Dear NCsoft Login Verification


Carnifax_NA


Posted

Dear NCsoft Login Verification,

I appreciate what you're trying to do. Really. You want to make sure I'm logging in from the same computer each time. Fine. But, see, 186.56.29.210, 186.56.29.159, 201.251.19.223, 200.117.14.62, 186.56.16.24 and about twenty other IP addresses are all the same computer. You might have those confused with MAC addresses, which are tied to the network card used to connect to the network and don't change; IP addresses change every time my ISP feels like it.

Answering your security questions every single dang time I have to log in is quite annoying, because I actually made my answers very secure; I have to think a lot and look them up every time. If the question is "what is your favorite color", the answer might be the first twenty digits of e after the third decimal location (28182845904523536028); "what is your mother's maiden name" could be the md5sum of the name of the capital of Nicaragua (d98bf2a51283482a9283735e2324a1f2). You get the idea. If they were a lot simpler, it would be less annoying; but then they would also be less secure, defeating the purpose.

Also, since I keep telling NCsoft to remember my preference, even though I know it won't, you basically have a nice whitelist of about 30 IP addresses that have access to my account with just the password, skipping your security checks. I am not worried about this because it's highly unlikely that someone who wants to gain access to my account is in the same IP range, and my password is very secure regardless. But I can't help pointing out that you're opening a (tiny) hole in your own security measures.

Also, while adding computers to your whitelist is easy, there is no way that I can see to remove computers from said whitelist. If we are to truly assume that IP addresses are a reliable way to identify someone's computer (not a chance, but let's assume) then there should be a way to remove an IP address once it's no longer "trusted" or "current".

But, if you're going to whitelist random IP addresses, then I humbly request that you let me whitelist address ranges; my ISP has four IP ranges, so all of 186.56.29.*, 186.56.16.*, 201.251.19.* and 200.117.14.* don't have to answer my security questions every time I need to check my account details or send a referral code to someone. Ignoring the last number in the IPv4 address when performing your check would probably be more than enough, while ensuring that I am always connecting from the same ISP.

Once enough people have IPv6 addresses at home, IP addresses will match your ideal of one address per computer. But I'm afraid you're getting a bit ahead of the technology with your strict implementation.

Best wishes,
Leandro.

PS. I also hate your captcha, but I can live with it.


www.SaveCOH.com: Calls to Action and Events Calendar
This is what 3700 heroes in a single zone looks like.
Thanks to @EnsonsDeath for the GVE code that made me VIP again!
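To make the trade-off in the post above concrete, here is a small added example (not NCsoft's code, and not the poster's) that models a "trusted IP" list in the two modes discussed: exact host matching, which is what the post describes, and the /24 prefix matching the poster asks for. It also supplies the removal path the post says is missing. The addresses are the ones quoted in the post; the "stranger" address is a constructed host in the same /24.

```python
import ipaddress

# Addresses the poster says his ISP handed to one computer (quoted in the post).
OBSERVED_IPS = ["186.56.29.210", "186.56.29.159", "201.251.19.223",
                "200.117.14.62", "186.56.16.24"]


class TrustedHosts:
    """Hypothetical IP-based 'trusted device' list, not NCsoft's real design.

    prefix_len=32 trusts single hosts (exact match); prefix_len=24 ignores
    the last octet, which is the range matching the poster requests.
    """

    def __init__(self, prefix_len=32):
        self.prefix_len = prefix_len
        self.networks = set()

    def trust(self, ip):
        # strict=False lets a host address stand in for its /24 network.
        net = ipaddress.ip_network(f"{ip}/{self.prefix_len}", strict=False)
        self.networks.add(net)
        return net

    def untrust(self, ip):
        # The removal step the post complains is absent from the real system.
        net = ipaddress.ip_network(f"{ip}/{self.prefix_len}", strict=False)
        self.networks.discard(net)

    def is_trusted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.networks)


def compare_modes(ips=OBSERVED_IPS):
    """Show what each mode accumulates and who else it lets through."""
    exact, ranged = TrustedHosts(32), TrustedHosts(24)
    for ip in ips:
        exact.trust(ip)
        ranged.trust(ip)
    stranger = "186.56.29.1"  # constructed: never used by the poster, same /24
    return {
        "exact_entries": len(exact.networks),   # one entry per address seen
        "range_entries": len(ranged.networks),  # one entry per ISP block
        "stranger_exact": exact.is_trusted(stranger),
        "stranger_ranged": ranged.is_trusted(stranger),
    }
```

The range mode cuts the list from one entry per dynamic address to one per ISP block, but it also trusts every other customer in that block, which is the "(tiny) hole" the post already acknowledges, made wider.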


Posted

Ah, an IP-based whitelist and security questions; it's almost like they asked the work experience lad to devise a secure, 2-factor authentication system for their account management and if he could have it done by the end of the day that would be great. And I agree that not having any obvious way to remove IPs from the whitelist is a Bad Thing - even more so if I access my account on my phone because that IP is far more dynamic (and widely assigned) than that of my home connection.

As the old saying goes: If you're not going to do it properly, just half-*** it and hope nobody notices


Omnes relinquite spes, o vos intrantes

My Characters
CoX Chatlog Parser
Last.fm Feed


Posted

Quote:
Originally Posted by The_Spad_EU
Ah, an IP-based whitelist and security questions; it's almost like they asked the work experience lad to devise a secure, 2-factor authentication system for their account management and if he could have it done by the end of the day that would be great. And I agree that not having any obvious way to remove IPs from the whitelist is a Bad Thing - even more so if I access my account on my phone because that IP is far more dynamic (and widely assigned) than that of my home connection.

Even [a certain wintry game company] do it right by having tokens/phone apps that give proper 2-factor authentication. As the old saying goes: If you're not going to do it properly, just half-*** it and hope nobody notices
"And when they *do* notice it ignore all the shouting and do it anyway"

It's an absolutely moronic system. What makes it sadder is that they already did inane things with IP Addresses on the store and people like me have been saying "Please stop doing that, 'tis idiotic", which just seems to encourage them to do more silly things with IP Addresses.

Maybe some reverse psychology is required:
"Hey, NCSoft Web Developers. I think you should expand this reliance on IP Addresses in some way because they are a totally reliable and unique way to decide what machine someone is using and what content you should always show them. Also, your forum software is awesome. Keep using it. And your Credit Card payment system is above reproach"



Posted

Maybe their security folks are former RIAA employees...

If they can bring lawsuits by IP addy, it must be reliable, and uniquely identifiable to the person, right???



Cheers,
4


I've been rich, and I've been poor. Rich is definitely better.
Light is faster than sound - that's why some people look smart until they speak.
For every seller who leaves the market dirty stinkin' rich,
there's a buyer who leaves the market dirty stinkin' IOed. - Obitus.