Discussion: New Security Update on NCsoft Master Accounts


aleph_EU

 

Posted

Quote:
Originally Posted by Tenzhi View Post
My master NCsoft account has never had the same password as my CoH/Forum account.
I stand corrected.

But having the game login the same as the forum login is still stupid and bad security.
Having the master account able to share the same password is also not great security practice.

edit:

I'm not going to risk buying, changing or editing anything on my master account until I get my precious vanguard pack.

Will lockouts cause people to lose that?


I don't suffer from altitis, I enjoy every minute of it.

Thank you Devs & Community people for a great game.

So sad to be ending ):

 

Posted

So totally hate it. Just tried logging on under our usual info and it says it's all wrong. Tried to contact support but nothing. I personally think you botched this up.


 

Posted

To the Female NCSoft Rep (Vivian) whose call my phone dropped at 5:36 PM EST:

I love you. You were helpful, kind, and courteous even though all you could confirm was my recent serial code. And you probably won't see this. But you sent me a one time link to change my master account password and my security questions.

Pay attention to the bolded part, people; this is what you need to ask for if it's not given.


 

Posted

And, people, this is why you pick the ones that are easy to remember... Sorted here.

That said, I don't doubt the various nightmare stories, and hope everyone who's fallen foul of the 'Security' changes gets sorted out to their satisfaction soon.


Quote:
Originally Posted by Zwillinger View Post
GG, I would tell you that "I am killing you with my mind", but I couldn't find an emoticon to properly express my sentiment.
Quote:
Originally Posted by Captain_Photon View Post
NOTE: The Incarnate System is basically farming for IOs on a larger scale, and with more obtrusive lore.

 

Posted

This is bull. I can't log onto my Master Account because I forgot my damn password; it's been 3-4 years since I used it. The worst is I try to get help for it and you guys aren't freaking helping me access my account.


Never play another NCsoft game. If you feel pride for our game, then it as well; I, Superratz, am proud of all of you CoH people. Love and friendship will last for a lifetime.

Global: @Greenflame Ratz
Main Toons: Super Ratz, Burning B Radical, Green Flame Avenger, Tunnel Ratz, Alex Magnus

 

Posted

Quote:
Originally Posted by Techbot Alpha View Post
And, people, this is why you pick the ones that are easy to remember... Sorted here.
I wasn't asked "what is your mother's maiden name?" or "What was your first pet's name?". If I'm given a choice I purposely choose anything BUT those questions because of the security RISK that they pose.

I was asked what my birthday is (I'm pretty sure I got that right) and "what is my computer type?" I gave my standard response (I self-build my computers so I get to name them whatever I want) to that question in a couple different capitalization variations.




Triumph: White Succubus: 50 Ill/Emp/PF Snow Globe: 50 Ice/FF/Ice Strobe: 50 PB Shi Otomi: 50 Ninja/Ninjistu/GW Stalker My other characters

 

Posted

Update: Been over 24 hours now. STILL locked out of my account from my home IP address.



Clicking on the linked image above will take you off the City of Heroes site. However, the guides will be linked back here.

 

Posted

Quote:
Originally Posted by Hyperstrike View Post
Update: Been over 24 hours now. STILL locked out of my account from my home IP address.
I haven't been locked out (I have 1 attempt left),

but it's been almost 24 hours since I sent in my support ticket and no response on it.


 

Posted

Quote:
Originally Posted by Snow Globe View Post
I wasn't asked "what is your mother's maiden name?" or "What was your first pet's name?". If I'm given a choice I purposely choose anything BUT those questions because of the security RISK that they pose.

I was asked what my birthday is (I'm pretty sure I got that right) and "what is my computer type?" I gave my standard response (I self-build my computers so I get to name them whatever I want) to that question in a couple different capitalization variations.

You were initially asked to choose these questions when you started the account.

And remember, it's essentially working like a password. If your original answer was "I build all my stuff myself from parts" and you answer "self-built", it doesn't work.

I'm just lucky the credit card I still have is the one I originally registered the account with.




 

Posted

Quote:
Originally Posted by MoltenSlowa View Post
To the Female NCSoft Rep (Vivian) whose call my phone dropped at 5:36 PM EST:

I love you. You were helpful, kind, and courteous even though all you could confirm was my recent serial code. And you probably won't see this. But you sent me a one time link to change my master account password and my security questions.

Pay attention to the bolded part, people; this is what you need to ask for if it's not given.
This actually doesn't help people who've had their IP addresses flagged in the lockout too. Sure, you can get back in from other locations. But how long before the IP block drops and we can log in from home again?

I REALLY don't want to be fscking around with this for 30-60 days.




 

Posted

Quote:
Originally Posted by Hyperstrike View Post
You were initially asked to choose these questions when you started the account.

And remember, it's essentially working like a password. If your original answer was "I build all my stuff myself from parts" and you answer "self-built", it doesn't work.
I know that... And the answer I always give to that question should be valid. It likely is correct, but the wrong case. I'm not willing to lock my account to fix it though.

Quote:
Originally Posted by Hyperstrike View Post
I'm just lucky the credit card I still have is the one I originally registered the account with.
Same.





 

Posted

Quote:
Originally Posted by Avatea View Post
Hi all. We understand this is a pretty big change for some of you and while this was implemented in order to increase the security of all NCsoft Master Accounts, we certainly don't want to create situations where you are no longer able to access your Master account, therefore limiting your access to your City of Heroes account. Our Support team certainly expected to receive a lot of tickets after the announcement was made and they are dealing with every single one of those tickets as diligently as possible. This will however take a little while and we would like to thank you for your patience while this is being done.
Not to specifically shoot the messenger, but I'm going to put my security professional hat on now. I'm now speaking as an authority on information systems security, not just some shmuck that works the help desk at Symantec. I'm not fooling around here.

1. Asking people to use *truthful* personal information as authentication information is no longer considered best practice, as others have pointed out. It's considered about as stupid as using your own name as your password in the security community, or "123456". In fact, *asking* people for this information as authentication information could be considered both a breach of privacy *and* a failure to protect customers from phishing attacks. I would personally cite a customer for doing this today, and for a few years now. I *have* cited customers for doing this: this is not a "should remediate" but "must remediate" audit failure.

Back when this game was new, that was not a commonly held opinion, so they get a legacy pass. But the current system leverages it, and no reputable security professional would do that in a system intended to improve the security of the system for its users. No reputable professional with a brain.

2. Best practice for customers asked by a company to do this is to pick someone else randomly, and use their answers. A distant cousin, your mother's neighbor, someone familiar but whom no one would likely guess off the top of their heads even if they knew you personally. Or, famous or fictional people work as well. Abraham Lincoln, James Bond, Spider Jerusalem - someone you can remember and easily look up the answers to even if you forget them. It's a variation on the "pick a password by picking a memorable phrase, then using the third letter from each word plus some numbers and punctuation." You can make arbitrarily long and strong passwords this way without having to remember them.

3. Tying the security to IP address is not a good idea in isolation. It's not as stupidly bad as the thing above, but it's still not good. Cloud vendors like to do this, and it's fine if the goal is not to secure the system, but to restrict the pool of potential attackers. Sure: if your IP address changes often, eventually someone else will have your IP address and could attack your account. But that is still better than everyone on Earth being able to do that. The problem, as others have specified, is that people whose addresses change a lot will have to reauthenticate often. This violates one of the cardinal rules of security: don't make it harder for the user than it would be for an attacker. I could *attack* the system easier than someone whose IP address changes every day could even use the system normally. In the security community, we call that an Epic Phail.

Incidentally, good cloud vendors at least tend to authenticate out of band. Meaning, they don't usually ask you security questions to validate the new address, they do something like send an email to you asking you to authenticate the address. Which is slightly more secure, but also less practical for a game. In this case, an encrypted cookie would have been better. Alternatively an SSL client authentication certificate would have been better yet: that is how I would have likely written the system if I wanted some level of authentication with minimal cost, without the problems associated with IP filtering and cookies.

4. If you're really serious about security take a cue from WoW. Give people the *option* to use two-factor authentication. *Real* two-factor authentication. These days, you can even get authenticator tokens built into software that work in smartphones: RSA (which was mentioned earlier) has an iPhone soft-token and I believe an Android one. Or you can go with the cheaper Vasco (I believe) tokens that Blizzard went with. I think the $6.50 price is the price break when you buy in crates of a million, but they are still fairly cheap even at non-blizzard quantities. Or you can even go with one of those services that will text message you a login passcode when you want to log in if you want to eliminate the hardware and software altogether (but those have issues, not the least of which is having to register a phone number).

With genuine two-factor authentication, you don't have to worry about all this IP address validation stuff. The token just works wherever the player is, however the player logs in, because the presumption is that the player isn't sharing the token with someone else. If they are, that's their problem (also, this presumes NCSoft protects seed records for the tokens better than Fort Knox).


You're supposed to leave corporate security to the professionals. Whoever advised NCSoft to do this is either not a professional, or not a good one. I intend to ask around.


Summary:

Option 1: Cookies. Okay. Unless your players like blocking cookies.

Option 2: SSL certificate auth with verification before issuance. Good. Assuming your web developers know what they are doing and your players haven't teleported into this year from the early 90s.

Option 3: Two-factor token auth. Better. Also more expensive.

Option 4: IP filters. Bad. More work for some valid users than statically allocated attackers.

Option 5: Personal information questions. Very Bad. Considered a laughingstock by modern security professionals.


[Guide to Defense] [Scrapper Secondaries Comparison] [Archetype Popularity Analysis]

In one little corner of the universe, there's nothing more irritating than a misfile...
(Please support the best webcomic about a cosmic universal realignment by impaired angelic interference resulting in identity crisis angst. Or I release the pigmy water thieves.)
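As an added example for the two-factor point in the post above (not code posted by anyone in this thread, and not what NCsoft, RSA, Vasco or Blizzard ship), here is the HOTP/TOTP algorithm (RFC 4226 / RFC 6238) that the soft tokens mentioned implement, together with the server-side check that tolerates one step of clock drift and refuses to accept the same code twice. `generate_seed`, `provisioning_secret` and the `TokenVerifier` class are this example's own names; the `hmac`, `hashlib` and `struct` calls are Python standard library.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional


def generate_seed(nbytes: int = 20) -> bytes:
    """Per-account secret shared with the token. Stored server-side, it must be
    protected like the password database: whoever reads it can mint codes."""
    return secrets.token_bytes(nbytes)


def provisioning_secret(seed: bytes) -> str:
    """Base32 form of the seed, which is what authenticator apps take at enrolment."""
    return base64.b32encode(seed).decode("ascii")


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then the
    'dynamic truncation' step that picks 4 bytes at an offset taken from the MAC."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of time steps since the epoch."""
    return hotp(seed, int(at_time) // step, digits)


class TokenVerifier:
    """Server-side check for one account (assumed class, not a library API).
    Accepts the previous, current and next step to absorb clock drift, and never
    accepts a counter twice, so a code captured in transit cannot be replayed."""

    def __init__(self, seed: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.seed = seed
        self.step = step
        self.digits = digits
        self.window = window
        self.last_counter = -1  # highest counter already consumed

    def verify(self, submitted: str, at_time: Optional[int] = None) -> bool:
        if not submitted.isascii():
            return False  # compare_digest needs ASCII; a code never contains anything else
        now = int(time.time()) if at_time is None else int(at_time)
        base = now // self.step
        for drift in range(-self.window, self.window + 1):
            counter = base + drift
            if counter <= self.last_counter:
                continue  # already used once (or negative): treat as replay
            expected = hotp(self.seed, counter, self.digits)
            if hmac.compare_digest(expected, submitted):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    seed = generate_seed()
    print("enrol this in the authenticator app:", provisioning_secret(seed))
    verifier = TokenVerifier(seed)
    code = totp(seed, int(time.time()))
    print("code", code, "accepted:", verifier.verify(code))
    print("same code presented again:", verifier.verify(code))
```

The RFC test key `12345678901234567890` gives 755224 for counter 0 and 94287082 for the 8-digit code at Unix time 59, which is a quick way to check a homegrown implementation against the published vectors. The post's Fort Knox remark is the real operational burden of this design: the seed table can mint every user's codes, so it needs the same protection as the password store.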

 

Posted

Quote:
Originally Posted by Arcanaville View Post
*SNIP*
Thank you for summing up what I'm currently too irritated to express in a civil fashion.




 

Posted

Quote:
Originally Posted by Avatea View Post
New Security Feature Added
Oh, and I'll add that if I ever find out that CoH adopts a Character PIN like Aion, that will likely cause me to quit playing any and all NCsoft games.

I have a suggestion to enhance security at NCsoft: Hire competent security staff.
--------
It has been 24 hours since my support ticket was filed, with no response beyond the automated response.





 

Posted

Quote:
Originally Posted by Snow Globe View Post
It has been 24 hours since my support ticket was filed, with no response beyond the automated response.
I'm in the same boat here; 24 hours and no response yet.


 

Posted

Quote:
Originally Posted by Snow Globe View Post
Oh, and I'll add that if I ever find out that CoH adopts a Character PIN like Aion, that will cause me to quit playing any and all NCsoft games.
I've only been a security professional for about seventeen years now, so it's possible the developers of Aion know something I don't, but I'm having difficulty with the concept of evading a keystroke logger by making the player type more keys. Seriously: that's going on a slide on my next presentation as an ice-breaker joke.

If you want to thwart keystroke loggers, there are ways to do that. In fact, there are keypad entry systems that exist today for high security environments in which the keys don't have printed numbers: they have LEDs behind them that randomly move the numbers around so that the keypad is different every time you use it. Why? So that it's not possible to guess someone's PIN by either looking over their shoulder or by looking for fingerprint smudges on the buttons.

Similarly, if you want to thwart a keystroke logger, just make the player type different keys every time they want to log in by making them do something that requires different keys. Something as simple as asking them to click on one picture on a screen out of many different pictures that are randomly displayed would thwart all keystroke loggers I'm aware of. Only a video session recorder would beat that, and if someone has hijacked your computer and is video capturing your session and relaying that over the internet without your knowledge, just send them all your money now and save them the trouble. Whatever you did to piss off that guy, you're screwed.

So yeah, one way for even City of Heroes to evade keystroke loggers, assuming any large hacking group is even targeting City of Heroes, is to change the login screen so that it has name, password, and a bunch of pictures of different critters: Malta, CoT, Carnies, Family, Nemesis, etc. To log in, type name, type password, click on your favorite critter, and in you go. Keystroke logger defeated. Make sure X wrong guesses locks the account out so they cannot just keep guessing pictures randomly. Not secure enough: make players click two. Do the same thing for master account login on the web site, and you're done. Or use the other technique: print letters on the pictures, and make the user type the letter(s) of their favorite critters in a third blank.

This would take me all of an afternoon to code (for the web: for the game, it shouldn't take more than a day or two, SCR or no SCR), and poof: no more keystroke logger problem. And it would be actually more secure than what was actually implemented. Because I'll bet the security questions are easier to guess the answers to collectively across the entire playerbase than these visual captchas would be to crack.


By the way, I have no personal ax to grind here. I got home, authenticated my computer, remembered the original answer I gave to the security question provided, and passed the captcha. So I'm not saying this entire thing is questionable from a security stand point because I'm pissed off I'm locked out of something. I'm fine. I still think this is not kosher.


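As an added example, not posted by anyone in this thread, the picture-click login described in the post above written out so the lockout rule is explicit: password and chosen picture(s) are stored as salted PBKDF2 hashes, the picture grid is reshuffled for every login screen, and `max_failures` wrong attempts of either factor lock the account. The critter list, the account store and the `LoginService` API are constructed for this example and are not the game's.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed picture set for the example; a real login screen would show artwork.
CRITTERS = ("Malta", "Circle of Thorns", "Carnies", "Family",
            "Nemesis", "Rikti", "Council", "Freakshow")


def _kdf(salt: bytes, secret: str) -> bytes:
    # Iteration count kept modest so the demo runs quickly; raise it in production.
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, 50_000)


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    picks_hash: bytes
    failures: int = 0
    locked: bool = False


class LoginService:
    """Assumed service API for the example: password plus picture click(s),
    with a lockout after max_failures wrong attempts of either factor."""

    def __init__(self, critters: Iterable[str] = CRITTERS,
                 picks_required: int = 1, max_failures: int = 3):
        self.critters = tuple(critters)
        self.picks_required = picks_required
        self.max_failures = max_failures
        self.accounts: Dict[str, Account] = {}

    @staticmethod
    def _canon(picks: Iterable[str]) -> str:
        """Order- and case-insensitive form of the chosen pictures, so the same
        choice hashes the same way whatever order the player clicked in."""
        return "|".join(sorted(p.strip().casefold() for p in picks))

    def register(self, name: str, password: str, favorite_picks: Iterable[str]) -> None:
        picks = tuple(favorite_picks)
        if (len(picks) != self.picks_required or len(set(picks)) != len(picks)
                or any(p not in self.critters for p in picks)):
            raise ValueError(f"choose exactly {self.picks_required} distinct pictures from the set")
        salt = secrets.token_bytes(16)
        self.accounts[name] = Account(salt, _kdf(salt, password), _kdf(salt, self._canon(picks)))

    def challenge(self) -> List[str]:
        """Pictures in a fresh random order for this login screen. The client
        reports the picture's name, not its grid position; the shuffle only
        keeps the screen from looking the same twice."""
        order = list(self.critters)
        secrets.SystemRandom().shuffle(order)
        return order

    def login(self, name: str, password: str, clicked: Iterable[str]) -> str:
        """Returns 'ok', 'denied' or 'locked'."""
        acct = self.accounts.get(name)
        if acct is None:
            # Do the same hashing work for unknown names so response timing
            # does not reveal which account names exist.
            dummy = secrets.token_bytes(16)
            _kdf(dummy, password)
            _kdf(dummy, self._canon(clicked))
            return "denied"
        if acct.locked:
            return "locked"
        pw_ok = hmac.compare_digest(_kdf(acct.salt, password), acct.password_hash)
        pick_ok = hmac.compare_digest(_kdf(acct.salt, self._canon(clicked)), acct.picks_hash)
        if pw_ok and pick_ok:
            acct.failures = 0
            return "ok"
        # Both factors are always evaluated and either failure burns an attempt,
        # so password guessing and picture guessing share one counter.
        acct.failures += 1
        if acct.failures >= self.max_failures:
            acct.locked = True
            return "locked"
        return "denied"
```

What the code makes visible: with eight pictures and one click, a lockout after three failures still leaves someone who already has the password a 3/8 chance, which is why the post's "make players click two" variant (`picks_required=2`, 28 unordered pairs here) matters, and why the counter has to count password failures as well as picture failures. The click defeats a keystroke logger only because the chosen name is never typed; it is a second piece of knowledge, not a second factor in the token sense.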

 

Posted

Quote:
Originally Posted by Arcanaville View Post
2. Best practice for customers asked by a company to do this is to pick someone else randomly, and use their answers. A distant cousin, your mother's neighbor, someone familiar but whom no one would likely guess off the top of their heads even if they knew you personally. Or, famous or fictional people work as well. Abraham Lincoln, James Bond, Spider Jerusalem - someone you can remember and easily look up the answers to even if you forget them. It's a variation on the "pick a password by picking a memorable phrase, then using the third letter from each word plus some numbers and punctuation." You can make arbitrarily long and strong passwords this way without having to remember them.
Actually, my challenge question was: "Tom's dog?"

Now, I know which Tom and I know the name of his dog. Don't know why I was locked out (didn't get a chance to try all caps, but I never use all caps in passwords).

Point being, that at one point, they allowed us to come up with our own challenge question and not "Mother's maiden name?".



Quote:
3. Tying the security to IP address is not a good idea in isolation. It's not as stupidly bad as the thing above, but it's still not good. Cloud vendors like to do this, and it's fine if the goal is not to secure the system, but to restrict the pool of potential attackers. Sure: if your IP address changes often, eventually someone else will have your IP address and could attack your account. But that is still better than everyone on Earth being able to do that. The problem, as others have specified, is that people whose addresses change a lot will have to reauthenticate often. This violates one of the cardinal rules of security: don't make it harder for the user than it would be for an attacker. I could *attack* the system easier than someone whose IP address changes every day could even use the system normally. In the security community, we call that an Epic Phail.
Well, this only applies to the Master Account, and how often is someone accessing their Master Account? I'd agree that IP checking and constant challenging would be burdensome to use the forums or enter the game.


Speeding Through New DA Repeatables || Spreadsheet o' Enhancements || Zombie Skins: better skins for these forums || Guide to Guides

 

Posted

I am presently afraid to try getting into my account.

If I was feeling like being a tantrum throwing child, I'd threaten to unsubscribe, but I'm on recurring billing and presently can't access my account, so that's an empty threat. I guess that's one way to retain customers. Realistically, I just wanna be able to buy booster packs and upgrade my billing to a longer term plan, but that ain't happening until I jump through support hoops.

I don't have ANY emails in my inbox from NCsoft or cryptic or whoever, and this inbox only goes back as far as 2007, which PROBABLY means I have my account registered under a defunct e-mail address I'm no longer using.

I don't know the answer to my security question (which strikes me as an in joke, but heck if I remember what), and don't even have a reasonable guess. 7 years is a long time. I've moved 4 times since starting the game and bought most of my account upgrades online, I certainly won't be able to supply any serial codes.

Ugh.

I'm irritated, and, frankly, I don't see what this "system" is doing for me that the previously existing system didn't already do.


Mission Arc: Metatronic Mayhem (Id 1750): A tale of robots gone wrong, rogue robots gone right, and madmen gone every which way but loose.

 

Posted

Quote:
Originally Posted by Zombie Man View Post
Point being, that at one point, they allowed us to come up with our own challenge question and not "Mother's maiden name?".
Yes they did, and I did, and that was the challenge question I was asked. Interestingly, it was also a dog question. However, that was not universal, and the system did not recommend creating an obscure question to my recollection. It was, however, better than the current system which forces you to pick one of their questions.

Modern systems that honor best practices these days present a variation of this prompt:

* Please enter a special passphrase that can be used to authenticate your account. Please pick a passphrase that cannot be easily guessed.
* Please enter a reminder phrase that we will send to you to ask you for your secret passphrase.


Quote:
Well, this only applies to the Master Account, and how often is someone accessing their Master Account. I'd agree that IP checking and constant challenging would be burdensome to use the forums or enter the game.
The infrequent use creates a separate problem: namely that for people whose IP addresses change on any kind of frequency, the odds are good that they will have to authenticate *every* access. That's a problem because the authentication system is not supposed to be used that frequently. If it is, it's no better than a password. It's supposed to be something used only rarely and when necessary, but if it's essentially used every time you authenticate, it's equally exposed as your password. That's a problematic design because it violates the intent of an authenticator challenge.

If you don't have professional experience working with and designing these systems, you make mistakes. Obvious mistakes to a professional and vulnerable to attackers. Anything that can break your password will likely break your challenge phrase when both are always used in conjunction. Ergo, this is a system design error.

I cannot stress enough how extremely hazardous it is to design and implement systems like this without professional guidance. I could have told them this would blow up in their face. And I could have told them that for the cost of inconvenience, the added security would be relatively small. And I could have told them better ways to do it that wouldn't suffer either problem. And so could any other competent security professional. This is not normal forum debate fodder. This is not really a matter of debate at all. This was either non-professional overreach, or professional malpractice. There are literally no other possibilities.

I'm guessing no one at Paragon had anything to do with this, and I'm guessing no one in Community had any involvement in this except to be told to handle damage control. My guess is that my assessment here isn't likely reaching the eyes of anyone that did this thing. There's no one here to beat up over it. Still, it's annoying: someone out there thinks they can do this better than a qualified professional, or a presumably qualified professional needs to retire. Both equally annoying to me personally.


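As an added example (not from any poster in this thread), the "encrypted cookie" alternative Arcanaville raised earlier and the point in the post above that a challenge used on every access is no better than a password, combined in one design: after a successful challenge the server issues a signed, expiring device token; later logins from that device skip the challenge whatever the IP address is. The example uses an HMAC-signed token rather than an encrypted one, since the token carries nothing secret, and takes the password check as a boolean because it is out of scope. `DeviceTokens`, `MasterAccountLogin`, the claim names and the 30-day lifetime are this example's own assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Callable, Optional, Tuple


class DeviceTokens:
    """Issues and verifies a 'remembered device' token (assumed design, not NCsoft's).
    The server holds one signing key; the client keeps the token, e.g. in a cookie,
    and presents it on later logins. The token carries nothing secret, so an HMAC
    signature for integrity is enough; encrypting it would add nothing here."""

    def __init__(self, signing_key: bytes, lifetime: int = 30 * 24 * 3600):
        self.key = signing_key
        self.lifetime = lifetime  # seconds a device stays remembered (assumed value)

    def _sign(self, payload: bytes) -> str:
        mac = hmac.new(self.key, payload, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(mac).decode("ascii")

    def issue(self, account: str, now: Optional[int] = None) -> str:
        now = int(time.time()) if now is None else int(now)
        claims = {"acct": account, "dev": secrets.token_hex(8), "exp": now + self.lifetime}
        body = json.dumps(claims, separators=(",", ":")).encode("utf-8")
        payload = base64.urlsafe_b64encode(body).decode("ascii")
        return payload + "." + self._sign(payload.encode("ascii"))

    def check(self, token: str, account: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else int(now)
        if not token.isascii():
            return False
        payload, sep, sig = token.partition(".")
        # Verify the signature before looking at any claim.
        if not sep or not hmac.compare_digest(sig, self._sign(payload.encode("ascii"))):
            return False
        try:
            claims = json.loads(base64.urlsafe_b64decode(payload))
            return claims["acct"] == account and int(claims["exp"]) > now
        except (ValueError, TypeError, KeyError):
            return False


class MasterAccountLogin:
    """Decides when the challenge question is asked: only when a correct password
    arrives without a valid device token. A player whose IP address changes daily
    therefore answers it once per device, not on every access."""

    def __init__(self, tokens: DeviceTokens):
        self.tokens = tokens
        self.challenges_asked = 0  # counter so the effect is observable

    def login(self, account: str, password_ok: bool, device_token: Optional[str],
              answer_challenge: Callable[[], bool],
              now: Optional[int] = None) -> Tuple[str, Optional[str]]:
        """password_ok is the outcome of the normal password check (out of scope);
        answer_challenge runs the secondary challenge and reports whether it passed.
        Returns (outcome, token the client should store, or None)."""
        if not password_ok:
            return "denied", None  # never reach the challenge without the password
        if device_token and self.tokens.check(device_token, account, now):
            return "ok", device_token
        self.challenges_asked += 1
        if not answer_challenge():
            return "challenge_failed", None
        return "ok", self.tokens.issue(account, now)
```

A stolen token lets its holder skip the challenge, never the password, so the exposure is bounded by the token lifetime and can be cut short at any time by rotating the signing key; that bounded, occasional use of the challenge is what separates this from asking the question on every access.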

 

Posted

Quote:
Originally Posted by Sukothai View Post
Let's just hope they don't ask for a handprint identification or a retinal scan!
Better hope you have a colonic map on file...

Hell, now I'm scared to attempt this. It's been 6.5 years since I set up my account. Hell if I can remember anything from it. Most days, I'm lucky if I can remember what I had for breakfast, much less something more than half a decade ago.

Edit - Well, what do you know. Got it in one. But gotta say, that captcha image is horrendous. Can't distinguish half the letters.



 

Posted

Quote:
Originally Posted by Necrotech_Master View Post
I haven't been locked out (I have 1 attempt left),

but it's been almost 24 hours since I sent in my support ticket and no response on it.
Same here. And I am very wary of giving out my details as I have had many a fake-looking email looking like it's NCsoft or whoever . . . .

The longer it takes for my account to be resolved the more anxious and worried I get . . . .