  1. #1
    Player NephthysVasudan's Avatar
    Join Date
    Sep 2017
    Location
    Ul'Dah
    Posts
    1,091
    Character
    Nephthys Yamada
    World
    Adamantoise
    Main Class
    White Mage Lv 80

    PSA - Account Security - It's a thing - You should look at this thing.

    Something "positive" to contribute to the forums over the "blarg" posts.

    ===========

    Today one of my sprouts reported that his account had been compromised.

    His char's deleted - lost everything pretty much minus whatever we can replace.

    Thankfully this is a sprout - so the loss is far less than say "myself" getting hit with this.

    My main point is this - you guys, seasoned players, vets, new players, returnees - you need to turn your OTP/TFA features on - it's not just a good idea, it's the best idea period.

    It's not worth risking your account over laziness.

    http://www.square-enix.com/na/account/otp/

    SE has a decent setup - and while it's not the best - it works.

    Obvious yes, common sense yes... but it needs to be said, reminded.
    Tell your friends, tell your newbies. Just tell them.

    Thanks for your time.

    PS: He's going to talk to support - but we both concluded there may not be much they can do. We (My FC) have him covered regardless.
    (19)

  2. #2
    Player
    Sigma-Astra's Avatar
    Join Date
    Mar 2017
    Location
    Ul'dah
    Posts
    1,085
    Character
    Soma Kagami
    World
    Sargatanas
    Main Class
    Black Mage Lv 90
    I want to add on that in this day and age, lots of people just don't make good passwords in general. Passwords should be longer than five characters with uppercase, undercase, numbers, and symbols in them. My password for the game is at least 11 characters long with a combination of various things, it's also nothing that could be easily guessed from even people that know me well enough, but, like above what the OP said.

    I also use a One-Time-Password via my cellphone as well for extra security measure because it still is possible that hackers could crack my password with the tools that they have available.
    (2)

  3. #3
    Player NephthysVasudan's Avatar
    Join Date
    Sep 2017
    Location
    Ul'Dah
    Posts
    1,091
    Character
    Nephthys Yamada
    World
    Adamantoise
    Main Class
    White Mage Lv 80
    Quote Originally Posted by Sigma-Astra View Post
    I want to add on that in this day and age, lots of people just don't make good passwords in general. Passwords should be longer than five characters with uppercase, undercase, numbers, and symbols in them. My password for the game is at least 11 characters long with a combination of various things, it's also nothing that could be easily guessed from even people that know me well enough, but, like above what the OP said.

    I also use a One-Time-Password via my cellphone as well for extra security measure because it still is possible that hackers could crack my password with the tools that they have available.
    Possible yes...but bloody damn hard with OTP on.
    Might as well make it as hard as possible.
    (2)

  4. #4
    Player
    Sigma-Astra's Avatar
    Join Date
    Mar 2017
    Location
    Ul'dah
    Posts
    1,085
    Character
    Soma Kagami
    World
    Sargatanas
    Main Class
    Black Mage Lv 90
    Quote Originally Posted by NephthysVasudan View Post
    Possible yes...but bloody damn hard with OTP on.
    Might as well make it as hard as possible.
    Well, I should have clarified that better. I meant that, it's possible that they could crack my password, despite its long length, even if I wasn't using OTP. :P And that's why I have the OTP on anyways because the randomly generated number sequence will make sure that hackers can't run a program that would otherwise just run through variables until a number, letter, or symbol matched what I have been using.

    It's also a good idea to NOT use the same password for everything either. I hear about so many people doing this....don't use your online banking password as your password for the game! lol
    (1)

  5. #5
    Player NephthysVasudan's Avatar
    Join Date
    Sep 2017
    Location
    Ul'Dah
    Posts
    1,091
    Character
    Nephthys Yamada
    World
    Adamantoise
    Main Class
    White Mage Lv 80
    Quote Originally Posted by Sigma-Astra View Post
    Well, I should have clarified that better. I meant that, it's possible that they could crack my password, despite its long length, even if I wasn't using OTP. :P And that's why I have the OTP on anyways because the randomly generated number sequence will make sure that hackers can't run a program that would otherwise just run through variables until a number, letter, or symbol matched what I have been using.

    It's also a good idea to NOT use the same password for everything either. I hear about so many people doing this....don't use your online banking password as your password for the game! lol
    Also good advice.
    Also - do not share your accounts guys.... aside from the obvious. Don't leave your computer unattended...etc..etc.
    (1)

  6. #6
    Player
    TaranTatsuuchi's Avatar
    Join Date
    Oct 2011
    Posts
    1,462
    Character
    Aryn Tatsuuchi
    World
    Balmung
    Main Class
    Samurai Lv 90
    Quote Originally Posted by Sigma-Astra View Post
    I want to add on that in this day and age, lots of people just don't make good passwords in general. Passwords should be longer than five characters with uppercase, undercase, numbers, and symbols in them. My password for the game is at least 11 characters long with a combination of various things, it's also nothing that could be easily guessed from even people that know me well enough, but, like above what the OP said.

    I also use a One-Time-Password via my cellphone as well for extra security measure because it still is possible that hackers could crack my password with the tools that they have available.
    correcthorsebatterystaple

    https://xkcd.com/936/


    XD



    On topic.

    Yes, use the one time password feature.
    It's free with a mobile phone, and iirc you can even use an emulator if you don't have a mobile phone.

    You even get a free teleport destination!
    (4)

  7. #7
    Player
    Musashidon's Avatar
    Join Date
    Aug 2013
    Posts
    1,798
    Character
    Blackmage Vivi
    World
    Leviathan
    Main Class
    Gladiator Lv 100
    why? the fbi agent in my computer knows everything anyways.
    (5)

  8. #8
    Player NephthysVasudan's Avatar
    Join Date
    Sep 2017
    Location
    Ul'Dah
    Posts
    1,091
    Character
    Nephthys Yamada
    World
    Adamantoise
    Main Class
    White Mage Lv 80
    Quote Originally Posted by Musashidon View Post
    why? the fbi agent in my computer knows everything anyways.
    The one to fear is not the FBI Agent in your computer.
    It's the jerk in your computer who wants to wreck your stuff that you spent so much time working on.
    Like losing your house...for example.
    (0)

  9. #9
    Player
    wizisi2k's Avatar
    Join Date
    Sep 2012
    Posts
    101
    Character
    Lillis Elric
    World
    Balmung
    Main Class
    Conjurer Lv 94
    An OTP is good to have... until the day that you have to hand in your phone at the end of its 18-month lease. Then you HAVE to deactivate all 2-factor for any and all apps that use it on your phone. Once you have a new one, you gotta reset all your 2-factors. I got this coming up in September and my options are: do what I said (deactivate Steam's 2 factor, SE's, uplay's) and risk compromisation OR pay $216 to own the phone. Security token apps are only good if you have a smartphone too or want to spend more on them every few years. While it's possible to crack my account, I have proof of ownership to get it back.
    (0)

  10. #10
    Player
    KisaiTenshi's Avatar
    Join Date
    Sep 2013
    Location
    Gridania
    Posts
    2,775
    Character
    Kisa Kisa
    World
    Excalibur
    Main Class
    White Mage Lv 100
    Quote Originally Posted by Sigma-Astra View Post
    I want to add on that in this day and age, lots of people just don't make good passwords in general. Passwords should be longer than five characters with uppercase, undercase, numbers, and symbols in them. My password for the game is at least 11 characters long with a combination of various things, it's also nothing that could be easily guessed from even people that know me well enough, but, like above what the OP said.

    I also use a One-Time-Password via my cellphone as well for extra security measure because it still is possible that hackers could crack my password with the tools that they have available.
    Don't bother with making an overly complex password, just make something you can remember unique to this game.


    The OTP is your insurance against someone being able to replay-attack/keylogging. Also do not use an Android emulator for your OTP on the same machine. Buy an authenticator if you're unwilling to put the authenticator software on your personal cell phone or tablet. OTP doesn't protect against session jacking.

    Now you might ask... wait, why can my account get jacked anyway?

    Yes. MMOs can be jacked several ways:

    1) Username and password jacked by brute force (which is usually not done) by emulating the launcher.
    2) Username and password jacked by password reuse.
    3) Username and password jacked by keylogging/malware by hooking the keyboard API.
    4) Session jacked by unauthorized third party software/mods (don't trust anything you can not get the source code for and compile yourself).
    5) Session jacked by network replay attack (compromised browser plugins).
    6) Session jacked by shared proxy (players using VPNs).
    7) Account compromised by remote access tools (e.g. Teamviewer) on the system.

    Clearly the easiest is #2, and you shouldn't reuse passwords in the first place.

    Of these, #4 is not that hard to pull off as it bypasses the username/password/OTP process by simulating the game launcher and passing along the session string while it's hooked into the process, while it secretly passes along that information to a third party. So you will probably find that people who report being hacked, were probably engaging in RMT, or modding, or used a third party tool for some reason and naively trusted a total stranger on the internet.

    Earlier on in V2.x, a player reported to the forums that they couldn't log into the game, but I found them in the game, being an RMT spammer. So, people will deny they did anything wrong, even if they clearly did, and just want to save face.

    With #7, Teamviewer is often a vector by which accounts get stripped and deleted as well. If you used TeamViewer or other remote access tools to let someone "Borrow your account" or play remotely yourself, you are opening yourself up to a world of hurt if you don't uninstall the software immediately after you don't need it anymore.

    The only way to prevent all of the above is by requiring an OTP to login/delete the character. If your game is idle and goes AFK, it should also request an OTP to come out of AFK mode. But it doesn't do that.


    Quote Originally Posted by wizisi2k View Post
    An OTP is good to have... until the day that you have to hand in your phone at the end of its 18-month lease. Then you HAVE to deactivate all 2-factor for any and all apps that use it on your phone. Once you have a new one, you gotta reset all your 2-factors. I got this coming up in September and my options are: do what I said (deactivate Steam's 2 factor, SE's, uplay's) and risk compromisation OR pay $216 to own the phone. Security token apps are only good if you have a smartphone too or want to spend more on them every few years. While it's possible to crack my account, I have proof of ownership to get it back.
    I actually use my iPad 3 for this. As it doesn't receive updates anymore from Apple, the only risk of "losing" the OTP generator is by losing the iPad or it being damaged. I didn't put it on my phone because SE's authenticator doesn't work through major OS updates, and the phone tends to update automatically.
    (0)
    Last edited by KisaiTenshi; 05-10-2018 at 03:40 PM.
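
Added example, not part of any post in this thread and not Square Enix's implementation: a toy login service using standard RFC 6238 TOTP, illustrating two points from post #10, that a keylogged code cannot be replayed, and that a copied session token still works unless destructive actions demand a fresh OTP. `ToyServer` and all of its names are hypothetical; the 30-second step and SHA-1 are the RFC defaults, assumed here.

```python
import hashlib
import hmac
import secrets
import struct

STEP = 30  # seconds per code: RFC 6238 default, assumed for this example

def totp(secret: bytes, now: float, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) computed over the current time step."""
    counter = struct.pack(">Q", int(now) // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class ToyServer:
    """Hypothetical login service; every name here is illustrative."""
    def __init__(self, password: str, secret: bytes):
        self.password, self.secret = password, secret
        self.last_step = -1    # highest time step already accepted
        self.sessions = set()  # tokens issued after a successful login

    def check_otp(self, code: str, now: float) -> bool:
        step = int(now) // STEP
        # A step that was already accepted is refused: a logged code is single-use.
        if step <= self.last_step:
            return False
        if not hmac.compare_digest(code.encode(), totp(self.secret, now).encode()):
            return False
        self.last_step = step
        return True

    def login(self, password: str, code: str, now: float):
        if not hmac.compare_digest(password.encode(), self.password.encode()):
            return None
        if not self.check_otp(code, now):
            return None
        token = secrets.token_hex(16)
        self.sessions.add(token)
        return token

    def delete_character(self, token, code="", now=0.0, step_up=False) -> bool:
        if token not in self.sessions:
            return False
        # Without step-up, holding the session token is sufficient on its own.
        return self.check_otp(code, now) if step_up else True
```

With `step_up=False` the token alone authorises deletion, which is the gap the post describes; `step_up=True` models the post's suggestion of asking for an OTP again before deleting a character.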
