts. If an explanation sounds absurd, it's because it is.

Proper 2FA (ie not a code sent to your email) would have most likely prevented this.

6 minutes ago, Morgan Kincess said:

PS: LL recovered the fraudulent transactions now but they disabled my account temporarily due to some "unusual and suspected unauthorized activity". 2h to solve one part of the issue: that's a good start. Well done LL. 

That's standard practice for any kind of game or service where there's an issue with contested account ownership. Lock the thing down ASAP, then take time to fix the damage and return control to only the rightful owner.

[Ethan Paslong]

27 minutes ago, Morgan Kincess said:

Over the years I directly heard many stories from friends who got hacked in SL

"hear say" is in nearly all situations far from the real truth.

i'd advice to listen again, and find out if it's not phishing, it for sure 99.999999% was hacking at the client side, NOT hacked in SL.

Edited November 9, 2018 by Ethan Paslong