Account Security Discussion

[Thorrand]

WTF is wrong with you people!! I was just playing the game when I logged off so you can do a new patch. When I log back on after the bloody patch, and I get a stupid COIN LOCK!!! Crap people get you security straight.... Its the same IP or close to it... If I have to go through this each and every time I play this game, and have to wait for a email to clear the darn thing, I will cancel the subscription... cause you can't make your stupid security passwords to include other characters. FIX THIS!!! GRRRRRRR!

I got my email before my email was even logged in fully. Refresh faster?
the exploits were widespread enough they had to implement the coin locks on everyone's accounts. Not to mention the coin lock system in the first place relied on the actual owner logging into the account before the 'hacker'

[TheScoo]

WTF is wrong with you people!! I was just playing the game when I logged off so you can do a new patch. When I log back on after the bloody patch, and I get a stupid COIN LOCK!!! Crap people get you security straight.... Its the same IP or close to it... If I have to go through this each and every time I play this game, and have to wait for a email to clear the darn thing, I will cancel the subscription... cause you can't make your stupid security passwords to include other characters. FIX THIS!!! GRRRRRRR!

please see this post if you haven't yet - thanks:
http://forums.riftgame.com/showthrea...in-Lock-Update

[DataWraith]

WTF is wrong with you people!! I was just playing the game when I logged off so you can do a new patch. When I log back on after the bloody patch, and I get a stupid COIN LOCK!!! Crap people get you security straight.... Its the same IP or close to it... If I have to go through this each and every time I play this game, and have to wait for a email to clear the darn thing, I will cancel the subscription... cause you can't make your stupid security passwords to include other characters. FIX THIS!!! GRRRRRRR!

HaTsel, this has been done to every player after the patch. It is to white list your current location (IP address). This is actually due to Trion addressing a security issue.

[HaTsel]

Before going off the deep end, read the patch notes. It was stated that EVERYONE would be coin locked after the update to make sure that only your IP range would be accepted. That was a one time ordeal. Its not going to kill you to get the email and input the code.

Thats just it!! I haven't gotten the bloody thing yet... I have two computer with the same service provider... and each time...its going to do this??? I already have had to do this the other day, and it took it a 1/2 hr to send the stupid COIN LOCK key!! Sheesh!

[BioSector]

Well, servers are back up MWTP. Please tell us the hole is sealed!

[HomeFry]

Well, servers are back up MWTP. Please tell us the hole is sealed!

I just talked to him, hes wading through the posts trying to get replies out to everyone, so just be patience.

[Alaricus]

I appreciate your efforts and know the work that is involved. Im in IT myself and know its not as easy as some would think. As Ive said before this is a larger issue that maybe the average person isnt really all that aware of but as we move forward I do appreciate the way in which Trion responded to this issue. I am confident this is just one of many steps that will be forthcoming. I also appreciate the constructive suggestions coming from players and hope we can all keep an watcheful eye on the security for this game.

[ManWitDaPlan]

Okay, caught up (more or less)...

Before I start with the sea of replies, I must shine the spotlight on some people.

First off, if I didn't find this hole the_real_seebs would have - he was hard on the heels of this thing and it was more a matter of who found the secret handshake first. So everyone should give him kudos for also working the issue and finding the same things I did.

Secondly, I gotta also hand out mad props to TheScoo for letting me break into his account and delete his test toon (kicking him off the game in the process), and HomeFry for helping me iron out some details and run some LAN-level tests to verify where the problem was manifesting.

Last but certainly not least, I must also sing the praises to Trion. Most companies do their level best to hide critical security issue sand sneak in fixes. Trion responded to the news by contacting me within the hour, discussing the details in detail, and responding within minutes of getting info that they verified the issue and were expediting a solution. A couple hours later, everyone gets to try out Coin Lock and the hole is plugged with steel-reinforced concrete under twelve feet of kevlar policed by sharks with frickin' lasers on their frickin' heads.



Okay, on to the replies - look for yours!

Thanks for reporting this exploit.

I hope Trion will validate that they in fact had such a hole after it is fixed.

My alternative is spending many hours reinstalling my OS to clear any potential holes after being hacked this afternoon.

Please post as candidly as possible when it is fixed Trion, so that those of us who were hacked won't have to go to great time and expense to "fix" systems that likely aren't broken.

That's up to them. Obviously one won't want to expose too may details of one vulnerability in case it hides others.

Did you do this from your computer or his? You can bypass the authentication on your own account on your own computer from time to time due to a bug but I didn't think you could do another account from your computer.

Used mine to log into his. In theory, it would have worked on any account, probably including the accounts used by GMs and Trion staffers themselves.

Wonder how many people are going to post appologies for saying we deserved to be hacked and we should not get anything back.

Not gonna hold my breath for that one, hahaha...

The security hole, does it give the hacker access to all the account information, it only allows to login into the game... in short, has all our account data been stolen?

Please let me make it very clear that the vulnerability I found only allowed game logins and access to game characters and any assets they had. It did not, I repeat not, expose personal or billing information.

Ok folks, its time to put your conspiracy theory and key-logging bonanzas aside for one moment and read this.

For those who don't know, a while back Trion didn't use SSL certs(?) for logging in, this was an oversight on their behalf.

The consequence is, the hackers probably have a large database of unencrypted email addresses and passwords from people logging into the Rift website/forum prior to the introduction of the SSL certs(?).

Trion now has SSL certs(?) when logging in, so if you haven't already, login and change your password. After doing this, the chances of you getting hacked should be significantly lowered.

THIS. Everyone should change their passwords right now, and to secure ones.

BTW, the Trion crew told me that they had a lot of hacks through idiots reusing old WoW account credentials, etc. that were already known to game account thieves. If you get hacked from now on and were reusing account creds from elsewhere, you no longer have an excuse.

I am sotra confused, can you say log into bob's account from jim's computer with this, or just bob's account from bob's computer.

I have had bugs where you bypass the authentication on your own computer but I never tried to follow up on it with regards to a different persons account.

Basically I am not seeing how you can access someones account from your computer.

The exploit allowed one machine to bypass the game's normal authentication process. As a result, the exploiter can "become" any valid game account, knocking off the actual account holder if they're logged in at the time.

Major Props to you guys, I wasn't very suprised that it wasn't the player's fault that they were hacked. It's still nice to see Trion fixing this so quickly.

I've been hacked before (in WoW) so i know your pain. At least it'll be fixed shortly. This is prolly the best patch we could get at primetime on a Friday :P

That's one of the reasons I gave Trion a shout-out up top - the time to fix a critical hole is now, not Monday. Sure it'll annoy some players, but if it makes a million plus game accounts safer, great.



Post's getting long - to be continued...

[the_real_seebs]

I dunno, man, I don't think I woulda gotten it. I'm not very good at the fiddly bits of security stuff.

But yeah. Trion's response to this? Perfect.

1. Fix the bug RIGHT NOW. No delay, no "let's roll this in".
2. No attempt to deny or play blame games.
3. Fix goes live IMMEDIATELY once it's available.
4. Explain what the fix was AFTER it is fixed, not before.

The decision to coin lock everyone is a reasonably good one when you consider that they have solid evidence that a whole lot of accounts were at least partially compromised... but that the attackers did not know the email addresses or passwords. Coin lock is perfect for that.

[StChoch]

So I changed my account password to be different from my forum password from my work computer in a different town.

Will this trigger the coin lock?

[Zilvermoon]

First off, if I didn't find this hole the_real_seebs would have - he was hard on the heels of this thing and it was more a matter of who found the secret handshake first. So everyone should give him kudos for also working the issue and finding the same things I did.

Read all post's in this thread (been following it since it was created, even though I wasn't hacked) and yeah sorry I didn't get your name into my BIG THANKS, So here goes:

A BIG THANKS to you the_real_seebs for the work you did on this issue getting into the light and getting fixed.

Zilvermoon

[the_real_seebs]

So I changed my account password to be different from my forum password from my work computer in a different town.

Will this trigger the coin lock?

Dunno. Won't matter, since everyone just got coin locked.

[MudBone827]

I'm with Artus, gonna predict a whopping zero people apologize from the general forums for accusing anyone who got hacked of just being stupid and clueless about account security.

Of course, it's somewhat dependent on how Trion handles this and what they announce surrounding it. Their stance from the OP of this post is that all account compromises were because of client side errors, which is of course where lots of the trolls in general got their flame-ammo from. If Trion doesn't acknowledge there was an error publicly that allowed what MWDP did, then we'll never really know, which would be very disappointing. I don't expect details on it, but something along the lines of "yup, we did have an error, and it wasn't client side, and it's patched, and we're sorry it was abusable, etc etc" will be plenty for me.

That, oh, and my plat being restored quickly, my guildmates plat being restored quickly, and our other guildmates entire character being restored from Tuesday so she can resume leveling.

There won't be any apologies to come from the public that belittled those who were unfortunate enough to be on the end of a hack, this is TYPICAL OP for TROLLS.

[Sinfullysweet]

Okay, caught up (more or less)...

Before I start with the sea of replies, I must shine the spotlight on some people.

First off, if I didn't find this hole the_real_seebs would have - he was hard on the heels of this thing and it was more a matter of who found the secret handshake first. So everyone should give him kudos for also working the issue and finding the same things I did.

Secondly, I gotta also hand out mad props to TheScoo for letting me break into his account and delete his test toon (kicking him off the game in the process), and HomeFry for helping me iron out some details and run some LAN-level tests to verify where the problem was manifesting.

Last but certainly not least, I must also sing the praises to Trion. Most companies do their level best to hide critical security issue sand sneak in fixes. Trion responded to the news by contacting me within the hour, discussing the details in detail, and responding within minutes of getting info that they verified the issue and were expediting a solution. A couple hours later, everyone gets to try out Coin Lock and the hole is plugged with steel-reinforced concrete under twelve feet of kevlar policed by sharks with frickin' lasers on their frickin' heads.



Okay, on to the replies - look for yours!

MWTP, Thank you. I mean beyond a doubt with all my heart thank you! And everyone who worked together on this to find the problem. Seebs, Scoo and Homefry, thank you also from the bottom of my heart. Trion, be glad you have players like this that are dedicated to never giving up and instead of exploiting it for their own gain, held off and worked to help you.

Just another reason why I love this playerbase so much!

[the_real_seebs]

Well, Trion's done right by me, I figure the least I can do is try to be helpful.