Closed Thread
Page 35 of 82 FirstFirst ... 25 31 32 33 34 35 36 37 38 39 45 ... LastLast
Results 511 to 525 of 1219

Thread: Account Security Discussion

  #511 Grimring (Soulwalker)

    Quote Originally Posted by ManWitDaPlan:
    Under normal circumstances you'd be right. What's going on with Rift is not normal circumstances, and the normal rule is not in force. I dare say that in Rift's case odds are high that most if not nearly all of the hacking victims were not malware-infected.

    I keep saying that there's an exploitable weakness in the design of the game's authentication system that is being exploited and is opening the door to hackers, yet people with apparent cognitive dissonance problems continue the "it must be you" angle.


    And as long as the Internet and MMOs have existed, and as many object lessons as there are now regarding security, not having damn-near-ironclad security at launch is pretty close to inexcusable. If you're not skilled enough to build in proper security for any online application you don't need to be writing online applications.
    +111111111 rep

    I don't understand why trolls keep trying to blame legitimate users when this is clearly a widespread issue.

  #512 (Shadowlander)

    I'm getting a little sick of this whole ordeal.

    Being blamed for the compromised account and unable to play the game for 3 going on 4 days.

    No official word from the dev team.

    The praised Coin Lock feature, which was obviously rushed out the door ahead of schedule, is not working and is impeding legitimate users from accessing the code in their emails.

    I love this game and Trion's handling of the community up to this point, but as of right now I can't play the game I paid for. This is not so much a rage post as it is a depressing and sad one.

    It is seriously making me reconsider putting up with all this.

  #513 (Soulwalker)

    Hey, I didn't know where to post this, so here it goes:
    I am one of the unfortunate that got my account hacked; my lvl 50 mage lost all his gear and money. All I got from contacting a GM was a reference number.
    So when can I expect my character to be reset and be playable again?

  #514 ManWitDaPlan (Rift Disciple)

    Quote Originally Posted by Grimring:
    +111111111 rep

    I don't understand why trolls keep trying to blame legitimate users when this is clearly a widespread issue.
    Because people often get mentally "stuck" into a specific viewpoint that a sudden deviation from the norm won't fit, and try to force the deviation to fit the norm instead of adapting to the change. You can't have tunnel vision if you do any sort of work in IT security, as that leaves you blind to the threat you don't expect. Such I suspect is the case with Rift - Trion obviously built its authentication system without any consideration for what would happen if it's attacked, and once it was, that was it.

    I have shareware applications on the intarwebs that have been "in the wild" yet uncracked, for years. Why? Because I built my protection around the "how would I attack this?" approach.

  #515 Cheith (Rift Chaser)

    Quote Originally Posted by ManWitDaPlan:
    Under normal circumstances you'd be right. What's going on with Rift is not normal circumstances, and the normal rule is not in force. I dare say that in Rift's case odds are high that most if not nearly all of the hacking victims were not malware-infected.

    I keep saying that there's an exploitable weakness in the design of the game's authentication system that is being exploited and is opening the door to hackers, yet people with apparent cognitive dissonance problems continue the "it must be you" angle.


    And as long as the Internet and MMOs have existed, and as many object lessons as there are now regarding security, not having damn-near-ironclad security at launch is pretty close to inexcusable. If you're not skilled enough to build in proper security for any online application you don't need to be writing online applications.
    Yes, you keep saying that, and there have been some people claiming that they can log in again if on their own PC without re-entering their user id and password. No one has yet shown that they have an attack that can work remotely.

    The unfortunate truth is that the majority of hacks are normally from key loggers and the like. There have even been a number of people who have had the balls to include the fact that they did have a key logger that their AV did not originally find.

    I am not saying that Trion do not have a security hole; most security systems have (at the very least) theoretical, if not always practical, security holes. I am, however, saying that there has been way too much in the way of unsubstantiated accusations going on. This is especially true considering the nature of some of the current attack vectors out there with popular software such as Flash.
    C.
    This is meant to be entertainment, not a life substitute. (lordofeyes)
    Disclaimer:
    These opinions are my own. I reserve the right to sprinkle the odd fact in amongst my opinions to confuse the reader.

  #516 the_real_seebs (RIFT Community Ambassador)

    Quote Originally Posted by Cheith:
    Yes, you keep saying that, and there have been some people claiming that they can log in again if on their own PC without re-entering their user id and password. No one has yet shown that they have an attack that can work remotely.
    I can tell you this much:

    If you gave me the key they're using to sign stuff, I'm pretty sure I could log in on any account. Without knowing the email address or password. (I wouldn't know which account, but why would the attackers care?)

    Quote Originally Posted by Cheith:
    I am not saying that Trion do not have a security hole; most security systems have (at the very least) theoretical, if not always practical, security holes. I am, however, saying that there has been way too much in the way of unsubstantiated accusations going on. This is especially true considering the nature of some of the current attack vectors out there with popular software such as Flash.
    It's not really unsubstantiated. It's not proven, but... They have an authentication mechanism of a type known to be vulnerable to attacks, it has at least one of the bugs that would be necessary for an attacker to exploit this, and there's other evidence that some of the system has, at the least, not gone through a thorough security audit. (e.g., the custhelp site using http: and submitting passwords and account names in cleartext).

    That, plus the number of people who actually do run the sorts of security stuff that would normally be needed to catch or prevent these attacks, or who only play RIFT on a dedicated gaming machine that does nothing but play games, and who are getting hit anyway, sort of leads to the suggestion that the exploit is, at the very least, worth considering as an explanation.

  #517 (Shadowlander)

    6 days, 3 tickets and 2 phone calls and my character is still naked. **** normal circumstances. This is horrible service. For all of you out there waiting for someone to take care of your problem, don't bother. I'm going to go play naked and just get new gear. I wish I would have come to this decision sooner. The GMs won't help you. For those of you who already got all their stuff back, I don't know how you did it, but that's awesome.

  #518 Balboa (Telaran)

    Quote Originally Posted by saphriani:
    I for one am happy Trion is proactive; several other games are not as responsive to what is happening. I was dumb once in WoW and followed one of those letters/sites that looked almost real and, being naive, clicked on it and lost all.

    I was happy when I read that they were doing the lock on accounts, but after having to key in the special codes 3-4 times now, I'm hoping that there is a better way to do it.

    Last night, Comcast decided to act up and kept phasing in and out. During one of the phase-outs, I was disconnected and I attempted to log back in. When I finally got back in, I was not totally back online and it was like swimming in soup; I found I had one of those key things. I was on my desktop that I log on with all the time with no problems. I guess because of the lag Comcast was giving me, the game thought I was coming from another location. I could not enter the code because I could not get to my email. I had to wait till this morning to attempt to access my email; wonderful COMCAST decided to straighten out and I got the numbers, logged in and entered them.

    I play at work on a laptop with my mobile phone as a modem; it's slow but doable. When I logged in, the game again attached a key log-in thing. I guess it was the lag time or something. I work 30 miles away and the IP is similar to that of my home desktop on Comcast. It does not say I am hundreds of miles away.

    I'm wondering if this will happen to me each time I change computers, desktop to laptop and vice versa, and each time I lag.
    I keep having to log in the lock code as well. Comcast and AT&T wireless modem for laptop. I don't mind the concept, but it needs work.
    When all is said and done ... too much is said than done.
    Rome wasn't created by meetings. They did it by killing their enemies.

  #519 Cheith (Rift Chaser)

    Quote Originally Posted by the_real_seebs:
    I can tell you this much:

    If you gave me the key they're using to sign stuff, I'm pretty sure I could log in on any account. Without knowing the email address or password. (I wouldn't know which account, but why would the attackers care?)

    It's not really unsubstantiated. It's not proven, but... They have an authentication mechanism of a type known to be vulnerable to attacks, it has at least one of the bugs that would be necessary for an attacker to exploit this, and there's other evidence that some of the system has, at the least, not gone through a thorough security audit. (e.g., the custhelp site using http: and submitting passwords and account names in cleartext).

    That, plus the number of people who actually do run the sorts of security stuff that would normally be needed to catch or prevent these attacks, or who only play RIFT on a dedicated gaming machine that does nothing but play games, and who are getting hit anyway, sort of leads to the suggestion that the exploit is, at the very least, worth considering as an explanation.
    I did say it should not be ruled out, but the amount of ranting that has gone on from some other people is beyond a joke. It is absolutely worth considering, but there needs to be someone reputable claiming an authentic break in Trion's authentication mechanism that can be used remotely - not on your own PC.

    With all the self-proclaimed security experts out there I am sure there must be someone capable of doing it in 5 minutes.

    The reality is that even security 'experts' get their accounts compromised because they have a lax moment, or encounter a zero day attack delivered by a popular site that they visited. This too cannot be ruled out.

    The real problem here is that there will be several attack vectors going on. If I was going to have a sneaking suspicion, I would say one of them had to do with people keeping the same passwords from Beta and there being an issue with one of the Beta clients, if this was on Trion's end.
    C.
    This is meant to be entertainment, not a life substitute. (lordofeyes)
    Disclaimer:
    These opinions are my own. I reserve the right to sprinkle the odd fact in amongst my opinions to confuse the reader.

  #520 Unibroue (Telaran)

    Ok, before leaving for the weekend, here is what I found after some packet decoding!

    Basically, the patcher/launcher is negotiating your credentials in pure HTTPS with an auth server somewhere at trionworlds, which is perfect at this point. No way someone is stealing passwords over an HTTPS connection; that's WAYYYY too complicated.

    On the other hand, once you're logged into the launcher/patcher, it shows some patch notes etc., runs some updates if needed and then allows you to run the game!

    How do they do this exactly?

    They use what we can call a "token". Basically they don't want to use HTTPS for all the communications, since HTTPS adds load on all communications and could make the game laggier and more demanding on the server side, and honestly it would be stupid to encrypt all traffic!

    They're sending with each packet an authentication token, which includes some information:

    1. Your email
    2. A big string of random chars (that string is reused in ALL communication with Trion, so I'm guessing this is where they hide your password and authentication credentials)
    3. IP address
    4. Token creation date
    5. Token expiration date

    From here, I don't want to go further, because that would be against the TOS, and that's really not my objective here; I just needed to clarify something with all of you!

    EDIT: At this point I don't know if it would be possible to change this info and inject some packets in there to gain access to other accounts without a password; that's outside my scope!

    - Trion databases haven't been compromised
    - Your credit cards are secured
    - Trion ARE working on the issue
    - There are people whose accounts got hacked because of them not being careful
    - There are people whose accounts got hacked for unknown reasons (yet)

    I want to stipulate here that the way Trion manages the auth/negotiation is perfectly normal, and it's the way MOST software does it: you encrypt the user/pass exchange, and then only pass a token that shows that you're the right person.

    I'm not a big fan of the idea of really big-scale hacks going on here, because even though MMO hacking can give good revenue, it's not worth it; think about the real spam industry (fake pills, etc.) that brings in millions PER DAY! That is a business in which hackers will put A LOT of money, because that will bring a LOT of money.

    So the hack that is happening here has to be quite simple, and can include a lot of different scenarios (compromised websites/compromised emails/compromised PCs) etc. Honestly, at this point there's no way to know!

    I remember some 0-day threats about PDF documents I had to deal with in the past, and it's always a freaking mess, even with the best team ever, so bear with Trion and give them the time to make things right!
    Last edited by Unibroue; 03-18-2011 at 12:08 PM.
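An added worked example, not code from any post above and not Trion's code: a signed session-token scheme of the shape Unibroue describes in post #520 (email, a random session string, client IP, creation and expiration times, carried on every request after the HTTPS login), together with the consequence seebs draws in post #516, that whoever holds the signing key can mint a token the server accepts for any account without knowing its email or password. The field names, the HMAC-SHA256 construction, the IP binding, the one-hour lifetime and the sample accounts are all assumptions made for illustration; nothing here is Trion's actual wire format.

```python
"""Added example of a signed session token (assumed design, not Trion's).

issue_token()   -> what the auth server hands out after the HTTPS login
verify_token()  -> what a game server would check on each incoming packet
tamper_email()  -> an attacker WITHOUT the key editing the token
demo()          -> legit, replayed, expired, tampered and key-forged cases
"""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# The server's signing key. In the thread this is "the key they're using to
# sign stuff"; leaking it is the scenario seebs describes in post #516.
SERVER_KEY = secrets.token_bytes(32)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, email: str, client_ip: str, now: float, ttl: int = 3600) -> str:
    """Mint a token carrying the five fields listed in post #520, HMAC-signed."""
    body = {
        "email": email,
        "session": _b64(secrets.token_bytes(24)),  # the "big string of random chars"
        "ip": client_ip,
        "iat": int(now),          # creation time
        "exp": int(now) + ttl,    # expiration time
    }
    payload = json.dumps(body, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_token(key: bytes, token: str, client_ip: str, now: float):
    """Return the account email if the token is authentic, unexpired and bound
    to client_ip; otherwise None. Note that authenticity means "signed with
    key", not "the real owner logged in": a token minted by anyone holding the
    key passes every check here."""
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = _unb64(payload_b64)
        sig = _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None  # edited or forged without the key
    body = json.loads(payload)
    if not body["iat"] <= now < body["exp"]:
        return None  # expired (or issued in the future)
    if body["ip"] != client_ip:
        return None  # replayed from a different address
    return body["email"]


def tamper_email(token: str, new_email: str) -> str:
    """Attacker without the key swaps the email field and keeps the old signature."""
    payload_b64, sig_b64 = token.split(".", 1)
    body = json.loads(_unb64(payload_b64))
    body["email"] = new_email
    payload = json.dumps(body, separators=(",", ":"), sort_keys=True).encode()
    return _b64(payload) + "." + sig_b64


def demo() -> dict:
    """Exercise each case on constructed sample data (addresses are documentation ranges)."""
    now = time.time()
    victim_ip, attacker_ip = "192.0.2.10", "198.51.100.7"
    tok = issue_token(SERVER_KEY, "victim@example.invalid", victim_ip, now)
    forged = issue_token(SERVER_KEY, "anyone@example.invalid", attacker_ip, now)
    return {
        "legit": verify_token(SERVER_KEY, tok, victim_ip, now),
        "replayed_from_other_ip": verify_token(SERVER_KEY, tok, attacker_ip, now),
        "expired": verify_token(SERVER_KEY, tok, victim_ip, now + 7200),
        "tampered_without_key": verify_token(
            SERVER_KEY, tamper_email(tok, "gm@example.invalid"), victim_ip, now),
        # seebs's point: with the key, no email or password of the target is needed.
        "forged_with_key": verify_token(SERVER_KEY, forged, attacker_ip, now),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:24s} -> {result}")
```

Two design points fall out of the demo. First, the signature only proves the token was produced by someone holding the key; if that key leaks, or if a server-side bug signs attacker-chosen fields, verification succeeds for any account, which is why the "random string" is better used as a handle to server-side session state than as a place to hide credentials. Second, binding the token to the client IP stops straightforward replay from another address, but it also bounces users whose address changes mid-session, exactly the experience saphriani and Balboa describe in post #518 with Comcast flapping and a mobile-phone modem; loosening the match (for example to a network prefix) or re-prompting with a second factor are the usual trade-offs.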

  #521 (Rift Disciple)

    Why is Trion not doing what other MMOs did? What hackers are after is in-game currency, right?

    Trion could implement their own ATM inside the game. If people want more currency to play their game the way they want, they can do it. They could sell currency from their website and send you a one-time-use code to enter at the ATM machine or special vendor.

    That could cut the grass under the hackers' feet and be gone with it.

    Just a thought!

  #522 ManWitDaPlan (Rift Disciple)

    ATTENTION TRION - I HAVE VERIFIED THE AUTHENTICATION SYSTEM CAN BE BYPASSED, BY SUCCESSFULLY LOGGING INTO ANOTHER ACCOUNT WITHOUT NEEDING ITS CREDENTIALS.

    Just successfully logged into a friend's account (with his permission, and while he watched) without knowing his username or password, by bypassing the auth system entirely. Worse, all it took was about thirty seconds of time once I got all of the details locked down.

    I did trigger Coin Lock, but I was fully able to access that handy delete-character button, so this exploit is a griefer's dream.


    This is a huge security hole. Accounts can be accessed without needing any information at all from clients.


    I will not post details on how to do this (so don't ask), but I'm positive that I can reproduce this at will and likely on any account on the system. Someone at Trion probably needs to send me a PM, very, very quickly so we can go over the exploit's specifics and how to detect - and stop - it. (Or I could always log into a GM account and watch the fun that would ensue.)


    As an aside, this is one of those times I wish I wasn't correct about a suspicion...
    Last edited by ManWitDaPlan; 03-18-2011 at 12:33 PM.

  #523 Balthier (Telaran)

    Quote Originally Posted by ManWitDaPlan:
    without knowing his username or password,
    By username you mean email address correct? Since they use emails not usernames. So changing your email wouldn't help either?

  #524 ManWitDaPlan (Rift Disciple)

    Quote Originally Posted by Balthier:
    By username you mean email address correct? Since they use emails not usernames. So changing your email wouldn't help either?
    I don't need email addresses at all. In fact, I used a dummy address that isn't even real.

  #525 Tuqui-tuqui (Rift Chaser)

    Quote Originally Posted by ManWitDaPlan:
    ATTENTION TRION - I HAVE VERIFIED THE AUTHENTICATION SYSTEM CAN BE BYPASSED, BY SUCCESSFULLY LOGGING INTO ANOTHER ACCOUNT WITHOUT NEEDING ITS CREDENTIALS.

    Just successfully logged into a friend's account (with his permission, and while he watched) without knowing his username or password, by bypassing the auth system entirely. Worse, all it took was about thirty seconds of time once I got all of the details locked down.

    I did trigger Coin Lock, but I was fully able to access that handy delete-character button, so this exploit is a griefer's dream.


    This is a huge security hole. Accounts can be accessed without needing any information at all from clients.


    I will not post details on how to do this (so don't ask), but I'm positive that I can reproduce this at will and likely on any account on the system. Someone at Trion probably needs to send me a PM, very, very quickly so we can go over the exploit's specifics and how to detect - and stop - it. (Or I could always log into a GM account and watch the fun that would ensue.)


    As an aside, this is one of those times I wish I wasn't correct about a suspicion...
    Well, I don't know if this is true or not (no offense ManWitDaPlan) but I certainly want to keep reading about this. Subscribed so I can watch this develop into something useful or troll meal.
