Is our personal information at RISK?
 
This thread is older than 90 days and has been locked due to inactivity.


 

iudex
Posted - 2009.10.31 03:10:00 - [61]
 

I mentioned above that an online banking security system, which uses a transaction number list (which makes it impossible to do any transactions, unless the hacker comes to your home and steals the list with the numbers) is not practical for online games, but maybe an altered version might be an option:

CCP could give us the choice of a higher security account (for an additional fee maybe) and send us an individualised list with let's say 100 codes by post. Each code consists of 5 digits (letters or numbers), the list will look like this:

1. x8s34
2. b203e
3. dw3fe
etc.

After typing login name and password there is an additional login field, which contains let's say 4 (36x36x36x36 = ~1.68 million possibilities) random digits from a random code, example:

Enter code 31 digit 3, code 84 digit 2, code 47 digit 1, code 63 digit 5.
We then have to look on the list and enter the 4 digit code, in order to get access to the account. This isn't as perfect as the online banking, where every code decays after use, but the hacker would have to observe and write down hundreds of logins, which can take months, until he finally gets enough data (could be made even harder with e.g. 200 codes consisting of 10 digits etc.).
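
The scheme iudex describes in post [61], written out as an added example (not part of any post and not CCP's code): a 100 x 5 card, a four-cell challenge, and a simulation of how many logins an observer has to record before a fresh challenge is more likely than not to ask only for cells already seen. It assumes each challenge is four distinct cells drawn uniformly from the whole card; all function names are made up for the illustration.

```python
import hmac
import random
import secrets
import string

ALPHABET = string.ascii_lowercase + string.digits   # 36 symbols per position
PICKS = 4                                            # positions asked per login

def make_card(codes=100, length=5):
    """Issue a card: `codes` rows of `length` random characters (CSPRNG)."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(length))
            for _ in range(codes)]

def make_challenge(rng, codes=100, length=5):
    """Pick PICKS distinct (code, digit) cells, both 0-based.
    A real server would pass secrets.SystemRandom() as rng."""
    cells = rng.sample(range(codes * length), PICKS)
    return [divmod(cell, length) for cell in cells]

def verify(card, challenge, response):
    """Constant-time comparison of the response with the expected characters."""
    expected = "".join(card[code][digit] for code, digit in challenge)
    return hmac.compare_digest(expected.encode(), response.encode())

def replay_probability(known, total):
    """Chance that a fresh challenge asks only for cells already observed."""
    p = 1.0
    for i in range(PICKS):
        p *= max(known - i, 0) / (total - i)
    return p

def logins_until_exposed(rng, codes=100, length=5, threshold=0.5):
    """Count observed logins until replay_probability reaches `threshold`."""
    total, seen, logins = codes * length, set(), 0
    while replay_probability(len(seen), total) < threshold:
        seen.update(make_challenge(rng, codes, length))
        logins += 1
    return logins

if __name__ == "__main__":
    rng = random.Random(2009)   # fixed seed so the simulation is repeatable
    print("blind guess space:", len(ALPHABET) ** PICKS)
    print("logins, 100 x 5 card:", logins_until_exposed(rng))
    print("logins, 200 x 10 card:", logins_until_exposed(rng, 200, 10))
```

Because the card never changes, every observed login permanently reduces what is left to learn, which is the difference from the bank lists where each code is used once.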

Domoso
Posted - 2009.10.31 10:49:00 - [62]
 

Edited by: Domoso on 31/10/2009 11:10:34
Edited by: Domoso on 31/10/2009 10:53:01
Originally by: iudex
I mentioned above that an online banking security system, which uses a transaction number list (which makes it impossible to do any transactions, unless the hacker comes to your home and steals the list with the numbers) is not practical for online games, but maybe an altered version might be an option:

CCP could give us the choice of a higher security account (for an additional fee maybe) and send us an individualised list with let's say 100 codes by post. Each code consists of 5 digits (letters or numbers), the list will look like this:

1. x8s34
2. b203e
3. dw3fe
etc.

After typing login name and password there is an additional login field, which contains let's say 4 (36x36x36x36 = ~1.68 million possibilities) random digits from a random code, example:

Enter code 31 digit 3, code 84 digit 2, code 47 digit 1, code 63 digit 5.
We then have to look on the list and enter the 4 digit code, in order to get access to the account. This isn't as perfect as the online banking, where every code decays after use, but the hacker would have to observe and write down hundreds of logins, which can take months, until he finally gets enough data (could be made even harder with e.g. 200 codes consisting of 10 digits etc.).


I agree. More security options would be great. And there are a number of available options that have been around for years. A digital signature would be great. Or perhaps a password generator like SAFEMLS keys that is a little device purchased from a company such as CCP. You press a button to get a random password that's good for about 90 seconds for you to log in with.

UserID and Password, for security, has been outdated since the Internet went online. Any person in any business even casually concerned about security knows this. And yet our options are limited to UserID and Password.

The #1 reason more security isn't implemented is cost. It doesn't cost CCP anything if your account is hacked unless they decided to repair the damage. Cost is quickly followed by reason #2, complexity or perceived complexity. The reality is solutions can be very simple. But, most companies just don't want to deal with it because userid and password is cheap and the standard.

CCP using the same account for the client and the website was a bad idea. The fact that CCP has allowed this practice to persist since inception is idiotic. Considering the ease at which CCP could rectify this situation and haven't is irresponsible. At the very least they should require a separate password for the website. Yes, I realize that our account on the web accesses certain information from Tranquility and we can renew our accounts online....but come on! There has got to be a more secure means to do all this with slightly more effort than required presently and infinitely less effort than implementing real security.

If CCP doesn't want to mandate a change in security practices for everyone, can we at least have the option for those of us wanting better security??? I realize that the weakest link is the customer interfacing with the company. So how about some options that don't require me, the customer, to have years of experience in the IT field (which I do) in order to properly secure my home network and nodes? And even with IT experience in order to properly secure a system one needs to be properly informed of the latest hacks and security threats. So how about some security that is a bit more secure and easier on the customer, eh CCP???

Kharamete
Amarr
Posted - 2009.10.31 11:32:00 - [63]
 

Edited by: Kharamete on 31/10/2009 11:32:56
Any kind of additional security measure would lead to a whine-fest threadnaught that would dwarf the ghost skilling by a factor of 2m. Honestly.

People do not read, generally, what shows up on their screen. People just click away warnings and pop-ups. Anything that gets between the user and a task will be got rid of, even if what gets between is valid and of concern.

Having worked in customer service, I know this for a fact. You can post a note with two m letters somewhere saying "X is this" and you will still get a lot of people come in and ask "What is X!?".

So, adding extra security measures like additional one time security codes will lead to two things:

a) People will whine
b) People will not play and go somewhere that does not have those measures.

People are lazy. Is that cynical? Probably. But experience says this.

Dionisius
Gallente
the muppets
RED.OverLord
Posted - 2009.10.31 11:41:00 - [64]
 

Originally by: Ukucia
Originally by: Dionisius
CCP could give us a virtual keyboard for user and pass input in the login screen, if not it would help reducing the possibilities of further accounts being hacked.

I recommend not suggesting solutions unless you actually understand the software involved.

Most "keyloggers" do not actually record the keystrokes you enter. It's much easier to just read the text out of the edit boxes where you enter your username and password.

So virtual keyboards, cut-n-paste, and similar solutions do nothing for security.

When you get a 'keylogger', your system is absolutely and completely open to the 'bad guys'. If it's inside your computer, they can read it. If it's attached to your computer, they can read it.


I recommend you shutting the hell up as I was a developer in one such softwares for a bank entity and I can pretty much assure that this type of measures is about 90% effective against the common hacks.

Again you people assume that most of the hackers use backdoors 100% of the time which is a completely frakked up and dumb assumption.


Dionisius
Gallente
the muppets
RED.OverLord
Posted - 2009.10.31 11:57:00 - [65]
 

Originally by: iudex
I mentioned above that an online banking security system, which uses a transaction number list (which makes it impossible to do any transactions, unless the hacker comes to your home and steals the list with the numbers) is not practical for online games, but maybe an altered version might be an option:

CCP could give us the choice of a higher security account (for an additional fee maybe) and send us an individualised list with let's say 100 codes by post. Each code consists of 5 digits (letters or numbers), the list will look like this:

1. x8s34
2. b203e
3. dw3fe
etc.

After typing login name and password there is an additional login field, which contains let's say 4 (36x36x36x36 = ~1.68 million possibilities) random digits from a random code, example:

Enter code 31 digit 3, code 84 digit 2, code 47 digit 1, code 63 digit 5.
We then have to look on the list and enter the 4 digit code, in order to get access to the account. This isn't as perfect as the online banking, where every code decays after use, but the hacker would have to observe and write down hundreds of logins, which can take months, until he finally gets enough data (could be made even harder with e.g. 200 codes consisting of 10 digits etc.).


Are you by any chance referring to those matrix type cards you receive from the bank? That's pretty hard to crack if implemented right.

And yes again, separate our client logins from the forums/webpage logins, why on earth do we have the same ID's for both?

Spurty
Caldari
V0LTA
VOLTA Corp
Posted - 2009.10.31 12:13:00 - [66]
 

Well I just got paid and my bank account is rosey until Monday morning when the mortgage gets paid. Oh nos my bank account is dying....

Only thing customers need to worry about is that their financial details are encrypted while at rest on CCP's end and knowing they are pretty clever ppl, a little bit of encryption isn't going to be very much effort for them.

Be more concerned about where your credit card goes when you pay for your food at a restaurant tbh

Sandeman Reserve
Posted - 2009.11.02 09:32:00 - [67]
 

Only time I've ever had credit card problems was when I ordered a Pizza Hut pizza over the phone.

Stupid of me to give my CC details over the phone, I'm sure... but it was the first time in months I'd used the card, and I was damn hungry... I got a phone call from the bank two days later to ask if I'd moved to Australia... because suddenly I'd bought Aus$1500 worth of phone cards.

S.

Al Thorr
Caldari
The Wheel
Posted - 2009.11.02 11:32:00 - [68]
 

Just My 2 Iskies.

Remember that Macromedia Flash can store huge amounts of your private data and ship it off to whomever without you realising it. They are much worse than tracking cookies.

It is a shame that companies move to these methods more and more.

It is always best to go to their online website settings manager tool and delete all the websites and set the general storage to Zero with don't ask me again enabled.

Unfortunately your privacy is always under attack.

Regards

Al Thorr



Ukucia
Gallente
The Scope
Posted - 2009.11.02 19:23:00 - [69]
 

Originally by: Dionisius
Originally by: Ukucia
Originally by: Dionisius
CCP could give us a virtual keyboard for user and pass input in the login screen, if not it would help reducing the possibilities of further accounts being hacked.

I recommend not suggesting solutions unless you actually understand the software involved.

Most "keyloggers" do not actually record the keystrokes you enter. It's much easier to just read the text out of the edit boxes where you enter your username and password.

So virtual keyboards, cut-n-paste, and similar solutions do nothing for security.

When you get a 'keylogger', your system is absolutely and completely open to the 'bad guys'. If it's inside your computer, they can read it. If it's attached to your computer, they can read it.


I recommend you shutting the hell up as I was a developer in one such softwares for a bank entity and I can pretty much assure that this type of measures is about 90% effective against the common hacks.

Again you people assume that most of the hackers use backdoors 100% of the time which is a completely frakked up and dumb assumption.



You don't use a 'backdoor' to read edit fields. Windows makes it nice and easy to read from 'em. You just need an HWND to the edit fields, which is trivial to get since you know the name of the application.

But even if we assume you know what you're talking about, you are arguing that if CCP changed the login process keyloggers would not adapt. They'd just throw up their hands and say "oh well, we're never gonna get any more accounts to hack. Time to turn back from this life of crime."

Dilaan Ito
Posted - 2009.12.21 21:47:00 - [70]
 

Some differences between CCP and several financial institutions:
  • several investment banks offer a 2FA (two factor authentication aka digital key (a small USB like gadget which generates a number)). As a result you need both the password + the secure key hardware in your hand to hack the account
  • Banks (at least in the US) are insured against "account take-overs". As a result I got my money back 2 weeks after reporting fraud on my checking account. I do not think CCP offers the same type of coverage

Dyphorus
Posted - 2009.12.22 14:42:00 - [71]
 

So some moron clicks a suspect link on the forums or goes to an ISK seller's site, gets their computer infected with a key logger, as a result gets their account hacked, and you want to blame CCP? I fail to see how they can control the ignorance of their subscribers.

Aside from that, all of these other things you say never happen, occur every day. It's called identity theft, ever heard of it? The difference is that CCP tries to take care of its subscribers where many institutions say 'well, I guess you should have avoided all of those virus infested **** sites.'

Report every instance of an account hacking to local cyber crime divisions? Yeah that'll get priority over the hundreds/thousands of people who've had their credit cards, bank information, social security number, or other important digital information stolen.

You sir are an idiot.

Fillip
Posted - 2009.12.22 15:06:00 - [72]
 

as many have said already, it's not ccp's servers that get hacked it's the player's pc.

you can't blame BMW that your car got stolen because you left the keys in sight of your front door (say hello to the piece of wire on a stick, through the letter box trick)

Malcanis
Caldari
Vanishing Point.
The Initiative.
Posted - 2009.12.22 15:17:00 - [73]
 

Originally by: Cute SpyGirl
Edited by: Cute SpyGirl on 31/10/2009 12:39:17
I never heard of online banks, online stock trading, or shopping online ever get hacked, not once...

Cute
Hips Don't Lie



Notsureifserious.jpg

Sir Rush
Caldari
Sirrush Holdings And Industries Inc.
Posted - 2009.12.22 15:27:00 - [74]
 

Originally by: Cute SpyGirl
Words



Laughing, also Rolling Eyes

Nicholas Barker
Deez Nuts.
Posted - 2009.12.22 17:06:00 - [75]
 

confirming I have also stolen bank details, as well as eve account details.

Pesky LaRue
Brotherhood Of Fallen Angels
Etherium Cartel
Posted - 2009.12.22 17:37:00 - [76]
 

Originally by: Spurty

Be more concerned about where your credit card goes when you pay for your food at a restaurant tbh


if you're in the US then most restaurants fall under PCI compliance, which they take really seriously (or get shut down) and everyone has to follow strict guidelines about how the info is handled and transmitted and is actually very safe (for the most part).

worry more about giving your credit card info out over the phone - some helpdesks are still outsourced to prisons...

Daelorn
Posted - 2009.12.22 18:36:00 - [77]
 

Originally by: CCP Wrangler
...tight... making it even tighter.



Mmmm

LeeIaa
Posted - 2009.12.23 02:22:00 - [78]
 

if they find any money to steal from me irl would be a damn surprise to me..

Choujinburi
Gallente
The Greater Goon
Clockwork Pineapple
Posted - 2009.12.23 02:47:00 - [79]
 

Honestly just shut up OP.

Ava Starfire
Minmatar
Teraa Matar
Posted - 2009.12.23 04:29:00 - [80]
 

THE SKY!

IT'S FALLING!!

Taedrin
Gallente
Kushan Industrial
Posted - 2009.12.23 04:39:00 - [81]
 

Originally by: Choujinburi
Honestly just shut up OP.


The OP did "shut up". This thread was necrod after 60 days, and not by the OP.

MsValentineWiggin
Posted - 2009.12.23 04:47:00 - [82]
 

Originally by: http://abcnews.go.com/GMA/citigroup-hacked-russian-cyber-gang-wsj-reports/story?id=9398512
I mentioned above that an online banking security system, which uses a transaction number list (which makes it impossible to do any transactions, unless the hacker comes to your home and steals the list with the numbers) is not practical for online games, but maybe an altered version might be an option:



You are not technically correct. See the post that refers to 2FA. Even if a keylogger or "friend" gets your password, it is only valid for another minute or two. More conveniently, you can now get the 2FA as an iPhone application, so you do not even need extra hardware.

You are also incorrect about other games: WoW has offered a 2FA solution for quite some time. And recently, they started giving out an in-game pet to encourage people to increase their security. http://us.blizzard.com/support/article.xml?locale=en_US&articleId=24660

Perhaps this is not the most important thing for CCP to work on. On the other hand, if CCP is offering less security than other games, that is at least partially on them.

Hundreds of thousands of people get their machines hacked/keylogged; >99% of them have never bought ISK or even played EVE.

BTW, American banks have learned from the Bees: just blame the Russians :-)
http://abcnews.go.com/GMA/citigroup-hacked-russian-cyber-gang-wsj-reports/story?id=9398512


