
How About a Little More Security With Our Security?

  • Thread starter Connor_Graham

Connor_Graham

Guest
During one of my bi-weekly virus scans yesterday I found a virus had embedded itself in my EA Games file (I'm still going through my history to figure out from where as I haven't been to any sites I haven't been to before). Once I removed the offender, the first thing I did was go to my EA account and change the password. Later on, I realized that I hadn't updated my credit card info to account for the new expiration date on the card I have on record. Once this was done, I'd gone over to my email account and responded to an email I'd received earlier, and found 2 emails from EA that basically said "xxx has been changed". This struck me as strange that a company as large as EA wouldn't have some type of "confirmation required" email. If someone got hold of an account's password, they could change the email to whatever email they wanted to, then the notification would get sent to the new email and not the old. Whoever the account belonged to would never receive any kind of notification, and wouldn't know their account had been hacked until they actually tried to log in. If the security had the check in place that any changes to the email address had to be verified by clicking on a link on the OLD email address, with no changes to the account being accepted until this was done, it would go a long way toward the basic security that most people expect from secure sites.

So how about it EA/Mythic? Can we get a little security with our security?
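
The check proposed in the post above, sketched as an added example (not part of the original post and not EA's actual system): an email change stays pending until a token mailed to the OLD address is presented. `Account`, `request_email_change`, `confirm_email_change`, the in-memory `outbox` and the one-hour lifetime are all hypothetical names and assumptions.

```python
import hashlib, hmac, secrets, time

SERVER_KEY = secrets.token_bytes(32)   # assumption: secret held only by the service
TOKEN_TTL = 3600                       # assumption: confirmation links last one hour


class Account:
    def __init__(self, name, email):
        self.name, self.email = name, email
        self.pending = None            # (new_email, nonce, expires_at) or None
        self.outbox = []               # (recipient, message) pairs; stands in for SMTP


def _sign(account, new_email, nonce, expires_at):
    # Token is bound to the account, the address on file, the requested address
    # and the expiry, so it cannot be replayed for a different change.
    msg = "|".join([account.name, account.email, new_email, nonce, str(expires_at)])
    return hmac.new(SERVER_KEY, msg.encode(), hashlib.sha256).hexdigest()


def request_email_change(account, new_email, now=None):
    """Record the request as pending; the address on file is NOT changed yet."""
    now = time.time() if now is None else now
    nonce, expires_at = secrets.token_hex(16), int(now) + TOKEN_TTL
    account.pending = (new_email, nonce, expires_at)
    token = _sign(account, new_email, nonce, expires_at)
    # The link goes to the OLD address, so the current owner always sees it.
    account.outbox.append((account.email, f"Confirm change to {new_email}: {token}"))
    return token


def confirm_email_change(account, token, now=None):
    """Apply the pending change only if the token from the old mailbox is valid."""
    now = time.time() if now is None else now
    if account.pending is None:
        return False
    new_email, nonce, expires_at = account.pending
    if now > expires_at:
        account.pending = None         # expired requests are dropped
        return False
    expected = _sign(account, new_email, nonce, expires_at)
    if not hmac.compare_digest(expected.encode(), token.encode()):
        return False
    old = account.email
    account.email, account.pending = new_email, None   # token is single use
    account.outbox.append((old, f"Email changed to {new_email}"))
    return True
```

Someone who holds only the account password can file the request but cannot complete it, and the owner's existing mailbox receives both the confirmation link and the final notice.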
 

Kith Kanan

Guest
prob is if you suddenly can't access that mail account anymore, I used a free mail client for signing to free shid and stuff, and the site got shut down and sold with no warning whatever, if that had been my uo email what should I've done???
 

Connor_Graham

Guest
prob is if you suddenly can't access that mail account anymore, I used a free mail client for signing to free shid and stuff, and the site got shut down and sold with no warning whatever, if that had been my uo email what should I've done???
I would have suggested at the beginning not to use a free site like that for any type of account that you pay for. My suggestion would be that any account, such as credit cards, banking, UO account, etc, use the email that is provided with your internet service provider, and ONLY use that email for accounts of this nature. Most internet providers allow you to create a sub account connected to the primary, that allows you to use a different password for access to it, and gives you an alternative email to use for your "free shid and stuff" without compromising your primary account. This also keeps the spam email almost completely out of the primary account, which is a nice bonus.
 

DevilsOwn

Stratics Legend
Alumni
Stratics Veteran
Stratics Legend
During one of my bi-weekly virus scans yesterday I found a virus had embedded itself in my EA Games file (I'm still going through my history to figure out from where as I haven't been to any sites I haven't been to before).
oooookay, this is scary..... please be sure to let us know what you find
 

Erekose

Seasoned Veteran
Stratics Veteran
Stratics Legend
Unfortunately a common vector these days is banner ads, so even if you visit sites you usually trust you can get infected with a trojan or virus if you aren't paranoid and careful.

Use Firefox and adblock/flashblock
 

Lady-Tor

Lore Master
Stratics Veteran
Stratics Legend
What I find even more frustrating than this is that we cannot change our account names. Everyone knows that occasionally an account gets hacked, and like me is upset to get it back completely stripped, and if you're lucky not have your chars deleted. Anyway, someone out there knows your account name, you can change your password/emails/payment info, everything but the really important one. Why can't we change account names?
 

Revenant2

Guest
This struck me as strange that a company as large as EA wouldn't have some type of "confirmation required" email. If someone got hold of an account's password, they could change the email to whatever email they wanted to, then the notification would get sent to the new email and not the old. Whoever the account belonged to would never receive any kind of notification, and wouldn't know their account had been hacked until they actually tried to log in. If the security had the check in place that any changes to the email address had to be verified by clicking on a link on the OLD email address, with no changes to the account being accepted until this was done, it would go a long way toward the basic security that most people expect from secure sites.

So how about it EA/Mythic? Can we get a little security with our security?
They wouldn't force a confirmation email for a password change because someone could have compromised your email account (whereas you personally are supposed to have your account password stored in your brain).

The real ownership is intended to be with you, not the email account. In fact, I hear that if all your stuff gets hacked out the a$$, you can call them and as the owner/controller of the credit card that they've been using for the billing in the recent past, they will get you control of your account back.

They aren't set up to arrange return of your deleted characters or stolen items and that's a travesty of customer service, though. They absolutely should make a means to retrieve deleted characters (and they CAN do this without much trouble, they can make servers store supposedly deleted characters silently and invisibly for a time). Returning stolen items in production UO is admittedly hard, but the action plan of "we do nothing to help with lost items" is not a good answer.
 

Llewen

Grand Inquisitor
Stratics Veteran
Stratics Legend
Campaign Supporter
What I find even more frustrating than this is that we cannot change our account names. Everyone knows that occasionally an account gets hacked, and like me is upset to get it back completely stripped, and if you're lucky not have your chars deleted. Anyway, someone out there knows your account name, you can change your password/emails/payment info, everything but the really important one. Why can't we change account names?
We need to be able to change account names, and we also need to be able to include symbols in our passwords, and for the security challenged, you should simply not be able to create an account with a password less than eight characters long.

And yes, absolutely you should be running Firefox with NoScript and AdBlock Plus, and only using that browser to browse. It isn't just a good idea, it is something you absolutely should be doing.

oooookay, this is scary..... please be sure to let us know what you find
You want to hear something really scary? I just heard a news report on a security vulnerability in the current general internet infrastructure which would allow an attacker to reroute traffic from or to a particular source, without you even knowing it has happened.

This means you can think you are connecting to your online banking site when in fact you are connecting to some organized crime site where the purpose is to steal your personal and financial information, all without you clicking on any bad link, or doing anything stupid, whatsoever.

Your only defence in this kind of scenario is something like NoScript and paying attention to the url that you are connecting to. If you were running NoScript you would connect to that site and NoScript would block the scripts. So if you connected to a bad site when you thought you were connecting to a good site you had connected to before, NoScript would warn you, but if you weren't running something like NoScript you would have no defence whatsoever.

Hopefully this particular vulnerability will be addressed, and soon.
 

Prince Erik

Seasoned Veteran
Stratics Veteran
Stratics Legend
UNLEASHED
Llewen,

I demonstrate ARP Cache poisoning on occasion to people who believe they're secure. Most of them don't want to turn their computer on after that.

-P.E.
 

Nine Dark Moons

Certifiable
Stratics Veteran
Stratics Legend
i definitely think we should be able to change the account names. i bought an account a few months back and the account name is ridiculously short. that's the account that was hacked 2 weeks ago. when i called ea after the hack, i told them i wanted to change the account name and the indian man i talked to said that wasn't their policy, even when you buy that account from someone else, and go through ea's official transfer process. i think during that process you should be allowed to change the account name. my other account has a very long name with numbers and characters.

i also think you should have to answer security questions before being able to change an account password. while that might not stop a hacker from stripping our accounts, at least it would allow us to still login after they're done. i think it's pitiful they don't even have THAT enacted.
 

Dermott of LS

UOEC Modder
Stratics Veteran
Stratics Legend
...

Yep, Firefox with security and blocker extensions is ABSOLUTELY the way to go. Even though it kills the ads here and certain admin don't like that (which generally causes a nice uproar of a thread when a bad advertisement "slips" through to the site), the security of my system to me is a bit more important than a fan site (even if I've been posting here for 10+ years).
 

Doomsday Dragon

Visitor
Stratics Veteran
Stratics Legend
Unfortunately a common vector these days is banner ads, so even if you visit sites you usually trust you can get infected with a trojan or virus if you aren't paranoid and careful.

Use Firefox and adblock/flashblock
I agree firefox with adblock+ works pretty good that is what I have been using for a while now.
 

Erekose

Seasoned Veteran
Stratics Veteran
Stratics Legend
Firefox sucks
Thank you for the cogent and helpful contribution to the discussion on security. Are you sure you were not commenting about yourself? It's ok; self esteem problems are common and can be addressed with proper therapy.
 

THP

Always Present
Stratics Veteran
Stratics Legend
Thank you for the cogent and helpful contribution to the discussion on security. Are you sure you were not commenting about yourself? It's ok; self esteem problems are common and can be addressed with proper therapy.

Alas i started a link of my own ages ago about account security ....and firefox was not an issue at all..... just stop this crap that firefox is the god when it is not..
 

Erekose

Seasoned Veteran
Stratics Veteran
Stratics Legend
Alas i started a link of my own ages ago about account security ....and firefox was not an issue at all..... just stop this crap that firefox is the god when it is not..
Nobody said it was. Show me the IE plugins that let you avoid ads and flash. What? None? Take a chill pill :)

EDIT: Btw, if you know so much about computers maybe you could have actually contributed to the discussion instead of thread crapping and trolling.
 

Llewen

Grand Inquisitor
Stratics Veteran
Stratics Legend
Campaign Supporter
Nobody said it was. Show me the IE plugins that let you avoid ads and flash. What? None? Take a chill pill
And IE never will, because Microsoft is all about big business, and advertising is big business. For this same reason they will never have anything like NoScript either, as advertisers often rely on scripts of one sort or another. NoScript all by itself makes Firefox an infinitely more secure option for surfing the web.

Beyond that, these addons are possible because people with the skills and resources in the GNU community go to the trouble to create them, and none of them are ever going to create anything like that for a Microsoft product if they don't have to, for all kinds of reasons...
 

Surgeries

Grand Poobah
Stratics Veteran
Stratics Legend
I just switched over to Firefox...wow...pretty darn excellent!

I am not technically inclined at all, and it was a breeze to install, get the add ons working...everything.

Not only that, I no longer have to look at the ads on Stratics!!!

Thanks folks, for the info. I like it!
 

THP

Always Present
Stratics Veteran
Stratics Legend
So does NASA use firefox?????????? .. oh they got hacked by a computer genius....on his laptop.......... whatever!!!!
 

Halister Marner

Slightly Crazed
Governor
Stratics Veteran
Stratics Legend
UNLEASHED
So does NASA use firefox?????????? .. oh they got hacked by a computer genius....on his laptop.......... whatever!!!!
Those had nothing to do with what browser they used, they were server vulnerabilities, I believe Cisco, Solaris and an SQL vulnerability were the sources of the various NASA hacks. Weak passwords being a contributing factor.
 

Eslake

Guest
Firefox + Adblock Plus + Noscript = extremely secure.
Firefox, even with all of the nifty little addon security subs, is only secure until the scum out there decide to target it.

It is the same reason Mac users love to brag about how they never get a virus. Well duh! When less than 10% of computers are Mac, why would a virus creator bother? They want to do damage so they go for the popular OS and hardware.

The more popular Firefox becomes, the less secure it gets. As you probably already know, it has had its serious security flubs already. The more it brags about its security, the more the hackers want to prove how vulnerable it is. And as an internet interface, it is always going to be vulnerable.

Point of fact, it doesn't matter what you use to browse the net, or even if you Do. Just having an active connection allows "brush" tests of your security without you ever opening a browser.
 

Llewen

Grand Inquisitor
Stratics Veteran
Stratics Legend
Campaign Supporter
Firefox, even with all of the nifty little addon security subs, is only secure until the scum out there decide to target it.
Partly true, but three points. The first point is, I'll take security in whatever form it presents itself. "Security by obscurity" is just as valid as any other form of security, and sometimes it is the best form of security. One of the major reasons Linux is so secure is no one is writing crap for it.

Point two: Microsoft is not very well liked by many of those who are capable of creating hacks and exploiting vulnerabilities. This is in part Microsoft's own fault. Microsoft gained its position of dominance by playing the corporate bully, and it is paying for that through losses in the resulting lawsuits, but also in the form of a very strong anti-Microsoft sentiment among many in the coding and hacking community.

Point three: Firefox is developed under a different model than Microsoft's products, one that has a much better record when it comes to finding and fixing security vulnerabilities, it is called the "open source" model. "Open source" at its most basic means that the source code for the project is available for anyone to look at, and anyone can write and submit code which improves the product, and fixes problems like security vulnerabilities.

This means that you have, potentially, millions of coders acting as quality control for your product, and submitting fixes for any problems they may find. The more successful the product is, the broader the development base for the product becomes, and the faster security vulnerabilities are detected and fixed.

So yes, the more popular Firefox becomes, the more the bad guys will target it, but on the flip side of that coin is a broader and deeper pool of potential contributors to the product, with the ability to find and fix any of the security vulnerabilities that the bad guys may wish to exploit. The "open source" model of software development isn't perfect, but it does work, and has a much better record for finding and fixing problems quickly, such as security vulnerabilities, than the proprietary model used by Microsoft.
 