(edited by Lord Kuru.3685)
GW2 Mobile authentication
God I hate these forums sometimes. God kitten pain in the kitten “something went wrong” error.
Anyways, tell your friend to change the email account’s password, the email associated with the guild wars account (a brand new email account), and change the guild wars account password. In that order. The only way to bypass the auth system in place is by having access to that user’s email account, which also explains the lack of email regarding it. It was likely deleted.
Nope. Email account was not hacked. Computer came up clean on scan, but more importantly, email login records show no suspicious activity (we know the account was hacked in a specific 3 hour time interval so unmodifiable email login records were all available for viewing).
Mobile authentication does not send you a mail, you just need to type the code that’s on the phone. I don’t think you can remove it if you don’t have the phone but I guess CS can do that for you.
You also don’t get email confirmation that you’ve set it up.
Does that mean all I would need to set it up is the game password? So a hacker could:
- Get my password.
- Set up mobile authentication to his own cellphone.
- Authorize their IP address.
- Login to my game account and steal everything.
Whereas without the existence of mobile authentication, they would have had to also steal my email password in order to authorize their IP address?
Only if you had enabled email authentication. Which everyone should have enabled (one or the other) at Account creation.
You need both the Account Name and password to set up Mobile Authentication. If they can easily steal the password to the game account, they can probably just as easily steal the password to any email account associated with said game, I would think.
Pretty much, yes. It’s kind of an issue really, there should be a barrier protecting you from them abusing the mobile authentication. A mail confirmation, for instance :p
they can probably just as easily steal the password to any email account associated with said game, I would think.
Not necessarily, and in any case it’s still one more step for them so it’s good anyway.
(edited by Uhtameit.2413)
It’s best to use an Account Name that is not used for any other purpose. No mail from anywhere, not even Guild Wars, ArenaNet or NCSoft. Then you will not get phishing mails, or most likely, any kind of hacking attempts.
So if you don’t have mobile authentication set up (but do have email authentication) then all hackers need to get into your account is your account password?
That seems very insecure. If you have email authentication set up, why is there no email confirmation requested when you set up mobile authentication?
As for having to steal both gw2 and email passwords. It’s definitely harder to get both than just to get one. They did not get his email password. All they had was his GW2 password (assuming they had that and didn’t get through some other way).
The ‘hackers’ would also need the Account Name. And the password for the email account Email Authentication is using. Using a common Account Name and password can cause problems. The password is only half of the security. If you have no Authentication of any kind on your account, they only need know Account Name and password, yes. Pretty sure we all knew that.
To access ‘My Account’ you need only the Account Name and password.
Maybe your friend would find this thread enlightening: https://forum-en.gw2archive.eu/forum/support/account/Account-Security-What-you-need-to-know/first#post3884132
(edited by Inculpatus cedo.9234)
If you have no Authentication of any kind on your account, they only need know Account Name and password, yes. Pretty sure we all knew that.
The problem is that this seems to be false. If you have email authentication — which my friend did have — then it appears that hackers only need your password (and acct name) because they can bypass email authentication by setting up mobile authentication (which is what the hackers did).
This seems to me to be a major security loophole — especially since you think email authentication is protecting you, but it actually does nothing (insert Simpson’s “these goggles do nothing” image).
Only solution : use the mobile authenticator. If you don’t have a smartphone, well, uh, you’re screwed.
Seriously though there should be a mail confirmation, someone should suggest this to Anet. Maybe Gaile Gray will come around and see it.
I agree. So my account is virtually unprotected because I don’t have a smartphone either.
I’m not sure I understand. How can your account be unprotected if you are using an Account Name that has never been used anywhere before? Same with a good password? It’s not like hackers can brute-force these things if you have chosen thoughtfully. Your account will only be unprotected if you give your information out, by using it elsewhere.
Create an Account Name and password that has never been in existence before. Follow the Security Tips outlined in the Sticky.
In the event that they get the password + account name, the mail authentication can be bypassed by using the mobile authentication.
That’s the issue. There should be a mail confirmation that you wish to use mobile authentication.
That would not be a bad idea. Unless the email account is also compromised, which seems to happen often. Perhaps, Support or Security will add that to Mobile Authentication set-up.
Still, the best security will be having a secure Account Name and password.
Actually the best security is mobile authentication since you can’t bypass it without having the phone \o/
You supposedly have 2 layers of protection:
- Acct name, password
- Authentication (the purpose of which is to prevent non-recognized IPs from logging in)
Authentication comes in 2 forms:
- Email or
- Mobile
However, the problem is that email authentication can be bypassed.
The reason is that in order to set up mobile authentication, all that’s needed is acct name and password. Apparently, no email confirmation is required in order to set up mobile authentication.
This means if you are using email authentication:
If someone has your acct name and password, he can set up mobile authentication using his own cellphone. This allows him to login to your account, completely bypassing email authentication.
Edit: This is very bad because illusion of security is worse than no security.
(edited by Lord Kuru.3685)
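The bypass laid out in the two posts above (password-only enrollment of the mobile authenticator, then authorizing a new IP with the attacker's own device), as an added model that is not ArenaNet's code: the Account fields, the login rules and the require_email_confirm policy flag are assumptions made for the illustration, with the hardened policy showing the mail-confirmation step the thread asks for.

```python
# Added model of the design discussed in the thread (not ArenaNet code):
# enrolling the mobile authenticator needs only account name + password,
# so an attacker holding those can bind their own device and sidestep
# email authentication. Account fields and policy flag are assumptions.
from dataclasses import dataclass, field

@dataclass
class Account:
    name: str
    password: str
    email_auth: bool = True       # owner enabled email authentication
    mobile_device: str = ""       # device bound via mobile auth ("" = none)
    authorized_ips: set = field(default_factory=set)

def creds_ok(acct, name, password):
    return (name, password) == (acct.name, acct.password)

def enroll_mobile(acct, name, password, device, email_confirmed, require_email_confirm):
    """Bind a mobile device. Flawed policy: credentials only. Hardened
    policy: also require confirmation via the enrolled email factor."""
    if not creds_ok(acct, name, password):
        return False
    if require_email_confirm and acct.email_auth and not email_confirmed:
        return False
    acct.mobile_device = device
    return True

def login(acct, name, password, ip, email_confirmed=False, mobile_device=None):
    """After credentials, an unknown IP must be authorized by one enrolled
    factor. A code from the bound mobile device suffices, which is the
    bypass path: email authentication is never consulted."""
    if not creds_ok(acct, name, password):
        return False
    if ip in acct.authorized_ips:
        return True
    if acct.mobile_device and mobile_device == acct.mobile_device:
        acct.authorized_ips.add(ip)
        return True
    if acct.email_auth and email_confirmed:
        acct.authorized_ips.add(ip)
        return True
    return False

def attacker_with_password_only(require_email_confirm):
    """Thread scenario: attacker has name + password, not the mailbox.
    Returns True if the attacker ends up logged in from a new IP."""
    victim = Account("victim", "correct-horse")   # constructed sample account
    enroll_mobile(victim, "victim", "correct-horse", "attacker-phone",
                  email_confirmed=False, require_email_confirm=require_email_confirm)
    return login(victim, "victim", "correct-horse", "203.0.113.9",
                 mobile_device="attacker-phone")
```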
How about you use an Account Name and password that is very difficult to get? That would surely help.
First, you should make sure you use unique Account Names and password. Then, as extra security, Authentication. We have established that an email for Mobile would be even more security. But, surely, making sure your foundation is as secure as possible would be best. Don’t you agree? =)
That’s not the point. The point is that email authentication has a security flaw that makes it completely worthless.
Whether you have a good acct name or password is a completely different issue. It has no effect on whether this security flaw exists or not.
Come come, Lord Kuru. Inculpatus is not denying that flaw, just pointing out that there are steps to be taken for players too.
If I told you your burglar alarm was disconnected, would you tell me to buy a new door and lock?
He’s just saying that ArenaNet should do something about the alarm, but you should make sure your door and lock are good too. Nothing wrong with that.
But he’s saying that the door and lock have nothing to do with the alarm being broken.
That’s actually true, if someone gets your account name and password it’s entirely unrelated to your authentication.
Actually, she is saying it is always better to have a strong lock and door than to just rely on an alarm. Sometimes, the electricity goes out. =)
Do you think it left the door open on its way out?
But nobody is saying to just rely on the alarm.
We have yet to wait for an electrician to come by, in any case.
Sorry… this does sound a bit hostile.
Yes, you should practice good account and password security. On the other hand, Anet should make sure that email authentication can’t be trivially bypassed.