Page 2 of 4 (results 21 to 40 of 68)
    #21 Solmage (Founder)
    Join Date: Feb 2006 | Location: Top of the world, aka Canada | Posts: 4,119

    Quote Originally Posted by bigolbear:
    So... when are you going to put a separate password check on credit card purchases of DDO points? That would be a good measure towards our security that is totally in your hands.
    I recommend not putting a credit card on file and using a PayPal verified account to pay for your point purchases. (You can even use PayPal to pay with a credit card if you so desire.)
    Devs: Thanks for making Druids available to VIPs without the pack. This, more than anything, has made me want to buy the pack.

    #22 English_Warrior (Community Member)
    Join Date: Dec 2009 | Posts: 632

    Quote Originally Posted by KraahgDaAxe:
    Actually most security experts now state that changing passwords frequently isn't as beneficial as you are led to believe. It's more of an "it's changing, therefore it must be secure" feeling for the users. In all reality, strong passwords that change less frequently are better than weak passwords you change weekly. A lot of companies are moving to passphrases instead of passwords because of this.

    Kraahg
    Sure, keeping a compromised password active for longer is better than changing it ASAP.

    The only people that strong passwords protect you from are your friends/family/co-workers. If you can't trust your friends and family then you have bigger problems... and if you are logging into a secure personal account on a work PC you are asking for trouble.

    The reason businesses require strong passwords is because they don't want their employees hacking into restricted accounts and into each other's accounts... in that case strong passwords are exactly what you need to protect info from curious people who know each other and have a lot of "sitting in front of PC time" to guess a buddy's/the boss's password.

    When you are talking about criminal identity fraud, the VAST majority of the time the crooks already have your password... it doesn't matter how strong/weak it is.
    Sarlona
    Main Toons = Alphasixsix - Blackbell - Ironsack - Deltasix - Ironflute
    Euro Refugee...both in game and out.

    #23 Phoenix-daBard (Hero)
    Join Date: Dec 2009 | Location: Beaverton, Oregon | Posts: 1,257

    Quote Originally Posted by English_Warrior:
    The whole weak/strong password thing is a total red herring.
    You should see the number of dictionary attacks I have seen against my servers. We have intrusion detection systems in place to catch this, but not everyone does. So yes, a dictionary password is a bad idea.
    Last edited by Phoenix-daBard; 01-18-2011 at 02:04 PM.

    #24 KraahgDaAxe (Community Member)
    Join Date: Feb 2009 | Posts: 346

    Quote Originally Posted by English_Warrior:
    Sure, keeping a compromised password active for longer is better than changing it ASAP.
    This is obviously a trollish statement or a bad attempt at a joke. You are probably attempting to joke, but in reality you are deflecting from a very serious problem.

    Quote Originally Posted by English_Warrior:
    The only people that strong passwords protect you from are your friends/family/co-workers. If you can't trust your friends and family then you have bigger problems... and if you are logging into a secure personal account on a work PC you are asking for trouble.

    The reason businesses require strong passwords is because they don't want their employees hacking into restricted accounts and into each other's accounts... in that case strong passwords are exactly what you need to protect info from curious people who know each other and have a lot of "sitting in front of PC time" to guess a buddy's/the boss's password.

    When you are talking about criminal identity fraud, the VAST majority of the time the crooks already have your password... it doesn't matter how strong/weak it is.
    I don't know where you work, but where I work and have worked in the past, social engineering is a serious threat. I have been on the IT side of numerous calls where somebody was attempting to garner a password that wasn't theirs. They didn't already have the password. This is mainly because password security was way behind software/operating system security. This has been changing in the past 5 years or so, but it's still behind. The main reason it's still behind? Because normal computer users don't want complicated passwords, because complicated is complicated.

    From my 10+ years in IT, social engineering has, BY FAR, been the most prevalent "hack" for getting passwords for corporate workplaces. Personal computers are different, as the onus is on the users themselves to keep their virus/malware software up to date, but this is drastically changing as a lot of ISPs are now providing free virus software with their service in an effort to lower tech support calls and lower the user's cost, and therefore make it far more likely they have up-to-date virus/malware software.

    Kraahg
    Stillz Azgoth:
    11 Dwarf Light Monk - 7th Life
    1st-Ranger-tri-class-gimp;2nd-Fighter;3rd-Pallie/Monk;4th-Pallie/Monk;5th-Dwarf-Light-Monk;6th-Fighter/Dark-Monk-yuck

    #25 English_Warrior (Community Member)
    Join Date: Dec 2009 | Posts: 632

    Quote Originally Posted by KraahgDaAxe:
    I don't know where you work, but where I work and have worked in the past, social engineering is a serious threat. I have been on the IT side of numerous calls where somebody was attempting to garner a password that wasn't theirs. They didn't already have the password. This is mainly because password security was way behind software/operating system security. This has been changing in the past 5 years or so, but it's still behind. The main reason it's still behind? Because normal computer users don't want complicated passwords, because complicated is complicated.

    From my 10+ years in IT, social engineering has, BY FAR, been the most prevalent "hack" for getting passwords for corporate workplaces. Personal computers are different, as the onus is on the users themselves to keep their virus/malware software up to date, but this is drastically changing as a lot of ISPs are now providing free virus software with their service in an effort to lower tech support calls and lower the user's cost, and therefore make it far more likely they have up-to-date virus/malware software.

    Kraahg
    Oh boy... don't you even realise you are agreeing with me? I agree social engineering is by far the most prevalent way to hack accounts (that is what I said in my first post)... and that's exactly why a strong password makes no difference.

    For the third time (hopefully it will sink in this time): it makes no difference how strong your password is if it ends up in the hands of the wrong person... and in the vast majority of cases it ends up in the wrong person's hands, not because they guessed a weak password, but because you or somebody else gave it to them (or had it taken).
    Sarlona
    Main Toons = Alphasixsix - Blackbell - Ironsack - Deltasix - Ironflute
    Euro Refugee...both in game and out.

    #26 Mister_Peace (Community Member)
    Join Date: Oct 2009 | Location: Cyre | Posts: 860

    Quote Originally Posted by Hafeal:
    Except perhaps, from Turbine itself, who has yet to deliver a regular statement of TP activity of both using and acquiring said points ...
    Hear hear!
    Quote Originally Posted by havokiano:
    you are boring. And you rosik a lot. bye.
    Quote Originally Posted by suitepotato:
    With the amount of facepalming we do, it's a wonder DDO players have any noses left.

    #27 darksol23 (Community Member)
    Join Date: Oct 2006 | Location: Indiana | Posts: 708

    Quote Originally Posted by Vordax:
    Any thought of adding a SecurID type authentication option?

    http://en.wikipedia.org/wiki/File:Se..._token_new.JPG

    Vordax

    (one of your competitors offers it, would be nice to have)
    +1, I'd personally have no problem paying $10 or whatnot for peace of mind.
    Officer of the Platinum Knights of Cannith, Founder of the guild GHOSTBANE of Cannith
    Main - Death - Completionist and then some...
    Other Characters - Holy, Leap, War, Optimusprime, Intimitank, Lanfear, Can, Afkbiobrb, Garagesale, Leverpuller and many more

    #28 English_Warrior (Community Member)
    Join Date: Dec 2009 | Posts: 632

    Quote Originally Posted by Phoenix-daBard:
    You should see the number of dictionary attacks I have seen against my servers. We have intrusion detection systems in place to catch this, but not everyone does. So yes, a dictionary password is a bad idea.
    Now that part I agree with... but you would be hard pressed to find a legit website on planet earth that doesn't block dictionary attacks against its account passwords. It's so easy to do it would be criminally negligent not to do so.

    Interesting fact though... most "unique" passwords actually contain proper nouns that do not occur in a standard dictionary.
    Sarlona
    Main Toons = Alphasixsix - Blackbell - Ironsack - Deltasix - Ironflute
    Euro Refugee...both in game and out.

    #29 Lorien_the_First_One (Community Member)
    Join Date: Dec 2006 | Posts: 17,767

    Quote Originally Posted by bigolbear:
    So... when are you going to put a separate password check on credit card purchases of DDO points? That would be a good measure towards our security that is totally in your hands.
    +1

    This is a HUGE failure of security on Turbine's part. It's even a violation of the security standards for visa/mc banks in some countries.

    #30 NeutronStar (Community Member)
    Join Date: Apr 2006 | Location: Butte, Montana | Posts: 1,292

    Quote Originally Posted by TurbineCS:
    Hello everyone,

    Given the recent news about a number of popular gaming websites and online games suffering security breaches which left their account details exposed, Turbine would like to discuss account security and some steps you can take to secure your account. Account theft is an ever-present issue in the game industry. It’s also a top priority at Turbine - one that we spend significant time and resources to address every day.

    On a continual basis, the Turbine fraud team monitors all player reports, network activity, in-game behavior, and other information that may indicate fraudulent activity or account theft. We then investigate and respond in accordance with our policies. To date, all indications are that most compromised accounts have been the result of account information stolen from other gaming websites and online games.

    This is possible because many people use the same credentials to log into multiple sites and games. Additionally, other players share their usernames and passwords with people such as roommates, guild members, etc. A smaller percentage of users appear to have fallen victim to keylogging, phishing, or other technology-based attacks. While it is difficult to get to the root cause of every reported incident, there is no data to suggest that account information stored with Turbine is in any way at risk.

    Even though we are satisfied that our account system remains secure, we will continue our ongoing efforts to defend our services against known and emerging security threats. In the meantime there are several steps players can take to help protect their accounts against the most common types of account theft:
    • Change your password regularly to a new, unique password that you have never used for any other product or website.
    • Never share your username and password with anyone else or allow them to log into your account.
    • Use a home network firewall at all times and check the exception list regularly for new entries.
    • Run antivirus and malware scanning tools on a regular basis with the latest definition files.
    • Beware of phishing or spoofing scams that you receive in your mailbox, either in-game or out-of-game. In general, you should avoid clicking links in e-mail you have not requested. If you have any questions about an e-mail or chat you’ve received that claimed to come from Turbine, please contact our Customer Service team at support.turbine.com.
    • Lastly, do not purchase in-game currency from gold sellers. Never encourage your friends to purchase gold. The cash market for in-game gold is the driving force behind most account theft. If players did not buy gold, sellers would not need to steal and strip accounts. We investigate and take action on all players that receive gold from gold sellers, up to and including a permanent account suspension.

    Your security is important to all of us at Turbine, and we hope this information will help address concerns and misinformation about why account compromises occur. If you have any questions or suggestions, you may contact our Customer Service team at support.turbine.com.

    Sincerely,
    Turbine’s Anti-Fraud Supervisor
    tl;dr - don't go to porn sites and don't tell anyone your username and password.

    #31 Community Member (name not shown; quoted downthread as Lorz)
    Join Date: Sep 2006 | Posts: 2,012

    Quote Originally Posted by Lorien_the_First_One:
    +1

    This is a HUGE failure of security on Turbine's part. It's even a violation of the security standards for visa/mc banks in some countries.
    But not the USA where ALL the transactions occur. So your point is not applicable.

    Thank you and if they passed the PCI DSS compliance then they are good.

    #32 Community Member (name not shown)
    Join Date: Sep 2009 | Posts: 458
    Title: Ok,

    Quote Originally Posted by darksol23:
    ...no problem paying $10 or whatnot for peace of mind.
    Give it to me. I promise to tell you everything is fine.
    Like almost all security, it is 90% theater to give you peace of mind.

    #33 rest (Community Member)
    Join Date: May 2006 | Location: Burque | Posts: 5,602

    Technically, that's 509 words.

    #34 Rumbaar (Community Member)
    Join Date: Oct 2009 | Location: Melbourne, Australia | Posts: 4,377

    Interesting, even Tolero doesn't like being the face of these posts anymore. Thought the CUBE could be the generic face of Turbine?

    Anyways, good tips for those that don't already follow them.

    Quote Originally Posted by TurbineCS:
    We take the ability to purchase points with payments methods very seriously, and your store purchases have additional layers of anti-fraud security to prevent abuse.
    But at the very least you should be able to remove the credit card details once they are placed there.

    It's a shame the only method is to cancel the card and leave the incorrect details there.
    Leader - Ωmega Syndicate [L41] guild of Khyber|Orien - www.os.rumbaar.net
    Khyber - Eldraine - Monk | Eldaline - Favored Soul | Eldnuker - Sorcerer
    █████ - Eldalorne - Wizard | Elarawr - Fighter | Eldrainge - Ranger/Rogue

    #35 Community Member (name not shown; quoted downthread as TigrisMorte)
    Join Date: Sep 2009 | Posts: 458
    Title: hey!

    Quote Originally Posted by NeutronStar:
    tl;dr - don't go to porn sites and don't tell anyone your username and password.
    There is nothing any more dangerous about porn than anything else.
    Can't tell you how many times, while explaining how to remove a virus or removing one myself, I hear, "But I don't go to porn sites!"
    99.99% of viruses are from clicking email links, plug-ins that are not updated, or servers that are compromised or serving ads that are.

    Church lady may wish to claim "porn" as the source for all sins but it is just an attractive avenue, nothing special.

    #36 sirgog (The Hatchery)
    Join Date: Apr 2007 | Posts: 17,129

    Quote Originally Posted by TigrisMorte:
    There is nothing any more dangerous about porn than anything else.
    Can't tell you how many times, while explaining how to remove a virus or removing one myself, I hear, "But I don't go to porn sites!"
    99.99% of viruses are from clicking email links, plug-ins that are not updated, or servers that are compromised or serving ads that are.

    Church lady may wish to claim "porn" as the source for all sins but it is just an attractive avenue, nothing special.
    Download 'something' free sites are some of the worst malware sites (particularly for keyloggers).

    The number 2 source of WoW hacked accounts? Malware installed on sites purporting to offer free downloads of WoW-related software. (#1 is former customers of gold-sellers that shared their passwords for power levelling purposes; the gold seller waits three months or more, then clears the account out).

    Porn sites, however, are more likely to be looking for credit card information in their keyloggers than game passwords.
    I don't have a zerging problem.

    I'm zerging. That's YOUR problem.

    #37 Lorien_the_First_One (Community Member)
    Join Date: Dec 2006 | Posts: 17,767

    Quote Originally Posted by Lorz:
    But not the USA where ALL the transactions occur. So your point is not applicable.

    Thank you, and if they passed the PCI DSS compliance then they are good. You should really learn more about such things because it makes you look foolish.
    First off, what makes you think they passed? (I know it's shocking... but not all merchants comply, and some lie on the self eval to pass.)

    I do not believe they would pass PCI DSS. For example, you may wish to check PCI DSS SAQ D 2.0, section 3.1. They retain untruncated credit card data without due cause.

    I have certified online credit card systems, I do know a bit about how they work.

    The personal insult was uncalled for and reported.
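    As an added illustration of the truncation point raised in this post, and not code from Turbine or from the poster: a merchant that only needs to recognise a card on later visits can keep a truncated record (last four digits, a masked display string, expiry) and let the full card number go out of scope instead of storing it. The Luhn check is the standard checksum used on card numbers; the test card number below is constructed for the example, and the field names are this example's own choice.

```python
import re


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used on card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def retainable_record(pan: str, expiry_month: int, expiry_year: int) -> dict:
    """Build the only card data this example keeps after a purchase.

    The full PAN is validated here and then dropped; nothing returned
    from this function lets the original number be reconstructed.
    """
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a plausible card number")
    return {
        "last4": digits[-4:],
        # Masked form for receipts and account pages; only the last four survive.
        "masked": "*" * (len(digits) - 4) + digits[-4:],
        "expiry": f"{expiry_month:02d}/{expiry_year % 100:02d}",
    }


if __name__ == "__main__":
    # Constructed test number, commonly used in payment sandboxes; not a real card.
    print(retainable_record("4111 1111 1111 1111", 12, 2013))
```

    The record above is what a store could keep for "pay again with the card ending 1111"; the actual charge would have to go through the processor with a token it issued, which this example does not model.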

    #38 bigolbear (The Hatchery)
    Join Date: Dec 2009 | Posts: 1,804

    Quote Originally Posted by Lorien_the_First_One:
    First off, what makes you think they passed? (I know it's shocking... but not all merchants comply, and some lie on the self eval to pass.)

    I do not believe they would pass PCI DSS. For example, you may wish to check PCI DSS SAQ D 2.0, section 3.1. They retain untruncated credit card data without due cause.

    I have certified online credit card systems, I do know a bit about how they work.

    The personal insult was uncalled for and reported.
    On the subject of them not passing these regs: when I first purchased Turbine points my credit card company (Barclaycard) rang me to confirm the purchase and warned me that the company involved (i.e. Turbine) had been a source for investigations with other customers. They felt it was necessary to contact me due to this fact and the fact it registered as an overseas purchase. At that point I substantially lowered the limit on the card that I use to make internet transactions; I would encourage others to do the same.

    I can't stress this point enough: if Barclaycard thinks Turbine's security and transaction handling are a problem, then it's a problem.

    #39 Bogenbroom (Community Member)
    Join Date: Jun 2006 | Location: New Hampshire | Posts: 1,766

    Some feedback... I've been working in IT Security for the past ten+ years in a place where usability frequently overshadows security (an edu). From that perspective I would like to share...

    - password suggestions are nearly useless. They *need* to be enforced via the software. We've been yelling into the wind at our constituents for years. It wasn't until we were able to enforce that any traction was seen. We were able to see many users with 10-15 year old passwords before we made them change them. Reasonably strong passwords with somewhat frequent enforced changes are a good middle ground between security and ease of use.
    - there are numerous ways to enable ip based or attaching computer based restrictions that could heavily dent unauthorized access. Not perfect, but extremely useful for the type of targeting involved here.
    - turbine really needs a good go-to contact for security related issues. I, myself, reported a pii issue last month and never even received a response.
    - automated and self-remediate-able lockouts can provide some useful coverage for anomalous behavior, and are generally visible enough to send a positive message to the community... If they are not overdone.

    I won't speak to the store, as my background isn't ecommerce.
    Last edited by Bogenbroom; 01-18-2011 at 11:40 PM.
    Bogenbroom's DDO Wishlist.......Tolero's guide to actionable feedback
    Bogenbroom's legion... 83 characters, 3 accounts, and 1 irate wife.

    #40 Lorien_the_First_One (Community Member)
    Join Date: Dec 2006 | Posts: 17,767

    Quote Originally Posted by Bogenbroom:
    - automated and self-remediate-able lockouts can provide some useful coverage for anomalous behavior, and are generally visible enough to send a positive message to the community... If they are not overdone.
    At one point I was trying to help my gf reopen her account after things went F2P. We weren't sure about what email address was used, and we didn't know the password. We must have guessed 20+ times before we got it right. Shocking that there wasn't an auto-lockout.
