Hi,

It's not a 'random app' really, it's Google Authenticator or another app which can handle one-time-pass codes provided by google. The security questions are a sort of 2FA but not as secure.

More info: https://support.abbywinters.com/diff...tions-for-pps/

You're main issue is that you can't get rid of the 'turn on 2FA' message, where.... in your mail ??

Well... if my sole use of Google Authenticator is for this one purpose, it seems pretty random and unnecessary to me.

The message I'm seeing is the red "(1)" indicator in the top bar of every single page.

Also - minor bug, just happened after topping up a $3.00 balance with a $25.00 deposit (for the Sienna G / Zinia B shoot, which looks divine):

Your balance is now $28.00999999999998.

nice balance

I see your point on the red '1' thing now, it looks a bit like 'you have an unread message', with now way to mark it read. I'll ask web-team how to get rid of it.
(besides using GAuth-2FA)

As the FAQ Frans linked to explains, The Google Authenticator app is the simplest to use (I've used it for four years now, never got an alert from it), but there are several alternatives (that may send alerts, dunno) that can be tried.

You're not correct that the current GMB "security question" system is 2FA already. The generally accepted factors of authentication are:

• knowledge (something the user and only the user knows, eg, a username, password or address information)
• possession (something the user and only the user has, a device, like a phone or token)
• inherence (something the user and only the user is, eg, fingerprint, face scan)

The GMB-info approach is better than nothing, but it's not good enough. Unfortunately, we're finding abuse with the GMB system - asking for CC or email info as a second factor is not ideal, and we're finding this information has been shared online (not by us!) or is guessable, and once shared it cannot be fixed: that info is permanently out there (until you change CC or email address, hassle everyone prefers to avoid). That's a fundamentally flawed system, which is a concern when it comes to online security.

The Google Authenticator app is just 13Mb, provides no alerts or annoyances, takes three minutes to set up, works reliably and - most importantly - secures your credit card from unauthorised charges on our platform. I honestly cannot see why anyone would decide to willfully be less secure - it's irrational.

For now, we will not be removing the alert (but it's likely in the future we'll make 2FA required, not optional, for logging in to AW as well!).

(I take your point about "required" apps that make alerts, or even need updates, that shit is annoying, but Google Authenticator does not do this. I don't take your point on there being "too many apps". You (presumably) don't complain there are "too many web pages" on the internet, or "too many books" in a library... you just look at the pages / books you want to, when you want to.)

I appreciate the reply. Good information.

There's a gradient between security and convenience. As the anecdote goes: you can get excellent security against online malware by permanently airgapping your computer... even better, never turn it on.

CCBill / GMBill has had my credit card info for over 20 years. I've had my credit card information stolen maybe three times in that period, with absolutely no way to identify how it got stolen - which of the 40 websites or 300 physical places I've bought something from in the last five years leaked my info? ... no idea. And in each case, one call to the credit card company got the charges reversed and a new card within 24 hours.

If it's become less secure recently... well, I guess I haven't heard about it. I'll take your word for it.

Really? You don't view that as a pretty serious obstacle for enrolling new users?

How many other adult websites require not just a credit card, not just 2FA, but a specific mobile app to complete 2FA? I've never heard of such a thing. Literally never.

First, it's not just the availability of apps. I'm glad the App Store has 19 bajillion apps. Variety is nice.

Rather, it's the number of apps that I've been grudgingly obligated to stick on my phone because a website withheld functionality unless I did.

And second, I certainly do avoid websites that make it too difficult to enter. Paywall? Nah. "Sign up here to browse our - " Nah. I walk away from those websites... specifically because, as you noted, there are millions of other webpages out there that don't throw roadblocks between new users and their content.

That's my view. Now, I'm just a casual consumer of high-grade adult content. I've never developed a commercial website, let alone one as long-lived and successful as AW. I presume, genuinely, that you understand your user base and all that. I'm just providing, I suppose, a minority report for consideration.

I'm familiar with the adage, and I like it.

I'm glad you got your money back without much hassle (and I agree, there's no way to know how the info got out). Like most consumers, you probably don't care, but here's what happens behind the scenes when you do that.

• nicework.com is a lovely small business selling access to online media that some people choose to pay for.
• Someone joins up, with a credit card. They're charged $39.25.
• The person who signed up downloads all the content in a few days
• 10 days after the join, we get a notification from our merchant bank: that charge may have been fraudulent! Please provide evidence of the charge in the next few days, or you're in trouble. And by the way, don't make sales to fraudulent customers.
• 13 days after the join, we get a notification from our merchant bank: you've not provided evidence, so we've automatically debited your account the $30 fee you charged, and fined you a further $45 for being so stupid (this is called a "chargeback")
• The person who signed up posted all the content they "bought" onto Torrent sites or to a Bitlocker site, where they get money for posting content

Turns out, of course, the person who signed up used stolen credit card details. Oh, well, at least the poor cardholder can get their money back, right? What a relief!

nicework.com is out the join fee, the fine, the cost of the service they provided, plus the piracy hit - plus, someone else is making money on the content they worked so hard to create in the first place!

And, the merchant bank has tracked how many of these "chargebacks" are occuring. They're increasing the cost of processing credit card transactions, to cover their costs of administering chargebacks (ffs). If it increases any further, the merchant bank will cancel the merchant account entirely. Any time a merchant bank cancels a merchant account, it's pretty much impossible to get a new merchant account, because there's only "good" reasons one of their buddy-merchant-banks would have cancelled the previous merchant account, right?

(For a year we tried providing evidence such as joining IP address, address, usage IP address, list of downloads, etc to contest the chargeback. Banks ignored it - they only accept a signature from a customer, which of course is not possible in an online transaction).

Well, we're not less secure (we're more secure, in fact), but attackers have become more sophisticated. Glad you have not been affected - not many of our customers have, but even one is too many!

I sure do. It sucks, but if the alternative is going out of business entirely, it's the best option we have.

Your bank probably requires 2FA now, so it's becoming more accepted.

Yes, well, SMS is the other option, I guess that's what you're referring to. I assumed customers would be far less likely to be comfortable with a porn site having their mobile phone number, than installing a third-party app. But looks like I am wrong on that!

The real problem here - not to point fingers - is customers selecting insecure passwords. We're about to add a thing that checks a list of passwords known to be shared online (there's a few billion of them; more info), and encourage customers to use a more secure one.

But most people feel that password security is not their problem and prefer to aggressively use the same few passwords over and over (instead of using a simple Password Manager, which makes it a non-issue to use very secure and varied passwords for every online service).

Can you cite some examples? Not sure I know what you mean here.

Yes, it certainly sucks to be a website selling stuff these days! If I had it my way, we'd do everything by Bitcoin and fuck the banks... but if you're not going to use 2FA, Bitcoin's out of the question!

And I certainly appreciate it - it's good to talk about these things, even if there's no ideal solution.

That... makes a lot of sense. Food for thought.

Pretty crazy that the credit card company is charging the vendor - what is the vendor supposed to do? I mean, obvious negligence (or worse, coordination with the grifter) requires attention and penalties, but that's got to be a vanishingly small share of the incidents.

I once had a top-spec MacBook Pro swiped on a train. Later that day, Dropbox reported a login attempt... from an IP address... that was tied to a residential account. It would have been trivially easy for the cops to investigate. I couldn't get them to lift a finger.

That's interesting - and I'm aware of both the existence of "have I been pwned" sites, and some password validation techniques based thereupon. But it does raise the slightly troubling prospect of a website inspecting my password in a substantive way. With all the stories about companies storing passwords in plaintext (most recently Instagram?!), I much prefer that websites let me pick whatever I want and store a ZPK / public-key type of verifier. I doubt most users will care, though.

There's a chicken-and-egg problem here: today's password managers suck. They get better every year, but even after ten years of development, they still *absolutely suck*.

(1) Poor recognition. It's been my experience that even the best password managers can correctly identify both the login and the password fields of a web page about 60-70% of the time. Even for A-list websites, auto-fill doesn't work consistently if you receive a login prompt on a different page. (Amazon vs. Amazon Prime Music vs. Amazon Prime Video, for instance.)

(2) Sharing. How do you get a stored password from your workstation to your laptop to your phone to your tablet? You have two options. First, share your passwords online... ALL of them... in one online vault. Does that seem terrifying?) Second, *don't* share them via an online vault, which means not having access to your passwords. (Or third: Password reuse, which is why so many people resort to it.)

(3) Maintenance. Even when it *was* working, password autofill regularly fails because you changed your password on another device and the changes didn't propagate, or because the website changed its URL or code or even the login scheme (switching the identity field between "email address" and "username" is a big one), etc. So now you have to interact with your password manager to throw out the old l/p record and create a new one. Sometimes your password manager will dutifully insist on providing the old credentials automatically, and you have to fight with it to get it to not do that! So in addition to not making your life easier, your password manager now *requires* more attention and gets in your way.

So I don't actually blame the plebs who keep their single password on a Post-It stuck to their monitor. Their habits suck because the tech community has failed to give them a better one. Those of us who actually understand and care about security will tolerate the drudgery, but we can't expect realistically expect that of everyone.

Sure. Back in 2010 or so, when everyone started picking up iPhones, companies rolled out mobile apps. And because they *reallyreally* wanted their customers to use their shiny new app, their web pages had some code that detected mobile browsers and forced those users to a placeholder page: "Get the new mobile app!" Hertz, the car rental agency, was guilty of this one, and it complicated several instances of travel for me.

Some other, less-obnoxious companies offered a mild facsimile of their desktop site as a mobile version: smaller page data footprint, smaller layout, simpler options. But in simplifying the options, they sometimes *removed* options that couldn't be simplified (or that weren't in the project scope). Amazon was guilty of that for a while.

Yes, many companies have improved since then. No, they haven't *all* improved. I encounter those behaviors from time to time.

Yes, it certainly sucks to be a website selling stuff these days! If I had it my way, we'd do everything by Bitcoin and fuck the banks... but if you're not going to use 2FA, Bitcoin's out of the question!

I appreciate your detailed responses (and understanding the tone of my comments, which is mostly about interesting conversation). And you've convinced me to switch to AW-approved 2FA. I'll do it later tonight.

Yah, no one seems to actually care about that one. We're in the process of changing merchant banks right now (for a good reason: a better rate!), so while everyone's all lovey-dovey, I'm gonna ask the question again (I expect they will blame the cardholder's bank and shrug, but let's see).

Yah, that's annoying, and I experience that every day (we use LastPass). :/

I have another related issue: we use subdomains a lot (eg, support.abbywinters.com), some of which use WordPress. Whenever it encounter a WordPress site on a subdo, it lists ALLL the *.abbywinters.com passwords. As you might imagine, I have a few of them...



And because a lot of my work happens on the abbywinters.com domain, this is annoying 20 times a day. Of course, the rest of my work is on google.com domains, same issue.

This seems like an easy thing for LastPass to fix, so I am going to complain again again. *time passes* did some searching, turns out they have a solution for this, and it works well!

Hm, on LastPass, this works seamlessly, so I assumed it did on other apps as well! Well, yes, stored in an online vault. I'm ok with that, when I understand how they are stored. I acknowledge it's a risk, but I am ok with it for this company.

Hm, LastPass handles this gracefully around 80% of the time, including password updates required by some sites (enter password, enter new password, enter new password again).

I agree. Spend three minutes with my mum using a computer and not only will you want to shoot yourself in the face, you'll also understand why password managers are a long way from being widely accepted.

Oh yes, got ya now. Agree these were infuriating! I feel like it's swinging back the other way now, almost too far: design sites for mobile first, and they look terrible on my 30" monitor!

In our defense, the app were suggesting to install is not like that! It's a utility app, that can be used on thousands of sites. I think in a few years, it'll be as ubiquitous as the calculator app no one is concerned about and occasionally uses on their phone.

🎉 one down, ~16,999 to go!

So I converted to 2FA a few months ago. Today I'm trying to top up, and I absolutely regret having made the switch.

I have the Google Authenticator app on my phone. When I converted my account, I used the app to authenticate with AW using my Google account. But now the exact same app is demanding that I convert my Gmail account to 2FA, so that I now need my phone to login to Google. I'm not willing to do that.

There's an option to complete 2FA by scanning a QR code using my phone camera. But I can't find any goddamn QR code on the AW site. Since I already converted to 2FA a few months ago, AW won't show me another QR code.

I tried changing my account back to GMBill, thinking that I could then toggle back to 2FA and get a new QR code. But I can only do that if I've updated my billing information in the last 30 minutes.

There's another app called Authy that's supposed to provide a path around this mess. It has an option to enter a key manually. But it doesn't seem to be asking for a key that AW provides: it's asking me to create a key so that I can create a new Authy account, which means I'll have yet another password to remember or write down somewhere, and...

You know what? No. This is exactly the mountain of flaming bullshit that I expected when AW started talking 2FA. My patience level is exhausted.

Since all of this garbage is standing between me and giving you money so that I can buy stuff, I'm just going to close my account. There are plenty of other sites that don't require users this junk.

Goodbye AW, it's been fun.

I understans very much the above frustation, as everytime I have to pour in morre money in my account, it takes many days, many e-mail exchange with GMBill etc.
FRUSTATING.
Could AW deal with professional.

When you made the change to 2FA, did you do a topup? Or is this the first time you're doing a top-up with 2FA?

uhhh, that's not a service we provide (logging in to AW with your Google account). Or have I misunderstood?

Fair enough. Google offers several options for securing your Google account - by SMS, a phone call, a 2FA app, tapping a confirmation on your phone, and a few other ways.

Only the 2FA approach requires the Google Authenticator app, as far as I know...

ok, but, why do you need ANOTHER QR code for AW? Isn't AW already listed in the Google Authenticator app (from when you set it up in April)?

Correct. Obvs, we don't want someone else lowering the security of your account. Here's how to update your billing info;



I am not sure how Authy works, but what you describe seems typical to me. We all agree current state of the art password management sucks, but I don't think it's quite as hard as you're making it out to be...

Oh come on now, it's not THAT bad! We had a cordial convo about 2FA few months ago (in this very thread). How about we keep that dialogue going, and we solve this?

I know you're frustrated, but let's fix it. Being that you cannot log in to AW with your Google account, can you confirm you have AW listed as an item in your Google Authenticator? Like this? (but with your username):



If you do, can you describe exactly what happens when you go to make a PPS topup?

I know it’s a different topic but can I voice extreme irritation with your reCaptcha ID verification system? It wasn’t bad when it started, but it’s got worse and worse and worse to the point where it is now extremely annoying.

When it first was introduced you would enter your login details and then be shown a screen and asked to click on every square with traffic lights, fire hydrants or whatever. You would click on 3 or 4 squares where there were clear pictures of whatever it was, then click Verify, and you’d be logged on. ID verified, no problem.

Then it began to get fuzzier. The pictures were often less clear. A traffic light would me close to the edge of a square and might, or might not, extend to the adjoining square. Even enlarging the image and loooking very hard didn’t help. And then it got worse again: you’d click on a picture and it disappears then reappears. And you didn’t just have to do the test once; even if you were absolutely sure that you clicked every square correctly you’d have to do another test. And another. And another. This morning I had to do FIVE tests, and I took my time and did every one very carefully and I am quite sure I got every one right.

Enough is enough. Yes, we understand you want to protect your revenue. But it’s become obsessive. One of those bloody screens is enough. Please fix. And don’t just say it’s up to reCaptcha. They’ll do what you tell them to do.

Is that the captcha you get when logging in ? I never logout so I only see it about once a year or so, it didn't seem that bad back then?

The fuzzyness is probably intentional from reCaptcha, intended to make it harder for robot/machines to pass them. They're not as much for revenue protection but for account protection, without captcha's hackers could easier try to guess passwords. For some reason sites like abbywinters.com are rather populair targets, at least it's hackers with good taste I suppose

reCaptcha is owned or run by Google I *think* so I kinda doubt they'll do whatever someone tells them to. Can't hurt to ask 'm I guess.

It is indeed entirely up to reCaptcha - it's used by literally millions of sites. The alternatives are considerably poorer.

But as Frans suggested, all this frustration can be overcome by simply checking the "remember me" box - then you'll only have to log in once a year!

Secondly, you do not get a second (third, fourth...) challenge only because you made a mistake with the previous one (though that can be one reason). reCaptcha considers many factors to see if it thinks you're a robot. Using a VPN can contribute to that - do you use a VPN?

Thirdly, you used the example of a trafflight that's maybe one square or two squares - it really does not matter what you select, if it's that unclear. The ReCapture system will compare results from many people.

Fourthly, it's fine to just click the "reload" button to get a different challenge, if the one you're served is too unclear.

While you're probably too frustrated to want to read up on the unique challenges reCaptcha has, others may wish to read https://www.theverge.com/2019/2/1/18...l-intelligence.

Our FAQ on the matter also has some background, that you might find useful, https://support.abbywinters.com/i-am...is-this-thing/.

Overall, however, simply using "remember me" should solve this issue for you right now (is there a reason you're not using this?)

I’ll try the Remember Me, but as I only look at AW in Incognito mode I doubt it will work

Well I’ve been clicking Remember Me and so far it’s working. Thanks for the tip, Gration.