Hacked Accounts

"
MonstaMunch wrote:
"
Illyasviel wrote:
"
rickrock wrote:
So many people got hacked today and its our fault? Sure...


Is there something implausible about it?


Yes. There is also something missing from the explanation we were just given.

This whole line of "if they were really hacking accounts they would have done me and kripp, it's mainly medium to low level accts" thing is completely off base. It implies that the only way sessions could be hijacked is for specific accounts to be targeted.

If someone was sidejacking sessions by intercepting session keys, they wouldn't be able to target specific accounts. They would be sidejacking random sessions, which on average are....... you guessed it; low to mid level accounts.

He could be right, I don't know. It just seems presumptuous to blame it all on users and virtually rule out the possibility of anything else.



More often than not it IS the user's fault and if you deny that you're ignorant on the subject. I will agree with you that there is a possibility that it's on their side but I'd rather side with the most plausible argument.
IGN: Xilfie
"
Chris wrote:
Imagine how much it'd be worth to compromise my account? Kripparrian's? The top people on the ladder? These people have not lost their passwords.


Approximately $1000, which these hackers sell in a day. Your inventory, and Kripparrian's inventory gets stole and sold in 1 day. LOL.
I saw this because one selling site has:

Seller will deliver: 9,980 Orb of Fusing
Price: $7,485.00
Just tested and found that the PoE doesn't prevent re-entry of password should a user entered the wrong password 3 or mote times.

I guess we now know what's the exploit is. Brute-forcing is never been this easier before.
"
Illyasviel wrote:
More often than not it IS the user's fault and if you deny that you're ignorant on the subject. I will agree with you that there is a possibility that it's on their side but I'd rather side with the most plausible argument.


I'm many things, but I'm far from ignorant on this particular subject. Chris was talking about someone gaining direct and full access to their database. He's right, clearly that hasn't happened. It does nothing to address the possibility of sidejacking, which seems entirely plausible given that most of the people reporting this seem to be online when it happens. Again, if that was happening, they would be gaining access to random accounts. The accounts getting hacked (which Chris stated are mid to low level) are representative of what you would expect to find if that was what was happening.

It's also ridiculous to suggest that top players aren't also using questionable websites, or that somehow because they are better at merci ledge farming, that they are better at protecting their pc's. It's just nonsense. If someone was going phishing, those are the people who would be getting targeted.

Like I said, it's entirely possible that he's right and it's all the users fault. I also think it's possible he's being presumptuous.
"
darkro90 wrote:
Just tested and found that the PoE doesn't prevent re-entry of password should a user entered the wrong password 3 or mote times.

I guess we now know what's the exploit is. Brute-forcing is never been this easier before.


If this is true then it should be fixed. Brute-forcing, while one of the simplest means of security penetration, is highly effective against systems that do not have some sort of account lock on multiple tries for password entering that's incorrect. I'm sure MOST people using PoE use dictionary based passwords that can be easily brute-force hacked with minimal effort on the offenders part.
"
darkro90 wrote:
Just tested and found that the PoE doesn't prevent re-entry of password should a user entered the wrong password 3 or mote times.

I guess we now know what's the exploit is. Brute-forcing is never been this easier before.


Just tested and confirmed. JtR would have a field day with this :|
"
Elynole wrote:
"
darkro90 wrote:
Just tested and found that the PoE doesn't prevent re-entry of password should a user entered the wrong password 3 or mote times.

I guess we now know what's the exploit is. Brute-forcing is never been this easier before.


If this is true then it should be fixed. Brute-forcing, while one of the simplest means of security penetration, is highly effective against systems that do not have some sort of account lock on multiple tries for password entering that's incorrect. I'm sure MOST people using PoE use dictionary based passwords that can be easily brute-force hacked with minimal effort on the offenders part.


This also explain the recent mass-hacking. It seems the hacker developed some kind of brute-force cannon program that exploits the game's lack of security. Worse is, I think in this case the dev only checked the hacker's logs INSIDE the account, while not taking notes of the hacker's action outside like logs of logging in, etc.

GGG really needs to step up their security system if they do not want any further bad publicity to PoE. This, coupled with other prominent problem such as desyncs could instantly turns down any new player's excitement of playing this game.
Honestly i don't understand why a lot of people are so aggressive, really what's the point?

People can make mistakes, those who did get hacked aren't necessarily cheaters, or idiots, or totally incompetent with computers, just look at Chris post and his D3 account. Those who didn't might not be 100% bullet proof as they think, and even if they are, coming in the forum calling those who have been hacked idiots doesn't make the situation any better.

The thing is, while an announcement has been made about improved security features, the game at this point has none. Which for an online only game is a shame, especially when you consider the type of game, usually plagued with hackers, bots, sellers, infinite accounts possible being f2p, and members of the developing team who had previous security issues themselves. Even if it's the users fault ultimately it doesn't mean that you can't and shouldn't limit those issues with methods widely available in other games.

And some questions are perfectly legitimate, rollbacks for instance. Again while you can understand concerns for the economy, other games do it without them being huge market distortions. Obviously if you have no way to track where items went, no way to track IP logins and so forth so are making your life harder, you can't ban hackers, you can't give back items without duplicating them, you can't rollback all the accounts to a previous state after all only a small subset of player are concerned, so hackers won, you loose everything.

It's not a news that a single password isn't a great security system, why do I use tokens, 2 step security on my google accounts, blizzard products, gw2, facebook? why other important services, like your bank for example have additional security layers? you can be careful all you want, but shit can happen, like it did for me, never had an issue online with any of my accounts and it happened. I'm not even that pissed off, in a way it gives me an excuse to go full hardcore league, but I'm still not sure on how they got my password that's the part that worries me.
Last edited by Kurtosis on Feb 20, 2013, 12:09:49 PM
I really recommend that everyone invest some time in learning and using password management software (I use 1password). Everyone who types their password manually has a handful of password variations they use for different sites. We are all constantly signing up passworded accounts in different places, and it's impossible to know whether or not a site has good security practices or even if the owner won't sell your password anyways. It's only a matter of time before someone will get a hold of one of your passwords, comprising possibly dozens of your online accounts.

Two-step authentication is definitely needed in PoE (and the devs have hinted that this is coming soon), but you can't expect every website you use and game you play to have this feature. If you want to guarantee security for yourself, you should use a different (and complex) password for every single account you have, everywhere. There are plenty of tools that will manage and automate this process for you. I use four different computers every day, including my phone, and I have had no problem synchronizing my password database across all of them, nor is much of an inconvenience to enter my passwords. Seriously, check out 1password, or any of the free alternatives.

Report Forum Post

Report Account:

Report Type

Additional Info