Security Updates

A Blog Post for GameBanana

In the wake of the December attacks on GameBanana I have been working closely with GameBanana's Chief Security Analyst (Mini) to patch up exploits in our account platform. 

Previously our login form was exposed to what is known as "credential stuffing", whereby an attacker uses user data leaked from other sites (check if your data has been leaked) to attempt to log into that user's accounts on other websites. This was briefly happening on a large scale on GameBanana due to two shortcomings of our login form:

  1. No blockout for repeated login failures, allowing automated scripts to make unlimited login attempts (a "brute force attack").
  2. No unrecognized-location checking or blacklist checking of the IPs logging in.

We've resolved these shortcomings, but there are still other weak points in the account platform, such as changing emails, making BananaExchange purchases, etc.

New Security Procedures

We now have 3 different security procedures, of varying strength and convenience, which will be deployed when Potential Attack Vectors (PAVs) are interacted with:

  1. The Security Advisory - account holder is notified that a PAV interaction occurred.
  2. The Verification Email - account holder must verify via email the PAV interaction was initiated by them.
  3. The Wait Period - account holder must wait X number of hours before a PAV interaction is automatically accepted.

Known PAVs

We have identified six Potential Attack Vectors:
  1. Logging in from an unrecognized IP
  2. Logging in from a blacklisted IP
  3. Multiple failed login attempts
  4. Changing emails
  5. Changing passwords
  6. BeX purchasing

Each one must be addressed with a security procedure. Determining which security procedure to use is the tricky part, and it is where all the potential inconvenience comes in.
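To make the above concrete, here is an added example (not GameBanana's code) that models the two login-form fixes and the three security procedures described in this post. The lockout threshold, lockout length, wait-period length and the PAV-to-procedure mapping are all assumptions chosen for the illustration; the post itself says the mapping is the tricky part and does not publish one. The example also handles the edge case that a location only counts as "recognized" once a successful login from it has been recorded for that specific account, so the first successful login from any IP is flagged.

```python
"""Added example, not GameBanana's code: a minimal account-security policy
modelled on the post's login fixes and its three security procedures.
Class, function and constant names are assumptions for this illustration."""
from dataclasses import dataclass, field
from enum import Enum
import time


class PAV(Enum):
    """The six Potential Attack Vectors listed in the post."""
    UNRECOGNIZED_IP = "unrecognized_ip"
    BLACKLISTED_IP = "blacklisted_ip"
    FAILED_LOGINS = "failed_logins"
    EMAIL_CHANGE = "email_change"
    PASSWORD_CHANGE = "password_change"
    BEX_PURCHASE = "bex_purchase"


class Procedure(Enum):
    """The three security procedures, weakest first."""
    ADVISORY = "advisory"
    VERIFICATION_EMAIL = "verification_email"
    WAIT_PERIOD = "wait_period"


# Assumed mapping for the example; the post gives no table.
POLICY = {
    PAV.UNRECOGNIZED_IP: Procedure.ADVISORY,
    PAV.BLACKLISTED_IP: Procedure.VERIFICATION_EMAIL,
    PAV.FAILED_LOGINS: Procedure.VERIFICATION_EMAIL,
    PAV.EMAIL_CHANGE: Procedure.WAIT_PERIOD,
    PAV.PASSWORD_CHANGE: Procedure.VERIFICATION_EMAIL,
    PAV.BEX_PURCHASE: Procedure.VERIFICATION_EMAIL,
}

MAX_FAILURES = 5            # assumed blockout threshold
LOCKOUT_SECONDS = 15 * 60   # assumed blockout length
WAIT_HOURS = 24             # assumed "X hours" for the Wait Period


@dataclass
class Account:
    username: str
    password: str    # plaintext only to keep the example short; store a hash in real code
    known_ips: set = field(default_factory=set)
    failures: int = 0
    locked_until: float = 0.0


class LoginGuard:
    """Failed-login blockout plus blacklist and unrecognized-IP checks."""

    def __init__(self, blacklist, now=time.time):
        self.blacklist = set(blacklist)
        self.now = now   # injectable clock so the behaviour is testable offline

    def login(self, acct, password, ip):
        """Return (success, [PAVs raised]). The blockout is checked before the
        password so a script cannot keep guessing while the account is blocked."""
        pavs = []
        if acct.locked_until > self.now():
            return False, [PAV.FAILED_LOGINS]
        if ip in self.blacklist:
            pavs.append(PAV.BLACKLISTED_IP)
        if password != acct.password:
            acct.failures += 1
            if acct.failures >= MAX_FAILURES:
                acct.locked_until = self.now() + LOCKOUT_SECONDS
                pavs.append(PAV.FAILED_LOGINS)
            return False, pavs
        # Correct password. A location is recognized only once a success from it
        # has been recorded for this account, so the first success is flagged.
        if ip not in acct.known_ips:
            pavs.append(PAV.UNRECOGNIZED_IP)
            acct.known_ips.add(ip)
        acct.failures = 0
        return True, pavs


def procedures_for(pavs):
    """Pick the strongest procedure required by the raised PAVs
    (wait period > verification email > advisory); None if nothing was raised."""
    order = [Procedure.ADVISORY, Procedure.VERIFICATION_EMAIL, Procedure.WAIT_PERIOD]
    chosen = [POLICY[p] for p in pavs]
    return max(chosen, key=order.index) if chosen else None


def wait_period_complete(requested_at, now, hours=WAIT_HOURS):
    """The Wait Period: a pending change is auto-accepted only once `hours`
    have elapsed since it was requested (times are epoch seconds)."""
    return now - requested_at >= hours * 3600
```

A caller would hold the session (or the requested change) until the returned procedure has been satisfied: an advisory is just sent, a verification email must be clicked, and a wait period is polled with `wait_period_complete`. Note that a correct password from a blacklisted IP still succeeds here but raises `BLACKLISTED_IP`, so the policy, not the login check, decides whether that session is usable.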

Unfortunately we live in an age where your data is leaking everywhere, as new sites are breached every day. Enhanced security comes at the price of convenience, but we will try to make the inconvenience as minor as possible.

Posts

  • JMXremix, 9mo
    I was logging in from the very same location every time and using a similar computer, but it still says logged in in a new location. Why? :(
  • D-Wanderer, 9mo
    I log in from the same IP every day and it still says it has detected unknown IP.

    Also turns out I got pwned as the site in the link refers to it. But they showed me a website I've never visited in my life. What is going on here?
  • Royalist, 9mo
    So this explains the reason why I keep receiving the "Log in from an unidentified IP address" notification, I guess.

Blogger

tom (TBS2 Manager, Super Admin)


Stats

  • 452 Views
  • 6 Posts
  • 9mo Submitted
  • 6mo Modified
