Why Does SL Not Have 2 Factor Authentication For Accounts?

[Cristiano Midnight]

After 18 years, why does SL still not have the basic account security feature of 2 factor authentication? Considering that our accounts involve financial transactions, not having two factor authentication is scary. A friend recently had their account compromised and the person tried to buy L$ (thankfully that failed), but they were able to change the account password and buy Marketplace gacha items which they transferred to their own account.

At a minimum, signing in from a new location should force you to enter some kind of code sent to your email to authorize the login.

[Wulfie Reanimator]

Welcome to the choir.

 

 

[Kimmi Zehetbauer]

Some accounts get compromised when they get a PM for a special item on Marketplace and it's really a phishing link to collect the login info. Sometimes someone impersonating a Linden staff will PM asking to "verify" the account through a special site --- once again a phishing site. All Linden Lab staff people have "Linden" as the last name and Linden Lab Employee in the payment info box.  There are some staff that use "Mole" if they're building content in world such as Linden Homes. Also Linden staff that are in world will NOT ask for personnel/account information. That is handled through the official Helpdesk only.

The other thread mainly dealt on what method should be used for 2FA.

[bigmoe Whitfield]

still waiting on an official reply.

[Innula Zenovka]

3 hours ago, Cristiano Midnight said:

After 18 years, why does SL still not have the basic account security feature of 2 factor authentication? Considering that our accounts involve financial transactions, not having two factor authentication is scary. A friend recently had their account compromised and the person tried to buy L$ (thankfully that failed), but they were able to change the account password and buy Marketplace gacha items which they transferred to their own account.

At a minimum, signing in from a new location should force you to enter some kind of code sent to your email to authorize the login.

How big a problem is that, though?   

People's accounts get compromised for various reasons but is it so great a problem that it's worth introducing TFA?     Your friend's experience suggests that LL/Tilia' s financial protection procedures are reasonably robust, and all they suffered seems to have been some inconvenience and the loss of the gacha items (unless LL were able to recover them?).

How many people a year have their accounts compromised?    What are the odds that it might happen to me?

[Aria Aurelia]

It needs to happen because it would stop certain scams from taking place in the future for sure.

[Kimmi Zehetbauer]

Just now, Aria Aurelia said:

It needs to happen because it would stop certain scams from taking place in the future for sure.

Sadly it will not stop scams as some people fall for the phishing schemes.

[Wulfie Reanimator]

5 hours ago, Innula Zenovka said:

How big a problem is that, though?   

People's accounts get compromised for various reasons but is it so great a problem that it's worth introducing TFA?     Your friend's experience suggests that LL/Tilia' s financial protection procedures are reasonably robust, and all they suffered seems to have been some inconvenience and the loss of the gacha items (unless LL were able to recover them?).

How many people a year have their accounts compromised?    What are the odds that it might happen to me?

I genuinely don't understand. Are you saying that "2FA shouldn't be implemented because my account has never been compromised (or the chance is negligible)?"

Like.. is that it? We don't need additional security because you don't think security is currently a problem?

How do you assume 2FA is going to work? Do you think it'll be mandatory? How many have you used? What are you arguing against?

Edited July 25, 2021 by Wulfie Reanimator

[Quistess Alpha]

1 hour ago, Wulfie Reanimator said:

Like.. is that it? We don't need additional security because you don't think security is currently a problem?

At the scale LL is operating, it becomes an economics problem. On the one hand some number of people have their accounts compromised in some way per year, and that costs LL a proportional amount of money to deal with. If they implement 2fa they can expect some lesser number of people's accounts to be compromised, which will cost them proportionally less money.

Without knowing what those numbers are though, we the user-base can't really give an informed opinion about what would make the most sense. It's like city-planning; yes could add extra guard rails to tricky cliffs that someone /might/ drive off and die, but that costs money and upkeep ; if the number of actual accidents is extremely low, maybe it's not enough of a problem to merit the expense.

FWIW my 2L$ is that Tillia sorely needs 2fa, and 2fa before transferring L$ in-world or granting PERMISSION_DEBIT to a script would be nice, but 2fa on the secondlife account seems a bit much.

[Marianne Little]

1 hour ago, Quistess Alpha said:

At the scale LL is operating, it becomes an economics problem. On the one hand some number of people have their accounts compromised in some way per year, and that costs LL a proportional amount of money to deal with. If they implement 2fa they can expect some lesser number of people's accounts to be compromised, which will cost them proportionally less money.

Without knowing what those numbers are though, we the user-base can't really give an informed opinion about what would make the most sense. It's like city-planning; yes could add extra guard rails to tricky cliffs that someone /might/ drive off and die, but that costs money and upkeep ; if the number of actual accidents is extremely low, maybe it's not enough of a problem to merit the expense.

FWIW my 2L$ is that Tillia sorely needs 2fa, and 2fa before transferring L$ in-world or granting PERMISSION_DEBIT to a script would be nice, but 2fa on the secondlife account seems a bit much.

I agree with this, and the last paragraph in particular. It should already be in place.

[Innula Zenovka]

5 hours ago, Wulfie Reanimator said:

I genuinely don't understand. Are you saying that "2FA shouldn't be implemented because my account has never been compromised (or the chance is negligible)?"

Like.. is that it? We don't need additional security because you don't think security is currently a problem?

How do you assume 2FA is going to work? Do you think it'll be mandatory? How many have you used? What are you arguing against?

I'm simply asking if anyone  knows the scale of of the problem.     

That is, does anyone other than LL know how many accounts are compromised each year and what the damage is?   

I mean, all I know about accounts being stolen is that it's never happened to me or any of my friends (that I remember) in all the 14 or however many years I've been in SL, but that I now and again hear about it in the forums.

So I know for sure that it's happened at least once this year, to Cristiano's friend, who suffered the inconvenience of having to ask Support to reset their password and they lost some recently-acquired gacha items (though there's presumably a transaction record showing to whom they were transferred, so I assume LL were able to reunite the owner with their items), but that's all I know.   

It presumably happens more frequently than that, but I have no idea how often it does, and it's often good, I find, to have an idea of the magnitude of a problem before deciding how much time and effort to devote to fixing it.   

All I currently know about the  scale of the problem is that once every year or so I hear that a friend of a friend has had their account somehow compromised, and that it's happened once at least this year to Cristiano's friend.

Quite possibly it's happening all the time to someone and I never get to hear about it (no reason I should), but it's equally possible it's a misfortune that occurs once in a blue moon and  any resulting loss or damage is comparatively minor. 

I just don't know how urgent a problem it is, or whether it's worth fixing at all.     

LL, who have the facts, clearly don't think it's a serious enough problem to be worth fixing, so I'm wondering how big a problem it actually is in SL, because I'd like to know that before deciding if I think LL should devote much time and effort to something they clearly don't see as a priority.   

It may be that it's a grave problem that urgently needs attention, but it may equally well be no more than an occasional irritation, and I have no way of knowing which is the case, which is why I'm asking.     

When my credit card company recently introduced 2FA for online transactions, I welcomed it because, even though I've never myself been the  victim of credit  card fraud and identity theft, I know it's a very real danger because I know people who have been victims, and I know from news reports how frequently it happens, how much money is involved.     

I don't know, though, that SL accounts are anywhere near so attractive targets to fraudsters as are bank and credit card accounts, so what's an appropriate solution in one case may be overkill in the other.

Approximately how many accounts are compromised each year and with what results?   Anyone know?

 

Edited July 25, 2021 by Innula Zenovka

[bigmoe Whitfield]

@Kristen Linden @Monty Linden  are there any updates to 2fa?  we've not heard anything and this thread brings up people would still like the option.

[Profaitchikenz Haiku]

1 hour ago, Innula Zenovka said:

I'm simply asking if anyone  knows the scale of of the problem. 

This is something that should be applied to a lot of issues that pop up here.

[Chris Corvinus]

Oh, give me a break. Those against or questioning it need to sit this one out to really reconsider their idiotic position. 2FA should be mandatory. I’m not going into the whys of it because those same people are just going to argue and be annoying without actually thinking.

[Innula Zenovka]

3 minutes ago, Chris Nova said:

Oh, give me a break. Those against or questioning it need to sit this one out to really reconsider their idiotic position. 2FA should be mandatory. I’m not going into the whys of it because those same people are just going to argue and be annoying without actually thinking.

Generally I find it's a good idea first to have an idea of how big and how urgent a problem is before I start to consider how much time and resources to devote to fixing it, and what priority to give it.  YMMV.

 

[Chris Corvinus]

5 minutes ago, Innula Zenovka said:

Generally I find it's a good idea first to have an idea of how big and how urgent a problem is before I start to consider how much time and resources to devote to fixing it, and what priority to give it.  YMMV.

 

None of that should matter, especially when money is involved. It should be automatic. The point is to Protect and Prevent. You don’t just sit there and wait to be hacked first….good grief. Cmon.

Edited July 25, 2021 by Chris Nova

[Alwin Alcott]

1 hour ago, bigmoe Whitfield said:

this thread brings up people would still like the option.

you forgot to add "some" between "up" and "people"

just a handfull in this thread isn't really "people" but "some"

[Innula Zenovka]

Just now, Chris Nova said:

None of that should matter, especially when money is involved. It should be automatic. The point to Protect and Prevent. You don’t just sit there and wait to be hacked first….good grief. Cmon.

What money was lost here? 

15 hours ago, Cristiano Midnight said:

. A friend recently had their account compromised and the person tried to buy L$ (thankfully that failed), but they were able to change the account password and buy Marketplace gacha items which they transferred to their own account.

That doesn't suggest to me that any money was ever at risk, since the precautions LL/Tilia are already sufficiently robust, or that they were in this case, to stop the intruder from accessing and misusing the friend's payment details, and that it was only the gacha items that were stolen (and I would hope LL were able to recover them for Cris' friend, since there's a record of who received them). 

What does it suggest to you?    

 

[Chris Corvinus]

5 minutes ago, Innula Zenovka said:

What money was lost here? 

If you did your research, you would know someone lost $1700 from their bank account after getting hacked and that was this year. So yeah, it happens. And 2FA would have probably prevented that breach.

it’s common sense. Anytime money is involved, you want to vigorously protect it from hackers and phishers. If you have a system where people input their credit or debit card info, you NEED 2FA as a extra layer of protection. It’s not rocket science.

[Innula Zenovka]

59 minutes ago, Chris Nova said:

If you did your research, you would know someone lost $1700 from their bank account after getting hacked and that was this year. So yeah, it happens. And 2FA would have probably prevented that breach.

it’s common sense. Anytime money is involved, you want to vigorously protect it from hackers and phishers. If you have a system where people input their credit or debit card info, you NEED 2FA as a extra layer of protection. It’s not rocket science.

Would I really?   What were the circumstances? 

Since LL's /Tilia's precautions were sufficient to protect Cris' friend's bank account in this case, they can't be identical.  Maybe Tilia introduced additional security measures after the $1700 loss to which you refer, and that's the difference?     

The credit card I have on file with LL recently introduced TFA for online  purchases (I think all UK card issuers did at the same time), so customers of my bank, at least, who use SL already have TFA protection at that level.   

I don't know know how widespread this kind of fraud is, but I'd have thought the problem will be best addressed by the card issuers and Tilia at the point someone tries to use their card/bank/PayPal account to buy L$ rather than when they try to log in.

 

 

Edited July 25, 2021 by Innula Zenovka

[Rolig Loon]

Every year, 40,000 tons of meteoritic debris hit the Earth. Some meteorites are very large and can cause significant damage.  The Tunguska meteorite that struck Siberia in 1908, for example, flattened 2000 sq miles of forest.  They can also cause personal injury.  On 30 November 1954 in Sylacauga, Alabama, a 4-kilogram (8.8 lb) stone meteorite crashed through a roof and hit Ann Hodges in her living room after it bounced off her radio. She was badly bruised. A dog was killed by the fall of the Nakhla meteorite in Egypt, in 1911. Shortly after a 2007 impact event in Peru, there were rumors of a goat and a llama being killed by the impact. 

In addition, more than 27,000 pieces of orbital debris, or “space junk,” are tracked by the Department of Defense's global Space Surveillance Network (SSN) sensors.  According to NASA, an average of one piece of debris large enough to be catalogued has fallen back to Earth each day for the past 50 years.

Clearly, we are at risk from objects falling from the sky. Being outside, especially in convertibles, puts people at risk. Obviously, though, people can be injured by objects falling from space even if they are inside, as Ann Hodges was.  We need a robust governmental program to provide sturdy metal roofs for all buildings and to place protective canopies over all roads and public gathering areas. This will cost money, of course, but human lives (and dogs, goats, and llamas) are at stake.

[Innula Zenovka]

I can't remember when last I bought L$ so I don't know what security is like since Tilia took over that side of things.

What happens nowadays when you try to buy L$ inworld?   

I imagine if I were to try buy some with my card,  then on top of LL's precautions I'd see a popup asking me to enter a code my bank has texted me, in the same way I do when I use Amazon or order a supermarket delivery,  but that's my card (maybe all UK cards?) and I'm not sure what Tilia ask in addition to that (my mother's maiden name or something?).    I used to have to re-enter my password to buy L$, I think, but I can't remember what else was involved.

  

Edited July 25, 2021 by Innula Zenovka

[Noelle Delaunay]

5 hours ago, Innula Zenovka said:

'm simply asking if anyone  knows the scale of of the problem.   

I'm making up a wild example as comparison. A company that saves all passwords as plaintext should not be asking "well how many passwords have been stolen in the past?" before they decide to change their behaviour.

[Rowan Amore]

9 minutes ago, Innula Zenovka said:

I can't remember when last I bought L$ so I don't know what security is like since Tilia took over that side of things.

What happens nowadays when you try to buy L$ inworld?   

I imagine if I were to try buy some with my card,  then on top of LL's precautions I'd see a popup asking me to enter a code my bank has texted me, in the same way I do when I use Amazon or order a supermarket delivery,  but that's my card (maybe all UK cards?) and I'm not sure what Tilia ask in addition to that.    I used to have to re-enter my password to buy L$, I think, but I can't remember what else was involved.

  

If you purchase Ls through the viewer, you're not required to use your password.  I guess they assume you are you since you've logged in.  If you purchase them from the website, even if you ARE logged in on the website, they again ask you your password.  

Edited July 25, 2021 by Rowan Amore

[Innula Zenovka]

3 minutes ago, Noelle Delaunay said:

I'm making up a wild example as comparison. A company that saves all passwords as plaintext should not be asking "well how many passwords have been stolen in the past?" before they decide to change their behaviour.

However, any company will want to ask itself, I would have thought, before undertaking any project, what resources they'll need to code it, test it, and so on.

They'll also want to consider whether they want to devote those resources to that or to something else.     How great a nuisance is, in fact, created by the problem the project is supposed to resolve would, I think, be a major consideration in determining what priority to give it.