Question Regarding Account Security Layers

"
JC_GGG wrote:
As mentioned, the security systems we have in place are functioning normally, as you say you've personally experienced from your own testing. I'm afraid we aren't able to speculate as to how a malicious user would have gained access to a particular account. For instance, if the associated email was compromised, then the malicious user could have received the unlock code, used it to get into the account, and then deleted the email to remove any trace of their tampering. This is why we always recommend that players ensure any credentials connected to their Path of Exile account are kept secure, with unique and complex passwords....


What exactly does "normally" mean? One of the systems you have in place is, like you mention, tracking the source IP and locking the account, with an email including a code to unlock. This system can be bypassed if the attacker is aware of the current IP of the user and there aren't additional steps in the IP-based locking like device fingerprinting, behavioral analysis (latency times -> suspecting proxies), session-specific information, etc.

The attacker would need to:
- Know the user's credentials
- Set up a proxy impersonating the user's IP

My mail, for example, is secure. Even if somebody has the password, he does not get into it without having my phone, including the specific SIM card currently in my phone. But by bypassing the IP-based locking he doesn't need that.

What we really require is 2FA. It's an industry standard. Every security pentesting audit will put that into the report if it is not present, and I am convinced that if you did such pentesting audits the recommendation for that is in there.

The explanation that 2FA is bad because of getting a lot of support tickets from people losing access is frankly lacking....
You can automate 2FA recovery, which is also a standard in the IT industry (email verification / knowledge-based authentication / backup codes / secondary devices / behavioral analysis for recovery requests). Only IT sectors like banking, credit cards, etc. do not do this by choice and have half-automated systems that send out letters via postal services.

When I created my account in December, the first thing I was looking for was 2FA and I was kind of shocked that there is no such option. You are not a small indie developer.

Please implement 2FA ASAP. This is much more important than any new game feature.

Thank you

Edit. An easy fix for me, for example, would be to always have me get a code from my mail to log in. You could make this optional and not enable it by default. As mentioned, my mail is secure. I do not mind the extra step of getting the code from my mail every time I log into my PoE2 account.
Last edited by potato_mash#1873 on Jan 1, 2025, 1:10:06 PM
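To make the post's point concrete, here is an added Python illustration (not GGG's code): the IP-trust check the post describes beside a step-up policy that always demands a TOTP code or a single-use backup code, so a stolen password plus a spoofed trusted IP is no longer enough. The account, IPs, password and backup code are constructed; the TOTP seed is the RFC 4226/6238 test secret; the password hash is plain SHA-256 only to keep the example short.

```python
import hashlib
import hmac
import struct

STEP = 30  # TOTP time step in seconds (RFC 6238 default)

def totp(secret: bytes, now: int, digits: int = 6) -> str:
    """RFC 6238 code: HMAC-SHA1 over the 30-second counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", now // STEP), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    val = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{val % 10 ** digits:0{digits}d}"

def verify_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps (clock skew); constant-time compare."""
    return any(hmac.compare_digest(totp(secret, now + k * STEP), code)
               for k in range(-window, window + 1))

def hash_code(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()

class Account:
    """Constructed account record: password hash, TOTP seed, trusted IPs, one-time backup codes."""
    def __init__(self, password: str, totp_secret: bytes, trusted_ips: set, backup_codes: list):
        self.pw_hash = hash_code(password)  # demo only; a real system uses a slow password hash
        self.totp_secret = totp_secret
        self.trusted_ips = trusted_ips
        self.backup_hashes = {hash_code(c) for c in backup_codes}  # each consumed on use

def login_ip_only(acct: Account, password: str, ip: str) -> str:
    """The IP-based lock the post describes: password + a previously seen IP is enough."""
    if not hmac.compare_digest(acct.pw_hash, hash_code(password)):
        return "denied"
    return "ok" if ip in acct.trusted_ips else "locked_email_code_required"

def login_2fa(acct: Account, password: str, ip: str, otp: str = None, now: int = 0) -> str:
    """Step-up policy: the IP is never a factor; a valid TOTP or an unused backup code is required."""
    if not hmac.compare_digest(acct.pw_hash, hash_code(password)):
        return "denied"
    if otp is None:
        return "second_factor_required"
    if verify_totp(acct.totp_secret, otp, now):
        return "ok"
    h = hash_code(otp)
    if h in acct.backup_hashes:  # automated recovery path: backup code, single use
        acct.backup_hashes.discard(h)
        return "ok_backup_code_used"
    return "denied"
```

With the same stolen password and a spoofed trusted IP, `login_ip_only` returns "ok" while `login_2fa` stops at "second_factor_required"; the IP can still be logged for detection, it just no longer unlocks anything.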
Keep in mind that you can't simply set up a proxy to spoof an IP address. For the data to be received, the proxy must be running within your home network. If malware is present on the computer where you run PoE and you access your email for 2FA on the same PC, the security provided by 2FA-Mail is not stronger than IP-based 2FA. Malware could either function as a proxy or access your inbox directly through your browser.


Technically someone could steal your IP with BGP hijacking, but that's a bit more delicate, requires a high degree of investment -- thus most likely is not used to steal virtual currencies.
"
JC_GGG wrote:
The security systems we have in place are functioning normally. If you are concerned about the security of your account, I recommend changing your account password to ensure that it is unique and complex, as well as securing your login methods. For example, if your email address is one of the login methods for your account you would want to ensure your email password is unique and complex and might consider using 2-Factor Authentication on your email, as malicious users would need access to your email to make any changes to your account. Likewise, if your account is linked with Steam or Epic Games you'll want to ensure those accounts are secure, as malicious users could use your Steam or Epic Games credentials to access your account as well in that case.


Could you explain why there are >500 threads in the last week of people getting their account compromised? Most of them are not using 3rd party tools, don't have leaked passwords or clicked on a dumb link. If nothing is wrong, why are there so many more cases than before the EA? I understand there are more people playing, but that doesn't explain it fully.
Armour Stacking: /view-thread/3410613
VFB Magic Finder: /view-thread/3522007
The common denominator amongst users with compromised accounts seems to be trading with someone after interacting with the POE Trade site. People can post all day about folks needing to make sure their stuff is secure, and certainly people should make sure of that, but it rings more than a little hollow with the amount of complaints.

It's customary when you hear of someone getting hacked to presume they've done something fishy on their own system, possibly interacting with an RMT site. It's not so customary to see quite so many with the exact same problem (presuming their honesty with regards to being careful about third party tools etc).

All in all, there's absolutely no reason for GGG to be blowing it off at this point as just a case of users needing to be more careful. Far too many reports to be dismissive of the problem. Sounds more like users shouldn't trust GGG to protect their account information and should only trade with people they actually trust, as trading is opening a backdoor to let these hackers in.

I get the concept that GGG is (hopefully) digging into this and being hush-hush about it till they sort out a solution. I look forward to seeing their update regarding this problem.
"
Jix#7520 wrote:
"
JC_GGG wrote:
The security systems we have in place are functioning normally. If you are concerned about the security of your account, I recommend changing your account password to ensure that it is unique and complex, as well as securing your login methods. For example, if your email address is one of the login methods for your account you would want to ensure your email password is unique and complex and might consider using 2-Factor Authentication on your email, as malicious users would need access to your email to make any changes to your account. Likewise, if your account is linked with Steam or Epic Games you'll want to ensure those accounts are secure, as malicious users could use your Steam or Epic Games credentials to access your account as well in that case.


Could you explain why there are >500 threads in the last week of people getting their account compromised? Most of them are not using 3rd party tools, don't have leaked passwords or clicked on a dumb link. If nothing is wrong, why are there so many more cases than before the EA? I understand there are more people playing, but that doesn't explain it fully.


Because someone said they didn't do something doesn't mean it's true.

It's normal behavior to lie after you did something dumb, and hope someone will fix your issue.

To get hacked, hackers need to know who to hit, and if it was so easy... why did none of the big PoE 2 streamers get hacked? Ben, ZiZ, Kripp and many others play without any issues.

This makes no logical sense.
"
Pallad#4690 wrote:
"
Jix#7520 wrote:
Could you explain why there are >500 threads in the last week of people getting their account compromised? Most of them are not using 3rd party tools, don't have leaked passwords or clicked on a dumb link. If nothing is wrong, why are there so many more cases than before the EA? I understand there are more people playing, but that doesn't explain it fully.


Because someone said they didn't do something doesn't mean it's true.

It's normal behavior to lie after you did something dumb, and hope someone will fix your issue.

To get hacked, hackers need to know who to hit, and if it was so easy... why did none of the big PoE 2 streamers get hacked? Ben, ZiZ, Kripp and many others play without any issues.

This makes no logical sense.


Correct me if I'm wrong, but don't Ziz and Kripp play SSF?
"
Pallad#4690 wrote:
"
Jix#7520 wrote:
Could you explain why there are >500 threads in the last week of people getting their account compromised? Most of them are not using 3rd party tools, don't have leaked passwords or clicked on a dumb link. If nothing is wrong, why are there so many more cases than before the EA? I understand there are more people playing, but that doesn't explain it fully.


Because someone said they didn't do something doesn't mean it's true.

It's normal behavior to lie after you did something dumb, and hope someone will fix your issue.

To get hacked, hackers need to know who to hit, and if it was so easy... why did none of the big PoE 2 streamers get hacked? Ben, ZiZ, Kripp and many others play without any issues.

This makes no logical sense.


What makes no sense is to hack a big streamer... it draws attention, which is very much not in their favour.
The best they can do - and what they are doing - is picking out people with valuable items on the trade site.

Like it or not, this is not a case of people mistrusting 3rd party tools or re-using old passwords.

To me it looks like GGG messed up big time here, and I will not be convinced otherwise by a random copy / paste support post saying 'everything working as normal' - no offense.
Last edited by lolepple#7866 on Jan 2, 2025, 11:25:05 AM
"
lolepple#7866 wrote:
"
Pallad#4690 wrote:


Because someone said they didn't do something doesn't mean it's true.

It's normal behavior to lie after you did something dumb, and hope someone will fix your issue.

To get hacked, hackers need to know who to hit, and if it was so easy... why did none of the big PoE 2 streamers get hacked? Ben, ZiZ, Kripp and many others play without any issues.

This makes no logical sense.


What makes no sense is to hack a big streamer... it draws attention, which is very much not in their favour.
The best they can do - and what they are doing - is picking out people with valuable items on the trade site.

Like it or not, this is not a case of people mistrusting 3rd party tools or re-using old passwords.

To me it looks like GGG messed up big time here, and I will not be convinced otherwise by a random copy / paste support post saying 'everything working as normal' - no offense.


Couldn’t have said it better. This whole thing rubs me the wrong way. I understand that this is a canned response, but I really hope the management is aware and actively investigating.
Armour Stacking: /view-thread/3410613
VFB Magic Finder: /view-thread/3522007
Made a video to showcase the happenings of this hacking issue.

https://www.youtube.com/watch?v=X_s3uN6JOc8

The goal of this video is to showcase what's happening to the community and hopefully continue to shed light on this issue, motivating a response and action from GGG.
