It is time for Linden Labs to put in two factor authentication

[Kytten Lebed]

For several years now many of the large MMO games have had some form of two factor authentication.  Whether it be a physical token giving an authentiation number in addition to your password or the use of an authenticator app, or merely an email being sent in case the log in comes from an IP address your account does not log in from normally and making you authorize the log in before it can, it is time for Linden Labs to implement the same for Second Life.

Every day you get these bots which are hacked accounts sending messages to multiple groups asking for money, or bots sending out malicious URL's hoping to catch people clicking links randomly or sending out malicious items that once opened or worn will wipe out a person's linden amount.  It's becoming almost "wild west" like.

And even those of us who have never been hacked and are scrupulous about security are affected at least indirectly because we get bombarded by these things, many times multiple times a day.

There really is no good reason not to have two factor authorization of some sort to be able to log in to SL.  I can't imagine it would take many resources for LL to write an iOS and Android app to authenticate or even just use the Google Authenticator.  It really would reduce malicious activity greatly and provide a safer and more enjoyable in world experience for everyone.

[bigmoe Whitfield]

"hacking" of accounts is not taking place.  it is accounts being phished,  that means users are clicking links they think are legit and giving the bad guys their informations, if SL was being hacked, LL would do what they did in 2006, where they made everybody change their password.   so there is no "hack" , now onto your 2 step idea.  while that;'s doable,  I suspect at this late in the game they will not implement it.  

[Sassy Romano]

---

bigmoe Whitfield wrote:

"hacking" of accounts is not taking place.  it is accounts being phished,  that means users are clicking links they think are legit and giving the bad guys their informations, if SL was being hacked, LL would do what they did in 2006, where they made everybody change their password.   so there is no "hack" , now onto your 2 step idea.  while that;'s doable,  I suspect at this late in the game they will not implement it.  

---

Two factor authentication would alleviate the phising and given that there's potential for RL sums of money to be stolen, there's really no excuse for LL NOT to do this, it's not that complex given the number of auhenticators and APIs available.  Passwords are just too weak today.

As far as being late in the day, this should be a must have element for their next platform and so the code re-use would be easy.

[Qie Niangao]

---

Sassy Romano wrote:

Two factor authentication would alleviate the phising and given that there's potential for RL sums of money to be stolen, there's really no excuse for LL NOT to do this, it's not that complex given the number of auhenticators and APIs available.  Passwords are just too weak today.

As far as being late in the day, this should be a must have element for their next platform and so the code re-use would be easy.

---

Totally agreed. I'd just add: It's really tablestakes at this point, so if it doesn't have 2-factor authentication out of the box, the industry will (rightly) consider Sansar a pathetic joke. True, the industry has long thought Second Life a pathetic joke, so leaving our logins vulnerable is just par for the course, I suppose.

It is surprising, though, that none of the remaining SL-developers are pushing to do this. I mean, it's a much more marketable resume item than, say, adding another tweak to an obsolete rendering pipeline.

[Alwin Alcott]

yes ánd no...

the ones who are so "clever" to enter their info at malicious sites will do the same as now... happely typing their paswords and other info...

Don't forget Hackers, terrorists and other criminals are always ten steps further than implemented software/security.

 

And it's true, there is no hacking, or at least not that we know about. All who come shouting they'r locked out or "robbed " here are phished, sometimes even by their own home mates/family because they are too lazy to enter their pw manually.

Some idi*ts, i don't have another word for it, even give their CC or paypal info to others... :"i trust them fully" ( after a week)

 

[Pamela Galli]

---

Sassy Romano wrote:

---

bigmoe Whitfield wrote:

"hacking" of accounts is not taking place.  it is accounts being phished,  that means users are clicking links they think are legit and giving the bad guys their informations, if SL was being hacked, LL would do what they did in 2006, where they made everybody change their password.   so there is no "hack" , now onto your 2 step idea.  while that;'s doable,  I suspect at this late in the game they will not implement it.  

---

Two factor authentication would alleviate the phising and given that there's potential for RL sums of money to be stolen, there's really no excuse for LL NOT to do this, it's not that complex given the number of auhenticators and APIs available.  Passwords are just too weak today.

As far as being late in the day, this should be a must have element for their next platform and so the code re-use would be easy.

---

May I quote this as a lab chat question? Maybe if several of us asked about it?

[Sassy Romano]

---

Alwin Alcott wrote:

yes ánd no...

the ones who are so "clever" to enter their info at malicious sites will do the same as now... happely typing their paswords and other info...

Don't forget Hackers, terrorists and other criminals are always ten steps further than implemented software/security.

 

---

Maybe you miss the point?  That fake site might get their username/password but wouldn't have the required server side component to generate or handle the token challenge, without this, the user credentials would be worthless to authenticate to Second Life.

 

[Sassy Romano]

---

Pamela Galli wrote:

 

May I quote this as a lab chat question? Maybe if several of us asked about it?

---

Sure, as long as you're prepared to hear just *crickets* afterwards :matte-motes-zipped:

[Pamela Galli]

Well maybe you had best ask, since I noticed you just mentioned "server side component" which tells me I don't quite understand the subject.

[Alwin Alcott]

---

Sassy Romano wrote:

Maybe you miss the point? 

---

no i .. if you see how many people respond to the phishing emails from fake banks giving out their social security numbers, bank codes, CC verification codes... even send them the cards, and so on.., as they serve you a drink it's a dream to think 3way verification will prevent the people being phished.

[Freya Mokusei]

---

bigmoe Whitfield wrote:

 that means users are clicking links they think are legit and giving the bad guys their informations

---

Well, sure, that's one way. Phishing has increased in recent years, as it turns out that there's a reasonably easy profit to be made here, for a combination of reasons that I'm hesitant to post. (Users familiar with the reclamation process will probably see why SL accounts are low risk, high reward) The easy/short answer for services in wind-down is that as support, moderation and development incentive wanes and staff get assigned to other platforms/projects, we're left with our posteriors facing the breeze - scams get harder to remove, the priority of resolving abuse issues gets lowered (common to hear reports of this happening already in users' perception). As time goes on, more users suffer losses than usual, and trust in the platform erodes.

The other way that accounts get stolen is through exploited trust via 'friends', and two-factor would prevent this almost entirely. Passwords can be swapped, and this seems low-risk to some (esp. new users, and those in relationships with 'trust'/'expectation' of openness) and that ALWAYS backfires, causing frustration at a minimum and financial losses and abandoned accounts beyond this. After telling new users NOT to give out passwords for over a decade, at some point we have to try a new tack.

It's easy (and most common) to blame the user in both scenarios but at some point, regardless of whose 'fault' it is, LL could more than use some bonus trust being generated AND acknowledge that the learning curve/mentoring that many new users encounter (to their benefit mostly, but abuse is not supremely uncommon) puts new and vulnerable users at risk.

Two-factor protects LL's new userbase, and defends its old one from being exploited during the wind-down - a very real possibility. We're well-past the point where this becomes win-win.

 Think Alwin's barking up the wrong tree on this (phishing under two-factor would score the attacker some encrypted info that would expire very quickly, and not a useful password - no lasting vulnerability to the phished users account), and would happily contribute toward making this a reality. Have wanted two-factor here for a long time.

[Sassy Romano]

---

Alwin Alcott wrote:

---

Sassy Romano wrote:

Maybe you miss the point? 

---

no i .. if you see how many people respond to the phishing emails from fake banks giving out their social security numbers, bank codes, CC verification codes... even send them the cards, and so on.., as they serve you a drink it's a dream to think 3way verification will prevent the people being phished.

---

Well that depends on the value that someone places upon their account.  There's NO excuse to NOT implement it as an option for those of us who value our accounts and if it were made mandatory, it would eradicate the phishing within SL and potentially much of the fraud.

You can't fix stupid people (or even ones who are caught off guard) but if SL were to require two factor authentication then things would change.

Those elements that you mentioned above are useful for various reasons, SSN alone is not an authenticator, CVV alone is not an authenticator, a card alone is not that useful.  I could send you my CC and it's not going to find much use in a country where a PIN is required etc.  The data that you referred to is just that, it's data and more often used for identity theft or further social engineering attack.

I could tell you my PayPal username and password but you won't get in with those alone because you don't have my phone with the registered Verisign agent coupled to it.

The second factor has to be something I have, that you don't.  It could be something like a software token client on a phone, an SMS capability, secure element on a device such as a Yubikey (or similar), an enrolled certificate on a device such as a phone, coupled with a biometric such as fingerprint or face recognition, the list goes on.

What doesn't work anymore is username and password, there really is no debate here.

[Pamela Galli]

Btw Sassy, I received but could not reply to your PM, so not user error, just broken.

[Kytten Lebed]

Yes, they are being fished.  I was using the term hack as a catch all.  However, two factor authentication would still prevent the malicious site owners fromt aking over the accounts.

 

If you put on an authenticator, that code is only good for 30 seconds.  Without the physical token, or if LL were to use a smartphone app which would require both a serial number and a restore code to use it, the username and password would be useless.  A lot of MMO's and banking web sites have used these for years and it cuts down over 90% or more on accounts being taken by whatever means.

[Prokofy Neva]

More security chimeras and ritualistic approaches to life on the Internet.

Recently when the Russian opposition was hacked because some of them failed to have 2FA, they were berated for this as it's fashionable to blame the victim but Pavel Durov, the developer of Telegram actually said that while it's nice to have 2FA, the real problem is the FSB (the KGB's successors) and what he himself does is not only use 2FA, but even uses a sim card in his mobile phone that is not manufactured in Russia, because of the problem of the FSB making duplicate sim cards or getting mobile operators to cooperate with them in making sim cards or spoofing authorization SMS in order to get into a device.

In fact the people hacked were not hacked because of a break of encryption and not even really 2FA missing but because the cell phone company in Russia by law has to do what they are told, unlike Apple which defies the FBI. So they shut off the SMS notifications to the opposition guy's phone while they sent an authorization code they themselves used to hack his messages, then turned the SMS back on.

The reality is, if you don't want your money stolen from hacking in SL you have to use a variety of safeguards and back-ups and limits and not rely only on rituals like complicated passwords or 2FA if it is installed.

[Sassy Romano]

---

Prokofy Neva wrote:

The reality is, if you don't want your money stolen from hacking in SL you have to use a variety of safeguards and back-ups and limits and not rely only on rituals like complicated passwords or 2FA if it is installed.

---

Um...such as?!  *blinks*

You're completely missing the point here, what you described was a state sponsored, man in the middle attack which is completely different to what is being requested as a solution here for a different risk and set of actors.

Right now we HAVE to rely on password only authentication, there simply is no other option for SL, it's way behind the curve here and yes 2FA is an easy way forward and done properly can be very simple, not complicated at all.

Coming up the response to the problem of, "I will add an alarm to my house to supplement the key" and responding "ah but that's too complicated and the real problem is state interception of the alarm code and threat by foreign super powers with nuclear weapons and...squirrels, don't forget the angry squirrels!

Lets stay on track and point LL towards current *appropriate* good practice.

(By the way, I would expect the NSA already has Apple's code signing key but the public face of Apple can declare whatever it likes to keep the customers happy.  The NSA is also likely to have the code signing key through means unknown to Apple)

[Rhonda Huntress]

---

Kytten Lebed wrote:

Yes, they are being fished.  I was using the term hack as a catch all. 

---

You are right, it is not just phishing.  Anyone using one of the most common passwords is just as vulnerable.

For example, if I had a list of account names, I could go one by one trying to log in with the password "password" for example until I get in.  The next day I start the whole process again but this time using "111111" as the password.  Easy as can be and guaranteed to get a hit.  

Getting a list of account names is easy since we all have ours over our heads and on display in groups for anyone to read.

With the obvious rise in the number of accounts that are being reported as hacked it should be a big flag to everyone to start using a stronger password.

[Prokofy Neva]

@Sassy Romano ummm...like keeping low amounts on your inworld account and constantly cashing out? Or using multiple accounts to attach to vendors, redundancy is always a good thing to have in any event. These are simple things anyone can do without fussing about complicated passwords or 2FA.

Again, 2FA is merely the latest geek ritual that is supposed to keep us safe in a world in which all digital things are inherently vulnerable and unsafe. It's wise in fact to be very skeptical of these rituals.

Remember when the geeks told us that https was going to be the be-all and end-all for security and the job was not only to convince skeptics that included even big companies to change to https but to defeat CISPA, the legislation that would have helped crack down on piracy and copyright violations, because OMGODZORS it was going to "break" https (which was not sufficiently proven). BTW CISPA had many checks and balances on it and was never the horror claimed by Google-paid YouTubester hysterics.

So...what happened? Https wasn't enough, now we need 2FA? Oh? You see why I am always and everywhere skeptical. Before that it was these gyrations with putting in your pasword a5uMberO aNd O33 cApitalZ and sp377ingS remember?

2FA in the current setting is not a simple as "adding an alarm clock" and you know that. Are you suggesting LL mail out little necklaces with bar codes to every user? Are you suggesting the hash mark on the computer is sufficient? 

Let's not obfuscate and pretend that rituals prevent theft.

The single greatest way that people in SL can eliminate misuse or theft of their accounts is by never giving out their passport.

As a rentals landlord, I see people constantly give out passwords to their friends and partners sometimes merely because they are too lazy to figure out how to give them build perms using the existing tools on the viewer, and other times because they simply aren't logging in and want a partner to pay their rent, for example. This is a terrible practice because if those relationships go sour, the first thing that can happen is an abuse of the availability of the password to steal, deface, grief, etc. 

LL constantly warns against this but it's a huge problem. It would make sense to use campaigns, social media, awareness efforts to stop that practice than adding 2FA quite frankly.

Hacks do not happen due to lack of 2FA; they happen because of either dirt-simple passwords or this partner access problem.

I'd urge you to google news stories about the Apple/FBI affair which explain it has nothing to do with the issues you are claiming and in fact it wasn't about hacking encrypted communications but gaining access to the firmware that shuts down repeat guesses on passwords so that the FBI could try the repeat guesses. In the end they hired an Israeli company that simply hacked the firmware and Apple could only fume despite doing start turns as the paragon of user concern. In reality, Apple's sales keep tumbling. How many sales did they lose BECAUSE they defied the FBI over terrorism? And how much was their self-serving campaign about trying to boost sales? BTW, Apple had no problem cooperating with the government of China to provide access in order to keep their market there. Again, always unimpressed with this world...

 

[Sassy Romano]

Keeping low amounts in SL and cashing out regularly (other than for the increase in transaction costs) is not a suitable answer as this only seeks to protect the L$ balance and does nothing to protect the account itself, the assets in inventory or any intellectual property on those assets, that's the point in strong authentication.

Multiple accounts to attach to vendors?  I don't understand what you mean here.  The logistics of using multiple accounts to create and sell products under, very quickly becomes unworkable.  Moving assets between accounts and the resetting of permisssions is an absolute nightmare, keeping track of assets becomes a job of its own.  Marketplace does not allow consolidation of stores so the result would be a very fragmented result with awful searchability.  As for inworld vending systems, I do not know of any off the shelf ones that support multiple accounts and present a single vending experience.  The one that I use inworld was custom created by my partner at the time, to a specification that we worked out.

The better solution on many levels, remains to provide strong authentication to the account, to secure access to it, not to just shrug and try to reduce risk after the compromise of the account. 

2FA is far from a "latest geek ritual".  It's a time served strong authenticator.  Can I say bank chip and PIN here?  You know, those risk averse banks, they're pretty keen on 2FA for a reason.  The only reason the US banks have been so slow to adopt this is because they place the risk on the customer, that's not the case elsewhere and it's the bank who has the risk of account fraud.

I don't recall any geeks ever implying that https would be a be all and end all.  For a start, it's not an authentication method, so has no part to play in this at all.

Complex passwords are only to mitigate dictionary attacks, they do little to mitigate rainbow table attacks.  Passwords are no longer appropriate.

Rituals don't prevent theft, strong authentication, strong encryption, good practices do.

"The single greatest way that people in SL can eliminate misuse or theft of their accounts is by never giving out their passport."

Of course, but how do you prevent the mistakes, the phishing (which was the reason for the subject)?  The object of 2FA is to provide strong authentication... it mitigates the phishing links, it removes the guessing of weak passwords, it removes the dictionary and other password guessing attacks. 

'Hacks do not happen due to lack of 2FA; they happen because of either dirt-simple passwords or this partner access problem.'

You do realise that both of those are then completely mitigated by 2FA?

I don't need to Google anything about Apple, you brought Apple up, it was out of context in the first place and has no relevance to this topic so i'll ignore it from here onwards.  (Aside from the fact that i'm fully aware of the details of the Apple/FBI stories)

2FA doesn't have to be complex, it can be delightfully simple and enjoyable to use in preference to anything else.  Here's how I use 2FA to log in to my PC:-

"I just sit in front of it" - Done.  (Google that!)

[Ayesha Lytton]

As someone who actually had my accounts hacked last year, here are my two cents. 

 

The person who hacked my account was a scripter I hired to create a game system for me. He needed access to my web server to create the database for the system. It used a similar, but not the same, password as my SL account. Over the course of a few weeks he used that information to guess the passwords to my two main SL accounts. He then created payment scripts and inserted them into various objects I owned, including land rental boxes, and accepted debit permissions for them. The scripts gave him the power to send a command and take money from me with any avatar. 

 

He began slowly siphoning money from my accounts. I didn't notice right away, because some of the transactions appeared to be game payments. Then he started taking more using the rental boxes. While this was happening I had no idea he was accessing my accounts. I found out when one night I was on with an alt and saw myself log in. It was an incredibly creepy and violating feeling. I immediately logged myself in to knock him out, then changed my passwords. At first I had no idea who it was, until some trustworthy scripter friends helped me discover the extent of the hack. 

 

He had taken over $1000 USD by that point. Of course I filed a complaint with Linden Lab. I got about half the money back. Most of it was what he had taken using the rental boxes. It was hard on their side for me to prove that the game winnings were not legitimate payments. Since then he has tried repeatedly to get into my accounts, use his old hacks, etc. 

 

Then and now, Linden Lab gave me no tools to protect myself. Until I saw my own avatar, I had no idea someone else was accessing my accounts. I had and still have no means of protecting myself. I actually purchased one of those text message online alert devices and added my own avatars to it, as that's the only way I can know for sure someone else isn't logging in as me. The entire mess could have been prevented with two factor authentication. I would've gotten a notice that someone was trying to log in from a new IP address, and could have reported it, or in any case, he would not have successfully accessed my accounts.

 

No, two factor authentication won't protect you from the FBI, KGB, or anyone else with extreme hacking skills. But it will keep out the average loser who would care enough to try to hack into a SL account. The FBI doesn't give a rat's you know what about my virtual reality. I needed protection from some jerk in Germany who wanted to steal my money. I didn't get it. This needs to change. 

 

[Gylia Moonites]

I think a lot are not aware of how the 2FA works today. Unlike a 2nd set of password some MMO games provided back in the stone ages.
Now 2FA users don't even know the password themselves until they checked on the app on their phone.
These passwords changed every minute making it "near" impossible to hack by average hackers or someone that happened to guessed your account password. And as the 2FA setup goes... only the simplest minded people in existence will go through all the troubles just to find the infos used to provide the 2FA generator for a phishing scam. So yes, 2FA is certainly far far better than SL current password system. A FEW TIMES better in fact.
The down fall being that google wasn't able to provide a "saving" method of the 2FA account due to security reason, making it not only hard to breach but a pain for anyone who lost their 2FA device. This means you are locked out from your own account if you lost your phone. But on the other hand, other Authenticator provides a "cloud saving" method so no matter where or on which phone you use, you still gain access to your 2FA informations. Less secured but it works.

Edited September 5, 2018 by Gylia Moonites

[Garnet Psaltery]

I smell a necropost *opens a window*.

[Rhonda Huntress]

How 2FA works today? 2FA's deprecation is older than this thread. It is much more than being limited to "what you have and what you know" now.

[Love Zhaoying]

Did you say Nekopost?

[Garnet Psaltery]

10 minutes ago, Love Zhaoying said:

Did you say Nekopost?

No but I'll say it if you give me chocolate. ?

Edited September 6, 2018 by Garnet Psaltery