Page 8 of 14
Results 71 to 80 of 132
  1. #71
    Player
    Aicha's Avatar
    Join Date
    Aug 2013
    Posts
    36
    Character
    A'shanee Kasha
    World
    Balmung
    Main Class
    Paladin Lv 90
    Seems complete amateurs made the net/server code of this game. I mean this and those excessive teleport hacks shouldn't be possible at all.
    (4)

  2. #72
    Player
    Soukyuu's Avatar
    Join Date
    Mar 2011
    Posts
    2,086
    Character
    Crim Soukyuu
    World
    Ragnarok
    Main Class
    Pugilist Lv 50
    I don't think posting the thread was the right thing to do OP. There are channels you should have used to report it directly to SE (and by that I don't mean the bug report forums but the ingame "contact us" -> "report a bug" form in the game helpdesk.)
    (0)

    [ AMD Phenom II X4 970BE@4GHz | 12GB DDR3-RAM@CL7 | nVidia GeForce 260GTX OC | Crucial m4 SSD ]

  3. #73
    Player
    Quitesa's Avatar
    Join Date
    Nov 2011
    Posts
    4
    Character
    Quit Tessa
    World
    Hyperion
    Main Class
    Carpenter Lv 50
    He already did that - he's in my FC
    (0)

  4. #74
    Player
    hobostew's Avatar
    Join Date
    Aug 2013
    Location
    Ul'dah
    Posts
    459
    Character
    Astrid Arkwright
    World
    Brynhildr
    Main Class
    Monk Lv 90
    Bumperella!
    (0)

  5. #75
    Player
    Misteyes's Avatar
    Join Date
    Jul 2011
    Posts
    118
    Character
    Kerin Misteyes
    World
    Balmung
    Main Class
    Conjurer Lv 60
    Long post incoming. I work with people who have done network security professionally in the past, and I got some of their opinions. SE's use of SIDs is basically as prescribed by the OAuth standard, which is secure against most forms of attack. The system itself is not unsound, but some of the parameters SE has chosen are unsuitable for a service like FFXIV. I'd like to talk about what attack vectors this opens up and, more importantly, what we can do to protect ourselves from them.

    Likely Attack Vectors:
    Embedding Viruses in Hacks/Bots - Easy (but costly). Projected Captures: Hundreds
    Yeah, this probably happens. Don't download bots, don't buy gil, don't give your password to gilsellers for powerlevelling. Duh. However, this is probably not how most people get hacked. There's plenty of good reasons not to buy gil - not least of which is that you're paying people to hack other people's accounts - but personal safety isn't one of them. Gilsellers value customers a lot more than they value gil, and people who buy gil once tend to be the kind of people who buy gil twice. It's unlikely that they'd steal a customer's account, because that means they lose a customer in exchange for gil. (Botting programs probably do come with viruses, since people who download bots are not repeat customers.)

    Social Engineering - Very Easy. Projected Captures: Depends
    Social engineering is the practice of tricking users into giving their password voluntarily. This can take many forms, but there's enough information out there already about password security, so I won't get into that. Quick summary: Don't enter your password into sites that you're not sure are legitimate, don't re-use the same password for anything, don't click links in e-mails and then enter your password into them.

    Browser Based Exploits - Moderately Difficult. Projected Captures: Tens of thousands. <--Most Likely Attack!
    Depending on your browser, flash player version, java version, security settings, Windows version, etc. there are vulnerabilities that can be exploited from a browser to harvest data. This is the most likely attack vector, and I'll get into more about how to defend yourself from it later.

    Things not to worry about:
    Guessing SIDs - Effortless. Projected Captures: Nobody ever
    I wouldn't worry about this one. In theory, anyone could just start entering random SIDs and hope they get one, however, the odds of actually getting a match are so close to zero that even with a giant multi-thousand computer array guessing until the heat death of the universe, it's unlikely to capture anyone.

    Coffee-Shop Attack - Effortless. Projected Captures: Almost nobody ever
    The easiest "man in the middle" attack: The hacker finds an unencrypted wireless network (such as at Starbucks) and sits there with a program that listens to all traffic (even the traffic not meant for him) until someone logs in to XIV. He harvests their SID for later use. The problem is that your average Starbucks probably gets an average of 0 people logging into it per day. This sort of attack just isn't worth any commercial hacker's time. If someone's stealing accounts by this method, they probably aren't doing it for money (though they might still steal all your gil for themselves). The odds of you personally running into anyone snooping for XIV SIDs is almost nil, but you still might not want to log in at coffee shops, just to be safe.

    MitM - Compromised Local Router - Moderately Difficult. Projected Captures: Not enough to be worth it.
    The classic "Man in the Middle" attack. The hacker starts randomly dialing IP addresses until they find your (or anyone's) router. Query that router's firmware, google to find known attacks for that version of that router (assuming it isn't up to date), compromise the router, and have it split connections to SE's server to go to them as well. Then, sit and listen and harvest SIDs. I wouldn't worry about this one either, because it basically requires a moderately competent hacker to personally spend time hacking your particular home router. Unless you're a crafting baron with hundreds of millions of gil and your IP address is public knowledge, you're probably safe from this one. If you are in that category, you might want to update the firmware on your router.

    MitM - Compromised Backbone Router - Almost Impossible. Projected Captures: All of them
    "Man in the Middle" attack, extreme version. Like the above, but the hacker compromises a backbone router, like, say, one that routes international traffic between America and Japan, and harvests all SIDs of all American players. The problem with this one is that backbone routers tend to be up-to-date on their security, and there aren't any known exploits for them. I wouldn't worry about it, because anyone who has the ability to compromise backbone routers probably is after much more valuable things than your FFXIV account.

    Compromised Client Machine - Difficult. Projected Captures: Very few
    This is the attack form that beat WoW's authenticators a couple years ago, so it's not impossible. The hacker modifies your launcher to connect to his machine instead of to SE. He then forwards information back and forth until you attempt to log in, at which point he throws you an error, while usurping your login information for his own login session. I don't consider this one a "man in the middle" attack since the attack occurs on the client machine, which is an endpoint and not the middle, even if it does involve placing his machine in "the middle." I wouldn't worry about this one because all of the same defenses apply to this as apply to browser based exploits, and it's much harder for a hacker to install software on your machine via Flash or Java than it is for them to harvest data from your machine using Flash or Java. Also, this has nothing to do with SIDs; if someone is capable of doing this to you, it doesn't matter what Square-Enix does; with this method, the hacker could steal your account, password, and one-time key just as easily (as they did with World of Warcraft).

    How to protect yourself from browser-based exploits
    The guiding mantra here is "assume that nothing about your browser is secure." Any website that runs any kind of script content could potentially be harvesting data from your system. Java and Flash are generally pretty good, but occasionally exploits do get discovered, and it can take a day or two for a patch to get pushed out (and even longer for all users to install that patch). On any given day, you can't count on even staples like Flash, Java, or HTML5 to be secure. This doesn't mean hijacks are easy, but reading shared data on your system is very possible.

    There are three important things to consider before visiting any website:
    1. Who is capable of posting scripts to this website? Usually, this will only be the website operator, however, some fan forums and guild hosting sites allow users to embed flash scripts into their posts. Many many websites allow flash-based banner ads, and not every flash banner ad service actually checks them for vulnerabilities.
    2. Do I trust all those people, both not to steal my data, and to keep their own access safe? Most website operators are not malicious. However, many website operators use outdated versions of server software, with known vulnerabilities. I can't tell you what websites are safe and what websites aren't, but even the Curse network has been hacked a couple times, and they have a security team. I would be very wary of low-budget fansites and guild forum hosting sites.
    3. What demographics does this site target? A site that targets FFXIV players is much more likely to be an FFXIV account harvesting site (or be a target for FFXIV account harvesting hackers) than a site that sells clothing.

    You can make yourself safer by installing things like FlashBlock or NoScript, but remember the mantra: Assume nothing about your browser is secure. Recognize that you are potentially giving someone access to your system every time you visit a new site. If a banner ad seems more interested in getting you to click it than it does in selling a product - remember those nearly-pornographic Evony Online ads? Or, more recently, Wartune? - the website operator might have an ulterior motive besides pushing the product they claim to be selling. Be very wary of any advert on an FFXIV-related site.

    Should we be mad at Square-Enix?
    If you bought a security token, changed your password ever, or took any other measure to keep your account safe, you have a right to be (especially if you still got hacked). The way in which they use SIDs makes you vulnerable to all of the same attacks (besides some forms of social engineering) as you would be if you had no security token, as well as a few more.

    What could (should) Square-Enix be doing to protect us?
    In order of importance
    1. The biggest thing is, as many people have pointed out, invalidating the SIDs after a logout/disconnect. If a flash program harvests your SID, that should not give them indefinite access to your account, in spite of a password change and authenticator.
    2. The other important thing would be to scrub the SID from shared memory after the launcher passes it to the game. I understand why they have a launcher, and I understand why login isn't done within the game (the reasons are too technical even for this post). The SID will have to be passed from the launcher to the game, so it has to live in some public space at some point, but once the game has it, there is no reason why that SID should persist in a space where it can be harvested by any rogue flash script. The game client should scrub it after copying it to non-shared memory.
    3. Tying SIDs to IP addresses seems feasible to me, but I didn't get that idea checked by my colleagues and it's not prescribed by the OAuth standard, so there's probably some difficulty there that's not obvious to me. If it can be done, there's no good reason not to do it.
    4. Encrypting the channel would protect against the Coffee-Shop attack and other Man in the Middle attacks (though not compromised client). If the other things are done (even just 1 and 2), we'll be safe from any commercial-scale attack, but some people might want to log in from a coffee shop without worrying about someone stealing their account. An extra layer of security never hurts. However, if this is done and 1 and 2 are not done, it will provide no protection at all except against MitM.
    (17)
    Last edited by Misteyes; 10-09-2013 at 01:38 PM.
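    The post above lists server-side fixes: revoke the SID on logout/disconnect (point 1), consider binding it to the login IP (point 3), and rely on unguessable SIDs (the "Guessing SIDs" section). The following is an added illustration of that session model written for this thread; it is not Square-Enix's code and makes no claim about how the real launcher or servers work. The store, the idle timeout, the IP binding and the sample addresses (RFC 5737 documentation ranges) are all constructed for the example.

```python
import secrets
import hashlib
import time

SID_BYTES = 16  # 128 bits of entropy; constructed parameter, not SE's real value


class SessionStore:
    """Hypothetical server-side session table.

    Demonstrates the behaviour the post asks for: a SID is revoked on
    logout, expires after an idle period, and is optionally bound to the
    client IP seen at login, so a harvested SID is only useful while the
    legitimate session is alive and only from the same address.
    """

    def __init__(self, idle_timeout=600, bind_ip=True, now=time.time):
        self._sessions = {}          # sha256(sid) -> session record
        self.idle_timeout = idle_timeout
        self.bind_ip = bind_ip
        self._now = now              # injectable clock, used by the demo below

    @staticmethod
    def _key(sid):
        # Store a hash of the SID, so a leaked session table does not
        # hand out usable credentials.
        return hashlib.sha256(sid.encode()).hexdigest()

    def login(self, account, client_ip):
        # secrets.token_urlsafe draws from the OS CSPRNG; with 128 bits of
        # entropy, guessing a live SID is infeasible (the post's point).
        sid = secrets.token_urlsafe(SID_BYTES)
        self._sessions[self._key(sid)] = {
            "account": account,
            "ip": client_ip,
            "last_seen": self._now(),
        }
        return sid

    def validate(self, sid, client_ip):
        """Return the account name if the SID is valid for this client, else None."""
        key = self._key(sid)
        rec = self._sessions.get(key)
        if rec is None:
            return None                       # unknown or already revoked
        now = self._now()
        if now - rec["last_seen"] > self.idle_timeout:
            self._sessions.pop(key, None)     # expired: drop it on first use
            return None
        if self.bind_ip and rec["ip"] != client_ip:
            return None                       # replay from another address
        rec["last_seen"] = now
        return rec["account"]

    def logout(self, sid):
        """Revoke the SID immediately (the post's point 1)."""
        return self._sessions.pop(self._key(sid), None) is not None


def replay_demo():
    """Walk a harvested SID through the checks and report each outcome."""
    clock = [1_000.0]                          # fake clock so expiry is testable
    store = SessionStore(idle_timeout=600, bind_ip=True, now=lambda: clock[0])

    sid = store.login("player1", "198.51.100.7")   # constructed sample values
    results = {}
    results["valid"] = store.validate(sid, "198.51.100.7")
    results["other_ip"] = store.validate(sid, "203.0.113.9")     # IP binding
    store.logout(sid)
    results["after_logout"] = store.validate(sid, "198.51.100.7")  # revoked

    sid2 = store.login("player1", "198.51.100.7")
    clock[0] += 601                             # idle past the timeout
    results["after_idle"] = store.validate(sid2, "198.51.100.7")   # expired
    return results


if __name__ == "__main__":
    for check, outcome in replay_demo().items():
        print(f"{check:13s} -> {outcome}")
```

    Running the script prints `valid -> player1` and `None` for the other three checks: once the session is logged out, used from another address, or idle past the timeout, the same SID no longer authenticates anything, which is exactly the property the post says a harvested SID currently lacks. The in-memory dict stands in for whatever backing store a real service would use; the important parts are the revoke-on-logout path and the entropy of the token.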

  6. #76
    Player
    tymora's Avatar
    Join Date
    Mar 2011
    Posts
    1,724
    Character
    Tymora Estrellauta
    World
    Balmung
    Main Class
    Thaumaturge Lv 90
    Did anyone post this in the bug report section? My search didn't turn up anything.

    Just to add that, I am able to verify Livilda's screenshot as well.
    (0)

  7. #77
    Player
    CptGeorge's Avatar
    Join Date
    Sep 2013
    Location
    Ul'dah
    Posts
    9
    Character
    Enziet Walker
    World
    Leviathan
    Main Class
    Gladiator Lv 47
    Sounds like someone needs to invest in some security software. If you're new to computers, or don't have a clue what you're doing, I'm sure someone at some point has told you to invest in an Anti Virus. Most ISPs nowadays provide them for free.

    If your computer is riddled that bad with viruses, you need to not be playing video games and get your machine fixed. If you don't run an Anti Virus then it's nobody's fault but your own when you lose your bank account / gaming accounts.

    It is ALL over the internet. Ignorance is NOT an excuse.
    (1)

  8. #78
    Player
    Marenwynn's Avatar
    Join Date
    Sep 2013
    Location
    Gridania
    Posts
    45
    Character
    Serah Farron
    World
    Famfrit
    Main Class
    Archer Lv 50
    Tested this with a 10 minute old key and it worked. On the bright side, we can bypass the launcher and login. I'm kidding, though... SE may already be tracking SIDs for compromised accounts, so logging in with the same key multiple times (especially from different locations) may be a good way to get your account locked for investigation.

    This doesn't look like a problem born of negligence, but SE's way of cutting costs on their authentication servers. I know the curiosity can drive some people crazy, but please don't ever visit any of the sites the RMT spammers advertise, even if you don't intend to buy. Browsers are constantly being patched for security holes, and scanning active processes is one of the milder things cutting edge malicious code can do.
    (1)

  9. #79
    Player
    DanteMog's Avatar
    Join Date
    Sep 2013
    Posts
    125
    Character
    J'zara Darkholme
    World
    Behemoth
    Main Class
    Pugilist Lv 42
    Just asking, would CCleaner help to remove the session ID from your browser, or similar such programs?
    (0)

  10. #80
    Player
    eyloi's Avatar
    Join Date
    Oct 2013
    Posts
    73
    Character
    Eyloi Leonid
    World
    Chocobo
    Main Class
    Archer Lv 50
    Sessions are not IP locked. I'm able to use my friend's account from Texas, and he lives in Japan.

    If I tried that in WoW, it would auto lock the account.
    (3)
