Account Security

Yesterday, while waiting for Wings of the Goddess to patch, I went to click around the Alla forums and found out someone on our server got hacked. It's not the first time an MMO account has been stolen.

Full article here.

It happened to Caldor; could it happen to you? According to most computer security experts, “It's as easy as going to the wrong web page”.

Most people are only told to “use Firefox”, “use strong passwords” or “don't click on random websites”, but are never told the reasoning why. Sure, you might have taken these precautions, but that still doesn't safeguard you from account theft. Before I explain why, let's look at how people steal accounts. This comes from research, from asking web administrators who own high-Alexa-ranking websites, and from personal experience (I was pretty bad back in high school xD, messing around with the school's PCs lol).

Installing Crap

This is probably the easiest way to get your account compromised. You might think you're installing Fraps, but that Fraps was actually Fraps + keylogger. Who uses Fraps the most? MMORPG players who tend to show off, have bleeding-edge equipment, etc. There are programs out there which combine two programs into one. All I have to do is attach Fraps + keylogger and call it Fraps.exe, and you are completely fooled.

Most of us use Windower, and with the ability to run Windower, you also have the ability to run a variety of third-party applications such as MapMon or Parser. Take caution when downloading these add-ons, and ensure that they come from an official source (e.g. the Windower forum), not some random link on a forum.

The Windower forum has taken precautions to protect us, and separates programs into “Approved” and “Unapproved”. I wouldn't randomly test stuff from Unapproved unless you know how to read code.

(Image: Don’t randomly click links!)

Visiting random Crap

Probably the second most common method of getting your account jacked, and probably the case for Caldor: accidentally visiting a random URL with harmful code. (Since he claims he doesn't use third-party stuff, uses a strong password, etc.)

Random websites, such as the StarOnion you're visiting, could be from a bad author. I could be executing code on your PC as you are reading this line. I don't do this though ^^ But there's no guarantee others won't.

The web has been evolving, and to take enjoyment to a higher level, new functions are constantly being added to browsers. But when new functions are added, there are more chances to make errors in code. Imagine the new function that was added was not nicely coded, and allows a webpage to run code on your PC. The user did nothing wrong, he simply visited the new webpage, but because the browser was flawed, the attacker can now run code on your PC, e.g. keyloggers. Since people who visit here are mostly FFXI players, it's safe to say that if I executed an FFXI account-mining code, I'd get something from at least 1 in 10 PCs that come for a visit.

That's why people tell you to use Firefox. It's not that Firefox has smarter coders, but flaws in their browser are patched as they are found (Firefox even downloads the patch and tells you it's ready to be installed). Microsoft doesn't give a shit about its customers, because since IE is installed on every Windows PC, most people will use it regardless of the effort they put in. Firefox simply shines because they care about flaws, and want to keep their users secure from attacks like those mentioned above.

So when visiting websites, any website, make sure you read what the URL is. If you're afraid of clicking the wrong link, then make sure you use a secure browser like Firefox, which doesn't allow these bad websites to execute code as you view them.

http://www.staronions.com/maiev
is not the same as
http://www.staronion.com/maiev

Check what you are about to click, too. The author might have had it right, but if the web server itself is compromised, then chances are the URLs it links to are all compromised too! Be careful: it only takes one bad click to get your account compromised.
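The “read the URL before you click” advice above, as an added example that is not part of the original post: it extracts the host a link really points to (ignoring tricks like user-info before an `@` or a trusted name used as a subdomain of something else) and flags hosts that are within a couple of edits of the domain you meant to visit. The `staronion.com` domain is the one the post uses; the near-miss URLs in the test are constructed.

```python
"""Added example (not from the original post): classify a link against the
domain you intended to visit, so near-miss hosts stand out before you click."""
from urllib.parse import urlsplit


def link_host(url: str) -> str:
    """Return the lowercase host of a web URL, ignoring userinfo and port.

    urlsplit().hostname already drops anything before '@', so
    'http://www.staronion.com@evil.example/' yields 'evil.example'.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not a web URL: {url!r}")
    return parts.hostname.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to catch one-letter lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str, trusted_domain: str) -> str:
    """'trusted' if the host is trusted_domain or a subdomain of it,
    'lookalike' if the registrable part is within two edits of it,
    otherwise 'unknown' (treat it as a random link)."""
    host = link_host(url)
    trusted_domain = trusted_domain.lower()
    if host == trusted_domain or host.endswith("." + trusted_domain):
        return "trusted"
    # Assumption for this example: the registrable name is the last two labels.
    registrable = ".".join(host.split(".")[-2:])
    if edit_distance(registrable, trusted_domain) <= 2:
        return "lookalike"
    return "unknown"
```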

(Image: Strong password!!!)

Strong Passwords / Different Passwords

We hear this all day: use strong passwords. This is simply to prevent dictionary attacks. People tend to use passwords that are easy to remember, such as their birthplace or simple words you see everywhere, so there's no need to explain this one.

Different passwords are also important. That's because when you enter a password, the administrator of the website stores it. Say you register on a forum, and your password is “secret”. The forum is very secure, and encrypts your password:

secret –(Encryption)–> asdf89q2rkasdf

and stores this in their database, but an unethical administrator can turn your

asdf89q2rkasdf –(Decrypt)–> secret

Chances are, if you sign up on an FFXI forum, you play FFXI, and it's safe to say some people will have their forum password be the same as their FFXI account password. Once they have your password, there's motivation to get your POL account ID, since the hard part is done =P

That's why it is important to use different passwords. Blizzard has its own forums and takes this risk out, but FFXI doesn't! We probably visit lots of forums and sign up for numerous accounts. Make sure these passwords are not the same as your FFXI account password.
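The two points above (a forum that stores passwords reversibly hands them to anyone with the key, and a reused password then opens your other accounts), as an added example that is not code from the original post. The XOR “encryption”, the key and the account names are constructed for illustration; the salted-hash contrast goes one step beyond the post to show what a forum that cannot recover your password looks like.

```python
"""Added example (not from the original post): reversible password storage vs.
a salted hash, and the cost of reusing one password across services."""
import hashlib
import hmac
import os

FORUM_KEY = b"forum-server-key"  # constructed: the key the forum admin holds


def reversible_store(password: str, key: bytes = FORUM_KEY) -> bytes:
    """Toy reversible scheme (repeating-key XOR): looks scrambled in the DB."""
    data = password.encode()
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def reversible_recover(stored: bytes, key: bytes = FORUM_KEY) -> str:
    """Anyone holding the key (the admin, or whoever dumps the server) gets
    the plaintext straight back, which is the post's 'Decrypt' arrow."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(stored)).decode()


def hashed_store(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256: the server can verify a login but cannot
    turn the stored digest back into the password, key or no key."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def hashed_verify(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)


def services_opened_by(leaked: str, accounts: dict) -> list:
    """Given one leaked plaintext, list every other service it logs into.
    accounts maps service name -> (salt, digest) as a hashing service stores it."""
    return [svc for svc, (salt, d) in accounts.items() if hashed_verify(leaked, salt, d)]


def demo() -> tuple:
    """Forum leaks 'secret'; the POL account reused it, the email did not."""
    recovered = reversible_recover(reversible_store("secret"))
    accounts = {
        "POL": hashed_store("secret"),        # constructed: same password reused
        "email": hashed_store("k9$Lq!2vX"),   # constructed: a different password
    }
    return recovered, services_opened_by(recovered, accounts)
```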

I personally don't like phpBB forums (the BG type), since they don't get patched often. The one I deploy for my duck is vBulletin, a paid forum. Not only is it easier to manage, but they patch security flaws just like Firefox does, so an attacker cannot execute code against my forum database and get passwords. I also use a different database for each, so should one get compromised, the others wouldn't be affected.

Email passwords

It's something we type every day, something we check every day, and let's be honest here, some of you would pick something easy to remember. But keep in mind, your email is your backup for everything. When you sign up for any forum and forget your password, they deliver it to your email account. Basically, when you click “Forgot password?”, they email it to your main email account.

For this reason, not only must your email password be secure, it must also not be brute-forceable through the recovery process. What I mean is: when you forget your email password, most providers ask you for your birth date, full name, etc., which forum administrators have access to. What does that mean? Not only shouldn't you put your full information when signing up on forums, but make your secret question un-guessable.

What's your mother's maiden name? Mine is a random smashing of keys on my keyboard. To be honest, I don't even know what it is. If I forget my email password, I'm fuked, but by not answering or not having a secret question, the only way into your email account is your strong password.

It's easier to ask for the password than to hack into a secure system.

(Image: Don’t trust a computer idiot with your account!)

Your trusted friends.

Do you trust your friends? I do. But even if you have taken all the precautions above, your friends might not have. So if they have your account and they click on a bad link? You're fuked. You might trust your friends, and yes, they didn't tell anyone verbally, but they did it electronically by clicking some random website or installing spyware.

By allowing one friend to use your account, you just doubled the chance of your account being compromised, since there's now twice the chance of someone visiting a wrong website.

Of course, there are also friends who simply steal your account for revenge. The underhanded way. For this reason, don't trust crazy friends with your account ^^

I do trust my close friends, but only the smart friends who also know how to keep their own account secure and whom I know in real life (meaning, I see them physically).

Summary:

What the Internet and your mom always tell you to do:

  • Patch your OS
  • Use Firefox, the latest one (www.getfirefox.com)
  • Don’t use Internet Explorer, they don’t care about you
  • Don’t share your account (SE’s reminder again)
  • Don’t visit random URLs; highlight the link and check the URL at the bottom left of your browser before clicking on it.
  • Use strong passwords, meaning ones with alphanumeric characters.

What I want to add:

  • Don’t trust a computer retard with your account, should you share your account.
  • Tell all your friends who have your account info not to give it out at any cost, including if someone asks in-game. If your account is compromised, it’s easy to go through your friend list, see who your friends are and just randomly ask “What’s your account info again? I want to PL with you later”.
  • Don’t use your POL password anywhere else on the internet.
  • Forums are fragile; assume your password can be seen by everyone.
  • Don’t make a secret question for your email accounts, just smash your keyboard for an answer.
  • When typing in passwords, either copy and paste them (most keyloggers can’t read the clipboard), or type “sect”, then use your mouse to click between “c” and “t” and add in “re” to make “secret”, so even if your PC gets a keylogger, the person would read the log as sect+re rather than what you typed.
  • Antivirus only protects you from old attacks, not new ones. Some antivirus products do detect malicious execution of code, which is a good step in taking precautions against new attacks, but still, don’t assume your antivirus is god and will protect you.

One last thing I want to add about visiting websites. Ask yourself: are you visiting out of curiosity, or did you actually want to visit the website yourself? Malicious websites tend to lure you in with curious content, or say “1 dollar per 1M gold!” The account that got jacked on Fenrir ended up with RMT and fishing, and if you ask me, he was visiting a cheap-gil website, or was curious what the latest price on gil was. Places to buy gil are owned by RMT, and could include code that attempts to jack your password when you visit them with an insecure browser.

Don’t check on gil prices =P It’s always fun to see how much you’re worth, but by doing so, you risk your account being compromised ^^

3 Responses to “Account Security”

  1. eeto says:

    Well, it’s not that IE doesn’t care, but this is a bit of a controversial topic.

    As you’ve said, IE is built in for whoever installs WinXP onwards; considering there are so many companies with WinXP installed, it wasn’t feasible for them to release security patches too often. In fact, they used to do it frequently, with up to multiple patches a week, and it got out of hand, with computer administrators complaining that they released updates too frequently (imagine, as a computer admin, you have to update your few hundred computers to verify they comply). So Bill Gates then promised a new policy, based on security risk classification, and tried to limit it to one big update per month.

    Another reason why IE doesn’t patch as often compared to Firefox (FF) is the nature of FF as open-source software versus IE’s closed-source model. The problem is obvious. FF has an army of users to debug, discuss and deploy fixes. Microsoft, ironically for such a big company, doesn’t. They have to hire people to do that, or rely on security companies to help with it, while FF is more like a fanbase/community-based effort. After all, it’s easier for FF to fix things than IE.

    I’ve seen Firefox improve and get better, and I also stopped using IE the day my computer got hacked through security flaws from viewing a webpage.

  2. Ledian says:

    Well, I’m trying to get the password for my PlayOnline mail and I asked playonline.com service & support, but they keep sending the information I need to my PlayOnline mail address ; ;
