Epic: Your account security design is atrociously bad

  • replied
    Hey Epic, if possible can you add an option to use Google Authenticator for Android/iPhone for 2FA? It produces a seeded random set of 6 numbers generated from a unique code for each user's account as an authentication code which changes (expires) every 30 seconds. I use it for about a dozen other websites with 2FA, it works really well, and would be nice to have an option to use it instead of email for 2FA on Epic accounts.

    My account was hacked here and on twitter shortly afterwards a few months ago during the time I was away and I too was receiving emails similar to the OP. Thankfully no harm was done, but it could have been a nightmare cleaning up the mess on the forums if they realized I was a moderator. My email now shows up as Pwnd on this site, which is annoying but I'm not getting much spam so I don't know whether to stop using it completely or not. Since then I have been going OCD overkill on security both here and all my other accounts, changing long passwords monthly and never reusing a password for any other sites. It's a pain but worth it in the long run.

    I would like to change my email address attached to this account though, so I will be sending a request from the support request page to fix that. If anyone else is having account issues use that link to report it to Epic Support. It says Fortnite, but it's for UE4 support too, just select "PC/Mac" from the Fortnite Game Platform combo-box, select a random Game Mode, and then use "Account Security Issue" option for Game Issue.
    Last edited by DotCam; 06-02-2018, 06:41 PM.

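The authenticator scheme described in the post above is TOTP (RFC 6238): a shared secret is enrolled once, and both sides derive a 6-digit code from HMAC-SHA1 over the current 30-second time step. The following is an added example written for this thread, not code from DotCam, Epic or Google; the verification window of one step either side, the replay guard via `last_counter`, and the `otpauth://` enrolment URI format are design choices assumed here, and the secret `b"12345678901234567890"` used in the test is the RFC's published test vector, not a real key.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

STEP_SECONDS = 30   # code lifetime the post describes
DIGITS = 6          # code length the post describes


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to a 31-bit integer, then the last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at=None, step: int = STEP_SECONDS) -> str:
    """TOTP (RFC 6238): HOTP with the counter taken from the Unix time.
    `at` is an optional fixed timestamp so results can be reproduced."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // step)


def verify_totp(secret: bytes, code: str, at=None, last_counter: int = -1,
                window: int = 1, step: int = STEP_SECONDS):
    """Server-side check. Returns the time-step counter that matched `code`,
    or None. `window` tolerates clock drift of that many steps either way;
    the caller must persist the returned counter and pass it back as
    `last_counter`, which rejects a code that was already accepted once
    (assumed replay guard, not mandated by the RFC)."""
    if at is None:
        at = time.time()
    now = int(at) // step
    for counter in range(now - window, now + window + 1):
        if counter <= last_counter:
            continue                      # already used or older than a used code
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


def new_secret() -> bytes:
    """Fresh 160-bit enrolment secret (the SHA-1 output size)."""
    return secrets.token_bytes(20)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI as consumed by authenticator apps when scanned as a QR code
    (format assumed from common practice; issuer/account names are placeholders)."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


if __name__ == "__main__":
    demo_secret = new_secret()
    print(provisioning_uri(demo_secret, "user@example.invalid", "ExampleIssuer"))
    print("current code:", totp(demo_secret))
```

The secret never leaves the server and the app except at enrolment, so an attacker who can read the account's e-mail gains nothing, which is the property the post is asking for; the trade-off is that the server must keep the secret in a store that is at least as well protected as the password hashes.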


  • replied
    What if someone uses a different IP in every log in?
    Last edited by EvilCleric; 06-02-2018, 02:58 AM.



  • replied
    I wrote up a detailed explanation to Unreal about how they could solve these problems, but they just don't care. Personally though, I am more concerned about the fact that their system is stupidly easy to exploit to shut down an entire studio. All you need is a login bot that repeatedly tries to login to a set of accounts. So once you get a list of emails, you spam failed login attempts to lock their accounts. That's an old trick from the early 90's that's usually used to get people to reuse old passwords eventually, but it can be used as a sort of denial of service attack.

    Considering how frequently my account is locked I am fairly certain that bots are already in use, but I'm smarter about my passwords than most so the only real problem I get is that I get spammed by Unreal and there's no way to make them shut up.

    Both the login bot issue and the issue of compromised accounts would be easy to solve if they took one of my many suggestions. For example, suppose that if/when an account is locked an IP address that you used to login successfully last is allowed to have continued access. Logically, if the attacker had the correct password they wouldn't know to lock it anyway so clearly the last successful login can be assumed to be from a valid user. In this case, it reduces the vulnerability to a login bot - and completely eliminates it for companies with a static IP address. It would be even better if they allowed the last, say, 3 IP addresses to remain active or to let the user manually set a white list.

    From there, if the user could manually set their account to only allow access from certain geographical locations, it would prevent hacking attempts from outside that geographic area. The attacker shouldn't get anything more than the normal failed login attempt. This, of course, doesn't eliminate the possibility of someone in my geographic area from compromising my account or from someone spoofing their IP, but generally speaking if implemented correctly the attacker wouldn't really know which geographic ranges would be correct. To further protect the account, it could be set to prevent you from blocking out your current geographic range and could be set to prevent that from being changed for X days. So if I set my location, I could say not to let anyone touch it for a year - not even me - so if my account is ever compromised regardless they can't lock me out.

    Lacking any of those fixes, how about lifting the login requirement to create projects and use purchased assets? It's great that I can use already created projects while locked out, but this always-on DRM clearly isn't working.

    Then again, I highly doubt Unreal will do anything whatsoever unless and until one of the larger studios that use Unreal are shut down by a malicious attacker abusing their vulnerabilities and then they get sued, which is even worse IMHO - it represents a callous disregard for real security.

    ...

    Now, in regards to Fortnite, what idiot thought it was a good idea to integrate a game with a development engine? Developer accounts should be totally separate. It's so bad, that most of the contact emails for Epic are now unmonitored and the few that are tend to focus on Fortnite and when I contact about development issues the first responses are always about Fortnite. There is no freaking way I will EVER play that game at this point, regardless of its merits, because doing so will probably make it even harder to be taken seriously. Why couldn't you guys just develop a separate client for that game? With a separate account system?

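The lockout design proposed above (lock the account after repeated failures, but keep the last few IPs that logged in successfully exempt, so a flood of bad passwords cannot lock the real user out) and the earlier question about an attacker rotating IPs can both be shown in one piece of server-side logic. This is an added example for the thread, not Epic's code or the poster's; the thresholds, the 3-address trusted set, the lock duration and the rule that a trusted IP loses its exemption after its own run of failures are assumptions chosen for the illustration.

```python
import time
from collections import defaultdict, deque


class LoginGuard:
    """Account lockout with a per-account set of trusted source IPs.

    - Failures are counted per account, so an attacker who changes IP on every
      attempt still triggers the lock: rotating IPs does not help them.
    - The lock is only enforced for IPs that are NOT in the account's trusted set
      (the last `trusted_ips` addresses that logged in successfully), so the
      legitimate user keeps access while strangers are locked out.
    - A trusted IP that itself produces `trusted_max_failures` bad passwords for
      the account is dropped from the set (a shared office NAT is not proof of
      identity), after which it is treated like any other address.
    """

    def __init__(self, max_failures=5, lock_seconds=900, trusted_ips=3,
                 trusted_max_failures=10, now=time.time):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.trusted_ips = trusted_ips
        self.trusted_max_failures = trusted_max_failures
        self.now = now   # injectable clock so the policy can be tested deterministically
        self._failures = defaultdict(int)          # account -> consecutive untrusted failures
        self._locked_until = defaultdict(float)    # account -> lock expiry (Unix time)
        self._trusted = defaultdict(deque)         # account -> last N successful source IPs
        self._trusted_failures = defaultdict(int)  # (account, ip) -> failures from a trusted IP

    def is_trusted(self, account: str, ip: str) -> bool:
        return ip in self._trusted[account]

    def is_blocked(self, account: str, ip: str) -> bool:
        """True if a login attempt from `ip` must be refused before checking the password."""
        if self.is_trusted(account, ip):
            return False   # strangers' failures never lock out a known-good address
        return self.now() < self._locked_until[account]

    def record_failure(self, account: str, ip: str) -> bool:
        """Register a wrong password. Returns True if this attempt locked the account."""
        if self.is_trusted(account, ip):
            self._trusted_failures[(account, ip)] += 1
            if self._trusted_failures[(account, ip)] >= self.trusted_max_failures:
                self._trusted[account].remove(ip)           # exemption revoked
                del self._trusted_failures[(account, ip)]
            return False
        self._failures[account] += 1
        if self._failures[account] >= self.max_failures:
            self._locked_until[account] = self.now() + self.lock_seconds
            self._failures[account] = 0
            return True
        return False

    def record_success(self, account: str, ip: str) -> None:
        """Register a correct password: reset counters and make `ip` the newest trusted address."""
        self._failures[account] = 0
        self._trusted_failures.pop((account, ip), None)
        trusted = self._trusted[account]
        if ip in trusted:
            trusted.remove(ip)
        trusted.append(ip)
        while len(trusted) > self.trusted_ips:
            trusted.popleft()   # forget the oldest address once the set is full

    def trusted_addresses(self, account: str) -> list:
        return list(self._trusted[account])
```

Note what the policy does not do: it never tells the caller whether the account exists, and it does not replace a per-IP rate limit, which is the right tool against the same source hammering many accounts. The lock also expires on its own, so a sustained flood degrades the experience for new devices rather than denying service outright.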


  • replied
    Originally posted by Amanda.Bott:
    We encourage all folks to enable 2FA. This is a HUGE step in securing your account. The delayed emails you experienced this weekend were due to an issue with our email provider, which prevented you from receiving active codes. That issue has been resolved and the team is investigating offline MFA options to help get you back into your account in the event that the online options are failing.
    Glad to have come here to report a similar issue and already seeing a dialog about it. I tried enabling 2FA on my account, but when I attempted to log in from another computer, I never received the 2FA email, which left me unable to login. I tried again for several days in a row without ever getting a verification code sent to me. I ended up having to go back to a computer I was already logged in on and disabling 2FA to get access. How can we use 2FA if we can't reliably expect Epic to send 2FA codes?



  • replied
    Originally posted by Amanda.Bott:
    I apologize that you all have experienced issues with your Epic accounts. As you’re aware, with the massive influx of users to Fortnite, we’ve seen an increase in attempts by hackers to gain access to Epic accounts. Our team is rapidly implementing changes to our security systems to protect and secure your data while improving your experience in the event that your account is targeted. For the sake of security, we can’t disclose all of that information, but please know that we are progressing on mitigating attacks.

    We encourage all folks to enable 2FA. This is a HUGE step in securing your account. The delayed emails you experienced this weekend were due to an issue with our email provider, which prevented you from receiving active codes. That issue has been resolved and the team is investigating offline MFA options to help get you back into your account in the event that the online options are failing.

    Accounts that do not have MFA enabled will be locked after a number of failed login attempts, since these accounts are less protected. However, resetting your password will enable you to access your account again in the event of a lockout.

    We could obscure the email address when sending the code. Keep in mind, though, that the hacker would already have your email address if they’re able to view the 2FA message.

    Our customer support infrastructure is undergoing a significant overhaul, and we are working to have better resources in place for you very soon. I’ll update this post as soon as we have an improved support loop for Epic accounts.

    Lastly, please check out this post on all the steps you can take to make sure your account is as secure as possible.
    Next week it will be 2 months. I tried changing my e-mail through customer support, but I was told to wait and very soon we could change our e-mail addresses. All my accounts use different passwords and I want to retire my old e-mail address due to phishing and spam-mails. My Epic account is the only one left that uses the old e-mail address I wish to retire.

    When will we be able to change our e-mail addresses, either ourselves or through customer service?



  • replied
    Amanda.Bott


    Following the links above brings up a maintenance error but it still lets you enable 2-factor...
    However, as long as your 'Email-Address' is fully visible it just changes the 'Attack-Vector'.
    We know from here, that not all hackers use bots / scripts, some just try combos/get lucky.
    If a hacker keeps good notes then yes they'll have the email already, but if not they may not.
    So please obscure the email. Where there's doubt, there is no doubt...Please fix this Epic!



  • replied
    Originally posted by Amanda.Bott:
    We could obscure the email address when sending the code. Keep in mind, though, that the hacker would already have your email address if they’re able to view the 2FA message.
    In my case, it seems to me that they had my username, Delicieuxz, and somehow had the password, but didn't have access to my email (which uses a different password) - otherwise, they would have been able to successfully enter the 2FA code and take over my account. Since they kept trying, I'm guessing they were attempting to brute-force the 2FA code, while having no access to my email to see what it is.

    And the hacker would likely not have known my email address at all, if not for the Epic log-in page saying along the lines of: A 2FA code has been sent to exampleemail@email.com - which it does following each username and password log-in, without obscuring any of the letters. It definitely will give account holders more security of their 2FA-protected Epic accounts, and of their email accounts, to obscure enough of the email address that only the person who owns that address will know which it is.


    I'm glad that Epic is working on putting together a much better account security and recovery system, though.
    Last edited by Delicieuxz; 04-05-2018, 10:27 PM.

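Two posts above ask for the address in the "A 2FA code has been sent to ..." prompt to be obscured so that only its owner can recognise it. The following is an added example of one way to do that, written for this thread and not taken from Epic's login page: it keeps the first character of the local part and of the domain plus the top-level domain, and replaces everything else with a fixed three asterisks so that the masked form does not even reveal how long the address is. The fallback wording for malformed input and the `exampleemail@email.com` sample (taken from the post above) are illustrative choices.

```python
import re

# Loose shape check: something@something.tld with no whitespace. It is only used
# to decide whether the input is safe to slice, not to validate deliverability.
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s.]+$")


def mask_email(address: str) -> str:
    """Return a form of `address` that the owner will recognise but that does not
    disclose the address itself: first character of the local part, first
    character of the domain, and the top-level domain are kept; the rest is
    replaced by a constant '***' so the length is hidden too."""
    if not _EMAIL_RE.match(address):
        # Never echo malformed or unexpected input back into a login prompt.
        return "the e-mail address on file"
    local, domain = address.rsplit("@", 1)
    domain_name, tld = domain.rsplit(".", 1)
    return f"{local[0]}***@{domain_name[0]}***.{tld}"


def two_factor_prompt(address: str) -> str:
    """The message shown after a correct username and password when an
    e-mailed code is required (wording assumed for the example)."""
    return f"A 2FA code has been sent to {mask_email(address)}."


def prompt_leaks_address(address: str) -> bool:
    """Self-check a login page can run in tests: the full address, and the full
    local part, must never appear in the prompt text."""
    local = address.split("@", 1)[0]
    prompt = two_factor_prompt(address)
    return address in prompt or (len(local) > 1 and local in prompt)


if __name__ == "__main__":
    print(two_factor_prompt("exampleemail@email.com"))   # e***@e***.com
```

Masking only helps where it is applied consistently: the same text must also be used in any "resend code" and account-recovery screens, otherwise the unmasked address is one click away.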


  • replied
    I get "Your account has been locked." emails all the time due to someone trying to brute force my account. It's gotten to the point where I just smile and ignore it now. It's ridiculous.



  • replied
    ^s'wat I'm talking about. Thanks for the info Amanda!



  • replied
    I apologize that you all have experienced issues with your Epic accounts. As you’re aware, with the massive influx of users to Fortnite, we’ve seen an increase in attempts by hackers to gain access to Epic accounts. Our team is rapidly implementing changes to our security systems to protect and secure your data while improving your experience in the event that your account is targeted. For the sake of security, we can’t disclose all of that information, but please know that we are progressing on mitigating attacks.

    We encourage all folks to enable 2FA. This is a HUGE step in securing your account. The delayed emails you experienced this weekend were due to an issue with our email provider, which prevented you from receiving active codes. That issue has been resolved and the team is investigating offline MFA options to help get you back into your account in the event that the online options are failing.

    Accounts that do not have MFA enabled will be locked after a number of failed login attempts, since these accounts are less protected. However, resetting your password will enable you to access your account again in the event of a lockout.

    We could obscure the email address when sending the code. Keep in mind, though, that the hacker would already have your email address if they’re able to view the 2FA message.

    Our customer support infrastructure is undergoing a significant overhaul, and we are working to have better resources in place for you very soon. I’ll update this post as soon as we have an improved support loop for Epic accounts.

    Lastly, please check out this post on all the steps you can take to make sure your account is as secure as possible.



  • replied
    Originally posted by TheJamsh:
    Have since deleted that tweet I'm afraid Luos. Tend to use twitter as a ranting platform then go back through it once my day is back to normal
    I know, but it contained at least one other person who was dealing with weird-login-by-other issues.



  • replied
    Originally posted by RareSumo:
    I just want my account deleted. Why is it impossible to do something as simple as that? Garbage.
    I'll quote this and post here for the rest of the readers.

    If you want an account deleted, contact Epic Account Support. We are forum moderators, not Epic Staff. Regardless of how frustrating this issue is (we all feel it) - stick to the Code of Conduct and remain polite and professional. Cursing will get you nowhere fast and the thread will be locked.



  • replied
    Have since deleted that tweet I'm afraid Luos. Tend to use twitter as a ranting platform then go back through it once my day is back to normal



  • replied
    Wait, so let me get this straight. Now that I've turned on 2fa someone can just endlessly probe my account with infinite login attempts until they get the right password since the lockout was removed? That's great!
    Last edited by Envieous; 04-03-2018, 08:40 AM.



  • replied
    Imma just leave this here: https://twitter.com/Luos_83/status/977851446900215808
    and agree with OP/Jamsh.
    Not so much with RareSumo though.
