Wednesday, April 18, 2012

Poll: Account Security Solutions

So we've had a few threads regarding account security recently. In amongst the commiseration and speculation has been some discussion about possible solutions. Here's a summary of some of the more popular ones and a poll to gauge which ones appeal the most to the community. You can select multiple options in the poll, but do try to prioritize the couple items that you would MOST want to see added.



Here are the descriptions of the options so you don't have to dig back through pages of old threads.

Static IP/MAC/HW checking

This is used by some banks. If you try to access your account from an IP or MAC address that is foreign to that account (meaning you haven't used it before or haven't used it recently), then you are asked additional account security questions before access is allowed.

Similar to the IP/MAC address check, a hardware configuration check will compare some aspect of the hardware you are currently using to access the account. Additional security questions will be asked if the information is mismatched.

Strong password policy

Password policies prevent you from using passwords that are too easy to crack. Some factors include password length, similarity to previous passwords, repeated characters, and use of non-alphabeticals. Password policies can also enforce minimum and maximum password ages. ArenaNet has already confirmed they have some throttling technology on their end to thwart "brute force" password hacking but strong passwords are still an important part of account security. Strong passwords are still easily broken by key loggers.

SecurID authentication option

This is already in use by Blizzard as an optional account security measure. You get either a device or an app that can be loaded on a mobile device like an iphone. It uses two-factor authentication. You have your usual login method (account name + password) and then you'll be asked for your secure id. You hit a button on the device and it displays a code for you to input.

Short version: you have a second password that is changed automatically every 60 seconds.

"NO DELETE/SALVAGE/TRADE" option on characters/items

With this option you'd be able to mark certain characters or items as undeletable and untransferable. Some variations of this suggestion allow for this option to be toggled on and off using a second factor authentication (second password) or an account security question. Obviously this doesn't make it harder to gain access to your account but it could protect the things you value most.

Additional authentication for Xunlai storage access

Similar to the previous option, this would allow you to add an additional password to your Xunlai storage. You therefore have additional protection around some of your gold and items. However, since you would likely use this password every time you play, it's just as vulnerable to keyloggers as your account password.

Randomized point and click gui for password input

This option would put an image of a keyboard on the screen for you to point and click each character of your password. The keys would be randomized each time to remove the possibility of a keylogger recording the pixel locations of each click and engineering the password based on a standard keyboard layout.

Compromised account restorations

This is already provided by many MMOs. Once the account has been compromised, game support can go back and verify which items were removed and restore them to the compromised account. ArenaNet has always stated they cannot restore items on live servers. Whether this is a technical or a budgeting limitation is up for speculation, but the inevitable comparison has been made and this capability has been requested.

Other H/W solution

Specify in a post if you want other features that require specific hardware.

(e.g. thumbprint scanners)

Other S/W solution

Specify what other software features you'd like to see implemented.

(e.g. Human verification images)

No solution required

Choose this if you don't want any changes.

--------------------

Isn't this basically the same as the thread you just closed, bella?

http://guildwars.incgamers.com/showthread.php?t=492696

--------------------

Quote:

Isn't this basically the same as the thread you just closed, bella?

Uh, no? That was "Boohoo if you guys don't do something I won't buy GW2."

This is a poll showing which option people would prefer to use for security.

--------------------

The Blizzard authenticator is the way to go. It's only 6 dollars for a little device you can clip on a keychain, or you can download a free app for the iPhone if you're lucky enough to have one. (Windows Mobile/Android users are **** out of luck though, thanks Blizz.)

This latest patch Blizzard added another reason to get an authenticator (other than, you know, making your account unhackable): You get a free puppy!

--------------------

Quote:

Isn't this basically the same as the thread you just closed, bella?

http://guildwars.incgamers.com/showthread.php?t=492696

No, that one is a petition asking ANet to do something without specifying what and leaving no room for discussion. This one is basically the complete opposite, though it is still biased in a way that it suggests that ANet SHOULD implement additional security measures. Then again, it would be hard/dumb to say no to better security.



Having said that, I have a question. Do banks REALLY use Static IP/MAC/HW checking? It seems to me that if you've managed to get keyloggers into someone's system, it's fairly easy to detect one's IP/MAC address as well. Spoofing one's MAC address can be done as well, and IP addresses are more often than not dynamic instead of static (around here anyway).

--------------------

Quote:

Static IP/MAC/HW checking

The main problem with this one is that it mostly defeats the point of being able to play on any computer. I mean sure, it could ask me a security question... but unless I use it regularly or use a stupid answer I'm probably going to forget, and then I'll go and switch computers without authorizing the new one first...

On the other hand, it's reasonably strong security. Unless you get a keylogger (which could check IP/MAC/HW before it phones home...) or an alternative Trojan or visit an infected site, or ANET gets hacked, or you use your same PW on another site that happens to collect IP addresses, or you don't *have* a static IP...

On the third hand, it isn't going to hurt anything to make this available as an option.


Quote:

Strong password policy

Bad idea. Well, "no dictionary words" is about all I'll agree to. Now, obviously *I* use a password that contains special characters and mixed capitalization even when I don't use a fully random password... but most people will be frustrated by it and then write down the password. Or worse yet have a shortcut that includes their account name and password for any passing virus to read as plaintext.


Quote:

SecurID authentication option

I know several major corporations use this for secure logins, and if implemented correctly this type of two-factor security is pretty damn secure. Of course, someone with physical access to your PC could still screw you over, but if someone has physical access there's nothing you can do. Then again, for a game with no monthly fee the cost to keep something like this running could be prohibitive.


Quote:

"NO DELETE/SALVAGE/TRADE" option on characters/items

Allow me to say "YES" on characters, "maybe" on items.

For characters I'd be happy with e-mail confirmation before allowing a marked character to be deleted, though that'd probably be a bit much for items.

For items you could just make "customized" items harder to sell/trade/delete (harder than just a confirmation box, that is...). Of course, as with the first option it's quite possible that this could be compromised along with your email/password, especially if you use it often.


Quote:

Additional authentication for Xunlai storage access

No. This one is a paper shield at best, and a really annoying one.


Quote:

Randomized point and click gui for password input

Ugh, hate these. No.


Quote:

Compromised account restorations

There are database issues that make it impossible for GMs to spawn items. Tracking down individual ones and forcing them back to the original owners would be difficult and the mechanic would be possible to abuse. A nice idea, to be sure, but I feel like you might as well have "stop letting people steal ****" as a suggestion as far as "helpfulness" goes.

--------------------

SecurID for sure.

--------------------

The static IP thing would be a problem if done over non-static IP connections, and with multiple computers.

IF however, it can be done at a reasonable rate, I would consider this as a good secondary line of defense, as the game could log where you regularly log in from, and any major changes to that IP, as in you're logging in from someplace very different than usual, then there would be a secondary password or something popping up, with only a given number of tries for it to succeed, might be something to look at.

Key thing here is the level of ease for Anet to implement, and the ease of usage for players.

If it's a bit much to deal with on both sides, then I'd say skip it for now.

Forcing stronger passwords is good, but... hopefully they don't go in and decide 'these passwords are all no good, throw them out, give them all new ones'.

The reason for that is, for those of us who, for whatever reason, no longer have an email matching the one that started the account, and can't change it for whatever reason.

Implementing this on NEW accounts, and any password changes is good.

SecurID

This can be good and bad.

Good, in that it's probably one of the strongest security measures around.

Bad in that it probably costs a lot of money to implement and maintain.

My guess is it'd probably cost THIS company something like... $20 per account to start up. Or maybe $20 per key, and maybe you can use it for multiple accounts? Also would it require a monthly fee as well to keep it going?

Not sure how that'll work. I'd like more info on something if anet were to look at this as an option before saying yes or no, even before an option to sign on.



No Delete option.

Not just a yes, but a HELL yes!

Interestingly enough, the chara deletion issue comes NOT from account robbers, but from ex bf/gf issues. More than once I have seen someone in GTOB spouting off racial slurs, doing whatever they can to piss people off, and when someone asks why they're doing that, it's because they want the account banned.

"My BF is being a d***, so I'm trashing his account! **** youuuuuuu!"

More hoops for xunlai?

That'd be nice if it'd actually work. I don't expect it to work, and having to type in ANOTHER password just to open storage...

I don't know, maybe a locked section of storage? If people are willing to buy extra panes, maybe have lock options for said panes?



The onscreen GUI thing actually I feel isn't a bad idea, but instead of a full keyboard, how about just a secondary number code from a 10 key pad?



Compromised account restorations.

Personally, I feel they need to do a bit more on this regard, as we have been told they CAN track any and all items in the game.

If they can't create items in the game, they DO have access to accounts that were compromised, and then shut down. Known chinese farmer and botter accounts.

Just move them to a stable where they can take from these accounts, items that are on them, and use said items to help restore items that were taken/destroyed by robbers.

Maybe make a couple of intern positions at anet for doing nothing but this. The stuff is out there, it just needs to get moved back to where it needs to go.



Other Hardware. Thumb scanner.

No. As good as that tech may be, I just... shtuff happens, and said hand may be mangled, or at the least, wrapped in a cast, and you can't use it, and then what do you do?



Software imaging

Let the game take my picture? No way.

Besides, who among you has a picture that hasn't changed inside of a few years?

Tell me that that photo ID that looked like crap when you first had it taken now looks better than you when you show it to someone?



Something I'd like to see is an Anet 911. Unfortunately, that would require people manning the 'line' as it were, for such emergencies. We already do not have in-game GMs to contact, so... But if there was a way to quickly contact someone, and alert them and say "I think my friend/SO's account is getting robbed! please do something quick!" that would be good.

In the end, something needs to be done. Arenanet will never admit that any of this is their fault, in any way shape or form, whether it is or is not their fault. Not unless incontrovertible evidence shows up to prove that something IS their fault.

Which is impossible, since it would require being on the inside.

And... I'm not necessarily saying that anything IS their fault, but the admission of such a thing would open up such a can of worms, it would look like an infestation.

But I can't entirely believe that this is all the result of player negligence either.



So the problem is, we wait to see if anything can be done, and hope to god our account won't be the next one hit.

--------------------

Quote:

Do banks REALLY use Static IP/MAC/HW checking?

My credit union uses a cookie-based check. Whether or not that cookie has my IP address recorded, I'm not sure.

But I do know that if I try to log in from a different computer or a different web browser, I get asked the additional security questions. I haven't been able to fully test this, since I don't get assigned a new IP address very often.

Aside from that... I voted on SecurID, No delete/salvage/trade, and Compromised Account Restorations. I agree with Drec Sutal's post fully, though -- including the possible limitations of the last option I chose.

Additionally, the company I work for has a "strong password" policy. It's pretty useless. It requires upper and lower case letters, at least one number, and at least one special character. No dictionary words can be used. Also, passwords expire after 90 days and cannot be re-used for five iterations (that is, your current password cannot be the same as any of your four previous passwords).

So per that policy, the following weak passwords are acceptable:

S3cret!

M0nkeys.

pAssw0rd?

And with the rotation policy, it's possible that forgetful people are using simple iterators. Like "Secret1!", then "Secret2!", then "Secret3!" and so on. (OK, those examples would fail the "no dictionary words" bit, but I hope my point is clear enough)

The policy forces people to use more secure passwords than what they may have chosen, but people can still use dumb passwords.

--------------------

I want the Blizz-authenticator and a puppy.

--------------------

SecurID gets my vote.
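The corporate "strong password" policy described in the post above, taken literally, beside a stricter check that catches the passwords it still lets through (`S3cret!`, `M0nkeys.`, `pAssw0rd?`, and the `Secret1!`/`Secret2!` rotation trick). This is an added example, not code from the thread; the word list, the leet-speak map and the 12-character minimum are assumptions.

```python
import re

# Constructed stand-in for the policy's dictionary word list (assumption).
DICTIONARY = {"secret", "monkeys", "password", "guildwars"}
# Substitutions people use to sneak a word past a "no dictionary words" rule (assumption).
LEET = str.maketrans("0134$@", "oleasa")


def policy_accepts(pw, history=()):
    """The corporate policy exactly as the post describes it: upper and lower
    case, a digit, a special character, no dictionary word as a substring,
    and not equal to any of the four previous passwords."""
    if not (re.search(r"[A-Z]", pw) and re.search(r"[a-z]", pw)):
        return False
    if not re.search(r"[0-9]", pw) or not re.search(r"[^A-Za-z0-9]", pw):
        return False
    lowered = pw.lower()
    if any(word in lowered for word in DICTIONARY):
        return False
    return pw not in list(history)[-4:]


def stem(pw):
    """Recover the word a person actually chose: drop leading/trailing digits
    and punctuation (the '1!' of 'Secret1!'), then undo leet-speak substitutions."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())
    return core.translate(LEET)


def weak_reasons(pw, history=()):
    """Stricter check: the reasons a policy-compliant password is still weak.
    An empty list means nothing was flagged."""
    reasons = []
    if stem(pw) in DICTIONARY:
        reasons.append("dictionary word once leet-speak and padding are stripped")
    if len(pw) < 12:  # minimum length is an assumption; the post's policy has none
        reasons.append("shorter than 12 characters")
    if history and stem(pw) == stem(history[-1]):
        reasons.append("same stem as the previous password (simple iterator)")
    return reasons


if __name__ == "__main__":
    for pw in ["S3cret!", "M0nkeys.", "pAssw0rd?", "Secret1!"]:
        print(f"{pw:10} policy={policy_accepts(pw)!s:5} weak={weak_reasons(pw)}")
    # Rotation: the policy accepts the next iterator, the stem check flags it.
    print(policy_accepts("Zx9kq2!", ["Zx9kq1!"]), weak_reasons("Zx9kq2!", ["Zx9kq1!"]))
```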
