
Major Security Threat - Authenticator useless


exovangam


No, it was not. The authenticator protects SWTOR and ONLY SWTOR, and it did that correctly; if you choose to link accounts to services that have no authenticator then that's not a failure of the Auth system.

 

There is no choice in this. An EA account is automatically linked to SWTOR and vice versa.

 

Bottom line: under no circumstance should an unprotected account be allowed to make changes to a protected account without satisfying the protected account's security requirements first.

Edited by marshalleck


Psst. EA/Bioware chose to do this on your behalf a few months ago. Even if you haven't signed up for Origin you now have an origin account.

 

Make sure you send them a thank you note.

 

Already had one and I purposely bought my copies via Origin. I was also aware of the linking; it still doesn't make any difference to anything, the Auth key stopped them from getting into SWTOR which is its only job.


I have a question and hope you all can answer. I have an account for TOR, its a valid account. I use the same information to log into EA or Origin and get "User Name or Password is Invalid." Are these accounts truly linked and why don't my credentials work on those sites?

 

Maybe because they are not truly linked. I have my Origin account under a different email account as well as a different one for my EA account. I have some 10 different email accounts including my 3 business accounts. If your accounts are actually linked I would suggest either changing that information or having those accounts closed or removed; if you do have them linked then it does create a bit of a risk.


There is no choice in this. An EA account is automatically linked to SWTOR and vice versa.

 

Bottom line: under no circumstance should an unprotected account be allowed to make changes to a protected account without satisfying the protected account's security requirements first.

 

You can use a separate email address to make a new account.

 

The Auth system protects SWTOR, nothing else; that's the bottom line.


Already had one and I purposely bought my copies via Origin. I was also aware of the linking; it still doesn't make any difference to anything, the Auth key stopped them from getting into SWTOR which is its only job.

 

Please read some information about two factor authentication. The whole system builds around the fact that protected information can not be accessed without the two credentials. If you are certain that your security token was not compromised, then a third party could not have accessed your information.

 

But this is not the case. Even if your token has not been compromised, your information could have been, thus invalidating the additional security of a two factor authentication system.


There is no choice in this. An EA account is automatically linked to SWTOR and vice versa.

 

Bottom line: under no circumstance should an unprotected account be allowed to make changes to a protected account without satisfying the protected account's security requirements first.

 

I have to disagree with you. I can not log on to EA using my SWTOR account information. I get "Your user name and/or password are invalid." My EA account is under a completely different account than my SWTOR account.


Please read some information about two factor authentication. The whole system builds around the fact that protected information can not be accessed without the two credentials. If you are certain that your security token was not compromised, then a third party could not have accessed your information.

 

But this is not the case. Even if your token has not been compromised, your information could have been, thus invalidating the additional security of a two factor authentication system.

 

Again, that is not what the Authenticator is for; it's there to protect access to the game, which it did. If you get a keylogger you are already beyond compromised to begin with.


5 minutes? Source?

 

15-30 seconds is standard for this sort of device.

 

Just tried this, went to log into the launcher. Put in my authenticator code (android app) and then wandered off without pressing login. Came back just over 5 minutes later and hit login.

 

It accepted the code. Not sure what the actual timeout is for these but it seems set way too long.


Yes, it was bypassed.

On the SWTOR system itself you need it to access the 'my account' area.

You don't need it to change the protected info when you go through the origin system.

 

Nope you got keylogged.. Info sent and input immediately to log into your account. Code is good for a good many seconds.


Again, that is not what the Authenticator is for; it's there to protect access to the game, which it did. If you get a keylogger you are already beyond compromised to begin with.

 

Wrong. Only one factor was compromised (RSA implementation ensures that a valid token can only be entered once), this is the reason to implement multiple factors, you need a valid combination of all factors to compromise the system.

Edited by GHeissi

Nope you got keylogged.. Info sent and input immediately to log into your account. Code is good for a good many seconds.

 

 

 

Err, hope they do not stop the security question security if you use an authenticator, because security questions protect against change of IP.


Nope you got keylogged.. Info sent and input immediately to log into your account. Code is good for a good many seconds.

 

Nope, a valid code will be invalidated, once entered. Of course the whole system would be pointless, if you can use a keylogger to circumvent the authenticator.


Nope, a valid code will be invalidated, once entered. Of course the whole system would be pointless, if you can use a keylogger to circumvent the authenticator.

 

Negative.

The code is not invalidated by a wrong logon attempt.

EA chose not to do that.

 

Once I had caps lock on and tried to log on a couple of times (5 or 6) with the very same code. After clearing the password and typing it in correctly I could log on fine - still with the first code generated.


Negative.

The code is not invalidated by a wrong logon attempt.

EA chose not to do that.

 

Once I had caps lock on and tried to log on a couple of times (5 or 6) with the very same code. After clearing the password and typing it in correctly I could log on fine - still with the first code generated.

 

Wow. You enter the valid authenticator code and an invalid password and the authenticator code is still valid after that? That's a problem. :eek:

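The last few posts argue about three separate properties of a time-based authenticator: how long a code stays valid (the "5 minutes" observation), whether a code is consumed once it has been used, and whether a wrong password burns the code entered alongside it. The following is an added example, not code from the thread or from EA/BioWare, that implements RFC 6238 TOTP and a server-side verifier so the three behaviours can be seen side by side. The secret is the RFC 6238 Appendix B test key, the timestamps are constructed, and the `window` values (1 step versus 10 steps) are assumptions chosen to contrast a tight verifier with one that tolerates the roughly five minutes of skew reported above; the reported SWTOR behaviour is modelled only in so far as the posts describe it.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP step (RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, unix_time // step, digits)


class Verifier:
    """Server-side verifier for one account's authenticator.

    window: how many steps either side of the current one are still accepted
            (1 means a code is good for roughly 30-90 s; 10 means about 5 min).
    A successfully used step, and every older one, is burned so the same code
    cannot be replayed (RFC 6238 section 5.2). A failed password attempt never
    reaches check(), so it does not burn the code; the thread reports the SWTOR
    login behaves that way, and this model does the same.
    """

    def __init__(self, secret: bytes, window: int = 1, step: int = STEP):
        self.secret = secret
        self.window = window
        self.step = step
        self.last_used_counter = -1

    def check(self, code: str, unix_time: int) -> bool:
        now = unix_time // self.step
        for counter in range(now - self.window, now + self.window + 1):
            if counter <= self.last_used_counter:
                continue  # replay protection: this step was already consumed
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_used_counter = counter
                return True
        return False


def login(verifier: Verifier, password_ok: bool, code: str, unix_time: int) -> bool:
    """Password first; the OTP is consulted (and consumed) only if the password was right."""
    if not password_ok:
        return False
    return verifier.check(code, unix_time)


def demo() -> dict:
    # RFC 6238 Appendix B test secret; a real deployment uses a random per-account key.
    secret = b"12345678901234567890"
    t0 = 1_000_000_000                     # arbitrary fixed "now" (constructed)
    code = totp(secret, t0)
    late = t0 + 5 * 60 + 10                # just over five minutes later, as in the thread

    tight = Verifier(secret, window=1)
    loose = Verifier(secret, window=10)    # 10 steps each way = 5 min of tolerated skew
    return {
        # a wrong password does not consume the code; the same code then logs in
        "wrong_password_does_not_burn_code": login(tight, False, code, t0) is False
                                             and login(tight, True, code, t0) is True,
        # ...but once it has been used successfully it is dead
        "replay_of_used_code": login(tight, True, code, t0 + 5),
        "loose_accepts_5min_old_code": loose.check(code, late),
        "tight_rejects_5min_old_code": Verifier(secret, window=1).check(code, late),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Whether a code entered with a wrong password should be burned is a policy choice; what is not optional is refusing a code that already produced a successful login, and keeping the accepted window small enough that a captured code is worthless by the time an attacker can replay it.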

Err, hope they do not stop the security question security if you use an authenticator, because security questions protect against change of IP.

 

I have not seen a security question pop up since I enabled the iphone authenticator.

 

I can switch ISP without having to log back into the game. I am just being kicked to the server select screen and can continue from there.

 

EA/BW play clueless when it comes to security concerns.


OP is completely right. The only way to remove an authenticator is by using the authenticator (preferably twice), or calling customer support- basically, just copy Blizzard, who did it correctly.

 

 

As to all of you with ludicrous non-advice such as "herp derp don't browse teh pornoz" and "guard your machine and you'll be fine"...

 

There's PLENTY of ways to get logged. Some actually don't involve doing anything "wrong": you could be running a fully secure computer and get logged, without one opcode of malicious code ever running locally. Secondly, some people don't have multiple computers per household, or only have one gaming box that is entertainment to others. If you have a kid sister, mother, or grandmother using your machine, you simply need a way to deal with the viruses once they hit, because they will, and it is not always obvious when you need to reinstall, when you need to just run antimalwarebytes, and when you need combofix.

 

 

Browsing mainstream sites, I got a drive-by-download once in Opera of all things (normally considered a pretty secure browser). I knew it RIGHT away, and I powered off and continued playing on my laptop. But pulling it out of the machine took nearly a week (it was the "antimalwaredoctor" malware thing). Some people could be fooled by the fake scan, and others could just never notice- if anyone but me had seen it happen, nope, it would be terrible. As it was, what I did to "deserve" it was running the latest version of a browser (that I no longer really trust- I browse most sites with firefox with noscript, and known good sites I will browse in chrome at times), and it had some mouseover exploit thing going on where mousing across an advert launched the malware downloader.

 

Long story short: authenticator is necessary and great, but everything that the OP said needs addressing.


You know, I've never had any sympathy for people who get hacked. 3 years of WoW, 1 year of LotRO, 2 years of EVE (on and off) oh and 1 year of Maplestory (my guilty little secret). For only 1 year of all that time did I actually use an AV, and a free one at that. For all of it I had my firewall off. Never been hacked.

 

How you can have all that security as well as an authenticator and STILL get hacked... I can only imagine what kind of websites you've been downloading things from.


You cant even log into the swtor.com website and change the info without the Auth key.

 

Nope.. but you CAN change your SWTOR info via an EA/Origin account WITHOUT an auth key.

 

Which is the point the OP is making. His EA/Origin account was compromised, and e-mails/passwords were changed for his SWTOR account through the EA/Origin account when the persons who hijacked his account changed the information on EA/Origin.

 

I'm not understanding how you guys are unable to understand how this is a serious security issue.

 

It doesn't matter if you have a security fob if you can get all your account info changed for SWTOR, by someone nailing your EA/Origin account. You get locked out of the game, because this method of tying in accounts like they have done is inherently dangerous and in effect, bypasses the entire point of having an authenticator because even though they may not be able to get into the game, they can still change your account information through EA/Origin. That is a major, glaring flaw in basic security of your account on their end.

 

Not to mention, not everybody has an authenticator. I'd venture to suggest that at least 1/2 the players if not more don't (just a guess, no info to back this up, but knowing gamers.. it wouldn't surprise me if less than half the accounts were not tied to authenticators).

 

~Saitada

Edited by Saitada
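The post above describes the flow concretely: the attacker satisfies only the Origin account's requirements (a password), and the change is then pushed to the SWTOR account, whose authenticator is never asked for. The rule stated earlier in the thread, that nothing should be allowed to change a protected account without meeting that account's own requirements, is easy to state as an authorization check. The following is an added example, not EA's or BioWare's code and not a description of their backend: a small model of linked accounts with the vulnerable policy (check only the account the request arrives through) next to the corrected one (every account the change will propagate to must be satisfied). Account names, the `Request` structure and the email values are constructed for the example.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Account:
    name: str
    email: str
    has_authenticator: bool = False   # whether an OTP device is enrolled on this account
    links: set = field(default_factory=set)


@dataclass
class Request:
    """What the caller proved when the change request arrived (assumed shape)."""
    password_ok: bool
    otp_ok: bool


class AccountStore:
    def __init__(self):
        self.accounts = {}  # name -> Account

    def add(self, acct: Account) -> None:
        self.accounts[acct.name] = acct

    def link(self, a: str, b: str) -> None:
        self.accounts[a].links.add(b)
        self.accounts[b].links.add(a)

    def linked_group(self, name: str) -> set:
        """Every account a change to `name` will propagate to (transitive closure of links)."""
        seen, queue = {name}, deque([name])
        while queue:
            cur = queue.popleft()
            for nxt in self.accounts[cur].links:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return seen

    def _satisfies(self, acct: Account, req: Request) -> bool:
        """An account's own requirement: password, plus OTP if one is enrolled."""
        return req.password_ok and (req.otp_ok or not acct.has_authenticator)

    def change_email_vulnerable(self, via: str, new_email: str, req: Request) -> bool:
        """Checks only the account the request came through, then pushes the change everywhere."""
        if not self._satisfies(self.accounts[via], req):
            return False
        for name in self.linked_group(via):
            self.accounts[name].email = new_email
        return True

    def change_email_fixed(self, via: str, new_email: str, req: Request) -> bool:
        """Every account the change will touch must have its own requirements met first."""
        group = self.linked_group(via)
        if not all(self._satisfies(self.accounts[n], req) for n in group):
            return False
        for name in group:
            self.accounts[name].email = new_email
        return True


def build() -> AccountStore:
    """Constructed setup mirroring the thread: Origin has no OTP, SWTOR has one, and they are linked."""
    store = AccountStore()
    store.add(Account("origin", "victim@example.com"))
    store.add(Account("swtor", "victim@example.com", has_authenticator=True))
    store.link("origin", "swtor")
    return store


def demo() -> dict:
    # Attacker holds the Origin password (keylogger, reuse, phishing) but not the OTP device.
    attacker = Request(password_ok=True, otp_ok=False)
    v = build()
    took_over_vulnerable = v.change_email_vulnerable("origin", "attacker@example.com", attacker)
    f = build()
    took_over_fixed = f.change_email_fixed("origin", "attacker@example.com", attacker)
    return {
        "vulnerable_changed_swtor_email": took_over_vulnerable
                                          and v.accounts["swtor"].email == "attacker@example.com",
        "fixed_refused": not took_over_fixed and f.accounts["swtor"].email == "victim@example.com",
        # the legitimate owner, who can present the OTP, still succeeds through the Origin route
        "owner_with_otp_ok": build().change_email_fixed("origin", "new@example.com", Request(True, True)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The important detail is that `change_email_fixed` evaluates the requirement over the whole linked group before writing anything, so adding a link can only raise the bar for a change, never lower it; the vulnerable version lets the weakest account in the group set the bar for all of them.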

Well i learned through my ordeal that since your Origin and SWTOR accounts are linked that if your Origin / EA account is compromised and the password or Email is changed it completely bypasses your security authenticator and changes your SWTOR info.

 

I pointed this problem out weeks ago to Bioware. They didn't even read my ticket and gave me some crappy auto-response about how authenticators work... :rolleyes:

Edited by Amarinth

I pointed this problem out weeks ago to Bioware. They didn't even read my ticket and gave me some crappy auto-response about how authenticators work... :rolleyes:

 

You can not be sure they didn't read your ticket even if you received an auto response.. the auto responses are ...well...automatic and they choose keywords from your ticket...well .. automatically and send a reply automatically with said keywords it chose...

 

automatically

 

 

it still doesnt mean that it isnt read by someone


You can not be sure they didn't read your ticket even if you received an auto response.. the auto responses are ...well...automatic and they choose keywords from your ticket...well .. automatically and send a reply automatically with said keywords it chose...

 

automatically

 

 

it still doesnt mean that it isnt read by someone

 

True... however.. it also doesn't mean someone does. I've had drone messages sent to me in response to bug reports, that literally had NOTHING AT ALL to do with the bug report.. that were then closed w/o any further clue as to whether someone actually read it or not.

 

Hate to say this about a company I really want to like.. but their Customer Service and in game petition responses and follow up... are horrid.

 

~Saitada

Edited by Saitada

