Epic: Your account security design is atrociously bad

    In the past few hours, there have been over 70 attempts at spoofing the two-factor authentication for my account.

    In my effort to change my account password, to stop this, I have been faced with what is one of the most anti-user account security systems I can recall, which is possibly even more of a risk to Epic account holders than a hacking effort is - because the Epic system is designed to expose a legitimate user as much as possible, while giving them little to no recourse to do anything about a hack, or to retrieve their account if it is stolen.

    First, I'll start with one of the most absurd issues with the Epic account security system: Why do you broadcast the email address that the 2-factor authentication code is sent to? That's incredibly stupid. Now one of my email addresses is known to some lame fail-hacker somewhere in the world.

    Why not censor part of the email, like other sites do? For example: liv*******@****.com

    That would protect the user's privacy and security, and frustrate any further hacking efforts against other accounts - while accomplishing the goal of informing the account holder of where to get their 2FA information.



    Now, even after a person has their 2FA information, how can a person log into their own account to change the password to prevent someone who's trying to hack it from getting into it, when it takes about a half hour or longer for the two-factor authentication code to be sent to the person's email, and there's somebody constantly trying to brute-force the 2FA, using the current password each time, and resetting what the 2FA is with each log-in attempt? Again, stupid design.

    After a certain number of log-in attempts, like 5, an account should be locked, and only unlockable from an email that is sent to the person that the account belongs to. Or, no new log-ins should be possible for a set number of hours, while the last 2FA password sent to the account email may still be used - giving the person who owns the account time to use it to log into their account without the 2FA code constantly changing. Each 2FA code should have a working duration of at least 5 minutes after it's RECEIVED.



    Next issue with the Epic account security system: Oh, and did I say it takes over a half hour to receive the 2FA code? My mistake - it's been over 1.5 hours now, and I haven't yet received a single 2FA code from the location I'm in - but I've received over 60 from locations in Russia, which weren't generated by my own request for a 2FA code. By the way, I changed my Epic account password over 10 minutes ago, and I'm still receiving 2FA codes in my email. Also, I still haven't received a single 2FA code from my actual location.



    Now, the next glaring issue with the Epic anti-user account system: When all efforts by a person to log in to their account fail, or if a person's account is hijacked and its password changed, how is the person supposed to contact Epic support for assistance in retrieving their account? All Epic support options require being signed into a person's account. Therefore, if a person is locked out of their account, they're also locked out of support contact options to get help with their account. Like previous aspects of Epic's account system design, this part defies all logic. And Epic cannot even be contacted from their Facebook page, or elsewhere that I've seen (and I searched).

    So, the requirement for people to get support from Epic regarding their account security is that they don't require support from Epic regarding their account security in the first place.

    Create a support contact form on the Epic Games main website that allows a person to fill out and submit the form using just an email address for the return contact. Better yet, have an online chat support system that people can use WITHOUT needing them to be logged into their account to use it.



    And another amateur issue with Epic's account so-called security system: How is it that your account so-called security system does not identify a hacking effort when there are dozens of account log-in attempts, with each being from a unique IP address? Shouldn't any sensible system recognize, after maybe 3 - 4 log-in attempts within 30 minutes, each with a different IP address, that somebody is trying to hack the account, using IP-address spoofing?

    Here are the IP addresses that have been used to request a 2FA code for my account in the last few hours (only one of them is not from Russia, and is instead from France):



    My account should have been locked down, rather than allowing this many unique IPs to be signing into my account within a short period of time.



    Obviously, Epic's account security system NEEDS a major revision - and Epic account holders need it to happen to know that their Epic account is adequately secure.
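    As an added illustration (not code from the post or from Epic), here is a per-account 2FA guard that applies the controls the post asks for: mask the address the code is mailed to, keep a mailed code usable for a fixed lifetime instead of rotating it on every log-in, and stop issuing codes once too many attempts or too many distinct IPs appear within the window. All thresholds, IPs and the sample address are constructed.

```python
"""Added illustration, not Epic's code: a per-account 2FA guard that applies the
controls the post asks for. Thresholds, IPs and the e-mail address are constructed."""
import secrets
from collections import deque
from typing import Deque, Optional, Tuple

WINDOW_SECONDS = 30 * 60      # post: judge attempts within a 30-minute window
DISTINCT_IP_LIMIT = 4         # post: 3-4 attempts from different IPs means an attack
MAX_CHALLENGES = 5            # post: lock after about 5 log-in attempts
CODE_LIFETIME = 5 * 60        # post: a code should stay usable for at least 5 minutes
MAX_VERIFY_TRIES = 5          # constructed: guesses allowed per code before it is voided
LOCK_SECONDS = 60 * 60        # constructed: lock length; unlock would be via e-mailed link

def mask_email(addr: str) -> str:
    """Masked form the post proposes (liv*******@****.com). The mask lengths are
    fixed so the output does not leak how long the real address is."""
    local, _, domain = addr.partition("@")
    tld = domain.rsplit(".", 1)[-1]
    return f"{local[:3]}*******@****.{tld}"

class TwoFactorGuard:
    """Per-account state for e-mailed 2FA codes issued after a correct password."""
    def __init__(self) -> None:
        self.challenges: Deque[Tuple[float, str]] = deque()  # (time, ip) per request
        self.code: Optional[str] = None
        self.code_expires = 0.0
        self.verify_tries = 0
        self.locked_until = 0.0

    def _prune(self, now: float) -> None:
        while self.challenges and now - self.challenges[0][0] > WINDOW_SECONDS:
            self.challenges.popleft()

    def request_code(self, now: float, ip: str) -> str:
        """Returns 'locked', 'reused' (valid code kept) or 'issued' (new code mailed)."""
        if now < self.locked_until:
            return "locked"
        self._prune(now)
        self.challenges.append((now, ip))
        distinct = {src for _, src in self.challenges}
        if len(self.challenges) > MAX_CHALLENGES or len(distinct) >= DISTINCT_IP_LIMIT:
            self.locked_until = now + LOCK_SECONDS  # the last mailed code stays usable
            return "locked"
        if self.code is not None and now < self.code_expires:
            return "reused"  # never rotate a live code: that is what starved the owner
        self.code = f"{secrets.randbelow(10 ** 6):06d}"
        self.code_expires = now + CODE_LIFETIME
        self.verify_tries = 0
        return "issued"

    def verify_code(self, now: float, submitted: str) -> bool:
        """Allowed even while locked, so the owner can finish with the code they got."""
        if self.code is None or now >= self.code_expires:
            return False
        self.verify_tries += 1
        if self.verify_tries > MAX_VERIFY_TRIES:
            self.code = None  # too many guesses: void it rather than let it be brute-forced
            return False
        if not secrets.compare_digest(self.code, submitted):
            return False
        self.code = None  # single use
        self.challenges.clear()
        return True
```

The timestamps are plain seconds so the flow can be replayed deterministically; a real deployment would pass `time.time()` and persist the state per account.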

    #2
    And to add to the unfortunate state of Epic’s account security system, when I changed my password, I received an email from Epic saying:

    "Hi ---------!

    You have successfully changed your Epic Games account password. If you did not make this request, please contact us immediately.

    Kind Regards,
    Your Friends at Epic"

    When I clicked the 'contact us' link to inform Epic of the difficulties I had just encountered and sent an email, I immediately received an automated email from Epic Help (help+noreply@epicgames.com), saying:

    "Thank you for your email. This email address is not monitored. For support, please visit http://help.epicgames.com."

    And the page where the help.epicgames.com link leads to requires account sign-in to make any support request. So, astonishingly, Epic's help system for an issue with an account is actually a perpetual loop of futile re-direction!

    And adding to the situation, if a person is able to sign into their account, the Epic Account help option only links to the person’s profile settings, rather than to a form to contact Epic for help with their account.


    It seems clear that Epic do not want anybody to contact them, because there indeed is no way to contact them! So, what is a person expected to do if their Epic account is hacked and stolen? As it is, it appears that they can do nothing but create an alt account, and then maybe post about their issue on the forums.
    Last edited by Delicieuxz; 04-01-2018, 03:37 PM.



      #3
      See https://forums.unrealengine.com/unre...nt-compromised
      Rule#21: Be polite, be professional, but have a plan to kill everyone you meet.



        #4
        Just wanted to chip in here.

        I was recently locked out of my account due to too many bad password attempts from someone else trying to access my account, and have lost my account to a "hacker" already once before (several months ago). Luckily I learned my lesson way back when, and now use a different password for every account I have. (A lot of people still don't, which is 99% of the reason they still lose their accounts).

        However - the 2FA system in place right now is frankly, a joke - and it took a short eternity to even implement in the first place.

        I accept that the success of Fortnite is something Epic wasn't prepared for, and I accept that they are a games company and not a security company - but it's been several months now, and it seems somewhat irresponsible to not take these issues more seriously or at least be more transparent with what's being done to resolve it. I understand that dealing with this kind of thing is a sensitive topic, but the only response we ever really get is "our engineers are looking into it". (See the thread linked above for an example of it).

        Several users have had actual money go missing from their bank accounts - that is SERIOUS and messes with people's real lives. What happens when somebody's rent money goes missing from their account due to poor security? I recently removed all payment information from my account, and I'm holding off on releasing marketplace content until I feel the system is secure enough to re-add my payment details. Incidentally, to set up as a marketplace seller, my account now stores sensitive information about my business too (such as Tax Reg Number) - which I can't remove without jumping through hoops.

        A couple of weeks ago, it took over 24 hours to get a 2FA sign-in code sent to my e-mail address, which I needed to install the engine at an on-site contract (i.e., a legitimate use of my account at another location - exactly what 2FA is designed for). As a result, I wasn't able to install the engine at all using my own account and couldn't even access anything else. Thankfully someone on-site had their own account on that machine - but if they hadn't, I'd have been out of a job that day.

        I'm a self-admitted Epic / Unreal fanboy - but even I can't look past the sheer number of people losing their accounts recently. Social media is rammed full of folks trying to understand why they keep losing access to their accounts. Serious action needs to be taken before this gets out of control, or we at least need to know that's what's happening.



          #5
          Imma just leave this here: https://twitter.com/Luos_83/status/977851446900215808
          and agree with OP/Jamsh.
          Not so much with RareSumo though.



            #6
            Wait, so let me get this straight. Now that I've turned on 2fa someone can just endlessly probe my account with infinite login attempts until they get the right password since the lockout was removed? That's great!
            Last edited by Envieous; 04-03-2018, 08:40 AM.
            Anime Shading Model - Twitter



              #7
              Have since deleted that tweet I'm afraid Luos. Tend to use twitter as a ranting platform then go back through it once my day is back to normal



                #8
                Originally posted by RareSumo
                I just want my account deleted. Why is it impossible to do something as simple as that? Garbage.
                I'll quote this and post here for the rest of the readers.

                If you want an account deleted, contact Epic Account Support. We are forum moderators, not Epic Staff. Regardless of how frustrating this issue is (we all feel it) - stick to the Code of Conduct and remain polite and professional. Cursing will get you nowhere fast and the thread will be locked.



                  #9
                  Originally posted by TheJamsh View Post
                  Have since deleted that tweet I'm afraid Luos. Tend to use twitter as a ranting platform then go back through it once my day is back to normal
                  I know, but it contained at least one other person who was dealing with weird-login-by-other issues.



                    #10
                    I apologize that you all have experienced issues with your Epic accounts. As you’re aware, with the massive influx of users to Fortnite, we’ve seen an increase in attempts by hackers to gain access to Epic accounts. Our team is rapidly implementing changes to our security systems to protect and secure your data while improving your experience in the event that your account is targeted. For the sake of security, we can’t disclose all of that information, but please know that we are progressing on mitigating attacks.

                    We encourage all folks to enable 2FA. This is a HUGE step in securing your account. The delayed emails you experienced this weekend were due to an issue with our email provider, which prevented you from receiving active codes. That issue has been resolved and the team is investigating offline MFA options to help get you back into your account in the event that the online options are failing.

                    Accounts that do not have MFA enabled will be locked after a number of failed login attempts, since these accounts are less protected. However, resetting your password will enable you to access your account again in the event of a lockout.

                    We could obscure the email address when sending the code. Keep in mind, though, that the hacker would already have your email address if they’re able to view the 2FA message.

                    Our customer support infrastructure is undergoing a significant overhaul, and we are working to have better resources in place for you very soon. I’ll update this post as soon as we have an improved support loop for Epic accounts.

                    Lastly, please check out this post on all the steps you can take to make sure your account is as secure as possible.



                      #11
                      ^s'wat I'm talking about. Thanks for the info Amanda!



                        #12
                        I get "Your account has been locked." emails all the time due to someone trying to brute force my account. It's gotten to the point where I just smile and ignore it now. It's ridiculous.



                          #13
                          Originally posted by Amanda.Bott View Post
                          We could obscure the email address when sending the code. Keep in mind, though, that the hacker would already have your email address if they’re able to view the 2FA message.
                          In my case, it seems to me that they had my username, Delicieuxz, and somehow had the password, but didn't have access to my email (which uses a different password) - otherwise, they would have been able to successfully enter the 2FA code and take over my account. Since they kept trying, I'm guessing they were attempting to brute-force the 2FA code, while having no access to my email to see what it is.

                          And the hacker would likely not have known my email address at all, if not for the Epic log-in page saying something along the lines of: A 2FA code has been sent to exampleemail@email.com - which it does following each username and password log-in, without obscuring any of the letters. It definitely will give account holders more security of their 2FA-protected Epic accounts, and of their email accounts, to obscure enough of the email address that only the person who owns that address will know which it is.


                          I'm glad that Epic is working on putting together a much better account security and recovery system, though.
                          Last edited by Delicieuxz; 04-05-2018, 10:27 PM.



                            #14
                            Amanda.Bott


                            Following the links above brings up a maintenance error but it still lets you enable 2-factor...
                            However, as long as your 'Email-Address' is fully visible it just changes the 'Attack-Vector'.
                            We know from here, that not all hackers use bots / scripts, some just try combos/get lucky.
                            If a hacker keeps good notes then yes, they'll have the email already, but if not, they may not.
                            So please obscure the email. Where there's doubt, there is no doubt...Please fix this Epic!
                            ----------------------------------------------------------------------------------------------------------
                            What are the BEST Unreal Tutorials / Docs? There are none tbh... Here's why
                            Instead it's better to just take projects apart (see the free 'creators' listed here)



                              #15
                              Originally posted by Amanda.Bott View Post
                              I apologize that you all have experienced issues with your Epic accounts. As you’re aware, with the massive influx of users to Fortnite, we’ve seen an increase in attempts by hackers to gain access to Epic accounts. Our team is rapidly implementing changes to our security systems to protect and secure your data while improving your experience in the event that your account is targeted. For the sake of security, we can’t disclose all of that information, but please know that we are progressing on mitigating attacks.

                              We encourage all folks to enable 2FA. This is a HUGE step in securing your account. The delayed emails you experienced this weekend were due to an issue with our email provider, which prevented you from receiving active codes. That issue has been resolved and the team is investigating offline MFA options to help get you back into your account in the event that the online options are failing.

                              Accounts that do not have MFA enabled will be locked after a number of failed login attempts, since these accounts are less protected. However, resetting your password will enable you to access your account again in the event of a lockout.

                              We could obscure the email address when sending the code. Keep in mind, though, that the hacker would already have your email address if they’re able to view the 2FA message.

                              Our customer support infrastructure is undergoing a significant overhaul, and we are working to have better resources in place for you very soon. I’ll update this post as soon as we have an improved support loop for Epic accounts.

                              Lastly, please check out this post on all the steps you can take to make sure your account is as secure as possible.
                              Next week it will be 2 months. I tried changing my e-mail through customer support, but I was told to wait and very soon we could change our e-mail addresses. All my accounts use different passwords and I want to retire my old e-mail address due to phishing and spam mails. My Epic account is the only one left that uses the old e-mail address I wish to retire.

                              When will we be able to change our e-mail addresses, either ourselves or through customer service?
