"
xAdApt wrote:
good idea
could also add a PIN for your stash maybe?
once you log in and unlock your stash it will stay unlocked until you log out again
how about a code for attacking? ::) no dude.. a code for using the stash would be just too much.
The only thing that concerns me is what about the players that have like 15ish characters? 15 codes?
I still support the character-code idea though. I rather put codes than fear for people stealing my stuff.
I smell blood, something is calling me..
|
Posted bynomak#3690on Feb 24, 2013, 6:17:13 PM
|
"
Hey guys,
Since some days many people get hacked and I think it's a serious issue for everyone, even for people who didn't get hacked (yet). There, the game needs a new, additional and different security layer, which is not based on the keyboard, because phishing programs can easily find out what you typed in when entering the password.
The idea is a mouse-click based security feature. When you log in into your account, a windows appears with 10 numbers (9-0) on it. The number positions are randomized after every click, so a phishing tool can't know which number got clicked due to the mouse positioning. The password there will/must be a 4 digit number. This will take like 10 seconds for you to type in (guess even less), but it will provide a much tighter security level. So even if the hacker knows your normal password, he can't figure out your number so easily. After 5 failed tries, your account get locked for 1 hour and you get an email and a private message in the forum, that someone tried to log in 5 times and failed. With this information, you can change your main password and after 1 hour of waiting, you can play again.
For the case you forgot your 4 digit number, it would be useless to implement a "Forgot number? We sent an email so that you can change it"-feature. Because it is highly possible that the hacker would have your. The only way to reset your 4 digit number is the support. You have to identify yourself in a way, so that GGG can see that that is your account. Then they can reset your digit password and you can choose a new one. Another option would be, that you have to type in your handy number when creating an account and in case you forgot the number, you can receive a SMS with a number/password which lets you reset the digit password. So it's highly recommended that you don't forget it.
I know that this isn't the suggestion area, but it is such a big deal right now that I feel this is really important. OF COURSE if you have a better suggestion or would like to add something to this idea, feel free to post it here! But I think we should fix this issue asap, because this hacking wave can ruin many players hard work and on top of it it can ruin the economy sooner or later...
I'm not entirely sure of what this is an implementation of so I'll make a few remarks:
- Any client side software can be reverse engineered. The best that can be done is make it excessively convoluted to pour through (e.g, Warden was a particular nuisance, however patience pays off)
- Random is not random in computing, rather it emulates what appears as chaos to humans while being fundamentally deterministic.
- Phishing entails coaxing a user into providing their key; however this key is encoded it must be capable of being decoded by the server (legitimate or otherwise)
- CAPTCHAs, or any generalization thereof, are solvable with negligible error margins.
I commend you on your effort, regardless.
"The problem is there ARE secure netcodes" -- Pewzor Last edited by Emjayen#1133 on Feb 24, 2013, 8:09:14 PM
|
Posted byEmjayen#1133on Feb 24, 2013, 8:04:39 PM
|
"
Emjayen wrote:
"
Hey guys,
Since some days many people get hacked and I think it's a serious issue for everyone, even for people who didn't get hacked (yet). There, the game needs a new, additional and different security layer, which is not based on the keyboard, because phishing programs can easily find out what you typed in when entering the password.
The idea is a mouse-click based security feature. When you log in into your account, a windows appears with 10 numbers (9-0) on it. The number positions are randomized after every click, so a phishing tool can't know which number got clicked due to the mouse positioning. The password there will/must be a 4 digit number. This will take like 10 seconds for you to type in (guess even less), but it will provide a much tighter security level. So even if the hacker knows your normal password, he can't figure out your number so easily. After 5 failed tries, your account get locked for 1 hour and you get an email and a private message in the forum, that someone tried to log in 5 times and failed. With this information, you can change your main password and after 1 hour of waiting, you can play again.
For the case you forgot your 4 digit number, it would be useless to implement a "Forgot number? We sent an email so that you can change it"-feature. Because it is highly possible that the hacker would have your. The only way to reset your 4 digit number is the support. You have to identify yourself in a way, so that GGG can see that that is your account. Then they can reset your digit password and you can choose a new one. Another option would be, that you have to type in your handy number when creating an account and in case you forgot the number, you can receive a SMS with a number/password which lets you reset the digit password. So it's highly recommended that you don't forget it.
I know that this isn't the suggestion area, but it is such a big deal right now that I feel this is really important. OF COURSE if you have a better suggestion or would like to add something to this idea, feel free to post it here! But I think we should fix this issue asap, because this hacking wave can ruin many players hard work and on top of it it can ruin the economy sooner or later...
I'm not entirely sure of what this is an implementation of so I'll make a few remarks:
- Any client side software can be reverse engineered. The best that can be done is make it excessively convoluted to pour through (e.g, Warden was a particular nuisance, however patience pays off)
- Random is not random in computing, rather it emulates what appears as chaos to humans while being fundamentally deterministic.
- Phishing entails coaxing a user into providing their key; however this key is encoded it must be capable of being decoded by the server (legitimate or otherwise)
- CAPTCHAs, or any generalization thereof, are solvable with negligible error margins.
I commend you on your effort, regardless.
Pretty much spot on.
|
Posted byLask001#4507on Feb 24, 2013, 9:54:30 PM
|
"
Ivolution wrote:
"
xAdApt wrote:
good idea
could also add a PIN for your stash maybe?
once you log in and unlock your stash it will stay unlocked until you log out again
how about a code for attacking? ::) no dude.. a code for using the stash would be just too much.
The only thing that concerns me is what about the players that have like 15ish characters? 15 codes?
I still support the character-code idea though. I rather put codes than fear for people stealing my stuff.
No, just a code for the account should be good. That said, it's a very good idea.
Invited to Beta 2012-03-18 / Supporter since 2012-04-08
|
Posted byVideoGeemer#0418on Feb 24, 2013, 10:31:26 PM
|
"
VideoGeemer wrote:
"
Ivolution wrote:
"
xAdApt wrote:
good idea
could also add a PIN for your stash maybe?
once you log in and unlock your stash it will stay unlocked until you log out again
how about a code for attacking? ::) no dude.. a code for using the stash would be just too much.
The only thing that concerns me is what about the players that have like 15ish characters? 15 codes?
I still support the character-code idea though. I rather put codes than fear for people stealing my stuff.
No, just a code for the account should be good. That said, it's a very good idea.
It's a good idea conceptually. In actual practice it would do little to nothing. For something to be 2 form authentication they have to be on separate systems. What's the point of having them on the same - if one is compromised, they both are.
|
Posted byLask001#4507on Feb 24, 2013, 10:33:51 PM
|