  1. #21
    Player Alhanelem's Avatar
    Join Date
    Mar 2011
    Location
    Bastok
    Posts
    11,124
    What in my post suggests that I'm not aware that batteries die?

    "$10 every several years is a trivial expense"

    You wouldn't need to send code to a USB device. Keylogger-like programs could read what the device is sending to the computer and send that to someone who could then log on to your account before you do.
    (0)

  2. #22
    Player Inafking's Avatar
    Join Date
    Jul 2011
    Location
    Windurst
    Posts
    298
    Character
    Kingofswords
    World
    Asura
    Main Class
    BLU Lv 99
    Keyloggers can already read the one time password you input. This is no different. You have no understanding of the technical details involved, please stop posting.
    (0)
    The Original Blue Mage

  3. #23
    Player wildsprite's Avatar
    Join Date
    Mar 2011
    Location
    Heavens Tower, Basement, Windurst
    Posts
    520
    Character
    Kitanashia
    World
    Cerberus
    Main Class
    SMN Lv 99
    the $9.99 every few years is trivial, I totally agree with that statement, so you spend what? an extra $9.99 every 5 or so years, big deal

    as far as I know the USB security tokens out there today, most of them are not flashable, but I could be wrong on that part, it would be pretty stupid to make them flashable really

    as for vulnerability, they would need to figure out the algorithm of your token, and the exact time code it's on, yeah they could get the one time password you just typed in, but the chance they will use it in the 30 second time allotted? not likely

    second, the point of the token is simple, hackers go after the easiest target (i.e. the person without the token will get hit first)

    so yeah while they might try to get your account, most will realize you have the token and find another target to hack, cause to them time is money, and they want to do the most damage in the shortest amount of time, so the likelihood they will go after you if you have the token isn't very high
    (0)
    Try to have fun or it isn't worth playing

  4. #24
    Player Alhanelem's Avatar
    Join Date
    Mar 2011
    Location
    Bastok
    Posts
    11,124
    Quote Originally Posted by Inafking View Post
    Keyloggers can already read the one time password you input. This is no different. You have no understanding of the technical details involved, please stop posting.
    I will not stop posting. I have a computer science B.A. and I do understand the technical details involved. And, on top of that, your password IS a different case, because you don't have to use your keyboard to type in your password, whereas your USB key could be compromised without you even having to input anything. There are multiple alternate methods of doing so which are less risky. The input risk with your one time password is no better or worse than with the USB device. The USB device would probably also be more expensive, and, in fact, already exists in the form of the encryption key you can save to a USB stick (Unfortunately, it only covers your POL password and not the SQEX password since it cannot be saved) which prevents local unauthorized access if you take that stick with you when you're out and about.

    And really, what are we fighting over, anyway? The only advantage to come from some other form of security device is not depending on an unreplaceable battery on a cheap device that (should) last years to save ourselves another $10 down the road. It's really not a big deal and since the USB idea does not reduce risk any more than the token, there is not much point.

    The security token succeeds in what it is trying to do, make it more difficult for your account to be accessed without authorization. It's not 100% foolproof, no security measure is, but it does make you a far less likely target simply due to the idea of the path of least resistance.
    (0)
    Last edited by Alhanelem; 07-11-2011 at 10:52 AM.

  5. #25
    Player Atomic_Skull's Avatar
    Join Date
    Mar 2011
    Posts
    1,248
    Character
    Bjorne
    World
    Fenrir
    Main Class
    MNK Lv 5
    A USB security dongle could be nearly 100% secure if they used real time network encryption.

    All network traffic between SE's servers and FFXI's client would be routed through the dongle, which would encrypt it. Each dongle would have a unique key and use AES encryption. Nobody would be breaking it anytime soon and even if they did it would only break that individual dongle not all of them. (this would be possible, but would take a decades long brute force attack to break per dongle, so AES is effectively unbreakable)

    No dongle, no connection. The only possible way to get at your account would be to hijack your computer and redirect network traffic from a remote computer through the dongle attached to your PC's USB port. And the only thing you'd need to do to put a stop to that would be to yank out the dongle.

    So you would have near 100% invulnerability to hacking, the only possible way you could be hacked is if you left your dongle in your PC and someone hijacked it while you were away.


    If you didn't want the inconvenience of having to insert and remove the dongle you could just put a mechanical switch on it that turns it on and off (you don't want this controlled through software, only a mechanical switch is secure)
    (0)
    Last edited by Atomic_Skull; 07-11-2011 at 11:12 AM.

  6. #26
    Player Atomic_Skull's Avatar
    Join Date
    Mar 2011
    Posts
    1,248
    Character
    Bjorne
    World
    Fenrir
    Main Class
    MNK Lv 5
    Quote Originally Posted by wildsprite View Post

    as for vulnerability, they would need to figure out the algorithm of your token,
    The algorithm is already known, it uses either DES, 3DES or AES depending on the customer's (Square Enix in this case) preference, though idk why you would use anything other than AES. Good encryption doesn't rely on keeping the algorithm secret to ensure security, it relies on being mathematically difficult to break. Also unlike something like a Blu-ray disc (which has encrypted data that has to work with multiple devices and therefore has to use a single common key) they can use a unique key for each token so even if someone were to mount a brute force attack on one they would only get the key for that individual token, and this would take years to decades anyway.
    (0)

  7. #27
    Player Atomic_Skull's Avatar
    Join Date
    Mar 2011
    Posts
    1,248
    Character
    Bjorne
    World
    Fenrir
    Main Class
    MNK Lv 5
    Quote Originally Posted by Oddwaffle View Post
    On the other hand, I have opened a similar token before and it's possible to replace the battery. You might have to reset it and sync it again with SE (like syncing a watch with your current time).
    Square Enix and Blizzard use VASCO Digipass GO 6 tokens. It is not possible to replace the battery in these, it will suicide if you tamper with it. Also the key is kept in volatile RAM and when the battery runs down to a certain % it is lost (I'm not sure if it just runs down and is lost or if the token suicides itself when it determines the battery has lost too much power for it to run reliably anymore, probably the latter)

    It is in theory possible to extract the key from one of these tokens but it requires equipment and facilities only available to large corporations and governments, and because each token has a unique key you would be spending millions to break one person's account and one person's only. So it's completely not worth it. They have designed these things to be very physically tamper resistant.
    (0)

  8. #28
    Player Urat's Avatar
    Join Date
    May 2011
    Location
    San d'Oria
    Posts
    171
    Character
    Urat
    World
    Quetzalcoatl
    Main Class
    DNC Lv 99
    Adding the USB plugin to your key would make it a 20$ key. So what's better, 10$ for 10 years, or 20$ forever?

    This is the most ridiculous thing to argue over I've seen on these forums yet. If you honestly can't afford a 10$ passkey why are you playing ffxi?

    If anything in 8-9 years SE might offer everyone a free replacement as people's start crashing.
    (0)

  9. #29
    Player Xellith's Avatar
    Join Date
    Apr 2011
    Posts
    245
    Character
    Xellith
    World
    Shiva
    Main Class
    SMN Lv 95
    Quote Originally Posted by Urat View Post
    Adding the USB plugin to your key would make it a 20$ key. So what's better, 10$ for 10 years, or 20$ forever?

    This is the most ridiculous thing to argue over I've seen on these forums yet. If you honestly can't afford a 10$ passkey why are you playing ffxi?

    If anything in 8-9 years SE might offer everyone a free replacement as people's start crashing.
    I doubt FFXI will be running in 10 years. It's possible. I wouldn't bet on it running in 20 years or longer though.
    (0)

  10. #30
    Player Mordanthos's Avatar
    Join Date
    Mar 2011
    Location
    Bastok
    Posts
    144
    Character
    Mordanthos
    World
    Phoenix
    Main Class
    WAR Lv 90
    Mathematical-algorithm-based one-time passwords
    Another type of one-time password uses a complex mathematical algorithm, such as a hash chain, to generate a series of one-time passwords from a secret shared key. Each password is unguessable, even when previous passwords are known. The open source OATH algorithm is standardized; other algorithms are covered by U.S. patents. Each new password is unique, so an unauthorized user would be unable to guess what the new password may be, based on previously used passwords.


    It can't be broken. This came straight from Wikipedia
    (0)
