Account security - linking to UO account
While having forums back again is a good thing, I really do not recommend that the forums use the account user/pass.
This should have been a separate password that can be set in UO / mythic account portal.
+10 years in IT security, and worked for a number of MMOs/games. I can assure you this is a very very very bad idea.
Comments
I could imagine that if something goes wrong, there will be no active account left to post here.
What? You don't have at least one "Mule" full account?
Suuuure! :-D
As you Americans say: "Pull the other one, it got bells on"... ;-)
Cheers
Ivenor
Please check for yourself just a small example of the USR/PSW DBs broken in the last few years:
https://haveibeenpwned.com/
Nobody is too small to risk being casually caught in today's cyberscammers' "bottom trawling" phishing.
And they ask to be paid in BitCoins and such: I don't think they will accept UO Gold...
Someone come get me when things are better. Sorry, BS/EA ... this is a deal-breaker for me.
And they also authenticate new logins to the game before it'll let you on. (Bnet, HoN, LOL etc)
Many companies also allow setting a separate forum password. (BIStudios)
UO (at least a year or so ago) didn't allow long passwords or special characters. Wasn't until recently this got fixed.
This forum board is untested. We don't know if it's an in-house designed board (it seems like it, if you look at the login prompt - this if anything seems very insecure). Has it been pentested?
Developer of Ultima Mapper
for
Treasure Hunters
That said, most MMOs do have their official forums this way. People tend to pay more attention to their words when they must consider the consequences of choosing them poorly.
On a side note, I wish the edit post function had no time limit. This extra comment to clarify creates clutter imo!
Think about it - if someone did figure out how to hack these forums, I'd have thought Mesanna's account would be the first target, closely followed by Kyronix and Bleak's accounts - not a player's account, no matter how many rares they own.
I may be overly optimistic, but if this is their choice of security models, then I doubt they've gone into it without thinking it through.
So, even considering that maybe UO is a "low yield" target for script kiddies and such underlife (double class IDOC scripters/cheaters aside... ) having the same creds for multiple functions online is ALWAYS BADBADBAD!
We already have different creds between Mythic Account & Game Account, so why not a different set of them for the Forum too? Yes, I understand that maybe it is to have only "legit" (i.e. "paid account(s) holders") posting on this forum, but, but...
Cheers
Ivenor
PS: Here is a little very basic introductory link about net security today, to make your nights go without sleep for some other motivation than playing UO: https://www.theregister.co.uk/
Namely:
- a basic IP restriction of which IPs can use the account.
- Separate account from privileged administrator / elevated accounts (perhaps requiring employees to VPN to office network if they want to login as privileged account, see above).
To rely on patching a vanilla forum and integrating your own SSO adds so many layers of fck up that can happen. It's just bad security.
Giving us 2FA and IP restrictions would solve many of my concerns and be "good enough".
Preferably allowing us to set a separate forum password would be great!
I'm working in the MMO business. This is a lesson that we've learnt time and time again when companies repeat these mistakes.
https://us.battle.net/heroes/en/blog/20815191/keep-your-account-secure-with-the-blizzard-authenticator-6-6-2017
Mort: Mystic Mage
Siw: Tamer
Developer of Ultima Mapper
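The three controls proposed above (a forum-only password, an IP restriction on the account, and 2FA) as one small login check. This is an added example, not code from the forum software or from Broadsword/Mythic; the account record, salt, TOTP secret and allowed network are constructed values, and the forum-only passphrase is hypothetical.

```python
import hashlib, hmac, ipaddress, struct, time

# The forum password is hashed and stored on its own, so a compromise of the
# forum never yields the game/Mythic account password.
def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the scheme authenticator apps implement."""
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

SALT = b"constructed-salt"
FORUM_ACCOUNT = {
    # hypothetical forum-only passphrase, distinct from the game account password
    "password_hash": hash_password("forum-only-passphrase", SALT),
    "totp_secret": b"constructed-totp-secret",
    # the "basic IP restriction" from the post: networks allowed to log in
    "allowed_networks": [ipaddress.ip_network("198.51.100.0/24")],
}

def authenticate(account, password, client_ip, code, now=None) -> str:
    """Return 'ok' or the name of the first check that failed."""
    now = time.time() if now is None else now
    ip = ipaddress.ip_address(client_ip)
    if not any(ip in net for net in account["allowed_networks"]):
        return "ip_not_allowed"
    candidate = hash_password(password, SALT)
    if not hmac.compare_digest(candidate, account["password_hash"]):
        return "bad_password"
    # accept the current and the previous 30 s step to tolerate clock skew
    expected = [totp(account["totp_secret"], now - d) for d in (0, 30)]
    if not any(hmac.compare_digest(e, code) for e in expected):
        return "bad_totp"
    return "ok"
```

A game-account password entered at the forum login fails at the password check, and a valid forum password from an unlisted network never reaches the password check at all.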
A lot of Brokers/Rare collectors/traders have been hacked without any reason. It's hard to believe but it's true and I can give a list.
Broadsword uses Mythic's auth. Not as widely attacked, but trust me when I say that adding more services integrated into the same authentication always increases risks.
High? Probably not. But I don't like my forum credentials being used for an important game too. Forum credentials get entered via a web browser whose walled garden / VM could be exploited separately to log and pass on my password elsewhere.
https://www.polygon.com/2015/10/16/9556137/ea-account-details-leaked-as-part-of-data-dump
Suspected leak 2012:
https://www.theverge.com/2012/11/14/3645214/electronic-arts-origin-hack
There are older ones too, but these are the freshest ones I know about.
Note that EA/Origin was always very quiet about anything that might affect their stock value. Hence very little info except password resets.
Not all accounts have been affected as only partial lists were leaked on pastebin, but you may be able to check if your account was ever affected on https://haveibeenpwned.com/ (enter email and see if an account matches any of the dumps for many known leaks).
Most of EA's "hacking" woes relate to Pogo and Origin, revolving around credit card fraud. It wasn't just stolen cards, but purchases being made on users' accounts with the end product(s) going to someone else - this was mainly focused on FIFA.
As ridiculous as it sounds, EA/Origin also has a serious problem with randomly charging people's cards from other countries for their UO accounts. Most banks' fraud alerts go off when this happens and they sometimes block the charges (or charge back), which tends to cause EA to myopically ban the account for their own malfeasance.