marshalleck Posted January 29, 2012 (edited)
No, it was not. The authenticator protects SWTOR and ONLY SWTOR and it did that correctly, if you choose to link accounts to services that have no authenticator then that's not a failure of the Auth system. There is no choice in this. An EA account is automatically linked to SWTOR and vice versa. Bottom line: under no circumstance should an unprotected account be allowed to make changes to a protected account without satisfying the protected account's security requirements first. Edited January 29, 2012 by marshalleck
MrTijger Posted January 29, 2012
Psst. EA/Bioware chose to do this on your behalf a few months ago. Even if you haven't signed up for Origin you now have an origin account. Make sure you send them a thank you note. Already had one and I purposely bought my copies via Origin, I was also aware of the linking, still doesn't make any difference to anything, the Auth key stopped them from getting into SWTOR which is its only job.
Kelvian Posted January 29, 2012
I have a question and hope you all can answer. I have an account for TOR, it's a valid account. I use the same information to log into EA or Origin and get "User Name or Password is Invalid." Are these accounts truly linked and why don't my credentials work on those sites? Maybe because they are not truly linked, I have my origin account under a different email account as well as a different one for my EA account. I have some 10 different email accounts including my 3 business accounts. If your accounts are actually linked I would suggest either changing that information or having those accounts closed or removed, if you do have them linked then it does create a bit of a risk.
Arenzael Posted January 29, 2012
Authenticators can be easily hacked by a man-in-the-middle attack. No protection is 100% ever. http://en.wikipedia.org/wiki/Man-in-the-middle_attack
MrTijger Posted January 29, 2012
There is no choice in this. An EA account is automatically linked to SWTOR and vice versa. Bottom line: under no circumstance should an unprotected account be allowed to make changes to a protected account without satisfying the protected account's security requirements first. You can use a separate email address to make a new account. The Auth system protects SWTOR, nothing else, that's the bottom line.
GHeissi Posted January 29, 2012
Already had one and I purposely bought my copies via Origin, I was also aware of the linking, still doesn't make any difference to anything, the Auth key stopped them from getting into SWTOR which is its only job. Please read some information about two factor authentication. The whole system builds around the fact that protected information can not be accessed without the two credentials. If you are certain that your security token was not compromised, then a third party could not have accessed your information. But this is not the case. Even if your token has not been compromised, your information could have been, thus invalidating the additional security of a two factor authentication system.
Kelvian Posted January 29, 2012
There is no choice in this. An EA account is automatically linked to SWTOR and vice versa. Bottom line: under no circumstance should an unprotected account be allowed to make changes to a protected account without satisfying the protected account's security requirements first. I have to disagree with you. I can not log on to EA using my SWTOR account information. I get "Your user name and/or password are invalid." My EA account is under a completely different account than my SWTOR account.
MrTijger Posted January 29, 2012
Please read some information about two factor authentication. The whole system builds around the fact that protected information can not be accessed without the two credentials. If you are certain that your security token was not compromised, then a third party could not have accessed your information. But this is not the case. Even if your token has not been compromised, your information could have been, thus invalidating the additional security of a two factor authentication system. Again, that is not what the Authenticator is for, it's there to protect access to the game which it did, if you get a keylogger you are already beyond compromised to begin with.
Ellif Posted January 29, 2012
5 minutes? Source? 15-30 seconds is standard for this sort of device. Just tried this, went to log into the launcher. Put in my authenticator code (android app) and then wandered off without pressing login. Came back just over 5 minutes later and hit login. It accepted the code. Not sure what the actual timeout is for these but it seems set way too long.
corbanite Posted January 29, 2012
Yes, it was bypassed. On the SWTOR system itself you need it to access the 'my account' area. You don't need it to change the protected info when you go through the origin system. Nope you got keylogged.. Info sent and input immediately to log into your account. Code is good for a good many seconds.
GHeissi Posted January 29, 2012 (edited)
Again, that is not what the Authenticator is for, it's there to protect access to the game which it did, if you get a keylogger you are already beyond compromised to begin with. Wrong. Only one factor was compromised (RSA implementation ensures that a valid token can only be entered once), this is the reason to implement multiple factors, you need a valid combination of all factors to compromise the system. Edited January 29, 2012 by GHeissi
corbanite Posted January 29, 2012
Nope you got keylogged.. Info sent and input immediately to log into your account. Code is good for a good many seconds. Err, hope they do not stop the security question security if you use an authenticator, because security questions protect against change of IP.
GHeissi Posted January 29, 2012
Nope you got keylogged.. Info sent and input immediately to log into your account. Code is good for a good many seconds. Nope, a valid code will be invalidated, once entered. Of course the whole system would be pointless, if you can use a keylogger to circumvent the authenticator.
Mikkeos Posted January 29, 2012
Nope, a valid code will be invalidated, once entered. Of course the whole system would be pointless, if you can use a keylogger to circumvent the authenticator. Negative. The code is not invalidated by a wrong logon attempt. EA chose not to do that. Once I had caps lock on and tried to log on a couple of times (5 or 6) with the very same code. After clearing the password and typing it in correctly I could log on fine - still with the first code generated.
GHeissi Posted January 29, 2012
Negative. The code is not invalidated by a wrong logon attempt. EA chose not to do that. Once I had caps lock on and tried to log on a couple of times (5 or 6) with the very same code. After clearing the password and typing it in correctly I could log on fine - still with the first code generated. Wow. You enter the valid authenticator code and an invalid password and the authenticator code is still valid after that? That's a problem.
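
As an added example (not part of any post in this thread, and not EA or BioWare code), a minimal RFC 6238 verifier shows the two server-side behaviours argued over above: a bounded acceptance window and one-time use of a code. The class name, the 30-second step, the one-step drift allowance and the choice to burn a code even when the password is wrong are assumptions for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per code (RFC 6238 default; assumed here)
DIGITS = 6

def totp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP value for one time-step counter (HMAC-SHA1)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

class Verifier:
    """Hypothetical per-account verifier state kept by the server."""

    def __init__(self, secret: bytes, drift_steps: int = 1):
        self.secret = secret
        self.drift = drift_steps   # steps of clock skew tolerated each way
        self.last_used = -1        # highest counter already consumed

    def _match(self, code: str, now: float):
        """Return the counter the code belongs to, or None."""
        current = int(now) // STEP
        for c in range(current - self.drift, current + self.drift + 1):
            # Counters at or below last_used are never accepted again.
            if c > self.last_used and hmac.compare_digest(
                    totp(self.secret, c), code):
                return c
        return None

    def login(self, code: str, password_ok: bool, now: float) -> str:
        counter = self._match(code, now)
        if counter is None:
            return "bad-code"      # expired, replayed or simply wrong
        # Burn the code as soon as it is presented, whatever the password
        # check says, so a captured code cannot be retried.
        self.last_used = counter
        return "ok" if password_ok else "bad-password"
```

With these settings a code is accepted for at most about 90 seconds around its own step, and a second presentation of the same code fails even if the first attempt had the wrong password.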
Mikkeos Posted January 29, 2012
Err, hope they do not stop the security question security if you use an authenticator, because security questions protect against change of IP. I have not seen a security question pop up since I enabled the iPhone authenticator. I can switch ISP without having to log back into the game. I am just being kicked to the server select screen and can continue from there. EA/BW play clueless when it comes to security concerns.
Verain Posted January 29, 2012
OP is completely right. The only way to remove an authenticator is by using the authenticator (preferably twice), or calling customer support- basically, just copy Blizzard, who did it correctly.
As to all of you with ludicrous non-advice such as "herp derp don't browse teh pornoz" and "guard your machine and you'll be fine"... There's PLENTY of ways to get logged. Some actually don't involve doing anything "wrong"- you could be running a fully secure computer and get logged, without one opcode of malicious code ever running locally.
Secondly, some people don't have multiple computers per household, or only have one gaming box that is entertainment to others. If you have a kid sister, mother, or grandmother using your machine, you simply need a way to deal with the virii once they hit, because they will, and it is not always obvious when you need to reinstall, when you need to just run antimalwarebytes, and when you need combofix.
Browsing mainstream sites, I got a drive-by-download once in Opera of all things (normally considered a pretty secure browser). I knew it RIGHT away, and I powered off and continued playing on my laptop. But pulling it out of the machine took nearly a week (it was the "antimalwaredoctor" malware thing). Some people could be fooled by the fake scan, and others could just never notice- if anyone but me had seen it happen, nope, it would be terrible. As it was, what I did to "deserve" it was running the latest version of a browser (that I no longer really trust- I browse most sites with firefox with noscript, and known good sites I will browse in chrome at times), and it had some mouseover exploit thing going on where mousing across an advert launched the malware downloader.
Long story short: authenticator is necessary and great, but everything that the OP said needs addressing.
thomasgallant Posted January 29, 2012
The general forums however are probably not the best place to tell the world that there is a major security leak that people can abuse to hack into other accounts.... I'd have suggested a call or an email to CS or something less public.
unclekaula Posted January 29, 2012
Soo... The key authenticator worked and she's saying it was supposed to stop people from logging into her origin account too? Isn't it supposed to only stop them from logging into the game/swtor account?
DavesTheName Posted January 29, 2012
You know, I've never had any sympathy for people who get hacked. 3 years of WoW, 1 year of LotRO, 2 years of EVE (on and off) oh and 1 year of Maplestory (my guilty little secret). For only 1 year of all that time did I actually use an AV, and a free one at that. For all of it I had my firewall off. Never been hacked. How you can have all that security as well as an authenticator and STILL get hacked... I can only imagine what kind of websites you've been downloading things from.
Saitada Posted January 29, 2012 (edited)
You can't even log into the swtor.com website and change the info without the Auth key. Nope.. but you CAN change your SWTOR info via an EA/Origin account WITHOUT an auth key. Which is the point the OP is making. His EA/Origin account was compromised, and e-mails/passwords were changed for his SWTOR account, through the EA/Origin account, when the persons who hijacked his account, changed the information on EA/Origin.
I'm not understanding how you guys are unable to understand how this is a serious security issue. It doesn't matter if you have a security fob if you can get all your account info changed for SWTOR, by someone nailing your EA/Origin account. You get locked out of the game, because this method of tying in accounts like they have done is inherently dangerous and in effect, bypasses the entire point of having an authenticator because even though they may not be able to get into the game, they can still change your account information through EA/Origin. That is a major, glaring flaw in basic security of your account on their end.
Not to mention, not everybody has an authenticator. I'd venture to suggest that at least 1/2 the players if not more don't (just a guess, no info to back this up, but knowing gamers.. it wouldn't surprise me if less than half the accounts were not tied to authenticators).
~Saitada Edited January 29, 2012 by Saitada
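
The linked-account problem described in this thread, modelled as an added example (not from any post, and not EA or BioWare code): a credential change that propagates to every linked service is authorised against the entry service only in the flawed check, and against the union of all linked services' requirements in the strict one. The service names `store` and `game`, the factor labels and all function names are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    # One shared identity record. 'requires' maps each linked service to
    # the factors that service demands before a sensitive change.
    email: str
    requires: dict = field(default_factory=dict)

@dataclass
class Session:
    service: str          # service the user logged in through
    factors: frozenset    # factors proven during this session

def missing_weak(acct: Account, sess: Session) -> frozenset:
    # Flawed: only the entry service's own requirement is considered,
    # although the change will also apply to the other linked services.
    return frozenset(acct.requires[sess.service]) - sess.factors

def missing_strict(acct: Account, sess: Session) -> frozenset:
    # The change reaches every linked service, so the session must meet
    # the union of their requirements (the strictest one wins).
    needed = frozenset().union(*acct.requires.values())
    return needed - sess.factors

def change_email(acct: Account, sess: Session, new_email: str, check) -> bool:
    """Apply the change only if the chosen check reports nothing missing."""
    if check(acct, sess):
        return False      # step-up needed: some required factor is missing
    acct.email = new_email
    return True

def demo():
    """Constructed scenario: password-only store session, game needs TOTP."""
    reqs = {"store": {"password"}, "game": {"password", "totp"}}
    sess = Session("store", frozenset({"password"}))
    weak = change_email(Account("a@example.test", reqs), sess,
                        "x@example.test", missing_weak)
    strict = change_email(Account("a@example.test", reqs), sess,
                          "x@example.test", missing_strict)
    return weak, strict   # (True, False)
```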
Amarinth Posted January 29, 2012 (edited)
Well I learned through my ordeal that since your Origin and SWTOR accounts are linked that if your Origin / EA account is compromised and the password or Email is changed it completely bypasses your security authenticator and changes your SWTOR info. I pointed this problem out weeks ago to Bioware. They didn't even read my ticket and gave me some crappy auto-response about how authenticators work... Edited January 29, 2012 by Amarinth
thomasgallant Posted January 29, 2012
I pointed this problem out weeks ago to Bioware. They didn't even read my ticket and gave me some crappy auto-response about how authenticators work... You can not be sure they didn't read your ticket even if you received an auto response.. the auto responses are ...well...automatic and they choose keywords from your ticket...well .. automatically and send a reply automatically with said keywords it chose... automatically. It still doesn't mean that it isn't read by someone.
Toweleeeie Posted January 29, 2012
Virus protection is for noobs. They really don't help very much. Smart surfing is much better than any antivirus.
Saitada Posted January 29, 2012 (edited)
You can not be sure they didn't read your ticket even if you received an auto response.. the auto responses are ...well...automatic and they choose keywords from your ticket...well .. automatically and send a reply automatically with said keywords it chose... automatically. It still doesn't mean that it isn't read by someone. True... however.. it also doesn't mean someone does. I've had drone messages sent to me in response to bug reports, that literally had NOTHING AT ALL to do with the bug report.. that were then closed w/o any further clue as to whether someone actually read it or not. Hate to say this about a company I really want to like.. but their Customer Service and in game petition responses and follow up... are horrid.
~Saitada Edited January 29, 2012 by Saitada