  1. #1
    Professional Bum
    Join Date
    Oct 2006
    Posts
    329
    BG Level
    4
    FFXIV Character
    Jub Jub
    FFXIV Server
    Malboro
    FFXI Server
    Bahamut

    Lost account with satchel attached

    Not sure where to put this.
    Just a heads up: I lost an account with the one-time password satchel thing attached... so I guess it's possible. Oh, also I didn't have the phone app, if that matters much.

  2. #2
    Pandemonium
    Join Date
    Jul 2008
    Posts
    4,875
    BG Level
    7
    FFXI Server
    Bismarck

    Although you can Google and therefore find a variety of tales within which people have claimed they've been hacked, even though they have a VASCO DigiPass—the product that has been relabeled as a "Square Enix Security Token," "Blizzard Authenticator," et al—none of this is worth considering. Why? VASCO products aren't just used by videogame companies who want to provide a reasonable amount of security to their users—they're used by major banking institutions, branches of the government where high security is a necessity, and more. No mere RMT or enterprising script kiddie is going to crack VASCO's technology; if they could, they would be making millions by doing so for a world power, not by stealing your comparatively worthless FFXI account.

    If you'd like to see an engineer describe how sound the system is in brief, look here: http://www.spinellis.gr/blog/20061201/. I've also quoted a noteworthy paragraph below.

    The one time password generator depends on a key that is shared between the dongle and the authenticating application. Specifically, the algorithm generates the OTP by encoding a moving factor (an increasing counter or a time value) with the shared secret as a key, using the SHA-1 keyed-hash message authentication code. The key's manufacturer, Vasco, pre-programs this shared key into the dongle, and also supplies a file with a copy of the shared key in encrypted form to the purchaser of the keys (in this case my bank). The serial number on the back of the key is only used to look up my key's shared secret in that file, and the activation number my bank supplied me with is probably only used to tie the specific key to my account. The shared key is hidden in my dongle and in my bank's database. Therefore, cloning the dongle or re-using it in other applications isn't possible.
    The only way that someone would be able to hack your account would be if they intercepted the token number before you used it up, and then input that, alongside all of the rest of your Square Enix account information, into either PlayOnline or their web browser, through which they would access your account. At that point, they would have to deactivate the token to permit easy usage of the account from then on, if they so chose to—or, if they didn't bother with the SE account and simply went through POL, they'd just clean your character out and then abandon it.

    In short: no, someone isn't going to hack the VASCO technology, but yes, your account can still be stolen if you have a keylogger, and/or input your account information into places you shouldn't, like shady websites, or your friends' email boxes. This has always been true, and will remain true into the foreseeable future.

    Use properly updated anti-virus programs, don't visit questionable websites, and play safe, my friends. Since this isn't anything new, consider this topic closed.
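
The scheme quoted in the reply above (a moving factor keyed with a shared secret through HMAC-SHA-1), sketched as an added example that is not part of either post or of VASCO's or Square Enix's code. It assumes the counter-based RFC 4226 (HOTP) variant and uses that RFC's published test secret; the `Verifier` class and its look-ahead `window` are hypothetical names for the server side.

```python
import hashlib
import hmac
import struct

SECRET = b"12345678901234567890"  # RFC 4226 Appendix D test secret, not a real key


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA-1 over the 8-byte big-endian moving factor, then truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks the slice
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Verifier:
    """Server side (hypothetical): same secret plus the next counter to accept."""

    def __init__(self, secret: bytes, window: int = 3):
        self.secret, self.counter, self.window = secret, 0, window

    def verify(self, submitted: str) -> bool:
        # Look a few counters ahead in case the button was pressed and not used.
        for c in range(self.counter, self.counter + self.window + 1):
            if hmac.compare_digest(hotp(self.secret, c), submitted):
                self.counter = c + 1  # this code and every earlier one are spent
                return True
        return False


def replay_is_rejected() -> tuple:
    """The owner logs in, then the same code is submitted a second time."""
    server = Verifier(SECRET)
    code = hotp(SECRET, 0)
    return server.verify(code), server.verify(code)


def unused_code_is_accepted() -> tuple:
    """A code entered somewhere else first is accepted; the owner's later try fails."""
    server = Verifier(SECRET)
    captured = hotp(SECRET, 0)  # generated by the token but not yet used
    return server.verify(captured), server.verify(captured)


if __name__ == "__main__":
    print("replay:", replay_is_rejected())
    print("captured before use:", unused_code_is_accepted())
```

The second function is the case the reply describes: the secret never leaves the token, so the only exposure is a code that has not been spent yet. An owner whose freshly generated code is refused is worth treating as a sign that the code was already used elsewhere.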