I'm with Artus, gonna predict a whopping zero people apologize from the general forums for accusing anyone who got hacked of just being stupid and clueless about account security.
Of course, it's somewhat dependent on how Trion handles this and what they announce surrounding it. Their stance from the OP of this post is that all account compromises were because of client side errors, which is of course where lots of the trolls in general got their flame-ammo from. If Trion doesn't acknowledge there was an error publicly that allowed what MWDP did, then we'll never really know, which would be very disappointing. I don't expect details on it, but something along the lines of "yup, we did have an error, and it wasn't client side, and it's patched, and we're sorry it was abusable, etc etc" will be plenty for me.
That, oh, and my plat being restored quickly, my guildmates' plat being restored quickly, and our other guildmate's entire character being restored from Tuesday so she can resume leveling.
Makes no difference at all to security. Usernames are not secure and you can make any damn e-mail you want. Honestly anyone promoting the whole unique username deal is just out of touch with reality.
Makes no difference. Both are behind an authentication server (when not bugged but it wouldn't matter anyway).
- Require us to use a separate login for the forums (user and pass)
- Allow stronger passwords*
I'm currently a little irritated by the restrictions on passwords:
Only allowing 16 characters [max] on passwords? WHY?
16 characters upper/lowercase + numbers... You know that is effectively un-hackable right? Would you like to see the info sheet on how long it would take to hack a 12 character uppercase only password? No one is hacking 16 characters.
Less phished maybe.
If Trion had done these simple things we would have seen many fewer hacked accounts to begin with.
A multibillion dollar company uses bob@compay.cot as their username. It is the password and ONLY the password that is the security function of a login. Usernames are NOT encrypted, masked nor stored in any form but plain text.
I'm not angry, and I appreciate what Trion is doing to rectify the situation... it just irritates me that such simple security measures are being ignored. I mean, if they have the dev power to create coin-lock, surely Trion has enough man-power to let us choose separate logins that don't use our email and to allow longer (stronger) passwords.
Also, for anyone interested:
If you are worried about keyloggers, you can set up a simple AutoIt script to open the game and enter your password. No keystrokes, no clipboard.
Assuming you did not have the keylogger previous to the script and it is still a cut and paste.
Last edited by Siegmund; 03-18-2011 at 08:00 PM.
Seebs and MWDP,
It's small consolation since we'll never meet, but I want to thank you for salvaging this game for me and my guildies. I can hardly purport to speak for others outside of those with whom I speak directly, but six of us were going to cancel.
Obviously time will tell about the fix, and while I can only speak for myself, thank you.
Ok folks, it's time to put your conspiracy theory and key-logging bonanzas aside for one moment and read this.
For those who don't know, a while back Trion didn't use SSL certs(?) for logging in, this was an oversight on their behalf.
The consequence is, the hackers probably have a large database of unencrypted email addresses and passwords from people logging into the Rift website/forum prior to the introduction of the SSL certs(?).
Trion now has SSL certs(?) when logging in, so if you haven't already, log in and change your password. After doing this, the chances of you getting hacked should be significantly lowered.
I understand, I think, how the coin lock works, and if someone logs into your account from a different IP address, your account will be safeguarded until you can authenticate yourself. What I am not understanding, is they say press the coin lock icon..... where exactly is that located? Or do you ONLY see the coin lock, if someone has accessed your account or you log in from a different IP address? I don't see the feature in game or on my Rift website log in. So, unless I log in from a different IP address I will not see the coin lock icon or features?
A big salute and thanks to ManWitDaPlan
Way to go dude.
I fight for the Users
I am sorta confused, can you say log into bob's account from jim's computer with this, or just bob's account from bob's computer.
I have had bugs where you bypass the authentication on your own computer but I never tried to follow up on it with regards to a different person's account.
Basically I am not seeing how you can access someone's account from your computer.
I got hacked last Sunday, almost a FULL week ago on Greybriar and opened an in game ticket right away. Unfortunately despite me calling non-stop and updating my ticket every day I have STILL not gotten anything more than the generic canned responses. Worse, according to your customer service reps they have NO way of contacting the in game support department at all. I already changed my password and my email address and now 5 days later I can STILL not play.
If any devs read this please help. PM me if you need my ticket number but somehow I bet you can see the account used to post this anyway.
We will all be able to answer how Coin Lock works here in about 20 mins. After this update Trion has set EVERY account to be Coin Locked for the first login to ensure you are the owner of that account.
All the bases are ours.
Major Props to you guys, I wasn't very surprised that it wasn't the player's fault that they were hacked. It's still nice to see Trion fixing this so quickly.
I've been hacked before (in WoW) so I know your pain. At least it'll be fixed shortly. This is prolly the best patch we could get at primetime on a Friday :P
Azshlee - 50 - Dwarf Rogue - faeblight (US-RP-PvE)
Krisi - 50 - Eth Mage - faeblight (US-RP-PvE)
Shaedence - 50 - High Elf Mage - faeblight (US-RP-PvE)
Phionae - 42 - Dwarf Cleric - faeblight (US-RP-PvE)
While I'm not going to divulge how it works, I can tell you that yes, I can log into your account, without knowing any of your personal or game details from my home computer. I can then fire up your character (which in turn kicks you off the server) and delete it or spend all your money!
This is currently being fixed as we speak thanks to the help of ManWitDaPlan and his correspondence with Trion!