-Disposable|Heroes-

inside a whale since 2003.
It is currently Thu Mar 28, 2024 8:35 am

All times are UTC - 5 hours




Post new topic Reply to topic  [ 16 posts ]  Go to page 1, 2  Next
Author Message
PostPosted: Fri Apr 17, 2009 7:50 am 
Offline
The Eventress

Joined: Mon Oct 06, 2008 9:49 am
Posts: 476
Folks have started receiving security tokens the past few days and some research and testing on the units has begun. There have been some interesting finds that I thought I would share:

It appears that when you press the red button on the token to generate a one-time password, this password stays "active" (read: useable) for a full 27 minutes before expiring. This is slightly different than most security tokens which have a 30-60 second expiry on each password before it automatically defaults to a new password.

Another discovery was that if you generated 5 passwords prior to logging into the account, and used the very first password of the 5 (the oldest), you could enter provided it was still under 27 minutes. However, the remaining 4 passwords would also stay useable for the next 27 minutes as well.

Now, if you generated 5 passwords prior to log in, but this time used the 5th (or newest) password, it would deactivate all prior passwords generated, regardless of when they were generated.

Another major annoyance that has surfaced is that despite accounts being safer than ever before, because of the security token, and the SquareEnix accounts, folks are now susceptible to random boots from their accounts. By that I mean, if someone knows your POL ID, and attempts to log into it using even an incorrect combination of an SE ID and a random token PW, they will indeed be denied access, however as a side effect, you'll be booted from your account and forced to log in again... Because of this, I'd be careful about who has your account info, regardless of how protected it is!

/facepalm @ SE... STOP FAILING!

Anyway, there's a lot of discussion happening on BG about this, I'll keep you all posted if any new developments arise.


Top
 Profile  
 
PostPosted: Fri Apr 17, 2009 9:06 am 
Offline
Tarutaru Murder Suspect
User avatar

Joined: Sat Aug 02, 2008 6:07 pm
Posts: 995
Location: The land of a million galka...
Gender: Male ♂
IGNs: Floressa, Yururu, Cheetah, Donorise
Image


Top
 Profile  
 
PostPosted: Fri Apr 17, 2009 9:27 am 
Offline
The Eventress

Joined: Mon Oct 06, 2008 9:49 am
Posts: 476
Update: It seems that the token key you enter and use to log in also stays useable for 27 minutes.

(i.e. You generate a key, use it to log in, you then dc 10 minutes later. You can use the same key again to log in as the 27 minutes has not yet expired.)

This really doesn't fix the threat of keyloggers, and almost makes this entire thing pointless...


Top
 Profile  
 
PostPosted: Fri Apr 17, 2009 10:02 am 
Offline

Joined: Sun Apr 12, 2009 5:30 pm
Posts: 4
Sounds like SE has tried to reinvent the wheel with this OTP they are trying, but the problem looks like they don't have OTP but a random password with an expiration. Epic fail. Does anyone test anything before they deploy it?

*Edit: I bought one, but really just for the storage.


Top
 Profile  
 
PostPosted: Fri Apr 17, 2009 10:08 am 
Offline
User avatar

Joined: Fri Jan 09, 2009 6:26 pm
Posts: 55
Location: Finland
Gender: Male ♂
IGNs: FFXI: Lituwotu
FFXIV: Aiden Ren
this thread lacks this picture
Image

_________________
Image


Top
 Profile  
 
PostPosted: Fri Apr 17, 2009 10:14 am 
Offline
Soloable by "most" jobs.
User avatar

Joined: Sun Aug 03, 2008 9:04 am
Posts: 438
Gender: There are no girls on the internets.
IGNs: Arynel, Arinel, Elvynel, Hairynel, Meowynel
Mine arrived today! Gonna use it once, get my satchel and never use it again!

_________________
Image


Top
 Profile  
 
PostPosted: Fri Apr 17, 2009 10:27 am 
Offline
The Eventress

Joined: Mon Oct 06, 2008 9:49 am
Posts: 476
Katsuko wrote:
Update: It seems that the token key you enter and use to log in also stays useable for 27 minutes.

(i.e. You generate a key, use it to log in, you then dc 10 minutes later. You can use the same key again to log in as the 27 minutes has not yet expired.)

This really doesn't fix the threat of keyloggers, and almost makes this entire thing pointless...


Okay it looks like the initial tester jumped the gun on this one.

Some more info came in, and it turns out that the code you use, plus all additional codes generated by the token prior to the one you just used, get burned once you log in.

It looks like the token hashes a new password every 40 seconds, each of these passwords stay active for about 25 minutes, and when you hit the red button on the token, it just supplies you with the most recently created password. This means that at any given time, there are about 40 different token passwords that can be used, all of which unique to your token.

The token passwords are 6 digits long, with a possible 10 characters per digit, this means that it would take them almost 140 hours to have attempted each possible combination. As for random guesses and blind luck, they would have a 1/25,000 chance at guessing the token password correctly on a whim.

However! Now keep in mind that they would also need your POL ID, your POL PW, your SE ID, and SE PW.

So breathe a sigh of relief, once this token is in place on your account, the chances of you getting hacked is nearly astronomical.

Still, I would feel even a bit more comfortable if they were to reduce the natural password expiry to 5 minutes..


Top
 Profile  
 
PostPosted: Fri Apr 17, 2009 10:32 am 
Offline
The Eventress

Joined: Mon Oct 06, 2008 9:49 am
Posts: 476
Arynel wrote:
Mine arrived today! Gonna use it once, get my satchel and never use it again!


Given the new info, you'd be crazy not to use it!

Isn't the extra 20 seconds at log in worth protecting everything you'd worked so hard on for years?


Top
 Profile  
 
PostPosted: Fri Apr 17, 2009 1:07 pm 
Offline
Soloable by "most" jobs.
User avatar

Joined: Sun Aug 03, 2008 9:04 am
Posts: 438
Gender: There are no girls on the internets.
IGNs: Arynel, Arinel, Elvynel, Hairynel, Meowynel
Katsuko wrote:
Arynel wrote:
Mine arrived today! Gonna use it once, get my satchel and never use it again!


Given the new info, you'd be crazy not to use it!

Isn't the extra 20 seconds at log in worth protecting everything you'd worked so hard on for years?


I'm on Vista, I don't have the security problems you lowly XP users have!!!!!!! :P

_________________
Image


Top
 Profile  
 
PostPosted: Fri Apr 17, 2009 2:13 pm 
Offline
The Eventress

Joined: Mon Oct 06, 2008 9:49 am
Posts: 476
Arynel wrote:
Katsuko wrote:
Arynel wrote:
Mine arrived today! Gonna use it once, get my satchel and never use it again!


Given the new info, you'd be crazy not to use it!

Isn't the extra 20 seconds at log in worth protecting everything you'd worked so hard on for years?


I'm on Vista, I don't have the security problems you lowly XP users have!!!!!!! :P


For now anyway, I'm sure it won't be long before they come up with something, If they haven't already.

I'm on Vista too btw! /highfive :lol:

Denruki wrote:
Has anyone confirmed that you keep sachel access if you de-activate one time pass token linkage to account?..cause i sorta doubt it...

I read the whole general use/tos crap and it said that first of all once you link a POL ID to your SE ID you can never unlink it, then once you link a Token to it then unlink token that token can never be used again, so that would be wasting 10$ >_>

but anyways as i said before I'm still not buying one of these until all the kinks get worked out of the system, i'm going to buying it for the extra security cause im that paranoid....srsly. *goes back to only websurfing on laptop and purely gaming on desktop*


Yea, someone has already done some testing and the satchel does stay active without the constant use of the token, you only need the token on the first time to activate it, and while you can't unlink your POL ID and SE ID, you can unlink the token.

I don't blame you for being paranoid really, they've proven time and time again that they're very resourceful, and aren't willing to give up. It won't be long until this thing is near mandatory, because once this hits, they're going to become even more ruthless, getting what they can from the people without tokens.

Personally I'll happily be inconvenienced for 20-30 seconds to ensure the safety of 6 years of my time and hard work.


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 16 posts ]  Go to page 1, 2  Next

All times are UTC - 5 hours


Who is online

Users browsing this forum: No registered users and 44 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Jump to:  
cron
Powered by phpBB® Forum Software © phpBB Group