
Security Key Removed Account Hacked


MacCleoud


I logged in today to see that my account had been hacked and someone charged 600 to my credit card. Now what gets me is that I had a security key on the account. My email was changed, and security key removed with no notification to me. What the hell is the point of a security key if it can be removed without any notification?

First of all, no security system is foolproof. It is simply not possible.

 

That being said, the vast majority of security breaches are the result of user error or third party breaches.

 

First of all, we can probably rule out a direct breach of SWTOR's/EA's account servers. This would be VERY hard to pull off and if an attacker had such an ability, they would not waste the opportunity on something so tiny.

 

This basically just leaves us with your account credentials. In order to access your account without password or security key, they would need to have access to your email in order to receive a one time password. If this is the case, it would also be trivial to delete the email notification so you don't notice.

As such, your email account security should be the first place you should look for a problem.

Make sure your password is long enough and non-obvious.

It should not be a password you use for other applications.

You should never share any password.

You should never use a shared email for any personal account. Just because you trust the other party now doesn't mean this will always be the case, sad to say.

If you ever access your email on a public computer/network (should be avoided if at all possible), make absolutely sure you log out, and if you make a habit of it, change your password often.

It is a good idea to use two factor authentication on your email account as well.

 

Most small scale account breaches like this are the result of people you know using your email account, often because they know/can guess your password, or can access the account without it from your own computer/device. I suggest tracing back through your recent computer use for any case where your email could have been compromised.

 

 

Besides general advice though, nothing we can do on the forums, only CS can help you with this. They should be able to reverse the charges and restore the account.


I work in IT, and follow all the rules above. I even have a password vault that puts my passwords in for me. I don't have any passwords or usernames that are the same across any of my games/applications. I am currently running virus scans on both my computers.

 

I also have my email account that is attached to the game send push notifications to my phone. There were no notifications sent to my phone either. This could only happen if they were able to get into my account, and change my email address, which they did, but they could not have done that without already bypassing the security key. Which again....points to my personal email being hacked, but again, no emails were sent to my phone. So, they could have been in my account and deleted them immediately before the push happened....possibly....

 

But, the other games I play that have an authenticator also require two factor authentication to make any changes to the account.

 

Edit: I did call CS, but they are closed already.

Edited by MacCleoud

Hmm, push notifications are not reliable (especially on Apple, APNS is crap), however it's not likely to be that unreliable. Of course, if they have access to your email, they can just turn them off (and possibly back on), however that sounds like an oddly thorough attack, hard to see someone going to that much effort unless the whole point was just to screw with you personally (not a pleasant thought).

 

Another thing that might be worth investigating with CS is if they have a record of when/how the information was changed. It's possible that the breach happened on their end, some poorly trained CSR intern getting a sad story about forgetting their email address and asking for it to be changed. Of course, this should never happen, this is what security questions are for, but the human element is always the most likely culprit. If you can rule out the human element on your end, it might be worth seeing if there was one on their end.

 

If it was done via the website, at least knowing exactly when might help you investigate.

 

 

I think the main reason that they still allow the SK to be removed with just an OTP is because the system they use dates back to the physical security keys, before you could use common 2FA apps like Google's authenticator. They were probably getting very tired of people calling in because they had lost their keys. Laziness trumps security every time with corporations...
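The weakness discussed in this thread (a security key that can be removed with only an emailed one-time password) modelled next to a step-up policy, as an added example that is not part of any post and is not SWTOR's or EA's code. The policy names, factor names and sample addresses are hypothetical.

```python
from dataclasses import dataclass, field

SENSITIVE = {"change_email", "remove_security_key"}

@dataclass
class Account:
    email: str
    has_security_key: bool = True
    outbox: list = field(default_factory=list)  # (recipient, message) pairs

def authorize(acct, action, proofs, policy):
    """Decide whether the presented factors (`proofs`) allow `action`."""
    if action not in SENSITIVE:
        return "password" in proofs
    if policy == "email_otp_fallback":
        # Modelled on the thread: an emailed OTP alone is accepted.
        return "email_otp" in proofs or {"password", "security_key"} <= proofs
    # "step_up": an enrolled key must be presented to change or remove it.
    if acct.has_security_key:
        return "security_key" in proofs and bool(proofs & {"password", "email_otp"})
    return {"password", "email_otp"} <= proofs

def apply_change(acct, action, proofs, policy, new_email=None):
    """Apply a settings change if authorized; return True on success."""
    address_on_file = acct.email
    allowed = authorize(acct, action, proofs, policy)
    if allowed and action == "change_email":
        acct.email = new_email
    elif allowed and action == "remove_security_key":
        acct.has_security_key = False
    if policy == "step_up":
        # Tell the address on file about the change or the blocked attempt.
        outcome = "completed" if allowed else "blocked"
        acct.outbox.append((address_on_file, f"{action} {outcome}"))
    return allowed

def mailbox_only_session(policy):
    """Session that holds only an emailed OTP: no password, no security key."""
    acct = Account(email="owner@example.test")  # constructed sample account
    proofs = {"email_otp"}
    removed = apply_change(acct, "remove_security_key", proofs, policy)
    moved = apply_change(acct, "change_email", proofs, policy, "other@example.test")
    return removed, moved, acct

if __name__ == "__main__":
    for policy in ("email_otp_fallback", "step_up"):
        removed, moved, acct = mailbox_only_session(policy)
        print(policy, removed, moved, acct.email, acct.has_security_key)
```

Under the fallback policy, control of the mailbox is enough to strip the key and move the account to another address; under step-up both requests are refused and the address on file receives a notice for each attempt.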


Yeah. I will be asking them for any information on how and when it was changed. Checked login locations for my email, and other than my phone and my home IP, no other login locations. We will see what they say.

 

Thanks for your input as well.


Do you have a security key on your EA / Origin account that is linked to the swtor account? If not I would add one to that account too.

 

Per https://help.ea.com/en-us/help/star-wars/star-wars-the-old-republic/swtor-account-linked/

 

Any changes you make to your SW:TOR account also applies to your linked EA Account, and vice-versa.

 

I did.....it was removed somehow.


Looks like a compromised advertisement on Tor decorations possibly. Went to all the sites I have been to in the last two weeks. An ESO wardrobe advert was the only advert on there, and I got a warning from my AV.

 

Which is why I run a full ad blocker on my browser. I don't even let ads load. In over 40 years of working with computers, and online since the early days of BBS, IRC, Archie, and the "World Wide Web" (yeah I'm old,) the only time I have ever gotten a virus on my computer was 1. An infected disk sent out by a corporation (thanks, WIRED), and 2. Malicious coding from an ad in the days before anti-virus software was able to detect them.

I just laugh at the pop-ups that complain about my ad blocker, as in my experience, they whine about revenue, but the moment you get malicious code from an ad, suddenly they "aren't responsible for what third party ads do on their site". It used to be you had to actually try to get a virus on your system, clicking E-Mail links, going to shady sites, authorizing popups, etc. but now it's much more pervasive. Use an ad blocker, and make sure whatever anti-virus software you use has an active browser component. I still scan as well, and always scan any file download, no matter how trusted the site is.

Never use a password based on personal information, such as a pet's name, your own name, or a relative's, etc. I have seen some amazingly stupid passwords over the years. A strong password can be made from an easy to remember phrase, modified further with capitals and numbers. Even something as simple as a phrase alone makes it infinitely harder for a hacker using a dictionary program to break it. As usual I admonish anyone reading this to never give out their password to anyone, no matter how trusted, and to never use the same password for multiple sites. For that matter, never allow software to store your passwords off site, like in the "cloud" etc. You are trusting your passwords to a third party at that point. If you need to know why this is a bad thing, look at how many breaches of corporate security there have been even in companies that should be the most secure, like Equifax and other financial institutions. I won't even trust password vaults on my own system, but perhaps that's just me.

In a nutshell, security starts with you, and ends with you. Take a look at your habits and make the changes you need to make yourself more secure. It's not paranoia when they really are out to get you!
