Why Do We Not Have an Authenticator Yet?


AliasiSudonomo

 

Posted

Well, I just discovered this morning that another MMOG I play was hacked and had its customer database stolen. That's the second time this year that a MMOG I play was hacked and had its customer database stolen. I still have a few complimentary months remaining on a credit report service from the first time!

While this hasn't happened to City of Heroes... yet... with the way things are going, it's only a matter of time.

Why is there still no authenticator? Whether it be mobile or physical, (preferably physical?) While this wouldn't prevent a hacker from obtaining my information, it would at least prevent someone else from logging onto my account with the stolen information and would give a little peace of mind.


@Celestial Lord and @Celestial Lord Too

 

Posted

CoH isn't big enough to justify the expense in setting an authenticator system up.


@FloatingFatMan

Do not go gentle into that good night.
Rage, rage against the dying of the light.

 

Posted

After two years of using an OTP key to authenticate my work, home, and MMO accounts, I can tell you that while it IS nice and IS secure, it's also a gargantuan PITA should the keys fall out of sync with the server. On one hand, you get added security. On the other, you get an increased potential for screw-ups that can literally lock you out of the game until someone fixes it.


My guides:Dark Melee/Dark Armor/Soul Mastery, Illusion Control/Kinetics/Primal Forces Mastery, Electric Armor
"Dark Armor is a complete waste as a tanking set."

 

Posted

Quote:
Originally Posted by FloatingFatMan View Post
CoH isn't big enough to justify the expense in setting an authenticator system up.
Security by obscurity is no security at all.


@Celestial Lord and @Celestial Lord Too

 

Posted

How would an authenticator help keep the game's databases from being hacked?


Quote:
Originally Posted by Arcanaville View Post
Samuel_Tow is the only poster that makes me want to punch him in the head more often when I'm agreeing with him than when I'm disagreeing with him.

 

Posted

Quote:
Originally Posted by Samuel_Tow View Post
How would an authenticator help keep the game's databases from being hacked?
Quote:
Originally Posted by Celestial_Lord View Post
Why is there still no authenticator? Whether it be mobile or physical, (preferably physical?) While this wouldn't prevent a hacker from obtaining my information, it would at least prevent someone else from logging onto my account with the stolen information and would give a little peace of mind.
As you can see by the bolded part, I already answered that.


@Celestial Lord and @Celestial Lord Too

 

Posted

Quote:
Originally Posted by Celestial_Lord View Post
Why is there still no authenticator?
Because we don't want to kill Arcanaville with a laughing fit. We like having her around.

From past experience, the web development staff at NCsoft isn't competent enough to do even an adequate job at web security.

Edit:
How bad can they be you ask? Read the following thread (all 422 posts):

Discussion: New Security Update on NCsoft Master Accounts




Triumph: White Succubus: 50 Ill/Emp/PF Snow Globe: 50 Ice/FF/Ice Strobe: 50 PB Shi Otomi: 50 Ninja/Ninjistu/GW Stalker My other characters

 

Posted

Security in general is a joke.
Clearly you haven't heard the reports of people who didn't have authenticators who got their accounts hacked THROUGH the use of an authenticator. in World of Warcraft.

Or the people who had authenticators, who still got hacked.

And then there's people like me. I had an authenticator for rift through my phone (how handy!) and then when I took my phone in for repairs, they did a factory reset, costing me my authenticator, making it difficult enough for me to get back into my account that I JUST GAVE UP. I didn't want to jump through hoop after hoop to get back into a game I might not like that much anyways.

It's a case of security versus convenience.

And when your business model is free-to-play, anything that takes away from convenience is first on the chopping block.


you could have it all
My empire of dirt
I will let you down
I will make you <3

 

Posted

Quote:
Originally Posted by Celestial_Lord View Post
Well, I just discovered this morning that another MMOG I play was hacked and had its customer database stolen. That's the second time this year that a MMOG I play was hacked and had its customer database stolen. I still have a few complimentary months remaining on a credit report service from the first time!
Thank you for reporting that you play Rift. Another piece of crucial data in my social engineering database...

Quote:
While this hasn't happened to City of Heroes... yet... with the way things are going, it's only a matter of time.
It's always a matter of time. Security is NOT about "keeping people out". It's about being enough of a hassle to get past that would-be hax0rz move on to greener pastures and easier cracks.

Quote:
Why is there still no authenticator? Whether it be mobile or physical, (preferably physical?) While this wouldn't prevent a hacker from obtaining my information, it would at least prevent someone else from logging onto my account with the stolen information and would give a little peace of mind.
Because it's an enormous money pit for something like an MMO. It gives you a false sense of security. And it's an enormous hassle. The physical fobs don't keep 100% perfect sync with the server. So when they fall out of sync, you can't sign on. This leads to massive customer service overhead. I've worked for companies with only a couple hundred of the things out there and it's a pain. Think about doing it for 10-100,000 people.

Quite simply, you couldn't pay me enough.

Not to mention that such devices are NOT inexpensive.

Dongles are not the way.

Also, if you're thinking about hard-coded dongles, fuhgeddaboudit. If it's a static value, it can be read, copied, and replayed. Leaving you no more secure than you were before.

You essentially have several things protecting your account right now.

Your NCSoft Master Account and the two-factor authentication there (see, you already have it).

Your game account which, ideally, shouldn't be the same as your master account name. Moreover, it should have a different password than your master account as well.

Quote:
Originally Posted by Celestial_Lord View Post
Security by obscurity is no security at all.
Actually, yes. It's still security. Remember, the vast majority of hacks don't happen on hard targets where the user has no information. The things required to do stuff like that are spectacularly obvious and trigger massive alarms to tell your network operations that "something REALLY bad is happening".

While obscurity is not GREAT security, it's simply one of myriad tools used to provide security.



Clicking on the linked image above will take you off the City of Heroes site. However, the guides will be linked back here.

 

Posted

Quote:
Originally Posted by Celestial_Lord View Post
While this hasn't happened to City of Heroes... yet... with the way things are going, it's only a matter of time.
This is a logical fallacy, but I forget what it's called.


 

Posted

Quote:
Originally Posted by Celestial_Lord View Post
While this hasn't happened to City of Heroes... yet...
The database hasn't been hacked yet, but at least one server has. I believe the party responsible was arrested and charged, but we never heard anything more about it.


61866 - A Series of Unfortunate Kidnappings - More than a coincidence?
2260 - The Burning of Hearts - A green-eyed monster holds the match.
379248 - The Spider Without Fangs - NEW - Some lessons learned (more or less.)

 

Posted

Quote:
Originally Posted by TheDeepBlue View Post
I believe the party responsible was arrested and charged [...]
For what, not taking life seriously? I find it hard to believe that any attempts to hack a map server (which have to go through the authentication server first) could be considered criminal activity. Character information isn't even stored there.


 

Posted

Quote:
Originally Posted by GuyPerfect View Post
This is a logical fallacy, but I forget what it's called.
Misleading Vividness?




Triumph: White Succubus: 50 Ill/Emp/PF Snow Globe: 50 Ice/FF/Ice Strobe: 50 PB Shi Otomi: 50 Ninja/Ninjistu/GW Stalker My other characters

 

Posted

Bingo, that is indeed what it's called.


 

Posted

Quote:
Originally Posted by Snow Globe View Post
Misleading Vividness?

It's called "Unauthorized access".

You have a right to access those systems via approve channels (the game client). You do NOT have the right to access those systems via non-approved channels (grabbing root on a console, grabbing a remote desktop, accessing the raw filesystem, etc).

People can get real jail time for this sort of thing.
And if they can prove malicious intent, the sentence just goes up.



Clicking on the linked image above will take you off the City of Heroes site. However, the guides will be linked back here.

 

Posted

Quote:
Originally Posted by GuyPerfect View Post
For what, not taking life seriously? I find it hard to believe that any attempts to hack a map server (which have to go through the authentication server first) could be considered criminal activity. Character information isn't even stored there.
The person(s) responsible were able to send one or two messages across the entire server claiming that they warned development of the security flaws in the system. I believe someone challenged him or her to show off just how much control they claimed to have, and he or she proceeded to lock the server up, or something to the effect.


61866 - A Series of Unfortunate Kidnappings - More than a coincidence?
2260 - The Burning of Hearts - A green-eyed monster holds the match.
379248 - The Spider Without Fangs - NEW - Some lessons learned (more or less.)

 

Posted

Quote:
Originally Posted by GuyPerfect View Post
For what
unauthorized access from outside the network?
hijacking a server?


 

Posted

Quote:
Originally Posted by Zombie Man View Post
What exactly are the huge profits a hacker is going to get from hacking CoH again?
Depending on what the market is like and how much "additional information" you're providing, credit card numbers with associated personal information can go for between $1 and $10 each. Given the estimates for the size of the playerbase, the billing database is probably worth around a half-million dollars on the black market; potentially a few million if the attacker has a rapid method of cashing out the card information himself.

There isn't much of a market for CoH accounts or gear, email addresses are valued in dollars per million, and username/password pairs are trivial to get from most people, so the login database isn't worth much. An attacker familiar with the game might be able to get a few thousand dollars out of it, if they go undetected for long enough.

Control of the hardware itself has value (reasonably powerful servers connected to a high-bandwidth pipe), but any attacker who tries to make full use of it is likely to be detected and stopped in a matter of minutes.


 

Posted

Quote:
Originally Posted by TheDeepBlue View Post
The database hasn't been hacked yet, but at least one server has. I believe the party responsible was arrested and charged, but we never heard anything more about it.
Wait what? When did a server get hacked? What happened?


 

Posted

Much ado about not a whole lot here people.

1) If the Co* database is hacked... you will lose, perhaps a couple of days of playing time. Maybe. The database IS backed up... this is how things CAN BE brought back. It has already happened. So if the ENTIRE database is hacked... you clean up the mess, close the hole, and restore the servers from a couple of days ago... maybe not in that order, but pretty much.

2) If the User accounts are hacked, more games can be purchased, or perhaps items. Either of which can be used for 'gone to the americans!' type horrificness. But again, that's where backups could be important, as well as a good Customer Service to fix that issue. And change your password, yo.

3) If the credit card information database is hacked, this also can be dealt with. Everyone gets a freebie short credit alert plan, as Paragon Studios and NCSoft should make it so, and then it's not terribly hard to get a police statement, send it off, and protect yourself for 7 years. This, in effect is what I did... SOMEONE got my info, and opened a couple of accounts. I caught them doing it pretty quick, and shut it all down in about 1 day.

It's scary, sure, but once you've been robbed at knifepoint, had the house burgled, and had your personal information violated... it's just not a huge deal anymore, to me.

Let 'em get my CC info. It won't work in 1 day, if it works at all for ya. I'm watchin youuuu...

/Of course, this is my 'merican experience, so if you're not 'merican, then your issues with this kind of stuff might differ.
//Really tryin' to not need any credit anything, so I can't care much anymore about my credit score these days...
///Hopefully soon(tm) it'll all be over, and I'll never need Credit again.
////That's a day I'll be gettin' drunk about.


August 31, 2012. A Day that will Live in Infamy. Or Information. Possibly Influence. Well, Inf, anyway. Thank you, Paragon Studios, for what you did, and the enjoyment and camaraderie you brought.
This is houtex, aka Mike, signing off the forums. G'night all. - 10/26/2012
Well... perhaps I was premature about that whole 'signing off' thing... - 11-9-2012

 

Posted

Quote:
Originally Posted by Hyperstrike View Post
Because it's an enormous money pit for something like an MMO. It gives you a false sense of security. And it's an enormous hassle. The physical fobs don't keep 100% perfect sync with the server. So when they fall out of sync, you can't sign on. This leads to massive customer service overhead. I've worked for companies with only a couple hundred of the things out there and it's a pain. Think about doing it for 10-100,000 people.

Quite simply, you couldn't pay me enough.

Not to mention that such devices are NOT inexpensive.

Dongles are not the way.
It can't be that much of a money pit. I currently subscribe to four MMOGs, including this one. Three of them offer authenticators. Two of them offer physical dongle authenticators. CoH is the only one that doesn't offer any kind of authenticator.

Physical authenticators aren't expensive... the most I've had to pay for one was $12, and that included shipping.


@Celestial Lord and @Celestial Lord Too

 

Posted

Quote:
Originally Posted by Ultimus View Post
Wait what? When did a server get hacked? What happened?
December 20, 2005; Champion and Protector servers. The hacker was reportedly a minor, so the legal results were probably light.


 

Posted

Quote:
Originally Posted by Paragon View Post
December 20, 2005; Champion and Protector servers. The hacker was reportedly a minor, so the legal results were probably light.
So what did he do? Turn them off?


 

Posted

Quote:
Originally Posted by Ultimus View Post
So what did he do? Turn them off?
From what i recall at the time he mostly just spammed the Admin channel.
There was more excitement about it on the forums than what i saw in game.


Dr. Todt's theme.
i make stuff...