
Would it be possible?



I was reading another locked thread on here just below this one which basically talks about false charges placed on someone's credit card/billing information and being done from their IP address.

However, after having my account itself compromised, lack of IP Verification or security, it does raise some red flags on something that really concerns me.

1. Let's assume that someone downloaded an illegal viewer on the internet, or was using a Third Party Viewer that has been compromised, couldn't it be possible to use the user's PC while they are logged in as a proxy, steal their password, and use their IP address to access their own Second Life account?

2. Even if this was not possible, couldn't someone buy L$ from the viewer if, let's say, they added some type of back-door to the viewer, and then from there all it would take to steal the L$ is an object in Second Life set to pay out debit permissions, or possibly, if it's possible to even use a message builder which is built into almost every illegal viewer, use their session ID to transfer the L$ to someone else or something?

I am not even sure this is possible, but a friend who actually made some pretty advanced bots in the past, the kind that manage land and stuff, talked a lot to me about session IDs and, if it was possible to obtain one, what someone could do with it, and even had a bot that automatically reclaimed and resold land parcels and stuff.

Would any of this even be possible, as I have my billing info stored, and would be wary about using any TPV if it is?



GothGirl Demonia wrote:

I was reading another locked thread on here just below this one which basically talks about false charges placed on someone's credit card/billing information and being done from their IP address.

However, after having
my account itself compromised,
entered my password on a Phishing site, lack of IP Verification or security, it does raise some red flags on something that really concerns me.

1. Let's assume that someone downloaded an illegal viewer on the internet, or was using a Third Party Viewer that has been compromised, couldn't it be possible to use the user's PC while they are logged in as a proxy, steal their password, and use their IP address to access their own Second Life account?

2. Even if this was not possible, couldn't someone buy L$ from the viewer if, let's say, they added some type of back-door to the viewer, and then from there all it would take to steal the L$ is an object in Second Life set to pay out debit permissions, or possibly, if it's possible to even use a message builder which is built into almost every illegal viewer, use their session ID to transfer the L$ to someone else or something?

I am not even sure this is possible, but a friend who actually made some pretty advanced bots in the past, the kind that manage land and stuff, talked a lot to me about session IDs and, if it was possible to obtain one, what someone could do with it, and even had a bot that automatically reclaimed and resold land parcels and stuff.

Would any of this even be possible, as I have my billing info stored, and would be wary about using any TPV if it is?

I would place the odds for that somewhere in the neighborhood of an asteroid strike.

Also, I corrected a mistake in your OP.


This seems pretty convoluted. It really isn't that complicated, and it's not necessary to be clever about any of it, invoking session IDs or anything fancy. If one downloads a bad program, it can do anything it wants on one's machine, including simply keylogging passwords.

There's no real peer-review of the gory details of even the most popular TPVs, so yeah, even they could have Bad Stuff inside. Emerald is proof of that. Certainly Firestorm has extensively changed management of source code since that debacle. Theoretically, there's no real assurance that nobody could ever check-in nefarious code. In practice, I'd agree that Firestorm in particular has a quite low risk of that happening.

Other TPVs? There are developers and development teams I trust. One would have to judge for oneself. Or, one could scrutinize all diffs between a TPV's source and the Linden version on which it's based, and build it oneself.

TPVs without source, from developers you can't completely trust? The risks are obvious. Especially if one downloads a viewer explicitly designed to get around Linden restrictions, there is no reason to think it won't empty one's RL bank account.

And you know what? I kinda like it that way.

On the other hand, it wouldn't hurt if LL did IP address verification; I'd be fine if the login servers hesitated to let me in from Russia, for example, when I've never logged in from there before. This might go hand-in-glove with a two-factor authentication approach. Such measures would be prudent even if there were never any TPVs in existence.
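The login check suggested in the post above, sketched as an added example (not part of the original thread and not Linden Lab's code): a password-verified login from a known network is allowed, a new network in a familiar country triggers an owner notification, and a never-seen location requires the second factor. `LoginHistory`, `assess`, `record`, `replay` and the `GEO` table are hypothetical names, and the addresses are constructed from documentation ranges.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed stand-in for a GeoIP database (RFC 5737 documentation ranges).
GEO = {"192.0.2.0/24": "US", "198.51.100.0/24": "US", "203.0.113.0/24": "RU"}

def country_of(ip):
    addr = ipaddress.ip_address(ip)
    for cidr, cc in GEO.items():
        if addr in ipaddress.ip_network(cidr):
            return cc
    return "??"  # unknown location: never treated as familiar

def network_of(ip):
    addr = ipaddress.ip_address(ip)
    return ipaddress.ip_network(f"{ip}/{24 if addr.version == 4 else 48}", strict=False)

@dataclass
class LoginHistory:
    networks: set = field(default_factory=set)
    countries: set = field(default_factory=set)

    def assess(self, ip):
        """Decision for a login whose password has already been verified."""
        cc = country_of(ip)
        if network_of(ip) in self.networks:
            return "allow"
        if cc != "??" and cc in self.countries:
            return "notify"   # new network, familiar country: let in, e-mail the owner
        return "step_up"      # never seen from here: demand the second factor

    def record(self, ip):
        """Call only after the login fully succeeded (second factor included),
        so a failed attempt from a new place never becomes 'known'."""
        self.networks.add(network_of(ip))
        self.countries.add(country_of(ip))

def replay(events):
    """events: (ip, passed_second_factor) pairs; the flag matters only on step_up."""
    hist, decisions = LoginHistory(), []
    for ip, passed in events:
        decision = hist.assess(ip)
        decisions.append(decision)
        if decision != "step_up" or passed:
            hist.record(ip)
    return decisions

# Constructed sample: owner enrolls, owner again, owner on another US network,
# a password thief abroad failing the second factor twice, then the owner.
SAMPLE = [("192.0.2.10", True), ("192.0.2.77", True), ("198.51.100.5", True),
          ("203.0.113.9", False), ("203.0.113.9", False), ("192.0.2.10", True)]
```

Recording a location only after the second factor succeeds is what keeps repeated attempts with a stolen password from turning the attacker's network into a trusted one.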


1. I am pretty sure that I would not stupidly get phished by entering my password on a site stupidly; after all, for years I have warned about phishing. I am not that stupid: I check every link in my email, I check browser hijackers, and web address every time before entering information.

2. If my account was compromised, it was either compromised by one of the following.

1. Keylogger in a TPV. The account hack happened within 72 hours after doing a viewer update, seemed fishy, after all I believe this may have been how I was compromised. I rolled back and completely wiped the viewer from my system; the TPV may have been compromised at the time I downloaded the viewer, as it sat there for 2 months before I bothered to update it.

2. Brute-Force, while I doubt it, it could be possible; when I use a password I use something like PÄ$sW04D*!(A ^A)+, something hard as this but not password of course. (These videos are on YouTube showing people how to do it.)

3. Linden Lab stupidly resetting it for someone. I doubt this would happen of course, but there are things that do raise concerns to this, such as things I do have documented evidence on in the past that happened. For example, a person calls Linden Lab, and knows the Real Life user's name, email, phone number, and address, which is actually all very easy to legally obtain if the person is a close friend on the internet, or has done any transactions via PayPal for example, and that person has not logged in, claims to have forgotten secret questions, and doesn't have the email anymore but says they remember three friends and names a bunch of friends they know they are friends with.

Yes, as I said, I am not that stupid to get phished via stupid attempts. I also know that if I was compromised it was one of the three talked about above, but I know that after doing the safe-guard viewer roll-back, and checking my system for keyloggers sending information online, I have found none. Yes, I use Comm-View 6 to check every packet and IP address my computer connects to.

What we need is Two Step IP Verification for all Second Life users; not only will this protect people's accounts, but it will block all them griefers who also try to grief others using one day old accounts if they use a fake email address, because they won't be able to use IP Verification.

I did submit a JIRA; it was forwarded to Security Team, and closed after. We need more people to petition for this. Had there been two-step verification, my account would never have been compromised, and god knows what they did to others using my name in SL; it's the reason I don't play anymore.




"1. If it is a link do not click on it, as the way I think my account was compromised"

http://community.secondlife.com/t5/General-Discussion-Forum/Account-Hacked-Compromised/m-p/1748085/highlight/true#M84589

 

Shall we apply Occam's Razor to your problem?

 




Perrie Juran wrote:


"1. If it is a link do not click on it, as the way I think my account was compromised"

 

Shall we apply Occam's Razor to your problem?

 

Ya know.. lol that's what I said before, like a revolving door with answers. I don't understand why so much detail on how a person can grief has to be written in each chapter of the OP's book.
