How to make login more secure

e-lite (Moderator)
Joined: Feb 7, 2005 | Posts: 5,221 | Location: Sweden | Society: Magnum Opus | Avatar Name: Xaero e-lite Cynque
Good morning everyone.

Well, we all know about the recent and increasing number of "hacked accounts". The problem here isn't that the accounts were "hacked". It happens simply because the victim's PC is infected with a trojan keylogger that sends the user's login name and password to the "hacker". I think this is the most common scenario. Then there can be other reasons; the list is endless.

One of the best solutions is to get yourself a gold card. But there are still things that MindArk can do to both add security to the login procedure and increase security for those who do not have a gold card. The feature I have come up with will work as follows:

MindArk announces the new feature, and everyone has to log in to the client loader and activate the settings under user preferences.

Under user preferences the user must now choose a "keyword" from a static list of perhaps 50-100 words. The user must also choose a "color" from a static list of 20-30 colors.

The "keyword" and "color" that the user selected will now be associated with his/her username and password, and will be relative to it. (This will require MA to add two more columns to the user database.)

From now on the user has to pick the keyword and the color from the pop-up menus in the client loader every time he/she wants to log in. The pop-up menus will show the same static list, but in a random sequence every time. (See screenshot.) If the user has chosen "yellow" and "Fungoid", his/her username and password will only work when "Fungoid" and "Yellow" are selected.

This feature adds security even if the user's PC is infected with a keylogger or trojan, simply because selecting the keyword and color is almost impossible to "keylog". So the hacker might be able to get the username and password, but he still has no clue what the keyword and the color are.

 
That sounds like a very good idea.

Shouldn't be too much work for MA either. Only question is if MA will do anything like this, since it might lead to fewer sales of the Gold Card.

I really think MA should have done something like this, to prove that they have focus on security.
 
I hope that list of 50-100 alternative keywords is generated anew each time. Also, each avatar should be sent a message about the new MA generated email address, which is for their account management only :)
 
Yeah, and implement GC for logging in to "My Section" on the website. Don't want any looney depositing my salary for me ;-p
 
Nice suggestion there E-lite, I like it very much. Wonder what MA will say about it?

Yes, I should buy a gold card and probably will soon; the reason (for me anyway) is, if you don't have a lot of PEDs, you easily use them for other things instead...

Rapido
 
very good idea, would be nice if something like this was made :)

+rep for a nice idea and good explanation :)

edit I must spread some before giving it again :laugh:
 
Great idea... Alternatively, a method online banks use is quite a good one too:

When you create your account, type in a word or phrase between 10 and 15 characters long. When you log in each time, the login process asks you for 3 random characters from this phrase, which you select from listboxes.

So for example, if your memorable word was "Cornundacuda", it might ask you for letters 3, 9 and 11 of this phrase (r, c and d). This is a very simple way to reduce the effectiveness of keyloggers... this could also be applied to the login for the website too (an area which isn't protected even if you have a gold card!).

Anyways, +reps for the idea!
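The partial-password challenge Moser describes, written out as an added example (not code from the post or from any bank's system): the server picks three random positions of the stored memorable phrase, checks the three submitted characters in constant time, and a small simulation counts how many positions an observer who records successful logins would accumulate, which is the residual risk a defender would want to quantify. The phrase is Moser's own example; function names such as issue_challenge and leak_curve are assumptions for the demo.

```python
import hmac
import random
import secrets

# Constructed demo phrase, taken from Moser's example above. A real server would
# not keep the phrase in source or in clear text.
PHRASE = "Cornundacuda"


def issue_challenge(phrase_len: int, k: int = 3, rng=None) -> list[int]:
    """Pick k distinct 1-based positions with a CSPRNG; sorted so the user
    reads them in order (e.g. 'letters 3, 9 and 11')."""
    if not 10 <= phrase_len <= 15:
        raise ValueError("memorable phrase must be 10-15 characters")
    rng = rng or secrets.SystemRandom()
    return sorted(rng.sample(range(1, phrase_len + 1), k))


def expected_answer(phrase: str, positions: list[int]) -> str:
    """The characters the user is expected to select for these positions."""
    return "".join(phrase[p - 1] for p in positions)


def verify_response(phrase: str, positions: list[int], response: str) -> bool:
    """Constant-time comparison of the submitted characters with the phrase."""
    want = expected_answer(phrase, positions).encode()
    got = response.encode()
    return len(got) == len(want) and hmac.compare_digest(want, got)


def positions_revealed(phrase_len: int, observed_logins: int, k: int = 3, rng=None) -> int:
    """Residual-risk check: an observer who records the (positions, characters)
    pairs of `observed_logins` successful logins learns this many distinct
    positions of the phrase."""
    rng = rng or secrets.SystemRandom()
    seen: set[int] = set()
    for _ in range(observed_logins):
        seen.update(issue_challenge(phrase_len, k, rng))
    return len(seen)


def leak_curve(phrase_len: int, max_logins: int, seed: int = 1, k: int = 3) -> list[int]:
    """Seeded (reproducible) version of positions_revealed for 1..max_logins.
    With 3 of 12 characters per login the whole phrase leaks after a handful
    of observed logins, so the scheme slows a keylogger down rather than
    defeating it."""
    rng = random.Random(seed)  # seeded PRNG for the simulation only, never for real challenges
    seen: set[int] = set()
    curve: list[int] = []
    for _ in range(max_logins):
        seen.update(issue_challenge(phrase_len, k, rng))
        curve.append(len(seen))
    return curve


if __name__ == "__main__":
    challenge = issue_challenge(len(PHRASE))
    print("enter letters", challenge, "->", expected_answer(PHRASE, challenge))
    print("positions leaked per observed login:", leak_curve(len(PHRASE), 10))
```

The comparison goes through hmac.compare_digest so that a wrong first character fails no faster than a wrong last one; the leak curve is the number to look at when deciding how long the memorable phrase must be for a given login frequency.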
 
Good idea. Another option would be a picture with numbers and letters popping up, and you needing to write them in to log in.
 
Good idea. Even simpler is how online banking is done. You have to "human-read" some graphically manipulated digits and "click" them in via a pop-up keypad (not typing them; keyloggers!).

Advantage for MA: no change of the database needed, just some more code for the authentication process...

Explanation: the digits are generated randomly and don't need any relationship to the account. It's a picture to prevent them being read from the screen via the Windows API... even OCR software can't read this properly.

Jac

EDIT: damned, Moser was quicker... lol
 
Jac said:
Explanation: the digits are generated randomly and don't need any relationship to the account. It's a picture to prevent them being read from the screen via the Windows API... even OCR software can't read this properly.

Excuse me if I'm being dense, but I don't think I get how this will protect accounts from hackers -- isn't this simply a bot-prevention? If the numbers are not related to the account, then can't the hacker simply type them in when challenged?

This is my understanding of what you just said:

Player logs in as normal with usual account name and password. Player is then prompted to input a number sequence generated within a bitmap.

Surely anybody who logs in will get a randomly generated number? I don't see how this is related to the user to increase security, simply to stop some sort of login automation!

Again, it's early and my brain hasn't started working properly yet :)
 
Good idea E-lite, +rep for that :)
 
KapokWu said:
I hope that list of 50-100 alternative keywords is generated anew each time. Also, each avatar should be sent a message about the new MA generated email address, which is for their account management only :)

No, actually the list with keywords and colors is the same for everyone, but in addition to your username and password it will be "unique". Think about how many combinations you can do with "yellow". You will have yellow*keyword(100)+username+password, red*keyword(100)+username+password and so on. The possible combinations will be more or less unlimited. That is why there "only" has to be a static list with 50-100 keywords and colors for everyone.

Also this is not to replace the Gold Card, it is to give additional security even if you have one, but also to protect the ones that do not have one.
 
Noggin said:
Again, it's early and my brain hasn't started working properly yet :)

:) Hehe, I had my first can of tea already... so the brain now gets started. Hm, but you are right, this usually prevents being hacked by bots.

But then we can make it easier (but less secure!) than e-lite's version with dangerous yellow fungoids ;). Just set up a virtual keyboard for login, and then the user has to click in the password.... not typing it.

Jac
 
Very good idea.

I don't know if it's right to do this, as it may give shady people an insight into how they work, but I really would like to know how the gold card actually works. What makes it so that your avi can't be hacked?? :confused: Of course I trust everyone saying "oh, you gotta buy a gold card", I will get one no question, but I would like to judge for myself how secure it's gonna be. I mean, how does it work for the game but not for the site? What is involved in logging onto the game with a gold card? Is there a code you need to type in? I don't think so, as a keylogger would catch that as easily as your username. Perhaps someone should PM me if nobody feels comfortable divulging such info. It's beyond me (right now) how a plastic card stops an account getting hacked :S

But yeah, good idea e-lite, +rep if I can give you it; I know I already gave you some for the TeamSpeak thing.
 
a snag?

Actually, I've just thought of a possible snag.

OK, say someone w/o a gold card obviously gets their username and password "found out" by a trojan (or whatever), and then a hacker gets hold of it. I'm no expert (yet ;)) but wouldn't they be able to make a program that automatically inputs the user and pass, and then repeatedly goes through each possible combination until it gets let in? I'd expect that to be pretty easy to make; I myself have done it with a physical combination lock, when I forgot my number: it only had 3 different numbers, so I got through it pretty quick. 4 is doable, but when we're talking computer programs time is nothing, and is only measured by the speed of the internet connection. Hell, the hacker doesn't care, he could wait for a week as long as the loot's good enough, let's face it. I may be wrong though; it still could work, as long as there is a minimum number of times you are allowed to enter your combination of user+pass+colour+keyword.

zammy
 
andyzammy said:
Actually, I've just thought of a possible snag.

OK, say someone w/o a gold card obviously gets their username and password "found out" by a trojan (or whatever), and then a hacker gets hold of it. I'm no expert (yet ;)) but wouldn't they be able to make a program that automatically inputs the user and pass, and then repeatedly goes through each possible combination until it gets let in? I'd expect that to be pretty easy to make; I myself have done it with a physical combination lock, when I forgot my number: it only had 3 different numbers, so I got through it pretty quick. 4 is doable, but when we're talking computer programs time is nothing, and is only measured by the speed of the internet connection. Hell, the hacker doesn't care, he could wait for a week as long as the loot's good enough, let's face it. I may be wrong though; it still could work, as long as there is a minimum number of times you are allowed to enter your combination of user+pass+colour+keyword.

zammy

Yes, that can be done; it's called "brute force". But when authentication fails 3 times in a row your account is blocked for an hour, so it would take an enormous amount of time since you could only test 3 combinations per hour.
 
1. Good idea, but the list should have static content in a random sequence. A key/mouse logger can save clicks and window state and replay them.

2. Another idea. Ages ago when I had dial-up, my ISP had a white list of numbers, and it closed any issues with most hacker technologies.
I propose to make an IP mask a user preference:
- hard constraint: do not allow any other
- soft constraint: allow any attempt but inform by mail of wrong IPs
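The two server-side controls discussed in this part of the thread, e-lite's "3 failures in a row blocks the account for an hour" and Wot's per-user IP mask with a hard or soft constraint, combined into one login-decision function as an added example (not MindArk's code; the thread does not say how the real lockout is implemented). The Account and Decision records, the reason strings and the sample networks are assumptions for the demo. The two helper functions at the end put numbers on zammy's brute-force question under the stated lockout rule.

```python
import ipaddress
import math
from dataclasses import dataclass, field

LOCK_THRESHOLD = 3      # consecutive failures before lockout (e-lite's figure)
LOCK_SECONDS = 3600     # lockout duration: one hour


@dataclass
class Account:
    """Server-side record: the user's IP-mask preference plus lockout state."""
    allowed_nets: list[str] = field(default_factory=list)  # e.g. ["192.0.2.0/24"]
    ip_mode: str = "off"      # "off" | "soft" (allow but notify) | "hard" (deny)
    failures: int = 0
    locked_until: float = 0.0


@dataclass
class Decision:
    allowed: bool
    reason: str          # for the server log; the client should only see pass/fail
    notify_user: bool = False


def ip_permitted(acct: Account, ip: str) -> bool:
    """True if the source address falls inside any of the user's allowed masks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in acct.allowed_nets)


def attempt_login(acct: Account, ip: str, credentials_ok: bool, now: float) -> Decision:
    """Apply the lockout, then the IP preference, then the credential result."""
    if now < acct.locked_until:
        # While locked nothing is checked, so a guess learns nothing.
        return Decision(False, "locked")
    if acct.ip_mode == "hard" and not ip_permitted(acct, ip):
        # A rejected source address is not a credential guess, so it does not
        # count towards the lockout (otherwise anyone could lock the owner out).
        return Decision(False, "ip_not_allowed")
    if not credentials_ok:
        acct.failures += 1
        if acct.failures >= LOCK_THRESHOLD:
            acct.failures = 0
            acct.locked_until = now + LOCK_SECONDS
            return Decision(False, "locked")
        return Decision(False, "bad_credentials")
    acct.failures = 0
    unknown_ip = acct.ip_mode == "soft" and not ip_permitted(acct, ip)
    return Decision(True, "ok", notify_user=unknown_ip)


def guesses_possible(seconds: int) -> int:
    """Upper bound on guesses at the keyword/colour pair that an attacker who
    already has the username and password can make within `seconds`:
    LOCK_THRESHOLD per lockout period."""
    return LOCK_THRESHOLD * math.ceil(seconds / LOCK_SECONDS)


def hours_to_exhaust(space: int) -> int:
    """Hours needed to try every keyword/colour combination under this lockout."""
    return math.ceil(space / LOCK_THRESHOLD)


if __name__ == "__main__":
    acct = Account(allowed_nets=["192.0.2.0/24"], ip_mode="soft")   # constructed sample
    print(attempt_login(acct, "198.51.100.7", True, now=0.0))       # allowed, notify
    print("guesses per day:", guesses_possible(86400))
    print("hours to exhaust 100 keywords x 25 colours:", hours_to_exhaust(100 * 25))
```

Two design points worth noting: the order of checks matters (a locked account reveals nothing, and a hard IP rejection does not consume a failure), and a lockout keyed on the account alone lets anyone who knows a username lock the real owner out for an hour, so production systems pair it with per-source throttling and give the client only a generic failure message.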
 
e-lite said:
But when authentication fails 3 times in a row your account is blocked for an hour, so it would take an enormous amount of time since you could only test 3 combinations per hour.

Ah right, though I could've sworn that once I just couldn't type for like 5 minutes (I think I could've been drunk :p) but I think it "tried" more than three times. Ah well, I must've beaten the computer into submission :p
 
I've been thinking of something that looks like a combination lock, with 6 or 8 numbers. When I saw Zammy mention the lock, I remembered the old idea... :D It can change the values with controls, and not be typed in. Every number has its own control, one to increase and one to decrease, but with no end, so you can decrease a couple of loops if you want, for example. You get a random new combination every time you start the CL up, just so a "logger" can't register how many increases or decreases you do at every number.
 
Wot said:
1. Good idea, but the list should have static content in a random sequence. A key/mouse logger can save clicks and window state and replay them.

2. Another idea. Ages ago when I had dial-up, my ISP had a white list of numbers, and it closed any issues with most hacker technologies.
I propose to make an IP mask a user preference:
- hard constraint: do not allow any other
- soft constraint: allow any attempt but inform by mail of wrong IPs

Right, very smart. Static content, but random sequence. I will add that, it's very good!
 
I use this thing to log on to some credit control program I use.

To log in, I have to press an 8-digit code on the panel, and the numbers on the panel are randomly located. Same code but different places every time.

Since it's used by those kinds of companies, I guess it's safe.

Might be a bit of work for MA to change the whole login thing though.
Still like your idea E-lite :)
 
I like Oye's design. But I am not especially fond of accounts and passwords at all, and would be happy to see user verification outsourced.

We already have a problem within the unofficial player community. There are two forums, several services (starting from PE Ranking and such...). They all could use a simple user verification server, which logs us in (not into the game, but to these secondary sites).

And the game sites themselves could have verification outsourced. I would log in with the same account to Wxx, Eyy Yyyyyy, Tzz Zzzz zz zzz Zzzzzzz and so on. I just put a new part on my bike and thought how big a pain it must have been to develop those few universal nuts and bolts standards... :laugh:

Edit: added the right starting letters of the games.
 
andyzammy said:
but I really would like to know how the gold card actually works.

Well... here goes!

The Gold Card system is based upon a public key algorithm system, in theory very secure.

The EU servers have a secret unique key (most likely a 128 or 256 bit code specific to MA) which is combined with an algorithm encompassing the ID of each card given out.

There is a public key programmed into each of the smartcards, which combined with the individual ID of each smartcard will generate a 6-digit number each time it is used.

This 6-digit number is then entered by the user after their username and password. This authenticates with the server, and the server increments the number of logons by one digit.

If all information is correct (I think the generated codes can be offset by up to 3 attempts) then the user will be allowed to log on.

The security in this method comes from:

a) Nobody but the inner sanctum of MA staff knows the private key
b) Nobody in MA (most likely) knows the algorithm
c) The algorithm should be complex enough to be almost impossible to decipher without full knowledge of the private key, and access to hundreds of millions of logon attempts
d) Using this in combination with the general usernames and passwords means an additional level of security.

So, you can see that the likelihood of somebody being able to hack your account is almost nil, even if they did have access to the private key. With a 256-bit private key and a 128-bit public key, the number of possibilities is about 1.8^308 (a shitload). To put this into context, a high-powered desktop would take approximately 160 years to decipher the code, given an unlimited number of attempts on the server! :eek:

Apologies for the nerd speak, but I hope that goes some way to explaining how the system works.
 
Noggin said:
Well... here goes! The Gold Card system is based upon a public key algorithm system, in theory very secure. [...]

Must admit, that's damn hard to understand...

Noggin said:
There is a public key programmed into each of the smartcards, which combined with the individual ID of each smartcard will generate a 6-digit number each time it is used.

This 6-digit number is then entered by the user after their username and password.

OK, I assume this 6-digit number is different each time it's used?? Otherwise, if the same number is always entered, couldn't it be keylogged? And then couldn't the account be accessed from his own computer? I still fail to see the security. :S
Also, you call it a smart card (which I've always assumed it was too). But wouldn't that mean you'd have to "use it", i.e. swipe it on a card reader? And then perhaps the card reader gives a randomly generated 6-digit number to enter on login. I could see how that would work, but no other way...
 
Noggin said:
Well... here goes! The Gold Card system is based upon a public key algorithm system, in theory very secure. [...]

I think this sums up why MA will not implement E-Lite's idea, even if it is a fantastic idea. They make money on the gold cards; why would they implement something this easy to implement, that provides very good security, that takes money out of their pocket? They won't.

The gold card is very secure. Someone would have to break into your house, steal your card or at least use your card while there, to be able to circumvent it. Most people aren't going to take that risk. That turns it into hacking, burglary and theft. All felonies in the U.S.

Great explanation Noggin and great idea E-Lite. +rep to both of you.

DarkMatter
 
Well, I admire your attempt to address the problem of hacking, and on the surface it seems a reasonable idea. At the same time I'm surprised that no one else has pointed out that it is hopelessly flawed.

The flaw is based on this misconception:

e-lite said:
This feature adds security even if the user's PC is infected with a keylogger or trojan, simply because selecting the keyword and color is almost impossible to "keylog". So the hacker might be able to get the username and password, but he still has no clue what the keyword and the color are.

Put simply, if I have a trojan that can log keystrokes, I can just as easily monitor just about anything else on your system. I could intercept the signal to the server or I can read the screen buffer to know what you selected.

The problem is that as soon as you use static data in a system it can be captured and reused by anyone else. The GC works because it's one-time use.

Sorry.

@ Zammy, you can't use random either, otherwise the server wouldn't know that it is valid. You use a complex maths algorithm that is simple but insanely hard to crack. Check out the RSA website; they have loads on how their algorithms work, I don't fully understand it myself.

@ DarkMatter, given the cost of RSA tags, I'd say that the GC is not a source of revenue.
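Noggin's description of a card that produces a fresh six-digit code on every press, with the server tolerating a few skipped presses, and aridash's point that the Gold Card resists capture because each code is one-time use, can both be illustrated with a counter-based one-time password. The block below is an added example, not MindArk's or the Gold Card's actual algorithm (the thread does not establish what that is); it assumes HOTP from RFC 4226 as the stand-in, uses the RFC's published test secret as constructed demo data, and the Card and ServerRecord names are invented for the demo.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class Card:
    """The token side: holds the shared secret and its own press counter."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class ServerRecord:
    """The server side for one card: same secret, next expected counter, and a
    look-ahead window for presses that never reached the server (the 'offset
    by up to 3 attempts' Noggin mentions)."""

    def __init__(self, secret: bytes, window: int = 3):
        self.secret = secret
        self.counter = 0
        self.window = window

    def verify(self, code: str) -> bool:
        matched = None
        # Check every counter in the window without an early exit, so timing
        # does not reveal which one matched; constant-time compare on each.
        for c in range(self.counter, self.counter + self.window + 1):
            if hmac.compare_digest(hotp(self.secret, c), code) and matched is None:
                matched = c
        if matched is None:
            return False
        # Move past the accepted counter: a captured code cannot be replayed.
        self.counter = matched + 1
        return True


def replay_demo() -> tuple[bool, bool]:
    """Constructed scenario: the user logs in with a code that a keylogger also
    captured; the attacker then submits the same code. Returns (user, attacker)."""
    secret = b"12345678901234567890"   # RFC 4226 test secret, demo data only
    card, server = Card(secret), ServerRecord(secret)
    captured = card.press()
    return server.verify(captured), server.verify(captured)


if __name__ == "__main__":
    print("user accepted, replay accepted:", replay_demo())   # (True, False)
```

The secret never leaves the card or the server, so what a keylogger sees is only the six digits, and the counter advance on the server is what makes those digits worthless a second later; the window keeps the card usable after a few presses that were not submitted, but anything beyond it is rejected, so an attacker cannot mint codes far ahead either.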
 
aridash said:
Well, I admire your attempt to address the problem of hacking, and on the surface it seems a reasonable idea. At the same time I'm surprised that no one else has pointed out that it is hopelessly flawed.

The flaw is based on this misconception:

Put simply, if I have a trojan that can log keystrokes, I can just as easily monitor just about anything else on your system. I could intercept the signal to the server or I can read the screen buffer to know what you selected.

The problem is that as soon as you use static data in a system it can be captured and reused by anyone else. The GC works because it's one-time use.

Sorry.

Well yeah, you are correct. But a "keylogger" like the one you describe is very complex, and requires a lot more "hacker" skills to use. But sure, if you want to get hard on it, the gold card can be cracked too. I probably could do it myself if I had the time and equipment to do it. At least my feature is better than nothing, and "nothing" is what we have today. It doesn't make it impossible to hack an account, it simply adds an oh-so-few levels of extra complexity to hack it. Perhaps enough to make it not worth it.
 
Skills? I download an app from H4xx0rs R u$, I set the phone-home address, and put it up on my web site: "look at my cool hunting pic/hunting map/video of dude with light sabre". You download, log in to PE an hour later... pwned.

You don't need skill to be a script kiddie, just the inclination.

The gold card is indeed crackable too. In about 4 years. On a cluster of hundreds.

What's most important is keeping your system clean and trojan-free, for the sake of everything else you use it for too besides PE. :wise:
 
aridash said:
Skills? I download an app from H4xx0rs R u$, I set the phone-home address, and put it up on my web site: "look at my cool hunting pic/hunting map/video of dude with light sabre". You download, log in to PE an hour later... pwned.

You don't need skill to be a script kiddie, just the inclination.

The gold card is indeed crackable too. In about 4 years. On a cluster of hundreds.

What's most important is keeping your system clean and trojan-free, for the sake of everything else you use it for too besides PE. :wise:

Okay, I believe you it is so easy. Please PM me a link to such an easy "keylogger" so I can try it out on my monitoring system.
 