Yeah, I suppose this is true. Neither have I but it doesn't mean it never happens. Nothing is foolproof.
The authenticators, whether software or physical, are an additional layer of protection that help reduce the risk. I don't have a mobile phone so I had to get the physical token. Do I regret paying the $15 for it (which included the shipping/handling fees)? Not one bit. Do I think my account is 100% secure because I have one? Of course not. I still need to use common sense in my online interactions. Even normally careful people can make mistakes sometimes.
One thing I'll note is that a password manager is really useful here, and not for the reason you'd expect. If you get what looks like it's supposed to be a login page, and you hit 'auto-fill' on your password manager and it does not fill out, then that's a big warning sign that you might not be on the site you think you are. Because the password manager doesn't care what the site looks like, it looks at the URL and sees it isn't where it thinks it's supposed to be. That's half of the reason I have my parents using password managers now. (The other half being "please stop using the same 4 passwords everywhere, dad, or writing down every password in a notebook, mom; your approach to security is going to give me an aneurysm".)
I mean, even savvy sorts can have an off day and fall for it, especially if tired. One of my friends fell for this, even though they normally would not; they'd had a long day, they were exhausted, they logged on to check stuff and got a tell, and copy/pasted it to look at it without really thinking or fully engaging brain the way they normally would. (And lost a looooot of gil as a result.) Using a password manager's autofill would've probably provided the "Wait, why didn't that work?" moment that would've shaken them back to full awareness rather than exhausted-brain autopilot.
The 2FA token is great, but it isn't enough. Plus the Square-Enix 2FA token also has a very long timer on it; if you provide that 2FA code on a phishing site (as you are baited into doing on this one), there is more than enough time for someone to log in as you. I mean, even the standard TOTP or HOTP implementations that Google Authenticator, Authy, 1Password, etc. have are flawed that way; they just have shorter (30 second) timers. But with bots that could log in with the provided credentials, even the 30 second window would probably be long enough.
Though, I mean, the best (and final) defense against such things is "just be careful whenever you have a login page which you didn't type the address for yourself".
I aim to make my posts engaging and entertaining, even when you might not agree with me. And failing that, I'll just be very, VERY wordy.
Originally Posted by Packetdancer
The healer main's struggle for pants is both real, and unending. Be strong, sister. #GiveUsMorePants2k20 #HealersNotRevealers #RandomOtherSleepDeprivedHashtagsHere
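The autofill behaviour described in the post above, sketched as an added example (it is not part of any poster's message and not any password manager's actual code): a saved login is offered only when the page's scheme, host and port exactly match the saved origin, however the page looks. All hostnames are constructed placeholders on reserved `.example` and `.test` domains, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}

# Constructed sample data: the origin the credential was saved for.
SAVED_LOGIN_URL = "https://login.game.example/account/login"


def origin(url):
    """Return (scheme, host, port) for a URL, or None if it is unusable."""
    try:
        parts = urlsplit(url.strip())
        scheme = parts.scheme.lower()
        if scheme not in DEFAULT_PORTS or not parts.hostname:
            return None
        # .hostname drops any "user@" prefix, so the text before "@" in
        # https://login.game.example@evil.test/ is never treated as the host.
        host = parts.hostname.rstrip(".").lower()
        # Normalise to ASCII (punycode) so a look-alike Unicode letter
        # produces a different host string than the saved one.
        host = host.encode("idna").decode("ascii")
        port = parts.port or DEFAULT_PORTS[scheme]
    except (ValueError, UnicodeError):
        return None
    return scheme, host, port


def should_autofill(saved_url, page_url):
    """Offer the saved credential only on an exact HTTPS origin match."""
    saved, page = origin(saved_url), origin(page_url)
    if saved is None or page is None:
        return False
    if page[0] != "https":
        return False
    return saved == page


if __name__ == "__main__":
    # Constructed pages a user might land on after following a link.
    pages = [
        "https://LOGIN.game.example:443/account/login?next=/home",
        "https://login.game-example.test/account/login",
        "https://login.game.example.evil.test/account/login",
        "https://login.game.example@evil.test/account/login",
        "http://login.game.example/account/login",
        "https://login.g\u0430me.example/account/login",  # Cyrillic "a"
    ]
    for page in pages:
        verdict = "fill" if should_autofill(SAVED_LOGIN_URL, page) else "REFUSE"
        print(f"{verdict:6} {page!a}")
```

Only the first page is filled; each refusal is the "why didn't that work?" signal the post describes.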
The rest of your post is excellent and I agree with it; I just wanna touch on this bit.
It's very likely automated. There isn't someone sitting around waiting for an alert to pop up telling him someone fell for the phishing site. It's much more likely that once someone enters that information it's nearly instantly populated into a game client and logged in without human intervention.
It's only at that point a human operator would probably make more sense to take over, but even then I wouldn't put it past them to bot the gil removal, FC gil check, and future tell spam.
http://king.canadane.com
Oh, I agree; it absolutely is. I suspect the entire process is automated given how quickly it happens, and how it seems to work identically for everyone who’s reported it. There wouldn’t even need to be any human involvement beyond the victim entering their information. I meant “someone” in the abstract sense, as even if the login is done entirely automated there’s still someone behind the scenes running those bots.
Contact a GM in-game, I don't think "general discussion" will help.
Larek Darkholme @ Ragnarok
Last edited by Yue_Amariyo; 07-08-2020 at 05:05 AM.
Hello, nice to meet you!
FF14 player as of: 6/3/2020.
Platform: Ps4