Pages: 1 [2] 3
Xodd Hil
Gallente Trucido Veritas
Posted - 2011.01.21 06:04:00
[31]
Originally by: Mielono
Originally by: Noun Verber
Originally by: Nye Jaran
Say it with me... auth-en-tic-a-tor.
still hack-a-ble
and bullet proof vests don't always work, but for some reason people still wear them
+better than nothing! Still, if the shipping prices were the same hilariously inflated ones for the CCP authenticator, it wouldn't be bought by many outside the US... 60day ETC
Komiliya Jenius
Posted - 2011.01.21 06:26:00
[32]
I miss the old Chribba picture.
Abulurd Boniface
Gallente Honored By Death
Posted - 2011.01.21 07:12:00
[33]
Great dev blog!
It's great to see CCP is making every effort to keep the bad people away, although, if you did the meta, you'd say that the care you take in the game is nothing more than the care you should be taking in the real world.
To an EVE player this should be second nature, no?
I was asked to provide the name of a character on logging in [a new one for me] while this is the machine I play EVE on. "lolwut?" appears appropriate.
DmitryEKT
Point of No Return Waterboard
Posted - 2011.01.21 08:01:00
[34]
Gmail labs has a thing you can enable which puts a little key icon next to legit emails from ebay/paypal to make it obvious they're not fakes. Have CCP thought of getting in on that?
Sentient Blade
Posted - 2011.01.21 08:14:00
[35]
There is a potential sixth wall that I do not see mentioned, which is effectively "Tell me something about myself".
Show me your birthmark... Show me the rose... drop your pants*
To put it simply, allow each player to define a few words that are tied to their account such as "turtle, antelope, gallentesux" and display this string to the person attempting to log in prior to them getting to the second factor of authentication, i.e.
<Enter name and password> Hello [Full real name]. This is CCP server secure.eveonline.com saying "[word string]", please enter any character name to continue.
This would give the user an opportunity to verify that the server already had sufficient details on the account to know their real life name and their secret word string, and to back out before entering the character name.
* James Bond reference
Geographic Jumping Checks
Seeing as it is unlikely that the person attempting to phish for accounts is going to be living in the house next door, or even in the same country for the most part, login attempts to both websites and the EvE client should be GeoIP'd and the original registrar notified via email when 2 logins occur within a short period from geographically diverse locations.
In game / out of game paradox
It occurs to me that there is somewhat of a paradox in security within the EvE universe, where CCP seems to condone, and perhaps even actively encourage, scams and behaviour designed to strip a victim of all of their assets and enjoyment through trickery and obfuscation of data, in an almost identical way to how phishing attacks work.
Is there really that much difference in the CCP financial loss / bad player experience when comparing the end results of in-game scamming vs out-of-game phishing?
How does CCP reconcile treating two mechanisms with near identical end results differently?
Misc
* What's wrong with letting the EvE login screen remember passwords? If someone can read my hard disk where they're stored I've got bigger problems.
* Can we have a webpage to show all of the recent login times / IPs / Locations we've connected with? Like we do on the EvE API. Heck, mail it out distinct(location) once a month or so.
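The geographic jumping check proposed in the post above, worked through as an added example (not code from the thread or from CCP): constructed login events from both the website and the game client go into one stream, the GeoIP coordinates are assumed, and the thresholds (500 km within one hour) are assumptions to be tuned.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


@dataclass
class Login:
    account: str
    when: datetime      # UTC timestamp of the login attempt
    ip: str
    lat: float          # coordinates the GeoIP lookup returned (constructed here)
    lon: float
    source: str         # "client" (EvE client) or "website"


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = (sin(dlat / 2) ** 2
         + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2)
    return 2 * 6371.0 * asin(sqrt(a))


def geographic_jumps(events, window=timedelta(hours=1), min_km=500.0):
    """Return (earlier, later) login pairs for the same account that are
    further apart than min_km yet closer in time than `window`.
    Thresholds are assumptions; tune them to the false-positive rate you accept."""
    alerts = []
    recent = {}                       # account -> logins still inside the window
    for ev in sorted(events, key=lambda e: e.when):
        prior = [e for e in recent.get(ev.account, []) if ev.when - e.when <= window]
        for old in prior:
            if haversine_km(old.lat, old.lon, ev.lat, ev.lon) >= min_km:
                alerts.append((old, ev))
        recent[ev.account] = prior + [ev]
    return alerts


def describe(alert):
    """Text for the notification email the post asks for."""
    old, new = alert
    km = haversine_km(old.lat, old.lon, new.lat, new.lon)
    mins = (new.when - old.when).total_seconds() / 60
    return (f"{new.account}: {old.source} login from {old.ip} then {new.source} "
            f"login from {new.ip}, {km:.0f} km apart, {mins:.0f} min later")


def sample_alerts():
    """Run the check over constructed events (RFC 5737 documentation addresses)."""
    t = datetime(2011, 1, 21, 10, 0)
    events = [
        Login("pilot1", t, "198.51.100.10", 64.13, -21.90, "client"),                          # Reykjavik
        Login("pilot1", t + timedelta(minutes=20), "203.0.113.5", 31.23, 121.47, "website"),   # Shanghai
        Login("pilot1", t + timedelta(hours=4), "198.51.100.10", 64.13, -21.90, "client"),     # back home, outside window
        Login("pilot2", t, "192.0.2.7", 51.51, -0.13, "client"),                               # London
        Login("pilot2", t + timedelta(minutes=30), "192.0.2.9", 53.48, -2.24, "website"),      # Manchester, too close
    ]
    return geographic_jumps(events)


if __name__ == "__main__":
    for alert in sample_alerts():
        print(describe(alert))
```

Only pilot1's Reykjavik-then-Shanghai pair fires; pilot2's London/Manchester logins are under the distance threshold and pilot1's later login is outside the time window.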
Kayen Qeid
Federal Navy Academy
Posted - 2011.01.21 08:26:00
[36]
[email protected] ...is [email protected] available as well. Easier to remember =)
Remulon McNab
The Galactic Collective
Posted - 2011.01.21 08:38:00
[37]
Quote: SPF will be implemented in approximately 7 days. DomainKeys will take a bit more time as things need to be moved around in order to implement that properly
@CCP Sreegs Why are you guys implementing SPF and DKIM/DomainKeys now? Technology-wise, the start of 2010 was when everyone started encountering huge problems related to phishing. So from my point of view you are a bit late, especially with all those phishing mails going round.
What are the global plans to protect your customers from phishing/account security issues in the future?
Mail security & deliverability is part of my daily job, and those go hand in hand.
Cyaxares II
Posted - 2011.01.21 08:39:00
[38]
Edited by: Cyaxares II on 21/01/2011 08:43:11
nice devblog - except for the heavy scaremongering
Quote: If you got it for free there's a catch and they're probably stealing from you.
There are plenty of (free) AHK/IS scripts floating around that verifiably don't contain any malicious functionality on their own, and it seems highly unlikely that AHK or IS itself would be specifically adapted to steal EVE account data (especially for AHK; IS might be more risky).
On top of that, stealing account data is just plain bad business for most paid-for bots (especially subscription-based ones) - the only case I can come up with in which it would make sense to steal an account would be if CCP did magically manage to disable botting, thus denying the bot writer any further revenue from his work.
If you want to convince us not to use bots please do it by delivering decent arguments and not FUD.
Taking a very wild guess, I would guess that a similar amount of information is stolen through the official API ("all your in-game mails are belong to us") or through tools building on the API that are trojans, keyloggers, ... as is via bots.
Just provide a "Download source here" link and nobody will check if the version you compile from source matches the official binary, anyways.
Lost Hamster
Hamster Holding Corp
Posted - 2011.01.21 08:59:00
[39]
Originally by: CCP Sreegs
Block 3 - Block 3 is where we ensure that we're properly authenticating our users. Authentication from our perspective is ensuring that you are you. Not that you are someone with your password. That you, guy whose name is yours, is really you. An initial shot at this was when we began asking you to name one of the characters on your account.
The idea itself is not bad, however there is still a hole in the security system.
With this feature you try to protect the account management - that's fine. However, if a bad guy has access to the user name and password, then how long will it take to get a character name on that account? I will tell you: 15 seconds. Just log in to the game and voila.
However, it's a positive note that the similar hole on the evegate site has been filled. :)
So please get a similar login screen in the game as well, with an option to save the character name to the individual game files.
Alain Kinsella
Minmatar
Posted - 2011.01.21 09:04:00
[40]
As a part-time security officer (and an old Stoll fan), I appreciate this devblog. +1 and /salute
Consider me a +1 for an Auth Token Generator (either something like the SecurID fob - I've had four so far at work - or a software OTP). One interesting thing I heard recently was that RSA/EMC has a BlackBerry app which can replace the fob; I've got mixed feelings about that.
Originally by: Sentient Blade
Misc
* What's wrong with letting the EvE login screen remember passwords? If someone can read my hard disk where they're stored I've got bigger problems.
* Can we have a webpage to show all of the recent login times / IPs / Locations we've connected with? Like we do on the EvE API. Heck, mail it out distinct(location) once a month or so.
I'm actually happy with having the client not save a password. When I was in NYC for State of Play 2005 (and the SLCC right after), I saw a couple instances of folks walking up and logging in to someone else's SL account on an open notebook. Not something you want to happen in that environment (where US$ really was hard-linked into the environment).
Big Heck Yes to that second item though. If possible the list should include website login (and distinct lists for both perhaps).
Naga Tokiba
Posted - 2011.01.21 09:05:00
[41]
Excellent post, keep up the good work.
Avensys
Posted - 2011.01.21 09:11:00
[42]
Edited by: Avensys on 21/01/2011 09:11:46
(posting on a different character as it's a separate point)
How does asking for a character name actually help?
Wouldn't phishing sites just ask for a character name as well (they want to mimic the "real" login process as closely as possible after all)?
Pottsey
Enheduanni Foundation
Posted - 2011.01.21 09:23:00
[43]
Edited by: Pottsey on 21/01/2011 09:26:29
"An initial shot at this was when we began asking you to name one of the characters on your account." This has caused me problems as I am unable to post. My main account is fine but since this was implemented my secondary account has been unable to post. Even if I copy and paste the character's name the security check still fails.
I understand why you implement this stuff but it's a pain when a person with a legal account cannot access what he needs due to faulty security.
My best guess is any name with a ' symbol automatically fails the security even if the name is correct.
Sentient Blade
Posted - 2011.01.21 09:35:00
[44]
Originally by: Pottsey
My best guess is any name with a ' symbol automatically fails the security even if the name is correct.
You probably want to petition that one.
In the world of the internets the ' character is responsible for more exploits and pwnage than almost anything else, and there's a remote possibility that CCP may have forgotten to escape a query argument.
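The failure mode Sentient Blade suspects above, an unescaped query argument, as an added example (not CCP's code): a constructed in-memory SQLite table of character names, with the naive string-built lookup beside the parameterised one. The schema and the names are assumptions; a legitimate name with an apostrophe breaks the first and passes the second.

```python
import sqlite3


def setup_db():
    """Constructed in-memory table: account -> character names (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE characters (account_id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO characters VALUES (?, ?)",
                     [(1, "Pottsey"), (2, "Jak O'Hara"), (2, "Second Alt")])
    return conn


def check_name_unsafe(conn, account_id, name):
    """Broken form: the user-supplied name is spliced into the SQL text.
    The apostrophe in O'Hara closes the string literal early, the statement no
    longer parses, and the error is swallowed, so a correct name reads as a
    failed security check. The same splice is what lets crafted input alter
    the query, so never build SQL this way."""
    sql = (f"SELECT 1 FROM characters WHERE account_id = {int(account_id)} "
           f"AND name = '{name}'")
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.OperationalError:
        return False


def check_name_safe(conn, account_id, name):
    """Fixed form: bound parameters, so the name is always data, never SQL."""
    row = conn.execute(
        "SELECT 1 FROM characters WHERE account_id = ? AND name = ?",
        (account_id, name),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = setup_db()
    for acct, who in [(1, "Pottsey"), (2, "Jak O'Hara")]:
        print(who, "unsafe:", check_name_unsafe(db, acct, who),
              "safe:", check_name_safe(db, acct, who))
```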
Louis deGuerre
Gallente Malevolence. Imperial 0rder
Posted - 2011.01.21 09:45:00
[45]
Nice work guys.
I am slightly worried that the extra security you are thinking about will cause me more hassle than the occasional phishing attack (remembers forum locking horror), but we'll see.
CCP Sreegs
C C P C C P Alliance
Posted - 2011.01.21 09:48:00
[46]
Originally by: Cyaxares II
Edited by: Cyaxares II on 21/01/2011 09:02:55
nice devblog - except for the heavy scaremongering
Quote: If you got it for free there's a catch and they're probably stealing from you.
There are plenty of (free) AHK/IS scripts floating around that verifiably don't contain any malicious functionality on their own, and it seems highly unlikely that AHK or IS itself would be specifically adapted to steal EVE account data (especially for AHK; IS might be more risky).
On top of that, stealing account data is just plain bad business for most paid-for bots (especially subscription-based ones) - the only case I can come up with in which it would make sense to steal an account would be if CCP did magically manage to disable botting, thus denying the bot writer any further revenue from his work.
If you want to convince us not to use bots please do it by delivering decent arguments and not FUD.
Taking a very wild guess, I would guess that a similar amount of information is stolen through the official API ("all your in-game mails are belong to us") or through tools building on the API that are trojans, keyloggers, ... as is via bots.
Just provide a "Download source here" link and nobody will check if the version he could compile from source matches the official binary, anyways.
edit: also, consider that people running bots are already willing to gamble their account based on incomplete information - otherwise they wouldn't break the EULA. Saying "OMG you might lose access to your account" might change the perceived odds but it's a quantitative change rather than a qualitative one.
... and without naming & shaming (and providing reproducible steps to confirm the malicious behavior) you are not exactly the most credible source of information on the risks of botting to start with, as CCP has a large business interest in making EULA violations look extremely risky, independent of reality.
tl;dr serious botters will carry on as before (because they know what they're doing and probably use their own software anyways), some casual botters might be a bit scared but will reaffirm each other that you're just spreading FUD in their forums, and my mood is ruined by reading that silly, silly paragraph.
Every single thing I said in that paragraph about botting is true and while you're welcome to your opinion, opinions don't alter facts. The paragraph was written for your benefit, so that people are aware of the information being collected and the motivations of the creators. This wasn't a delivery of opinion. It was a statement of facts based on our investigations.
Agent Stone
Volition Cult -Mostly Harmless-
Posted - 2011.01.21 09:51:00
[47]
Edited by: Agent Stone on 21/01/2011 09:54:00
Would a security token not act as another valuable block against this? I am pretty sure people have been asking CCP to release one of these, either Smartphone based, or via the Eve Store, for years.
For example, see this thread from about a year ago where people are asking CCP to release such after a similar security blog post.
Your competitors (Blizzard as an example) are years ahead of you in this regard.
Alain Kinsella
Minmatar
Posted - 2011.01.21 09:55:00
[48]
Originally by: Pottsey
My best guess is any name with a ' symbol automatically fails the security even if the name is correct.
I have another character (in a second account) with a name like that. Auth was fine.
However, that's a single quote mark. I'm not sure if the backquote ` has problems here - in UNIX circles that's far more dangerous, but Eve's backend is Windows.
CCP Sreegs
C C P C C P Alliance
Posted - 2011.01.21 09:56:00
[49]
Originally by: Agent Stone
Edited by: Agent Stone on 21/01/2011 09:54:00
Would a security token not act as another valuable block against this? I am pretty sure people have been asking CCP to release one of these, either Smartphone based, or via the Eve Store, for years.
For example, see this thread from about a year ago where people are asking CCP to release such after a similar security blog post.
Your competitors (Blizzard as an example) are years ahead of you in this regard.
Without discussing a specific technology, were I you I would assume that something would be done to improve things given the comments I made in the "Authentication" section. We are looking at the authentication issue quite a bit.
CCP Sreegs
C C P C C P Alliance
Posted - 2011.01.21 10:00:00
[50]
Originally by: Sentient Blade
There is a potential sixth wall that I do not see mentioned, which is effectively "Tell me something about myself".
Show me your birthmark... Show me the rose... drop your pants*
To put it simply, allow each player to define a few words that are tied to their account such as "turtle, antelope, gallentesux" and display this string to the person attempting to log in prior to them getting to the second factor of authentication, i.e.
<Enter name and password> Hello [Full real name]. This is CCP server secure.eveonline.com saying "[word string]", please enter any character name to continue.
This would give the user an opportunity to verify that the server already had sufficient details on the account to know their real life name and their secret word string, and to back out before entering the character name.
* James Bond reference
Geographic Jumping Checks
Seeing as it is unlikely that the person attempting to phish for accounts is going to be living in the house next door, or even in the same country for the most part, login attempts to both websites and the EvE client should be GeoIP'd and the original registrar notified via email when 2 logins occur within a short period from geographically diverse locations.
In game / out of game paradox
It occurs to me that there is somewhat of a paradox in security within the EvE universe, where CCP seems to condone, and perhaps even actively encourage, scams and behaviour designed to strip a victim of all of their assets and enjoyment through trickery and obfuscation of data, in an almost identical way to how phishing attacks work.
Is there really that much difference in the CCP financial loss / bad player experience when comparing the end results of in-game scamming vs out-of-game phishing?
How does CCP reconcile treating two mechanisms with near identical end results differently?
Misc
* What's wrong with letting the EvE login screen remember passwords? If someone can read my hard disk where they're stored I've got bigger problems.
* Can we have a webpage to show all of the recent login times / IPs / Locations we've connected with? Like we do on the EvE API. Heck, mail it out distinct(location) once a month or so.
These are all tied to authentication and if we're not already considering them I'll add them to the list to think about. re: your questions
1) I don't see this happening anytime soon. Whether you have bigger problems if someone can read your disk or not, when it happens it also becomes our problem. There have been quite a few trojans that targeted various games which have used this methodology and I'm not sure the risk outweighs the potential benefits.
2) Playing with location IMO is part of Authentication and I'll have something more to say about that soon.
CCP Sreegs
C C P C C P Alliance
Posted - 2011.01.21 10:02:00
[51]
Originally by: DmitryEKT
Gmail labs has a thing you can enable which puts a little key icon next to legit emails from ebay/paypal to make it obvious they're not fakes. Have CCP thought of getting in on that?
I have to look into the labs solution. The one solution I'd seen involved the use of an installer which proceeded to make it impossible for me to access gmail so I shot it down. I'll take a look at this one ASAP, because these types of things are specifically what I was referring to when I said it would be possible for you to verify that an email had come from us.
CCP Sreegs
C C P C C P Alliance
Posted - 2011.01.21 10:05:00
[52]
Originally by: Remulon McNab
Quote: SPF will be implemented in approximately 7 days. DomainKeys will take a bit more time as things need to be moved around in order to implement that properly
@CCP Sreegs Why are you guys implementing SPF and DKIM/DomainKeys now? Technology-wise, the start of 2010 was when everyone started encountering huge problems related to phishing. So from my point of view you are a bit late, especially with all those phishing mails going round.
What are the global plans to protect your customers from phishing/account security issues in the future?
Mail security & deliverability is part of my daily job, and those go hand in hand.
SPF was implemented, it just wasn't implemented the best way. Whether we're late to the SPF table or not, I didn't work here in 2010 so I can't speak to what people may have done or been thinking at the time. I'm here now and we're correcting our SPF implementation.
Regarding future plans, I'm assuming you're alluding to something particular but from my perspective this blog is what we have for the next x period of time. Once implementation is done we can measure effectiveness and determine what additional steps may be required.
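SPF, as raised in Remulon McNab's question and in the reply above, worked through as an added example (not CCP's code or CCP's record): a small evaluator for the ip4, ip6 and all mechanisms of RFC 7208, run against two constructed records that differ only in whether unlisted senders soft-fail or fail. The thread does not say what was wrong with the original record, so the soft-fail case is only an illustration; the addresses are documentation ranges.

```python
import ipaddress

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split a TXT record into (qualifier, mechanism, argument) terms."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for term in parts[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        terms.append((qualifier, mech.lower(), arg))
    return terms


def evaluate_spf(record, sender_ip):
    """Return pass / fail / softfail / neutral for sender_ip against record.
    Only ip4, ip6 and all are handled; include, a and mx need DNS lookups
    and are deliberately left out so this runs offline."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mech, arg in parse_spf(record):
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return RESULTS[qualifier]
        elif mech == "all":
            return RESULTS[qualifier]      # the catch-all decides everything else
        else:
            raise NotImplementedError(f"mechanism {mech!r} needs DNS")
    return "neutral"                       # RFC 7208: no match and no "all" term


# Constructed records for an assumed domain. The only difference is the
# catch-all: ~all asks receivers merely to mark unlisted senders, -all asks
# them to reject, which is what blocking spoofed mail actually needs.
WEAK_RECORD = "v=spf1 ip4:198.51.100.0/24 ~all"
STRICT_RECORD = "v=spf1 ip4:198.51.100.0/24 -all"


if __name__ == "__main__":
    for ip in ("198.51.100.7", "203.0.113.9"):
        print(ip, "weak:", evaluate_spf(WEAK_RECORD, ip),
              "strict:", evaluate_spf(STRICT_RECORD, ip))
```

A receiver applying the strict record rejects a message from 203.0.113.9 outright, while the weak record only yields softfail for the same sender.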
CCP Sreegs
C C P C C P Alliance
Posted - 2011.01.21 10:06:00
[53]
Originally by: Lost Hamster
Originally by: CCP Sreegs
Block 3 - Block 3 is where we ensure that we're properly authenticating our users. Authentication from our perspective is ensuring that you are you. Not that you are someone with your password. That you, guy whose name is yours, is really you. An initial shot at this was when we began asking you to name one of the characters on your account.
The idea itself is not bad, however there is still a hole in the security system.
With this feature you try to protect the account management - that's fine. However, if a bad guy has access to the user name and password, then how long will it take to get a character name on that account? I will tell you: 15 seconds. Just log in to the game and voila.
However, it's a positive note that the similar hole on the evegate site has been filled. :)
So please get a similar login screen in the game as well, with an option to save the character name to the individual game files.
Just to clarify, I'm talking about authentication at every interface. I don't believe authentication of the same credentials should be in any way different because you're using a different interface to request the information.
CCP Sreegs
C C P C C P Alliance
Posted - 2011.01.21 10:07:00
[54]
Originally by: Avensys
Edited by: Avensys on 21/01/2011 09:11:46
(posting on a different character as it's a separate point)
How does asking for a character name actually help?
Wouldn't phishing sites just ask for a character name as well (they want to mimic the "real" login process as closely as possible after all)?
Yes, which is why it's not good enough and we're looking to improve.
Agent Stone
Volition Cult -Mostly Harmless-
Posted - 2011.01.21 10:08:00
[55]
Originally by: CCP Sreegs
Originally by: Agent Stone
Edited by: Agent Stone on 21/01/2011 09:54:00
Would a security token not act as another valuable block against this? I am pretty sure people have been asking CCP to release one of these, either Smartphone based, or via the Eve Store, for years.
For example, see this thread from about a year ago where people are asking CCP to release such after a similar security blog post.
Your competitors (Blizzard as an example) are years ahead of you in this regard.
Without discussing a specific technology, were I you I would assume that something would be done to improve things given the comments I made in the "Authentication" section. We are looking at the authentication issue quite a bit.
Cool. Thanks.
Yes, I read the Block 3 Authentication section and felt urged to reiterate... "Hey, look... This is what banks use as additional authentication... (normally plastic tokens of some sort) CCP... research doing something like this..." Players have suggested it for years so it's good CCP are researching such things.
I also mention the smartphone implementation as well as actual tokens, as players who have such don't need to pay extra and you can get additional layers of security to more of your player base.
For other players reading about this and not in the know: http://en.wikipedia.org/wiki/Security_token
Sentient Blade
Posted - 2011.01.21 10:33:00
[56]
Originally by: CCP Sreegs
1) I don't see this happening anytime soon. Whether you have bigger problems if someone can read your disk or not, when it happens it also becomes our problem. There have been quite a few trojans that targeted various games which have used this methodology and I'm not sure the risk outweighs the potential benefits.
In my experience it really depends on how big a hole they can punch in the attack surface, and 99% of the time, if that hole is big enough to provide a means of reading the hard disk, then it is also big enough for them to be capable of installing a keyboard hook or swiping the person's PayPal or banking details and using them to create a few hundred accounts.
That's a worst case scenario of course, but once it gets to the remote code execution stage there is not much more that can be done on your part - it's the actual identity of the account holder that's been compromised rather than the underlying security of EvE.
CCP Sreegs
C C P C C P Alliance
Posted - 2011.01.21 10:43:00
[57]
Originally by: Sentient Blade
In my experience it really depends on how big a hole they can punch in the attack surface, and 99% of the time, if that hole is big enough to provide a means of reading the hard disk, then it is also big enough for them to be capable of installing a keyboard hook or swiping the person's PayPal or banking details and using them to create a few hundred accounts.
That's a worst case scenario of course, but once it gets to the remote code execution stage there is not much more that can be done on your part - it's the actual identity of the account holder that's been compromised rather than the underlying security of EvE.
You are of course correct. I will say though that it doesn't make it any less our problem when an account is compromised, whether it's through a fault of our own or not, and I'm not sure that the costs of putting information on disk outweigh the benefits.
Flios Bror
Amarr Doom Guard
Posted - 2011.01.21 10:56:00
[58]
Originally by: Sentient Blade
Originally by: Pottsey
My best guess is any name with a ' symbol automatically fails the security even if the name is correct.
You probably want to petition that one.
Sounds like something for a bug report, instead of a petition, imho.
Remulon McNab
The Galactic Collective
Posted - 2011.01.21 11:06:00
[59]
@Sreegs Thanks for your reply. Besides SPF it might be worth implementing SenderID as well. This improves deliverability of all your e-mail messages.
I am aware of the fact that SenderID is backwards compatible, though it's still useful as Microsoft implements it in all their mailserver software.
So far, great job!
Bhattran
Posted - 2011.01.21 11:11:00
[60]
Originally by: Pottsey
Edited by: Pottsey on 21/01/2011 09:26:29
"An initial shot at this was when we began asking you to name one of the characters on your account." This has caused me problems as I am unable to post. My main account is fine but since this was implemented my secondary account has been unable to post. Even if I copy and paste the character's name the security check still fails.
I understand why you implement this stuff but it's a pain when a person with a legal account cannot access what he needs due to faulty security.
My best guess is any name with a ' symbol automatically fails the security even if the name is correct.
I don't know if the issue is this or not, but I found I 'failed' when I entered the name of a character NOT training; when I entered the name of the currently training character it worked. I haven't had an issue since, but it's a presumption on my part. For characters that trained out their queue I used the last character that was training. Again, I don't know if it makes a difference if you have no alts, or use ', as neither situation fit my accounts at the time.