Phillip_BW
03.06.2013 , 04:06 PM | #296
A couple of people have noted I use a bit of 'sass' in my replies. I should probably point out I'm from the UK, and 'sass' type comments aren't meant to be offensive, it's just a virtual language difference. I still get quite a few interesting looks when I talk here in the office, even after being in Austin, Texas for 3 years now. I have at least learnt to use the z instead of an s and to drop the occasional u when typing (most of the time...)

On to more answers!

Quote: Originally Posted by RalphYauger
Please make it so we can change our display names.
This has come up a lot in the responses so far. I did try to answer this previously, so I'll have another go now.
Technically, changing the forum system to start using a new display name is not as trivial as adding a new column in a table and spending 10 minutes on it. We have a large and rather complex set of systems in order to be able to handle the sheer volume of traffic, and what sounds like a simple change is anything but simple. Or easy. This isn't to say we shy away from work, but rather we have to focus our work efforts in a prioritized fashion. Based on the feedback you will be happy to hear that we are again discussing the perceived issue. I can't promise 'soon' - heck, I can't promise 'later' just yet. It is likely, based on the underlying systems, that we will not change the account Display Name, but rather look at adding a new Forum Name that can be different.
So thanks for the feedback from everybody that has raised this. You are being listened to - but please also remember that being listened to does not mean we can easily change everything based on just your feedback. We have other pieces to consider. Think of what I have disclosed publicly today as the tip of an iceberg. A very big iceberg that is constantly changing shape as it freezes and unfreezes due to global warming... An iceberg with feedback chiseled into it that we can plainly see and are paying attention to.

Quote: Originally Posted by bigheadbrandon
That actually is false, yes you can choose to use your account name as your display name but it is entirely possible to go by a completely different name (which in most cases is what people are doing). I can assure you my steam display name is not my account name.
I stand corrected and apologize for the assumption (yes, I made an *** of myself!). I've used the same display name since before most people had heard of Steam and have never attempted to change it. At the same time (and the reason I didn't think it was changeable), the current security of Steam means that knowledge of my username in Steam has no bearing on the actual security of my account. Many people have tried (Steam emails me) and none have succeeded. I may not work at Valve, but I have to hand it to their team that they have one of the best/most secure authentication systems in the industry. Of course I'm egotistical enough to think that we have one of the best too, and our upcoming improvements (Display Name is a piece of those improvements) will only make our system stronger.

Quote: Originally Posted by Bomyne
I need three pieces of information to log in. My username. My password. My authenticator. You are willingly giving one of those away to potential hackers and the other two are easy to overcome. Wow. Really? This is actually worse than Blizzard's real name on the forums thing.
I'm going to apologize in advance for the upcoming security lecture!
In a lot of systems (mainly corporate and military) the username is a given piece of information that the person using it has no control over specifying. It's usually a standard format that is commonly derived from the person's actual name or an internal identifier. My BioWare login internally is no different in that respect. This is one of the contributing factors on why the username in and of itself should never be a major concern around the security of an authentication system.
In the security field, when waffling on about authentication we talk of two-factor quite a bit, and it looks like that needs a bit more explanation. Two-factor (or dual-factor) is actually not 'the most secure' that we can be, as it really stands for 'two of three factors'. Those factors are:
  • Something I know (e.g. password)
  • Something I am (e.g. biometrics)
  • Something I have (e.g. security key)
I have often thought that putting all three factors in place would be awesome, but nobody liked my 'pint of blood in order to play' suggestion, so we haven't moved into biometrics as a requirement.
As it is sure to come up, let us be clear that Security Questions and Answers (SQA's) are not truly two-factor. It's the first factor applied twice, so leaves us in a hybrid/grey area which counter-intuitively is actually very secure. Just not as secure as a true two-factor system.
The key implementation that we are currently missing as mandated for all players is 'Something I have'. The Security Key is available and doing well today, and while I would love to see more people using them, we are not pushing people to have a Security Key as a mandatory requirement. Truth be told we deliberately do not make a profit on the physical security key, and absorb all of the cost of the mobile security key.
Another potential 'Something I have' is something we could call an 'Email Security Code'. The key point here being it is something you have that is provided out of the same channel as the password. For example, sending a code via email fulfills a time-limited code that changes frequently. Very similar to a Security Key, but without the overhead of a smartphone or key-fob. Come to think of it, I have a duck around here somewhere called 'Email Security Code'...
So no, this is nothing like displaying a person's real name on the forums. Technically that would probably be easier in our system than implementing a 'forum display name', but rest assured we have learned from Blizzard's foray into that area and are not considering doing that at all.
One last thing that I should also point out, the Security Key is a time-limited code that changes frequently. If you think somebody can brute force their way through an account secured by a Security Key, then you should look into lottery tickets. It's far easier to win the jackpot in the lottery...
TL;DR: username should never be considered a security component - that's what passwords, SQA's and Security Keys (or ducks!) are for.

Quote: Originally Posted by Bomyne
Do you remember the two pieces of information you inputted in the app when you were setting it up? Naturally you made a backup. If anyone gets that backup, they can recreate your authenticator.
Actually our system doesn't really work that way. I'm not going into details, but entering in the serial and challenge/response some time later (I can't say how long) will not result in a working Security Key code.
To ward off all the questions that statement could create, yes, I have another duck called 'I lost my Security Key and don't like calling an international phone number'. It's a tricky little duck and there will be more news on that subject in the next few weeks.
Securing your home PC and personal email account isn't something we have any control over though, so 'if anyone gets that backup' who isn't supposed to be getting that backup, then you have other issues you also need to consider.

I'll go on to say 'please secure your personal email account' again - so many of today's authentication systems totally depend on the security of your personal email account, and that is something you can control.

Quote: Originally Posted by JPryde
So you know that the mail of my own domain is not exclusively used? When I own several mail accounts that are exclusively under my own control?
Respect... but I would suggest that you are a little less bold on what you claim to be able to guarantee.

And even if I did use my email address on any other site, then someone would still need to figure out that I am using that e-mail for SWTOR too... With your proposed new system, no one needs to take any guesses. Everyone interested in hacking will know for sure what my login name is.
Valid reprimand! I looked up your email address and it looked generic (no plus addressing!) so assumed you would use it in multiple locations. And there is that word 'assume' again.
If it is any consolation, I've only spent a few minutes responding to these posts, and over two years working (off and on) on the new implementation of our authentication system - also we have quite a number of people who have put their two cents into play on the new system so it's been attacked six ways from Sunday multiple times.
I'll try to assume less in my forum replies - after all I strive to assume nothing in my 'normal' work.

Quote: Originally Posted by Bomyne
It's not paranoia. It's fact. Gold sellers exist on the internet. These people hack accounts and steal gold, credits, etc from MMO accounts then turn around and sell them to other players. Previously they had to rely on keyloggers and clever methods to get login details. Now they only need to skim the forums.

I have an authenticator on my account but I don't 100% trust Apple or Google not to accidentally include a bug or exploit in their OS software, so I don't rely on it for security. Passwords are easy to overcome. Most people use easy to guess passwords. I'm willing to bet that Password1 is a VERY common SWTOR password.
I would recommend not posting your password to your SWTOR account, or the password and email address for your personal email account on the forums.
Hackers need to do a lot more than skim the forums currently, and will have to undertake a lot more effort once we de-link email account from your current SWTOR password. The vast bulk of 'attacks' on any system are email and password pairs gleaned from other sites, and we have existing (and are putting in additional) systems in place to mitigate attacks just against the username/password combination.

Quote: Originally Posted by PAMuttoni
Raise your hand if your Swtor account has been hacked.

...


Raise your hand if you think this change is necessary. (No one asked for it)

....


Instead of focusing on Log In changes, fix the game crashes, lag, disconnections.....
I don't think anybody would want me working on game crashes, lag or disconnections. My only contribution there would possibly be to create them! Personally, I don't experience game crashes, lag or disconnections on a constant basis as you appear to be implying is a 'thing'. We don't host game servers in Texas, so I have to put up with the varied ISP issues that everybody else has to as well...

Quote: Originally Posted by theblaznee
Alright, now the "book is open" so to speak, and we have Swtor's CSO looking at this, I'd like to personally get some assurance here..

1. Userdatabase with logins, passwords and security key answers.. Are they hashed using md5, sha-(1-512) or any other fast "off the shelf" crypto algorithm (yes or no answer - no need to feed info)? Are they salted?

2. Do you use multi factor authentication before allowing authorization attempts? Does the level of authorization required change based on the provided authentication "level".. Basically, do you have differing levels of authentication?

3. This is mostly me being curious. Why don't you require all users to use 2-factor? With the current reliance on username/password schemes - even with security questions, the only way forward is at least 2-factor.

My hopes for answers are

1. No, we use a high work factor custom password encryption hash.

2. Yes

3. We wish we could, but politics say 2-factor is not user-friendly and so..
Good questions, but I can't go into all the details as you guessed.
My answers such as I can:
  1. So you also know that off the shelf/'fast' algorithms only benefit an attacker! If they can get to the data that is. We could even make it harder by using a unique (and changing) salt per password. I can't answer your question though for obvious reasons.
  2. Do you mean internally within our production data centers? I could say I have multiple Security Keys. And not all of them are game related. Again I can't answer your question though...
  3. Back when Greg and Ray were still around (the co-founders of BioWare) we had this discussion many times. While of course all of us wanted to have a Security Key on every account, we also agreed with the business decision that we would have too many people 'rage /quit'. Some of the replies to this authentication change announcement are indicative of that I believe.
Hey, I did give you an answer you wanted! 1 out of 3 means I failed though right?

Quote: Originally Posted by Blackavaar
Yes, to my knowledge not one single account has been hacked on SWTOR, so why bother making this change at all?

Another good question.
This change fundamentally changes what else we can improve within our authentication system in other areas such as self-help services. I have a few ducks with names that start with 'self-help' floating around here somewhere....

Quote: Originally Posted by discbox
Case 1:

nobody knows what e-mail I use for SWTOR, except BioWare (really nobody, just me and BioWare)

my e-mail has about 20+ characters including @ - and .

Case 2:

everybody can read my nickname here

it has 7 characters

Which one is more secure, Phillip?

What kind of education do you have, Phillip? Cook?
Which one is more secure? Neither.
As explained above in a bit more detail, the username in and of itself should never be something considered for securing an account. Identifying an account, sure, but not securing one. We have multiple layers of controls around the overall authentication piece, and we work on the supposition that the username is not a control.
I don't have any formal cooking qualifications, sorry about that.

Quote: Originally Posted by Nealzeypoo
Can we fix the android authenticator. The number text for mine is black. I have to use it in landscape to be able to see the numbers
While we continue to wait for an updated mobile Security Key application, there is a fix for this existing bug - if you go back to the app home screen and then tell it to generate a new key, it should show up correctly (failing that, close the app completely and launch it again). I wish I had a concrete date for an updated Android app but I don't.

Quote: Originally Posted by RyaSan-sal
Whoever told you guys this is safer should leave a large opening where his/her job used to be. How old and out of touch do you need to get, EA? You've proven you haven't got a clue what gamers want. So stop already. Change for the sake of change is a futile exercise for you and annoying as heck for your paying customers.
This is far from change for the sake of change as you will see over the next few weeks. I agree there is a minor annoyance as you will have to change your username to use your Display Name, but then you can use the existing 'remember this account' function that has been there for a few years now and the annoyance will go away...

Quote: Originally Posted by noobzor
One concern that I have is that it seems this is opening up a way for people to "grief" each other by intentionally trying to log into someone else's account and failing a number of times, resulting in the account getting locked out. Currently, the only way to re-enable the account is to call customer service.

I, personally, don't want to have to call customer service to get my account re-enabled over and over again if someone decides they want to pick on me. That would be enough to make me not want to play this game anymore.

Are there any plans to address this scenario?
Short answer: yes.
Longer answer: An attacker will not be able to 'lock out' a players account, and at the same time will not be able to 'brute force' getting into the account.
Much longer answer: I'll give that sometime in the next few weeks once the ducks are all lined up.

Quote: Originally Posted by Leonalis
Maybe you can explain: why

Blizzard changed the login from login-name to email and said: this is more safety
Bioware changed the login from email to login name

Logic!

And Blizzard has a little bit more users and my email address on the Battle.net is additionally my login to SC2 and D3 and WoW
Blizzard and BioWare, while sharing the same first letter of the studio name, have very different authentication systems. For us, using the email account as the username precludes us from rolling out some other additional security features, which dictates that to roll out more features we must change to Display Name only.
I don't know, and won't attempt to guess, the inner workings of the Blizzard authentication system, so I'm not qualified to say it's better or worse in using email address for the username. I do however know our system very well, and know that it is better for us to change now in order to be able to implement other enhancements to our security.

Quote: Originally Posted by PeterGun-SWE
Big thanx for the replies Phillip_BW


And since this topic is about security and you are the Senior Manager of Security, I hope you don't mind me asking:

When will we in Europe and Asia-Pacific be able to buy Physical Security Keys?

And please don't give me that baloney that it's possible via the Origin Store, or even via the US Origin Store... 'cause they don't ship outside the US.
I don't mind being asked at all! I can only apologize for the delay, and can assure you that we are working on this. I don't have an actual date for when we can get the key-fobs available for purchase again. I can say that even today I had various emails specifically on this topic with the teams in Europe that control the EU side of the Origin store, and therefore the availability of the key-fobs themselves.
I really do want everybody to have a Security Key or at least the choice on if they want to get one - this has been a hot topic with me (as many people internally know) ever since we had to take the key-fobs off the store last year.

Quote: Originally Posted by Bomyne
After reading this thread, I have come to a conclusion. There is a MASSIVE security hole in SWTOR's login system. You can log in by a publicly displayed username already.

I'd like to make a suggestion. Disable this publicly displayed username login system and force everyone to log in through the more secure email login system.
We don't need to change the existing implementation as there is no MASSIVE security hole. As others have pointed out, if you log in from a different location and/or machine, you will be prompted for an SQA if you don't have a Security Key.
There is one caveat - if you are a new 'F2P' player and have never bought anything, you currently don't have an email address and probably don't have SQAs associated with your account. You can add either at any time of course, but until you do your account will only ever be secured by a Display Name and password combination.
We may change it so that all players have at least a valid email address at some point in the future, but currently it is optional up until the point you want to buy something and therefore associate a real money transaction against your account.

Quote: Originally Posted by Halabane
The email you sent out looks like a phishing email. You should tell people to log into their accounts without a link. It would be easy to grab account info, especially for those who don't have an authenticator, by using this email form.

They hammer us at work about this.
Apologies - we had put in place explicit instructions to not put in links in the email, but it appears that one got through regardless.


Quote: Originally Posted by Dragarr
So sacrifice player account security in chase of the Almighty dollar, it's good to know what Bioware think of us. Should I just start depositing my pay check straight to your account?
If anything we are spending a lot of money to increase security. A lot of players have complained about having to call CS due to various issues such as being unable to log in due to forgetting their Secret Questions and Answers or losing their Security Key, and in order to facilitate some self-service pieces (those previously mentioned ducks) with an acceptable level of risk, we have to de-link the email address from the authentication system.


Quote: Originally Posted by DaRoamer
What about the IP checks and secret answers they will need to log in to the account?
I've noticed a lot of people are forgetting about the other checks we do. There are more than just those two of course...


Quote: Originally Posted by DarthSabreth
OHHH JOY i can just see it now. Joe shmuckatelly gets upset with joe smoe's post then well hey since he / she already has 50% of his or hers log on then let the fun begin for their hack on them for revenge. There are a lot of smart folks that play this game and giving them half of a logon is just silly.

At any rate it will force people to either not use the forums or delete all the past posts to avoid any credit farmers from phishing the forums for easy pickings. why not they now have HALF the logon.

so since we can't or are shunned from using another service they provide due to lack of security is there any other surprises down the road? was there really that many hacked accounts to warrant such a change?
We have a very vocal community of players. If there was an issue with accounts being hacked, I'm very sure we would all know about it. So to put your mind at rest, none of the changes we are making with the authentication system are a result of an issue with hacked accounts and in fact it will be even harder for an attacker to attempt to hack an account.
We are keeping ahead and avoiding account take-over issues, not reacting to one.


Quote: Originally Posted by Jagrevi
A question - I may be losing the email address associated with this account in the course of the upcoming year. Will this change allow me to (or affect my ability to) change the e-mail address associated with this account?
Another good question! Your ability to change your email address is available today, and will remain available after the changes on April 2nd. I would recommend changing to a new email address (and completing the validation process for that new email address) before you lose access to your current email account.

Again I'd stress using a unique password on the email account and if possible using a two-factor solution like Two-Step for GMail.


Quote: Originally Posted by WorldSecurities
But then he showed favor to 'doing security on the cheap.'
Taking that one sentence at face value, let's just be clear that we are not "doing security on the cheap". Far from it. I can't go in to the total costs of the Mobile Security Key per player, but it's not a trivial cost, and we are absorbing that completely with no plans to change. We sell the Physical Security Key at less than cost and still have to ship it to the buyer; again, no plans to change who pays that cost.
The costs you are quoting me on are support costs associated with something nearly everybody that has to call CS complains about - exactly that, the 'need' to call CS (especially internationally) and therefore the CS costs we also absorb. One of the key aspects of de-linking email from the username is the ability to provide some self-service options which will negate the need for a call to CS. Yes we will save some money internally, but we are not "doing security on the cheap".


Quote: Originally Posted by BanRau
That has got to be the worst move I've ever heard of. Why is it that if you are going to change the login that you make us use the name that we subscribe under instead of letting us log in like we have been with our emails? You came out with these devices that attach to our key-chains that give us a number to enter as our Security Key and our emails and passwords to go with it and you're changing it. Why didn't you do this when the game was first released instead of doing it now after all of this time, tell me that? This makes no sense.
The note we sent out was only changing the username aspect of authentication. All of the other pieces such as passwords and Security Keys remain in place. I hope that makes more sense...


OK, I've finished this reply up to the end of page 20. Given the sheer length of this post I'll reply again for page 21+ soon!

Phillip Holmes
SWTOR Head of Security
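The post talks about two kinds of 'Something I have': a Security Key that produces a time-limited code which changes frequently, and a proposed 'Email Security Code' delivered out of band. The block below is an added example written for this page, not SWTOR's or BioWare's code and not a description of how their Security Key works internally. It implements the standard RFC 6238 TOTP construction (HMAC-SHA1 over a 30-second counter, RFC 4226 truncation) and a single-use, hash-at-rest email code store. The secret is the RFC 6238 test vector secret, and the account name and timestamps are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
import struct

# RFC 6238 test secret (ASCII "12345678901234567890"). A real deployment
# generates a random secret per enrolled key-fob or app and never reuses it.
DEMO_SECRET = b"12345678901234567890"


def totp_code(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time code: HMAC-SHA1 over the current time window.

    The code depends on the secret and on which 30-second window `now` falls
    in, so a code observed earlier is useless once the window has passed.
    """
    counter = int(now // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % (10 ** digits):0{digits}d}"


def verify_totp(secret: bytes, submitted: str, now: float, skew: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Accept the current window plus `skew` windows either side for clock drift.

    The comparison is constant-time so timing does not leak matching digits.
    Guessing must still be rate-limited server-side; this function does not do that.
    """
    for drift in range(-skew, skew + 1):
        expected = totp_code(secret, now + drift * step, step, digits)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


class EmailCodeStore:
    """Single-use, short-lived codes delivered over a separate channel (email).

    Only a hash of the code is stored, so a copy of this table cannot be used
    to log in. Every redemption attempt consumes the code, right or wrong, so a
    delivered code cannot be guessed by repeated submission.
    """

    def __init__(self, ttl_seconds: int = 600, digits: int = 8) -> None:
        self.ttl = ttl_seconds
        self.digits = digits
        self._pending = {}   # account -> (sha256 hex of code, expiry timestamp)

    @staticmethod
    def _digest(code: str) -> str:
        return hashlib.sha256(code.encode()).hexdigest()

    def issue(self, account: str, now: float) -> str:
        """Create a fresh code for `account`; the caller emails it to the address on file."""
        code = f"{secrets.randbelow(10 ** self.digits):0{self.digits}d}"
        self._pending[account] = (self._digest(code), now + self.ttl)
        return code

    def redeem(self, account: str, submitted: str, now: float) -> bool:
        entry = self._pending.pop(account, None)   # one attempt, then it is gone
        if entry is None:
            return False
        digest, expires_at = entry
        if now > expires_at:
            return False
        return hmac.compare_digest(digest, self._digest(submitted))


if __name__ == "__main__":
    print("code at t=59:", totp_code(DEMO_SECRET, 59))          # RFC 6238 vector
    print("same code 10 minutes later:", verify_totp(DEMO_SECRET, totp_code(DEMO_SECRET, 59), 659))
    store = EmailCodeStore()
    code = store.issue("demo-account", now=1000.0)               # constructed account/time
    print("email code redeemed once:", store.redeem("demo-account", code, 1001.0))
    print("replayed:", store.redeem("demo-account", code, 1002.0))
```

A one-time code is only as strong as the channel that delivers it: the email variant is 'something you have' only to the extent that the mailbox is protected, which is why the post keeps repeating 'secure your personal email account'.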
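The griefing question above gets the answer that an attacker must be unable to lock a player out and at the same time unable to brute-force the account. One common design that meets both goals keys the failure counter on the (account, source) pair rather than on the account alone, and separately budgets failures per source across all accounts to blunt credential stuffing with email/password pairs gleaned from other sites. The block below is an added example of that design, written for this page; it is not SWTOR's implementation, and the account names, source addresses and timestamps are constructed.

```python
from collections import defaultdict


class LoginThrottle:
    """Throttle failed logins without a hard per-account lockout.

    - Each (account, source) pair gets exponential backoff after failures, so an
      attacker hammering 'victim' from one address only delays themselves; the
      owner arriving from their usual address sees no penalty.
    - Each source also has a failure budget across all accounts in a sliding
      window, which catches credential stuffing that touches many accounts once.
    Source is whatever the deployment uses to identify the client (here an
    IP address string; a device cookie or session fingerprint also works).
    """

    def __init__(self, base_delay: float = 2.0, max_delay: float = 900.0,
                 source_budget: int = 20, window: float = 3600.0) -> None:
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.source_budget = source_budget
        self.window = window
        self._pair = defaultdict(lambda: [0, 0.0])   # (account, source) -> [failures, blocked_until]
        self._source = defaultdict(list)              # source -> failure timestamps

    def _recent_failures(self, source: str, now: float) -> list:
        self._source[source] = [t for t in self._source[source] if now - t < self.window]
        return self._source[source]

    def retry_after(self, account: str, source: str, now: float) -> float:
        """Seconds the caller must wait before an attempt is evaluated; 0.0 means proceed."""
        wait = max(0.0, self._pair[(account, source)][1] - now)
        recent = self._recent_failures(source, now)
        if len(recent) >= self.source_budget:
            # Source used up its budget across all accounts: wait until the oldest ages out.
            wait = max(wait, recent[0] + self.window - now)
        return wait

    def record_failure(self, account: str, source: str, now: float) -> float:
        """Register a failed attempt and return the backoff applied to this pair."""
        entry = self._pair[(account, source)]
        entry[0] += 1
        delay = min(self.max_delay, self.base_delay * 2 ** (entry[0] - 1))
        entry[1] = now + delay
        self._source[source].append(now)
        return delay

    def record_success(self, account: str, source: str) -> None:
        """A real login from this pair clears its backoff; other pairs are untouched."""
        self._pair.pop((account, source), None)


def attempt_login(throttle: LoginThrottle, account: str, source: str,
                  password_ok: bool, now: float) -> str:
    """Tiny driver showing where the throttle sits relative to password checking."""
    wait = throttle.retry_after(account, source, now)
    if wait > 0:
        return f"throttled, retry in {wait:.0f}s"
    if password_ok:                         # real code verifies a slow, salted hash here
        throttle.record_success(account, source)
        return "ok"
    throttle.record_failure(account, source, now)
    return "bad credentials"


if __name__ == "__main__":
    t = LoginThrottle()
    for i in range(6):                       # griefer guessing the victim's password
        print(attempt_login(t, "victim", "203.0.113.5", False, 1000.0 + i))
    # the owner from their own machine is unaffected by the griefer's failures
    print(attempt_login(t, "victim", "198.51.100.7", True, 1006.0))
```

The owner still needs protection from an attacker who shares their source (a café network, a compromised home PC), which is where the other checks the post mentions come in: a new location or machine triggers the security question or the Security Key rather than a lockout.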