I bet one of the questions Bercus sent was about hacking. >.>
QFMFT.
Originally Posted by ringthree
It seems that SE, like they've done in the past, is trying to make us believe they're doing good. A lot of times, though, nothing worth mentioning has come out of it, and a lot of the users are still left with nothing at all. A friend of mine recently got hacked, got his account back, but had nothing left, and they couldn't do anything about it. He had some pretty rare sellables, and every day now he's passing by a mule that suspiciously suddenly is selling every single item that he had on his character... Finding mules that bazaar these things isn't rare - finding a mule that's bazaaring all of these things at once?
I hope that this new policy or whatever will apply retroactively, and that good things will come out of this, but frankly, I'm not holding my breath.
Off Topic and nitpicky:
Generally tape backups are not used in the larger IT industry anymore; mostly data is backed up and warehoused offsite on Network Attached Storage servers, or they just use redundant offsite mirrored servers.
Originally Posted by Arkanna
Point stands, regardless.
Originally Posted by Bardicrune
I like how it took ABC and another major news carrier for them to 'notice' and present better measures to restore characters than the bull they have in place now. Place on top of that the abysmal lack of measures in place to avoid hacking, like questions just to ALLOW you to change your password.
Eugh. Way to fail, SE.
when we complain, management tells us to stuff ourselves and it dies there. when ABC prints it, shareholders hear about it and the negative impact it's having on their stock, and this generates a fire, i'd imagine.
Originally Posted by Akucaen
Interesting. Maybe I'll get Spookiness back eventually, rather than SE just telling me I'm screwed.
lolSE
Originally Posted by that ABC page
Originally Posted by that Yahoo page
so... after getting a formal wake-up call from two Media Companies and official research by an Anti-Virus Conglomerate, they finally agree to work on something their own customer base has been kicking/screaming/threatening to sue about for the last, what, 6 months? jeez...
I love the game, don't get me wrong... I just hate how the people in charge of making the decisions go about making said decisions. Not necessarily Too Little, Too Late, but I can't help but feel that they could have been taking a more (pro)active approach once they started getting spammed by US, their loyal and paying customers... instead of waiting until our drama became public.
Interesting. I assume people are getting their characters stripped as well. How is Blizzard handling it? Are people who lost accounts getting them back, and all their items? How long does it take? What's involved?
Originally Posted by Kyreth
Blizzard has a FAST turn-around on getting characters back; you get a majority if not all of your items back... they don't fuck around when it comes to customer service, it seems, and they don't fuck around giving the banhammer to obvious RMTs or blatant system hackers either. and they serve up at least 20 times the number of active players as FFXI... last I checked.
Originally Posted by Kenji
every time SE says "investigating" replace the word with "taking our sweet fucking time because we don't really give a shit about"
Yes, we're still "investigating" your account.
Thanks for your RMT report, we'll be "investigating" that issue.
Gonna lawl when the next "GM told me to get TFO when I reported my account got hacked" thread pops.
Blizzard has a lot more representatives (or perhaps they outsource) handling the issue; the SE information center has like 10 people manning the phones and 2 managers tops - SE is simply undermanned, big time. I assume the people investigating hacked accounts are probably 2 people in tandem with a manager.
Originally Posted by setzor
It comes down to also how the companies view issues as well.
I guarantee this is just SE's way of showing that other games are affected by these hackings, not just ffxi. So not really day late dollar short, just their idea of player relations.
and the obligatory
OMGMYACCOUNTWASHACKEDFUCKINGSEYOUBASTARDSLOSTMYRAINBOWCAPE
i get the feeling that the Blizzard devs have a lot more of a hands-on approach to their userbase than, say, the FFXI devs. consider for a second the "need or greed" system in WoW a friend of mine explained to me a while back.
as best i understand, in WoW a large chunk of the gold (gil in FFXI) comes from accruing drops in instanced zones and selling them, often to NPCs. this would cause players to lot things they couldn't wear or otherwise use but wished to have to NPC for gold. in order to enable players who would actually put the gear to use for more than vendor trash, prior to lotting, players would declare if they wished to lot it for "need" or "greed", i.e. they wanted to wear it or NPC it respectively. if no player declared need, players who declared greed could lot it and the top lot got a couple of shinies. if anyone declared need, all players declaring greed would pass for those who declared need. this was a convoluted system though, akin to our shouting out for people who want to burn points on items with a limited time before it plunks into someone's inventory. Blizzard responded after a bit by adding, instead of 1 universal lot button, a "need" button and a "greed" button, effectively automating the process. any player clicking need negated any greed lots, so all players needed to do was hit the right button and let the game as well as lady luck decide who was walking home with the item. Blizzard saw a system players had implemented, albeit inefficiently managed by hand, and automated the system. meanwhile, we can't bludgeon SE into forcing our coinage and AF in dynamis out in a timely fashion.
while this may not be the world's best example, it does indicate the dogmatic differences between Blizzard and SE. Blizzard takes a more aggressive stance towards what the playerbase wants, while SE seems to take the attitude of "we will tell you what you want. your concerns are petty and boring." it's depressing to watch such blatant mismanagement continue. customers of other large-scale products, from relatively cheap products such as office suites to software solutions costing in the tens to hundreds of thousands of dollars, are the guiding force behind requirements specifications and feature additions, but SE seems to have forgone this tried and true model for one that more resembles "SE knows best." not until SE is made to look a fool will anyone step up and actively attempt to solve the problem in such a stagnant environment.
Friend lost all his chars and items on WoW; he simply made a new char, called a GM and told him what happened. The GM asked him to log out, he did, and found all his chars and everything restored, so it's instant.
Originally Posted by Kenji
OK, maybe I am oversimplifying things here or maybe giving their system too much credit.
How about they put in a tracking system where, if an account appears with a new IP address (especially one that originates in China) and attempts to change the password, a huge red flag pops up for investigation? Or, if several different accounts that had completely different IP addresses have their passwords changed from the same IP address, a huge red flag pops up for investigation? Or how about you have to input your whole credit card number before you can change the password?
Or how about all of the above? Seriously, how can I get this to the dev team?
They would have to do this based on IP blocks owned by providers and the password being changed from outside that block. I myself have 6 unique public IPs at home, 4 of which could be used at any given time to sign into FFXI. And this isn't counting when I'm over at a friend's house, or working seriously late at night at work and have it running on a laptop while I fish or campaign.
Originally Posted by Septimus
However, I would recommend a two-pronged approach to increasing the security of the accounts.
1) As others have suggested, a security question/answer required to change the password. This will prevent those not easily guessed from being able to completely remove access to the account.
2) Have an option to generate a security hash. The security hash would be an option located under the account management section of POL and nowhere else. You click a single button and the hash is generated (the method can be completely random; it doesn't matter so long as it's long/complicated enough to not be guessed). The hash is displayed to the user and is stored in POL/SE's databases. Each time you do this, it adds another entry. There is no method of seeing past security hashes, only the one you just generated. This security hash can then be used as initial verification of ownership of the account so that alternate characters can request a lock on the account from a GM, or can be used by the user for verification with call center personnel to lock the account. ANY security hash can be used to lock the account. Once locked, the user has to go through the process of contacting the call center to regain access to the account. While this would require users to proactively prepare for security issues, it guarantees they will be able to stop access the instant they discover unauthorized access has occurred.
i ran that idea, but unfortunately it fails.
Originally Posted by Septimus
evolutionary step 1: SE bars IP addresses from China outright (ignoring the Chinese players who actually play)
evolutionary response 1: CGF begin using open US proxies to reroute traffic and avoid IP block ban.
evolutionary step 2: SE bars IP address changes from any IP address that has not been the only address to access the account for at least 24 hrs.
evolutionary response 2: CGF will loot the chars even if they can't change the password. CGF will develop new keyloggers that not only steal passwords but change the password via the local machine, bypassing all IP checks.
evolutionary step 3: SE bans password changes and cc changes without the last 4 digits of the most recent credit card on file.
evolutionary response 3: CGF will loot the char stealing and NPCing anything they can take. the account will be protected but will be largely unusable due to losing virtually anything of value.
the problem with most of these solutions is that they all hinge on trusting the computer to be secure, which is always violated when an account is stolen. rsbo.exe was the tip of the iceberg. having not looked at it, but guessing based on the accounts i've heard, it's not all that sophisticated. it's easily identified, removed, and offers almost no self-defense tools against anti-malware products or the like beyond simply sufficient obscurity to avoid detection. it was only effective due to the CGF playing the first strike card. knowing that we would be slow to react to such a new threat, even a simple tool would be enough to harvest hundreds of accounts. still, this is only the opening salvo in the war.
as our reactionary countermeasures increase, so too will the offensive measures that the CGF take. rootkits will be implemented. more complex and automated tools will be used to steal the account and change the passwords. these attacks are in their infancy and will only increase in scope and capacity. from IP policies to security tokens, no solution is foolproof. just look at the violation of the chip-and-PIN system used for credit cards and bank cards in Europe. not only have methods been developed to violate the security of it, but due to the supposed impregnability of the system, cardholders who have been ripped off are treated as criminals filing false testimony and not victims when they report it. both solid upfront security and solutions to handle inevitable breaches when they occur are necessary to ensure a viable working environment.
btw, i do like the idea of a security hash or a "locking password." if the account is compromised at any point, go to SE's website and key in the account name and the locking password. this freezes the account until such time as a phone call is placed to SE (note, BYPASSING THE COMPUTER which is known to be infected!) and the account is unlocked. a very clever trick.
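The lock-token scheme from point 2 of the proposal above and the "locking password" in the reply, as an added example that is not from this thread or from SE: a minimal Python model in which tokens are minted with a CSPRNG, shown once, kept only as SHA-256 digests (my choice; the post only says the hash is "stored"), any token ever issued can freeze the account, and the sole unlock path is flagged as out-of-band, i.e. the phone call that bypasses the infected machine. Class and method names are made up for the example.

```python
import hashlib
import hmac
import secrets


class AccountLockTokens:
    """Per-account lock tokens ("security hashes"): issued from the account
    page, shown once, never listed again, and any of them can freeze the account."""

    def __init__(self) -> None:
        self._digests: dict[str, set[str]] = {}   # account -> SHA-256 of each token
        self._locked: set[str] = set()

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def generate(self, account: str) -> str:
        """Mint a fresh 128-bit random token. Only its digest is stored, so a
        database leak does not hand out usable lock tokens (assumption: the
        post only says the hash is 'stored')."""
        token = secrets.token_hex(16)
        self._digests.setdefault(account, set()).add(self._digest(token))
        return token  # displayed to the user once; no API lists past tokens

    def lock(self, account: str, token: str) -> bool:
        """Freeze the account if `token` is ANY token ever issued for it.
        Needs no password, so it works from a machine other than the infected one."""
        presented = self._digest(token)
        for stored in self._digests.get(account, ()):
            if hmac.compare_digest(stored, presented):
                self._locked.add(account)
                return True
        return False  # unknown token: fail closed, nothing changes

    def is_locked(self, account: str) -> bool:
        return account in self._locked

    def password_change_allowed(self, account: str) -> bool:
        """A locked account refuses logins and password changes alike, so a
        keylogger-driven password change from the compromised PC is blocked."""
        return not self.is_locked(account)

    def unlock(self, account: str, verified_out_of_band: bool) -> bool:
        """Unlock only after out-of-band identity verification (the phone call
        in the thread). No token or password can unlock from the client side."""
        if not verified_out_of_band:
            return False
        self._locked.discard(account)
        return True
```

Note that locking stops the looting path the reply describes (password change via the local machine) only from the moment the owner notices; it does not protect items taken before that.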
This is why SE needs to be 100% on its toes, ready to accept that this was only the start of a long and protracted battle that ALL MMOs fight constantly. FFXI was lucky in the sense it took nearly 4 years for hacking to go mainstream, but now it's happened the typical SE response speed (4 months to 1 year) to resolve issues is not going to cut it, especially when CGF are only going to keep picking at this option for making money, especially as the STF starts to shut them down on the in-game front.
SE is quick to point out that many players have insecure computers, and they are completely right - some people aren't running the most secure stuff. HOWEVER, SE has some major flaws of their own as well. Currently, if CGF breach you while the information center is closed, you're fucked - is 24/7 customer service too hard to ask for? Even if it means calling the EU center during the NA center's downtime and vice versa? This is a huge flaw, and CGF are more than happy to wait until the centers are down/weekends to gank and be completely free to do whatever until Monday. Is paying workers minimum wage for 2 more days on top of the usual too hard to ask?
Blocking IPs and trying to keep the RMT out is a massive undertaking; giving the users more ways to secure themselves within POL and within the Square-Enix umbrella of influence is much simpler to mainstream. You can deter the RMT into a situation where it isn't as feasible and so salivating to try to keylog and hack people. Quicker response to people affected by hacking is only the start; there is no reason why it should take 3-4 months to respond to an issue.