Re: Do we really need to buy a security token?

At the same time, though, it's quite possible that those emails are passing through the servers of other companies. For example, if I try to check my email at a random hotspot that doesn't use Comcast, that message is certainly passing through their system. Now, obviously, that mail is encrypted, where an SMS probably isn't. But then, an email can contain valuable information-- Even if it 'only' took a year to decrypt mail, that could still be very damaging. If you get an SMS in real time, you have a very short period of time to act on that.

I dunno about that. If you know someone plays a game, and you have their password (or they automatically enter it), breaking in and stealing a small plastic item that could be worth hundreds or thousands is a pretty sweet effort:reward ratio. The "best" case scenario in this case would be someone who has their password automatic on their laptop, and keeps it right next to the security token. Go in, go to the laptop, grab it and the token, get out. That could easily be upwards of a thousand dollars, depending on the value of the account/items/hardware. Sounds silly, but then pretty much everything related to RMT does.

Re: Do we really need to buy a security token?

I only wish I could get the Satchel without the Token. I'm currently only playing XI on 360. I plan to only play XIV on my PS3. I don't log onto the LS Beta at all. Ergo, I'm not in any pressing danger from trojans and account jacking. The only game whose account is in any potential danger is my LotRO one, and maybe my PSU one if I ever played it more than a month at a time.

And as I was mumbling about somewhere else, my account is actually in my younger brother's name. Years ago, when we started, he was the one who bought the HDD. Their PS2 would not read 'colored' discs anymore, so they used mine. He didn't play very long before he got bored of the game, so it was passed to me, since he was only level 10, and it was my console. I deactivated his ID, made my own, and there's Telera, and Caeryn, and my mule. That's it. It's been 'mine' for 4+ years now. But I'm not sure I can even make a SE account in my name and link it to it, since that's in his. And if there's ever any actual issues with the Token, I could never get them resolved without contacting him first. This won't be an issue in XIV, but it's an issue in XI, and I am so not fucking restarting this time-sucking game at this point.

I'd love to have extra storage, but I see no point in adding hassle to my playing, and the potential need to have to be able to get in touch with him when the thing inevitably loses its battery or whatever. Just give me another way to get the satchel and I'll be fine.

Re: Do we really need to buy a security token?


Missed my point about the breaking in thing. I know it is easy to break into someones home. The point was that to break into someones home to steal the token for a video game is what I was trying to say. If you, or anyone else, broke into someones home, the security token would not be the first thing on your/my mind to steal from that house. TV's, Computers, jewlery, etc would be what anyone would steal. It is highly unlikely you would have someone do a B & E (thank you Dane Cook) to get a video game RL item is all I am saying.

The other part I want to address would be this issue with using the free SMS process you are talking about. For something that is suppossed to be a security item/code I would (if I were SE) want it to go through me and my products and not some other "3rd party" ways.

Example: You have a Comcast email address. You want to use it through Outlook Express. You can if you want but we can not support something that is not a Comcast product. We offer Comcast.net as the source to get your emails but you are more than welcome to use w/e 3rd party you want but we will not be involved.

This is kinda what we are talking about and I can see what your saying. If it was emails we are talking about then sure but its not. This is a SECURITY code and needs to go by the correct channels to provide the insurance of it being secure since it was under the wing of SE all the way.


Sorry for that but I thought I would give my 10 cents as well.

Re: Do we really need to buy a security token?

I would say break into someone's home. I could do that with nothing more than items you'd find in a backyard.

1: Problem: SE's Security Token requires money, thus discouraging people from using it.
Potential solution: Cell phone SMS are free for those with unlimited texting plans, and vary in cost for others, and use hardware people already have to provide more people with a secure service.

2: Problem: The Mog Satchel is ONLY available to people with a Security Token. This reeks of RMT at best.
Potential solution: Using an SMS system (again, as an ALTERNATIVE to the token, not a substitute) would allow people to get practically the same security benefit at no cost, and thus disprove the notion that the Mog Satchel is PAID for with cash, instead of a BENEFIT to using enhanced security.

Those are the big two. I'm uneasy enough about the Mog Satchel requiring you to buy anything, but if it were for a security thing that people can get without paying any money to SE (whatever else it may cost, the importance of RMT is who makes money off it, not how much the end user pays) I'd be fully behind it. That's exactly what this provides-- the same practical benefit of security, without the spectre of RMT. Not only would it open up the security benefits to people where it would be free instead of $10, but it could actually improve sales of things like the security token; people that have been concerned about supporting further in-game benefits for real world money would have that fear dissuaded (at least for the token), and not worry nearly so much about buying it.

Re: Do we really need to buy a security token?

Is it easier to "monitor your cell phone transmission" or to break into someones home to steal a video game keyfob?


I am sorry but I am still trying to grasp what the actually issue is.

Re: Do we really need to buy a security token?

Yes, but at the same time, a keyfob isn't secure either; it can be stolen.

For the purposes of what we are discussing, the security effect is practically the same. Anyone with the means to monitor your cell phone transmissions could easily just physically steal the account for you.

I'm not doubting that the keyfob is more secure if you're working on some sensitive government project or the like, but with FFXI's account/login system, I do not see how it is any significantly worse for security.

On your ten cents comment, I already explained that people without unlimited data plans would probably be better off buying the token. Some of us already use the $5-15 a month our providers charge us for that, and it's free to use the cell phone system compared to the token. For those that don't, of course the token saves money in the long run.

Re: Do we really need to buy a security token?

wow, I see no point in this entire thread.Thank you for the "bullshit", paranoia, and pointlessness of this. It is helping me get through my day.

ps, I think is funny when some people dive to deep into a issue or problem trying to find something that dosnt exist. Reminds me of all women.

Re: Do we really need to buy a security token?

No, it's inferior. A cell phone is not a secure device, the cell network is not a secure transmission medium.

The SecureID token is a secure device and since you only send what it displays (and have 30s to do so) instead of the server sending and you sending it back saying you got it making the insecurity of the transmission medium (internet) irrelevant.

It also doesn't cost me 10 cents every time I want to use it.

Re: Do we really need to buy a security token?

Can you go pick your fights or vent your righteous indignation on another forum? Coming here crying over a game you haven't played for over three years and constantly being abrasive to other posters, calling their posts bullshit, and arguing for the pure pleasure of it just smacks of being the behaviour of a troll and an attention whore.

The security tokens were news a few months back, no-one other than you gives a shit now.

Re: Do we really need to buy a security token?

I don't know how it was done or when it was done. It happened between 2am and 4pm that day. He logged out and went to bed and didn't even turn his computer on until he got home from work around 4pm. He logged in then and noticed his character was naked and not where he left it. He checked his safe/locker and immediately logged out, changed his info, and logged in on h is 360 and called a GM.

My son is VERY computer savvy, its his job. He has more than one virus protection, he has malware protection, blah blah blah.. So this is not some idiot that doesn't update their system or protect it. He uses firefox, as the appropriate add-ons, has flash/java disabled, etc etc etc. Thats why this is such a WTF to us. I can't tell you how it happened or explain anything but I can say that it was certainly suspicious with how quickly SE responded. I've never heard of them restoring an account THAT fast. It just made me think it was something on their end and not ours.

Re: Do we really need to buy a security token?

Bullshit. I've never once been against the security token. I've been against selling the Mog Satchel, or any in-game item. Please don't act like this is a "You're with Chinese RMT or you're with SE RMT" argument.

You and I both know damn well that neither of us has anything against security. I could pretend that someone who doesn't like the system I'm talking about is doing it because they don't want poorer players to be secure, and that would be just as much wrong. It's a matter of whether selling the mog satchel with a real-world item constitutes RMT. And if not, why are they not willing to provide a service that does the same thing without charging players for it?

Bullshit. If SE tries to use in-game items or benefits to promote the satchel in FF14, that's yet more proof that it's RMT, not security. Especially when, if they really cared, they could include a token in every copy of the game at minimal cost. Or again, offer a free service.

Bullshit. I'm sensing a theme, BBQ. Like I said, they have trade-offs. For someone like myself, with an unlimited data plan on their phones, who gets the texts seconds after they're sent, it is far superior to having another plastic trinket (which would actually be less secure than the cell phone, in my cast, since my cell phone is with me %99 of the time; such a token would be left at my desk), and which costs money.

As for what I'm proposing, I know PayPal uses it, and I am fairly certain that Google has used something similar for some projects. For all the shit you can throw at PayPal, if there were some sort of horrible flaw in the system, they probably would've had to stop using it. Obviously, it doesn't work for some people. For others, it is the far better system, and there is practically zero difference in terms of operation. It takes me longer to enter in the security code from my phone than it does for the SMS itself to be sent. And once again, if latency is a problem, you could give people the option to increase the length of time it works for. If you don't have a data plan, obviously you'd be better off spending the money on the token.

What you're saying is like saying that consoles are inferior to PC games. It's far too broad of a statement to make it anything approaching truth. They both have their benefits and weaknesses.

Context, BBQ. I was clearly talking about there being some kind of fatal flaw with using cell phones and SMS messages instead of a security token And I'm talking fatal flaw in security terms, not just "oh, well that's a problem for me, but it'd work well for my friend."

Re: Do we really need to buy a security token?

1 - So what? The only people spazzing about it to the extreme (and you were crazy-go-nuts against it from the start) and labeling it RMT are the people that refuse to accept you are getting a physical item that ensures security in the process.

2 - Any benefits that the token offers to FFXIV players is moot - the people that wanted a token already have it now.

3 - Because your system is inferior. It requires data transfer and its impacted by latency. You conceded part of this, other people already pointed out the rest. Tons of other MMOs use the security tokens and they use them for a reason - they work incredibly well.

Again already mentioned in this thread - trojans can lead to session hacking. This is not a fault of the token, but of the user for not keeping thier PC secure. If you're on PS2 or 360, its pretty much impossible to get a trojan.

Part of avoiding that problem is the same as any other security issue - don't go to sites that are suspect and keep your PC secure. I never saw the token as a 100% fix, just a means of closing the gap to 100%.

Re: Do we really need to buy a security token?

1- Bullshit. People are buying it for FFXI right now, not FFXIV; and the large part of them are buying it at least partially because of the satchel.
2- There's nothing saying FFXIV won't have RMT benefits for having the token.
3- If there's really no RMT aspect to it, why can't a system like I'm discussing be done and linked to an SE account instead of a security token that players must pay for?

If you want people to have account security AND join Club SE, why not offer something like this, that allows them to use their current possessions as a physical key, instead of requiring them to buy something?

There could easily be some fatal flaw in this system, or something beneficial about the token, but so far I haven't seen it.

Re: Do we really need to buy a security token?

I always sort of felt that the security token was part of a bigger plan with Square-Enix Members.

Let's face it, PlayOnline as a concept hasn't really attracted what SE (and originally Namco, who's scared shitless to do anything online) wanted to accomplish. Its been a shell to host FFXI and that's about it. Square-Enix Members seems to be a bigger thing, you even get little cards about it telling you to register games there as you buy new games. I got one in FFCC: Echoes of Time.

Additionally, they mentioned the security token would function with FFXIV as well, so there goes that RMT argument, its going to have more applications than just FFXI.

Re: Do we really need to buy a security token?

It could have been a Session Hijack (listed in Wikipedia, I can't link yet due to my low post count), which is a type of technique applicable when one-time-passwords are in use. Generally, it is used to allow an intruder to hop on by using the valid credentials you've entered for a single session.

For instance, as a relatively unsophisticated example, a trojan could be used to install remote desktop management software. Then they wait for you to log-in, at which point (without ever needing to know your pass-code), they remote-control your keyboard, walk your character over to a delivery box, and mail all your shinies to their mule. If they're smart, they'll wait until you're bazaaring in Jeuno or AFKing for a long time, indicating that you're probably not watching the screen.

If they're willing to put in the effort, they could make it more subtle, like using their trojan to intercept your logout request, and then instead pass the client a fake logout acknowledgment. As far as you can see, you've logged-out normally, but the session is secretly kept open since as far as SE's servers know, you never logged out.

Unlike normal a normal account hijack, the intruder never manages to steal the entire account itself, since they can only "borrow" by pretending to be you. Each time their joyride ends, they can only get back on by waiting for you to supply the correct passcode -- but they only need to do this once, if all they want is to steal your stuff, instead of the account itself.