Tag Archive: Online Security

Oct 20 2011

Partitions…

Previously on How To Murder Time! “…Information security is one of those tiresome airy-fairy subjects until something goes wrong on your own patch…”

And now the conclusion! In rather predictable fashion I’ve now become a little bit RAGING PARANOID about online security and passwords as a result of it all, although it is somewhat reassuring to note that it wasn’t just me, and news sites seem to now be picking up on what turns out to be a fair sized rash of identical hacking stories to my own:

Eurogamer: XBL accounts hacked to buy FIFA packs

Ars Technica: As Xbox Live-FIFA 12 fraud continues, Microsoft’s response becomes maddening

Giant Bomb: Microsoft, EA Claim FIFA Isn’t Causing Rash of Xbox Live Hacks

Lots of mealy-mouthed damage limitation fluff from EA and MS there: “We don’t comment on security”, “Don’t give out your passwords”, and so far, my own account is still suspended and under investigation (at my own request), and I’m still £60 out of pocket on the credit card.

My raging paranoia hasn’t been helped by receiving an unrelated email from Turbine, telling me that they think their forums were just hacked, and would I like to think about changing my password?

The nature of the medium throws doubt and uncertainty on the innocent and the victim. “Are you sure it isn’t your fault somehow?” they ask. Well, I was, but now I’m not so sure, hence my newfound paranoia, and associated Twitter ranting. It’s a vicious spiral of distrust which eventually ends up with me demanding to be paid my salary in gold nuggets, which I then stuff under my mattress, in my house that I never leave!


Get a grip, I hear you think, and indeed, that is the trick. Somewhere between just tweeting my bank details and hoping everyone only takes what they need, and becoming some shotgun-toting backwoods hermit who fears electricity and hates government, there must be a middle ground, combining caution and usability, suitable for continuing to usefully live in an increasingly online digital age.

I can’t do much about the original problem itself, squarely an EA/MS fault, but there were things I could have done differently and better. Here are some security tips I’m currently implementing which should help stop this kind of thing in future. Many of them were suggested by Askgar in previous comments! Feel free to add your own or dispute these – only YOU can stop me being robbed again!


Unique Usage Passwords

Use a different password for every online service. It may help to use a different account name as well. The reasoning here is straightforward. If, to pick a random example, EA are flipping idiots and just give out Xbox Live passwords to anyone who phones them up and asks nicely, then that’s bad. The Xbox Live account is in for a clearing out that its legitimate owner won’t forget in a hurry!

Much worse though, is when that Friend of Humanity goes on to successfully log into PSN, WoW and your bank with the same details. It makes sense to try the login on multiple similar services, because some people are lazy, or just have trouble keeping forty or more different usernames and passwords straight in their heads.

I did this a lot, but have now made them all unique. I’ve re-learnt how to write letters with a pen, and now I keep them in a physical book. Old-school! I’m in trouble if my flat is burnt down or robbed, but it’s more about making disaster less likely, than removing it altogether. They might take the PC, but probably won’t take the innocuous looking book under the pile of junk on that other shelf.

Particularly important with peripheral systems; forums, fan sites, etc. While Triple-A MMO Corp may have watertight security, do you really know or trust the amateur owner-admin of Triple-A MMO Fansite dot com? I don’t. Using the same password for both makes the MMO’s security dependent on the integrity of the fansite owner. If you’re happy that everyone who ever asked you to create a password online is to be trusted, then you can probably ignore this one.


Strong Passwords

See XKCD comic here: http://xkcd.com/936/

Long beats complex, although in my recent paranoid password reset adventures, it’s dismaying to see that some online systems have password length limits of as little as eight characters. In these cases, use them all, and go with the punctuation and numbers, as suggested. EVE Online wins here with a staggering 64 character password limit. I approve!

Online systems could do more to improve this, but within reason. Runes of Magic wins the HtMT Ultimate Security Award here. On my recent attempt to retry the game, I went through all the forgot/reset password stuff to get back in after long absence, only to find it then wants a second password at character select, the resetting of which proved to be so bureaucratic and awkward that I gave up and will probably never play it again! I wish I’d written that down two years ago, and it does illustrate the dangers of security, which can become so secure even authorised users are kept out!


Remove Payment Methods

This one is what got me. If my XBL account didn’t have a permanent set of credit card details saved as part of itself, the Friend of Humanity would have just stolen 120 leftover MS points I wasn’t using anyway and then moved on, rather than gone on a 6120 point spree. I’d still be cross, but would not now be distrustful of all online payment as a whole. This is because online shops value One-Click Impulse Purchasing over security and this should not be encouraged.

Of course it suits Microsoft for me to be able to give them money by just pressing ‘A’ four times. (I’ve heard stories of six year olds, and dogs, racking up huge bills because of this sort of nonsense.) However, it doesn’t suit me that someone pretending to be me can steal £60 from me by just pressing A four times, thanks to their own flawed security procedures.

It’s not just MS though, and it is telling that in Turbine’s account management pages, upgrading to a subscription or buying Turbine Points is a one-click operation, but to remove attached credit card details, (because, to pick an example at random, their forums have just been hacked), requires a string of grovelling emails, and probably will each time I want to buy stuff from them in future.

In a sensible world, we should be required to re-enter our details every time we want to actually buy a thing, after which, those details should be deleted. It’s more awkward for us, but serves to disconnect automatic links which can be easily abused, as I found out to my cost. As it is, I am not happy with online services having my credit card details any longer than is absolutely necessary to make a purchase or renew a subscription.

I guess the real point here is not distrust of the service provider so much, but prevention of hackers stealing from you by tricking the service provider into thinking they are you. I’m fairly sure Microsoft isn’t out to steal from me themselves, but some other bugger did trick them into being an accomplice in a theft of my stuff anyway.


Game Cards and Paypal

On the subject of not just leaving your credit card details on a post-it note stuck to the shop till, why use one at all? Many online services have one-off points/time cards which provide an identical service, in a more secure manner. The underlying account isn’t any more secure, but at least it contains no onward money links. My paranoia recently sent me to GAME to test this out. I bought two £9 Station Cash cards (worth 3000 SC or two months of subscription for their non-F2P games), which I then took home. Scratched off the back, entered the code and then spent the points on EQ2X Silver and one of those floating island player houses I was going on about a while back. Still have some points left, but it’ll only be those that get lost if my Station account gets hacked. Oh…did I mention the latest SOE account security panic, making for three security incidents relevant to my interests in as many weeks. These buggers are at it all the time, and everywhere!

Paypal is a useful alternative, requiring another password on a different system to be entered before cash is dispensed. This password is different to the purchasing application’s one – see point one, above. I guess one day Paypal will be hacked, but I guess we’ll all have bigger problems than missing EQ2 points to worry about on that day.

Sadly, some systems offer neither points/time cards nor Paypal options – Amazon being one example. Treat these with caution, and try not to leave the payment details on file unless actually in the process of paying. Remove them after the purchase, if you can. With an increasing move to F2P design, it should become easier to find risk free ways to charge up the MMO MicroPoints that don’t expose the credit card.


Authenticators

My bank now makes me use one of these, a physical gizmo that tells me a number to type in when asked by the website. I do worry what happens when I put the authenticator on a 40C Non-Coloureds Spin Cycle, as I inevitably will one day, but anything that requires a physical object present to log in, can only help. CVV numbers on the back of credit cards work in a similar manner – you need the card in your hand to use it – and since the primary worry I have is people in remote places across the world pretending to be me online, this sort of thing does the job. WoW offer these and I think SOE have one too. It’s annoying that we have to pay extra for them, but they are probably worth the cost for extra peace of mind. You only have to worry about burglary or assault now!


Secret Questions

Quick tip here; lie. The person at the other end of the Lost Password Helpdesk isn’t marking you for accuracy. All they care about is that the answer you give matches the answer you said you would give when you filled out the form two years ago. Treat it as another kind of password rather than a General Knowledge Quiz with “You” as the specialist subject. When asked for your mother’s maiden name, make one up. With surprisingly little effort, some Friend of Humanity can look up your mother’s maiden name, but unless they’re already inside the system they are trying to break into, they won’t know exactly how you lied about it on the original form. As long as you can consistently remember the lie and repeat it back correctly later on, you’re fine.

More advanced setup forms of this type have user-enterable questions instead, which helps a lot here. Make it fairly obscure, but memorable to you!


Many of these tips are designed to deliberately break linkages, to internally compartmentalise our online selves. It can be very easy to create an online gestalt which is made up of many interlinked systems; accounts, logins, forum personas, avatars and so on, all of which lie behind only one universally shared and weak password. Get that from some weak link out on the periphery and the entire online you is laid bare, including the important stuff in the middle; the bank, the credit card, the employment records, the real you.

By resisting the pressure from these online services to create a unified one-button purchasing network around ourselves, and by resisting our own laziness, we can partition our online lives; insulate them from each other, so that if one element of it is compromised, the rest of them remain untouched. Pre-emptive damage limitation is fairly easy, but takes a moderate and sustained effort to keep it up.

All in all, I’ve learnt a lot in these last few weeks, so that’s something I suppose! I don’t even do MyFriends or BookFaces or SpaceVilles or the like, so have no security ideas for those, other than to not bother in the first place. Hopefully someone can comment on those!


With any luck, I’m preaching to the choir here and you all know all this stuff anyway, but if anyone reading this has learnt something, then that’s good too! If not, then I hope I’ve amused somewhat with tales of my own naivety! Regardless, good luck out there, remember that they are all out to get you, so don’t let the buggers get your monies!

Back to talking about things that aren’t online security soon!

Permanent link to this article: http://howtomurdertime.com/blog/2011/10/20/partitions%e2%80%a6.html

Oct 07 2011

Investigations…

So I was hacked. Information security is one of those tiresome airy-fairy subjects until something goes wrong on your own patch, and then suddenly it becomes an obsession to be shared with anyone who will listen!

TLDR; EA allow people to steal money from random XBOX LIVE users, using FIFA 12.

The long version, where I show my working:

So I get home and get on with some unrelated stuff that doesn’t involve the PC or Xbox360. Later on, I check my email and find that Microsoft are grateful for my recent purchase of 1000, and then 5000 Microsoft points, for a total of about £60. Uh-oh, thinks I, and go into full-on paranoid detective mode.

Various checking about my various membership and account web pages at Xbox Live shows a surprising chain of events. Apparently, at about 6:45pm I used an Xbox in an entirely unknown location to buy myself 6000 Microsoft points, then log in to FIFA 12, a game I don’t own and over the course of about an hour, spend a total of 6140 points. A neat trick considering that at the time, I was watching telly and staring at my 360, which was off. On the plus side, I also managed to complete 4% of FIFA 12 and gain 2/45 achievements; “New Club In Town” (Create your FIFA 12 Ultimate Team club) and the ironically named “I’ll Have That One” (Open your first pack in FIFA 12 Ultimate Team).

The purchases were confusing; 25 x “GOLD PACK Game Consumable” for 60 points each, 25x “PREMIUM GOLD PACK Game Consumable” for 120 each and 25x “PREMIUM SILVER PACK Game Consumable” for 60 points a go. I wish it said somewhere what game those were for, but I did my Googling and found these interesting threads:

Giant Bomb: Live account hacked? FIFA 11 related

and

Xbox.com: Fraudulent Charge of Premium Gold Packs

Of particular interest is the Giant Bomb thread, which is talking about identical problems in FIFA 11, yes Eleven, which seem not to have been remedied for FIFA 12. Fascinating post by ‘eatkill’ further in which I’ll quote:

Happened to me last week. $110 worth of xbox live points spent on “in-game consumables” in FIFA 2011. Contacted EA also since my password was changed also. The rep told me it’s a problem with the game, there is some way that someone can trick xbox and EA into gaining access to your accounts. I was told they have been trying to fix the problem for months, but it won’t be a problem with FIFA 2012. I’m still waiting for a resolution.

I find it very concerning that someone can create a product I don’t use that puts my account at risk.

You and me both, pal. A bug or design flaw which allows random strangers to be robbed of real life money goes unfixed for a whole year.


So here’s how I think it goes, The Great FIFA 12 Wayne Rooney Caper:

  • Friend of Humanity uses Mystery Method X (which I wouldn’t reproduce here even I knew what it is) to trick EA Support into somehow GIVING THEM ACCESS TO RANDOMLY CHOSEN XBL ACCOUNT WITH CREDIT CARD LINKAGE, in this case mine. (Anecdotal, from Giant Bomb thread)
  • FoH uses Gamer Tag Recovery system to make XBL think their Xbox is actually mine.
  • FoH uses my previously saved Credit Card details to buy 6000 points. (As per Billing Website log and emailed receipts)
  • FoH uses their own FIFA 12 disc to set up an “Ultimate Team”, which I gather is a cynical EA Magic-The-Gathering style virtual collectable card game shakedown exercise. (See Achievement 1)
  • FoH then uses 6140 points to go ape-mental in FIFA 12’s stupid MtG Style CCG booster shop. (Achievement 2, and Point Spend History website)
  • FoH opens packs, plucks out rare/powerful footballist wizard cards and footasaurus artefact cards and somehow transfers/trades them to another account. If he’s smart, that one isn’t a real one either and multiple stages will be involved. I severely doubt EA keep logs of this, but you never know.
  • FoH cackles off into the sunset to win lots of important pretend football matches online by cheating. He pauses only to render my XBL account inoperable on the way out – changed password, that sort of thing.
  • FoH possibly then sells on the cards for real money somehow? Not sure how that side of it works what with me having NEVER PLAYED FIFA 12 and all. Probably facilitated by shady message boards and the like. Fencing has never been so easy!

Some amount of guess work up there, after all, I’ve never actually played FIFA 12, but it is backed up with reasonable internet corroboration. There is a definite Step 3 Profit here, a somewhat convoluted cyber smash-and-grab which by the sounds of it, goes on all the time. Not an especially glamorous caper, but a sound and repeatable one.


And this is just me, googling about. I imagine the nice Microsoft Support Lady that I immediately phoned, who should have the entire audit trail in front of her, is likely to find out a lot more. I talked to them and got the account frozen and promises of investigation and reimbursement, although it’s probably going to be a fortnight or so before it’s all back to normal. Annoying because the 360 has an irritating necessity to tag many of its save games to a profile I can’t now get at for the duration of the investigation. I am NOT restarting Final Fantasy XIII again – I may not live to see the end of a second play through!

The support lady reassured me that all they’d have seen was a bunch of x’s with four digits on the end from inside the Xbox UI, so it’s unlikely my “FIFA Fagin” will be able to use the card for outside general purchases, but now I still have to do the usual watchman’s round of online systems, checking all the other metaphorical padlocks are still unbroken. I’m just glad my online bank recently introduced physical authenticators.

To their credit, MS Support were professional, helpful and reassuring, so I’m not too worried about it all, but it does make me cross, and mostly with EA.


Summing up; FIFA 12 is a den of cheating scumbags, EA are cynical profiteering idiots, Microsoft are surprisingly helpful but should put some serious pressure on EA, and probably should think about introducing an authenticator for in-console point purchases.

And I probably should have known better than to leave my payment info linked as part of the profile. If I did anything wrong here, it was that. I might trust Microsoft, but do I trust everyone Microsoft trusts, and everyone they trust?

Much as it might suit Microsoft (Or Sony, or Nintendo, or Steam, or whoever), the console has NO need to constantly have access to payment details – these should be a one-off thing that must be entered each and every time I want to buy stuff.

None of this is possible without a one-click attitude to online shopping that we should all learn to do without. We don’t just leave our wallets behind on the counter in real life shops to make things easier next time we visit the shop – we shouldn’t do it online either.


The Information Age is a double edged sword. We become the centre of an increasingly fragmented, attenuated and ephemeral sphere of connections, passwords, accounts and security questions, all only as strong as our own memories and the competences of the system designers involved, and with the increasing complexity of it all, we lose more and more control over who we are and what we own.

At the same time, with more and more systems and logs and audits in place, time itself becomes a more controlled thing. If things happen that weren’t intended, time can indeed be rewritten. Backups, rollbacks, simple remote controls that make the last twenty four hours never have happened, as far as the credit card or account status system cares at least. Goods and values can be remotely evaporated and recreated anew, from nothing, at the press of a button.

If I’ve learnt anything from this experience, it’s that knowing the password is nowhere near as important as knowing the answer to the secret question. As long as you can still prove that you are you, everything else is editable.

Permanent link to this article: http://howtomurdertime.com/blog/2011/10/07/investigations.html