  1. #111
    Player
    Hulan's Avatar
    Join Date
    Jun 2011
    Posts
    866
    Character
    Alec Temet
    World
    Midgardsormr
    Main Class
    Arcanist Lv 70
    Being a moderate in all things (and therefore a very boring person), I think people are taking things a little too far here. This is a problem that does need to be fixed, but only because all security vulnerabilities should be patched as soon as possible. As far as vulnerabilities go, though, this one is not as bad as it first seems. It's been mentioned already several times by people more well informed on the subject than me, but Man in the Middle attacks will still be a threat even if SIDs expired and were 100% secure. This vulnerability is predicated on the client machine being infected by malware, something that is always a danger.

    On that topic, if you'll excuse the hyperbolic comparison, internet security is like going to a war torn region of the world. Is it your fault that someone shot you? No, it's their fault. But is it your fault that you got hurt because you weren't wearing a bullet proof vest? Well, yeah, sort of. Everyone needs to take some responsibility for their own safety when using the internet. SE need to take responsibility for making the environment as safe as possible, but that does not exonerate you from your individual responsibility to preserve your own safety.
    (3)

  2. #112
    Player
    Mjollnir's Avatar
    Join Date
    Mar 2011
    Location
    Limsa Lominsa
    Posts
    1,582
    Character
    Fiery Mojo
    World
    Gilgamesh
    Main Class
    Marauder Lv 100
    Quote Originally Posted by HamHam View Post
    Well. Ppl need to stop going to porn sites. That'll save you from 90% of the viruses in the internet.
    Quote Originally Posted by CSX View Post
    Take this advice, don't porn up your PC and you'll be a happy camper.
    As soon as you can show me how to do this, I will happily comply. Gotta have something to do whilst waiting in DF. AMIRITE GUYS?!?!
    (1)

  3. #113
    Player
    Hulan's Avatar
    Join Date
    Jun 2011
    Posts
    866
    Character
    Alec Temet
    World
    Midgardsormr
    Main Class
    Arcanist Lv 70
    Quote Originally Posted by Mjollnir View Post
    As soon as you can show me how to do this, I will happily comply. Gotta have something to do whilst waiting in DF. AMIRITE GUYS?!?!
    I really would rather not think about what you are implying about people who say "One second guys" when they get into a Duty Finder party.
    (3)

  4. #114
    Player Kosmos992k's Avatar
    Join Date
    Aug 2013
    Location
    Ul'Dah
    Posts
    4,349
    Character
    Kosmos Meishou
    World
    Behemoth
    Main Class
    Paladin Lv 90
    Quote Originally Posted by eyloi View Post
    Sessions are not IP locked. I'm able to use my friend's account from Texas, and he lives in Japan.

    If I tried that in WoW, it would auto lock the account.
    Oh good grief...bad SE, bad, bad. Fix this, and encrypt the communication between game and server. Come on SE, do it now!
    (0)

  5. #115
    Player
    Hulan's Avatar
    Join Date
    Jun 2011
    Posts
    866
    Character
    Alec Temet
    World
    Midgardsormr
    Main Class
    Arcanist Lv 70
    Quote Originally Posted by Kosmos992k View Post
    Oh good grief...bad SE, bad, bad. Fix this, and encrypt the communication between game and server. Come on SE, do it now!
    The only thing that needs to be encrypted is the handshake and credential exchange, which, according to this, is. After that, it's all just icing on the cake. There's not much a potential exploiter or account thief could learn from the normal game traffic, even unencrypted. Hmmm, I take that back, they could learn if you were an acceptable mark based on your gil and transaction history. But it's not going to get them any closer to stealing your account. The session ID is only exposed during the original exchange done by the launcher, which is encrypted. The risk is of a program on the client machine stealing the session ID, which makes encryption worthless (local encryption does nothing, as it is akin to placing the key on top of the safe).
    (2)

  6. #116
    Player
    KisaiTenshi's Avatar
    Join Date
    Sep 2013
    Location
    Gridania
    Posts
    2,775
    Character
    Kisa Kisa
    World
    Excalibur
    Main Class
    White Mage Lv 100
    Quote Originally Posted by Daragust View Post
    I'd rather see them invalidate the Session ID after a successful logout. They would burn through more sessions but since IPs can be spoofed and the hack would be originating from the machine where the virus is, thus the IP can be logged, it would be a more secure option.
    Works this way for GM convenience (piggybacking); a GM could in theory just generate a session and log into it. That said...


    Quote Originally Posted by Hulan View Post
    The risk is of a program on the client machine stealing the session ID, which makes encryption worthless
    Why even go through the bother? All they have to do is MITM when ffxiv.exe is launched by grabbing the string from the launcher the same way any other tool can see it. There is a logical fix to this:
    a) don't use a launcher or
    b) write the session to a memory file, have the client read this file.

    Anyhow the weakness in this is the client which you can't trust anyway.
    (0)
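
Added example, not part of the post above and not Square Enix's code: a launcher handing a session ID to a child process on the command line versus over an anonymous pipe. The pipe stands in for the "memory file" idea in fix (b); the `CLIENT` stub, the `SID=` argument and the function names are hypothetical, and, as the post says, neither hand-off protects against software that can read the client's memory.

```python
import json
import subprocess
import sys

# Stand-in for the game client (hypothetical). It reports its own argv, which
# is what any process lister on the machine can read, and the token it was
# given on stdin.
CLIENT = (
    "import json, sys\n"
    "tok = sys.stdin.readline().strip()\n"
    "print(json.dumps({'argv': sys.argv[1:], 'stdin_token': tok}))\n"
)

def _run(extra_args, stdin_text):
    out = subprocess.run(
        [sys.executable, "-c", CLIENT, *extra_args],
        input=stdin_text, capture_output=True, text=True, check=True,
    )
    return json.loads(out.stdout)

def launch_via_argv(session_id):
    """Weak hand-off: the session ID becomes part of the command line."""
    return _run(["SID=" + session_id], "\n")

def launch_via_pipe(session_id):
    """Hand-off over the child's stdin pipe: argv carries nothing secret."""
    return _run([], session_id + "\n")

def visible_in_process_list(report, session_id):
    """True if the session ID can be read from the child's command line."""
    return any(session_id in arg for arg in report["argv"])

if __name__ == "__main__":
    import secrets
    sid = secrets.token_hex(16)  # constructed 32-character sample ID
    print("argv hand-off exposed:", visible_in_process_list(launch_via_argv(sid), sid))
    print("pipe hand-off exposed:", visible_in_process_list(launch_via_pipe(sid), sid))
```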

  7. #117
    Player
    Hulan's Avatar
    Join Date
    Jun 2011
    Posts
    866
    Character
    Alec Temet
    World
    Midgardsormr
    Main Class
    Arcanist Lv 70
    Quote Originally Posted by KisaiTenshi View Post
    Why even go through the bother? All they have to do is MITM when ffxiv.exe is launched by grabbing the string from the launcher the same way any other tool can see it.
    Well, I excluded MitM attacks because I was responding to the comment about encryption. If you can MitM the launcher, all of your information is at risk, not just the session ID. It's not my area of expertise, so I wouldn't say it's completely unavoidable, but as far as I know, MitM attacks aren't something SE can easily prevent beyond the measures they are already taking. That's why I said the only real risk associated with this vulnerability is from client machine infection.
    (0)

  8. #118
    Player
    KisaiTenshi's Avatar
    Join Date
    Sep 2013
    Location
    Gridania
    Posts
    2,775
    Character
    Kisa Kisa
    World
    Excalibur
    Main Class
    White Mage Lv 100
    Quote Originally Posted by Hulan View Post
    That's why I said the only real risk associated with this vulnerability is from client machine infection.
    Basically, security-wise, it's not possible for SE to secure the client machine (or PS3.) If someone already has a rootkit on that system, absolutely nothing is going to stop the account from being stolen if that's specifically what they're looking for. The Authenticator is only "worthless" in this sense because the machine itself is worthless.
    (0)

  9. #119
    Player
    Mjollnir's Avatar
    Join Date
    Mar 2011
    Location
    Limsa Lominsa
    Posts
    1,582
    Character
    Fiery Mojo
    World
    Gilgamesh
    Main Class
    Marauder Lv 100
    Quote Originally Posted by KisaiTenshi View Post
    Basically, security-wise, it's not possible for SE to secure the client machine (or PS3.) If someone already has a rootkit on that system, absolutely nothing is going to stop the account from being stolen if that's specifically what they're looking for. The Authenticator is only "worthless" in this sense because the machine itself is worthless.
    Yes, but if the Session ID was invalidated on logout, the Authenticator wouldn't be useless as the stolen Session ID would no longer work and a new Session ID would need to be generated with the Authenticator to log back on.

    The system's not impervious to advanced attacks, but a virus that invisibly sits in the background and only sends the 32-digit string it's read off the process tree is very easy to write and will be a lot easier to get onto people's systems as more and more plug-ins and tools are downloaded *especially* if just one of those is kept on an unsecure server where someone could upload a subtly modified copy of the software.

    Pretty sure invalidation of the Session ID on logout is the easiest and most sensible way to prevent this system being taken advantage of.
    (1)
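
Added example, not part of the post above and not Square Enix's code: a minimal server-side session store showing the behaviour the post asks for, where logout revokes the session ID and a copied ID stops working, so a new one can only be obtained by passing the authenticator check again. The `SessionStore` class, the `otp_ok` flag, the one-session-per-account rule and the 15-minute idle timeout are assumptions made for the illustration.

```python
import hashlib
import secrets
import time

class SessionStore:
    def __init__(self, idle_ttl=900, clock=time.monotonic):
        self._sessions = {}   # sha256(session id) -> (account, last_seen)
        self._ttl = idle_ttl  # seconds of inactivity before an ID expires
        self._clock = clock

    @staticmethod
    def _key(sid):
        # Store only a hash, so a leak of the table does not leak live IDs.
        return hashlib.sha256(sid.encode()).hexdigest()

    def login(self, account, otp_ok):
        if not otp_ok:
            raise PermissionError("authenticator check failed")
        # One live session per account: a new login revokes any older ID.
        self._sessions = {k: v for k, v in self._sessions.items()
                          if v[0] != account}
        sid = secrets.token_hex(16)  # 32 hex characters, unpredictable
        self._sessions[self._key(sid)] = (account, self._clock())
        return sid

    def validate(self, sid):
        """Return the account for a live session ID, else None."""
        key = self._key(sid)
        entry = self._sessions.get(key)
        if entry is None:
            return None
        account, last_seen = entry
        if self._clock() - last_seen > self._ttl:
            del self._sessions[key]  # idle too long: expire it
            return None
        self._sessions[key] = (account, self._clock())
        return account

    def logout(self, sid):
        """Revoke the ID; any copy taken from the client is now useless."""
        return self._sessions.pop(self._key(sid), None) is not None
```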

  10. #120
    Player Kosmos992k's Avatar
    Join Date
    Aug 2013
    Location
    Ul'Dah
    Posts
    4,349
    Character
    Kosmos Meishou
    World
    Behemoth
    Main Class
    Paladin Lv 90
    Quote Originally Posted by Hulan View Post
    The only thing that needs to be encrypted is the handshake and credential exchange;
    No, according to another topic, there is a way to inject D/B queries to modify your character because the communication between the game client and servers - including character D/B updates - is not protected and can be easily manipulated by an unscrupulous player to gain levels, items and gil. In other words cheat. So yes, I'd like to see some level of encryption between client and server, as well as stronger session key security.
    (0)
