EVE Search - [Proposal] RSA authentication (help us protect our accounts)

All Channels

Assembly Hall

[Proposal] RSA authentication (help us protect our accounts)

» Click here to find additional results for this topic using Google

Monitor this thread via RSS [?]

Author	Thread Statistics \| Show CCP posts - 0 post(s)
SXYGeeK Gallente do you -Mostly Harmless-	Posted - 2010.10.04 16:54:00 - [1] With the recent wave of account hackings and CCP's reminder again to "Protect Your Accounts" I would like to reboot an inactive Proposal. http://www.eveonline.com/ingameboard.asp?a=topic&threadID=131673 With the amount of time we invest into this game and the damage that can be caused by hacking perhaps greater than that of a credit card theft to some of us there is, in my opinion, not enough done by CCP to give us the tools to protect our accounts. There are a lot of suggestions about how security could be improved but the single best improvement would be RSA authentication. Blizzard uses this for WOW and we make fun of how "trivial" it is to level a WOW character, yet they have a better level of protection than our EVE characters. Please don't take it that I am recommending you go play WOW... but they have a very well done implementation of RSA security. here's the FAQ that will give a little idea of how it works. http://us.blizzard.com/support/article.xml?locale=en_US&articleId=24660 some key things to note. -keys are optional, If you do not have a key setup on your account you can login with username and password as usual. -once a key is added to the account it will be required for all logins. -a single key can be added to multiple accounts, it won't mean they are linked just that they all accept the same key. -ideally keys would be available for <$10 US, CCP could even offer them for 1 PLEX, optionally software keys would be available for all the smart phone app stores so we can use our phones as a key. I believe this is one of the most important meta game issues we have at this time, please discuss and promote this issue, do not let this thread die again. -We So SeXy
SXYGeeK Gallente do you -Mostly Harmless-	Posted - 2010.10.04 22:33:00 - [2] Originally by: Saithe There's also this thing I recently discovered. It's called your brain. I laugh at these people who cry about being victims of Identity theft and account hacking. Very FEW accounts are actually 'hacked'. Instead, the account info is phished because someone isn't using their brain. I personally run my entire PC with no antivirus, no firewall, and I run with DMZ on. Never once have I gotten any form of spyware, any virus, and only ONCE has my Eve account been compromised. And that was a lucky guess due to someones computer storing passwords in Firefox. So, in short; to better protect your account, USE YOUR **ING HEAD WHEN GOING TO WEBSITES. Seriously, why the ** do you need to enter your account information ANYWHERE but eveonline.com, eveonline gate, or the actual Eve client? This may work for some, and has so far worked for me as well, but I am not naive enough to believe that I am better than every security threat out there. this Is why I employ every security precaution at my disposal when dealing with things like my bank, utility companies, ext... I would like to have more options for security for EVE as I have invested a significant amount of my time there. However, not all users of Eve are as capable as you / or I , nor do I think we wish to limit the possible subscriber base to PC security enthusiasts. also, there's no need for the rude language in the Assembly Hall -We So SeXy
SXYGeeK do you -Mostly Harmless-	Posted - 2010.10.05 15:08:00 - [3] Originally by: TeaDaze This is part of the Account Security Enhancements proposal which is still in the CSM backlog. We can discuss this again during the December summit and try to get it raised in priority. Thanks Tea, however the security tokens seems to be a small footnote in the proposal you linked. It's mostly concerned with character transfer proceedings. I might add that If account management was secured by RSA key it would be much much harder for anyone to initiate an unauthorized character transfer. I want to stress that RSA keys are perhaps the single best security mechanism that could be added and we should be clear that it should be the first priority, not a "Long term security improvement to consider" -We So SeXy
SXYGeeK Gallente do you -Mostly Harmless-	Posted - 2010.10.08 16:25:00 - [4] Another announcement today to protect our accounts, and the only tool we are given is the antiquated password with the recommendation to change it often. Please support this topic and let CCP know we need better tools to help us protect our accounts. -We So SeXy
SXYGeeK Gallente do you -Mostly Harmless-	Posted - 2010.10.25 16:56:00 - [5] Yet another reminder today to secure our accounts under yet another "wave" of account hackings. perhaps the frequency and seeming ease at which these "waves" of account compromise are occurring should give some indication that EVE account security is not adequate, and that placing most of the responsibility for account security on vulnerable users and their systems is not improving the problem. Please support this and ask your favorite CSM to encourage CCP to prioritize account security in light of these continuing waves. We need a breakwater, a breakwater made of authentication tokens :), and perhaps some "no wake" buoys. -We So SeXy
SXYGeeK Gallente do you -Mostly Harmless-	Posted - 2010.10.28 23:57:00 - [6] http://www.eveonline.com/ingameboard.asp?a=topic&threadID=1406554&page=1 Check out this thread for a great video on youtube. Markee Dragon (shattered crystal fame) interviewing Jared Psigoda (a kingpin in RMT consulting "Chinese Gold Farming" Discuss in the thread linked above. It is another reason that we need increased account security capabilities. -We So SeXy
SXYGeeK Gallente do you -Mostly Harmless-	Posted - 2010.11.03 20:08:00 - [7] Another proposal thread popped up for this issue here... http://www.eveonline.com/ingameboard.asp?a=topic&threadID=1408509&page=1 I wanted to consolidate this discussion to this thread and keep it alive as it has a number of supports. Please remember to click the "support" checkbox when posting your support here. in this other thread it was suggested that PGP encryption be used as it is freely available. I will cross post my response here. --- PGP encryption is not a suitable alternative to external pass phrase systems. a private key is needed to generate the PGP encryption on your client side, this could be captured by a keylogger or other compromise just as easy as a password. The power of a security key, such as Pay Pal, or Blizzard Authenticator, is that it is a separate device that is much more difficult to compromise (it can even be your smart phone). The best security is implemented by authenticating 3 things. 1: Something you know (a password) 2: Something you have (an external key, ID badge, ext..) 3: Something you are (fingerprint) we currently only have #1, and it's easy to obtain something someone knows. adding #2 has proven sufficient for other games, financial institutions, government agencies, ext... and could rather easily be implemented for EVE. adding #3 is usually reserved for the highest security (military/secret) and would be difficult to implement in any meaningful way for online transactions. -We So SeXy
SXYGeeK Gallente do you -Mostly Harmless-	Posted - 2010.11.06 14:48:00 - [8] Edited by: SXYGeeK on 06/11/2010 14:50:38 Originally by: EdwardNardella This enables secure account sharing. This will allow someone to lend out their account with no threat of it being stolen. If it does not then it is worthless. If only one security key can be associated with an account (typical) then this isn't making it easier for account sharing. you'd have to have the person your sharing with to call you (TS or w/e) and read the passphrase of the moment of to them. It's no different than if you where to reset your password for each person you share with prior to allowing them to login and then reseting it. Sharing will continue to be a risk as you still don't know that the person you're sharing with won't otherwise compromise your account, wipe your items/isk, steal your MOM&Titan or otherwise. and when those situations get petitioned someone usually ends up taking the BAN. (read recent EveNews24) If this is combined with IP based security it would make it even more difficult for account sharing to take place. -We So SeXy
SXYGeeK Gallente do you -Mostly Harmless-	Posted - 2010.11.07 02:36:00 - [9] I see, you're saying that the risk of having something unrecoverable stolen due to account sharing should be an effective limit on account sharing. I don't know that that is the case, I have heard of several situations where someone sharing an account just reported it as "hacked" and had their characters/items returned. (the article in EveNews24 is the most recent such report of such a situation) If CCP where serious about account sharing violations they would have IP based access control and would be issuing warnings and temp bans for suspicious access. I've actually never heard of them doing this. Personally I think they don't really care until it causes them a support ticket. You are right, security keys could remove one of the possible risks in sharing an account, however, there is still the risk to assets, corp/alliance roles, reputation. And I don't think that that those risks are really an effective deterrent in the first place. I think that the pain of communicating the key's pass phrase for every login would make most account sharing folks choose to use just passwords and not get a key. -We So SeXy
SXYGeeK Gallente do you -Mostly Harmless-	Posted - 2010.11.19 08:12:00 - [10] I just can't let this drift into the shadow, It must stay on the front page, moar supports plz. -We So SeXy

COPYRIGHT NOTICE
EVE Online, the EVE logo, EVE and all associated logos and designs are the intellectual property of CCP hf. All artwork, screenshots, characters, vehicles, storylines, world facts or other recognizable features of the intellectual property relating to these trademarks are likewise the intellectual property of CCP hf. EVE Online and the EVE logo are the registered trademarks of CCP hf. All rights are reserved worldwide. All other trademarks are the property of their respective owners. CCP hf. has granted permission to EVE-Search.com to use EVE Online and all associated logos and designs for promotional and information purposes on its website but does not endorse, and is not in any way affiliated with, EVE-Search.com. CCP is in no way responsible for the content on or functioning of this website, nor can it be liable for any damage arising from the use of this website.