StellaEricsson

How to get account/L$ stolen?

Question

Hello everyone,

This is a question that has tormented me for quite some time, my problem is everyone seems to have their own opinion on this and what they don't know they make it up...

Most stores in SL will actively tell you not to accept anything from strangers because they are likely trying to steal your account/L$, but I thought in order for an object to subtract L$ from an account they need a special permission that shows in your screen in a very obvious way, right? Is there any way an object could avoid this and steal away L$ without having to ask for permission as soon as this object is worn/rezzed?

What about stealing an account? Is there a way a password can be leaked by wearing/rezzing an object on SL? Or do they just try to phish it?
I've heard people say to NEVER save the password on the viewer log in screen, they claimed that option should be abolished, how is checking the box "remember password" a possible vector for attack?

Also is it true that by listening to music a DJ can look up the IP addresses of everyone listening in and then perform an easy search to find their location?

I get a little paranoid at times as it seems an attack can come from anywhere at any time, I'm aware of clicking links sent out in chat and I never do unless I am sure of what I'm doing, but other than that sometimes I feel uneasy just walking around in SL in case I get in range of something that will compromise the security of my account in some way.

I finally thought I'd ask here as I think I will get more level heads than the general SL user on loose chat around the grid or in groups.

  • Like 1

5 answers to this question


  • 2

Ok, there is a lot to unpack here ... 

42 minutes ago, StellaEricsson said:

Most stores in SL will actively tell you not to accept anything from strangers because they are likely trying to steal your account/L$, but I thought in order for an object to subtract L$ from an account they need a special permission that shows in your screen in a very obvious way, right?

This is correct, you must grant debit permissions for an object to take L$ from you, and even then it can't see how many L$ you have.

That doesn't mean people don't just click OK! without reading the HUGE SCARY MESSAGE.

As a rule .. accepting stuff from people you don't know is fine. There are a couple of silly things that could happen, but nothing you can't undo.

Just don't grant anything debit permissions unless you are 1 million percent sure that's what you want to do.

42 minutes ago, StellaEricsson said:

Is there any way an object could avoid this and steal away L$ without having to ask for permission as soon as this object is worn/rezzed?

Nope.

42 minutes ago, StellaEricsson said:

What about stealing an account? Is there a way a password can be leaked by wearing/rezzing an object on SL?

Nope.

42 minutes ago, StellaEricsson said:

Or do they just try to phish it? I've heard people say to NEVER save the password on the viewer log in screen, they claimed that option should be abolished, how is checking the box "remember password" a possible vector for attack?

If your computer is shared, not letting anything remember passwords is a good idea .. although I think you have more to worry about with Chrome.

If your computer is not in a shared environment, having the viewer remember your password is fine.

That feature will never be abolished.

42 minutes ago, StellaEricsson said:

Also is it true that by listening to music a DJ can look up the IP addresses of everyone listening in and then perform an easy search to find their location?

They can get your IP address. But so can every website you visit, everyone you talk to via an IM app, etc etc. Your IP address is public information.

Your IP address can be used to get a vague location.

So some random DJ in SL knows roughly where a listener is, they can't tell which specific listener that IP belongs to and the accuracy is questionable at best. Not a big deal at all. Don't even think about it twice when deciding if you want to listen to some broadcast music or not.

42 minutes ago, StellaEricsson said:

I get a little paranoid at times as it seems an attack can come from anywhere at any time, I'm aware of clicking links sent out in chat and I never do unless I am sure of what I'm doing, but other than that sometimes I feel uneasy just walking around in SL in case I get in range of something that will compromise the security of my account in some way.

That can't happen. Nothing rezzed or placed in SL can lead to a breach in your account. Ever.

The very worst that can happen is someone rezzes something that causes high load / lag. Move away. Problem solved.

42 minutes ago, StellaEricsson said:

I finally thought I'd ask here as I think I will get more level heads than the general SL user on loose chat around the grid or in groups.

Good idea!

  • Like 5

  • 1
9 minutes ago, StellaEricsson said:

but I thought in order for an object to subtract L$ from an account they need a special permission that shows in your screen in a very obvious way, right? Is there any way an object could avoid this and steal away L$ without having to ask for permission as soon as this object is worn/rezzed?

There is no way to circumvent this permission request. However, many people see a button that they can click and click it without reading anything. And they are especially likely to ignore warnings when they somehow think that it's just how the (fake) gift card works, or if it is the way to get money from store XYZ.
 

12 minutes ago, StellaEricsson said:

Is there a way a password can be leaked by wearing/rezzing an object on SL?

No, there is no way a password can be retrieved using an object, scripted or not. However, what *does* work is "hey, gullible user, give me your password so I can go into sim XYZ and get money and I will share that with you!" or "go to this link, which looks like an MP link but is really a fake MP site which asks you for your password and keeps claiming it's wrong until you give up, but secretly stores your password so they can later plunder your account or use it for griefing."
(Yeah, I know that you know what phishing is, but some readers might not.)

47 minutes ago, StellaEricsson said:

I've heard people say to NEVER save the password on the viewer log in screen, they claimed that option should be abolished, how is checking the box "remember password" a possible vector for attack?

This is mostly nonsense. If you are the only user of the computer that you use to access SL, then there is no way a 3rd party can retrieve your password, other than just plain guesswork. Just don't save the password in your viewer if the computer is being used by other people as well, think of a family PC, a library computer, a school computer, or a computer in your apartment complex's community room. You wouldn't save your Facebook password in a browser on a public PC either, right?

51 minutes ago, StellaEricsson said:

 Also is it true that by listening to music a DJ can look up the IP addresses of everyone listening in and then perform an easy search to find their location?

Technically, yes. But why would they? All they can learn from that is the general area that you connect to the internet from, there is no way to gain any more information than just that. The tool used to find this information is called traceroute. See https://kb.intermedia.net/article/682 for an explanation on how to use traceroute in Windows and Mac. You can use my IP to test this traceroute with, which is 98.247.90.110, see if you can find out where I live. :D

So, in short, there is nothing to worry about. Just don't click buttons without reading first, don't accept random gift cards from total strangers. Being able to see your IP address is harmless and you are fine saving your password in your viewer (it's being stored encrypted anyway).

Hope this helps a bit. If you have other questions, just ask away.

  • Like 5

  • 1

I understand about paranoia, but the easiest way to avoid having bad things happen is to follow the basic rules that you would follow anywhere else online.  Don't share your account information with anyone, especially your password.  Don't click on links without looking for telltale signs that they are phishing exploits.  Beyond that, don't tell people any more about your RL self than you really want to.  It's none of their business.  Phishing is a real hazard, just as it is anywhere on the Internet, but just use your head and avoid suspicious-looking URLs and you'll be OK.  No, a scripted object cannot dig around and find your password.  LSL does not have that ability.  Most people lose control of their passwords because they share them indiscriminately or just don't keep their wits about them.  Don't tell your friend or your partner -- they may be ex-friends and ex-partners some day -- and never tell strangers.

You are right that any time a scripted object takes money from you, you get some kind of warning.  The LSL functions that handle money either open dialog boxes that ask you to type in an amount or offer you a set of predetermined amounts.  The LSL function that asks for PERMISSION_DEBIT displays a large yellow box that warns you that you are being asked to give the script permission to take money from your account.  All of those functions are important for managing the SL economy. If you are a merchant with vendors that will handle customer refunds, it's hard to avoid needing scripts that ask you for PERMISSION_DEBIT.

Scripts can also be used for evil purposes.  They can't hide those dialog boxes, but they can overload you with enough requests that you get confused and start clicking "Accept" to make them go away.  If you are a non-native English speaker, you can be easy prey for scripts that don't explain why they are asking permission, or who is asking.  If you are unlucky and fall for something like that, you can hope that it's a one-time event.  Once an object has received PERMISSION_DEBIT, however, it can transfer as much L$ as it wants from your account, and it can do it very quickly. Aside from keeping your eyes open and not giving permission blindly, your only real defense is to submit an AR, change your password, and notify Linden Lab that your account may have been compromised.

There's relatively little that anyone can learn from your IP address, since it is very common for people to share addresses and many routers cycle through addresses automatically.  Yes, anyone who manages a streaming data server can read your IP address quite easily.  So DJs and landowners who pipe music into SL on their own servers can do that.  That's why many SL residents keep streaming media turned off unless they are in places that they are comfortable with. My own paranoia is not great enough that I worry about such things, but YMMV.

  • Like 2
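
Added example, not part of any post above: a small Python check for the fake Marketplace links and the telltale signs of phishing that the answers mention. It assumes official Second Life pages are served from secondlife.com or its subdomains; the function name and all sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: official Second Life web pages are served from secondlife.com
# or a subdomain of it (for example marketplace.secondlife.com).
OFFICIAL_DOMAINS = ("secondlife.com",)

# Constructed sample links; the .example hosts are placeholders.
SAMPLES = [
    "https://marketplace.secondlife.com/p/some-item/12345",
    "https://marketplace.secondlife.com.shop.example/login",
    "https://marketplace.secondlife.com@shop.example/login",
    "https://marketplace-secondlife.example/login",
    "http://marketplace.secondlife.com/login",
    "https://xn--marketplce-secondlife-abc.example/login",
]


def check_link(url):
    """Return (is_official, reason) for a link received in chat or IM."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
        userinfo = parts.username is not None or parts.password is not None
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "not an https link"
    if not host:
        return False, "no host name"
    if userinfo:
        # Text before '@' is a login name, not the site: the browser goes to host.
        return False, "real host is " + host + " (text before '@' is ignored)"
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return False, "non-ASCII or punycode host, possible lookalike: " + host
    for domain in OFFICIAL_DOMAINS:
        # Exact match or a true subdomain; "secondlife.com.shop.example" fails.
        if host == domain or host.endswith("." + domain):
            return True, "host is " + host
    return False, "host is " + host + ", not an official domain"


if __name__ == "__main__":
    for link in SAMPLES:
        ok, reason = check_link(link)
        print("OK  " if ok else "STOP", link, "->", reason)
```

Only the first sample passes; the others fail because the part of the URL that decides where the browser actually goes is not the official domain, however official the rest of the link looks.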

Share this post


Link to post
Share on other sites
  • 0

I don't have a thing to add to the excellent replies.

I teach a class on Avatar Safety on Sundays, at 10 am SL Time, at Caledon Oxbridge University.  We cover all these topics, and a lot more.  It's free to attend!

(except I won't be teaching it this coming Sunday, May 12, on account of Mother's Day.)

  • Like 1
