Phillip_BW

03.07.2013, 11:52 AM | #389
We had a minor issue with uploading one of my posts yesterday, and it lost the 'Next BW Post' link as a result. So just in case you missed it, here is a list of the posts thus far! (Courtney's starting post) (First reply) (Second reply - this is the one with the missing link) (Third reply)

OK - pages 31 to 37 answers...

Quote: Originally Posted by Dink View Post
When will we get an authentication app for (don't hate) Windows 7/8 phones? I'm not going to carry my keyfob with me everywhere just so I can login to the website, so I've yet to activate it...but I would activate if I had an app I could access from my phone.
We have Security Key applications for Windows Phones (and Blackberry even) on the list of 'would be really nice to have', but there are no current development plans for those at this time. That is a business decision based on market share - the development effort is not trivial, and until the percentages change significantly (which they could!) we probably will not get funding for the work involved. I've used Windows Phones most of my life, so this is a topic near and dear to my heart as well :jawa_grin:

Quote: Originally Posted by Bomyne View Post
This is going to be blunt but you are wrong. I'm sorry. How do i know? Last week i upgraded from my iPhone 4 to an iPhone 5. Upon restoring my backup via iTunes, I found the app was crashing. Security feature, maybe? Anyway, i grabbed the details i saved and removed and restored the app from the app store. I input the saved information and I now have a working security app for my account. Been using it ever since i got the iPhone5.
I will have that functionality tested again - the time period for being able to reuse the same key successfully (and this relates to the Mobile version only) should stop that after a certain number of authentications. It's possible the configuration changed when we consolidated some of our back-end systems, so I'll get the configuration validated for sure. I'll make sure if we do have a configuration change there that we only change it after the self-service options are available (your next question is actually related after all).

Quote: Originally Posted by Bomyne View Post
Unrelated note, but both Blizzard and Sony have a way for me to remove an authenticator myself in case of upgrading the device/changing the keyfob. Any chance of that here?
As part of the April 2nd release or later? I can't say just yet on April 2nd, but this is one of the ducks I'm lining up. It's no coincidence that the change we are making is related to that (among other) self-service implementations. One of the ducks even has 'move' in its name.

Quote: Originally Posted by Invincibelle View Post
I wonder if this might be a prelude to using Display Names as handles attached to character names... like STO does it. I know a lot of people have been upset over losing character names in the server merges, so this would be a way to let them have their names back (not saying this is a good thing... it just sticks out as a possibility). So instead of having a character named Mara and being the only Mara on the server, I'd be "Mara@InvinciBelle". It'd only display "Mara" in the game world, but when you click to friend or chat it'd clarify with the "@InvinciBelle" added to it. And that way there would be no more unique names and everyone who lost their original names could have them back.

Again, I'm not saying this is a good idea (I kinda like having a unique identity, even if it's not the one I wanted)... just that this seemed like a possible direction after I read the announcement.
The removal of email address as a username option is a change to our out-of-game authentication system only. No in-game name changes will result. I thought it best to clear that up...

Quote: Originally Posted by MadHobbit View Post
OK, tin foil hat time: this change is due to splitting off SWTOR, to in effect create a different account.
Also squashing this before it becomes a rumour - we aren't splitting off SWTOR from EA. The change in our authentication system is an enabler for modifications or additional systems associated with authentication only.

Quote: Originally Posted by TomWhiting View Post
Way it was done previously:
Login using email (which someone would have to guess) and password. More secure

Way it will be done now:
Login using username (which EVERYONE knows) and password. LESS secure

Because an IP ADDRESS is not a form of 'security'.
limiting logins based on IP address is just the most ridiculous thing I've ever heard of (well, almost as ridiculous as just giving users 1/2 the login credentials to get to my account, or anyone's for that matter). What about individuals who travel frequently, but want to play? What if someone moves? There are HUNDREDS of variables here, and limiting logins by IP on an MMO is just RIDICULOUS.
Relying purely on IP Address indeed would be ridiculous. Imagine a university dorm and everybody being able to play each other's accounts. That would be horrific if you valued your account at all in that scenario.
All these scenarios (and many many more) have been considered and mitigated. We aren't relying solely on one control (such as an IP Address) to protect an account, just as we have never relied on just username/password in the live game. We rely on many controls that work together to protect the account. Yes we are changing some of those controls, but only so we can put additional systems in place without removing security. The upshot is that accounts will be in an even more secure state as of April 2nd.

Quote: Originally Posted by Jedlosson View Post
I completely agree with this assessment.

Starting with 2nd April, all the hackers have to do is browse the SWToR forum for display names in order to get half of people's login credentials.

Incorrect. There are two main ways of hacking into one's account - phishing and the keylogger virus.

1) The phishing hacker already knows your email, since he already sent you a phishing e-mail. As you go to the page linked by the phishing e-mail and use your display name to log in, he will have both the e-mail and the display name.

2) If you have a key-logger virus on your computer, the hacker will get both the email address (as you log into origin) and the display name (as you log into SWToR) in order to play the game.
Even today, hackers can browse the SWTOR forums for Display Names. It doesn't give them anywhere near half of a player's login credentials though, and we have built our security based on the knowledge that some players use the same username and even the same password on multiple websites. With the number of compromises of those credentials at other companies in the last few years, the concept that 'username' is something to try and protect is a foolish concept indeed. It's why we have so many other controls in place to make knowledge of the username in and of itself irrelevant.
You are right that two of the ways of being 'hacked' are phishing and keyloggers. And these are things that you as a player (indeed, all the players!) can and should control. There are some very simple ways to protect yourself:
* Ensure you have a good AV program installed and kept up to date
* Use a unique password on your email account
* If possible put a two-factor system around your email account (Two-Step for GMail is the most obvious/easy to get of the solutions out there)
* Don't visit hacker websites, or for that matter most **** sites - a lot of them have virus attacks included in viewing the pages
* Don't open attachments on emails that you aren't expecting. You have more chance of winning the lottery by buying a ticket in a shop...
* There are many other things you can do - research 'securing my home computer' on Google and do 'all the things' you can!

Quote: Originally Posted by Jacen_Starsolo View Post
I tried to strengthen my password in TOR. I tried to generate a long complex password with KeePass. Even after I do a random gen in KeePass I go in and change a few around. And TOR wouldn't accept it unless I shortened it CONSIDERABLY. Like cut it to 1/3 the length. What kind of "superior security" is that?
The maximum length of 16 characters is an EA restriction due to a lot of other systems across EA that cannot handle more than 16 characters still. One day that may change (and I continually push for that work to be completed!), so in the meantime we have many other controls in place to make a shorter password not as important as it otherwise could have been. Being forced to have a shorter password has meant we have placed more controls than we otherwise would have, which is why you don't see thousands of 'my account was hacked' posts on a daily basis. Sometimes being restricted in specific instances on what security we can implement has created better security overall due to the other controls we put in place.

Quote: Originally Posted by Merouk View Post
Forget about security for a second. You are not giving us control over whether the username is hidden or visible, and lack of control is obviously what's making us "vocal." It doesn't matter whether a hidden username actually increases security or not; in our minds it does. Consider the cost of implementing a hidden username or non-login forum name solely against the benefit of shutting us the hell up and having happier customers.

It's what you're doing with your posting, anyway, trying to get us to be less vocal. It's not working for some of us. You're using reason and logical explanations to argue against how we feel. It's not working.
That has to be one of the best posts in this entire thread! I would love to care more about people's feelings when it comes to security, however the attackers/hackers out there don't. Not one bit. Personally I do care, but professionally I also have to deal with the attackers, so I have to cater for their level of caring and look at security from the point of view of boring concepts such as logic. If that focus on preventing zero-feeling attacks has bled over into my answers, then I can only apologize - my ambition is to ensure we continue to keep accounts secure at a reasonable level of cost. That, and nobody likes my idea of requesting a pint of blood for DNA verification every time a player logs in.
I actually like people being vocal btw. It helps ensure we haven't missed anything (there are a lot more of you than us working here!), and I can safely say that nobody has brought up a concern with regards to the change to Display Name only that we haven't already planned for or mitigated by ensuring we have other controls in place. I'm just trying to alleviate (or even educate) people with regards to better security, as it is a very complicated subject that most people take for granted without fully understanding. Perceptions based on less than full understanding are something I'm trying to get to perceptions based on better understanding...

Quote: Originally Posted by LarryRow View Post
I call BS. This level of detail and attentiveness requires a much larger time commitment.

Don't stop the sass, Phillip. These guys need to know that
1. British people are the funniest.
2. Amateurs and arm-chair analysts are not qualified to weigh in on internet security
OK - you caught me. I'm only spending a few minutes on each answer. The reason there has usually been a day delay in answering the questions is that I'm writing up the answers out of office hours most of the time.

Quote: Originally Posted by KALELSAB View Post
Ok. With the change of login from email to user name, there are a lot of concerns. In Developer forum BW says "An attacker will not be able to 'lock out' a players account, and at the same time will not be able to 'brute force' getting into the account."

How are both true?

They also say that this will be more secure. Nothing they are saying about this seems to make sense. If someone can attempt to log in without locking out the account, how is that more secure? If the account can be locked out, then why give all of our user names to the world?
Both are true as we have other controls in place which we don't talk about, and from a players perspective you will never see in action as you aren't trying to 'hack' your own account. Attackers on the other hand trigger the other controls and are dealt with accordingly - that's why those other controls exist to protect your legitimate usage of your account.

Quote: Originally Posted by iamthehoyden View Post
I do have a question. Is there any chance we'll be able to write our own security questions? Or get more options than what's there currently? The current ones don't seem particularly secure.
Within SWTOR we will not be changing the system to allow custom questions. More options than there are currently have been looked at a few times already, and I'm sure it will come up as a topic internally again. With regards to the custom questions, while most people are very polite with the answers, the questions themselves are also used as voice verification for Customer Services, and impolite custom questions are something we would like to protect our CS staff from when a disgruntled player could otherwise be impolite.

Quote: Originally Posted by DaRoamer View Post
Because it IP bans them. You will still be able to log in from your IP address.

You can put anything you like in those answers. You don't have to answer truthfully :P As long as you remember what your answers are.

What is your favorite color?
I too don't answer the answers truthfully! To prevent myself from forgetting the answers though, I keep them locked up in a little program called Password Safe (sourceforge project). There are quite a few similar programs out there such as KeePass, and I highly recommend using one to avoid that 'forgot!' moment. I use a different answer on every site as well, so would never be able to remember the answers if I wanted to...
Just never ever use that 'master password' anywhere else!

OK, finished with page 39 now...

Phillip Holmes
SWTOR Head of Security
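As an added illustration of the design question raised in this post (how an account can resist brute forcing from a stranger who knows the username, yet never be locked out for its owner), here is one throttling scheme that satisfies both. It is example code written for this page, not BioWare's actual controls, which the post deliberately does not describe; the thresholds, addresses and timestamps are constructed.

```python
# Added illustration (assumed design, not the post's real controls): login failures
# are counted per (account, source) and per source, so a guesser who knows a display
# name is slowed and then blocked on their own source, while the legitimate owner on
# another source is never locked out. A flood of failures on one account from many
# sources triggers step-up authentication (e.g. a Security Key), never a hard lock.
from collections import defaultdict

WINDOW = 900               # seconds a failure stays counted
PER_SOURCE_MAX = 5         # failures per (account, source) before that source is blocked
GLOBAL_SOURCE_MAX = 20     # failures from one source against any accounts
STEP_UP_ACCOUNT_MAX = 30   # total failures on an account before step-up auth is required

class LoginGuard:
    def __init__(self):
        self.pair_fail = defaultdict(list)   # (account, source) -> [failure times]
        self.src_fail = defaultdict(list)    # source -> [failure times]
        self.acct_fail = defaultdict(list)   # account -> [failure times]

    @staticmethod
    def _recent(times, now):
        # Drop entries older than WINDOW in place and return how many remain.
        times[:] = [t for t in times if now - t < WINDOW]
        return len(times)

    def decide(self, account, src, now):
        """Return 'block', 'step_up' or 'allow' for an attempt, before the password check."""
        if self._recent(self.src_fail[src], now) >= GLOBAL_SOURCE_MAX:
            return "block"
        if self._recent(self.pair_fail[(account, src)], now) >= PER_SOURCE_MAX:
            return "block"
        if self._recent(self.acct_fail[account], now) >= STEP_UP_ACCOUNT_MAX:
            return "step_up"   # account under attack: demand a second factor, never lock
        return "allow"

    def record_failure(self, account, src, now):
        # Called by the login handler after a wrong password for this attempt.
        self.pair_fail[(account, src)].append(now)
        self.src_fail[src].append(now)
        self.acct_fail[account].append(now)

def simulate():
    g = LoginGuard()
    # Constructed scenario: 203.0.113.9 guesses passwords for the known display name "mara".
    for t in range(PER_SOURCE_MAX):
        g.record_failure("mara", "203.0.113.9", t)
    attacker = g.decide("mara", "203.0.113.9", 6)          # guesser's source is now blocked
    owner = g.decide("mara", "198.51.100.4", 6)            # real owner elsewhere: unaffected
    later = g.decide("mara", "203.0.113.9", 6 + WINDOW)    # counts decay after WINDOW
    return attacker, owner, later
```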