
Display Name Only Log In - Coming April 2, 2013


CourtneyWoods


  • Replies 531

This is an excellent Security Update as this will do several things from a global Security perspective.

 

  1. Help to protect individuals' identities or identifying information.

This won't actually protect anything here. Nothing at all. In fact, there's a layer of protection that's removed here because of this. What part of 'you now have half my login information' do you not get?

 

BTW, before you think #1 is not the case: I work professionally in Information Security and hold several global certifications, including my CISSP.

And I'm the Queen of England, the sky is really purple, and the world is flat. If you have your CISSP, then forfeit it immediately, because you clearly know very, very little about security


This won't actually protect anything here. Nothing at all. In fact, there's a layer of protection that's removed here because of this. What part of 'you now have half my login information' do you not get?

 

 

And I'm the Queen of England, the sky is really purple, and the world is flat. If you have your CISSP, then forfeit it immediately, because you clearly know very, very little about security

 

Your log in name is not actually meant to protect anything at all, it's simply an identifier. Therefore no protection is being removed in that regard. I fail to understand why people are ignoring the fact that the first security check is actually your IP address. So what if someone knows your user ID? If their IP address is different from yours they have multiple security conditions to run through before having access to your account. Even WITH the correct password they STILL won't be able to access your account.


In general the message given anywhere is: "DO NOT SHARE YOUR LOGIN INFORMATION WITH ANYONE", not just the password. Personally I think the term "password" is wrong, "passcode" would be more accurate and it's never advisable to use an actual word.

 

If I had designed this I would never have used the email address to log in in the first place, which is why I made a new email account to use for SWTOR exclusively. It would have been much better to have an account name & display name with an email field in the account.

 

I do understand that a login shouldn't be relied upon for security, but having an account name that is unknown to people is an additional security string that works together with the password. But I understand this will probably never happen now, so I will move to the next point...

 

Another good question.

This change fundamentally changes what else we can improve within our authentication system in other areas such as self-help services. I have a few ducks with names that start with 'self-help' floating around here somewhere.... :jawa_wink:

 

Now this trade off does make me curious as to what we'll be given to do ourselves without calling customer support. Especially since ALL tickets needing any help with accounts or global issues affecting thousands of people need you to call them, and ESPECIALLY since calling is no longer free. - Called once, waited forever, couldn't be helped, the ticket I originally sent in was basically remade and sent to the highest tier with no more information in it than was originally supplied. But that's not your fault.

 

So what can we expect on the 2nd of April?

- Remove security key? (would like that when I see mine may die soon, which I hope is very far away)

- Reset payment allowance? (Cause people still can't be warned about the endless lockout when they buy too much in a short time)

- Change email address?

- Server transfers?

- Character renaming?

- Character restoration?

- ...

 

Just summing random things up because I don't have so many wishes at this point, just not sure what to expect and very curious. Basically hoping for anything that reduces the chances of needing to call crappy support for things a ticket should be enough to fix.


Can we fix the Android authenticator? The number text for mine is black. I have to use it in landscape to be able to see the numbers.

 

In my phone you can change the colour of the display by clicking on the settings tab, while there isn't an option to change the display colour it seems to do it automatically.


Your log in name is not actually meant to protect anything at all, it's simply an identifier.

Therefore no protection is being removed in that regard.

Way it was done previously:

Login using email (which someone would have to guess) and password. More secure.

 

Way it will be done now:

Login using username (which EVERYONE knows) and password. LESS secure

 

I fail to understand why people are ignoring the fact that the first security check is actually your IP address.

Because an IP ADDRESS is not a form of 'security'.

Limiting logins based on IP address is just the most ridiculous thing I've ever heard of (well, almost as ridiculous as just giving users 1/2 the login credentials to get to my account, or anyone's for that matter). What about individuals who travel frequently, but want to play? What if someone moves? There are HUNDREDS of variables here, and limiting logins by IP on an MMO is just RIDICULOUS.


The costs you are quoting me on are support costs associated with something nearly everybody that has to call CS complains about - exactly that, the 'need' to call CS (especially internationally) and therefore the CS costs we also absorb. One of the key aspects of de-linking email from the username is the ability to provide some self-service options which will negate the need for a call to CS. Yes we will save some money internally, but we are not "doing security on the cheap".

 

Thanks for the clarification.

That was exactly the thing I personally wanted to hear from you about.

 

I think that if you had posted this explanation about implementing the «self-service» options

in the news/announcement article there would have been far fewer angry responses about the new DisplayName login system.

 

That will actually make the experience of using the Android SecurityApp not so dangerously thrilling every time.. Nothing in this game frightens me so much as the prospect of making a «5hrs-on-wait» call to the Customer Service...

 

So I now fully welcome the changes you have started..

Edited by Missandei

So in case you haven't come across me before (most haven't!), I'm Phillip Holmes, the Senior Manager of Security here at Star Wars: The Old Republic.

 

I will be posting a more detailed synopsis of the upcoming changes in the next few weeks - I just have one or two ducks left to line up before I do that.

 

First of all, I want to thank you for answering some of the questions posted by other members of our community regarding this topic.

 

I don't think it will help at this point to post my fears and doubts about this security measure change; I'll wait for that "more detailed synopsis of the upcoming changes", as you call it. Then let's see if I'll keep my doubts and fears regarding this.

 

One thing I've learned when I was in another mmorpg (a subscribed one as well, which I played for almost 6 years before changing to this game): if a hacker wants to steal your account he will, no matter how careful the user is regarding his e-mail address. If he wants to, he will; that happened to me.

The only thing we can do is keep making the hackers' lives as hard as possible, and trust that the people in charge of keeping the accounts safe do their job. :rod_wink_g:


Way it was done previously:

Login using email (which someone would have to guess) and password. More secure.

 

Way it will be done now:

Login using username (which EVERYONE knows) and password. LESS secure

 

I completely agree with this assessment.

 

Starting with 2nd April, all the hackers have to do is browse the SWToR forum for display names in order to get half of people's login credentials.

 

So two things here. Not everybody knows your Display Name, and an attacker will need to figure out your email account in order to attempt to take over your SWTOR account. We are implementing a few other measures (more news on that in the few weeks!) to ensure that account take over risk is mitigated.

 

Incorrect. There are two main ways of hacking into one's account: phishing and the keylogger virus.

 

1) The phishing hacker already knows your email, since he already sent you a phishing e-mail. As you go to the page linked by the phishing e-mail and use your display name to log in, he will have both the e-mail and the display name.

 

2) If you have a key-logger virus on your computer, the hacker will get both the email address (as you log into origin) and the display name (as you log into SWToR) in order to play the game.

Edited by Jedlosson

Starting with 2nd April, all the hackers have to do is browse the SWToR forum for display names in order to get half of people's login credentials.

They can already do it now (login with display name has been available since FTP launched).

Edited by Alduinsm

Its amazing how many armchair security professionals there are playing swtor. You all should apply for high level security jobs for knowing so much.

 

/end sarcasm

 

Everyone screaming about knowing half of your login information knows absolutely nothing about security. Here's how you would have to attack the site if you know the display name vs email.

 

Scenario 1

Try to log in and brute force the password. Internal systems pick up the brute force attack and block the IP, flag it for review. Seriously, brute force attacks are very easy to detect.

 

"But they could use a BotNet." True, but hackers using a BotNet are not interested in stealing your Swtor account. They want personal info like CC info to sell or the database of user/passwords to sell to a 3rd party. They would be attacking BioWare's internal network, not brute forcing your account.

 

"Gold Farmers......." They don't brute force; they either buy email/password lists from other hacked sites or hack vulnerable forum/game sites and use them to try and access accounts for other games. The majority of users don't practice good security and use the same email address and password on multiple sites. You yourself probably don't, but for every one person who does the right thing, there are probably a couple of hundred who don't.

 

Simple passwords... Again this is your own fault, not BioWare's. If you're using a simple password like 'Password1' then you should seriously consider changing it to something much harder to guess like P2Ssw4Rd (replace each vowel with an even number and capitalize the next letter). And obviously don't use the word password.

 

Scenario 2

Try to log in with someone's display name, click forgot password, but I don't have your email address so now I am kind of stuck because I don't know where they are sending the password. I could try to social engineer the answer out of the person, or BioWare; let's say I'm successful. I still don't know the password to the email account, so we're back to either trying scenario 1 on the email site, or back to trying to socially engineer the password out of the person. If you give up your password to someone it's your own fault and you can't blame BW for that.

 

Most email sites now have some sort of 2 factor or 2 step verification, you also shouldn't be using the same password for email and other sites. And if someone does ask you for your password, you should be asking yourself why, since no one ever would ask your for that info.

 

Those claiming that they know "50% of the login" are missing SAQ's and IP verification, so really you only know 33%, 25% if they are using an authenticator

 

If I had to guess, the reason they are moving away from email is to separate your email address from your display name so they can start using email verification steps for login, for users who either can't get an authenticator or don't want one, but want some sort of 2-factor login.

 

Whats funny is this same fear mongering / argument went down before launch when they were using email addresses to login. Now that they are changing it, same fear mongering / argument. Damned if you do, damned if you don't

 

TL;DR

Usernames should not be a protection for authentication. Authentication is separate from identification. Identification is a piece of data that describes an individual or group. Most of the time a username is a sequence of characters that uniquely identifies an individual. Typically an individual is authenticated with a password. I may claim I am Margaret Thatcher, but if I cannot type in Margaret Thatcher's password then I cannot authenticate as Margaret Thatcher.

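The two signals the post above relies on, a single IP hammering passwords (Scenario 1, which "internal systems pick up") and the distributed or list-driven attempts a botnet or a gold farmer with a bought credential list would make, separate cleanly when you count failures in a sliding window per source IP and, independently, per account. The block below is an added example written for this page; it is not BioWare's detection code and not anything the poster wrote. The log format and every record in it are constructed, and the thresholds and window size are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records, one per login attempt: "timestamp source_ip username result".
# Made up for this example; the format is an assumption, not SWTOR's real log format.
SAMPLE_LOG = """\
2013-03-20T10:00:01 203.0.113.5 darthbob FAIL
2013-03-20T10:00:02 203.0.113.5 darthbob FAIL
2013-03-20T10:00:03 203.0.113.5 darthbob FAIL
2013-03-20T10:00:04 203.0.113.5 darthbob FAIL
2013-03-20T10:00:05 203.0.113.5 darthbob FAIL
2013-03-20T10:00:06 203.0.113.5 darthbob FAIL
2013-03-20T10:00:10 198.51.100.1 jedimary FAIL
2013-03-20T10:00:20 198.51.100.2 jedimary FAIL
2013-03-20T10:00:30 198.51.100.3 jedimary FAIL
2013-03-20T10:00:40 198.51.100.4 jedimary FAIL
2013-03-20T10:00:50 198.51.100.5 jedimary FAIL
2013-03-20T10:01:00 198.51.100.6 jedimary FAIL
2013-03-20T10:05:00 192.0.2.9 jedimary OK
2013-03-20T11:00:00 192.0.2.9 sithsam FAIL
2013-03-20T11:00:30 192.0.2.9 sithsam OK
"""

# Assumed tuning; real values depend on traffic. Only failures are counted,
# so a successful login never pushes anyone toward a threshold.
WINDOW = timedelta(minutes=10)
IP_FAIL_THRESHOLD = 5        # one source trying many passwords -> block and flag the IP
ACCOUNT_FAIL_THRESHOLD = 5   # one account hit from anywhere -> step-up on the account


def parse_log(text):
    """Parse the constructed format into (timestamp, ip, user, success) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        records.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return records


def detect(records):
    """Return (flagged_ips, flagged_accounts).

    For each key (IP or account) keep a deque of failure timestamps no older
    than WINDOW; a key is flagged the moment its deque reaches the threshold.
    """
    ip_fails = defaultdict(deque)
    acct_fails = defaultdict(deque)
    flagged_ips, flagged_accounts = set(), set()
    for ts, ip, user, ok in sorted(records):
        if ok:
            continue
        for key, table, threshold, out in (
            (ip, ip_fails, IP_FAIL_THRESHOLD, flagged_ips),
            (user, acct_fails, ACCOUNT_FAIL_THRESHOLD, flagged_accounts),
        ):
            q = table[key]
            q.append(ts)
            while q and ts - q[0] > WINDOW:   # drop failures that fell out of the window
                q.popleft()
            if len(q) >= threshold:
                out.add(key)
    return flagged_ips, flagged_accounts


if __name__ == "__main__":
    ips, accounts = detect(parse_log(SAMPLE_LOG))
    print("block/flag IPs:", sorted(ips))          # ['203.0.113.5']
    print("step-up accounts:", sorted(accounts))   # ['darthbob', 'jedimary']
```

The per-IP count catches the Scenario 1 attacker and nothing else; the jedimary pattern, one failure from each of six addresses, never trips it, which is exactly the case the "but they could use a BotNet" objection raises. The per-account count is what catches that pattern. Because a legitimate player on a new IP (the traveller in the earlier reply) looks the same as one attempt in a distributed run, the sensible reaction to the per-account signal is a step-up check on the account (security questions, or the key) rather than a hard block of every IP involved.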

Those claiming that they know "50% of the login" are missing SAQ's and IP verification, so really you only know 33%, 25% if they are using an authenticator

 

SW ToR does not use the IP verification.

 

I have a dynamically changing IP address so I have to verify a new IP every week when trying to log into Guild Wars 2. SW ToR never bothered to verify anything about my IP despite this fact.


Can we fix the android authenicator. The number text for mine is black. I have to use it in landscape to be able to see the numbers

 

Had the same problem. This happens when you open up the app after not having properly closed it before. When I press the 'go back' button once or twice on my HTC phone, it reverts to the normal display.

 

Hope that helps.


The display name has always been valid for login. While that is a stupid security flub on the part of EA/Bioware it isn't a new issue. Having half your login info *is* a security issue because it's that much less work for someone if they really wanted to grab your info, but those cows left the barn years ago. It would be nice if they let us change our forum name.

 

I don't think it's a major problem anyway, unless their client is like DAOC's when it first came out and it would handshake with anyone who was listening. That's an exaggeration but close enough as a representative idea. I don't know how TOR transmits login info but I assume it operates the same way most clients do regarding crypto. If someone busts that crypto then it really doesn't matter where they got your username from because you're screwed anyway.

 

If you're talking about getting phished, well... that's beyond the scope of security professionals and enters the realm of very patient support staff to help you resolve your own created issues.

 

I still wanna change my forum name though.


SW ToR does not use the IP verification.

 

I have a dynamically changing IP address so I have to verify a new IP every week when trying to log into Guild Wars 2. SW ToR never bothered to verify anything about my IP despite this fact.

 

Remove your Authenticator/Security Key and you will be asked to answer your Security Questions whenever your IP changes.

Edited by Alduinsm


Only people that post on the Forums have their Display Name visible to others currently. Even then we took that into account when designing the updated system and I wouldn't recommend trying to attack known Display Names...

 

You should log on to Steam again - they currently only use the equivalent of DisplayName, and that name is what you are known as to all your friends (and in the community section of Steam for that matter).

 

HAHAHAHAHA!!! Have you logged in to steam lately? I'm going to assume no since this is inaccurate information.

 

Yes, Steam doesn't make you log in with your email address, however they also don't use your display name either. My Steam account is one name and my display name on the forums is completely different. I suggest next time, before you spread false information, that you do research first.

 

On that note, since you want to remove Email addresses as the login ID, why aren't we able to use an actual user name instead of the display name? You do know that display names don't allow numbers which makes the available permutations for a name less than desirable, right?


I tried to strengthen my password in TOR. I tried to generate a long complex password with KeePass. Even after I do a random gen in KeePass I go in and change a few around. And TOR wouldn't accept it unless I shortened it CONSIDERABLY. Like cut it to 1/3 the length. What kind of "superior security" is that?

Edited by Jacen_Starsolo

 

The note we sent out was only changing the username aspect of authentication. All of the other pieces such as passwords and Security Keys remain in place. I hope that makes more sense...

 

 

OK, I've finished this reply up to the end of page 20. Given the sheer length of this post I'll reply again for page 21+ soon! :jawa_biggrin:

 

Phillip,

 

As a fellow Information Security professional, let me just say you've been doing yeoman's work in trying to explain what does and does not constitute security with regards to authentication. It can't be easy when something that seems intuitively obvious to most is actually incorrect.

 

Keep up the good fight. :D


HAHAHAHAHA!!! Have you logged in to steam lately? I'm going to assume no since this is inaccurate information.

 

Yes, Steam doesn't make you log in with your email address, however they also don't use your display name either. My Steam account is one name and my display name on the forums is completely different. I suggest next time, before you spread false information, that you do research first.

 

On that note, since you want to remove Email addresses as the login ID, why aren't we able to use an actual user name instead of the display name? You do know that display names don't allow numbers which makes the available permutations for a name less than desirable, right?

 

About Steam

http://www.swtor.com/community/showthread.php?p=5961316#edit5961316

I stand corrected and apologize for the assumption (yes, I made an *** of myself!). I've used the same display name since before most people had heard of Steam and have never attempted to change it. At the same time (and the reason I didn't think it was changeable), the current security of Steam means that knowledge of my username in Steam has no bearing on the actual security of my account. Many people have tried (Steam emails me) and none have succeeded. I may not work at Valve, but I have to hand it to their team that they have one of the best/secure authentication systems in the industry. Of course I'm egotistical enough to think that we have one of the best too, and our upcoming improvements (Display Name is a piece of those improvements) will only make our system stronger.

SW ToR does not use the IP verification.

 

I have dynamically changing IP address so I have to verify new IP every week when trying to log into Guild Wars 2. SW ToR never bothered to verify anything about my IP despite of this fact.

 

Unless it's changed since beta/launch and Phillip is completely wrong, the only way to not get the SAQ's when your IP changed was to have an authenticator attached to the account. I remember going through the testing for this in Beta and it was the same at launch until I put the authenticator on.

 

As others have pointed out, if you log in from a different location and/or machine, you will be prompted for a SQA if you don't have a Security Key.

There is one caveat - if you are a new 'F2P' player and have never bought anything, you currently don't have an email address and probably don't have SQA's associated with your account. You can add either at any time of course, but until you do your account will only ever be secured by a Display Name and password combination.

We may change it so that all players have at least a valid email address at some point in the future, but currently it is optional up until the point you want to buy something and therefore associate a real money transaction against your account.

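The step-up rules Phillip_BW lays out in the reply above (a Security Key is always checked; without one, an unfamiliar location or machine triggers the security questions; an F2P account with no email and no questions on file is protected by display name and password alone) read naturally as a small policy function, and writing it out makes the F2P caveat visible as a code path rather than a footnote. The block below is an added example built from that description; it is not BioWare's implementation. The `Account` fields, the `known_ips` set standing in for "a location you have logged in from before", and the return values are all assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Account:
    display_name: str                 # the identifier; assumed public, never treated as a secret
    has_security_key: bool = False    # physical key or the mobile authenticator app
    has_sqa: bool = False             # security questions and answers on file
    has_email: bool = False           # F2P accounts may have no email at all
    known_ips: set = field(default_factory=set)   # assumption: "familiar" means seen before


def login_decision(account, password_ok, source_ip):
    """Decide what happens once the password has been checked.

    Returns (allowed, step_up): step_up names the extra check the client must
    pass before a session is granted, or None if nothing more is asked.
    """
    if not password_ok:
        return (False, None)             # the password is the secret; wrong means denied
    if account.has_security_key:
        return (True, "security_key")    # always required, wherever the login comes from
    if source_ip in account.known_ips:
        return (True, None)              # familiar IP, no questions asked
    if account.has_sqa:
        return (True, "security_questions")
    return (True, None)                  # the F2P caveat: nothing is left to ask for


def missing_protections(account):
    """List what the account lacks, in the order a self-service flow would push them."""
    gaps = []
    if not account.has_email:
        gaps.append("email")
    if not account.has_sqa:
        gaps.append("security_questions")
    if not account.has_security_key:
        gaps.append("security_key")
    return gaps


def is_password_only(account):
    """True when display name plus password is enough from any IP on earth."""
    return not account.has_security_key and not account.has_sqa


if __name__ == "__main__":
    subscriber = Account("jedimary", has_sqa=True, has_email=True, known_ips={"192.0.2.9"})
    newcomer = Account("newguy")
    print(login_decision(subscriber, True, "198.51.100.7"))   # (True, 'security_questions')
    print(login_decision(newcomer, True, "198.51.100.7"))     # (True, None)
    print(missing_protections(newcomer), is_password_only(newcomer))
```

Note what the function does not do: it never consults the display name for anything but lookup, which is the identification-versus-authentication point made repeatedly in the thread. The only account the "everyone knows half my login" worry really applies to is the one where `is_password_only` returns True, and the fix for that account is adding an email address or questions, not hiding the name.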

In a lot of systems (mainly corporate and military) the username is a given piece of information that the person using it has no control over specifying. It's usually a standard format that is commonly derived from the person's actual name or an internal identifier. My BioWare login internally is no different in that respect. This is one of the contributing factors on why the username in and of itself should never be a major concern around the security of an authentication system.

 

Forget about security for a second. You are not giving us control over whether the username is hidden or visible, and lack of control is obviously what's making us "vocal." It doesn't matter whether a hidden username actually increases security or not; in our minds it does. Consider the cost of implementing a hidden username or non-login forum name solely against the benefit of shutting us the hell up and having happier customers.

 

It's what you're doing with your posting, anyway, trying to get us to be less vocal. It's not working for some of us. You're using reason and logical explanations to argue against how we feel. It's not working.


You know, I was very leery of the change given just the bit of information that came out initially.

 

After reading Phillip_BW's posts on the topic, I'm very much looking forward to these changes. Seems like a step in the right direction and Phillip_BW obviously knows his stuff.

