[Elwynn]

Quote:

Originally Posted by Omgwtfbbqkitten

Oh, wait, I play on PS2.

This. They haven't quite yet reached the point of hacking routers or ISPs to intercept sessions. That would probably allow hacking even PS2, depending on details of how it works. After all, the PC malware can have key loggers too.

But this is why SSH has an initial key exchange the first time you talk to a new host. BOTH sides exchange their unique public key, and store the other key somewhere. Every time you start a session, they send something encrypted with the private key, and if it doesn't match up, it bitches you about the potential MAN IN THE MIDDLE ATTACK and you have to confirm that you want to continue. HTTPS is also designed to identify MITM situations.

FFXI is a bit more complicated, because I think it uses UDP to allow packets to be lost without breaking the connection, so it's not one big stream like SSH or HTTPS. But the main point is that if your protocol isn't secure from a MITM attack, and people are sufficiently motivated, it will happen eventually. And apparently it's easy now on Winderz for malware on your own computer to be MITM.

About the only way you can keep a PIN code secure is to do what the US banks do, and inject an encryption key into the pinpad's RAM, which encrypts the PIN with the pad's own unique key before it ever leaves the (potted) hardware device. And the bank has to have a database of every keypad and what key it's using. The difference with the token is that your PIN is effectively 0000, and the encryption is the same for like 30 seconds, so if they're fast enough, they can use it from somewhere else.

SE needs to go hire some crypto guys, FAST, and figure out how to secure the password/account information related parts of the protocol. (They can't encrypt everything, because that's a lot of extra CPU usage on the server side.) Whenever you have an amateur roll his own security, there's always going to be holes.

So anyhow, I guess this explains the recent drop in RMT gil prices. If SE isn't going to block them from spamming us, the least I can do is watch the price to see how much they're hurting.

(Aside: I remember back in the old days of modems, I was shocked when I found out that AOL's protocol transmitted your password in the clear. Holy WTF Batman. I think when they added TCP/IP connections, it was still in the clear at first.)

[Kafeen]

Quote:

Originally Posted by Aksannyi

As you try to re-login and input your password a couple times the hacker now has obtained that information and used it to change your POL password, if they are fast enough.

To do that don't you also need to input a password from the security token again?

[Aksannyi]

They aren't ever using your token to even get control of your character. As you attempt to log in, the token code that you use while your POL is hanging is what they intercept and use to change your password. I don't think this has happened that much, but from what I read of the thread on BG, it's possible.

As far as I know, they haven't been stealing accounts, just taking over your connection and stripping them. People report that their friends red dot for a minute, then warp from what they're doing to delivery box all of their stuff to some 3rd party.

[Elwynn]

Quote:

Originally Posted by Aksannyi

People report that their friends red dot for a minute, then warp from what they're doing to delivery box all of their stuff to some 3rd party.

Wow. This is a real {/facepalm} if true. Apparently the FFXI design just relies way too much on the client preventing you from doing crazy things. First speed/pos hacks, then tell spam (which apparently bypasses the client), now delivery boxing in the middle of nowhere? (sure, they could make it check your pos first, just don't idle next to a dbox NPC, lol)

[Ziero]

Quote:

Originally Posted by Takelli

Well... With the way technology is getting now. Even using a console wont be safe soon. A PS3 is what? A computer bassically, and it has internet. Phones are being hacked now, so I don't doubt that a system can't be hacked with a keylogger if you hooked it up to your main PC and you had a kew logger on it.

Technically, all hacking started on Phones.

Quote:

Originally Posted by Aylmer

Its probably because Playonline is a crappy online medium and SE just needs to develop something better and more secure for customers to use.

How does hijacking your gaming session while you're playing and well past the PlayOnline part mean PlayOnline is the reason you're being hacked?

Quote:

Originally Posted by Elwynn

Wow. This is a real {/facepalm} if true. Apparently the FFXI design just relies way too much on the client preventing you from doing crazy things. First speed/pos hacks, then tell spam (which apparently bypasses the client), now delivery boxing in the middle of nowhere? (sure, they could make it check your pos first, just don't idle next to a dbox NPC, lol)

Who said anything about dboxing in the middle of no where? Aksannyi specifically mention people suddenly warping home to head to a Dbox. That has nothing to do with a client fault and everything to do with people letting bugs and back doors into their systems.

[AngelX]

Quote:

Originally Posted by Aksannyi

They aren't ever using your token to even get control of your character. As you attempt to log in, the token code that you use while your POL is hanging is what they intercept and use to change your password. I don't think this has happened that much, but from what I read of the thread on BG, it's possible.

As far as I know, they haven't been stealing accounts, just taking over your connection and stripping them. People report that their friends red dot for a minute, then warp from what they're doing to delivery box all of their stuff to some 3rd party.

No they put a trojan on your pc and steal your information there. Unless your using the same password for your token, I don't see how they use your token code to get into your game. The one time is no longer useable ones it flashes off. And not just any token code will work. I think this falls more on the user like everyone is stating not SE.

[TheGrandMom]

My son's account was hacked and he used a token. He is well educated in computers, in fact, he's fucking amazing when it comes to them. So he didn't have a trojan or keylogger or anything on his computer when it happened so don't assume that you HAVE to have one. As I explained in another thread on this forum, the very suspicious thing that happened when he reported it was that they took care of it very quickly. If anyone has dealt with SE, they know how slow they are to fix issues like this so when my son was back in full swing within approx 2 days of reporting it....ya thats damn odd. The GM was just trading him stuff like crazy. He'd say "I had this." and boom he'd get a trade and the GM would give it to him. About the only thing he had a problem with was abjurations...the GM was only going to give him the abj and not the cursed piece. LOL So ya...damn strange that they were so accommodating. He thought he'd be out of the game at least a month. Makes you think that they knew there was an issue somewhere...

[IfritnoItazura]

Meh. There are two kinds of people who can say with confidence "I don't have keylogger or other malware on my computer," when the computer is connected to the Internet. 1. People who know just enough about computers to be dangerous (usually, to themselves). 2. Computer security experts--professionals who work on protecting computers, or breaking computer protections, or both.

The rest of us lesser computer geeks go by best practices and hope for no malware.

[Balfree]

Quote:

Originally Posted by IfritnoItazura

People who know just enough about computers to be dangerous (usually, to themselves).

so much truth

[ShepardG]

I posted in another thread, I suspect that 1 or 2 things have happened to SE in the past 30 days.

1. Their Registration server got hacked, and this would explain why TGM's Son was so well taken care of.

2. Someone or some group is very unhappy with SE's 3-d secure decisions. and they have the knowledge to exploit some weakness's in SE's security. Supposedly according to BG the registration servers went down this morning, and people couldn't log into POL or the game.

3. ???

4. Both

[Darkhound]

SE is digging it's own grave with the POOREST AND LAMEST customer support that I havee ever known

[Durahansolo]

Quote:

Originally Posted by ShepardG

I posted in another thread, I suspect that 1 or 2 things have happened to SE in the past 30 days.

1. Their Registration server got hacked, and this would explain why TGM's Son was so well taken care of.

2. Someone or some group is very unhappy with SE's 3-d secure decisions. and they have the knowledge to exploit some weakness's in SE's security. Supposedly according to BG the registration servers went down this morning, and people couldn't log into POL or the game.

3. ???

4. Both

Do we really need to buy a security token?

Quote:

Originally Posted by TheGrandMom

I loathe to post this. I know some of the responses I'm going to get when I say this and its one of the reasons I didn't post this when it actually happened.

My son is 26 and he's played FFXI since the beginning. He's never given out his information to anyone.....ever.....not even me. With all the hacked accounts, he had a little bit of paranoia over his account possibly getting hacked so he invested in the token and used it every day. A couple weeks ago his account was partially hacked. He must have logged in and knocked whoever was on it off. They took nearly everything off his main character but had not gotten to his mules. He immediately changed his info and then contacted a GM.

Of course, we were expecting the usual bs and possibly months of getthing this fixed. It actually took 3 days. Two days after he reported it the GM returned 10 items to him and the next day when he logged in he was immediately contacted by a GM who appeared in his mog house and gave the rest of his stuff back to him.

#1 happened in June, so I'm going to say that the 30 day time period myth is busted.

[Darkhound]

WEll, a freind of mine got hacked, it has been 2 weeks and SE has not given his account back...

[Durahansolo]

Quote:

Originally Posted by Darkhound

WEll, a freind of mine got hacked, it has been 2 weeks and SE has not given his account back...

What step of the process is he in now?

#1 Account gets hacked, info changed so you can't log back in.
#2 Call SE to be shut down because none of the information matches.
#3 Get told someone will contact you about this.
#4 Wait....
#5 Call back.
#6 SE Gets tired of you calling so they send you a letter to be notarized and set back.
#7 Letter is sent back
#8 Wait....
#9 SE emails you some contact information to call them with so that you can get your account unlocked.
#10 Call SE to get account back.
#11 Get account back.
#12 Get to resurface all deleted characters and pay monthly bill lol.

That's how it was last April, but I dunno how it works now.

[Darkhound]

He was told by SE that they are investigating the report of "missing" items.
The account is currently locked up.

The hackers moves his char and his mules to different servers and his CC ws charged 100 UDS

so yeah....