Lost Hamster
Hamster Holding Corp
Posted - 2010.11.15 10:19:00 -
[1]
Dear CCP,
I would like to ask you why there is the "security question" during the forum login, where you need to give your character name as a security measure.
I mean, that doesn't help anything. It's just an annoyance (in the current form).
Probably you ask why that is? It's strengthening the security.
Unfortunately it's not. Just log in to Evegate, and you can get all the character names. And from there you can log in to the account management.
Or log in to the game; it will reveal the same information.
So I suggest you do something: Evegate should require the character name as well when you log in from an unknown place. And probably it would be good to have the feature in the game login as well.
With these two changes, you could strengthen the access to the account management.
And now there is the question: why should we (CCP) implement this enhancement?
I guess if you take into account the amount of time/money/resources it takes to handle all the account hacking, then it is worth it.
I guess the changes would pay off after the first two months.
Please do something.
An anxious Player
-- Shields are like pants, they're supposed to come off. Armor is like the condom: once it's gone ur ****ed
CCP StevieSG
Posted - 2010.11.15 10:26:00 -
[2]
Moved to Features and Ideas from EVE General.
Lost Hamster
Hamster Holding Corp
Posted - 2010.11.15 11:21:00 -
[3]
Dear players, give your thoughts about the issue.
thelung187
Guiding Hand Social Club Dystopia Alliance
Posted - 2010.11.15 15:24:00 -
[4]
Agreed on all points, the utter lack of security beyond "hey guise change ur passwords whenevs kthx" is just utter facepalmish. Also, the lack of email confirmation when changing an account's associated email address is basically sticking your **** in the wind as far as security goes.
The smart move: use RSA-token authenticators in order to login to Eve/Evegate/account administrator.
The CCP move: business as usual, working as intended, the logs show nothing, et al.
Mara Rinn
Posted - 2010.11.15 21:54:00 -
[5]
The November 2010 crowdsourcing thread includes reviewing account security - see item #3.
Make sure you post in that thread to support account security as a priority!
-- [Aussie players: join ANZAC channel]
Abdiel Kavash
Caldari Paladin Order Fidelas Constans
Posted - 2010.11.15 23:01:00 -
[6]
A username / secret password combination is all the security anyone can ever need, if they are using it properly. Anything else is just convenience, or protecting the idiots from themselves. You will certainly not "strengthen the security" in any well-defined meaning of the term by adding security questions or multiple passwords, or even RFID tokens.
Deviana Sevidon
Gallente Panta-Rhei Butterfly Effect Alliance
Posted - 2010.11.15 23:08:00 -
[7]
An EVE security token would certainly increase the account security.
The most common reasons for account hacking are keylogging malware and phishing attempts. While phishing can be avoided with some common sense, entirely avoiding malware is more difficult. Even if you do everything right to keep your system clean, it is always possible to fall victim to a new exploit that is not yet fixed.
I have a lot of personal experience with security tokens such as the one another company uses, and it drastically reduces the risk of having an account hacked. Basically the only way to get past a security token is a man in the middle attack, and that is much more difficult to execute than it might sound.
-- Disclaimer: All mentioned above contains my opinion and is therefore an absolute truth (for me anyway, my universe, muhahaha..... ok, done)
HIT GYRL
Posted - 2010.11.17 08:41:00 -
[8]
Termination of accounts also needs a separate password.
Medarr
Amarr
Posted - 2010.11.17 19:10:00 -
[9]
Edited by: Medarr on 17/11/2010 19:11:46
Edited by: Medarr on 17/11/2010 19:10:55
Your reasoning is flawed.
EVE-gate only displays the same information as the in-game information display does. This does not allow you to link user names to character names. Unless of course you use the same name for your account... It's an extra authentication method which works assuming that only the actual owner knows his account name and character name... Now since sharing account information is against the EULA and this includes your account name...
Originally by: HIT GYRL
Termination of accounts also needs a separate password.
Now this IS a good suggestion...
Imiarr Timshae
Caldari Funny Men In Funny Hats
Posted - 2010.11.17 21:17:00 -
[10]
Originally by: CCP StevieSG
Moved to Features and Ideas from EVE General.
Love the fact that essentially a low-level backdoor to the Account Login page has been found... and fixing it is a "Features and Ideas" topic.
Feature? : Fix your ****. Ideas? : Don't make your **** so ****.
-----
Originally by: GM Horse
Remember kids, both meth and macro use are Really Quite Bad Things.
Originally by: CCP Shadow
Tragic smelting accidents.
thelung187
Guiding Hand Social Club Dystopia Alliance
Posted - 2010.11.17 21:34:00 -
[11]
Edited by: thelung187 on 17/11/2010 21:39:10
Originally by: Medarr
Your reasoning is flawed.
EVE-gate only displays the same information as the in-game information display does. This does not allow you to link user names to character names. Unless of course you use the same name for your account... It's an extra authentication method which works assuming that only the actual owner knows his account name and character name... Now since sharing account information is against the EULA and this includes your account name...
Originally by: HIT GYRL
Termination of accounts also needs a separate password.
Now this IS a good suggestion...
I think you're not understanding. Scenario:
1. Chinese hacker keylogs your password info
2. Hacker attempts to log in to your account
3. Hacker is prompted with a screen saying "Please enter the name of a character on the account."
4. Hacker does not have this information, but has read this particular post so he knows what to do, and logs into Eve Gate (or in-game if he's feeling particularly cavalier)
5. Since Eve Gate does NOT have the same type of <fingerquotes>"authentication"</fingerquotes> as the Account Manager does, he uses his keylogged account credentials to log in to Eve Gate and finds the names of the characters on the account being hacked
6. Hacker returns to the Account Manager, uses the information gleaned from Eve Gate (or in-game) to access the account, and subsequently changes the email address (with no confirmation at the old address nor separate password to confirm said change), then changes the password (which sends a confirmation to the NEW email address he just entered).
7. Hacker logs into Eve on the hacked account with no difficulty. He could have also skipped the Eve Gate step entirely and gleaned the same information using the keylogged attempt, but who wants to leave a blatantly different log of IP address out there any longer than need be?
Hope that provides clarity. The scenario described above is basically negated by a regenerating-code token-based solution (or iPhone app, or Android app; the methods of implementation are fairly... etc.):
1. Chinese hacker keylogs your password info
2. Hacker attempts to log in to your account
3. Hacker is met with a proper method of two-factor authentication via token/app-based code
4. Hacker moves on to the next account on his spreadsheet; the time involved to attempt a man-in-the-middle attack outweighs the sliding-scale probability of both getting caught, as well as the effort of laundering the isk from liquidating whatever unknown assets you may or may not have.
Also, for the record:
Originally by: Imiarr Timshae
Originally by: CCP StevieSG
Moved to Features and Ideas from EVE General.
Love the fact that essentially a low-level backdoor to the Account Login page has been found... and fixing it is a "Features and Ideas" topic.
Feature? : Fix your ****. Ideas? : Don't make your **** so ****.
Sums it up quite nicely, actually.
Lost Hamster
Hamster Holding Corp
Posted - 2010.11.18 17:02:00 -
[12]
Originally by: Imiarr Timshae
Originally by: CCP StevieSG
Moved to Features and Ideas from EVE General.
Love the fact that essentially a low-level backdoor to the Account Login page has been found... and fixing it is a "Features and Ideas" topic.
After the move that was my first reaction as well. Why Features and Ideas? It's not really an idea, it's a huge security hole in the account management.
Originally by: thelung187
I think you're not understanding. Scenario:
Wall of text.
Yep, that was exactly my theory as well. Recently a friend and a corp mate were hacked, and I was thinking how they managed to do that.
Medarr
Amarr
Posted - 2010.11.18 18:19:00 -
[13]
Edited by: Medarr on 18/11/2010 18:26:45
Edited by: Medarr on 18/11/2010 18:24:58
Edited by: Medarr on 18/11/2010 18:22:23
Originally by: thelung187
Stuff
If a hacker has a key logger running on your machine he DOESN'T need to log in to anything. He already has all available info. Nor does he need to change emails or whatever. And keyloggers running on your machine are YOUR problem and responsibility; it has nothing to do with the EVE login scheme.
Originally by: thelung187
7. Hacker logs into Eve on the hacked account with no difficulty. He could have also skipped the Eve Gate step entirely and gleaned the same information using the keylogged attempt, but who wants to leave a blatantly different log of IP address out there any longer than need be?
So? He bounces his IP off a shell account or a proxy ring; SSH accounts are perfect for this, they offer encryption and obfuscation. And as for a MITM attack... check out thoughtcrime.org, you'll be amazed how easy it is to set up a working SSL-connected man in the middle attack.
Originally by: thelung187
3. Hacker is met with a proper method of two-factor authentication via token/app-based code
Bingo, but it can still be defeated with a sniffer and a session hijack.
PS, come to think of it, if you have a keylogger running that character name isn't gonna do much in regards to security at all, because he knows that too. PPS, key loggers are out; it's memory scraping that's all the hype now.
PPPS, please don't ban me... I'll be good now.
thelung187
Guiding Hand Social Club Dystopia Alliance
Posted - 2010.11.18 18:51:00 -
[14]
Edited by: thelung187 on 18/11/2010 18:52:13
Originally by: Medarr
If a hacker has a key logger running on your machine he DOESN'T need to log in to anything. He already has all available info. Nor does he need to change emails or whatever. And keyloggers running on your machine are YOUR problem and responsibility; it has nothing to do with the EVE login scheme.
Technically untrue, since keylogger =/= screen capture (necessarily). Changing emails would be WISE on their part, otherwise you'll get your actual email box spammed with stuff like "confirming character transfer won't take place until 10 hours from now" along with "hey your password changed hope that's ok." I will grant you that personal accountability definitely is a factor here, but leaving the bank door vault open doesn't help the situation either. In my mind, it's CCP's responsibility (from an intellectual property standpoint) as well as my own to offer proper levels of security beyond "let us know how it goes."
Quote:
So? He bounces his IP off a shell account or a proxy ring; SSH accounts are perfect for this, they offer encryption and obfuscation. And as for a MITM attack... check out thoughtcrime.org, you'll be amazed how easy it is to set up a working SSL-connected man in the middle attack.
I'm not saying that using shell accounts or any other methods of re-architecting the method by which said hacker can be traced isn't viable. Hell, if he really wanted to, the guy could sit in China, open an RDP session to a box sitting in California (or wherever), and make it appear that he was using a country-local internet connection. Rather, I'm just saying that, from a simple standpoint, the cyber smash-and-grab solution is:
1. Get account info
2. Log in to hacked char
3. Convert anything available including the kitchen sink into liquid assets
4. Launder liquid ISK as quickly as possible before the network banhammer comes down on your connection (assuming such a thing exists).
5. Call it a day
Quote:
Bingo, but it can still be defeated with a sniffer and a session hijack.
PS, come to think of it, if you have a keylogger running that character name isn't gonna do much in regards to security at all, because he knows that too. PPS, key loggers are out; it's memory scraping that's all the hype now.
PPPS, please don't ban me... I'll be good now.
Let's address these individually...
1. Indeed he *could* pull the session hijack method once he's keylogged your token code, but that's good for, what, 20 seconds? I'd have to look at mine and time it; it's not much more than that. As soon as you see yourself logged off for no apparent reason, you can more or less just KEEP logging on and off until you get network-banhammered or (more likely) go to the CCP website, file a Stuck petition that says "hey, I'm being hacked right now, please lock my account for the next 24-48 hours while I format my computer." Sure it's inconvenient, but I'd rather lose 2 days of training time than X billion in assets.
2. I don't really get how the keylogger would be able to grab your name just by logging keys, as typically (well, at least with me), I don't use my character names in the account name they belong to... that's just dumb. As I said, keylogged account information means that they can just go the extra step, log in to Eve Gate, and have all the pertinent information available.
3. RAM scraping is really a non sequitur with regard to what we're talking about here. Password information isn't held within system memory (as I understand it anyways); rather the credentials are passed via network to the server itself for authentication. Even if I were to grant you the fact that RAM scraping could somehow be used on the client side, we run into two issues: first, I would have to believe that any temporary password data locally stored/transmitted would be encrypted, and second, even if it wasn't, you can't RAM-scrape a keyfob, thus rendering that authentication method as secure.
TheBooky
Posted - 2010.11.18 19:22:00 -
[15]
Edited by: TheBooky on 18/11/2010 19:23:03
I hate everyone stating that an RSA authenticator like WoW's is the way to go for this. When the authenticators came out I made a program that gave me the same key as an authenticator every time. All it takes is someone to phish for the serial of the token device with an email saying "For some reason your authenticator was deleted from the database, can you please email the serial or go to our website." to get your key. So then they would not only have your username and password, they have your exact authenticator for all intents and purposes, and you also have a $6.50 hunk of useless plastic. As for the session hijacking, they have it for anywhere from 5-15 minutes to log in. In that time they can do irreparable harm to your account or even take the authenticator off entirely.
Lost Hamster
Hamster Holding Corp
Posted - 2010.11.18 19:54:00 -
[16]
Originally by: Medarr
If a hacker has a key logger running on your machine he DOESN'T need to log in to anything. He already has all available info. Nor does he need to change emails or whatever. And keyloggers running on your machine are YOUR problem and responsibility; it has nothing to do with the EVE login scheme.
Actually, from the info I got from friends (who got hacked), the hacker is changing the email address, so when you notice that you can not log in to the game, you can not reset the password, as the new password mail goes to the new mail address.
They need time to liquidate everything on your account, initiate a character sale, etc.
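The missing confirmation step thelung187 (post [4], step 6 of post [11]) and Lost Hamster (post [16]) describe, as an added example that is not code from this thread or from CCP's account management: a hypothetical backend in which an address change is only applied after the old mailbox approves it, and password-reset mail always goes to the confirmed address. Account names, addresses and message strings are constructed.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Account:
    email: str                                    # confirmed contact address
    pending_email: Optional[str] = None           # requested new address, not yet live
    pending_token: Optional[str] = None           # one-time token mailed to the OLD address
    outbox: List[Tuple[str, str]] = field(default_factory=list)  # (recipient, message)


class AccountManager:
    """Hypothetical account-management backend (constructed example). The old
    mailbox must approve an address change, and resets and notices go to the
    confirmed address, never to an unconfirmed one."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def request_email_change(self, user: str, new_email: str) -> None:
        acct = self.accounts[user]
        acct.pending_email = new_email
        acct.pending_token = secrets.token_urlsafe(16)
        # Approval goes to the CURRENT address: someone holding only the login
        # cannot redirect reset mail to a mailbox they control.
        acct.outbox.append((acct.email, f"confirm-email-change:{acct.pending_token}"))

    def confirm_email_change(self, user: str, token: str) -> bool:
        acct = self.accounts[user]
        if acct.pending_token is None or not hmac.compare_digest(acct.pending_token, token):
            return False
        old = acct.email
        acct.email, acct.pending_email, acct.pending_token = acct.pending_email, None, None
        acct.outbox.append((old, "notice: email address changed"))  # old address is still told
        return True

    def send_password_reset(self, user: str) -> str:
        """Mail a reset link and return the address it went to (always the confirmed one)."""
        acct = self.accounts[user]
        acct.outbox.append((acct.email, "password-reset-link"))
        return acct.email
```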
Medarr
Amarr
Posted - 2010.11.18 20:32:00 -
[17]
"Keyloggers" is just a word. They have evolved quite a bit. As for memory scraping... lol, you'd be amazed.
Originally by: http://wiredbytes.com/node/6
I looked up the PID (process identification number) of the browser by using Microsoft Sysinternals' pslist command line tool.
    C:\hacktools>pslist chrome
    ...
    Name     Pid   Pri  Thd  Hnd  Priv   CPU Time     Elapsed Time
    chrome   2440  8    28   582  34892  0:02:13.609  7:59:29.048
Alternatively, you can use Windows's task manager to get the PID as well.
Armed with the PID of the process I want, I run pmdump and output the data to a text file.
    pmdump 2440 chrome_pmdump.txt
This produced a huge 124 MB file which represented the memory space that chrome was using.
I opened up Windows Grep (http://www.wingrep.com/) and searched for the first four letters of my bank account password. Wow, my password was there in clear text 5 times.
Now this will be my last post; if you want to know more you can send me an EVE message, we can talk on IRC or something.