A disturbing coincidence

Bruttle

Space Marshal
Donor
Aug 20, 2016
664
2,547
2,600
RSI Handle
Bruttle
So I had a bit of an issue with my phone and had to get my authentication switched on my RSI account. I put a ticket together, making sure to add in the bits they needed, and went to bed (caveat: I couldn't log into my account so the ticket was submitted from their basic site). The next morning I checked on the status and discovered a huge issue. The email address that I used for my RSI account had an unauthorized login attempt 3 hours after I put in the request. 2 + 2 = 4

I know it's not definitive proof. Far from it. However, after zero issues for years (on any email), after a fresh OS install (literally wiped and upgraded 3 days ago), after having really good internet hygiene, I get someone chasing my account mere hours after putting in a ticket. That is definitely a disturbing coincidence.

So the moral of the story is: Even if you do everything right, there is some shady sh!t going on out there. Make sure you use EVERY security measure available. Chances are if a company has two-factor, they rely on it to make things secure. You should too. I firmly believe that my account would have been compromised if it weren't for that.
 

Wolfy

Space Kitty
Donor
Apr 27, 2017
2,190
8,602
2,860
RSI Handle
Wolfy_Alexstrasza
Two Factor Security, Secure Passwords, Multiple Passwords/Emails. All these are super important. I also recommend running your email through https://haveibeenpwned.com/ to see if it has ever been compromised and if so take steps to safeguard your info.

(Really simple stuff keeps you safe. Just my experience as an analyst in the security field)
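Wolfy's haveibeenpwned.com suggestion also covers passwords, and the way the Pwned Passwords "range" API is designed is worth seeing in code because it lets you check a password without ever sending it to the service. The block below is an added example, not code from the thread: it hashes the password with SHA-1, sends only the first five hex characters of the digest to `https://api.pwnedpasswords.com/range/<prefix>` (k-anonymity), and matches the remaining 35 characters locally against the returned bucket. The bucket contents used here are constructed so the demo runs offline; the breach counts in it are made up.

```python
"""Added example, not code from the thread: checking a password against the
haveibeenpwned.com Pwned Passwords range API using k-anonymity.

The client hashes the password with SHA-1 and sends only the first five hex
characters of the digest. The server answers with every known suffix in that
bucket plus a breach count, and the comparison happens locally, so neither the
password nor its full hash leaves the machine. The sample bucket below is
constructed (counts are made up) so the demo runs without network access."""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str) -> tuple:
    """Uppercase SHA-1 hex digest split into the 5-char prefix that is sent
    and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines as the range endpoint returns them."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """Number of breaches the password appeared in; 0 when not in the bucket."""
    _, suffix = split_hash(password)
    return parse_range_response(range_body).get(suffix, 0)


def is_safe_to_use(password: str, range_body: str) -> bool:
    """A password seen in any breach should be rejected at signup or rotation."""
    return breach_count(password, range_body) == 0


def fetch_range(prefix: str) -> str:
    """Live lookup (needs network). Only the 5-character prefix is sent."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "pwned-range-demo"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample bucket for prefix 5BAA6 (the bucket the weak password
# "password" falls into): its real suffix plus two made-up filler entries.
_, _KNOWN_SUFFIX = split_hash("password")
SAMPLE_RANGE_BODY = "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",
    _KNOWN_SUFFIX + ":3861493",
    "011053FD0102E94D6AE2F8B83D76FAF94F6:3",
])

if __name__ == "__main__":
    # A real client would fetch the bucket for each password's own prefix;
    # the demo reuses one constructed bucket, so the second password is
    # simply absent from it.
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", breach_count(pw, SAMPLE_RANGE_BODY), "breach(es)")
```

In a live client you would call `fetch_range(prefix)` with the prefix from `split_hash` and pass the body to `breach_count`; the service never learns which of the several hundred suffixes in the bucket you were interested in.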
 

NaffNaffBobFace

Space Marshal
Donor
Jan 5, 2016
12,248
45,044
3,150
RSI Handle
NaffNaffBobFace
One last check would be a query with Customer Services to ask if their work on the account didn't create a false-positive :)

But yes, I know what you mean. I always used to get security warnings that someone in Germany was trying to access my email account. Transpired that's where the servers my tablet's web-mail app uses are based.
 

DirectorGunner

Space Marshal
Officer
Donor
Sep 17, 2016
2,911
12,710
2,900
RSI Handle
DirectorGunner
I NEVER use a mobile device to log into important websites via a mobile browser.. at most only via the app built by said company. Since CIG does not have an app yet.. it's simple.. don't use your mobile device's mobile browser (weak sauce technology still) to log into any important website. Get a netbook or some kind of easy to transport laptop device with a FULL operating system on it.
 

SpudNyk

Space Marshal
Donor
Jun 19, 2016
886
3,435
2,650
RSI Handle
spudnyk
I NEVER use a mobile device to log into important websites via a mobile browser.. at most only via the app built by said company. Since CIG does not have an app yet.. it's simple.. don't use your mobile device's mobile browser (weak sauce technology still) to log into any important website. Get a netbook or some kind of easy to transport laptop device with a FULL operating system on it.
Never had an issue using mobile to manage my account, aside from some poor optimization for mobile on the CIG website. It is a lot easier to manage and use on the desktop for sure, but any fault in the tech is from the website, not the browser. Annoyingly enough a lot of apps are just wrappers around a mobile version of the site's website and don't provide any better security than the browser.

What is important is security practices - especially on public networks, use https (and heed certificate warnings) wherever possible (all decent sites nowadays should force usage). Definitely use two factor authentication, if available (some forms are better than others but they're all better than not at all). Use a password manager, so you can easily use a different password on each website you use.
 

Shadow Reaper

Space Marshal
Jun 3, 2016
5,448
15,107
2,975
RSI Handle
Shadow Reaper
I NEVER use a mobile device to log into important websites via a mobile browser.. at most only via the app built by said company. Since CIG does not have an app yet.. it's simple.. don't use your mobile device's mobile browser (weak sauce technology still) to log into any important website. Get a netbook or some kind of easy to transport laptop device with a FULL operating system on it.
Are email accounts easier to hack when you access them from a smartphone?
 

Bambooza

Space Marshal
Donor
Sep 25, 2017
5,782
18,311
2,875
RSI Handle
MrBambooza
You have to remember most of the email/password compromises are not done at the personal level but at the destination level as the millions of accounts they can acquire are far more valuable. So you really only have two options. Create a new email address at every site you sign into and/or use a new password every month. While changing your password will not prevent your account being compromised at the destination level it will prevent your account from being used by third parties who buy account information.
 

Xist

Moderator
Staff member
Officer
Donor
Jan 16, 2016
903
2,654
1,650
RSI Handle
Xist
You have to remember most of the email/password compromises are not done at the personal level but at the destination level as the millions of accounts they can acquire are far more valuable. So you really only have two options. Create a new email address at every site you sign into and/or use a new password every month. While changing your password will not prevent your account being compromised at the destination level it will prevent your account from being used by third parties who buy account information.
Agreed. You really should use a unique password for every site/app/service.

There are some great password managers out there that will help you do this. Research them and choose a secure one with the feature set you think you need.
 

SpudNyk

Space Marshal
Donor
Jun 19, 2016
886
3,435
2,650
RSI Handle
spudnyk
You have to remember most of the email/password compromises are not done at the personal level but at the destination level as the millions of accounts they can acquire are far more valuable. So you really only have two options. Create a new email address at every site you sign into and/or use a new password every month. While changing your password will not prevent your account being compromised at the destination level it will prevent your account from being used by third parties who buy account information.
Just want to add and reiterate to not reuse passwords across accounts; that way if one account is compromised, your others won't be too. If your e-mail is compromised they can use that to reset passwords etc. on accounts connected to it. So be doubly sure that your e-mail accounts' passwords are unique and enable any extra protections on it.
 

DirectorGunner

Space Marshal
Officer
Donor
Sep 17, 2016
2,911
12,710
2,900
RSI Handle
DirectorGunner
Never had an issue using mobile to manage my account, asides from some poor optimization for mobile on the CIG website..

Having.. well... let's just say I have some experience with things years ago that allow you to listen in on phone calls and remotely login whenever you want to see through the camera or listen via speaker (authorized). All it took was access to a phone for less than 5 minutes. I have reason to be paranoid, for accessing anything with less than bank level encryption and security.. if it has value (like my SC account) then I'm 100% #NOPE to risking unauthorized access even with 2FA. It's one of the reasons I won't use cloud gaming. But that's only with the game client... what's worse is if someone gets your password and hijacks your login cookies. If I'm not mistaken it's a vector that can bypass 2FA. With your password and a valid login session string (not sure if CIG uses IP as a secondary cookie security validation.. but probably not)... with this anyone can gift out all your pledges before you get a chance to login and change your password.

Luckily, supposedly.. CIG can fix these kind of issues eventually but it's not worth going through that kind of experience imo.

P.S. I've gained access to people's gmail accounts before (authorized security test). Do NOT answer the security questions with the real answers.... One guy I got into all his accounts minus his lifelock account because I didn't have his social yet. Though I could have human engineered him for that last four of his social easy enough. Was a real learning experience for him after his security audit. Point being... shit is scary man.. people don't think like I'd expect / hope.
 

SpudNyk

Space Marshal
Donor
Jun 19, 2016
886
3,435
2,650
RSI Handle
spudnyk
Having.. well... let's just say I have some experience with things years ago that allow you to listen in on phone calls and remotely login whenever you want to see through the camera or listen via speaker (authorized). All it took was access to a phone for less than 5 minutes. I have reason to be paranoid, for accessing anything with less than bank level encryption and security.. if it has value (like my SC account) then I'm 100% #NOPE to risking unauthorized access even with 2FA. It's one of the reasons I won't use cloud gaming. But that's only with the game client... what's worse is if someone gets your password and hijacks your login cookies. If I'm not mistaken it's a vector that can bypass 2FA. With your password and a valid login session string (not sure if CIG uses IP as a secondary cookie security validation.. but probably not)... with this anyone can gift out all your pledges before you get a chance to login and change your password.

Luckily, supposedly.. CIG can fix these kind of issues eventually but it's not worth going through that kind of experience imo.

P.S. I've gained access to people's gmail accounts before (authorized security test). Do NOT answer the security questions with the real answers.... One guy I got into all his accounts minus his lifelock account because I didn't have his social yet. Though I could have human engineered him for that last four of his social easy enough. Was a real learning experience for him after his security audit. Point being... shit is scary man.. people don't think like I'd expect / hope.
Back in the day session cookies were sent over https and http (dumb move, fortunately not practiced on most sites anymore) this made sessions very very easy to hijack with network sniffing. Facebook was very vulnerable to this a long time ago. Modern WiFi now at least encrypts per client so local network sniffing is a lot harder (though of course don’t trust a public router). Fortunately CIG requires a password to gift/melt every time. Also I’ve seen desktops rooted with a USB key as fast too, plus all the stuff people literally hide in usb cables to intercept keys, network etc. basically whatever you use, keep it locked down as much as you can. Websites should stick to https only. All that being said practice good security, don’t reuse passwords, being paranoid is also a good thing too!

P.S. I need my password manager for my security questions, it’s all random stuff. Also have a locked safe with an account recovery kit (backup codes etc) for all your important accounts.
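The two posts above describe the same failure mode from both sides: a session cookie that a site also sends over plain http can be captured on the network and replayed, and a replayed session skips 2FA entirely because the login already happened. The block below is an added example, not code from the thread or from CIG: it audits `Set-Cookie` headers the way a defender (or a site owner checking their own responses) would, flagging a session cookie that lacks `Secure`, `HttpOnly`, `SameSite`, or the `__Host-` prefix, and shows the weak form beside the hardened one. The headers it inspects are constructed samples.

```python
"""Added example, not from the thread: a defender-side audit of Set-Cookie
headers for session cookies. Flags the attributes whose absence makes the
network-sniffing and replay scenario described above possible. All headers
below are constructed samples, not captured from any real site."""
import re

# Cookie names that usually carry an authenticated session.
SESSION_NAME_HINT = re.compile(r"(sess|sid|token|auth|login)", re.IGNORECASE)


def parse_set_cookie(header: str) -> tuple:
    """Split a Set-Cookie value into (name, value, {attribute_lower: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_session_cookie(header: str) -> list:
    """Return a list of findings; an empty list means the cookie is hardened."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie is also sent over plaintext http "
                        "and can be sniffed and replayed")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: injected script can read the cookie")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: cookie rides along on "
                        "cross-site requests (CSRF)")
    if not name.startswith("__Host-"):
        findings.append("no __Host- prefix: a subdomain or http origin could "
                        "overwrite the cookie")
    if "domain" in attrs:
        findings.append("Domain set: cookie is shared with every subdomain")
    return findings


def audit_response_headers(headers: list) -> dict:
    """Audit every Set-Cookie in a response whose name looks like a session."""
    report = {}
    for hdr_name, hdr_value in headers:
        if hdr_name.lower() != "set-cookie":
            continue
        name, _, _ = parse_set_cookie(hdr_value)
        if SESSION_NAME_HINT.search(name):
            report[name] = audit_session_cookie(hdr_value)
    return report


# Constructed samples: the old way, and the hardened form.
WEAK_COOKIE = "sid=3f9a1c; Path=/; Domain=example.com"
HARDENED_COOKIE = ("__Host-sid=3f9a1c; Path=/; Secure; HttpOnly; "
                   "SameSite=Lax; Max-Age=3600")
SAMPLE_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", WEAK_COOKIE),
    ("Set-Cookie", "theme=dark; Path=/"),   # preference cookie, not audited
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]

if __name__ == "__main__":
    for label, cookie in (("weak", WEAK_COOKIE), ("hardened", HARDENED_COOKIE)):
        print(label, "->", audit_session_cookie(cookie) or ["ok"])
    print(audit_response_headers(SAMPLE_RESPONSE))
```

`Secure` is the attribute that closes the sniffing hole SpudNyk describes, and the `Strict-Transport-Security` header in the sample response is what makes "https only" stick in the browser; the other findings cover the neighbouring ways a session cookie leaks or gets abused. Whether a site also binds the session to IP or re-prompts for the password on sensitive actions is a separate server-side control this audit cannot see from the headers.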
 

Bruttle

Space Marshal
Donor
Aug 20, 2016
664
2,547
2,600
RSI Handle
Bruttle
This could have been your problem. What issue did you have with your phone?
My phone fried due to a sharp spike in internal humidity.... So I don't think the two are related.

The real problem is, nothing is safe. Not your information. Not your house. Not even your identity. If someone clever devotes enough time and effort, there is absolutely nothing you can do to stop it. Between people oversharing information, social engineering, and unsecured information, it's not even really that hard.

Honestly, the most effective security measure is that you are just one fish in a huge ocean of information. Unless you are famous, rich, or both, you look like every other fish in that ocean. So unless someone with that skill set specifically picks you out of the crowd and says "I'm going to fuck with that fish right there." You're fairly safe. If for some reason that scenario does play out though, you'd better stock up on lube cause there's not much you can do.
 

Shadow Reaper

Space Marshal
Jun 3, 2016
5,448
15,107
2,975
RSI Handle
Shadow Reaper
You have to remember most of the email/password compromises are not done at the personal level but at the destination level as the millions of accounts they can acquire are far more valuable. So you really only have two options. Create a new email address at every site you sign into and/or use a new password every month. While changing your password will not prevent your account being compromised at the destination level it will prevent your account from being used by third parties who buy account information.
Well I don't do this, but there is precious little I do that is confidential. I do have a second email address for work, and I never access it from my phone because of my paranoia about snooping. So long as I keep that separate and don't use the phone to access it, it should remain safe?
 

DirectorGunner

Space Marshal
Officer
Donor
Sep 17, 2016
2,911
12,710
2,900
RSI Handle
DirectorGunner
Suggestions for others:
  • Use different email addresses for different tiers of accounts (important accounts don't use the same email as say your linkedin account).
  • Use different passwords for every single account, and different security answers that are never the answer to the actual questions.
  • Use 2FA
  • Keep OS up to date
  • Use very good firewall tools and software, but this doesn't stop kernel level attack vectors
  • Do NOT use cloud based password managers, that defeats the actual purpose of a password manager
  • NEVER... and I mean NEVER... give any private info to anything or anyone who cold calls or emails you. Like someone pretending to be with your bank. It

Additional steps the super paranoid can do:
  • Encrypt your entire PC data storage solutions
  • Have a 2nd sort of "burner" phone for some 2FAs, they're really cheap now.
  • Use fake bio info and keep your real identity separate from your gaming identity.
  • Don't use real pics of yourself anywhere online
  • Never live stream or do videos with your real voice and real face or actual background (say stuff in your room or office)
  • Always use one or more private VPNs to access anything online
  • Use fake real info for weak security accounts like your cell phone, so that it's harder to human engineer customer support idiots from compromising your account.
  • Join hack communities to keep yourself in the loop as best you can
  • IF at all, use a private TRUST for every public record... once your real info is found out... if you have any public records matching that info... you are now vulnerable to an attack. You'd be surprised how many public records include your home address and or cell phone number.
  • Don't get married

I'm past the point of no return of mixing my real ident with my gaming ident years ago because of YouTubing and streaming....
But some of you can still do a lot now to give yourself extra layers of protection... double condom that biznitch.. the internet is dirty.
 

Bambooza

Space Marshal
Donor
Sep 25, 2017
5,782
18,311
2,875
RSI Handle
MrBambooza
Honestly, the most effective security measure is that you are just one fish in a huge ocean of information. Unless you are famous, rich, or both, you look like every other fish in that ocean. So unless someone with that skill set specifically picks you out of the crowd and says "I'm going to fuck with that fish right there." You're fairly safe. If for some reason that scenario does play out though, you'd better stock up on lube cause there's not much you can do.
Truth. Security through anonymity.
 

NaffNaffBobFace

Space Marshal
Donor
Jan 5, 2016
12,248
45,044
3,150
RSI Handle
NaffNaffBobFace
My phone fried due to a sharp spike in internal humidity....
That's the best way I've ever seen of saying "I dropped it in the toilet".

Mrs. 'Bobface once put my phone through the washing machine. Its internal humidity went to 100% very quickly - It was okay though, it only cost £10 as did its replacement.
 

Bambooza

Space Marshal
Donor
Sep 25, 2017
5,782
18,311
2,875
RSI Handle
MrBambooza
That's the best way I've ever seen of saying "I dropped it in the toilet".

Mrs. 'Bobface once put my phone through the washing machine. Its internal humidity went to 100% very quickly - It was okay though, it only cost £10 as did its replacement.
Was she just trying to destroy the gf phone?
 