Page 2 of 14
Results 11 to 20 of 132
  1. #11
    Player
    Seig345's Avatar
    Join Date
    Jan 2012
    Location
    Gridania
    Posts
    995
    Character
    Seigyoku Cypher
    World
    Sargatanas
    Main Class
    White Mage Lv 66
    If the launcher securely connects to their account system, is it possible then that if they look at the logs, they can tell if the launcher was bypassed for such and such number of logins? I'm not saying it's a preventative measure, but they'd at least be able to tell if someone bypassed your login info (IF it does keep track).

    I get the feeling it doesn't, but it seems simple enough that it should, and on top of that, be able to detect when the launcher is bypassed and halt the login process.
    (1)
    Last edited by Seig345; 10-08-2013 at 01:00 AM.
    "Ul'dah can keep their dusty markets, and their streets paved in silver and gold.
    Limsa Lominsa keep your pirates, and your ships covered in musty mold.
    My loyalty lies with Gridania, with the Moogles and the tree spirits of old." -The Forky Conjurer

  2. #12
    Player davidbowie's Avatar
    Join Date
    Aug 2013
    Location
    Gridania
    Posts
    109
    Character
    Zealous Jackal
    World
    Diabolos
    Main Class
    Pugilist Lv 32
    Nobody but me has full access to my PC and I have had a security key to every game I own and never been hacked anyone at any time.

    To the lil upset whatever I did read post and I agree sq-e should look into this but if you can't accept some people take extra precautions to protect their own systems when others don't, too bad for you.

    I am also not going to run around screaming the sky is falling; if I did that I would still be running Linux.
    (1)
    Last edited by davidbowie; 10-08-2013 at 01:05 AM.

  3. #13
    Player
    TaalAzura's Avatar
    Join Date
    Jul 2012
    Posts
    420
    Character
    Taal Kheru
    World
    Gilgamesh
    Main Class
    Carpenter Lv 60
    Quote Originally Posted by davidbowie View Post
    Nobody but me has full access to my PC and I have had a security key to every game I own and never been hacked anyone at any time.
    I can tell you didn't even read the post.
    (19)

  4. #14
    Player Eekiki's Avatar
    Join Date
    Mar 2011
    Posts
    3,214
    Character
    Kickle Cubicle
    World
    Balmung
    Main Class
    Rogue Lv 90
    Quote Originally Posted by Orophin View Post
    While it sounds like SE could take better steps to improve their own security, they can't be held accountable for people's poor browsing habits if they end up getting a virus from somewhere.
    The fix is simple. All SE needs to do is encrypt the session data. And don't give us the "memory limitations" or "server resources" excuse. Encrypting the session data generates a negligible amount of overhead.

    Am I the only one who thinks that some of the companies SE outsourced their programming to are in cahoots with RMT sites? There seem to be a TON of obvious backdoors. It's very strange that the RMTs were able to almost immediately take over the economy.
    (20)

  5. #15
    Player
    AlexiaKidd's Avatar
    Join Date
    Mar 2011
    Posts
    1,455
    Character
    Alex Kidd
    World
    Spriggan
    Main Class
    Marauder Lv 90
    I wonder how many of the people hacked have used the Parser or downloaded bots.
    (3)

  6. #16
    Player
    Mysteltain's Avatar
    Join Date
    Aug 2013
    Posts
    847
    Character
    Robin Icebrand
    World
    Midgardsormr
    Main Class
    Alchemist Lv 80
    Sooo...is this a problem for us PS3 players as well, or only people who have the PC version?
    (0)

  7. #17
    Player Eekiki's Avatar
    Join Date
    Mar 2011
    Posts
    3,214
    Character
    Kickle Cubicle
    World
    Balmung
    Main Class
    Rogue Lv 90
    Quote Originally Posted by Mysteltain View Post
    Sooo...is this a problem for us PS3 players as well, or only people who have the PC version?
    Probably not a problem for PS3 users, since that goes through PSN, and unless someone's able to log onto your PSN account they can't get to your XIV account.

    Now, if you've got your XIV account registered for both PS3 and PC access, I dunno. You're probably still safe.
    (0)

  8. #18
    Player
    Rivienne's Avatar
    Join Date
    Aug 2013
    Posts
    347
    Character
    Rivienne Bertouaint
    World
    Behemoth
    Main Class
    Conjurer Lv 36
    Interesting. The key problem to me sounds simply like sessions aren't IP locked once created, which is definitely an exploitable design. Sessions, regardless of expiration, should be limited to a specific client and IP.

    If the IP of a client changes mid-session, kick them out and force them to log back in. This prevents a session from being stolen and used elsewhere. Encryption of the session might help, but is ultimately hackable since they have the client and could work out the encryption. Beyond that, if you have a virus or keylogger, a security token is still good enough 99% of the time, because the time between keylogging and hacking is going to be long enough for an OTP to expire in most circumstances, making exploits much more targeted.

    So yeah, this sounds like a very simple flaw to resolve simply by implementing an IP check kick. Not a lockout, simply a forced re-login on IP mismatch.
    (17)

  9. #19
    Player
    Shirai's Avatar
    Join Date
    Sep 2013
    Location
    Amsterdam
    Posts
    880
    Character
    Shirai N'yankoro
    World
    Sargatanas
    Main Class
    Fisher Lv 60
    This is quite a serious issue indeed.
    While I am quite a security nut regarding anything connected to the internet at home and at work, I know plenty of people that are not.

    While I am of the opinion that security falls under the end user's responsibility, this is something SE can and should pick up and fix.
    (2)

  10. #20
    Player
    Issac's Avatar
    Join Date
    Mar 2011
    Location
    Limsa
    Posts
    952
    Character
    Kytheren Kenni
    World
    Seraph
    Main Class
    Red Mage Lv 97
    Quote Originally Posted by Rivienne View Post
    Interesting. The key problem to me sounds simply like sessions aren't IP locked once created, which is definitely an exploitable design. Sessions, regardless of expiration, should be limited to a specific client and IP.
    Yep, this is dead on and by far the easiest. Make the SID valid only for the IP it was granted to. Anything else is just plain retarded. Encrypt it as well for good measure.

    Basic security 101. ><
    (11)
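
The IP-bound session check proposed in posts #18 and #20 above, as an added example that is not part of the original thread and not Square Enix's code. The names `SessionStore`, `login`, `validate` and `audit_log` are assumptions made for illustration, and the addresses are constructed values from the documentation ranges.

```python
import secrets
import time
from dataclasses import dataclass

@dataclass
class Session:
    account: str
    client_ip: str
    expires_at: float

class SessionStore:
    """Server-side store: a SID is honoured only from the IP it was issued to."""

    def __init__(self, ttl_seconds=3600, clock=time.time):
        self._sessions = {}
        self._ttl = ttl_seconds
        self._clock = clock
        self.audit_log = []  # (event, account, ip) tuples kept for later review

    def login(self, account, client_ip):
        sid = secrets.token_urlsafe(32)  # unguessable: 256 bits from the OS CSPRNG
        self._sessions[sid] = Session(account, client_ip, self._clock() + self._ttl)
        self.audit_log.append(("login", account, client_ip))
        return sid

    def validate(self, sid, client_ip):
        """Return the account name, or None if the caller must log in again."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        if self._clock() >= session.expires_at:
            del self._sessions[sid]
            self.audit_log.append(("expired", session.account, client_ip))
            return None
        if client_ip != session.client_ip:
            # IP changed mid-session: destroy the SID. The account is not locked;
            # the owner simply authenticates again (password + OTP).
            del self._sessions[sid]
            self.audit_log.append(("ip_mismatch", session.account, client_ip))
            return None
        return session.account

if __name__ == "__main__":
    store = SessionStore()
    sid = store.login("example_account", "203.0.113.10")  # constructed values
    print(store.validate(sid, "203.0.113.10"))  # same IP: accepted
    print(store.validate(sid, "198.51.100.7"))  # other IP: SID destroyed
    print(store.audit_log)
```

An IP binding does not stop a request that reaches the server from the same address (for example, software running on the player's own machine or behind the same NAT), and it forces extra logins for clients whose address changes legitimately.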
