Necessary Security Features



Security is a constant back and forth on the internet, a never-ending battle between businesses, thieves, and customers. While customers have an obligation to do more to secure their accounts, the onus also falls on businesses to keep their back end safe. Securing accounts has become more and more of a legal issue in this day and age, with businesses facing heavy ramifications in the form of civil lawsuits and criminal penalties for not keeping their customers’ data safe. With that in mind, we’ve compiled a list of security features that should be utilized by all services, but for some reason may not be.

  1. Lockout timers: Brute force attacks should be the easiest method of account theft to deter, but for some reason they are still an issue. Many games that carry lockout timers on their website do not offer the same protection inside the game client, and if you can figure out someone’s password by brute forcing the client then the entire feature is pointless.
  2. Notification: This goes hand in hand with the lockout timer. If someone tries to get into my account and fails, I want to know. If someone logs in with the correct password but can’t get past the two factor authentication, I want to know because it means someone has my password and there might be a virus on my computer. Businesses have the ability to detect suspicious activity, and they have an obligation to inform the user if something strange is going on.
  3. Case sensitive passwords: I shouldn’t even have to add this to the list, but here it is. In 2014, RuneScape still does not use case-sensitive passwords. Blizzard apparently does not use case-sensitive passwords on their website. Couple this with #1 and you make brute forcing an account a very time-consuming endeavor.
  4. Two-factor authentication: There are so many ways that two-factor authentication can be utilized that it isn’t funny. By text, by phone call, smartphone apps, tablet apps, point-and-click PIN tools, physical dongles, desktop-based authenticators like Google Auth, and more. There are no more excuses as to why developers would not have some form of two-factor authentication.
  5. One-click purchases: RuneScape will not allow me to buy/sell anything in-game if I don’t enter my PIN first, nor will they allow me to use the Grand Exchange on the companion app if I don’t have two-factor authentication enabled on my account. I won’t deny businesses the power of impulse buying that one-click purchases allow for, but you should not afford your customers this pleasure unless they have two-factor authentication enabled. Cleaning out an account is one thing, those items can be restored by customer support, but allowing someone to go hog-wild and start racking up credit card charges? You’re asking for a lawsuit, and you deserve one.
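Items 1 through 3 above fit together in one login path. The following is an added example (not code from any of the games named here) of a single login service that a website and a game client would both call, so the lockout timer covers both entry points; it keeps passwords case-sensitive by never lowercasing them before hashing, notifies the user on failures and on lockout, and sends a distinct notification when the password was correct but the second factor failed. The `verify_otp` callback, the PBKDF2 hashing, the in-memory notification list and the sample values in the test are all assumptions for the sake of a self-contained example.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Callable, Optional

MAX_FAILURES = 5           # failed attempts allowed before the lock engages
LOCKOUT_SECONDS = 15 * 60  # how long the account stays locked

@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    has_2fa: bool = False
    failures: int = 0
    locked_until: float = 0.0

def hash_pw(password: str, salt: bytes) -> bytes:
    # No .lower() here: the password stays case-sensitive (item 3).
    # PBKDF2 keeps the example self-contained; use your platform's password hasher.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class LoginService:
    # One login path shared by website and game client, so the lockout covers both (item 1).
    def __init__(self, verify_otp: Callable[[Account, Optional[str]], bool]):
        self.verify_otp = verify_otp  # assumed second-factor check supplied by the caller
        self.notifications = []  # (username, message); stand-in for email/push delivery (item 2)

    def _fail(self, acct: Account, now: float, msg: str) -> str:
        acct.failures += 1
        self.notifications.append((acct.username, msg))
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
            self.notifications.append((acct.username, "account locked after repeated failures"))
            return "locked"
        return "failed"

    def login(self, acct: Account, password: str, otp: Optional[str] = None,
              now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        if now < acct.locked_until:
            return "locked"  # refuse before touching the password at all
        if not hmac.compare_digest(hash_pw(password, acct.salt), acct.pw_hash):
            return self._fail(acct, now, "failed login attempt")
        if acct.has_2fa and not self.verify_otp(acct, otp):
            # Right password, wrong second factor: someone else knows the password.
            return self._fail(acct, now, "correct password but 2FA failed; change your password")
        acct.failures = 0
        return "ok"
```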

And of course, our list for consumers:

  1. Passwords: Never use the same password twice, and especially don’t reuse passwords on fan sites that could be compromised without you even knowing it. Avoid passwords.
  2. Make it up: One way people can get into your accounts is by figuring out your personal details and simply getting it through customer support. Use fake birth dates, addresses, and the like and keep them written down so you don’t forget. Remember back in the day when you’d use a fake birth date to get into websites? Same concept, different reason.
  3. Updates: Keep your computer up to date, and that means all of your software. Plugins like Java regularly update to patch security holes, do not allow yourself to fall behind.
  4. Anti-virus: Have an anti-virus, a good one. Norton and McAfee are not good anti-virus programs; utilize tools like Avast and Windows Defender. Recognize that this isn’t 100% foolproof.
  5. Operating System: Don’t use a pirated copy of Windows, for crying out loud. I know you don’t want to pay the cost of the OS, but these are very often filled with backdoors at an OS level that even anti-virus programs won’t detect.
  6. Take Security Seriously: Keep up to date on security news.

It will likely never be possible to secure an account 100%, but we can do a hell of a lot more to protect customer data.