Dbars Grinding
Garoun Investment Bank Gallente Federation
330
|
Posted - 2012.01.11 11:22:00 -
[31] - Quote
show me where the bad man touched you. |
Avensys
United Highsec Front The 99 Percent
84
|
Posted - 2012.01.11 11:25:00 -
[32] - Quote
How do you link the authenticator to your account?
seems to me that this would have to be done over a separate communications channel with credentials that a hacker wouldn't have access to even if he had compromised your PC at the time you want to set up the link.
(paper) mail or fax with a copy of your passport?
otherwise it's mostly security theater. |
Mangua Desnart
Zervas Aeronautics
4
|
Posted - 2012.01.11 11:39:00 -
[33] - Quote
Indalecia wrote: I use GNU/Linux, so a USB 3rd-party device would very likely be unsupported for my OS.
We weren't talking about a USB device; this is purely a key fob type affair that generates random numbers that is linked to your account |
Mangua Desnart
Zervas Aeronautics
4
|
Posted - 2012.01.11 11:40:00 -
[34] - Quote
Dbars Grinding wrote:show me where the bad man touched you.
I should be so lucky lol |
Mangua Desnart
Zervas Aeronautics
4
|
Posted - 2012.01.11 11:42:00 -
[35] - Quote
Avensys wrote:How do you link the authenticator to your account?
seems to me that this would have to be done over a separate communications channel with credentials that a hacker wouldn't have access to even if he had compromised your PC at the time you want to set up the link.
(paper) mail or fax with a copy of your passport?
otherwise it's mostly security theater.
The way SWTOR do it is: when you tie the authenticator to your account, you input the code that is on the fob / app at the time of setting it up, and then I presume there is some back-end magic and trickery that knows what the next numbers will be from that starting point |
Deviana Sevidon
Jades Falcon Guards
215
|
Posted - 2012.01.11 12:03:00 -
[36] - Quote
There is no magic involved and no communication between authenticator and server. The authenticator has a serial number that is added to the account.
If you press the button on your authenticator/mobile phone app, the software generates the authenticator key from the serial number and the time set in the mobile phone. Since the auth. serial number is registered on the account, the login server also knows which authenticator code is currently the correct one.
Edit:
Here is some additional information about how the process of the two factor authentication works: http://en.wikipedia.org/wiki/Two-factor_authentication |
1-Up Mushroom
Imperial Academy Amarr Empire
1862
|
Posted - 2012.01.11 12:49:00 -
[37] - Quote
Abdiel Kavash wrote:Username/password is enough as long as the users are not idiots.
I.e. never use the same password on multiple sites, don't visit "questionable" sites, scan any programs you download for viruses, never give your PW to anyone, never allow anyone else physical access to your machine.
5 Senses In A Person... 4 Seasons In A Year... 3 Colors In A Stoplight... 2 Poles On The Earth... ONLY 1-UP MUSHROOM!!! If You Like My Sig, Like Me! Remember EVE is EVErything! |
Skyla Kavatina
Federal Navy Academy Gallente Federation
0
|
Posted - 2012.01.11 12:56:00 -
[38] - Quote
Ursula LeGuinn wrote:Jenshae Chiroptera wrote:This token attempt at security would be entirely optional, right? Yeah. Well, the pioneers of the technology (WoW and TOR) offer them as optional features.
This is RSA SecurID technology that's been around for years, although after a security breach at RSA in April last year many companies decided to re-examine the use of security tokens for two-factor authentication. |
Deviana Sevidon
Jades Falcon Guards
217
|
Posted - 2012.01.11 13:16:00 -
[39] - Quote
Yes there was a security breach, but because it is a two factor authentication it still does not mean that anyone can easily bypass the authenticator.
First someone still would need to know the authenticator serial number on the account, second it is at least unlikely that he has the key that allows him to generate a usable authenticator code, even with the serial number.
Yes, man in the middle attacks are also possible, but these are difficult to stage and have a high chance of being detected if the user also has a good anti-malware software.
The Authenticators are an additional layer of security and work quite well in that aspect and drastically reduce the chances of having an account compromised.
1-Up Mushroom wrote:Abdiel Kavash wrote:Username/password is enough as long as the users are not idiots.
I.e. never use the same password on multiple sites, don't visit "questionable" sites, scan any programs you download for viruses, never give your PW to anyone, never allow anyone else physical access to your machine.
And that seems quite naive to me. There are a lot of possible options to attack a system; 'questionable' websites and software are the least of the worries, since there are a lot of security holes in widely used and legit software. Never sharing account access with anyone else is excellent advice, but that will also not guarantee the security of the account.
Edit:
There is also an additional benefit. With fewer cases of accounts being hacked, the CCP customer support staff has more time to deal with other petitions on their ticket queues. |
Mangua Desnart
Zervas Aeronautics
4
|
Posted - 2012.01.11 13:21:00 -
[40] - Quote
Deviana Sevidon wrote:
And that seems quite naive to me. There are a lot of possible options to attack a system; 'questionable' websites and software are the least of the worries, since there are a lot of security holes in widely used and legit software. Never sharing account access with anyone else is excellent advice, but that will also not guarantee the security of the account.
Edit:
There is also an additional benefit. With fewer cases of accounts being hacked, the CCP customer support staff has more time to deal with other petitions on their ticket queues.
Deviana, you seem quite knowledgeable about computer security; can I ask, are you just an enthusiast in the subject or do you participate in the field in some professional capacity? |
Barakkus
1484
|
Posted - 2012.01.11 13:22:00 -
[41] - Quote
They can also use software RSA tokens; Harris bank and some others use them for corporate banking clients. It's basically some software you install that emulates the fobs. http://youtu.be/yytbDZrw1jc |
Jaroslav Unwanted
Brutor Tribe Minmatar Republic
1265
|
Posted - 2012.01.11 13:23:00 -
[42] - Quote
Mangua Desnart wrote:Indalecia wrote: I use GNU/Linux, so a USB 3rd-party device would very likely be unsupported for my OS. We weren't talking about a USB device; this is purely a key fob type affair that generates random numbers that is linked to your account
Tokens .. number generator sync with login server..
The usual thing for people working in the network industry / backbone engineers etc. But in that industry there is a "real" threat. In the game .. well you maybe lose your account/character/stuff .. but it will get investigated and you eventually get it back.
From time to time they desync.. and you call support to get it synchronized again. It happens once per month .. approximately |
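Added example, not written by any poster in this thread or by CCP: the time-based scheme described in posts [36] and [42], using the open RFC 6238 TOTP algorithm as a stand-in, since RSA SecurID and Digipass tokens use their own algorithms. It assumes the serial number only identifies the token and the server looks up a secret seed stored against it; `LoginServer`, the serial and the seed are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds each code is valid for (RFC 6238 default)
DIGITS = 6


def totp(seed: bytes, unix_time: int) -> str:
    """RFC 6238: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class LoginServer:
    """Hypothetical server side: serial -> seed, plus drift and replay state."""

    def __init__(self, window: int = 1):
        self.window = window   # time steps of clock error tolerated each way
        self.tokens = {}       # serial -> {"seed", "drift", "last_step"}

    def enroll(self, serial: str, seed: bytes) -> None:
        # Assumption: the seed reaches the server out of band (e.g. at
        # manufacture); it is never sent by the token at login time.
        self.tokens[serial] = {"seed": seed, "drift": 0, "last_step": -1}

    def verify(self, serial: str, code: str, now: int) -> bool:
        tok = self.tokens.get(serial)
        if tok is None:
            return False
        base = now // STEP + tok["drift"]
        for delta in range(-self.window, self.window + 1):
            step = base + delta
            if step <= tok["last_step"]:
                continue       # code already used: refuse a replay
            expected = totp(tok["seed"], step * STEP)
            if hmac.compare_digest(expected.encode(), code.encode()):
                tok["last_step"] = step
                tok["drift"] += delta   # follow the token's slow clock drift
                return True
        return False           # outside the window: token needs a resync
```

A token whose clock has drifted beyond `window` steps is rejected until it is resynchronised, which is the support call post [42] describes; widening the window reduces those calls but lengthens the time an intercepted code stays usable.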
Mangua Desnart
Zervas Aeronautics
4
|
Posted - 2012.01.11 13:26:00 -
[43] - Quote
Woot Page 3, I have never started a discussion that has gone on this far - thank you to everyone that has taken part. Keep it going guys, we have some good solid points here I feel |
Mr Kidd
Center for Advanced Studies Gallente Federation
348
|
Posted - 2012.01.11 13:32:00 -
[44] - Quote
Abdiel Kavash wrote:Username/password is enough as long as the users are not idiots.
I.e. never use the same password on multiple sites, don't visit "questionable" sites, scan any programs you download for viruses, never give your PW to anyone, never allow anyone else physical access to your machine.
While your ideas are sound, they're sound for 1994. Placed in today's world, allow me to rephrase this for you.
Username/password is enough as long as you disconnect your computer from the internet.
Idiocy is not a requisite anymore. The lone act of having your system connected to a world wide network with modern computing capabilities is enough to render username/password inadequate. One can't ensure that browsing even reputable websites is safe since those websites generally have advertising which is dependent upon several providers for that content, some of which are further dependent on networks of contributors. The end result is that one's system can be compromised at any time. The sum effect is a lottery fashioned chance of being compromised that no amount of foresight, planning and implementation on client's side alone can overcome other than to pull the plug. If you believe this to be incorrect then you will be sorely disappointed. We want breast augmentations and sluttier clothing in the NeX! |
Deviana Sevidon
Jades Falcon Guards
217
|
Posted - 2012.01.11 13:33:00 -
[45] - Quote
Mangua Desnart wrote:Deviana Sevidon wrote:
And that seems quite naive to me. There are a lot of possible options to attack a system; 'questionable' websites and software are the least of the worries, since there are a lot of security holes in widely used and legit software. Never sharing account access with anyone else is excellent advice, but that will also not guarantee the security of the account.
Edit:
There is also an additional benefit. With fewer cases of accounts being hacked, the CCP customer support staff has more time to deal with other petitions on their ticket queues.
Deviana, you seem quite knowledgeable about computer security; can I ask, are you just an enthusiast in the subject or do you participate in the field in some professional capacity?
I assure you, I don't work for CCP.
But I have some experience with the digipass tokens and I would like to have one to protect my accounts. |
Mangua Desnart
Zervas Aeronautics
4
|
Posted - 2012.01.11 13:38:00 -
[46] - Quote
Deviana Sevidon wrote:I assure you, I don't work for CCP.
Sorry, that's not what I meant to infer lol
Deviana Sevidon wrote:
But I have some experience with the digipass tokens and I would like to have one to protect my accounts.
Me too - I still can't believe we haven't had a contribution from a dev / GM on this subject yet... |
Jenshae Chiroptera
417
|
Posted - 2012.01.11 13:41:00 -
[47] - Quote
Mangua Desnart wrote:... I work in computer security, and the only secure computer anywhere is one that is turned off in a box in a locked room with no windows, security should not be optional
... and you somehow think that your phone is more secure than a computer? People will never go to some third party site while travelling that they also browse with their computer? Ideas & Stuff EVE - the game of sand castles, either building them or kicking them down. Status: Going phishing. |
Mangua Desnart
Zervas Aeronautics
4
|
Posted - 2012.01.11 13:48:00 -
[48] - Quote
Jenshae Chiroptera wrote:
... and you somehow think that your phone is more secure than a computer? People will never go to some third party site while travelling that they also browse with their computer?
No, I don't think my smart phone is any more secure than my computer; that's why I run anti virus on that too. The apps are an additional layer of security that are obtained through vetted means and have been checked for malicious payloads / viruses etc |
Jaroslav Unwanted
Brutor Tribe Minmatar Republic
1265
|
Posted - 2012.01.11 13:48:00 -
[49] - Quote
Jenshae Chiroptera wrote:Mangua Desnart wrote:... I work in computer security, and the only secure computer anywhere is one that is turned off in a box in a locked room with no windows, security should not be optional ... and you somehow think that your phone is more secure than a computer? People will never go to some third party site while travelling that they also browse with their computer?
Question is .. is security important..
WHO WANTS TO LIVE FOREVER ? |
Mangua Desnart
Zervas Aeronautics
4
|
Posted - 2012.01.11 13:52:00 -
[50] - Quote
Jaroslav Unwanted wrote:Question is .. is security important..
Damn silly question....
Jaroslav Unwanted wrote:WHO WANTS TO LIVE FOREVER ?
Not such a silly question, the answer is of course me, but I digress.... Authenticators people pro or not? |
Jaroslav Unwanted
Brutor Tribe Minmatar Republic
1265
|
Posted - 2012.01.11 13:52:00 -
[51] - Quote
Mangua Desnart wrote:Jaroslav Unwanted wrote:
Question is .. is security important..
Damn silly question.... Jaroslav Unwanted wrote:WHO WANTS TO LIVE FOREVER ? Not such a silly question, the answer is of course me, but I digress.... Authenticators people pro or not?
optional .. as it was "promised" |
Barakkus
1484
|
Posted - 2012.01.11 15:28:00 -
[52] - Quote
Mr Kidd wrote:Abdiel Kavash wrote:Username/password is enough as long as the users are not idiots.
I.e. never use the same password on multiple sites, don't visit "questionable" sites, scan any programs you download for viruses, never give your PW to anyone, never allow anyone else physical access to your machine. While your ideas are sound, they're sound for 1994. Placed in today's world, allow me to rephrase this for you. Username/password is enough as long as you disconnect your computer from the internet. Idiocy is not a requisite anymore. The lone act of having your system connected to a world wide network with modern computing capabilities is enough to render username/password inadequate. One can't ensure that browsing even reputable websites is safe since those websites generally have advertising which is dependent upon several providers for that content, some of which are further dependent on networks of contributors. The end result is that one's system can be compromised at any time. The sum effect is a lottery fashioned chance of being compromised that no amount of foresight, planning and implementation on client's side alone can overcome other than to pull the plug. If you believe this to be incorrect then you will be sorely disappointed.
Yup, there have been a few instances in the last couple years of google ads exploiting browser vulnerabilities and compromising systems.
http://youtu.be/yytbDZrw1jc |
Morganta
Peripheral Madness The Midget Mafia
789
|
Posted - 2012.01.11 15:33:00 -
[53] - Quote
I'm pretty sure I read that TOR players hate that system
and for the record, you have a very good chance of dying a horrible death in a car crash every day; do you cover your car in protective equipment? The American public's reaction to the change was poor and the new cola was a major marketing failure. The subsequent reintroduction of Coke's original formula, re-branded as "Coca-Cola Classic", resulted in a significant gain in sales, leading to speculation that the introduction of the New Coke formula was just a marketing ploy |
Roscada
We love Egg
14
|
Posted - 2012.01.11 15:40:00 -
[54] - Quote
Bleh. Too much extra work and **** to lose. How about generating a decent password and being responsible about what you download and the sites you visit? |
Famble
Three's a Crowd
257
|
Posted - 2012.01.11 15:47:00 -
[55] - Quote
Mr Kidd wrote:Abdiel Kavash wrote:Username/password is enough as long as the users are not idiots.
I.e. never use the same password on multiple sites, don't visit "questionable" sites, scan any programs you download for viruses, never give your PW to anyone, never allow anyone else physical access to your machine. While your ideas are sound, they're sound for 1994. Placed in today's world, allow me to rephrase this for you. Username/password is enough as long as you disconnect your computer from the internet. Idiocy is not a requisite anymore. The lone act of having your system connected to a world wide network with modern computing capabilities is enough to render username/password inadequate. One can't ensure that browsing even reputable websites is safe since those websites generally have advertising which is dependent upon several providers for that content, some of which are further dependent on networks of contributors. The end result is that one's system can be compromised at any time. The sum effect is a lottery fashioned chance of being compromised that no amount of foresight, planning and implementation on client's side alone can overcome other than to pull the plug. If you believe this to be incorrect then you will be sorely disappointed.
You should be thankful for idiocy! If there weren't so many idiots out there then a sound username/password policy truly wouldn't be enough. The fact that there are means that they are the targets. In other words, malware authors and the like always target low-hanging fruit. It's much easier and as a result more effective.
You can attack keyfob solutions with man-in-the-middle attacks but it doesn't happen much because the bad guys aren't going to waste their time with those folks when they could simply hack Joe's simple username/password they obtained with their little phishing site or other much, much easier means.
Sure, any computer on the web is by definition vulnerable, of that there's no doubt. But the level of sophistication necessary to get in gets exponentially harder (think FBI, NSA type stuff) as you take basic security measures (e.g. username/password complexity).
There's a reason that still, to this day the vast majority of security leaks are the result of social engineering. For example:
Bank receptionist's phone rings.
Receptionist: Hello, Awesome Bank, this is Cindy how can I help you?
Bad guy: Hi Cindy, this is Todd down in IT. Our diagnostics show that your computer is acting up and causing problems for the network. I'm afraid it could crash and we really need to run a few tests. I can do it remotely right now and it'll only take a moment if you have the time.
Receptionist: Ok, sure.
Bad guy: Excellent, open up Internet Explorer and go to our internal IT testing site, w w w.it.awesomebank1.c o m
Receptionist: Ok, I'm here. Now what?
Bad guy: Type in your username and password into the fields there to authenticate your PC and I'll start the tests. It'll take 10 minutes or so so feel free to grab a cup of coffee. We all need coffee this early am I right!?
Receptionist: Hehe, you got that right! Ok, I entered it, I'm gonna get that coffee, good luck!
...
If anyone ever looks at you and says, "Hold my beer, watch this," you're probably going to want to pay attention. |
Grateler
The People's Liberation Front of Offugen
10
|
Posted - 2012.01.11 16:14:00 -
[56] - Quote
Happy with username/password.
People use a decent password and it doesn't get hacked, there's no issue.
Personally don't have CC details on account, which is even better.
If every site/game I used started using tokens and other tools it would literally be a nightmare. |
Mangua Desnart
Zervas Aeronautics
4
|
Posted - 2012.01.11 16:58:00 -
[57] - Quote
I think it would be a real bonus for Eve to have this two factor authentication - and no, it wouldn't be suitable for every game - I am talking about Eve and only Eve |
T'Laar Bok
45
|
Posted - 2012.01.11 17:05:00 -
[58] - Quote
Othran wrote:chocolate teapot.
I prefer white chocolate. Will these be available? Amphetamines are your friend. |
Maxpie
Metaphysical Utopian Society Explorations
39
|
Posted - 2012.01.11 18:53:00 -
[59] - Quote
Yes, I think user id/password is sufficient. I've been playing for around 6 years, have never had a problem. I guess I'd have no problem with an optional authenticator since some people are not so careful/lucky, but for me I'd prefer not to have an extra step in the process of logging on. The problem is an authenticator would start out as optional but eventually become mandatory.
Also, I'm generally against anything in Eve that protects people from their own stupidity. |
Serge Bastana
GWA Corp
0
|
Posted - 2012.01.11 18:55:00 -
[60] - Quote
Remember kids, we aren't allowed to debate this anymore, Ursula said so |