Page 1 of 3
Results 1 to 10 of 26
  1. #1
    Player
    Endy's Avatar
    Join Date
    Sep 2013
    Posts
    27
    Character
    Willow T'aegis
    World
    Balmung
    Main Class
    Lancer Lv 34

    PSA: Real Money Traders and Account Security

    INTRODUCTION

    Hello all. This is a public service announcement from a professional IT technician, concerning the rampant rise of Real Money Traders (referred to hereafter as RMT) currently spamming shout channels and tell-messaging players. The purpose of this post is to give you, the players, information on how you can help prevent your account from being hacked, exploited, or otherwise wrested from your control by malicious RMTs.



    HOW IS THIS HAPPENING?

    Account hacking or hijacking typically happens one of two ways in today's computing world: phishing, which is the act of stealing personal information such as passwords and username accounts through fraudulent websites; and password cracking, in which specialized programs are used to forcefully guess a password based on alphanumeric keyboard input. We will speak about the risks of both of these methods, as well as how to mitigate these risks.



    PHISHING FOR DUMMIES

    Phishing usually occurs through email, and sometimes through website impersonation. The general idea behind email phishing is to con a user into giving the scammer access to their username, password, secret questions and answers, and so forth. Usually, they'll include a message about how your account is at risk of being banned for malicious activity or deactivated due to inactivity, or some other story to get you to provide details.

    Square Enix (or any legitimate company, for that matter) will NEVER ask you for your account details or tell you to use them in an email message. EVER. The only place you should ever supply your credentials is the site you created the account at. Do not click on links to get to the site; whenever possible, either type out the site address (being certain to check for typos, as many scam sites will use addresses similar to the original) or use a bookmark for the known-good address. Likewise, if you receive an email telling you there is a problem with your account, you may email the help desk. Include screenshots or the content of the email.

    On the subject of fraudulent websites, many RMT sites can infect your computer with keyloggers and other potentially compromising badware through JavaScript or Flash-based content without you ever realizing such things have been installed. If you use Firefox, I highly recommend downloading and learning to configure NoScript and Adblock Plus. NoScript prevents the display and execution of JavaScript on webpages unless you tell it to allow that domain. Adblock Plus does the same for Flash-based programming and banners. If you use Chrome, Adblock Plus is available for it as well, though you may need to find a substitute for NoScript. Knowing which websites are likely fraudulent is always the best security, but these browser add-ons can save your bacon if you make a mistake.



    PASSWORD CRACKING

    When choosing your password, you will often be told to use as complex a password as possible, such as including numbers or special symbols. This is terrible advice, as unless you have someone hovering over your shoulder as you input your password, guessing will not be your concern. The truth is that cracking programs take into account every possible character that can be used and input on a keyboard, so the complexity of a password is meaningless. In addition, complex passwords are difficult to remember and change, so you run the risk of having to reset your password more frequently.

    In today's computing world, few malicious users bother with guessing passwords. Instead, they use what are known as "brute force methods" to attempt to run as many password possibilities as possible. Modern computers are capable of going through hundreds of password attempts a second, and the programs used to accomplish this are very easily found.

    The best way to protect an account from a brute force method attack is to have a longer password. Every character added to the length of a password exponentially increases the amount of time a password cracker needs to come to the right answer. Passwords between 6-8 characters can take mere days to crack. A password of 20 characters? Months. Longer? Years. The password needn't be complex; a string of easy-to-remember words makes for a good password because it can be easily remembered, and the length of the password greatly reduces the risk of being cracked. A good example might be, "thisisthedaymotherwasbornjan31".

    Remember, RMTs are looking for quick bucks; they won't hang around years trying to bust one or two account passwords. Longer passwords are good for personal security and as deterrents, and are much easier to memorize and change.



    BUT THE SERVERS WON'T LET YOU REPEATEDLY SPAM PASSWORD ATTEMPTS!

    The sad truth of the world of network security is this: There is no security that cannot be circumvented. If someone really wanted to get at your account, they eventually will if you ignore them. However, more than 99.9% of the time, this will not be the case, as hackers rarely want to wait to crack your account. They want instant gratification, the easy hack, the easy script. If you practice good security, use the tools available (such as the One-Time Passwords offered by Square Enix), and make sure to change your password regularly, you will likely never have to worry about being compromised.

    Please, for your own good as well as this game's, practice good security. Thank you.



    PASSWORD REPETITION

    It has been brought to my attention by an attentive poster that one of the biggest dangers to account security is the repetition of passwords. In general, you do not want to use the same password for multiple accounts at multiple websites, emails, or any other place you might need one. The reason for this is simple; more often than not, when they gain access to your account via password cracking or through phishing, they also gain access to your contact details. Like your email. And should that be secured with the same password, they now have password reset access to most every other account tied to that email (security questions aside, but not every place uses those). Just like that, a swath of destruction and possible loss of money, the banning of multiple accounts, and the risk of exposing anyone you know to the same phishing schemes that originally targeted your account.

    For this reason, it's important to not use the same password for all accounts and websites. Even though it can be difficult to track multiple passwords this way (my roommate uses multiple passwords and forgets them on a regular basis), there are ways you can aid yourself. Keep a list in your wallet without noting what each is for (just seeing a familiar password is often enough to jog memories). Make use of a password organizer program (personally not recommended due to centralization, but what can you do). This could lead to the difference between having one account compromised, and having all of them.


    EDIT 9/07/2013: Added details on recommended browser add-ons and fraudulent websites.

    EDIT 9/09/2013: Added details on password repetition, courtesy of Elcien.
    Last edited by Endy; 09-10-2013 at 01:17 AM.
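The "check the address for typos" advice in the PHISHING section, as an added example that is not part of the original post: a small Python check that does by code what the post asks you to do by eye. It extracts the host from a URL, compares it against an allowlist of known-good login hosts, and flags lookalikes of three kinds: a typo-distance neighbour of the real domain, the real domain embedded as a subdomain of someone else's registration, and non-ASCII or punycode labels that can hide homoglyphs. The allowlist hosts (`login.example-game.com`, `account.example-game.com`) and the sample URLs are placeholders constructed for illustration, not Square Enix addresses.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist: the one site where you created the account. Substitute the
# login host you bookmarked; these names are placeholders for illustration only.
KNOWN_GOOD_HOSTS = {"login.example-game.com", "account.example-game.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def hostname(url: str) -> str:
    """Lowercase host of a URL, as the browser would resolve it (scheme optional)."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def registered_domain(host: str) -> str:
    """Approximate registrable domain as the last two labels. No public-suffix list is
    consulted, so multi-part suffixes such as co.uk are not handled here."""
    return ".".join(host.split(".")[-2:])


def classify_url(url: str, allowlist=KNOWN_GOOD_HOSTS) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the host of url."""
    host = hostname(url)
    good_domains = {registered_domain(h) for h in allowlist}
    if host in allowlist or registered_domain(host) in good_domains:
        return "trusted"
    # A non-ASCII or punycode label can hide a homoglyph (Cyrillic 'а' for Latin 'a').
    if any(ord(c) > 127 for c in host) or "xn--" in host:
        return "lookalike"
    labels = host.split(".")
    for good in good_domains:
        good_labels = good.split(".")
        # The real domain used as a subdomain of an attacker-controlled registration,
        # e.g. example-game.com.account-verify.example
        for i in range(len(labels) - len(good_labels) + 1):
            if labels[i:i + len(good_labels)] == good_labels:
                return "lookalike"
        # A domain within two edits of the real one (example-gane.com, examp1e-game.com).
        if edit_distance(registered_domain(host), good) <= 2:
            return "lookalike"
    return "unknown"


# Constructed sample links of the kind a phishing mail might carry.
SAMPLE_URLS = [
    "https://login.example-game.com/account/login",
    "http://login.example-gane.com/login",
    "https://example-game.com.account-verify.example/login",
    "https://login.ex\u0430mple-game.com/",   # Cyrillic 'а' in 'example'
    "https://example.org/",
]


def check_all(urls=SAMPLE_URLS) -> dict:
    """Map each URL to its verdict."""
    return {u: classify_url(u) for u in urls}


if __name__ == "__main__":
    for url, verdict in check_all().items():
        print(f"{verdict:9s} {url}")
```

Only "trusted" means the link goes where the bookmark goes; "unknown" is not an endorsement, merely a host that resembles nothing on the allowlist. The two-label approximation of the registrable domain is the weak spot of this check and is where a real implementation would consult the public suffix list.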
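The length-versus-complexity argument in the PASSWORD CRACKING section and the rate-limit question in the following section, worked through as an added example that is not part of the original post. The code computes the search space of a password in bits from its length and the character classes an attacker would have to cover, computes the smaller space a dictionary attack searches when the attacker knows a password is a run of common words, and converts both into expected cracking time at two assumed guess rates: a rate-limited online login endpoint and an offline attack on a stolen hash database. The guess rates (10/s and 10^9/s), the 20,000-word dictionary size and the comparison password "P@ssw0rd" are assumptions for illustration; the passphrase is the post's own example.

```python
import math

# Assumed guess rates for two attacker positions (illustrative figures, not from the post).
ONLINE_RATE = 10          # guesses/s against a login endpoint that throttles attempts
OFFLINE_RATE = 10 ** 9    # guesses/s against a stolen hash database with a fast hash

PUNCTUATION = 33          # printable ASCII characters that are neither letters nor digits


def alphabet_size(password: str) -> int:
    """Alphabet an attacker must search if they learn only which character classes appear."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += PUNCTUATION
    return size


def character_bits(password: str) -> float:
    """Search space in bits for a character-by-character brute force."""
    return len(password) * math.log2(alphabet_size(password))


def passphrase_bits(word_count: int, dictionary_size: int) -> float:
    """Search space if the attacker knows the password is word_count words from a list."""
    return word_count * math.log2(dictionary_size)


def expected_seconds(bits: float, rate: float) -> float:
    """Expected time to the right guess: on average half the space is searched."""
    return 2 ** (bits - 1) / rate


def human(seconds: float) -> str:
    """Round a duration to the largest convenient unit."""
    for name, size in (("years", 31_536_000), ("days", 86_400), ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.3g} {name}"
    return f"{seconds:.3g} seconds"


def report(password: str, words: int = 0, dictionary_size: int = 20_000) -> list:
    """Rows of (attack model, bits, online time, offline time) for one password."""
    rows = [("character brute force", character_bits(password))]
    if words:
        rows.append((f"{words}-word dictionary attack", passphrase_bits(words, dictionary_size)))
    return [
        (label, round(bits, 1),
         human(expected_seconds(bits, ONLINE_RATE)),
         human(expected_seconds(bits, OFFLINE_RATE)))
        for label, bits in rows
    ]


if __name__ == "__main__":
    # Assumed short "complex" password versus the post's long passphrase, which an attacker
    # who guesses the pattern can model as roughly eight common words plus a date fragment.
    for pw, words in (("P@ssw0rd", 0), ("thisisthedaymotherwasbornjan31", 8)):
        print(pw)
        for label, bits, online, offline in report(pw, words):
            print(f"  {label:26s} {bits:6.1f} bits  online: {online:>12s}  offline: {offline}")
```

Under these assumptions the eight-character password sits near 52 bits, which is decades of online guessing at ten attempts a second but a few weeks of offline guessing once a hash database has leaked; the thirty-character passphrase is around 155 bits by character search and still over 100 bits if the attacker knows it is made of dictionary words. The online column is why throttled logins blunt brute force, and the offline column is why length still matters for the case where the password database itself is stolen.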

  2. #2
    Player
    Thundaja's Avatar
    Join Date
    Aug 2013
    Location
    Ul'Dah
    Posts
    153
    Character
    Glacial Whisperwind
    World
    Leviathan
    Main Class
    Pugilist Lv 60
    Well said.

  3. #3
    Player
    Endy's Avatar
    Join Date
    Sep 2013
    Posts
    27
    Character
    Willow T'aegis
    World
    Balmung
    Main Class
    Lancer Lv 34
    Thank you.

  4. #4
    Player
    Eisah's Avatar
    Join Date
    Mar 2011
    Location
    Gridania
    Posts
    50
    Character
    Eisah Vakohler
    World
    Excalibur
    Main Class
    Lancer Lv 50
    Great advice. Especially about the having long passwords. I used one of those crackers once (not to hack anyone! I had a RAR file with a password I couldn't remember) and I could only imagine how long it would take for that thing to go through a 15 character long password.

  5. #5
    Player
    Derceto's Avatar
    Join Date
    Aug 2013
    Posts
    150
    Character
    Silvauna Skylar
    World
    Leviathan
    Main Class
    Thaumaturge Lv 90
    Nice post with some good info. Hopefully will help people make their accounts that much safer.

  6. #6
    Player
    Endy's Avatar
    Join Date
    Sep 2013
    Posts
    27
    Character
    Willow T'aegis
    World
    Balmung
    Main Class
    Lancer Lv 34
    I just hope these guidelines will make it harder for RMTs to get a foothold.

  7. #7
    Player
    Ormathon's Avatar
    Join Date
    Aug 2013
    Posts
    31
    Character
    Ormathon Coldshadow
    World
    Adamantoise
    Main Class
    Lancer Lv 50
    Sadly, people will still go and just take a peek at a gil seller site; that's also a super easy way to get your computer infected with keyloggers thanks to Flash/Java code.

  8. #8
    Player
    Endy's Avatar
    Join Date
    Sep 2013
    Posts
    27
    Character
    Willow T'aegis
    World
    Balmung
    Main Class
    Lancer Lv 34
    This is true, it's super important to practice good security when browsing the web. I recommend add-ons like NoScript and Adblock Plus. NoScript blocks JavaScript functions unless you trust and allow the web page, and Adblock prevents Flash-based content from doing the same. Between these and an up-to-date antivirus, you'll be pretty well protected.

  9. #9
    Player
    Endy's Avatar
    Join Date
    Sep 2013
    Posts
    27
    Character
    Willow T'aegis
    World
    Balmung
    Main Class
    Lancer Lv 34
    Bumping to keep information available.

  10. #10
    Player
    Ranebow's Avatar
    Join Date
    Feb 2013
    Posts
    104
    Character
    Justice Knight
    World
    Odin
    Main Class
    Gladiator Lv 32
    Endy wrote:
    HOW IS THIS HAPPENING?

    Account hacking or hijacking typically happens one of two ways in today's computing world: phishing, which is the act of stealing personal information such as passwords and username accounts through fraudulent websites; and password cracking, in which specialized programs are used to forcefully guess a password based on alphanumeric keyboard input. We will speak about the risks of both of these methods, as well as how to mitigate these risks.
    Which makes me wonder why on Earth they've forced us to use our in-game characters on the forums, where our name, server and other information is phishable.... I don't use the word 'derp' often, but really?

    Endy wrote:
    The sad truth of the world of network security is this: There is no security that cannot be circumvented. If someone really wanted to get at your account, they eventually will if you ignore them. However, more than 99.9% of the time, this will not be the case, as hackers rarely want to wait to crack your account. They want instant gratification, the easy hack, the easy script. If you practice good security, use the tools available (such as the One-Time Passwords offered by Square Enix), and make sure to change your password regularly, you will likely never have to worry about being compromised.
    This is, with all due respect, contradictory. Time is extremely relevant if there's a limited number of password attempts allowed in one 'session.' Individuals breaking and hacking accounts for the impersonal (key word here) purpose of RMT and monetary gains are not going to, as you say, wait to crack your account. Square and other companies know this, which is why login attempts have limits.

    It's also why the saying 'no system is impenetrable' is a bit outdated and archaic, because in the terms and scenarios you're describing, brute force methods ARE dated and easily managed/blocked by a transcending watchdog system. The only way to disable that system would be to physically do it in real life. We're getting into the realms of phreaking, and the only relationship these 'hackers' you talk about have with phreaking is by knowing someone who works for a company who then leaks information; the SOE 'hack' of last year comes to mind as a perfect example.

    The point was most things are an inside job, and no amount of complex or lengthy password will make a difference.

    Ormathon wrote:
    Sadly, people will still go and just take a peek at a gil seller site; that's also a super easy way to get your computer infected with keyloggers thanks to Flash/Java code.
    Modern iterations of web browsers have inherent OCX controls and blocks built in for this purpose. Additionally (usefulness debates aside), a lot of people use hoggy AV suites which monitor everything pulled down over your network, so unless these loggers are bypassing the up-to-date definitions, they are a moot point.
    I haven't seen a successful backdoor trojan or keylogger come across anything but an email where an unsuspecting person downloaded and RAN the program locally.
    Last edited by Ranebow; 09-09-2013 at 02:20 AM.
