[Aksannyi]

Yeah, that's right, people are getting hacked with the security tokens at work. I understand how it works but not well enough to explain it, so I'll quote BG:

Quote:

Originally Posted by Valient from BG

Did all you guys miss what TummieGaruda said? While SE has strengthened their account security using a token generated password it still isn’t impossible for a hacker to take control over your account while you are logged in. In this case they never even input the password.

Let me demonstrate with my asci skills.
Normally your connection with SE would look like this.

You <----> SE

You get some evil program on your computer that changes your connection to look like this.

You <----> Hacker <----> SE

Hacker now sees everything you are doing in game. They come along back from their nap and see you are connected to the game. They spring into action and cause this to happen.

You <--X--> Hacker <----> SE

You are now D/Cing from your end but the hacker now has full control of your character, more importantly, bypassing all passwords.

As you try to re-login and input your password a couple times the hacker now has obtained that information and used it to change your POL password, if they are fast enough.

I find it very unlikely for a hacker to be actively waiting and watching for you to login. They rather capture that data and use it at their convenience. With the above method they can just hop on anytime they see you connected to the game and take over.

That’s my theory and I’m sticking to it.
EOL

And the thread: The sky is falling: player with token hacked? (lolIE) - Order of the Blue Gartr

Apparently it's been reported on sites like slashdot and a few others (forgot which) that this is a new token exploit for much more secure companies like banks, government agencies, etc., and the RMT have found their new niche.

Awesome.

So yeah, no one's safe anymore. Not that we assumed security tokens were 100% secure, but we sure didn't expect a new hacking method to come about so soon. Apparently there's a stink about it on Alla as well, but I really can't stand to go there anymore to read about it. I'd suggest watching your shit closely.

[Mhurron]

Quote:

You get some evil program on your computer

Nothing saves users from themselves.

[TheGrandMom]

Ya I think I pretty much reported this issue a while ago when I told how my son was hacked and was using the token. Of course, everyone ignored it and thought I was full of shit.

[Aksannyi]

You were one of the first people I thought if when I saw the thread on BG, TGM. I mean we knew it was possible somehow, but hell if I know the way this shit all works. People were clinging to the token as a security blanket, and probably still are. ><

I read you don't really d/c from the game ... you red dot, and when you recover from the red dot, your game is crashed but the hacker remains in control of the character and strips it. So you never even know that your account has been accessed, and when you attempt to log back into FFXI, the hack prevents POL from loading all the way through.

Sophisticated and creepy.

[Durahansolo]

Crazy, somebody was mentioning that "You <----> Hacker <----> SE" thing possibly happening awhile back on this board. Don't remember where exactly, probably in one of the token discussions lol.

[Malacite]

And this is why I never use 3rd party software regardless.

Also, Microsoft Onecare FTW.

[Takelli]

Dang. That really sucks. Just don't download any files or open any emails that you don't trust. Thats the only real way to prevent hacking. Even then, you can still get hacked. Even having the most up to date fire wall, anti virus, and anti spyware. Hell, if my account gets hacked I'd be pissed, but I'll be quitting soon enough anyways, so it wont matter all that much to me. (FFXIV!)

[hexx]

This is why i play on a console ^^b

[Takelli]

Quote:

Originally Posted by hexx

This is why i play on a console ^^b

Well... With the way technology is getting now. Even using a console wont be safe soon. A PS3 is what? A computer bassically, and it has internet. Phones are being hacked now, so I don't doubt that a system can't be hacked with a keylogger if you hooked it up to your main PC and you had a kew logger on it.

[Aksannyi]

There have been some console users reporting hacks on Alla. So yeah, not exactly sure how, but it seems nothing is safe. If they're hijacking your online internet session (which it was what it sounds like) then they may have some way to track your console on your network and figure out how to un-encrypt the data sent to the server or something.

Hell if I know if that even makes any sense. But with this new session hijack thing people are talking about on BG, I wouldn't be too surprised.

[hexx]

Quote:

Originally Posted by Takelli

Well... With the way technology is getting now. Even using a console wont be safe soon. A PS3 is what? A computer bassically, and it has internet. Phones are being hacked now, so I don't doubt that a system can't be hacked with a keylogger if you hooked it up to your main PC and you had a kew logger on it.

And that is also why I do not link my consoles to computers. Besides, to be able to access my consoles, they would have to be parked outside my house, within range of my wireless network, to be able to intercept it, if at all with all the security I have attached to mine. Never the less, I'll be keeping a close eye on it just in case.

[Aylmer]

Its probably because Playonline is a crappy online medium and SE just needs to develop something better and more secure for customers to use.

[IfritnoItazura]

hmm. This reminds me of the descriptions for the "packet sniffer" third party apps. (BTW, "packet sniffer" is the wrong term; more like "packet-intercept-modify-generate" programs, but I digress.) Wonder where these thieves cut their computing-fu teeth at. lol.

Hack FFXI for fun and in-game profit -> write bots and tools for RL $$$ while 'helping' other players -> hijack FFXI accounts for gil to sell to poor FFXI players who 'need' more in-game money. Interesting career path there. The next step would be finding horrific systemic weaknesses to exploit, and blackmail SE into paying "protection money" if the company doesn't want the FFXI cash cow to croak.

We don't walk up and loot the lying on the ground unconscious players for gil in FFXI--we go to the web and buy the gil taken from the kidnapped and then horribly butchered characters instead. Well, the gil buyers do; the rest of us just tolerate their dealings with the body snatching mobsters.

Edit:

Quote:

Originally Posted by Aylmer

Its probably because Playonline is a crappy online medium and SE just needs to develop something better and more secure for customers to use.

"Medium"? Strange choice of the word.

Faults with POL client's security or lack of aside, there's not much the application developers can do when facing compromised network stack and computers infected by rootkits without going through extraordinary measures (which probably wouldn't withstand hack attempts for long anyway). Like Mhurron says, nothing saves the users from themselves.

If you don't know how to protect your lousy PC from at least the worst of the attacks, it's your fault for being ignorant and lazy.

[Raydeus]

Quote:

Originally Posted by Mhurron

Nothing saves users from themselves.

Death is salvation.








...what? <_<;

Ok, ok, I've been watching The Lost Canvas.

[Omgwtfbbqkitten]

You mean if I download all these crazy plug-ins for Windower that I don't know are trustworthy or not, I might get session hacked? Shit, I'll delete all that stuff right now.

Oh, wait, I play on PS2.

Each new security scare is always the same, someone got "hacked" when in reality they didn't secure their PC well or trust the wrong people with their information. And its always SE's fault, never the user's fault.

Because this is the internet, where everyone is always right.