Security Updates

A Blog Post for GameBanana

In the wake of the December attacks on GameBanana I have been working closely with GameBanana's Chief Security Analyst (Mini) to close security holes in our account platform.

Previously our login form was exposed to what is known as "credential stuffing", whereby an attacker takes username/password pairs leaked from other sites (check whether your data has been leaked) and tries them against accounts on other websites, betting that people reuse passwords. This was briefly happening on a large scale on GameBanana due to two shortcomings of our login form:

  1. No lockout for repeated login failures, allowing automated scripts to make unlimited login attempts (a "brute force attack").
  2. No checking for logins from unrecognized locations, and no checking of the IPs logging in against a blacklist.

We've resolved these shortcomings, but other sensitive actions, such as changing emails and making BananaExchange (BeX) purchases, still need protecting.

New Security Procedures

We now have three security procedures, of varying strength and convenience, which are applied when a Potential Attack Vector (PAV) is interacted with:

  1. The Security Advisory - the account holder is notified that a PAV interaction occurred.
  2. The Verification Email - the account holder must confirm via email that they initiated the PAV interaction.
  3. The Wait Period - the account holder must wait a set number of hours before the PAV interaction is automatically accepted.

Known PAVs

We have identified six Potential Attack Vectors:
  1. Logging in from an unrecognized IP
  2. Logging in from a blacklisted IP
  3. Multiple failed login attempts
  4. Changing emails
  5. Changing passwords
  6. BeX purchasing

Each one must be addressed with a security procedure. Choosing which procedure to apply to which PAV is the tricky part, and where all the potential inconvenience comes in.
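As an added illustration, not GameBanana's own code, here is one way a login guard can combine a failed-login lockout, unrecognized-IP and blacklist checks, and a policy that maps each PAV to one of the three procedures. The thresholds, class and function names, and the sample IPs are assumptions chosen for this example.

```python
"""Added example: sliding-window login lockout plus PAV -> procedure policy.
Not GameBanana's code; thresholds and names below are assumptions."""
from collections import defaultdict, deque
from enum import Enum


class PAV(Enum):
    """The six Potential Attack Vectors named in the post."""
    LOGIN_UNRECOGNIZED_IP = "login from unrecognized IP"
    LOGIN_BLACKLISTED_IP = "login from blacklisted IP"
    REPEATED_LOGIN_FAILURES = "multiple failed login attempts"
    CHANGE_EMAIL = "email change"
    CHANGE_PASSWORD = "password change"
    BEX_PURCHASE = "BeX purchase"


class Procedure(Enum):
    """The three procedures, in the post's order (1 = least disruptive)."""
    ADVISORY = 1       # notify the account holder
    VERIFY_EMAIL = 2   # holder must confirm by email before the action takes effect
    WAIT_PERIOD = 3    # auto-accepted after X hours unless the holder cancels


# Assumed thresholds: 5 failures inside 15 minutes lock for 30 minutes.
MAX_FAILURES = 5
WINDOW_SECONDS = 15 * 60
LOCKOUT_SECONDS = 30 * 60


class LoginGuard:
    """Counts failures per account AND per source IP. Per-account lockout alone
    misses credential stuffing: each account sees one or two guesses, but a
    single IP walks through thousands of accounts."""

    def __init__(self, blacklist=()):
        self.blacklist = set(blacklist)
        self.known_ips = defaultdict(set)    # username -> IPs seen on success
        self.failures = defaultdict(deque)   # "acct:<u>" / "ip:<a>" -> timestamps
        self.locked_until = {}               # same keys -> epoch seconds

    def _recent_failures(self, key, now):
        q = self.failures[key]
        while q and now - q[0] > WINDOW_SECONDS:   # slide the window forward
            q.popleft()
        return len(q)

    def is_locked(self, key, now):
        return self.locked_until.get(key, 0) > now

    def attempt(self, user, ip, password_ok, now):
        """One login attempt. Returns (accepted, [PAVs that fired])."""
        keys = (f"acct:{user}", f"ip:{ip}")
        if any(self.is_locked(k, now) for k in keys):
            # Refuse even a correct password while locked, so a script cannot
            # learn which guess was right; keep reporting the PAV.
            return False, [PAV.REPEATED_LOGIN_FAILURES]
        if not password_ok:
            pavs = []
            for k in keys:
                self.failures[k].append(now)
                if self._recent_failures(k, now) >= MAX_FAILURES:
                    self.locked_until[k] = now + LOCKOUT_SECONDS
                    pavs = [PAV.REPEATED_LOGIN_FAILURES]
            return False, pavs
        if ip in self.blacklist:           # correct password, but bad source:
            return True, [PAV.LOGIN_BLACKLISTED_IP]   # never learn this IP
        pavs = [] if ip in self.known_ips[user] else [PAV.LOGIN_UNRECOGNIZED_IP]
        self.known_ips[user].add(ip)       # learn the IP only after success
        return True, pavs


def choose_procedure(pav, other_recent_pavs=0):
    """Informational events get an advisory; actions that could hand over the
    account (email change, blacklisted source) need email verification; money
    movement (BeX) gets a wait period so the holder can cancel. If other PAVs
    fired recently (e.g. an email change right after a login from a new IP)
    the procedure is escalated one step. Caveat: the verification mail for an
    email change must go to the OLD address, or the attacker confirms it."""
    base = {
        PAV.LOGIN_UNRECOGNIZED_IP: Procedure.ADVISORY,
        PAV.REPEATED_LOGIN_FAILURES: Procedure.ADVISORY,
        PAV.CHANGE_PASSWORD: Procedure.ADVISORY,
        PAV.LOGIN_BLACKLISTED_IP: Procedure.VERIFY_EMAIL,
        PAV.CHANGE_EMAIL: Procedure.VERIFY_EMAIL,
        PAV.BEX_PURCHASE: Procedure.WAIT_PERIOD,
    }[pav]
    if other_recent_pavs and base is not Procedure.WAIT_PERIOD:
        return Procedure(base.value + 1)
    return base


if __name__ == "__main__":
    # Constructed sample: one IP (203.0.113.50) guessing across many accounts.
    guard = LoginGuard(blacklist={"203.0.113.9"})
    for i in range(MAX_FAILURES):
        print(guard.attempt(f"user{i}", "203.0.113.50", False, now=100 + i))
    print(guard.attempt("user9", "203.0.113.50", True, now=110))   # locked out
    print(choose_procedure(PAV.CHANGE_EMAIL, other_recent_pavs=1))
```

Counting failures per source IP as well as per account is what matters for credential stuffing specifically: each account may only ever see one or two guesses, so a per-account lockout never trips, while the one IP working through a leaked list hits the per-IP limit within seconds. The known-IP set is learned only from successful logins and has to be persisted per user; if it is rebuilt per session, every login looks like it came from a new location.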

Unfortunately we live in an age where your data is leaking everywhere, as new sites are breached every day. Enhanced security comes at the price of convenience, but we will try to keep the inconvenience as minor as possible.
Comments

  • JMXremix (1y):
    I was logging in from the very same location every time and using a similar computer, but it still says logged in from a new location. Why? :(

  • D-Wanderer (1y):
    I log in from the same IP every day and it still says it has detected an unknown IP.

    Also, it turns out I got pwned, as the site in the link says. But they showed me a website I've never visited in my life. What is going on here?

  • Royalist (1y):
    So this explains the reason why I keep receiving the "Log in from an unidentified IP address" notification, I guess.
Blogger

tom (TBS2 Manager, Super Admin)