I will be posting a more detailed synopsis of the upcoming changes in the next few weeks - I just have one or two ducks left to line up before I do that.
Yesterday I logged with my Display name. Granted I don't have security concerns as I do have security key (worth every penny for these 1k fleet passes and my marauder dancer outfit /grin).
In the meanwhile it gives 2 methods to log in, which increases the risk of being hacked more so until April 2nd.
Why could they not get their ducks lined up, then do this?
There is a forum management in the account options, but as the name has been used for that already it makes it difficult to add in a new name for forum use. What they should do is let you choose a unique login name, after you enter your email address for one last time. Future account creations ask for a forum name in the forum management section.
It seems they are saving money over peoples security. It seems that they can use separate names for login and display name, but they do not want to put the money / dev time into getting it done.
We did look at using a secondary 'login only' display name, but sadly this would create more confusion and increase costs associated with support of the new system rather than decrease existing support costs
I have the security key too, but they are not 100% secure. This change still lowers the security. Before this change those who had the security key had 3 layers of unknown information, now it is 2 layers. Those who have no security key just have 1 layer - the password.
They are looking into giving you the option to change display name one time but seems that is beyond their abilities too.
I have that on my list of things to look at already. That is a much harder challenge to change though as Display Name is also a unique reference, and changing the unique reference can create a ton of data inconsistencies. Technically possible, but not technically easy to accomplish. I wouldn't hold your breath on this one.
Changing from two methods to log in to one method sounds ok to me. Strange move to be happening now though.
Cheers,
BadOrb.
PSO 4 years , EQOA 4 months , PSU 7 years , SWTOR launch ongoing , PSO2 SEA launch ongoing , Destiny 360 launch ongoing. "SWG was not fun. Let it go buddy." quote from iiNoSkillzii 10/18/13 The original propoganda pixie dust villain :[]
Changing from two to one is OK, but it was only one method to log in beforehand - an email address. It is currently two methods so that people get used to logging in with the display name, then from April 2nd it will be back to the one method which will be the display name.
Oh right I read it started when F2P was released , not an official source though.
Cheers,
BadOrb.
A "Hacker" can easily use a readily available legal script to collect display names from a forum. This is half of your login information. If they have half of your login information all that is left is your password.
Many people ignore security advice and use common passwords; these will be the first to cry foul (From your posts and how uninformed you seem I believe you will be in this group). Currently you have unlimited attempts to guess passwords. While their security specialist has stated they plan on adding extra security, I do not have confidence in them when they make such an inexperienced mistake like using a displayed name as a security measure, so I expect the rest will be at risk as well.
No, this is completely false.
The first check is your IP address. If you're not logging in from your last IP address then it assumes you're someone else and proceeds to the second layer of security. 2 things now happen. If you attempt to log in with the wrong password too many times they block that account from your IP. You can no longer log in even if you get the right password. You can, however, still log in from your actual location. So if someone tries to get your account locked by guessing your password wrong too many times all it will do is ban him, not you.
Second, if they have the correct password they still won't be able to log in. If the IP address is different then they will be asked one of your 5 security questions that you created when you made the account. If you guess wrong too many times they IP ban you.
Lastly they said they are adding additional security on top of that and he hinted that it would be an email that is sent to you if someone attempts to log in from another location, similar to how GW2 does it. That is why they don't want your email address visible to any hackers.
Hackers generally use stolen email/password combos and try them all to see if they get any hits. If you remove email from the equation they would then need to know your display name. Considering you're less likely to use the same display name on different games this adds an extra layer of protection on top of the ones stated above.
I think the game is not the main concern in TOR's case (it's easy to restore the account if hacked), more like the other information that the account holds. I'm not sure whether EA changed their method after f2p or not, but back in the day it caused some uproar among us that they asked for every personal detail up front, before you even touched the game... I know, I know they were confident (http://img820.imageshack.us/img820/3833/29775697.jpg lol), but still, it was strange.
I mean TOR was the only game I played which said "cool, you bought the box, thank you. What, you want to play with the 1 month included? Give us your credit card number, etc. Or you can only watch that nice box on the shelf, without playing. But hey, thanks for the money, it's already in our pocket."
So the problem I think is not with the game accounts of those 500k who are still playing, it's the credit data of those 2mill+ who bought the game and gave the credit details during activation. (not me, I use virtual card for web payments )
Every MMO does this. You don't get charged until your free month is up.
Not "every" : I could list lots of mmo's (as I wrote above, every single one I played) on the opposite side, but I just mention LotRO because that's the one in which I made a 2nd VIP account after f2p as well. Or AoC, before it went f2p.
The normal way is: you buy the box, install, make an account (without any details, only a name / password), play 30/60 days. AFTER that you can choose to ditch the game if it's weak, or pay for some more time - in this case you obviously set up a payment plan. But not before you even see the game.
That's how most p2p mmo's work/worked, in my experience. Except TOR, maybe EA expected that many players won't stay after the included 30days, that's why they collected the credit details beforehand
Not sure which MMOs you talk about, but every one I played asked for a credit card: EQ2, WoW, Rift, Aion, LOTRO, AoC... at least at the time they launched. That might have changed later if/when they moved to F2P, but not P2P games.
No, before they went F2P LOTRO also asked you to enter a credit card when you set up your account and subscription.
Strange... I hate giving out any info if I don't have to, and TOR was my first game where I had to enter payment details right at the activation - and I wasn't the only one who was surprised on that, at least around here.
Not an f2p thing I guess, I play AoC since launch, LotRO since Moria, and in both games I played the start without any payment plan. (I even left LotRO after the first month, and only entered credit details when I went back months later).
And to make it clear, my problem is the security, and not the card payment... since I can use virtual cards I don't give a turd as well on any company that want to collect my data (lol, it's virtual) but few years ago I liked to keep it secret, keep it safe, next to the Ring
"I Buyed AOC with 30 days free included , but to activate them you had to gif up credit card stuff etc .. so after i gave up all credit card info i Cancelled subscription , so i still have play time till the first 30 days are done , .. Will there be anything charged or not ?"
I don't understand why they are making us use a name that every single forum user can see. Currently, nobody knows my login name. Now, everybody will know it. Having authenticator will always help, but still :-/
Error: 37. Signature not found. Please connect to my server for signature access.
I think I may have come up with a rational reason for this change in login, although it would probably require a database specialist to weigh whether my reason seems likely.
As many know Origin has a big stinking bug where it flags email addresses as doo-doo, and people can't make micro-transactions without changing their email addresses. This spans all their titles, including SWTOR.
The undocumented workaround involves creating a new email account tied to your origin account.
There are many SWTOR players who have been hit by this Origin bug, and can't buy Cartel Coins. Many even have to buy Game cards instead of just using their Credit cards to purchase game time for subs.
Perhaps the change in login procedure is to set up a new database untied to specific email addresses so Origin can use the new database to look up payment information.
This seems to be a valid reason for changing the login procedure, although it has nothing to do with security.
I still think it decreases security on accounts. In my opinion they should have made a unique login different from the forum handle. The Bioware security dude even stated that they considered this but decided it would be too expensive/too much of a hassle.
If I'm right, they should have just said so. (IMO)
Originally posted by tiefighter25 WTF are they doing?
Basically the exact same thing they have been doing...derp...lots and lots of derp.
"I hope we shall crush...in its birth the aristocracy of our moneyed corporations, which dare already to challenge our government to a trial of strength and bid defiance to the laws of our country." ~Thomas Jefferson
On April 2nd, we are changing some aspects of our Authentication system. In our first notification of the most visible of the changes on March 5th (http://www.swtor.com/community/showthread.php?p=5954106) we were still waiting on the last few background systems to be confirmed as ready. Now that they are ready, today's notification also includes those changes as well.
On April 2nd, the following changes are going live:
Display Name only login
Email Security Code replacing Security Questions and Answers during Authentication
Self-service for Forgot my Display Name
Other changes we are aiming for within April, but not necessarily on April 2nd:
Self-service for Lost my Security Key
Self-service for Remove my Security Key
Self-service for Move my Security Key
As a result of the original announcement of the initial overall change, there were a lot of questions raised. I'm going to try and give as much detail as I can here to try and answer any questions you might otherwise have, and that way we can focus on anything missed.
Here are some of the questions I expect might get asked. Accordingly I'm going to let one of my ducks do the asking so I can make a first go at answering them...
Quote:
Originally Posted by MrYellowDuck
Why can't we use our email address? It's awesome! Quack! All the best companies use email address as username!
Lots of companies do use email address as the username. Lots don't. Both approaches have risks as well as rewards. One of the key risks for using email address is that an attacker who gets a valid email address and password will then know for certain that the account is associated with the website (or game!). For SWTOR this does not mean that the attacker could then take over an account, but it would give them the knowledge of who to craft a phishing attack against and have a higher rate of success in gaining access to information such as Answers to Security Questions. Without the link to email address, they also won't know the needed information in order to target the email account itself for a take-over in order to gain access to SWTOR and anything else linked to that email account.
This change will remove the ability to link (based on knowledge of the correct password) to your SWTOR account.
Even today if an attacker gets the right password they will not be able to gain access to your account, and with this change they will not be able to figure out which email address to send a phishing attack at, or which email account to try and take over. This allows us to place more trust in the ownership of the email account as being validation that we are (electronically) talking to the owner of the account.
Quote:
Originally Posted by MrYellowDuck
Using Display Name is insane! I will be hacked! *ruffle feathers* You have given the bad guys my username! Half the battle is now lost! I'm 50% less secure!
OK, that wasn't a question. Let's just presume you are actually asking if using the publicly visible Display Name increases the chance you will be hacked...
We put in other controls before the launch of the game during 2011 such as the existing Security Questions and Answers system in order to protect your account even if an attacker managed to get the correct username and password. That security control aspect is not going away (although the 'remember' part is for the website and game launcher). In reality we are making it harder for an attacker, and giving you more control on the security of your account.
Let's look at the different pieces needed to successfully log in today:
Display Name or Email Address
Password
Security Key or Authorized Location
Non-Authorized Location via Security Question and Answer
Then let's look at the different pieces needed to successfully log in from April 2nd onwards:
Display Name
Password
Security Key or Authorized Location
Non-Authorized Location via Email Security Code
Access to your Email Account
From the get-go, we have never considered the username to be 'hidden' or 'secret'. It never factored into our security model as something to secure, as we have worked on the basis that the attacker already knows it. This is also why we have not provided a self-service system for Security Keys: while the email address is easy (for an attacker) to associate with a SWTOR account, we have had to presume they will phish or attack the email account itself. De-linking the email account means that an attacker who knows the username has no knowledge of who to phish or attack. This means they continue to be unable to take over your account.
There are hundreds of millions of known username/password data rows available on the Internet. Well over 100 million unique email addresses. Most of these compromised details use email address as the username... It is this fact that dictates that attackers will know the username for at least some accounts regardless of any secrecy we may try to implement. You can check your own email address at http://pwnedlist.com/ for instance as one of the posts on the previous thread indicated.
So no, we have not given away 50% of the security. Half the battle is not lost. You should not care that anybody else knows your username. You should instead think they may have it already.
That said, you should care about your password, both on SWTOR as well as on your email account. It is especially important to use a unique password on your email account if nowhere else. I would recommend looking at a two-factor solution for your email account and will give the 2-Step authentication feature on GMail as an example. Google 2-Step today
Quote:
Originally Posted by MrYellowDuck
I don't want my Display Name to be public! I disagree with everything you are saying!
We are working on a new 'Forum Display Name' capability so that people will at some point in the future be able to change the name used on the forums. Which way we go about that (choose a character name? let you write whatever you want?) is still being decided and that will impact the amount of work required and therefore the 'when'.
This is not something that is planned for April 2nd.
It is also not something that can be easily implemented in a matter of minutes. Regardless of if the change would be as simple as adding a column in a database, there is still getting that data presented to the website securely, providing the ability to input data into the column itself (again securely), and that is before we have our awesome QA team make sure the functionality works as expected. We won't say 'soon' on this feature, as it is too early to be able to predict when this could be rolled out.
Quote:
Originally Posted by MrYellowDuck
What is this 'Email Security Code' you speak of?
We will send you an 'Email Security Code', via email, whenever we determine you are attempting to log on from a non-authorized location. This is similar to how we prompt for the Security Questions and Answers today, except instead of having to remember an Answer, you will be provided it via email instead.
With the Security Question and Answer system in place today, it is sometimes possible for an attacker to research a person well enough to be able to have a chance of guessing the correct Answer if they have already got the correct username and password. It is also possible to phish for the Answer if you know the email address.
By changing to an Email Security code, this actually decreases the chance an attacker would be able to guess the correct 'answer', as not only will the Email Security Code be randomized each time it is set, there will only be a small number of chances to guess the correct code before the randomization reoccurs and a new code is sent. This keeps a concept called 'entropy' (as applied outside of thermodynamics and instead focusing on 'the degree of disorder or uncertainty in a system') at an extremely high level. If you want an example as applied to passwords, I highly recommend reading XKCD (http://xkcd.com/936/).
If anybody ever does actually guess the Email Security Code, they should immediately go out and buy a single-line lottery ticket. Actually they would have far more chance winning the lottery in the first place. Far, far more chance...
Quote:
Originally Posted by MrYellowDuck
Your new system will allow anybody to lock me out! *peck!* This is pathetic!
No. No it will not.
As soon as we detect an attempt to log in from a new 'location', we prompt that location for an Email Security Code which will be delivered to your Email Account (or Security Questions and Answers today). It is only after that prompt is verified that we will move the new location into an Authorized Location status. We do not remove your current Authorized Location as soon as a new location is detected. We keep a number (no I won't say how many) of Authorized Locations in the system, so an attacker can try to lock you out, but they will never succeed as they first have to validate themselves. From that point forward you will be able to log in from that new Authorized Location and at no point can an attacker actually lock you out.
Quote:
Originally Posted by MrYellowDuck
You don't know what you are doing! You will break my Origin account with all my EA games! I won't be able to log on there with my email address any more!
Actually the Origin authentication system is not changing as a result of the changes within SWTOR. You will still be able to log in to Origin with either your email address or your Origin Display Name. In the background we will still update your Origin password if you change your password on the SWTOR website.
Quote:
Originally Posted by MrYellowDuck
But what about my current location? Will I need to be sent an Email Security Code on April 2nd along with everybody else???
Rather than force everybody to get revalidated, we will be grandfathering in existing approved locations, which are based on the existing Security Questions and Answers. If you have a Security Key, that functionality will not change and you will continue to only be required to enter the next Security Key code when you log in.
Quote:
Originally Posted by MrYellowDuck
Hang on, if I migrate and have to play from an Internet Cafe while flying to my summer home, will anybody be able to take over my account?
So there are two alternatives here I would recommend. The first is to get a Security Key that you can take with you. This will protect you from any potential key-loggers or other malware on the temporary computer you use. Just don't type your email account password in at the same time unless it is also protected by a two-factor system.
The second alternative is to change your password as soon as possible (from your smartphone or tablet perhaps?) after playing, as that will remove the existing Authorized Locations.
Quote:
Originally Posted by MrYellowDuck
You just told the hackers all your secrets! What the? Are you mad? No security 'professional' would ever do that!
I may indeed just have told some amateur hackers a small portion of our security model. You'll be (happy?) to know that the professional hackers figured out these pieces well before launch of the game in 2011 and it hasn't helped them. Additionally there are certain aspects that we can talk about (a variant of Shannon's maxim as applied to overall security systems rather than just cryptography - see Kerckhoffs's principle if you want a more technical view of the background of this maxim). Relying on Security by Obscurity (assuming a username can be kept secret for example) is not a direction we aim towards.
Quote:
Originally Posted by MrYellowDuck
Do I have to log in with my character name? It has weird and wonderful characters in it that I can't type easily! What do I have to do?
No. We will not be requiring you to log on with a character name. What you need to use is your Display Name.
Quote:
Originally Posted by MrYellowDuck
Well I don't know my Display Name! What do I do?
At any time before April 2nd, you will be able to log on to www.swtor.com (or www.starwarstheoldrepublic.com for those that like typing lots), log in and your Display Name will appear in the upper-right of the website.
Starting April 2nd, you will be able to have your Display Name sent to you via email as part of our first self-service option.
Quote:
Originally Posted by MrYellowDuck
You just said you would use my email address to recover my Display Name? I thought you said email addresses are bad?
Well, to be fair if you only know your email address, we have to let you type it in somewhere. Unless you have access to the email account though, you won't be able to read any emails that are sent to that email address. Regardless of if a particular email address is associated with a SWTOR account, you won't know if there is a link unless you do have access to the email account. It is that principle that continues to de-link the email address from the SWTOR account by purely just using the website (or game launcher) itself.
I actually like email addresses and don't think they are bad. They just don't always suit being used as a username based on how we implement the different aspects of authentication.
Quote:
Originally Posted by MrYellowDuck
Hang on, I'm a new Free To Play account. I have no email address. What can I do?
At any time a Free To Play account holder can register and validate an email address. Once you get to level 15 in-game, or want to purchase something from us, you will be required to register and validate an email address at that point in time.
Quote:
Originally Posted by MrYellowDuck
Are you getting rid of all my Security Questions and Answers? I liked them. Lots.
No. We are keeping the Security Questions and Answers in place and will be using them as a form of verification on the telephone if you ever need to call our Customer Services team. A lot of the changes going into place on April 2nd are to help enable self-service systems so that you will not need to call CS as often. We appreciate that a holding queue is very annoying, and that calling internationally is also not free. We would like to reduce costs where we can both for our players as well as ourselves.
Of course, we want to keep your accounts secure, so we are not reducing security to try and save costs and instead changing security slightly.
For the Free To Play accounts, Security Questions and Answers are also required when you want to purchase something from us.
Quote:
Originally Posted by MrYellowDuck
Is there anything I should do? I'm but a simple duck and computers and stuff are not my strong point.
Yes. Yes there is.
As we transition from relying on Answers to Security Questions to sending an Email Security Code to you when authenticating, the security of your own Account becomes something you can impact directly by also making sure your Email Account is also secure.
I would recommend you look at the following or get a more computer savvy friend to help:
Use a unique, complex and as lengthy a password as you can (stressing it is used nowhere else) on your email account
Where possible add a two-factor system to your email account - 2-Step on GMail is a great example
Make sure your connections to email are secured by SSL or similar. Basic SMTP (sends email in plain text) can easily disclose your password to somebody watching your network as can unsecured POP3 or IMAP
Ensure you have a good AV program installed and kept up to date. Microsoft Security Essentials for example is free on Windows and is one of many great choices
Don't visit hacker websites (or for that matter most adult-entertainment sites). A lot of them have virus attacks included in viewing the pages
Don't open attachments on emails that you aren't expecting. You have more chance of winning the lottery by buying a ticket in a shop...
Don't click links you don't know inside emails. Go to the website you think you need to go to and type the url in the hard way. Takes longer, but helps protect you...
There are many other things you can do - research 'securing my home computer' on Google and do 'all the things' you can!
Quote:
Originally Posted by MrYellowDuck
Why are you wasting all this time on changing something that I don't think needs changing? Make better graphics! Put in more flashpoints! We want more content, not more security! *peck!*
I have to say I am constantly amazed at what our artists can do. Let's just say I'm artistically challenged and my stick figures are pathetic and quite ugly to behold... I'm also not one of the server or game engineers and I don't think any of us want me messing around with code that could create full-scale blackouts across entire shards if it is written incorrectly. Basically we have many teams here and my specific team will continue to focus on the security aspects as that is what we are actually here for. Think of it as an added bonus.
Quote:
Originally Posted by MrYellowDuck
You keep mentioning two-factor. What does that mean?
I'm going to copy/paste most of an answer I gave in the previous thread. In the security field, when waffling on about authentication we talk of two-factor quite a bit. Two-factor (or dual-factor) is actually not 'the most secure' that we can be, as it really stands for 'two of three factors'. Those factors are:
Something I know (e.g. password)
Something I am (e.g. biometrics)
Something I have (e.g. security key)
I have often thought that putting all three factors in place would be awesome, but nobody liked my 'pint of blood in order to play' suggestion, so we haven't moved into biometrics as a requirement. As it is sure to come up, let us be clear that Security Questions and Answers (SQA's) are not truly two-factor. It's the first factor applied twice, so leaves us in a hybrid/grey area which counter-intuitively is actually very secure. Just not as secure as a true two-factor system. The key implementation that we are currently missing as mandated for all players is 'Something I have'. The Security Key is available and doing well today, and while I would love to see more people using them, we are not pushing people to have a Security Key as a mandatory requirement. Truth be told we deliberately do not make a profit on the physical security key, and absorb all of the cost of the mobile security key. One last thing that I should also point out, the Security Key is a time-limited code that changes frequently. If you think somebody can brute force their way through an account secured by a Security Key, then you should look into lottery tickets. It's far easier to win the jackpot in the lottery...
Quote:
Originally Posted by MrYellowDuck
OK, you have convinced me! Quack Quack! What is your email address so I can send you money via PayPal as thanks for all you have done?
Why thank you! My email address is ph..... Oh hang on, I see what you did there. Naughty duck!
OK, enough monologue from me! If you have questions or comments, please don't hesitate to reply. I can't promise an immediate turn-around, but we will be watching this thread and there will be replies when we can get them posted. I would however ask that you refrain from being too descriptive if you feel the need to say I'm wrong anywhere - the forum rules still apply.
That was a very lengthy post.... kudos to Philip for his sense of humor while writing it LOL
I wonder though how they will go about self managing security key...
Quote:
Originally Posted by MrYellowDuck
Why are you wasting all this time on changing something that I don't think needs changing? Make better graphics! Put in more flashpoints! We want more content, not more security! *peck!*
I have to say I am constantly amazed at what our artists can do. Lets just say I'm artistically challenged and my stick figures are pathetic and quite ugly to behold...
I am not a fan of this change. Apparently, it will allow them to increase their back end security, which as I understand it, means better encryption in case someone hacks their database, and also better security for people who use an authenticator.
I use an authenticator. It's a free smart phone application, so why not? I still see this as a problem. Basically, people without authenticators are going to be screwed. I am not sure if this is an intentional screwing, or if Bioware is just making a bad design decision again. But here is the thing.
A keylogger doesn't have to hack Bioware to get your name and password. They just have to hack any web site where you use that name and password. That includes blogs, forums, youtube, email, and a lot of web sites with horrible security measures already in place.
Error: 37. Signature not found. Please connect to my server for signature access.
Star Trek Online - Best Free MMORPG of 2012
What's with all the ducks? Can I have some?
Changing from two methods to log in to one method sounds ok to me. Strange move to be happening now though.
Cheers,
BadOrb.
PSO 4 years , EQOA 4 months , PSU 7 years , SWTOR launch ongoing , PSO2 SEA launch ongoing , Destiny 360 launch ongoing.
"SWG was not fun. Let it go buddy." quote from iiNoSkillzii 10/18/13
The original propoganda pixie dust villain :[]
Changing from two to one is OK, but it was only one method to log in beforehand - an email address. It is currently two methods so that people get used to logging in with the display name, then from April 2nd it will be back to the one method, which will be the display name.
Oh right, I read it started when F2P was released, not an official source though.
Cheers,
BadOrb.
No, this is completely false.
The first check is your IP address. If you're not logging in from your last IP address then it assumes you're someone else and proceeds to the second layer of security. 2 things now happen. If you attempt to log in with the wrong password too many times they block that account from your IP. You can no longer log in even if you get the right password. You can, however, still log in from your actual location. So if someone tries to get your account locked by guessing your password wrong too many times all it will do is ban him, not you.
Second, if they have the correct password they still won't be able to log in. If the IP address is different then they will be asked one of your 5 security questions that you created when you made the account. If you guess wrong too many times they IP ban you.
Lastly they said they are adding additional security on top of that and he hinted that it would be an email that is sent to you if someone attempts to log in from another location, similar to how GW2 does it. That is why they don't want your email address visible to any hackers.
Hackers generally use stolen email/password combos and try them all to see if they get any hits. If you remove email from the equation they would then need to know your display name. Considering you're less likely to use the same display name on different games this adds an extra layer of protection on top of the ones stated above.
I think the game is not the main concern in TOR's case (it's easy to restore the account if hacked), more like the other info that the account holds. I'm not sure whether EA changed their method after f2p or not, but back in the day it caused some uproar among us that they asked for every personal detail up front, before you even touched the game... I know, I know they were confident (http://img820.imageshack.us/img820/3833/29775697.jpg lol), but still, it was strange.
I mean TOR was the only game I played which said "cool, you bought the box, thank you. What, you want to play with the 1 month included? Give us your credit card number, etc. Or you can only watch that nice box on the shelf, without playing. But hey, thanks for the money, it's already in our pocket."
So the problem I think is not with the game accounts of those 500k who are still playing, it's the credit data of those 2mill+ who bought the game and gave the credit details during activation. (Not me, I use a virtual card for web payments.)
Every MMO does this. You don't get charged until your free month is up.
Not "every" : I could list lots of mmo's (as I wrote above, every single one I played) on the opposite side, but I just mention LotRO because that's the one in which I made a 2nd VIP account after f2p as well. Or AoC, before it went f2p.
The normal way is: you buy the box, install, make an account (without any details, only a name / password), play 30/60 days. AFTER that you can choose to ditch the game if it's weak, or pay for some more time - in this case you obviously set up a payment plan. But not before you even see the game.
That's how most p2p mmo's work/worked, in my experience. Except TOR, maybe EA expected that many players won't stay after the included 30days, that's why they collected the credit details beforehand
Not sure which MMOs you talk about, but every one I played asked for a credit card: EQ2, WoW, Rift, Aion, LOTRO, AoC... at least at the time they launched. That might have changed later if/when they moved to F2P, but not P2P games.
Sith Warrior - Story of Hate and Love http://www.youtube.com/watch?v=sxKrlwXt7Ao
Imperial Agent - Rise of Cipher Nine http://www.youtube.com/watch?v=OBBj3eJWBvU&feature=youtu.be
Imperial Agent - Hunt for the Eagle Part 1 http://www.youtube.com/watch?v=UQqjYYU128E
No, before they went F2P LOTRO also asked you to enter a credit card when you set up your account and subscription.
Strange... I hate giving out any info if I don't have to, and TOR was my first game where I had to enter payment details right at the activation - and I wasn't the only one who was surprised on that, at least around here.
Not an f2p thing I guess, I play AoC since launch, LotRO since Moria, and in both games I played the start without any payment plan. (I even left LotRO after the first month, and only entered credit details when I went back months later).
And to make it clear, my problem is the security, and not the card payment... since I can use virtual cards I don't give a turd as well on any company that want to collect my data (lol, it's virtual) but few years ago I liked to keep it secret, keep it safe, next to the Ring
You're obviously not remembering correctly. As proof - http://forums-eu.ageofconan.com/showthread.php?t=74750
"I Buyed AOC with 30 days free included , but to activate them you had to gif up credit card stuff etc .. so after i gave up all credit card info i Cancelled subscription , so i still have play time till the first 30 days are done , .. Will there be anything charged or not ?"
/scratch head and looking around totally lost...
I think I may have come up with a rational reason for this change in login, although it would probably require a database specialist to weigh whether my reason seems likely.
As many know Origin has a big stinking bug where it flags email addresses as doo-doo, and people can't make micro-transactions without changing their email addresses. This spans all their titles, including SWTOR.
The undocumented workaround involves creating a new email account tied to your origin account.
There are many SWTOR players who have been hit by this Origin bug, and can't buy Cartel Coins. Many even have to buy Game cards instead of just using their Credit cards to purchase game time for subs.
Perhaps the change in login procedure is to set up a new database untied to specific email addresses so Origin can use the new database to look up payment information.
This seems to be a valid reason for changing the login procedure, although it has nothing to do with security.
I still think it decreases security on accounts. In my opinion they should have made a unique login different from the forum handle. The Bioware security dude even stated that they considered this but decided it would be too expensive/too much of a hassle.
If I'm right, they should have just said so. (IMO)
Basically the exact same thing they have been doing...derp...lots and lots of derp.
"I hope we shall crush...in its birth the aristocracy of our moneyed corporations, which dare already to challenge our government to a trial of strength and bid defiance to the laws of our country." ~Thomas Jefferson
another name failure, (although a different one) that would make one every 6 months
what is it with these guys and names? they just can't seem to get it right
that's one of the reasons for our posts about swtor
and this forum doesn't have a GIGANTIC $$ value attached to it
but of course it does share the IP, and since even preferred can't post on their own forums
we go to this place, and share our opinions
about trainwrecks, this site is much older than swtor
come back, when swtor is in its 5th year, let's see who has crashed then
they made it from record sales to F2P in a year, and I haven't seen anything that could stop the bleeding
If you don't do stupid things while you're young, you'll have nothing to smile about when you're old.
dude, that chemical shit ain't good for ya
go green, man
new dev post about the display name login change (be warned, it's long):
http://www.swtor.com/community/showthread.php?p=6011930#edit6011930
On April 2nd, we are changing some aspects of our Authentication system. In our first notification of the most visible of the changes on March 5th (http://www.swtor.com/community/showthread.php?p=5954106) we were still waiting on the last few background systems to be confirmed as ready. Now that they are ready, today's notification also includes those changes as well.
On April 2nd, the following changes are going live:
Here are some of the questions I expect might get asked. Accordingly I'm going to let one of my ducks do the asking so I can make a first go at answering them...
Quote:
Why can't we use our email address? It's awesome! Quack! All the best companies use email address as username!
Lots of companies do use email address as the username. Lots don't. Both approaches have risks as well as rewards. One of the key risks for using email address is that an attacker who gets a valid email address and password will then know for certain that the account is associated with the website (or game!). For SWTOR this does not mean that the attacker could then take over an account, but it would give them the knowledge of who to craft a phishing attack against and have a higher rate of success in gaining access to information such as Answers to Security Questions. Without the link to email address, they also won't know the needed information in order to target the email account itself for a take-over in order to gain access to SWTOR and anything else linked to that email account.
This change will remove the ability to link (based on knowledge of the correct password) to your SWTOR account.
Even today if an attacker gets the right password they will not be able to gain access to your account, and with this change they will not be able to figure out which email address to send a phishing attack at, or which email account to try and take over. This allows us to place more trust in the ownership of the email account as being validation that we are (electronically) talking to the owner of the account.
Quote:
OK, that wasn't a question. Let's just presume you are actually asking if using the publicly visible Display Name increases the chance you will be hacked...
We put in other controls before the launch of the game during 2011 such as the existing Security Questions and Answers system in order to protect your account even if an attacker managed to get the correct username and password. That security control aspect is not going away (although the 'remember' part is for the website and game launcher). In reality we are making it harder for an attacker, and giving you more control on the security of your account.
Let's look at the different pieces needed to successfully log in today:
There are hundreds of millions of known username/password data rows available on the Internet. Well over 100 million unique email addresses. Most of these compromised details use email address as the username... It is this fact that dictates that attackers will know the username for at least some accounts regardless of any secrecy we may try to implement. You can check your own email address at http://pwnedlist.com/ for instance as one of the posts on the previous thread indicated.
So no, we have not given away 50% of the security. Half the battle is not lost. You should not care that anybody else knows your username. You should instead think they may have it already.
That said, you should care about your password, both on SWTOR as well as on your email account. It is especially important to use a unique password on your email account if nowhere else. I would recommend looking at a two-factor solution for your email account and will give the 2-Step authentication feature on GMail as an example. Google 2-Step today
Quote:
I don't want my Display Name to be public! I disagree with everything you are saying!
We are working on a new 'Forum Display Name' capability so that people will at some point in the future be able to change the name used on the forums. Which way we go about that (choose a character name? let you write whatever you want?) is still being decided and that will impact the amount of work required and therefore the 'when'.
This is not something that is planned for April 2nd.
It is also not something that can be easily implemented in a matter of minutes. Regardless of if the change would be as simple as adding a column in a database, there is still getting that data presented to the website securely, providing the ability to input data into the column itself (again securely), and that is before we have our awesome QA team make sure the functionality works as expected. We won't say 'soon' on this feature, as it is too early to be able to predict when this could be rolled out.
Quote:
What is this 'Email Security Code' you speak of?
We will send you an 'Email Security Code', via email, whenever we determine you are attempting to log on from a non-authorized location. This is similar to how we prompt for the Security Questions and Answers today, except instead of having to remember an Answer, you will be provided it via email instead.
With the Security Question and Answer system in place today, it is sometimes possible for an attacker to research a person well enough to be able to have a chance of guessing the correct Answer if they have already got the correct username and password. It is also possible to phish for the Answer if you know the email address.
By changing to an Email Security code, this actually decreases the chance an attacker would be able to guess the correct 'answer', as not only will the Email Security Code be randomized each time it is set, there will only be a small number of chances to guess the correct code before the randomization reoccurs and a new code is sent. This keeps a concept called 'entropy' (as applied outside of thermodynamics and instead focusing on 'the degree of disorder or uncertainty in a system') at an extremely high level. If you want an example as applied to passwords, I highly recommend reading XKCD (http://xkcd.com/936/).
If anybody ever does actually guess the Email Security Code, they should immediately go out and buy a single-line lottery ticket. Actually they would have far more chance winning the lottery in the first place. Far, far more chance...
Quote:
Your new system will allow anybody to lock me out! *peck!* This is pathetic!
No. No it will not.
As soon as we detect an attempt to log in from a new 'location', we prompt that location for an Email Security Code which will be delivered to your Email Account (or Security Questions and Answers today). It is only after that prompt is verified that we will move the new location into an Authorized Location status. We do not remove your current Authorized Location as soon as a new location is detected. We keep a number (no I won't say how many) of Authorized Locations in the system, so an attacker can try to lock you out, but they will never succeed as they first have to validate themselves. From that point forward you will be able to log in from that new Authorized Location and at no point can an attacker actually lock you out.
Quote:
Actually the Origin authentication system is not changing as a result to the changes within SWTOR. You will still be able to log in to Origin with either your email address or your Origin Display Name. In the background we will still update your Origin password if you change your password on the SWTOR website.
Quote:
But what about my current location? Will I need to be sent an Email Security Code on April 2nd along with everybody else???
Rather than force everybody to get revalidated, we will be grandfathering in existing approved locations, which are based on the existing Security Questions and Answers. If you have a Security Key, that functionality will not change and you will continue to only be required to enter the next Security Key code when you log in.
Quote:
So there are two alternatives here I would recommend. The first is to get a Security Key that you can take with you. This will protect you from any potential key-loggers or other malware on the temporary computer you use. Just don't type your email account password in at the same time unless it is also protected by a two-factor system.
The second alternative is to change your password as soon as possible (from your smartphone or tablet perhaps?) after playing, as that will remove the existing Authorized Locations.
Quote:
You just told the hackers all your secrets! What the? Are you mad? No security 'professional' would ever do that!
I may indeed just have told some amateur hackers a small portion of our security model. You'll be (happy?) to know that the professional hackers figured out these pieces well before launch of the game in 2011 and it hasn't helped them. Additionally there are certain aspects that we can talk about (a variant of Shannon's maxim as applied to overall security systems rather than just cryptography - see Kerckhoffs's principle if you want a more technical view of the background of this maxim). Relying on Security by Obscurity (assuming a username can be kept secret for example) is not a direction we aim towards.
Quote:
No. We will not be requiring you to log on with a character name. What you need to use is your Display Name.
Quote:
Well I don't know my Display Name! What do I do?
At any time before April 2nd, you will be able to log on to www.swtor.com (or www.starwarstheoldrepublic.com for those that like typing lots), log in and your Display Name will appear in the upper-right of the website.
Starting April 2nd, you will be able to have your Display Name sent to you via email as part of our first self-service option.
Quote:
You just said you would use my email address to recover my Display Name? I thought you said email addresses are bad?
Well, to be fair if you only know your email address, we have to let you type it in somewhere. Unless you have access to the email account though, you won't be able to read any emails that are sent to that email address. Regardless of if a particular email address is associated with a SWTOR account, you won't know if there is a link unless you do have access to the email account. It is that principle that continues to de-link the email address from the SWTOR account by purely just using the website (or game launcher) itself.
I actually like email addresses and don't think they are bad. They just don't always suit being used as a username based on how we implement the different aspects of authentication.
Quote:
Hang on, I'm a new Free To Play account. I have no email address. What can I do?
At any time a Free To Play account holder can register and validate an email address. Once you get to level 15 in-game, or want to purchase something from us, you will be required to register and validate an email address at that point in time.
Quote:
Are you getting rid of all my Security Questions and Answers? I liked them. Lots.
No. We are keeping the Security Questions and Answers in place and will be using them as a form of verification on the telephone if you ever need to call our Customer Services team. A lot of the changes going into place on April 2nd are to help enable self-service systems so that you will not need to call CS as often. We appreciate that a holding queue is very annoying, and if calling internationally also not free. We would like to reduce costs where we can both for our players as well as ourselves.
Of course, we want to keep your accounts secure, so we are not reducing security to try and save costs and instead changing security slightly.
For the Free To Play accounts, Security Questions and Answers are also required when you want to purchase something from us.
Quote:
Is there anything I should do? I'm but a simple duck and computers and stuff are not my strong point.
Yes. Yes there is.
As we transition from relying on Answers to Security Questions to sending an Email Security Code to you when authenticating, the security of your own Account becomes something you can impact directly by also making sure your Email Account is also secure.
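The Authorized Location and Email Security Code flow the dev post describes, as an added Python model written for this thread, not BioWare's code. The code length, the number of guesses allowed per code and the number of locations kept are assumptions, since the post does not give them; the account name, password and email are constructed sample values.

```python
import hashlib
import hmac
import secrets
from collections import deque

# Assumptions (hypothetical values): the post does not state the code length, the
# number of guesses allowed per code, or how many Authorized Locations it keeps.
CODE_HEX_CHARS = 8
MAX_CODE_ATTEMPTS = 3
MAX_AUTHORIZED_LOCATIONS = 3


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the model never keeps a plaintext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    """One account: Display Name login, Authorized Locations, Email Security Codes."""

    def __init__(self, display_name, password, email, grandfathered=()):
        self.display_name = display_name
        self.email = email
        self.salt = secrets.token_bytes(16)
        self.password_hash = _hash_password(password, self.salt)
        # Locations that already passed verification (the 'grandfathered' ones on
        # day one); bounded, the oldest is dropped when a new one is added.
        self.authorized = deque(grandfathered, maxlen=MAX_AUTHORIZED_LOCATIONS)
        self.pending = {}   # location -> {"code": str, "attempts": int}
        self.outbox = []    # simulated emails delivered to the account holder

    def _issue_code(self, location):
        """Randomize a fresh code for this location and 'email' it to the owner."""
        code = secrets.token_hex(CODE_HEX_CHARS // 2).upper()
        self.pending[location] = {"code": code, "attempts": 0}
        self.outbox.append({"to": self.email, "location": location, "code": code})

    def login(self, display_name, password, location, email_code=None):
        # Factor 1, something you know: wrong Display Name or password ends here.
        if display_name != self.display_name or not hmac.compare_digest(
                _hash_password(password, self.salt), self.password_hash):
            return "denied"
        if location in self.authorized:
            return "ok"
        # New location: the password alone is not enough; prove mailbox access.
        entry = self.pending.get(location)
        if entry is None:
            self._issue_code(location)
            return "code_required"
        if email_code is None:
            return "code_required"
        if hmac.compare_digest(entry["code"], email_code):
            del self.pending[location]
            self.authorized.append(location)   # promote to Authorized Location
            return "ok"
        entry["attempts"] += 1
        if entry["attempts"] >= MAX_CODE_ATTEMPTS:
            self._issue_code(location)   # re-randomize: earlier guesses are wasted
            return "code_reissued"
        return "code_wrong"

    def change_password(self, new_password):
        """Changing the password drops every Authorized Location, as the post says."""
        self.salt = secrets.token_bytes(16)
        self.password_hash = _hash_password(new_password, self.salt)
        self.authorized.clear()
        self.pending.clear()


def guess_probability(attempts_per_code=MAX_CODE_ATTEMPTS):
    """Chance of guessing one code before it is re-randomized (3 / 16**8, about 7e-10)."""
    return attempts_per_code / 16 ** CODE_HEX_CHARS


def walkthrough():
    """Owner at 'home' (grandfathered), attacker with the right password elsewhere."""
    name, pw = "DuckCommander", "correct horse battery staple"   # constructed sample
    acct = Account(name, pw, "duck@example.invalid", grandfathered=["home"])
    r = {}
    r["owner_home"] = acct.login(name, pw, "home")
    r["attacker_wrong_pw"] = acct.login(name, "password1", "cafe")
    r["attacker_new_location"] = acct.login(name, pw, "cafe")
    sent_before = len(acct.outbox)
    # 'ZZZZZZZZ' is not hex, so it can never match a real code.
    r["attacker_guesses"] = [acct.login(name, pw, "cafe", email_code="ZZZZZZZZ")
                             for _ in range(MAX_CODE_ATTEMPTS)]
    r["code_reissued"] = len(acct.outbox) == sent_before + 1
    r["owner_not_locked_out"] = acct.login(name, pw, "home")
    # Owner travels: prompted, reads the code from the mailbox, validates the hotel.
    r["owner_hotel_prompt"] = acct.login(name, pw, "hotel")
    r["owner_with_code"] = acct.login(name, pw, "hotel", email_code=acct.outbox[-1]["code"])
    r["hotel_now_authorized"] = acct.login(name, pw, "hotel")
    acct.change_password("new unique passphrase 42")
    r["after_password_change"] = acct.login(name, "new unique passphrase 42", "home")
    return r


if __name__ == "__main__":
    for step, outcome in walkthrough().items():
        print(f"{step:24s} {outcome}")
```

The walkthrough shows the two properties the post claims: a correct password from an unknown location only triggers a code prompt, and the attacker's failed guesses never touch the owner's existing Authorized Location.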