These forums have been archived and are now read-only.

The new forums are live and can be found at https://forums.eveonline.com/

EVE General Discussion

 
  • Topic is locked indefinitely.
123Next page
 

General Warning: Two way authentication is useless

First post
Author
Previous Topic Next Topic
Nalia White
Tencus
#1 - 2017-06-15 20:27:28 UTC
Hey there

Just want to throw it out there. I was using Google authenticator for EvE and despite this i found my accounts closed and ccp told me there was a third party that logged into my accounts and deleted all the skills and other stuff... just logged in again to check a few things. not too much missing i think. Haven't got the time to go through all stuff but looks not too bad.

I really want to thank CCP for this. It was always a nightmare for me since i play online games to have my accounts get stolen or hacked or whatever...

That is also why i used two way authentication. However... I still got hacked... No idea how, i even use mobile authentication with my main e-mail address now... I have searched my PC at home and in the company with malwarebytes and other tools... nada. Quite paranoid at the moment.

So yeah. go secure your e-mail addresses as good as possible.

Syndicate - K5-JRD

Home to few, graveyard for many

My biggest achievement
Marcus Tedric
Zebra Corp
Goonswarm Federation
#2 - 2017-06-15 21:16:10 UTC
Nalia White wrote:
.....................

So yeah. go secure your e-mail addresses as good as possible.


After having been hacked just once - it wouldn't surprise me to find out that you have e-mail access on your mobile phone.

Unless you have as robust a firewall and anti-malware s/w on your phone and your PC - then you are wide open.

Personally I'll never have e-mail on my phone again - and will never use any banking apps.

Don't soil your panties, you guys made a good point, we'll look at the numbers again. - CCP Ytterbium
Nalia White
Tencus
#3 - 2017-06-15 21:30:02 UTC
i use my private e-mail maybe once a week and don't need to use it one my phone. there i only have the e-mail of my company. it's rather strange.

Syndicate - K5-JRD

Home to few, graveyard for many

My biggest achievement
Axhind
Eternity INC.
Goonswarm Federation
#4 - 2017-06-15 21:35:08 UTC  |  Edited by: Axhind
My guess would be reuse of login credentials combined with CCP implementing fallback in case you lose your authenticator data.

Your email should also be secured by proper 2factor auth with no fallback. which means don't use gmail. use something like protonmail.ch and, for love of god, backup your auth data or you will lose access to the account!
Boni d'Age
Imperial Shipment
Amarr Empire
#5 - 2017-06-15 21:45:06 UTC
Came back after few years, couldn't remember original account.

Finally figgred out cha names and what address I used after alot of chatting to help.



Result

Apparently my account was banned, while I've been away. Due to account sharing and other actions and passwords are our problem, so they won't discuss it any further.

I did point out how I be lived it was likely hacked or stolen (lost my pc years ago) but they won't answer anymore as password security is not there concern and totally customers fault (obviously hacking and stuff is a myth)


Luckily I still had an old account on another e-mail.
Mr Epeen
It's All About Me
#6 - 2017-06-15 22:40:49 UTC
Nalia White wrote:
secure your e-mail addresses


That's what I've always done.

I've played a lot of games over the last few decades. Many of them MMOs and many more that require an email address for online DRM. Never once have I had any acct compromised.

I don't know what you are doing wrong, but you are doing something wrong.

Mr Epeen Cool
Blade Darth
Room for Improvement
Good Sax
#7 - 2017-06-16 00:22:55 UTC
Damn. It might have been your network or even google that got compromised.

Omen Navy Issue Tutorial
Elenahina
Federal Navy Academy
Gallente Federation
#8 - 2017-06-16 00:35:45 UTC
Mr Epeen wrote:
Nalia White wrote:
secure your e-mail addresses


That's what I've always done.

I've played a lot of games over the last few decades. Many of them MMOs and many more that require an email address for online DRM. Never once have I had any acct compromised.

I don't know what you are doing wrong, but you are doing something wrong.

Mr Epeen Cool


This more or less.

Eve is like an addiction; you can't quit it until it quits you. Also, iderno
Wanda Fayne
#9 - 2017-06-16 01:58:19 UTC
Never use duplicate passwords anywhere. Ever.
Unique passwords for everything.

"your comments just confirms this whole idea is totally pathetic" -Lan Wang-

  • - "hub humping station gamey neutral logi warspam wankery" -Ralph King-Griffin-
Shallanna Yassavi
qwertz corp
#10 - 2017-06-16 08:36:38 UTC
If you use duplicate or similar passwords anywhere, there will be that one fail admin who stores your password in plaintext and loses it. 16 characters of pure random won't help you if someone was that stupid.

I remember a single Tahiti (R9 280X, Radeon HD 7970 and family) GPU could make about 400M guesses against MD5 (an old, fast method for one-way encryption) every second. If you use any kind of predictable pattern or stupid dirty trick (i.e. "password1", "p@$$w[zero]rd", or any clever thing where you have a base pattern), your password isn't anywhere near as strong as you think it is and needs to be taken out of service before something bad happens.

Also check here and see if they've seen your email address before.

Also something about how encrypted passowrds are broken.

A signature :o
Marek Kanenald
Sebiestor Tribe
Minmatar Republic
#11 - 2017-06-16 08:52:08 UTC
I use a password manager for every online site I do not care about.

And memorized unique passwords for he actually important things.
Elenahina
Federal Navy Academy
Gallente Federation
#12 - 2017-06-16 12:02:26 UTC  |  Edited by: Elenahina
I use password123.?!#_blurp for all of my web logins. It's just easier that way.

Also, if you don't use your computer for shady ****, you minimize the risk of getting infected with something. It's like if you don't sleep with the neighborhood ho, you reduce the risk of your **** rotting off.

Eve is like an addiction; you can't quit it until it quits you. Also, iderno
ISD Max Trix
ISD Community Communications Liaisons
ISD Alliance
#13 - 2017-06-16 12:56:57 UTC  |  Edited by: ISD Max Trix
2FA on the EVE account is a good first step. Having it on your Email is even better. It makes it a lot hardered to compromise the accounts.

ISD Max Trix

Lieutenant

Community Communication Liaisons (CCLs)

Interstellar Services Department

I do not respond to EVE mails about forum moderation.
Aedaxus
Ascendance
Goonswarm Federation
#14 - 2017-06-16 16:40:56 UTC
Make sure you split things up. This worked will with the Titanic. Unless you have a ****** captain that keeps clicking on everything except "NOT THROUGH THE F*CKING ICEBERG" to which the captain says "Calm down, miner!" and keeps going.

The most insecure thing someone can do is have 1 email account, use it for all games, work, access to top secret data, vpn and combine that with a single ultracomplex password, not only does that guy store it in every browers and addon, those people also click one EVERY bleeping fake link they get on their youpoop, twatter and facialbook accounts.

I can give tons of tips on securing a password but none, NONE OF THEM will do any good if the single point of failure is the person himself blaming "Russian Hackers" for their perverted click depravity. WTF is wrong with "you people"? HTFU. Or at least stop clicking every site, link and mail you can find on your screen. You are not the special snowflake that I am. Your life is ending one click at a time.

Also, if you stop using devices maybe, just maybe you could put in an effort to remove them as trusted? Unless you trust everyone that will get their filthy hands on it to watch pr0n and fap at your recovered pics while logging in all of your accounts thanks to your "remember password", "Password keepers" and general clicking the "don't ask for the password or 2nd auth". If you want to clean a device, think like Hillary Clinton and use "BLEACHBIT" so no one finds out about your EVE Accounts. Even if you store the password on a draft mail on your blackberry or ipad.
Axhind
Eternity INC.
Goonswarm Federation
#15 - 2017-06-16 16:43:17 UTC
Marek Kanenald wrote:
I use a password manager for every online site I do not care about.

And memorized unique passwords for he actually important things.



This is a terrible idea. Use an offline password manager (keepass), add rounds to its encryption so it takes several seconds to decrypt on your computer (makes brute force attack infeasible) and make a single high quality password for it. You can even write it down and hide it at home.

A password that is easy to remember is not a strong password!!!
Nalia White
Tencus
#16 - 2017-06-16 16:52:19 UTC  |  Edited by: Nalia White
ISD Max Trix wrote:
2FA on the EVE account is a good first step. Having it on your Email is even better. It makes it a lot hardered to compromise the accounts.


I did exactly that. And I asked my E-Mail provider for country blocking but they won't do that sadly. I asked the EvE support about that feature but sadly it isn't available either...

Alas, as I still have not found a keylogger on any on my 2 machines with which i log in to my webmail, I really wonder how they got that password which is completely unique to all my other passwords and it is only 3 months old... makes me absolutely paranoid. Tried F-Secure (the only tool which prevented ransomware attacks on our company!), Eset online Scanner, malwarebytes and panda antivirus and sophos virus removal tool... Nada. if you have any tips i would be realy glad. Just not possible to reinstall completely at least on my workstation in the company...

Well with sms authentication on my e-mail I realy should be safe now... the only possible option to breach now would be to steal the login session token or some **** like that and there is nothing on my end i can do to prevent that.

I still have an itch all the time and an urge to check my e-mails if there is someone else requesting some account information, god damn that made me absolutely paranoid... probably scarred for life Roll

Thanks again to ccp to restore my stuff!


Edit:

@Aedaxus
You speak the absolute truth and i should have set up two factor authentication for my e-mail a looong time. I swear to you that i never clicked on any bad link :) I work in IT and while i am not an expert in security I know how to move in the internet... i also use noscript addon for my firefox and the days where i watched some series on some dubious streaming sites are definitely over... still it happened. Granted the unique password was not to complex so it may have been brute forced but which service doesn't have a protection against these types of attacks nowadays? It's always more important not to share the same usernames/passwords for different services...

and as said i never log in to my private mail from my mobile phone.

well lessons learned the hard way i guess.

Syndicate - K5-JRD

Home to few, graveyard for many

My biggest achievement
Linus Gorp
Ministry of Propaganda and Morale
#17 - 2017-06-16 17:27:10 UTC
To me, this looks like a case of bad user ed (the standard), weak password (also the standard) and bad security management (standard as well).

Give me more detailed information and I'll likely be able to tell you where you got compromised.

When you don't know the difference between there, their, and they're, you come across as being so uneducated that your viewpoint can be safely dismissed. The literate is unlikely to learn much from the illiterate.
Axhind
Eternity INC.
Goonswarm Federation
#18 - 2017-06-16 17:31:09 UTC
Nalia White wrote:
ISD Max Trix wrote:
2FA on the EVE account is a good first step. Having it on your Email is even better. It makes it a lot hardered to compromise the accounts.


I did exactly that. And I asked my E-Mail provider for country blocking but they won't do that sadly. I asked the EvE support about that feature but sadly it isn't available either...

Alas, as I still have not found a keylogger on any on my 2 machines with which i log in to my webmail, I really wonder how they got that password which is completely unique to all my other passwords and it is only 3 months old... makes me absolutely paranoid. Tried F-Secure (the only tool which prevented ransomware attacks on our company!), Eset online Scanner, malwarebytes and panda antivirus and sophos virus removal tool... Nada. if you have any tips i would be realy glad. Just not possible to reinstall completely at least on my workstation in the company...

Well with sms authentication on my e-mail I realy should be safe now... the only possible option to breach now would be to steal the login session token or some **** like that and there is nothing on my end i can do to prevent that.

I still have an itch all the time and an urge to check my e-mails if there is someone else requesting some account information, god damn that made me absolutely paranoid... probably scarred for life Roll

Thanks again to ccp to restore my stuff!


Edit:

@Aedaxus
You speak the absolute truth and i should have set up two factor authentication for my e-mail a looong time. I swear to you that i never clicked on any bad link :) I work in IT and while i am not an expert in security I know how to move in the internet... i also use noscript addon for my firefox and the days where i watched some series on some dubious streaming sites are definitely over... still it happened. Granted the unique password was not to complex so it may have been brute forced but which service doesn't have a protection against these types of attacks nowadays? It's always more important not to share the same usernames/passwords for different services...

and as said i never log in to my private mail from my mobile phone.

well lessons learned the hard way i guess.



Please, please DO NOT ever use SMS as a second auth. It is trivial to defeat and should never be even offered by the companies. Always use time based auth (OATP with google authenticator). That is the only remotely secure 2FA other than actual dedicated U2F devices. If your mail provider doesn't offer proper auth then change the provider!
Nalia White
Tencus
#19 - 2017-06-16 17:38:53 UTC
Linus Gorp wrote:
To me, this looks like a case of bad user ed (the standard), weak password (also the standard) and bad security management (standard as well).

Give me more detailed information and I'll likely be able to tell you where you got compromised.


already wrote everything down just a post above you. would be happy to get a clue my friend. :)

3 month old unique password
12 letters, one upper, 2 digits, a small sentence in my native language (swiss german, only a spoken language, so the words are not in any dictionary :))
it's clear my e-mail got breached, i just have not a clue how... just checked, of course the login site would shut down after some attempts so brute force should be out...

on the site https://haveibeenpwned.com/ only my e-mail is there, not one of my usernames

what i have done:

searched the 2 computers i use for logging in to my mail for threats to no avail...
enabling sms authentication on e-mail, should do the trick for the future
changed password again... this time to something i have to write down and pin it at my pinwall :)
sadly country blocking is not available for my e-mail service or for eve online
yeah i have all my gaming services on this one e-mail...

Syndicate - K5-JRD

Home to few, graveyard for many

My biggest achievement
Nalia White
Tencus
#20 - 2017-06-16 17:43:56 UTC
Axhind wrote:
Nalia White wrote:
ISD Max Trix wrote:
2FA on the EVE account is a good first step. Having it on your Email is even better. It makes it a lot hardered to compromise the accounts.


I did exactly that. And I asked my E-Mail provider for country blocking but they won't do that sadly. I asked the EvE support about that feature but sadly it isn't available either...

Alas, as I still have not found a keylogger on any on my 2 machines with which i log in to my webmail, I really wonder how they got that password which is completely unique to all my other passwords and it is only 3 months old... makes me absolutely paranoid. Tried F-Secure (the only tool which prevented ransomware attacks on our company!), Eset online Scanner, malwarebytes and panda antivirus and sophos virus removal tool... Nada. if you have any tips i would be realy glad. Just not possible to reinstall completely at least on my workstation in the company...

Well with sms authentication on my e-mail I realy should be safe now... the only possible option to breach now would be to steal the login session token or some **** like that and there is nothing on my end i can do to prevent that.

I still have an itch all the time and an urge to check my e-mails if there is someone else requesting some account information, god damn that made me absolutely paranoid... probably scarred for life Roll

Thanks again to ccp to restore my stuff!


Edit:

@Aedaxus
You speak the absolute truth and i should have set up two factor authentication for my e-mail a looong time. I swear to you that i never clicked on any bad link :) I work in IT and while i am not an expert in security I know how to move in the internet... i also use noscript addon for my firefox and the days where i watched some series on some dubious streaming sites are definitely over... still it happened. Granted the unique password was not to complex so it may have been brute forced but which service doesn't have a protection against these types of attacks nowadays? It's always more important not to share the same usernames/passwords for different services...

and as said i never log in to my private mail from my mobile phone.

well lessons learned the hard way i guess.



Please, please DO NOT ever use SMS as a second auth. It is trivial to defeat and should never be even offered by the companies. Always use time based auth (OATP with google authenticator). That is the only remotely secure 2FA other than actual dedicated U2F devices. If your mail provider doesn't offer proper auth then change the provider!


How many of the people here actualy even use a second auth method on their e-mail? would a skript kiddy go to the length to try and circumvent a sms authentication? man i am just a gamer not a specific target :) Or at least i hope that Pirate

in the end i will use a top secure service and lose the authenticator and lose my accounts this way lol

Syndicate - K5-JRD

Home to few, graveyard for many

My biggest achievement
123Next page