Previously our login form was exposed to what is known as "credential stuffing", whereby an attacker uses user data leaked from other sites (check if your data as been leaked) to attempt to log into a user's other accounts on other websites. This was briefly happening on a large scale on GameBanana due to two shortcomings of our login form:
- No blockout for repeated login failures, allowing automated scripts to make unlimited login attempts (called a "brute force attack").
- No unrecognized location checking or blacklist checking of IP's logging in.
We've resolved these shortcomings but there are still other security holes, such as changing emails, making BananaExchange purchases, etc.
New Security ProceduresWe now have 3 different security procedures, of varying strength and convenience, which will be deployed when Potential Attack Vectors (PAVs) are interacted with:
- The Security Advisory - account holder is notified that a PAV interaction occurred.
- The Verification Email - account holder must verify via email the PAV interaction was initiated by them.
- The Wait Period - account holder must wait X number of hours before a PAV interaction is automatically accepted.
Known PAVsWe have identified six Potential Attack Vectors:
- Logging in from an unrecognized IP
- Logging in from a blacklisted IP
- Multiple failed login attempts
- Changing emails
- Changing passwords
- BeX purchasing
Each one must be addressed with a security procedure. Determining which security procedure to use is the tricky part and where all the potential inconvenience comes in.
Unfortunately we live in an age where your data is leaking everywhere, as new sites are breached every day. Enhanced security comes at the price of convenience, but we will try to make the inconvenience as minor as possible.