GM Grimmi
|
Posted - 2009.07.28 16:12:00 -
[1]
We currently have problems with accounts being hacked and cleaned out of ISK and assets. The perpetrators are ISK sellers and we are mercilessly reversing all transactions from them. ISK buyers beware that we will track down and remove ISK received from the ISK sellers even if it means putting wallets into the negative. We also would like to add that buying in-game items, aside from PLEX, for real-world money is strictly prohibited by our EULA and action may be taken against those found doing it.
A lot of the security issues stem from links being posted on the forums and players should be extremely wary of opening links as they are very likely to install keyloggers/Trojans and subsequently result in accounts being ruined.
Lastly, the internet is a dangerous place so keep your anti-virus software current and click with care.
GM Grimmi
Lead Game Master
EVE CSS |
|
Tiny Tove
|
Posted - 2009.07.28 16:13:00 -
[2]
Edited by: Tiny Tove on 28/07/2009 16:14:52
Separate passwords for forum/website and game server please.
Oh hang on, that's not a 100% guaranteed fix, I'd better just get flamed for wanting a 5% chance of fixing part of a problem.
|
iP0D
|
Posted - 2009.07.28 16:16:00 -
[3]
Originally by: Tiny Tove
Separate passwords for forum/website and game server please.
Indeed.
|
Leaving Eve
Boo Hoo Federation
|
Posted - 2009.07.28 16:16:00 -
[4]
buying isk is for losers
|
ArmyOfMe
The Athiest Syndicate Advocated Destruction
|
Posted - 2009.07.28 16:21:00 -
[5]
lol, I'm safe at least then since I'm broke as heck these days
|
iP0D
|
Posted - 2009.07.28 16:29:00 -
[6]
Originally by: ArmyOfMe
lol, I'm safe at least then since I'm broke as heck these days
They might just prostitute or sell you straight up, be careful
|
LordSwift
Caldari
|
Posted - 2009.07.28 16:35:00 -
[7]
Why has it got worse all of a sudden? Is this revenge attacks from the isk sellers and macro players that got mass banned a few weeks ago?
Join the brown Coats today!!!
|
FingerThief
Gallente
|
Posted - 2009.07.28 16:38:00 -
[8]
Originally by: LordSwift
Why has it got worse all of a sudden? Is this revenge attacks from the isk sellers and macro players that got mass banned a few weeks ago?
Most likely. Don't think that CCP disclosed much about it. Fighting like Don Quixote, one windmill at a time.
|
Tiny Tove
|
Posted - 2009.07.28 16:40:00 -
[9]
My online bank has two passwords for my account. One password is plain typed. So I might have to type in "mybankpassword" during the first part of the login process.
The other is entered on the next page, but they do not ask me to type anything. Instead they ask me to use drop-down boxes to select letters.
Suppose my 2nd password was "can1hazyourstuff" they might say:- "Please select the 2nd, 4th and 11th letters of your 2nd password"
And I would use the 3 drop down boxes to enter "a", "1" and "r"
In that way, somebody would have to physically record me visually logging in many times to get my 2nd password.
Whether this is suitable for game server access... I don't know.
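An added example, not part of the original post: a server-side sketch of the "select the Nth letters" check described above. The class and parameter names are hypothetical, and it assumes the server can read the second password back, since a one-way hash of the whole password cannot answer questions about single characters.

```python
import hmac
import secrets


class PartialPasswordChallenge:
    """Server side of a 'select the Nth letters' second-password check."""

    def __init__(self, second_password, picks=3, max_failures=3):
        # Assumption: the secret is recoverable server-side (e.g. encrypted at rest).
        self._secret = second_password
        self._picks = picks
        self._max_failures = max_failures
        self._failures = 0
        self._positions = None  # outstanding challenge, 1-based positions

    def issue(self, positions=None):
        """Return the positions to ask for.

        The outstanding positions are re-used until answered correctly, so
        reloading the login page cannot be used to fish for positions an
        observer has already captured. `positions` is only for demos/tests.
        """
        if self._positions is None:
            if positions is None:
                rng = secrets.SystemRandom()
                positions = rng.sample(range(1, len(self._secret) + 1), self._picks)
            self._positions = sorted(positions)
        return list(self._positions)

    def verify(self, answers):
        """Check the characters supplied for the outstanding challenge."""
        if self._positions is None or self._failures >= self._max_failures:
            return False  # nothing asked yet, or locked after repeated failures
        expected = "".join(self._secret[p - 1] for p in self._positions)
        ok = hmac.compare_digest(expected.encode(), "".join(answers).encode())
        if ok:
            self._positions, self._failures = None, 0
        else:
            self._failures += 1
        return ok


if __name__ == "__main__":
    # The post's own example: 2nd, 4th and 11th letters of "can1hazyourstuff".
    challenge = PartialPasswordChallenge("can1hazyourstuff")
    print(challenge.issue([2, 4, 11]), challenge.verify(["a", "1", "r"]))
```

Each successful login still exposes the selected characters to anything that can see the drop-down choices, so the scheme slows down capture of the second password rather than preventing it.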
|
LordSwift
Caldari
|
Posted - 2009.07.28 16:48:00 -
[10]
My brother's bank account sent him a keychain password generator thingy. Site gave him a code and he had to give the answer using this keychain thing. But I don't know how CCP would link each keychain to an account. And might be expensive.
Join the brown Coats today!!!
|
Regat Kozovv
Caldari Alcothology
|
Posted - 2009.07.28 16:50:00 -
[11]
I really do think that offering a two-factor authentication system would help with this issue.
Certainly it's not feasible to equip every account with one, but I'm sure there are many with large assets that wouldn't mind paying for the extra layer of security in case a password was compromised.
It's not a quick fix, but it might help reduce the number of serious cases in the future.
In any case, good luck and fight the good fight. =)
(Footnote: For those unfamiliar with two-factor authentication, this combines something you "know", i.e. a password, with something you "have" (RSA SecurID token) or something you "are", as in a biometric. WoW's use of RSA's SecurID is probably the most well known.)
|
Scott Ryder
Amarr Suns Of Korhal
|
Posted - 2009.07.28 16:52:00 -
[12]
Edited by: Scott Ryder on 28/07/2009 16:54:36
Originally by: LordSwift
My brother's bank account sent him a keychain password generator thingy. Site gave him a code and he had to give the answer using this keychain thing. But I don't know how CCP would link each keychain to an account. And might be expensive.
I got another system than keychain; a lot of web-based services also use cell phone. Works like this: You enter your first password and click ok. Then an SMS is sent to your mobile with a secondary code.
They would have to steal my phone as well
Edit: how about if CCP also takes some action and temporarily disables links referring to sites not belonging to CCP's domain?
|
LordSwift
Caldari
|
Posted - 2009.07.28 16:54:00 -
[13]
Either way it's time for a security overhaul me thinks.
Join the brown Coats today!!!
|
Abrazzar
|
Posted - 2009.07.28 16:57:00 -
[14]
Originally by: LordSwift
Either way it's time for a security overhaul me thinks.
A security overhaul will do little to nothing if people can't keep their computers from getting compromised.
-------- Ideas for: Mining
|
Angel Lightbringer
Caldari Nexus Shipyards
|
Posted - 2009.07.28 17:01:00 -
[15]
Originally by: Scott Ryder
Edit: how about if CCP also takes some action and temporarily disables links referring to sites not belonging to CCP's domain?
This plus Chribba's sites yes? eve-search, eve-files... do not belong to CCP btw..
-Angel
|
LordSwift
Caldari
|
Posted - 2009.07.28 17:06:00 -
[16]
Originally by: Abrazzar
Originally by: LordSwift
Either way it's time for a security overhaul me thinks.
A security overhaul will do little to nothing if people can't keep their computers from getting compromised.
Very true. Guess the only way around it is to be sensible about what you click, but still would be nice to not have to worry anymore.
Join the brown Coats today!!!
|
Regat Kozovv
Caldari Alcothology
|
Posted - 2009.07.28 17:07:00 -
[17]
Originally by: Angel Lightbringer
Originally by: Scott Ryder
Edit: how about if CCP also takes some action and temporarily disables links referring to sites not belonging to CCP's domain?
This plus Chribba's sites yes? eve-search, eve-files... do not belong to CCP btw..
When I read that I immediately thought of those sites. But actually, I think they should be blocked as well. (Sorry Chribba!!!)
The reason I say that is because it's entirely possible that said attacker could then try hosting malware on the EVE Files site, and use the filter exception for that site to deliver it to eveonline.com. Chribba could then start cancelling accounts, but he could very well soon find himself fighting a similar battle to the one being conducted on the EVE boards. Might be better to avoid that battle altogether if possible.
Banning all links is an extreme step, but one that could be used as a last resort.
|
Elaron
Jericho Fraction The Star Fraction
|
Posted - 2009.07.28 17:12:00 -
[18]
This is coinciding with a wave of EVE account phishing emails as well. People would be advised to check the links on any EVE related emails they receive.
|
Regat Kozovv
Caldari Alcothology
|
Posted - 2009.07.28 17:18:00 -
[19]
Originally by: Abrazzar
Originally by: LordSwift
Either way it's time for a security overhaul me thinks.
A security overhaul will do little to nothing if people can't keep their computers from getting compromised.
Unfortunately this is really the kicker. The forum spam is but a minor nuisance, hacked accounts are much more serious.
"If a bad guy can persuade you to run his program on your computer, it's not your computer anymore." I read once. Really the ultimate protection is good PC security, and 90% of that is simply following best practices. In the meantime, the best CCP can do is try and mitigate the effects of that should your PC become compromised.
Separating the forum and client passwords compartmentalizes the damage somewhat, but if a keylogger is being installed on the box, then you really have to assume everything is at risk at that point. Any keystrokes typed into the PC, whether then or later, are at risk. They'll simply get one set of credentials for the forum, and another for the client. It's not hard to imagine that other sites requiring passwords could be at risk as well.
Having a two-factor authentication system as some have suggested would definitely remove this risk to a large degree. Forcing this system on everyone would be difficult, and I would find it fair if CCP were to charge us for the cost of the token should we choose to use it.
It would be important to note though, that even if the EVE accounts were somehow made safe, that leaves all other accounts one may access at risk if they were indeed compromised through the forums. I'm sure many people realize this, but I cannot stress it enough. If you've been affected, get on another computer, and change your passwords.
|
Fortuna Cournot
Caldari Perkone
|
Posted - 2009.07.28 17:18:00 -
[20]
I suggest CCP allows players to restrict logins to some IP range. This is no real protection, but since it is a worldwide game, it may significantly reduce the chance of hacking an account.
Someone with hacking level 5 knows better?
------ ineve.net Character Skill Showroom
|
|
Chribba
Otherworld Enterprises Otherworld Empire
|
Posted - 2009.07.28 17:27:00 -
[21]
While I of course would think it be sad to see links to EVE-Search and EVE-Files be nerfed in some way, if it's needed I will understand.
As for the services themselves, I do run multiple up-to-date malware/anti-virus solutions on them to prevent anything from being uploaded that shouldn't be there, or for that sake mirrored on EVE-Search (I manually try to remove those non-friendly images/links).
Of course anyone that does notice anything that shouldn't belong on either is more than welcome to use the SMS feature on EVE-Files to contact me urgently. It would be much appreciated if you do.
Anything triggering a notice in any of the filter layers I do use is removed/disabled rather than kept, that applies to false-virus alerts and likewise, just so you know. And if that happens to your files/posts and it indeed is a wrong alert, contact me and I will re-enable it again after verification.
/c
|
|
Regat Kozovv
Caldari Alcothology
|
Posted - 2009.07.28 17:37:00 -
[22]
Originally by: Fortuna Cournot
I suggest CCP allows players to restrict logins to some IP range. This is no real protection, but since it is a worldwide game, it may significantly reduce the chance of hacking an account.
Someone with hacking level 5 knows better?
It certainly could work for a while, but at a price. To be effective, an entire range or subnet would need to be blocked, and these are most often belonging to ISPs. You'd no doubt cut off some players in the process.
But it would be a stop-gap measure at best. IP offers no built-in security, and it's relatively easy to forge packets with a false source address.
Whether the current attackers are sophisticated enough to do this is another matter. There's a bunch of things they could or could not do, depending on the time and effort they are willing to expend towards these ends. But the troubling aspect of computer security is that most attacks are cheap to execute, and it only takes one or two compromised financial accounts to make the whole venture worthwhile.
CCP's challenge will be to make it infeasible for an attacker to invest the time and effort required for such a minimal payout. This means mitigating both the likelihood an account will be compromised (reducing spam on the forums) as well as the potential impact (the information gained through a compromised account will not yield significant rewards). For the latter there's only so much they can do since they cannot secure their customers' PCs for them.
I really cannot think of a sure-fire way to fix all of this. Any potential solution will impact the user base in some way, shape, or form. Hopefully the end result will be something we'll all be willing to live with, whether by accepting additional inconvenience or risk.
|
Fortuna Cournot
Caldari Perkone
|
Posted - 2009.07.28 17:46:00 -
[23]
Originally by: Regat Kozovv
IP offers no built-in security, and it's relatively easy to forge packets with a false source address.
I didn't say it is perfect. But coupled with Route knowledge of ISPs it could be a little bit perfected.
------ ineve.net Character Skill Showroom
|
Serpents smile
|
Posted - 2009.07.28 17:47:00 -
[24]
I don't get this, you're playing a game called 'EVE' where you need to be 'uber' paranoid not even being able to trust your next of kin, yet you Windows users blindly fall into the first open trap laid before you.
What the heck is wrong with you guys? You all suffering from 'this happens to somebody else but not to me' syndrome?
|
Agent Known
Apotheosis of Virtue
|
Posted - 2009.07.28 17:48:00 -
[25]
I think what he means by IP restriction is to record the IP that you login as, and then restrict further logins to that subnet (like 255.255.0.0 subnet) unless that user clears this setting on a secure website using dual-layer authentication (private keys anyone?).
Sure, this would be more of a pain, but it would really help against account theft.
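An added example, not part of the original post or of any CCP system: a sketch of the login pinning described above, with the 255.255.0.0 mask written as a /16 prefix. The `SubnetPin` class, the /48 prefix for IPv6 and the `second_factor_ok` flag are assumptions, and the addresses are constructed from documentation ranges.

```python
import ipaddress


class SubnetPin:
    """Pin each account to the network of its first login (hypothetical helper)."""

    def __init__(self, prefix_v4=16, prefix_v6=48):
        self.prefix = {4: prefix_v4, 6: prefix_v6}  # /16 == mask 255.255.0.0
        self.pins = {}  # account name -> pinned ip_network

    def check_login(self, account, ip_text):
        """Return 'pinned', 'allowed' or 'denied'; call only after the password verified."""
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            return "denied"  # unparsable source address
        pinned = self.pins.get(account)
        if pinned is None:
            # First login: remember the surrounding network, not the single host.
            self.pins[account] = ipaddress.ip_network(
                f"{ip}/{self.prefix[ip.version]}", strict=False)
            return "pinned"
        # An IPv4 address is never "in" an IPv6 network and vice versa.
        return "allowed" if ip in pinned else "denied"

    def clear_pin(self, account, second_factor_ok):
        """Drop the pin only when the separate second-factor check succeeded."""
        if second_factor_ok and account in self.pins:
            del self.pins[account]
            return True
        return False


if __name__ == "__main__":
    pin = SubnetPin()
    # Constructed sample logins for one account.
    for source in ("203.0.113.7", "203.0.200.9", "198.51.100.4"):
        print(source, pin.check_login("pilot", source))
```

The second sample address is accepted because it shares the /16 with the first, which shows how wide the pinned range is: a player whose ISP hands out addresses across several ranges is locked out, while any other host inside the same range is not.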
|
Gone'Postal
Void Engineers Mass - Effect
|
Posted - 2009.07.28 17:50:00 -
[26]
Who would have guessed?? With all the forum crap that's been going on of late.
Sep passwords for site and game please.
Originally by: masternerdguy
Officer mods aren't spread out because the bpos are inaccessible to 99% of eve.
|
Black Leather
|
Posted - 2009.07.28 17:50:00 -
[27]
EVE is one of the least hacked games I have played online, and the only MMO.
Gamers who play 'real' games online seem to be a much more savvy bunch than your average Joe that plays the 'click button, go for a leak, come back and see if I won' type MMO games. And although they whine and cry and wave the epeen on the respective forums just as much as here, when it comes to the security of the game they are playing, they are surprisingly solid and helpful. No one who plays a game with as many cheats as, say, CS, will give a snarky answer to a "how do I stop 'X problem' from happening?"
It's not hard to avoid having your computer compromised. It requires only common sense and a little tiny bit of knowledge.
Hell, most real gamers I know don't run any active protection (antivirus etc) due to trying to eke out every last frame rate increase out of their machines and not waste a single cpu clock cycle on anything but the sole purpose of having a slight advantage over their opponent. How many problems do they have compared to the average EVE player? None, or at least, very few.
Common sense folks, common sense.
Don't blame EVE, blame only yourselves for being too lazy to protect your own computer.
|
Agent Known
Apotheosis of Virtue
|
Posted - 2009.07.28 17:51:00 -
[28]
Maybe now's also the time to restart Linux support. No more keyloggers!
|
Maria Kalista
Amarr Emerald Forest Securities
|
Posted - 2009.07.28 17:55:00 -
[29]
Originally by: Agent Known
Maybe now's also the time to restart Linux support. No more keyloggers!
Luckily Mac support still exists. No keyloggers here either.
Originally by: Jacharian
This sounds like a bad idea. I'm in.
|
Regat Kozovv
Caldari Alcothology
|
Posted - 2009.07.28 18:01:00 -
[30]
Originally by: Fortuna Cournot
Originally by: Regat Kozovv
IP offers no built-in security, and it's relatively easy to forge packets with a false source address.
I didn't say it is perfect. But coupled with Route knowledge of ISPs it could be a little bit perfected.
Absolutely. In that case it would just be a matter of how much collateral damage CCP would be willing to take as there's the risk of blocking legitimate attackers as well. The answer to that really depends on where the attacks are originating from compared to where the player base largely originates from.
But the real kicker is whether or not the attacker is using any methods to hide his true origin, and unfortunately this is relatively easy to do. Packet forging is one method, but the possibility of botnets or otherwise remotely controlled machines/proxies makes it difficult. Color me unsurprised if one did a traceroute on the origin of some of these logins and found that they originated from ISP networks in the U.S., Western Europe, or other markets with large gaming communities. =(
|