  1. #1
    Player
    Delsus's Avatar
    Join Date
    Mar 2011
    Location
    Ul'dah, where else?
    Posts
    3,697
    Character
    Delsus Highwind
    World
    Odin
    Main Class
    Red Mage Lv 86
    Quote Originally Posted by Ziyyigo-Tipyigo View Post
    The phone that is able to download an app is by definition online and therefore can be hacked/compromised/etc. Your keychain can't.

    Never underestimate the security of an air gap.
    If it's just an authenticator app they use it has no connection to your SE account except the OTP which changes every 30s, they have one part of the puzzle of hacking your account if they gained access to your phone.

    They would need to find out what PC you access FFXIV from, then put a keylogger on it for your SE id and pass, then hack your phone for the OTP, the likelihood of getting access to both of these devices is unlikely.

    If RMT (usual account hackers) wanted to go through this they would be completely blind, they would have to hack every smartphone until they find an FFXIV app, but an OTP is useless without the user id and pass.

    Someone also said that smartphones are more vulnerable to attack because of lack of security, but smartphones have a lot of security software available, and at least Android has protection in the framework in that if an app doesn't have permission to access certain features it cannot, example if the FFXIV app doesn't need network access it can never be manipulated to access the internet.
    (2)

  2. #2
    Player

    Join Date
    Jun 2011
    Posts
    108
    Quote Originally Posted by Delsus View Post
    but smartphones have a lot of security software available,
    "Available" is not the same as "in use."

    Quote Originally Posted by Delsus View Post
    if an app doesn't have permission to access certain features it cannot,
    Most people just click through the default settings.

    Quote Originally Posted by Delsus View Post
    example if the FFXIV app doesn't need network access it can never be manipulated to access the internet.
    Super Happy Awesome Funtime XIV app will use your own character for the hourly /panic dance show if you just give it your login info! Be the first kid on your block!

    Sure, such a phone app is (probably) better than nothing (for now). But it cannot and will never be as secure as something you'd need a screwdriver and soldering iron to get inside of.
    (0)

  3. #3
    Player

    Join Date
    Mar 2011
    Location
    Uldah
    Posts
    322
    Quote Originally Posted by Ziyyigo-Tipyigo View Post
    "Available" is not the same as "in use."



    Most people just click through the default settings.



    Super Happy Awesome Funtime XIV app will use your own character for the hourly /panic dance show if you just give it your login info! Be the first kid on your block!

    Sure, such a phone app is (probably) better than nothing (for now). But it cannot and will never be as secure as something you'd need a screwdriver and soldering iron to get inside of.
    *posted from my 6x6 concrete bunker 100 feet underground surrounded by 3 inch lead shielding and a Faraday cage. Tinfoil hat at the dry-cleaner.*
    (6)
    Quote Originally Posted by KiriA500
    Protip: An 8 hour nap is just called sleeping.

  4. #4
    Player
    Delsus's Avatar
    Join Date
    Mar 2011
    Location
    Ul'dah, where else?
    Posts
    3,697
    Character
    Delsus Highwind
    World
    Odin
    Main Class
    Red Mage Lv 86
    Quote Originally Posted by BrusselSprout View Post
    *posted from my 6x6 concrete bunker 100 feet underground surrounded by 3 inch lead shielding and a Faraday cage. Tinfoil hat at the dry-cleaner.*
    Let me phone my friends in Worms land to borrow a Bunker Buster
    (2)

  5. #5
    Player

    Join Date
    Mar 2011
    Location
    Uldah
    Posts
    322
    Quote Originally Posted by Delsus View Post
    Let me phone my friends in Worms land to borrow a Bunker Buster
    (3)
    Quote Originally Posted by KiriA500
    Protip: An 8 hour nap is just called sleeping.

  6. #6
    Player
    Delsus's Avatar
    Join Date
    Mar 2011
    Location
    Ul'dah, where else?
    Posts
    3,697
    Character
    Delsus Highwind
    World
    Odin
    Main Class
    Red Mage Lv 86
    Quote Originally Posted by Ziyyigo-Tipyigo View Post
    "Available" is not the same as "in use."
    Their own fault, especially if they buy the rip off Norton/McAfee etc that come with a free code for their smartphone security, I personally use Lookout and have had no problems with malicious apps. These people that don't use security software are probably the people that don't have anti-malware on their PCs except an out of date Norton trial and Windows Defender.

    Most people just click through the default settings.
    It's not a setting, it's how Android works, each app is basically run in its own user account, that user account has permissions like any user account, for example access personal information, network access, services that cost you money etc etc there is (as far as I am aware) no way to possibly access things your app does not have permission to access.

    When you download an app there is a list of permissions it asks for, and you check this list and question it, why does a dancing lalafell app need network access if it says ad free in the description? Why does it need to access my personal information? Why does it need this that and the other, if there is doubt in your mind you don't download it. I also think there is a permission to view installed apps, which Super Happy Awesome Funtime XIV does not need, therefore I would never download it.

    Super Happy Awesome Funtime XIV app will use your own character for the hourly /panic dance show if you just give it your login info! Be the first kid on your block!
    Yeah anyone who would do that deserves to be hacked, absolutely anyone, they would know that little about computers they would struggle to install FFXIV never mind play it.

    Sure, such a phone app is (probably) better than nothing (for now). But it cannot and will never be as secure as something you'd need a screwdriver and soldering iron to get inside of.
    Let's not forget iPhone (I don't use one so my knowledge is limited) iTunes heavily vets apps for any form of malware, while there have been apps that have got round this before now, something like this will flag up instantly "oh the code is asking for xxx app, let's install this and see what happens, it's suddenly using the internet, what's it doing... OK, it's a Trojan, it cannot go on iTunes".
    (2)

  7. #7
    Player

    Join Date
    Jun 2011
    Posts
    108
    Quote Originally Posted by Delsus View Post
    Yeah anyone who would do that deserves to be hacked, absolutely anyone, they would know that little about computers they would struggle to install FFXIV never mind play it.
    OK, then you, personally, don't fall for it. But enough people will that the game economy will crash and playing XIV will feel like XI before the Special Task Force, thus ruining your gaming experience regardless of your savvy.

    People fall for these ruses all the time. Attackers keep doing it because it keeps working spectacularly, and the rewards always far outweigh the effort. S-E had to implement the Special Task Force and push these security fobs on us because far too many people weren't as secure as they thought they were. And, if given half a chance, the RMTs will do their best to make it happen all over again. Going from a security measure that is completely out-of-band to one that is more connected is a step in the wrong direction.

    Just because you haven't heard a peep from the Cylons for a few decades doesn't mean it's OK to let the leggy blonde have access to the mainframe.

    And if you really are a super-1337 hax0r posting from behind 7 proxies who doesn't have to worry about these risks, why are you even using the token to begin with? It's not mandatory.
    (0)

  8. #8
    Player
    Delsus's Avatar
    Join Date
    Mar 2011
    Location
    Ul'dah, where else?
    Posts
    3,697
    Character
    Delsus Highwind
    World
    Odin
    Main Class
    Red Mage Lv 86
    Quote Originally Posted by Ziyyigo-Tipyigo View Post
    OK, then you, personally, don't fall for it. But enough people will that the game economy will crash and playing XIV will feel like XI before the Special Task Force, thus ruining your gaming experience regardless of your savvy.

    People fall for these ruses all the time. Attackers keep doing it because it keeps working spectacularly, and the rewards always far outweigh the effort. S-E had to implement the Special Task Force and push these security fobs on us because far too many people weren't as secure as they thought they were. And, if given half a chance, the RMTs will do their best to make it happen all over again. Going from a security measure that is completely out-of-band to one that is more connected is a step in the wrong direction.

    Just because you haven't heard a peep from the Cylons for a few decades doesn't mean it's OK to let the leggy blonde have access to the mainframe.

    And if you really are a super-1337 hax0r posting from behind 7 proxies who doesn't have to worry about these risks, why are you even using the token to begin with? It's not mandatory.
    It works on uneducated people, at school I hardly learned about the possible attacks on PCs, I am interested in computers so I researched them myself, people who haven't learned about them fall for it, but I believe this type of education is standard in schools now because of the risk in it all.

    The main people to fall for this sort of "ohai gimme your login details" emails are pensioners, because they are for the most part completely uneducated, the main way of getting login information is because people download programs which contain keyloggers, the standard phishing is going down because people are not falling for it as much as they used to.

    Normal common sense and anti-malware are gradually winning and hackers are forced to revert to other methods.

    And I don't hide behind 7 proxies, I have anti-virus, anti-spyware and a software firewall, when I get the money I may get a decent hardware firewall as well, but not right now.

    I am educated, I know what the risks are and I try to prevent those risks, as of today I have never had a security breach on my laptop or phone and hopefully I never will, if I do I will get rid of it as soon as it's detected.
    (0)
    Last edited by Delsus; 04-19-2012 at 04:42 AM.

  9. #9
    Player
    Delsus's Avatar
    Join Date
    Mar 2011
    Location
    Ul'dah, where else?
    Posts
    3,697
    Character
    Delsus Highwind
    World
    Odin
    Main Class
    Red Mage Lv 86
    Quote Originally Posted by Ziyyigo-Tipyigo View Post
    "Available" is not the same as "in use."



    Most people just click through the default settings.



    Super Happy Awesome Funtime XIV app will use your own character for the hourly /panic dance show if you just give it your login info! Be the first kid on your block!

    Sure, such a phone app is (probably) better than nothing (for now). But it cannot and will never be as secure as something you'd need a screwdriver and soldering iron to get inside of.
    Oh oh, I know, what if Super Happy Funtime XIV has access to GPS and some RMT guys come to your house and steal your authenticator and beat your user id and pass out of you, seems like the key fob isn't as secure as you think with that app.
    (2)