HELP! I GOT HACKED! GAMEMASTER HELP?

[AduroT]

Where i work, we have regular announcements warning customers about fake tax calls wanting to be paid via itunes and other gift cards.

We even have signs around the place warning people about it. It baffles me how people can fall for it so hard that we actually need to do public announcements and ram the warnings down their throats.

Here’s the thing. All those phishing attempts that you hear about and wonder how could anyone falls for that? They keep doing them because people keep falling for them. Like, I feel bad for the person who lost their stuff, but That Exact Tell and others like it has been posted about on This Very Forum multiple times for the past month or more. People will still continue to click random links that people send them. Enter my password? Sure, why not.

[Rasikko]

SE always uses tiny URL versions of links, never the full really long ones.

[MsMisato]

To be honest, get 2-factor authentication. They can't log into your account unless they have your token. worst case is your account gets locked due to many attempts and you have to follow the instructions SE sends you.

[Cinno]

To be honest, get 2-factor authentication. They can't log into your account unless they have your token. worst case is your account gets locked due to many attempts and you have to follow the instructions SE sends you.

Apparently on the phishing site's login page it has you put in your token. They then instantly use that token to log into your account in game, before the token changes. So I dont know if it will help in this situation..

[AduroT]

To be honest, get 2-factor authentication. They can't log into your account unless they have your token. worst case is your account gets locked due to many attempts and you have to follow the instructions SE sends you.

It would not have helped in this case. If you enter that two factor code from the token into the phisher’s website, they now have the code, and can use it to get your account.

[Klaleara]

Apparently on the phishing site's login page it has you put in your token. They then instantly use that token to log into your account in game, before the token changes. So I dont know if it will help in this situation..

Which is why push codes are far superior imo. At least for the majority of users.

[MsMisato]

Apparently on the phishing site's login page it has you put in your token. They then instantly use that token to log into your account in game, before the token changes. So I dont know if it will help in this situation..

...

I see...

I wouldn't know what the site looked like or what details it asked for, didn't realize they went straight for a redirected login page. This much I do know. You are able to browse both Lodestone and the Forums without logging in. Granted the forums are a mess to navigate and you can't post or reply without logging in. Anything that immediately requests a login for Lodestone and the Forums link wise, I would back away. If anything manually navigate to the forum and not copy paste links. I hope gets a roll back if possible.

Still if you don't have 2 factor still get it. It definitely secures the actual square enix account management section. You can't change your password or remove your token without. You can't change your email unless the person knows your secret question so they cant simply emergency remove it.

I hope OP that they get some things back from SE when they reach out.

Which is why push codes are far superior imo. At least for the majority of users.

I wish we had push code authentication here as well. at work we can use either the token which is on a 20-second timer or push authentication. SE actually needs to shorten their timer on the authentication token.

[Johaandr]

this is actually scary. makes me want to become a villain and hunt down those hackers and punch them so hard.

[KageTokage]

I honestly wonder if the one behind this scam is doing it strictly to be malicious and has no real interest in the belongings of the compromised accounts because in theory, there shouldn't be any way they could be stealing the gil/items without making it painfully obvious as to what the primary "bank" account they're funneling all of the resources to is.

The fact that they personally contacted the owner of a stolen account to taunt/antagonize them is particularly unusual.

[Klaleara]

I wish we had push code authentication here as well. at work we can use either the token which is on a 20-second timer or push authentication. SE actually needs to shorten their timer on the authentication token.

Unsure if shortening the timer would help. The only way this would work is if it was automatic. So basically the moment you put in your credentials, a program is throwing it into SE's site. I'd say within less than a couple seconds.

And don't forget that the person has to type in the code, so you can't shorten it too much. Far too many people type slowly to change it much.