  1. #91
    Player NeruMew's Avatar
    Wow.... man, just wow... Thank you so much for bringing this up, I just, just simply can't grasp my mind around the fact that SE let this slip thru their fingers, this is like the most basic rule of security... you just can't have a session ID not expiring like that... granted, for easy use some websites allow you to keep your old session ID but these are exceptions.
    And I really hope SE gets into fixing this ASAP, I personally don't like the launcher but it works, anyway....

    BTW! For anyone who reads this, just know this is NOT an issue with the tokens, but it's rooted deeper into the game system, it renders tokens useless as you can easily bypass them.

    Also, just saying, like the guy with the very long post said, more than likely, any form of malware infection targeted for SE/FFXIV will come from environments around SE/FFXIV so yeah.. HamHam, we can't ban the very own internet's reason to be (aside from the CIA spying on us all @.@ lol jkjk for those paranoids out there)
    (0)

  2. #92
    Player NeruMew's Avatar
    Also, I had to cut off half my post... why the hell do we have a 1000 limit? When does it get raised? if anyone knows...

    BTW! For anyone who reads this, just know this is NOT an issue with the tokens, but it's rooted deeper into the game system, it renders tokens useless as you can easily bypass them.

    Either way don't be scared, try to keep your PC clean of viruses, maybe you can scan it once a week, and just be more wary of the sites you visit. Just be cautious.

    Read this post if you're more interested, since it'll get passed by people who don't check all pages.
    Quote Originally Posted by Misteyes View Post
    -snip-
    Just skip more technical aspects if you don't understand em.
    (1)

  3. #93
    Player
    Bixby's Avatar
    Quote Originally Posted by NeruMew View Post
    Also, I had to cut off half my post... why the hell do we have a 1000 limit? When does it get raised?
    When you click Edit. Cut excess text, post first part, edit, paste excess text back in, no limit.
    (1)

  4. #94
    Player NeruMew's Avatar
    Quote Originally Posted by Bixby View Post
    When you click Edit. Cut excess text, post first part, edit, paste excess text back in, no limit.
    lol I thought about it right after posting, cause I saw the edit on the long posts, that's just glitchy and wrong... lol

    But thanks a lot. Good tip :3
    (0)

  5. #95
    Player
    CSX's Avatar
    Quote Originally Posted by HamHam View Post
    Well. Ppl need to stop going to porn sites. That'll save you from 90% of the viruses in the internet.
    This man right here has the solution. Only I'd say it would save you from 100% and stay away from gold seller sites.

    Take this advice, don't porn up your PC and you'll be a happy camper.
    (0)

  6. #96
    Player NeruMew's Avatar
    Quote Originally Posted by HamHam View Post
    Well. Ppl need to stop going to porn sites. That'll save you from 90% of the viruses in the internet.
    Quote Originally Posted by CSX View Post
    This man right here has the solution. Only I'd say it would save you from 100% and stay away from gold seller sites.

    Take this advice, don't porn up your PC and you'll be a happy camper.
    Sorry but you gotta love the ignorance, porn sites are not the only source of malicious software nor phishing nor whatever the hell you wanna blame it for. I mean, just, gah. Lol.. I know I'm not providing any feasible evidence but come on man. Just funny

    Cute lil Falafells
    (1)

  7. #97
    Player
    FF2GO's Avatar
    While I agree an encrypted session ID is a much more formidable way of securing pivotal information, the simple fact(s) still remain in that people just need to be smart. Things like making long, difficult passwords (NOT TIED TO ANYTHING such as e-mail), and changing it every 30 days or so goes a long way. Also, using AV software and updating virus defs goes a long way. Do not visit shady websites, and do not loan your account info to anyone, even a friend. If they use your account info on THEIR PC and their pc is infected, kiss your account good bye. Don't download shady things either. I have followed these rules for the past 15 years of playing MMO's and never been hacked. Bottom line, don't be dumb.
    (0)

  8. #98
    Player
    KisaiTenshi's Avatar
    Quote Originally Posted by TaalAzura View Post
    FFXIV Game Client

    The launcher invokes the game client by executing ffxiv.exe with extra command line parameters. It appends DEV.TestSID=xxxx, where xxx is the session ID, to the launch command. Here is the issue with that. That session ID is now plainly visible with any basic process inspector such as Microsoft's Process Explorer. No special memory viewers to get this information. This means it is incredibly easy for any virus that is on the computer to obtain the information. This also means it is possible to bypass the launcher to load the game client by just repeating the same command at the command line.
    Sorry but clearly you haven't verified your facts before posting them. This does not work. I've tried to launch the game this way twice (once before and once after getting the authenticator app) and both times it does not get anywhere.
    (1)

  9. #99
    Player
    DragonFlyy's Avatar
    Quote Originally Posted by Issac View Post
    Yep, this is dead on and by far the easiest. Make the SID valid only for the IP it was granted to. Anything else is just plain retarded. Encrypt it as well for good measure.

    Basic security 101. ><
    Encrypt yes, IP lock is also a decent idea, but IPs are easily spoofed and if they have a virus to capture the SID, then they can also capture the IP and spoof it. Encryption would be the better option, or move the login to the game client itself (best option).

    RIFT ran into this when they released, their login is on a web browser setup as well and you could get the SID of the login bypassing passwords and such. Matter of fact, the RIFT issues didn't even have a virus. Hackers would just run a script that would start counting at 00000 (example only) and add one trying each one until it successfully logged in.

    Quote Originally Posted by KisaiTenshi View Post
    Sorry but clearly you haven't verified your facts before posting them. This does not work. I've tried to launch the game this way twice (once before and once after getting the authenticator app) and both times it does not get anywhere.
    It does work. Had to do this to bypass the launcher on Linux awhile back, before I could get Wine to open the actual launcher. Opened up the game on Windows and got the SID. Then passed it to the Linux machine and logged in just fine.
    (1)
    Last edited by DragonFlyy; 10-11-2013 at 11:49 PM.
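
Added example (not part of any post in this thread, and not Square Enix's or RIFT's code): a server-side sketch of the session-ID properties the posts above ask for, namely an unguessable SID instead of a counter, a bounded lifetime, one-time redemption so a copied SID cannot be replayed, and the IP binding Issac suggested. The class name, method names, TTL and sample values are all assumptions made for illustration.

```python
import secrets
import time


class SessionStore:
    """Server-side launch-session store (constructed sketch, hypothetical names)."""

    def __init__(self, ttl_seconds=120, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so expiry can be tested
        self._live = {}             # sid -> (account, client_ip, expires_at)

    def issue(self, account, client_ip):
        # A new login revokes any SID still outstanding for the account.
        self._live = {s: e for s, e in self._live.items() if e[0] != account}
        # 256 bits from the OS CSPRNG: nothing to count through or predict.
        sid = secrets.token_urlsafe(32)
        self._live[sid] = (account, client_ip, self.clock() + self.ttl)
        return sid

    def redeem(self, sid, client_ip):
        """Return the account for a valid SID, else None."""
        # pop(): the SID is consumed on first presentation, valid or not,
        # so a copy replayed later (or from another machine) finds nothing.
        entry = self._live.pop(sid, None)
        if entry is None:
            return None
        account, bound_ip, expires_at = entry
        if self.clock() >= expires_at:
            return None             # expired: the lifetime is bounded
        if client_ip != bound_ip:
            return None             # presented from a different address
        return account


if __name__ == "__main__":
    store = SessionStore(ttl_seconds=120)
    sid = store.issue("acct-1", "203.0.113.5")       # constructed sample values
    print(store.redeem(sid, "203.0.113.5"))          # first use succeeds
    print(store.redeem(sid, "203.0.113.5"))          # replay is rejected
```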

  10. #100
    Player
    Bufkus's Avatar
    Why do you expect SE to fix something that would be purely your fault? (i.e. if you have a virus on your system)

    The authenticator prevents hacking that isn't your fault (hackers getting your passwords from website databases for instance).
    (0)
