Why do you expect SE to fix something that would be purely your fault? (i.e. if you have a virus on your system)
The authenticator prevents hacking that isn't your fault (hackers getting your passwords from website databases for instance).

To improve the quality of service and security of their systems? Gee Idk... Why would we ever want to move forward and become better? OH MY!
Because it's ridiculous that old sessions don't expire, not in any decent amount of time (and it should be upon disconnection).

Doesn't matter, because you're not going to be compromised unless you were already compromised.
And my point is that it doesn't matter. The point that he is trying to get across is that the Session ID's don't expire, and can be reused indefinitely. A simple "fix" would be to expire the Session ID's upon logout/dc.
Is this some kind of joke? If the authenticator was a strong measure of security, it would aid in preventing both. People would expect SE to fix this issue because they expect their security measures to be kept up to par. If you can fault the user for accidentally getting a virus, then you can certainly fault SE for providing sloppy security options, considering they should have people who are hired to know what they are doing.
Last edited by Bufkus; 10-12-2013 at 12:33 AM.


Hey OP guess what.... tried to duplicate your test, it doesn't work. The session ID expires as soon as I logged out. Neither me nor a friend of mine who is an IT/programmer were able to reuse it. As the message was given that that session ID is no longer active. As well he tried it while I was logged in to test your second claim. Again the message was given that the ID is currently in use and that he DOES NOT have the rights to use it, let alone log in while I play. Only thing you prove in your OP is that you happily give out your account info despite it being a bad idea. If you have taken the time to set up your PC security, and SE account security, if anyone who is not on your PC tries to log in... your account should get locked until you unlock it.


See that's what happened when I originally tried and the basis for my earlier comment about it not working. I even recorded video of it and was like "the f...."
This begs the question... Is it against the ToS to multiclient/multibox from the same account?
Ok I want to make a pause here, we are all speculating ourselves since we can't really prove what is happening, some say this is possible to re-use some others say it's not. Other people are bringing up to light the issue about logging in multiple times on the same account, which is another matter of great importance.
And for those who say, if you got infected it's your fault, please if you're not going to add anything productive just stand back and keep it to yourself, a lot of people don't know how to protect themselves or what security preventive measures to adopt, and on top of that, you are always vulnerable, it's just that by keeping some basic measures you can reduce the risk chances a lot. Anyway, please if you do know so much, enlighten the others with your knowledge.
And again, it doesn't matter if the user got infected by their own doing, it still doesn't justify SE not doing what they can to prevent and help all these situations. After all it's their service and their business, if they don't help taking care of their customers, there wouldn't be much of a service anymore. SE should implement every reasonable security measure they can in order to make this a more secure environment.
Being a moderate in all things (and therefore a very boring person), I think people are taking things a little too far here. This is a problem that does need to be fixed, but only because all security vulnerabilities should be patched as soon as possible. As far as vulnerabilities go, though, this one is not as bad as it first seems. It's been mentioned already several times by people more well informed on the subject than me, but Man in the Middle attacks will still be a threat even if SIDs expired and were 100% secure. This vulnerability is predicated on the client machine being infected by malware, something that is always a danger.
On that topic, if you'll excuse the hyperbolic comparison, internet security is like going to a war torn region of the world. Is it your fault that someone shot you? No, it's their fault. But is it your fault that you got hurt because you weren't wearing a bullet proof vest? Well, yeah, sort of. Everyone needs to take some responsibility for their own safety when using the internet. SE need to take responsibility for making the environment as safe as possible, but that does not exonerate you from your individual responsibility to preserve your own safety.
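
Added example (not written by any poster in this thread and not Square Enix's code): a minimal server-side session table showing the fix discussed above, where a session ID stops working at logout, after an idle period, and after a maximum lifetime, so a copied SID cannot be reused indefinitely. The class name, the timeout values and the sample user are assumptions made for illustration.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # assumed value: seconds of inactivity allowed
ABSOLUTE_TIMEOUT = 12 * 3600  # assumed value: maximum lifetime of any session

class SessionStore:
    """Server-side session table; the SID is only a random lookup key."""
    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}  # sid -> {"user", "created", "last_seen"}

    def login(self, user):
        sid, now = secrets.token_urlsafe(32), self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def validate(self, sid):
        """Return the user for a live SID, or None if unknown or expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if (now - s["last_seen"] > IDLE_TIMEOUT
                or now - s["created"] > ABSOLUTE_TIMEOUT):
            del self._sessions[sid]  # expired: forget it server-side
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, sid):
        self._sessions.pop(sid, None)  # logout/disconnect kills the SID

def demo():
    """Constructed scenario driven by a fake clock so it runs instantly."""
    t = [0.0]
    store, out = SessionStore(clock=lambda: t[0]), {}
    sid = store.login("player1")
    copied = sid                      # a copy of the SID held elsewhere
    out["live"] = store.validate(copied)
    store.logout(sid)
    out["after_logout"] = store.validate(copied)
    sid2 = store.login("player1")
    t[0] += IDLE_TIMEOUT + 1          # no activity past the idle limit
    out["after_idle"] = store.validate(sid2)
    sid3 = store.login("player1")
    for _ in range(ABSOLUTE_TIMEOUT // 600 + 1):  # active every 10 minutes
        t[0] += 600
        out["after_absolute"] = store.validate(sid3)
    return out
```

The absolute timeout is what bounds a SID that is kept alive by regular use; the idle timeout alone would never expire it.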




