Security Tokens/Authenticators are useless; SE needs to fix this immediately.

[M4Fade]

And don't give us the "memory limitations" or "server resources" excuse.

This. LOL.

There really needs to be some meme's regarding these phrases.

[Ranebow]

Am I the only one who thinks that some of the companies SE outsourced their programming to are in cahoots with RMT sites? There seem to be a TON of obvious backdoors. It's very strange that the RMTs were able to almost immediately take over the economy.

No, and it goes hand in hand with my conspiracy theory that MMO developers intentionally design features/items into the games that are meant to be a commodity, of which become so desired that they fuel RMT practices.
They may ban thousands of accounts, but they still made money off it.

[Lisotte]

This. LOL.

There really needs to be some meme's regarding these phrases.

It's the new ps2 limitations

[Runoff]

Spotted this yesterday scary if someone plays from Internet Café as im sure Admins can watch processes on each PC in realtime from behind counter.
Was also something about using Process ID details on account that has one time token and it puts you on a Strange JP account.

[Flarestar]

The fix is simple. All SE needs to do is encrypt the session data. And don't give us the "memory limitations" or "server resources" excuse. Encrypting the session data generates a negligible amount of overhead.

Am I the only one who thinks that some of the companies SE outsourced their programming to are in cahoots with RMT sites? There seem to be a TON of obvious backdoors. It's very strange that the RMTs were able to almost immediately take over the economy.

Um. Encrypting the session data is fine but does nothing against MITM attacks.

The second part of the fix is making the one-time use code expire properly. Those codes should NOT stay valid for more than a very, very brief time window. That's how you protect against MITM. It's still not foolproof if they're fast enough, but it drastically cuts down on your vulnerability.

Edit - Also IP binding. That's spoofable, particularly if you already have a MITM situation, but it at least helps.

[Alhanelem]

Can someone post a translation of this on the JP forums? We're already determined that the devs don't read our stuff

this is false. Keep telling yourself it's true though

[Pellegri]

this is false. Keep telling yourself it's true though

Ask Reinhart just how much more gets posted in the JP threads from the devs than the English ones, looking over everything he's translated we get about 1 post for every 3 they get even though we have the exact same topics over here(some of which are just as high profile to all countries and not just Japan).

Keep telling yourself though that they don't have extreme favoritism when it comes to the home country of the game even though the playerbase outside of Japan composes atleast 60% of actual players.

[Eekiki]

this is false. Keep telling yourself it's true though

Hard not to when I've seen it with my own eyes.

[LordSideKicks]

BUT at least the one time password keeps ppl who played WoW and LoL with the same ID and password safe. It is still useful to a certain extent. Of coz SE still has to do something on the lack of security. We are so exposed!

Oh wait I saw this instead
http://www.reddit.com/r/ffxiv/commen...s_are_useless/


So which is real?

[TheRac25]

BUT at least the one time password keeps ppl who played WoW and LoL with the same ID and password safe. It is still useful to a certain extent. Of coz SE still has to do something on the lack of security. We are so exposed!

Oh wait I saw this instead
http://www.reddit.com/r/ffxiv/commen...s_are_useless/


So which is real?

whats real is once someone has this "key" they can logon to your account and do whatever they want on your charactors, even if you have a token
getting the key is as simple as using any number of methods "check out this sweet xiv_parser.exe or mining_bot.exe" or some browser flash/java exploits