
Display Name Only Log In - Coming April 2, 2013


CourtneyWoods


This is just insane! Why the hell use your forum display name/ID as part of the log in has me baffled; you're handing people half of the key to get into someone's account. :confused::mad:

 

If you want to remove the use of emails I can understand that, as that in itself has a "bit" of risk depending on how often someone might hand that out, but why not do what other games have done and done so successfully in the past: a login name and pw which is separate to your forums name. This to me and I'm sure others would make much more sense than the road you're heading down now. :eek:


This is just insane! Why the hell use your forum display name/ID as part of the log in has me baffled; you're handing people half of the key to get into someone's account. :confused::mad:

 

If you want to remove the use of emails I can understand that, as that in itself has a "bit" of risk depending on how often someone might hand that out, but why not do what other games have done and done so successfully in the past: a login name and pw which is separate to your forums name. This to me and I'm sure others would make much more sense than the road you're heading down now. :eek:

 

Please go read the post by Phillip from Bioware on the previous page.. Thanks.. :)


  • Dev Post

Starting at page 21...

So basically, now every retarded kiddie will be able to block any account just entering 10+ times the wrong password to the Display Name he can get from Forums?

 

Great job BioWare!

Easy answer here: No.

Even accomplished kiddies will not be able to block any account by just entering 10+ times the wrong password. They can't do that today either. The current system requires knowing the correct password (if they can get that far) to even attempt at being able to 'block' an account.

 

Yes. And when your account is blocked due to the numerous failed hack attempts... guess what? You have to dial to the Bioware CS that already proved as a total bull..t..

Are you prepared for 5hrs of waiting on the line just to get your account reset so that you are allowed to log in?

One of the key reasons we are making this change is to enable an implementation of a variety of self-service options where you will no longer have to call CS.

 

My forum name is not my email that can be hacked and used to retrieve my password.

Not a question, but thank you for 'getting' one of the reasons we are making this change :jawa_biggrin:

 

Oh, sure, how about people who still use such antiquated technology as e-mail clients that download and then delete your e-mails from the server? So even if someone hacks your e-mail account on one of 28 days of the month when Bioware doesn't send notifications that your account was billed or something, he still won't have anything. That and is it so hard to google your very public display name and connect it to an e-mail? Also, if your e-mail gets hacked, BioWare helpfully refers to you by display name in all personal messages like Cartel Coin purchase confirmations. So, if anything, it only makes it easier to target specific players.

Yeah, pretty much that. Other games do have that, so what's the problem here?

I totally agree that if your personal email is compromised that you will be vulnerable to many issues. I don't believe you that it is easy to google a Display Name and connect it to an email address. Even then, I don't believe it's easy to find the password for that email account.

 

I'll stress again (and I know, I repeat myself a lot!) that protecting your personal email account is very important. Use a unique password, and if possible get a two-factor system such as Two-Step for GMail. I like GMail's solution. :jawa_biggrin:

 

Just curious, could this change have any impact on the game itself? For example, will my Display Name perhaps also eventually migrate into SWTOR itself? Or is this purely a change for the site?

This will affect how you authenticate within the Launcher, and the Website. Nothing else will change in regard to using Display Name only for log in purposes.

 

I haven't read the 15 pages since this was posted, so forgive me if this has already been pointed out.

 

I sincerely hope that this does not mean that I have to give BW my e-mail account password! I will *not* be doing so. It would be tragic to lose customers over something so stupid.

I really really do not want you to tell us your email account password. Please don't! :jawa_grin:

 

You might not be able to answer this question...

 

Do you guys hire former hackers to attempt to hack the site and user information to make your security better? I have heard about companies outsourcing reformed hackers to help their businesses.

I've found most 'former hackers' aren't that good at real security testing. Most might get lucky a couple of times on a well known exploit, but for testing 'all the things'? Not in my experience. There is always the exception, but thus far I haven't come across anybody who purports to be a former hacker who has been somebody I would pay money to.

The answer to 'do you use internal and/or external security penetration testers to run security tests against your site and user information to make your security better' is: yes.

 

Display name "ONLY" log in. Does this mean they are removing security keys?

No - we are not removing Security Keys.

 

 

Heh, I should have read through the rest of the posts before thinking I needed to answer lots of new questions! I'm up to page 31 now, so if there are more questions I'll post when I can, until then I leave you with a wookie wearing sunglasses!

 

:w_cool:

 


I don't understand how this helps security. No one knows what email I use to log in. Everyone knows your 'Display Name'. Granted they need to know the security questions, but knowing each person's display name is one less barrier IMO.

 

Not sure about you but the game does not show my display name because people don't all use the same name to log in such as I. So unless you made it the same then that's where your fault is.


When will we get an authentication app for (don't hate) Windows 7/8 phones? I'm not going to carry my keyfob with me everywhere just so I can login to the website, so I've yet to activate it...but I would activate if I had an app I could access from my phone.

...massive post with a crapton of answers to questions...

Wow, I am completely impressed with the level of clarity and transparency on this topic. You've really gone out of your way to answer the questions raised, and for me, at least, this has cleared up any misgivings I had about this change. (It also reminded me that it was time to change my email password ;))


I THINK THIS IS WHY THEY ARE DOING IT

 

They are trying to protect us from a Hacker tactic called Combo'ing. What Combo'ing is, is when a bunch of hackers attack a weak website that does not have good security and raid it for "Login & Password" info. Then, they take the logins & passwords and start trying to use them on other websites (Examples: Paypal, Bank websites, GAME websites, credit card websites, etc., etc., etc.) and when they find a match they get on to the account and then they screw you. This tactic works quite often because people now more than ever are forced to register to online sites in order to get access to the site and most people HATE trying to remember several logins & passwords so, they try as much as possible to recycle the same login & password if they can (I try not to reuse passwords for this reason but, people do it all the time). By changing their login requirement to a screen name it helps secure your information due to the fact most web sites want you to use your email address as your login and therefore most of the time hackers using this technique are going to try to use your email address as the login and then apply the password they found.

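How the "Combo'ing" pattern described in the post above looks from the server side, as an added example that is not part of the original thread: a small detector that separates reused-credential attempts (one source, many login names, few successes) from single-account guessing and from ordinary mistyped logins. The log format, thresholds, addresses and login names are all constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the thread):
#   "timestamp source_ip login_name result"
# Addresses come from the RFC 5737 documentation ranges; names are made up.
SAMPLE_LOG = "\n".join(
    # One source, six different names, one attempt each: reused-credential pattern.
    [f"2013-03-28T10:00:{i * 10:02d} 198.51.100.7 user{i} {'OK' if i == 3 else 'FAIL'}"
     for i in range(6)]
    # One source, one name, ten wrong passwords: single-account guessing.
    + [f"2013-03-28T10:05:{i * 5:02d} 203.0.113.9 player_one FAIL" for i in range(10)]
    # An ordinary user who mistypes once and then gets in.
    + ["2013-03-28T10:07:00 192.0.2.44 casual_fan FAIL",
       "2013-03-28T10:07:20 192.0.2.44 casual_fan OK"]
)


def parse_events(log_text):
    """Parse log lines into (timestamp, source, login_name, succeeded) tuples."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
            continue  # skip malformed lines instead of failing the whole run
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        events.append((ts, parts[1], parts[2], parts[3] == "OK"))
    return events


def classify_sources(events, window=timedelta(minutes=5), min_names=5,
                     max_success_ratio=0.2, min_fails_per_name=10):
    """Label each source as 'stuffing', 'brute_force' or 'normal'.

    stuffing:    many distinct login names inside one window, mostly failing.
    brute_force: many failures against a single login name inside one window.
    """
    by_source = defaultdict(list)
    for ev in events:
        by_source[ev[1]].append(ev)

    labels = {}
    for source, evs in by_source.items():
        evs.sort(key=lambda e: e[0])
        label = "normal"
        for i, first in enumerate(evs):
            # Every event from this source within `window` of the i-th event.
            in_window = [e for e in evs[i:] if e[0] - first[0] <= window]
            names = {e[2] for e in in_window}
            successes = sum(1 for e in in_window if e[3])
            fails_per_name = Counter(e[2] for e in in_window if not e[3])
            if (len(names) >= min_names
                    and successes / len(in_window) <= max_success_ratio):
                label = "stuffing"
                break  # strongest signal, no need to scan further windows
            if max(fails_per_name.values(), default=0) >= min_fails_per_name:
                label = "brute_force"
        labels[source] = label
    return labels


if __name__ == "__main__":
    for source, label in classify_sources(parse_events(SAMPLE_LOG)).items():
        print(source, label)
```

The success-ratio check keeps a shared address with many legitimate users (all logging in successfully) from being labelled as stuffing.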

OK, I've finished this reply up to the end of page 20. Given the sheer length of this post I'll reply again for page 21+ soon! :jawa_biggrin:

 

Okay. Well, I have to admire your patience and tenacity.

I am glad you are reconsidering using a new unique account name.

Thank you for taking time to address our concerns.

 

:cool:


Apparently people are too short sighted to see the change is actually better. Have any of you ever had your account hacked? Did the hacker guess your password or use your e-mail to get it? The latter is likely the answer.

 

Hackers aren't stupid, do you really think they grab usernames and then just guess passwords until they find one? NO. That would be stupid. Instead, they use methods like pretending to be you and WHOOPS! you forgot your password. So, they have it sent...to...your...E-MAIL BOX!!

 

A hacker would much prefer having your e-mail addy over your username. Do you really think hackers are fixated on 1 game? Do we really think they are like "Let me just hack 1 game and guess passwords until I get one"? No. MMO players tend to play multiple MMOs and thus, their e-mail is the common link to many passwords in most cases. You know, like ones beyond video games...

 

Come on guys, stop saying it's "a change just to change" when it's really "complaining just to complain". They want to make money, they don't make spiteful changes and hurt their bottom line. They would only make the change if it had a monetary benefit (like long term account security, thus long term happy unhacked customers).

 

Well done on all the responses Phillip. Excellent boldness to take on the community without fear ;)

Edited by Nomakk
errors

I see about 22 pages went poof :)

 

As far as security goes for this new system:

 

1) The weakest link in the entire chain is the question/answer segment. This is the weakest link in any password retrieval or account verification system, as this information can be rather easily gleaned using Google, Facebook, social engineering tricks, best guessing etc. A smart enough attacker can narrow this information down quite a bit by focusing on a particular target and paying attention to their average time spent in game, what days, what time of day, etc and then making a good guess at their regional location, especially if paired with the way particular people "speak" in forum posts. This kind of information is more valuable than most people consider.

 

2) Everyone should get and use a Security Key authenticator, period. I'd almost urge EA/Bioware to make them mandatory for any and all accounts. They should sell them for Cartel Coins if they have to, but more of these NEED to be applied to accounts. The physical keyfob needs to be on sale in every region this game is available, there's no excuses for it not to be (currently EU and AIPAC have issues).

 

3) One of the Bioware employees mentioned two-factor authentication systems. This type of system is no longer viable. Google, Apple, Microsoft, et al, all had their two-factor systems broken, and it went without detection for nearly a year in at least one case.

 

4) Phone/Mobile authenticators: Good idea on paper, bad idea in practice. Take a lesson from what happened to the reporter who had a 15-year-old seize control of his iPhone and the associated Apple account via social engineering. Said kid then went on to take control of his Google account as well (said kid was able to get past the two-factor Google uses...because Google sends it to the mobile phone number on the account).

 

There are more to list, but I am reserving any further comment until I see exactly how this new system pans out.


Quite simply.. either way it won't bother me.. I'll only have to type in my username once.. just like I did with my email address that has been there since 13th Dec 2011 (thank god for the "Save login/Username")

 

And I have my security key and password like usual.. so nothing for me is changing other than to type something a LOT shorter into username than my email address which is time consuming to type out


Every time I try logging into the site using display name I get a login fail error. I use my e-mail and it goes right in. So apparently it is not always as getting into the site doesn't work with display name for me.

 

It's always worked for me. I did it just now. So I really don't know what to say there. :confused: Might have something to do with how you signed up to the site originally.

 

I just want to say again that I think giving people the option to display a different name on the forums (like WoW...I can log in as any of my characters) would be a great idea. I know that Phillip said that changing your initial username could cause all sorts of problems, but letting us just display something different may not be so problematic (though may have problems of its own, I suppose).

 

Edit: OK, just finished reading that second loooooong response from Phillip.

 

Based on the feedback you will be happy to hear that we are again discussing the perceived issue. I can't promise 'soon' - heck, I can't promise 'later' just yet. It is likely based on the underlying systems that we will not change the account Display Name, but rather look at adding a new Forum Name that can be different.

 

Very nice, just hearing that is a possibility makes me happy. :)

 

Thanks again for taking the time out of your day for the very detailed responses. Hopefully it will put some of the more skeptical folks at ease. Also, it's nice to hear that more "self-help" systems are going into place as they are very much needed and will save CS people a lot of time as well. Hopefully some of these features will include restoring deleted items/characters, and self-removing of security key.

Edited by chuixupu

I'm going to apologize in advance for the upcoming security lecture!

In a lot of systems (mainly corporate and military) the username is a given piece of information that the person using it has no control over specifying. It's usually a standard format that is commonly derived from the person's actual name or an internal identifier. My BioWare login internally is no different in that respect. This is one of the contributing factors on why username in and of itself should never be a major concern around the security of an authentication system.

In the security field, when waffling on about authentication we talk of two-factor quite a bit, and it looks like that needs a bit more explanation. Two-factor (or dual-factor) is actually not 'the most secure' that we can be, as it really stands for 'two of three factors'. Those factors are:

  • Something I know (e.g. password)
  • Something I am (e.g. biometrics)
  • Something I have (e.g. security key)

I have often thought that putting all three factors in place would be awesome, but nobody liked my 'pint of blood in order to play' suggestion, so we haven't moved into biometrics as a requirement :jawa_angel:

As it is sure to come up, let us be clear that Security Questions and Answers (SQA's) are not truly two-factor. It's the first factor applied twice, so leaves us in a hybrid/grey area which counter-intuitively is actually very secure. Just not as secure as a true two-factor system.

The key implementation that we are currently missing as mandated for all players is 'Something I have'. The Security Key is available and doing well today, and while I would love to see more people using them, we are not pushing people to have a Security Key as a mandatory requirement. Truth be told we deliberately do not make a profit on the physical security key, and absorb all of the cost of the mobile security key.

Another potential 'Something I have' is something we could call an 'Email Security Code'. The key point here being it is something you have that is provided out of the same channel as the password. For example sending a code via email fulfills a time limited code that changes frequently. Very similar to a Security Key, but without the overhead of a smartphone or key-fob. Come to think of it, I have a duck around here somewhere called 'Email Security Code'...

So no, this is nothing like displaying a person's real name on the forums. Technically that would probably be easier in our system than implementing a 'forum display name', but rest assured we have learned from Blizzard's foray into that area and are not considering doing that at all.

One last thing that I should also point out, the Security Key is a time-limited code that changes frequently. If you think somebody can brute force their way through an account secured by a Security Key, then you should look into lottery tickets. It's far easier to win the jackpot in the lottery...

TL;DR: username should never be considered a security component - that's what passwords, SQA's and Security Keys (or ducks!) are for.

 

Usernames and account numbers should be kept secret in my opinion.

 

This is exactly like Blizzard's real ID thing in that it's giving out a piece of information that any Tom Joe or Harry should not have. One third of the login information.

 

Working in security, I'm sure you know that no password, no matter how complex, is 100% secure and therefore no password is 100% trustworthy. No piece of software is ever 100% secure and bug free. No piece of software is ever 100% trustworthy. That's why I combine all three: Secrecy of login information (account name/number/ID), Password and security key.

 

Actually our system doesn't really work that way. I'm not going into details, but entering in the serial and challenge/response some time later (I can't say how long) will not result in a working Security Key code.

To ward off all the questions that statement could create, yes, I have another duck called 'I lost my Security Key and don't like calling an international phone number'. It's a tricky little duck and there will be more news on that subject in the next few weeks.

Securing your home PC and personal email account isn't something we have any control over though, so 'if anyone gets that backup' who isn't supposed to be getting that backup, then you have other issues you also need to consider.

 

I'll go on to say 'please secure your personal email account' again - so many of today's authentication systems totally depend on the security of your personal email account, and that is something you can control.

This is going to be blunt but you are wrong. I'm sorry. How do I know? Last week I upgraded from my iPhone 4 to an iPhone 5. Upon restoring my backup via iTunes, I found the app was crashing. Security feature, maybe? Anyway, I grabbed the details I saved and removed and restored the app from the app store. I input the saved information and I now have a working security app for my account. Been using it ever since I got the iPhone5.

 

And no, I'm not going to phone in to the US or UK if I ever lose my key.

 

Unrelated note but both Blizzard and Sony have a way for me to remove an authenticator myself in case of upgrading the device/changing the keyfob. Any chance of that here?


 

Unrelated note but both Blizzard and Sony have a way for me to remove an authenticator myself in case of upgrading the device/changing the keyfob. Any chance of that here?

 

I'm guessing, or at least hoping that the "self-help" features that he mentioned were in the works are going to include that.


Dumb, dumb, dumb, (censored) DUMB! That's what this is, everyone sees our usernames on the forums, unless you allow us to have separate names on the forum, people will know us and will try to hack us. The email addresses are more secure cause they are HIDDEN! BioWare/EA if you do this I am pretty sure many people will ditch you and go to other MMO's cause if we don't feel secure then we won't play your games.

I can't wait to drop retail for a Private Server. Their job is to decrease security risk, not increase. First, they require you to use a certain type of password with 1 Cap and 1 number, which is already a huge security risk, most people don't use this type of password as it is, which forces most people to write it down, and of course I store it in my email, which due to SWTOR TOS (Terms of Service) if you ever read them. I created a fake email, which I normally do for anything that has a seriously messed up TOS which allows legal rights for computer confiscation, tracking, and the other usual illegal methods they make legal by forcing the acceptance of the TOS in order to play. Now they are changing the username to force the name at which is displayed to the public on a regular basis. Sure I have to mask my IP and route it through roughly 230 different IP masking servers and VPNs to hide my real IP in order to play a silly game due to their poor judgement on what they call security enhancements as it is, but now this.... Wow, I will pay $30 a month to play on a PRIVATE SERVER whenever one is available. Thank goodness SWG EMU is almost up and running. I can drop this illegal crap and not worry about my computer being hacked by a corporation. (updated to add more info) As for proof of their lack of security.... Search for a program called PeerBlock, install it, this program blocks people from connecting to you. Install the program and run it, go to SWTOR.com and login, now watch all the connections trying to hook up to you through just EA alone. I am currently getting 6 attempts per second from EA alone, they are scanning every port. I wonder why? Granted again every website and corporation does this, which is sad to say the least. At least PeerBlock will block their attempt. (in order to play the game you do need to click the "allow HTTP" if you want to leave PeerBlock running while playing.)
Also you can have fun with this, it is shocking to see, just go to google.com, yahoo.com, FBI.gov, all these every day supposed sites that are "for your convenience and benefit" and watch the connection attempts rise and try to connect to your computer..... (note: SWTOR will most likely delete this post very quickly, so if you get the chance to read it, and try it. It will be an eye opener.)
Edited by Gezebelle
adding to it

Much respect to Mr. Holmes for stepping up and answering everyone's questions. And that was a lot of questions answered. This is what we like to see! Direct responses!

 

Thank you, and I'm eager to hear all the related information that will be released soon :jawa_cool:


I can't wait to drop retail for a Private Server. Their job is to decrease security risk, not increase. First, they require you to use a certain type of password with 1 Cap and 1 number, which is already a huge security risk, most people don't use this type of password as it is, which forces most people to write it down, and of course I store it in my email, which due to SWTOR TOS (Terms of Service) if you ever read them. I created a fake email, which I normally do for anything that has a seriously messed up TOS which allows legal rights for computer confiscation, tracking, and the other usual illegal methods they make legal by forcing the acceptance of the TOS in order to play. Now they are changing the username to force the name at which is displayed to the public on a regular basis. Sure I have to mask my IP and route it through roughly 230 different IP masking servers and VPNs to hide my real IP in order to play a silly game due to their poor judgement on what they call security enhancements as it is, but now this.... Wow, I will pay $30 a month to play on a PRIVATE SERVER whenever one is available. Thank goodness SWG EMU is almost up and running. I can drop this illegal crap and not worry about my computer being hacked by a corporation. (updated to add more info) As for proof of their lack of security.... Search for a program called PeerBlock, install it, this program blocks people from connecting to you. Install the program and run it, go to SWTOR.com and login, now watch all the connections trying to hook up to you through just EA alone. I am currently getting 6 attempts per second from EA alone, they are scanning every port. I wonder why? Granted again every website and corporation does this, which is sad to say the least. At least PeerBlock will block their attempt. (in order to play the game you do need to click the "allow HTTP" if you want to leave PeerBlock running while playing.)
Also you can have fun with this, it is shocking to see, just go to google.com, yahoo.com, FBI.gov, all these every day supposed sites that are "for your convenience and benefit" and watch the connection attempts rise and try to connect to your computer..... (note: SWTOR will most likely delete this post very quickly, so if you get the chance to read it, and try it. It will be an eye opener.)

 

Here you go. http://dgc.imageg.net/graphics/product_images/pDGC1-10603935v380.jpg :)


Much respect to Mr. Holmes for stepping up and answering everyone's questions. And that was a lot of questions answered. This is what we like to see! Direct responses!

 

Thank you, and I'm eager to hear all the related information that will be released soon :jawa_cool:

 

Indeed.

 

And now when I read his comments... I can hear his UK accent in my head too. :D


If my original post is still up. Don't believe me and just install PeerBlock, actually google/yahoo PeerBlock and research it, do not take my word for it. I am just trying to help you understand that these security enhancements are not for you, they are for them, for easier access. This is just an upsetting factor to me that these corporations silently attack your computer and you never know about it... NOTE: The connection attempts ARE LEGAL because you accepted the TOS (Terms of Service). Updated: After further review, need to make a few corrections.. "allowing HTTP" will not allow game play. As you attempt to connect to server, PeerBlock will see the attempt and block it, you can go through the log and find that IP (which will be different than the other IPs from EA trying to hook up to you) and you can right click it and allow for 15 min, 1 hour or permanently allow. I recommend clicking allow for 1 hour to test and confirm that is the server IP, if not, try another IP from EA that is being blocked. They are time stamped. Second update. I have also noticed that EA attempts have stopped after they scanned a few hundred ports, unsure why, but does appear they eventually stop trying to connect. Third, these IPs after you trace them, if you are familiar with how and what to look for, you will see they are not hackers.. Think of it like the IQCarrier hidden code in Phones to track you so they can better suit advertisements to you. Granted they learn your address, email, phone number, so they can sell that info to their affiliates so you can get extra junk mail in your mail box, telemarketer calls, etc. I find this to be worse off than a hacker, but that is my opinion. So you do not need to use PeerBlock, I was just trying to make a point, that EA says one thing, but has multiple agendas, most of which are not for our benefit. Also think of the TOS as an override to the Do not Call list, again you cannot sue if you are on that list and still get calls.
Most accounts such as bank, email, really any account you have online has TOS that will naturally override privacy laws, etc. So do not think SWTOR/EA/Bioware is a bad company. It is just one of those "hey they are doing, we might as well too" type deals. Enjoy the enlightenment, and attempts at hacking me cause I know I upset a few folks. I am really just trying to help folks understand this "better security measure"
Edited by Gezebelle
updating info

I wonder if this might be a prelude to using Display Names as handles attached to character names... like STO does it. I know a lot of people have been upset over losing character names in the server merges, so this would be a way to let them have their names back (not saying this is a good thing... it just sticks out as a possibility). So instead of having a character named Mara and being the only Mara on the server, I'd be "Mara@InvinciBelle". It'd only display "Mara" in the game world, but when you click to friend or chat it'd clarify with the "@InvinciBelle" added to it. And that way there would be no more unique names and everyone who lost their original names could have them back.

 

Again, I'm not saying this is a good idea (I kinda like having a unique identity, even if it's not the one I wanted)... just that this seemed like a possible direction after I read the announcement.


If my original post is still up. Don't believe me and just install PeerBlock, actually google/yahoo PeerBlock and research it, do not take my word for it. I am just trying to help you understand that these security enhancements are not for you, they are for them, for easier access. This is just an upsetting factor to me that these corporations silently attack your computer and you never know about it... NOTE: The connection attempts ARE LEGAL because you accepted the TOS (Terms of Service). Updated: After further review, need to make a few corrections.. "allowing HTTP" will not allow game play. As you attempt to connect to server, PeerBlock will see the attempt and block it, you can go through the log and find that IP (which will be different than the other IPs from EA trying to hook up to you) and you can right click it and allow for 15 min, 1 hour or permanently allow. I recommend clicking allow for 1 hour to test and confirm that is the server IP, if not, try another IP from EA that is being blocked. They are time stamped. Second update. I have also noticed that EA attempts have stopped after they scanned a few hundred ports, unsure why, but does appear they eventually stop trying to connect. Third, these IPs after you trace them, if you are familiar with how and what to look for, you will see they are not hackers.. Think of it like the IQCarrier hidden code in Phones to track you so they can better suit advertisements to you. Granted they learn your address, email, phone number, so they can sell that info to their affiliates so you can get extra junk mail in your mail box, telemarketer calls, etc. I find this to be worse off than a hacker, but that is my opinion. So you do not need to use PeerBlock, I was just trying to make a point, that EA says one thing, but has multiple agendas, most of which are not for our benefit. Also think of the TOS as an override to the Do not Call list, again you cannot sue if you are on that list and still get calls.
Most accounts such as bank, email, really any account you have online has TOS that will naturally override privacy laws, etc. So do not think SWTOR/EA/Bioware is a bad company. It is just one of those "hey they are doing, we might as well too" type deals. Enjoy the enlightenment, and attempts at hacking me cause I know I upset a few folks. I am really just trying to help folks understand this "better security measure"

 

I think you are overdue on taking your meds.


quote "It is likely based on the underlying systems that we will not change the account Display Name, but rather look at adding a new Forum Name that can be different."

 

Now, this is just plain dumb (and useless) since you've already given world + dog half our login info by then.

 

Besides, why would I want to change my name here on the forums? It's the one people here already know me as (be it 'oh, him!' or 'oh, him again o.O'); now I want them to put them through 'oh, isn't that the poster formerly known as ...'

 

Again, I urge you to give us a totally separate and unknown (to others) login name.

