Page 1 of 2 12 LastLast
Results 1 to 20 of 29
  #1 Muppet (Private Member)

    Skrill now has 2 factor auth, anyone else had their account locked?

    I wrote a rather long post on our site about Skrill which I won't repeat here in full. The good news is they just released free 2 factor authentication for all accounts using Google Authenticator rather than the old physical token that you had to pay for if you had a business account. So go turn yours on now. And while you're there, please let me know if you find that your account was locked and required a password change because in the last week I've seen:

    - a player have 6 figures stolen from his account
    - the send money function disabled then re-enabled several days later on a business account without explanation
    - an email to merchant accounts announcing 2 factor auth and urging us to change our passwords within 24 hours
    - another email demanding that we restrict our account to access via a known IP or else we have to sign something that indemnifies Skrill against any fraud on our account, even if we use 2 factor auth (too bad for you if you don't have a static IP)
    - plus my personal Skrill account was locked without notification and password change enforced

    I don't think I am being paranoid here when I say that all the signs point to them recently suffering a major security breach that they are not telling anyone about.

  The Following 6 Users Say Thank You to Muppet For This Useful Post:

    -Shay- (11 February 2016), DaftDog (12 February 2016), pariurisportive (20 February 2016), PatrickA (21 February 2016), TheGooner (11 February 2016)

  #2 TheGooner (Private Member, New Zealand)

    Hmmm - thanks for the update - I haven't seen any action at all.
    I wonder if they're just doing this for some clients / countries initially?

    EDIT :
    Logged in (with token) and did not see any changes or any news.
    Last edited by TheGooner; 11 February 2016 at 8:01 pm. Reason: more


  #3 universal4 (Forum Administrator)

    Quote Originally Posted by Muppet View Post
    I don't think I am being paranoid here when I say that all the signs point to them recently suffering a major security breach that they are not telling anyone about.

    I realize that this is only speculation at this point (and hope for everyone's sake you are wrong) and maybe they are being pre-emptive and increasing security BEFORE something bad happens...

    The two-factor authentication is not a bad idea, and restricting by IP isn't so bad for some, but in places like the UK, which just absolutely refuse to see how smart using the same IPs can be, this will be a really difficult thing to enforce.

    And even though most US ISPs see the advantages of providing the same IP address to most of their DHCP clients, an IP can and sometimes will change for those that do not pay extra for a static IP. (As an example, I have only had 3 IP addresses here at home in the last 5 years; I just got one a few weeks ago when my ISP saw a new MAC address on the router since I upgraded the router. What a pain that was on some servers for a few days.)

    Rick
    Universal4


  #4 AndyBonus (Private Member, Thailand)

    I tried to buy something at code canyon yesterday and was told to reset my skrill password, then I was told that my account was disabled, and that I needed to contact support. All is OK now, after uploading a copy of my passport via the online contact form, and getting sent a new password. My balance is unchanged, so that's good. I will now enable the extra security on my account.


  #5 Muppet (Private Member)

    Quote Originally Posted by TheGooner View Post
    Hmmm - thanks for the update - I haven't seen any action at all.
    I wonder if they're just doing this for some clients / countries initially?


    EDIT :
    Logged in (with token) and did not see any changes or any news.

    Perhaps you weren't notified or locked because you're already using the token.


    Quote Originally Posted by AndyBonus View Post
    I tried to buy something at code canyon yesterday and was told to reset my skrill password, then I was told that my account was disabled, and that I needed to contact support. All is OK now, after uploading a copy of my passport via the online contact form, and getting sent a new password. My balance is unchanged, so that's good. I will now enable the extra security on my account.

    Interesting, sounds the same as my account.


    Something is fishy, that is for sure. Urging people to change their passwords within 24 hours should be setting off alarm bells. Everyone should change theirs just to be safe.


    The issue with the player is very concerning. We are more or less certain that their email account was not compromised yet somehow Skrill has allowed their account email address to be changed - without notification to the old address! Correspondence with the scammer prior to that appears to have been confined to the Skrill contact form which does not record IP addresses and does not verify the person's claimed email address. We're at the point where we believe that they may have social engineered their way in, or gained access through flaws in Skrill's security. The account had a longish random password which was unlikely to be guessed.


    The static IP thing is a major annoyance. We're on a cable connection, and although it rarely changes, our ISP cannot technically give us a fixed IP. Skrill help says you can put in a range of IPs, but no format that I have tried (CIDR, using dashes) so far works and they don't have specific instructions on how to actually enter the range. Even if I find a range (and I know our ISP has many discontiguous ranges), if our IP changes to one we haven't accounted for, we're screwed and can't access the account. So I am waiting on their famously slow support to get back to me with instructions.

    Re the demand to sign something to say that you absolve Skrill of all responsibility should your account get hacked - I am sure that cannot be legal. You can't sign your legal rights away in a contract and there is no way I am signing it. If it comes down to a choice between that and closing our account, it will be bye bye Skrill. I've been reducing our use of them slowly over the past 12 months as they are so hopeless and this might just be the straw that broke the camel's back.

  #6 universal4 (Forum Administrator)

    Now that is interesting Muppet....

    Well, I think it's foolish that they should suggest putting in a range... that is only OK if you trust your neighbor or the guy down the street you don't know... hmmph...

    May I suggest possibly trying a star? I know it sounds kinda silly, but as an example all-in-one-wp-security will block a range as 192.168.1.*

    There isn't another section to add the subnet mask, like the old ipsec, is there?

    This is really sad to hear. Although I have not used them for ages, since being in the US they were useless to us for years, they have been a blessing to the industry in many other countries, although their support has seemed to go downhill year over year, based upon the increase in complaints in the forums the last few years.

    Rick
    Universal4

  #7 Muppet (Private Member)

    I am actually mildly impressed by them for once. I just got a reply about the IP range question. This is the format you need to use and since it doesn't appear in Skrill help or docs I may as well put it here!

    please bear in mind that this range should be set with '/' sign. For example 11.123.345.2/11.123.643.1.

    I would never have guessed that. I did try a wildcard * earlier.

    Their support has been awful for a long time. I finally convinced them to give us an account manager in a similar time zone a while ago. I contacted her about this last week and she informed me that she no longer worked for Skrill. She advised me to use the regular Skrill support and "they will probably get back to you within 10 days." That says it all really.
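Added example, not part of any post in this thread and not Skrill's code: a small Python allowlist matcher that accepts the start/end format quoted above alongside CIDR, a dash range and the wildcard star suggested earlier, checks whether a client address is admitted, and reports how many addresses each entry lets in (the "do you trust your neighbour" number). Treating start/end as an inclusive range is an assumption about Skrill's semantics; the function names are this example's own, and the addresses are constructed from the RFC 5737 documentation ranges.

```python
"""Match a client IP against an allowlist written in mixed notations.

Added example; this is not Skrill's code and not code from the thread.
The "start/end" form (a.b.c.d/e.f.g.h) is the format the poster reports
being told to use; treating it as an inclusive range is an assumption.
Addresses below come from the RFC 5737 documentation ranges and are
constructed for this example.
"""
from __future__ import annotations

import ipaddress


def parse_entry(entry: str) -> tuple[int, int]:
    """Return the inclusive (first, last) address pair for one IPv4 entry.

    Accepted forms: a single address, CIDR (203.0.113.0/24), start/end
    (203.0.113.2/203.0.113.40), a dash range (203.0.113.2-203.0.113.40)
    and a trailing wildcard (203.0.113.* or 203.0.*).
    """
    entry = entry.strip()
    if entry.endswith(".*"):
        # Wildcard: keep the fixed octets, zero the rest, 8 prefix bits per fixed octet
        fixed = entry.split(".")[:-1]
        if not 1 <= len(fixed) <= 3:
            raise ValueError(f"bad wildcard entry: {entry!r}")
        padded = ".".join(fixed + ["0"] * (4 - len(fixed)))
        net = ipaddress.IPv4Network(f"{padded}/{8 * len(fixed)}")
        return int(net[0]), int(net[-1])
    if "-" in entry:
        lo_s, hi_s = entry.split("-", 1)
        lo, hi = ipaddress.IPv4Address(lo_s.strip()), ipaddress.IPv4Address(hi_s.strip())
    elif "/" in entry:
        left, right = entry.split("/", 1)
        if right.isdigit():
            # CIDR: strict=False tolerates host bits being set (203.0.113.7/24)
            net = ipaddress.IPv4Network(entry, strict=False)
            return int(net[0]), int(net[-1])
        # Start/end form as reported from Skrill support: both sides are full addresses
        lo, hi = ipaddress.IPv4Address(left), ipaddress.IPv4Address(right)
    else:
        lo = hi = ipaddress.IPv4Address(entry)
    if hi < lo:
        raise ValueError(f"range is reversed: {entry!r}")
    return int(lo), int(hi)


def range_size(entry: str) -> int:
    """How many addresses an entry admits; every one of them can log in."""
    lo, hi = parse_entry(entry)
    return hi - lo + 1


def allowed(client_ip: str, allowlist: list[str]) -> bool:
    """True if client_ip falls inside any allowlist entry."""
    ip = int(ipaddress.IPv4Address(client_ip))
    return any(lo <= ip <= hi for lo, hi in (parse_entry(e) for e in allowlist))


if __name__ == "__main__":
    # Constructed allowlist: the merchant's usual cable pool plus a wildcard fallback
    allowlist = ["203.0.113.2/203.0.113.40", "198.51.100.*"]
    for entry in allowlist:
        print(f"{entry:28} admits {range_size(entry)} addresses")
    for client in ("203.0.113.20", "198.51.100.7", "192.0.2.9"):
        # 192.0.2.9 stands in for the ISP handing out a lease from a pool the
        # allowlist never covered: the lockout case described in the post.
        print(client, "allowed" if allowed(client, allowlist) else "LOCKED OUT")
```

The two numbers worth looking at before committing to an IP restriction are the `range_size` of whatever you enter (a `203.0.*` wildcard admits 65,536 addresses, most of them other people's) and whether every pool your ISP can move you to is covered; a lease from an uncovered pool is exactly the lockout the post worries about.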

  #8 zuutroy (Private Member)

    Just turned this on. Nice extra bit of peace of mind.

  #9 wonderpunter (Private Member)

    Quote Originally Posted by universal4 View Post
    I realize that this is only speculation at this point (and hope for everyone's sake you are wrong) and maybe they are being pre-emptive and increasing security BEFORE something bad happens...

    The two-factor authentication is not a bad idea, and restricting by ip isn't so bad for some but places like the UK which just absolutely refuse to see how smart using the same ip's can be, this will be a really difficult thing to enforce.

    And even though most US ISP's see the advantages of providing the same ip address to most of their DHCP clients, an IP can and sometimes will change for those that do not pay extra for a static ip. (as an example I have only had 3 ip addresses here at home in the last 5 years, just got one a few weeks ago when my isp saw a new mac address on the router since I upgraded the router - what a pain that was on some servers for a few days)

    Rick
    Universal4

    My IP address changes nearly every day; some people use static, some use dynamic. Most 4G connections are dynamic. I use the two-factor authentication, which gives me a 10 second window before the code refreshes. It won't be long before mobile phone fingerprint tech makes it onto all devices, perhaps even bypassing captcha, which is everywhere now.

  #10 baldidiot (Private Member)

    Slight tangent, but seemed an appropriate place to ask this - if you're using two factor with an app (such as google authenticator) and you lose your phone (or it breaks etc...), what happens then?

    Can you reload the app somehow on another device?
    onlinegamblingwebsites.com - Formerly known as goodbonusguide.

  #11 wonderpunter (Private Member)

    Quote Originally Posted by baldidiot View Post
    Slight tangent, but seemed an appropriate place to ask this - if you're using two factor with an app (such as google authenticator) and you lose your phone (or it breaks etc...), what happens then?

    Can you reload the app somehow on another device?

    You need to make sure a code is written down. If you don't have that then I'm not sure; it will probably be a case of proving ID, address etc.

  #12 baldidiot (Private Member)

    Quote Originally Posted by wonderpunter View Post
    You need to make sure a code is written down. If you don't have that then I'm not sure; it will probably be a case of proving ID, address etc.

    We use authenticator for two factor on a couple of accounts, but it uses timed codes - as far as I'm aware you can't write them down as they expire after 30 seconds.

    Can you install the same app on multiple devices as a safe guard?

    Doesn't help that there's zero information on the app. Not even a help screen.
    onlinegamblingwebsites.com - Formerly known as goodbonusguide.

  #13 JackTenSuited (Private Member)

    Quote Originally Posted by baldidiot View Post
    Slight tangent, but seemed an appropriate place to ask this - if you're using two factor with an app (such as google authenticator) and you lose your phone (or it breaks etc...), what happens then?

    Can you reload the app somehow on another device?

    I had this happen when my phone was stolen. I was able to get 2 factor turned off by emailing them a copy of my passport and utility bill.
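Added example, not from any poster and not Skrill's or Google Authenticator's code, to show what the lost-phone question above comes down to: the app generates time-based codes (RFC 6238 TOTP) from a fixed Base32 seed, so the seed is what can be backed up or enrolled on a second device, while the displayed 6-digit codes change every 30 seconds and are not worth writing down. The `Device` class, the helper names and the skew window are this example's own constructs; the seed is the RFC 6238 test secret, not anyone's real key.

```python
"""TOTP (RFC 6238) codes from one seed enrolled on two devices.

Added example: this is not Skrill's code nor Google Authenticator's, just
the standard algorithm both implement. The Device class and the helper
functions are this example's own constructs. The seed is the RFC 6238
test secret, not anyone's real key.
"""
import base64
import hashlib
import hmac
import struct

STEP = 30      # seconds per code: the "expires after 30 seconds" from the thread
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the counter, dynamic truncation, decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits)


def seconds_remaining(at: int, step: int = STEP) -> int:
    """How long the code shown at time `at` stays the current one."""
    return step - at % step


def verify(secret: bytes, code: str, at: int, step: int = STEP, window: int = 1) -> bool:
    """Server side: accept the current step and +/- `window` steps for clock skew.

    compare_digest keeps each comparison constant-time, and every candidate
    step is checked so the loop does not leak which one matched.
    """
    ok = False
    for k in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, at + k * step, step), code):
            ok = True
    return ok


class Device:
    """One authenticator app instance. Enrolment = storing the Base32 seed."""

    def __init__(self, name: str, base32_seed: str):
        self.name = name
        self.secret = base64.b32decode(base32_seed, casefold=True)

    def code(self, at: int) -> str:
        return totp(self.secret, at)


# RFC 6238 test secret, ASCII "12345678901234567890"; the QR code an app
# scans at enrolment carries this same value Base32-encoded.
SEED = b"12345678901234567890"
SEED_B32 = base64.b32encode(SEED).decode()


def enrol_two_devices(at: int) -> tuple:
    """Same seed on a phone and a tablet gives identical codes at the same time."""
    phone, tablet = Device("phone", SEED_B32), Device("tablet", SEED_B32)
    return phone.code(at), tablet.code(at)


if __name__ == "__main__":
    t = 59
    print("back this up, not the 6-digit codes:", SEED_B32)
    print("phone, tablet at t=59:", enrol_two_devices(t), "valid for", seconds_remaining(t), "s")
    print("server accepts 287082 at t=60 (one step late):", verify(SEED, "287082", 60))
    print("server accepts 287082 at t=120 (two steps late):", verify(SEED, "287082", 120))
```

Two practical consequences follow from the code. If the seed was stored when the account was set up (the Base32 string, or the QR code it came from), a replacement phone enrolled with it produces the same codes as the lost one, with no need to contact support. If it was not, nothing on the old device can be reconstructed from the codes it displayed, and the only route back is the identity-check reset described in the reply above. Keep the seed as carefully as a password: anyone holding it holds the second factor.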

  #14 universal4 (Forum Administrator)

    Thanks for that Wonderpunter,

    I don't want to derail the thread, but based upon these situations with banks and other financial institutions that watch IPs closely, there really is no excuse for the ISPs NOT to use automatic renewable reservations in the DHCP servers so that clients get the same IP address all the time.

    Banking (as well as watching for bad actors) is one of the main reasons they should do this....and this would be almost completely automated.

    Rick
    Universal4

  #15 FruityJelena (Former AM, Belgrade, Serbia)

    Quote Originally Posted by Muppet View Post
    my personal Skrill account was locked without notification and password change enforced

    Happened to me as well, but everything was fixed fast and smooth, after changing password and proving I'm not a robot via captcha.

    Btw. Is there a way to see more details about your transactions? Sometimes the ones I make are processed a few days later, so I forget, and then everything is so messy and I don't know what I spent this or that amount of money on (applies to POS transactions)?

  #16 TheGooner (Private Member, New Zealand)

    Quote Originally Posted by universal4 View Post
    I don't want to derail the thread, but based upon these situations with banks and other financial institutions that watch IPs closely, there really is no excuse for the ISPs NOT to use automatic renewable reservations in the DHCP servers so that clients get the same IP address all the time.

    Of course there is... system design, usually around allocation capacity.

    Outside the US many organisations have chosen not to size their systems for a 1-to-1 relationship between IP address and user; that's a very inefficient idea when it comes to building net systems and applications, and the association of a specific address with a virtual identity is somewhat nonsensical.

    An IP address at an ISP server is not an identification medium in most of the world.

    It's a bit like saying I saw you wearing a blue jacket last time, and I'll refuse to acknowledge you unless you are wearing a blue jacket ever again. The blue jacket has nothing to do with your business with me; you wore it because it was raining, so it's silly for me to require to see it again before I will do business with you.

    So it is with IP addresses. I use at least two providers every day - mobile and broadband - and on a semi-regular basis I will use others in hotels, airports, business conferences etc. I don't expect them to be stored and recorded for my unique use. And I don't expect a fuss when I check into a new hotel either.

    Similarly I don't expect applications to expect that I'm using the same machine each time - we have 2 PC's in the house, 2 tablets as well, a travelling laptop, and of course a phone each - that might change / be upgraded at any time.

    As long as I have logins and passwords that are correct (and any secondary security that might be added) I expect to do virtual business with my bank accounts anywhere / anyhow ... to put in illogical and artificial restrictions is silly.

  #17 Moonlight Cat (Private Member)

    I now use 2F.

  #18 universal4 (Forum Administrator)

    Most of the ISPs I have spoken to have more than enough IPs to make the reservations.

    It is pretty rare for ISPs (even in other countries) not to have 70-90% of their customers "online" 24/7. The cable modems/routers need the IP as soon as they are booted up, so the IPs have to be immediately allocated, so it stands to reason only a small portion of IPs would have to be allocated dynamically to the point where those individual pieces of equipment need to have a different IP, let alone a different subnet, every day.

    This is a lot more problematic with phone providers though.

    I do agree that you shouldn't be expected to use the same machine each time you log on, but many banks will require you to re-authorize a machine each time you log on using a different one (at least a number of the banks I use do), and if you came from the same IP each time, the re-authentication would still take place I assume, but it would be one less warning flag.

    I totally agree; I think Skrill has shown that they may end up being too restrictive in the end, and adding captcha, or a dynamic code that could be emailed or texted to the email or phone number on record, should be sufficient.

    Rick
    Universal4


  #19 TheGooner (Private Member, New Zealand)

    Some good thoughts there Rick - and it is interesting to hear the differences between different regions.

    I'm still uncomfortable about financial systems using a piece of outside information (IP address) as a method of security or verification. The ISPs don't know that's the case and certainly don't treat the relationship as such. Typically, treating a 3rd party physical layer (ISP IP address or hardware serial number) as a method of validation is a no-no.

    It's much better for financial institutions to create specific secure systems and authorisation processes, be it 2-part authentication, additional keyword challenges, or a specific relationship hardware dongle or keypass; that is a much more robust solution.

  #20 Muppet (Private Member)

    So the thread on our site has revealed several people having had their accounts locked and 2 more who have had funds stolen within the past 2 weeks using very similar modus operandi.

    I have no doubt now that Skrill has had a major breach but they are not disclosing it.
