VintFalken.com

How (in)secure is your Second Life password?

June 27, 2007 11:07 am

Update III: PingPing gone. :(
Update IV: PingPing back still gone. :)

Imagine this happening to you:

You open your mailbox and see a mail from Linden Labs that you have just changed your Second Life password. Uh?! What? I did not do that?!!! *incoming mail sound* Another mail from Linden Labs telling you you just bought Linden Dollars on Exchange. *incoming mail sound* *incoming mail sound* *incoming mail sound* *incoming mail sound*: all mails telling you you bought Linden Dollars for 100USD. Eight such emails, for a total of 800 USD.

Of course, you go to SecondLife.com as fast as you can, change your password again, block your credit card and check your account and transfer history. Only to see that the Linden Dollars that not-you just purchased have already been transferred to two other accounts: Ababdelghani Allen (130 000 L$) and Jack Maslow (80 000 L$).

What do you do next? You e-mail help, you try to reach Linden Labs by phone, you IM Lindens at random? You send an IM and friendship request to the two avatars that now have your 800 USD? You also Abuse Report those two avatars. After a week, no email reply. Of course not, Linden Labs does not reply to emails from non-premium members. Apparently not even when you just bought 800 USD worth of Linden Dollars. Linden Labs by phone? A 15-minute wait, a computer voice and no reply. Nobody in the office there during office hours? At all?! And Zee Linden? He tells you they have ‘security issues’, you are in ‘a queue’ and somebody will call you. That same somebody who after a week still hasn’t contacted you. Ababdelghani Allen and Jack Maslow have repeatedly denied friendship requests but never answered any IM. Their accounts are still active as we speak.

This is what happened to Pingping Zhaoying.

[Image: Pingping Zhaoying’s transfer history]

Now you say: this will never happen to me! I have numbers, capital letters and the name of the teacher I had a crush on 15 years ago in my password. It’s safe. Apparently, it’s not!

Going to what Linden Labs calls a ‘secure, verificated page’, namely https://secure-web4.secondlife.com/ss/verify.php?r=xxx where xxx is a string of digits - which I see no logic behind, although obviously some other people do see that logic - you get a page with questions. Linden Labs only requires you to answer one of the following 4 questions to change your password: ‘What street did you grow up in?’, ‘Name three friends with the following last names.’, ‘Last billed amount.’ or ‘SL home location.’ The last one is rather easy to solve if someone has his ‘home’ in his profile picks. And the ‘friends question’ is also easy when you browse an avatar’s group member lists a bit. After answering one of these questions correctly, someone can simply change your password to whatever they want. Linden Labs does not even email you a randomly generated one you can change later, which would be safer. No, they let them pick one!*

And they are in. With your account. And if your credit card is linked to your avatar, they now only need to right-click someone and pick ‘pay’, and voila, they buy Linden Dollars with your credit card. Which they can distribute to other avatars at will.

A short summary:

Pingping Zhaoying lost 800 USD not because someone guessed his password correctly, but because Linden Labs allowed someone to change his account’s password. Yet Linden Lab does not even respond, apart from one short IM saying ‘we have security issues’. Geeh. I think Pingping already figured that out himself, including that they have support issues too.

  • Why - after a week - did LL not contact Pingping Zhaoying back yet?
  • Why - after a week - did LL not suspend Ababdelghani Allen and Jack Maslow’s accounts yet?
  • Why do they have such a crappy password security system in the first place?

Remember, this ‘account theft’ happened on secondlife.com, as you cannot change your password in-world. So Linden Lab cannot claim ‘what happens in-world between residents is not our business’ on this one!

Update: Ababdelghani Allen just declined my friend request. Which means he can still access his account.

Update II: Screenshots of the ‘provide credentials’ procedure by Nock Forager:

[Screenshots: ‘forgot password?’, ‘forgot SL password?’, ‘send email’ and ‘provide credentials’ pages on secondlife.com]

*This is my idea of how they got to change Pingping Zhaoying’s password. If you know of an easier way to do so, please leave a ‘how to’ or your contact information in the comments. Apparently Linden Labs does not respond to such things, so we can set up a nice scam together. ;)

28 Responses to “How (in)secure is your Second Life password?”

tiana-meriman wrote a comment on June 27, 2007

OK, now you managed to scare me :( I hadn’t realised that before, even though I just changed my password yesterday. Any suggestions on what we can do to protect ourselves better, since Linden Lab can’t be relied on?

Dal wrote a comment on June 27, 2007

You remember the “IOU” notes? :) It is very easy to make them in the digital world…

so - digitally signed IOU notes.

and we can develop the “pure financial” industry in-world as well then…

seriously: wow. this sucks. and they keep shut. this is a baaad baaad thing.

Vint Falken wrote a comment on June 27, 2007

IOU notes: Linden Labs to issue government bonds in Linden Dollars! ;)

dandellion Kimban wrote a comment on June 27, 2007

Those kinds of things happen regularly, in SL and on the rest of the internet. What is unacceptable is Linden’s behaviour. They absolutely cannot behave that way!

Looker Lumet wrote a comment on June 28, 2007

I feel sorry for Pingping, but choosing a name like that is asking for trouble.
That does not excuse Linden’s behaviour though.
We all know they (Linden Lab) also read blogs, so maybe they will react after reading this blog, but I am afraid that Pingping will never see his money back.

Veronique Kaminski wrote a comment on June 28, 2007

@ Looker : Pingping the cash machine??

London Spengler wrote a comment on June 28, 2007

Even though I only have a debit card with a couple of hundred on the associated account, I had no idea how vulnerable LL account management is.

I tried to delete my payment information, but it seems the website doesn’t handle it right; it is stuck at:
Credit card type: (update pending).

Thanks for the advice, I hope they will fix it soon.

Nock Forager wrote a comment on June 28, 2007

Can’t believe…

If you just click the “Email no longer active?” button, it redirects you to the “four question page”, and there are many who provide their home location on their profile page…. Everyone should change their HOME location ASAP.

I’ll translate this topic to Japanese and post a notice. thx!

Vint Falken wrote a comment on June 28, 2007

*wonders how much Lindens have the Linden Island as home location* ;)

October Hush wrote a comment on June 28, 2007

The right thing for LL to do would be to simply have the user write their own security question and response. That’s so easy to do, yet relatively difficult to crack, especially with a question like “What do I have tattooed on my ankle?”, you know?

Nock Forager wrote a comment on June 28, 2007

Seems the fix is going on now. Some people got a “Call Us” dialog after clicking “Email no longer active?”. The correction should be done soon.

Vint Falken wrote a comment on June 28, 2007

So that means now we can make a long distance call to California where probably we will be answered by a machine that can’t help us anyway? *grins*

I’ve clicked ‘send email’ and I did not get any email from Linden Labs at all. Strange, as their ‘offline message e-mails’ to the same address do arrive.

*writes password down again*

Dolmere wrote a comment on June 28, 2007

/me wonders what Tobie has on her ankle now. Damn.


[…] Falken reported today in an article called How (in)secure is your Second Life Password? about a Second Life resident named pingping has had $800 US Dollars “stolen” from his […]

Crissa wrote a comment on June 29, 2007

Did he email security at lindenlab dot com?

What did he write in the abuse report?

Quick and dirty « Pandora’s box sent a pingback on June 29, 2007

[…] is hard to stop, but everybody who has payment information added to their account should, no, must read this… and if you feel in the mood read this too, and this and… […]

Pingping wrote a comment on June 29, 2007

Today, 9 days later, and without any sign of LL, my account was shut down, no more logging in possible, the rest of my inventory is gone, the work of one year of virtual living gone. Thank you Linden!

Pingping wrote a comment on June 29, 2007

To make the whole story complete: I blocked my Visa about 1 hour after getting the mail, and until now the money has not been charged to my bank account. So maybe I will not lose my money.
I did lose my confidence in the security of Second Life.

And for the non-believers: I received a mail from Linden at that time confirming me buying Linden dollars for the amount of 8*100 USD, and found it back in my account history.
Nine days later my SL account was cancelled (RIP Pingping) and everything is gone with the wind (with the rest of my money and inventory).


[…] 9 days later, and without any sign of LL my account was shut down, no more logging in possible, the rest of my […]

Pingping wrote a comment on June 30, 2007

Guy,

I have issued a refund of the charges that were fraudulently placed on your account. We’ll have the account returned to you, asap. We are responding to attacks like this as quickly as possible. Sorry for the trouble.

JP
Received today, Saturday 30-07, 9 days after filing the complaint, and the only response (this is the complete mail).

Vint Falken wrote a comment on June 30, 2007

Stop updating faster than I can create in-world crosses! ;)

Glad to hear that you will be back!

Smiley Barry wrote a comment on June 30, 2007

AAHH! This is even MORE insecure for us Teen Grid members! Most members have their homes either in XXXXXXXXXXX, welcome areas, or their public homes. GAH!

Luckily I don’t have a home (build) in SL (hehe), just XXXXXXXXX.

I suggest they give the options only after email verification, and that the “Email no longer active?” option should be phone ONLY.

I’m gonna suggest it on JIRA.

Vint Falken wrote a comment on June 30, 2007

Barry, it seems they are already working towards that:

Nock said: Seems the fix is going on now. Some people got a “Call Us” dialog after clicking “Email no longer active?”. The correction should be done soon.

Smiley Barry wrote a comment on June 30, 2007

Nope. That’s a DB bug, I’m certain. I know Linden, but I’ll email Torley just in case.


[…] the (in)security of our Second Life passwords, I said I’d be happy if the Lindens would say ‘No problems whatsoever’ or […]

Aspen Normandy wrote a comment on September 7, 2007

I hate to come into this thread so late, but I do want to say that after some experimentation, I don’t believe that their change password system is ‘grossly’ insecure.

Here’s a breakdown of it:
User clicks ‘Forgot password’
User enters SL name
An email is sent to the registered email address with a URL in it.
User clicks ‘Email no longer valid’
At this point, the process splits based on a condition.

If that user has ever successfully logged into secondlife.com or into SL from the current machine’s IP address using the reported name, they go to the aforementioned ‘4 question’ screen.
If the user has never logged in under that name, they go to a screen with a phone number on it.

The email link sends the user to the ‘4 question’ screen. These questions are very easy to answer, but the design is assuming that your email address is secure.
Fabricating one of these numbers would be rather difficult. It is a timestamped UUID, so the person would have to know the millisecond that SL.com generated the UUID as well as guess at a ridiculously large random number.

I’m not saying this system is ‘perfect’, just putting out my two cents on it. I don’t really believe that it’s as big a problem as made out to be here.
Is it perhaps possible that the account in question had its corresponding email address hijacked?
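The reset flow described in the post and in Aspen’s breakdown above, as an added example (not Linden Lab’s code; the class, the 15-minute lifetime and the sample account are assumptions): a random, hashed, single-use, expiring mailed token beside the weak ‘email no longer active’ branch that accepts an answer visible in the public profile, and the gated variant that sends the user to support instead.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample account; the 'home' answer also appears in the public profile picks.
ACCOUNT = {"name": "Example Resident", "home": "Sample Sim (128,128,23)",
           "profile_picks": ["Sample Sim (128,128,23)"], "password": "old-secret"}

class ResetService:
    """Hypothetical model of the secondlife.com reset flow; not Linden Lab's code."""
    TOKEN_TTL = 15 * 60  # assumed lifetime of a mailed reset link, in seconds

    def __init__(self, account, questions_fallback):
        self.account = account
        self.questions_fallback = questions_fallback  # True = weak 'four questions' branch
        self.pending = None  # (sha256 of token, time issued); only the hash is stored

    def request_reset(self):
        """Issue a single-use random token that is mailed to the registered address."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not a timestamp
        self.pending = (hashlib.sha256(token.encode()).hexdigest(), time.time())
        return token

    def redeem_token(self, token, new_password, now=None):
        """Mailed-link branch: token must match, be unexpired, and is spent on use."""
        if self.pending is None:
            return False
        digest, issued = self.pending
        if not hmac.compare_digest(digest, hashlib.sha256(token.encode()).hexdigest()):
            return False  # wrong token: keep pending so the real link still works
        self.pending = None  # right token: spent whether or not it is still fresh
        if (now or time.time()) - issued > self.TOKEN_TTL:
            return False
        self.account["password"] = new_password
        return True

    def email_no_longer_active(self, home_answer, new_password):
        """The branch the post criticises: a knowledge question replaces the mailbox."""
        if not self.questions_fallback:
            return "call support"  # out-of-band verification; no self-service reset
        if hmac.compare_digest(home_answer, self.account["home"]):
            self.account["password"] = new_password
            return "password changed"
        return "denied"

def answer_visible_in_profile(account):
    """What anyone can read from public picks: the 'secret' answer itself."""
    return account["profile_picks"][0]
```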

Vint Falken wrote a comment on September 7, 2007

Commenting that late: it’s more than OK. You have some information I did not know, so it’s even highly appreciated. *smiles*

No, the corresponding email address was still working fine and not compromised.

I believe what you say about the corresponding IP address and the timestamped UUID (didn’t know it worked that way, thx!) making this safer, but still… if there were no problems whatsoever, then why did LL not just mark the JIRA issue as solved instead of ‘hiding it’? Why did nobody ever reply, and why - this has nothing to do with the security issue, but all the more with Linden Lab policy - after TWO MONTHS, is pingping zhaoying’s account STILL NOT REINSTATED? And now - after filing another ticket - he got a phone number that’s not reachable from Belgium. Hmmm…

(sorry for the caps, I really can’t understand how they can treat their residents that way.)

As the IP system is foolproof: why then did I never get the four questions page, even when trying from the PC I use daily for SL and with my own account name? (The IP is fixed until reboot of the PC, I think, maybe even longer.)

Care to comment?