Tobold's Blog
Tuesday, April 02, 2013
Best practices in account safety

I got a mail today from EA about my Star Wars: The Old Republic login:
Beginning today, April 2, 2013, you are only able to log in to the Star Wars: The Old Republic game or web site with your Display Name – Your email address will no longer be accepted from this point forward. ... These changes increase the security of our game authentication system, which helps to keep the game protected from many security threats including account takeovers.
Which was somewhat funny, because I just recently got another mail from Ubisoft:
The login process for Ubisoft’s Uplay service will undergo a few modifications on April 3rd. Past this date, if you connect to a Uplay Account, you will need to log in using your email address. Using the Uplay account name to login to your game will no longer be possible.
Of course Ubisoft is also claiming that this change will help account security. EA thinks that a display name is safer for login, reversing a previous decision to have people login with their email address. Ubisoft does the reverse, changing from login with a display name to login with an email address.

That pretty much tells me that there is no agreement on which method is safer. And frankly, I believe neither is any good. Both your display name and your email address are easy enough to find out, so potential hackers only ever need to guess your password. What would be safer would be a UserID and password for the account, with the UserID being *different* from both your display name and your email address.

At work I have 5 systems I need to regularly access, all with their own user/pass combinations, all of which need to be changed once a month to something that was never used before, and none of them can be the same.

I keep a paper taped up next to my computer with the current info for each, so I don't have to get a password reset every couple days when I forget it. Yay security.
Cryptic had it best IMHO with Champions Online back in the day.

Login Name - how you log in

Display Name - how people see you

Email Address - How they contact you

Using either Display Name or Email Address gives hackers half the data they need already! >.<
Please, this is obvious.

Login name/display name/whatever is obviously more secure than your email address.

Your email is used for other services, exposing more personal information, and is the recipient of password resets.
Yes, the login name being neither public-forum name nor email is better.

It also depends on what "safer" means. It is probably easier to hack into the game itself with the charname (SWTOR). Yet that is arguably "safer".

I.e., you see that MasterTobold or DarthGevlon has posted on the SWTOR forums and you try to guess passwords for them. But since EA offers TFA authentication the risk is very greatly reduced for people who care about account security.

However, knowing your SWTOR name does not put you at risk outside of SWTOR. Whereas if you know the email address, you can try to hack the email site itself, many of which do not use TFA. The downside of someone getting into your email is far worse. Plus email addresses can be sold to spammers. Plus if other games/sites also use email, then you are at risk there.

I hope that in a few years we will regard current internet security as childish and inefficient.
Yep. You would think they'd put real thought into this, because hacked accounts usually require direct (human) customer service intervention, which is expensive. But even Blizzard uses your email address. Shrug.
I would argue that it doesn't really matter. Accounts get compromised in one of three ways:

1. Compromise of the user's computer or physical security, including keyloggers, losing written down passwords, or shoulder surfing. In this case both the login and password are lost at the same time.

2. Compromise of the company's servers. In this case all login information is immediately lost, though password information is hopefully hashed and will resist attack for a time. Notably, this is the only scenario where the actual complexity of the password helps against compromise.

3. Compromise of the password reset process, for instance calling customer support and providing personal information. This would require information even harder to obtain than a username/email address, so if someone is able to get that, the username/email is trivial by comparison.

People fear online brute-force attacks, but no reasonable server will let an attacker guess more than 10-20 passwords before locking them out of the account and probably IP blocking them. This is only 0.00000064% of the password space of a terrible 6-character lowercase password.
For years all MMOs required an Account name that no-one but you and the MMO company saw, plus a Password, ditto. You would choose a separate display name that would appear on the forums. In-game you would be known only by your character name and there would be no visible link between different characters.

That's the system I prefer. By all means add extra, optional layers so that people who want to be identified or found by others can make that happen, but the trend towards making everyone as visible as possible at all times is just asking for trouble and consistently finding it.
Brute force attacks are actually quite effective now that we have real password lists from hacked services floating around. But I agree, most compromises don't come from there.

Anyway, using users' email addresses to login is obviously the wrong way to go. In your situations 2 and 3, once you have the email address you're halfway there. Using a unique login name removes that exposure.
Using email address as the login ID is pretty dubious security. But switching to 'display name' seems like a pretty stupid move on TOR's part as well, to me. My email address isn't publicly viewable on the TOR forums, but my display name is. I guess their idea is that account compromises are mostly coming from external email phishing.

Unrelated: Do you use Skype? If so, I strongly suggest you collect/save some important data. My account was locked for suspicious activity recently, and they wouldn't unlock it without a boatload of data. Stuff I had no idea about. In the end, I was not actually able to use their customer service to unlock the account, and had to go back and create/reactivate an ISP email address (with a provider I no longer use) that matched the one I had registered with (in, like... 2003-4).

They want:
* Stored credit card details - first 4, last 4 digits. (Don't have a credit card? They want it anyway.)
* Date and receipt number of most recent purchase.
* Month and year of your registration.
* Email address you registered with (not your current address).
* Usernames (or display names? They refused to tell me which were acceptable) of five contacts on your contact list.

Apparently one wrong answer on any of the above results in a rejection.

Fun fact. There is no way of finding out what date you registered if you don't remember or didn't keep the 'welcome' email from, oh, maybe ten fucking years ago. If my account ever gets actually hacked instead of just flagged because I logged in from my phone and PC at the same time, and they change my contact email, I will be unable to recover the account ever again.
I think you're asking the wrong question. Not "which makes me more secure?" but "makes whom more secure?"

If your account is compromised by proxy (weak or shared credentials with other, more vulnerable sites), the company can soak the CS hit, and there will be almost no PR hit - all the major players would be hit roughly at the same time anyway, washing out the PR anyway.

Instead, they need to focus on avoiding "the next Sony." They need to keep their system safe from a PR-impacting incident. Especially since these aren't just MMO accounts, but full-fledged online accounts. These have full game license libraries and micro-transaction accumulations, while interfacing directly with first party vendors (now or in the near future, with first party being the hardware vendors).

They're merging authentication flows. It reduces possible weak-points, both in raw number, and in combination. These companies are bigger targets, with more potential attackers, than any raw MMO company of yore. The last thing they need is "oh, it's just the forum avatar system" resulting in a system breach.
A unique id is a better tool, so it is different from your regular email address and different from the account handle or a character name. For some games which use email addresses for login I create a specific email address just for that game. Not perfect, but better than my main email.
Honestly if you don't torrent you don't have much to worry about, assuming you have a small degree of common sense.
Switching away from using email makes lots of sense with huge lists of valid email/password combinations making the rounds. It's curious that Origin still uses email/password.

I had someone attempt to get into my Guild Wars 2 account this way, presumably with an email/password from Steam or Sony (although they didn't actually get in due to other NCSoft security measures.) I don't know what Ubisoft are thinking.

Nowadays every login I have gets a unique, impossible-to-guess password featuring letters, numbers and punctuation.
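An added illustration (not from the post or any commenter) of the two compromise patterns discussed in the comments above: an online brute force against one account, which a per-account lockout stops after 10-20 guesses, and the credential-stuffing pattern fed by leaked email/password lists, which a per-account lockout alone does not stop because each account only ever sees one guess. The source addresses, account names and the attempt log are constructed; the limits are parameters.

```python
from collections import Counter

# Constructed sample of login attempts as (source_ip, account, password_correct).
ATTEMPTS = [
    # Online brute force: one source hammering one publicly visible name.
    *[("198.51.100.7", "MasterTobold", False) for _ in range(25)],
    # Credential stuffing: one source, forty accounts, one leaked password each;
    # in this constructed sample every tenth leaked pair is still valid.
    *[("203.0.113.9", f"user{i}", i % 10 == 0) for i in range(40)],
    # A legitimate user who mistypes once and then logs in.
    ("192.0.2.5", "alice", False), ("192.0.2.5", "alice", True),
]

def replay(attempts, account_limit=10, ip_limit=20):
    """Replay attempts through a per-account lockout (account_limit failures)
    and an optional per-source lockout (ip_limit failures; None disables it).
    Returns per-IP counts of attempts that reached password verification and
    of successful logins, plus the sets of locked accounts and blocked IPs."""
    account_fails, ip_fails = Counter(), Counter()
    checked, successes = Counter(), Counter()
    locked_accounts, blocked_ips = set(), set()
    for ip, account, correct in attempts:
        if ip in blocked_ips or account in locked_accounts:
            continue  # rejected before the password is verified at all
        checked[ip] += 1
        if correct:
            successes[ip] += 1
            continue
        account_fails[account] += 1
        ip_fails[ip] += 1
        if account_fails[account] >= account_limit:
            locked_accounts.add(account)
        if ip_limit is not None and ip_fails[ip] >= ip_limit:
            blocked_ips.add(ip)
    return checked, successes, locked_accounts, blocked_ips

def keyspace_fraction(guesses, alphabet_size=26, length=6):
    """Share of an all-lowercase, fixed-length password space that `guesses`
    online attempts can cover (the comparison made in the comment above)."""
    return guesses / alphabet_size ** length

if __name__ == "__main__":
    for ip_limit in (None, 20):
        checked, successes, locked, blocked = replay(ATTEMPTS, ip_limit=ip_limit)
        print(f"per-IP limit={ip_limit}: checked={dict(checked)} "
              f"successes={dict(successes)} locked={locked} blocked={blocked}")
    print(f"10 guesses cover {keyspace_fraction(10):.2e} of the 26^6 space")
```

With the per-source rule disabled, the stuffing source gets all forty guesses verified and four logins; with it enabled, the source is blocked after twenty failures, while the brute-force source is stopped by the per-account lockout after ten.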
Someone asked Scott Hartsman about this during the Rift beta. He claimed that their data showed that the most common point at which people gave up on trying to sign up was at the step of picking an account name, finding their preferred name was taken, etc. Ensuring that the company would have a viable way of contacting the player was a secondary goal but the primary thought was that your personal email address would not already be taken.