Endeavour Starfleet
Center for Advanced Studies Gallente Federation
36
|
Posted - 2011.11.13 05:54:00 -
[61] - Quote
At the very least change any passwords related to the one you used on Steam. Tho if the bank offers it for free I don't see why there is a reason to not consider changing your card.
Doing so every once in a while is a good security measure anyway. |
draconothese
Independant Celestial Enterprises Pink Fluffy Pussycats
3
|
Posted - 2011.11.13 05:58:00 -
[62] - Quote
hey wait wait so because pc gamers reacted in a well mannered way is it safe to say all console gamers are spoiled brats and pc gamers are respectable adults |
Endeavour Starfleet
Center for Advanced Studies Gallente Federation
36
|
Posted - 2011.11.13 06:06:00 -
[63] - Quote
draconothese wrote:hey wait wait so because pc gamers reacted in a well mannered way is it safe to say all console gamers are spoiled brats and pc gamers are respectable adults
Again Valve is NOT Sony.
Yet, Can I has free Portal 2 plz valve?
|
SpaceSquirrels
9
|
Posted - 2011.11.13 07:20:00 -
[64] - Quote
Eh not even sure they retrieve any of said data. On top of that salted, and encrypted. Really the most they could do is get your password as it would take a considerable amount of time to decrypt an AES 256 line. (that's just one with a considerable amount of processing power) Change of the password to steam voids half the process. Most people's credit cards would be expired by the time it's broken (if it's broken as it's only technically feasible.)
But I would agree there needs to be a one time pad for credit card commerce. (Not just a one time card which is kinda a PITA) |
Endeavour Starfleet
Center for Advanced Studies Gallente Federation
36
|
Posted - 2011.11.13 07:56:00 -
[65] - Quote
I heard something interesting on the steam forums.
One of the ways lately to break encryption is to use a GPU or a series of GPUs to break encryption on passwords. To prevent this companies are using random generators on top of encrypting to add a great deal of random characters into the data sent to be compared on the server.
So the encryption on the sensitive stuff is likely many characters long. And not some 5-8 character key. Tho it does bring up a good point which is that you need to make sure your home wireless key is something very long and not something that can be easily broken by a GPU.
Again be safe and change your passwords. But don't be silly in blaming valve. They aren't sony. |
Hakaru Ishiwara
Republic Military School Minmatar Republic
39
|
Posted - 2011.11.13 13:31:00 -
[66] - Quote
Two questions:
1) Why did CCP not include the standard intermediate "you are leaving our site" page or pop-up when linking directly to a non-CCP web asset?
2) Where is the official message from Valve? The link on the eveonline.com web page points to root of the Valve / Steam forums. Not very helpful if looking for the official message.
Disclaimer: I found the official message quoted in the Steam forums, but I think that these questions need asking. |
Grimpak
Midnight Elites Echelon Rising
134
|
Posted - 2011.11.13 14:09:00 -
[67] - Quote
Endeavour Starfleet wrote:I heard something interesting on the steam forums.
One of the ways lately to break encryption is to use a GPU or a series of GPUs to break encryption on passwords. To prevent this companies are using random generators on top of encrypting to add a great deal of random characters into the data sent to be compared on the server.
that might work for the pw's themselves but not for the CC's. if what has been said is true, CC's are encrypted in AES256 and salted, which means that by the time they manage to get a CC number, with the current tech level, the universe has already ended
that said however, AES256 is only as safe as how safe you keep the decryption key.
[quote]The more I know about humans, the more I love animals.[/quote] ain't that right |
SpaceSquirrels
9
|
Posted - 2011.11.13 15:18:00 -
[68] - Quote
lol regular hashed passwords (especially on xp and below) can be broken in seconds. On occasion if they're longer than 7 characters windows would break them up and a cracker would simply crack the two halves. It also doesn't matter in xp if you used upper case as windows converts them all to upper case anyway.
Look up John the Ripper, or Ophcrack. Granted the tables it uses are between 8-10gb per. But cracking generic hashed passwords on xp is not intensive.
But Grimm is right as it stands now cracking a DES 128-256+ is only theoretically possible, and if so only NSA or massive super computers are going to crack it anytime soon (Which would be months to years) |
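Added example, not part of any post in this thread: the post above describes old Windows (LM) hashes folding case and splitting a password into two 7-character halves, and an earlier post mentions adding random data before hashing. The sketch below shows only the LM preprocessing step (the DES step is omitted) next to a per-user salted PBKDF2 hash; the printable-ASCII alphabet, the iteration count and the sample passwords are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import string

# Assumption: passwords are printable ASCII (real LM hashing uses the OEM code page).
LM_CHARS = len(string.ascii_uppercase + string.digits + string.punctuation + " ")  # 69
FULL_CHARS = LM_CHARS + len(string.ascii_lowercase)                                # 95
ITERATIONS = 600_000  # assumed PBKDF2 work factor; tune to your hardware


def lm_halves(password):
    """LM-style preprocessing only (the DES step is omitted):
    upper-case, NUL-pad to 14 bytes, split into two independent 7-byte halves."""
    if len(password) > 14:
        raise ValueError("no LM hash is produced for passwords over 14 characters")
    padded = password.upper().encode("ascii").ljust(14, b"\0")
    return padded[:7], padded[7:]


def lm_half_space():
    """Candidate strings of length 1..7 over the case-folded alphabet."""
    return sum(LM_CHARS ** n for n in range(1, 8))


def full_space(length=14):
    """Candidates if all 14 mixed-case characters had to be guessed together."""
    return FULL_CHARS ** length


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Salted, deliberately slow hash. Store salt, iterations and digest together."""
    if salt is None:
        salt = secrets.token_bytes(16)  # fresh per-user salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, digest


def verify_password(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, expected = record
    candidate = hash_password(password, salt, iterations)[2]
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample passwords.
    print(lm_halves("Password123"), lm_halves("pASSWORD123"))
    print(f"per LM half: {lm_half_space():.2e}  vs 14 chars at once: {full_space():.2e}")
    alice = hash_password("Password123")
    bob = hash_password("Password123")
    print("same password, same stored value?", alice[2] == bob[2])
    print("verify ok:", verify_password("Password123", alice))
    print("case matters:", verify_password("password123", alice))
```

Because every account gets its own salt, a table precomputed for one stored value is useless against the next, and the iteration count makes each guess expensive.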
Barakkus
1085
|
Posted - 2011.11.13 16:18:00 -
[69] - Quote
Grimpak wrote:Barakkus wrote:Sidus Isaacs wrote:Barakkus wrote:Yup, not liking this, changed my password already, going to call the bank tomorrow.
It will be months before they start using credit card numbers, or sell them, so you have a little time, but it will be pretty bad I think since there are so many people that have bought stuff off steam, CoD crowd and BF3 crowd in particular. Even if the stuff is encrypted, doesn't mean they can't crack it. Crack AES256? I won't be bothering to call my bank :) They don't have to crack it. If you even bothered to read anything else in this thread or use your brain to realize they don't have to do one damn thing if they compromised more than what Steam knows about, or has let the general public know about. atm there are no reports of compromised CC's. also, maybe because of Sony, Valve decided to keep their decryption key safe somewhere in a place that is not inside the steam network proper. anyways this happened around.. the 10th? and atm all of this is no more than speculation. Time will tell if there was CCs compromised or not.
They noticed almost a week before they announced it, they had the forum offline for about 4 or 5 days before the announcement for "maintenance".
Valve won't know if anyone has had their CCs compromised, it would be nearly impossible to prove most cases of CC fraud were connected to that breach since people use the same card to purchase other places on the net. Couple friends of mine that do use steam have already had their CCs used by other people. |
Barakkus
1085
|
Posted - 2011.11.13 16:21:00 -
[70] - Quote
Grimpak wrote:Endeavour Starfleet wrote:I heard something interesting on the steam forums.
One of the ways lately to break encryption is to use a GPU or a series of GPUs to break encryption on passwords. To prevent this companies are using random generators on top of encrypting to add a great deal of random characters into the data sent to be compared on the server. that might work for the pw's themselves but not for the CC's. if what has been said is true, CC's are encrypted in AES256 and salted, which means that by the time they manage to get a CC number, with the current tech level, the universe has already ended that said however, AES256 is only as safe as how safe you keep the decryption key.
Or they compromised machines responsible for encrypting and decrypting those numbers. |
|
Ein Spiegel
Fly-by-Night Industries LLC PTY LTD Drama Flakes
6
|
Posted - 2011.11.13 17:28:00 -
[71] - Quote
Schnoo wrote:Enik3 wrote:Gabe Newell has indicated that AES256 encryption was used on sensitive information, so there's very little to worry about if that's true.
I have far more faith in the security layers at a premier e-commerce company like Steam than I do in, say, ANY government agency. I'm pretty sure the average person's personal data is much more exposed in other places. Well that's awesome! And I'm sure the hackers are right away trying to crack the AES256 encryption, instead of, you know, just downloading the AES256 keys from the compromised machine. Sarcasm aside, one has to wonder how and where were they keeping the keys.
Remember, encryption is only as strong as the weakest employee's knees.
Relevant XKCD's: Password Strength Security
Fortunately, I don't have anything to do with steam. But I was a PSN member. |
SpaceSquirrels
9
|
Posted - 2011.11.13 22:29:00 -
[72] - Quote
Barakkus wrote:Grimpak wrote:Endeavour Starfleet wrote:I heard something interesting on the steam forums.
One of the ways lately to break encryption is to use a GPU or a series of GPUs to break encryption on passwords. To prevent this companies are using random generators on top of encrypting to add a great deal of random characters into the data sent to be compared on the server. that might work for the pw's themselves but not for the CC's. if what has been said is true, CC's are encrypted in AES256 and salted, which means that by the time they manage to get a CC number, with the current tech level, the universe has already ended that said however, AES256 is only as safe as how safe you keep the decryption key. Or they compromised machines responsible for encrypting and decrypting those numbers.
Doesn't work like that. Two part system of public and private keys. They might use Kerberos for transactions between companies in which case it's a ticket key system. There also isn't "one" key generator machine. It's handled at a software level. (key generation)
http://en.wikipedia.org/wiki/Advanced_Encryption_Standard There's the gist. |
Barakkus
1085
|
Posted - 2011.11.13 23:18:00 -
[73] - Quote
SpaceSquirrels wrote:Barakkus wrote:Grimpak wrote:Endeavour Starfleet wrote:I heard something interesting on the steam forums.
One of the ways lately to break encryption is to use a GPU or a series of GPUs to break encryption on passwords. To prevent this companies are using random generators on top of encrypting to add a great deal of random characters into the data sent to be compared on the server. that might work for the pw's themselves but not for the CC's. if what has been said is true, CC's are encrypted in AES256 and salted, which means that by the time they manage to get a CC number, with the current tech level, the universe has already ended that said however, AES256 is only as safe as how safe you keep the decryption key. Or they compromised machines responsible for encrypting and decrypting those numbers. Doesn't work like that. Two part system of public and private keys. They might use Kerberos for transactions between companies in which case it's a ticket key system. There also isn't "one" key generator machine. It's handled at a software level. (key generation) http://en.wikipedia.org/wiki/Advanced_Encryption_Standard There's the gist.
At some point those numbers are held in an unencrypted state before they are stored encrypted. They will be decrypted from the database before they are transmitted to whatever financial institution that handles their payment processing. Most banks either use PGP or SSH to handle transmission of data from their clients. I have worked with American National, Lasalle, Bank of America and Harris, and know how they take payment transmissions. 3 of which use PGP and one of which uses SSH. We don't send encrypted account numbers, we encrypt the entire transmission via one of those two methods and they handle decrypting the information on their end. Harris is the only one that doesn't have encryption on the physical files themselves, but relies on SSH to encrypt the transmission, once it's on their end I don't know what happens to it, but the file itself isn't encrypted, only the means of transmission.
At some point those credit card numbers are in an unencrypted state, and there are machines at Steam that handle encrypting and decrypting that information. There is the possibility of compromising that system and capturing that data. |
Lutz Major
Austriae Est Imperare Orbi Universo
38
|
Posted - 2011.11.14 10:44:00 -
[74] - Quote
So you want to say, that your systems are also vulnerable?
I'm kidding. I bet you did the best job possible to create a secure and robust piece of software ... and so did Valve probably.
With your background you should know how extremely unlikely the situation you describe can happen. If the individual / group that did the hack have such a profound knowledge, they'd hack banks and not a mere game publisher.
Half of the world wide online stores have my credit card number and I had never ever an issue. Quite the contrary, the CC data from my wife was stolen in a restaurant where she paid. You are never safe. Never! |
Grimpak
Midnight Elites Echelon Rising
135
|
Posted - 2011.11.14 11:07:00 -
[75] - Quote
Lutz Major wrote:So you want to say, that your systems are also vulnerable? I'm kidding. I bet you did the best job possible to create a secure and robust piece of software ... and so did Valve probably. With your background you should know how extremely unlikely the situation you describe can happen. If the individual / group that did the hack have such a profound knowledge, they'd hack banks and not a mere game publisher. Half of the world wide online stores have my credit card number and I had never ever an issue. Quite the contrary, the CC data from my wife was stolen in a restaurant where she paid. You are never safe. Never!
well I guess Barakkus has a point. he's right, but while cautiousness is advised in this situation, it's also true that atm things have been quiet and we still don't know enough to go into a panic. |
Lutz Major
Austriae Est Imperare Orbi Universo
38
|
Posted - 2011.11.14 11:19:00 -
[76] - Quote
Grimpak wrote:well I guess Barakkus has a point. he's right, but while cautiousness is advised in this situation, it's also true that atm things have been quiet and we still don't know enough to go into a panic.
Indeed and I (hope I) didn't offend him, but he paints a picture where it's 'easy' to decipher strong encryption. And yes everyone of us should be cautious and change passwords (which everyone should do periodically). |
Pr1ncess Alia
Perkone Caldari State
59
|
Posted - 2011.11.14 11:35:00 -
[77] - Quote
fk em
let em steal from my account. i don't want it to happen, but what do you expect? This is a digital world, this is going to happen from time to time.
They have my card info, but ultimately that sht is on the FDIC, that's why we have it
i have no horse in this fight. worst case scenario? minor inconvenience. |
Alain Kinsella
8
|
Posted - 2011.11.14 11:53:00 -
[78] - Quote
I think this got passed over in the back-and-forth going on.
Barakkus wrote:Couple friends of mine that do use steam have already had their CCs used by other people.
Did they have a forum account, or just the normal account?
You *can* have no forum account (I'm one of them), and that's where the initial break-in was apparently, so I'm curious if that subset is less likely to have been a target. Yes, I understand that probably everyone's up for grabs regardless of what vector they came in on (especially if they got 'certain types of access'), but one can hope.
@ Alia - FDIC only protects against the bank failing, not bad transactions. That falls to the sponsoring CC/Debit company (which is sometimes the bank itself), and you usually have to report the bad transaction within a couple weeks to get a free pass. So it's still worthwhile to keep a closer eye on your next statement (or better, have recent transactions printed @ ATM or by teller).
I may have come here from Myst Online, but that does not make me any less bloodthirsty than the average Eve player.
Just more subtle.
|
Barakkus
1085
|
Posted - 2011.11.14 12:41:00 -
[79] - Quote
Lutz Major wrote:So you want to say, that your systems are also vulnerable? I'm kidding. I bet you did the best job possible to create a secure and robust piece of software ... and so did Valve probably. With your background you should know how extremely unlikely the situation you describe can happen. If the individual / group that did the hack have such a profound knowledge, they'd hack banks and not a mere game publisher. Half of the world wide online stores have my credit card number and I had never ever an issue. Quite the contrary, the CC data from my wife was stolen in a restaurant where she paid. You are never safe. Never!
Nah, but if I were a hacker, and I found I could access that information, I would definitely be trying to find a way to decrypt that data before leaving.
The gaming industry is a perfect target actually for people trying to steal data. Usually lax security and millions of purchases a year. It's a bit easier though for them because they can target gamers individually with this RMT crap and get them to give up their numbers freely rather than hack companies. Most of the time they're after stealing accounts to resell the assets later though. A lot of the RMT companies will also use CC numbers gamers give up to purchase currency/items/whatever to open new accounts for farming as well.
After Sony got hacked, I had my CC number changed even though I haven't paid for anything from them in a few years aside from ordering an expansion for EQ2.
If you do online purchases it's always a good idea to change your CC numbers that you use online every couple of years anyways. Unfortunately most places aren't as great with security regardless of the industry. |
Endeavour Starfleet
Center for Advanced Studies Gallente Federation
36
|
Posted - 2011.11.14 12:44:00 -
[80] - Quote
Ya that statement Barakkus made has not been confirmed to be related to steam at all. So I am very suspicious.
How are his friends affected yet the steam forums are not overflowing with reports of CC fraud? |
|
Barakkus
1085
|
Posted - 2011.11.14 12:48:00 -
[81] - Quote
Endeavour Starfleet wrote:Ya that statement Barakkus made has not been confirmed to be related to steam at all in my opinion. So I am very suspicious.
How are his friends affected yet the steam forums are not overflowing with reports of CC fraud?
Yeah one can hope that they didn't compromise the data, but it's just been a few days, more than likely people won't even see charges for a few months until those numbers have been disseminated. There are millions of CC numbers being bought and sold in IRC chatrooms 24/7, it could take months before anyone's information is out there and used. |
Endeavour Starfleet
Center for Advanced Studies Gallente Federation
36
|
Posted - 2011.11.14 12:54:00 -
[82] - Quote
It's just that people are already trying to blame other issues on the steam hack.
A guy on there said he has fraudulent charges to his paypal and demanded Steam compensate him when there is NO evidence that paypal security has been compromised.
Blaming valve for no reason isn't helping anybody. |
Sidus Isaacs
Center for Advanced Studies Gallente Federation
9
|
Posted - 2011.11.14 13:31:00 -
[83] - Quote
Endeavour Starfleet wrote:Ya that statement Barakkus made has not been confirmed to be related to steam at all in my opinion. So I am very suspicious.
How are his friends affected yet the steam forums are not overflowing with reports of CC fraud?
Perhaps they were really careless and spread personal information left and right on the web for all we know.
At least I use a method with my bank that would not let anyone really steal that much from me anyways (if by some miracle they gain access to the encrypted files). At worst I lose a few dollars. |
Luscius Uta
HAMMER STAR BLADE Universal Paranoia Alliance
1
|
Posted - 2011.11.14 14:26:00 -
[84] - Quote
If CCP say they love Steam, then why are ISDs spamming the help channel with warnings that you shouldn't play EVE through Steam (I know I don't have to, but I don't see any disadvantages of using Steam to start EVE) every time someone mentions Valve's service? |
Barakkus
1085
|
Posted - 2011.11.14 14:51:00 -
[85] - Quote
Luscius Uta wrote:If CCP say they love Steam, then why are ISDs spamming the help channel with warnings that you shouldn't play EVE through Steam (I know I don't have to, but I don't see any disadvantages of using Steam to start EVE) every time someone mentions Valve's service?
Yeah that's just ********. CCP should have a talk with the ISD about saying stupid **** like that. |
Grimpak
Midnight Elites Echelon Rising
136
|
Posted - 2011.11.14 14:58:00 -
[86] - Quote
Luscius Uta wrote:If CCP say they love Steam, then why are ISDs spamming the help channel with warnings that you shouldn't play EVE through Steam (I know I don't have to, but I don't see any disadvantages of using Steam to start EVE) every time someone mentions Valve's service?
there are no advantages nor disadvantages by using Steam to start up EVE.
unless you count on the fluff like hours logged in counting. |
Kengutsi Akira
Ministry of War Amarr Empire
162
|
Posted - 2011.11.14 18:39:00 -
[87] - Quote
Endeavour Starfleet wrote:It's just that people are already trying to blame other issues on the steam hack.
A guy on there said he has fraudulent charges to his paypal and demanded Steam compensate him when there is NO evidence that paypal security has been compromised.
Blaming valve for no reason isn't helping anybody.
I wonder if they're liable for damages given it's their fault it happened for using (apparently) shoddy protection
https://forums.eveonline.com/default.aspx?g=posts&m=255722#post255722
My stance on WiS |
Sidus Isaacs
Center for Advanced Studies Gallente Federation
9
|
Posted - 2011.11.14 23:08:00 -
[88] - Quote
Kengutsi Akira wrote:Endeavour Starfleet wrote:It's just that people are already trying to blame other issues on the steam hack.
A guy on there said he has fraudulent charges to his paypal and demanded Steam compensate him when there is NO evidence that paypal security has been compromised.
Blaming valve for no reason isn't helping anybody. I wonder if they're liable for damages given it's their fault it happened for using (apparently) shoddy protection
That is a weak argument. Let's not blame the ones who did it, let's blame the victims. |
Zions Child
Odyssey Inc SpaceMonkey's Alliance
75
|
Posted - 2011.11.15 00:10:00 -
[89] - Quote
Hmm. If the group that hacked Steam releases millions of credit card numbers, I foresee horrible, horrible things happening to them. The anti-cyber crime units in the modern world have been pretty good at arresting hackers, especially hackers of this caliber and gall. If they released millions of credit card numbers, every single bank ever would basically go into overdrive mode, and probably find a way to get governments to find and arrest them in the shortest, most violent way possible. Considering that the banking industry basically runs every western government, it wouldn't be very difficult either. It might be Steam who was breached, but fraudulent credit card activity costs the banks money, and when it comes to not ******* around, banks are pretty much king. At least, the major, ethically questionable banks don't **** around.
Oh, and Steam is not responsible for fraudulent charges, and will not be required to reimburse people at all. If you call your bank within a few days though, they WILL refuse to pay the vendors where fraudulent charges were made. Still, this costs the banks money, and they hate that with a passion. |
Barakkus
1086
|
Posted - 2011.11.15 00:16:00 -
[90] - Quote
Zions Child wrote:Hmm. If the group that hacked Steam releases millions of credit card numbers, I foresee horrible, horrible things happening to them. The anti-cyber crime units in the modern world have been pretty good at arresting hackers, especially hackers of this caliber and gall. If they released millions of credit card numbers, every single bank ever would basically go into overdrive mode, and probably find a way to get governments to find and arrest them in the shortest, most violent way possible. Considering that the banking industry basically runs every western government, it wouldn't be very difficult either. It might be Steam who was breached, but fraudulent credit card activity costs the banks money, and when it comes to not ******* around, banks are pretty much king. At least, the major, ethically questionable banks don't **** around.
Oh, and Steam is not responsible for fraudulent charges, and will not be required to reimburse people at all. If you call your bank within a few days though, they WILL refuse to pay the vendors where fraudulent charges were made. Still, this costs the banks money, and they hate that with a passion.
The number of CC numbers they could have stolen is like 1/10000th the number that are traded on the black market daily. 1 CC number goes for approximately $1 on the black market, millions of them are bought and sold every day. Sometimes they're good for a few hundred dollars in purchases, sometimes a few thousand, some are completely shut off before someone can make fraudulent charges on them. It's the cost of doing business in the internet world nowadays. You'd be surprised at how much CC fraud and identity theft goes on every day. |