Posted September 18, 2016
Cavalary
RIP GoodOldGOG:DRMfree,one price,goodies,community
Registered: May 2011
From Romania
timppu
Don't worry, be sorry.
Registered: Jun 2011
From Finland
Posted September 18, 2016
herbertfilby: I logged in to my browser and needed a pin, and then logged into Galaxy and it asked for a pin too, same IP.
Yeah, that's because your Galaxy client doesn't use the cookies that your browser does. Same happens if you log in from the same PC with two different browsers.
Treasure: I'm not certain however what you mean that they wouldn't be able to lock me out of my account - if they somehow guessed the password and then changed it they could - and the problem with that would mainly be that I haven't got everything downloaded and backed up (around 25% of my games are of bigger size and thus not downloaded yet), so I'd be locked out of those purchases at the very least...
I was talking about if GOG had two-step verification separately for changing email and/or password, which is the common way on all other web sites I know. Then they couldn't change your email nor your password, even if they were logged in as you on e.g. that university lab PC where you forgot to log out. They would still need to get another verification code from your email before they got changed. Currently GOG doesn't require any verification for changing email or the password, which is silly.
Post edited September 18, 2016 by timppu
Maighstir
THIS KNIGHT MISLIKES THESE HEIGHTS
Registered: Nov 2008
From Sweden
Posted September 18, 2016
Yup. A function to "log out all sessions" should do just that, regardless of which client the session belongs to, otherwise the function is entirely useless.
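A concrete illustration of the point Maighstir makes, added here as an example and not code from the thread or from GOG: a server-side session store in which each session carries a client label, with a "log out all sessions" function that revokes every session of the account, next to the browser-only variant the thread complains about. The client labels, token format and in-memory storage are constructed assumptions for the example.

```python
"""Added example (not GOG's implementation): sessions are opaque random
tokens held server-side; each one records the account, the client kind
("browser" or "galaxy", hypothetical labels) and when it was issued.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


@dataclass
class Session:
    account: str
    client: str          # "browser" or "galaxy" (constructed labels)
    issued_at: float
    revoked: bool = False


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def login(self, account: str, client: str) -> str:
        """Create a session and return the opaque token the client presents later."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(account, client, time.time())
        return token

    def is_valid(self, token: str) -> bool:
        s = self._sessions.get(token)
        return s is not None and not s.revoked

    def logout_browsers_only(self, account: str) -> int:
        """The behaviour the thread describes: only browser sessions are revoked,
        so a Galaxy session on a shared PC stays logged in."""
        return self._revoke(account, lambda s: s.client == "browser")

    def logout_all_sessions(self, account: str) -> int:
        """Correct behaviour: every session of the account is revoked,
        whatever client created it."""
        return self._revoke(account, lambda s: True)

    def _revoke(self, account: str, predicate: Callable[[Session], bool]) -> int:
        n = 0
        for s in self._sessions.values():
            if s.account == account and not s.revoked and predicate(s):
                s.revoked = True
                n += 1
        return n


def demo() -> Dict[str, Tuple[bool, ...]]:
    """Log one account in from a browser and from Galaxy, then compare the two
    logout variants. Another account's session must be untouched either way."""
    store = SessionStore()
    web = store.login("alice", "browser")
    gal = store.login("alice", "galaxy")
    other = store.login("bob", "browser")
    store.logout_browsers_only("alice")
    partial = (store.is_valid(web), store.is_valid(gal))   # Galaxy session survives
    store.logout_all_sessions("alice")
    full = (store.is_valid(web), store.is_valid(gal), store.is_valid(other))
    return {"partial": partial, "full": full}


if __name__ == "__main__":
    print(demo())
```

The useful property is that revocation is keyed on the account, not on a cookie jar: whichever client holds a token, the next request with it fails validation once the account's sessions are revoked.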
Matruchus
Don't ignore Tux
Registered: Jun 2011
From Slovenia
Posted September 18, 2016
That option is only made for browsers. Definitely not for Galaxy. You have to log out manually out of Galaxy.
Post edited September 18, 2016 by Matruchus
HypersomniacLive
The Reluctant Voter
Registered: Sep 2011
From Vatican City
Posted September 18, 2016
timppu: I don't think it depends at least primarily on your IP address? I thought it was about cookies. If you let those different browsers on different PCs keep the cookies, then I think it should let you log in without the extra authentication. [...]
Keeping your (GOG) cookies is not enough, at least not on Firefox. Using the same browser, the same PC, the same IP, and keeping my (GOG) cookies, it still asks for a 4-digit authentication code at every log in. I wonder what those two Galaxy related cookies I can see in my browser are about.
Goodaltgamer
New User
Registered: Oct 2014
From Germany
Posted September 18, 2016
I was actually wondering:
It looks like GOG is storing our IP address. (not bothered with it)
Why is the 2 step system not working different?
You create an account, tie it to an email and IP-address.
Like Treasure mentioned, people use different PCs for this. BUT why not make sure, via verification through the first one, that this is a legit attempt? More or less what you shall do on your WAN network as well?
So you log onto a new device, the original will get an email asking for verification and if not answered, the device will NOT be authorised?
This way, nobody would be able to hack anything.
For comparison, if you do on your home network MAC as well, it makes it rather hard for anyone to get onto the network.....even without password ;)
Treasure
Cartoony Corsair
Registered: May 2013
From Cyprus
Posted September 18, 2016
timppu: I was talking about if GOG had two-step verification separately for changing email and/or password, which is the common way on all other web sites I know. Then they couldn't change your email nor your password, even if they were logged in as you on e.g. that university lab PC where you forgot to log out. They would still need to get another verification code from your email before they got changed.
Currently GOG doesn't require any verification for changing email or the password, which is silly.
Ah ok. Yes, they should probably implement something like that, as I'm not the kind of person that regularly changes emails or passwords, so if I saw such an email I'd be certain that somebody else tried to do so. I also already clarified that I personally always log out of stuff - I'm not even logged in to my Google profile on Chrome, as I don't see the need for that - but since you were talking about a hypothetical situation where I could hypothetically forget to log out both of GOG and of the computer session, well, in such a case of absentmindedness, an implementation of such a policy would certainly be helpful.
HypersomniacLive: Keeping your (GOG) cookies is not enough, at least not on Firefox. Using the same browser, the same PC, the same IP, and keeping my (GOG) cookies, it still asks for a 4-digit authentication code at every log in.
That's useful to know. GOG always seemed to be implemented better for Chrome rather than Firefox, but I still wouldn't want the possibility to be asked for the 4-digit code every time, even if nothing had changed in regard to IP and cookies...
Goodaltgamer: Like Treasure mentioned, people use different PCs for this. BUT why not make sure, via verification through the first one, that this is a legit attempt? More or less what you shall do on your WAN network as well?
So you log onto a new device, the original will get an email asking for verification and if not answered, the device will NOT be authorised?
This way, nobody would be able to hack anything.
For comparison, if you do on your home network MAC as well, it makes it rather hard for anyone to get onto the network.....even without password ;)
Do you mean that GOG should detect if the new device is connected to the same wireless network (WLAN) and if yes, not make a fuss about it? Well, that would work on computers used in the same space (e.g. a house) - I thus wonder what would happen if someone took a device with a given IP, already tested on his home's WLAN, somewhere else (e.g. a coffee shop) - would GOG detect a different wifi network and ask for 2-step authentication again?
And when you say "the original will get an email", you mean the original device? If yes, firstly webmail services (such as Gmail and Outlook.com) are independent of devices and they generally do not throw a fuss if someone logs in from a different device, and secondly one would need to bring several devices with him when he goes out - e.g. if he went to the computer lab of his university, he would also need his laptop - a desktop would certainly be impossible to carry, so it's obvious that if the original device was a desktop there would be a serious problem - which would totally be at the very least an inconvenience. I'm pretty certain there's a lost-in-translation issue here though...
Post edited September 18, 2016 by Treasure
Goodaltgamer
New User
Registered: Oct 2014
From Germany
Posted September 18, 2016
Treasure: Do you mean that GOG should detect if the new device is connected to the same wireless network (WLAN) and if yes, not make a fuss about it? Well, that would work on computers used in the same space (e.g. a house) - I thus wonder what would happen if someone took a device with a given IP, already tested on his home's WLAN, somewhere else (e.g. a coffee shop) - would GOG detect a different wifi network and ask for 2-step authentication again?
And when you say "the original will get an email", you mean the original device? If yes, firstly webmail services (such as Gmail and Outlook.com) are independent of devices and they generally do not throw a fuss if someone logs in from a different device, and secondly one would need to bring several devices with him when he goes out - e.g. if he went to the computer lab of his university, he would also need his laptop - a desktop would certainly be impossible to carry, so it's obvious that if the original device was a desktop there would be a serious problem - which would totally be at the very least an inconvenience. I'm pretty certain there's a lost-in-translation issue here though...
No, I meant if GOG would be using the same principle ;)
And different devices? If you have access to the original email on the new device?
OK, I try to rephrase:
You use PCA and Email A (EMA, the abbreviation I wanted to use before, I didn't like ;) )
You move to PCB and, still having access to EMA, you try to log in on PCB; GOG would send EMA an email, yes or no. If EMA says yes, PCB would be added to the list and so on.
If you had no access (within a certain time frame), the request would be discarded. Similar to the MAC address on LAN/WLAN. You always need a trusted source to confirm, hence my analogy ;)
And getting both EMA AND/OR PCA hacked at the same time is not so likely for normal hacking......
Not a translation issue ;) just assuming too much ;)
EDIT: ok, if somebody hacked EMA, he would have a free go, but that is also the case at the moment, or?
Post edited September 18, 2016 by Goodaltgamer
Treasure
Cartoony Corsair
Registered: May 2013
From Cyprus
Posted September 18, 2016
Goodaltgamer: No, I meant if GOG would be using the same principle ;)
And different devices? If you have access to the original email on the new device?
OK, I try to rephrase:
You use PCA and Email A (EMA, the abbreviation I wanted to use before, I didn't like ;) )
You move to PCB and, still having access to EMA, you try to log in on PCB; GOG would send EMA an email, yes or no. If EMA says yes, PCB would be added to the list and so on.
If you had no access (within a certain time frame), the request would be discarded. Similar to the MAC address on LAN/WLAN. You always need a trusted source to confirm, hence my analogy ;)
And getting both EMA AND/OR PCA hacked at the same time is not so likely for normal hacking......
Not a translation issue ;) just assuming too much ;)
EDIT: ok, if somebody hacked EMA, he would have a free go, but that is also the case at the moment, or?
Well, if I understood correctly, what you say is (probably) what is already happening with 2-step. I only have experience with Humble Bundle's method, so I'll use that as an example - let's say I log in to Humble from a different device. Upon my login Humble says something like "We detected you logged in from a different device. Paste the 5-digit code we'll send to your email here - below is a space to fill in and confirm so that we know everything's fine" (well, they don't say this, but that's the gist of it). I then go to the login screen of my email provider, type in my email/username and password, log in and see their email in my inbox. I copy said code and paste it and then click confirm, and only after all that I'll be able to access my Humble Bundle account. GOG probably uses something similar, but anyways, this is quite a long-winded method, and I end up getting annoyed every time Humble does this (in order to not get too annoyed I see where they think I am geographically in their email and I'm usually like "Hah! They thought I'm in the wrong city!" and feel all smart and stuff). In short, your thinking is already being applied, at least by some services, but it ends up being annoying for people that semi-regularly log in from other devices...
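The flow Goodaltgamer sketches (PCA/PCB, a yes/no sent to EMA, the request discarded after a time frame) and the Humble Bundle flow Treasure describes (a 5-digit code e-mailed on login from an unknown device) are the same mechanism. Below is an added example of it, written for this thread and not code from GOG, Humble Bundle or anyone in the discussion. Everything about it is a constructed assumption: the device is identified by an opaque device cookie the client keeps, the code is 5 digits, single use, valid for ten minutes and for at most five guesses, and "sending" the e-mail is simulated by appending to an outbox list. The example also shows the two failure modes a practitioner cares about: a wrong code does not trust the device, and a code presented after the window has closed is refused.

```python
"""Added example (not GOG's or Humble Bundle's code): new-device login
challenge with an e-mailed one-time code, trusted-device list and expiry.
All parameters and the fake mail outbox are constructed for the example.
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple

CODE_TTL = 600          # seconds an e-mailed code stays valid (assumed)
MAX_CODE_ATTEMPTS = 5   # guesses allowed before the challenge is voided (assumed)


@dataclass
class Challenge:
    code: str
    device_id: str
    expires_at: float
    attempts: int = 0


@dataclass
class Account:
    email: str
    trusted_devices: Set[str] = field(default_factory=set)
    pending: Dict[str, Challenge] = field(default_factory=dict)  # challenge id -> Challenge


class DeviceVerifier:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock
        self.outbox = []   # constructed stand-in for the mail server: (recipient, code)

    def login(self, acct: Account, device_id: str) -> Tuple[str, Optional[str]]:
        """Called after the password has already been checked. A trusted device
        gets straight in; an unknown one receives a challenge and an e-mail."""
        if device_id in acct.trusted_devices:
            return "ok", None
        code = f"{secrets.randbelow(100_000):05d}"          # 5 digits, zero-padded
        cid = secrets.token_urlsafe(16)
        acct.pending[cid] = Challenge(code, device_id, self.clock() + CODE_TTL)
        self.outbox.append((acct.email, code))
        return "challenge", cid

    def verify(self, acct: Account, cid: str, submitted: str) -> bool:
        """Check a submitted code. Success consumes the challenge and trusts the
        device; expiry or too many guesses void the challenge (the 'discarded
        request' in the thread)."""
        ch = acct.pending.get(cid)
        if ch is None:
            return False
        if self.clock() > ch.expires_at:
            del acct.pending[cid]
            return False
        ch.attempts += 1
        if ch.attempts > MAX_CODE_ATTEMPTS:
            del acct.pending[cid]
            return False
        if not hmac.compare_digest(ch.code, submitted):   # constant-time compare
            return False
        del acct.pending[cid]
        acct.trusted_devices.add(ch.device_id)
        return True


def demo() -> dict:
    """Walk PC A through a wrong then a right code, then let PC B's code expire."""
    now = [1_000_000.0]                       # controllable clock for the example
    v = DeviceVerifier(clock=lambda: now[0])
    acct = Account(email="user@example.invalid")
    results = {}
    status, cid = v.login(acct, "pc-a")
    results["first_login"] = status                           # "challenge"
    code = v.outbox[-1][1]
    wrong = "00000" if code != "00000" else "00001"
    results["wrong_code"] = v.verify(acct, cid, wrong)        # False
    results["right_code"] = v.verify(acct, cid, code)         # True, pc-a now trusted
    results["second_login"] = v.login(acct, "pc-a")[0]        # "ok", no e-mail sent
    status, cid = v.login(acct, "pc-b")
    now[0] += CODE_TTL + 1                                    # let the window close
    results["expired"] = v.verify(acct, cid, v.outbox[-1][1])  # False
    results["pc_b_trusted"] = "pc-b" in acct.trusted_devices   # False
    results["emails_sent"] = len(v.outbox)                     # 2
    return results


if __name__ == "__main__":
    print(demo())
```

Goodaltgamer's EDIT applies unchanged to this code: the mailbox is the trust anchor, so whoever controls the e-mail account can approve any device. That is why the e-mail account itself needs stronger protection than the accounts that depend on it.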
Goodaltgamer
New User
Registered: Oct 2014
From Germany
Posted September 18, 2016
Treasure: Well, if I understood correctly, what you say is (probably) what is already happening with 2-step. I only have experience with Humble Bundle's method, so I'll use that as an example - let's say I log in to Humble from a different device. Upon my login Humble says something like "We detected you logged in from a different device. Paste the 5-digit code we'll send to your email here - below is a space to fill in and confirm so that we know everything's fine" (well, they don't say this, but that's the gist of it). I then go to the login screen of my email provider, type in my email/username and password, log in and see their email in my inbox. I copy said code and paste it and then click confirm, and only after all that I'll be able to access my Humble Bundle account. GOG probably uses something similar, but anyways, this is quite a long-winded method, and I end up getting annoyed every time Humble does this (in order to not get too annoyed I see where they think I am geographically in their email and I'm usually like "Hah! They thought I'm in the wrong city!" and feel all smart and stuff). In short, your thinking is already being applied, at least by some services, but it ends up being annoying for people that semi-regularly log in from other devices...
I only use this one device, so no idea ;) But yes, that is my idea; again, as I said, I never logged in from another device, so no idea if this is happening.
You said: annoying for people. There could be an option to disable it, but if you decide you want to use it, you shall not be annoyed ;) Hey, you have locks on your doors, or? ;)
But with this method your GOG account shall be safe.
So could somebody confirm if this described method is being used by GOG?
It is, as usual, a question of balance. Security against 'annoyance (?)'. Couldn't think of a better word, laziness is too harsh ;). If you are for security, that's what you have to live with. The underlying problem is, from a user perspective, too many different layers and passwords involved.
First password to get onto the device, maybe even with username
second to get into the Internet (maybe)
third to access GOG
4th to access email
5th humble or whatever.....
And the list goes on and on.....
In real world, you just have ONE key to get into your house/flat/whatever. Imagine having to use 5 keys for your home ;) The worst I ever had was three, front door and 2 for the door of the flat.
timppu
Don't worry, be sorry.
Registered: Jun 2011
From Finland
Posted September 18, 2016
Odd, maybe I need to test it too. At least in Internet Explorer 11 it was enough that I didn't tell it to delete "cookies and website data". All others are checked (history, temporary internet files and website files etc.) and deleted when closing the browser, and the 2-step authentication is not triggered when I want to log into GOG again.
Lin545
May. 24, 2022
Registered: Jun 2011
From Russian Federation
Posted September 18, 2016
GOG should really take this seriously and issue statements to Russian Internal Affairs on every such case via its Russian staff. Because these f**ckers can be legally dealt with, if you have logs and solid proof.
Post edited September 18, 2016 by Lin545
whelm
New User
Registered: Apr 2012
From Canada
Posted September 18, 2016
Checked my email today: within the span of 5 hours, 6 different attempts from various places in Russia have tried to log into my account.
Changed my password as well.
tremere110
Hmmm...
Registered: Mar 2011
From United States
Posted September 18, 2016
My guess is these hackers are brute forcing passwords using GoG downloader. It doesn't require two factor authentication and doesn't utilize captcha regardless of how many times you enter a password. I also suspect GoG's solution to this is to remove the downloader completely as soon as Galaxy comes out of beta.
Lin545
May. 24, 2022
Registered: Jun 2011
From Russian Federation
Posted September 18, 2016
tremere110: My guess is these hackers are brute forcing passwords using GoG downloader. It doesn't require two factor authentication and doesn't utilize captcha regardless of how many times you enter a password. I also suspect GoG's solution to this is to remove the downloader completely as soon as Galaxy comes out of beta.
Does this mean gogrepo.py will also be affected? I hope not, because without that updating manually will be Sisyphean work. :(( But if what you think is true, they can add a grace period between each download attempt, can't they? Like 5-10 seconds should suffice. I think this is somehow connected to GOG wallet, because most of the victims are from the USA. The account is useless, GOG easily restores the original owner, so the scumbags are not actually after the account, methinks.
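Two defender-side controls that follow from the last three posts, added here as an example and not code from GOG or from anyone in the thread: the server-side "grace period" between failed attempts that Lin545 proposes (which a non-browser client such as the downloader cannot skip, because it is enforced on the server, answering tremere110's concern), and a detection rule over the login log that flags what whelm saw in his notifications, namely one account failing from several distinct source IPs inside a few hours. The log lines, the 10 second spacing, the 3-IP threshold and the 5 hour window are constructed values for the example; the log format is not GOG's.

```python
"""Added example (not GOG's code): login-attempt spacing per account and an
alert for distributed password guessing against one account, run over
constructed sample log lines (the format and values are invented here).
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

GRACE_SECONDS = 10          # assumed minimum spacing after a failed attempt
ALERT_DISTINCT_IPS = 3      # assumed: distinct source IPs per account per window
ALERT_WINDOW = timedelta(hours=5)

# Constructed sample log; account names reuse thread handles, IPs are documentation ranges.
SAMPLE_LOG = """\
2016-09-18T10:02:11 account=whelm ip=198.51.100.7 client=downloader result=fail
2016-09-18T10:02:12 account=whelm ip=198.51.100.7 client=downloader result=fail
2016-09-18T11:40:03 account=whelm ip=203.0.113.44 client=downloader result=fail
2016-09-18T12:15:59 account=whelm ip=192.0.2.88 client=downloader result=fail
2016-09-18T13:01:30 account=whelm ip=203.0.113.9 client=downloader result=fail
2016-09-18T13:05:00 account=timppu ip=192.0.2.10 client=browser result=ok
2016-09-18T14:30:00 account=timppu ip=192.0.2.10 client=browser result=fail
"""


def parse(line: str) -> dict:
    """One 'key=value' log line into a dict with a parsed timestamp."""
    ts, *kv = line.split()
    rec = dict(p.split("=", 1) for p in kv)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


class Throttle:
    """Server-side spacing of attempts after a failure, keyed on the account, so it
    applies to every client (browser, Galaxy, downloader) alike."""

    def __init__(self) -> None:
        self.last_fail: Dict[str, datetime] = {}

    def allow(self, account: str, ts: datetime) -> bool:
        last = self.last_fail.get(account)
        return last is None or (ts - last).total_seconds() >= GRACE_SECONDS

    def record(self, account: str, ts: datetime, result: str) -> None:
        if result == "fail":
            self.last_fail[account] = ts


def replay_with_throttle(log: str) -> List[Tuple[str, str, str]]:
    """Replay the log; return the attempts the throttle would have refused
    before any password check ran."""
    t = Throttle()
    refused = []
    for rec in map(parse, log.splitlines()):
        if not t.allow(rec["account"], rec["ts"]):
            refused.append((rec["account"], rec["ip"], rec["ts"].isoformat()))
            continue
        t.record(rec["account"], rec["ts"], rec["result"])
    return refused


def distributed_failure_alerts(log: str) -> Dict[str, List[str]]:
    """Accounts whose failed logins came from at least ALERT_DISTINCT_IPS distinct
    IPs within any ALERT_WINDOW; value is the sorted list of those IPs."""
    fails = defaultdict(list)
    for rec in map(parse, log.splitlines()):
        if rec["result"] == "fail":
            fails[rec["account"]].append((rec["ts"], rec["ip"]))
    alerts = {}
    for account, events in fails.items():
        events.sort()
        for i, (start, _) in enumerate(events):      # slide the window over each start
            ips = {ip for ts, ip in events[i:] if ts - start <= ALERT_WINDOW}
            if len(ips) >= ALERT_DISTINCT_IPS:
                alerts[account] = sorted(ips)
                break
    return alerts


if __name__ == "__main__":
    print("refused:", replay_with_throttle(SAMPLE_LOG))
    print("alerts:", distributed_failure_alerts(SAMPLE_LOG))
```

On the sample, the throttle refuses only the second attempt against whelm's account (one second after the first), while the alert fires for whelm because four distinct IPs fail within the window; timppu's single failure from his usual address raises nothing. The two controls are complementary: spacing slows guessing down, the alert tells the owner and the operator that it is happening.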