Jump to content

Topic on Help talk:Login notifications

IP address of unknown device

45
Summary by NKohli (WMF)

It's being worked on. Expect to see it in near future. Thanks for your patience.

Eric (talkcontribs)

Hello all- Anyone know if there's a way to find out the IP address of an unknown device from which someone has tried to log in to our account? Please let me know if this is not where I should be posting this question. Thanks. ~~~~

NKohli (WMF) (talkcontribs)

Hi. According to the privacy policy of our projects, the IP address is confidential information and hence we cannot reveal that in the notification. We might in future think about revealing an approximate location of the login but that's also uncertain.

GoneForGood (talkcontribs)

Sorry but that is a ridiculous policy. I.P addresses don't really reveal much at all without legal access to the ISP's customer records and they're not about to give us that. Not to mention Google has been revealing I.P. of ALL successful logins, and approximate locations of failed attempts for years. Knowing the IP allows me to determine whether I recognize it or not. If I do, I know it's not a problem. If I do NOT, then I know it's an issue and something needs to be done. Simply offering for us to change the password on a failed attempt is utterly useless. If they already FAILED, then my password is pretty good. If you're really that concerned about revealing IP's (an archaic position IMO), then change the login page to stop using usernames, which are publicly available across the entire site, to require registered email addresses instead. That makes a lot more sense to me since email is NOT publicly accessible. The way the system is now, where I get an email telling me there was a failed attempt, but all I can do is change the password they already couldn't figure out, is about as useful as an email telling me a 7-11 somewhere in East Podunk Australia was held up and the would be robbers got away with nothing. It's just silly.

Not to mention you guys already publicly post EVERY IP of anonymous editors! So to do that on the one hand, then when it comes to someone trying to break in, suddenly it's a security issue is just ludicrous.

NKohli (WMF) (talkcontribs)

Hi. I point out below in this thread that we got legal to agree to changes and there is ongoing work to bring this feature to users.

Professor alacarte (talkcontribs)

totally agree. Could not agree more. Well said. ~~~~

MarcoAurelio (talkcontribs)

Ain't the IP addresses of the person trying to log into our accounts displayed to us? We already receive the IP data when someone try to reset our passwords. This should be the same here. If the person trying to enter an user account that is not theirs do not want their IP addresses exposed to the account owner he should not try to log in into that account.

NKohli (WMF) (talkcontribs)

> We already receive the IP data when someone try to reset our passwords. This should be the same here.

That's a good point. I didn't remember that. Okay, I'll poke some security/legal folks and see if we can get the IP address from where the attempted login happened to be displayed in the notification.

MarcoAurelio (talkcontribs)
NKohli (WMF) (talkcontribs)

As for recording that, I don't think that that data is in CheckUser table but I could be wrong. CheckUser stores IPs when an IP requests a password reset but AFAIK it doesn't do the same for attempted logins.

MarcoAurelio (talkcontribs)

I don't know, then, why this feature went out without proper CheckUser integration for proper anti-abuse and anti-harassment purposes. I'm a bit dissapointed at that to be sincere. While LoginNotify is certainly a good idea, as it stands now it only gives some FUD to users receiving notifications and won't let CheckUsers/stewards nor the very user try to counter the abuse because a) the "intruder" IP address is not even exposed via email on successful logins from unknown devices and b) abusive login attempts ain't (citation needed?) recorded in the RC or CU table so we need to rely on ops people to browse the database logs to help in the investigations. Currently it's something like "hey, somebody (tried|did login) your account, but we won't tell you no more about that". Regards.

MarcoAurelio (talkcontribs)

In summary, I think we lack here:

  • IP info data should be visible:
    • for unsuccessful login attempts, maybe to the user or to the checkusers should we want a more conservative approach.
    • for successful logins on unknown devices, on the email notification sent to the registered email of the "hacked" account.
  • Proper CheckUser integration so unsuccessful login attempts and successful logins from unknown devices are recorded for bettering anti-(abuse/harassment).

Fortunately the extension is in active development so we can have this fixed if people thinks it's a good idea.

Regards.

NKohli (WMF) (talkcontribs)

How would you counter that anyway? Even if you came to know the IP address? Complain to an admin to block them? Not everyone does that. The main idea behind the feature was to make sure you know when your account is under attack and you can make sure you have a strong password/2FA.

Don't forget you can turn it off in your preferences if the notifications are feeling more like spam to you.

MarcoAurelio (talkcontribs)

I don't think that "not everyone does that" is a valid statement for this possible overlook.

Not all vandals are smart enough to use some techniques I won't mention to fool admins/checkusers in their work. In any case, I think it is in the best interests of the owner of the account to fully know the activity happening on their accounts, and if it is about the security of their account, more. If someone maliciously tries to log in into your account, I think that you ought to know who. It happens on OTRS, on several other Internet websites, and here when doing password resets.

As things stand now, 2FA is only avalaible for users with elevated user rights and users requesting that it be manually enabled by the stewards on their accounts. And even for those that are allowed to use 2FA, it is not mandatory.

Regards.

NKohli (WMF) (talkcontribs)

Three questions:

  • Even if you do come to know the IP address that attempted to log in, what would you do?
  • Is the fact that there was a login attempt from the IP a sufficient ground for blocking the IP address?
  • Would maybe knowing the approximate location of the attempt be more useful to people? (I don't imagine a lot of people know what IP addresses are or how they work)
KrakatoaKatie (talkcontribs)

In answer to your three questions (enwp CheckUser here):

  • If I know that an unusual IP address is trying to log in to an account without authorization, I can find out if that IP or range is trying to do the same to other users. This was useful to us earlier this year during the mass attack on administrator accounts.
  • Yes, if they're trying to hack into more than one account. I hardblocked an IP just last night that successfully managed to gain access to the account of a longtime enwp contributor.
  • If I know the IP, I can geolocate it. I don't see the use of telling me geolocation, which would require the software to go get the geolocation and then present it, when I can just get that from the IP itself.

I believe Marco is coming from his CheckUser point of view instead of that of a user. Present the IP to the end user or not, but it really needs to go into the CheckUser tables so we have it if we need it.

NKohli (WMF) (talkcontribs)

Thank you, @KrakatoaKatie. This is helpful. I'll bring it up when my team discusses work for the next sprint and we'll see what we can do about this.

Eric (talkcontribs)

Thanks to all of you for discussing this. I keep getting notifications of login attempts, and I'm curious to know where from.

Platonides (talkcontribs)

@KrakatoaKatie telling the geolocation may not be necessary for advanced users that know how to geolocate (could still be convenient, though), but for people that are not technical, actually giving out a location would help. It's quite different that the attempt comes from Nigeria than from your vacation location (unless it's in Nigeria, of course!)

Eric (talkcontribs)
Platonides (talkcontribs)

While it may be annoying, assuming you have a strong password, those attempts should be fruitless. What would your expectations as a user of this feature be?

Eric (talkcontribs)

I think it would be useful to know if the attempts are all coming from the same IP or location. Then I suppose there might be a procedure for requesting an admin to block those IPs. It's remarkable how many messages I'm getting.

NKohli (WMF) (talkcontribs)

IPs cannot be blocked for attempting to log in, unfortunately. We can do edit blocks for them but we can't stop them from accessing the login page.

Eric (talkcontribs)

Ok, thanks for the info. I'm amazed at how the notifications keep pouring in. I wonder if someone's got it in for me??

Platonides (talkcontribs)

@Eric, you have a really common username. I would guess they are many different people trying to enter into "his account". While it may seem obvious that logging in as "Eric" to a site they have never been before won't work, it's not that uncommon. And, given the sheer popularity of Wikipedia, even a tiny percentage of naive Erics could produce a noticeable amount of bad logins.

HKTHC (talkcontribs)

Thanks for informing me.

I never try to login to my account from another IP or from another device.

User:HKTHC

Dryphi (talkcontribs)

I agree it would be nice to know the time and location and/or IP of the failed login. The name of the device would also be helpful (e.g. what if this was just my cell phone?). Given this information I would then be able to determine if this was me and I had simply forgotten my password temporarily, or if someone else had visited the website after me (i.e. on a public computer), or if this was indeed a fraudulent attempt.

IKhitron (talkcontribs)

Actually, I don't see why could not the developers give us the device model, and if possible, even the os.

Eric (talkcontribs)

Update: Hello all. The failed log-in attempts are still occurring regularly all these months later. Sometimes they subside a bit, sometimes they come in waves from multiple wikis. This morning my inbox has 3 messages from a span of 7 hours regarding multiple attempts to log in (en.wp, fr.wp, Commons), and a fourth regarding a password reset request (Commons, 1 minute after the failed log-in notice). It feels like harassment, though I agree with Platonides' reasoning that it likely is not. Still, the volume of messages that I've been receiving for 5 months now would seem to support granting admins the ability to research such cases. Does anyone know if any kind of CheckUser functionality is being enabled to this end? Thanks in advance for any info.

Eric

NKohli (WMF) (talkcontribs)

Hi all - work on this is ongoing. A volunteer developer, Huji, has been working on this. It's going to take a while and I will continue to report back as things progress. Thanks all for your patience. :)

If you want to track it on Phabricator, here's the ticket: https://phabricator.wikimedia.org/T174388

Eric (talkcontribs)

Thanks for the update and link, @NKohli (WMF)! Happy to see that someone is working on this.

Eric

Eric (talkcontribs)

Update FYI: the frequency of notifications has increased the past couple weeks, coming from multiple wikis (en, fr, es, zh, Commons). Today there were 12 simultaneous notifications from es.wiki.

IKhitron (talkcontribs)

Eric, could you tell me something, please? Does this happen when you've been logged in on different devices, on different OS, on different browsers? Is there a possibility that something disturbs normal cookies work, as not enough place or some read-only problem, or even cookies turned off accidentally on device preferences? Thank you.

Eric (talkcontribs)

Hi @IKhitron- No, if I understand your question correctly, I don't think it's the result of logging in on other devices. It's very rare that I am on a wiki other than at my desktop. The notification e-mails* come in both from wikis where I'm active and those where I'm not -- I'm never on zh and very rarely on es -- if that sheds any light. And I don't think it would be cookie-related. I haven't made any wiki-related cookie adjustments in my browser (Firefox these days, Vivaldi for several months the past year). Thanks for checking in. Let me know if I can give you better info.

*I got 18 of these e-mails in rapid succession last night:

Hubo 18 intentos fallidos de acceder a tu cuenta desde un dispositivo nuevo. Asegúrate de que tu cuenta posea una contraseña segura.

IKhitron (talkcontribs)

Well, User:Eric, I'm very sorry for my poor English. I believe that the problem can happen if you work most of the time on the computer. And as you say, "It's very rare that I am on a wiki other than at my desktop". So, the problem can be in this particular desktop.

Eric (talkcontribs)

Hi @IKhitron - No, it's not your English, it's my comprehension! This topic is well out of my area of expertise.

But what little understanding I have makes me wonder how an issue with my computer or browser could be causing these notifications to be sent out to me. Are you saying that it may be that my computer is randomly re-logging in and being seen as an unknown device by the various wikis? If I'm never on the Chinese or Spanish wikis, could my computer still be pinging them with log-in attempts? And why would the log-in attempts fail if I'm continuously logged in from my main computer with a universal log-in?

IKhitron (talkcontribs)

No, Eric, I do not say your computer does it all by itself. But maybe a problem, or a part of it least, created by your computer. If wiki tryes to save cookies on your computer, and does not succeed, or they are saved wrong, and next time on login wiki reads them and assumes something that did not really happen, it can cause problems.

72.93.145.225 (talkcontribs)

Well, it's beyond my ken, but I suspect that since the issue has been occurring for months, including during a several-month period during which I used Vivaldi and not Firefox, it must be something other than cookies. I just deleted all wiki-related cookies from Firefox, so we'll see what happens in the coming days. Thank you for your thoughts on this, @IKhitron.

Oops, wiping the cookies apparently logged me out!

IKhitron (talkcontribs)

It's not the only possibility. For example, User:Eric, I experinced problems for a while because there was not enough memory on my device, and not all the cookies were saved.

NKohli (WMF) (talkcontribs)

@Eric, my guess would be that 'Eric' is a common enough username that people and bots would randomly try to login to your account, like Platonides said. This isn't unique to Wikipedia and happens on a lot of websites, but we're one of the few showing you login attempt notifications which isn't as common and also logins are not tied to emails which have much less of an issue. :(

I think we had a similar complaint from another user with a very popular username.

My advice would be that you turn off the notifications after ensuring you have a good password. We are meanwhile working on a feature to let you know what IP address the attempt happened from so you can ensure that it wasn't you accidentally triggering it, which happens often.

Eric (talkcontribs)

@NKohli (WMF), thanks for the info! I think I will turn off notifications.

Titodutta (talkcontribs)

Eric, if you are an admin on any Wikipedia, perhaps you can try the 2SV? I am thinking about your account security, and as you are going to turn off notification(s).

Eric (talkcontribs)

Hi @Titodutta- No, I'm not an admin. Yes, that's why I originally posted, preferring to keep in place the notification option for what I would think would be the rare occasion where a would-be miscreant might attempt to log in as me. I can't imagine who would want to break in and assume the identity of a crusty old copyeditor!

Marc Kupper (talkcontribs)

Many web sites disclose the IP address of the attempted attack. I would hope that Wikipedia would consider doing the same. If I don't recognize the IP address then could then choose to make it public to see if others are getting attacked from the same source.

At present, all I know from the notification is the approximate date/time that someone or something may have attempted to sign in as me on a web site somewhere. I don't know if notification is immediate or if can or will be delayed and so even the date/time is approximate.

It's not clear from the notification if Wikimedia or Wikipedia's security group is also watching the failed login attempts or if they 100% rely on end-users to manage their own security. For example, if IP address 1.2.3.4 is attacking many accounts then ideally the system recognizes this and will always return "login failed" even if 1.2.3.4 happens to guess the correct password for an account. Related to this is that if a concerted attack is recognized then you likely do not need to notify end-users for each instance of the attempted attack.

I would also like to know where the attack was attempted. In other words, which wikimedia or wikimedia site the login attempt was on? Wikipedia/Wikimedia has a large attack surface. I use many of the sites and so it may helpful to know which site the login attempt was on.

I also would like to know the password the person tried assuming that Wikimedia/Wikipedia knows what it is. It's possible the password is hashed on entry and that only the hash is known. If you know the attempted password then it likely should not be in the notification message but is something that I'd like to be able to retrieve, possibly on a web page where I'm force to re-enter my own credentials. Knowing the attempted password would be of use to someone like me that uses a different password for every web site or service I deal with. If I see that someone attempted PmkE9gCH85 I'll look to see where I used that password and will know that other site is likely compromised. and can notify them.

FWIW, if you have access to the passwords being attempted then you can build and maintain a dictionary of the passwords and run that internally against accounts. End-users should not be allowed to use passwords that are known to be in the attack dictionaries.

Titodutta (talkcontribs)

I got another such email. Just one sentence does not provide sufficient information, and makes me more puzzled about what to do. Earlier I found AWB etc tools were triggering this notification.

If I get a notification like "someone from "this" place or with "this" IP" (yes, I have read the discussion above) tried to login, I'll have reason to be careful, as I know it is definitely not me.