
Warframe Accounts Need More Security.


Xylia

So, in the thread about Clan Leader Power, I was reading about people who are getting hacked.

 

This game is still in Beta, and it is starting to get more widely known in the months coming up to the PS4 release.

 

When the game leaves Beta and goes to Full Release, I would not be surprised if we don't see a sharp increase of hacking.

 

Right now, Warframe has very little security -- a simple Login/Password (and I think there's a security question) is all you need to grab someone's account and wreak a lot of damage to someone's account, such as joining the hacker's dojo and dumping resources into the dojo rooms then leaving the clan and leaving the victim with nothing.

 

Many games are using an Authenticator Keychain Dongle nowadays; all Blizzard games use it, Square-Enix games use it, and I've heard of others using them too.

 

They are very successful and they add a lot of security and they are incredibly hard to bypass.

 

You'd need to make it Optional, not everybody wants to spend the $6 for their keychain dongle.

 

I can't speak for all the other Masters/Grandmasters, but I certainly would. I wouldn't want some hacker to ruin my account in a few minutes and be off and on his merry way before I even knew what happened.

 

I invested a lot into this game, $250. That's a lot to invest into a Beta. I did so because I enjoy the concept of this game, as it is truly unique.

 

I don't, however, enjoy the worries that nag the back of my mind; all it takes is for one malicious javascript and you lose everything. Or it is possible to brute-force a UN/PW if you can guess someone's email address. Etc.

 

We need more Security and perhaps a better Account Recovery (the guy in the other thread said he didn't get everything back, esp the 2 million credits) as well.

 

This WILL become a problem later if we don't nip it in the bud, Now.

 

People whose accounts get destroyed by hackers are more likely to quit entirely if they can't get their hard-earned stuff back. As a game grows bigger and more well-known, it also attracts hackers and similar types of people looking to make a quick buck or to cheat and better their own progress off of someone else's hard work.

 

To the Playerbase:

 

Don't ever give your email out. Use an email that you don't give to other people (make one JUST for game logins). If you're already using your Common Email that you give other people, it is highly advised you change it if Warframe allows (I dunno, does it allow you to change your email address?).

 

Don't ever use your Warframe Username inside of your email or vice-versa. If your in-game name is JoeSchmoe, don't use 1234JoeSchmoe@gmail.com.

 

Also, use ISP-provided emails when possible, hotmail, gmail, etc are far too common and easy to guess.

 

Stay safe out there, Tenno!

 

Some of your fellow Tenno are traitors.......

Link to comment
Share on other sites

Something nice would be an IP confirmation with the Email.

If there is a change in the IP, have an email sent to the account's email address as they try to log in at that IP. The account would be locked until that IP is given permission (code is confirmed from copy-paste into confirm box) and won't be able to do anything in the Dojo, shop, or selling Arsenal weapons.

Only thing allowed would be Solo mode and rank up the equipped weapons until the IP is given permission to do anything else.

Link to comment
Share on other sites

Something nice would be an IP confirmation with the Email.

If there is a change in the IP, have an email sent to the account's email address as they try to log in at that IP. The account would be locked until that IP is given permission (code is confirmed from copy-paste into confirm box) and won't be able to do anything in the Dojo, shop, or selling Arsenal weapons.

Only thing allowed would be Solo mode and rank up the equipped weapons until the IP is given permission to do anything else.

I think something similar is used for Steam accounts, and it seems to work well.

Link to comment
Share on other sites

I did notice one suggestion in that thread I agree with, and that's authenticators; my sister and her husband have the Blizzard keyfob authenticators for their battle.net accounts, and I have the same deal, but mine is on my iPad and iTouch.

 

Also I feel that Warframe should not only tie to Steam accounts and have an "Authorized computer" iTunes-like feature, that has a very small number of computers/IPs that are authorized to even log onto Warframe, without a two step authorization.  Also, in the military I have to reset my password on my AKO account every one to three months, and I know Microsoft's account system does the same thing. This would be great for Warframe.

 

 

But in the meantime, people need to learn how to use stronger passwords. 

Here are the requirements for AKO passwords:

"The requirements for an AKO password are stringent; a password must contain at least two uppercase letters, two lowercase letters, two numbers, and two special characters. Passwords expire every 150 days, and may not be replaced by any password used the previous ten times. As of July 2010, if accessed without a CAC, users are also required to answer three out of fifteen personal questions of their own choosing in order to further validate that the legitimate user is trying to access the site"

 

If Warframe does adopt the rotating password requirement, they should also do a similar requirement to AKO, where you can't use the same password as the last ten passwords.

Edited by Weird_Stealth
Link to comment
Share on other sites

A two-step Authorization for different computers/IP addresses could work too.

 

That way they'd need both your Warframe Login AND your Email Login at the same time.

 

Authenticators would work the best but I think there are licensing fees, sadly.

 

But a two-step "If you log in from a different computer, you have to open your email and authorize it" would be fairly effective too.

Link to comment
Share on other sites

The game by Jagex "RuneScape" had a feature where you enter your ISP and/or IP  so that if an alternate IP tried to access your account it would lock your account down until you confirmed it was your IP or until you unlocked it with your security information.  It also allowed for multiple IPs to be associated with the account for multiple computer owners/users.

 

This system worked flawlessly unless you gave away your information, in which case it failed.

 

If this were implemented into the game it would go a long way to prevent hacking in malicious ways. The only way to get hacked is if you give away your info.

Link to comment
Share on other sites

Authenticators would work the best but I think there are licensing fees, sadly.

Maybe, but where they have their foot in the door with Valve and Steam, and they are going to release Warframe on the PS4, they might find a way to clear some of that red tape.

Link to comment
Share on other sites

The game by Jagex "RuneScape" had a feature where you enter your ISP and/or IP  so that if an alternate IP tried to access your account it would lock your account down until you confirmed it was your IP or until you unlocked it with your security information.  It also allowed for multiple IPs to be associated with the account for multiple computer owners/users.

 

This system worked flawlessly unless you gave away your information, in which case it failed.

 

If this were implemented into the game it would go a long way to prevent hacking in malicious ways. The only way to get hacked is if you give away your info.

I've heard of that, and though that is a very good way to keep accounts safe, I'd still feel safer if there was a secondary means of authenticating your actions.

Link to comment
Share on other sites

It is not really that hard to make your own authenticator, which wouldn't require any licensing fees. 

 

Just set an authentication email address or phone number to your account, then "log into" your account. The Server makes an Authentication code, sends it to the private email address or phone number. The player then enters the Authentication code. Badabing badaboom, you've got yourself an Authentication system.

 

Of course, you'd want to make sure that it couldn't be intercepted as well, but the viruses and screenloggers running on your computer are your own business to take care of.

Edited by Azure_Kyte
Link to comment
Share on other sites

When the game leaves Beta and goes to Full Release, I would not be surprised if we don't see a sharp increase of hacking.

 

Right now, Warframe has very little security -- a simple Login/Password (and I think there's a security question) is all you need to grab someone's account and wreak a lot of damage to someone's account, such as joining the hacker's dojo and dumping resources into the dojo rooms then leaving the clan and leaving the victim with nothing.

 

Many games are using an Authenticator Keychain Dongle nowadays; all Blizzard games use it, Square-Enix games use it, and I've heard of others using them too.

 

They are very successful and they add a lot of security and they are incredibly hard to bypass.

 

I use an authenticator for my Paypal account and it can be a pita at times.  Any game that forces this added security on me will prompt me to rage quit. Do whatever you want to protect the noobs but please make it optional as I have enough crap to manage as it is. In fact they added some stupid security thing to Vindictus which was mandatory and it was part of the reason I quit playing. Many of us have way too many passwords and security hoops we need to maintain and use on a daily basis. I have my mobile related crap, bank accounts, credit cards, various forums, game sites like Steam, Origin, Gamespot, MMORPG.com, shopping sites like Newegg, Amazon, Walmart and the list of online stores I buy from goes on for miles. In fact if not for KeePass managing it all for me I would have probably rage quit real life by now.

 

Furthermore I see no real point to have tons of security in this game. I spent hundreds buying WOW gold having played for almost six years. Many of my items were of real dollar value. But I never used an authenticator and never once got hacked. I actually got to know and crafted items for Chinese farmers which brought me a steady supply of legit gold. Course not all players are as smart as me and many might actually need their hand held. But then again you cannot and should not even try to compare this game to blockbuster MMO's. There is nothing in this game worth hacking an account for really. You can't trade or gift items so there is little for the hackers to gain. Even if they implemented a trade system the items still won't be of enough value to make it worth hacking accounts on a large scale. There will always be idiots who download fake hacks and claim they got hacked. I don't download crapware, hacks, cheats and my accounts have never once been compromised so honestly I don't feel sorry for people who do get compromised.

Link to comment
Share on other sites

Furthermore I see no real point to have tons of security in this game. I spent hundreds buying WOW gold having played for almost six years. Many of my items were of real dollar value. But I never used an authenticator and never once got hacked. I actually got to know and crafted items for Chinese farmers which brought me a steady supply of legit gold. Course not all players are as smart as me and many might actually need their hand held.

 

So.........you support(ed) hackers.

 

That's nice.

 

*rolls eyes*

 

You know where the "Gold Farmers" get 90% of their gold, right? They get it from...... *drumroll*.......hacked accounts. People like you are the reason there are hackers in WoW in the first place. You buy their gold for real money, and give them a business. They get their gold by stealing it from hacked accounts.

 

But then I'm quite sure you've been told this before.

 

But yeah, you're part of the problem with the hacking going on everywhere.

 

And LOL. You buy WoW Gold? That's rich. What, doing 10min of questing every now and then is too hard for you or something?

Link to comment
Share on other sites

So.........you support(ed) hackers.

 

You know where the "Gold Farmers" get 90% of their gold, right? They get it from...... *drumroll*.......hacked accounts. People like you are the reason there are hackers in WoW in the first place. You buy their gold for real money, and give them a business. They get their gold by stealing it from hacked accounts.

 

Yes in Vanilla I bought gold to buy uber rare world drops like many others. At that point in time for the average guy with a JOB gold was not so farmable as it became once Vivendi took over and made EZ mode gold farming available to noobs.

 

FYI (the real truth) not all farmers are Chinese nor do they need to hack accounts. The people I bought from were not hackers and sometimes it would take them a day or two to cover my orders because they actually farmed. In fact I knew a few people from guilds I was in who would also farm from time to time and actually sold gold to resellers which they in turn used to cover their sub fees. And here you are buying Plat yourself as it's become totally acceptable to buy your way in just because the developers are selling rather than farmers. But if I would have bought my gold from Blizzard directly I bet you would have had zero problem with that. And truth be told Blizzard did not like the idea of external sources controlling their economy so they painted people like me as big bad gold buyers.

 

Yes there are people in China and other places who hack accounts except they don't actually hack anything. In the majority of cases players fall right into their web and openly provide them access to their accounts. These are the players who download fake hacks, fake beta keys and opt into things that most of us know aren't legit. These people play on stupidity and greed which in the majority of cases those who get hacked will never admit how it really happened. These farmers don't just sit there and attempt to crack passwords all day because it's a total waste of time. Still some people are clueless enough to believe that farmers actually need to break into accounts. I mean seriously there are endless suckers handing over their password in exchange for cheap power leveling.

 

And then there is my belief because any WOW veteran knows how much the so called hackers could get away with. They could spam the same website for 3-4 months before it would be filtered in the chat. In fact there were many clues that should tell you Blizzard had a hand in the action. Just think about it some of the biggest fan sites like Wowhead and Allakhazam were bought up by the biggest virtual currency broker on the planet and began planting key loggers in no time. Never once did Blizzard warn players to stay clear of these sites that were known to be infecting the masses. Instead they just sent out newsletters or made posts on the forums stating how it's your job to secure blah blah and be careful blah blah. You can believe there were people at the top of Blizzard who were getting paid or else they would have patched the many exploits like teleportation scripts that farmers used to farm super rare boss drops.

 

Oh and drum roll please.. you don't have a clue where the majority of gold comes from. But let me give you a hint as many players would farm for days to afford a crappy BOE Epic (zomg purplez) that was being sold well beyond its REAL value. The entire BOE market was inflated by players since day one which is what created the need for players to actually buy gold. In fact NOBODY could afford a 500g staff back in Vanilla (but many did) unless they were either exploiting or buying gold. Just the opposite in GW2 they tried to counter the need for gold buying to the point everything in that game is totally worthless.

Link to comment
Share on other sites

Wait, so having a password that would make a nuclear launch code jealous is not the norm?

 

 

My motto for passwords is if it can be memorized and/or typed under 15 seconds, it is not a strong enough password.  

 

lol

 

On topic, I don't feel that paying even more for a f2p game account would be something worthwhile for many. Another issue with a two-step process would be how safely DE can store that extra data to keep it safe from hackers. Having to put phone # or more email addresses could make the devs a bigger target in order to affect many. (yes, I know. Nothing is "hack-proof")

Edited by Vitalidad
Link to comment
Share on other sites

Wait, so having a password that would make a nuclear launch code jealous is not the norm?

 

 

My motto for passwords is if it can be memorized and/or typed under 15 seconds, it is not a strong enough password.  

 

lol

 

On topic, I don't feel that paying even more for a f2p game account would be something worthwhile for many. Another issue with a two-step process would be how safely DE can store that extra data to keep it safe from hackers. Having to put phone # or more email addresses could make the devs a bigger target in order to affect many. (yes, I know. Nothing is "hack-proof")

 

A 2-Step Authentication doesn't necessarily need more of your personal data.

 

All it needs to do is send out an Email with a Verification Code anytime someone attempts to log onto Warframe from a different ISP. Your ISP info comes with any data you send on the internet, and is easily seen by the server. Therefore, if the ISP changes, the game will block the person from logging on until a verification email is sent out. The game will simply tell you to "Check your email to verify this login".

 

When you open your email, there's either a code, or a link you click to verify the new ISP.

 

If a hacker tries to get your account, you'll know about it instantly, because your account will be temporarily locked until that email is answered. When you attempt to log on the next time after this happens, the game will tell you to check your email. When you check your email, you'll see the code and the link.

 

Also in the email, would be a Password Reset in case you did not attempt to log on from a different ISP. Also in the email would be the IP Address and ISP that attempted to log into the game, that you could send with a ticket to help DE track hackers and people who try to gain unauthorized access to accounts.

 

All of this is done without giving away any more of your personal info, and none of this can be bypassed unless a hacker also has access to your email account.

Link to comment
Share on other sites
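The email-code check for logins from an unrecognised network, as proposed in the posts above, sketched as an added example (not part of any post and not Warframe's or DE's code). The /24 network grouping, 15-minute expiry, five-guess limit and the action names are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
import secrets
import time

CODE_TTL = 15 * 60      # assumed lifetime of an emailed code, in seconds
MAX_ATTEMPTS = 5        # assumed number of guesses allowed per code
# Hypothetical action names: what a not-yet-verified session may do
# (solo play and ranking up only, as suggested in the thread).
RESTRICTED_ACTIONS = {"solo_mission", "rank_up"}


def network_of(ip):
    """Group addresses coarsely (/24 for IPv4, /48 for IPv6) so that a
    routine DHCP change inside one ISP range does not trigger a challenge."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def can_do(level, action):
    """'full' sessions may do anything; 'restricted' ones only safe actions."""
    return level == "full" or action in RESTRICTED_ACTIONS


def _hash(code):
    # Store only a digest, so a database leak does not reveal live codes.
    return hashlib.sha256(code.encode()).hexdigest()


class Account:
    def __init__(self, email, first_ip):
        self.email = email
        self.trusted = {network_of(first_ip)}
        self.pending = {}   # network -> [code_hash, expires_at, attempts_left]


class LoginGate:
    def __init__(self, send_mail, clock=time.time):
        self.send_mail = send_mail   # callable(to, body), supplied by caller
        self.clock = clock

    def login(self, account, ip):
        """Call only after the password check has already succeeded
        (and has its own rate limit). Returns 'full' or 'restricted'."""
        net = network_of(ip)
        if net in account.trusted:
            return "full"
        code = f"{secrets.randbelow(10**8):08d}"   # CSPRNG, 8 digits
        account.pending[net] = [_hash(code), self.clock() + CODE_TTL,
                                MAX_ATTEMPTS]
        # The mail names the address so the owner can report it.
        self.send_mail(account.email, f"Login attempt from {ip}. Code: {code}")
        return "restricted"

    def confirm(self, account, ip, code):
        """Trust the network only if the code is correct, unexpired and
        the guess budget is not used up. Codes are single-use."""
        net = network_of(ip)
        entry = account.pending.get(net)
        if entry is None:
            return False
        code_hash, expires_at, attempts_left = entry
        if self.clock() > expires_at or attempts_left <= 0:
            del account.pending[net]
            return False
        entry[2] -= 1
        if not hmac.compare_digest(code_hash, _hash(code)):
            return False
        del account.pending[net]
        account.trusted.add(net)
        return True
```
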

Also, re: 2 factor identification, there are also versions for smartphones and whatnot, though as noted I don't know to what extent they require licensing fees. They certainly don't require making the little plastic thing.

 

Also I do agree with the bit about the ISP email thing; note it doesn't come up unless something strange has happened, and therefore isn't an undue burden unless you have issues with frequent IP address changes. That of course might be an issue in regions which have heavy internet cafe use, but they have their own set of issues/solutions that must be addressed, and I can only speak of the home/occasional travel user personally.

Link to comment
Share on other sites

Yes in Vanilla I bought gold to buy uber rare world drops like many others. At that point in time for the average guy with a JOB gold was not so farmable as it became once Vivendi took over and made EZ mode gold farming available to noobs.

 

So basically, what you're saying is that Vivendi turned it into "EZ Mode" but yet before that you had to buy gold and there was no in-between, right? Isn't that kinda the same thing? Seems to me, even "EZ Mode" gold acquisition is more effort than buying gold which takes no work whatsoever and is risking yourself a ban.

 

You couldn't handle the "challenge" in farming gold, you just bought it. That means you were lazy.

 

 

 

FYI (the real truth) not all farmers are Chinese nor do they need to hack accounts. The people I bought from were not hackers and sometimes it would take them a day or two to cover my orders because they actually farmed. In fact I knew a few people from guilds I was in who would also farm from time to time and actually sold gold to resellers which they in turn used to cover their sub fees. And here you are buying Plat yourself as it's become totally acceptable to buy your way in just because the developers are selling rather than farmers. But if I would have bought my gold from Blizzard directly I bet you would have had zero problem with that. And truth be told Blizzard did not like the idea of external sources controlling their economy so they painted people like me as big bad gold buyers.

 

Once upon a time, there were gold farmers. Nowadays it is simply easier to just hack. Back when WoW first started, you didn't have Javascripts on every freaking webpage on the internet. Now, in 2013, every webpage has some sort of Javascript, and NoScript is pretty much required on the internet today. These days, getting infected with Malware and Keyloggers is a lot easier to do. Maybe you didn't buy gold RECENTLY, but you still contributed to the rise of RMT in WoW by buying gold back then. If nobody bought gold, then there wouldn't BE a gold market.

 

And BTW, the "EZ Mode" gold acquisition is part of the reason why you rarely see gold spam in WoW these days. Once in awhile they try it, but everybody just laughs at them, and the few idiots who do actually buy gold (seriously, 30k for $25 or something like that? Really? 30k is easy to make and isn't worth no $25) are either caught (they are a bit quicker about catching that lately) or they get hacked. That's right, go to their website to buy gold (which has malicious javascript) and then get hacked so they can steal the gold right back. Yes, they do that. They also sell powerleveling services.... don't understand why anybody is stupid enough to actually use these, but those who do quickly find out later that they wait until you amass a good amount of money and then they simply steal your account later on down the road.

 

 

 

Yes there are people in China and other places who hack accounts except they don't actually hack anything. In the majority of cases players fall right into their web and openly provide them access to their accounts. These are the players who download fake hacks, fake beta keys and opt into things that most of us know aren't legit. These people play on stupidity and greed which in the majority of cases those who get hacked will never admit how it really happened. These farmers don't just sit there and attempt to crack passwords all day because it's a total waste of time. Still some people are clueless enough to believe that farmers actually need to break into accounts. I mean seriously there are endless suckers handing over their password in exchange for cheap power leveling.

 

Back then, maybe. Today, read above.

 

 

 

And then there is my belief because any WOW veteran knows how much the so called hackers could get away with. They could spam the same website for 3-4 months before it would be filtered in the chat. In fact there were many clues that should tell you Blizzard had a hand in the action. Just think about it some of the biggest fan sites like Wowhead and Allakhazam were bought up by the biggest virtual currency broker on the planet and began planting key loggers in no time. Never once did Blizzard warn players to stay clear of these sites that were known to be infecting the masses. Instead they just sent out newsletters or made posts on the forums stating how it's your job to secure blah blah and be careful blah blah. You can believe there were people at the top of Blizzard who were getting paid or else they would have patched the many exploits like teleportation scripts that farmers used to farm super rare boss drops.

 

Tinfoil hat much? Seriously. I used (and still do use) Wowhead and Allakhazam regularly and I've never been hacked. And the infectious code was coming from AdServe scripts, not the actual website, except for, I think 1-2 times. In all instances, the website was hacked into and they took it down and removed the code within hours.

 

 

 

Oh and drum roll please.. you don't have a clue where the majority of gold comes from. But let me give you a hint as many players would farm for days to afford a crappy BOE Epic (zomg purplez) that was being sold well beyond its REAL value. The entire BOE market was inflated by players since day one which is what created the need for players to actually buy gold. In fact NOBODY could afford a 500g staff back in Vanilla (but many did) unless they were either exploiting or buying gold. Just the opposite in GW2 they tried to counter the need for gold buying to the point everything in that game is totally worthless.

 

So, basically, you were too lazy to get those "OMG Purplez" the right way (raiding) but yet you wanted the stuff that you didn't deserve so you went out and bought gold to buy these purplez. You, and everybody else who bought gold.

 

What I don't understand, is the mentality of playing a game, and then cheating (yes, gold buying is cheating, just like using a cheat code to give you infinite money in a J-RPG) to circumvent a large portion of the game.

 

BoE Epics too expensive? Don't buy them.

 

It is as simple as that.

 

For example, right now, I'd love to buy a Lionheart Champion. They routinely go for 12k+ gold. There's one on the AH right now for 17,999. I have at least 184k across my characters.

 

Am I going to buy it?

 

Heck no. I'll wait until someone sticks one up for a reasonable price. 12-14k sounds fair. Usually what happens is that these idiots selling them for 18k wait until they end up in their mailbox a couple days and then they'll go "blah I already wasted 20 gold in listing fees... I'll lower the price some" and eventually it ends up in the 12-14k range and one of us blacksmiths will buy it.

 

Buying gold and buying the item regardless of what it costs only contributes to the inflation of the market (those who buy gold have no respect for the gold's value in most cases because they can always buy more gold). Gold buyers have only themselves to blame when they complain about BoE Epics being too expensive. Well if you guys wouldn't spend that much in the first place, the sellers would be forced to lower their prices.

 

And lastly.... (sorry about long post)....

 

 

 

And truth be told Blizzard did not like the idea of external sources controlling their economy so they painted people like me as big bad gold buyers.

 

Blizzard (along with other companies like Square-Enix who had their massive fight against the same Chinese Companies) do not like "gold buyers" (aka RMT) because the companies doing it usually use exploits, hacking, and other things that go against the Terms of Service. It also disrupts game balance (these items are SUPPOSED to be hard to get!), it disrupts the in-game market (inflation, there was a time when in FFXI, gil was nearly worthless because of the rampant RMT until they cracked down on it. Then there was a MASSIVE deflation of the market), and it makes legitimate players feel like they are not on a fair playing ground when people who are buying in-game currency have an advantage.

 

This is why Blizzard (and other MMO companies) hate Real-Money Trading unless the game was designed and balanced around it and the company themselves supplies the goods (Warframe, other F2P and/or P2W games).

 

EDIT: One more thing, again apologies for huge post... Most Legitimate Players dislike gold buyers because we see them as Cheaters, Lazy People, Self-Entitled, People with no respect for the game itself, gold buyers also oftentimes have horrible attitudes towards other players, and we know what kind of damage gold buyers are doing to the market, making things harder for Us to get.

Edited by Xylia
Link to comment
Share on other sites
