BoardsPlayer Behavior

Reminder: Keep your accounts secure.

Hotarµ·9/20/2019, 4:43:11 AM·7 votes·10,950 views

Just wanted to make this post because unfortunately in the past few days I have seen a lot of players have their accounts compromised and subsequently banned for using 3rd party programs, account sharing, or boosting.

Keep your antivirus software up to date, use unique passwords and e-mails for each service, and check your match history every now and then. If you see any matches you don't remember playing or something that looks suspicious, be proactive and file a support ticket to explain the situation in detail. It might also help to jot down some information about your account (such as your account creation date, skins owned, or other confidential information that only you would know) and keep that on-hand in the rare case that your account is locked under suspicion of being compromised.

If you're looking for a good website to generate passwords that are hard to brute-force, check out "passwordsgenerator.net" or use Norton Security's password generator. And again, be sure to use unique passwords for each service, don't use the same one more than once.

Stay safe out there.

[slayer-pantheon-thumbs]

15 Comments

DartExplosion109/20/2019, 5:16:33 AM5 votes

what if the hacker only plays tft

Flukenux9/20/2019, 8:40:32 AM4 votes

"in the past few days I have seen a lot of players have their accounts compromised"

Must be players having out of date anti-virus and poor passwords! Couldn't possibly be a data breach at Riot!

"and check your match history every now and then."

Don't stop there, always keep an eye on how many Riot Points are on your account. If they go down, go to "Store" -> "Account" -> "Gift History" to find out who benefited from your account compromise. Riot won't restore the RP so you are completely screwed in that regard but at least you get to see where it went!

It might be a good idea to just do a full 10 minute review of your entire LoL account every day. Riot could do several things to improve security but won't because they don't care and take their lack of caring "very seriously."

"something that looks suspicious, be proactive and file a support ticket to explain the situation in detail."

You can then get a "helpful" response from "support" like: "There isn't much I can do for your case as a Player Support, I'm really sorry"

The level of "seriousness" taken in the lack of escalation to Riot's apparent non-existent security team is breath taking! Every detail clearly of so much great importance to Riot support to ignore!

Could you still get banned for account sharing after pointing out to support your account was compromised? Support won't spoil that surprise by telling you! It seems the answer maybe YES! Or maybe no? Who is to say? Such fun! :)

"jot down some information about your account (such as your account creation date, skins owned, or other confidential information that only you would know)"

Yes, we should ignore that websites like Mobalytics might help determine publicly the date of the first match and help make a determination when the account creation date might be.

Also someone that has compromised an account to the extent they can play matches on it couldn't possibly know what skins are owned by the account. Out of curiosity, what does clicking on "Collection" -> "Skins" show again?

"Stay safe out there."

Yeah. Right.

It should also be stated that if you want to get the full details on what IP address someone logged into the account from, what they said in chat and other details, you can do so by submitting a ticket. An automated reply will be provided by Blitzcrank bot (I'm not make a joke, this is how "seriously" Riot takes this) and you will be told to NOT change your password for 30 days or your request for the information will be void.

Again, I am not making a joke no matter how much it may sound like I am. If you are trying to get details about an account compromise, Riot's taking things "very seriously" solution is to discourage changing your password for 30 days even if it seems like your account might have gotten compromised again during those 30 days!

Things you should NOT expect Riot to do:

(1) Riot will not require a 2FA verification code if you use the League of Legends game client. 2FA verification may help prevent someone be able to play matches from an untrusted device but the game client is always trusted from all devices. Riot believes 2FA is only a web browser security method.

(2) Riot will not provide a method to review recent login IP addresses immediately without waiting 30 days. That would just be too damn helpful and Riot want you to talk to "Blitzcrank Bot" instead.

(3) Riot will not require 2FA verification on the website BEFORE confirming the password is correct. An attacker can use the web site to brute force the password and then ignore the 2FA step. Since the League of Legends game client doesn't require 2FA, they are golden.

(4) Riot will not use a cell phone app based authenticator system similar to Google Authenticator. If you wanted the security provided by something like Blizzard Authenticator then you would be playing Heroes of the Storm instead. Or if you wanted security provided by something like Steam Guard Mobile Authenticator you would be playing Dota 2 instead. If you are playing LoL then you want the frustration of not having that. There is a League Friend mobile app but you should never expect a smart phone security app from Riot.

But remember, keep anti-virus up to date because that way Riot doesn't have to acknowledge there should be anything they should change on their side! Also run Windows Update since that also will change nothing about Riot's attitude towards 2FA or easy access to last login information!

Happy mass account compromise month! Here is hoping to Riot changes nothing and October can be record breaking!

Thanks for the heads up Hotarµ! I'm glad you got our back.

Such joy and wonderfully insecure gaming experience -- GLHF!

A Palmtop Tiger9/21/2019, 5:22:06 AM4 votes

Optional 2 step verification when? I know some players hate the idea but having it optional would be nice.

PaladinNO9/20/2019, 1:30:59 PM2 votes

It's okay; I am confident enough to say that if anyone can get access to my account, they can keep it.

ShyImagoghnar9/20/2019, 7:52:46 PM2 votes

since league has a "keep me logged in" feature now, is there an ETA on TOTP 2FA?

Flukenux9/21/2019, 6:10:06 AM1 votes

I get the feeling I am getting banned from the board and the game by Hotarµ for being a troll and having nothing "helpful" to say. I completely understand the need to keep the board and the game as free of toxic behavior as possible. I also completely get a specialist deciding my pointless discussion on security just is not fun and that Hotarµ has to do what he/she has to do.

However, just on the off chance someone at Riot does care and is listening, I would like to try one more time to restate my position.

Please take a look at the videos for a product called SawStop.

They can be found here: https://www.sawstop.com/why-sawstop/video-vault/

Or better yet here: https://www.youtube.com/watch?v=PCnW1poqAj4&t=302

Then ask if Riot's stance resulting in the banning of players for common mistakes that resulted in a compromise is similar to what happens when a common mistake is made with a classic table saw or similar to what happens with a SawStop? Is Riot putting the right tools into the hands of the players to help keep the common mistakes from escalating into bad results? Or do players just deserve to lose their fingers for making common mistakes?

Full disclosure: SawStop is being used as metaphor. I do not work for them and do will not profit from the sale of their products. I'm not endorsing them and take no responsibility if their product doesn't work as advertised. They also didn't authorize me using their brand as a metaphor but hopefully it falls under fair-use.