Why Do We Not Have an Authenticator Yet?
CoH isn't big enough to justify the expense in setting an authenticator system up.
@FloatingFatMan
Do not go gentle into that good night.
Rage, rage against the dying of the light.
After two years of using an OTP key to authenticate my work, home, and MMO accounts, I can tell you that while it IS nice and IS secure, it's also a gargantuan PITA should the keys fall out of sync with the server. On one hand, you get added security. On the other, you get an increased potential for screw-ups that can literally lock you out of the game until someone fixes it.
My guides:Dark Melee/Dark Armor/Soul Mastery, Illusion Control/Kinetics/Primal Forces Mastery, Electric Armor
"Dark Armor is a complete waste as a tanking set."
How would an authenticator help keep the game's databases from being hacked?
Why is there still no authenticator? Whether it be mobile or physical, (preferably physical?) While this wouldn't prevent a hacker from obtaining my information, it would at least prevent someone else from logging onto my account with the stolen information and would give a little peace of mind.
@Celestial Lord and @Celestial Lord Too
From past experience, the web development staff at NCsoft isn't competent enough to do even an adequate job at web security.
Edit:
How bad can they be, you ask? Read the following thread (all 422 posts):
Discussion: New Security Update on NCsoft Master Accounts
Triumph: White Succubus: 50 Ill/Emp/PF Snow Globe: 50 Ice/FF/Ice Strobe: 50 PB Shi Otomi: 50 Ninja/Ninjistu/GW Stalker My other characters
Security in general is a joke.
Clearly you haven't heard the reports of people who didn't have authenticators who got their accounts hacked THROUGH the use of an authenticator in World of Warcraft.
Or the people who had authenticators, who still got hacked.
And then there's people like me. I had an authenticator for Rift through my phone (how handy!) and then when I took my phone in for repairs, they did a factory reset, costing me my authenticator, making it difficult enough for me to get back into my account that I JUST GAVE UP. I didn't want to jump through hoop after hoop to get back into a game I might not like that much anyways.
It's a case of security versus convenience.
And when your business model is free-to-play, anything that takes away from convenience is first on the chopping block.
you could have it all
My empire of dirt
I will let you down
I will make you <3
Well, I just discovered this morning that another MMOG I play was hacked and had its customer database stolen. That's the second time this year that a MMOG I play was hacked and had its customer database stolen. I still have a few complimentary months remaining on a credit report service from the first time!
While this hasn't happened to City of Heroes... yet... with the way things are going, it's only a matter of time.
Why is there still no authenticator? Whether it be mobile or physical, (preferably physical?) While this wouldn't prevent a hacker from obtaining my information, it would at least prevent someone else from logging onto my account with the stolen information and would give a little peace of mind.
Quite simply, you couldn't pay me enough.
Not to mention that such devices are NOT inexpensive.
Dongles are not the way.
Also, if you're thinking about hard-coded dongles, fuhgeddaboudit. If it's a static value, it can be read, copied, and replayed. Leaving you no more secure than you were before.
You essentially have several things protecting your account right now.
Your NCSoft Master Account and the two-factor authentication there (see, you already have it).
Your game account which, ideally, shouldn't be the same as your master account name. Moreover, it should have a different password than your master account as well.
Actually, yes. It's still security. Remember, the vast majority of hacks don't happen on hard targets where the user has no information. The things required to do stuff like that are spectacularly obvious and trigger massive alarms to tell your network operations that "something REALLY bad is happening".
While obscurity is not GREAT security, it's simply one of myriad tools used to provide security.
61866 - A Series of Unfortunate Kidnappings - More than a coincidence?
2260 - The Burning of Hearts - A green-eyed monster holds the match.
379248 - The Spider Without Fangs - NEW - Some lessons learned (more or less.)
Bingo, that is indeed what it's called.
It's called "Unauthorized access".
You have a right to access those systems via approved channels (the game client). You do NOT have the right to access those systems via non-approved channels (grabbing root on a console, grabbing a remote desktop, accessing the raw filesystem, etc).
People can get real jail time for this sort of thing.
And if they can prove malicious intent, the sentence just goes up.
What exactly are the huge profits a hacker is going to get from hacking CoH again?
Speeding Through New DA Repeatables || Spreadsheet o' Enhancements || Zombie Skins: better skins for these forums || Guide to Guides
There isn't much of a market for CoH accounts or gear, email addresses are valued in dollars per million, and username/password pairs are trivial to get from most people, so the login database isn't worth much. An attacker familiar with the game might be able to get a few thousand dollars out of it, if they go undetected for long enough.
Control of the hardware itself has value (reasonably powerful servers connected to a high-bandwidth pipe), but any attacker who tries to make full use of it is likely to be detected and stopped in a matter of minutes.
Much ado about not a whole lot here people.
1) If the Co* database is hacked... you will lose, perhaps a couple of days of playing time. Maybe. The database IS backed up... this is how things CAN BE brought back. It has already happened. So if the ENTIRE database is hacked... you clean up the mess, close the hole, and restore the servers from a couple of days ago... maybe not in that order, but pretty much.
2) If the User accounts are hacked, more games can be purchased, or perhaps items. Either of which can be used for 'gone to the americans!' type horrificness. But again, that's where backups could be important, as well as a good Customer Service to fix that issue. And change your password, yo.
3) If the credit card information database is hacked, this also can be dealt with. Everyone gets a freebie short credit alert plan, as Paragon Studios and NCSoft should make it so, and then it's not terribly hard to get a police statement, send it off, and protect yourself for 7 years. This, in effect is what I did... SOMEONE got my info, and opened a couple of accounts. I caught them doing it pretty quick, and shut it all down in about 1 day.
It's scary, sure, but once you've been robbed at knifepoint, had the house burgled, and had your personal information violated... it's just not a huge deal anymore, to me.
Let 'em get my CC info. It won't work in 1 day, if it works at all for ya. I'm watchin youuuu...
/Of course, this is my 'merican experience, so if you're not 'merican, then your issues with this kind of stuff might differ.
//Really tryin' to not need any credit anything, so I can't care much anymore about my credit score these days...
///Hopefully soon(tm) it'll all be over, and I'll never need Credit again.
////That's a day I'll be gettin' drunk about.
August 31, 2012. A Day that will Live in Infamy. Or Information. Possibly Influence. Well, Inf, anyway. Thank you, Paragon Studios, for what you did, and the enjoyment and camaraderie you brought.
This is houtex, aka Mike, signing off the forums. G'night all. - 10/26/2012
Well... perhaps I was premature about that whole 'signing off' thing... - 11-9-2012
Because it's an enormous money pit for something like an MMO. It gives you a false sense of security. And it's an enormous hassle. The physical fobs don't keep 100% perfect sync with the server. So when they fall out of sync, you can't sign on. This leads to massive customer service overhead. I've worked for companies with only a couple hundred of the things out there and it's a pain. Think about doing it for 10-100,000 people.
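Added example, not part of any post in this thread: a minimal sketch of why a time-based fob that drifts gets rejected and how a server-side resync window recovers it, using RFC 4226/6238 code generation. `TokenRecord`, `verify`, the window sizes and the clock values are assumptions made for the illustration, not NCsoft's or any vendor's implementation.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step (RFC 6238 default)

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class TokenRecord:
    """Server-side state for one enrolled fob (hypothetical structure)."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.drift = 0        # learned clock offset, in time steps
        self.last_step = -1   # highest step already accepted (replay guard)

def verify(rec: TokenRecord, code: str, server_time: int, window: int = 1) -> bool:
    """Accept a code within +/- window steps; learn drift, reject replays."""
    expected = server_time // STEP + rec.drift
    for delta in range(-window, window + 1):
        step = expected + delta
        if step <= rec.last_step:
            continue  # step already consumed: a copied code is useless
        if hmac.compare_digest(hotp(rec.secret, step), code):
            rec.drift += delta      # remember how far the fob's clock is off
            rec.last_step = step    # burn this step
            return True
    return False

def demo():
    secret = b"12345678901234567890"  # RFC 4226 test secret, not a real key
    rec = TokenRecord(secret)
    now = 1_000_000_000               # constructed server clock
    fob_clock = now + 3 * STEP        # constructed: fob runs 90 seconds fast
    code = hotp(secret, fob_clock // STEP)
    locked_out = not verify(rec, code, now)      # outside the +/-1 step window
    resynced = verify(rec, code, now, window=5)  # support-desk resync window
    replayed = verify(rec, code, now, window=5)  # same code presented again
    later = hotp(secret, (fob_clock + STEP) // STEP)
    next_login = verify(rec, later, now + STEP)  # narrow window works again
    return locked_out, resynced, replayed, next_login
```

The wider resync window trades convenience for a larger set of acceptable codes, which is why it is normally reserved for a supervised recovery step rather than every login.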
Quite simply, you couldn't pay me enough. Not to mention that such devices are NOT inexpensive. Dongles are not the way.
Physical authenticators aren't expensive... the most I've had to pay for one was $12, and that included shipping.
@Celestial Lord and @Celestial Lord Too
There was more excitement about it on the forums than what I saw in game.
Dr. Todt's theme.
i make stuff...