Login Verification (Account Security)
Posted in Final Fantasy XI on May 27, 2008 Email this post Print This Post
Somepage is fuked again
So like if you read the BG… you’d notice there are people getting hacked again. Our famous Somepage exploit is back. You can read more about it on BG. There’s even a thread on BG regarding trojans on Dynamis websites. Also it looks clean but.. here it is on BG if you want to read about it.
So I’m going to outline a few things that a lot of people might miss, that can significantly help you prevent or reduce the loss of your account should it gets compromised.
There are two possible ways the hackers to jack your account.
For Saved Password: Jack the FILE that stores your auto login/pw information OR
For people who Type their Password: Simply “Take Screenshot” of your desktop when POL.exe is launched (which gets your POL Login ID), and keylogged what you type in to counter those that “type” in their password.
Either way… if your PC gets compromised, you’re fuked. So I’m going to go over simple stuff that a lot of people forget, to minimize the impact should you be the unlucky person to have their account jacked.
Enable Login Verification
Lots of times when a hacker gains control of your account, they will change your password, payment information and yada yada, but did you know there was a mechanism built into PlayOnline Viewer that asks for your password once more? If you get keylogged then this wouldn’t do a thing (people that rather type PW over using the save password feature) BUT if the hacker simply “steals” the file that saves your password, then it won’t help since that file only contains the encrypted version of your password but POL asks you to type the “real” password.
The “Login Verification” features asks your password one more time when you login to the members section, where you can perform world transfer, change payment information etc. If you got keylogged because you rather type your password everytime then this won’t help you but… if you use the Save PW feature, then this would save you! Here’s how you do it
- Login to PlayOnline Viewer (4th Button)
- Membership (4th Button)
- Click the Pull Down menu and go all the way to the bottom, LOGIN VERIFICATION
- Change it to ON, and hit Confirm!
Next time you login to the members section (you or the hacker), it will asks your your password! Make sure you DO NOT SAVE that password, else it defeats the whole purpose of it.
Save or Type Password?
For the longest time, I’ve been typing it thinking its more secure but ever since I found out about that feature.. roughly a few months ago.. I just use Auto Login. The reasoning why is.. say I got the whatever program… that attempt to jack my PW. They find out I use Auto Login, so it sends that “file” to the hacker. He gains the ability to “auto login” to my account. Great, we’ll just play kick each other off game but.. when they try to access the POL page and change PW/Payment, it will ask for their password and since that file contains an “encrypted/scrambled” version of the password and PlayOnline is requesting the “real” password… so that means they cannot login to the members section. In that case I’ll keep playing kicking each other off game until a GM locked my account, and ask a friend with a secure PC to change the PW FOR ME (don’t change it yourself… I mean you’re PC was already compromised in the first place).
They might probably have a script that auto change PW etc but hay, without the real PW, still not too much use!
For those that still aren’t convinced, here’s a line from the “Windower” people.
Save your PlayOnline Password!!!! – No, The trojans ARE NOT downloading your saved password file and decrypting it. The recent trojans have been investigated and they are simple key loggers, they are not stealing files, and to our knowledge the encryption scheme has not been cracked by the RMT yet.
Saving your password is a great idea, as you no longer have to type it to log in! Cant be key logged now.
If you have people who use your PC, simply put a ‘Member Password’ or what ever its called on your login account. Thereful you still need a password to login, but MAKE THIS PASSWORD COMPLETELY DIFFERENT!
So if you do get key logged, they get a completely useless password.
At worst, they can steal the file and login with it, but without your current password they can not take it over. so, while not a fully safe solution, it still helps protect you from permanently losing your account (and being transferred, doesnt that require your password?). If your security is broken and you get hacked, I think youd least be happy knowing you got to keep your account — also you can keep knocking them off if your online when they attempt to and change your password quickly and stop them before they even get a chance. Saving your password into POL gives you more options to keeping your account even if you do get hacked.
Source: Windower Forum.
Although its not a 100% safe solution, at least you still have ownership of the account. Rather than waiting for a week so they can have all the time in this world to liquidate your account.
For saved passwords, you’d never have to type your password in any given time so… if they wanna steal your stuff, they got to “auto login” and by then, you would have notice. But at least what they don’t have is your real password, so they cannot change infos. But if you type in ur PW everytime. Sooner or later you got to type in ur PW and its more risky to type, then you’re increasing your chance of exposing your password. So.. just save it. Doesn’t sound too secure, but with Login Verification, its more secure than typing.
Safeguarding your PC / Browser.
If you still have Real Player.. just remove that piece of trash. If you really need Real Player because you need to watch .rmvb like me, install the “codec” itself. A codec is a piece of program that instruct your computer how to play a video. With the codec, even Windows Media Player can play Real Media files! You can download Real Alternative here.
If you’re bored, you can read another article where I outline basic account security. Stuff which you might not have thought about.
And last but not least… seriously.. don’t use somepage. If you want the Power Search. FFXIAH (or Scragg), has been actively working in the back end to improve all kinds of security. From installing/configuring server firewalls, blocking out threats, changing to other advertising agencies (the same one as allakhazam), coding a home-grown message board/PM system to even getting a service that rings his phone should there be a treat to the AH server. So like… honestly… don’t worry =P. The advertisement does suck but.. its hard to dish out a few hundred bucks per month running FFXIAH, something even Scragg doesn’t want to do but must.. to keep it free…
Don’t use IE =P Its been said multiple times :) Its a piece of crap :3
7 Responses to “Login Verification (Account Security)”
Trackbacks/Pingbacks
Leave a Reply
Nice post; I stupidly went to somepage the other day after thinking it was clean, I don’t know why. If there is a possibly way, could there be a file to delete that is affecting my PC In any way?
The fix:
Download HiJackThis ( http://www.trendsecure.com/portal/en-US … s/download ) and save to desktop.
Reboot in safe mode: Spam F8 while rebooting and choose safe mode.
Once in safe mode: Start > Run > type cmd > hit ok.
In command prompt type: regsvr32 /u C:WINDOWSSYSTEM32smart.dll
Hit enter.
Once in safemode run hijackthis, choose perform a system scan.
Look for O20 – Winlogon Notify: Fly – C:WINDOWSSYSTEM32smart.dll
Check it, hit fix checked.
Browse to C:WINDOWSSYSTEM32smart.dll and delete the file. If the file does not delete, try restarting in normal mode and deleting it.
Reboot normally, run HiJackThis for smart.dll, it seemed to not reinstall itself tho.
Source: BG http://www.bluegartrls.com/forum/viewtopic.php?f=2&t=34205
Also, most keylogger detects keystrokes only, good idea is to use an on-screen keyboard
Question: Is there a way to recover your password besides having it reset and physically mailed to you?
Reason: Ive been using Save Password for about 3+ years now. Normally not a problem since I use about 2-3 passwords throughout the internet, but when they changed the requirements for the password I altered my password to something i normally dont use. And now I cant remember it >_>
Nope. I’ve looked into it, its totally encrypted. I’ve previously also tried to recover the password for a friend who lost his password but also don’t have his CD… kinda in the same situation as you.
The best way is to keep a backup copy of your PlayOnline folder, as that folder (I forgot which file, but a file inside that) has your login information, and is not machine dependant, meaning if you copy it to another machine, you can start auto login there.
Actually I can login fine, Im trying to find my password so that I can use the Playonline community
um…how do i…nvm prolly a bad idea