[Feba]

First off, I realize SE is unlikely to ever reply to this, it's more of a rhetorical question about FFXI seeming to turn to an RMT based business model. Secondly, I'm not doubting the value or purpose of a physical code to login.

What I am curious about is, I've seen services offered that do practically the same thing, but by sending an SMS message to the user's cellphone, instead of forcing them to use a dongle. This produces effectively the same result; sure, the user must wait from the time they begin to login until the SMS message arrives, instead of it being instantaneous, but it's a very quick process. And they obviously have tradeoffs-- the cellphone basically requires a good data plan, and a cellphone at all. You wouldn't be able to login while you're on a call, or as discreetly if you're in public for some reason. And it's slightly less secure, but for the purposes of an online game that's not really an issue. On the other hand, if you lose a cellphone, you'd have it replaced anyway, and your new login messages could simply go to the new one. Lose a dongle, and you have to pay more than you would've to have it replaced. The dongle requires more clutter, and you can't have two-- if you have a second cell phone (for example, shared accounts) it's very simple to just add an alternate number to send to.

But for all practical purposes, they both achieve the same ends in terms of account protection. Why, then, does SE not offer this service, and allow people to link a security code to their cell-phone, instead of a dongle? It's the same benefit and service, but could be done at no cost. Why is this a less valid requirement for Mog Satchel than the token? And if the token isn't just a way to make people pay for the Mog Satchel, but is truly supposed to be to get people to improve their security, why not offer this service?

[Raydeus]

I always said including the satchel with the purchase of the token was a very clumsy (read very retarded) way to handle it.

And that's about all I have to say about it.





PS > I decided to buy the token waaaay before the satchel was on the map, but that's because I was already familiar with the use of security tokens and liked that way they work.

[Firewind]

"PS2 Limitations"








On a more serious note I wouldn't want SE getting hold of my cell phone number. I get enough spam texts daily from my service provider. I think I'd go mad if SE sent me a message every time I try to log on or every time I need to pay renew a content ID X_X

There is also a practical problem. The Security Tag code changes every minute. It can take considerably longer than a minute for that text to reach you and well by the time you get the text and input the password into POL your one time password will have changed so you will have to ask for another text message.

[Feba]

1- Such a program can be used to exclusively send codes. There''s no reason it has to include advertisement or other account notifications if they're not requested.
2- Yes, but again, this service is already provided. Usually, they don't take more than a few seconds. If latency does become a problem, the length of time could easily be extended.

[TheGrandMom]

Quote:

Originally Posted by Feba

First off, I realize SE is unlikely to ever reply to this, it's more of a rhetorical question about FFXI seeming to turn to an RMT based business model. Secondly, I'm not doubting the value or purpose of a physical code to login.

I loathe to post this. I know some of the responses I'm going to get when I say this and its one of the reasons I didn't post this when it actually happened.

My son is 26 and he's played FFXI since the beginning. He's never given out his information to anyone.....ever.....not even me. With all the hacked accounts, he had a little bit of paranoia over his account possibly getting hacked so he invested in the token and used it every day. A couple weeks ago his account was partially hacked. He must have logged in and knocked whoever was on it off. They took nearly everything off his main character but had not gotten to his mules. He immediately changed his info and then contacted a GM.

Of course, we were expecting the usual bs and possibly months of getthing this fixed. It actually took 3 days. Two days after he reported it the GM returned 10 items to him and the next day when he logged in he was immediately contacted by a GM who appeared in his mog house and gave the rest of his stuff back to him.

[Caspian]

I have to ask, how the hell were they able to log in without knowing what the code from the token was?

[Grizzlebeard]

Quote:

Originally Posted by Feba

Do we really need to buy a security token?

Are you playing again?

[Durahansolo]

Yeah, how'd they get into his account without the token? (Or was this before he got it?)

Quote:

Originally Posted by TheGrandMom

Two days after he reported it the GM returned 10 items to him and the next day when he logged in he was immediately contacted by a GM who appeared in his mog house and gave the rest of his stuff back to him.

Big Brother is watching. O_O.

That is good to hear that he got everything back though.

[Guppy]

Quote:

Originally Posted by Caspian

I have to ask, how the hell were they able to log in without knowing what the code from the token was?

It could have been a Session Hijack (listed in Wikipedia, I can't link yet due to my low post count), which is a type of technique applicable when one-time-passwords are in use. Generally, it is used to allow an intruder to hop on by using the valid credentials you've entered for a single session.

For instance, as a relatively unsophisticated example, a trojan could be used to install remote desktop management software. Then they wait for you to log-in, at which point (without ever needing to know your pass-code), they remote-control your keyboard, walk your character over to a delivery box, and mail all your shinies to their mule. If they're smart, they'll wait until you're bazaaring in Jeuno or AFKing for a long time, indicating that you're probably not watching the screen.

If they're willing to put in the effort, they could make it more subtle, like using their trojan to intercept your logout request, and then instead pass the client a fake logout acknowledgment. As far as you can see, you've logged-out normally, but the session is secretly kept open since as far as SE's servers know, you never logged out.

Unlike normal a normal account hijack, the intruder never manages to steal the entire account itself, since they can only "borrow" by pretending to be you. Each time their joyride ends, they can only get back on by waiting for you to supply the correct passcode -- but they only need to do this once, if all they want is to steal your stuff, instead of the account itself.

[Omgwtfbbqkitten]

I always sort of felt that the security token was part of a bigger plan with Square-Enix Members.

Let's face it, PlayOnline as a concept hasn't really attracted what SE (and originally Namco, who's scared shitless to do anything online) wanted to accomplish. Its been a shell to host FFXI and that's about it. Square-Enix Members seems to be a bigger thing, you even get little cards about it telling you to register games there as you buy new games. I got one in FFCC: Echoes of Time.

Additionally, they mentioned the security token would function with FFXIV as well, so there goes that RMT argument, its going to have more applications than just FFXI.

[Feba]

Quote:

Originally Posted by Omgwtfbbqkitten

Additionally, they mentioned the security token would function with FFXIV as well, so there goes that RMT argument,

1- Bullshit. People are buying it for FFXI right now, not FFXIV; and the large part of them are buying it at least partially because of the satchel.
2- There's nothing saying FFXIV won't have RMT benefits for having the token.
3- If there's really no RMT aspect to it, why can't a system like I'm discussing be done and linked to an SE account instead of a security token that players must pay for?

If you want people to have account security AND join Club SE, why not offer something like this, that allows them to use their current possessions as a physical key, instead of requiring them to buy something?

There could easily be some fatal flaw in this system, or something beneficial about the token, but so far I haven't seen it.

[Omgwtfbbqkitten]

Quote:

Originally Posted by Feba

1- Bullshit. People are buying it for FFXI right now, not FFXIV; and the large part of them are buying it at least partially because of the satchel.
2- There's nothing saying FFXIV won't have RMT benefits for having the token.
3- If there's really no RMT aspect to it, why can't a system like I'm discussing be done and linked to an SE account instead of a security token that players must pay for?

1 - So what? The only people spazzing about it to the extreme (and you were crazy-go-nuts against it from the start) and labeling it RMT are the people that refuse to accept you are getting a physical item that ensures security in the process.

2 - Any benefits that the token offers to FFXIV players is moot - the people that wanted a token already have it now.

3 - Because your system is inferior. It requires data transfer and its impacted by latency. You conceded part of this, other people already pointed out the rest. Tons of other MMOs use the security tokens and they use them for a reason - they work incredibly well.

Quote:

There could easily be some fatal flaw in this system, or something beneficial about the token, but so far I haven't seen it.

Again already mentioned in this thread - trojans can lead to session hacking. This is not a fault of the token, but of the user for not keeping thier PC secure. If you're on PS2 or 360, its pretty much impossible to get a trojan.

Part of avoiding that problem is the same as any other security issue - don't go to sites that are suspect and keep your PC secure. I never saw the token as a 100% fix, just a means of closing the gap to 100%.

[Feba]

Quote:

Originally Posted by Omgwtfbbqkitten

1 - So what? The only people spazzing about it to the extreme (and you were crazy-go-nuts against it from the start) and labeling it RMT are the people that refuse to accept you are getting a physical item that ensures security in the process.

Bullshit. I've never once been against the security token. I've been against selling the Mog Satchel, or any in-game item. Please don't act like this is a "You're with Chinese RMT or you're with SE RMT" argument.

You and I both know damn well that neither of us has anything against security. I could pretend that someone who doesn't like the system I'm talking about is doing it because they don't want poorer players to be secure, and that would be just as much wrong. It's a matter of whether selling the mog satchel with a real-world item constitutes RMT. And if not, why are they not willing to provide a service that does the same thing without charging players for it?

Quote:

Originally Posted by Omgwtfbbqkitten

2 - Any benefits that the token offers to FFXIV players is moot

Bullshit. If SE tries to use in-game items or benefits to promote the satchel in FF14, that's yet more proof that it's RMT, not security. Especially when, if they really cared, they could include a token in every copy of the game at minimal cost. Or again, offer a free service.

Quote:

Originally Posted by Omgwtfbbqkitten

3 - Because your system is inferior.

Bullshit. I'm sensing a theme, BBQ. Like I said, they have trade-offs. For someone like myself, with an unlimited data plan on their phones, who gets the texts seconds after they're sent, it is far superior to having another plastic trinket (which would actually be less secure than the cell phone, in my cast, since my cell phone is with me %99 of the time; such a token would be left at my desk), and which costs money.

As for what I'm proposing, I know PayPal uses it, and I am fairly certain that Google has used something similar for some projects. For all the shit you can throw at PayPal, if there were some sort of horrible flaw in the system, they probably would've had to stop using it. Obviously, it doesn't work for some people. For others, it is the far better system, and there is practically zero difference in terms of operation. It takes me longer to enter in the security code from my phone than it does for the SMS itself to be sent. And once again, if latency is a problem, you could give people the option to increase the length of time it works for. If you don't have a data plan, obviously you'd be better off spending the money on the token.

What you're saying is like saying that consoles are inferior to PC games. It's far too broad of a statement to make it anything approaching truth. They both have their benefits and weaknesses.

Quote:

Originally Posted by Omgwtfbbqkitten

Again already mentioned in this thread - trojans can lead to session hacking.

Context, BBQ. I was clearly talking about there being some kind of fatal flaw with using cell phones and SMS messages instead of a security token And I'm talking fatal flaw in security terms, not just "oh, well that's a problem for me, but it'd work well for my friend."

[TheGrandMom]

I don't know how it was done or when it was done. It happened between 2am and 4pm that day. He logged out and went to bed and didn't even turn his computer on until he got home from work around 4pm. He logged in then and noticed his character was naked and not where he left it. He checked his safe/locker and immediately logged out, changed his info, and logged in on h is 360 and called a GM.

My son is VERY computer savvy, its his job. He has more than one virus protection, he has malware protection, blah blah blah.. So this is not some idiot that doesn't update their system or protect it. He uses firefox, as the appropriate add-ons, has flash/java disabled, etc etc etc. Thats why this is such a WTF to us. I can't tell you how it happened or explain anything but I can say that it was certainly suspicious with how quickly SE responded. I've never heard of them restoring an account THAT fast. It just made me think it was something on their end and not ours.

[Grizzlebeard]

Quote:

Originally Posted by Feba

Bullshit.

Bullshit.

Bullshit.

Can you go pick your fights or vent your righteous indignation on another forum? Coming here crying over a game you haven't played for over three years and constantly being abrasive to other posters, calling their posts bullshit, and arguing for the pure pleasure of it just smacks of being the behaviour of a troll and an attention whore.

The security tokens were news a few months back, no-one other than you gives a shit now.