Account security

Discussion in 'Player Support' started by Elricvonclief, Jun 21, 2015.

  1. Elricvonclief Augur

    The title says it all.

    I've two former guildmates that swear up and down that they did nothing wrong. While we were not "bestest buddies", we got along and they seemed straight up guys.

    Pwnz and Tierwin are gone, sold off and character deleted.

    Regardless of how those toons were lost, I'm asking for another level of security.
  2. Aghinem Augur

    Per Roshen from https://forums.station.sony.com/eq/...tripped-there-is-a-problem-here.223716/page-4

    "If someone is legit hacked, CS has tools to help restore characters.

    "If someone is sharing their account information, I'd like to remind people that not only is that a violation of our terms of service, but also a pretty easy way for people to get into your account without "hacking."

    Ultimately - you can implement all the security protocols you want; it doesn't help when the main root cause of a majority of these issues has been account sharing whether people will fess up to it or not.

    Additional security is like buying a new door lock for your front door and leaving the door open; obviously, the lock isn't going to work. Just like accounts, let's add 5 new security protocols and then you will still see people sharing accounts and then claim they were "hacked".

    I encourage anyone who is gunning for increased security measures to read this article:

    http://www.csicop.org/si/show/thinking_critically_about_computer_security_trade-offs/

    Quoting from that website, "Good security decisions require making intelligent trade-offs, but far too often we settle for poorly justified security measures based on fear and ignorance rather than reasoned risk analysis."
  3. complexication Kassina

    Speaking from experience as a moderator of forum and games in the past, just because someone swears up and down they didn't do anything, doesn't mean they're telling the truth. Obviously CS has the tools to see what happened, we don't.

    And like Aghinem said, we can ask for accounts that are more secure than the Bullion Depository within Fort Knox, but the security is pointless if someone decides to let their BFF or their sister's uncle's cousin's nephew play with the account. /shrug
    Aghinem likes this.
  4. Kayarra New Member

    Newsweek reported yesterday of yet another treasure trove of private Sony materials released.
    vjfinazzo likes this.
  5. Harmonae Journeyman

    I would like to understand what "legitimately hacked" means. Can we get some details on how CS determines when a legitimate hack has taken place?
  6. Corwyhn Lionheart Guild Leader, Lions of the Heart

    I can tell you that if you get a key logger installed on your computer and someone loots your RL bank account the bank isn't going to do anything for you. There have been cases where a company's employees clicked on the wrong email and infected their system and the company lost lots of cash they never got back. Same thing happens to individuals. For good or for bad the security of our own computers is our responsibility. Of course when people steal real world money they leave themselves open to real world jail time.

    Korea is the only place I know they will arrest you for virtual theft or at least the only place I found articles saying so.

    All that being said I don't think keyloggers are that likely a source of any account breach. Possible but not very likely.

    As for what defines a legitimate hack I don't think I have ever seen Daybreak or SOE ever define it. I would assume it is one where there is evidence of some sort of forced intrusion other than simply typing in the account name and password with room for a couple failed attempts. Someone's account being bombarded with hundreds and thousands of password attempts over a short period of time might be considered a legitimate hack. No one is going to randomly guess a password in several attempts unless someone is being unwise and using very similar passwords all over the place. And without the account name this sort of hack would be next to impossible. Another legitimate hack would be evidence that Daybreak was hacked directly and their account databases compromised. THAT is going to cause a lot more accounts than two to be hacked and also brings us back to actual JAIL TIME for doing it. Hack a player's account and steal their stuff, jail time is very unlikely, so which are you going to try if you are a small time EQ hood looking to score some raid gear to sell on FV? I mean if you can hack a company's system there is bigger money out there for the same jail time. So people suddenly talking about Daybreak being hacked when two members of a guild are supposed to have lost toons is really stretching it.

    So it comes down to we are all responsible for the security of our own computers. If an account is compromised because someone gets your account name and password due to your bad computer security or from you handing it out you will get nothing from Daybreak and to be honest that is not an unreasonable policy.

    And this thread will no doubt be locked as it is discussing the same subject from another locked thread.

    Not trying to be the bad guy here and I am not an apologist for Daybreak. I just feel we all need to take some responsibility for the security of our own computers. And I also believe most "hacked accounts" were simply people leaving their account info around in places they shouldn't have or with people they shouldn't have.
    complexication likes this.
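Added example, not part of any post and not Daybreak's tooling: a sketch of the distinction drawn in the post above between an account "bombarded" with password attempts and one opened with the right password after at most a couple of misses. The log format, thresholds and account names are assumptions, and the log lines are constructed.

```python
from datetime import datetime, timedelta

# Assumed thresholds for illustration; the thread gives no figures.
BURST_FAILS = 100                      # "hundreds and thousands" of attempts
BURST_WINDOW = timedelta(minutes=10)   # "over a short period of time"
TYPO_ALLOWANCE = 2                     # "room for a couple failed attempts"

def parse(line):
    """Parse 'ISO-timestamp acct=NAME ip=ADDR result=OK|FAIL' (made-up format)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["acct"], kv["ip"], kv["result"] == "OK"

def classify(lines, account):
    """Label the last successful login on `account` by what preceded it."""
    events = sorted(e for e in map(parse, lines) if e[1] == account)
    wins = [e for e in events if e[3]]
    if not wins:
        return None
    when, _, ip, _ = wins[-1]
    # Failed attempts inside the window that ends at the successful login.
    fails = [e for e in events
             if not e[3] and timedelta(0) <= when - e[0] <= BURST_WINDOW]
    seen_before = any(e[2] == ip for e in wins[:-1])
    if len(fails) >= BURST_FAILS:
        verdict = "guessing burst before success"
    elif len(fails) <= TYPO_ALLOWANCE:
        verdict = "correct credentials presented"
    else:
        verdict = "needs manual review"
    return verdict, len(fails), "known ip" if seen_before else "new ip"

def sample_log():
    """Constructed log lines; addresses are from documentation ranges."""
    t0 = datetime(2015, 6, 20, 3, 0, 0)
    log = [f"{(t0 + timedelta(seconds=i)).isoformat()} acct=alpha ip=203.0.113.9 result=FAIL"
           for i in range(300)]
    log.append(f"{(t0 + timedelta(seconds=300)).isoformat()} acct=alpha ip=203.0.113.9 result=OK")
    log += ["2015-06-01T19:00:00 acct=bravo ip=192.0.2.10 result=OK",
            "2015-06-20T04:10:00 acct=bravo ip=198.51.100.7 result=FAIL",
            "2015-06-20T04:10:20 acct=bravo ip=198.51.100.7 result=OK"]
    return log

if __name__ == "__main__":
    for acct in ("alpha", "bravo"):
        print(acct, classify(sample_log(), acct))
```

The second account is the case the thread argues about: from the server's side a shared or stolen password looks the same as the owner logging in, and the unfamiliar source address is the only signal that differs.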
  7. vjfinazzo Lorekeeper

    Guess what guys, I have LEGITIMATE proof that I could have possibly been hacked. These are just a few things to pop up within the last few days that have happened to me, making me think my whole system is compromised, and I have truly been hacked.

    Possible Proof #1: Samsung Galaxy S4-S6 Keyboard Compromised
    http://time.com/3925962/samsung-galaxy-edge-hacking-s4-s5-s6-security-cyberattack-keyboard/
    I admit I have a Galaxy S5, and I also admit that I have logged into my EQ account on the website via my mobile device to post on the forums when I am on the go. Not saying this is how I got hacked, but it is definitely a potential way, and I am just trying to put as much evidence out there as I possibly can, I just want my character restored :(

    Possible Proof #2: My Facebook Account was attempted to be hacked as well
    Here is a screenshot of it, and it should pop up, but I will also put a link after.
    [IMG]
    http://i59.tinypic.com/6qfn8j.jpg

    I would just like a more serious investigation into my account and character, before giving up. Please.. I have spent so much time and effort on this game.. troll all you want, I just want my character back, even if he's naked..
    Motherlee likes this.
  8. Rila Journeyman

    This is an excellent question. I think a lot of individuals, including many criminal prosecutors, would loosely define a "legit hack" as one individual taking action on another individual's account (the account owner) without the account owner's authorization. However, I don't think Daybreak has ever come out and said what they define as a "legit hack." And, considering Daybreak's public stance to consumer complaints (shutting threads down), I have a feeling they don't even have a solid definition of it themselves.

    Furthermore, to aggravate the problem, if Daybreak doesn't have a definition of what a "legit hack" is, how in the world are they supposed to investigate complaints to determine what are "legit hacks" vs. "illegitimate hacks" / non-hacks? Or, maybe we're just supposed to trust that Daybreak has a foolproof system and is doing everything in their power to help us customers... LOL. I believe this about as much as I believe North Korea just discovered the cure-all drug to everything.

    Of course, if Daybreak actually implemented some security measures, like requiring a text or email confirmation before changing passwords or doing server transfers, then Daybreak's customer service statements might actually have some legitimacy as they would have a substantive basis to conduct their investigations.
    Elricvonclief, Glace and vjfinazzo like this.
  9. Aghinem Augur


    I don't know about Daybreak - but my definition of legitimately hacked is someone using invasive and aggressive password decryption techniques through multiple attempts and use of malicious software that assists in decryption; and any other means that would be considered forcible entry that is not through account sharing.
  10. Aghinem Augur


    Proof #1 Response) That is not proof. That is an article suggesting there are security flaws in Samsung Galaxy smartphone models S4 through S6. This does not suggestively determine you are a victim of hacking. The only way this might be plausible is if you were using your mobile device in an unsecured WIFI network.

    Proof #2 Response) Keyword of that Facebook message is ATTEMPTED. This does not mean they were successful. They attempted to login to your Facebook and failed. That is not a hack.

    Is the email you use for your station account the same one that is linked to your Facebook? When trying to identify a cyber attacker, you have to connect a lot of dots. I would suggest you contact FB, request an IP address of the person who attempted to login to your account - forward given information to Daybreak, and see if it matches the IP of the person who logged in the date your toon disappeared. If it is a match, you have hope - if there is no match; then it's a false lead. Unfortunately, good hackers use proxy servers and virtual ware to mask their location - hopefully for you, it was amateur hour.
  11. moogs Augur

    Keyloggers are common and freely available. My friend is just a non-techie receptionist and she put one on her boyfriend's computer to report on all of his online activities. Not that I'm suggesting anyone else try that, only that it requires no skill and this would be the most obvious method of forced entry into an EQ account outside of people using the same login/pass for every website they visit.
  12. Mayfaire Augur

    I am more and more boggled by some of you. It seems the moment this issue is brought up, y'all come flying out of the woodwork to argue for LESS security. Can someone please explain the benefits of LESS security for our toons that we have put years of work into? :confused:

    This is like saying that placing your $2,000 Alienware laptop in the backseat of your car should be fine because the car is locked. Let's ignore the fact that thieves can see the juicy laptop laying there, and all they have to do is figure another way into the car.

    So, no, I'm going to take that laptop and put it into the trunk, and put towels and bags over it. I hopefully was smart enough to have a security system on the car. Or, even better, I'll take the laptop into the house, or keep it with me, or whatever.

    Bad analogy aside, all I am really trying to say is, these dang toons mean a lot to some of us, and there are a lot of us who feel they are currently not safe at all.

    More security measures hurts you how? Help me understand this.
    beryon, Rila and Elricvonclief like this.
  13. Aghinem Augur


    Additional Account security doesn't help someone's lack of personal computer security. EQ can implement every security measure out there; it doesn't stop people from account sharing or stop people from getting viruses from having poorly maintained AV programs. Read the article I posted. I will relink it:

    http://www.csicop.org/si/show/thinking_critically_about_computer_security_trade-offs/

    Quoting from that website, "Good security decisions require making intelligent trade-offs, but far too often we settle for poorly justified security measures based on fear and ignorance rather than reasoned risk analysis."

    You have to consider how many actual reports there have been in the last year that have been validated as legitimate hacks vs. how many were reported as hacks that were really a stolen account from account sharing before proposing additional security measures. That is why you do risk assessments; kind of like being an actuary for IT security.
    complexication likes this.
  14. Mayfaire Augur


    I really don't want to wait to find out what DBG considers a legit hack. I want the security in place to not be hacked in the first place.

    Just like I put a security system on my house and car, because I would rather try hard to prevent theft from happening in the first place, than to have to fight tooth and nail with insurance companies to get my stuff back after the theft has already occurred.

    An ounce of prevention is worth a pound of cure, people. :eek:
    beryon and Elricvonclief like this.
  15. Aghinem Augur

    To take it a step further in response to Mayfaire's response, too much security can actually create compromises to the account holders through their very own actions.

    Example: Let's say there is a 3 point security check; password to login, 6 digit pin number to access your server, secondary 6 digit pin code to access your toon - each of which is not allowed to be saved in cache - so you have to manually enter it each time.

    Do you realize the number of people who would more than likely lose access to their own accounts simply by not being able to retain all that information? CSR would be swamped with password & pin recovery requests.

    This is a very realistic scenario and in the end, you will have people complaining about too much security. I nearly lost my Diablo 3 account because my authenticator was on a smart phone that I hadn't used in a year; and had I not located it - I would have been screwed.

    Simple is better.

    Make 1 really good strong password.

    1. Password length at least 8 characters long.
    2. Password having at least 1 upper case letter within the 8 character password.
    3. Password having at least 1 number within the 8 character password.

    Those 3 steps will make a strong password.

    To make a powerful password:

    1. Password length at least 12 letters long.
    2. Password having 4 numbers within the 12 character password.
    3. Password interchanges between capital & lowercase between letters.
    Motherlee likes this.
  16. Mayfaire Augur

    But Aghinem, if they would end transfers to FV altogether, and take away the avenue to profit, then the community of EQ would not have to become pseudo online security experts in order to protect their toon.
    beryon and Elricvonclief like this.
  17. Mayfaire Augur

    I changed to a password that is so hard that I locked my own damn self out of my account for two days (proving part of your point for you).

    We should ALL feel unsafe as long as the temptation is there, via transfers to FV, to make thousands of dollars off of our toons.

    #EndFVTransfers

    PLEASE.
    Motherlee, Elricvonclief and Glace like this.
  18. Aghinem Augur


    If someone has already accessed your computer through malware, it doesn't matter what security measures exist with EQ. I'm not sure why this is so difficult to understand.

    If you run a server, and someone manages to bypass security and accesses the root directory - it doesn't matter what security measures you have for the other folders (accounts); the person in control of root controls all.
  19. Mayfaire Augur


    What is the benefit to them, if they cannot profit from it if FV transfers no longer exist?

    I am not sure why THAT is so hard to understand and get behind.
    Elricvonclief and Glace like this.
  20. Aghinem Augur


    You are basically asking for hundreds to be punished over the act of 10s. There are a lot of great people who transferred to FV because they were tired of certain servers and didn't feel like starting all over.