security – Page 3 – MMO Fallout

How To End Security Issues For…Some Time.

Security. In the game of anything tech related, security would be the boss you fight before fighting Lucifer himself. The big question that lies heavy on the minds of the IT guys is: how do you save the consumers, when most of the time their biggest enemy is themselves? People losing their account because their had an easy to guess password, or a keylogger that was not detected due to the lack of properly updated anti-virus software, or the guy who loses his account to the gold farmer he bought power leveling, or the guy who downloaded a rogue cheat application. What about the family member who downloads everything they see on the internet?

Now that MMOs are mainstream, and the black market has hit a point where accounts and items can be worth hundreds if not thousands of dollars online, it’s about time that our developer friends started treating our account security as seriously as our banks do. A simple password doesn’t cut it anymore, and developers must assume that the computer is no longer safe.

You have entered a no dongle zone.

Make Cell Phones, Not Emails.

I voiced my concern for Rift’s Coinlock system out of a simple statement: If Trion admits that 80% of account theft takes place via keyloggers, then allowing your system to be bypassed by the first system to be hacked alongside your account is useless. If you lose your password to a keylogger, odds are your email is lost with it, either through having the same password or by having the separate password logged. As I originally stated, this is akin to having two locks on your door, both opened with the same key. Or, in the latter case, keeping both keys on the same keyring and losing the keyring.

Rather, why not allow the system to go to your cell phone? I’m not talking about smart phones, I don’t have one (although I do own an iPad). I mean simple text messages, which anyone with a cell phone should have. Going by Rift’s coin lock system, rather than having the code be sent to your email address, have the code texted to the phone number linked with your account. Let’s take the system even further, and say that anytime you want to log in from a new computer after the first (I’m a firm believer that the first time after creating your account shouldn’t be a hassle), you would be texted a confirmation key. This would stop someone who has your password from logging in to change your details.

In addition, you will have two separate forms of authentication to send when you log in from a new computer. Public and private. On private setting, the computer is authorized forever. On public setting, for those who use internet cafes, the computer will be authorized until you log out of the account.

In accordance with privacy concerns, the phone number would be treated like your credit card number, and display as (***)***-**46, varying depending on your country. And yes, I understand that there are those of you who don’t have cell phones, or at least cell phones capable of receiving text messages, but those of you with regular phones will also have the option of having a robo-call send you the code as a phone call. Think of how many people, using this method alone, would be protected from their accounts being stolen. Until Trion can give me an exact figure as to how many people also had their cell phones stolen with their Rift account, I’m going to go on a limb and say that (apart from social engineering) there is no way to hack this.

“Speaking of social engineering, what happens if I get drunk and my cell phone decides to take a bath in the punch bowl…that is to say, what happens if I lean over the altar too far in church and my cell phone (which was off because I’d never text in church) breaks against the Jesus statue? Yea…That’s the one.”

Good thing you asked. When you link your phone, you’ll be initially texted a code. If for any reason you have to change your phone number, you text that code from the new cell phone, and your new phone will be automatically set up. Of course, if you don’t want to pay the fee (if you don’t have unlimited texting), your computer should be authorized anyway to change your account details, so you’ll be able to log in and do it from your computer, without the need for the code.

I know what at least one developer would think when they read this. “Omali, setting up these texting services can get expensive.” Which is more expensive, sending texts or having to pay customer service to deal with each person individually when they lose their account, and the people who quit because of your backed up CS department? The texting service is automated, your CS workers require paychecks.

So there you have it. If you are online and carry a cell phone capable of texting, you can secure your account for the low, low price of twenty cents (without a texting plan, I believe that’s how much it costs).

So What Is The Conclusion?

The end result of this project is to create a system that separates the recovery from the PC, which means that email is no longer an option. My idea takes the authenticator system and expands upon it by including everyone who has a phone, not just those who have a smart phone capable of running a compatible app. The texts are 100% optional, and is ultimately a better system than the authenticator, which relies on a static algorithm that, although incredibly difficult, could theoretically be cracked.

I would like to note that this is a very basic draft of my idea, and there is like a workaround that I haven’t thought of. Another factor I’m aware of is using this to grief, such as a group of people finding a person’s account name/password and spamming their cell phone with the aim of racking up a lot of charges or using up their prepaid time. One method to combat would be to require the person to know their phone number in order to send the activation code, but the person would type it in via an onscreen keypad to combat keyloggers.

Ultimately, I posted this up to get feedback, and the sole intention is for you all to puncture holes in my theory. So, go ahead. Give me all you’ve got.

Rift: How About An Authenticator?

Rift launched last month to the fervor of a substantial number of people, opening up more than thirty servers in the days after launch to deal with population. With the mechanics involved, Rift has pulled in players from World of Warcraft and similar MMOs, by presenting a similar game with a new mechanic attached: Dynamic rifts. Of course, the attraction of the large crowd could lead to the two inevitabilities: A whole lot of compromised accounts and a whole lot of real money traders to steal those accounts.

In response to growing complaints of account security, Trion has responded by implementing the Coin Lock program. Coin Lock is similar to the computer identity systems your banks may have begun using recently, where a computer is identified as the “home computer” and any attempt to log in from another computer requires additional information in order to proceed. Without that information, the characters will go into coin lock, during which the following activities will be disabled:

Accessing the Auction House.
Sending Mail (can still receive and view mail or remove items).
Selling to vendors.
Deleting Characters
Salvage, Runebreak, or destroy items.
Trade.
You can continue to play and gain coin and items, but cannot get rid of them.

Coin Lock is a nice idea, but ineffective. Take Trion’s own statement:

“80% of the hacked accounts we’ve seen are from keyloggers.”

The method to unlock a character from coin lock is via a code sent through email, so if your account is compromised via key logger, and thus your email address compromised with it, this system won’t help. At all. Yet by Trion’s own admission, their new security system is going to help, at most, 20% of compromised accounts.

Trion should be utilizing other features in addition to the white list. Why not a black list? If I know that I will only play Rift from my location, why not be able to blacklist all other areas, no exceptions? How about an authenticator that operates through a smart phone app, ala World of Warcraft? A four digit pin that must be entered with the mouse instead of the keyboard, ala Aika Online and Runescape? There are plenty of options that Trion has, and they don’t even need to manufacture security dongles.

The feature of this white list is about as effective as having two locks on your door for extra security, but allowing the same key to work with both. Then again, this is just frustrating because, by Trion’s own admission, this will not help 80% of compromised accounts. It is a start, so we’ll see how this turns out.

Aion: Server Transfers, Security, and More…

Given that we are nearing the end of November, and Aion is still running to the best of our knowledge, the jingling of pipe bombs at my doorstep is a good indicator that the Aion producer Chris Hager has put out a new address to the community.

Earlier this year, Aion introduced the free slightly restricted server transfer service with the hopes of one day making such a service paid for all. Hager boasts that the team has transferred over 170,000 characters since July, and that the team has learned enough from the test service to put a full paid version in effect coming next year. After January 5th, 2011, when everyone has no doubt finished clustering into the transfer service while it is still free, server transfers will become paid. Of course there will be restrictions on certain factions transferring to certain servers where they may be unbalanced.

But what would an Aion article be without talking security? In the next week or so, Hager plans to address a new security system going live on December 1st, that will entail a secondary pin system. Security has been a major issue in Aion’s history, from NCsoft account problems to fansites getting hijacked, and everything in between. If this pin system is anything like several other games, it will likely involve the player inputting a pin via a mouse click screen. I can’t really see NCsoft using a dongle system like Final Fantasy XIV and World of Warcraft.

Make Cell Phones, Not Emails.

So What Is The Conclusion?

Spread It:

Spread It:

Spread It: