USB Security Token

I've had my security token for a while and I'm worried about the bettery running out. All FFXI platforms have USB support. Shouldn't be hard to make something you can plug in that would comunicate directly without the need for a battery or typing in anything manualy. Just set it up to interface as a USB keyboard, then have a button on it that would register the 6 digit 1 time password as key presses. Basicly you put the cursor where you want it to type in the 1 time password (weather it's in the POL application or web browser) and press the button. The token would read the system time, generate the 1 time password and type it in for you. No need to change any of the current software for this to work, just make the new usb tokens.

Not too sure about this, but I think USB drives can be attacked by viruses. (like a keylogger) While it sucks that the token is on a one time battery life span, at least its not susceptible to being attacked as a device. ie: can't be connected to the machine to stay safe. I can see why they wouldn't want to go that route.

You people make the assumption that people are going to simply leave their token connected all the time. I keep my token on my key chain. And how would this help with the battery life? Why are you worried about the token's battery NOW? What makes you think the battery is getting weak? Have the numbers become very faint to read? These things should last a good five to ten years.

This device is immune to key loggers. The purpose of a security token is to generate a unique number that can only be used once. The generated number has a lifespan of maybe 20 to 30 minutes. And if you want a new code, wait ten seconds and press the button again. The new code when entered will automatically prevent the any prior code from working.

As for being a USB device being prone to viruses, well have you ever heard of a keyboard or mouse being "infected" by a key logger?

When the tokens run down we will probably just have to unlink them, I have zero faith they will make linking a fresh security keychain thing in any way easy at all.

The security token is something like a coded watch. It ticks every so often (like a watch) and gives you a number. That means it's constantly running and will run out of battery similar to a watch. The battery for these are usually large and can last for a few years unless you constantly press the button to make it shows the numbers. However, the quality of the battery leaves a bit to wonder as it's made in china and I don't have many good experience with china made electronics. On the other hand, I have opened a similar token before and it's possible to replace the battery. You might have to reset it and sync it again with SE (like syncing a watch with your current time).

While the token is fairly secure, it's not going to miraculously preventing you from getting hacked. I'll give you an example. Suppose you have a keylogger on your PC that can interfere with POL. You log on, type in your 6-digits and the keylogger steals the digits while crashing your POL. So you can't put in new digits to prevent a log on until you can get rid of the keylogger. On the other side of the world, the criminal now has a fresh 6-digit code every time you attempt to log in. Thus he can log in and steal all your stuff. The whole process of stealing all your valuables take about 10-15 on your main if he just throw away the rare/ex and load your character with valuables and teleport it.

A clear head will go much further in protecting yourself in the hostile internet.

Quote:

---

Originally Posted by Inafking

Shouldn't be hard to make something you can plug in that would comunicate directly

---

Thereby negating its entire purpose.

If your system can communicate with it, malware can communicate with it.

Quote:

---

Originally Posted by Ziyyigo-Tipyigo

Thereby negating its entire purpose.

If your system can communicate with it, malware can communicate with it.

---

If someone really wants to hack your account they'd have it setup so that when PoL attempts to send out your Account info (Token Code, Username, SE name, Passwords) it rejects the connection similar to a firewall blocking access, it then sends the information to the hacker so they can log on before the token key resets and change your password.

False sense of security is what the token really is besides extra in game inventory.

The token was a legal way for SE to charge for inventory space while making people scared of hackers feel safer when they really aren't.

SE doesn't make the tokens, they buy them from another company that produces the exact same token for plenty of other online games. Unfortunately, planned obsolescence is a way of life for most tech products, so it's unlikely they'll be adding a recharging station feature for any of these tokens.

If I'm not mistaken, I believe SE just buys you another one if you run the battery out though. Is that incorrect?

Quote:

---

Originally Posted by Greatguardian

If I'm not mistaken, I believe SE just buys you another one if you run the battery out though. Is that incorrect?

---

Unless they changed it you have to buy another one yourself or cancel the feature. I haven't kept up with the procedures with the token as I just used it for the inventory space, so that might have changed.

Quote:

---

Originally Posted by Laraul

You people make the assumption that people are going to simply leave their token connected all the time. I keep my token on my key chain. And how would this help with the battery life? Why are you worried about the token's battery NOW? What makes you think the battery is getting weak? Have the numbers become very faint to read? These things should last a good five to ten years.

This device is immune to key loggers. The purpose of a security token is to generate a unique number that can only be used once. The generated number has a lifespan of maybe 20 to 30 minutes. And if you want a new code, wait ten seconds and press the button again. The new code when entered will automatically prevent the any prior code from working.

As for being a USB device being prone to viruses, well have you ever heard of a keyboard or mouse being "infected" by a key logger?

---

And I keep mine near my comp and don't carry it around. Point? If a virus is made particularity for it, all the person who made it has to do is program it to go after drives, keystroke, dl malware,ect. it isn't impossible. and as soon as its recognized as being plugged it its too late. Doesn't matter if its 1 second or 30. Tokens are effective because they arn't "apart" of your computer. If its connected you may as well not have a security device at all.

I'm fine with the token being the way it is. even with having to replace one after a few years. It is much safer being a "token" then a usb device. I'd think the only realistic concern is waiting for the new token to get here while your battery is dying. i'd imagine you'd have to still use the old one to sign in to even unlink said dying token so you'd have to do it before it did kick the bucket. Then wait weeks/months in some cases for your newly ordered token to arrive.

Quote:

---

Originally Posted by Misi

And I keep mine near my comp and don't carry it around. Point? If a virus is made particularity for it, all the person who made it has to do is program it to go after drives, keystroke, dl malware,ect. it isn't impossible. and as soon as its recognized as being plugged it its too late. Doesn't matter if its 1 second or 30. Tokens are effective because they arn't "apart" of your computer. If its connected you may as well not have a security device at all.

I'm fine with the token being the way it is. even with having to replace one after a few years. It is much safer being a "token" then a usb device. I'd think the only realistic concern is waiting for the new token to get here while your battery is dying. i'd imagine you'd have to still use the old one to sign in to even unlink said dying token so you'd have to do it before it did kick the bucket. Then wait weeks/months in some cases for your newly ordered token to arrive.

---

Thing is they aren't any safer unplugged from the computer than they would be plugged in.

Do yourself a favor and research what a hacker is capable of doing once they have a program on your computer, it will do much more than the security token ever will for you. Everyone who honestly thinks their account is safer with a token should do this not just you specifically.

Quote:

---

Originally Posted by Zagen

Thing is they aren't any safer unplugged from the computer than they would be plugged in.

Do yourself a favor and research what a hacker is capable of doing once they have a program on your computer, it will do much more than the security token ever will for you. Everyone who honestly thinks their account is safer with a token should do this not just you specifically.

---

Not denying that, I agree. Tokens are not infallible like people tend to believe.

Quote:

---

Originally Posted by Zagen

If someone really wants to hack your account

---

Yeah yeah, they can come over to your house and beat your password out of you with a lead pipe. That's no excuse to be low-hanging fruit.

Quote:

---

Originally Posted by Zagen

The token was a legal way for SE to charge for inventory space while making people scared of hackers feel safer when they really aren't.

---

The token is a way to reduce the volume of headache-inducing "my password was 12345 and my account was hacked!" support calls. Even telephone operators in India cost money.

Quote:

---

Originally Posted by Zagen

Do yourself a favor and research what a hacker is capable

---

If the NSA really wants your gil, they will get it. That doesn't mean they'll bother.

It's called "risk analsys." Simply because someone can do something to compromise you doesn't mean they will, especially if the cost and effort to do so outweighs the potential reward. If a hacker can compromise 50% of your user accounts with 5 mintues' work, but it will take 5 hours to get the other 50%, why would he? That's 5 hours he could have spent selling the gil he already has.

You don't have to outrun the bear, just outrun the guy next to you.

Hey guys, here's a simple solution. Make an app for smart phones that allow you to do this. Guess what, WoW already has one for iPhones.

There are also third party programs out there that do this already. I've seen two programs so far that can successfully generate the "secure" code for the security tokens. It uses the same code on the back of your token that SE has you use when you register it. They're safe too, because it's all programmed in already and doesn't require Internet access to use. I have one of these programs on a laptop that has Internet turned off and it generates the code flawlessly. And since FFXI isn't even on the laptop there's no need to worry about security.

SE will never do this though. The reason being, if there's money to be made, (insert derogatory phrase here).

I hate WoW, but the fact that their security token is free on iPhone, and you can do a lot more with their game on smart phones (in general, such as crafting), I'm getting really tempted to switch.

You have to call them up to unlink a dead security token, kind of sucks since it long distance and they don't got a 1800 number.

Quote:

---

Originally Posted by Zagen

If someone really wants to hack your account they'd have it setup so that when PoL attempts to send out your Account info (Token Code, Username, SE name, Passwords) it rejects the connection similar to a firewall blocking access, it then sends the information to the hacker so they can log on before the token key resets and change your password.

---

Actually if someone wanted your account they would break into your house steal the computer and your security token (if you leave it next to the computer). Of course, if someone you did not know broke into your house, your FFXI account would probably be last thing on your mind.

You are much more likely to lose your account to someone you know and see everyday in the real world. You let them in and talk for a bit... the next day your token is missing. Worse yet, your computer login info has changed. Fortunately most people aren't this way. They know that doing that would be wrong.

Look, if you are concerned that your security token is failing, then head to https://secure.square-enix.com/account/app/svc/otpCan. Login, choose "One time password" on the left side of the page. Click Next, and you'll see "security token removal." Follow the instructions and you won't ever need to use the security token again. In fact you can't you'll have to purchase a new one.

Quote:

---

Originally Posted by Wolfe

Hey guys, here's a simple solution. Make an app for smart phones that allow you to do this. Guess what, WoW already has one for iPhones.

---

Yes... there is. Have you used it? Works but if you delete it before you unlink the Unique ID you will have to call to remove it from your account. It's also much more restrictive as rather than generating a one time password, it generates a password every 60 seconds. You have to enter you email, password, and then a 8 digit code before it expires.

They do sell a token also. It used to be a little more expensive than SE's. In anycase, SE is NOT making money off the sale of security tokens.

Oh and the irony of all this is that why do people worry that a security token with no RAM, OS, or processor is susceptible to malicious code and a powerful smartphone that backs up your installed software. Which doesn't even need USB now. It all wireless.

What I am saying is, both are safe (assuming that you haven't jail broken the phone or anything). Both provide a huge boost in securing your account. They both have their pros and cons.

The notion that the security token is just a money-grabbing venture by is nonsense.

The whole reason the token is effective is because it's not connected to anything, thus isn't vulnerable to hacking or anything.
$10 every several years is a trivial expense.

The point of it interfacing as a keyboard would be to keep it from being attacked by malicious software. As long as you can't send code to it, it can't be infected. Also, if you don't know that batteries die, and that they're an important part of what the security token does then I'm not sure how to explain this all to you anyway.

What in my post suggests that I'm not aware that batteries die?

"$10 every several years is a trivial expense"

You wouldn't need to send code to a USB device. Keylogger-like programs could read what the device is sending to the computer and send that to someone who could then log on to your account before you do.

Keylogers can already read the one time password you input. This is no different. You have no understanding of the technical details involved, please stop posting.

the $9.99 every few years is trivial, I totally agree with that statement, so you spend what? an extra $9.99 every 5 or so years, big deal

as far as I know the USB security tokens out there today, most of them are not flashable, but I could be wrong on that part, it would be pretty stupid to make them flashable really

as for vulnerability, they would need to figure out the algorithm of your token, and the exact time code its on, yeah they could get the one time password you just typed in, but the chance they will use it in the 30 second time alloted? not likely

second, the point of the token is simple, hackers go after the easiest target(I.E. the person without the token will get hit first)

so yeah while they might try to get your account, most will realize you have the token and find another target to hack, cause to them time is money, and they want to do the most damage in the shortest amount of time, so the likelyhood they will go after you if you have the token isn't very high

Quote:

---

Originally Posted by Inafking

Keylogers can already read the one time password you input. This is no different. You have no understanding of the technical details involved, please stop posting.

---

I will not stop posting. I have a computer science B.A. and I do understand the technical details involved. And, on top of that, your password IS different case, because you don't have to use your keyboard to type in your password, whereas your USB key could be compromised without you even having to input anything. There are multiple alternate methods of doing so which are less risky. The input risk with your one time password is no better or worse than with the USB device. The USB device would probably also be more expensive, and, in fact, already exists in the form of the encryption key you can save to a USB stick (Unfortunately, it only covers your POL password and not the SQEX password since it cannot be saved) which prevents local unauthorized access if you take that stick with you when you're out and about.

And really, what are we fighting over, anyway? The only advantage to come from some other form of security device is not depending on an unreplaceable battery on a cheap device that (should) last years to save ourselves another $10 down the road. It's really not a big deal and since the USB idea does not reduce risk any more than the token, there is not much point.

The security token succeeds in what it is trying to do, make it more difficult for your account to be accessed without authorization. It's not 100% foolproof, no security measure is, but it does make you a far less likely target simply due to the idea of the path of least resistance.

A USB security dongle could be nearly 100% secure if they used real time network encryption.

All network traffic between SE's servers and FFXI's client would be routed through the dongle, which would encrypt it. Each dongle would have a unique key and use AES encryption. Nobody would be breaking it anytime soon and even if they did it would only break that individual dongle not all of them. (this would be possible, but would take a decades long brute force attack to break per dongle, so AES is effectively unbreakable)

No dongle, no connection. The only possible way to get at your account would be to hijack your computer and redirect network traffic from a remote computer through the dongle attached to your PC's USB port. And the only thing you'd need to do to put a stop to that would be to yank out the dongle.

So you would have near 100% invulnerability to hacking, the only possible way you could be hacked if you left your dongle in your PC and someone hijacked it while you were away.


If you didn't want the inconvenience of having to insert and remove the dongle you could just put a mechanical switch on it that turns it on and off (you don't want this controlled though software, only a mechanical switch is secure)

Quote:

---

Originally Posted by wildsprite

as for vulnerability, they would need to figure out the algorithm of your token,

---

The algorithm is already known, it uses either DES 3DES or AES depending on the customer's (Square Enix in this case) preference, though idk why you would use anything other than AES. Good encryption doesn't rely on keeping the algorithm secret to ensure security, it relies on being mathematically difficult to break. Also unlike something like a Blu-ray disk (which has encrypted data that has to work with multiple devices and therefor has to use a single common key) they can use a unique key for each token so even if someone were to mount a brute force attack on one they would only get the key for that individual token, and this would take years to decades anyway.

Quote:

---

Originally Posted by Oddwaffle

On the other hand, I have opened a similar token before and it's possible to replace the battery. You might have to reset it and sync it again with SE (like syncing a watch with your current time).

---

Square Enix and Blizzard use VASCO Digipass GO 6 tokens. It is not possible to replace the battery in these, it will suicide if you tamper with it. Also the key is kept in volatile RAM and when the battery runs down to a certain % it is lost (I'm not sure if it just runs down and is lost or if the token suicides itself when it determines the battery has lost too much power for it to run reliably anymore, probably the latter)

It is in theory possible to extract the key from one of these tokens but it requires equipment and facilities only available to large corporations and governments, and because each token has a unique key you would be spending millions to break one person's account and one person's only. So it's completely not worth it. They have designed these things to be very physically tamper resistant.

Adding the usb plugin to your key would make it a 20$ key. So whats better, 10$ for 10 years, or 20$ forever?

This is the most ridiculous thing to argue over I've seen on these forums yet. If you honestly can't afford a 10$ passkey why are you playing ffxi?

If anything in 8-9 years SE might offer everyone a free replacement as people's start crashing.

Quote:

---

Originally Posted by Urat

Adding the usb plugin to your key would make it a 20$ key. So whats better, 10$ for 10 years, or 20$ forever?

This is the most ridiculous thing to argue over I've seen on these forums yet. If you honestly can't afford a 10$ passkey why are you playing ffxi?

If anything in 8-9 years SE might offer everyone a free replacement as people's start crashing.

---

I doubt FFXI will be running in 10 years. Its possible. I wouldnt bet on it running in 20 years or longer though.

Mathematical-algorithm-based one-time passwords
Another type of one-time password uses a complex mathematical algorithm, such as a hash chain, to generate a series of one-time passwords from a secret shared key. Each password is unguessable, even when previous passwords are known. The open source OATH algorithm is standardized; other algorithms are covered by U.S. patents. Each new password is unique, so an unauthorized user would be unable to guess what the new password may be, based on previously used passwords.


It cant be broken. This came straight from Wikipedia

Quote:

---

Originally Posted by Mordanthos

Mathematical-algorithm-based one-time passwords
Another type of one-time password uses a complex mathematical algorithm, such as a hash chain, to generate a series of one-time passwords from a secret shared key. Each password is unguessable, even when previous passwords are known. The open source OATH algorithm is standardized; other algorithms are covered by U.S. patents. Each new password is unique, so an unauthorized user would be unable to guess what the new password may be, based on previously used passwords.


It cant be broken. This came straight from Wikipedia

---

The Blizzard Authenticator was cracked.

I personally think this is a decent, interesting idea.