Security Tokens/Authenticators are useless; SE needs to fix this immediately.

[Kosmos992k]

Basically, security-wise, it's not possible for SE to secure the client machine (or PS3.) If someone already has a rootkit on that system, absolutely nothing is going to stop the account from being stolen if that's specifically what they're looking for. The Authenticator is only "worthless" in this sense because the machine itself is worthless.

Securing the PS3 is not a major issue, The only systems which can be rooted are the ones already rooted by their owners, and PSN periodically updates itself to prevent folks with hacked consoles participating in PSN, so their authentication will typically take care of that. In any event there is a dearth of 3rd party malware that does anything to a PS3 rooted or otherwise.

[Annah]

I don't think posting the thread was the right thing to do OP. There are channels you should have used to report it directly to SE (and by that I don't mean the bug report forums but the ingame "contact us" -> "report a bug" form in the game helpdesk.)

he did. That's why he posted it here. The thing is, the DEVs and GMs do not even read those reports...the DEV here even said they didn't last week.

[Soukyuu]

he did. That's why he posted it here. The thing is, the DEVs and GMs do not even read those reports...the DEV here even said they didn't last week.

You're several pages late, someone told me he did already. Also the devs don't post here, only community reps. And what they said is that they don't provide replies, not that they don't read the reports.

[Claire_Farron]

In this thread people who can't potato.

[Jess72]

What I don't understand is this part..

I was able to give only an old, supposed to be expired, session ID to a friend and they were able to log into my account and characters from an entirely different location in the world. I did not provide an account name, password, or one time password.

How exactly did his friend log into the account without account name and password?

[Ticktick]

What I don't understand is this part..

I was able to give only an old, supposed to be expired, session ID to a friend and they were able to log into my account and characters from an entirely different location in the world. I did not provide an account name, password, or one time password.

How exactly did his friend log into the account without account name and password?

the session id is tied to the account, so if you have the session ID, it thinks you're the other person.

[Cienna]

What I don't understand is this part..

How exactly did his friend log into the account without account name & password?

Using the session ID & the command line, you login without the launcher, thus no password, account name or token needed- just the session ID.
http://forum.square-enix.com/ffxiv/t...=1#post1390622

That is where the session ID comes into play. The launcher invokes the game client by executing ffxiv.exe with extra command line parameters. It appends DEV.TestSID=xxxx, where xxx is the session ID, to the launch command. Here is the issue with that. That session ID is now plainly visible with any basic process inspector such as Microsoft's Process Explorer. This means it is incredibly easy for any virus that is on the computer to obtain the information. This also means it is possible to bypass the launcher to load the game client by just repeating the same command at the command line.

[Soukyuu]

An interesting thing I noticed since the latest patch is that now I am getting a 90k error followed by "authentification failed" one, forcing me to close the client. I seem to not be the only one, see discussion thread here.

The reason why I'm posting here is, does anyone think they might have implemented a session ID timeout but it's not working as intended? The timespan between those kicks seems to be around 4 hours for me. Maybe the session expires despite having a valid connection?

[illriginalized]

SE you need to fix this. This is a freaking security hole.

[Devourn]

Yeah, good luck with getting an official support response. All I ever see are Forum Moderators apologizing for their ineptitude.