
Display Name Only Log In - Coming April 2, 2013


CourtneyWoods


I notice that you purposely avoided answering the most logical way to make our accounts more secure, my suggestion to have us all create New Unique Account Names, instead of using names that can be easily gleaned off any forum we use.

 

I myself play many Online Games and use many forums and I use the same Display Name (aka. Forum Handle) in all of them. Using that as my login is not a more secure way of doing anything. What kind of "Security Expert" can ignore that simple logic?

 

:cool:

 

This. If you don't do this then you're not taking the security of your player base into account.

 

First off, we should NOT be able to use display name at the present time. You need to turn that off now.

 

Second, in your database, add a new column called ForumHandle. Update the registration form and user account to allow players to change that value. Maybe initially default it to the current user name.

 

If you do those things and people don't go change their forum handle, then that's their fault and they didn't take it seriously. While what you want to do is sound in a way, you're still making a vulnerability by not letting us change it. In fact that's exactly what STEAM allows us to do. There's a reason you shouldn't reinvent the wheel, so take a hint from your peers.


Forget about security for a second. You are not giving us control over whether the username is hidden or visible, and lack of control is obviously what's making us "vocal." It doesn't matter whether a hidden username actually increases security or not; in our minds it does. Consider the cost of implementing a hidden username or non-login forum name solely against the benefit of shutting us the hell up and having happier customers.

 

It's what you're doing with your posting, anyway, trying to get us to be less vocal. It's not working for some of us. You're using reason and logical explanations to argue against how we feel. It's not working.

 

Your user name has been visible from the minute you first posted to the forums and you had to have known that the first time you posted to the forums. If you're that upset about your user name being public, why post to the forums?


If it is any consolation, I've only spent a few minutes responding to these posts,

 

I call BS. This level of detail and attentiveness requires a much larger time commitment.

 

Don't stop the sass, Phillip. These guys need to know that

1. British people are the funniest.

2. Amateurs and arm-chair analysts are not qualified to weigh in on internet security


A couple of people have noted I use a bit of 'sass' in my replies.

 

I'm just glad you don't have to use the same sugary tone the rest of the yellow posters have to. I enjoy the frankness of your posts. Carry on. :rak_03:

Edited by johnnyreece

Eh. Can't say I mind the change. I don't really care one way or the other. It probably varies based on the provider, but I'm pretty sure Bioware's login name is more secure than my email address. Especially considering the fact the former has an authenticator, the latter only has a password. At the end of the day it doesn't matter what security measures are implemented though since people will keep invariably biting on phishing and/or filling their computers with malware, only to blame everyone but themselves for losing their accounts... Edited by Pscyon

Hello,

 

Just in advance: I'm no native speaker, so I apologize for bad or clumsy English beforehand.

 

Claim:

This new change to the log in procedure is being implemented for several reasons. This change increases the security of our game authentication system, which helps continue to keep the game protected from many security threats including account takeovers.

 

Security Tokens improve security. Answers to questions only the person asked should know improve security. Enforcing strong passwords increases security. But the above doesn't. Just to make it clear in advance: I don't mind if either display name or e-mail address is used for identifying the user, because both are equally 'secure' or 'insecure'. They are neutral pieces of information that are known to the public, public meaning here "other people than you". They identify an account, and don't authenticate or authorize. E-mail addresses are usually public, because otherwise it would defeat their purpose (which is that other people can reach you); display names are public, because you can see them in a publicly accessible forum.

 

However, thinking it would improve security by switching the identifying part of user credentials is in my book hand-waving, smoke and mirrors. Or, among security people, better known as an attempt at "security through obscurity". STO of course is no security at all. I could have accepted it if BW simply said something along the lines of "it's needed for some reorganisation of IT/security systems", but the claim of this change increasing security is counter-productive in my opinion, as it conveys a false sense of security.

 

If you really want to improve security, think along the lines of PKI. Have people generate their private/public keys, with the private key being protected by a strong passphrase. Offer some GUI for this purpose. Then encrypt the traffic between the user's machine and the game servers. Of course this takes a toll on convenience and performance, but this is the price usually paid for security. And even such a system is not 100% secure.

 

But please, don't claim 'more security' where in truth there isn't.

 

Best regards,

- Iaitanto


I don't mind being asked at all! I can only apologize for the delay, and can assure you that we are working on this. I don't have an actual date for when we can get the key-fobs available for purchase again. I can say that even today I had various emails specifically on this topic with the teams in Europe that control the EU side of the Origin store, and therefore the availability of the key-fobs themselves.

I really do want everybody to have a Security Key or at least the choice on if they want to get one - this has been a hot topic with me (as many people internally know) ever since we had to take the key-fobs off the store last year.

 

Once again... a BIG thanx to you Phillip_BW, for trying to answer all our questions. You are a true Master of Patience. ;)

 

Just let me ask one last question on Security Keys, and then I'll let you off the hook. Is there a Security Key app in the works for Windows phones? And if so, when might it be released? Cause I wouldn't mind following your advice and using a Security Key, preferably a physical key, but I can use an app until then.

 

And once again thanx for trying to explain all this to us security laymen... :D

Cause... no matter how secure a target is, the user is always the weakest link.


Your user name has been visible from the minute you first posted to the forums and you had to have known that the first time you posted to the forums. If you're that upset about your user name being public, why post to the forums?

 

Actually, no, I created the account at game release in 2011 and AT THAT TIME my username (= my email) was not visible to any of you, so I went ahead and created a forum title and started posting. I even had the option to change my forum name (Merouk) to whatever I wanted, any time I wanted, and it was just a forum name. I didn't choose it with the understanding that it was going to be part of the logon security.

 

I did choose the email address specifically for logon security.

 

When they went F2P, without notifying anyone, they enabled the forum handle to be used for logging into the game. I didn't realize it or I would have complained about it then. Suddenly the forum handle became fixed / unchangeable, and they gave us the option to change email addresses. Except they didn't notify anyone that they were going to do that.

 

So, NO, they pulled a bait-and-switch, and now I have NO OPTIONS to keep my login hidden like my email was. I am frustrated.

 

Why continue to post? I usually post newbie help or tech support answers; I can certainly stop doing it. Also stop sending bug reports, because, FU EA/Bioware, why continue to try to be helpful when you make it frustrating and dangerous.

Edited by Merouk

Actually, no, I created the account at game release in 2011 and AT THAT TIME my username (= my email) was not visible to any of you, so I went ahead and created a forum title and started posting. I even had the option to change my forum name (Merouk) to whatever I wanted, any time I wanted, and it was just a forum name. I didn't choose it with the understanding that it was going to be part of the logon security.

 

I did choose the email address specifically for logon security.

 

When they went F2P, without notifying anyone, they enabled the forum handle to be used for logging into the game. I didn't realize it or I would have complained about it then. Suddenly the forum handle became fixed / unchangeable, and they gave us the option to change email addresses. Except they didn't notify anyone that they were going to do that.

 

So, NO, they pulled a bait-and-switch, and now I have NO OPTIONS to keep my login hidden like my email was. I am frustrated.

 

Why continue to post? I usually post newbie help or tech support answers; I can certainly stop doing it. Also stop sending bug reports, because, FU EA/Bioware, why continue to try to be helpful when you make it frustrating and dangerous.

 

 

 

OK. I'm not going to do the research but I'll agree with your timeline.

 

But still, after having read Phillip-BW's latest dissertation, what exactly is the harm of someone knowing your user name? In order to log into your account, they still need:

 

1) Your password

2) Your authenticator's code, if you've done the smart thing and associated one to your account

3) If you have no authenticator and they're at an IP you haven't used, the answer to one of your security questions

 

I thought as you do right up to the point I read Phillip_BW's post. Things are going to be even MORE secure because of other things they're doing behind the scenes with this change, which, of course, they cannot tell us the intricate details of because that would compromise their plans, right? Plus, it looks like things are going to be even more self-servicy once Phillip_BW gets all his ducks nicely lined up so that's yet another benefit.

 

And the only downside is... someone may not have to guess your user ID but they still have to guess your password and crack your authenticator or guess a security question's answer.

 

Go ahead. Log in as me and transfer all my credits to one of your characters then delete all of mine. My user ID is DarthTHC.


Well, nice with the display name thingy... but the thing I would love is a real ID so you don't need to add like a million names cause your friends have a lot of alts and stuff ;)

 

Not RealID. How about something like this:

 

If you ignore a character, then all of that account's characters are ignored on all of your account's characters. You ignore for player behavior; not character behavior.

 

If you friend a character, you get an option to ask to friend all that account's characters. If you choose to do that, the other player gets a chance to confirm or deny that request. If it's confirmed, all that player's characters are friended on all of yours.


I'm not going to try to hack you; I'm not a hacker and I'm not a malicious person.

 

They took away (some of) my control over my login process. They're doing all these wonderful things on their end (which they're not disclosing, only promising), and they're taking away my options that I can do on my end at the same time. If you trust them, it's awesome; if you don't trust them, it sucks. You seem to trust them based on 2 posts by their security guy. I don't trust them to do things right based on about a year of seeing and interacting with them (specifically, with their customer support / QA departments, bugs, and issues).

 

In any case, I DO NOT LIKE LOSING CONTROL that I had before.

Edited by Merouk

As it is sure to come up, let us be clear that Security Questions and Answers (SQA's) are not truly two-factor. It's the first factor applied twice, so leaves us in a hybrid/grey area which counter-intuitively is actually very secure. Just not as secure as a true two-factor system.

I'll butt in here and note that "security questions" are usually not very secure at all, and in many cases may even provide negative security.

 

In SW:TOR's case the available questions are predetermined, and most of them are bad. A majority are of the format "what's your favorite <thing>", which is basically useless since such favorites may change over time, and some people may not even have strong favorites. Many others concern aspects of personal life and are fairly easy to find out by social engineering, especially if the person actively uses social media. There's a single genuinely good question: library card number. That's something that won't ever come up in a casual conversation.

 

The really bad implementations allow password resets based on a security question alone, without email verification. This means that a potential attacker only needs to learn the answer to the security question, which is vastly easier than figuring out the password or gaining access to an email account. Effectively, the security question becomes an alternative, really weak password.

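The two recovery policies the post above contrasts, side by side, as an added Python example that is not code from the thread or from SWTOR's systems. The Account class, the in-memory "outbox" standing in for the mail system, and sha256 standing in for a real password hash are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed example, not SWTOR's recovery system. sha256 stands in for a
# proper slow password hash; the point here is the reset policy, not the KDF.
def _h(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()

def _norm(answer: str) -> str:
    # Security answers are compared case-insensitively and trimmed.
    return answer.strip().lower()

class Account:
    def __init__(self, email: str, password: str, sq_answer: str):
        self.email = email
        self.pw_hash = _h(password)
        self.sq_hash = _h(_norm(sq_answer))
        self.reset_token_hash = None   # set only while a reset is pending

def check_password(acct: Account, password: str) -> bool:
    return hmac.compare_digest(acct.pw_hash, _h(password))

def weak_reset(acct: Account, sq_answer: str, new_password: str) -> bool:
    """The bad implementation: the security answer alone authorizes a reset,
    so it is effectively a second, much weaker password."""
    if not hmac.compare_digest(acct.sq_hash, _h(_norm(sq_answer))):
        return False
    acct.pw_hash = _h(new_password)
    return True

def request_reset(acct: Account, outbox: list) -> None:
    """Hardened step 1: mint a single-use token, keep only its hash server-side,
    and deliver the token to the registered email (outbox stands in for mail)."""
    token = secrets.token_urlsafe(32)
    acct.reset_token_hash = _h(token)
    outbox.append((acct.email, token))

def hardened_reset(acct: Account, token: str, sq_answer: str,
                   new_password: str) -> bool:
    """Hardened step 2: the emailed token AND the answer are both required, and
    the token is consumed on any attempt, so learning the answer is not enough."""
    if acct.reset_token_hash is None:
        return False
    token_ok = hmac.compare_digest(acct.reset_token_hash, _h(token))
    sq_ok = hmac.compare_digest(acct.sq_hash, _h(_norm(sq_answer)))
    acct.reset_token_hash = None       # single use, success or not
    if not (token_ok and sq_ok):
        return False
    acct.pw_hash = _h(new_password)
    return True
```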

you'd better resolve the known bugs and the latency issues rather than going around with this bs. I think you are mocking us and this is the last problem you should handle, there will be more problems with people who won't be able to log in in the end. :mad:

Just wanted to say massive respect for you actually taking time to answer us ^_^

 

Also, I really don't like the change. Not because I feel my security will be harmed in any way (try finding out MY password lol) but more that I'll be confronted with this name that I picked at 4am in the morning and I really really REALLY regret haha xD


you'd better resolve the known bugs and the latency issues rather than going around with this bs. I think you are mocking us and this is the last problem you should handle, there will be more problems with people who won't be able to log in in the end. :mad:

 

Security and developers are 2 different departments. They're capable of working independently of each other ;)

It's not like the guy can fix bugs in game code :p (ok maybe he could but still)


Are you incompetent EA? Well don't answer that we already know the answer. Why would I want people to know half of my login information? Take a lesson from steam already.

 

LULZ. You're not reading Phillip_BW's posts, are you?

 

Incompetent? He seems extraordinarily competent!


I'm not going to try to hack you; I'm not a hacker and I'm not a malicious person.

 

They took away (some of) my control over my login process. They're doing all these wonderful things on their end (which they're not disclosing, only promising), and they're taking away my options that I can do on my end at the same time. If you trust them, it's awesome; if you don't trust them, it sucks. You seem to trust them based on 2 posts by their security guy. I don't trust them to do things right based on about a year of seeing and interacting with them (specifically, with their customer support / QA departments, bugs, and issues).

 

In any case, I DO NOT LIKE LOSING CONTROL that I had before.

 

You had no control before. Well, you had no control from the moment f2p started.

 

For most professional institutions you also have no control. My login ID for my employer was given to me by my employer. I frequently get login IDs from customers, and those are given to me by those customers. Everyone at all those organizations knows my login ID, just by looking me up in their mail system.

 

In general, I do not trust EA to "do the right thing". If you check out my post history, you will find that I call them out quite frequently when I believe they're doing boneheaded crap.

 

However, after reading Phillip_BW's posts, I absolutely believe he's a highly competent professional in the field of network security and if his system is a reflection of his competence, it will be even more secure than it is now.

 

As to how secure it is now, when's the last time you heard of a SWTOR account being hacked? Let's contrast that to the last time you heard of a WoW or Rift account being hacked.

 

And it's going to get more secure with the changes Phillip_BW is describing...


you'd better resolve the known bugs and the latency issues rather than going around with this bs. I think you are mocking us and this is the last problem you should handle, there will be more problems with people who won't be able to log in in the end. :mad:

 

Really? This argument again? I mean don't get me wrong, I love the classics, but can we stop using this obviously dumb retort. The Content Team is a different team than the Security Team, is a different team than the Network Team, is a different team than the Database Team, is a different... see where this is going? Why would you put one team's work on hold while another does stuff? That's just asinine.


you'd better resolve the known bugs and the latency issues rather than going around with this bs. I think you are mocking us and this is the last problem you should handle, there will be more problems with people who won't be able to log in in the end. :mad:

 

Wait... you want EA to fix a problem that's between your house and your ISP? :rolleyes:

 

What does this site: http://www.speedtest.net/ tell you about your connection? What does it tell you about your connection if you alt-f4 out of SWTOR when you experience "latency" and run it right away? Anyone in your house downloading movies or music or doing anything else big on your internet at the time of your latency?

Edited by DarthTHC

I have that on my list of things to look at already. That is a much harder challenge to change though as Display Name is also a unique reference, and changing the unique reference can create a ton of data inconsistencies. Technically possible, but not technically easy to accomplish. I wouldn't hold your breath on this one.

Why would you want to design your system to rely on a display name as a unique key rather than using some id? Haven't you guys thought of things like the ability to change that at some point? I have worked as a software developer for almost a decade now and in every project I've been on this was just common sense...

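The surrogate-key design the developer is arguing for, as an added example that is not code from the thread or from BioWare: an assumed sqlite3 schema in which a numeric account_id owns the account, display_name stays unique (case-insensitively) but is updatable, and posts reference the id, so a rename touches one row and the old name simply stops resolving as a login identifier.

```python
import sqlite3

# Constructed schema for illustration, not SWTOR's real database layout.
# account_id is the stable key; email and display_name are both login
# identifiers (public, not secrets) and may change without breaking references.
SCHEMA = """
CREATE TABLE account (
    account_id   INTEGER PRIMARY KEY,
    email        TEXT NOT NULL UNIQUE,
    display_name TEXT NOT NULL UNIQUE COLLATE NOCASE,
    pw_hash      TEXT NOT NULL
);
CREATE TABLE forum_post (
    post_id    INTEGER PRIMARY KEY,
    account_id INTEGER NOT NULL REFERENCES account(account_id),
    body       TEXT NOT NULL
);
"""

def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn

def create_account(conn, email: str, display_name: str, pw_hash: str) -> int:
    cur = conn.execute(
        "INSERT INTO account (email, display_name, pw_hash) VALUES (?, ?, ?)",
        (email, display_name, pw_hash))
    return cur.lastrowid

def add_post(conn, account_id: int, body: str) -> None:
    # Posts point at the id, never at the (changeable) display name.
    conn.execute("INSERT INTO forum_post (account_id, body) VALUES (?, ?)",
                 (account_id, body))

def rename_display(conn, account_id: int, new_name: str) -> bool:
    """Change the public handle; the UNIQUE constraint rejects a taken name."""
    try:
        conn.execute("UPDATE account SET display_name = ? WHERE account_id = ?",
                     (new_name, account_id))
    except sqlite3.IntegrityError:
        return False
    return True

def lookup_login(conn, identifier: str):
    """Resolve whatever the user typed (email or display name) to an account_id.
    This only identifies the account; authentication is a separate step."""
    row = conn.execute(
        "SELECT account_id FROM account WHERE email = ? OR display_name = ?",
        (identifier, identifier)).fetchone()
    return row[0] if row else None

def posts_by(conn, account_id: int) -> list:
    return [r[0] for r in conn.execute(
        "SELECT body FROM forum_post WHERE account_id = ? ORDER BY post_id",
        (account_id,))]
```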

Why would you want to design your system to rely on a display name as a unique key rather than using some id? Haven't you guys thought of things like the ability to change that at some point? I have worked as a software developer for almost a decade now and in every project I've been on this was just common sense...

 

Display name has to be a unique reference. If there were multiple DarthTHC's or GizmoBill's posting on the forums, imagine the havoc it would wreak!

Edited by DarthTHC

My display name is the same as my Legacy name because I didn't know it was supposed to be private. This is, once again, a completely dumb move by EA. WoW has been doing this for waaaay longer than SWTOR and the fact that they still use e-mail is a dead giveaway. E-mail address is the safe and secure answer. So if I forget my p-word are they gonna send it to my swtor.com account that I can't access w/o my p-word or my e-mail? This just proves they have no idea what they are doing.

My display name is the same as my Legacy name because I didn't know it was supposed to be private. This is, once again, a completely dumb move by EA. WoW has been doing this for waaaay longer than SWTOR and the fact that they still use e-mail is a dead giveaway. E-mail address is the safe and secure answer. So if I forget my p-word are they gonna send it to my swtor.com account that I can't access w/o my p-word or my e-mail? This just proves they have no idea what they are doing.

 

All that statement proves is you haven't been reading Phillip_BW's posts.

 

Try this: http://www.swtor.com/community/devtracker.php

 

Also, if you're using WoW as the benchmark for account security, please compare and contrast the number of WoW accounts that have been compromised with the number of SWTOR accounts that have.

Edited by DarthTHC
