Post Count
Posted - 2009.06.02 17:34:00 -
[1]
PLEASE at least read the post before you flame; it's not a game mechanic thing.
The Authenticator.
It was a little key chain you could buy that would provide you with a unique code every 30 seconds. This code was used as a second layer of security, and pretty much made you immune to hacking. If someone didn't have your authenticator, they couldn't access your account. Period.
Now that EVE has moved up to the #2 MMO in NA, it would be really nice if they looked into adding a security feature like this. It's just a nice little way to feel more secure for those of us with multiple accounts.
Not to mention it would cut down on some of the petitions.
Cat o'Ninetails
Rancer Defence League
Posted - 2009.06.02 17:40:00 -
[2]
I'd like the option to buy one. If CCP can't budget the device into their balance sheet atm, I'd probably even buy one. What are they, like 20 bucks?
Sun Clausewitz
Posted - 2009.06.02 17:46:00 -
[3]
But what about our guys with 15 accounts? They might get their authenticators confused and get logged out.
Cat o'Ninetails
Rancer Defence League
Posted - 2009.06.02 17:49:00 -
[4]
Originally by: Sun Clausewitz But what about our guys with 15 accounts? They might get their authenticators confused and get logged out.
You could get each account to authenticate with that one key, perhaps? And they'd only need to auth at logon, really.
Pesets
The Hunt Club
Posted - 2009.06.02 17:50:00 -
[5]
No idea about WoW, but the ones we use for VPN access cost more like a hundred, I believe.
Aenaenon
Caldari Dont Give A Fluck Rough Necks
Posted - 2009.06.02 17:54:00 -
[6]
Originally by: Pesets No idea about WoW, but the ones we use for VPN access cost more like a hundred, I believe.
Final Fantasy XI has the little keychain authenticators as well. They ran us $10 and shipping. They only generate a 6 digit key, so they are likely much less sophisticated than ones used for serious network security measures.
Post Count
Posted - 2009.06.02 17:55:00 -
[7]
Originally by: Cat o'Ninetails I'd like the option to buy one. If CCP can't budget the device into their balance sheet atm, I'd probably even buy one. What are they, like 20 bucks?
They are extremely cheap; the one from Blizzard was like 6 bucks.
Post Count
Posted - 2009.06.02 17:55:00 -
[8]
Originally by: Cat o'Ninetails
Originally by: Sun Clausewitz But what about our guys with 15 accounts? They might get their authenticators confused and get logged out.
You could get each account to authenticate with that one key, perhaps? And they'd only need to auth at logon, really.
I 5-boxed in WoW and had one authenticator for all 5 of my accounts, so you could do the same thing here.
Valandril
Caldari Ex-Mortis
Posted - 2009.06.02 17:57:00 -
[9]
As long as it is an option, I'm fine with it.
Amaterasu Omikami
Caldari Ama's Trade Corporation
Posted - 2009.06.02 17:58:00 -
[10]
I had mentioned the Authenticator device back in a post in December: Linkage
This, I seem to remember, was around the time a spate of key-logger problems had come to light. I am amazed that, with the availability of such technology and the ever-constant threat of security issues, something like this isn't yet an option.
Valandril
Caldari Ex-Mortis
Posted - 2009.06.02 17:59:00 -
[11]
Originally by: Amaterasu Omikami I had mentioned the Authenticator device back in a post in December: Linkage
This, I seem to remember, was around the time a spate of key-logger problems had come to light. I am amazed that, with the availability of such technology and the ever-constant threat of security issues, something like this isn't yet an option.
Because it's more for your own psychical comfort than actually something you need.
Post Count
Posted - 2009.06.02 18:03:00 -
[12]
Originally by: Valandril
Originally by: Amaterasu Omikami I had mentioned the Authenticator device back in a post in December: Linkage
This, I seem to remember, was around the time a spate of key-logger problems had come to light. I am amazed that, with the availability of such technology and the ever-constant threat of security issues, something like this isn't yet an option.
Because it's more for your own psychical comfort than actually something you need.
I don't know if that's true any more. Getting "compromised" isn't like it used to be. With browser exploits, images, YouTube, etc., it's no longer simply a case of "don't download anything".
I have been playing MMOs since 1997 with UO, and up until a few months ago I had the same thoughts as you: only stupid people get hacked. My Darkfall account got hacked; I had no trojan any virus scanner could find on my PC, and my password wasn't extremely simple. I still to this day don't know how I was compromised, but an authenticator would have prevented it.
9 out of 10 times the authenticator would be redundant. But that 10%, or even less, say 2%? That's still 6,000 accounts out of 300,000, and as CCP gets bigger, the effectiveness of a tool like this only becomes more important.
Amaterasu Omikami
Caldari Ama's Trade Corporation
Posted - 2009.06.02 18:07:00 -
[13]
Originally by: Valandril
Originally by: Amaterasu Omikami I had mentioned the Authenticator device back in a post in December: Linkage
This, I seem to remember, was around the time a spate of key-logger problems had come to light. I am amazed that, with the availability of such technology and the ever-constant threat of security issues, something like this isn't yet an option.
Because it's more for your own psychical comfort than actually something you need.
I am not too sure what you mean by my physical comfort, as opposed to a security device that would stop key-logging problems pretty much straight away.
I guess we would need the before and after stats from Blizzard on the effect of introducing the device. I guess that they saw it as beneficial, otherwise they wouldn't have bothered?
I also think that having something like this available would cut half the petitions filed that relate to stolen accounts and such-like, freeing the GMs to handle other petitions.
Valandril
Caldari Ex-Mortis
Posted - 2009.06.02 18:13:00 -
[14]
Why is it useless? Because those are only 6 digits and there is no real brute force protection coming along (unlike in banking systems that use an automatic tokenizer), so with a fast connection it's quite a breakable "security" measure. This will not protect you from getting sniffed, either by trojans or by someone funny 1 step above you in your network; it will simply require some resources to break it (which is not really any issue).
And yes, only stupid people got their accounts hacked; you've most likely been sniffed out of your password because you've used an unsecure network somewhere (the reason why I tunnel all my traffic via SSH to a transit server first).
Post Count
Posted - 2009.06.02 18:16:00 -
[15]
Originally by: Valandril Why is it useless? Because those are only 6 digits and there is no real brute force protection coming along (unlike in banking systems that use an automatic tokenizer), so with a fast connection it's quite a breakable "security" measure. This will not protect you from getting sniffed, either by trojans or by someone funny 1 step above you in your network; it will simply require some resources to break it (which is not really any issue).
And yes, only stupid people got their accounts hacked; you've most likely been sniffed out of your password because you've used an unsecure network somewhere (the reason why I tunnel all my traffic via SSH to a transit server first).
You are right, it's only six digits, but it's six random digits that change every 20-30 seconds. So they have to go through a few million different numbers + know your password every 30 seconds just to get it right. That seems like pretty good security to me.
Not everyone is savvy enough to "tunnel their traffic". This is a cheap solution that even the computer IDIOTS (which are 90% of the ones getting hacked) can use and be safe with 99% of the time.
Valandril
Caldari Ex-Mortis
Posted - 2009.06.02 18:20:00 -
[16]
Originally by: Post Count
Originally by: Valandril Why is it useless? Because those are only 6 digits and there is no real brute force protection coming along (unlike in banking systems that use an automatic tokenizer), so with a fast connection it's quite a breakable "security" measure. This will not protect you from getting sniffed, either by trojans or by someone funny 1 step above you in your network; it will simply require some resources to break it (which is not really any issue).
And yes, only stupid people got their accounts hacked; you've most likely been sniffed out of your password because you've used an unsecure network somewhere (the reason why I tunnel all my traffic via SSH to a transit server first).
You are right, it's only six digits, but it's six random digits that change every 20-30 seconds. So they have to go through a few million different numbers + know your password every 30 seconds just to get it right. That seems like pretty good security to me.
Not everyone is savvy enough to "tunnel their traffic". This is a cheap solution that even the computer IDIOTS (which are 90% of the ones getting hacked) can use and be safe with 99% of the time.
Once you get the password it's open game; you don't need it again after 30 seconds. Then you simply prepare 1m requests which combine your password + one of the pregenerated possible combinations and send them all at one time, and you WILL receive which one hit. So once you get sniffed, you are going down and the token won't help you at all.
Post Count
Posted - 2009.06.02 18:31:00 -
[17]
Originally by: Valandril Once you get the password it's open game; you don't need it again after 30 seconds. Then you simply prepare 1m requests which combine your password + one of the pregenerated possible combinations and send them all at one time, and you WILL receive which one hit. So once you get sniffed, you are going down and the token won't help you at all.
When you say 1m requests, I assume you mean 1 million? Most games don't allow 1m login attempts without throwing many red flags.
Also, this is the type of hacking that is a bit above and beyond what the authenticator would be there to protect against, and is rather uncommon. Most hackers use simple keyloggers that dump to IRC channels. Passwords are saved and then later used to compromise accounts.
With the authenticator, you are safe from these.
Assuming CCP has no safeguards to prevent a million+ attempts to guess your authenticator password, then yes, the authenticator in THAT instance would be just a snare, not a stop. However, I'm fairly sure that CCP has measures to prevent just that, as do most MMOs, and damn near any secure network.
Valandril
Caldari Ex-Mortis
Posted - 2009.06.02 18:36:00 -
[18]
Originally by: Post Count
Originally by: Valandril Once you get the password it's open game; you don't need it again after 30 seconds. Then you simply prepare 1m requests which combine your password + one of the pregenerated possible combinations and send them all at one time, and you WILL receive which one hit. So once you get sniffed, you are going down and the token won't help you at all.
When you say 1m requests, I assume you mean 1 million? Most games don't allow 1m login attempts without throwing many red flags.
Also, this is the type of hacking that is a bit above and beyond what the authenticator would be there to protect against, and is rather uncommon. Most hackers use simple keyloggers that dump to IRC channels. Passwords are saved and then later used to compromise accounts.
With the authenticator, you are safe from these.
Assuming CCP has no safeguards to prevent a million+ attempts to guess your authenticator password, then yes, the authenticator in THAT instance would be just a snare, not a stop. However, I'm fairly sure that CCP has measures to prevent just that, as do most MMOs, and damn near any secure network.
Said WoW does not have any protection on that issue, and I will lead you to the point why they don't. Basic protection (and realistically the only one) against a brute force attack is to ban the attacker for X, where X is some time unit (be it minute, day, month), but banning the IP is not really a good idea because you will end up banning the whole network from EVE (cable TV internet ftw?) for said time (also an IP can be quite easily spoofed). So we have to settle with a lockdown on the given username. Now what stops me from renewing this ban on your username every X, thus preventing you from playing the game?
Post Count
Posted - 2009.06.02 18:42:00 -
[19]
Originally by: Valandril
Originally by: Post Count
Originally by: Valandril Once you get the password it's open game; you don't need it again after 30 seconds. Then you simply prepare 1m requests which combine your password + one of the pregenerated possible combinations and send them all at one time, and you WILL receive which one hit. So once you get sniffed, you are going down and the token won't help you at all.
When you say 1m requests, I assume you mean 1 million? Most games don't allow 1m login attempts without throwing many red flags.
Also, this is the type of hacking that is a bit above and beyond what the authenticator would be there to protect against, and is rather uncommon. Most hackers use simple keyloggers that dump to IRC channels. Passwords are saved and then later used to compromise accounts.
With the authenticator, you are safe from these.
Assuming CCP has no safeguards to prevent a million+ attempts to guess your authenticator password, then yes, the authenticator in THAT instance would be just a snare, not a stop. However, I'm fairly sure that CCP has measures to prevent just that, as do most MMOs, and damn near any secure network.
Said WoW does not have any protection on that issue, and I will lead you to the point why they don't. Basic protection (and realistically the only one) against a brute force attack is to ban the attacker for X, where X is some time unit (be it minute, day, month), but banning the IP is not really a good idea because you will end up banning the whole network from EVE (cable TV internet ftw?) for said time (also an IP can be quite easily spoofed). So we have to settle with a lockdown on the given username. Now what stops me from renewing this ban on your username every X, thus preventing you from playing the game?
Simple: change the user name in the database.
However, I think you are arguing small, while possible, fairly remote issues in reference to this authenticator. This would stop most keyloggers. Would it stop EVERY break in security? No. But as they say, nothing is 100% secure. This is, however, something that would protect most people from most attacks.
Pesets
The Hunt Club
Posted - 2009.06.02 18:46:00 -
[20]
Well, the attack has to come from the same network as myself for this to work... not impossible, but could be somewhat complicated.
Also that's a DoS attack already, and could be considered serious business...
Cat o'Ninetails
Rancer Defence League
Posted - 2009.06.02 18:54:00 -
[21]
Edited by: Cat o'Ninetails on 02/06/2009 18:55:30
Originally by: Valandril Now what stops me from renewing this ban on your username every X, thus preventing you from playing the game?
A combination of username and IP. Chances are you aren't brute forcing from the same location, so ban username+IP for a period of time. I could still log on at home, as the username hasn't been banned with that IP. Presumably the login+pw pair isn't particularly useful unless working through the client, which has a time-delayed 'Authenticating.....' thing, so I think true brute forcing would not be applicable.
I guess a significant weak point could be the website. If I had a password to an account, I could simply log in and change that password. That'd have to be locked down unless you logged in on the client and sent an authentication token to the backend.
Pesets
The Hunt Club
Posted - 2009.06.02 19:09:00 -
[22]
That's if you have an IP that's reserved just for you. Otherwise the IP you get is just one out of the available "pool" of addresses, and the IP you're using now might be the one previously used by the attacker.
Cat o'Ninetails
Rancer Defence League
Posted - 2009.06.02 19:15:00 -
[23]
Originally by: Pesets That's if you have an IP that's reserved just for you. Otherwise the IP you get is just one out of the available "pool" of addresses, and the IP you're using now might be the one previously used by the attacker.
If that happened, I'd buy a lottery ticket that day.
Post Count
Posted - 2009.06.02 19:23:00 -
[24]
Originally by: Cat o'Ninetails Edited by: Cat o'Ninetails on 02/06/2009 18:55:30
Originally by: Valandril Now what stops me from renewing this ban on your username every X, thus preventing you from playing the game?
I guess a significant weak point could be the website. If I had a password to an account, I could simply log in and change that password. That'd have to be locked down unless you logged in on the client and sent an authentication token to the backend.
The website also requires the authenticator to log in with.
Pesets
The Hunt Club
Posted - 2009.06.02 19:35:00 -
[25]
Originally by: Cat o'Ninetails If that happened, I'd buy a lottery ticket that day.
You shouldn't, 'cause by that time you'd be out of luck :p
But actually, depending on how long the ban lasts and how many IPs your ISP has, that's not as unlikely as it seems. Especially if you consider that the attack doesn't necessarily come from a single PC of the attacker himself.
Parmala Udoni
Posted - 2009.06.02 20:08:00 -
[26]
I bought a SecurID starter kit from RSA which included 25 of them, for what worked out to be about US$70.00 each. This was for a VPN firewall project I worked on last year.
Ivy Scorn
Amarr Nethro Ore Conglomerate
Posted - 2009.06.02 20:28:00 -
[27]
Originally by: Pesets That's if you have an IP that's reserved just for you. Otherwise the IP you get is just one out of the available "pool" of addresses, and the IP you're using now might be the one previously used by the attacker.
The "ban" would only have to last 30 seconds, as this is the refresh interval of the authenticator.
Even though acquiring a password and hacking an account in less than 30 seconds is simply unrealistic given the technical and logistical difficulties, you could even protect against this situation by simply blocking login to an account for 30s after someone successfully logged in.
Conclusion: Yes, the authenticator would offer significantly improved security.
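The mechanism the thread has been arguing over, written out as an added example (Python; this is not code from CCP, Blizzard, RSA or any poster in the thread): an RFC 6238 time-based code generator producing the 6-digit, 30-second codes the posts describe, a login gate that caps wrong codes per account, per source IP and per 30-second window (Cat o'Ninetails' username+IP lockout, bounded to one code interval as Ivy Scorn suggests, so it cannot be used to keep the real owner locked out the way Valandril's username-only ban could), and a run of the stolen-password scenario, where the attacker has the password from a keylogger but not the token. The names LoginGate, simulate and max_guess_probability, the cap of 5 failures, the account name "pilot" and the IP addresses are all assumptions made for this example; the seed is the public RFC 6238 test-vector secret, used as constructed sample data.

```python
import hashlib
import hmac
import struct
from collections import defaultdict

TOTP_STEP = 30      # seconds per code: the "every 30 seconds" from the thread
TOTP_DIGITS = 6     # the 6-digit codes the thread discusses
MAX_FAILURES = 5    # assumed cap on wrong codes per (account, source IP, window)


def totp(secret: bytes, now: int, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: HOTP computed over the 30-second counter."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


class LoginGate:
    """Password + TOTP check with a failure cap keyed on (account, source IP, window).

    Keying the lockout on the source IP as well as the account is the thread's
    answer to a username-only lockout, which would let whoever holds the stolen
    password keep the real owner locked out; keying it on the 30-second window
    means the cap lasts exactly as long as a guessed code could still be valid.
    """

    def __init__(self, secrets: dict, max_failures: int = MAX_FAILURES):
        self.secrets = secrets                  # account name -> TOTP seed
        self.max_failures = max_failures
        self.failures = defaultdict(int)        # (account, ip, window) -> wrong codes

    def attempt(self, account: str, source_ip: str, password_ok: bool, code: str, now: int) -> str:
        key = (account, source_ip, now // TOTP_STEP)
        if self.failures[key] >= self.max_failures:
            return "locked"                     # refused before the code is even checked
        secret = self.secrets.get(account)
        if password_ok and secret is not None and hmac.compare_digest(code, totp(secret, now)):
            return "ok"
        self.failures[key] += 1
        return "denied"


def max_guess_probability(max_failures: int = MAX_FAILURES, digits: int = TOTP_DIGITS) -> float:
    """Upper bound on one source's chance of hitting the code inside one window."""
    return max_failures / (10 ** digits)


def simulate(now: int = 59) -> dict:
    """Stolen-password scenario: the attacker has the password but not the token.

    The seed is the public RFC 6238 test-vector secret (constructed sample data);
    the addresses are from documentation ranges, chosen for this example.
    """
    secret = b"12345678901234567890"
    gate = LoginGate({"pilot": secret})
    # One source address fires a burst of sequential code guesses in a single window.
    burst = [gate.attempt("pilot", "203.0.113.9", True, str(i).zfill(6), now)
             for i in range(1000)]
    # The real owner, on a different address, logs in during the same window.
    owner = gate.attempt("pilot", "198.51.100.7", True, totp(secret, now), now)
    return {
        "attacker_ok": burst.count("ok"),
        "attacker_denied": burst.count("denied"),
        "attacker_locked": burst.count("locked"),
        "owner": owner,
    }


if __name__ == "__main__":
    print(totp(b"12345678901234567890", 59))   # RFC 6238 vector: 287082
    print(simulate())
```

With the cap in place, a single source gets at most 5 wrong codes per window, so its chance of guessing the right one is bounded by 5/1,000,000 per 30 seconds rather than the "few million in one burst" Valandril describes, and the owner on another address is unaffected. Two caveats the thread itself raises still apply: on a shared address pool (Pesets' point) a legitimate user who inherits the attacker's address within the same 30 seconds would hit the cap for that one window, and the web-account page has to sit behind the same gate as the game client (Cat o'Ninetails' and Post Count's exchange), otherwise a password change bypasses the token entirely.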
Armon Deacon
Amarr Rage Quit Inc
Posted - 2009.06.02 20:36:00 -
[28]
I went ahead and added this to the CSM section, love the idea.
If you support it, please show it in the thread.
Ivy Scorn
Amarr Nethro Ore Conglomerate
Posted - 2009.06.02 20:45:00 -
[29]
Edited by: Ivy Scorn on 02/06/2009 20:45:40 delete.
Lazarann
Caldari Balls Deep Inc.
Posted - 2009.06.02 20:57:00 -
[30]
This is actually a pretty cool idea. Obviously you can't make everyone do it, but if it was added as an option, I would definitely get one, so long as one of them can authenticate all three of my accounts.