Account security - linking to UO account

While having forums back again is a good thing. I really do not recommend forums to use the account user/pass.
This should have been a separate password that can be set in UO / mythic account portal.

+10 years in IT security, and worked for a number of MMOs/games. I can assure you this is a very very very bad idea. 
«1

Comments

  • Lord_BritishLord_British Posts: 9
    edited February 2018
    Just be happy that they finally arrived in 2000 and don't complain ...  :) Just joking, but I am with you.
    I could imagine that if something goes wrong, there will be no active account left to post here.
  • Many (almost every?) other video game companies uses the same login for their forums as their game.
  • I couldn't agree more with the OP, if this forum gets hacked it would be very bad...

  • Yeah even WoW does this, your forum account _is_ your account
  • Sure, they do, but not like UO/EA/BS handles their accounts/logins. If you can't figure out as a customer, why should there anyone @ BS/EA /UO?  ;)
  • IvenorIvenor Posts: 1,216
    edited February 2018
    A "quick and dirty" solution: until/if there is no separate PSW (I TOTALLY agree: ***VERY*** bad idea using the same PSW of the gaming accout to access the forum, expecially in today version of the cyberspace ("we are not in Neuromancer anymore, Toto!"), use the most "useless" of your accounts to register to this Forum. You know: the one whose chars/toons you only use as "mules" to hang-on at big IDOC, hoping to get some of the scraps the double class cheater/scripter guys don't hoover.
    What? You don't have at least one "Mule" full account?
    Suuuure! :-D
    As you Americans say: "Pull the other one, it got bells on"... ;-)
    Cheers
    Ivenor
  • PapaSmurfPapaSmurf Posts: 112
    Tin foil on the windows, we'll be fine....

  • IvenorIvenor Posts: 1,216
    edited March 2018
    Better if bulllet-proof glass... :D B)
    Please check by yourself just a little example of USR/PSW DB broken in the last years:
    https://haveibeenpwned.com/
    Nobody is too small to risk to be casually caught in today cyberscammer's "bottom trawling" phising.
    And they ask to be paid in BitCoins and such: I don't think they will accept UO Gold... >:)

  • SpartanSpartan Posts: 1
    Agree with the OP ... I am retired after 40 years IT and the linkage of forums to account in any manner is really unsafe.  TBH, I feel safer (account-wise) on other boards.

    Someone come get me when things are better.  Sorry, BS/EA ... this is a deal-breaker for me.
  • LexLex Posts: 38
    At least the other games usually allow two-factor authentication.
    And they also authenticate new logins to the game before it'll let you on. (Bnet, HoN, LOL etc)
    Many companies also allow setting a separate forum password. (BIStudios)

    UO (at least a year or so ago) didnt allow long passwords or special characters. Wasnt until recently this got fixed.

    This forumboard is untested. We dont know if it's an inhouse designed board (it seems like it, if you look at the login prompt - this if anything seems very insecure). Has it been pentested?
  • MadMartyrMadMartyr Posts: 61
    These forums are based on Vanilla Forums. Not sure what Single Sign-On solution they're using.
    UWF Emissary
    Developer of Ultima Mapper
  • DrakelordDrakelord Posts: 1,788
    You do know that once you started here you could go back to https://accounts.eamythic.com/ and change the password for the account you are using here?  I did
    Remove Trap = Bad News
    for
    Treasure Hunters
  • TanagerTanager Posts: 634
    I have to confess, my game account is precious to me. Even the most robust online system has its weaknesses, and so I chose the lesser of two accounts for this. Then, as Drakelord pointed out, I promptly changed the password for the account afterwards.

    That said, most MMOs do have their official forums this way. People tend to pay more attention to their words when they must consider the consequences of choosing them poorly.
  • Dean478Dean478 Posts: 9
    Would have been nice if the forum system implemented some sort of character connection. A lot of other MMOs will let you select the character you wish to "post as".
  • TanagerTanager Posts: 634
    Changing the password at Mythic changes it here also. I tested this by trying to sign in with a different browser.

    On a side note, I wish the edit post function had no time limit. This extra comment to clarify creates clutter imo!
  • I notice several EMs have already posted in the new forums, and I imagine the devs will be as well. That, right there, is reason to believe that security is a high priority for Broadsword.
    Think about it - if someone did figure out how to hack these forums, I'd have thought Mesanna's account would be the first target, closely followed by Kyronix and Bleak's accounts - not a player's account, no matter how many rares they own.
    I may be overly optimistic, but if this is their choice of security models, then I doubt they've gone into it without thinking it through. 
  • IvenorIvenor Posts: 1,216
    edited March 2018
    I notice several EMs have already posted in the new forums, and I imagine the devs will be as well. That, right there, is reason to believe that security is a high priority for Broadsword.
    Think about it - if someone did figure out how to hack these forums, I'd have thought Mesanna's account would be the first target, closely followed by Kyronix and Bleak's accounts - not a player's account, no matter how many rares they own.
    I may be overly optimistic, but if this is their choice of security models, then I doubt they've gone into it without thinking it through. 
    Unfortunately, IMO, for how the cyberworld goes today, I fear unfortunately that you ARE overly optimistic, as even some other IT security guys too already noted above in this thread.
    So, even cosidering that maybe UO is a "low yeld" target for script kiddies and such underlife (double class IDOC scripters/cheaters beside... >:) ) having same creds for multiple functions online is ALWAYS BADBADBAD!
    We have already different creds between Mythic Account & Game Account, so why not a differente set of them for the Forum too? Yes, I undestand that maybe it is to have only "legit" (i.e. "paid account(s) holders") posting on this forum, but, but... :#
    Cheers
    Ivenor
    PS: Here is a little very basic introductory link about net security today, to make your nights go without sleep for some other motivation that playing UO: https://www.theregister.co.uk/ :s :)

  • LexLex Posts: 38
    I notice several EMs have already posted in the new forums, and I imagine the devs will be as well. That, right there, is reason to believe that security is a high priority for Broadsword.
    Think about it - if someone did figure out how to hack these forums, I'd have thought Mesanna's account would be the first target, closely followed by Kyronix and Bleak's accounts - not a player's account, no matter how many rares they own.
    I may be overly optimistic, but if this is their choice of security models, then I doubt they've gone into it without thinking it through. 
    I hope that Broadsword would offer their own players the same security as they should on their employee accounts.
    Namely:
    - a basic IP restriction of which IPs can use the account .
    - Separate account from privileged administrator / elevated accounts (perhaps requiring employees to VPN to office network if they want to login as privileged account, see above).

    To rely on patching vanilla forum, integrating your own SSO , it adds so many layers of fck up that can happen. It's just bad security.
    Giving us 2FA and IP restrictions would solve many of my concerns and be "good enough".
    Preferably allowing us to set a separate forum password would be great!

    I'm working in the MMO business. This is a lesson that we've learnt time and time again when companies repeat these mistake.
  • IvenorIvenor Posts: 1,216
    Lex said:
    I hope that Broadsword would offer their own players the same security as they should on their employee accounts.
    Namely:
    - a basic IP restriction of which IPs can use the account .
    - Separate account from privileged administrator / elevated accounts (perhaps requiring employees to VPN to office network if they want to login as privileged account, see above).

    To rely on patching vanilla forum, integrating your own SSO , it adds so many layers of fck up that can happen. It's just bad security.
    Giving us 2FA and IP restrictions would solve many of my concerns and be "good enough".
    Preferably allowing us to set a separate forum password would be great!

    I'm working in the MMO business. This is a lesson that we've learnt time and time again when companies repeat these mistake.
    <3 <3 <3 ;)
  • They should setup "2 factor authentication" the same way Blizzard does it for their games.

    https://us.battle.net/heroes/en/blog/20815191/keep-your-account-secure-with-the-blizzard-authenticator-6-6-2017

    Zayin: Paladin
    Mort: Mystic Mage
    Siw: Tamer
  • MadMartyrMadMartyr Posts: 61
    2FA should be incorporated for all account functions, and really should've been done long ago, but they do what they can.
    UWF Emissary
    Developer of Ultima Mapper
  • BilboBilbo Posts: 2,834
    When was the last time UO/BS/EA was hacked?  I have been here for 20 years and I have never heard of them ever getting "HACKED"  Have there been people lose accounts/items, yes.  Does that mean UO was HACKED, no  Most so called Hacked Accounts are from mistakes by the person using little to no common sense.
  • FeigrFeigr Posts: 512
    For things I log into frequently I change my passwords weekly.  
  • GandalfGandalf Posts: 116
    Bilbo said:
    When was the last time UO/BS/EA was hacked?  I have been here for 20 years and I have never heard of them ever getting "HACKED"  Have there been people lose accounts/items, yes.  Does that mean UO was HACKED, no  Most so called Hacked Accounts are from mistakes by the person using little to no common sense.
    In the years 2000, there was some SQL errors in the official account management. With this exploit, the hacker has the possibility to get username/pass/mail/master question answer....

    A lot of Brokers/Rare collector/traders has been hacked without any reasons. It's hard to believe but it's true and i can give a list.
  • GandalfGandalf Posts: 116
    and it wasn't fixed until the new account management for info's....lol
  • BilboBilbo Posts: 2,834
    Gandalf said:
    Bilbo said:
    When was the last time UO/BS/EA was hacked?  I have been here for 20 years and I have never heard of them ever getting "HACKED"  Have there been people lose accounts/items, yes.  Does that mean UO was HACKED, no  Most so called Hacked Accounts are from mistakes by the person using little to no common sense.
    In the years 2000, there was some SQL errors in the official account management. With this exploit, the hacker has the possibility to get username/pass/mail/master question answer....

    A lot of Brokers/Rare collector/traders has been hacked without any reasons. It's hard to believe but it's true and i can give a list.
    This is the best kept secret because there is ZERO mention of this and I have been here for 19 years and none of my accounts have a secret question  Please provide a link to said HACKING or are you talking all those accounts that Drac deleted in 2006
  • LexLex Posts: 38
    EA has had credentials leaked on a number of times after. Most of the times you just get an email saying your password has been reset as a security measure. 

    Broadsword uses mythics Auth. Not as widely attacked but trust me when I say that adding more services integrated into the same authentication always increases risks. 
    High? Probably not. But I don't like my forum credentials being used for an important game too. Forum credentials get entered via a web browser whose walled garden / VM could be exploited separately to log and pass on my password elsewhere. 
  • BilboBilbo Posts: 2,834
    Lex said:
    EA has had credentials leaked on a number of times after. Most of the times you just get an email saying your password has been reset as a security measure. 

    Broadsword uses mythics Auth. Not as widely attacked but trust me when I say that adding more services integrated into the same authentication always increases risks. 
    High? Probably not. But I don't like my forum credentials being used for an important game too. Forum credentials get entered via a web browser whose walled garden / VM could be exploited separately to log and pass on my password elsewhere. 
    Interesting, been here for 19+ years and have all my accounts on auto renew and I have NEVER received one of these E-Mails.  Also checked with some friends that played nonstop pre AoS and they never heard of this Hack or received any E-Mails ether.
  • LexLex Posts: 38
    EA had master accounts leaked in 2015:
    https://www.polygon.com/2015/10/16/9556137/ea-account-details-leaked-as-part-of-data-dump

    Suspected leak 2012:
    https://www.theverge.com/2012/11/14/3645214/electronic-arts-origin-hack

    There are older ones too, but these are the most fresh ones I know about.

    Note that EA/origin was always very quiet about anything that might affect their stock value. Hence very little info except password reset.
    Not all accounts have been affected as only partial lists were leaked on pastebin, but you may be able to check if your account was ever affected on https://haveibeenpwned.com/ (enter email and see if an account matches any of the dumps for many known leaks).




  • Dot_WarnerDot_Warner Posts: 234
    I too find it concerning that these forums are directly linked to our master accounts, though I doubt the forum's backend stores our user credentials. Hopefully, there is something like a "user is authorized" property after registration - though I'd feel more secure if we could change our forum passwords to something else...

    Most of EA's "hacking" woes relate to Pogo and Origin, revolving around credit card fraud. It wasn't just stolen cards, but purchases being made on user's accounts with the end product(s) going to someone else - this was mainly focused on FIFA.

    As ridiculous as it sounds, EA/Origin also has a serious problem with randomly charging people's cards from other countries for their UO accounts. Most bank's fraud alerts go off when this happens and they sometimes block the charges (or charge back) which tends to cause EA to myopically ban the account for their own malfeasance. 
Sign In or Register to comment.