Nalia White
Tencus
255
|
Posted - 2017.06.15 20:27:28 -
[1] - Quote
Hey there
Just want to throw it out there. I was using Google authenticator for EvE and despite this I found my accounts closed and CCP told me there was a third party that logged into my accounts and deleted all the skills and other stuff... Just logged in again to check a few things. Not too much missing I think. Haven't got the time to go through all stuff but looks not too bad.
I really want to thank CCP for this. It was always a nightmare for me since I play online games to have my accounts get stolen or hacked or whatever...
That is also why I used two way authentication. However... I still got hacked... No idea how, I even use mobile authentication with my main e-mail address now... I have searched my PC at home and in the company with malwarebytes and other tools... nada. Quite paranoid at the moment.
So yeah. go secure your e-mail addresses as good as possible.
Syndicate - K5-JRD
Home to few, graveyard for many
My biggest achievement
|
Marcus Tedric
Zebra Corp Goonswarm Federation
139
|
Posted - 2017.06.15 21:16:10 -
[2] - Quote
Nalia White wrote:.....................
So yeah. go secure your e-mail addresses as good as possible.
After having been hacked just once - it wouldn't surprise me to find out that you have e-mail access on your mobile phone.
Unless you have as robust a firewall and anti-malware s/w on your phone and your PC - then you are wide open.
Personally I'll never have e-mail on my phone again - and will never use any banking apps.
Don't soil your panties, you guys made a good point, we'll look at the numbers again. - CCP Ytterbium
|
Nalia White
Tencus
255
|
Posted - 2017.06.15 21:30:02 -
[3] - Quote
I use my private e-mail maybe once a week and don't need to use it on my phone. There I only have the e-mail of my company. It's rather strange.
Syndicate - K5-JRD
Home to few, graveyard for many
My biggest achievement
|
Axhind
Eternity INC. Goonswarm Federation
368
|
Posted - 2017.06.15 21:35:08 -
[4] - Quote
My guess would be reuse of login credentials combined with CCP implementing fallback in case you lose your authenticator data. |
Boni d'Age
Big Blue Test Icicles
0
|
Posted - 2017.06.15 21:45:06 -
[5] - Quote
Came back after a few years, couldn't remember original account.
Finally figured out char names and what address I used after a lot of chatting to help.
Result
Apparently my account was banned, while I've been away. Due to account sharing and other actions and passwords are our problem, so they won't discuss it any further.
I did point out how I believed it was likely hacked or stolen (lost my pc years ago) but they won't answer anymore as password security is not their concern and totally the customer's fault (obviously hacking and stuff is a myth)
Luckily I still had an old account on another e-mail. |
Mr Epeen
It's All About Me
11409
|
Posted - 2017.06.15 22:40:49 -
[6] - Quote
Nalia White wrote: secure your e-mail addresses
That's what I've always done.
I've played a lot of games over the last few decades. Many of them MMOs and many more that require an email address for online DRM. Never once have I had any acct compromised.
I don't know what you are doing wrong, but you are doing something wrong.
Mr Epeen
|
Blade Darth
Room for Improvement Limited Expectations
247
|
Posted - 2017.06.16 00:22:55 -
[7] - Quote
Damn. It might have been your network or even google that got compromised.
Omen Navy Issue Tutorial
|
Elenahina
Agony Unleashed The Bastard Cartel
1731
|
Posted - 2017.06.16 00:35:45 -
[8] - Quote
Mr Epeen wrote:Nalia White wrote: secure your e-mail addresses That's what I've always done. I've played a lot of games over the last few decades. Many of them MMOs and many more that require an email address for online DRM. Never once have I had any acct compromised. I don't know what you are doing wrong, but you are doing something wrong. Mr Epeen
This more or less.
Eve is like an addiction; you can't quit it until it quits you.
Also, iderno
|
Wanda Fayne
646
|
Posted - 2017.06.16 01:58:19 -
[9] - Quote
Never use duplicate passwords anywhere. Ever. Unique passwords for everything.
"your comments just confirms this whole idea is totally pathetic" -Lan Wang-
- -
"hub humping station gamey neutral logi warspam wankery" -Ralph King-Griffin-
|
Shallanna Yassavi
Imperial Academy Amarr Empire
554
|
Posted - 2017.06.16 08:36:38 -
[10] - Quote
If you use duplicate or similar passwords anywhere, there will be that one fail admin who stores your password in plaintext and loses it. 16 characters of pure random won't help you if someone was that stupid.
I remember a single Tahiti (R9 280X, Radeon HD 7970 and family) GPU could make about 400M guesses against MD5 (an old, fast method for one-way encryption) every second. If you use any kind of predictable pattern or stupid dirty trick (i.e. "password1", "p@$$w[zero]rd", or any clever thing where you have a base pattern), your password isn't anywhere near as strong as you think it is and needs to be taken out of service before something bad happens.
Also check here and see if they've seen your email address before.
Also something about how encrypted passwords are broken.
A signature :o
|
|
Marek Kanenald
Federal Defense Union Gallente Federation
20
|
Posted - 2017.06.16 08:52:08 -
[11] - Quote
I use a password manager for every online site I do not care about.
And memorized unique passwords for the actually important things. |
Elenahina
Agony Unleashed The Bastard Cartel
1732
|
Posted - 2017.06.16 12:02:26 -
[12] - Quote
I use password123.?!#_blurp for all of my web logins. It's just easier that way.
Also, if you don't use your computer for shady ****, you minimize the risk of getting infected with something. It's like if you don't sleep with the neighborhood ho, you reduce the risk of your **** rotting off.
Eve is like an addiction; you can't quit it until it quits you.
Also, iderno
|
ISD Max Trix
ISD Community Communications Liaisons
1920
|
Posted - 2017.06.16 12:56:57 -
[13] - Quote
From what you posted, there was no failure with 2FA. Seems more like you failed to secure your email.
ISD Max Trix
Lieutenant
Community Communication Liaisons (CCLs)
Interstellar Services Department
I do not respond to EVE mails about forum moderation.
|
Aedaxus
Digital Zone Corp
82
|
Posted - 2017.06.16 16:40:56 -
[14] - Quote
Make sure you split things up. This worked well with the Titanic. Unless you have a ****** captain that keeps clicking on everything except "NOT THROUGH THE F*CKING ICEBERG" to which the captain says "Calm down, miner!" and keeps going.
The most insecure thing someone can do is have 1 email account, use it for all games, work, access to top secret data, vpn and combine that with a single ultracomplex password, not only does that guy store it in every browser and addon, those people also click on EVERY bleeping fake link they get on their youpoop, twatter and facialbook accounts.
I can give tons of tips on securing a password but none, NONE OF THEM will do any good if the single point of failure is the person himself blaming "Russian Hackers" for their perverted click depravity. WTF is wrong with "you people"? HTFU. Or at least stop clicking every site, link and mail you can find on your screen. You are not the special snowflake that I am. Your life is ending one click at a time.
Also, if you stop using devices maybe, just maybe you could put in an effort to remove them as trusted? Unless you trust everyone that will get their filthy hands on it to watch pr0n and fap at your recovered pics while logging in all of your accounts thanks to your "remember password", "Password keepers" and general clicking the "don't ask for the password or 2nd auth". If you want to clean a device, think like Hillary Clinton and use "BLEACHBIT" so no one finds out about your EVE Accounts. Even if you store the password on a draft mail on your blackberry or ipad. |
Axhind
Eternity INC. Goonswarm Federation
371
|
Posted - 2017.06.16 16:43:17 -
[15] - Quote
Marek Kanenald wrote:I use a password manager for every online site I do not care about.
And memorized unique passwords for the actually important things.
This is a terrible idea. Use an offline password manager (keepass), add rounds to its encryption so it takes several seconds to decrypt on your computer (makes brute force attack infeasible) and make a single high quality password for it. You can even write it down and hide it at home.
A password that is easy to remember is not a strong password!!! |
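The arithmetic behind the two posts above (the 400M guesses per second figure against MD5, and adding rounds to the password manager's key derivation), as an added example that is not part of the original thread. PBKDF2-HMAC-SHA256 stands in for the manager's own KDF, and the helper names and the "one round costs about one fast hash" attacker model are assumptions made for illustration.

```python
import hashlib
import os
import time

# Figure quoted in the thread: one Tahiti-class GPU guessing against MD5.
MD5_GUESSES_PER_SEC = 400_000_000


def keyspace(alphabet_size: int, length: int) -> int:
    """Candidate count when every character is picked uniformly at random."""
    return alphabet_size ** length


def average_crack_seconds(candidates: int, guesses_per_sec: float) -> float:
    """Expected search time: on average half the keyspace is tried."""
    return candidates / 2 / guesses_per_sec


def stretched_rate(fast_rate: float, rounds: int) -> float:
    """Assumption: each KDF round costs the attacker about one fast hash."""
    return fast_rate / rounds


def derive_key(master_password: str, salt: bytes, rounds: int) -> bytes:
    """Stretch the master password; PBKDF2 is a stand-in for the real KDF."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, rounds
    )


def calibrate_rounds(target_seconds: float, probe_rounds: int = 50_000) -> int:
    """Time a short probe on this machine and scale to the wanted unlock delay."""
    salt = os.urandom(16)
    start = time.perf_counter()
    derive_key("calibration-only", salt, probe_rounds)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return max(probe_rounds, int(probe_rounds * target_seconds / elapsed))


def compare(alphabet_size: int, length: int, rounds: int) -> dict:
    """Average crack time for the same password, fast hash vs stretched KDF."""
    candidates = keyspace(alphabet_size, length)
    return {
        "fast_hash_seconds": average_crack_seconds(
            candidates, MD5_GUESSES_PER_SEC
        ),
        "stretched_seconds": average_crack_seconds(
            candidates, stretched_rate(MD5_GUESSES_PER_SEC, rounds)
        ),
    }


if __name__ == "__main__":
    # Constructed cases: 8 random lowercase letters, then 16 random
    # characters drawn from the 94 printable ASCII symbols.
    for alphabet, length in ((26, 8), (94, 16)):
        result = compare(alphabet, length, rounds=1_000_000)
        print(alphabet, length, result)
    print("rounds for a 1 s unlock on this machine:", calibrate_rounds(1.0))
```

The rounds multiply the cost of every guess by the same factor for the owner and the attacker, so they buy time for a weak master password but do not replace a long random one.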
Nalia White
Tencus
255
|
Posted - 2017.06.16 16:52:19 -
[16] - Quote
ISD Max Trix wrote:2FA on the EVE account is a good first step. Having it on your Email is even better. It makes it a lot harder to compromise the accounts.
I did exactly that. And I asked my E-Mail provider for country blocking but they won't do that sadly. I asked the EvE support about that feature but sadly it isn't available either...
Alas, as I still have not found a keylogger on any of my 2 machines with which i log in to my webmail, I really wonder how they got that password which is completely unique to all my other passwords and it is only 3 months old... makes me absolutely paranoid. Tried F-Secure (the only tool which prevented ransomware attacks on our company!), Eset online Scanner, malwarebytes and panda antivirus and sophos virus removal tool... Nada. if you have any tips i would be really glad. Just not possible to reinstall completely at least on my workstation in the company...
Well with sms authentication on my e-mail I really should be safe now... the only possible option to breach now would be to steal the login session token or some **** like that and there is nothing on my end i can do to prevent that.
I still have an itch all the time and an urge to check my e-mails if there is someone else requesting some account information, god damn that made me absolutely paranoid... probably scarred for life
Thanks again to ccp to restore my stuff!
Syndicate - K5-JRD
Home to few, graveyard for many
My biggest achievement
|
Linus Gorp
Ministry of Propaganda and Morale
1578
|
Posted - 2017.06.16 17:27:10 -
[17] - Quote
To me, this looks like a case of bad user ed (the standard), weak password (also the standard) and bad security management (standard as well).
Give me more detailed information and I'll likely be able to tell you where you got compromised.
When you don't know the difference between there, their, and they're, you come across as being so uneducated that your viewpoint can be safely dismissed. The literate is unlikely to learn much from the illiterate.
|
Axhind
Eternity INC. Goonswarm Federation
371
|
Posted - 2017.06.16 17:31:09 -
[18] - Quote
Nalia White wrote:ISD Max Trix wrote:2FA on the EVE account is a good first step. Having it on your Email is even better. It makes it a lot harder to compromise the accounts. I did exactly that. And I asked my E-Mail provider for country blocking but they won't do that sadly. I asked the EvE support about that feature but sadly it isn't available either... Alas, as I still have not found a keylogger on any of my 2 machines with which i log in to my webmail, I really wonder how they got that password which is completely unique to all my other passwords and it is only 3 months old... makes me absolutely paranoid. Tried F-Secure (the only tool which prevented ransomware attacks on our company!), Eset online Scanner, malwarebytes and panda antivirus and sophos virus removal tool... Nada. if you have any tips i would be really glad. Just not possible to reinstall completely at least on my workstation in the company... Well with sms authentication on my e-mail I really should be safe now... the only possible option to breach now would be to steal the login session token or some **** like that and there is nothing on my end i can do to prevent that. I still have an itch all the time and an urge to check my e-mails if there is someone else requesting some account information, god damn that made me absolutely paranoid... probably scarred for life Thanks again to ccp to restore my stuff! Edit: @Aedaxus You speak the absolute truth and i should have set up two factor authentication for my e-mail a looong time. I swear to you that i never clicked on any bad link :) I work in IT and while i am not an expert in security I know how to move in the internet... i also use noscript addon for my firefox and the days where i watched some series on some dubious streaming sites are definitely over... still it happened. Granted the unique password was not too complex so it may have been brute forced but which service doesn't have a protection against these types of attacks nowadays?
It's always more important not to share the same usernames/passwords for different services... and as said i never log in to my private mail from my mobile phone. well lessons learned the hard way i guess.
Please, please DO NOT ever use SMS as a second auth. It is trivial to defeat and should never be even offered by the companies. Always use time based auth (OATP with google authenticator). That is the only remotely secure 2FA other than actual dedicated U2F devices. If your mail provider doesn't offer proper auth then change the provider! |
Nalia White
Tencus
255
|
Posted - 2017.06.16 17:38:53 -
[19] - Quote
Linus Gorp wrote:To me, this looks like a case of bad user ed (the standard), weak password (also the standard) and bad security management (standard as well).
Give me more detailed information and I'll likely be able to tell you where you got compromised.
already wrote everything down just a post above you. would be happy to get a clue my friend. :)
3 month old unique password 12 letters, one upper, 2 digits, a small sentence in my native language (swiss german, only a spoken language, so the words are not in any dictionary :)) it's clear my e-mail got breached, i just have not a clue how... just checked, of course the login site would shut down after some attempts so brute force should be out...
on the site https://haveibeenpwned.com/ only my e-mail is there, not one of my usernames
what i have done:
- searched the 2 computers i use for logging in to my mail for threats to no avail...
- enabling sms authentication on e-mail, should do the trick for the future
- changed password again... this time to something i have to write down and pin it at my pinwall :)
- sadly country blocking is not available for my e-mail service or for eve online
- yeah i have all my gaming services on this one e-mail...
Syndicate - K5-JRD
Home to few, graveyard for many
My biggest achievement
|
Nalia White
Tencus
255
|
Posted - 2017.06.16 17:43:56 -
[20] - Quote
Axhind wrote:Nalia White wrote:ISD Max Trix wrote:2FA on the EVE account is a good first step. Having it on your Email is even better. It makes it a lot harder to compromise the accounts. I did exactly that. And I asked my E-Mail provider for country blocking but they won't do that sadly. I asked the EvE support about that feature but sadly it isn't available either... Alas, as I still have not found a keylogger on any of my 2 machines with which i log in to my webmail, I really wonder how they got that password which is completely unique to all my other passwords and it is only 3 months old... makes me absolutely paranoid. Tried F-Secure (the only tool which prevented ransomware attacks on our company!), Eset online Scanner, malwarebytes and panda antivirus and sophos virus removal tool... Nada. if you have any tips i would be really glad. Just not possible to reinstall completely at least on my workstation in the company... Well with sms authentication on my e-mail I really should be safe now... the only possible option to breach now would be to steal the login session token or some **** like that and there is nothing on my end i can do to prevent that. I still have an itch all the time and an urge to check my e-mails if there is someone else requesting some account information, god damn that made me absolutely paranoid... probably scarred for life Thanks again to ccp to restore my stuff! Edit: @Aedaxus You speak the absolute truth and i should have set up two factor authentication for my e-mail a looong time. I swear to you that i never clicked on any bad link :) I work in IT and while i am not an expert in security I know how to move in the internet... i also use noscript addon for my firefox and the days where i watched some series on some dubious streaming sites are definitely over... still it happened.
Granted the unique password was not too complex so it may have been brute forced but which service doesn't have a protection against these types of attacks nowadays? It's always more important not to share the same usernames/passwords for different services... and as said i never log in to my private mail from my mobile phone. well lessons learned the hard way i guess. Please, please DO NOT ever use SMS as a second auth. It is trivial to defeat and should never be even offered by the companies. Always use time based auth (OATP with google authenticator). That is the only remotely secure 2FA other than actual dedicated U2F devices. If your mail provider doesn't offer proper auth then change the provider!
How many of the people here actually even use a second auth method on their e-mail? would a script kiddie go to the length to try and circumvent a sms authentication? man i am just a gamer not a specific target :) Or at least i hope that
in the end i will use a top secure service and lose the authenticator and lose my accounts this way lol
Syndicate - K5-JRD
Home to few, graveyard for many
My biggest achievement
|
|
Linus Gorp
Ministry of Propaganda and Morale
1578
|
Posted - 2017.06.16 18:15:22 -
[21] - Quote
Nalia White wrote:How many of the people here actually even use a second auth method on their e-mail?
I can tell you that I don't. I'm administrating my own mail server and I care a lot more about keeping that tightened up than about the possibility of someone really managing to crack a random 120-byte string. But I'm also an itsec professional and have the knowledge to keep my infrastructure reasonably secure. 2FA is definitely worth it for average Joe.
Nalia White wrote:would a script kiddie go to the length to try and circumvent a sms authentication? man i am just a gamer not a specific target :)
Script kiddies are too dumb for that. All they can do is use tools and run scripts written by others without any understanding about them or the underlying techniques. Script kiddies are no threat to anyone remotely intelligent.
Nalia White wrote:already wrote everything down just a post above you. would be happy to get a clue my friend. :) 3 month old unique password 12 letters, one upper, 2 digits, a small sentence in my native language (swiss german, only a spoken language, so the words are not in any dictionary :)) it's clear my e-mail got breached, i just have not a clue how... just checked, of course the login site would shut down after some attempts so brute force should be out... on the site https://haveibeenpwned.com/ only my e-mail is there, not one of my usernames what i have done: searched the 2 computers i use for logging in to my mail for threats to no avail... enabling sms authentication on e-mail, should do the trick for the future changed password again... this time to something i have to write down and pin it at my pinwall :) sadly country blocking is not available for my e-mail service or for eve online yeah i have all my gaming services on this one e-mail...
That doesn't really tell me anything useful, short of the fact that you were registered on one or more websites that have been breached. Since you claim to have used a unique password for your mail account, it's unlikely that's the cause.
You can scan your PC for viruses all you want. Almost all AV solutions are junk that don't reduce the attack vector, but increase it by an exponential factor.
So let's go down the checklist.
- Is your OS up-to-date with the latest patches?
- Do you have an adblocker installed? (Seriously, that is THE #1 source for malware; If not, install UBlock Origin a.s.a.p.)
- Do you have an Intel CPU with AMT (active management technology) provisioned?
- Have you opened any dubious emails?
- Remember someone claiming to be customer service, technician, w/e, asking for your passwords or personal information? (Social engineering attempts)
- Browser up-to-date?
There are way more attack vectors than I could possibly list here, but these are among the most common ones.
When you don't know the difference between there, their, and they're, you come across as being so uneducated that your viewpoint can be safely dismissed. The literate is unlikely to learn much from the illiterate.
|
Nalia White
Tencus
255
|
Posted - 2017.06.16 18:40:13 -
[22] - Quote
Linus Gorp wrote:Nalia White wrote:How many of the people here actually even use a second auth method on their e-mail? So let's go down the checklist.
- Is your OS up-to-date with the latest patches?
- Do you have an adblocker installed? (Seriously, that is THE #1 source for malware; If not, install UBlock Origin a.s.a.p.)
- Do you have an Intel CPU with AMT (active management technology) provisioned?
- Have you opened any dubious emails?
- Remember someone claiming to be customer service, technician, w/e, asking for your passwords or personal information? (Social engineering attempts)
- Browser up-to-date?
There are way more attack vectors than I could possibly list here, but these are among the most common ones.
Thanks for your time. It's very much appreciated. As said I work in IT my whole life and while I am no expert in security (didn't know about the AMT vulnerability, thanks a lot for this, will have to look at it at work too!) i know how to handle myself :)
- OS is win10 home always updated. in the company it's still windows 7 over wsus with staggered updates so yeah, not so good i know...
- no adblocker. I use noscript for an always uptodate firefox. in the company nothing... I will have a look into that, thank you
- my cpu is fine at home. I checked it with the intel tool. have to check at work too. Again, thanks a lot for this!
- the last points i know to handle well. but funny enough once an uncle once got called by a supposed microsoft technician... crazy times...
I rarely even use my private e-mail in the company and now that i have such a complex password that i had to write it down it's even better so i will never log in anyway.
Syndicate - K5-JRD
Home to few, graveyard for many
My biggest achievement
|
Linus Gorp
Ministry of Propaganda and Morale
1578
|
Posted - 2017.06.16 19:28:53 -
[23] - Quote
Nalia White wrote:I rarely even use my private e-mail in the company and now that i have such a complex password that i had to write it down
https://www.keepassx.org/
When you don't know the difference between there, their, and they're, you come across as being so uneducated that your viewpoint can be safely dismissed. The literate is unlikely to learn much from the illiterate.
|
Aedaxus
Digital Zone Corp
85
|
Posted - 2017.06.17 09:41:56 -
[24] - Quote
Linus Gorp wrote:Nalia White wrote:I rarely even use my private e-mail in the company and now that i have such a complex password that i had to write it down https://www.keepassx.org/
That is the security equivalent of posting it on Facebook. |
Axhind
Eternity INC. Goonswarm Federation
371
|
Posted - 2017.06.17 10:32:35 -
[25] - Quote
Aedaxus wrote:Linus Gorp wrote:Nalia White wrote:I rarely even use my private e-mail in the company and now that i have such a complex password that i had to write it down https://www.keepassx.org/ That is the security equivalent of posting it on Facebook.
While it is true that android is a security disaster it is far more difficult to breach his exact android phone than it is to brute force bad passwords that humans can remember.
In this case it is better to use keepass on the phone (better would be on a PC which is far easier to secure than android) than the alternative. |
Linus Gorp
Ministry of Propaganda and Morale
1581
|
Posted - 2017.06.17 17:17:32 -
[26] - Quote
Axhind wrote:While it is true that android is a security disaster it is far more difficult to breach his exact android phone than it is to brute force bad passwords that humans can remember.
In this case it is better to use keepass on the phone (better would be on a PC which is far easier to secure than android) than the alternative.
KeepassX doesn't run on Android.
Aedaxus wrote:That is the security equivalent of posting it on Facebook.
I'm sorry, what? Does the clueless person have anything meaningful to say, or is spreading idiotic misinformation all you're good for?
When you don't know the difference between there, their, and they're, you come across as being so uneducated that your viewpoint can be safely dismissed. The literate is unlikely to learn much from the illiterate.
|
Axhind
Eternity INC. Goonswarm Federation
371
|
Posted - 2017.06.17 20:16:14 -
[27] - Quote
Linus Gorp wrote:Axhind wrote:While it is true that android is a security disaster it is far more difficult to breach his exact android phone than it is to brute force bad passwords that humans can remember.
In this case it is better to use keepass on the phone (better would be on a PC which is far easier to secure than android) than the alternative. KeepassX doesn't run on Android.
My bad. I mixed it up with the android version. Anyway keepass is excellent software that I also use and I have no idea why anyone would not use it. Offline password manager is far safer than online ones like lastpass.
|
Aedaxus
Digital Zone Corp
85
|
Posted - 2017.06.17 21:07:59 -
[28] - Quote
Linus Gorp wrote:Aedaxus wrote:Linus Gorp wrote:https://www.keepassx.org/ That is the security equivalent of posting it on Facebook. I'm sorry, what? Does the clueless person have anything meaningful to say, or is spreading idiotic misinformation all you're good for?
One small vulnerability will make your heart bleed. Open source is something I like, but make sure it's funded enough to put secrets behind. But yes, "clueless person" is a good technical explanation why it is secure. Good job...
|
Axhind
Eternity INC. Goonswarm Federation
371
|
Posted - 2017.06.17 23:54:29 -
[29] - Quote
Aedaxus wrote:Linus Gorp wrote:Aedaxus wrote:Linus Gorp wrote:https://www.keepassx.org/ That is the security equivalent of posting it on Facebook. I'm sorry, what? Does the clueless person have anything meaningful to say, or is spreading idiotic misinformation all you're good for? One small vulnerability will make your heart bleed. Open source is something I like, but make sure it's funded enough to put secrets behind. But yes, "clueless person" is a good technical explanation why it is secure. Good job...
Are you on drugs or something? You are not making any sense whatsoever. Where is this fancy security issue you are talking about? Heart bleed was in OpenSSL not in keepass. |
Aedaxus
Digital Zone Corp
85
|
Posted - 2017.06.18 00:10:34 -
[30] - Quote
Axhind wrote:Aedaxus wrote:Linus Gorp wrote:Aedaxus wrote:Linus Gorp wrote:https://www.keepassx.org/ That is the security equivalent of posting it on Facebook. I'm sorry, what? Does the clueless person have anything meaningful to say, or is spreading idiotic misinformation all you're good for? One small vulnerability will make your heart bleed. Open source is something I like, but make sure it's funded enough to put secrets behind. But yes, "clueless person" is a good technical explanation why it is secure. Good job... Are you on drugs or something? You are not making any sense whatsoever. Where is this fancy security issue you are talking about? Heart bleed was in OpenSSL not in keepass.
Yes, I am a clueless, dumb, on drugs and not making sense. Let me have another drink of vodka and explain before I pass out ;
OpenSSL = Open Source
Keepassx = Open Source
Heartbleed was caused by lack of funding.
That was probably too hard for you IT Security specialists from CIA/NSA/HomeLand I guess Obama put you guys in charge to fend off the Russian Hackers in the recent elections, right? How did that go? I am too dumb to google that.
Isn't this EVE Online? I should only say "Here's google. Bleep you!" and you guys figure it out all by yourselves, right? Right? ;)
|