Welcome to the Second Life Forums Archive

Theft in SL - Remedies?

Amity Slade
Registered User
Join date: 14 Feb 2007
Posts: 2,183
06-26-2008 15:29
From: Feldspar Millgrove

I don't understand your demand for the names of the victims
of the crimes resulting directly from that breach (and from
other LL problems), but if you are interested, I am sure you
can find them by doing your own research.



I know a guy who once worked for the FTC, whose job had something to do with consumer fraud. In his office, he had what may have been the most financially valuable list of names in existence. This list was informally known as the List of Suckers. It was a list of consumers who had been defrauded by consumer scams at least twice.
Hypatia Callisto
metadea
Join date: 8 Feb 2006
Posts: 793
06-26-2008 15:48
Sadly it's becoming more and more common for phishing in SL.

One particular scam hit a group I help moderate - twice in some hours span. The person would spam the group with an ad for free lindens and please fill out the questionnaire, with a link to a site using a misspelling of a well known search engine site.

When they could access, it would come up with the LL web login screen to enter your password. It was a phish and a darn successful one. People flocked to it and put their password right in without thinking.

Someone was getting free lindens, it just wasn't them.

The compromised accounts would then be drained and used to spam the phishing site again in large groups.

It made me crazy to see people FLOCK to that site... I mean FLOCKED absolutely trustingly and just typed the passwords in, willingly, with no hesitation.
_____________________
... perhaps simplicity is complicated to grasp.
Chris Norse
Loud Arrogant Redneck
Join date: 1 Oct 2006
Posts: 5,735
06-26-2008 16:51
From: Feldspar Millgrove
I've heard that there have been multiple incidents where the
customer database (names, passwords, etc.) was broken into;
don't know if that's true. But the most publicized one was in
the fall of 2006, shortly before your SL account was created:

http://www.techcrunch.com/2006/09/08/metaverse-breached-second-life-customer-database-hacked/

http://news.bbc.co.uk/2/hi/technology/5333996.stm

I don't understand your demand for the names of the victims
of the crimes resulting directly from that breach (and from
other LL problems), but if you are interested, I am sure you
can find them by doing your own research.

There have also been in-world problems and other LL bugs
that have doubtless caused some people to be harmed.

I imagine that LL takes those various problems fairly seriously.

Like you, I think that 99% of the time, it's the customers
themselves who expose their passwords (by giving them out,
storing them on public computers, or by typing them into
phishing sites - which is probably the big one lately).



I know there was the leak in the summer of 06. But again I ask, who had money stolen from them because of it? I ask for the names for the simple reason that you (in a general sense) can say anything if you don't have to provide proof. The poster I asked this of is quite well known for making outrageous claims and never backing up anything she says.
_____________________
I'm going to pick a fight
William Wallace, Braveheart

“Rules are mostly made to be broken and are too often for the lazy to hide behind”
Douglas MacArthur

FULL
Nina Stepford
was lied to by LL
Join date: 26 Mar 2007
Posts: 3,373
06-26-2008 17:09
people are stupid by default.
From: Hypatia Callisto
Sadly it's becoming more and more common for phishing in SL.

One particular scam hit a group I help moderate - twice in some hours span. The person would spam the group with an ad for free lindens and please fill out the questionnaire, with a link to a site using a misspelling of a well known search engine site.

When they could access, it would come up with the LL web login screen to enter your password. It was a phish and a darn successful one. People flocked to it and put their password right in without thinking.

Someone was getting free lindens, it just wasn't them.

The compromised accounts would then be drained and used to spam the phishing site again in large groups.

It made me crazy to see people FLOCK to that site... I mean FLOCKED absolutely trustingly and just typed the passwords in, willingly, with no hesitation.
Classy Patton
Registered User
Join date: 21 Nov 2005
Posts: 172
06-26-2008 17:33
From: Zaphod Kotobide
Does he call 'em "Classy" for short?


OIY!

-points to my name-
_____________________
I offer Landscaping Services, everything from that cute little 512sqm through to full sims - they're equally important, it's someone's home!
Bella Posaner
Just say it how it is FFS
Join date: 8 May 2008
Posts: 615
06-26-2008 17:41
So, is it a bad idea to keep your c/card details on your account, is it safer to delete it and re enter your details when you want to purchase more L$???
Macphisto Angelus
JAFO
Join date: 21 Oct 2004
Posts: 5,831
06-26-2008 17:44
From: Court Goodman

9. blink182


But... but... I like that band! Who told you my secret password? :mad:
Ann Launay
Neko-licious™
Join date: 8 Aug 2006
Posts: 7,893
06-26-2008 17:48
From: Bella Posaner
So, is it a bad idea to keep your c/card details on your account, is it safer to delete it and re enter your details when you want to purchase more L$???

Rumor has it that deleting your payment info doesn't completely remove it from LL's system.
_____________________
~Now Trout Re-Re-Re-Certified!~
From: someone
I am bumping you to an 8.5 on the Official Trout Measuring Instrument of Sluttiness. You are an enigma - on the one hand a sweet, gentle, intelligent woman who we would like to wrap up in our arms and protect, and on the other, a temptress to whom we would like to do all sorts of unmentionable things.

Congratulations and shame on you! You are a bit of a slut.
Brenda Connolly
Un United Avatar
Join date: 10 Jan 2007
Posts: 25,000
06-26-2008 17:49
From: Nina Stepford
people are stupid by default.

Greedy too.
_____________________
Don't you ever try to look behind my eyes. You don't want to know what they have seen.

http://brenda-connolly.blogspot.com
LittleMe Jewell
...........
Join date: 8 Oct 2007
Posts: 11,319
06-26-2008 17:55
From: Court Goodman
1. password
2. 123456
3. qwerty
4. abc123
5. letmein
6. monkey
7. myspace1
8. password1
9. blink182
10. (your first name)


This is a list (of many that are all very similar) of the 10 most commonly-used passwords. Hardly Linden Labs' fault.
I do IT for police systems. The two passwords that I found the most often used are Harley1 and Adam12 - imagination at its best. When we added the requirement of 8 characters or more, they just added a few zeros in there.
:(
_____________________
♥♥♥
-Lil

Why do you sit there looking like an envelope without any address on it?
~Mark Twain~

Optimism is denial, so face the facts and move on.
♥♥♥
Lil's Yard Sale / Inventory Cleanout: http://slurl.com/secondlife/Triggerfish/52/27/22
.
http://www.flickr.com/photos/littleme_jewell
Nongmin Thor
Registered User
Join date: 30 May 2008
Posts: 6
Seems a bigger problem
06-30-2008 07:01
Many thanks to all who have posted replies. Many will be useful for others. Sadly, none of the enumerated problems with users apply in my case.

Importantly, I have recently learned from other residents that this is not an isolated case. While the amount involved in my case was small, I understand there have been much more substantial amounts involved in the other incident. Moreover, the incident and the lack of any remedy so demoralized the victim that he left SL after a long-term residency.

I would hope that all victims come forward to tell their stories. If there is a systemic problem, all residents should be made aware. And if there is a problem that needs attention from Linden Labs, because it is or is becoming widespread, I would hope that they would take appropriate corrective action and inform the residents.

Additional thoughts and comments welcome!
Lear Cale
wordy bugger
Join date: 22 Aug 2007
Posts: 3,569
06-30-2008 08:04
From: Chris Norse
In 99.99999% of cases it has been actions taken by the resident that compromised the data. Can you give me the name of one person who has been harmed by having their information given out by LL, along with evidence backing it up?


I doubt you have the data to support your claim. Have there even been 10,000,000 security breaches in SL? There would have to be at least that many (with one SL-caused one) for that to be accurate.

I agree with the gist of your post, but you call others to back up a claim while making a totally unsubstantiable one yourself.

People, please: don't use numbers unless you HAVE numbers, and good statistical arguments to back them up -- unless you like looking ignorant.
Lear Cale
wordy bugger
Join date: 22 Aug 2007
Posts: 3,569
06-30-2008 08:16
From: LittleMe Jewell
I do IT for police systems. The two passwords that I found the most often used are Harley1 and Adam12 - imagination at its best. When we added the requirement of 8 characters or more, they just added a few zeros in there.
:(


I wonder how we get this information. In any competent password system, the password is never stored: only a mangled form of it is stored, a form that doesn't allow you to figure out the original password, but provides the ability to test whether the entered password matches. So, this data is simply not available. (Storing passwords in cleartext, or any form where they're derivable, is an unnecessary security risk. No competent security system would allow it.)
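The storage scheme Lear Cale describes above, together with a sign-up check against the common passwords quoted earlier in the thread (including the zero-padded variants LittleMe Jewell mentions), as an added example that is not part of any post in this thread. The function names, the PBKDF2 parameters and the record format are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed blocklist: the passwords quoted in this thread, lowercased.
COMMON = {
    "password", "123456", "qwerty", "abc123", "letmein", "monkey",
    "myspace1", "password1", "blink182", "harley1", "adam12",
}
DIGITS = "0123456789"
ITERATIONS = 600_000   # assumed PBKDF2-HMAC-SHA256 work factor
SALT_LEN = 16          # bytes of per-user random salt


def is_weak(password, first_name=""):
    """True if the password is blocklisted, also after removing padding zeros."""
    p = password.lower()
    # "Harley1" padded to 8+ characters with zeros collapses back to "harley1".
    if p in COMMON or p.replace("0", "") in COMMON:
        return True
    # Entry 10 on the quoted list: the user's first name, with or without digits.
    return bool(first_name) and p.rstrip(DIGITS) == first_name.lower()


def make_record(password):
    """Return the string to store: scheme, work factor, salt and derived key."""
    salt = os.urandom(SALT_LEN)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${key.hex()}"


def verify(password, record):
    """Re-derive the key from the entered password and compare in constant time."""
    try:
        scheme, iterations, salt_hex, key_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt, stored = bytes.fromhex(salt_hex), bytes.fromhex(key_hex)
        key = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, int(iterations)
        )
    except ValueError:
        return False  # malformed record: wrong field count, bad hex, bad count
    return hmac.compare_digest(key, stored)


def register(password, first_name=""):
    """The policy check runs here, while the cleartext is still in hand."""
    if len(password) < 8 or is_weak(password, first_name):
        raise ValueError("password rejected by policy")
    return make_record(password)


if __name__ == "__main__":
    a = register("correct horse battery")   # constructed sample passwords
    b = register("correct horse battery")
    print(a != b, verify("correct horse battery", a), verify("Harley1000", a))
    for candidate in ("Harley1000", "Adam0012", "Nina2008"):
        print(candidate, is_weak(candidate, first_name="Nina"))
```

Because every record carries its own random salt, two users with the same password store different strings, so sign-up is the only point at which a weak choice can be seen and refused.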
Nongmin Thor
Registered User
Join date: 30 May 2008
Posts: 6
Disturbing
07-01-2008 08:20
The string of discussion is at last becoming substantive.

"I doubt you have the data to support your claim. Have there even been 10,000,000 security breaches in SL? There would have to be at least that many (with one SL-caused one) for that to be accurate.

I agree with the gist of your post, but you call others to back up a claim while making a totally unsubstantiable one yourself.

People, please: don't use numbers unless you HAVE numbers, and good statistical arguments to back them up -- unless you like looking ignorant."

Firstly, I do have the data to support my claim. This comes in the form of a month of L$ transaction history. Even the most severely challenged would have difficulty in concluding anything other than fraud or theft if they had access to that data. Sadly (and it appears possibly self-servingly), I cannot provide general access to that data without violating SL rules. Rest assured that the relevant transaction history (complete with names, dates, amounts and times) has been submitted to Linden Labs.

Secondly, the math boggles the imagination. How can anyone extrapolate from my experience to 10,000,000 breaches? There is no basis in logic or math for that assertion. My only assertion is that I was defrauded, and robbed, and that based on my conversations with other residents, I am not alone. Whether the victims number 10, 100, 10,000, 100,000, 1,000,000 or 10,000,000 is not the point. The integrity of SL is the point. If the 10,000,000 figure was intended to trivialize the problem, I leave it to the readers to judge whether (1) my statements implied such a figure and (2) the astronomical figure may be intended to suppress a significant concern.

Thirdly, you "agree with the gist of [my] post". Given the rest of the response, I am at a loss to understand your reference to "gist". To be clear, the essence of my complaint is twofold: (1) there are no remedies for fraud and theft in SL, and (2) the lack of remedies means that the credibility of SL (and the economy it supports) are at risk.

Fourthly, I have not used numbers. Accordingly, I do not understand the exhortation to "don't use numbers unless you HAVE numbers". In addition, the inference that doing what I have not done means I "like looking ignorant" is not only baseless, but offensive.

Finally, in closing, I would invite all who might read this thread to review the content from this particular author. It may be that the author has crossed the line with specious arguments. If so, it would not be unreasonable to conclude that he or she is part of the organization that would only be served by suppressing what may be systemic, serious problems. Just a thought.
Lear Cale
wordy bugger
Join date: 22 Aug 2007
Posts: 3,569
07-01-2008 08:30
From: Nongmin Thor
The string of discussion is at last becoming substantive.

"I doubt you have the data to support your claim. Have there even been 10,000,000 security breaches in SL? There would have to be at least that many (with one SL-caused one) for that to be accurate.

I agree with the gist of your post, but you call others to back up a claim while making a totally unsubstantiable one yourself.

People, please: don't use numbers unless you HAVE numbers, and good statistical arguments to back them up -- unless you like looking ignorant."

Firstly, I do have the data to support my claim. This comes in the form of a month of L$ transaction history. Even the most severely challenged would have difficulty in concluding anything other than fraud or theft if they had access to that data. Sadly (and it appears possibly self-servingly), I cannot provide general access to that data without violating SL rules. Rest assured that the relevant transaction history (complete with names, dates, amounts and times) has been submitted to Linden Labs.

Secondly, the math boggles the imagination. How can anyone extrapolate from my experience to 10,000,000 breaches? There is no basis in logic or math for that assertion. My only assertion is that I was defrauded, and robbed, and that based on my conversations with other residents, I am not alone. Whether the victims number 10, 100, 10,000, 100,000, 1,000,000 or 10,000,000 is not the point. The integrity of SL is the point. If the 10,000,000 figure was intended to trivialize the problem, I leave it to the readers to judge whether (1) my statements implied such a figure and (2) the astronomical figure may be intended to suppress a significant concern.

Thirdly, you "agree with the gist of [my] post". Given the rest of the response, I am at a loss to understand your reference to "gist". To be clear, the essence of my complaint is twofold: (1) there are no remedies for fraud and theft in SL, and (2) the lack of remedies means that the credibility of SL (and the economy it supports) are at risk.

Fourthly, I have not used numbers. Accordingly, I do not understand the exhortation to "don't use numbers unless you HAVE numbers". In addition, the inference that doing what I have not done means I "like looking ignorant" is not only baseless, but offensive.

Finally, in closing, I would invite all who might read this thread to review the content from this particular author. It may be that the author has crossed the line with specious arguments. If so, it would not be unreasonable to conclude that he or she is part of the organization that would only be served by suppressing what may be systemic, serious problems. Just a thought.


Nongmin, the only way I can interpret this post of yours is to assume that you somehow could not, or did not see, the quotation in my post, to which I was replying:

"Originally Posted by Chris Norse
In 99.99999% of cases it has been actions taken by the resident that compromised the data. Can you give me the name of one person who has been harmed by having their information given out by LL, along with evidence backing it up? "

That is the post I was commenting on. I hope this was simply a miscommunication. In any case, I hope that in the future you take considerably more care before accusing someone of being a criminal.
Nongmin Thor
Registered User
Join date: 30 May 2008
Posts: 6
Point taken
07-01-2008 08:46
Lear,

Well put, and you are correct. You and I have had a miscommunication, and my points should rightfully be directed to Chris Norse. I do apologize for my confusion.

Moreover, I would invite Chris to respond to the substance of both your observations and my further comments on the merits.

It seems to me that there may be systemic issues here, and ones that go to the integrity of the SL economy.

Many thanks, Lear, for pointing out my error.

Others, please comment -- particularly those who may have had recent similar experiences with fraud and theft in SL, regardless of the amount involved.
Chris Norse
Loud Arrogant Redneck
Join date: 1 Oct 2006
Posts: 5,735
07-01-2008 11:09
It is very simple, has anyone ever posted here that they have lost money due to LL leaking or not protecting their data? Can you name anyone who has had this happen to them? Sure they start out making this claim, but when questioned, they always end up admitting to:
1) Using a cybercafe
2) Falling for a phishing scheme
3) Giving their password to that lovely young lady who won their heart.
4) Piggybacking on an unsecured wireless connection.
5) Some other bit of idiocy that LL could do nothing at all to prevent.

Can you find me one case in which one of these was not the cause of people losing money?
Banking errors by LL which are corrected and the various land, gambling, banking changes excluded.
_____________________
I'm going to pick a fight
William Wallace, Braveheart

“Rules are mostly made to be broken and are too often for the lazy to hide behind”
Douglas MacArthur

FULL
Vampaerus Wysznik
bad lurker
Join date: 12 Apr 2008
Posts: 1,011
07-01-2008 15:14
From: Chris Norse
Can you find me one case in which one of these was not the cause of people losing money?
"Nongmin Thor"
The OP has thus far expressly denied any such acts of idiocy. Unless/until that changes, further insistence in this vein could be considered very insulting. The only truth is that none of us really know. Time may tell...
_____________________
Small scale web hosting for your SL or RL. Payable monthly in L$.
Cristalle Karami
Lady of the House
Join date: 4 Dec 2006
Posts: 6,222
07-01-2008 15:43
From: Vampaerus Wysznik
"Nongmin Thor"
The OP has thus far expressly denied any such acts of idiocy. Unless/until that changes, further insistence in this vein could be considered very insulting. The only truth is that none of us really know. Time may tell...

The original question is:
From: Chris Norse
In 99.99999% of cases it has been actions taken by the resident that compromised the data. Can you give me the name of one person who has been harmed by having their information given out by LL, along with evidence backing it up?

And Nongmin doesn't fit the bill. The question here is, was anyone actually damaged by the security breaches to LL's database in the past? The answer is, to date, a resounding no. As Kitty Barnett explained somewhere else, the break-in was looking for a way to automagically create lindens, not to rip off people's identities.
_____________________
Affordable & beautiful apartments & homes starting at 150L/wk! Waterfront homes, 575L/wk & 300 prims!

House of Cristalle low prim prefabs: secondlife://Cristalle/111/60

http://cristalleproperties.info
http://careeningcristalle.blogspot.com - Careening, A SL Sailing Blog
Rebecca Proudhon
(TM)
Join date: 3 May 2006
Posts: 1,686
07-01-2008 17:25
From: Cristalle Karami
The original question is:
And Nongmin doesn't fit the bill. The question here is, was anyone actually damaged by the security breaches to LL's database in the past? The answer is, to date, a resounding no. As Kitty Barnett explained somewhere else, the break-in was looking for a way to automagically create lindens, not to rip off people's identities.



It was admitted that the break-in did cough up an unknown amount of customer data, but said that the data was encrypted, so it was said that it was safe. How safe could it be?

No one really knows who is working with that data. There are a number of websites discussing the break-in.

People post all the time on these boards they lost money for this or that reason. Making assumptions of the poster's incompetence accomplishes nothing.

One can be sure though, that there are many people trying to devise ways to scam people in Second Life in as slick a way as possible and skim off money. It's an easy target now and in the future.

If counterfeiters did start duplicating Lindens they certainly would avoid attention making big transactions. I would guess that the same would hold true if people did have customer data. How would anyone know? You wouldn't necessarily know if all that data was readable yet. Maybe down the road a bit...
Cristalle Karami
Lady of the House
Join date: 4 Dec 2006
Posts: 6,222
07-01-2008 17:40
From: Rebecca Proudhon
It was admitted that the break-in did cough up an unknown amount of customer data, but said that the data was encrypted, so it was said that it was safe. How safe could it be?
That is a fair question. But if people did as they were told and changed their passwords, got new credit cards, etc. then the only vulnerable people are the ones who didn't do it.

From: someone
People post all the time on these boards they lost money for this or that reason. Making assumptions of the poster's incompetence accomplishes nothing.
Neither does automatically blaming LL, especially when it is documented that most security failures are because of user mishaps. There is no good approach when looking at *individual cases*.

From: someone
One can be sure though, that there are many people trying to devise ways to scam people in Second Life in as slick a way as possible and skim off money. It's an easy target now and in the future.

If counterfeiters did start duplicating Lindens they certainly would avoid attention making big transactions. I would guess that the same would hold true if people did have customer data. How would anyone know? You wouldn't necessarily know if all that data was readable yet. Maybe down the road a bit...

It is entirely possible, and is why people need to watch their credit in case of stuff like this. www.annualcreditreport.com
_____________________
Affordable & beautiful apartments & homes starting at 150L/wk! Waterfront homes, 575L/wk & 300 prims!

House of Cristalle low prim prefabs: secondlife://Cristalle/111/60

http://cristalleproperties.info
http://careeningcristalle.blogspot.com - Careening, A SL Sailing Blog
Rebecca Proudhon
(TM)
Join date: 3 May 2006
Posts: 1,686
07-01-2008 18:10
From: Cristalle Karami

Neither does automatically blaming LL, especially when it is documented that most security failures are because of user mishaps.


Online applications can differ in how well they deal with security.

Some are carefully protected and watched and some are laissez-faire, booby-trapped, unstable and when they find real openings, international organized farming businesses move in to harvest.

It's the lowest common denominator, booby-trapped existence, waiting for the big game hunter to come and use a big funnel and suck all the Lindens$ straight into Lindex banked in some anonymous hideaway.
Rene Erlanger
Scuderia Shapes & Skins G
Join date: 28 Sep 2006
Posts: 2,008
07-01-2008 21:16
The OP raises some valid questions about LL security.

I find it disappointing to read some of the nonsense written in here by regulars. Some of you act as if you know something, the truth is you're just guessing and probably clueless about LL security. It's a crying shame that readers coming into RA to find out information regarding breaches have to read such diatribe.

Here's from my own experiences.

My account was suspended on 3 separate occasions during a 4 week span this April. The reason being is that my password had attempts of being forced cracked (pummelled). LL's response in Live chat was this -->
"We're making notes of this address to attempt not to blanket ban anymore but if indeed it does occur please simply state "I believe I've been blocked by a 'generic MAC' ban" whereby numerous attempts were being made to login on your AV Name.

I was lucky they did not succeed. My password is a combination of upper and lower case letters with some numbers thrown in. I don't use this same password anywhere outside my SL login screen. I have different passwords for OnRez and SLEX or any other 3rd party site. I have "remember password" unchecked. So from my part, it's as secure as it gets.

About a week ago, my SL partner was not so fortunate, when her main a/c was accessed and someone gained entry into SL. It was LL that alerted her not the other way round...and suspended her account for several days! My SL partner is an SL oldbie, long time Linden mentor and knows 1 or 2 of the Linden employees personally...she too had a tight password with the "remember password" unchecked. LL spotted the infringement because the IP address (or Mac address) that logged in was different from her usual (California) IP address. They said they're now monitoring the activity of her main a/c over the next few weeks/months. They also advised her not to hold large Linden balances but to convert them into USD regularly.

The last part is quite telling imo....why would they advise a customer to regularly convert their Lindens into USD if there wasn't a vulnerability?


PS Linden balances are not necessarily the most important asset in your account! Supposing you're a skins creator and you have all your skin files in your inventory...or any other content creations. Those texture files could easily be "SAVE AS" (not transferred to another av a/c). I suggest that would have more long term value than simply stealing e.g. 100,000 Lindens which can show the recipient account.
Kitty Barnett
Registered User
Join date: 10 May 2006
Posts: 5,586
07-01-2008 22:01
From: Rene Erlanger
The last part is quite telling imo....why would they advise a customer to regularly convert their Lindens into USD if there wasn't a vulnerability?
One reason would be if the person who got access to her account rezzed a prim with a debit script in it.

Breach the account but don't do anything with it other than that, wait a few months for all the logs to expire, then start draining L$ and no one is any wiser.

---

Nothing you said indicated any problem on LL's side of things, just the opposite actually. If they suspended your friend's account proactively that means they're keeping an eye out rather than just letting things muddle on until someone tells them there's a problem.
Rene Erlanger
Scuderia Shapes & Skins G
Join date: 28 Sep 2006
Posts: 2,008
07-02-2008 01:09
From: Kitty Barnett
One reason would be if the person who got access to her account rezzed a prim with a debit script in it.

Breach the account but don't do anything with it other than that, wait a few months for all the logs to expire, then start draining L$ and no one is any wiser.

---

Nothing you said indicated any problem on LL's side of things, just the opposite actually. If they suspended your friend's account proactively that means they're keeping an eye out rather than just letting things muddle on until someone tells them there's a problem.


Yes, I commend LL for being proactive with both of our accounts. LL actually stopped 5000 L being transferred out of my partner's a/c (not a great amount!).....that however doesn't hide the fact that it does occur, which relates to what the OP was initially saying.
So if a "tight" password was cracked (my partner's), just imagine what happens to those "Harley1 and Adam12" type passwords.

The point I'm making, it's not just negligence on behalf of the player, but there are cases that are outside the control of the players. The OP and my SL partner are both cases of such events. This is not a dig at LL's security......but you can't stick your head in the sand pit and pretend it's not happening either.