About all the recent account security concerns


Emberly

 

Posted

After reading the post about this in the announcement section I think our people are going about this the wrong way. We are getting more account hackings not for CoX but it's because of the game Aion. There seems to be an Aion-specific trojan that is getting the usernames and passwords from the keylogger and sending it to the gold sellers so they can hack the accounts. Many folks carelessly use the same username and password for both the game and the master account, which in turn gets them hacked. So not only are they losing their Aion accounts but any other NCSoft accounts they may have. I would encourage those who have had hacked accounts to visit the Aion forums and read the posting there by their community manager Tamat. These keyloggers get installed when users click links to fake pr0n sites which are really the sites of the gold sellers. The community manager there also said that the attempts at phishing and hacking increased due to Aion banning a lot of RMT accounts so they (RMT) are getting desperate. Right now you might think your system is clean but it's not always detectable so keep that in mind.


Bump and Grind Bane/SoA
Kenja No Ishi Earth/Empathy Controller
Legendary Sannin Ninja/Pain Mastermind
Entoxicated Ninja/PSN Mastermind
Ninja Ryukenden Kat/WP Scrapper
Hellish Thoughts Fire/PSI Dominator

Thank You Devs for Merits!!!!

 

Posted

WoW has some sort of account security service where they mail you something for your computer. I believe it plugs into the USB and generates a number or something to use whenever you login.

I really wish NCSoft offered this service because you'd never have to worry about being hacked ever again. Once you set up your account it is REQUIRED to have that device just to login.

Maybe I understood it incorrectly but I was told WoW had that. Any WoW players want to shed some light?


Friends don't let friends buy an ncsoft controlled project.

 

Posted

Quote:
Originally Posted by Noyjitat
WoW has some sort of account security service where they mail you something for your computer. I believe it plugs into the USB and generates a number or something to use whenever you login.

I really wish NCSoft offered this service because you'd never have to worry about being hacked ever again. Once you set up your account it is REQUIRED to have that device just to login.

Maybe I understood it incorrectly but I was told WoW had that. Any WoW players want to shed some light?
It's a little fob thing, you don't need to plug it into your PC but when you log in you must press the button on the fob and it generates a number. You enter the number and you are in. You can't access your account settings or log into the game without it. Works a treat. If you lose it you have to phone in and get things sorted but that's not a big deal I think. Supposedly it will last for a decade without batteries dying or whatever.


 

Posted

That's why WoW uses them; it's virtually impossible to break the cypher that generates the next OTP (One Time Password). Without the Username, Password, and OTP, one cannot log into the account, even if compromised by a keylogger, since the OTP changes for every login session.

Edit: My biggest problem with NCSoft's security is and has always been the restriction to alphanumeric characters. One could easily build a strong password using special characters such as $%@# and the like, but PlayNC Master Accounts won't let one use anything but alphanumeric characters - making brute force or dictionary attacks more effective, to a degree.


 

Posted

Quote:
Originally Posted by Noyjitat
I really wish NCSoft offered this service because you'd NEVER have to worry about being hacked ever again.
I'd be careful using that word.


@Rylas

Kill 'em all. Let XP sort 'em out.

 

Posted

Quote:
Originally Posted by Ironblade
Wow, that seems a bit much for a game.
I've seen lots of online banks and brokers that use those.
/this.

Seems like overkill. And the original issue was going on longer (and ignored, apparently) in Guild Wars.

(FWIW, I supported something similar when I worked for Lockheed Martin - the SecurID. Number changed every few seconds, had to combine it with your own PIN. They would, occasionally, get out of sync, which made logging in *interesting* to say the least. Made sense there, doesn't really make sense to use here.)
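The two properties discussed in the posts above (a captured code is useless for the next login, and a token that drifts "out of sync" has to be tolerated by the server) can be seen in a small verifier. This is an added example, not part of the thread and not the algorithm of the Blizzard fob or SecurID, which use their vendors' own schemes; it uses the open HOTP/TOTP construction (RFC 4226 / RFC 6238), and the 30-second step, window size and `TokenVerifier` name are assumptions.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds each code stays valid (assumed; real tokens vary)
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class TokenVerifier:
    """Server side of a time-based token (hypothetical class for this example)."""

    def __init__(self, secret: bytes, window: int = 2):
        self.secret = secret
        self.window = window   # steps of clock drift tolerated on each side
        self.drift = 0         # offset learned from the last good login
        self.last_step = -1    # highest step already used; blocks replay

    def verify(self, code: str, now: float) -> bool:
        center = int(now // STEP) + self.drift
        # Try the expected step first, then widen outwards.
        for delta in sorted(range(-self.window, self.window + 1), key=abs):
            step = center + delta
            if step <= self.last_step:
                continue       # a code from this step was already accepted
            expected = hotp(self.secret, step)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_step = step
                self.drift += delta   # follow the token's clock
                return True
        return False


def demo() -> dict:
    secret = b"12345678901234567890"   # RFC 4226 test secret
    server = TokenVerifier(secret)
    now = 1_000_000.0                  # constructed timestamp

    code = hotp(secret, int(now // STEP))
    first = server.verify(code, now)           # legitimate login
    replay = server.verify(code, now + 5)      # same code, e.g. keylogged

    # Token clock runs 45 s fast: one step ahead of the server.
    fast = hotp(secret, int((now + 60 + 45) // STEP))
    drifted = server.verify(fast, now + 60)

    # Token clock 10 minutes off: outside the window, login fails.
    far = hotp(secret, int((now + 120 + 600) // STEP))
    far_off = server.verify(far, now + 120)

    return {"first": first, "replay": replay, "drifted": drifted,
            "learned_drift": server.drift, "far_off": far_off}


if __name__ == "__main__":
    print(demo())
```

A wider window tolerates more drift but also makes more codes valid at any moment, which is the trade-off behind the "interesting" logins described above.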


 

Posted

You would not think it overkill if you spent the last 4.5 years of your life investing thousands of man hours building and maintaining your characters only to have it all stripped away in a few minutes.

This has happened thousands, I would wager even tens of thousands of times in World of Warcraft, and their response was perfect. This little thingy you buy for 7$ guarantees that your account will not be hacked, cracked or otherwise compromised by anyone not holding that device in their hand. That is a tiny cost to pay for such protection and peace of mind.

I left WoW shortly before this was released, but had I still been playing I would definitely own one even though I had never been compromised, I would rather not take the chance.

I wish all MMO's used this feature. It only takes a couple seconds more to login and it is so worth it. Would put a huge strain on the gold farmers as well.


 

Posted

One of my friends picked a fob up for free at Blizzcon. And yes, it is extremely hard on not only gold farmers, but also power-leveling companies that require account credentials.

Sure, it's only a game, but when 5 years of enjoyment are suddenly vaporized by an account hack (such as due to a keylogger, Trojan, or even a disgruntled friend), that fob could have been worth it, to say the least.


 

Posted

I JUST had my WoW account hacked last weekend. They (the hackers) somehow got my password (and just to clarify, I work in IT, and I'm quite aware of the most common methods by which passwords are stolen, however, my computer is CLEAN - I've just spent the last three evenings running scan after scan for viruses, malware, worms, keyloggers and rootkits and there is nothing there) and once they got into my account, they associated one of the authenticator devices to it in order to lock me out. It is more difficult for them to retain access to an account now, as there is a secret question/answer for password changes, so they are associating authenticators with stolen accounts (there is a software app version for iPhone, so it is easily downloadable) so the legitimate account holder is locked out of the account until she is able to spend 4 hours on hold and on the phone with account support to get the situation cleared up.

Unfortunately, Blizzard has not seen fit to require confirmation from the account holder before associating an authenticator with an account for the first time, nor is anything emailed to the account holder notifying her that a modification has been made to her account details. I find that to be a very bad omission on Blizzard's part and will be making it a priority to do my best to see that they change that. If they had required confirmation from me, nobody would have been able to lock me out of my account at all... granted, they still would have gotten into it, but they would have had less time with it than they got.

I do, however, have an authenticator on the way to my house. I know that it is only a game, only virtual stuff and that I will likely be able to get most, if not all of it restored, but the experience has made me stressed out and made me feel a little bit ... well ... violated. I would really rather not go through this again.

Hacking WoW accounts generates big money for gold-seller/hackers - they strip your characters, personal storage and guild storage of anything of value, sell it off at the auction house, sell the gold that they get from that and what was on your character, then use your stolen account to farm and/or hawk their gold sales and power leveling services. Then they sell the personal information from those people stupid enough to buy gold with their credit cards ...

Ugh.

Edited to add: I read a WoW forum post which suggested that Blizzard should include the device in the game box. I think that's a great idea.

Storm


Serenity is not freedom from the storm, but peace amid the storm ...
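The control the post above asks for (no authenticator is attached until the account holder confirms it, and every change is mailed to the address on file) can be sketched as follows. This is an added example, not part of the thread and not Blizzard's or NCSoft's code; `EnrollmentService`, the one-hour expiry, the serial strings and the in-memory outbox standing in for a mail gateway are all assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

CONFIRM_TTL = 3600  # seconds a confirmation token stays valid (assumed policy)


@dataclass
class Account:
    email: str
    authenticator: Optional[str] = None   # serial currently bound
    pending: Optional[Tuple[str, str, float]] = None  # serial, hash, expiry


class EnrollmentService:
    """Hypothetical enrollment flow: request, mail a token, confirm."""

    def __init__(self):
        self.outbox = []   # (recipient, message); stands in for a mailer

    def request(self, account: Account, serial: str, now: float) -> None:
        token = secrets.token_urlsafe(16)
        digest = hashlib.sha256(token.encode()).hexdigest()
        # Only the hash is stored; nothing is bound to the account yet.
        account.pending = (serial, digest, now + CONFIRM_TTL)
        # The token goes to the address on file, never to the web session.
        self.outbox.append(
            (account.email, f"Confirm authenticator {serial}: {token}"))

    def confirm(self, account: Account, token: str, now: float) -> bool:
        if account.pending is None:
            return False
        serial, digest, expires = account.pending
        supplied = hashlib.sha256(token.encode()).hexdigest()
        if now > expires or not hmac.compare_digest(digest, supplied):
            return False
        account.authenticator, account.pending = serial, None
        self.outbox.append(
            (account.email, f"Authenticator {serial} was added to your account"))
        return True


def demo():
    svc = EnrollmentService()
    acct = Account(email="owner@example.test")   # constructed account

    # Session opened with a stolen password: the request alone binds nothing.
    svc.request(acct, "UNKNOWN-SERIAL", now=0)
    guessed = svc.confirm(acct, "guess", now=10)
    bound_after_guess = acct.authenticator

    # Owner enrolls their own device but clicks too late, then retries.
    svc.request(acct, "OWNER-SERIAL", now=100)
    token = svc.outbox[-1][1].rsplit(" ", 1)[1]
    expired = svc.confirm(acct, token, now=100 + CONFIRM_TTL + 1)
    svc.request(acct, "OWNER-SERIAL", now=5000)
    token = svc.outbox[-1][1].rsplit(" ", 1)[1]
    confirmed = svc.confirm(acct, token, now=5060)

    return (guessed, bound_after_guess, expired, confirmed,
            acct.authenticator, len(svc.outbox))


if __name__ == "__main__":
    print(demo())
```

The first request in the demo still produces a message to the owner's mailbox, which is the notification the post says was missing.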

 

Posted

Quote:
Originally Posted by Noyjitat
I really wish NCSoft offered this service because you'd never have to worry about being hacked ever again. Once you set up your account it is REQUIRED to have that device just to login.
It's nice to see that yet another person doesn't understand the NCSoft security problem. What's been happening is that you log in to the NCSoft Master Account site with your own username and password, and the server gives you access to somebody else's account. Having one of these keyfobs wouldn't change a thing.


 

Posted

Quote:
Originally Posted by PerfectStorm
I JUST had my WoW account hacked last weekend. They (the hackers) somehow got my password (and just to clarify, I work in IT, and I'm quite aware of the most common methods by which passwords are stolen, however, my computer is CLEAN - I've just spent the last three evenings running scan after scan for viruses, malware, worms, keyloggers and rootkits and there is nothing there) and once they got into my account, they associated one of the authenticator devices to it in order to lock me out. It is more difficult for them to retain access to an account now, as there is a secret question/answer for password changes, so they are associating authenticators with stolen accounts (there is a software app version for iPhone, so it is easily downloadable) so the legitimate account holder is locked out of the account until she is able to spend 4 hours on hold and on the phone with account support to get the situation cleared up.

Unfortunately, Blizzard has not seen fit to require confirmation from the account holder before associating an authenticator with an account for the first time, nor is anything emailed to the account holder notifying her that a modification has been made to her account details. I find that to be a very bad omission on Blizzard's part and will be making it a priority to do my best to see that they change that. If they had required confirmation from me, nobody would have been able to lock me out of my account at all... granted, they still would have gotten into it, but they would have had less time with it than they got.

I do, however, have an authenticator on the way to my house. I know that it is only a game, only virtual stuff and that I will likely be able to get most, if not all of it restored, but the experience has made me stressed out and made me feel a little bit ... well ... violated. I would really rather not go through this again.

Hacking WoW accounts generates big money for gold-seller/hackers - they strip your characters, personal storage and guild storage of anything of value, sell it off at the auction house, sell the gold that they get from that and what was on your character, then use your stolen account to farm and/or hawk their gold sales and power leveling services. Then they sell the personal information from those people stupid enough to buy gold with their credit cards ...

Ugh.

Edited to add: I read a WoW forum post which suggested that Blizzard should include the device in the game box. I think that's a great idea.

Storm
See, that's the thing. People who think their PC is clean really aren't. That's how all of this happened with Aion. So many folks are just so overconfident their machine will never get spyware, virus or trojans. Right now the trojan that's affecting Aion users is almost undetectable by most virus scanners. It will be a minute before virus definitions come out for this one. I am an IT professional as well but I don't think for one minute I am 100% safe. I am also not saying brute force password attacks don't happen, it's just odds are you probably got keylogged somehow.


Bump and Grind Bane/SoA
Kenja No Ishi Earth/Empathy Controller
Legendary Sannin Ninja/Pain Mastermind
Entoxicated Ninja/PSN Mastermind
Ninja Ryukenden Kat/WP Scrapper
Hellish Thoughts Fire/PSI Dominator

Thank You Devs for Merits!!!!

 

Posted

Quote:
Originally Posted by Katie V
It's nice to see that yet another person doesn't understand the NCSoft security problem. What's been happening is that you log in to the NCSoft Master Account site with your own username and password, and the server gives you access to somebody else's account. Having one of these keyfobs wouldn't change a thing.
Some users have been claiming this was happening on Aion's home page. On the page you have a log in that lets you see your character, stats, auction house sales and gear (AKA what never gonna happen City Vault should have been). Sometimes when you log in it does let you see someone else's character but that's about it. It doesn't let you change anything from there or tie into someone's master NCSoft account.


Bump and Grind Bane/SoA
Kenja No Ishi Earth/Empathy Controller
Legendary Sannin Ninja/Pain Mastermind
Entoxicated Ninja/PSN Mastermind
Ninja Ryukenden Kat/WP Scrapper
Hellish Thoughts Fire/PSI Dominator

Thank You Devs for Merits!!!!

 

Posted

Quote:
Originally Posted by EvilRyu
See, that's the thing. People who think their PC is clean really aren't. That's how all of this happened with Aion. So many folks are just so overconfident their machine will never get spyware, virus or trojans. Right now the trojan that's affecting Aion users is almost undetectable by most virus scanners. It will be a minute before virus definitions come out for this one. I am an IT professional as well but I don't think for one minute I am 100% safe. I am also not saying brute force password attacks don't happen, it's just odds are you probably got keylogged somehow.
I did not say that my computer will never get spyware, viruses or trojans. I said that I scanned my computer with multiple virus scanners, rootkit scanners and malware scanners. And I did so multiple times, under multiple conditions. There was nothing found. Nothing. The very first thought I had when I found my account had been hacked was that my computer must have something on it - I am not in denial, I'm not clueless, I'm not naive - I'm not infected.

The other thing ... rootkits are the tools that enable these bits of malware and keystroke loggers to be hidden. The 64 bit OS (I have Vista Ultimate 64 bit), while not immune from infection, is very difficult if not impossible to infect with a kernel rootkit, because the kernel cannot be patched.

The hackers out there are using multiple means of getting people's passwords, and, most unfortunately for WoW players, Blizzard has basically given away the farm with their requirement that your game account login and your login to account management is ... ready? Your EMAIL ADDRESS plus a single password for both the game and the account management login. The email address has to be one that you actually check, because that is also your contact email address. And this was done in the name of "security"... what it's done, in essence, is handed hackers half of the information they need in order to break into accounts. The other half (password) is undoubtedly being taken care of by malware/rootkits/keyloggers in addition to programs that run password cracking in a manner that won't lock the account.

Hackers use sophisticated software to get what they want. It is not always the fault of the unsuspecting gamer or the gamer's computer.

Storm


Serenity is not freedom from the storm, but peace amid the storm ...

 

Posted

Quote:
Originally Posted by Katie V
It's nice to see that yet another person doesn't understand the NCSoft security problem. What's been happening is that you log in to the NCSoft Master Account site with your own username and password, and the server gives you access to somebody else's account. Having one of these keyfobs wouldn't change a thing.
When I see actual video or photographic evidence of this actually occurring, then I might believe it. Until then, it's unquantified F.U.D.


 

Posted

Quote:
Originally Posted by F_M_J
You would not think it overkill if you spent the last 4.5 years of your life investing thousands of man hours building and maintaining your characters only to have it all stripped away in a few minutes.

I wish all MMO's used this feature. It only takes a couple seconds more to login and it is so worth it. Would put a huge strain on the gold farmers as well.
If all MMOs had this feature, RSA stock would shoot through the roof. There'd be a keyfob for every game, or at least every game manufacturer. Where'd I put the Halo fob... no, that's NCSoft... there's the Blizzard one... that's Dragon Age... god only knows how many Final Fantasy would need!

Then there's the token infrastructure and authentication upgrades required on the back end. It's not the worst idea, but it would drive people away from trying the game out. How would trial accounts be handled? Would you get one in every box? Pay deposit until you decide to sub?


 

Posted

Quote:
Originally Posted by Spear0
If all MMOs had this feature, RSA stock would shoot through the roof. There'd be a keyfob for every game, or at least every game manufacturer. Where'd I put the Halo fob... no, that's NCSoft... there's the Blizzard one... that's Dragon Age... god only knows how many Final Fantasy would need!

Then there's the token infrastructure and authentication upgrades required on the back end. It's not the worst idea, but it would drive people away from trying the game out. How would trial accounts be handled? Would you get one in every box? Pay deposit until you decide to sub?
This is ridiculous, I said MMO's, not every game. Halo, Dragon Age, etc are not MMO's and are not the target of any large scale hacking enterprise looking to make a profit.

The trial accounts don't need them since they are not worth anything yet. If you decide to obtain a full subscription then it would be prudent to purchase one (a fob) and use it.

Also, I believe most people don't play multiple MMO's at the same time so there would not be an issue trying to manage multiple fobs, and the ones that do play two, maybe three at the most.

The minor cost of the upgrades on the back end would more than be made up for by the near complete drop in petitions and customer service calls regarding account hacking.


 

Posted

Quote:
Originally Posted by F_M_J
Also, I believe most people don't play multiple MMO's at the same time so there would not be an issue trying to manage multiple fobs, and the ones that do play two, maybe three at the most.

The minor cost of the upgrades on the back end would more than be made up for by the near complete drop in petitions and customer service calls regarding account hacking.
I know I'm not "most people" by any stretch, but ... I play 3 MMO's right now - not at the exact same moment, but all of them generally a couple of times a week if not more frequently, and sometimes I am known to play a bit of each of them in an evening or day. At one point, I was playing four MMO's pretty much all the time, but I've suspended my Age of Conan account as the rest of my guild has stopped playing. And, at the craziest point, I also had a trial account for CO ...

That being said, I would still have no problem with extra layers of security to prevent my accounts being hacked. WoW is by far the most gear / item driven of all the MMO's I play, with Aion a close second. CoX ... not so much (even if you are calling enhancements "gear"). And with the huge player base that WoW has, it is also, by far the most lucrative for the hackers/gold sellers. Make me jump through some hoops so that someone can't hack my account - and I'll just say "thanks for thinking of me."

Storm


Serenity is not freedom from the storm, but peace amid the storm ...

 

Posted

Quote:
Originally Posted by F_M_J
Also, I believe most people don't play multiple MMO's at the same time so there would not be an issue trying to manage multiple fobs, and the ones that do play two, maybe three at the most.

The minor cost of the upgrades on the back end would more than be made up for by the near complete drop in petitions and customer service calls regarding account hacking.
So the bulk of your argument consists of a 'belief' and a made-up 'fact'.

Unless you work in computer security, you have no idea how "minor" the back-end cost is. And unless you manage tech support, you have no idea what the customer service cost is.


Paragon City Search And Rescue
The Mentor Project

 

Posted

Quote:
Originally Posted by F_M_J
The minor cost of the upgrades on the back end would more than be made up for by the near complete drop in petitions and customer service calls regarding account hacking.
This talk comes from a dark and fecal-smelling orifice.

I don't know about you, but I've actually bought and implemented a SecurID infrastructure in the course of my employment.

Even with all the tools provided by RSA and somebody who's set up such a system before holding your hand, the cost of implementation is NOT minor. And the cost multiplies for every additional authentication-controlled system you have to tie back to it.



Clicking on the linked image above will take you off the City of Heroes site. However, the guides will be linked back here.

 

Posted

Quote:
Originally Posted by Katie V
It's nice to see that yet another person doesn't understand the NCSoft security problem. What's been happening is that you log in to the NCSoft Master Account site with your own username and password, and the server gives you access to somebody else's account. Having one of these keyfobs wouldn't change a thing.
I'm not even aware of or referring to whatever problem you're talking about. I just added my own little thoughts about increased account security to this thread.


Friends don't let friends buy an ncsoft controlled project.

 

Posted

Quote:
Originally Posted by Ironblade
So the bulk of your argument consists of a 'belief' and a made-up 'fact'.

Unless you work in computer security, you have no idea how "minor" the back-end cost is. And unless you manage tech support, you have no idea what the customer service cost is.
Yep, and when taken in context they are both pretty accurate. Since you did not provide any useful information here, other than saying "I think you are wrong since you didn't say if you worked in customer service or in tech support management" (which by the way is also a "belief" or "made up fact" since you do not know to the contrary), I am assuming you just posted to argue with me; however, I will try to elaborate a bit.

The cost of implementing the fob device, when compared to the money saved by not having to deal with thousands and thousands of requests for account issues regarding hacking, stolen pw's, etc which ties up thousands of man hours will easily be covered and then some. Of course, this is dependent on the size of the customer base which greatly affects the cost savings that would be gained, so YMMV.

Yes, most people, not all, do not play multiple MMO's at the same time. Again, when taken in context, ALL players who play MMO's vs the number of those players who actively play 3+ MMO's will be far far fewer than the norm who play one, maybe 2 at the same time.

If a company can implement this feature while only charging a meager $7 for the fob and a zero percent increase in the subscription cost then the cost can't be that astronomical. I don't see why you guys are complaining about the cost when there will be extremely minimal impact to the customer, and it's not like YOU have to pay for it. This is of course assuming that all the situations would come out like Blizzard's did. If there was a corresponding increase in the monthly cost, more than a dollar or so then I might reconsider my glowing approval for this system.

Feel free to prove my "fact" or "belief" wrong if you wish, but until then I stand by them.

And yes, I do work in Tech Support and Management in fact, not that it makes any difference here.


 

Posted

Quote:
Originally Posted by F_M_J
Feel free to prove my "fact" or "belief" wrong if you wish, but until then I stand by them.
(shrug) I notice you give a detailed reply to my post, but 'overlook' the reply to you from someone who actually knows what they're talking about, quoted here:
Quote:
Originally Posted by Hyperstrike
I don't know about you, but I've actually bought and implemented a SecurID infrastructure in the course of my employment.

Even with all the tools provided by RSA and somebody who's set up such a system before holding your hand, the cost of implementation is NOT minor. And the cost multiplies for every additional authentication-controlled system you have to tie back to it.


Paragon City Search And Rescue
The Mentor Project

 

Posted

Quote:
Originally Posted by Ironblade
(shrug) I notice you give a detailed reply to my post, but 'overlook' the reply to you from someone who actually knows what they're talking about, quoted here:
*shrug* Because he gave a well thought out, and detailed post with information to back up his claims rather than just post hypocritical nonsense. However, he could have done it without the veiled insult.

I addressed several posts in my reply, but I am not willing to put forth the effort to copy and quote everyone so I just took the first reply and went down from there. This first reply just happened to be yours.