We need better account security measures.
Posted 1/1/16, edited 1/1/16
For example.
Security questions.
Phone ID code.
Access to this Computer only by this computer.
In order to change email or password, you need verification from the original email, with a waiting period of 24 hours.
37709 cr points
45 / Seattle
Posted 1/2/16

KarenAraragi wrote:

For example.
Security questions.
Phone ID code.
Access to this Computer only by this computer.
In order to change email or password, you need verification from the original email, with a waiting period of 24 hours.


I genuinely wish you the best of luck.

But considering that they can't even be bothered to send you an email telling you that an intruder has changed your email to lock you out, with what I'm told would be a simple code change, I don't think it'll happen. It's apparently better security to send the intruder (i.e. the new email) a notification.

And I'm still waiting for any answer to these challenges about CR's poor security.
The Wise Wizard
102327 cr points
56 / M / U.S.A. (mid-south)
Posted 1/2/16

arimareiji wrote:

But considering that they can't even be bothered to send you an email telling you that an intruder has changed your email to lock you out, with what I'm told would be a simple code change, I don't think it'll happen. It's apparently better security to send the intruder (i.e. the new email) a notification.

I'm still puzzled why they haven't made that change. I can't see why it would be difficult, as they would just be sending it to two e-mail addresses (the new and old) instead of one. I haven't even seen anyone at CR claim, "It isn't as simple as you think".


On the payment side, I would strongly advise using PayPal if possible. It means if your CR account is compromised, that unlike having a credit card on file, the person can't make additional CR purchases (as they would still need your PayPal account password). It also means if you need to cancel, you have two methods of doing so: Via CR and via PayPal (like having a valve at two ends of a pipeline).

10295 cr points
Posted 1/2/16
I personally hate the phone ID thing. I don't have a phone, and don't want a phone. It pisses me off that I can't change my email password anymore because I don't have one. Just one more way to fuck something up, in my opinion.

I mean, geez, just make a good password to begin with.
26328 cr points
30 / M
Posted 1/2/16

TheAncientOne wrote:
On the payment side, I would strongly advise using PayPal if possible. It means if your CR account is compromised, that unlike having a credit card on file, the person can't make additional CR purchases (as they would still need your PayPal account password).


Not so. Someone at CR decided that they should store your PayPal info so anyone who does log into your CR account has the same access that anyone who gets into an account with a stored credit card has. To buy whatever.
PayPal emails will be noticeable to someone vs a CC/DC unless they check their bank account daily.
I even cancelled my recurring membership before testing it and my PayPal CR billing agreement is still active...

As I just for a test managed to buy a 30 day gift membership without doing anything other than clicking. No PayPal password, nothing required. I got..
Thank you for your purchase!
Your order (#) has been received.

I have 2 friends on CR so they can fight over it when their 3 month memberships run out. :P
The Wise Wizard
102327 cr points
56 / M / U.S.A. (mid-south)
Posted 1/2/16

penguincat wrote:

Not so. Someone at CR decided that they should store your PayPal info so anyone who does log into your CR account has the same access that anyone who gets into an account with a stored credit card has. To buy whatever.
PayPal emails will be noticeable to someone vs a CC/DC unless they check their bank account daily.
I even cancelled my recurring membership before testing it and my PayPal CR billing agreement is still active...

Well that is quite disappointing. Even with eBay (before they split), I normally had to sign in to PayPal unless I explicitly linked the two accounts.


Out of curiosity, did you get the "review order" page, where it asks you for your shipping and billing information, as well as "add card or use PayPal"? I never purchased anything from the store, so I wonder if this information is stored for those purposes only if you've used it there (i.e., not if you've only ever used it for subscriptions, like myself).

I'm tempted to click the "use PayPal" button (on a gift sub purchase) and see what happens, but I'm hesitant to spend $6.95 for this experiment.

37709 cr points
45 / Seattle
Posted 1/2/16

penguincat wrote:


TheAncientOne wrote:
On the payment side, I would strongly advise using PayPal if possible. It means if your CR account is compromised, that unlike having a credit card on file, the person can't make additional CR purchases (as they would still need your PayPal account password).


Not so. Someone at CR decided that they should store your PayPal info so anyone who does log into your CR account has the same access that anyone who gets into an account with a stored credit card has. To buy whatever.
PayPal emails will be noticeable to someone vs a CC/DC unless they check their bank account daily.
I even cancelled my recurring membership before testing it and my PayPal CR billing agreement is still active...

As I just for a test managed to buy a 30 day gift membership without doing anything other than clicking. No PayPal password, nothing required. I got..
Thank you for your purchase!
Your order (#) has been received.

I have 2 friends on CR so they can fight over it when their 3 month memberships run out. :P


That probably settles it. 19 more days until my year membership expires and I'm finally "allowed" to take my own g*#-d*$^ credit card off the site, and I won't be renewing it.

I viscerally dislike some of PayPal's business practices, such as closing the accounts of anyone the MPAA and RIAA don't like (with no recourse), so I wasn't keen on using them anyway.

I'm not inclined toward the hassle of buying a new gift membership every month, especially since it would mean taking CR's word for it that they haven't decided they have a right to surreptitiously store the card info for an intruder to use anyway, promises to the contrary aside.

I haven't found a virtual credit card number issuer yet who I would trust and whose rates are reasonable, and I'm not all that tempted to continue looking considering that Crunchyroll has become all-but-unusable for video and obnoxious-but-sorta-usable for manga.

The only reason I would have continued would be to support the actual creators directly, and I'll put my efforts into finding another avenue for doing so. Hopefully one with only a minimally-distasteful middleman taking an undeserved cut, one that doesn't screw you with poor security and try to blame you for it.
26328 cr points
30 / M
Posted 1/2/16

TheAncientOne wrote:
Well that is quite disappointing. Even with eBay (before they split), I normally had to sign in to PayPal unless I explicitly linked the two accounts.

Out of curiosity, did you get the "review order" page, where it asks you for your shipping and billing information, as well as "add card or use PayPal"? I never purchased anything from the store, so I wonder if this information is stored for those purposes only if you've used it there (i.e., not if you've only ever used it for subscriptions, like myself).

I'm tempted to click the "use PayPal" button (on a gift sub purchase) and see what happens, but I'm hesitant to spend $6.95 for this experiment.


Yeah, I did have some sort of CR confirm page that asked me if I wanted to add a card or use PayPal and had my PayPal email already saved on the page though. I clicked confirm but there was nothing that would stop anyone that wasn't me.

I do think it's a new "feature": my first 2 x 12 months, once I clicked cancel payment renew, my PayPal agreement with CR ended and PayPal sent me an email about it. This time it did no such thing.
So maybe it didn't actually cancel or whatever or they want you to buy stuff from the store. Payment methods page says "There are no saved payment methods." but shows my PayPal email but no ability to remove it...
37709 cr points
45 / Seattle
Posted 1/2/16, edited 1/2/16

penguincat wrote:
So maybe it didn't actually cancel or whatever or they want you to buy stuff from the store. Payment methods page says "There are no saved payment methods." but shows my PayPal email but no ability to remove it...

You'll probably get the same excuse they use with credit/debit cards - you're not "allowed" to take your payment method off file while you have an active subscription, even though you've already paid for it, even if you haven't indicated that you want to renew, and even if you sure as heck don't want an intruder to be able to charge up a load of stuff from the CR store. Because reasons.

Edit to add a belated thought:


TheAncientOne wrote:
Well that is quite disappointing. Even with eBay (before they split), I normally had to sign in to PayPal unless I explicitly linked the two accounts.


Out of curiosity, did you get the "review order" page, where it asks you for your shipping and billing information, as well as "add card or use PayPal"? I never purchased anything from the store, so I wonder if this information is stored for those purposes only if you've used it there (i.e., not if you've only ever used it for subscriptions, like myself).

I'm tempted to click the "use PayPal" button (on a gift sub purchase) and see what happens, but I'm hesitant to spend $6.95 for this experiment.


I find myself morbidly curious now... I wonder how long they've known this was true and said nothing.
Posted 1/2/16

HolyDrumstick wrote:

I personally hate the phone ID thing. I don't have a phone, and don't want a phone. It pisses me off that I can't change my email password anymore because I don't have one. Just one more way to fuck something up, in my opinion.

I mean, geez, just make a good password to begin with.


That doesn't mean anything. The problem is there. People have gotten their accounts hacked. If you don't like the ID stuff? Good for you and don't use it then. As for me and others, we will gladly use it.

Yes, my password is strong and long. But if somebody wants to get in, they may succeed. For somebody who was a marine, you would think you would know better. Doesn't hurt to have multiple layers of security.
10295 cr points
Posted 1/2/16

KarenAraragi wrote:


HolyDrumstick wrote:

I personally hate the phone ID thing. I don't have a phone, and don't want a phone. It pisses me off that I can't change my email password anymore because I don't have one. Just one more way to fuck something up, in my opinion.

I mean, geez, just make a good password to begin with.


That doesn't mean anything. The problem is there. People have gotten their accounts hacked. If you don't like the ID stuff? Good for you and don't use it then. As for me and others, we will gladly use it.

Yes, my password is strong and long. But if somebody wants to get in, they may succeed. For somebody who was a marine, you would think you would know better. Doesn't hurt to have multiple layers of security.


No, it doesn't. And I'm all for more security, as long as it is opt in. The problem is, they usually don't give you a choice with the Phone ID thing.

As someone who can't even change my email pass, now, it's downright infuriating.
Posted 1/2/16

HolyDrumstick wrote:


KarenAraragi wrote:


HolyDrumstick wrote:

I personally hate the phone ID thing. I don't have a phone, and don't want a phone. It pisses me off that I can't change my email password anymore because I don't have one. Just one more way to fuck something up, in my opinion.

I mean, geez, just make a good password to begin with.


That doesn't mean anything. The problem is there. People have gotten their accounts hacked. If you don't like the ID stuff? Good for you and don't use it then. As for me and others, we will gladly use it.

Yes, my password is strong and long. But if somebody wants to get in, they may succeed. For somebody who was a marine, you would think you would know better. Doesn't hurt to have multiple layers of security.


No, it doesn't. And I'm all for more security, as long as it is opt in. The problem is, they usually don't give you a choice with the Phone ID thing.

As someone who can't even change my email pass, now, it's downright infuriating.


That's what I am saying. I feel uncomfortable with how things are right now. I want the email thing too, but with some kind of preventive measure in case somebody other than you is trying to get it changed.
28785 cr points
22 / M / United States
Posted 1/2/16

HolyDrumstick wrote:

I personally hate the phone ID thing. I don't have a phone, and don't want a phone. It pisses me off that I can't change my email password anymore because I don't have one. Just one more way to fuck something up, in my opinion.

I mean, geez, just make a good password to begin with.


Sucks for you then. For the rest of us, I think we'd love to see a phone option for security measures. Sometimes having a good password isn't enough these days. And not to sound rude, but what grown adult doesn't have a phone in this day and age? You don't need a smart phone...there are cheap plans out there you know..
37709 cr points
45 / Seattle
Posted 1/5/16
I could be wrong, but I think what people on both sides want are options.

I hate it when any company wants to make me change my password constantly to be "safer", force me to use G0bbL3Dygo0|{ characters, or give my telephone number for text messages. But if you give me those options, I'll be happier.

Actually, that seems to be the core of what's wrong with Crunchyroll's "security" right now.

An option to take your card number off file after you pay for a year subscription? We've decided you don't need that until after the full year is up.
An option to make your card number usable only for subscription charges, so that an intruder can't run up hundreds of dollars of purchases in the CR store? You don't need that either.
An option to get an email warning you when someone locks you out of your account by changing the email (preventing a password reset)? Nope, we'd rather send it to the intruder.
A link to let you immediately reset that change (instead of waiting for days or weeks to hear back)? ...You're kidding, right?
Two-factor security? Dream on.
An option to stop payment at PayPal when Crunchyroll's system tells you that your subscription has been successfully ended - but then you keep getting billed every month anyway? Apparently, we've found a way to take that away too.

My personal favorite, though it's less a security lapse than it is sheer "Because we said so, that's why":
It took you less than an hour to realize you don't want that free membership trial after all, and you want to cancel before you forget? Too freaking bad. We'll make you wait a couple of days until we've verified that we can charge your card.

For your free trial.
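
The account-email change flow asked for in the first post (verification via the original email plus a 24-hour wait) and in the last post (a warning to the old address with a link to undo the change), sketched as an added example that is not part of the thread and not Crunchyroll's code. All names, the in-memory stores and the token format are hypothetical; user ids are assumed not to contain ":".

```python
import hashlib
import hmac
import secrets

HOLD_SECONDS = 24 * 3600               # waiting period proposed in the thread
SERVER_KEY = secrets.token_bytes(32)   # assumption: per-deployment secret key

accounts = {}   # user_id -> current email
pending = {}    # user_id -> (new_email, effective_at, nonce)
outbox = []     # (recipient, message) pairs standing in for a mail queue


def _sign(user_id, nonce):
    msg = f"{user_id}:{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def request_email_change(user_id, new_email, now):
    """Hold the change as pending and notify BOTH the old and new address."""
    old_email = accounts[user_id]
    nonce = secrets.token_hex(16)
    pending[user_id] = (new_email, now + HOLD_SECONDS, nonce)
    token = f"{user_id}:{nonce}:{_sign(user_id, nonce)}"
    # Only the old mailbox receives the cancel token.
    outbox.append((old_email, f"Email change to {new_email} requested. Cancel: {token}"))
    outbox.append((new_email, "Address change requested; it takes effect after 24 hours."))
    return token


def cancel_email_change(token):
    """Whoever controls the old mailbox can undo the change without logging in."""
    try:
        user_id, nonce, sig = token.split(":")
    except ValueError:
        return False
    if not hmac.compare_digest(sig.encode(), _sign(user_id, nonce).encode()):
        return False
    entry = pending.get(user_id)
    if entry is None or entry[2] != nonce:
        return False   # already applied, already cancelled, or superseded
    del pending[user_id]
    return True


def apply_due_changes(now):
    """Run periodically: commit only changes whose hold period has elapsed."""
    for user_id, (new_email, effective_at, _) in list(pending.items()):
        if now >= effective_at:
            accounts[user_id] = new_email
            del pending[user_id]
```

Until `apply_due_changes` commits the change, password resets still go to the old address, so an intruder who changes the email cannot lock the owner out during the hold.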