security stuff

moui
card carrying atheist
Posts: 3287
Joined: Mon Jan 23, 2006 8:00 pm

Post by moui » Wed Mar 16, 2011 9:22 am

Scott Hartsman talked about some of the security stuff they are working on during his PAX interview with Massively:
The next thing we're working on is a mechanic called coin-locking your character. If we detect that you're logging in from a fishy location, which is generally the case if you're getting hacked, your character will be coin-locked. Until you authenticate some sort of other way, you will not be able to get rid of anything on your character. You won't be able to sell it off; you won't be able to destroy it.

We're also working on two-factor authentication, via both cell phone app as well as text message. We're not going to go with a separate hardware authenticator, because these days, pretty much everybody has the ability to receive a text message or use an app. So we're going to go out with that, because it's a lot cheaper for everyone involved, and people are more likely to use it if they can download it (as opposed to something they have to order and ship and wait for). And the goal for use is that we want these things to be used.
That last sentence is really poignant: And the goal for use is that we want these things to be used.

For serious, though, it seems like a good idea.

whole article: http://massively.joystiq.com/2011/03/15 ... -hartsman/

Ostrich
1337+
Posts: 1829
Joined: Thu Feb 16, 2006 11:56 am
Location: covered in feathers

Post by Ostrich » Wed Mar 16, 2011 11:46 am

Define "fishy location". Are they talking about something similar to what Facebook uses? (If Facebook doesn't recognize the IP address as one you normally use, it makes you go through your secret questions.)

Kudos on implementing a secondary verifier (app/txt).
:>---O==={
Time falls away, but these small hours
These little wonders still remain

Xelissa
GM of DOOM!!
Posts: 3476
Joined: Wed Jan 25, 2006 1:43 am

Post by Xelissa » Wed Mar 16, 2011 12:11 pm

Full details on coin lock and hacked accounts:

We are aware that there are still issues with some of you being hacked. This is a top priority for us here at Trion and the team has been working to address the situation. As we posted last week, there have already been a number of updates put in place. We are also introducing another function that should make it into the game early this week.

Coin Lock

Users will be coin locked if they log in from a significantly different location or computer.* When their account is coin locked, they will be sent an email to the address that they have on their account (their login email) with a code to enter into the game.

Users will see the Coin Locked icon in the spot where their tutorial button shows up. Deactivating the tutorial tips will not turn off the Coin Locked button.

While in a Coin Locked status, users will have the following limitations:
• No access to the auction house
• No ability to SEND mail. Users can still receive and view mail as well as remove items from mail
• No ability to SELL to vendors. Users can still purchase items from vendors
• No ability to salvage, runebreak or destroy items
• No ability to trade
• Users can continue to play and gain coin and items, but cannot get rid of them.

If you are Coin Locked, simply click on the Coin Locked icon and enter the code found in your email from Trion.

*You will only have to enter the code once for each computer at a given location. If you play from multiple locations, or on multiple computers, you will have to enter your code the first time you log in from each new location or computer.

If you log in and your account is coin locked, check your email! Someone may have logged in from another location with your account.

If you do not receive the email, please click on the Coin Locked icon and click the “Resend” button to have the email resent to you.

If you cannot access your email or you are otherwise unable to change your Coin Locked status, please contact Customer Service.

We're also working on the addition of two-factor authentication at the login level, which will let you use an app or a cell phone as a way to ensure that you're the one logging on. (You may have heard of this in other products as a SecurID or an Authenticator.) We'll be sharing specifics on that as soon as we can as well.

If you have been hacked:

Contact Customer Support immediately. The CS Team is responding as quickly as possible to restore accounts for those who have been hit.

We assure you this matter is very important to us and we are doing everything we can to resolve your issues and safeguard your account.
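
The coin-lock behaviour described in the announcement above, modelled as an added example (not Trion's code and not part of any post in this thread). The `Account` and `Session` classes, the action names and the 8-hex-digit code format are assumptions; the deny-by-default allowlist is a design choice of this sketch, so any action the announcement does not list as still available is refused while locked.

```python
import hmac
import secrets

# Deny by default: only what the announcement says stays available (names assumed).
ALLOWED_WHILE_LOCKED = frozenset({
    "play", "loot", "receive_mail", "take_mail_attachment", "buy_from_vendor"})

class Account:
    def __init__(self, email):
        self.email = email
        self.trusted = set()  # (computer, location) pairs that have been verified
        self.outbox = []      # stand-in for the mail system: (address, code)

    def login(self, computer, location):
        return Session(self, (computer, location))

class Session:
    def __init__(self, account, origin):
        self.account, self.origin, self.code = account, origin, None
        if origin not in account.trusted:  # new computer or new location
            self._send_code()

    @property
    def coin_locked(self):
        return self.code is not None

    def _send_code(self):
        self.code = secrets.token_hex(4)  # constructed format: 8 hex digits
        self.account.outbox.append((self.account.email, self.code))

    def resend(self):
        if self.coin_locked:  # a fresh code replaces the old one
            self._send_code()

    def unlock(self, submitted):
        if self.coin_locked and hmac.compare_digest(submitted, self.code):
            self.account.trusted.add(self.origin)  # asked once per pair
            self.code = None
        return not self.coin_locked

    def can(self, action):
        return not self.coin_locked or action in ALLOWED_WHILE_LOCKED

def demo():
    acct = Account("player@example.test")  # constructed sample data
    s = acct.login("pc-home", "city-A")
    locked = [s.can(a) for a in ("buy_from_vendor", "sell_to_vendor", "trade")]
    wrong = s.unlock("not-the-code")
    right = s.unlock(acct.outbox[-1][1])
    return (locked, wrong, right, s.can("trade"),
            acct.login("pc-home", "city-A").coin_locked,
            acct.login("laptop", "city-A").coin_locked)
```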

Xelissa
GM of DOOM!!
Posts: 3476
Joined: Wed Jan 25, 2006 1:43 am

Post by Xelissa » Wed Mar 16, 2011 12:12 pm

Hacked Account what-to-do:
At this time we are experiencing an extremely high volume of requests for support and are taking a much longer than expected time to get to your requests. We do appreciate your patience, as well as your part in helping to create this wonderful problem to have.

Please know that this is not the level of customer service, nor the speed of response that you should expect from Trion Worlds Inc. We are taking steps to correct this situation as quickly as possible, however it will take us some time to get to the level of staffing necessary to provide the support that you deserve.

There are a couple of things that you may be able to do to help us get you the assistance you need as quickly as possible.

1. Our first priority is helping anybody whose account may have been compromised. If your account has been compromised please know that you are our top priority and we are getting to you as quickly as possible. When submitting a ticket for assistance of this kind please ensure that you select “Hacked Account” as your category in order to get the fastest possible resolution. Please also title your page as “hacked account” and include the character name and shard that has been compromised.

2. If your issue has self-resolved or if you no longer need assistance please close your ticket by typing /cs and then hitting the “Close Issue” button.

3. If you are reporting somebody trying to sell plat (which you shouldn’t be seeing much of anymore) then please left click the player’s name and use the report spam option. This allows us to both investigate the issue as well as consistently improve our spam filter to get these aggravations out of Rift.

Thank you for helping to make Rift the success that it is. We greatly appreciate your support and value you as a customer. We apologize for delays in responding to your requests and thank you for your continued patience while we make the changes necessary to provide the customer support and experience that you should expect from Trion.

GM Giant
Manager - In-Game Support

shimdic
Yeah, I probably hate your team.
Posts: 2737
Joined: Sun Jul 16, 2006 3:30 am
Location: Arizona

Post by shimdic » Fri Mar 18, 2011 1:32 am

All I got was a generic response, same thing posted on their forums. How much longer do I need to wait?

Xelissa
GM of DOOM!!
Posts: 3476
Joined: Wed Jan 25, 2006 1:43 am

Post by Xelissa » Sat Mar 19, 2011 2:02 pm

From the forums it sounds like you have two options:
1. Wait for your account to get rolled back to the pre-hacked state
2. Apply to have your money restored (sounds like turn-around for this is much, much shorter) and forge onward.

It also seems like people who call CS have their issues resolved much quicker in most cases.

shimdic
Yeah, I probably hate your team.
Posts: 2737
Joined: Sun Jul 16, 2006 3:30 am
Location: Arizona

Post by shimdic » Sat Mar 19, 2011 4:44 pm

I've been trolling the official forums and phone calls don't seem to help always. Also, read this quote from the forum, some guy found an exploit in the security functions:
ATTENTION TRION - I HAVE VERIFIED THE AUTHENTICATION SYSTEM CAN BE BYPASSED, BY SUCCESSFULLY LOGGING INTO ANOTHER ACCOUNT WITHOUT NEEDING ITS CREDENTIALS.

Just successfully logged into a friend's account (with his permission, and while he watched) without knowing his username or password, by bypassing the auth system entirely. Worse, all it took was about thirty seconds of time once I got all of the details locked down.

I did trigger Coin Lock, but I was fully able to access that handy delete-character button, so this exploit is a griefer's dream.


This is a huge security hole. Accounts can be accessed without needing any information at all from clients.


I will not post details on how to do this (so don't ask), but I'm positive that I can reproduce this at will and likely on any account on the system. Someone at Trion probably needs to send me a PM, very, very quickly so we can go over the exploit's specifics and how to detect - and stop - it. (Or I could always log into a GM account and watch the fun that would ensue.)


As an aside, this is one of those times I wish I wasn't correct about a suspicion...

shimdic
Yeah, I probably hate your team.
Posts: 2737
Joined: Sun Jul 16, 2006 3:30 am
Location: Arizona

Post by shimdic » Sat Mar 19, 2011 4:54 pm


Nokturnal
Frenzy Spammer
Posts: 2965
Joined: Fri Jan 27, 2006 4:12 am

Post by Nokturnal » Sat Mar 19, 2011 6:06 pm

That's awesome

shimdic
Yeah, I probably hate your team.
Posts: 2737
Joined: Sun Jul 16, 2006 3:30 am
Location: Arizona

Post by shimdic » Sun Mar 20, 2011 3:34 am

Good thing there wasn't a guild vault to raid. My patience is running thin, too.
