hacking and currency exploitation

Discussion in 'General Discussion' started by Sinuage, Jul 17, 2014.

Thread Status:
Not open for further replies.
  1. Logain

    The only action somebody can take with your username is a brute force attack on the log-in server, and given Chris's joy of statistics, I think we can take it for granted that this is both tracked and would be spotted faster than any serious damage could be done.
    If the database is actually breached, they would gain encrypted passwords and there is a server reset. Annoying, but no real harm done for something that might happen once a decade. Simply use a different salt afterwards; that way you prevent people from abusing the data they gained and force everybody to recover the account via email, which shouldn't be affected.

    I've worked as a volunteer Gamemaster for a commercial MMORPG and I can assure you that there were hundreds of thousands of people claiming to be "hacked". If you'd investigate further, they had downloaded a bot, shared their account information, sold their account, and whatever other stupid thing you can imagine. Not a single case I found was an actual "hack", even though there was the occasional script kiddie.
     
    Derium likes this.
  2. Vorshak

    OK, this must be a misunderstanding on my part then. I haven't been following along in too much detail on their client/server architecture. I just remember reading/hearing about how some scenes/information are hosted and processed on the Portalarium servers, and other things are being hosted/processed on, I think the term is the scene master?? Which is a player machine.

    But like I said, I haven't been following along with the client/server stuff too much, as I deal with those sorts of things at work enough that I tend to avoid it in my free time.

     
  3. Sinuage

    Right on, but as in one of the examples I linked, it was the main site of the game getting hacked. Granted, as I said, they were a terrible company and I'm sure our devs have systems in place/in mind to help combat the plague. I appreciate all of your feedback on this.
     
  4. Derium

    Sure, I'll even use the WoW article to explain:

    "This exploit has already been hotfixed, so it should not be repeatable. It's safe to continue playing and adventuring in major cities and elsewhere in Azeroth," the company said in a statement posted on a WoW forum. "As with any exploit, we are taking this disruptive action very seriously and conducting a thorough investigation."

    Exploit, not a hack.

    Hacking is to remotely enter into someone else's computer. Brute force, SQA guessing, social engineering, exploiting, etc. isn't hacking. People toss the word "hacked" around like crazy. You see people post all the time on Facebook "hacked by your love!!". I seriously doubt their "love" backdoored into Facebook's main server farms, downloaded the information, decrypted it and took the password. No, they either guessed it (brute force), or knew it (social engineering).

    I'm not making the claim that exploits, brute forces, etc. are not TERRIBLE. I'm just saying I do not worry someone is going to hack SoTA. If someone was that good at hacking, they'd target something much more profitable.

    I didn't hear about the other article; it might have been a legitimate hack then (or script kiddie). However, that reminds me: people used to use mods on WoW, then claim they were hacked, when they had simply downloaded a trojan. Anywho, it's all serious, but a company getting hacked doesn't happen often. And when they do, they normally take the steps to correct it. Or stay offline forever... stupid Sony.
     
  5. Derium

    Ask for an authenticator as an option to log in. So even if you make all your passwords the same, and someone actually hacks the website (or gains access to an admin's account), they will know your info. But they cannot log into the game.

    P.S. If your passwords are the same, I'd worry more about your emails than an MMO ;)

    EDIT: in that link it said:
    "The user information obtained during the break in includes log-in e-mail addresses for the official forums and the game itself, along with the encrypted passwords associated with those addresses. No user payment information was compromised, however, as payments are handled by a third party company that operates outside of OP Production's ecosystem."

    So the worst that happened is they got the emails and usernames. Yeah, people might be scared by that. But look at all the big name guys on YouTube that game with their subs. All of their info is shared with a lot of people. But they are not at risk.

    I only have 10,000 YouTube subscribers, and I give out my personal email and game names (some of them have to be the log-in, depending on the game). But the best thing to do? Make your email passwords a seemingly random string of numbers and letters (cannot be brute forced, ever). And make the answers to your SQAs NOTHING to do with the question. Now you're safe from brute force and social engineering. That will eliminate 99% of the "hacks" people commit.
     
  6. Floors

    I think we should have authenticators, but they do add a huge cost.

    Maybe it could be done cheaper via using a mobile app, but again, that is expensive to develop, even if it could be done quickly.
     
    Derium likes this.
  7. jiirc

    Not sure what's involved with creating an authentication app, but SWTOR had an iOS and Android app that acted like a standalone authenticator. It seemed like it was developed as an afterthought. They first produced standalone, hardware authenticators that, if I remember correctly, sold for $5.
     
  8. smack

    No need to create an app. Just use the existing Google Authenticator app and integrate with their API. It's relatively simple to do but the amount of work involved depends on how complicated your own website's authentication procedures are.
     
    Sir Stile Teckel likes this.
  9. Sinuage

    I think an authenticator is a great idea. The Google app would work for me, but is it on the Apple store? (I'm assuming not; do they have something to use?)
     
    Sir Stile Teckel likes this.