  1. #1
    Player
    Ranebow's Avatar
    Join Date
    Feb 2013
    Posts
    104
    Character
    Justice Knight
    World
    Odin
    Main Class
    Gladiator Lv 32
    Quote Originally Posted by Endy View Post


    HOW IS THIS HAPPENING?

    Account hacking or hijacking typically happens one of two ways in today's computing world: phishing, which is the act of stealing personal information such as passwords and username accounts through fraudulent websites; and password cracking, in which specialized programs are used to forcefully guess a password based on alphanumeric keyboard input. We will speak about the risks of both of these methods, as well as how to mitigate these risks.
    Which makes me wonder why on Earth they've forced us to use our in-game characters on the forums, where our name, server and other information is phishable.... I don't use the word 'derp' often, but really?

    Quote Originally Posted by Endy View Post
    The sad truth of the world of network security is this: There is no security that cannot be circumvented. If someone really wanted to get at your account, they eventually will if you ignore them. However, more than 99.9% of the time, this will not be the case, as hackers rarely want to wait to crack your account. They want instant gratification, the easy hack, the easy script. If you practice good security, use the tools available (such as the One-Time Passwords offered by Square Enix), and make sure to change your password regularly, you will likely never have to worry about being compromised.
    This is, with all due respect, contradictory. Time is extremely relevant if there's a limited number of password attempts allowed in one 'session.' Individuals breaking and hacking accounts for the impersonal (key word here) purpose of RMT and monetary gains are not going to, as you say, wait to crack your account. Square and other companies know this, which is why login attempts have limits.

    It's also why the saying 'no system is impenetrable' is a bit outdated and archaic, because in the terms and scenarios you're describing, brute force methods ARE dated and easily managed/blocked by a transcending watch dog system. The only way to disable that system would be to physically do it in real life. We're getting into the realms of phreaking, and the only relationship these 'hackers' you talk about have with phreaking is by knowing someone who works for a company who then leaks information - the SOE 'hack' of last year comes to mind as a perfect example.

    The point was most things are an inside job, and no amount of complex or lengthy password will make a difference.

    Quote Originally Posted by Ormathon View Post
    Sadly, people will still go and just take a peek at a gil seller site; that's also a super easy way to get your computer infected with keyloggers thanks to Flash/Java codes.
    Modern iterations of web browsers have inherent OCX controls and blocks built in for this purpose. Additionally (usefulness debates aside), a lot of people use hoggy AI suites which monitor everything pulled down over your network - so unless these loggers are bypassing the up-to-date definitions, they are a moot point.
    I haven't seen a successful backdoor trojan or keylogger come across anything but an email where an unsuspecting person downloaded and RAN the program locally.
    (0)
    Last edited by Ranebow; 09-09-2013 at 02:20 AM.

  2. #2
    Player
    Endy's Avatar
    Join Date
    Sep 2013
    Posts
    27
    Character
    Willow T'aegis
    World
    Balmung
    Main Class
    Lancer Lv 34
    Ranebow, you make a lot of assumptions in your arguments. It is true that social engineering attacks are always a risk, but given the standards applied to gold farming in general, it has a minuscule chance to be involved here. If it was an inside job, it would be true that no amount of caution on our part would solve the problem, but as not every account has been cleaned out on a given server, this is obviously not the case. Unfortunately, as the processing power of the common PC rises, so too does the ability to brute force. Studies in the IT industry have shown that a large percentage of compromised information outside of user error is caused by brute force methods, and the number has been on the rise since the early 2000s. I don't have a link handy, but I encourage you and all others who are curious to do research on the subject.

    Also, 'modern' iterations of browsers update almost as often as antivirus suites to plug holes and bugs in the programs, as do operating system updates. If such methods as described are too dated to work or moot, this would not be necessary. However, the fact that these issues need to be fixed is proof enough that security can be circumvented, and it does indeed happen all the time. Security is not something you slap on and be done with; any IT professional will tell you the same thing. Please try not to spread misinformation by drawing only on your own experiences as a source. The fact is, nothing you do will ever completely secure you against all attacks. However, layering security provides deterrents which are effective against all but the most dedicated attackers, and they have much bigger targets than you or I.

    Just as well, my topic is about what the user can do in regards to the specific problems that are likely in play as far as people's accounts being compromised. It may well be a social engineering scheme, unlikely as it may be, but that's out of the general user's hands.
    (0)
    Last edited by Endy; 09-09-2013 at 05:38 AM.

  3. #3
    Player
    Endy's Avatar
    Join Date
    Sep 2013
    Posts
    27
    Character
    Willow T'aegis
    World
    Balmung
    Main Class
    Lancer Lv 34
    Bumping to keep information on front page.
    (0)