How can I investigate an unknown authorized “device”?
When removing a MacBook Pro from work from the list of authorized devices I noticed a Safari log in on March 30 from “London, United Kingdom GB”. However, I was not in London that day; not even in the UK. All other devices list the correct city and country, but this one is bothering me!
How can I investigate this?
(The only assuring explanation I could come up with, but can’t verify, is that I was using Mobile Safari on an iOS device with Encrypt.me VPN enabled and set to “Fastest Available” instead of my own country)
Sync Type: 1password.com
Comments
-
(The only assuring explanation I could come up with, but can’t verify, is that I was using Mobile Safari on an iOS device with Encrypt.me VPN enabled and set to “Fastest Available” instead of my own country)
That explains it. One common (and often intentional) side-effect is that using a VPN will cause you to appear to be located wherever the VPN server that you are connected to is located. In fact many people use a VPN just for this reason.
Ben
0 -
It’s a possible explanation, but only if I actually did that...
Is Mobile Safari listed as just Safari on that page?
0 -
Yes; I just tested and that does appear to be the case.
Ben
0 -
Did not notice the OS before...
That weird entry shows “macOS High Sierra”, so the theory (VPN on iOS causing this) is proven false... :(
0 -
Perhaps it is worth looking into further then. You can look up who owns the IP (usually an ISP) using a tool like this one from Hurricane Electric:
http://rwhois.he.net/whois.php
That may help give you some insight.
Ben
0 -
I spoke with our security team about this case. If you'd like to have them investigate further on their end please send us an email to support+forum@agilebits.com. With your email please include:
- A link to this thread: https://discussions.agilebits.com/discussion/89538/
- Your forum username: XIII
- Which 1Password instance you are using (.com, .eu, or .ca)
Please reply here with your Support ID when you receive one. :)
Thanks!
Ben
0
-
Let me give a more generic response here, and will discuss the specific case when this gets to me via email support.
- If the event that has the strange IP address isn't actually about setting up a new device, then there is extremely little chance that this is something to worry about.
- If the event is about enrolling a new device that you do not recall enrolling, then it is worth asking whether someone could have gotten your Master Password and Secret Key. If your 1Password Master Password is not unique, and if one of your devices fell into the hands of a potential attacker (so they got the Secret Key), then there is a potential issue.
- If you used 1Password from that device at that time, then it is also going to be just a VPN-like routing issue.
We really see this kind of thing all the time. So much so, that I sometimes wonder whether it is doing more harm than good to report locations based on IP.
0 -
@Ben: The IP lookup did definitely help! Thanks.
The IP is owned by "Zscaler, Inc.". A customer I worked for uses Zscaler Cloud Security. This is most likely the explanation...
It's a bit hard to verify, since the last access was dated March 30 (more than a month ago). Suggestion: send a push notification to the iOS Apps whenever a login from a new IP occurs (I don't check this list of authorized devices regularly, so an immediate trigger would help).
0 -
Yes, I do.
I guess I only checked the headline back then, because I now see that the body of the mail of March 30 does mention “England, United Kingdom”.
0 -
@XIII: Yeah, it can definitely be confusing — and sometimes alarming. I'd be lying if I said I hadn't panicked myself a few times when I forgot that I had changed my VPN settings for whatever reason and got a notification "in" a country I didn't expect. I think it's helpful to break this down a bit:
- When a sign in email notification is received, did I just sign in at that time?
- If so, it's still worth verifying, but that makes it easier to narrow down. What's my IP being reported as currently? Then sign into my 1Password.com Profile page to confirm.
Of course, if I didn't just sign in on a device, I should still head on over to 1Password.com, but to change my account credentials. Or, if the time frame is right but something else isn't adding up, that's an opportunity for me to do the same, but then to also investigate further myself, or by getting in touch with support — awkward, for me, but hey, better safe than sorry! :)
0
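The checks discussed in this thread (who owns the IP, whether the event is a new device enrollment, and whether the owner was using 1Password at that time) can be combined into a small triage helper. This is an added example, not part of the original posts and not 1Password's own code; the event fields, the `KNOWN_EGRESS` list and the whois sample (a documentation address range, not the address from the thread) are assumptions constructed for illustration.

```python
import ipaddress

# Constructed whois reply; 203.0.113.0/24 is a documentation range (RFC 5737).
SAMPLE_WHOIS = """\
# constructed sample
NetRange:       203.0.113.0 - 203.0.113.255
CIDR:           203.0.113.0/24
OrgName:        Zscaler, Inc.
Country:        GB
"""

# Assumption: egress operators the account owner knows their traffic may use.
KNOWN_EGRESS = ("zscaler", "encrypt.me")


def parse_whois(text):
    """Return {field: value} for 'Key: value' lines; first occurrence wins."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip() and not key.startswith(("#", "%")):
            fields.setdefault(key.strip().lower(), value.strip())
    return fields


def triage(event, whois_text, known_egress=KNOWN_EGRESS):
    """Classify one sign-in entry; returns (verdict, network owner)."""
    who = parse_whois(whois_text)
    ip = ipaddress.ip_address(event["ip"])
    # Only trust the OrgName if the whois record really covers this address.
    in_range = "cidr" in who and ip in ipaddress.ip_network(who["cidr"], strict=False)
    owner = who.get("orgname", "unknown") if in_range else "unknown"
    via_known = any(name in owner.lower() for name in known_egress)
    if event["new_device"] and not event["owner_recalls"]:
        verdict = "investigate: unrecognized enrollment, change credentials"
    elif via_known:
        verdict = "likely benign: routed via known egress"
    elif event["owner_recalls"]:
        verdict = "likely benign: VPN-like routing"
    else:
        verdict = "verify: unknown network owner"
    return verdict, owner


if __name__ == "__main__":
    # Constructed event resembling the one in the thread (not a new enrollment).
    entry = {"ip": "203.0.113.45", "new_device": False, "owner_recalls": False}
    print(triage(entry, SAMPLE_WHOIS))
```
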