Display Name Only Log In - Coming April 2, 2013

STAR WARS: The Old Republic > English > General Discussion

TomWhiting
03.07.2013 , 02:27 AM | #331
Quote: Originally Posted by DaRoamer
Your login name is not actually meant to protect anything at all; it's simply an identifier.
Therefore no protection is being removed in that regard.
Way it was done previously:
login using email (which someone would have to guess) and password. More secure

Way it will be done now:
login using username (which EVERYONE knows) and password. LESS secure

Quote: Originally Posted by DaRoamer
I fail to understand why people are ignoring the fact that the first security check is actually your IP address.
Because an IP ADDRESS is not a form of 'security'.
Limiting logins based on IP address is just the most ridiculous thing I've ever heard of (well, almost as ridiculous as just giving users 1/2 the login credentials to get to my account, or anyone's for that matter). What about individuals who travel frequently but want to play? What if someone moves? There are HUNDREDS of variables here, and limiting logins by IP on an MMO is just RIDICULOUS.

Missandei
03.07.2013 , 02:30 AM | #332
Quote: Originally Posted by Phillip_BW
The costs you are quoting me on are support costs associated with something nearly everybody that has to call CS complains about - exactly that, the 'need' to call CS (especially internationally) and therefore the CS costs we also absorb. One of the key aspects of de-linking email from the username is the ability to provide some self-service options which will negate the need for a call to CS. Yes, we will save some money internally, but we are not "doing security on the cheap".
Thanks for the clarification.
That was exactly the thing I personally wanted to hear from you about.

I think that if you had posted this explanation about implementing the «self-service» options
in the news/announcement article there would have been far fewer angry responses about the new DisplayName login system.

That will actually make the experience of using the Android SecurityApp not so dangerously thrilling every time.. Nothing in this game frightens me as much as the prospect of making a «5hrs-on-wait» call to Customer Service...

So I now fully welcome the changes you have started..
Missandei Shadow ...yet shadows can kill. And oft-times a very small man can cast a very large shadow.

Nemhain
03.07.2013 , 03:39 AM | #333
Quote: Originally Posted by Phillip_BW
So in case you haven't come across me before (most haven't!), I'm Phillip Holmes, the Senior Manager of Security here at Star Wars: The Old Republic.

I will be posting a more detailed synopsis of the upcoming changes in the next few weeks - I just have one or two ducks left to line up before I do that.
First of all, I want to thank you for answering some of the questions posted by other members of our community regarding this topic.

I don't think it will help at this point to post my fears and doubts about this security measure change; I'll wait for that "more detailed synopsis of the upcoming changes", as you call it. Then let's see if I keep my doubts and fears regarding this.

One thing I learned when I was in another MMORPG (a subscription one as well, which I played for almost 6 years before changing to this game): if a hacker wants to steal your account he will, no matter how careful the user is regarding his e-mail address; if he wants to, he will. That happened to me.
The only thing we can do is keep making the hackers' lives as hard as possible, and trust that the people in charge of keeping the accounts safe do their job.
"Mercy is not true, your sins are next to mine"

HellaFix
03.07.2013 , 04:31 AM | #334
Well, I can see my account going online for sale somewhere..

Salimet
03.07.2013 , 04:42 AM | #335
I agree with everyone that at times I think it will make it easier to hack into someone's account as well. But BioWare knows what they are doing.

Jedlosson
03.07.2013 , 04:50 AM | #336
Quote: Originally Posted by TomWhiting
Way it was done previously:
login using email (which someone would have to guess) and password. More secure

Way it will be done now:
login using username (which EVERYONE knows) and password. LESS secure
I completely agree with this assessment.

Starting on 2nd April, all the hackers have to do is browse the SWToR forum for display names in order to get half of people's login credentials.

Quote: Originally Posted by Phillip_BW
So two things here. Not everybody knows your Display Name, and an attacker will need to figure out your email account in order to attempt to take over your SWTOR account. We are implementing a few other measures (more news on that in the few weeks!) to ensure that account take over risk is mitigated.
Incorrect. There are two main ways of hacking into one's account: phishing and the keylogger virus.

1) The phishing hacker already knows your email, since he already sent you a phishing e-mail. As you go to the page linked by the phishing e-mail and use your display name to log in, he will have both the e-mail and the display name.

2) If you have a key-logger virus on your computer, the hacker will get both the email address (as you log into Origin) and the display name (as you log into SWToR in order to play the game).
Sith Juggernaut 55 | Sniper 55 | Sith Sorceror 52 | Mercenary 50
Jedi Guardian 55 | Jedi Shadow 50 | Vanguard 50 | Scoundrel 13
<=== Legacy 47 ===>

Alduinsm
03.07.2013 , 05:18 AM | #337
Quote: Originally Posted by Jedlosson
Starting with 2nd April, all the hackers have to do is browse the SWToR forum for display names in order to get half of people's login credentials.
They can already do it now (login with display name has been available since FTP launched).
Shin

Mogic
03.07.2013 , 05:48 AM | #338
It's amazing how many armchair security professionals there are playing SWTOR. You all should apply for high-level security jobs for knowing so much.

/end sarcasm

Everyone screaming about knowing half of your login information knows absolutely nothing about security. Here's how you would have to attack the site if you know the display name vs. the email.

Scenario 1
Try to log in... brute force the password. Internal systems pick up the brute force attack and block the IP, flag it for review. Seriously, brute force attacks are very easy to detect.

"But they could use a BotNet" True, hackers using a BotNet are not interested in stealing your SWTOR account. They want personal info like CC info to sell, or the database of users/passwords to sell to a 3rd party. They would be attacking BioWare's internal network, not brute forcing your account.

"Gold Farmers......." Don't brute force; they either buy email/password lists from other hacked sites or hack vulnerable forum/game sites and use them to try and access accounts for other games. The majority of users don't practice good security and use email addresses on multiple sites. You yourself probably don't, but for every 1 person that does, there are probably a couple hundred that don't.

Simple passwords... Again this is your own fault, not BioWare's. If you're using a simple password like 'Password1' then you should seriously consider changing it to something much harder to guess like P2Ssw4Rd (replace each vowel with an even number and capitalize the next letter). And obviously don't use the word password.

Scenario 2
Try to log in with someone's display name, click forgot password, but I don't have your email address so now I am kinda stuck because I don't know where they are sending the password. I could try to social engineer the answer out of the person, or BioWare; let's say I'm successful. I still don't know the password to the email account, so we're back to either trying scenario 1 on the email site, or back to trying to socially engineer the password out of the person. If you give up your password to someone it's your own fault and you can't blame BW for that.

Most email sites now have some sort of 2-factor or 2-step verification; you also shouldn't be using the same password for email and other sites. And if someone does ask you for your password, you should be asking yourself why, since no one would ever ask you for that info.

Those claiming that they know "50% of the login" are missing SAQs and IP verification, so really you only know 33%, 25% if they are using an authenticator.

If I had to guess, the reason they are moving away from email is to separate your email address from the display name to be able to start using email verification steps for login, for users that either can't get an authenticator or don't want one, but want some sort of 2-factor login.

What's funny is this same fear mongering / argument went down before launch when they were using email addresses to log in. Now that they are changing it, same fear mongering / argument. Damned if you do, damned if you don't.

TL;DR
Usernames should not be a protection for authentication. Authentication is separate from identification. Identification is a piece of data that describes an individual or group. Most of the time a username is a sequence of characters that uniquely identifies an individual. Typically an individual is authenticated with a password. I may claim I am Margaret Thatcher, but if I cannot type in Margaret Thatcher's password then I cannot authenticate as Margaret Thatcher.
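As an added example (not from this thread and not BioWare's code), here is what the detection Mogic describes would look like over a login audit log: one IP hammering one account gets blocked, one IP cycling through many display names (the bought-list scenario) is flagged as credential stuffing, and a correct password arriving from an IP never seen for that account triggers the new-IP step-up a later reply says SWTOR did not do. The log format, thresholds, IP addresses and player names are all constructed.

```python
from collections import defaultdict, deque
WINDOW_SECONDS = 300   # sliding window; all thresholds here are constructed
MAX_FAILS_PER_IP = 5   # failures from one IP before it is blocked and flagged
MAX_NAMES_PER_IP = 3   # distinct display names tried from one IP (stuffing)
# Constructed audit lines: "<unix_ts> <source_ip> <display_name> <OK|FAIL>"
SAMPLE_LOG = [
    "1000 203.0.113.5 player_a FAIL", "1010 203.0.113.5 player_a FAIL",
    "1020 203.0.113.5 player_a FAIL", "1030 203.0.113.5 player_a FAIL",
    "1040 203.0.113.5 player_a FAIL",   # 5th failure: brute force on one account
    "1100 198.51.100.7 player_b FAIL", "1105 198.51.100.7 player_c FAIL",
    "1110 198.51.100.7 player_d FAIL",  # 3rd account from one IP: stuffing
    "1200 192.0.2.10 player_e OK",
    "1300 192.0.2.99 player_e OK",      # valid password, IP never seen for account
]
class LoginMonitor:
    def __init__(self):
        self.fails = defaultdict(deque)    # ip -> timestamps of recent failures
        self.names = defaultdict(dict)     # ip -> {display_name: last failure ts}
        self.known_ips = defaultdict(set)  # display_name -> IPs with a past success
        self.alerts = []

    def _expire(self, ip, now):
        q = self.fails[ip]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        for n in [n for n, t in self.names[ip].items() if now - t > WINDOW_SECONDS]:
            del self.names[ip][n]

    def observe(self, ts, ip, name, ok):
        self._expire(ip, ts)
        if ok:
            # Knowing the display name bought nothing; a correct password from a
            # never-seen IP is where step-up verification belongs.
            if name in self.known_ips and ip not in self.known_ips[name]:
                self.alerts.append(("new_ip_step_up", name, ip))
            self.known_ips[name].add(ip)
            return
        self.fails[ip].append(ts)
        self.names[ip][name] = ts
        if len(self.fails[ip]) == MAX_FAILS_PER_IP:
            self.alerts.append(("block_ip_brute_force", ip))
        if len(self.names[ip]) == MAX_NAMES_PER_IP:
            self.alerts.append(("credential_stuffing", ip))

def analyse(lines):
    # Replay audit lines through the monitor and return the alerts raised.
    m = LoginMonitor()
    for line in lines:
        ts, ip, name, result = line.split()
        m.observe(int(ts), ip, name, result == "OK")
    return m.alerts
```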

Jedlosson
03.07.2013 , 05:58 AM | #339
Quote: Originally Posted by Alduinsm
They can already do it now (login with display name has been available since FTP launched).
I stand corrected.
Sith Juggernaut 55 | Sniper 55 | Sith Sorceror 52 | Mercenary 50
Jedi Guardian 55 | Jedi Shadow 50 | Vanguard 50 | Scoundrel 13
<=== Legacy 47 ===>

Jedlosson
03.07.2013 , 06:10 AM | #340
Quote: Originally Posted by Mogic
Those claiming that they know "50% of the login" are missing SAQs and IP verification, so really you only know 33%, 25% if they are using an authenticator.
SWToR does not use IP verification.

I have a dynamically changing IP address, so I have to verify a new IP every week when trying to log into Guild Wars 2. SWToR never bothered to verify anything about my IP despite this fact.
Sith Juggernaut 55 | Sniper 55 | Sith Sorceror 52 | Mercenary 50
Jedi Guardian 55 | Jedi Shadow 50 | Vanguard 50 | Scoundrel 13
<=== Legacy 47 ===>