Lorelei Lee
Posted - 2010.11.30 09:55:00 - [1]
Problem: account passwords get found out, and their owners get robbed.
Some of us have been around for a while and have major assets in the game -- thousands of dollars' worth of assets. We wouldn't like to lose them to some keylogger program that snuck onto our machine while we were browsing ****. I, for one, would go the extra mile to protect my assets, perhaps pay a higher monthly fee for extra security, if it was available.
Suggestion: provide an option of premium authentication that cannot be hacked with a keylogger: RSA SecurID.
For those who don't know, a SecurID token is a physical device that you can wear on your keychain. It displays a number that changes every minute and cannot be predicted. Whenever you log in to Eve, you pull out your token and look at it, enter the currently showing number along with your password, and the server lets you in. One minute later, this number won't let you in anymore. Now even if some evildoer types in exactly what you typed in, they won't get in. Now nobody can get your stuff without physically assaulting you, in real life, to steal your token. More information here: http://en.wikipedia.org/wiki/SecurID.
XxCirke LinexX
Posted - 2010.11.30 11:13:00 - [2]
This would actually be a really cool idea.
Mara Rinn
Posted - 2010.11.30 11:40:00 - [3]
Just be aware that RSA tokens are not a silver bullet solution. They are still vulnerable to "man in the middle" attacks: i.e.: a keylogger intercepting your keystrokes and transmitting them to someone else (e.g.: software residing in some zombie network) in real time, so they can log into your account before you can.
-- [Aussie players: join ANZAC channel]
De'Veldrin
Minmatar Green-Core The Obsidian Legion
Posted - 2010.11.30 14:12:00 - [4]
Edited by: De'Veldrin on 30/11/2010 14:13:02
Originally by: Mara Rinn Just be aware that RSA tokens are not a silver bullet solution. They are still vulnerable to "man in the middle" attacks: i.e.: a keylogger intercepting your keystrokes and transmitting them to someone else (e.g.: software residing in some zombie network) in real time, so they can log into your account before you can.
While this is true, because of the way Eve's login structure works, you would then immediately log them out because last one with the right password wins (try it - I do this to myself all the time. Log in with your client, then open a second copy and log in the same account - first window goes poof!).
While this is also not a silver bullet (they could send their login after yours should be completed) you would then have a visual cue that something is amiss, and could do something about it much faster. Edit: Remember - they only have a MAX of 60 seconds to use the purloined information - after that the RSA token updates, and the stolen code is no good anymore.
That said, I have always supported optional RSA tokens for eve as a way to cut down on account hacks. Those who want to participate can, those who don't, don't have to. I'd even be willing to pay a $25 or $30 one time fee for the token setup. (PLEX for RSA anyone?) --Vel
thelung187
Guiding Hand Social Club Dystopia Alliance
Posted - 2010.11.30 15:07:00 - [5]
+1, I suggested this in another thread about security a week or so ago, and I still believe it to be a much better method of mitigating account security risks versus the existing "let's hope for the best" implementation.
shady trader
Posted - 2010.11.30 20:08:00 - [6]
CCP have looked at this in the past and it is not cost effective given their user base.
Think how much it costs to get anything shipped from the Eve store, as well as the extra costs CCP would have to pay for the authentication licence. It's something like £35 a year per token for corporations (I used to handle them for a large corporation). So unless CCP developed their own one from scratch and paid someone to build them, it's not cost effective.
There is a Dev post stating that it is not cost effective somewhere.
Macrointel, the place where the natural order of the universe does not hold sway. Pirates and ore thieves are congratulated by carebears for their actions.
Valandril
Caldari Ex-Mortis
Posted - 2010.11.30 20:14:00 - [7]
This provides only a false sense of security, which makes people care less about trojans, which in the end causes more hacks.
Recruit me if you dare
De'Veldrin
Minmatar Green-Core The Obsidian Legion
Posted - 2010.11.30 20:31:00 - [8]
Originally by: Valandril This provides only false sense of security ...
The same could be said about passwords really. The only form of fool proof computer security is to never use one for anything.
Ever.
This isn't about making accounts unhackable - that's impossible. This is about making them less easily hacked, and that is exactly what it will do.
As for the cost efficiency thing, I'd be curious to know how long ago CCP looked at it and what the relative costs would be now as compared to then given the (presumably) expanding player base. --Vel
Valandril
Caldari Ex-Mortis
Posted - 2010.11.30 20:52:00 - [9]
Edited by: Valandril on 30/11/2010 20:56:59
Originally by: De'Veldrin
Originally by: Valandril This provides only false sense of security ...
The same could be said about passwords really. The only form of fool proof computer security is to never use one for anything.
Ever.
This isn't about making accounts unhackable - that's impossible. This is about making them less easily hacked, and that is exactly what it will do.
As for the cost efficiency thing, I'd be curious to know how long ago CCP looked at it and what the relative costs would be now as compared to then given the (presumably) expanding player base.
Not really, an external firewall and common sense fill all your security needs (if set up properly). And using a 2nd password doesn't give you ANY protection vs trojans, which are the leading cause of hacks. So how does it make accounts less hackable? And then every idiot will open wiki and think "oh it's 100% secure, now I can launch hot2lesians.avi.exe and be safe".
And yes, we do NOT need a password; all we would really need is a login AND "show that to other people", not much of news and a reason why for the most part sites drop the idea of a login for which your email is used.
Recruit me if you dare
De'Veldrin
Minmatar Green-Core The Obsidian Legion
Posted - 2010.11.30 22:56:00 - [10]
Originally by: Valandril Not really, external firewall and common sense fills all your security needs (if set up properly).
Because firewalls never get hacked and information stolen.
--Vel
Valandril
Caldari Ex-Mortis
Posted - 2010.11.30 23:11:00 - [11]
Originally by: De'Veldrin
Originally by: Valandril Not really, external firewall and common sense fills all your security needs (if set up properly).
Because firewalls never get hacked and information stolen.
Keep on talking more bull****. Do you have any idea what resources it would take just to get access to said firewall (at home you don't need a public IP)? Stop watching Swordfish.
Recruit me if you dare
De'Veldrin
Minmatar Green-Core The Obsidian Legion
Posted - 2010.11.30 23:33:00 - [12]
Originally by: Valandril
Originally by: De'Veldrin
Originally by: Valandril Not really, external firewall and common sense fills all your security needs (if set up properly).
Because firewalls never get hacked and information stolen.
Keep on talking more bull****. Do you have any idea what resources it would take just to get access to said firewall (at home you don't need a public IP)? Stop watching Swordfish.
I'm not the one implying that a firewall is some kind of impenetrable forcefield of Internet protection. --Vel
Valandril
Caldari Ex-Mortis
Posted - 2010.11.30 23:35:00 - [13]
Originally by: De'Veldrin
Originally by: Valandril
Originally by: De'Veldrin
Originally by: Valandril Not really, external firewall and common sense fills all your security needs (if set up properly).
Because firewalls never get hacked and information stolen.
Keep on talking more bull****. Do you have any idea what resources it would take just to get access to said firewall (at home you don't need a public IP)? Stop watching Swordfish.
I'm not the one implying that a firewall is some kind of impenetrable forcefield of Internet protection.
Yes you are, or you can't read. Same effect really, so the cause doesn't carry importance.
Recruit me if you dare
Lorelei Lee
Posted - 2010.11.30 23:52:00 - [14]
Originally by: De'Veldrin As for the cost efficiency thing, I'd be curious to know how long ago CCP looked at it and what the relative costs would be now as compared to then given the (presumably) expanding player base.
Also given the (definitely) expanding amount of assets certain players have accumulated since then, making them more willing to pay to protect said assets.
Originally by: Valandril Not really, external firewall and common sense fills all your security needs (if set up properly).
How many people, do you think, can set up their firewall properly? I certainly can't. I am a programmer, not a sysadmin.
Originally by: De'Veldrin While this is true, because of the way Eve's login structure works, you would then immediately log them out because last one with the right password wins (try it - I do this to myself all the time. Log in with your client, then open a second copy and log in the same account - first window goes poof!).
Actually, I think the best thing would be for the server to boot both people if they log in with the same login code, and throw up a fat error message about hackers. For added protection, they could make all major asset management features not work until the used login code expires. This still does not protect against a true man-in-the-middle attack, but I don't think anything can prevent that, not even a firewall.
Valandril
Caldari Ex-Mortis
Posted - 2010.12.01 00:07:00 - [15]
Originally by: Lorelei Lee
Originally by: De'Veldrin As for the cost efficiency thing, I'd be curious to know how long ago CCP looked at it and what the relative costs would be now as compared to then given the (presumably) expanding player base.
Also given the (definitely) expanding amount of assets certain players have accumulated since then, making them more willing to pay to protect said assets.
Originally by: Valandril Not really, external firewall and common sense fills all your security needs (if set up properly).
How many people, do you think, can set up their firewall properly? I certainly can't. I am a programmer, not a sysadmin.
Originally by: De'Veldrin While this is true, because of the way Eve's login structure works, you would then immediately log them out because last one with the right password wins (try it - I do this to myself all the time. Log in with your client, then open a second copy and log in the same account - first window goes poof!).
Actually, I think the best thing would be for the server to boot both people if they log in with the same login code, and throw up a fat error message about hackers. For added protection, they could make all major asset management features not work until the used login code expires. This still does not protect against a true man-in-the-middle attack, but I don't think anything can prevent that, not even a firewall.
That's why we have such a thing as professional administrators whom we can hire to set it up for us. I know, it never crossed your mind.
Judging from the 3rd portion of that post you are a terrible programmer, php4+html I guess?
Recruit me if you dare
Lorelei Lee
Posted - 2010.12.01 01:31:00 - [16]
Originally by: Valandril That's why we have such thing as professional administrators which we can hire to set it up for us. I know, never crossed your mind.
Do you expect me, a regular user of EVE Online, to hire a professional administrator to set up my home network so I can safely play my game? I am not that dedicated. Also, that means I can only enjoy this wonderful security from my home. If I ever log in from elsewhere, I am back to trusting the integrity of my laptop.
Originally by: Valandril Judging from 3rd portion of that post you are a terrible programmer, php4+html i guess ?
You disparage my point and you disparage me based upon it, but you offer no indication as to what might be wrong with said point. I believe this is known as an unmitigated personal attack. Please explain what is so wrong with my suggestion as to prompt you to infer which languages I might know.
Valandril
Caldari Ex-Mortis
Posted - 2010.12.01 02:51:00 - [17]
Edited by: Valandril on 01/12/2010 02:53:34
Originally by: Lorelei Lee
Originally by: Valandril That's why we have such thing as professional administrators which we can hire to set it up for us. I know, never crossed your mind.
Do you expect me, a regular user of EVE Online, to hire a professional administrator to set up my home network so I can safely play my game? I am not that dedicated. Also, that means I can only enjoy this wonderful security from my home. If I ever log in from elsewhere, I am back to trusting the integrity of my laptop.
Originally by: Valandril Judging from 3rd portion of that post you are a terrible programmer, php4+html i guess ?
You disparage my point and you disparage me based upon it, but you offer no indication as to what might be wrong with said point. I believe this is known as an unmitigated personal attack. Please explain what is so wrong with my suggestion as to prompt you to infer which languages I might know.
You mean "should you pay $200 to get a proper home network setup and keep your $3000 PC, email, bank accounts secure"? Yep, you should. If you were to buy a home alarm system would you install that yourself too?
Why would I bother to explain? I don't want to hire you, so your improvement of knowledge and ability to think is of no value to me. You can google around and figure out how trojans that bypass 3rd party keys work.
Recruit me if you dare
Mara Rinn
Posted - 2010.12.01 03:38:00 - [18]
Edited by: Mara Rinn on 01/12/2010 03:39:38
Originally by: De'Veldrin While this is true, because of the way Eve's login structure works, you would then immediately log them out because last one with the right password wins (try it - I do this to myself all the time. Log in with your client, then open a second copy and log in the same account - first window goes poof!).
That is true, which just means that the impostor has to log in to the web site instead of the game. Intercepting a couple of your RSA authentication codes should be enough to change your password and disassociate the RSA token from your account.
The major flaw with the "secure token" line of thinking is the assumption that the user's computer can be trusted.
-- [Aussie players: join ANZAC channel]
Lorelei Lee
Posted - 2010.12.01 04:22:00 - [19]
Originally by: Mara Rinn
That is true, which just means that the impostor has to log in to the web site instead of the game. Intercepting a couple of your RSA authentication codes should be enough to change your password and disassociate the RSA token from your account.
The major flaw with the "secure token" line of thinking is the assumption that the user's computer can be trusted.
There are ways to get around this particular hurdle. Basically, if the use of the same code is attempted more than once (including from the website), both users have to get booted and all their changes undone (that are possible to undo). That at least notifies the legitimate user that something is going on. At that point he can take some kind of action (put a hold on his account, whatever) and investigate.
The problem is, your overall point holds. A sophisticated hack could alter the Eve executable on disk or in memory, watch you play quietly, and take over once you've been AFK for half an hour. Unfortunately that's a risk most of us will have to live with, while the overdedicated among us get professional firewalls and switch to Linux.
CCP Spitfire
Posted - 2010.12.01 08:26:00 - [20]
Personal attacks removed. Please keep the discussion on topic.
Spitfire Community Representative CCP Hf, EVE Online
Shiho Weitong
Caldari Koa Mai Hoku
Posted - 2010.12.01 10:27:00 - [21]
Originally by: Lorelei Lee Problem: account passwords get found out, and their owners get robbed.
Some of us have been around for a while and have major assets in the game -- thousands of dollars' worth of assets. We wouldn't like to lose them to some keylogger program that snuck onto our machine while we were browsing ****. I, for one, would go the extra mile to protect my assets, perhaps pay a higher monthly fee for extra security, if it was available.
Suggestion: provide an option of premium authentication that cannot be hacked with a keylogger: RSA SecurID.
For those who don't know, a SecurID token is a physical device that you can wear on your keychain. It displays a number that changes every minute and cannot be predicted. Whenever you log in to Eve, you pull out your token and look at it, enter the currently showing number along with your password, and the server lets you in. One minute later, this number won't let you in anymore. Now even if some evildoer types in exactly what you typed in, they won't get in. Now nobody can get your stuff without physically assaulting you, in real life, to steal your token. More information here: http://en.wikipedia.org/wiki/SecurID.
Completely awesome. Do want.
Make it spiffy and Eve-like and I'll pay a one-timer of £50 happily.
----------- Why is it called common sense, when it's clearly very rare.
I had a mind once, but alas, I seem to have forgotten where I left it.
Originally by: Tchell Dahhn You win, and thank you.
LiBressa
Posted - 2010.12.01 12:50:00 - [22]
Err... it's a yearly charge of £50 roughly. I know... I have a contract with RSA for 80 of them. Then there's the maintenance and support contract and the cost of the RADIUS server.
If you can't keep your passwords secure then you're failing at the principles stated by CCP or hiding the fact that you're using 3rd party software.
ghosttr
Amarr ARK-CORP Intrepid Crossing
Posted - 2010.12.01 13:07:00 - [23]
The best thing to do would be to add a challenge question at the login screen, when you logon from a different ip.
Also CCP should require account names to be different from the character names, as well as specify a password 'strength' (numbers, letters, capitalization, min length, notification to change pw after x amount of time), that sort of thing.
Prospecting!
Medarr
Amarr
Posted - 2010.12.01 15:06:00 - [24]
Edited by: Medarr on 01/12/2010 15:09:38
Originally by: Valandril Not really, external firewall and common sense fills all your security needs (if set up properly). And using 2nd password doesn't give you ANY protection vs trojans which is the leading cause of hacks.
This is by far the biggest load of bull**** I've ever seen.. careful you don't drown in it.
Also please refrain from posting such nonsense. You put other less educated people at risk with your false claims.
Originally by: Lorelei Lee
....while the overdedicated among us get professional firewalls and switch to Linux.
And Linux doesn't have a ****load of remote exploits? Or Mac for that matter?
De'Veldrin
Minmatar Green-Core The Obsidian Legion
Posted - 2010.12.01 16:43:00 - [25]
Originally by: Medarr
Originally by: Valandril Not really, external firewall and common sense fills all your security needs (if set up properly). And using 2nd password doesn't give you ANY protection vs trojans which is the leading cause of hacks.
This is by far the biggest load of bull**** I've ever seen.. careful you don't drown in it.
Also please refrain from posting such nonsense. You put other less educated people at risk with your false claims.
Originally by: Lorelei Lee
....while the overdedicated among us get professional firewalls and switch to Linux.
And Linux doesn't have a ****load of remote exploits? Or Mac for that matter?
I will reiterate my previous point - and Mara's as well - this is not and should not be considered a bullet proof solution. But it does make your account MORE secure (note, I do not say completely secure, and never have). It's a tool - one tool - that when combined with the other tools we already have (strong passwords, not being a dumbass, etc) helps better protect your game account from being hacked.
It is possible to protect your account without the use of an RSA token. Having one just makes it easier. --Vel
Medarr
Amarr
Posted - 2010.12.01 17:31:00 - [26]
Err, didn't I just say that??
Firewalls are nice and all but they aren't the end-all against malware. Same as Linux; hell, Linux adds the problem of complexity to the mix.. how many people do you think know the Linux file system layout? Or where to look for malicious files.
Enst Smath
Posted - 2010.12.01 19:19:00 - [27]
Originally by: shady trader Think how much it cost to get anything shipped from the eve store as well as the extra costs CCP would have to pay for the authentication licence. Is something like £35 a year per token for corporations (I used to handle them for a large corporation).
OP indicated he'd be willing to pay extra. Heck, I'd be willing to pay extra, too. As for physically shipping the token, they can be drop-shipped from anywhere. Heck, I'd prefer just receiving the token via encrypted email for use with the iPhone version of RSA SecurID.
shady trader
Posted - 2010.12.01 21:01:00 - [28]
Edited by: shady trader on 01/12/2010 21:04:24
Edited by: shady trader on 01/12/2010 21:02:11
Originally by: Enst Smath
OP indicated he'd be willing to pay extra. Heck, I'd be willing to pay extra, too. As for physically shipping the token, they can be drop-shipped from anywhere. Heck, I'd prefer just receiving the token via encrypted email for use with the iPhone version of RSA SecurID.
While a lot of people may be willing to pay extra, I would be surprised if CCP got a large percentage of the player base to sign up to buy a physical token. As for shipping, all items from the Eve store are shipped from one location I believe, and it tends not to be that cheap.
Assuming you are talking about a high end token like those used by large corporations to authenticate:
£150 (over a year's subscription) + shipping + taxes (some countries have a very high rate of tax on this type of tech, in some cases over 100% when I was sending them overseas).
£35 per year to maintain the licence and infrastructure (more than the cost of a quarterly subscription).
This also assumes that CCP can buy the tokens at near wholesale price and do not add a profit margin. This also assumes that CCP can build out the hardware at the same price as large multinationals that have many more staff than CCP has customers, otherwise they would have to charge more.
Now if they had a software one they developed that used a shared secret to generate a one time code, I suspect a lot more people would consider it, as it would only cost a couple of pounds per year (less than a month's subscription).
Or even an iPhone/Android app that you link to your accounts and you get a pop up when you attempt to log in via the PC with a permit/reject option.
Or develop something that can read, say, the serial number on a USB drive, so we could use an existing USB drive (or a new one) as a physical security measure once set up. If you get a 4 gig one you could keep a copy of the Eve client on there just in case.
Macrointel, the place where the natural order of the universe does not hold sway. Pirates and ore thieves are congratulated by carebears for their actions.
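A worked version of the two mechanisms argued about in this thread: shady trader's shared-secret software token (post 28) and Lorelei Lee's "the same code used twice means trouble" server check (post 19). This is an added example, not code from the thread, from CCP or from RSA. It assumes an RFC 6238 style HMAC-SHA1 code with a 60-second step in place of the token's proprietary algorithm, a constructed per-account secret, and a hypothetical OtpVerifier class and account names.

```python
import hashlib
import hmac
import struct

STEP = 60     # the thread's token shows a new number every minute
DIGITS = 6
DRIFT = 1     # accept one step either side of server time for clock skew


def otp_code(secret: bytes, now: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 style time-based code: HMAC-SHA1 over the time-step counter,
    then dynamic truncation. A stand-in for the hardware token's own
    algorithm, which this example does not claim to reproduce."""
    counter = now // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


class OtpVerifier:
    """Server side of the scheme (hypothetical). Besides checking the code,
    it remembers which time steps each account has already consumed, so a
    code that a keylogger captured and replays inside its minute comes back
    as 'replay' (the thread's 'boot both and raise an alert' case) instead
    of as a second successful login."""

    def __init__(self, secrets: dict, step: int = STEP, drift: int = DRIFT):
        self.secrets = secrets        # account -> shared secret (constructed)
        self.step = step
        self.drift = drift
        self.consumed: dict = {}      # account -> set of consumed counters

    def verify(self, account: str, code: str, now: int) -> str:
        code = code.strip()
        secret = self.secrets.get(account)
        if secret is None or not (code.isascii() and code.isdigit() and len(code) == DIGITS):
            return "invalid"
        base = now // self.step
        # Forget counters that fell out of the acceptance window: they can
        # never be accepted again, so there is nothing left to replay.
        used = {c for c in self.consumed.get(account, set()) if c >= base - self.drift}
        self.consumed[account] = used
        for counter in range(base - self.drift, base + self.drift + 1):
            expected = otp_code(secret, counter * self.step, self.step)
            if hmac.compare_digest(expected, code):
                if counter in used:
                    return "replay"   # same code presented twice: alert, boot both
                used.add(counter)
                return "ok"
        return "invalid"              # wrong code, or a code whose minute has passed


if __name__ == "__main__":
    # Constructed demo: the owner logs in, a captured copy of the same code
    # is presented thirty seconds later, and again a day later.
    secrets = {"pilot": b"constructed-demo-secret"}
    server = OtpVerifier(secrets)
    t0 = 1_291_100_000
    code = otp_code(secrets["pilot"], t0)
    print("owner    :", server.verify("pilot", code, t0))
    print("replay   :", server.verify("pilot", code, t0 + 30))
    print("next day :", server.verify("pilot", code, t0 + 86400))
```

As Mara Rinn points out, a code relayed in real time and submitted before the owner's own login still verifies as "ok"; the single-use check only turns the second presentation into a detectable event rather than preventing the first.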
Etrias Jhozah
Adhocracy Incorporated
Posted - 2010.12.01 23:00:00 - [29]
I like this idea. It's not likely to be needed by a huge part of the EVE population, but I can see some pilots that would like to have that extra layer of protection.
Oh and Valandril, you have no idea what you're talking about so do people a favor and not talk about this topic. An RSA authentication isn't a typical password that can be grabbed by a trojan. That grabbed "password" is only good for a very short window of time before it expires and you need the new one. It is susceptible to a man in the middle attack, as it was mentioned earlier in the thread, but does no good to a trojan or keylogger who phones home only now and then. If you would have taken a single minute to follow the link provided and read the first paragraph, you'd have known that.
By the way, most people have no idea how to set up even a simple firewall. I can't tell you how many I've run across in businesses and organizations who haven't even bothered to change the default password, you think that a home user who's not a tech would know how?
RSA is a nice feature for those who want to pay for that extra protection on their account. Bulletproof? No, but it would take a dedicated effort rather than a couple of well placed bots.
BTW, to reiterate a point I think was lost. This isn't for the general EVE population. It's for those people willing to pay for a form of two-factor authentication to add security to their accounts. Don't make it more than that.
HeliosGal
Caldari
Posted - 2010.12.01 23:51:00 - [30]
Signed, make it optional of course. But a very good idea. Any CCP response on this?