Friendly reminder about account security (ie G2A)

If it's not ZDoom, it goes here.

Friendly reminder about account security (ie G2A)

Post by Dancso »

I have just become the victim of a nasty threat. Although it's speculation for the most part, I believe there is a strong argument against it being a coincidence.
I bought a game for a friend from G2A.

I know, bad site, please contain your lectures.
To be fair, I have used it multiple times before without any issue, and according to my theory it isn't directly their fault, but some of the shady people that use it.


About 20 minutes after the purchase, I get an email from amazon.com that the email assigned to my account was changed. No confirmation link, no link to say "this was not me"; it was, however, an actual legitimate email (I went on amazon by typing it in, and it was indeed changed).
Furthermore, my password was no longer working, so it is likely I have been "pwned". I quickly changed the passwords of my important accounts, even those that didn't share a password, for good measure. I got lucky, I think: there haven't been any charges so far, and I've taken the necessary measures with my bank to prevent further damage.

My theory is, the phishy guy could see my email as I made my purchase via paypal, as it provides sellers the info of who's purchasing. He then went on one of those sites that sell database leaks, and got my info.
The only leak my email was revealed to be involved in was a dropbox leak years ago, but I thought I updated my passwords at the time.

Sucks to only find out now that amazon actually has 2 factor authentication, I use 2FA for my sensitive accounts, but did not care enough at the time to look one up for amazon. Whoops!
For anyone who has suffered a similar fate, here's where you can gain ACTUAL help from Amazon: http://amzn.to/2qPrflQ (it's rather hidden normally, as per usual with big sites)

Bottom line, remember to use different passwords (at least for your important accounts) and 2 factor whenever possible. It's not just G2A you should be careful with, this could happen anywhere your email address or other sensitive information is shown to a potentially untrustworthy person.

Re: Friendly reminder about account security (ie G2A)

Post by Chris »

Dancso wrote: according to my theory it isn't directly their fault, but some of the shady people that use it.
Directly or not, they still facilitate it, and do little to stop it. Worse, they require you to pay more for G2A Shield if you want to be protected against buying illicit goods, a protection any respected marketplace gives for free. If I ran a marketplace and it turned out to have a good number of people selling off stolen property, and despite numerous complaints (from both buyers and the rightful owners of those stolen goods) I did little about it, except to turn around and tell potential victims that they had to pay me to be protected from all the illegal sales made through my marketplace, do you think the police would show up and just go "Well, it wasn't your fault"? No, I would be called an "accomplice" and would also be charged with racketeering.

There's a reason respected online marketplaces don't allow the resale of digital keys from third parties as part of their TOS. It's impossible to know which keys are legitimate and which are stolen, the amount of money they'd have to give in recompense for the stolen keys would be high, and they'd be on a lot of publishers' shit-list for causing so many charge-backs (charge-backs cause a lot of problems for publishers, such as not being able to do business with financial institutions, hence why many take a zero-tolerance policy with regards to them).

Re: Friendly reminder about account security (ie G2A)

Post by Nevander »

This is why I use a different password for every site.

Re: Friendly reminder about account security (ie G2A)

Post by Caligari87 »

I've been *really* bad about that... I have some pretty damn good passwords for a few important sites, but the rest are lazy. I should be using a password manager, but I feel like that's just deferring the problem and will eventually end up with me losing access to my database file or something, leaving me unable to access anything.

8-)

Re: Friendly reminder about account security (ie G2A)

Post by Chris »

I have an inherent distrust of password managers. It's like using a single password everywhere: once the master password for your password manager is compromised, all places you use your password manager for are compromised. This goes double for online password managers, since it's no longer dependent on your personal system security, but some online third party. Security is only as good as the weakest link in the chain.

Re: Friendly reminder about account security (ie G2A)

Post by NeuralStunner »

Couldn't that only happen if someone has access to your system? (Unless it's an online PM, which is of course silly for exactly the reasons mentioned. Please tell me those don't exist...)

Re: Friendly reminder about account security (ie G2A)

Post by Chris »

NeuralStunner wrote: Couldn't that only happen if someone has access to your system?
Which unfortunately isn't that hard, relatively. For most people, their biggest defense is that they're unlikely to be directly targeted, but can still get caught up in self-spreading viruses and the like. It's especially a problem if you're connected to a LAN, because if any of the computers on the LAN get infected (say, a roommate or coworker that has no idea about computer security) it's a lot easier for it to infect other local systems.
NeuralStunner wrote: (Unless it's an online PM, which is of course silly for exactly the reasons mentioned. Please tell me those don't exist...)
https://www.lastpass.com/
https://www.passpack.com/
https://www.zoho.com/vault/
...
:cry:

Re: Friendly reminder about account security (ie G2A)

Post by Rachael »

Here we go. I'm going to sound like a hypocrite running several phpBB forum sites, but I still firmly believe this:

The biggest problem of all is that every site and its grandmother demands that you register and requires that you assign a password to your account. Yep, there, I said it.

Yes, the biggest issue truly is that you need an account everywhere, even if the site gains no real benefit (other than spying on your activity patterns) from having it. Because of this, the average person visits about as many sites as they spend time on the internet, and since the internet is becoming ever more popular it's not far-fetched for every person to have accounts permeating many crevices of the internet based on that individual's interests. (And boy would marketing companies LOVE to get their hands on some private site DBs... lol)

Can you realistically expect to have a different password that you will remember for each and every single one of these sites? Maybe if you used some sort of methodology you could do it, i.e. d3WM4zdoom (putting the site's name in the password). (Also, please don't use that as your password. If you do, I apologize! Please change it.) But for us normal people, we aren't going to remember a different password for every single site. So we have to have some way to store passwords. Some people use an Excel file. Some people use password managers. Some people simply use an encrypted folder. Some people still, believe it or not, write it on a sticky note and stick it to their monitor.

Every method has its weakness: either you're going to forget the passwords over time if you never write them down, or you're susceptible to someone stealing your info if you do. The problem is that there is no fool-proof method. Two-factor authentication has by far proven the best, but adoption rates are low because the technology required for it can be a bit costly to develop and distribute unless you go through a third party.

The real crux of the issue though, is exactly what I said at the beginning of the post: What do all these sites out there REALLY need your password for?!

That is my take on it, anyway.
Re: Friendly reminder about account security (ie G2A)

Post by Dancso »

Rachael wrote: The biggest problem of all is that every site and its grandmother demands that you register and requires that you assign a password to your account. Yep, there, I said it.
Wholeheartedly agree.

Can't believe I'm saying this but I almost like it when a site offers you to log in with an existing account from another popular site. It's an extra risk for sure as you'd lose out on multiple accounts at once, it can also expose personal information in places you'd prefer not to and leaves a footprint for gluttonous data miners to feast upon, but at least it's not an absolute hassle to deal with.

Personally I don't trust key managers, especially since I'm currently glued to an idiot on LAN (although I've tried my best to block dataflow between the computers, as it's never needed), but in general it feels wrong to have passwords stored somewhere, regardless of their form.
I'm not the best at making up efficient passwords that I'll actually REMEMBER, so I've mostly stuck to reusing some of them here and there; still, it's annoying enough when I sometimes have to take 5 minutes just to guess which one I used on the particular site. Even "better" when the bot protection locks me out for a short while or makes me do those picture puzzles for EVERY ATTEMPT.

Also, typing in secure passwords on a phone is not fun, even if it's only a long string of words.

My preference for passwords lies in catchphrases or memorable quotes from my past, as I'd have to suffer from amnesia to ever forget those, but then I'm sadly running the small risk of it being guessed by someone who knows me. :shrug: Still feels like the best option for me though.

Re: Friendly reminder about account security (ie G2A)

Post by DoomRater »

NeuralStunner wrote: Couldn't that only happen if someone has access to your system? (Unless it's an online PM, which is of course silly for exactly the reasons mentioned. Please tell me those don't exist...)
They presumably have far more dedication to protecting information than any single company or even government. You know, hash + salt everything, never store anything in plain text, and probably a few things I still don't know about in computer cryptography. Pretty much every time these online PM systems were broken into, people were able to steal MD5s that told them nothing, and changing your password the moment the break-in was sealed meant everything was still safe, because they weren't going to break the hashing in that short of a time.
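An added example (not DoomRater's code or any password manager's) of what "hash + salt" means for a stored credential: a per-user random salt plus a slow, iterated hash (PBKDF2-HMAC-SHA256 here, with the iteration count OWASP currently recommends for that KDF) versus a single fast, unsalted MD5 digest. Function names and the sample passwords are mine.

```python
import hashlib
import hmac
import os
from typing import Optional

# OWASP's current guidance for PBKDF2-HMAC-SHA256 is 600,000 iterations;
# the cost is what slows down offline guessing if the database leaks.
ITERATIONS = 600_000
SALT_BYTES = 16


def store_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Build a storable record: random per-user salt + iterated hash."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def unsalted_md5(password: str) -> str:
    """The weak scheme: one fast, unsalted digest, identical for every user
    who picked the same password, and cheap to test at scale offline."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def reuse_is_visible(scheme, password: str) -> bool:
    """True if two accounts sharing a password end up with identical stored values,
    which is exactly what a per-user salt is meant to prevent."""
    return scheme(password) == scheme(password)


if __name__ == "__main__":
    rec = store_password("correct horse battery staple")  # constructed sample
    print("salted verify ok:", verify_password(rec, "correct horse battery staple"))
    print("md5 reveals reuse:", reuse_is_visible(unsalted_md5, "hunter2"))
    print("pbkdf2 reveals reuse:", reuse_is_visible(store_password, "hunter2"))
```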

Re: Friendly reminder about account security (ie G2A)

Post by Marisa the Magician »

Huh, nice. I didn't even know Amazon had 2fa. And it even allows you to use an authenticator app, which is double-nice, because SMS-based methods are actually very insecure (seriously, paypal and twitter, why?).

For my passwords I actually just use KeePass and generate very complex, unique long passwords for everything (sometimes having to keep things simpler because of dumb password rules). Since there's also an Android app for it, I don't have any problems using the passwords on the phone, it's just copy and paste.

Re: Friendly reminder about account security (ie G2A)

Post by Nevander »

Marisa Kirisame wrote: it's just copy and paste.
Is there such a type of attack or hacker that can intercept clipboard data on phones? Because it wouldn't surprise me. This is why I actually still keep all my passwords on paper the old-fashioned way. These days people are more likely to look for passwords on the PC itself and forget about the old-school way.

Personally I don't keep any passwords or identifying information on my computer. I don't save history or logins. If someone got my PC, they'd just have a computer with lots of Doom WADs, games, and music.

Re: Friendly reminder about account security (ie G2A)

Post by Dancso »

Paypal actually has a phone app-based 2fa but it was very convoluted to get going.
They also don't use Google Authenticator, instead it's Symantec's VIP access app.

I can't recall the exact steps now, but I think it involved having to Google search an older page on PayPal's site to access the option at all, because somehow they decided to remove functionality alongside design when they transitioned to this oversimplified style.
EDIT: maybe accessible through the security page, but it's not exactly giving you any hints, so meh.