
voogru
Gallente Massive Damage United Corporations Against Macros
|
Posted - 2009.07.23 13:30:00 -
[1]
Edited by: voogru on 23/07/2009 13:32:58
I'm sure this has been discussed previously, but I don't see a topic here, so I'll make one.
I have two suggestions on how to improve account security.
1. Limit accounts to logging in from their origin country only.
- I have an EVE-Online account; this account is addressed in the United States. It is terribly unlikely that I will ever log in to EVE from a country outside the United States. This feature could be enabled by default, but have a secure procedure that allows a player to enable/disable this feature. Logging into the "My Account" section of the EVE website would need to have these same restrictions.
- In the event a login is tried from a non-origin country, the owner should be notified in the same manner as described below.
2. Alert owners of accounts if someone is trying to guess their login information.
- If someone somehow guesses my username and tries to guess my password, and they fail to log in, I should receive an email that has the following:
* The username of the account they tried (some players have more than one account)
* The password they attempted to use against my account (this would be very useful to tell if an EVE-related site leaked information, since we could use passwords specific to these sites; if someone hits our account with that password, we know where it came from)
* The IP address of the person that attempted to log in to our account
Excessive failed login attempts from a single IP address should also raise flags for GMs as well.
Suggestions have been made before, but these were ages ago, and we haven't heard anything about it.
|

voogru
Massive Damage United Corporations Against Macros
|
Posted - 2009.07.23 13:31:00 -
[2]
Supporting my own topic, since all the cool kids do it. |

Nidhiesk
|
Posted - 2009.07.23 13:51:00 -
[3]
What? A captcha to log in? Well, that's cool, I guess, but anyway... mhh, yeah, those things would be good. I guess it would stop the Chinese farmers... well, that's what I can think of.
For the account login, yeah, but wouldn't that be a privacy issue, since you know the IP of the person who tried to log in? |

Dav Varan
|
Posted - 2009.07.23 14:11:00 -
[4]
If something similar is not already in place, then maybe also
3) More than 10 failed login attempts from an IP address per day should automatically block any further attempts from that IP for 24 hours. Stops brute-force attacks. |

Dav Varan
|
Posted - 2009.07.23 14:11:00 -
[5]
supported |

De'Veldrin
Minmatar Special Projects Executive
|
Posted - 2009.07.23 14:33:00 -
[6]
Originally by: Nidhiesk What? A captcha to log in? Well, that's cool, I guess, but anyway... mhh, yeah, those things would be good. I guess it would stop the Chinese farmers... well, that's what I can think of.
For the account login, yeah, but wouldn't that be a privacy issue, since you know the IP of the person who tried to log in?
Speaking from the perspective of a non-lawyer in the US: most IP addresses are recycled anyway, so they're not directly tied to any one person. At best, this will get you their ISP. That plus the date and time of the attack could lead you to an actual person, but only if you subpoena the ISP's records (and a court order trumps personal privacy most of the time, at least in the United States). |

Drake Draconis
Shadow Cadre
|
Posted - 2009.07.23 14:34:00 -
[7]
*Great....a captcha added to a stupid forum boards system that is already broken to begin with.*
As long as the system doesn't force password changes... no problems here.
Supported. |

voogru
Gallente Massive Damage United Corporations Against Macros
|
Posted - 2009.07.23 14:35:00 -
[8]
Originally by: Nidhiesk For the account login, yeah, but wouldn't that be a privacy issue, since you know the IP of the person who tried to log in?
Sorry, you forfeit the privacy of your IP address when trying to break into somebody's account. |

Drake Draconis
Minmatar Shadow Cadre
|
Posted - 2009.07.23 14:37:00 -
[9]
Originally by: voogru
Originally by: Nidhiesk For the account login, yeah, but wouldn't that be a privacy issue, since you know the IP of the person who tried to log in?
Sorry, you forfeit the privacy of your IP address when trying to break into somebody's account.
You don't know TCP/IP very well, do you?
IP addresses mean nothing today... they can be spoofed... remapped... redirected... proxied. |

voogru
Gallente Massive Damage United Corporations Against Macros
|
Posted - 2009.07.23 14:43:00 -
[10]
Originally by: Drake Draconis IP addresses mean nothing today... they can be spoofed... remapped... redirected... proxied.
Running a proxy for the EVE server involves a little bit of logistics. |

Drake Draconis
Minmatar Shadow Cadre
|
Posted - 2009.07.23 15:11:00 -
[11]
Originally by: voogru
Originally by: Drake Draconis IP addresses mean nothing today... they can be spoofed... remapped... redirected... proxied.
Running a proxy for the EVE server involves a little bit of logistics.
You're actually saying that, thinking it's that hard?
You're treading on thin ice, pal.
Leave the geek work to the geeks and just take my word for it... it's not hard at all. A little foolish perhaps... but easily done. |

Kaylan Jahlar
Minmatar Industrial Limited
|
Posted - 2009.07.23 15:18:00 -
[12]
Quote: 1. Limit accounts to logging in from their origin country only.
A warning should be sent, but you shouldn't be prevented from logging in. There are a lot of EVE players who are in the Army, and they travel a lot. This would mean they wouldn't be able to log in anymore. I can also imagine some players wanting to log in to their EVE Online account to train skills while on vacation in another country. What about that?
Quote: 2. Alert owners of accounts if someone is trying to guess their login information.
This, however, I totally support. Any series of 3-5+ unauthorized attempts on your account should be communicated to you in the same way credit card fraud is. If someone is trying to brute-force your password, you should know about it. Then again, I believe your account becomes locked if someone tries to log in more than 3 times in a row with the wrong info, but I'm not sure about that. |

voogru
Gallente Massive Damage United Corporations Against Macros
|
Posted - 2009.07.23 15:49:00 -
[13]
Edited by: voogru on 23/07/2009 15:56:45
Originally by: Drake Draconis You're actually saying that, thinking it's that hard?
You're treading on thin ice, pal.
Leave the geek work to the geeks and just take my word for it... it's not hard at all. A little foolish perhaps... but easily done.
I'm a geek. Thank you very much.
Did I say it was hard to do?
NO.
I said it takes a bit of LOGISTICS to do. Meaning, it is an annoying barrier for them. First they need the username/password, THEN they need to figure out what country the account is in, THEN they need a proxy that is based in that country. They can usually ASSUME it's the US, but it's not always the case. CCP could also narrow it down to State/Province or City (which could be configured by the end user). Then they need a proxy in the same State/Province/City as the account holder. Systems such as GeoIP are generally accurate enough for this kind of usage. Any player who has problems with the system would have the option to disable it.
CCP already uses such a system with their credit card validation.
Originally by: Kaylan Jahlar
Quote: 1. Limit accounts to logging in from their origin country only.
A warning should be sent, but you shouldn't be prevented from logging in. There are a lot of EVE players who are in the Army, and they travel a lot. This would mean they wouldn't be able to log in anymore. I can also imagine some players wanting to log in to their EVE Online account to train skills while on vacation in another country. What about that?
These players can go through the secure procedure to disable the feature. That's why I suggest a system to disable it. A minority of players are in this situation.
Originally by: Kaylan Jahlar
Quote: 2. Alert owners of accounts if someone is trying to guess their login information.
This, however, I totally support. Any series of 3-5+ unauthorized attempts on your account should be communicated to you in the same way credit card fraud is. If someone is trying to brute-force your password, you should know about it. Then again, I believe your account becomes locked if someone tries to log in more than 3 times in a row with the wrong info, but I'm not sure about that.
The account being locked after 3 attempts would be very easy to grief: figure out the username of your enemy and fail to log in several times, and he is then at the mercy of the timer or GMs to get back in the game. |
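
As an added example (not code from the thread or from CCP), here is how the throttling and alerting proposed in posts 1, 4 and 13 could fit together: failures are counted per source IP (blocking that IP after 10 in a day) and per account (alerting the owner with the username and IP after a few failures), while the account itself is never locked, so the griefing described above cannot keep the real owner out. The class name, thresholds and IP addresses are assumptions.

```python
import time
from collections import defaultdict, deque

# Constructed policy values that follow the thread's proposals: alert the owner
# after 3 failures against an account, block an IP after 10 failures in a day,
# but never lock the account itself, so a griefer cannot keep the owner out.
ALERT_AFTER_FAILURES = 3
IP_FAILURE_LIMIT = 10
WINDOW_SECS = 24 * 3600
IP_BLOCK_SECS = 24 * 3600


class LoginGuard:
    """Tracks failed logins per source IP and per account (hypothetical class)."""

    def __init__(self):
        self.ip_failures = defaultdict(deque)       # ip -> failure timestamps
        self.ip_blocked_until = {}                  # ip -> unblock time
        self.account_failures = defaultdict(deque)  # account -> failure timestamps
        self.alerts = []                            # (account, ip, failure count)

    @staticmethod
    def _prune(stamps, now):
        # Drop failures older than the sliding window.
        while stamps and stamps[0] <= now - WINDOW_SECS:
            stamps.popleft()

    def attempt(self, account, ip, password_ok, now=None):
        """Returns 'ok', 'failed' or 'ip_blocked'. The account is never locked."""
        now = time.time() if now is None else now
        if self.ip_blocked_until.get(ip, 0) > now:
            return "ip_blocked"
        if password_ok:
            return "ok"

        ip_fails = self.ip_failures[ip]
        self._prune(ip_fails, now)
        ip_fails.append(now)
        if len(ip_fails) >= IP_FAILURE_LIMIT:
            self.ip_blocked_until[ip] = now + IP_BLOCK_SECS

        acct_fails = self.account_failures[account]
        self._prune(acct_fails, now)
        acct_fails.append(now)
        if len(acct_fails) == ALERT_AFTER_FAILURES:
            # Notify the owner with the username and source IP only; the
            # attempted password is deliberately not included in the alert.
            self.alerts.append((account, ip, len(acct_fails)))
        return "failed"


def simulate_griefer():
    """Constructed scenario: a griefer hammers 'victim' from one IP while the
    real owner logs in from elsewhere with the correct password."""
    guard = LoginGuard()
    t0 = 1_000_000
    griefer_results = [guard.attempt("victim", "203.0.113.9", False, t0 + i)
                       for i in range(IP_FAILURE_LIMIT + 1)]
    owner_result = guard.attempt("victim", "198.51.100.7", True, t0 + 20)
    # Even the right password from the blocked IP is refused until the block lapses.
    griefer_with_password = guard.attempt("victim", "203.0.113.9", True, t0 + 21)
    after_block = guard.attempt("victim", "203.0.113.9", True,
                                t0 + 10 + IP_BLOCK_SECS + 1)
    return {
        "griefer": griefer_results,
        "owner": owner_result,
        "griefer_with_password": griefer_with_password,
        "after_block": after_block,
        "alerts": guard.alerts,
    }
```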

Jon Lucien
Black Omega Security Pandemic Legion
|
Posted - 2009.07.23 16:16:00 -
[14]
1. If this was implemented, this should be a disabled-by-default feature. It is your belief that a minority of EVE players are international travelers, but you honestly don't know whether that is true. Also, this is amazingly easy to get around with a VPN or IP redirection service and serves little purpose.
2. I doubt CCP would release the IP that attempted to access your account. The account does not belong to you, and you therefore have no right to such information. I agree that a number of repeated failed login attempts should raise flags on accounts for suspicious activity. |

Kaylan Jahlar
Minmatar Industrial Limited
|
Posted - 2009.07.23 16:19:00 -
[15]
Originally by: Jon Lucien 2. I doubt CCP would release the IP that attempted to access your account. The account does not belong to you, and you therefore have no right to such information. I agree that a number of repeated failed login attempts should raise flags on accounts for suspicious activity.
They already show the IP of the requester for any API call in the API logs, so I don't see why not. |

voogru
Gallente Massive Damage United Corporations Against Macros
|
Posted - 2009.07.23 16:59:00 -
[16]
Edited by: voogru on 23/07/2009 17:04:28
Originally by: Jon Lucien 1. If this was implemented, this should be a disabled-by-default feature. It is your belief that a minority of EVE players are international travelers, but you honestly don't know whether that is true. Also, this is amazingly easy to get around with a VPN or IP redirection service and serves little purpose.
Heh, somehow I doubt a majority of EVE players frequently travel internationally. But sure, it could default to off. The problem with that: the players who are most vulnerable to getting their accounts hacked are not the kind of players who will go and enable this feature until all of their stuff is lost. And by then they probably won't renew, and CCP loses a customer if the player can't be reimbursed.
Another thing: the system could be set up so that it's not just by country, but by state, province or city as well. The end user could have the option of configuring exactly how restrictive their account is. Country was just the first step.
The only thing that's important is having a decent and secure procedure to change these settings, so someone with the password can't just go to the website login and disable them willy-nilly.
Originally by: Jon Lucien 2. I doubt CCP would release the IP that attempted to access your account. The account does not belong to you, and you therefore have no right to such information. I agree that a number of repeated failed login attempts should raise flags on accounts for suspicious activity.
See above post. API.
As far as the account ownership goes, that may be true. But it's in CCP's best interest to HELP ME protect my account from unauthorized use. Because if someone breaks in and steals all of my stuff, my fault or not, and their GM logs "show nothing", they will lose an account (5 accounts in my case).
If you have noticed, CCP has already started making changes to the forum (captcha). These are slightly misguided, because I believe they are poor methods of solving the problem, but it shows they are at least trying to do something to protect the players.
|

Instagib
Reykjavik University Corpus Maximus
|
Posted - 2009.07.23 17:46:00 -
[17]
Yes please. I'd really love to see a last-style log (last is a command in Unix-like OSs) showing the most recent logins.
e.g.
[Time]               [IP]          [Type]   [Duration]
2009-07-23/17:24:09  132.23.43.2   Forums   -
2009-07-22/18:05:33  132.23.43.2   TQ       01:23:43
2009-07-22/04:40:16  54.23.1.5     TQ       00:00:05   <- Then you're like wtf
2009-07-21/16:44:33  132.23.43.2   TQ       03:47:12
2009-07-21/15:32:19  132.23.43.2   Forums   -
If it would span all login systems (TQ, forums, account management), then you could quickly see if somebody logged in, even if it was just to verify the login.
Ofc if any system like SISI were left out, it would leave a hole that could be used to verify the login and explore assets before the attacker raided multiple TQ accounts in one go. |

Lt Forge
Pilots From Honour Aeternus.
|
Posted - 2009.07.23 18:46:00 -
[18]
|

Herschel Yamamoto
Agent-Orange
|
Posted - 2009.07.23 19:00:00 -
[19]
Not as complete as some of the other account-security threads that have been proposed, and I don't like #1, but #2 is good. Tentative support for the package. |

Arous Drephius
|
Posted - 2009.07.23 19:29:00 -
[20]
MAEKING SUPPORT |

Verone
Gallente Veto Corp
|
Posted - 2009.07.23 22:13:00 -
[21]
Edited by: Verone on 23/07/2009 22:14:34
Originally by: voogru 1. Limit accounts to logging in from their origin country only. - I have an EVE-Online account; this account is addressed in the United States. It is terribly unlikely that I will ever log in to EVE from a country outside the United States. This feature could be enabled by default, but have a secure procedure that allows a player to enable/disable this feature. Logging into the "My Account" section of the EVE website would need to have these same restrictions. - In the event a login is tried from a non-origin country, the owner should be notified in the same manner as described below.
No chance.
I know hundreds of people, myself included, who have jobs that take them onto foreign soil. You're basically shafting a significant chunk of the playerbase into not being able to play the game when they're away with work.
You're also shafting everyone who travels to fanfest and wants to skillchange or log in the morning after an epic night out to talk to their corpmates.
You're also shafting people who decide they want to emigrate and would have to run the gauntlet of customer support and wait till the next ice age to have their account details changed.
You're also shafting people that decide they want to go on vacation, and take a laptop with them only to find that their account is locked because they're logging on from an IP in a different country.
You're also shafting people who are serving in the armed forces when their tour of duty takes them to far away places.
I can see the basic logic behind it but it has a horrible set of side effects where everyone who doesn't sit at home on their buns festering in front of the same computer day in and day out is being shafted. That's lots of shafting.
Even with controls in place to enable or disable it, it's a bad idea since someone could take control of the account, and enable it for their location, and the damage is already done before CCP has a chance to respond.
Sorry, I know it's suggested with the best of intentions but it's a terrible idea.
|

voogru
Gallente Massive Damage United Corporations Against Macros
|
Posted - 2009.07.23 22:50:00 -
[22]
Edited by: voogru on 23/07/2009 22:53:48
Originally by: Verone I know hundreds of people, myself included, who have jobs that take them onto foreign soil. You're basically shafting a significant chunk of the playerbase into not being able to play the game when they're away with work.
That's why they could opt to disable it.
Originally by: Verone You're also shafting everyone who travels to fanfest and wants to skillchange or log in the morning after an epic night out to talk to their corpmates.
Give them the option of disabling it.
Originally by: Verone You're also shafting people who decide they want to emigrate and would have to run the gauntlet of customer support and wait till the next ice age to have their account details changed.
They'd need to change the address on the account in that case, plus it would be possible for CCP to set up a system that handles this automatically, similar to a password reset mechanic. They get an email and click on a link to confirm the changes.
Originally by: Verone You're also shafting people that decide they want to go on vacation, and take a laptop with them only to find that their account is locked because they're logging on from an IP in a different country.
A good fix for this would be to give players an option to disable it.
Originally by: Verone You're also shafting people who are serving in the armed forces when their tour of duty takes them to far away places.
Perhaps there could be an option for players to enable/disable this feature?
Originally by: Verone Even with controls in place to enable or disable it, it's a bad idea since someone could take control of the account, and enable it for their location, and the damage is already done before CCP has a chance to respond.
Notice how I said a "secure" method of handling the enabling/disabling. Meaning, the account owner's email would be contacted before changes take place.
Originally by: Verone Sorry, I know it's suggested with the best of intentions but it's a terrible idea.
Here's an idea: rather than blocking the login, fire off an email to the user's email account with a 6-digit code and ask them to enter that code.
- If they are able to connect to the EVE server, chances are they'll be able to get to their email. Maybe add an SMS option too.
- Once they enter the correct code, they have the option of adding the current location as a temporary location (24 hours) or a permanent location.
- These same restrictions would apply to the website as well.
I'd much rather see a random-number-generating keychain toy implemented, but if CCP's not able to do that right this minute, these are other options. |
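
An added example (not from the thread or from CCP) of the email-code flow described above: a login from an untrusted country triggers a 6-digit code, a correct code adds that location as temporary (24 hours) or permanent trust, and guesses at the code are limited so the code itself cannot be brute-forced. The class, method names, GeoIP stand-in and sample addresses are assumptions.

```python
import hmac
import math
import secrets

# Constructed policy values following the thread: a temporary location is
# trusted for 24 hours, a mailed code is valid for 15 minutes and may be
# guessed only a few times so a 6-digit code cannot be brute-forced.
TEMP_TRUST_SECS = 24 * 3600
CODE_TTL_SECS = 15 * 60
MAX_CODE_TRIES = 3
PERMANENT = math.inf


class LocationPolicy:
    """Per-account trusted locations with an email code challenge (hypothetical)."""

    def __init__(self, geolocate):
        self.geolocate = geolocate  # ip -> country; a GeoIP lookup stands in here
        self.trusted = {}           # account -> {country: expiry time or PERMANENT}
        self.pending = {}           # (account, country) -> [code, expiry, tries]
        self.outbox = []            # (account, code): stand-in for email/SMS delivery

    def trust(self, account, country, permanent, now):
        expiry = PERMANENT if permanent else now + TEMP_TRUST_SECS
        self.trusted.setdefault(account, {})[country] = expiry

    def login(self, account, ip, now):
        """'ok' for a trusted location, else sends a code and returns 'challenge_sent'."""
        country = self.geolocate(ip)   # password is assumed to be verified already
        expiry = self.trusted.get(account, {}).get(country)
        if expiry is not None and expiry > now:
            return "ok"
        code = f"{secrets.randbelow(10 ** 6):06d}"   # unpredictable 6-digit code
        self.pending[(account, country)] = [code, now + CODE_TTL_SECS, 0]
        self.outbox.append((account, code))
        return "challenge_sent"

    def verify(self, account, ip, code, permanent, now):
        """Consumes the pending code; on success the current country is trusted
        for 24 hours (permanent=False) or indefinitely (permanent=True)."""
        key = (account, self.geolocate(ip))
        challenge = self.pending.get(key)
        if challenge is None or challenge[1] <= now:
            self.pending.pop(key, None)     # expired codes are discarded
            return "no_challenge"
        challenge[2] += 1
        if challenge[2] > MAX_CODE_TRIES:
            del self.pending[key]           # force a fresh code after too many guesses
            return "too_many_tries"
        if not hmac.compare_digest(challenge[0], code):
            return "bad_code"
        del self.pending[key]
        self.trust(account, key[1], permanent, now)
        return "trusted"


SAMPLE_GEO = {"198.51.100.7": "US", "203.0.113.5": "GB"}  # constructed GeoIP stand-in


def travel_scenario():
    """Constructed walk-through: a US-homed account logs in from the UK."""
    policy = LocationPolicy(SAMPLE_GEO.get)
    policy.trust("pilot", "US", permanent=True, now=0)
    steps = [policy.login("pilot", "198.51.100.7", 100),      # home: ok
             policy.login("pilot", "203.0.113.5", 200)]       # abroad: challenge
    code = policy.outbox[-1][1]
    wrong = "000000" if code != "000000" else "111111"
    steps.append(policy.verify("pilot", "203.0.113.5", wrong, False, 210))
    steps.append(policy.verify("pilot", "203.0.113.5", code, False, 220))
    steps.append(policy.login("pilot", "203.0.113.5", 300))                      # temp trust
    steps.append(policy.login("pilot", "203.0.113.5", 220 + TEMP_TRUST_SECS + 1))  # expired
    return steps
```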

Herschel Yamamoto
Agent-Orange
|
Posted - 2009.07.24 00:18:00 -
[23]
How do you propose that they disable the feature? Say a player lives in the US, is in the UK on business, goes to log in, gets locked out. So what, they just check the account page to disable it? Oh, wait, if you have it happen that way then all the hack attempts will just be against the account page. You'd have to have them disable the feature preemptively, which is great until someone forgets, or doesn't know that this "feature" exists, and then they find that they can't play the game. It's simply not practical. |

AtheistOfDoom
The Athiest Syndicate Advocated Destruction
|
Posted - 2009.07.24 01:01:00 -
[24]
1. People might not always be in their country. No.
2. Yes.
|

voogru
Gallente Massive Damage United Corporations Against Macros
|
Posted - 2009.07.24 03:44:00 -
[25]
Originally by: Herschel Yamamoto How do you propose that they disable the feature? Say a player lives in the US, is in the UK on business, goes to log in, gets locked out. So what, they just check the account page to disable it? Oh, wait, if you have it happen that way then all the hack attempts will just be against the account page. You'd have to have them disable the feature preemptively, which is great until someone forgets, or doesn't know that this "feature" exists, and then they find that they can't play the game. It's simply not practical.
The system to enable/disable/configure it should be handled by sending them emails and having them confirm their actions that way, so as long as they could access their mail, they'd be able to log in. |

Herschel Yamamoto
Agent-Orange
|
Posted - 2009.07.24 06:14:00 -
[26]
Originally by: voogru
Originally by: Herschel Yamamoto How do you propose that they disable the feature? Say a player lives in the US, is in the UK on business, goes to log in, gets locked out. So what, they just check the account page to disable it? Oh, wait, if you have it happen that way then all the hack attempts will just be against the account page. You'd have to have them disable the feature preemptively, which is great until someone forgets, or doesn't know that this "feature" exists, and then they find that they can't play the game. It's simply not practical.
The system to enable/disable/configure it should be handled by sending them emails and having them confirm their actions that way, so as long as they could access their mail, they'd be able to log in.
Less bad, but I still foresee major problems. I could only conceivably support this if it defaulted to being off, and even then I'm sketchy on it. |

mazzilliu
|
Posted - 2009.07.24 12:52:00 -
[27]
Edited by: mazzilliu on 24/07/2009 12:52:09
Originally by: Jon Lucien 1. If this was implemented, this should be a disabled-by-default feature. It is your belief that a minority of EVE players are international travelers, but you honestly don't know whether that is true. Also, this is amazingly easy to get around with a VPN or IP redirection service and serves little purpose.
2. I doubt CCP would release the IP that attempted to access your account. The account does not belong to you, and you therefore have no right to such information. I agree that a number of repeated failed login attempts should raise flags on accounts for suspicious activity.
(1.) I agree with (2.). From seeing a corpmate's experience: if you suspect your account was broken into and you want to know the history of your account's login information, the GM will disclose that information to you. In the case of my corpmate, there was a virus on his computer and the attacker was remotely controlling it, so the GM told him that it was his own IP address that was logging into the account.
Also, currently, if you didn't know, any IP address that accesses your API information is available to you if you check it before the log entry is a week old. This is actually a nice way to harvest IPs if you leak your API to an enemy. Edit: beaten on the API thing.
MAZZILLIU 2009. CHANGE I CAN IMPOSE ON YOU. |