Hacked Accounts
" Read my posts above. Most likely, it was via brute-force method. Whether you like it or not, GGG, you'd have to admit that this one was your fault, not the players. You have this simple yet deadly exploit in the security system for months and yet you didn't realize it. Even if you have special characters, numericals and alphabets, your password is never safe until GGG patched in this exploit that allows brute-force. No one is safe. I repeat, no one. Not even Chris himself, not even Kripp, not even you, not even me. |
|
I can say with utmost certainty. That if I get hacked, you have been breached GGG and not me.
If I get targeted shortly after posting this on your forums. Then its allmost certain its you. I'm sorry, but loads of the things you are writing in your post Mr-chris, seems like just a huge wall of "DEFENSE TEXT!" which most of your playerbase will shrug off too and probably be able to read between the lines.(cause we cant prove it.. We just have to take your word for it. Thing is.. we wish it was mutual). I understand that it can't be mutual tho, cause there are alot of shitkids out there, but I think there is more mature players then there are shitkids who would take advantage of a hacked situation. Most of us just want our timeconsumption reimbursed, so we can continue to play. On another note tho. Your stating that you cant reimburse hacked accounts cause you dont want to ruin the game economy ? What game economy ? This game dosent have a economy yet. Trades are based on what people think its worth FOR THEM at the exact given time the tradeoffer pops up in chat. There is however.. a common knowledge of the worth of certain items(But it really depends from person to person what they want to pay) So I find your grounds to not reimburse kind of faulty. Not entirely faulty, but kind of. From what I can see from your posts, you have taken measures to ban som IP's that have hacked player accounts.. so u got to have some sort of security in place to figure out who has done what ? So when u ban those IP's. You might catch it in the bun, and freeze that accounts assets before the contraband gets shuttled around to other accounts(Also keeping in mind that u dont have a trade log system?) - Just this little thing would help too not ruin what u call an "economy". I think you should rethink your way of thinking or how to phrase yourself. Just my 2 cents. Good luck everyone! Last edited by RealPesto#4359 on Feb 20, 2013, 12:26:37 PM
|
|
" This is pretty unlikely. Brute forcing even a modest eight character password (assuming it isn't made of dictionary words) would take tens of billions of requests. This would likely take several months per account, even without any kind of lockout as you described. Not to mention that the attacker would need to know that your particular email address was tied to a PoE account, and it isn't visible anywhere on the official website. I'm guessing that people jumping on this idea tried entering a wrong password at logon a dozen or so times, and at most a hundred. An attacker would need to commit several orders of magnitude more attempts to have a chance at guessing your password, and it's entirely possible that GGG has a system in place that does lock accounts after a large number of incorrect tries. Websites or games that lock accounts after only a few incorrect guesses do so to make users feel safe (security theater), not because it's useful. |
|
" Ever heard of a botnet? Brute forcing isn't a joke, and it isn't as random as you make it out to be. Edit: For clarification, I don't think brute forcing is what is going on here. I'm just saying the content of your post was incorrect, and that if someone wanted to brute force their way into accounts, it doesn't seem like there is anything to stop them. Last edited by MonstaMunch#6519 on Feb 20, 2013, 12:31:34 PM
|
|
" I guess you are referring to this part of Chris' statement: " Things would indeed change, because "hacker" b probably wouldn't keep the "stolen" items: (1) If all items get removed and restored: b could trade for other people's c items. If such a "hack" now gets reported by the "hacked" account a and all the taken currency/items are deleted from their current owners' c inventory/stash and restored to the "hacked" account a, c not only would lose said items, but also the items he traded to b, since b is probably going to be banned, but has allready traded/sent c's items to d. Ofcourse support could also track that, but automation could quickly get complicated. -> Also what if c uses the currency/items he got from b? c's new orbs may be used and gone, his gems leveled up, his armour got its mods rerolled. - Should c's progress be reversed*? a gets back his items, d has the items c traded to b - and c loses out. Maybe a and b even "know" each other and set this up to get c's items. d probably also knows/is identical with a and b. b's account ofcourse is removed, a and d proceed to create b1 to setup their next "tradehack". Targets are c1, c2, c3. This time d gets "hacked", ... (2) If only the leftovers get removed and restored: Maybe only currency/items should be restored to a, that still are in b's possession? What happens if b also took a1's and a2's stuff (eg. currency, which b mixes into the same stacks) and traded some of it to c? How much refund do a, a1 and a2 get? * If a gets his items restored while c is allowed to keep those he traded for - duping gets to be the issue. Seems like this is no trivial matter to deal with. Edit: Regarding brute-forcing - wouldn't GGG grow aware of a large amount of invalid login requests? That should be alot of additional traffic, I guess. [The Prison] Crawl a text-based dungeon - http://www.pathofexile.com/forum/view-thread/26299 Last edited by Azhubham#4599 on Feb 20, 2013, 12:38:16 PM
|
|
" As much as I want to agree with you, statistics says otherwise. Hackers are known for their tenacity, and let me tell you, you're in deep sh*t if 2 or more companies that profits from hacks and employs hackers targets your game, especially when they are still populated and peaking in popularity. They could easily have developed a brute-force program and most likely, coordinated in attempt to saves up time. For example: Hacker A employs range of words for the program from A to E Hacker B employs range of words for the program from E to J And so on. You'd best be reminded that black hat hackers often works cooperatively, and when that happen, you could expect many accounts simultaneously hacked, especially with faulty security system like what we're currently suffering. While it may be ineffective, it really does slows down the hacking process if GGG patched in a fix that prevent a user to enter a password again in short period should he/she entered wrong password in like 3 times. The hacker would be forced to change proxies/IP to evade the short-term block, and if this was coupled with a auto-locking account system by GGG that could only be opened again with confirmation with email or sorts, it could saves many accounts from the agony of losing some important items, namely exalts and valuable uniques. Like I said, currently, we are all vulnerable. What I hate the most is that GGG seems to be taking the stance of "it's your fault not ours" while their own security system was proven to be really need some serious overhauls and fixes. And this is coming from a user that is not been hacked until now. Last edited by darkro90#1163 on Feb 20, 2013, 12:37:11 PM
|
|
This should have been expected and you should have had account security in place before OB went live.
EVERY new game goes through this, every. single. game. Why? Because new games currency is worth boatloads when it first hits. Do a few Google searches and see how much PoE currency is going for atm. Last edited by darkjoy#6975 on Feb 20, 2013, 12:38:23 PM
|
|
" Regardless of whether or not anybody wants to point a botnet at PoE accounts, once again they would need the email address tied to your account, and anyways just because GGG doesn't lock accounts after ten incorrect guesses doesn't mean they don't lock them after a hundred. It's also unlikely that GGG wouldn't notice billions (or, like you said, if you consider that most people use weak passwords that are easy to guess, millions) of requests per account, and take action. Considering the number of players this game has, this would be a huge jump in the number of requests to the login server. They're in OB, network traffic is one of the biggest things they care about during this phase. Again, pretty unlikely this has happened to anyone. |
|
" The thing is, this is pretty well covered in the OP. If people were brute forcing accounts, they would do Chris and Kripp. I do believe that the hijacking could be something that has nothing to do with end users doing anything wrong, but I think you're barking up the wrong tree with this one. Again, I'd love to know why we're all so sure that sessions aren't being sidejacked through traditional interception. That has nothing to do with accessing the victim's computer or password. If they can intercept the session ID, they can probably impersonate the user without even needing the password for the account. It would also explain why the victims would be random. " Like I said, I don't think it has either. The point is it could easily happen to anyone. There are more logical explanations for what is going on than brute forcing mass accounts. Last edited by MonstaMunch#6519 on Feb 20, 2013, 12:42:08 PM
|
|
Bunch of scrubs tried to hack and they got their shit stolen. Serves them right. nothing more, nothing less.
same shit happened with d3 and everyone tried to claim it was blizzard that was hacked. |
|