
Big BillyBob
|
Posted - 2006.01.08 16:56:00 -
[1]
We have all gotten the news that accounts are being hacked, passwords getting out and money taken or ships and equipment destroyed or lost.
CCP urged us to ALL change our passwords to try and prevent this from happening again.
Well, I don't know if that necessarily helps.
I changed my password the day I got the mail, different from my first.
Today at 14:38 EVE time, not an hour before I logged on, a character by the name of kill2008 mysteriously acquired 215,000,000 isk from my account.
My password was not changed, no equipment taken or destroyed, just the isk...thankfully.
I petitioned (like a PERSON and not a spoiled little child mind you) and got a swift response.
So here is my warning:
Although you might have changed your passwords as CCP asked, this MIGHT NOT be helping the situation. First of all, in order to get to your account they have to know (1) your account name (2) password and, maybe, (3) email address.
I don't know how they could get this without personally knowing you or hacking CCP email or the database, and if it is indeed the latter, is there really that much we can do to stop it ourselves other than staying logged in 23/7?
Anyway, to everyone in EVE, even to my enemies, keep your details secret and keep watching for suspicious actions and strange occurrences on your account. Thieves are out there, and no matter how much I may want to turn your corpse into a sports bag, nobody deserves to be compromised like this. It's pathetic, it's a stupid thing to do, and CCP is diligently working on it.
|

Clytamnestra
|
Posted - 2006.01.08 17:05:00 -
[2]
I'm not sure I should even post this but I can't sit idly by. I understand that the people in charge of "ask a question" and the support emails have their hands full, but I have some information I really, really think is important.
My password was not among those who got reset. But as an added security measure I went ahead and changed mine after the fact. However, I find now that I am able to log in to the game and the website with both my old and my new password. I'm sure everyone can realize how that constitutes a security issue.
--
|

Dakath
|
Posted - 2006.01.08 17:08:00 -
[3]
I'm not sure which end the problem is on. To make sure your computer is not compromised you can get a free virus scan from Trend Micro.
http://www.trendmicro.com/hc_intro/default.asp
I did not make that a link on purpose. Copy paste into browser.
LAG!Ö |

Nee'kita Frist
|
Posted - 2006.01.08 17:11:00 -
[4]
Precautions you should always take when using any ONLINE SERVICE.
One email should be used for secure accounts, preferably a POP3 account email which you receive via a client such as Outlook or Thunderbird. (Although depending on your PC's security you may be better off with web-based, personally I prefer web-based due to my constant travelling around.)
Always have a spyware checker on your system. Ad-aware and PC-cillin have spy checkers, although both seem to have different ideas what, exactly, is spyware. I find running them both is a good comprehensive scan.
People complain that software firewalls just don't work. Maybe not against someone who wants to really break into your PC, but script kiddies are completely screwed over by them. However, I still do recommend that you have a hardware firewall in the form of a router or a small hardware firewall that attaches directly to your phone line and stays on 24/7. A lot of these are being released lately and have adaptive firewall tech in them, meaning they automatically configure themselves to authorise access for programs which you run.
Finally, make sure you're not running a ridiculous amount of programs that open a trillion ports to the internet. MSN Messenger is a real ***** and from what I've seen opens 10 connections when it in reality (at least for me anyway) only uses 3 of these. So you may wish to figure out those opened but inactive ports and get your firewall software to block them. (In fact one of those ports is for the annoying ads on MSN, so if you block that, no more ads.)
To check what ports are open, just go to start menu -> run -> cmd and type in netstat and press return.
That's all the spiel I can pour off the top of my head at the moment. I'm sure there's someone here who's actually an expert in security who could give you far more info.
|

Joshua Foiritain
|
Posted - 2006.01.08 17:16:00 -
[5]
Currently switching passwords on a daily basis  -------------
|

Altai Saker
|
Posted - 2006.01.08 17:17:00 -
[6]
Out of curiosity, has anyone had their connection usurped? Or do they wait till you log off?
|

BuzzBuz
|
Posted - 2006.01.08 17:21:00 -
[7]
It is also possible that people may put up EVE/Corp websites and gain info through that from non security conscious people that register ....
... and what about those websites that are compatible with EVE Online where you get a warning box that if you enter the site info about your character will be gleaned ...
just a thought ... -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= ...One mans rubbish is another mans treasure... |

Montague Zooma
|
Posted - 2006.01.08 17:27:00 -
[8]
Interesting. I just tried to log into the "My Account" section but connection was refused after I entered the username and password.
|

Joshua Foiritain
|
Posted - 2006.01.08 17:29:00 -
[9]
Originally by: BuzzBuz ... and what about those websites that are compatible with EVE Online where you get a warning box that if you enter the site info about your character will be gleaned ...
I assume you mean through the Ingame Browser? That normally doesn't allow people to get any special info, just basic stuff about your character that almost everyone can see. -------------
|

Kerushi
|
Posted - 2006.01.08 17:30:00 -
[10]
Edited by: Kerushi on 08/01/2006 17:30:24
Originally by: BuzzBuz It is also possible that people may put up EVE/Corp websites and gain info through that from non security conscious people that register ....
... and what about those websites that are compatible with EVE Online where you get a warning box that if you enter the site info about your character will be gleaned ...
just a thought ...
what worries me most with this feature is the data storage, which could include your IP range (or static) as well as locations and normal char info (corp roles like CEO are interesting)
not gonna say anyone uses it to gather the data but this is a reason why i haven't used the IGB auth besides for stuff i play around with which i wrote myself ________________
|

Big BillyBob
|
Posted - 2006.01.08 17:30:00 -
[11]
My pleas have been heeded, and my precious isk returned. My thanks to GM 1000. (or whatever your name is) 
|

Xelios
|
Posted - 2006.01.08 17:31:00 -
[12]
Originally by: Montague Zooma Interesting. I just tried to log into the "My Account" section but connection was refused after I entered the username and password.
Mine won't even connect to the My Account section in the first place =/
Signature removed. -Zhuge ([email protected]) Woot.
|

BuzzBuz
|
Posted - 2006.01.08 17:35:00 -
[13]
Originally by: Joshua Foiritain
Originally by: BuzzBuz ... and what about those websites that are compatible with EVE Online where you get a warning box that if you enter the site info about your character will be gleaned ...
I assume you mean through the Ingame Browser? That normally doesn't allow people to get any special info, just basic stuff about your character that almost everyone can see.
OK - however I have never trusted it and still won't :) -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= ...One mans rubbish is another mans treasure... |

Sol Basso
|
Posted - 2006.01.08 18:11:00 -
[14]
I got the email Friday night and changed my password to something new.
Saturday morning someone transferred 300 million to my character and then transferred that plus all my cash to a character that no longer exists.
In-game petition tool didn't work, still waiting for a reply to my question via the web site.
Not happy right now.
|

Rod Blaine
|
Posted - 2006.01.08 18:15:00 -
[15]
Edited by: Rod Blaine on 08/01/2006 18:15:46
Quote: However, I find now that I am able to log in to the game and the website with both my old and my new password.
Maybe the people that got their accounts accessed after changing their pw's earlier could test this and see if it's a common thing between you all ?
I had one account reset too, changed the pw, and my old pw is NOT usable anymore after the change. So what you describe is not a general problem at least. _______________________________________________
Power to the players !
|

ElCoCo
|
Posted - 2006.01.08 18:29:00 -
[16]
This is troublesome.
Those of you that had that happen, did you use "remember password" on your EVE client?
|

Clytamnestra
|
Posted - 2006.01.08 18:40:00 -
[17]
Originally by: Rod Blaine Edited by: Rod Blaine on 08/01/2006 18:15:46
Quote: However, I find now that I am able to log in to the game and the website with both my old and my new password.
Maybe the people that got their accounts accessed after changing their pw's earlier could test this and see if it's a common thing between you all ?
I had one account reset too, changed the pw, and my old pw is NOT usable anymore after the change. So what you describe is not a general problem at least.
Actually, I went through this with a GM, it appears the passwords are case insensitive. All I did was change the caps on some of the characters in my password.
--
|

Maya Rkell
|
Posted - 2006.01.08 19:03:00 -
[18]
Yep, they've never been case sensitive and a disclaimer to that effect would be handy on the change password page...
Warning: above post may contain traces of sarcasm. "Corpse cannot be fitted onto ship. Only hardware modules can be fitted." |
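An added illustration (not part of the thread, and not CCP's code) of the behaviour posts [17] and [18] describe: if a login path folds case before hashing, a re-capitalised password is the same secret, so the "old" password keeps working unless the change-password check applies the same normalization. That the server folds before hashing, the function names, the PBKDF2 parameters and the sample passwords are all assumptions constructed for the example.

```python
import hashlib
import hmac
import math
import os

ITERATIONS = 100_000  # assumed work factor for the example


def normalize(password, case_sensitive):
    # A case-insensitive system folds case before hashing, so every
    # capitalisation of the same letters maps to one stored secret.
    return password if case_sensitive else password.casefold()


def make_record(password, case_sensitive):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(password, case_sensitive).encode(), salt, ITERATIONS)
    return {"salt": salt, "digest": digest, "case_sensitive": case_sensitive}


def verify(record, attempt):
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(attempt, record["case_sensitive"]).encode(),
        record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["digest"])


def change_password(record, old, new):
    """Return a new record, or raise ValueError if the change is a no-op."""
    if not verify(record, old):
        raise ValueError("current password is wrong")
    # Compare the new password to the stored one *after* the normalization
    # the login path uses; otherwise "Hunter2x" -> "hUNTER2X" is accepted
    # as a change while the old password keeps working.
    if verify(record, new):
        raise ValueError("new password is equivalent to the current one")
    return make_record(new, record["case_sensitive"])


def keyspace_bits(length, case_sensitive):
    # Letters and digits only: 62 symbols if case matters, 36 if folded.
    return length * math.log2(62 if case_sensitive else 36)


if __name__ == "__main__":
    old, recased, different = "Hunter2x", "hUNTER2X", "c0mpletelyNew"  # constructed
    folded = make_record(old, case_sensitive=False)
    print("recased accepted at login:", verify(folded, recased))
    try:
        change_password(folded, old, recased)
    except ValueError as err:
        print("change rejected:", err)
    updated = change_password(folded, old, different)
    print("old still works after real change:", verify(updated, old))
    print("8-char bits, sensitive vs folded: %.1f vs %.1f"
          % (keyspace_bits(8, True), keyspace_bits(8, False)))
```
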

Shadowsword
|
Posted - 2006.01.08 19:07:00 -
[19]
The thing I find the most weird about that whole hacking issue is that, in most cases, the hacker, instead of just wreaking havoc on the account, transfers money to one of his characters. Yet that kind of transfer is so easy to trace, they can't really believe that they'll get away with this, can they?
How can they be such utter morons, I wonder...
|

Kerushi
|
Posted - 2006.01.08 19:10:00 -
[20]
Edited by: Kerushi on 08/01/2006 19:10:32
Originally by: Shadowsword The thing I find the most weird about that whole hacking issue is that, in most cases, the hacker, instead of just wreaking havoc on the account, transfers money to one of his characters. Yet that kind of transfer is so easy to trace, they can't really believe that they'll get away with this, can they?
How can they be such utter morons, I wonder...
what if it is only done to create havoc among ppl by transferring large sums of isk to prominent/influential persons ingame? ________________
|

The Wiseman
|
Posted - 2006.01.08 19:28:00 -
[21]
Unfortunately, I don't think this is the first time this has happened nor will it be the last. There is obviously a MAJOR security gap in the system here. I won't comment on my opinions there any further because I don't know the system they have in place, but it's obviously flawed.
I have played Eve on and off since Beta Phase 5. My original account ( I now have others ) has a bit of a problem that is MOST likely related to this issue. For those of you worrying about getting corp deals or hangars screwed there is something worse.
When I returned last year after some time off I found I could not log into my original account. I was playing on a Trial account at that time ( which I have now turned into a retail account ) namely because I wanted to see the changes before I came back. So I filed petition with my trial account and within a couple days the account was returned to me. I say returned because the account was not locked, it was under the use of someone entirely different. Well, to make the story take a turn for the worse ( instead of the better as you would think in getting my account back ) I come to find out that my namesake character had been transferred OFF the account via the automated service on the Account Management section. I am not mentioning any names here because this issue is STILL unresolved and most likely pending legal action.
Apparently, someone else had taken over the account in my absence and opted to transfer the character off the account. Now, call me silly, but this is a red flag to me anyway. Why would someone really transfer a character to another account from an account they acquired under shady circumstances? Well, most likely to cover themselves should the original owner return. The only reason *I* see to transfer a character is to a brand new account if perhaps you had been working on two characters ( instead of only training one at a time ) so that you could work on them simultaneously. But this was THE ONLY character on that account.
In my many correspondences with the Customer Service Department, we brainstormed as to how this happened. I admitted that I had, at one time, given my password to another corp mate ( I was the CEO he was the VP ) while I was off on vacation. I had stated that I was 99.99% sure I changed the password when I was away to a temp password and back when I returned. I asked the CSRs if there was a chance that the account had been hacked and they said that was impossible. So much for THAT sentiment. We ALL now know that it IS possible and HAS been done. What worries me are the people who AREN'T actively around to change their passwords right now or report an issue with their account. What happens to someone who returns in 6 months from now only to find they have had their characters moved to a new account? Will they get the same "tough luck" treatment I have been getting?
Needless to say, this debacle is NOT going to reflect very well on their security systems and customer service departments should I be forced to take a legal path to resolve MY character loss. If they are jumping to a mass password reset, logic tells me that it's not us, the individuals who have been compromised, rather it's THEIR database that has been. For all we know these perpetrators may have a list of every account and password out there. If that is the case we're going to be dealing with this for a LONG time to come and anyone not around right now to report the issue is "out of luck" if CCP takes the same stance they have with my case.
Something definitely needs to be done. I am not ANTI-CCP. In fact, I find them to be one of the best developmental teams out there. Even their CSRs are "usually" lightyears beyond many others I have dealt with. But in the end this is plain inexcusable. I know they are working on the problem and I commend them for that. However, in my eyes, I am still sitting here without my original character due to something like this already happening before.
|

Andrue
|
Posted - 2006.01.08 19:31:00 -
[22]
Originally by: Clytamnestra
Originally by: Rod Blaine Edited by: Rod Blaine on 08/01/2006 18:15:46
Quote: However, I find now that I am able to log in to the game and the website with both my old and my new password.
Maybe the people that got their accounts accessed after changing their pw's earlier could test this and see if it's a common thing between you all ?
I had one account reset too, changed the pw, and my old pw is NOT usable anymore after the change. So what you describe is not a general problem at least.
Actually, I went through this with a GM, it appears the passwords are case insensitive. All I did was change the caps on some of the characters in my password.
Huh? We go through all this and all you can think of doing is changing capitalisation? You really need to take online security more seriously! -- (Battle hardened miner)
[Brackley, UK]
WARNING:This post may contain large doses of reality. |

HippoKing
|
Posted - 2006.01.08 19:32:00 -
[23]
Originally by: Altai Saker Out of curiosity, has anyone had their connection usurped? Or do they wait till you log off?
yesterday, i got logged off as though my connection was being usurped. i logged back in instantly, only to be redisconnected again instantly. i relogged in and while doing so changed my pass - no ISK was ever lost, but it kinda worried me
|

The Wiseman
|
Posted - 2006.01.08 19:36:00 -
[24]
^Ran out of characters available.
Mind you, this is the account that has the issues and ONCE again it was attacked.
No:
1- I do not use the save password setting. I have multiple accounts with different passwords. That wouldn't really help at all.
2- I have NEVER responded to an email asking for account information. In fact, I have never responded directly to an Eve Online email period. If I receive an email from the support team I log in directly to the support section and update from there.
3- I have a clean machine ( or machines I should say ). I run 2 spyware specific software, 3 anti-virus ( with another spyware software included ) and they are current. Scans are run twice a week.
4- My wireless connection is not flapping in the breeze like many of my neighbors. I have 128-bit encryption as well as IP specific connection abilities ( all IPs are altered from default ranges save the router ). This isn't really a concern since I was not on wireless back when this original account was shanghai'd.
In any case, I guess all we can do is sit back now and twiddle our thumbs till we hear more news. I would suggest not doing anything monumental with your characters as there is a GOOD chance that a server-wide roll back may be the only way to fix things once they lock the loophole down. If they are forced to take that route I would understand it. It would just plain be easier to roll things back to before the major problem began rather than reset and repair 100s, possibly 1000s of accounts one at a time.
|

John BigBootay
|
Posted - 2006.01.08 19:37:00 -
[25]
I think some of you should get together and talk about what 3rd party programs you use or have used related to EvE. Such as a player created Character Manager or whatever. Just a suggestion.
|

The Wiseman
|
Posted - 2006.01.08 19:40:00 -
[26]
I use NO 3rd party programs. I even clear my cache manually. I refuse to use 3rd party software.
|

The Wiseman
|
Posted - 2006.01.08 19:42:00 -
[27]
Originally by: HippoKing
Originally by: Altai Saker Out of curiosity, has anyone had their connection usurped? Or do they wait till you log off?
yesterday, i got logged off as though my connection was being usurped. i logged back in instantly, only to be redisconnected again instantly. i relogged in and while doing so changed my pass - no ISK was ever lost, but it kinda worried me
Personally, I see a security flaw right there in the fact that you STILL, to this day, get logged out if the same account tries to log in again. Rather than, like most MMOs, getting a message up front stating "This account is already logged in. Bugger off!"
That alone makes me wonder how secure things are.
|

Trepkos
|
Posted - 2006.01.08 19:53:00 -
[28]
When and how far back did you return? --------
|

The Wiseman
|
Posted - 2006.01.08 20:04:00 -
[29]
Originally by: Trepkos When and how far back did you return?
I returned over a year back ( yes the issue has been going back and forth for that long ). The original account is a day 1 account. I left about 8 months after release. I could get specific dates since the character is still in the database and I can even see a corp change listed, but that's really a moot point right now.
In reading their news about the "changes" being made to the Account Management page it leads one to believe that page was NEVER quite secure. It was just a matter of time until someone exploited it. The fact that people are still getting their accounts attacked AFTER the password changes illustrates this. There are other possibilities, but in my mind this is the most likely.
Some of the people who had their accounts attacked are just too network savvy to fall for basic ploys that an intermediate computer user may be too naive to spot. At this point I go with an old thought process of mine. 100s of accounts were attacked ( and are still being attacked ). Let's pause and look at the obvious similar variable in each of these equations. It's not the client...
I will let the rest of the math speak for itself.
|

Korth
|
Posted - 2006.01.08 20:09:00 -
[30]
The swapping of isk through various accounts might be some form of "isk" cleaning just to make it harder for CCP to trace.
Whatever it ain't a good sign.
|