Features and Ideas Discussion
Premium authentication with RSA SecurID
 
This thread is older than 90 days and has been locked due to inactivity.


 

Lorelei Lee
Posted - 2010.11.30 09:55:00 - [1]
 

Problem: account passwords get found out, and their owners get robbed.

Some of us have been around for a while and have major assets in the game -- thousands of dollars' worth of assets. We wouldn't like to lose them to some keylogger program that snuck onto our machine while we were browsing ****. I, for one, would go the extra mile to protect my assets, perhaps pay a higher monthly fee for extra security, if it was available.

Suggestion: provide an option of premium authentication that cannot be hacked with a keylogger: RSA SecurID.

For those who don't know, a SecurID token is a physical device that you can wear on your keychain. It displays a number that changes every minute and cannot be predicted. Whenever you log in to Eve, you pull out your token and look at it, enter the currently showing number along with your password, and the server lets you in. One minute later, this number won't let you in anymore. Now even if some evildoer types in exactly what you typed in, they won't get in. Now nobody can get your stuff without physically assaulting you, in real life, to steal your token. More information here: http://en.wikipedia.org/wiki/SecurID.

XxCirke LinexX
Posted - 2010.11.30 11:13:00 - [2]
 

This would actually be a really cool idea.

Mara Rinn
Posted - 2010.11.30 11:40:00 - [3]
 

Just be aware that RSA tokens are not a silver bullet solution. They are still vulnerable to "man in the middle" attacks: i.e.: a keylogger intercepting your keystrokes and transmitting them to someone else (e.g.: software residing in some zombie network) in real time, so they can log into your account before you can.

De'Veldrin
Minmatar
Norse'Storm Battle Group
Intrepid Crossing
Posted - 2010.11.30 14:12:00 - [4]
 

Edited by: De'Veldrin on 30/11/2010 14:13:02
Originally by: Mara Rinn
Just be aware that RSA tokens are not a silver bullet solution. They are still vulnerable to "man in the middle" attacks: i.e.: a keylogger intercepting your keystrokes and transmitting them to someone else (e.g.: software residing in some zombie network) in real time, so they can log into your account before you can.



While this is true, because of the way Eve's login structure works, you would then immediately log them out because last one with the right password wins (try it - I do this to myself all the time. Log in with your client, then open a second copy and log in the same account - first window goes poof!).

While this is also not a silver bullet (they could send their login after yours should be completed) you would then have a visual cue that something is amiss, and could do something about it much faster. Edit: Remember - they only have a MAX of 60 seconds to use the purloined information - after that the RSA token updates, and the stolen code is no good anymore.

That said, I have always supported optional RSA tokens for eve as a way to cut down on account hacks. Those who want to participate can, those who don't, don't have to. I'd even be willing to pay a $25 or $30 one time fee for the token setup. (PLEX for RSA anyone?)

thelung187
Guiding Hand Social Club
Dystopia Alliance
Posted - 2010.11.30 15:07:00 - [5]
 

+1, I suggested this in another thread about security a week or so ago, and I still believe it to be a much better method of mitigating account security risks versus the existing "let's hope for the best" implementation.

shady trader
Posted - 2010.11.30 20:08:00 - [6]
 

CCP have looked at this in the past and it is not cost effective given their user base.

Think how much it costs to get anything shipped from the EVE store, as well as the extra costs CCP would have to pay for the authentication licence. It's something like 35 a year per token for corporations (I used to handle them for a large corporation). So unless CCP developed their own one from scratch and paid someone to build them, it's not cost effective.

There is a Dev post somewhere stating that it's not cost effective.

Valandril
Caldari
Ex-Mortis
Posted - 2010.11.30 20:14:00 - [7]
 

This provides only a false sense of security, which makes people care less about trojans, which in the end causes more hacks.

De'Veldrin
Minmatar
Norse'Storm Battle Group
Intrepid Crossing
Posted - 2010.11.30 20:31:00 - [8]
 

Originally by: Valandril
This provides only a false sense of security ...


The same could be said about passwords really. The only form of fool proof computer security is to never use one for anything.

Ever.

This isn't about making accounts unhackable - that's impossible. This is about making them less easily hacked, and that is exactly what it will do.

As for the cost efficiency thing, I'd be curious to know how long ago CCP looked at it and what the relative costs would be now as compared to then given the (presumably) expanding player base.

Valandril
Caldari
Ex-Mortis
Posted - 2010.11.30 20:52:00 - [9]
 

Edited by: Valandril on 30/11/2010 20:56:59
Originally by: De'Veldrin
Originally by: Valandril
This provides only a false sense of security ...


The same could be said about passwords really. The only form of fool proof computer security is to never use one for anything.

Ever.

This isn't about making accounts unhackable - that's impossible. This is about making them less easily hacked, and that is exactly what it will do.

As for the cost efficiency thing, I'd be curious to know how long ago CCP looked at it and what the relative costs would be now as compared to then given the (presumably) expanding player base.
Not really, an external firewall and common sense fill all your security needs (if set up properly).
And using a 2nd password doesn't give you ANY protection vs trojans, which are the leading cause of hacks. So how does it make accounts less hackable? And then every idiot will open wiki and think "oh it's 100% secure, now I can launch hot2lesians.avi.exe and be safe".

And yes, we do NOT need a password; all we would really need is a login AND "show that to other people". Not much news, and a reason why for the most part sites drop the idea of a login for which your email is used.

De'Veldrin
Minmatar
Norse'Storm Battle Group
Intrepid Crossing
Posted - 2010.11.30 22:56:00 - [10]
 

Originally by: Valandril
Not really, an external firewall and common sense fill all your security needs (if set up properly).


Because firewalls never get hacked and information stolen.
Rolling Eyes


Valandril
Caldari
Ex-Mortis
Posted - 2010.11.30 23:11:00 - [11]
 

Originally by: De'Veldrin
Originally by: Valandril
Not really, an external firewall and common sense fill all your security needs (if set up properly).


Because firewalls never get hacked and information stolen.
Rolling Eyes


Keep on talking more bull****. Do you have any idea what resources it would take just to get access to said firewall (at home you don't need a public IP)? Stop watching Swordfish.

De'Veldrin
Minmatar
Norse'Storm Battle Group
Intrepid Crossing
Posted - 2010.11.30 23:33:00 - [12]
 

Originally by: Valandril
Originally by: De'Veldrin
Originally by: Valandril
Not really, an external firewall and common sense fill all your security needs (if set up properly).


Because firewalls never get hacked and information stolen.
Rolling Eyes


Keep on talking more bull****. Do you have any idea what resources it would take just to get access to said firewall (at home you don't need a public IP)? Stop watching Swordfish.


I'm not the one implying that a firewall is some kind of impenetrable forcefield of Internet protection.

Valandril
Caldari
Ex-Mortis
Posted - 2010.11.30 23:35:00 - [13]
 

Originally by: De'Veldrin
Originally by: Valandril
Originally by: De'Veldrin
Originally by: Valandril
Not really, an external firewall and common sense fill all your security needs (if set up properly).


Because firewalls never get hacked and information stolen.
Rolling Eyes


Keep on talking more bull****. Do you have any idea what resources it would take just to get access to said firewall (at home you don't need a public IP)? Stop watching Swordfish.


I'm not the one implying that a firewall is some kind of impenetrable forcefield of Internet protection.
Yes you are, or you can't read. Same effect really, so the cause doesn't carry importance.

Lorelei Lee
Posted - 2010.11.30 23:52:00 - [14]
 

Originally by: De'Veldrin
As for the cost efficiency thing, I'd be curious to know how long ago CCP looked at it and what the relative costs would be now as compared to then given the (presumably) expanding player base.
Also given the (definitely) expanding amount of assets certain players have accumulated since then, making them more willing to pay to protect said assets.
Originally by: Valandril
Not really, an external firewall and common sense fill all your security needs (if set up properly).
How many people, do you think, can set up their firewall properly? I certainly can't. I am a programmer, not a sysadmin.
Originally by: De'Veldrin
While this is true, because of the way Eve's login structure works, you would then immediately log them out because last one with the right password wins (try it - I do this to myself all the time. Log in with your client, then open a second copy and log in the same account - first window goes poof!).
Actually, I think the best thing would be for the server to boot both people if they log in with the same login code, and throw up a fat error message about hackers. For added protection, they could make all major asset management features not work until the used login code expires. This still does not protect against a true man-in-the-middle attack, but I don't think anything can prevent that, not even a firewall.

Mara Rinn
Posted - 2010.12.01 03:38:00 - [15]
 

Edited by: Mara Rinn on 01/12/2010 03:39:38
Originally by: De'Veldrin
While this is true, because of the way Eve's login structure works, you would then immediately log them out because last one with the right password wins (try it - I do this to myself all the time. Log in with your client, then open a second copy and log in the same account - first window goes poof!).


That is true, which just means that the impostor has to log in to the web site instead of the game. Intercepting a couple of your RSA authentication codes should be enough to change your password and disassociate the RSA token from your account.

The major flaw with the "secure token" line of thinking is the assumption that the user's computer can be trusted.

Lorelei Lee
Posted - 2010.12.01 04:22:00 - [16]
 

Originally by: Mara Rinn
Edited by: Mara Rinn on 01/12/2010 03:39:38

That is true, which just means that the impostor has to log in to the web site instead of the game. Intercepting a couple of your RSA authentication codes should be enough to change your password and disassociate the RSA token from your account.

The major flaw with the "secure token" line of thinking is the assumption that the user's computer can be trusted.
There are ways to get around this particular hurdle. Basically, if the use of the same code is attempted more than once (including from the website), both users have to get booted and all their changes undone (that are possible to undo). That at least notifies the legitimate user that something is going on. At that point he can take some kind of action (put a hold on his account, whatever) and investigate.

The problem is, your overall point holds. A sophisticated hack could alter the Eve executable on disk or in memory, watch you play quietly, and take over once you've been AFK for half an hour. Unfortunately that's a risk most of us will have to live with, while the overdedicated among us get professional firewalls and switch to Linux.
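The mechanism the OP describes at [1] (a number that changes every minute, verified by the server), the "60 seconds at most" point at [4], and the "if the same code is presented more than once, boot both sessions and disable asset management until the code expires" idea at [14] and [16], worked through as an added example that is not part of this thread and not CCP's or RSA's code. SecurID's token algorithm is proprietary, so the example stands in the open TOTP standard (RFC 6238: HMAC-SHA1 over a time counter, dynamic truncation) with a 60-second step. The shared secret, the timestamps, the session names and the `AccountVerifier` class are all constructed for this illustration.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # the token described in the thread changes its number every minute
DIGITS = 6


def totp_for_counter(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP value for one counter: HMAC-SHA1, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    word = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(word % (10 ** digits)).zfill(digits)


def totp_code(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """What the token would display at unix_time (RFC 6238: counter = floor(time / step))."""
    return totp_for_counter(secret, unix_time // step)


class AccountVerifier:
    """Server-side check for one account (constructed for this example): shared secret,
    a small clock-skew window, and memory of which counter was last redeemed."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS, window: int = 1):
        self.secret = secret
        self.step = step
        self.window = window          # accept +/- this many steps of clock skew
        self.last_counter = None      # highest counter value already redeemed
        self.sessions = set()         # session ids currently logged in
        self.assets_locked_until = 0  # unix time until which asset features stay disabled

    def login(self, code: str, unix_time: int, session_id: str) -> str:
        """Returns 'ok', 'replay' or 'bad_code'. Every login path (game client and web
        site alike) must go through this one verifier so the replay memory is shared."""
        if not (code.isdigit() and len(code) == DIGITS):
            return "bad_code"
        now_counter = unix_time // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = now_counter + delta
            if not hmac.compare_digest(totp_for_counter(self.secret, candidate), code):
                continue
            if self.last_counter is not None and candidate <= self.last_counter:
                # The same (or an older) code is being presented a second time: someone
                # else saw the legitimate user's keystrokes. Boot every session and keep
                # asset management disabled until the redeemed code would have expired.
                self.sessions.clear()
                self.assets_locked_until = (candidate + 1) * self.step
                return "replay"
            self.last_counter = candidate
            self.sessions.add(session_id)
            return "ok"
        # Not the current code and not within the skew window: a captured code
        # is worthless once its minute has passed, as the thread says.
        return "bad_code"

    def assets_available(self, unix_time: int) -> bool:
        return unix_time >= self.assets_locked_until


if __name__ == "__main__":
    # Constructed demo values: not a real secret, not a real account.
    secret = b"constructed-demo-secret-not-real"
    t0 = 1291111200  # 2010-11-30 10:00:00 UTC, a multiple of 60
    verifier = AccountVerifier(secret)
    code = totp_code(secret, t0)
    print("owner logs in:", verifier.login(code, t0, "owner-client"))
    print("same code 5 s later from elsewhere:", verifier.login(code, t0 + 5, "second-client"))
    print("sessions after replay:", verifier.sessions)
    print("same code 3 minutes later:", verifier.login(code, t0 + 180, "second-client"))
```

The verifier only catches a code that is redeemed twice; it does nothing against the real-time relay Mara Rinn describes at [3] and [15], where the intercepted code reaches the server before the legitimate user's own login does. The one design choice that matters for the [16] proposal is that the web site's password-change and token-unlink forms consume codes through the same `AccountVerifier` instance as the game login, otherwise a code replayed against the web site is never seen as a replay.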

CCP Spitfire


C C P
C C P Alliance
Posted - 2010.12.01 08:26:00 - [17]
 

Personal attacks removed. Please keep the discussion on topic.


Shiho Weitong
Caldari
Koa Mai Hoku
Posted - 2010.12.01 10:27:00 - [18]
 

Originally by: Lorelei Lee
Problem: account passwords get found out, and their owners get robbed.

Some of us have been around for a while and have major assets in the game -- thousands of dollars' worth of assets. We wouldn't like to lose them to some keylogger program that snuck onto our machine while we were browsing ****. I, for one, would go the extra mile to protect my assets, perhaps pay a higher monthly fee for extra security, if it was available.

Suggestion: provide an option of premium authentication that cannot be hacked with a keylogger: RSA SecurID.

For those who don't know, a SecurID token is a physical device that you can wear on your keychain. It displays a number that changes every minute and cannot be predicted. Whenever you log in to Eve, you pull out your token and look at it, enter the currently showing number along with your password, and the server lets you in. One minute later, this number won't let you in anymore. Now even if some evildoer types in exactly what you typed in, they won't get in. Now nobody can get your stuff without physically assaulting you, in real life, to steal your token. More information here: http://en.wikipedia.org/wiki/SecurID.


Completely awesome. Do want.

Make it spiffy and evelike and I'll pay a onetimer of 50 happily.

LiBressa
Posted - 2010.12.01 12:50:00 - [19]
 

Err... it's a yearly charge of 50 roughly.
I know... I have a contract with RSA for 80 of them. Then there's the maintenance and support contract and the cost for the RADIUS server.

If you can't keep your passwords secure then you're failing at the principles stated by CCP or hiding the fact that you're using 3rd party software.


ghosttr
Amarr
ARK-CORP
Intrepid Crossing
Posted - 2010.12.01 13:07:00 - [20]
 

The best thing to do would be to add a challenge question at the login screen when you log on from a different IP.

Also CCP should require account names to be different from the character names. As well as specify a password 'strength' (numbers, letters, capitalization, min length, notification to change pw after x amount of time) that sort of thing.

Medarr
Amarr
Ghost Festival
Naraka.
Posted - 2010.12.01 15:06:00 - [21]
 

Edited by: Medarr on 01/12/2010 15:09:38
Originally by: Valandril
Not really, an external firewall and common sense fill all your security needs (if set up properly).
And using a 2nd password doesn't give you ANY protection vs trojans, which are the leading cause of hacks.


This is by far the biggest load of bull**** I've ever seen.. careful you don't drown in it.

Also please refrain from posting such nonsense. You put other less educated people at risk with your false claims.

Originally by: Lorelei Lee

....while the overdedicated among us get professional firewalls and switch to Linux.


And Linux doesn't have a ****load of remote exploits? Or Mac for that matter? Rolling Eyes

De'Veldrin
Minmatar
Norse'Storm Battle Group
Intrepid Crossing
Posted - 2010.12.01 16:43:00 - [22]
 

Originally by: Medarr
Edited by: Medarr on 01/12/2010 15:09:38
Originally by: Valandril
Not really, an external firewall and common sense fill all your security needs (if set up properly).
And using a 2nd password doesn't give you ANY protection vs trojans, which are the leading cause of hacks.


This is by far the biggest load of bull**** I've ever seen.. careful you don't drown in it.

Also please refrain from posting such nonsense. You put other less educated people at risk with your false claims.

Originally by: Lorelei Lee

....while the overdedicated among us get professional firewalls and switch to Linux.


And Linux doesn't have a ****load of remote exploits? Or Mac for that matter? Rolling Eyes


I will reiterate my previous point - and Mara's as well - this is not and should not be considered a bullet proof solution. But it does make your account MORE secure (note, I do not say completely secure, and never have). It's a tool - one tool - that when combined with the other tools we already have (strong passwords, not being a dumbass, etc) help better protect your game account from being hacked.

It is possible to protect your account without the use of an RSA token. Having one just makes it easier.

Medarr
Amarr
Ghost Festival
Naraka.
Posted - 2010.12.01 17:31:00 - [23]
 

Err, didn't I just say that??

Firewalls are nice and all, but they aren't the end-all against malware. Same as Linux; hell, Linux adds the problem of complexity to the mix.. how many people do you think know the Linux file system layout? Or where to look for malicious files.

Enst Smath
Posted - 2010.12.01 19:19:00 - [24]
 

Originally by: shady trader
Think how much it cost to get anything shipped from the eve store as well as the extra costs CCP would have to pay for the authentication licence. Is something like 35 a year per token for corporations (I used to handle them for a large corporation).


OP indicated he'd be willing to pay extra. Heck, I'd be willing to pay extra, too. As for physically shipping the token, they can be drop-shipped from anywhere. Heck, I'd prefer just receiving the token via encrypted email for use with the iPhone version of RSA SecurID.

shady trader
Posted - 2010.12.01 21:01:00 - [25]
 

Edited by: shady trader on 01/12/2010 21:04:24
Edited by: shady trader on 01/12/2010 21:02:11
Originally by: Enst Smath


OP indicated he'd be willing to pay extra. Heck, I'd be willing to pay extra, too. As for physically shipping the token, they can be drop-shipped from anywhere. Heck, I'd prefer just receiving the token via encrypted email for use with the iPhone version of RSA SecurID.


While a lot of people may be willing to pay extra, I would be surprised if CCP got a large percentage of the player base to sign up to buy a physical token. As for shipping, all items from the EVE store are shipped from one location I believe, and it tends not to be that cheap.

Assuming you are talking about a high-end token like those used by large corporations to authenticate:

150 (over a year's subscription) + shipping + taxes (some countries have a very high rate of tax on this type of tech, in some cases over 100% when I was sending them overseas).

35 per year to maintain the licence and infrastructure (more than the cost of a quarterly subscription).

This also assumes that CCP can buy the tokens at near wholesale price and do not add a profit margin. This also assumes that CCP can build out the hardware at the same price as large multinationals that have many more staff than CCP has customers, otherwise they would have to charge more.

Now if they had a software one they developed that used a shared secret to generate a one-time code, I suspect a lot more people would consider it, as it would only cost a couple of pounds per year (less than a month's subscription).

Or even an iPhone/Android app that you link to your accounts, and you get a pop-up when you attempt to log in via the PC with a permit/reject option.

Or develop something that can read, say, the serial number on a USB drive, so we could use an existing USB drive (or a new one) as a physical security measure once set up. If you get a 4 gig one you could keep a copy of the EVE client on there just in case.

Etrias Jhozah
Adhocracy Incorporated
Posted - 2010.12.01 23:00:00 - [26]
 

I like this idea. It's not likely to be needed by a huge part of the EVE population, but I can see some pilots that would like to have that extra layer of protection.

Oh and Valandril, you have no idea what you're talking about, so do people a favor and don't talk about this topic. An RSA authentication isn't a typical password that can be grabbed by a trojan. That grabbed "password" is only good for a very short window of time before it expires and you need the new one. It is susceptible to a man in the middle attack, as was mentioned earlier in the thread, but does no good to a trojan or keylogger that phones home only now and then. If you had taken a single minute to follow the link provided and read the first paragraph, you'd have known that.

By the way, most people have no idea how to set up even a simple firewall. I can't tell you how many I've run across in businesses and organizations who haven't even bothered to change the default password, you think that a home user who's not a tech would know how? Rolling Eyes

RSA is a nice feature for those who want to pay for that extra protection on their account. Bulletproof? No, but it would take a dedicated effort rather than a couple of well placed bots.

BTW, to reiterate a point I think was lost. This isn't for the general EVE population. It's for those people willing to pay for a form of two-factor authentication to add security to their accounts. Don't make it more than that.

HeliosGal
Caldari
Posted - 2010.12.01 23:51:00 - [27]
 

Signed; make it optional of course. But a very good idea. Any CCP response on this?

Lorelei Lee
Posted - 2010.12.02 00:36:00 - [28]
 

I suspect physical tokens don't need to be shipped from the EVE Store, because any RSA office can issue them. Perhaps that's what Enst Smath called drop-shipping.

However, if such a service cost 150 per year, I would have to pass. I think $75..100 is the most I would be willing to pay.

De'Veldrin
Minmatar
Norse'Storm Battle Group
Intrepid Crossing
Posted - 2010.12.02 01:14:00 - [29]
 

Originally by: Lorelei Lee
I suspect physical tokens don't need to be shipped from the EVE Store, because any RSA office can issue them. Perhaps that's what Enst Smath called drop-shipping.

However, if such a service cost 150 per year, I would have to pass. I think $75..100 is the most I would be willing to pay.


And that may be what CCP meant by not economically feasible. The price they would have to charge us would be so high, they knew no one would go for it. Because you're right, I damned sure wouldn't pay that much for it. It is just a game after all.

I'd like to see CCP crunch the numbers on this again and give us an honest estimate of the costs we, as players would have to pay, per token per year (under the assumption that you could use one token for multiple accounts). If it's a reasonable number (and I think $35-50 is probably at the upper end of reasonable) or an equivalent number of Plexes I think they'd get a lot of takers.

