Page 3 of 4
Results 41 to 60 of 68
  1. #41
    The Hatchery sirgog's Avatar
    Join Date
    Apr 2007
    Posts
    17,127

    Default

    One thing I strongly suggest to Turbine to prevent keyloggers:

    Have the client require, in addition to a username and password, that you select your date of birth (or a 3-4 digit passnumber) from drop-down menus.

    That way, someone that installs a keylogger on your system won't be able to steal your password unless they are also screenwatching you. Screenwatching is *very* resource intensive on the computer being observed, and is thus very easy to detect (the computer that is playing DDO while screenwatched will be slowed noticeably). Plus, it's just not worth the effort for hackers.
    I don't have a zerging problem.

    I'm zerging. That's YOUR problem.

  2. #42
    Founder & Hero Vordax's Avatar
    Join Date
    Feb 2006
    Posts
    2,222

    Default

    Quote Originally Posted by Bogenbroom View Post
    - password suggestions are nearly useless. They *need* to be enforced via the software. We've been yelling into the wind at our constituents for years. It wasn't until we were able to enforce that any traction was seen. We could had been able to see many users with 10-15 year old passwords before we made them change them. Reasonably strong passwords with somewhat frequent enforced changes are a good middle ground between security and ease of use.
    Forcing password changes I think is counterproductive. At my work IT has a 90 day password change policy. Me and the other developers were talking about this and everyone did one of 2 things. They either wrote the password down and kept it under their keyboard, or like me kept the same password and alternated which letter in the password was capitalized. Neither of these 2 options makes anything any more secure.

    Vordax

    Politics is supposed to be the second oldest profession. I have come to realize that it bears a very close resemblance to the first. - Ronald Reagan

  3. #43
    Community Member Bogenbroom's Avatar
    Join Date
    Jun 2006
    Location
    New Hampshire
    Posts
    1,766

    Default

    Quote Originally Posted by Vordax View Post
    Forcing password changes I think is counterproductive. At my work IT has a 90 day password change policy. Me and the other developers were talking about this and everyone did one of 2 things. They either wrote the password down and kept it under their keyboard, or like me kept the same password and alternated which letter in the password was capitalized. Neither of these 2 options makes anything any more secure.

    Vordax
    I would agree that overly aggressive change schedules are counterproductive. And, believe me, that is a conversation we had here in our IT SecCom meetings. Our needs here are different since we have users handling other people's PII, including things covered by FERPA and HIPAA, but for a system like this... being a game giving access to CC access (even if the CC info isn't retrievable, just usable) a yearly basis should be more than adequate.

    While that won't do a whole lot to lock out an already compromised account it does achieve at least 2 important goals.

    1) It will tend to make your DDO account password not sync up with every other password you use, or at least help toward that goal, and
    2) It will allow for changes to password policy. Without it you have an issue getting changes into old passwords... since those passwords never have to be changed. We had that problem here for a long time.
    Bogenbroom's DDO Wishlist.......Tolero's guide to actionable feedback
    Bogenbroom's legion... 83 characters, 3 accounts, and 1 irate wife.
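One way to get a new password policy applied to old passwords, the second goal in the post above, is to check it at login, the only moment the server sees the plaintext. This is an added example, not code from the thread or from Turbine; the record layout, policy values and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Assumed current policy; the numbers are illustrative, not a recommendation
# taken from the thread.
CURRENT_POLICY = {"version": 2, "min_length": 12, "iterations": 200_000}


def hash_password(password, salt, iterations):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_record(password, policy_version, iterations):
    """Build the stored credential record for one account."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "iterations": iterations,
        "hash": hash_password(password, salt, iterations),
        "policy_version": policy_version,
    }


def meets_policy(password, policy):
    return len(password) >= policy["min_length"]


def login(record, password, policy=CURRENT_POLICY):
    """Return (authenticated, must_change) and upgrade the record in place."""
    candidate = hash_password(password, record["salt"], record["iterations"])
    if not hmac.compare_digest(candidate, record["hash"]):
        return False, False
    if record["policy_version"] >= policy["version"]:
        return True, False
    if meets_policy(password, policy):
        # Old password already satisfies the new rules: re-hash it with the
        # current work factor and stamp the record, no user action needed.
        record.update(make_record(password, policy["version"], policy["iterations"]))
        return True, False
    # Correct password that predates the policy and fails it: let the user
    # in only as far as the change-password step.
    return True, True


if __name__ == "__main__":
    # Constructed sample accounts created under an older, weaker policy.
    weak = make_record("dragon1", policy_version=1, iterations=1_000)
    strong = make_record("correct horse battery", policy_version=1, iterations=1_000)
    print(login(weak, "dragon1"), login(strong, "correct horse battery"))
```

Accounts that never log in are never upgraded, so a cutoff date for dormant accounts is still needed.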

  4. #44
    Community Member Anthorin's Avatar
    Join Date
    Jun 2009
    Location
    London
    Posts
    233

    Default

    Quote Originally Posted by delicious.crab View Post
    I've always been a fan of the initial letter mnemonic.
    We the People of the United States of America = wtpotusoa
    when in the course of human events it becomes necessary = witcoheibn
    add punctuation where it occurs.
    song lyrics work pretty well too.

    fairly random, yet easy enough to remember.

    So "delicious.crab" would be DC. I think I know you from online ;-P

  5. #45
    Community Member
    Join Date
    Nov 2009
    Posts
    4,822

    Default

    For those wanting an extra password:

    https://usa.visa.com/personal/securi...ient=firefox-a

    Get an extra layer of security when you shop online

    In addition to our other ways of preventing, detecting, and resolving fraud, we offer Verified by Visa, a free, simple-to-use service that confirms your identity with an extra password when you make an online transaction.

    How it works

    1. Activate the Verified by Visa feature
    Enroll your credit or debit card in the Verified by Visa program now, on your participating card issuer's website or while shopping online.

    2. Shop at participating online merchants
    Visit online merchants that display the Verified by Visa symbol for an added layer of protection.


    3. Enjoy enhanced security
    Enjoy added peace of mind. Activate Verified by Visa on your Visa credit and debit cards.
    (4. ???? and 5. Profit)

    Only thing is, Turbine is not a #2


    Quote Originally Posted by MajMalphunktion View Post
    *Handwraps. Yes we know. Here is my known issue for handwraps. Hand wraps in assorted flavors are borked.

  6. #46
    Community Member KraahgDaAxe's Avatar
    Join Date
    Feb 2009
    Posts
    346

    Default

    Quote Originally Posted by KraahgDaAxe View Post
    This is obviously a trollish statement or a bad attempt at a joke. You are probably attempting to joke, but in reality you are deflecting from a very serious problem.



    I don't know where you work but where I work and have worked in the past, social engineering is a serious threat. I have been on the IT side of numerous calls where somebody was attempting to garner a password that wasn't theirs. They didn't already have the password. This is mainly because password security was way behind software/operating system security. This has been changing in the past 5 years or so, but it's still behind. The main reason it's still behind? Because normal computer users don't want complicated passwords because complicated is complicated.

    From my 10+ years in IT, social engineering has, BY FAR, been the most prevalent "hack" for getting passwords for corporate workplaces. Personal computers are different, as the onus is on the user themselves to keep their virus/malware software up to date, but this is drastically changing as a lot of ISPs are now providing free virus software with their service in an effort to lower tech support calls, lower the user's cost and therefore making it far more likely they have up to date virus/malware software.

    Kraahg
    I guess I grossly misunderstood what you were saying then. To me, stating "They already have your password" =/= "They social engineered your password" as there are a ton of ways to get your password. Guess I need to learn to read your mind instead of what you write.

    Kraahg
    Stillz Azgoth:
    11 Dwarf Light Monk - 7th Life
    1st-Ranger-tri-class-gimp;2nd-Fighter;3rd-Pallie/Monk;4th-Pallie/Monk;5th-Dwarf-Light-Monk;6th-Fighter/Dark-Monk-yuck

  7. #47
    Founder Dex's Avatar
    Join Date
    Feb 2006
    Location
    Northern Virginia
    Posts
    281

    Default

    Agreed, and formally seconded.

    Really Turbine, there is no reasonable excuse for not implementing this, and it is a proven method.

    Like I need another rsa key to hang off my already crowded key chain, it's a great idea.

    +1 rep for the op.

    Quote Originally Posted by Vordax View Post
    Any thought of adding a SecurID type authentication option?

    http://en.wikipedia.org/wiki/File:Se..._token_new.JPG

    Vordax

    (one of your competitors offers it, would be nice to have)
    Dex (HU) - Pal 14 TR2 || Grue (DF) - Monk 12
    Dux (DR) - Bard 18 || Dox (HU) - Cleric 20
    Dax (HU) - Fighter 15 || Tyrael (HU) - FvS 13
    Broken Alliance

  8. #48
    Founder & Hero Vordax's Avatar
    Join Date
    Feb 2006
    Posts
    2,222

    Default

    Quote Originally Posted by Dex View Post
    Agreed, and formally seconded.

    Really Turbine, there is no reasonable excuse for not implementing this, and it is a proven method.

    Like I need another rsa key to hang off my already crowded key chain, it's a great idea.

    +1 rep for the op.
    The competitor charges like $8 for the key but they give a new pet to all characters. Since DDO doesn't have pets, they could give TP's instead or maybe a special cosmetic item like the bunny hat.

    Vordax

    Politics is supposed to be the second oldest profession. I have come to realize that it bears a very close resemblance to the first. - Ronald Reagan

  9. #49
    Community Member stainer's Avatar
    Join Date
    Oct 2009
    Location
    sixty-sixth layer of the Abyss
    Posts
    4,666

    Default

    Be careful on open wifi networks too. This works. Umm, someone told me.

    http://en.wikipedia.org/wiki/Firesheep

    Firesheep is an extension developed by Eric Butler for the Firefox web browser. The extension uses a packet sniffer to intercept unencrypted cookies from certain websites (such as Facebook and Twitter) as the cookies are transmitted over networks, exploiting session hijacking vulnerabilities. It shows the discovered identities on a sidebar displayed in the browser, and allows the user to instantly take on the log-in credentials of the user by double-clicking on the victim's name.
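From the defender's side, the condition the quoted Firesheep description depends on is a session cookie that can travel unencrypted. The following added example (not part of the original post) audits captured response headers for that condition; the cookie-name heuristic, finding labels and sample responses are constructed for illustration.

```python
# Heuristic (an assumption): cookie names that usually carry a login session.
SESSION_HINTS = ("sess", "sid", "auth", "token")


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, attrs) with lowercase attr keys."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_response(url, headers):
    """Return sorted (cookie_name, finding) pairs for one HTTP response.

    headers is a list of (name, value) tuples as sent by the server.
    """
    findings = set()
    over_tls = url.lower().startswith("https://")
    header_names = {name.lower() for name, _ in headers}
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(value)
        if not any(hint in cookie.lower() for hint in SESSION_HINTS):
            continue  # preference cookie, not an identity
        if not over_tls:
            # The cookie itself crossed the network in the clear.
            findings.add((cookie, "ISSUED_OVER_HTTP"))
        if "secure" not in attrs:
            # Without Secure the browser attaches it to plain-HTTP requests.
            findings.add((cookie, "NO_SECURE_FLAG"))
    if over_tls and "strict-transport-security" not in header_names:
        # Without HSTS a later http:// link or typed URL still goes out in clear.
        findings.add(("*", "NO_HSTS"))
    return sorted(findings)


# Constructed sample responses: HTTPS login that leaves the session exposed,
# and the same response with the weak settings corrected.
MIXED_SITE = ("https://forum.example/login", [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "theme=dark; Path=/"),
    ("Set-Cookie", "sessionid=3f9a; Path=/; HttpOnly"),
])
HARDENED_SITE = ("https://forum.example/login", [
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Set-Cookie", "sessionid=3f9a; Path=/; Secure; HttpOnly; SameSite=Lax"),
])

if __name__ == "__main__":
    for url, headers in (MIXED_SITE, HARDENED_SITE):
        print(url, audit_response(url, headers))
```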

  10. #50
    Community Member Lorien_the_First_One's Avatar
    Join Date
    Dec 2006
    Posts
    17,767

    Default

    Quote Originally Posted by stainer View Post
    Be careful on open wifi networks too. This works. Umm, someone told me.

    http://en.wikipedia.org/wiki/Firesheep

    Firesheep is an extension developed by Eric Butler for the Firefox web browser. The extension uses a packet sniffer to intercept unencrypted cookies from certain websites (such as Facebook and Twitter) as the cookies are transmitted over networks, exploiting session hijacking vulnerabilities. It shows the discovered identities on a sidebar displayed in the browser, and allows the user to instantly take on the log-in credentials of the user by double-clicking on the victim's name.
    Nice

  11. #51
    Community Member suitepotato's Avatar
    Join Date
    Sep 2006
    Location
    Dystopia, CT
    Posts
    2,253

    Default

    Quote Originally Posted by sirgog View Post
    One thing I strongly suggest to Turbine to prevent keyloggers:

    Have the client require, in addition to a username and password, that you select your date of birth (or a 3-4 digit passnumber) from drop-down menus.

    That way, someone that installs a keylogger on your system won't be able to steal your password unless they are also screenwatching you. Screenwatching is *very* resource intensive on the computer being observed, and is thus very easy to detect (the computer that is playing DDO while screenwatched will be slowed noticeably). Plus, it's just not worth the effort for hackers.
    Visuals are best. Customers should upload their own image or select from one of hundreds. At verification use, a group of images including the proper pre-selected one is displayed. It is in a random place in the display order every time. You click the one you and you alone know that is correct.


    Welcome to Dungeons and Dragons Online: Franz Kafka Unlimited

  12. #52
    Community Member Ziindarax's Avatar
    Join Date
    Jun 2010
    Posts
    1,558

    Default

    Quote Originally Posted by English_Warrior View Post
    Sure, keeping a compromised password active for longer is better than changing it asap

    The only people that strong passwords protect you from are your friends/family/co-workers. If you can't trust your friends and family then you have bigger problems...and if you are logging into a secure personal account on a work PC you are asking for trouble.

    The reason businesses require strong passwords is because they don't want their employees hacking into restricted accounts and into each other's accounts... in that case strong passwords are exactly what you need to protect info from curious people who know each other and have a lot of "sitting in front of PC time" to guess a buddy's/the boss's password.

    When you are talking about criminal identity fraud the VAST majority of the time the crooks already have your password....it doesn't matter how strong/weak it is.
    I'd like to know where you are getting your findings about the crooks already having your password. However, I do concur with the point you are making with your last paragraph.

    Since Turbine wants to talk security, they would be wise to get rid of those ads that appear on the top of the screen of every page on this forum since Ads can be corrupted by hackers (surely, Turbine can't be THAT hard up to need ads to pay for a simple forum).
    Ziind Stargazer - Level 12 fighter/6 Barbarian/2 rogue Half-Orc (Neutral Good) - Formerly a level 20 Paladin Human - Orien

    Fernian Summer Carnival

  13. #53
    Community Member Ziindarax's Avatar
    Join Date
    Jun 2010
    Posts
    1,558

    Default

    Quote Originally Posted by KraahgDaAxe View Post
    This is obviously a trollish statement or a bad attempt at a joke. You are probably attempting to joke, but in reality you are deflecting from a very serious problem.



    I don't know where you work but where I work and have worked in the past, social engineering is a serious threat. I have been on the IT side of numerous calls where somebody was attempting to garner a password that wasn't theirs. They didn't already have the password. This is mainly because password security was way behind software/operating system security. This has been changing in the past 5 years or so, but it's still behind. The main reason it's still behind? Because normal computer users don't want complicated passwords because complicated is complicated.

    From my 10+ years in IT, social engineering has, BY FAR, been the most prevalent "hack" for getting passwords for corporate workplaces. Personal computers are different, as the onus is on the user themselves to keep their virus/malware software up to date, but this is drastically changing as a lot of ISPs are now providing free virus software with their service in an effort to lower tech support calls, lower the user's cost and therefore making it far more likely they have up to date virus/malware software.

    Kraahg

    I strongly agree with you about social engineering.

    Prior to my break from DDO to play other games, I've been noticing supposed "kids" going around on Orien (and most likely other servers) asking if they could play other people's characters. Don't let them as these are social engineers trying to steal your account, the money and items on your character, as well as any personal information tied to the account they are seeking to compromise. If someone asks if they could play your character, discreetly send a ticket reporting them (you can do this by going to "Help", and then look for "New Ticket". Once there, you can report the attempted social engineering under the "cheating" category, and file it under "Other" [Account Compromise does not let you name any individual who tries to utilize social engineering to get into your account]. Be sure to remember the name of the person attempting the social engineering).
    Last edited by Ziindarax; 01-24-2011 at 08:11 AM. Reason: Added additional advice.
    Ziind Stargazer - Level 12 fighter/6 Barbarian/2 rogue Half-Orc (Neutral Good) - Formerly a level 20 Paladin Human - Orien

    Fernian Summer Carnival

  14. #54
    Community Member picaisfun's Avatar
    Join Date
    May 2009
    Location
    Portland, OR
    Posts
    179

    Default

    I tried to change the credit card billed for vip service. I changed all the required fields in change billing options and entered new credit card to system and the old card and new one were charged. True story. Gonna call customer service today. Free to play here I come or just done

  15. #55
    Community Member altrocks's Avatar
    Join Date
    Nov 2009
    Location
    In my mind, unless I'm out of it
    Posts
    684

    Default

    Quote Originally Posted by MajMalphunktion View Post
    as for voice actors I wanted Betty White for Lolth but I got voted down.
    Khyber: Alelric - Wiz 5 (Hero), Arayaleth - Ranger 20 AA (Champion), Altrocks - Cleric 20 Radiant Servant (Champion), Zinnix - Rogue 20 Assassin (Champion)

  16. #56
    Community Member GypsasLT's Avatar
    Join Date
    Oct 2009
    Location
    in Spain
    Posts
    20

    Default How about this history >??<

    Date: 15/12/2011

    Today I became a VIP for 1 year and bought 6200 Turbine points.... had a problem with the connection to play because I use a wi-fi connection and am now trying to fix this problem.... I need to do these 4 steps and I can't find where to send them....
    -the last 4 digits of the credit card on file
    -the name of the card holder
    -the billing address on file
    -the email address you want to have on file.

    Did a ticket and did forgotten password recovery but no one is sending me anything.... I think they changed the email address too ;/

    PLEASE HELP ME !!!
    4 hours passed: I clicked on Forgotten your username? in myaccount.turbine.com and they sent me not my main user name... only 1 of 2... I clicked on Forgotten your password? and they sent me nothing.... *** is going on ?

    1 hour 30 minutes passed: I just remembered that I have a bad email on my main account; my first email was hacked a long time ago, in 2009, and my main account was with this email.... well, I hope I get the hacked email back, waiting for an answer from msn.net and Turbine support

    7 hours passed: Got an email from the hacked email recovery that I can't recover my old email.... of course, because I used it such a long time ago.... nothing new from Turbine support ;/

    1 hour 30 minutes passed: Sent the ticket again with
    -the last 4 digits of the credit card on file
    -the name of the card holder
    -the billing address on file
    -the email address you want to have on file.
    Correct 100% now. And checked my bank account in the mutibank: -45.99 euro for 6200 Turbine points and -89.99 euro for 1 year VIP membership. Nothing new.....

    10 minutes passed: omg I was about to laugh, I clicked on Edit Your Details in these forums and there is the old email that I don't have a password for, but I can't change it, it says this > The password you have entered does not match your current one. Please press the back button, enter the correct details and try again. Don't forget that the password is case sensitive. Forgotten your password? Click here!
    < (((((((((((((((((( can't change email... but can log in to the forums with this account OMG !! what do I do ! can't wait ! I wanna play !!

  17. #57
    Founder & Hero Vordax's Avatar
    Join Date
    Feb 2006
    Posts
    2,222

    Default

    Quote Originally Posted by GypsasLT View Post
    ......
    CALL THEM!! The number can be found here.

    Vordax

    Politics is supposed to be the second oldest profession. I have come to realize that it bears a very close resemblance to the first. - Ronald Reagan

  18. #58
    Community Member Xynot2's Avatar
    Join Date
    Nov 2009
    Posts
    2,243

    Default

    Quote Originally Posted by bigolbear View Post
    So... When you gonna put a separate password check on credit card purchases of DDO points. That would be a good measure towards our security that is totally in your hands.
    How's about you taking responsibility for your own financial security. There is only so much Turbine or anyone you purchase something from online can do to secure your credit card. A fine example is the banking industry hacks, Sony games and Xbox gaming. If you use a full blown CC to purchase anything online, you absorb that risk.

    I use a prepaid credit card. I only put on the card what I intend to spend plus $5 to cover any fees for using a prepaid. That way, if it gets hacked, the thief gets squat. Turbine upholds its end of the security and now you need to uphold yours. If a bank can get hacked, anyone can get hacked. Hell, there was a credit card industry hack where the hackers inserted a program into the card processing computers.

    I'm not saying Turbine doesn't have to provide security. They do have to and they fulfill that on a continual basis. But you need to shoulder some of the responsibility as well.

  19. #59
    Community Member Rog's Avatar
    Join Date
    Mar 2006
    Posts
    1,329

    Default

    I tred and was running Misery Peak out in Korthos Island and got a tell from a web site trying to sell my plat and items for hundreds of dollars. I sent in a spam report but you never know if any action was taken. It was about 0230 east coast time zone.
    mojo

  20. #60
    The Hatchery bigolbear's Avatar
    Join Date
    Dec 2009
    Posts
    1,804

    Default

    Quote Originally Posted by Xynot2 View Post
    How's about you taking responsibility for your own financial security. There is only so much Turbine or anyone you purchase something from online can do to secure your credit card. A fine example is the banking industry hacks, Sony games and Xbox gaming. If you use a full blown CC to purchase anything online, you absorb that risk.

    I use a prepaid credit card. I only put on the card what I intend to spend plus $5 to cover any fees for using a prepaid. That way, if it gets hacked, the thief gets squat. Turbine upholds its end of the security and now you need to uphold yours. If a bank can get hacked, anyone can get hacked. Hell, there was a credit card industry hack where the hackers inserted a program into the card processing computers.

    I'm not saying Turbine doesn't have to provide security. They do have to and they fulfill that on a continual basis. But you need to shoulder some of the responsibility as well.
    I do, I use a card with a (artificially low) max limit of £150 for online purchases. I still think Turbine should be using Verified by Visa, or something similar.
    Ex Euro player from devourer: Characters on orien(Officer of Under Estimated & Nightfox): Wrothgar, Cobolt, Shadeweaver, TheMetal, Metaphysical, Allfred, Razortusk and many more.
    stuff by me: http://forums.ddo.com/showthread.php...02#post4938302
