User:Lania Elderfire/Rant/Account Security

Current criticisms of Anet/NCsoft security[edit]

===Password changes are direct without intermediate authorization steps.===

The NCsoft master account account allows anyone to change the game password without knowledge of the current game password. After the password change, the victim is only informed that the password has changed and to contact support immediately if they did not change the password. This makes it such that the attacker would only need the credentials for the NCsoft master account to steal your game account.

Recent changes to NCsoft Master Account makes this a lot less important

There are no mechanisms in place to defeat keyloggers.[edit]

Lets face it, tens millions of computers around the world are infected with some type of virus/worm/keylogger/malware/etc etc. No single antivirus solution is able to detect 100% of these threats, and there are many new variants that can’t be detected by any antivirus that lacks good heuristics. Even the industry leading behavioral engine can only detect up to 75% of new threats that isn’t contained in the virus definition file. On top of that, windows firewall is not very good at detecting unauthorized outbound connections that keyloggers use to send their payload to a remote server.

There are certain things you can do to reduce the chance getting keylogged... When logging into NCMA allow the browser to remember the password, if you are using a private computer. This will allow logins without typing anything. Using a browser that allows the user to set a master password will add another layer of security since even if they keylogged the master password, they still can’t keylog the actual account credential. Also, again if you have a PRIVATE computer that ONLY you use you can use command lines for character, password, and email such that you don’t need to type anything. Now this will open the computer up to remote attacks designed to steal credentials stored in short cuts, and browser profiles. Ones that steal credentials from short cuts are very rare... in fact I’ve never heard of such a thing. However, malware that steals browser profile files do exist, but no where as common as keyloggers, but that can be mitigated by using master passwords to protect the saved passwords, if the browser supports it.

Secondary credentials needed to access the account is widely known[edit]

Character name. Now that “did” add one more level of security, however many people use their exact character names for forums and wiki user pages, while other people use variants of their in game name which can be easily matched by guessing. This made the “added” security meaningless for many people, while others forgot their ingame name because this system didn’t exist before when they quit the game. For hackers that don’t know the character name but knows the password and email, all the hacker would have to do is send a phishing email asking just for the character name. There are many ways to do this, for example, the phisher can say that” you have won a ingame prize for 15 ectos on a random NCsoft sweepstakes, please reply with your ingame name so that we can contact you in game to give you your prize.“ There are many variants to this and since they aren’t asking for the password, the victim is more likely to give away the character name. With the advent of the HOM calculator, people are more likely now to advertise their character name to show off their “stuff” despite the ability to use the in calculator link to hide the character name.

Fake emails and credentials could be used to open an GW account[edit]

Because some users used fake emails to open their GW account, when something does happen, the account owner cannot regain access to their account without a lot of hassle. Usage of fake credentials also leads to users forgetting what information they typed in when they initially registered their account, which also leads to users not being able to efficiently regain access to their account. Many users urged Anet to allow users to change the email address that is registered with the account, but so far has been met with inaction on that front. Also when emails become invalid due to changing ISP's communication using that email also becomes impossible.

===NCsoft support login is not encrypted===

This is not the NCsoft master account, it is the support page at NCsoft, here... http://help.ncsoft.com/cgi-bin/ncsoft.cfg/php/enduser/acct_login.php. If you notice, there is no https on that site. When you log into the system the login name and password is sent through as plain text, which can be easily intercepted using password sniffers in the local area network. This becomes a problem when someone has the same login name and password as the NCMA for the NCsoft support system. An easy way to avoid this issue is to simply change your password such that it is different than the NCMA. Remember there are two different log in system for NCsoft... one for support, and the other for the master account. The one for support is not encrypted while the one for NCMA is. Also if you had communicated about account keys, the hacker can take these keys from the support logs associated with the account, leading to another way of stealing your account.

Implemented. NCsoft help is encrypted.

Vulnerabilities not directly associated with NCMA or the game system.[edit]

Forums have atrocious security[edit]

Now most have heard that fourms are unsafe, don’t use the same password for everything etc etc... Why aren’t they safe? Well to start, most forums do not use SSL or any encryption techniques to encrypt the password as it gets sent for authorization. For example, Aionsource’s forum’s login and GWW/Gwiki/etc is sent via standard HTTP with no encryption. If someone on the network is using a man in the middle attack with a password sniffer, it can be easily extracted from the packet or packets containing the credentials. Guildwarsguru is a bit smarter. Their login is still unencrypted but the password is hashed via MD5 encryption. So if someone is using a password sniffer, they would get the MD5 hash for the password instead of plain text. While MD5 provides some security it is still quite easy to decrypt MD5 hashes.

Now what the heck is a man in the middle attack? This is a problem with institutions that have very large networks. The most common source of these attacks occur in corporations, universities, and generally the attack must occur locally. The attacker would either poison an unprotected wireless router with fake ARP requests to spoof the attacker’s MAC address with the victims. Now this is a multi-step process but there are malicious tool kits available that automates this. Once its’s successfully spoofed, the router sends the information to the attacker’s computer, allowing the attacker to capture packets. On a wired connection, another thing an attacker can do is to plug in their computer to a monitoring port on network routers.

Now there are ways to do with remotely, but is a lot more difficult. One would have to spread at bot-net that performs the same function as an attacker that captures passwords and poisons ARP requests automatically, as it sends captured passwords to a remote server. Also, same kinds of malware can be uploaded to major ISP’s and with knowledge of their internal network structure, they can capture any password that goes through that local ISP.

So... this is why you don’t use the same passwords for everything.

Can someone sniff my password when I log into the NCMA or when I log into guildwars?[edit]

To put it simply, that would be quite difficult to do. The NCMA login system uses SSL encryption, and while SSL is not fool proof, it would take a very dedicated hacker to crack it... and only to crack one password. It’s just not efficient to harvest passwords in this manner. The guildwars log in at first glance seems unsecure. It uses an unencrypted HTTP connection though port 80. But the login credentials are obfuscated and uses an unknown encryption scheme. But the packets containing the credentials is only about 300 bytes so it wouldn’t be unreasonable to expect that a dedicated hacker can crack it... but again we run into the same efficiency problem. Like I said before, using a keylogger is much simpler than trying to crack the encryption.