EVE Information Portal
New Dev Blog: Account Security Improvements Part I - Phishing
 
This thread is older than 90 days and has been locked due to inactivity.


 
Pages: 1 [2] 3


Xodd Hil
Gallente
Trucido Veritas
Posted - 2011.01.21 06:04:00 - [31]
 

Originally by: Mielono
Originally by: Noun Verber
Originally by: Nye Jaran
Say it with me... auth-en-tic-a-tor.

still hack-a-ble


and bulletproof vests don't always work, but for some reason people still wear them
Plus, better than nothing! Still, if the shipping prices for the CCP authenticator were the same hilariously inflated ones, it wouldn't be bought by many outside the US...

Komiliya Jenius
Posted - 2011.01.21 06:26:00 - [32]
 

I miss the old Chribba picture.

Abulurd Boniface
Gallente
Legio Geminatus
Posted - 2011.01.21 07:12:00 - [33]
 

Great dev blog!

It's great to see CCP is making every effort to keep the bad people away, although, if you did the meta, you'd say that the care you take in the game is nothing more than the care you should be taking in the real world.

To an EVE player this should be second nature, no?

I was asked to provide the name of a character on logging in [a new one for me] while this is the machine I play EVE on. "lolwut?" appears appropriate.

DmitryEKT
Clandestine.
Posted - 2011.01.21 08:01:00 - [34]
 

Gmail labs has a thing you can enable which puts a little key icon next to legit emails from ebay/paypal to make it obvious they're not fakes. Have CCP thought of getting in on that?

Sentient Blade
Posted - 2011.01.21 08:14:00 - [35]
 

There is a potential sixth wall that I do not see mentioned which is effectively "Tell me something about myself".

Show me your birthmark... Show me the rose... drop your pants*

To put it simply, allow each player to define a few words that are tied to their account such as "turtle, antelope, gallentesux" and display this string to the person attempting to login prior to them getting to the second factor of authentication, i.e.

<Enter name and password>
Hello [Full real name]. This is CCP server secure.eveonline.com saying "[word string]" please enter any character name to continue.

This would give an opportunity for the user to verify that the server already had sufficient details on the account to know their real life name and their secret word string, and back out, before entering the character name.

* James Bond reference

Geographic Jumping Checks

Seeing as it is unlikely that the person attempting to phish for accounts is going to be living in the house next door, or even in the same country for the most part, login attempts to both websites and the EvE client should be GeoIP'd and the original registrar notified via email when 2 logins occur within a short period which come from geographically diverse locations.

In game / out of game paradox

It occurs to me that there is somewhat of a paradox in security within the EvE universe where CCP seems to condone, and perhaps even actively encourage scams and behaviour designed to strip a victim of all of their assets and enjoyment through trickery and obfuscation of data, in an almost identical way to how phishing attacks work.

Is there really that much difference in the CCP financial loss / bad player experience when comparing the end results of in-game scamming vs out-of-game phishing?

How does CCP reconcile treating two mechanisms with near identical end results differently?

Misc

* What's wrong with letting the EvE login screen remember passwords? If someone can read my hard disk where they're stored I've got bigger problems.

* Can we have a webpage to show all of the recent login times / IPs / Locations we've connected with? Like we do on the EvE API. Heck, mail it out distinct(location) once a month or so.
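Added example for the geographic-jumping check and the "recent logins / locations" page proposed in this post; it is written for this thread and is not CCP's code or anything CCP has described implementing. It assumes the GeoIP lookup has already happened upstream and that login events arrive as records with coordinates; `Login`, `geographic_jumps` and `distinct_locations` are hypothetical names, and the accounts, IPs (documentation ranges) and timestamps are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Login:
    """One successful login, already enriched with a GeoIP lookup (assumed done upstream)."""
    account: str
    when: datetime
    ip: str
    city: str
    lat: float
    lon: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def geographic_jumps(logins, window_hours: float = 6.0, max_km: float = 500.0):
    """Return (account, earlier_login, later_login, km) for each pair of consecutive
    logins on one account that are closer in time than window_hours but farther apart
    than max_km: the "two logins in a short period from diverse locations" case.
    This is what would trigger the notification e-mail to the account owner."""
    by_account = {}
    for login in sorted(logins, key=lambda l: l.when):
        by_account.setdefault(login.account, []).append(login)
    alerts = []
    for account, seq in by_account.items():
        for prev, cur in zip(seq, seq[1:]):
            if (cur.when - prev.when).total_seconds() > window_hours * 3600:
                continue
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if km > max_km:
                alerts.append((account, prev, cur, round(km)))
    return alerts


def distinct_locations(logins, account: str):
    """The "recent logins" view: distinct (city, ip) pairs an account has connected from."""
    return sorted({(l.city, l.ip) for l in logins if l.account == account})


# Constructed sample data: approximate city-centre coordinates, documentation-range IPs.
SAMPLE_LOGINS = [
    Login("alice", datetime(2011, 1, 21, 10, 0), "192.0.2.10", "Reykjavik", 64.13, -21.90),
    Login("alice", datetime(2011, 1, 21, 11, 30), "198.51.100.7", "Tokyo", 35.68, 139.69),
    Login("alice", datetime(2011, 1, 22, 9, 0), "192.0.2.10", "Reykjavik", 64.13, -21.90),
    Login("bob", datetime(2011, 1, 21, 8, 0), "203.0.113.44", "London", 51.51, -0.13),
    Login("bob", datetime(2011, 1, 21, 9, 0), "203.0.113.44", "London", 51.51, -0.13),
    Login("bob", datetime(2011, 1, 21, 20, 0), "192.0.2.99", "Reykjavik", 64.13, -21.90),
]

if __name__ == "__main__":
    for account, a, b, km in geographic_jumps(SAMPLE_LOGINS):
        print(f"ALERT {account}: {a.city} ({a.when}) -> {b.city} ({b.when}), {km} km apart")
    print("alice has logged in from:", distinct_locations(SAMPLE_LOGINS, "alice"))
```

With the defaults only alice's Reykjavik-to-Tokyo pair (90 minutes, thousands of km) is flagged; bob's London-to-Reykjavik logins are eleven hours apart and stay quiet. Widening the window to a day flags that pair too, which is the tuning trade-off between catching a shared credential and paging every traveller who uses a VPN.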

Kayen Qeid
Federal Navy Academy
Posted - 2011.01.21 08:26:00 - [36]
 

security@ccpgames.com ...is phishing@ccpgames.com available as well? Easier to remember =)

Remulon McNab
The Galactic Collective
Sovereign Technologies
Posted - 2011.01.21 08:38:00 - [37]
 

Quote:
SPF will be implemented in approximately 7 days. DomainKeys will take a bit more time as things need to be moved around in order to implement that properly


@CCP Sreegs
Why are you guys implementing SPF and DKIM/DomainKeys only now? Technology-wise, the start of 2010 was the year that everyone started encountering huge problems related to phishing.
So from my point of view you are a bit late, especially with all those phishing mails going round.

What are the global plans to protect your customers from phishing/account security issues in the future?

Mail security & deliverability is part of my daily job and those go hand in hand.
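Added example, not from the thread and not CCP's code: a simplified SPF check_host() in the sense of the SPF RFCs (4408, later 7208), run against constructed TXT records held in a dictionary instead of live DNS, to show what the SPF implementation being discussed gives a receiving mail server when deciding whether a message claiming to be from a domain actually came from its mail servers. The domains, records and function names are hypothetical; only the ip4, ip6, include and all mechanisms are handled, and DKIM/DomainKeys signing is not covered.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups. Hypothetical domains and records,
# not CCP's real SPF data.
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain: str, dns=FAKE_DNS_TXT):
    """Return the mechanism list of a domain's SPF record, or None if it publishes none."""
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return None
    return record.split()[1:]


def check_host(ip: str, domain: str, dns=FAKE_DNS_TXT, depth: int = 0) -> str:
    """Simplified SPF check_host(): may `ip` send mail for `domain`?
    Handles ip4, ip6, include and all; a/mx/ptr/exists need live DNS and are reported
    as permerror here rather than silently guessed."""
    if depth > 10:                      # RFC limit on DNS-querying terms, also stops include loops
        return "permerror"
    terms = lookup_spf(domain, dns)
    if terms is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms:
        qualifier = "+"                 # an unqualified mechanism means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif mech == "include":
            # include matches only when the referenced domain's policy says "pass"
            if check_host(ip, arg, dns, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"
    return "neutral"                    # record ended without an "all" term


def receiver_action(result: str) -> str:
    """What a receiving mail server commonly does with each SPF result."""
    return {
        "pass": "deliver",
        "fail": "reject",
        "softfail": "deliver but mark as suspicious",
        "neutral": "no SPF decision",
        "none": "no SPF decision",
        "permerror": "treat as no SPF decision",
    }[result]


if __name__ == "__main__":
    for sender_ip in ("192.0.2.77", "198.51.100.10", "203.0.113.5"):
        result = check_host(sender_ip, "example.com")
        print(f"{sender_ip} claiming example.com -> {result}: {receiver_action(result)}")
```

The last sender in the demo is the phishing case: a host outside the published ranges claiming the domain in MAIL FROM gets "fail" from the "-all" terminator, which is the hard-reject signal a receiver can act on. A domain that ends its record with "~all" instead only produces "softfail", which most receivers merely score, so the choice of terminator is part of "implementing it the best way".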

Cyaxares II
Posted - 2011.01.21 08:39:00 - [38]
 

Edited by: Cyaxares II on 21/01/2011 09:02:55

nice devblog - except for the heavy scaremongering

Quote:
If you got it for free there's a catch and they're probably stealing from you.


There are plenty of (free) AHK/IS scripts floating around that verifiably don't contain any malicious functionality on their own and it seems highly unlikely that AHK or IS itself would be specifically adapted to steal EVE account data (especially for AHK, IS might be more risky).

On top of that stealing account data is just plain bad business for most paid-for bots (especially subscription-based ones) - the only case I can come up with in which it would make sense to steal an account would be if CCP did magically manage to disable botting thus denying the bot writer any further revenue from his work.

If you want to convince us not to use bots please do it by delivering decent arguments and not FUD.

Taking a very wild guess I would guess that a similar amount of information is stolen through the official API ("all your in-game mails are belong to us") or through tools building on the API that are trojans, keyloggers, ... as is via bots.

Just provide a "Download source here" link and nobody will check if the version he could compile from source matches with the official binary, anyways.


edit: also, consider that people running bots are already willing to gamble their account based on incomplete information - otherwise they wouldn't break the EULA.
Saying "OMG you might lose access to your account" might change the perceived odds but it's a quantitative change rather than a qualitative one.

... and without naming & shaming (and providing reproducible steps to confirm the malicious behavior) you are not exactly the most credible source of information on the risks of botting to start with as CCP has a large business interest in making EULA violations look extremely risky, independent of reality.

tl;dr serious botters will carry on as before (because they know what they're doing and probably use their own software anyways), some casual botters might be a bit scared but will reaffirm each other that you're just spreading FUD in their forums and my mood is ruined by reading that silly, silly paragraph.

Lost Hamster
Hamster Holding Corp
Posted - 2011.01.21 08:59:00 - [39]
 

Originally by: CCP Sreegs
Block 3 - Block 3 is where we ensure that we're properly authenticating our users. Authentication from our perspective is ensuring that you are you. Not that you are someone with your password. That you, guy whose name is yours, is really you. An initial shot at this was when we began asking you to name one of the characters on your account.


The idea itself is not bad, however there is still a hole in the security system.

With this feature you try to protect the account management - that's fine.
However if a bad guy has access to the user name and password, then how long will it take to get a character name on that account?
I will tell you. 15 seconds. Just log in to the game and voila.

However it's a positive note that the similar hole on the evegate site has been filled. :)

So please get a similar login screen to the game as well. With an option to save the Character name to the individual game files.

Alain Kinsella
Minmatar
Posted - 2011.01.21 09:04:00 - [40]
 

As a part-time security officer (and an old Stoll fan), I appreciate this devblog. +1 and /salute

Consider me a +1 for an Auth Token Generator (either something like the SecurID fob - I've had four so far at work - or a software OTP). One interesting thing I heard recently was that RSA/EMC has a BlackBerry app which can replace the fob; I've got mixed feelings about that.

Originally by: Sentient Blade

Misc

* What's wrong with letting the EvE login screen remember passwords? If someone can read my hard disk where they're stored I've got bigger problems.

* Can we have a webpage to show all of the recent login times / IPs / Locations we've connected with? Like we do on the EvE API. Heck, mail it out distinct(location) once a month or so.


I'm actually happy with having the client not save a password. When I was in NYC for State of Play 2005 (and the SLCC right after), I saw a couple instances of folks walking up and logging in to someone else's SL account on an open notebook. Not something you want to happen in that environment (where US$ really was hard-linked into the environment).

Big Heck Yes to that second item though. If possible the list should include website login (and distinct lists for both perhaps).


Naga Tokiba
Posted - 2011.01.21 09:05:00 - [41]
 

Excellent post, keep up the good work.

Avensys
Posted - 2011.01.21 09:11:00 - [42]
 

Edited by: Avensys on 21/01/2011 09:11:46

(posting on a different character as it's a separate point)

How does asking for a character name actually help?

Wouldn't phishing sites just ask for a character name as well (they want to mimic the "real" login process as closely as possible after all)?

Pottsey
Enheduanni Foundation
Posted - 2011.01.21 09:23:00 - [43]
 

Edited by: Pottsey on 21/01/2011 09:26:29
“An initial shot at this was when we began asking you to name one of the characters on your account.”
This has caused me a problem as I am unable to post. My main account is fine but since this was implemented my secondary account has been unable to post. Even if I copy and paste the character's name the security check still fails.

I understand why you implement this stuff but it's a pain when a person with a legal account cannot access what he needs due to faulty security.

My best guess is any name with a ' symbol automatically fails the security even if the name is correct.

Sentient Blade
Posted - 2011.01.21 09:35:00 - [44]
 

Originally by: Pottsey
My best guess is any name with a ' symbol automatically fails the security even if the name is correct.


You probably want to petition that one.

In the world of the internets the ' character is responsible for more exploits and pwnage than almost anything else, and there's a remote possibility that CCP may have forgotten to escape a query argument.
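Added illustration of the point about an unescaped query argument, written for this thread rather than taken from CCP or the original poster. Against a constructed in-memory SQLite table it shows why a character name containing ' would make a concatenated lookup fail for the legitimate owner, and the parameterized form that handles the same name correctly. Table, function and character names are hypothetical.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory table of (account, character name); the rows are constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE characters (account TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO characters VALUES (?, ?)",
        [("acct-1", "Arbitrary Pilot"), ("acct-2", "D'Rasha Vel")],
    )
    return conn


def name_check_concatenated(conn, account: str, name: str) -> bool:
    """The suspected bug: user input is pasted into the SQL text. A legitimate name with a
    quote in it unbalances the string literal, the statement fails to parse, and the real
    owner is told the check failed. The same defect is what makes such a query exploitable,
    which is why it is fixed by parameterising rather than by hand-escaping."""
    sql = "SELECT COUNT(*) FROM characters WHERE account = '%s' AND name = '%s'" % (account, name)
    try:
        return conn.execute(sql).fetchone()[0] == 1
    except sqlite3.Error as exc:
        print("lookup broke on input %r: %s" % (name, exc))
        return False


def name_check_parameterized(conn, account: str, name: str) -> bool:
    """The fix: bind the value as a parameter, so the driver never treats it as SQL."""
    sql = "SELECT COUNT(*) FROM characters WHERE account = ? AND name = ?"
    return conn.execute(sql, (account, name)).fetchone()[0] == 1


if __name__ == "__main__":
    db = make_db()
    for account, name in [("acct-1", "Arbitrary Pilot"), ("acct-2", "D'Rasha Vel")]:
        print(name, "concatenated:", name_check_concatenated(db, account, name),
              "parameterized:", name_check_parameterized(db, account, name))
```

Run it and the concatenated version passes the plain name but reports a failure for the owner of "D'Rasha Vel", which is exactly the symptom Pottsey describes; the parameterized version passes both and rejects a name that belongs to a different account.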

Louis deGuerre
Gallente
Malevolence.
Posted - 2011.01.21 09:45:00 - [45]
 

Nice work guys.

I am slightly worried that extra security you are thinking about will cause me more hassle than the occasional phishing attack (remembers forum locking horror), but we'll see.

CCP Sreegs

Posted - 2011.01.21 09:48:00 - [46]
 

Originally by: Cyaxares II
Edited by: Cyaxares II on 21/01/2011 09:02:55

nice devblog - except for the heavy scaremongering

Quote:
If you got it for free there's a catch and they're probably stealing from you.


There are plenty of (free) AHK/IS scripts floating around that verifiably don't contain any malicious functionality on their own and it seems highly unlikely that AHK or IS itself would be specifically adapted to steal EVE account data (especially for AHK, IS might be more risky).

On top of that stealing account data is just plain bad business for most paid-for bots (especially subscription-based ones) - the only case I can come up with in which it would make sense to steal an account would be if CCP did magically manage to disable botting thus denying the bot writer any further revenue from his work.

If you want to convince us not to use bots please do it by delivering decent arguments and not FUD.

Taking a very wild guess I would guess that a similar amount of information is stolen through the official API ("all your in-game mails are belong to us") or through tools building on the API that are trojans, keyloggers, ... as is via bots.

Just provide a "Download source here" link and nobody will check if the version he could compile from source matches with the official binary, anyways.


edit: also, consider that people running bots are already willing to gamble their account based on incomplete information - otherwise they wouldn't break the EULA.
Saying "OMG you might lose access to your account" might change the perceived odds but it's a quantitative change rather than a qualitative one.

... and without naming & shaming (and providing reproducible steps to confirm the malicious behavior) you are not exactly the most credible source of information on the risks of botting to start with as CCP has a large business interest in making EULA violations look extremely risky, independent of reality.

tl;dr serious botters will carry on as before (because they know what they're doing and probably use their own software anyways), some casual botters might be a bit scared but will reaffirm each other that you're just spreading FUD in their forums and my mood is ruined by reading that silly, silly paragraph.


Every single thing I said in that paragraph about botting is true and while you're welcome to your opinion, opinions don't alter facts. The paragraph was written for your benefit, so that people are aware of the information being collected and motivations of the creators. This wasn't a delivery of opinion. It was a statement of facts based on our investigations.

Agent Stone
Volition Cult
Fatal Ascension
Posted - 2011.01.21 09:51:00 - [47]
 

Edited by: Agent Stone on 21/01/2011 09:54:00
Would a security token not act as another valuable block against this? I am pretty sure people have been asking CCP to release one of these, either Smartphone based, or via the Eve Store for years.

For example, see this thread from about a year ago where people are asking CCP to release such after a similar security blog post.

Your competitors (Blizzard as an example) are years ahead of you in this regard.

Alain Kinsella
Minmatar
Posted - 2011.01.21 09:55:00 - [48]
 

Originally by: Pottsey

My best guess is any name with a ' symbol automatically fails the security even if the name is correct.



I have another character (in a second account) with a name like that. Auth was fine.

However, that's a single quote mark. I'm not sure if the backquote ` has problems here - in UNIX circles that's far more dangerous, but Eve's backend is Windows.


CCP Sreegs

Posted - 2011.01.21 09:56:00 - [49]
 

Originally by: Agent Stone
Edited by: Agent Stone on 21/01/2011 09:54:00
Would a security token not act as another valuable block against this? I am pretty sure people have been asking CCP to release one of these, either Smartphone based, or via the Eve Store for years.

For example, see this thread from about a year ago where people are asking CCP to release such after a similar security blog post.

Your competitors (Blizzard as an example) are years ahead of you in this regard.


Without discussing a specific technology, were I you I would assume that something would be done to improve things given the comments I made in the "Authentication" section. We are looking at the authentication issue quite a bit.

CCP Sreegs

Posted - 2011.01.21 10:00:00 - [50]
 

Originally by: Sentient Blade
There is a potential sixth wall that I do not see mentioned which is effectively "Tell me something about myself".

Show me your birthmark... Show me the rose... drop your pants*

To put it simply, allow each player to define a few words that are tied to their account such as "turtle, antelope, gallentesux" and display this string to the person attempting to login prior to them getting to the second factor of authentication, i.e.

<Enter name and password>
Hello [Full real name]. This is CCP server secure.eveonline.com saying "[word string]" please enter any character name to continue.

This would give an opportunity for the user to verify that the server already had sufficient details on the account to know their real life name and their secret word string, and back out, before entering the character name.

* James Bond reference

Geographic Jumping Checks

Seeing as it is unlikely that the person attempting to phish for accounts is going to be living in the house next door, or even in the same country for the most part, login attempts to both websites and the EvE client should be GeoIP'd and the original registrar notified via email when 2 logins occur within a short period which come from geographically diverse locations.

In game / out of game paradox

It occurs to me that there is somewhat of a paradox in security within the EvE universe where CCP seems to condone, and perhaps even actively encourage scams and behaviour designed to strip a victim of all of their assets and enjoyment through trickery and obfuscation of data, in an almost identical way to how phishing attacks work.

Is there really that much difference in the CCP financial loss / bad player experience when comparing the end results of in-game scamming vs out-of-game phishing?

How does CCP reconcile treating two mechanisms with near identical end results differently?

Misc

* What's wrong with letting the EvE login screen remember passwords? If someone can read my hard disk where they're stored I've got bigger problems.

* Can we have a webpage to show all of the recent login times / IPs / Locations we've connected with? Like we do on the EvE API. Heck, mail it out distinct(location) once a month or so.


These are all tied to authentication and if we're not already considering them I'll add them to the list to think about. re: your questions

1) I don't see this happening anytime soon. Whether you have bigger problems if someone can read your disk or not, when it happens it also becomes our problem. There have been quite a few trojans that targeted various games who have used this methodology and I'm not sure the risk outweighs the potential benefits.

2) Playing with location IMO is part of Authentication and I'll have something more to say about that soon.

CCP Sreegs

Posted - 2011.01.21 10:02:00 - [51]
 

Originally by: DmitryEKT
Gmail labs has a thing you can enable which puts a little key icon next to legit emails from ebay/paypal to make it obvious they're not fakes. Have CCP thought of getting in on that?


I have to look into the labs solution. The one solution I'd seen involved the use of an installer which proceeded to make it impossible for me to access gmail so I shot it down. I'll take a look at this one ASAP, because these types of things are specifically what I was referring to when I said it would be possible for you to verify that an email had come from us.

CCP Sreegs

Posted - 2011.01.21 10:05:00 - [52]
 

Originally by: Remulon McNab
Quote:
SPF will be implemented in approximately 7 days. DomainKeys will take a bit more time as things need to be moved around in order to implement that properly


@CCP Sreegs
Why are you guys implementing SPF and DKIM/DomainKeys only now? Technology-wise, the start of 2010 was the year that everyone started encountering huge problems related to phishing.
So from my point of view you are a bit late, especially with all those phishing mails going round.

What are the global plans to protect your customers from phishing/account security issues in the future?

Mail security & deliverability is part of my daily job and those go hand in hand.



SPF was implemented, it just wasn't implemented the best way. Whether we're late to the SPF table or not I didn't work here in 2010 so I can't speak to what people may have done or been thinking at the time. I'm here now and we're correcting our SPF implementation.

Regarding future plans, I'm assuming you're alluding to something particular but from my perspective this blog is what we have for the next x period of time. Once implementation is done we can measure effectiveness and determine what additional steps may be required.

CCP Sreegs

Posted - 2011.01.21 10:06:00 - [53]
 

Originally by: Lost Hamster
Originally by: CCP Sreegs
Block 3 - Block 3 is where we ensure that we're properly authenticating our users. Authentication from our perspective is ensuring that you are you. Not that you are someone with your password. That you, guy whose name is yours, is really you. An initial shot at this was when we began asking you to name one of the characters on your account.


The idea itself is not bad, however there is still a hole in the security system.

With this feature you try to protect the account management - that's fine.
However if a bad guy has access to the user name and password, then how long will it take to get a character name on that account?
I will tell you. 15 seconds. Just log in to the game and voila.

However it's a positive note that the similar hole on the evegate site has been filled. :)

So please get a similar login screen to the game as well. With an option to save the Character name to the individual game files.


Just to clarify I'm talking about authentication at every interface. I don't believe authentication of the same credentials should be in any way different because you're using a different interface to request the information.

CCP Sreegs

Posted - 2011.01.21 10:07:00 - [54]
 

Originally by: Avensys
Edited by: Avensys on 21/01/2011 09:11:46

(posting on a different character as it's a separate point)

How does asking for a character name actually help?

Wouldn't phishing sites just ask for a character name as well (they want to mimic the "real" login process as closely as possible after all)?


Yes, which is why it's not good enough and we're looking to improve.

Agent Stone
Volition Cult
Fatal Ascension
Posted - 2011.01.21 10:08:00 - [55]
 

Originally by: CCP Sreegs
Originally by: Agent Stone
Edited by: Agent Stone on 21/01/2011 09:54:00
Would a security token not act as another valuable block against this? I am pretty sure people have been asking CCP to release one of these, either Smartphone based, or via the Eve Store for years.

For example, see this thread from about a year ago where people are asking CCP to release such after a similar security blog post.

Your competitors (Blizzard as an example) are years ahead of you in this regard.


Without discussing a specific technology, were I you I would assume that something would be done to improve things given the comments I made in the "Authentication" section. We are looking at the authentication issue quite a bit.

Cool. Thanks.

Yes, I read the Block 3 Authentication section and felt urged to reiterate... "Hey, look... This is what banks use as additional authentication... (normally plastic tokens of some sort) CCP... research doing something like this..." Players have suggested it for years so it's good CCP are researching such things.

I also mention the smartphone implementation as well as actual tokens, as for players who have such they don't need to pay extra and you can get additional layers of security to more of your player base.

For others players reading about this and not in the know:
http://en.wikipedia.org/wiki/Security_token

Sentient Blade
Posted - 2011.01.21 10:33:00 - [56]
 

Originally by: CCP Sreegs
1) I don't see this happening anytime soon. Whether you have bigger problems if someone can read your disk or not, when it happens it also becomes our problem. There have been quite a few trojans that targeted various games who have used this methodology and I'm not sure the risk outweighs the potential benefits.


In my experience it really depends on how big a hole they can punch in the attack surface, and 99% of the time, if that hole is big enough to provide a means of reading the hard disk, then it is also big enough for them to install a keyboard hook or swipe the person's PayPal or banking details and use them to create a few hundred accounts.

That's a worst-case scenario of course, but once it gets to the remote code execution stage there is not much more that can be done on your part - it's the actual identity of the account holder that's been compromised rather than the underlying security of EvE.

CCP Sreegs

Posted - 2011.01.21 10:43:00 - [57]
 

Originally by: Sentient Blade


In my experience it really depends on how big a hole they can punch in the attack surface, and 99% of the time, if that hole is big enough to provide a means of reading the hard disk, then it is also big enough for them to install a keyboard hook or swipe the person's PayPal or banking details and use them to create a few hundred accounts.

That's a worst-case scenario of course, but once it gets to the remote code execution stage there is not much more that can be done on your part - it's the actual identity of the account holder that's been compromised rather than the underlying security of EvE.


You are of course correct. I will say though that it doesn't make it any less our problem when an account is compromised whether it's through a fault of our own or not and I'm not sure that the costs of putting information on disk outweigh the benefits.

Flios Bror
Amarr
Wildly Inappropriate
Posted - 2011.01.21 10:56:00 - [58]
 

Originally by: Sentient Blade
Originally by: Pottsey
My best guess is any name with a ' symbol automatically fails the security even if the name is correct.

You probably want to petition that one.


Sounds like something for a bug report, instead of a petition, imho.

Remulon McNab
The Galactic Collective
Sovereign Technologies
Posted - 2011.01.21 11:06:00 - [59]
 

@Sreegs
Thanks for your reply. Besides SPF, it might be worth implementing SenderID as well.
This improves deliverability of all your e-mail messages.

I am aware of the fact that SenderID is backwards compatible, though it's still useful as Microsoft implements it in all their mailserver software.

So far, great job!


Bhattran
Posted - 2011.01.21 11:11:00 - [60]
 

Originally by: Pottsey
Edited by: Pottsey on 21/01/2011 09:26:29
“An initial shot at this was when we began asking you to name one of the characters on your account.”
This has caused me a problem as I am unable to post. My main account is fine but since this was implemented my secondary account has been unable to post. Even if I copy and paste the character's name the security check still fails.

I understand why you implement this stuff but it's a pain when a person with a legal account cannot access what he needs due to faulty security.

My best guess is any name with a ' symbol automatically fails the security even if the name is correct.


I don't know if the issue is this or not, but I found I 'failed' when I entered the name of a character NOT training; when I entered the name of the currently training character it worked. I haven't had an issue since, but it's presumption on my part. For characters that trained out their queue I used the last character that was training. Again, I don't know if it makes a difference if you have no alts, or use ', as neither situation fit my accounts at the time.

