EVE Information Portal
New Dev Blog: Account Security Improvements Part I - Phishing

This thread is older than 90 days and has been locked due to inactivity.

Pages: 1 2 [3]

CCP Sreegs

Posted - 2011.01.21 11:41:00 - [61]
 

Originally by: Remulon McNab
@Sreegs
Thanks for your reply. Besides SPF it might be worth implementing SenderID as well.
This improves the deliverability of all your e-mail messages.

I am aware of the fact that SenderID is backwards compatible, though it's still useful as Microsoft implements it in all their mailserver software.

So far, great job!




If I'm correct, and I'll Google in a second and either be right or have immortalized my wrongness, SenderID is just Microsoft rebranding of either SPF or DomainKeys.

(I was wrong and I'll dig into it a bit. It's based on SPF but not the same. Thanks!)

lhaslop
Posted - 2011.01.21 11:42:00 - [62]
 

Edited by: lhaslop on 21/01/2011 11:42:11
Sreegs, fantastic blog. Always refreshing to see things moving forward and good security minds in the ranks.

Remulon McNab
The Galactic Collective
Sovereign Technologies
Posted - 2011.01.21 12:24:00 - [63]
 

@Sreegs
I sent CCP Fallout a DM on Twitter; if you need further clarification just let me know via there.

Arshes Nei
LifeLine Solutions
Posted - 2011.01.21 13:59:00 - [64]
 

Personally I think that ANY communication with CCP, bar password resets, should be done via EVE Gate. The way I see it you are already "hosting" a personal mail account for every EVE player, and I would imagine that it would be a lot harder for a scammer to send out phishing mails over your own service. You could even very easily make an extension where EVE mails from CCP are marked as such, and maybe automatically go into a specific mail folder.

The phishing crap lately has gotten so bad that I hardly read anything game-related sent to me via email anymore; why even bother if 90% is scam anyway.

amarian arch
Posted - 2011.01.21 15:15:00 - [65]
 

good work

ROXGenghis
Perkone
Posted - 2011.01.21 17:02:00 - [66]
 

You could look at RSA's Site Key:

http://en.wikipedia.org/wiki/SiteKey

I've never had a problem with it as a user, but I haven't studied its protocol so I can't vouch for it at this point.

Melekhar Tazinas
Posted - 2011.01.21 17:17:00 - [67]
 

Sreegs, have you guys considered signing your emails with a GPG signature?

Not that many people use GPG-enabled email clients, but for those of us that do, there's few better means of authenticating your emails.

PC l0adletter
Posted - 2011.01.21 18:23:00 - [68]
 

Originally by: Cyaxares II

brilliance



Can you run for CSM, please?

Originally by: CCP Sreegs
Originally by: Agent Stone

Would a security token not act as another valuable block against this? I am pretty sure people have been asking CCP to release one of these, either Smartphone based, or via the Eve Store for years.

For example, see this thread from about a year ago where people are asking CCP to release such after a similar security blog post.

Your competitors (Blizzard as an example) are years ahead of you in this regard.


Without discussing a specific technology, were I you I would assume that something would be done to improve things given the comments I made in the "Authentication" section. We are looking at the authentication issue quite a bit.


So, you're looking "quite a bit" at things your competitors implemented three or four years ago?

Is there some sort of magazine award you can get for that?

Originally by: CCP Sreegs

I didn't work here in 2010



Well, fair enough.

I think everyone realizes you're sticking your neck out, and I'm not trying to chop your head off for things for which you couldn't possibly be responsible.

At the same time, there are a lot of problems with this gameproduct and no accountability. Are you aware of other companies that have seen 10% year/year revenue declines, customer revolts, repeatedly missed development deadlines, and buggy end-product without consequences for those responsible?

TCL987
Gallente
Posted - 2011.01.21 18:27:00 - [69]
 

Originally by: Noun Verber
Originally by: Nye Jaran
Say it with me... auth-en-tic-a-tor.

still hack-a-ble


Everything is hackable; using an authenticator just makes it harder and prevents someone from gaining access to your account using a keylogger. Given enough time someone could eventually figure out the algorithm, but it would take too long to be worth it.

Fury Mole
Posted - 2011.01.21 18:38:00 - [70]
 

I have not got the time and inclination to read through all of this thread but found it interesting to see that CCP is looking to combat Phishing e-mails. Tidying up some of their own processes might help in the first place.

I am currently having to log into the forum under one of my alt accounts due to the fact that my main character is banned due to someone else trying to hack my account. The fact that I now have my account, that I pay for, banned for 7 days... or at least until someone from CCP responds to the petition that they opened for me, has wound me up enough, but to add to that I found myself with an e-mail that for all intents and purposes mirrors the behaviour of phishing! So I am sorry to vent on this subject but I have nothing better to do now due to waiting to get my account unbanned.

I have never seen a Phishing e-mail relating to CCP or Eve and I have a very simple rule for any e-mail that I receive that indicates that I have a problem with any account of any kind.

Rule number 1. Never click on the link in the e-mail. Always go to the institution's website and access the information that they are drawing your attention to directly from their own website.

Now the e-mail that I got from CCP explained very politely that my account had been banned for 7 days (remaining calm) and that I could click on the link in the e-mail to get details of how to reactivate it before this.

Engage Rule number 1. Go to http://www.eveonline.com and try to access the account. I cannot .... it is banned. Attempt to access the petition system to confirm that the petition that is linked in the e-mail is real and not an attempt at Phishing. I cannot access the petition system to see the petition is real or not and I cannot log in.... my account is banned.

So I am left with having to click on the link in the e-mail and if necessary provide information within the petition that could be used by a Phisher to gain access to my account.

@CCP Maybe look at how your own behaviour empowers the phishers that you are trying to combat.

joe1
Posted - 2011.01.21 20:23:00 - [71]
 

how about a USB key ? I would pay for such a thing to protect my accounts

Riffix
The Graduates
Posted - 2011.01.21 23:36:00 - [72]
 

Good Dev Blog! Thanks for the information and the insight into what you are doing Sreegs. Your responses in this thread are also interesting/useful.

Sel'Na Rey
Posted - 2011.01.21 23:58:00 - [73]
 

Just wanted to add a couple of thoughts on this topic, since my personal background is in Software Engineering and areas of computer/network security.

First, Sreegs' blog was great in outlining the problem and some proposed solutions. Sounds like the solutions were well designed and should help reduce phishing. However I question how the SPF and DomainKeys will translate for email users not on MSN, Google, and Yahoo, like the Comcast, AT&T, Cox, and other smaller ISP providers out there. Also once phishing filtering is in place, the flow of fraudulent emails back to CCP by user submissions should fall off, reducing their ability to proactively detect and react to new methods.

So one of my ideas for possible consideration is essentially driving up the "cost" of these Bot and RMT activities. The motivation for this activity is the input cost to gain ratio. This academic paper outlines the costs associated with Spamming. Spamalytics. My proposed idea is some ideas for what CCP could do to increase the operating cost of RMTers and bots.

It seems to me the way CCP could drive up the cost of bots and RMTs is to discover their accounts by honey-pot methods and then use gameplay elements against them. I know the point of Unholy Rage was to flat out ban their accounts, which made sense from a hardware usage perspective, but in the next round CCP could start taking away privileges from their accounts. My ideas range from dropping standings with all empires to -10, preventing bounty payout, disallowing wallet transfers of any kind, removing skills and the gained SP, and hot dropping Sansha incursions on their ships. Essentially harass the heck out of them. I think these methods would be best applied to the identified participants of RMT networks and not the players unfortunate enough to have their accounts stolen by bad credentials or phishing attacks. Obviously a little leg work by the CCP security team is needed to identify the RMT players and their army of bots.

Just seems to me that simply banning accounts doesn't solve the root of the problem, but treats a recurring symptom. I'm sure there are many more ideas out there worth looking at. Just my 2 cents.

BeanBagKing
Terra Incognita
Intrepid Crossing
Posted - 2011.01.22 06:01:00 - [74]
 

Originally by: Sentient Blade
http://www.eveonline.com/ingameboard.asp?a=topic&threadID=1452886&page=2#35


I won't quote the whole thing, you can follow the link and read it, but he was discussing the use of personal strings to make sure we were logged into the correct site.

Bank of Montreal uses something very similar to this, a phrase and a picture, both picked by the user, that are displayed when they log in. If you click a link and don't see your unique picture and phrase, then it's a phishing site. By then you are already logged in, but it does make you aware of it so you can immediately go to the real site, change your info, open petitions, and otherwise secure data. Their methods may be worth checking out.

Also, +1 for smartphone authenticators.

Wollari
Phoenix Industries
Wicked Nation
Posted - 2011.01.22 12:30:00 - [75]
 

You just advised using SPF to block spam mail where other people claim your identity. SPF is okay in general, but the way your SPF record is registered doesn't get the fake mail dropped.

== your spf record ==

mail:~# host -t TXT eveonline.com
eveonline.com TXT "v=spf1 mx ip4:87.237.32.0/24 ip4:87.237.38.0/24 ip4:87.237.39.0/24 mx:mail.global.frontbridge.com mx:ymir.ccpgames.com ~all"

the "~all" match generates a "softfail". Mail in general gets "marked" as a possible identity problem but won't get discarded in the first instance by the MTA. It's good for testing and monitoring purposes.

If you're 100% sure that no other systems (apart from those listed in your SPF record) will send emails from eveonline.com it's maybe an idea to change "~all" to "-all". This will force other MTAs to drop the mail if it's not sent by an authorized system. This may cause problems when somebody is forwarding emails from one account to another. But that's a different story.

When you're happy with your SPF record change it to -all and save us all from the spam.

happy mailing.

Removed a forum-breaking tag. Spitfire

herot
Fortunis - Redux
Posted - 2011.01.23 12:37:00 - [76]
 

Originally by: CCP Sreegs
Originally by: Sentient Blade
2) Playing with location IMO is part of Authentication and I'll have something more to say about that soon.


One also has to consider that some of us use VPN services and can therefore appear to flit around the world in a strange fashion (or even be in two places at once if we for instance log in from different computers to the forum and the game, with one machine routing through VPN).

Ranka Mei
Caldari
Posted - 2011.01.23 13:45:00 - [77]
 

Edited by: Ranka Mei on 23/01/2011 13:46:59
Originally by: CCP Sreegs


If I'm correct, and I'll Google in a second and either be right or have immortalized my wrongness, SenderID is just Microsoft rebranding of either SPF or DomainKeys.

(I was wrong and I'll dig into it a bit. It's based on SPF but not the same. Thanks!)

Yes, you were wrong. :)

tl;dr version: SPF works on the 'MAIL FROM' identity, as given during the envelope stage of the SMTP communication (and before DATA has been issued). And in some cases on the HELO identity.

SenderID works on an algorithm which extracts a sender ID from the mail headers (everything after DATA, basically, up to the first double linebreak).

Thirler
The Arrow Project
Morsus Mihi
Posted - 2011.01.24 10:09:00 - [78]
 

Thanks for a good insight.

I have a related question. One of my corporation's members got hacked earlier. He had some trouble getting a quick reaction to get his account blocked/returned to him quickly (he got locked out); there wasn't really a petition section appropriate for this.

What is the best way to reach CCP when you think your account has been hacked? I would imagine the priority should be the same as the 'stuck' section as this can minimize the harm done and the profit for the hackers.

CCP Sreegs

Posted - 2011.01.25 02:33:00 - [79]
 

Originally by: ROXGenghis
You could look at RSA's Site Key:

http://en.wikipedia.org/wiki/SiteKey

I've never had a problem with it as a user, but I haven't studied its protocol so I can't vouch for it at this point.


This is a pretty interesting approach though it has at least one rather glaring weakness. Thanks though it does provide some food for thought.

CCP Sreegs

Posted - 2011.01.25 02:36:00 - [80]
 

Originally by: Melekhar Tazinas
Sreegs, have you guys considered signing your emails with a GPG signature?

Not that many people use GPG-enabled email clients, but for those of us that do, there's few better means of authenticating your emails.


We have and I'm looking into it deeper. The problem in the past with this type of thing has been the barrier to entry for the end user. DomainKeys uses a certificate in the actual sending of the email to validate the sending source, so once that implementation's done you may be able to get similar functionality though. I'm taking some liberty and oversimplifying here I know but it's 2:30 am and I'm pretty much stupid right now.

Ultimately I'd like it to be simple enough for Joe Average to be able to verify that an email came from us.

CCP Sreegs

Posted - 2011.01.25 02:39:00 - [81]
 

Originally by: Wollari
You just advised using SPF to block spam mail where other people claim your identity. SPF is okay in general, but the way your SPF record is registered doesn't get the fake mail dropped.

== your spf record ==

mail:~# host -t TXT eveonline.com
eveonline.com TXT "v=spf1 mx ip4:87.237.32.0/24 ip4:87.237.38.0/24 ip4:87.237.39.0/24 mx:mail.global.frontbridge.com mx:ymir.ccpgames.com ~all"

the "~all" match generates a "softfail". Mail in general gets "marked" as a possible identity problem but won't get discarded in the first instance by the MTA. It's good for testing and monitoring purposes.

If you're 100% sure that no other systems (apart from those listed in your SPF record) will send emails from eveonline.com it's maybe an idea to change "~all" to "-all". This will force other MTAs to drop the mail if it's not sent by an authorized system. This may cause problems when somebody is forwarding emails from one account to another. But that's a different story.

When you're happy with your SPF record change it to -all and save us all from the spam.

happy mailing.

Removed a forum-breaking tag. Spitfire



We know the record's set up improperly and making it proper is the change I was alluding to in the dev blog. Thanks though!

CCP Sreegs

Posted - 2011.01.25 02:41:00 - [82]
 

Originally by: Thirler
Thanks for a good insight.

I have a related question. One of my corporation's members got hacked earlier. He had some trouble getting a quick reaction to get his account blocked/returned to him quickly (he got locked out); there wasn't really a petition section appropriate for this.

What is the best way to reach CCP when you think your account has been hacked? I would imagine the priority should be the same as the 'stuck' section as this can minimize the harm done and the profit for the hackers.


I'll follow up here tomorrow but I thought there was a category for this. I'm not in Customer Service so it's not on the top of my head. I'd file as stuck until I can dig into it and tell you what the proper queue is. I can say that if it's not obvious it's probably something that should be fixed.

CCP Sreegs

Posted - 2011.01.25 02:44:00 - [83]
 

Originally by: TCL987

Everything is hackable, using an authenticator just makes it harder and prevents someone from gaining access to your account using a keylogger. Given enough time someone could eventually figure out the algorithim but it would take too long to be worth it.


Using an authenticator does help. The most glaring problem with authenticators tends to come from how sessions are managed by the application and not in the authenticator itself.

CCP Sreegs

Posted - 2011.01.25 02:45:00 - [84]
 

Originally by: herot
Originally by: CCP Sreegs
Originally by: Sentient Blade
2) Playing with location IMO is part of Authentication and I'll have something more to say about that soon.


One also has to consider that some of us use VPN services and can therefore appear to flit around the world in a strange fashion (or even be in two places at once if we for instance log in from different computers to the forum and the game, with one machine routing through VPN).



In any scenario flitting around the world would probably only require you to validate yourself out of band somehow. To be frank, this is still something we're thinking through and your concern here is something we're taking into consideration.

Epitrope
The Citadel Manufacturing and Trade Corporation
Posted - 2011.01.25 07:58:00 - [85]
 

Originally by: CCP Sreegs
Originally by: Melekhar Tazinas
Sreegs, have you guys considered signing your emails with a GPG signature?

Not that many people use GPG-enabled email clients, but for those of us that do, there's few better means of authenticating your emails.


We have and I'm looking into it deeper. The problem in the past with this type of thing has been the barrier to entry for the end user. DomainKeys uses a certificate in the actual sending of the email to validate the sending source, so once that implementation's done you may be able to get similar functionality though. I'm taking some liberty and oversimplifying here I know but it's 2:30 am and I'm pretty much stupid right now.

Ultimately I'd like it to be simple enough for Joe Average to be able to verify that an email came from us.


Honestly, I'd like to see CCP use PGP/GPG signatures a lot more: on emails, on downloads (the client and especially patches), and on killmails, off the top of my head. Allowing users to verify that something came from CCP is just as important as allowing CCP to verify that something is coming from a given user.

It seems to me that generating signatures doesn't make it any more difficult for users who don't validate the signatures. In emails, it'd be a bit they'd ignore; for downloads, it'd be an extra file they wouldn't get; and for killmails, it'd be a field, file, or API method they wouldn't read, download, or call.

Aside from that, EVE Online has never been filled with "Joe Average" users...

Vaneshi SnowCrash
Posted - 2011.01.26 17:30:00 - [86]
 

Originally by: CCP Sreegs
Ultimately I'd like it to be simple enough for Joe Average to be able to verify that an email came from us.


You're talking about a group of people who will click a link in an e-mail, send all their money to a 'Nigerian prince' and sit there with expired anti-virus software that came with their PC all those years ago.

That's Joe Average and frankly he's an idiot. If you want to keep him safe, sell him an iPad with an ARM compiled EVE client on it running a touch capable UI.

So if you want Joe Average to be safe... you should start taking the anti-psychotics erm... last week :)

Aineko Macx
Posted - 2011.01.26 20:47:00 - [87]
 

Just to say thank you for the hint on SPF/DKIM, I'm now implementing my own DKIM signer for use at my company in a project that requires the sending of lots of mails to customers.

