
Two-Factor Authentication Saved My Account


So, for the first time in the 5+ years I've been playing GW2, I had someone attempt to take over my account. I received a two-factor authentication code on my cell phone when I hadn't requested one. I immediately changed my password.

This is just a friendly reminder to check your security settings and implement two-factor authentication if you haven't already done so. Additionally, it might be a good practice to change your password if you haven't done that in a while.


@"kharmin.7683" said:

So, for the first time in the 5+ years I've been playing GW2, I had someone attempt to take over my account. I received a two-factor authentication code on my cell phone when I hadn't requested one. I immediately changed my password.

This is just a friendly reminder to check your security settings and implement two-factor authentication if you haven't already done so. Additionally, it might be a good practice to change your password if you haven't done that in a while.

There is validity in what you are saying; however, I wonder:

Did you stop to consider how they got your password in the first place?

This is directed at anyone not you OP.

Don't use the same password over and over.

I agree that changing it is a good idea. I would change it several times per year, at least once per quarter if you feel unsafe. In the end, though, it is not about feeling; you need to use all the means you have to protect yourself online, not just your account for this game.

2-factor auth is a good thing and should be used, but it can still be defeated. Granted, it makes it a lot harder, but social engineering is the way these days.

So delete your email and facebook accounts never use credit cards and make sure you get a good price on the bomb shelter because you need the extra money to buy another GW2 account when you get hacked :) (just kidding on all that but I am wearing a shirt that says "1984 George Orwell" on it. (That part I am not kidding about...))


@jbrother.1340 said:

There is validity in what you are saying however I wonder?

did you stop to consider how they got your password in the first place.

This is directed at anyone not you OP.

I'm not certain that my password was ever really compromised (although I have no evidence to the contrary) and that the alert was due to someone attempting to change it? Regardless, I agree that people should not repeat passwords for things that are extremely important to them. I'm an IT professional so I have a wide diversity of passwords, so much so that I have to use a password keeper to store them all, and I would also encourage everyone else to do the same.


@TheQuickFox.3826 said:

@"Zedek.8932" said:

I do not have a cellphone. And aNet does not offer any other validations. "GG" I guess?

Excelsior.

I've been using JAuth for Windows. It uses the same protocol as the Google Authenticator and does not require a smartphone.

Wait, Google is involved? Eww.. So the safety aspect is basically zero again then?


@Zedek.8932 said:

@Zedek.8932 said:

I do not have a cellphone. And aNet does not offer any other validations. "GG" I guess?

Excelsior.

I've been using JAuth for Windows. It uses the same protocol as the Google Authenticator and does not require a smartphone.

Wait, Google is involved? Eww.. So the safety aspect is basically zero again then?

Possible. You have two options:

  1. Authenticator app. Download a compatible authenticator app like Google Authenticator, or a compatible 3rd party authenticator app like JAuth for Windows. You can use the Google app but you don't have to.
  2. SMS based two-factor authentication. Requires a cellphone with GSM subscription, and has nothing to do with Google.

The SMS authentication code could have been sent by accident. This happened to me in early June, as there is no way anyone could have hijacked my password(s).

However, I reported this to support for them to tell me what went wrong, yet no response on this in a month. Pretty terrible considering the people who truly got their accounts hijacked (security requests should be handled high priority, no?).


@Zedek.8932 said:

@Zedek.8932 said:

I do not have a cellphone. And aNet does not offer any other validations. "GG" I guess?

Excelsior.

I've been using JAuth for Windows. It uses the same protocol as the Google Authenticator and does not require a smartphone.

Wait, Google is involved? Eww.. So the safety aspect is basically zero again then?

You can determine how secure it is for yourself. It is an open standard: https://tools.ietf.org/html/rfc6238

Basically it requires the two parties to share a secret key once; then, without any other communication, the two parties can calculate the same password based on the current time. For authentication a new password will be sent every time, based on the current time, so that even if it is stolen it is unusable soon after. The original key is never re-transmitted, making it unlikely to be stolen (unless someone steals your authenticator's locally stored data).


@PseudoNewb.5468 said:

@Zedek.8932 said:

I do not have a cellphone. And aNet does not offer any other validations. "GG" I guess?

Excelsior.

I've been using JAuth for Windows. It uses the same protocol as the Google Authenticator and does not require a smartphone.

Wait, Google is involved? Eww.. So the safety aspect is basically zero again then?

You can determine how secure it is for yourself. It is an open standard.

Basically it requires the two parties to share a secret key once; then, without any other communication, the two parties can calculate the same password based on the current time. For authentication a new password will be sent every time, based on the current time, so that even if it is stolen it is unusable soon after. The original key is never re-transmitted, making it unlikely to be stolen (unless someone steals your authenticator's locally stored data).

I hope you can understand that I do not dig through all of that (and probably you neither did or would do). But seeing Google in it. Ye.. for free I guess, too? When I see how often I got to "ReCaptcha" and checked the data protection just to be redirected to Google - for a login on League of Legends! - then it gives you the shivers. Google does nothing for free. And every "man in the middle" is a potential security leak.

By the way, thank you guys for bringing up the alternative and the discussion coming from that. But since Kaspersky saved me twice (!) from incredibly well-made phishing pages (probably certificate checks and whatnot), I also feel a bit unsafe. Since my Mail and my GW2 account have different passwords, I'd like to have a similar token as when you log into the forums from a different / still unknown IP.

Excelsior.


That wouldn't work for me. When Cox had its big e-mail leak a few months ago, the first thing they did was break into my Apple ID, at which point they got my phone number (along with my name and an old address). At that point, they can just clone the number and get duplicate texts of anything sent to mine.

Two-factor authentication isn't a perfect safety net.


@Zedek.8932 said:

@Zedek.8932 said:

I do not have a cellphone. And aNet does not offer any other validations. "GG" I guess?

Excelsior.

I've been using JAuth for Windows. It uses the same protocol as the Google Authenticator and does not require a smartphone.

Wait, Google is involved? Eww.. So the safety aspect is basically zero again then?

You can determine how secure it is for yourself. It is an open standard.

Basically it requires the two parties to share a secret key once; then, without any other communication, the two parties can calculate the same password based on the current time. For authentication a new password will be sent every time, based on the current time, so that even if it is stolen it is unusable soon after. The original key is never re-transmitted, making it unlikely to be stolen (unless someone steals your authenticator's locally stored data).

I hope you can understand that I do not dig through all of that (and probably you neither did or would do). But seeing Google in it. Ye.. for free I guess, too? When I see how often I got to "ReCaptcha" and checked the data protection just to be redirected to Google - for a login on League of Legends! - then it gives you the shivers. Google does nothing for free. And every "man in the middle" is a potential security leak.

Sorry, but just to be clear, and to try and dismiss misinformation:

This two-factor authentication protocol is not an online or internet-based service. Google is just one organization that promotes, uses, and has implemented one of the released client applications that use this protocol. It also seems to be the most well-known implementation of the protocol, so I guess I shouldn't be surprised if people confuse it for a Google product. If you look at the authors of the RFC you can see it has been developed by companies like Verisign, who are one of the top authorities in communications security. (At least I hope they are, because I am constantly swiping my credit card on their equipment :grimace: )

You can find a list of alternate implementing applications on its wiki page, including non-Google and open source applications: https://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm#Client_implementations

The only parties involved when using this protocol are the target service, you (who must keep the secret key safe), and the application vendor who (hopefully) has implemented the protocol correctly and securely.

I looked at the source of an authenticator app I have used in the past, and it does in fact use a web request to the Google homepage, because the Google web responses contain the current date and time (it is very important to have accurate time for this protocol), so I can't guarantee other implementations don't do something similar. I don't know if you have a problem with asking Google for the time.

I linked the RFC because I want you to know that this isn't some kind of proprietary software that people don't know, whether or not it is data mining your data. No, I don't expect you to learn about the standard and understand it, but I have worked with it before and I want to help you understand what it is. As an open standard, people are out there who can analyze it and raise flags if the standard is insecure, exploitative, or in general bad. Technology will continue to be a big aspect of our lives, and if we are going to be afraid of it, as you are with anything associated with Google, how are we supposed to function? The answer is to understand what your software is doing, or at least to understand where it is coming from, who is allowed to audit it, and what it can and can't do. And this two-factor authentication protocol, being an open standard with open source implementations, is an example of software that you should not be afraid of.

This software is more clear and open about what it is doing than most anything else in the software world. So it kinda annoys me that you imply that you can't know if there are any shady Google shenanigans behind it. I know you don't want to sift through technical documents and code, but you should at least understand, when something is this open, this transparent about what it is doing, you should not go around and say it is trying to take your data out of ignorance.

B.T.W. this forum uses Google Analytics, which by design, and its purpose, is to take and analyze the data of you browsing this forum, but I am sure you have blocked your computer from talking to www,google-analytics,com.


The best type of 2FA are keyfobs, which banks use for business customers. WoW also uses them as an optional method for securing your game account. The mobile phone method is attackable depending on what country you are in, as it's fairly easy to port mobile phone numbers without your knowledge.


@"Zedek.8932" said:

I do not have a cellphone. And aNet does not offer any other validations. "GG" I guess?

Excelsior.

You can use landlines for SMS; an automated voice will relay the code. (I used this option.) You can use something like WinAuth to send a code to your computer. You can find information on securing your account in the Knowledge Base accessed via the 'Support' link above/below.

Do be aware that email verification is only available at account creation; once changed to 2FA, one cannot change back.

Good luck.


2 weeks later...

@Ashantara.8731 said:

The SMS authentication code could have been sent by accident. This happened to me in early June, as there is no way anyone could have hijacked my password(s).

However, I reported this to support for them to tell me what went wrong, yet no response on this in a month. Pretty terrible considering the people who truly got their accounts hijacked (security requests should be handled high priority, no?).

Just to update everyone on here, and no, support still hasn't responded to my five-week-old ticket:

It was NOT a security breach (told you so). My IP address changed again yesterday, and when I logged into the game but didn't enter the authentication code immediately (as I got distracted), I was sent several codes at about a one-minute frequency, as apparently those codes expire quickly as an additional security measure.

Riddle solved, told them they could close the ticket. Hope they don't treat all security requests with such a severe delay, because that would be unacceptable.
