Internet card address

kb4blu Member Uncommon Posts: 717

Back in the 80's and 90's I was a system manager for HP 1000, HP unix, AS400  and so on.  I got my intro to networking with these machines.

I have often wondered why the network card address can't be used to identify your system when you log on to an MMO.  Since the network card address is unique, could this be used to prevent someone on another computer from hacking your account??

If you got another computer or changed your card you could maybe call the MMO company and validate that you are the owner of the account ??

Is this a stupid idea ??   Am I out of date with the tech today ??

Anyway I just thought I would toss the idea out and see what kind of response I got.

I apologize if this has been mentioned before.

Comments

  • AvsRock21 Member Uncommon Posts: 256
    I don't think you're out of date with today's tech, just not yet experienced enough in the field of networking. Your NIC address, the MAC address, only really operates on the second layer of the OSI model, the data-link layer. When you make a connection to another server, be it a game server or a website, the only address they will see is the one contained in the third layer of the OSI model (Network layer), your IP address. You get your external IP from your ISP, and they dynamically assign IP addresses to non-commercial accounts, so it's always changing and therefore pretty useless.
  • Quizzical Member Legendary Posts: 25,355

    Having to call a game company every time you want to play a game on a different computer would be a major hassle for players and a major expense for companies.  What you need is something that from the viewpoint of the company, is completely automated except for rare cases, and from the viewpoint of players, is as little hassle as possible.

    What I would do is to create a file on the client computer that acts as a second "password" of sorts.  This can be very long (for a password; let's say 256 bits, which is 32 bytes) and very "random" in order to be secure, since no human has to remember it.  Furthermore, if you want to play the game on a different computer, you just copy the file over (which you would do anyway if you're copying the game over rather than downloading it from scratch) and you're set.

    If you lose it, then having the right "normal" password and the wrong file password at a login would send you an e-mail asking you if you want to allow or block the access--and if you choose to allow it, then that becomes an additional file password attached to your account and works permanently.  That also lets you know if someone else has your username and normal password and is trying to steal your account, so long as he doesn't get the file password.

    There are ways to transmit the file password such that the game server can tell if you're using the same one every time, without having to know what your file password is.  And there are ways to disguise it so that even someone who sees the full communications between the client and the server can't get the file password from it, either, nor even enough data to be able to convince the server that he knows the file password.  You can kind of do that with normal passwords, too, but the normal passwords that most people use can be obtained by brute-force if a man in the middle sees all communications between client and server.  A file password would be basically immune to brute-force attacks--and also to idiotic password choices from stupid users.  But that's wandering into public-key encryption type methods, so I'll spare you the details.
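
An added example, not part of the post above and not any game's actual code: one way to get the properties the last paragraph describes, assuming the 32-byte file password is used as the seed of an Ed25519 signing key. `Server`, `Respond` and the status strings are hypothetical names, and the normal password check is assumed to happen before `Verify`; `unknown-device` is the case where the allow/block e-mail would be sent.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

type devKey struct{ user, pub string }

// Server stores only public keys; it never learns a file password.
type Server struct {
	keys      map[devKey]bool   // approved (account, public key) pairs
	challenge map[string][]byte // outstanding nonce per account
}

func NewServer() *Server { return &Server{map[devKey]bool{}, map[string][]byte{}} }

// Enroll is what the "allow" link in the e-mail would trigger.
func (s *Server) Enroll(user string, pub ed25519.PublicKey) { s.keys[devKey{user, string(pub)}] = true }

// NewChallenge issues a fresh random nonce for one login attempt.
func (s *Server) NewChallenge(user string) []byte {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	s.challenge[user] = n
	return n
}

// Verify (run after the normal password check) returns ok, unknown-device or reject.
func (s *Server) Verify(user string, pub ed25519.PublicKey, sig []byte) string {
	nonce, ok := s.challenge[user]
	delete(s.challenge, user) // single use: a captured response cannot be replayed
	if !ok || len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, nonce, sig) {
		return "reject"
	}
	if s.keys[devKey{user, string(pub)}] {
		return "ok"
	}
	return "unknown-device"
}

// Respond is the client: the 32-byte file password seeds the signing key.
func Respond(filePassword, nonce []byte) (ed25519.PublicKey, []byte) {
	priv := ed25519.NewKeyFromSeed(filePassword)
	return priv.Public().(ed25519.PublicKey), ed25519.Sign(priv, nonce)
}

func main() {
	s, seed := NewServer(), make([]byte, 32) // constructed all-zero seed, demo only
	pub, sig := Respond(seed, s.NewChallenge("alice"))
	fmt.Println(s.Verify("alice", pub, sig)) // first contact from this device
}
```

An eavesdropper sees only the nonce, the public key and a signature over that nonce, none of which answers the next login's nonce.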

  • tablo Member Uncommon Posts: 40
    Originally posted by Quizzical

    Having to call a game company every time you want to play a game on a different computer would be a major hassle for players and a major expense for companies.  What you need is something that from the viewpoint of the company, is completely automated except for rare cases, and from the viewpoint of players, is as little hassle as possible.

    What I would do is to create a file on the client computer that acts as a second "password" of sorts.  This can be very long (for a password; let's say 256 bits, which is 32 bytes) and very "random" in order to be secure, since no human has to remember it.  Furthermore, if you want to play the game on a different computer, you just copy the file over (which you would do anyway if you're copying the game over rather than downloading it from scratch) and you're set.

    If you lose it, then having the right "normal" password and the wrong file password at a login would send you an e-mail asking you if you want to allow or block the access--and if you choose to allow it, then that becomes an additional file password attached to your account and works permanently.  That also lets you know if someone else has your username and normal password and is trying to steal your account, so long as he doesn't get the file password.

    There are ways to transmit the file password such that the game server can tell if you're using the same one every time, without having to know what your file password is.  And there are ways to disguise it so that even someone who sees the full communications between the client and the server can't get the file password from it, either, nor even enough data to be able to convince the server that he knows the file password.  But that's wandering into public-key encryption type methods, so I'll spare you the details.

    Authenticators do pretty much the same thing. So what is the point of doing it that way?

  • Quizzical Member Legendary Posts: 25,355
    Originally posted by tablo
    Originally posted by Quizzical

    Having to call a game company every time you want to play a game on a different computer would be a major hassle for players and a major expense for companies.  What you need is something that from the viewpoint of the company, is completely automated except for rare cases, and from the viewpoint of players, is as little hassle as possible.

    What I would do is to create a file on the client computer that acts as a second "password" of sorts.  This can be very long (for a password; let's say 256 bits, which is 32 bytes) and very "random" in order to be secure, since no human has to remember it.  Furthermore, if you want to play the game on a different computer, you just copy the file over (which you would do anyway if you're copying the game over rather than downloading it from scratch) and you're set.

    If you lose it, then having the right "normal" password and the wrong file password at a login would send you an e-mail asking you if you want to allow or block the access--and if you choose to allow it, then that becomes an additional file password attached to your account and works permanently.  That also lets you know if someone else has your username and normal password and is trying to steal your account, so long as he doesn't get the file password.

    There are ways to transmit the file password such that the game server can tell if you're using the same one every time, without having to know what your file password is.  And there are ways to disguise it so that even someone who sees the full communications between the client and the server can't get the file password from it, either, nor even enough data to be able to convince the server that he knows the file password.  But that's wandering into public-key encryption type methods, so I'll spare you the details.

    Authenticators do pretty much the same thing. So what is the point of doing it that way?

    This does everything for you automatically, with no need to buy an authenticator or type in a separate password from an authenticator, and no chance of physically losing your authenticator.

    The downside is that my approach doesn't offer any protection from a trojan that gets full access to your computer, and thus can steal your file password.  Though if you've got that on your computer, whoever put it there is probably after bigger fish than stealing game accounts.

  • Ridelynn Member Epic Posts: 7,383

    Well, to some extent, your internet address is used by some login types.

    For instance, both Blizzard and ArenaNet will look at your IP address if you are using third-party verification (security token).

    The game always asks for your username/password (and can save these locally if you wish). The game asks for your security token the first time, and this comes from the keychain or mobile app. If you get it right, it records your IP address, and for all requests coming from that same IP address, the security token is bypassed, as it assumes you're logging in from a normally-used computer. The security token is then only asked for to access your account and make billing/account changes, or when you access it from a new IP address.

    So if your IP address is constantly changing (and for most people, it can change periodically, but rarely does it constantly change) - then it's not a huge inconvenience, and your account still stays relatively safe. Someone trying to hijack your account needs to have your username and password (not that hard to get anymore, given the tendency for most people to share login credentials across sites, or if a trojan keylogger or something records it) and then either have broken the third-party verification (very difficult, but not impossible - a keylogger/trojan can't break this since it relies on an external ever-changing series of ciphers), or completely spoof your normal home IP address so that they bypass the third-party verification (also, very difficult, but not impossible - a botnet on your computer could possibly do it by remote-controlling your computer to start the game and log in, or by doing some very sophisticated internet routing using your computer as a proxy server).

    Really though, it's hard to do fully convenient security, as there is always an equally convenient way to bypass it. Convenience and Security are mostly mutually exclusive.

  • kadepsyson Member Uncommon Posts: 1,919
    Originally posted by Ridelynn

    Well, to some extent, your internet address is used by some login types.

    For instance, both Blizzard and ArenaNet will look at your IP address if you are using third-party verification (security token).

    The game always asks for your username/password (and can save these locally if you wish). The game asks for your security token the first time, and this comes from the keychain or mobile app. If you get it right, it records your IP address, and for all requests coming from that same IP address, the security token is bypassed, as it assumes you're logging in from a normally-used computer. The security token is then only asked for to access your account and make billing/account changes, or when you access it from a new IP address.

    So if your IP address is constantly changing (and for most people, it can change periodically, but rarely does it constantly change) - then it's not a huge inconvenience, and your account still stays relatively safe. Someone trying to hijack your account needs to have your username and password (not that hard to get anymore, given the tendency for most people to share login credentials across sites, or if a trojan keylogger or something records it) and then either have broken the third-party verification (very difficult, but not impossible - a keylogger/trojan can't break this since it relies on an external ever-changing series of ciphers), or completely spoof your normal home IP address so that they bypass the third-party verification (also, very difficult, but not impossible - a botnet on your computer could possibly do it by remote-controlling your computer to start the game and log in, or by doing some very sophisticated internet routing using your computer as a proxy server).

    Really though, it's hard to do fully convenient security, as there is always an equally convenient way to bypass it. Convenience and Security are mostly mutually exclusive.

    I think the OP may have meant the MAC address but not sure.

  • maplestone Member Uncommon Posts: 3,099
    IPv6 (which is very slowly replacing IPv4) has the potential to be used for unique identifiers because some systems of generating addresses embed the computer's MAC address.  But (if I understand correctly) for the sake of privacy, most OSes use temporary, randomized addresses to specifically prevent this sort of tracking.
  • Ridelynn Member Epic Posts: 7,383

    There are also a lot of other semi-unique numbers you could key from that are available on your computer (network MAC address was mentioned, nearly every piece of hardware can report its model and serial number, your Windows domain and login information, etc), or take some combination of and hash to form some unique identifier, but these are all per-computer.

    You could look to Windows 8 and their new "cloud" Microsoft login that works across PC's, or something like the Apple ID that is used for iTunes/iCloud that works across computers. But those are really based on the single user/password, and can just as easily be hacked/attacked as anything else, and are probably more dangerous just because they unlock a lot more data than just a video game account.

    Really, outside of biometrics (and even that relies on software to interface, which can be spoofed or bypassed) or real person-to-person contact (and even that runs big risks, as Sarah Palin found out), there isn't much a company can do to identify that you are really you. A SSN and good photo ID and you can be anyone in the United States you want to be, as scary as that is.

  • DarkOmega Member Posts: 28
    It wouldn't be that great for login security as MAC addresses can be spoofed.
  • asmkm22 Member Posts: 1,788

    First of all, I assume you mean the MAC address.

    Anyway, MAC addresses are generally only transmitted to the next "hop" or routing device.  In your case, that would be the router at your home.  The next hop out would possibly see the MAC address of your router's external interface, depending on the protocol used, but nothing else.  It also wouldn't see your internal IP address (it only knows your external).

    Now, if you have IPv6 set up to be autoconfigured, then it's technically possible that your card's MAC address would be visible that way, since the MAC address makes up part of an IPv6 address (if autoconfigured).  It wouldn't be a very reliable way of handling it anyway, since it wouldn't apply to everyone, and the overhead of having to parse through the IPv6 address to determine if it's autoconfigured or not seems a little pointless.

    You make me like charity
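
An added example, not part of any post in this thread: the IPv6 parsing that maplestone's and asmkm22's posts refer to, assuming the modified EUI-64 interface identifier of RFC 4291. `MACFromEUI64` is a hypothetical helper, and the addresses in the comments are constructed from the 2001:db8::/32 documentation prefix.

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
)

// MACFromEUI64 returns the MAC embedded in an IPv6 address whose interface
// identifier has the modified EUI-64 form, and false for anything else
// (IPv4, unparsable input, randomized/temporary or manually set identifiers).
func MACFromEUI64(s string) (net.HardwareAddr, bool) {
	addr, err := netip.ParseAddr(s)
	if err != nil || !addr.Is6() || addr.Is4In6() {
		return nil, false
	}
	b := addr.As16()
	iid := b[8:] // low 64 bits: the interface identifier
	// EUI-64 inserts ff:fe between the two halves of the 48-bit MAC.
	// A random identifier can contain ff:fe by chance, so a match is a
	// strong hint rather than proof.
	if iid[3] != 0xff || iid[4] != 0xfe {
		return nil, false
	}
	// Undo the mapping: drop ff:fe and flip the universal/local bit back.
	return net.HardwareAddr{iid[0] ^ 0x02, iid[1], iid[2], iid[5], iid[6], iid[7]}, true
}

func main() {
	// Constructed sample addresses: one EUI-64 style, one randomized style.
	for _, a := range []string{"2001:db8::211:22ff:fe33:4455", "2001:db8::a1b2:c3d4:e5f6:789a"} {
		mac, ok := MACFromEUI64(a)
		fmt.Println(a, ok, mac)
	}
}
```

The second address shows why the privacy addresses maplestone mentions make this useless as an identifier: nothing in it maps back to the card.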

  • asmkm22 Member Posts: 1,788
    Originally posted by DarkOmega
    It wouldn't be that great for login security as MAC addresses can be spoofed.

    Technical limitations about the MAC not getting transmitted aside, it wouldn't matter if it's spoofable in this case.  It's unlikely anyone would be able to know what MAC to spoof in the first place, unlike a password which can be guessed, or an IP address which can be farmed.

    You make me like charity

  • maplestone Member Uncommon Posts: 3,099
    Originally posted by asmkm22

    Technical limitations about the MAC not getting transmitted aside, it wouldn't matter if it's spoofable in this case.  It's unlikely anyone would be able to know what MAC to spoof in the first place, unlike a password which can be guessed, or an IP address which can be farmed.

    That depends how they are getting the information - if they are brute-forcing/guessing/resetting a password, sure.  But if they are using spyware or eavesdropping on the local network, it would be trivial to grab the MAC address along with the password.  At some point, if you are determined to tie a user to a piece of hardware, you might as well go the extra step of using an authentication token rather than the computer itself.

    (that said, this is a topic best left to crypto specialists rather than brainstormed on a forum - I know enough to know I know too little)

  • kadepsyson Member Uncommon Posts: 1,919
    So our best hope to keeping our stash of WoW gold secure is Quantum Entanglement.
  • asmkm22 Member Posts: 1,788
    Originally posted by maplestone
    Originally posted by asmkm22

    Technical limitations about the MAC not getting transmitted aside, it wouldn't matter if it's spoofable in this case.  It's unlikely anyone would be able to know what MAC to spoof in the first place, unlike a password which can be guessed, or an IP address which can be farmed.

    That depends how they are getting the information - if they are brute-forcing/guessing/resetting a password, sure.  But if they are using spyware or eavesdropping on the local network, it would be trivial to grab the MAC address along with the password.  At some point, if you are determined to tie a user to a piece of hardware, you might as well go the extra step of using an authentication token rather than the computer itself.

    (that said, this is a topic best left to crypto specialists rather than brainstormed on a forum - I know enough to know I know too little)

    I'm a systems analyst, so one thing I do know is that it's a moot point due to the MAC not being transmitted.

    You make me like charity
