Like people said, you should have just sent a report in. If anything left out HOW you found this out etc because now I could do it without issue if I chose to.
Good find though because this and teleport hack are like "omfg really?" issues lol....
Is this for real? If so, it needs to be fixed asap!
Using the Security token / Software token is still a better protection than having none.
Some ppl seem to forget the main purpose many ppl use the token setup is so they can avoid the IP lock, so if you get the session ID of someone who used a token it no longer checks the IP. This is almost reversal logic, I would rather have my account lock when it logs in from a diff IP than the alternate.
You could almost argue the token makes your security worse if you have viruses...
Don't try to reason with it. That's kind of like saying 'I always wear my seatbelt and I've never had a car crash therefore seatbelts completely prevent car crashes'. You shouldn't really accuse people of being mentally challenged when you obviously have no actual comprehension of what the issue detailed in this thread is.
Security tokens such as this are not useless, and it is always good practice to exercise safe browsing and PC security. However, anyone with a technical understanding of how these things work can see that there is indeed an issue here. There's no good reason that a session id shouldn't expire after logout in this sort of context of usage. I would certainly hope that SE address this issue swiftly.
"You keep using that word. I don't think it means what you think it means."
People who say things like "just don't get hacked or it's your own fault" are missing the point here. The security token is supposed to be an extra layer of security that the user can set up to prevent outside sources from accessing your account. So that even if someone were to obtain your user name and password, they would not be able to easily access your account. If a hacker can easily grab an unencrypted session ID that never expires and use that and only that to access your account indefinitely, it bypasses the token and makes it essentially worthless. Yes, users should take precautions not to get hacked, but SE should also take the necessary steps in ensuring that the security options they're giving to the users are working properly.
Interesting. I agree having a token is still good enough, but yah this must be addressed asap.
Physical tokens are not bullet proof: RSA which served many Fortune 500 companies had their tokens hacked. Millions were affected, DoD contractors, banks, businesses, etc. http://www.secureworks.com/cyber-thr...rsacompromise/ more here also: http://www.securenvoy.com/blog/2012/...logy-turnpike/ Tokens can be an extra layer of protection, but that is all they are, an extra layer, you still need to take precautions and SE still needs to patch up holes on their end. It is a 2-way street.
Well. Ppl need to stop going to porn sites. That'll save you from 90% of the viruses on the internet.