Phishing Questions or Comments?

in Account & Technical Support

Posted by: Gaile Gray

ArenaNet Communications Manager

As you may have noticed, we posted an informational thread in News and Announcements on the topic of account security and recent phishing attempts. There’s new info there, and you may have questions or concerns about the topic.

So this thread is designed as a space for you to ask questions, share suggestions or tips, and generally discuss the issue of phishing. (That’s “phishing” and not “fishing.” The latter is a topic for a whole different sub-forum.)

Gaile Gray
Communications Manager
Guild & Fansite Relations; In-Game Events
ArenaNet

(edited by Gaile Gray.6029)

Posted by: Healix.5819
2FA isn’t actually going to help against phishing, since the attacker will just ask for the code, which they only need once to remember their IP. If you want to stop phishing, the original email authentication was the best bet, since you had to actually click a link to login, meaning the user couldn’t screw it up. It just needed a bigger focus on the login location.

The default email authentication is actually just as good as 2FA, because your email is the weakest link either way. If your email is compromised, 2FA isn’t going to make a difference because your email likely contains enough information to phish support into giving away access. If you actually want to secure your account, putting 2FA on your email is far more important. After securing your email, ensure that no forwarding or recovery options have been set up to create a backdoor into your account.

(edited by Healix.5819)

Posted by: Gaile Gray

ArenaNet Communications Manager

2FA isn’t actually going to help against phishing, since the attacker will just ask for the code, which they only need once to remember their IP. If you want to stop phishing, the original email authentication was the best bet, since you had to actually click a link to login, meaning the user couldn’t screw it up. It just needed a bigger focus on the login location.

The default email authentication is actually just as good as 2FA, because your email is the weakest link either way. If your email is compromised, 2FA isn’t going to make a difference because your email likely contains enough information to phish support into giving away access. If you actually want to secure your account, putting 2FA on your email is far more important. After securing your email, ensure that no forwarding or recovery options have been set up to create a backdoor into your account.

That’s really interesting input, Healix. I’m glad you shared that. In turn, I’m going to point out these comments. I think it may well be worthwhile to mention 2FA for e-mails in our original message!

Gaile Gray
Communications Manager
Guild & Fansite Relations; In-Game Events
ArenaNet

Posted by: Frasse.7549

An effective way to protect your domains (e.g. guildwars2.com) from email spoofing etc. used in phishing is to use SPF, DKIM and DMARC.

Each contributes to protecting the domain in different ways:

SPF (Sender Policy Framework) is a DNS text entry which shows a list of servers that should be considered allowed to send mail for a specific domain.
Protects domain in “Mail From”.

DKIM (DomainKeys Identified Mail) is a method to verify that a message’s content is trustworthy, meaning that it wasn’t changed from the moment the message left the initial mail server.
Protects against modified content in mail.

DMARC (Domain-based Message Authentication, Reporting, and Conformance) helps senders and receivers work together to create more secure email communications. It enables the message sender to indicate that their messages are protected with SPF and/or DKIM, and gives clear instructions for the message receiver to follow if an email does not pass SPF or DKIM authentication.
Protects domain in “From Header” (Sender) and more.
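To make the division of labour between the three mechanisms concrete, here is an added example (not code from the forum post, and nothing to do with ArenaNet’s real DNS) that evaluates SPF for a sending IP and then applies DMARC’s identifier-alignment rule on top of it. The DNS records, domain names and IP addresses are constructed for illustration; `org_domain()` is a simplified stand-in for the Public Suffix List, and SPF `include:`, `a` and `mx` terms are not modelled. The point it shows is the one made above: SPF alone only vouches for the envelope “Mail From” domain, so a sender who passes SPF for their own domain can still put someone else’s name in the visible From header; DMARC closes that gap by requiring the SPF- or DKIM-authenticated domain to align with the header From.

```python
import ipaddress

# Constructed DNS TXT records for the example (not real records for any live domain).
DNS_TXT = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc-reports@example.com"],
    "attacker.example": ["v=spf1 ip4:203.0.113.0/24 -all"],   # a domain the phisher controls
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name):
    """Stand-in for a DNS TXT query; returns [] when the name does not exist."""
    return DNS_TXT.get(name, [])


def check_spf(domain, sender_ip):
    """Evaluate the domain's SPF record against the connecting IP.

    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none' (no SPF record).
    Only ip4/ip6 terms and the 'all' terminator are handled here.
    """
    records = [r for r in lookup_txt(domain) if r.startswith("v=spf1")]
    if not records:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIER_RESULT[qualifier]
        if term.startswith(("ip4:", "ip6:")):
            network = ipaddress.ip_network(term.split(":", 1)[1], strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIER_RESULT[qualifier]
    return "neutral"  # record ended without an 'all' term


def org_domain(domain):
    """Simplified organisational domain: last two labels (real code uses the PSL)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(authenticated_domain, header_from, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if mode == "s":
        return authenticated_domain.lower() == header_from.lower()
    return org_domain(authenticated_domain) == org_domain(header_from)


def parse_tags(record):
    """Split a 'k=v; k=v' style DMARC record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def dmarc_record(header_from):
    """Find the DMARC policy for the header From domain, falling back to its org domain."""
    for name in (header_from, org_domain(header_from)):
        for record in lookup_txt("_dmarc." + name):
            if record.startswith("v=DMARC1"):
                return parse_tags(record)
    return None


def evaluate_dmarc(header_from, mail_from, sender_ip, dkim_domain=None, dkim_pass=False):
    """Return (disposition, reason). dkim_pass/dkim_domain stand in for a real DKIM verifier."""
    policy = dmarc_record(header_from)
    if policy is None:
        return ("none", "no DMARC record published for %s" % header_from)
    spf_result = check_spf(mail_from, sender_ip)
    spf_aligned = spf_result == "pass" and aligned(mail_from, header_from, policy.get("aspf", "r"))
    dkim_aligned = bool(dkim_pass and dkim_domain) and aligned(dkim_domain, header_from, policy.get("adkim", "r"))
    if spf_aligned or dkim_aligned:
        return ("pass", "spf=%s dkim=%s, at least one aligned with %s" % (spf_result, dkim_pass, header_from))
    return (policy.get("p", "none"),
            "spf=%s for %s, dkim=%s; neither aligned with header From %s" % (spf_result, mail_from, dkim_pass, header_from))


if __name__ == "__main__":
    # Legitimate mail from the domain's own server.
    print(evaluate_dmarc("example.com", "example.com", "192.0.2.10"))
    # Phisher passes SPF for attacker.example but forges example.com in the From header.
    print(evaluate_dmarc("example.com", "attacker.example", "203.0.113.5"))
    # Forwarded mail: SPF breaks, but a surviving DKIM signature keeps alignment.
    print(evaluate_dmarc("example.com", "forwarder.example", "198.51.100.1", "example.com", True))
```

In the second scenario `check_spf("attacker.example", "203.0.113.5")` returns `pass`, which is exactly why SPF by itself does not stop the forged From header; the `reject` comes from DMARC noticing that the passing domain is not the one shown to the user. The third scenario is why DKIM matters alongside SPF: a forwarder changes the envelope sender and IP, but the signature still binds the content to example.com.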

Posted by: shadow.6174

Well, for basic users I don’t think there is more to say than what was already said, but thanks for bringing this subject to attention again, and I see some nice technical stuff here.

It’s still sad, though, how many people are still fooled by these “so obvious” (yes, it doesn’t need too much effort to see that something is wrong with them) scams.