  1. #21
    Impulse | Player | Join Date: Mar 2011 | Location: Gridania | Posts: 346 | Character: Dashe Voln | World: Excalibur | Main Class: Monk Lv 100
    Quote Originally Posted by Ziyyigo-Tipyigo View Post
    Yes, but for that you actually have to actually get a plane ticket from China and do it one at a time.

    1.) Publish a Super Happy Awesome Funtime XIV app that XIV players would be likely to download. Say it shows a /panic dancing Lalafell every hour, on the hour.

    2.) While you're d'awwww-ing over said Lalafell, said Super Happy Awesome Funtime XIV app copies the keys from your onetime password app and sends them to the mothership in China.

    3.) OK, they'd also need other login information. Conveniently enough, Super Happy Awesome Funtime XIV app will prompt you for some information about your account and character, to "personalize" your dancing Lalafell experience; this too will be sent back to the Chinese mothership.

    Multiply this by however many users would fall for this. Lather, rinse, repeat, profit.

    Meanwhile, your keychain device has only one input interface (the button) and one output (the screen).
    If a person is stupid enough to give away their login details like that, I'd say let virtual Darwinism take its course. They'd be hacked with or without the authenticator (physical or mobile) in that case, especially if the person on the receiving end of the info were on top of their game with a 10 minute leniency. Codes expire after a short amount of time whether they are used or not.

    Never had an issue with BNet's, didn't have an issue with TOR's equivalent in the short time I played that. If you get hacked with one of these attached to your account, you can almost guarantee that it's your own fault.
    (5)
    Last edited by Impulse; 04-19-2012 at 01:08 AM.

    XI: Shadowtaru (Alexander) Manifest (Shiva) Volnaru (Asura)
    1.0: Delirium Impulse (Mysidia Gungnir)
    ARR: Dashe Herate (Sargatanas) Dashe Voln (Excalibur)

  2. #22
    Delsus | Player | Join Date: Mar 2011 | Location: Ul'dah, where else? | Posts: 3,697 | Character: Delsus Highwind | World: Odin | Main Class: Red Mage Lv 86
    Quote Originally Posted by Ziyyigo-Tipyigo View Post
    The phone that is able to download an app is by definition online and therefore can be hacked/compromised/etc. Your keychain can't.

    Never underestimate the security of an air gap.
    If it's just an authenticator app they use, it has no connection to your SE account except the OTP, which changes every 30s; they have one part of the puzzle of hacking your account if they gained access to your phone.

    They would need to find out what PC you access FFXIV from, then put a keylogger on it for your SE id and pass, then hack your phone for the OTP; the likelihood of getting access to both of these devices is unlikely.

    If RMT (usual account hackers) wanted to go through this they would be completely blind; they would have to hack every smartphone until they find an FFXIV app, but an OTP is useless without the user id and pass.

    Someone also said that smartphones are more vulnerable to attack because of lack of security, but smartphones have a lot of security software available, and at least Android has protection in the framework in that if an app doesn't have permission to access certain features it cannot; for example, if the FFXIV app doesn't need network access it can never be manipulated to access the internet.
    (2)

  3. #23
    Player | Join Date: Jun 2011 | Posts: 108
    Quote Originally Posted by Impulse View Post
    If a person is stupid enough to give away their login details like that, I'd say let virtual Darwinism take its course.
    I'd wager most people reading this have given their email password to Facebook.

    Fine, we'll add another step:

    0.) Super Happy Awesome Funtime XIV app claims to be from S-E themselves. People don't know the difference; they got to the download site through a QR code.

    You don't protect yourself from social engineering by assuming you're immune to social engineering.
    (0)

  4. #24
    Player | Join Date: Jun 2011 | Posts: 108
    Quote Originally Posted by Delsus View Post
    but smartphones have a lot of security software available,
    "Available" is not the same as "in use."

    Quote Originally Posted by Delsus View Post
    if an app doesn't have permission to access certain features it cannot,
    Most people just click through the default settings.

    Quote Originally Posted by Delsus View Post
    example if the FFXIV app doesn't need network access it can never be manipulated to access the internet.
    Super Happy Awesome Funtime XIV app will use your own character for the hourly /panic dance show if you just give it your login info! Be the first kid on your block!

    Sure, such a phone app is (probably) better than nothing (for now). But it cannot and will never be as secure as something you'd need a screwdriver and soldering iron to get inside of.
    (0)

  5. #25
    Ruisu | Player | Join Date: Jul 2011 | Location: Ul'Dah | Posts: 1,164 | Character: Rui Oran | World: Faerie | Main Class: Pugilist Lv 76
    I'd like this.

    For some reason, my one time password that came with the stupid CE of FFXIV doesn't work, so it's more of a collector's item than anything. Kinda shitty, but I'd like to have something to keep my account safer. I just can't imagine what would happen if I lost my phone.
    (0)

  6. #26
    Player | Join Date: Mar 2011 | Location: Uldah | Posts: 322
    Quote Originally Posted by Ziyyigo-Tipyigo View Post
    "Available" is not the same as "in use."

    Most people just click through the default settings.

    Super Happy Awesome Funtime XIV app will use your own character for the hourly /panic dance show if you just give it your login info! Be the first kid on your block!

    Sure, such a phone app is (probably) better than nothing (for now). But it cannot and will never be as secure as something you'd need a screwdriver and soldering iron to get inside of.
    *posted from my 6x6 concrete bunker 100 feet underground surrounded by 3 inch lead shielding and a Faraday cage. Tinfoil hat at the dry-cleaner.*
    (6)
    Quote Originally Posted by KiriA500
    Protip: An 8 hour nap is just called sleeping.

  7. #27
    Delsus | Player | Join Date: Mar 2011 | Location: Ul'dah, where else? | Posts: 3,697 | Character: Delsus Highwind | World: Odin | Main Class: Red Mage Lv 86
    Quote Originally Posted by Ziyyigo-Tipyigo View Post
    "Available" is not the same as "in use."
    Their own fault, especially if they buy the rip-off Norton/McAfee etc. that come with a free code for their smartphone security. I personally use Lookout and have had no problems with malicious apps. These people that don't use security software are probably the people that don't have anti-malware on their PCs except an out-of-date Norton trial and Windows Defender.

    Most people just click through the default settings.
    It's not a setting, it's how Android works: each app is basically run in its own user account, and that user account has permissions like any user account, for example access to personal information, network access, services that cost you money, etc. There is (as far as I am aware) no way to possibly access things your app does not have permission to access.

    When you download an app there is a list of permissions it asks for, and you check this list and question it: why does a dancing lalafell app need network access if it says ad free in the description? Why does it need to access my personal information? Why does it need this, that and the other? If there is doubt in your mind you don't download it. I also think there is a permission to view installed apps, which Super Happy Awesome Funtime XIV does not need, therefore I would never download it.

    Super Happy Awesome Funtime XIV app will use your own character for the hourly /panic dance show if you just give it your login info! Be the first kid on your block!
    Yeah, anyone who would do that deserves to be hacked, absolutely anyone; they would know that little about computers they would struggle to install FFXIV, never mind play it.

    Sure, such a phone app is (probably) better than nothing (for now). But it cannot and will never be as secure as something you'd need a screwdriver and soldering iron to get inside of.
    Let's not forget iPhone (I don't use one so my knowledge is limited): iTunes heavily vets apps for any form of malware. While there have been apps that have got round this before now, something like this will flag up instantly: "oh, the code is asking for xxx app, let's install this and see what happens, it's suddenly using the internet, what's it doing... OK, it's a Trojan, it cannot go on iTunes".
    (2)

  8. #28
    Impulse | Player | Join Date: Mar 2011 | Location: Gridania | Posts: 346 | Character: Dashe Voln | World: Excalibur | Main Class: Monk Lv 100
    Quote Originally Posted by Ziyyigo-Tipyigo View Post
    I'd wager most people reading this have given their email password to Facebook.

    Fine, we'll add another step:

    0.) Super Happy Awesome Funtime XIV app claims to be from S-E themselves. People don't know the difference; they got to the download site through a QR code.

    You don't protect yourself from social engineering by assuming you're immune to social engineering.
    As far as Apple's Appstore goes, SE is in there as a developer. Good luck getting their name to show up above your shoddy app.
    Android's marketplace is just a mess as it is, so I won't even get into that.

    Either way, we're talking about a piece of software that has no idea what account it is attached to. The only connection is your SE account having the authenticator's serial number attached to it as well as the algorithm that goes with code generation.
    (2)

    XI: Shadowtaru (Alexander) Manifest (Shiva) Volnaru (Asura)
    1.0: Delirium Impulse (Mysidia Gungnir)
    ARR: Dashe Herate (Sargatanas) Dashe Voln (Excalibur)

  9. #29
    Delsus | Player | Join Date: Mar 2011 | Location: Ul'dah, where else? | Posts: 3,697 | Character: Delsus Highwind | World: Odin | Main Class: Red Mage Lv 86
    Quote Originally Posted by BrusselSprout View Post
    *posted from my 6x6 concrete bunker 100 feet underground surrounded by 3 inch lead shielding and a Faraday cage. Tinfoil hat at the dry-cleaner.*
    Let me phone my friends in Worms land to borrow a Bunker Buster
    (2)

  10. #30
    Player | Join Date: Mar 2011 | Location: Uldah | Posts: 322
    Quote Originally Posted by Delsus View Post
    Let me phone my friends in Worms land to borrow a Bunker Buster
    (3)
    Quote Originally Posted by KiriA500
    Protip: An 8 hour nap is just called sleeping.
