Security Updates

The incredible growth of Splinterlands and of the value of in-game assets over the past few months has unfortunately been accompanied by an increase in the number of accounts having assets stolen via hacks or other forms of unauthorized access. To reduce how often this occurs as much as possible, we plan to introduce the following changes on Monday, October 4th, 2021.

We expect there to be a (hopefully) short downtime around 10 AM ET / 14:00 UTC on Monday while we release these changes along with other back-end scalability updates and optimizations.

Removing the Require Active Key Setting

Going forward, all accounts will have the "require active key" setting for transferring assets out of their account enabled by default, and will no longer have the option to disable it. Accounts that currently have the setting turned off will have the option to enable it, but once enabled it can no longer be disabled.

Require Active Key for Market Purchases and Rentals

Also going forward, the active key will be required for purchasing and renting cards on the Splinterlands market for all accounts with the "require active key" setting enabled. In the past, attackers who had gained unauthorized access to an account's posting key used market purchases and rentals as a method to move DEC and Credits out of that account, and this avenue needed to be closed down.
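The two rules above can be expressed as a check on the signing authority of each Hive custom_json operation, where required_auths means the active key signed and required_posting_auths means the posting key signed. This is an added example, not Splinterlands code; the operation ids, account names and function names are hypothetical.

```python
# Added illustration. Operation ids and account names are hypothetical;
# required_auths / required_posting_auths are the Hive custom_json fields.
SENSITIVE_OPS = {"example_market_purchase", "example_market_rent",
                 "example_asset_transfer"}

def signer(op):
    """Return (account, key_level) for a custom_json op with one signer."""
    active = op.get("required_auths", [])
    posting = op.get("required_posting_auths", [])
    if len(active) + len(posting) != 1:
        raise ValueError("expected exactly one signing account")
    return (active[0], "active") if active else (posting[0], "posting")

def authorize(op, settings):
    """Decide whether the game layer should process the op.

    settings maps account -> "require active key" flag; an account with
    no entry gets the new default (enabled).
    """
    account, level = signer(op)
    needs_active = op["id"] in SENSITIVE_OPS and settings.get(account, True)
    if needs_active and level != "active":
        return False, f"{account}: {op['id']} rejected, active key required"
    return True, f"{account}: {op['id']} accepted ({level} key)"

def set_require_active_key(settings, account, enabled):
    """One-way switch: the flag can be turned on but never back off."""
    if settings.get(account, True) and not enabled:
        raise PermissionError("require active key cannot be disabled")
    settings[account] = enabled

# Constructed sample data: one legacy account that still has the flag off.
SETTINGS = {"legacy-player": False}
OPS = [
    {"id": "example_market_purchase", "required_auths": [],
     "required_posting_auths": ["new-player"]},    # stolen posting key case
    {"id": "example_market_purchase", "required_auths": ["new-player"],
     "required_posting_auths": []},                # signed with active key
    {"id": "example_market_rent", "required_auths": [],
     "required_posting_auths": ["legacy-player"]}, # flag still off
    {"id": "example_submit_team", "required_auths": [],
     "required_posting_auths": ["new-player"]},    # ordinary gameplay op
]

def run_demo():
    """Return the allow/deny decision for each constructed op."""
    return [authorize(op, dict(SETTINGS))[0] for op in OPS]

if __name__ == "__main__":
    for op in OPS:
        print(authorize(op, dict(SETTINGS))[1])
```

The third operation is accepted only because that constructed account still has the setting off; once it is enabled, the same posting-key rental is rejected and the setting cannot be reverted.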

UI Updates When Retrieving Keys

In addition to the protocol changes listed above, the page on the Splinterlands website which allows players to retrieve their keys will also be updated with additional information and education for players on how to properly secure and use their keys.

We will highly encourage all players to use the Hive Keychain browser extension to manage their keys and provide an option to automatically add their account and keys to the extension once it is installed.


Stay tuned for more updates from the Splinterlands!

NOTE: All rewards from this post will be burned.

@ylich wrote a tutorial about using Keychain for Splinterlands, it would be great to include it on the "Request my keys" page to educate new players:
https://peakd.com/hive/@keychain/using-hive-keychain-to-play-on-splinterlands

Thanks for the update, keep your keys safe people!!!

You guys do a great job staying on top of this stuff! I have been a part of several other gaming communities in the past, and have never seen another company work so hard to keep things updated and fresh! Thank you guys! Keep up the great work, it is being noticed!!
-SilentxNecrosis from Twitch

Once I was scammed directly from Splinterlands Discord, but it was all my fault and I learned a great lesson, and thanks to the support team who did a great job and helped me keep my account secure.
P.S. Don't trust anyone who offers you something online for free, even if they are very polite, and trust only the authorized support team if you need help with the game!

Hope you didn't face too many losses :)
!PIZZA

One security issue is that bots are able to exploit newbies who have not enabled the option to "hide" their selected cards, enabling the cheater to know exactly your cards and build a perfect team to beat it.

I don't know why hidden cards isn't the default.

This is a trade off, and even as a veteran I've only recently become aware this was a thing, but if you turn this option off you forfeit the ability to achieve a victory (towards your daily quest) if the opponent flees after you've submitted a team, so I'm gathering the people who did know about "splinterviewer" just waited until the time was nearly up to submit so that exploit couldn't be used, but I agree, all things considered we should just adapt to not getting quest credit on surrenders...

Wait... what is all of this? I had no idea about any of this... is there anything I need to do or set to avoid this issue?

I don't think so. I believe they've already made it default and removed the toggle, but the issue as I understand it was that leaving the former setting "Do not reveal team until..." off made it possible to see what someone had submitted in a brief window, which could be exploited by someone quick enough, or bots.

Turning it off however meant that if the opponent fled after your team was submitted, you wouldn't get credit for a daily quest even if you met the criteria.

I never thought much about it, but in retrospect I can see how I should've been more concerned about keeping my cards close to my chest instead of opting for an occasional easy win.

I have no idea any of this was a thing... but personally I love the occasional easy win... and I deliberately choose my cards quickly if only one or two splinters are allowed because they tend to be the most surrendered by opponents.

So... I guess none of this is really an issue anymore?

I don’t think so. I read they were going to change it and I realized today the toggle is gone so I imagine if you already had it on it’s on forever. I’d check, though.

This is what I see.... do you reckon I need to toggle that last one on?

Afaik this is also going to be addressed soon™

This has already been addressed. The hide cards is always on now so forfeits will no longer give points towards daily quests. By default this is what's shown in the settings.

Do you know if this is the new default for ALL players, or just the new default for newly signed-up players?

All players.

In that picture is it on or off? It seems it is off. You have to toggle it on (blue) so battle results are hidden until viewed? Am I right or wrong?

Oh, in that picture, that's how the settings look now. There is no more toggle to turn it on or off.

2 Factor Authentication would be a nice option to log in.

This would be particularly useful for mobile users.

Maybe there should be a mechanism that prevents highly unusual market transactions until confirmed (or rejected) after a minimum amount of time has passed (like 24 hours), such as renting or buying a card for way more than the current market price (this seems to be one way attackers quickly move funds out of the victim accounts).

Solid updates :)

This is great news and will protect many users. I'm not sure how it will affect iOS players though... The app is unstable, and I "surrender" so many games that I mainly play via Safari when using my phone or iPad. However, KeyChain does not work on mobile browsers.

How will this be addressed?

You have Hive Keychain app on mobile, why do you need a browser extension?
I never played on mobile, I like to play on PC... 😃

I agree, I could play the game via the in-app browser (and maybe that has improved with iOS 15), however, I found it even less reliable than the iOS app. I also prefer playing on the PC for longer stints, but for a quick break during coffee to wake up the brain cells, or during the 5 min trip home (not driving!) it's so much easier spending a few minutes playing on the phone.

Hive keychain is available on the iOS store. I thought the same as well but downloaded it two or three weeks ago. Love having it on my phone! No more active key copy and paste into my browser on my phone lol. I don’t play with the app, only do transactions so I don’t know how reliable it will be for playing.

Thanks -- I'll give it another go. Do you play through the Hive-Browser on iOS?

I use brave on my phone to play. I despise safari; though I do have my alt Splinterlands account set up on safari but don’t play it often.

On my laptop I use brave as well since it’s a great browser.

I’ve never used the iOS app for Splinterlands. I dislike the gameplay on it, if you use mobile.Splinterlands.com (or some iteration, maybe .io?) it uses the same interface and I don’t like it lol. Maybe I’m just too used to the original layout of the game and cards to enjoy that different layout. The battles are laid out differently and other UI changes that I’m not a fan of.

On iOS the splinterlands.com site gives you the "desktop" version of the site, rather than the dumbed down mobile version (I'm also not a fan of the simplified user interfaces...). It is fine on the iPhone 12 Max if you have small fingers and good eyes 😂 but I find that I can't change the order of my cards around placing them -- so I've fielded (and won!) some pretty wild line-ups (including using poor Feral Spirit as tank...)

At least this way I can check my SPS airdrop when I wake up, stake it, and adjust any rentals before work.

I started using Brave on laptop and really liked it, but couldn't get Splinterlands to work with my MetaMask wallet (I never got the messages to approve/sign when trying to transfer SPS and DEC into my account). On Chrome it worked like a charm. I haven't tried Brave on iOS yet.

I believe that all updates that are valid for improving the experience, and therefore the sustainability of the game, are indeed extremely important. I hope that every day this community becomes a better place for everyone who is here in good faith and also building a dream.

With all the high value of the Splinterlands NFTs these security updates are welcomed to protect such assets. And when you think some out there have assets worth hundreds of thousands or even millions, there isn't enough security for them....

Thanks for your update post

For being utterly important, I reblogged this! Thank you for raising these issues!

Awesome

Thanks so much for the updates, they were needed as there are many not blockchain skilled users playing the game.

Keep up the great job!
Cheers.

Thanks for the update

thanks for the update, now at least sometimes you can rent cheap cards

Good thing is you found out and learned a lesson before losing an account worth 100k$ or something.