User talk:Gaile Gray/Support FAQs/New NCMA Security Feature
What "Now" Means
It occurs to me that I wrote that you can add those security questions "now" when the system won't be in place until tomorrow. So hold off on trying to do that, players, until you see the website announcement that the new feature is good to go. Thanks! -- Gaile 02:11, 2 March 2011 (UTC)
- I should clarify, as I have on the main page. The system is not using new security questions. The system uses the security questions that are presently linked to your personal NCMA. If you have questions on file, it will look at those for ownership verification. If you do not have questions on file, you may go into your NCMA and add them. And if you'd like to change your questions, feel free to do so through the Support System interface. Finally, if you do not have questions on file, there are alternatives that the system may request that will perform the same function of trying to block unauthorized access. Personally, I'd recommend setting up a few really tough, personal questions, as I think that will take advantage of this new system in the best way. -- Gaile 17:58, 2 March 2011 (UTC)
Thank you so much!
Woohoo! New security features! Thanks a bunch!! :-). --Lania 03:07, 02 March 2011 (UTC)
- I am pretty darn happy about this one, too. We need to put as many stumbling blocks to those #*%&! account thieves while still making it easy for us legit people to get onto our accounts. :) -- Gaile 05:19, 2 March 2011 (UTC)
- Indeed! — Tennessee Ernie Ford (TEF) 05:25, 2 March 2011 (UTC)
- This is very much appreciated. I'm glad ArenaNet and NCSoft acted to decrease account theft risks. --Adul 08:51, 2 March 2011 (UTC)
- I've been bitten by some stupid loser who tried to hack into my NCMA. It was a nightmare. If you need a strong password, you can have one generated for you using this site: http://strongpasswordgenerator.com/ Yes, it'll be a pain to remember. But it is better than using the same password for everything else. — Sixshot 12:12, 2 March 2011 (UTC)
- Yesterday, I read the page, got super excited about it, and immediately signed into my NCMA to set it up for this update. Then saw that it wouldn't be up until today. XD I'm certainly looking forward to it, but I have a few questions: will this be only for the NCMA, or will it be for GW itself, too? Can we set it up so that GW can only be accessed by the computers on that safe list? If not, are there any plans to make it that way, too? --Res 13:26, 2 March 2011 (UTC)
- @sixshot, Call me paranoid but I wouldn't trust any online sources of passwords, even if it is "randomly" generated. Even though that site is legitimate, it is not secured by SSL. It would be better to just make up a random password. --Lania 15:25, 02 March 2011 (UTC)
- Actually that page generates passwords locally through Javascript. SSL isn't required to secure it. --Valshia 18:38, 2 March 2011 (UTC)
- Ah, yeah that's right (There are other ones that run server-side so I just assumed...). The script is publicly available too at http://strongpasswordgenerator.com/Strongpasswordgenerator.js. From reading the script it does seem well constructed to produce a seemingly random password.... But I still won't recommend using it... The Math.random function (which that script depends on), just like any other computational random number generator, produces pseudo-random numbers and not true random numbers, and thus the passwords aren't truly random either. Pseudo-random key generators have been cracked multiple times in the past, and while the likelihood of a hacker successfully guessing the seed for the Math.random function that generated the password is very low... it's still not, IMO, as secure as possible... If the hacker knew exactly when you made the password down to milliseconds (which can be done using various computer key, mouse click, and IP packet monitoring methods...) the hacker can with some difficulty obtain the correct password.... Yep you can call me paranoid and I won't be offended :-). --Lania 19:48, 02 March 2011 (UTC)
- Yay! My account was hacked on Monday, but this'll hopefully keep it safer when I get it back. -- pling 20:28, 2 March 2011 (UTC)
- As you know, Pling, we're working on your case. I hope everything is just fine when you regain access to your account; I was very sorry to hear you were a victim of account thieves. :( -- Gaile 20:48, 2 March 2011 (UTC)
- Yep, replies have been quick so far, thanks. (If you read the original report, I apologise for its um... sternly-wordedness. It must be the Brit in me. :/) -- pling 21:45, 2 March 2011 (UTC)
- Hey Pling, I totally understand. Having someone steal your game account is extremely nerve-wracking. We all try to give a lot of latitude for the stress factor. :) -- Gaile 21:47, 2 March 2011 (UTC)
How do you identify a computer?
How does the website identify our computer to be able to tell it's authorized? IP address? Cookie? Yanna Cor & family 15:16, 2 March 2011 (UTC)
- I don't know the answer to that, but I imagine that this is information that we may not wish to make public, since account thieves would love to know as much as possible about the system to attempt to develop a work-around. If I am given clearance to give more details, I will. If I am asked to not get into specifics, I hope you'll understand that in this case, the less said the better, in the interests of keeping player accounts safe. -- Gaile 17:53, 2 March 2011 (UTC)
- Sorry Gaile, but security through obscurity is rarely useful in preventing attacks, and is likely to cause people to mistrust the new security system. This is actually a significant concern to many people (and should be to most) as a poorly chosen identifier could fairly easily result in either an inadvertent or malicious misidentification of an unauthorised machine as authorised and vice versa (e.g. IP address -> inadvertent misidentification due to DHCP assigning new address and reassigning old one). The only mechanism I can think of off the top of my head that's likely to be reasonably secure to permanently authorise a computer (or rather, a web browser on a particular machine) is to generate a one-off SSL client certificate for that machine and have the web site require that it be presented during authentication i.e. during the SSL session both client and server must authenticate themselves to each other using public/private keys. If that's the mechanism, publicly announcing it won't assist attackers, but would definitely increase trust in the new system. (Side note: damned run-on sentences ...) -- Magao 20:31, 2 March 2011 (UTC)
- Are you disagreeing with the new system, or with my declining to give details? With the latter, so be it. With the former, I feel differently. Having a system in place that notes "Hey, this person usually logs in from [this computer, this location, this whatever] and he's now logging in from another continent" seems only a good thing. And in most "hacks" (which are more accurately called "account thefts") that is what happens. Someone is playing happily from Bordeaux, Berlin, or Brooklyn, and the account suddenly logs in from Beijing. Raising a flag in those instances seems a very good concept. Asking someone a few questions that they themselves developed is just another step, beyond user name and password, to verify they are who they say they are. What's not to like with that? :) -- Gaile 20:47, 2 March 2011 (UTC)
- I think the concern is that the new security measures track the player's internet usage without disclosing how that tracking is done. If you track a player's internet usage without telling that player how you're doing it, that player may be concerned that you're also gathering other information he might not wish for you to have. --TahiriVeila 20:52, 2 March 2011 (UTC)
- I understand more clearly, now. Thanks for that added info. I'll see what I can find out. :) -- Gaile 21:07, 2 March 2011 (UTC)
- I did a bit of testing and from appearances the system isn't too different from how other online banking systems ID computers. Right now most places use flash objects to ID various aspects of that person's computer and the info is stored remotely in a secure server. Most online banking privacy notices and agreements contain rudimentary information about flash objects. I'm not sure if NCsoft MA uses flash objects (I didn't test that far yet) but I think it's something similar since it's definitely not cookies. Maybe it would be a good idea to put something like that into a new version of NCsoft's privacy policy? --Lania 21:20, 02 March 2011 (UTC)
- This is all good input, and I have shared it with the team. -- Gaile 21:28, 2 March 2011 (UTC)
- I think the idea is excellent (and would be worthwhile to apply to the GW client as well) - I was disagreeing with preferring not to give information about the implementation. Sorry for the confusion. I'm not really concerned with tracking (as someone guessed above), but with minimising the possibility of misidentifying a machine as authorised when it's not (false positive - very bad) and to a lesser extent failing to recognise a machine as authorised (false negative - inconvenience for player). The worst case scenario (for both NCSoft and players) would be for NCSoft to incorrectly accept a hack attempt because it came from an "authorised machine" that wasn't. -- Magao 03:33, 3 March 2011 (UTC)
- All very good points. (And I totally agree that I would love this "double check" on the game client, too!) I'm trying to learn more so that I can share more info about this. I'm not being cagey, I honestly need to learn the details. There was even a bit of confusion about whether this new feature asked for new security questions, or additional security questions. In fact, it does not. You can change the ones you have on your NCMA, or you can add security questions if you didn't have them in the past, but this isn't asking for more, it's simply using those on board in a new way. (I amended the text on the topical page to reflect this fact.) -- Gaile 04:22, 3 March 2011 (UTC)
- Never meant to imply that you were being cagey - I fully understand that your current knowledge of the implementation is limited and I appreciate your efforts to find and divulge more information. I guess what I'm getting at is that if there is felt to be a need to hide how it's implemented then it's either probably not secure enough (and in the end only the attackers will know that for sure), or going to be perceived as such. BTW I apologise if you felt anything I wrote was an attack - it wasn't meant to be (I've found it can often take several attempts to get what is so clear in my head into the right form in text). Cheers -- Magao 12:33, 3 March 2011 (UTC)
- I had a question... would there be any way to make it so that people can manage their authorized locations? I think this would be useful if people move to a new place and no longer want to keep a different location under the authorization list or if someone accidentally adds a connection on a public wifi network to the authorized list etc. Would it also be possible to show approximate location and the name of the ISP too by pulling the info from the IP whois database? I think that would help people who aren't familiar with IP addresses to manage their authorized connections. --Lania 19:07, 04 March 2011 (UTC)
The end for character names as login security?
First, WOOT for the new security! Now the point... As I see it, character names for GW login were a shield against NCsoft master account breaches, since they were not visible in the master account. But character names as part of login security ain't pretty, and discourages posting IGNs in forums etc. Are these new security features (shoring up security at NCsoft's end) a means to eliminate character names for game login? At least for GW2? I hope so! Although I'm also still hoping GW2 will have the option of SecurID-style hardware keys for login too. 194.216.237.25 09:22, 3 March 2011 (UTC)
- I'm wondering this as well, Gaile. Does this replace the character name login? - 129.81.99.5 18:34, 3 March 2011 (UTC)
- I really hope not. The requirement for a character name stops a lot of attacks that come from people using the same password/email everywhere, regardless of what goes on with the NCMA. I'm still hoping for an increase in game log on security (ideally with a SecurID option), not a decrease. Alara 21:43, 3 March 2011 (UTC)
- Alara, I understand your point - but I'd rather there were additional security mechanisms that do NOT involve your IGN. IGNs simply shouldn't be part of login security. As it is, I refuse to post my IGN anywhere public - and that isn't right. I should be able to freely tell people how to contact me ingame, without worrying that I just gave away 1/3rd of my login info. 194.216.237.25 11:17, 14 March 2011 (UTC)
- Character names can be sought out through social engineering (looking at people's blogs, forum posts, etc) but security questions that get prompted after a "non-trusted" computer logs in to your computer? Absolutely brilliant and better preferred. - 129.81.99.5 15:41, 4 March 2011 (UTC)
Variable IP
After verifying 'the machine' in the NCSoft master account, I received an e-mail message saying that a particular IP was added to the list of accepted machines that can enter the account, but my IP is variable, I change IPs on a daily basis. Will that mean that I'll have to verify my account every time my IP changes? Will that also mean that those that get that IP after I no longer have it won't need to verify the account? MithTalk 14:19, 5 March 2011 (UTC)
I share this concern and was actually checking if anybody already asked. If the authorized location indeed uses the IP for the authorization, then I can't make use of this feature (i.e. I'll have to answer the security question every time). Given that I will un-reserve this particular IP in less than a day, is it possible to revoke the authorization? I couldn't find any way to do this on PlayNC page. Shillo 22:39, 5 March 2011 (UTC)
- This needs to be brought up over at NCsoft. It's nice that they're implementing new security features in order to safeguard our accounts. However, the majority of us are on connections with dynamic IP addresses. Locking a computer's "location" based on the IP address of said connection is a bad idea. Granted, there are those like myself who "maintain" a 24/7 connection. The account management page needs to be updated to take advantage of the new security feature to revoke the authorized location. Please forward these concerns to the NCsoft support/technical staff so they can look into it. — Sixshot 13:39, 8 March 2011 (UTC)