Welcome, Guest. Please login or register.
September 21, 2020, 06:34:15 AM

Login with username, password and session length

Search:     Advanced search
*
Home Help Search Login Register
f13.net  |  f13.net General Forums  |  The Gaming Graveyard  |  RIFT  |  Topic: So, I got coin locked today 0 Members and 1 Guest are viewing this topic.
Pages: [1] 2 Go Down Print
Author Topic: So, I got coin locked today  (Read 13969 times)
Cadaverine
Terracotta Army
Posts: 1643


on: March 18, 2011, 12:15:18 PM

I checked my email this afternoon, and I had an email from Trion saying my account was coin locked due to someone at a strange IP address trying to access my account. 

The email had a 5 digit number for me to enter in game, which I did.  That was that as far as the coin lock.  Wasn't terribly painful, or anything.  Though, if someone were to use the same password for their email, as they did the game, then it'd be pretty simple for whoever was trying to get at the account to bypass the coin lock.

I'm curious how they got my info, though.  Running Malwarebytes now, but aside from the combat parser from Rift Junkies, I haven't downloaded anything, or signed up to any sites related to Rift.  I hope they get their authenticator out soon, as I can only see this getting worse.

Fake edit:  After checking all my characters, I see that, despite being coin locked, all of them have been stripped of their cash.

Every normal man must be tempted at times to spit on his hands, hoist the black flag, and begin to slit throats.
Threash
Terracotta Army
Posts: 8508


Reply #1 on: March 18, 2011, 12:28:09 PM

Either they brute forced your password or you used the email/pw on a site they had access too or hacked into.  I got hacked the other night too, they responded the next day and said they would return my plat.  Real edit: i assume you DID change the pw before turning off the coin lock?

I am the .00000001428%
Draegan
Terracotta Army
Posts: 9847


Reply #2 on: March 18, 2011, 12:49:41 PM

Something strange is going on with hacked accounts.  There are people who don't use my site, don't use zam, that get hacked, people who do use my site, people who do use my parser and don't get hacked.  It's all random.

You have people who made a new email, a new password specifically for Rift and they get hacked.

I have a sneaking suspicion something is going on between the client and the servers and not anywhere else.  However I can't prove anything at all since I'm not savvy in the world of network security in any way.  My suspicion comes from a few different posts by people who seem to know what they're talking about.  But again, it's the internet, so what do I know.

I just know it has nothing to do with my parser, that's for sure.
kildorn
Terracotta Army
Posts: 5014


Reply #3 on: March 18, 2011, 12:52:51 PM

Curious: did they tell you the strange IP that connected?

If so, toss it into ARIN (or the locality it tells you to use) and see if it's near you. If not, paste the netblock info up here.
Cadaverine
Terracotta Army
Posts: 1643


Reply #4 on: March 18, 2011, 01:02:23 PM

I changed my email, and password, and went the extra mile, and used the on screen keyboard in Windows to put them in.

After checking out the Rift forums, it looks like it's possible to have an item sent to the coin locked account COD, and get the money off of it that way, which is how I assume they stripped the coin off my characters, as I was playing up until around 7 PM CST last night, after having installed the patch.  All four characters were standing at the mail box when I checked them, which none were when I logged out.

Every normal man must be tempted at times to spit on his hands, hoist the black flag, and begin to slit throats.
Cadaverine
Terracotta Army
Posts: 1643


Reply #5 on: March 18, 2011, 01:04:07 PM

Curious: did they tell you the strange IP that connected?

If so, toss it into ARIN (or the locality it tells you to use) and see if it's near you. If not, paste the netblock info up here.

Nope, it just says: "We have noticed that your account has been logged in from an unknown location. As a result, it has been put into a Coin Locked status."


Every normal man must be tempted at times to spit on his hands, hoist the black flag, and begin to slit throats.
Chimpy
Terracotta Army
Posts: 9779


WWW
Reply #6 on: March 18, 2011, 01:18:17 PM

They should never switched to email addresses being your login for the forums/game.

Accidental dissemination or theft of userlists are way too common a security breach to ignore. Being able to simultaneously brute force the game login AND the email address that is linked to the account is not good. It also gives phishers a much easier path to targeting their scams.

(Not that this has any real bearing on this coin-locked thing).


'Reality' is the only word in the language that should always be used in quotes.
lac
Terracotta Army
Posts: 1657


Reply #7 on: March 18, 2011, 01:42:17 PM

I got coin locked too today when I logged in from work - I had logged in from home before. Took about ten seconds to undo it. If they can make it watertight (none of that cod crap anymore), the IP range whitelisting looks like a good idea.

As to all the hacking going on, I've recently seen quite a lot of pc's that got infected with spyware that came in through ads provided by very legit sites, national newspapers and such. If you can buy ad space on rift related sites and use that vector to attack unpatched flash, java or browser software with tailormade trojans (a lot of people who got hacked report no antivirus warnings and people who have ran the presumed trojan through sites like www.virustotal.com say no antivirus software recognises the trojan)  you have a very sweet deal. The people who expose themselves to your exploit are very likely to have exactly the information you are looking for and that information can make you good money.

Instead of employing a sweatshop of goldfarmers, it makes more economic sense to spend a couple of thousands of dollars in a 0-day exploit auction and distribute the ready made package you bought through targeted ads aimed at your demographic of choice. You can lay off half your sweatshop and have the remainder run between banks and mailboxes while you laugh your way to the bank.

That's why coin lock is a good idea for now. It doesn't matter if you get infected or not. People can't log into your account and steal your stuff. Until they modify their trojan to bounce the connection through your pc that is why so serious?.
Abelian75
Terracotta Army
Posts: 678


Reply #8 on: March 18, 2011, 02:04:56 PM

This seriously must be a nightmare for them.  Obviously none of us have hard data, so it's all anecdotal and shit, but it really does seem like they are getting hit crazily hard by this.  Like, super-crazy hard.  And yeah, there are possible explanations... they're one of the biggest post-WoW targets, there's a large database of email/pass combinations out there undoubtedly, probably a lot of compromised WoW accounts that are authenticator enabled that never got noticed due to the authenticator protecting them, etc.  But... man.  It does seem really bad.  Really bad.

The COD thing sucks and I imagine that's why the patch today was cancelled (so that they could get that fix in there as well, given that it's actually the more important problem).
Lakov_Sanite
Terracotta Army
Posts: 7590


Reply #9 on: March 18, 2011, 02:48:46 PM

Trion entered an arms race between superpowers they didn't even know existed.

~a horrific, dark simulacrum that glares balefully at us, with evil intent.
March
Terracotta Army
Posts: 501


Reply #10 on: March 18, 2011, 04:24:23 PM

Trion entered an arms race between superpowers they didn't even know existed.
Somewhere, Mark Jacobs is preparing an internet post.
01101010
Terracotta Army
Posts: 11340

You call it an accident. I call it justice.


Reply #11 on: March 18, 2011, 04:49:10 PM

Trion entered an arms race between superpowers they didn't even know existed.
Somewhere, Mark Jacobs is preparing an internet post.

 Heart  awesome, for real

"I want to watch it all burn in an orgy of smashed Coke machines and weasel rape." - HaemishM
Comstar
Terracotta Army
Posts: 1846


WWW
Reply #12 on: March 18, 2011, 05:15:17 PM

For those of you getting coin locked..how simple was your password?

From personal work experience, all the people who got their password hacked that was attached to an email address had the following passwords:

1234
12345 (Yes, people use the same combination on their luggage).
123456
password
Same as their username.
Same as their first name or surname.
(Much less often): A word from the dictionary with no symbols, numbers or capital letters.

Once a system was set up to prevent dictionary attacks, the amount of hacked accounts dropped to near 0. I suspect Trion has not done that, but simply having a number and special character should prevent it.

That said, not having an authenticator is really dumb in Trions part. And despite being one of those "IT professionals", I'm not a high level security guy and can get hacked just as easily as anyone else.


Edit - come to think of it, I went and changed my own password too.
« Last Edit: March 18, 2011, 05:24:32 PM by Comstar »

Defending the Galaxy, from the Scum of the Universe, with nothing but a flashlight and a tshirt. We need tanks Boo, lots of tanks!
Sobelius
Terracotta Army
Posts: 761


Reply #13 on: March 18, 2011, 06:00:55 PM

It's by no means failsafe from outside attack, but I've seen network logins that *require* users to have an 8 character password, minimum, using their choice of 3 of these 4 elements:

- lowercase letter
- capital letter
- number
- special character

And on top of that, having to reset it every 60 days. Quite the pita. MMOs should have at least this much as a minimum account password requirement. (Maybe without the reset requirement.)

"I may not agree with what you have to say, but I will defend to the death your right to say it." -- Voltaire
"A world without Vin Diesel is sad." -- me
kildorn
Terracotta Army
Posts: 5014


Reply #14 on: March 18, 2011, 06:04:54 PM

MMO security is in general terrible. What I often see in them is the password submission silently lowercasing your password, so case doesn't matter, and occasionally (thankfully rare) truncating it without telling you (so only the first 8 or so characters "count")
Ice Cream Emperor
Terracotta Army
Posts: 654


Reply #15 on: March 18, 2011, 07:16:00 PM

MMO security is in general terrible. What I often see in them is the password submission silently lowercasing your password, so case doesn't matter, and occasionally (thankfully rare) truncating it without telling you (so only the first 8 or so characters "count")

When I signed up for my Trion account I tried to use a high-strength password that included the @ symbol and a bunch of numbers -- despite the fact that they let me complete the registration process (including my typing in the password twice to confirm), I could not actually log in using the password. I had to go through the 'forgot your password?' process the moment after I registered, because (as far as I can guess) their registration process had somehow altered my password significantly enough that a dozen tries later I could not guess what they had done to it (stripped out the @? replaced the numbers? changed the capitalization?) So now I have a lower-strength password for my account.
Draegan
Terracotta Army
Posts: 9847


Reply #16 on: March 18, 2011, 07:22:32 PM



http://forums.riftgame.com/showthread.php?127127-Account-Security-Discussion&p=1747442&viewfull=1#post1747442

Quote
   ATTENTION TRION - I HAVE VERIFIED THE AUTHENTICATION SYSTEM CAN BE BYPASSED, BY SUCCESSFULLY LOGGING INTO ANOTHER ACCOUNT WITHOUT NEEDING ITS CREDENTIALS.

    Just successfully logged into a friend's account (with his permission, and while he watched) without knowing his username or password, by bypassing the auth system entirely. Worse, all it took was about thirty seconds of time once I got all of the details locked down.

    I did trigger Coin Lock, but I was fully able to access that handy delete-character button, so this exploit is a griefer's dream.


    This is a huge security hole. Accounts can be accessed without needing any information at all from clients.


    I will not post details on how to do this (so don't ask), but I'm positive that I can reproduce this at will and likely on any account on the system. Someone at Trion probably needs to send me a PM, very, very quickly so we can go over the exploit's specifics and how to detect - and stop - it. (Or I could always log into a GM account and watch the fun that would ensue.)


    As an aside, this is one of those times I wish I wasn't correct about a suspicion...

« Last Edit: March 18, 2011, 07:24:12 PM by Draegan »
Ice Cream Emperor
Terracotta Army
Posts: 654


Reply #17 on: March 18, 2011, 07:28:37 PM

 ACK!

That is one appropriate graphic.

Edit: I wonder if this explains why I am getting DCed approximately every two-three hours of game time. Is anyone else getting that? Just a spontaneous, controlled DC (with a box asking if you want to reconnect or quit the game.)
« Last Edit: March 18, 2011, 07:33:19 PM by Ice Cream Emperor »
Lakov_Sanite
Terracotta Army
Posts: 7590


Reply #18 on: March 18, 2011, 07:38:51 PM

They are taking the game down now, I wonder if this is the reason.

~a horrific, dark simulacrum that glares balefully at us, with evil intent.
Nerf
Terracotta Army
Posts: 2421

The Presence of Your Vehicle Has Been Documented


Reply #19 on: March 18, 2011, 07:56:30 PM



http://forums.riftgame.com/showthread.php?127127-Account-Security-Discussion&p=1747442&viewfull=1#post1747442

Quote
   ATTENTION TRION - I HAVE VERIFIED THE AUTHENTICATION SYSTEM CAN BE BYPASSED, BY SUCCESSFULLY LOGGING INTO ANOTHER ACCOUNT WITHOUT NEEDING ITS CREDENTIALS.

    Just successfully logged into a friend's account (with his permission, and while he watched) without knowing his username or password, by bypassing the auth system entirely. Worse, all it took was about thirty seconds of time once I got all of the details locked down.

    I did trigger Coin Lock, but I was fully able to access that handy delete-character button, so this exploit is a griefer's dream.


    This is a huge security hole. Accounts can be accessed without needing any information at all from clients.


    I will not post details on how to do this (so don't ask), but I'm positive that I can reproduce this at will and likely on any account on the system. Someone at Trion probably needs to send me a PM, very, very quickly so we can go over the exploit's specifics and how to detect - and stop - it. (Or I could always log into a GM account and watch the fun that would ensue.)


    As an aside, this is one of those times I wish I wasn't correct about a suspicion...


I'm curious as to how he could login without knowing the username, maybe some client hack that lets him login with an identifier that's broadcast with each characters name ingame?
kildorn
Terracotta Army
Posts: 5014


Reply #20 on: March 18, 2011, 08:16:50 PM

I'm going to bet it's something hilarious.

Like the auth success being user/password based, but the authed user field being client side (essentially, I log in as me, get a token with the server saying we're in, and then pass it "and I'm really username X" and it runs with it.

It would explain a LOT.

But if it's something that evil, the quickie patch probably doesn't address it.

edit: reading through, it seems that's the trick, but dumber. He's using the in game character name to display the account, it seems.

edit: LOOOOL. Okay, so coinlock is also just broken.

I log out because the servers are coming down. I log back in the second they're up (was sitting on the server screen)

My account is now coinlocked. My public IP is the same. My character is in the exact same location.
« Last Edit: March 18, 2011, 08:21:24 PM by kildorn »
Cadaverine
Terracotta Army
Posts: 1643


Reply #21 on: March 18, 2011, 08:24:51 PM

My account is now coinlocked. My public IP is the same. My character is in the exact same location.

That's supposed to happen.  Just before they brought down the servers, they announced that all accounts would be coin locked after the patch.

Every normal man must be tempted at times to spit on his hands, hoist the black flag, and begin to slit throats.
Abelian75
Terracotta Army
Posts: 678


Reply #22 on: March 18, 2011, 08:40:16 PM

Wow.  This is becoming fascinating.  Without even an account name?  If true, that's nuts.  Wowza.
Threash
Terracotta Army
Posts: 8508


Reply #23 on: March 18, 2011, 08:48:58 PM

You know, there's been times ive crashed and logged back in without having to go through authorization either.

I am the .00000001428%
Comstar
Terracotta Army
Posts: 1846


WWW
Reply #24 on: March 18, 2011, 08:59:49 PM

ManWitDaPlan http://forums.riftgame.com/showthread.php?127127-Account-Security-Discussion/page69
Quote

    Okay, caught up (more or less)...

    Before I start with the sea of replies, I must shine the spotlight on some people.

    First off, if I didn't find this hole the_real_seebs would have - he was hard on the heels of this thing and it was more a matter of who found the secret handshake first. So everyone should give him kudos for also working the issue and finding the same things I did.

    Secondly, I gotta also hand out mad props to TheScoo for letting me break into his account and delete his test toon (kicking him off the game in the process), and HomeFry for helping me iron out some details and run some LAN-level tests to verify where the problem was manifesting.

    Last but certainly not least, I must also sing the praises to Trion. Most companies do their level best to hide critical security issue sand sneak in fixes. Trion responded to the news by contacting me within the hour, discussing the details in detail, and responding within minutes of getting info that they verified the issue and were expediting a solution. A couple hours later, everyone gets to try out Coin Lock and the hole is plugged with steel-reinforced concrete under twelve feet of kevlar policed by sharks with frickin' lasers on their frickin' heads.



    Okay, on to the replies - look for yours!



    Quote Originally Posted by Snarf. View Post
    Thanks for reporting this exploit.

    I hope Trion will validate that they in fact had such a hole after it is fixed.

    My alternative is spending many hours reinstalling my OS to clear any potential holes after being hacked this afternoon.

    Please post as candidly as possible when it is fixed Trion, so that those of us who were hacked won't have to go to great time and expense to "fix" systems that likely aren't broken.
    That's up to them. Obviously one won't want to expose too may details of one vulnerability in case it hides others.



    Quote Originally Posted by Siegmund View Post
    Did you do this from your computer or his? You can bypass the authentication on your own account on your own computer from time to time due to a bug but I didn't think you could do another account from your computer.
    Used mine to log into his. In theory, it would have worked on any account, probably including the accounts used by GMs and Trion staffers themselves.



    Quote Originally Posted by xtorma View Post
    Wonder how many people are going to post appologies for saying we deserved to be hacked and we should not get anything back.
    Not gonna hold my breath for that one, hahaha...



    Quote Originally Posted by atso View Post
    The security hole, does it give the hacker access to all the account information, it only allows to login into the game... in short, has all our account data been stolen?
   Please let me make it very clear that the vulnerability I found only allowed game logins and access to game characters and any assets they had. It did not, I repeat not, expose personal or billing information.




    Quote Originally Posted by Abyssus View Post
    Ok folks, its time to put your conspiracy theory and key-logging bonanzas aside for one moment and read this.

    For those who don't know, a while back Trion didn't use SSL certs(?) for logging in, this was an oversight on their behalf.

    The consequence is, the hackers probably have a large database of unencrypted email addresses and passwords from people logging into the Rift website/forum prior to the introduction of the SSL certs(?).

    Trion now has SSL certs(?) when logging in, so if you haven't already, login and change your password. After doing this, the chances of you getting hacked should be significantly lowered.

   THIS. Everyone should change their passwords right now, and to secure ones.

    BTW, the Trion crew told me that they had a lot of hacks through idiots reusing old WoW account credentials, etc. that were already known to game account thieves. If you get hacked from now on and were reusing account creds from elsewhere, you no longer have an excuse.



    Quote Originally Posted by Siegmund View Post
    I am sotra confused, can you say log into bob's account from jim's computer with this, or just bob's account from bob's computer.

    I have had bugs where you bypass the authentication on your own computer but I never tried to follow up on it with regards to a different persons account.

    Basically I am not seeing how you can access someones account from your computer.
    The exploit allowed one machine to bypass the game's normal authentication process. As a result, the exploiter can "become" any valid game account, knocking off the actual account holder if they're logged in at the time.



    Quote Originally Posted by Shaedence View Post
    Major Props to you guys, I wasn't very suprised that it wasn't the player's fault that they were hacked. It's still nice to see Trion fixing this so quickly.

    I've been hacked before (in WoW) so i know your pain. At least it'll be fixed shortly. This is prolly the best patch we could get at primetime on a Friday :P
    That's one of the reasons I gave Trion a shout-out up top - the time to fix a critical hole is now, not Monday. Sure it'll annoy some players, but if it makes a million plus game accounts safer, great.

Change your password right now.


« Last Edit: March 18, 2011, 09:04:23 PM by Comstar »

Defending the Galaxy, from the Scum of the Universe, with nothing but a flashlight and a tshirt. We need tanks Boo, lots of tanks!
Cadaverine
Terracotta Army
Posts: 1643


Reply #25 on: March 18, 2011, 10:10:45 PM

Welp, I guess that answers how the hell I got hacked.   awesome, for real

Every normal man must be tempted at times to spit on his hands, hoist the black flag, and begin to slit throats.
Lakov_Sanite
Terracotta Army
Posts: 7590


Reply #26 on: March 18, 2011, 10:59:50 PM

So on the list of bad game launch mistakes.....?

~a horrific, dark simulacrum that glares balefully at us, with evil intent.
Chimpy
Terracotta Army
Posts: 9779


WWW
Reply #27 on: March 18, 2011, 11:18:32 PM

They didn't have SSL turned on?

Really?

 ACK!

'Reality' is the only word in the language that should always be used in quotes.
Zetor
Terracotta Army
Posts: 3106


WWW
Reply #28 on: March 19, 2011, 01:28:45 AM

lolwut. It's 2011 and people are still failing Authentication 101?

Would be nice to get an official Trion statement on this, or at least a dev post. I also wonder why mmo companies don't hire firms to do security evaluations of their games... a couple of $10k is a drop in the bucket when your game's dev costs are $50mil or more.

Distinct
Terracotta Army
Posts: 17


Reply #29 on: March 19, 2011, 02:21:04 AM

My impression was that every account is/was coin locked when first logged in as a deliberate act.

Login in first time after coin lock switched on

Verify this is your normal IP location with coin lock

Carry on and never have a problem unless something bad has happened.

I use a Email address specifically created just for the game . Completely seperate from anything else. I view it more as an Off site created account name and completely removed from my public email addresses.

However I will change my password - just in case
Chimpy
Terracotta Army
Posts: 9779


WWW
Reply #30 on: March 19, 2011, 03:42:24 AM

I use a Email address specifically created just for the game . Completely seperate from anything else. I view it more as an Off site created account name and completely removed from my public email addresses.

The point is, this SHOULD NOT BE NECESSARY. What you did is basically went and independently re-created a layer of security that Trion removed for no valid reason. Any company that deals with online commerce should not be passing the account security ball to their customers in such a manner.

'Reality' is the only word in the language that should always be used in quotes.
Quinton
Terracotta Army
Posts: 3321

is saving up his raid points for a fancy board title


Reply #31 on: March 19, 2011, 04:14:31 AM

Some facts about people:
- they will often use the same username on many different websites and services
- they will often use the same password on many different websites and services
- they will often use the same email address on many different websites and services

Keeping that in mind:
- If you use the same set of credentials on N sites, you are only as secure as the weakest site you interact with.
- Most web forum systems and sites have *terrible* security implementation and practices.  I would not count on any data I provide to an arbitrary fansite or game related utility site being secure in any way.

Unless you're connecting to the Internet over open wireless transports, the likelyhood that your credentials are being sniffed by something between your computer and the computer on the far side is pretty low.  It's far more likely that you'll be compromised by a local exploit (malware, keyloggers, etc) on your machine or by poor security (passwords stored in plaintext, poor access control, unscrupulous operators, etc) on the far side.

Obviously using encrypted transports is worthwhile, but that doesn't protect you against compromised security on your machine or the remote machine -- in many cases those are far easier points of attack.

You're better off using a strong password (not a simple dictionary word, etc) than a weaker one.
You're better off never using the same password on multiple sites.
You're better off never using the same email or username on multiple sites -- because even if they're going to re-use, guess, or brute-force your password that can only work if they also have your username.
kildorn
Terracotta Army
Posts: 5014


Reply #32 on: March 19, 2011, 08:03:39 AM

You forgot "only an idiot forces the use of your email address as the username" :P

And also: "seriously, MMOs, eat the customer service costs and lock the account after 10 failed password attempts in a row. Brute force attacks should not work in 2011."
Lantyssa
Terracotta Army
Posts: 20848


Reply #33 on: March 19, 2011, 08:17:32 AM

Yeah.  I wasn't happy with that change.

Hahahaha!  I'm really good at this!
Abelian75
Terracotta Army
Posts: 678


Reply #34 on: March 19, 2011, 10:44:22 AM

It must feel pretty good to have the crazy torch-bearing hordes get off your nuts, Draegan.

That said, given the idiocy of humans, I would not be surprised to see people still say your site is dangerous.
Pages: [1] 2 Go Up Print 
f13.net  |  f13.net General Forums  |  The Gaming Graveyard  |  RIFT  |  Topic: So, I got coin locked today  
Jump to:  

Powered by SMF 1.1.10 | SMF © 2006-2009, Simple Machines LLC