  1. #1
    Player
    TaalAzura
    Join Date
    Jul 2012
    Posts
    420
    Character
    Taal Kheru
    World
    Gilgamesh
    Main Class
    Carpenter Lv 60

    Security Tokens/Authenticators are useless; SE needs to fix this immediately.

    Link to original post: http://www.reddit.com/r/ffxiv/commen...ainst_viruses/

    Authenticators are useless against viruses due to how the launcher and login system works. Let's get this straight: Be calm, I am not trying to fear monger here. People just need to know for account security.
    I shall explain a few things first. (There is a TL;DR at the end.)

    Authenticator/One Time Password

    The idea behind that authenticator's one time password is that it generates a password that is valid for only a few minutes and can only be verified once. Thus making it unlikely for a standard keylogger virus to bypass account security.
    It creates an unrealistic scenario where a keylogger would have to perform a man in the middle attack[1]:

    - Have to capture the information (Easy)

    - Prevent that information from being sent to the server for verification to keep the one time password valid. (Difficult, not stealthy due to the end user visibly having an issue logging in on their end.)

    - Require the hacker online to be available to view that captured information and act on it immediately to prevent from losing the time window the one time password is valid. (Difficult, unrealistic since accounts do not have a viable real world monetary value.)

    While all those steps are possible it makes it difficult to pull off on a mass scale that MMO hackers prefer. However, the authenticator and one time password is only as secure as the login system that it works with.

    The Launcher

    The launcher is a fancy wrapper for an HTML web page that is used for the log in system. This site can be loaded in a regular web browser, but due to how it integrates with the application it does not work properly. The good news is that the log in portion of the application uses HTTPS to securely connect to Square Enix's account management system.
    After the login server securely validates all the information it returns a valid session ID to the launcher. This session ID is then used by the launcher to load the FFXIV Game Client.

    FFXIV Game Client

    The game client is dumb in the sense that it has to be told everything to launch properly and load the correct player's account. That is where the session ID comes into play. The launcher invokes the game client by executing ffxiv.exe with extra command line parameters. It appends DEV.TestSID=xxxx, where xxxx is the session ID, to the launch command. Here is the issue with that. That session ID is now plainly visible with any basic process inspector such as Microsoft's Process Explorer. No special memory viewers to get this information. This means it is incredibly easy for any virus that is on the computer to obtain the information. This also means it is possible to bypass the launcher to load the game client by just repeating the same command at the command line.

    The Session ID

    A session ID is a uniquely generated key that is only valid for a limited time window. The problem is that the session ID is valid for numerous days. I have yet to hit a limit after a few days of trying this. It has to stay valid while logged into the game, but it does not get invalidated after being logged out for a while. It also does not get invalidated by logging in and generating a brand new session ID that is different than the old one. It is also not restricted by IP address and will not require a new one time password to reuse.
    Basically, FFXIV login session IDs are not expiring at the end of the session and are not limited in any way.

    What does this all mean?

    I was able to give only an old, supposed to be expired, session ID to a friend and they were able to log into my account and characters from an entirely different location in the world. I did not provide an account name, password, or one time password. I was also able to log into my account while my friend was logged into it at the same time with a different session ID. The only issue was that I was not able to log into any worlds because "You are already logged into the game" error 3102. This means viruses only need to grab a valid session ID of an account to log in. The hackers would be able to bypass the one time password and also effectively lock that player out from logging into a world. If the computer gets infected with a virus targeted at stealing FFXIV accounts then it is too late. No amount of changing passwords or generating new one time passwords will help.

    "What can I do to keep myself protected?"

    What you are already hopefully doing. Have good virus protection, do not download stuff that you are unsure of, and do not visit shady web sites.
    Please see Eanae's post[2] for additional security practices.

    TL;DR

    The authenticator/one time password is useless against viruses and web browser vulnerabilities since session IDs are visible in plain text to any competent programmer and appear to never expire. It is only useful against scam emails that direct people to spoofed SE web pages where people dumbly type in account information.

    [1] http://en.wikipedia.org/wiki/Man-in-the-middle_attack
    [2] http://www.reddit.com/r/ffxiv/commen...cked_accounts/
    (92)
    Last edited by TaalAzura; 10-08-2013 at 12:23 AM.
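
The session properties the post above reports as missing (expiry, invalidation on a new login, no replay of the value handed to the game client), as an added Python example; it is not from the original post or from Square Enix. `SessionStore`, the TTL values and the single-use launch-ticket scheme are assumptions made for illustration.

```python
import hashlib
import secrets

TICKET_TTL = 60      # seconds a launch ticket stays redeemable (assumed value)
IDLE_TTL = 15 * 60   # seconds of inactivity before a session dies (assumed value)

class SessionStore:
    """Hypothetical server-side store (assumed design); keeps only token hashes."""

    def __init__(self):
        self.tickets = {}    # sha256(ticket)  -> (account, expires_at)
        self.sessions = {}   # sha256(session) -> [account, last_seen]

    @staticmethod
    def _h(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, account, now):
        """After password + OTP succeed: revoke older state, issue a launch ticket."""
        self.tickets = {k: v for k, v in self.tickets.items() if v[0] != account}
        self.sessions = {k: v for k, v in self.sessions.items() if v[0] != account}
        ticket = secrets.token_urlsafe(32)
        self.tickets[self._h(ticket)] = (account, now + TICKET_TTL)
        return ticket

    def redeem(self, ticket, now):
        """Swap a launch ticket for a session exactly once; a replay gets None."""
        entry = self.tickets.pop(self._h(ticket), None)
        if entry is None or now > entry[1]:
            return None
        session = secrets.token_urlsafe(32)
        self.sessions[self._h(session)] = [entry[0], now]
        return session

    def validate(self, session, now):
        """Return the account for a live session, None if expired or revoked."""
        key = self._h(session)
        entry = self.sessions.get(key)
        if entry is None:
            return None
        if now - entry[1] > IDLE_TTL:
            del self.sessions[key]
            return None
        entry[1] = now   # sliding idle window
        return entry[0]

    def logout(self, session):
        self.sessions.pop(self._h(session), None)
```

With this lifecycle, a value copied from the process command line is already spent once the client has redeemed it, and a fresh login cuts off any session issued earlier.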

  2. #2
    Player
    Molly_Millions
    Join Date
    Mar 2011
    Location
    Uldah
    Posts
    4,086
    Character
    Molly Millions
    World
    Balmung
    Main Class
    Marauder Lv 50
    Holy crappy formatting Batman!
    (0)

  3. #3
    Player
    TaalAzura
    Join Date
    Jul 2012
    Posts
    420
    Character
    Taal Kheru
    World
    Gilgamesh
    Main Class
    Carpenter Lv 60
    Quote: Originally Posted by Molly_Millions
    Holy crappy formatting Batman!
    was in the middle of fixing it for this forum
    (2)

  4. #4
    Player
    Livilda
    Join Date
    Aug 2013
    Location
    The Last Dregs
    Posts
    302
    Character
    Valerie Vesper
    World
    Balmung
    Main Class
    Red Mage Lv 90
    Twelvedamn. I can't really think of any other game with such a huge security hole. I'll have to try playing around with this myself when I get home.
    (6)

  5. #5
    Player
    Eekiki
    Join Date
    Mar 2011
    Posts
    3,214
    Character
    Kickle Cubicle
    World
    Balmung
    Main Class
    Rogue Lv 90
    Can someone post a translation of this on the JP forums? We've already determined that the devs don't read our stuff unless we bring it to the attention of the JP community, and this is pretty important if true.
    (28)

  6. #6
    Player
    LlenCoram
    Join Date
    Mar 2011
    Location
    Limsa Lominsa
    Posts
    1,593
    Character
    Llen Coram
    World
    Sargatanas
    Main Class
    Fisher Lv 80
    Wow, this is really good to know. Thanks for writing it up.
    (6)

  7. #7
    Player
    silverhope
    Join Date
    Feb 2013
    Posts
    460
    Character
    Meg Xori
    World
    Cactuar
    Main Class
    Astrologian Lv 80
    >.< man this sucks.. they need to fix this NOW!!
    (6)

  8. #8
    Player
    Quesse
    Join Date
    Mar 2011
    Location
    Gridania
    Posts
    1,176
    Character
    Quesse Mithril
    World
    Sargatanas
    Main Class
    Miner Lv 70
    You should really change the title to

    "Security Tokens/Authenticators are useless if someone has FULL access to your computer"

    I'm not saying it shouldn't be fixed but security tokens ARE useful -- to those of us who don't have hacked computers (duh!)
    (11)

  9. #9
    Player
    Orophin
    Join Date
    Mar 2011
    Location
    Limsa Lominsa
    Posts
    3,446
    Character
    Orophin Calmcacil
    World
    Excalibur
    Main Class
    Gladiator Lv 50
    While it sounds like SE could take better steps to improve their own security, they can't be held accountable for people's poor browsing habits if they end up getting a virus from somewhere.
    (5)

  10. #10
    Player
    Feifonwong
    Join Date
    Sep 2013
    Posts
    19
    Character
    Wulong Pie
    World
    Hades
    Main Class
    Pugilist Lv 44
    Quote: Originally Posted by Quesse
    You should really change the title to

    "Security Tokens/Authenticators are useless if someone has FULL access to your computer"

    I'm not saying it shouldn't be fixed but security tokens ARE useful -- to those of us who don't have hacked computers (duh!)
    The title is fine. Some folks need the bejesus scared out of them, SE included...
    (11)
