GOA subscriptions security weaknesses

GReaper

Part of the furniture
Joined
Dec 22, 2003
Messages
1,983
As [thread=197345]Elkie's thread[/thread] and quite a few others have seen in the past, some account hackers use weaknesses in other email hosts to get a new password generated for the account.

Why does GOA rely on a system to send passwords and other account details by email? All it takes is someone to figure out an easy password for an account, or use a password reset and find an easy question (favourite football team, birthplace), then they've got the email account. Once they've got the email account they can generate new passwords for the DAoC account very easily.

I have no idea how many accounts have been hacked in this way (only GOA will know), it might not even be that many. I know it's not a direct problem with GOA's systems, but relying on the security of email to instantly send password resets and game passwords probably isn't the best idea.

Am I just being paranoid or is this something that GOA should be more concerned about? :p
 

Aeris

Fledgling Freddie
Joined
Jul 3, 2004
Messages
614
well when it happened to me yesterday i was shocked that it was just so easy to say i forgot my password and voila you got a new one supplied to the email....i guess goa trusts you to have a secure email.....
 

Azathrim

Fledgling Freddie
Joined
Dec 31, 2003
Messages
1,802
Which seems like a fair assumption really.

Next thing, people will start to complain about their computers being hacked and a key logger being installed to catch the passwords.

What is most secure: Your windows box or a hotmail account? ;)
 

Aeris

Fledgling Freddie
Joined
Jul 3, 2004
Messages
614
yeah i agree its a fair assumption, but they could at least stick a security question on the forgot password section.. not just enter email and boom
 

UndyingAngel

Can't get enough of FH
Joined
Jan 21, 2004
Messages
1,957
Aeris said:
yeah i agree its a fair assumption, but they could at least stick a security question on the forgot password section.. not just enter email and boom


Whatever happened to the secret word we had to supply when we first opened our accounts many years ago :eek:
 

[HB]Jpeg

Loyal Freddie
Joined
Jan 22, 2005
Messages
420
GReaper said:
As [thread=197345]Elkie's thread[/thread] and quite a few others have seen in the past, some account hackers use weaknesses in other email hosts to get a new password generated for the account.

Why does GOA rely on a system to send passwords and other account details by email? All it takes is someone to figure out an easy password for an account, or use a password reset and find an easy question (favourite football team, birthplace), then they've got the email account. Once they've got the email account they can generate new passwords for the DAoC account very easily.

I have no idea how many accounts have been hacked in this way (only GOA will know), it might not even be that many. I know it's not a direct problem with GOA's systems, but relying on the security of email to instantly send password resets and game passwords probably isn't the best idea.

Am I just being paranoid or is this something that GOA should be more concerned about? :p


i cant see how any1 can hold GOA responsible for people getting their passwords etc stolen.

in many cases it's the person's own fault... sometimes their email acc is hacked...

can any1 think of another way their passwords can be sent cheaply ?

snail mail is too slow! (activate cd's and then wait 2-5 days for snail mail isnt acceptable imo)

goa phoning you to give you the information on the phone would cost a lot of money due to them having to have a telephone support person available 24/7 to give people quick passwords etc.


the security different email clients have for their customers is not goa's fault
its places like bt, hotmail, msn and aol and lots of other clients u need to ask these security questions about.. not goa.


regardless of how people were to receive their passwords... there are still gonna be people posting threads about how they got their acc hacked.
 

GimmlyPublic Enemy#1

Guest
People are idiots and still have their daoc accounts registered on their msn e-mail account. That alone is a serious bad combo, Aeris you didn't get hacked by that e-mail its impossible, its the usual social engineering to get people to give up info or guess their stupid secret questions i.e like "what is my last name"
 

UndyingAngel

Can't get enough of FH
Joined
Jan 21, 2004
Messages
1,957
GimmlyPublic Enemy#1 said:
Join Date: 29th May 2006
Posts: 0


you joined the forum today just to write abuse ? well tbh fuck off back where you came from.
 

soze

I am a FH squatter
Joined
Jan 22, 2004
Messages
12,508
Isn't the email me my password just the support password? I did not think you could reset the game password without logging onto the sub page needing the sub logon and i dont think RN will reset that without game codes etc?

Unless i have missed another password reset page.
 

UndyingAngel

Can't get enough of FH
Joined
Jan 21, 2004
Messages
1,957
soze said:
Isn't the email me my password just the support password? I did not think you could reset the game password without logging onto the sub page needing the sub logon and i dont think RN will reset that without game codes etc?

Unless i have missed another password reset page.

you can go to the sub page, and click on the forgotten password and enter the email of the account, this will then send you an e-mail with a link which will then reset your subscription password, at this point you can do anything with the account you want, but you have to have access to the person's inbox. tbh people should just stop using Hotmail etc and get an ISP Email and if your ISP doesn't provide the option I would defo change ISP.
 

Elkie

Can't get enough of FH
Joined
Nov 25, 2004
Messages
2,621
for the record i'll say it again, my daoc pwrds aint even on the computer
 

GimmlyPublic Enemy#1

Guest
UndyingAngel said:
you joined the forum today just to write abuse ? well tbh fuck off back where you came from.
No I didn't and that's not abuse, it's reality. You want abuse? Fuck off and get a life ginger man.
 

UndyingAngel

Can't get enough of FH
Joined
Jan 21, 2004
Messages
1,957
GimmlyPublic Enemy#1 said:
Fuck off and get a life ginger man.

wow, that abuse really hurt me I think I might go crawl in a corner and start crying any minute now.
 

GimmlyPublic Enemy#1

Guest
UndyingAngel said:
wow, that abuse really hurt me I think I might go crawl in a corner and start crying any minute now.
I would if I was as ugly as you are, quite possibly the ugliest thing I have seen.
 

soze

I am a FH squatter
Joined
Jan 22, 2004
Messages
12,508
UndyingAngel said:
you can go to the sub page, and click on the forgotten password and enter the email of the account, this will then send you an e-mail with a link which will then reset your subscription password, at this point you can do anything with the account you want, but you have to have access to the person's inbox. tbh people should just stop using Hotmail etc and get an ISP Email and if your ISP doesn't provide the option I would defo change ISP.

Ok thanks.
 

Mey

Part of the furniture
Joined
Apr 9, 2005
Messages
4,252
If bans get handed out because of this thread, i would like to see the mods ban Undyingangel also, for provoking a response that could be seen as trollish.
 

UndyingAngel

Can't get enough of FH
Joined
Jan 21, 2004
Messages
1,957
Mey said:
If bans get handed out because of this thread, i would like to see the mods ban Undyingangel also, for provoking a response that could be seen as trollish.

tbh, I couldn't care less but your reply was nothing more than just trolling through the forums and giving your opinion so I don't see the difference ?
 

Alan

Fledgling Freddie
Joined
Aug 3, 2004
Messages
3,972
GimmlyPublic Enemy#1 said:
People are idiots and still have their daoc accounts registered on their msn e-mail account. That alone is a serious bad combo, Aeris you didn't get hacked by that e-mail its impossible, its the usual social engineering to get people to give up info or guess their stupid secret questions i.e like "what is my last name"


Do you think that returning to the forums and posting is acceptable after your original account here was banned.

Me neither - now fuck off to bancity. :twak:
 

UndyingAngel

Can't get enough of FH
Joined
Jan 21, 2004
Messages
1,957
Tears said:
Do you think that returning to the forums and posting is acceptable after your original account here was banned.

Me neither - now fuck off to bancity. :twak:

<3 <3
 

Tilda

Moderator
Joined
Dec 22, 2003
Messages
5,755
tbh let's delete the website altogether.
Accounts will be paid for by direct debit, or by a cheque or postal order.
Account passwords will be posted, or if you pay extra, carried by courier to your door.
Chronicles info will be published in a yearly stats book.
I call this process modernisation! <smerk>
 

Pirkel

Fledgling Freddie
Joined
Sep 13, 2005
Messages
1,888
Tilda said:
tbh let's delete the website altogether.
Accounts will be paid for by direct debit, or by a cheque or postal order.
Account passwords will be posted, or if you pay extra, carried by courier to your door.
Chronicles info will be published in a yearly stats book.
I call this process modernisation! <smerk>

:worthy:
 

GReaper

Part of the furniture
Joined
Dec 22, 2003
Messages
1,983
GOA could at least add a basic verification question before sending a password reset mail though, something to stop the mails being instantly sent. Maybe block some of the problematic email providers (hotmail).
 

LordjOX

Part of the furniture
Joined
Dec 22, 2003
Messages
3,886
The system used for subscriptions is handled through the login client on the US version. works like a charm imo. And the secret word is used to change password etc, but ofc you don't give acc details away
 

Flimgoblin

It's my birthday today!
Joined
Dec 24, 2003
Messages
8,324
GReaper said:
GOA could at least add a basic verification question before sending a password reset mail though, something to stop the mails being instantly sent. Maybe block some of the problematic email providers (hotmail).

so then all you need is two "What is my favourite colour?" questions to hack an account on hotmail instead of the one.
 

Ingafgrinn Macabre

Can't get enough of FH
Joined
Jan 4, 2004
Messages
3,155
I guess this is what happened..

Dude requests new passwords on hotmail email addresses from people on this site
Dude "hacks" into those hotmail addresses and follows the link in the goa email messages receiving the new passwords
Dude adds those hotmail people on msn
Dude asks if they had mail from Goa yadda yadda


This to me seems the most logical way to approach this.. but then again, who said this guy acts logically and that my logic is correct...


I just hope for those affected that you get your accounts and stuff back, and that the dude doing this gets some serious attention from the cops...


[EDIT] bah, wrong thread :p should've been elkie's thread :/
 

Howley

Fledgling Freddie
Joined
Sep 8, 2004
Messages
1,257
imo it is too easy to get new passwords ... and ye some emails might be a bad choice but goa can help us keep our accounts secure by changing their system a little bit ? like having a little box underneath the forgot my password box, this box will let u key in ur cd key(s) which verifies that the acc is in fact urs and ofc people .. never ever have ur subs / ingame p/w / or deffo ur cd keys saved on ur computer !
 

Flimgoblin

It's my birthday today!
Joined
Dec 24, 2003
Messages
8,324
Ingafgrinn Macabre said:
I guess this is what happened..

Dude requests new passwords on hotmail email addresses from people on this site
Dude "hacks" into those hotmail addresses and follows the link in the goa email messages receiving the new passwords
Dude adds those hotmail people on msn
Dude asks if they had mail from Goa yadda yadda


This to me seems the most logical way to approach this.. but then again, who said this guy acts logically and that my logic is correct...


I just hope for those affected that you get your accounts and stuff back, and that the dude doing this gets some serious attention from the cops...


[EDIT] bah, wrong thread :p should've been elkie's thread :/

Guessing it's more:

Dude sees msn.
Dude requests password to msn address.
Dude asks people if they got message from GOA and implies it's haxxor!
He then asks for the link (easy time of it if they respond - voila one password).
Failing that if they said they did have the email then he knows that the hotmail account is worth haxxing, so uses the password recovery tool for hotmail and if it's a reasonably easy question - baddabing one account.
 

Ivynoxia

One of Freddy's beloved
Joined
Dec 23, 2003
Messages
569
Ingafgrinn Macabre said:
I guess this is what happened..

Dude requests new passwords on hotmail email addresses from people on this site
Dude "hacks" into those hotmail addresses and follows the link in the goa email messages receiving the new passwords
Dude adds those hotmail people on msn
Dude asks if they had mail from Goa yadda yadda

This to me seems the most logical way to approach this.. but then again, who said this guy acts logically and that my logic is correct...

I have the same theory. I study Computer Science at uni, second year now and I've actually seen a hotmail hack done before, there's a hard way and an easy way (easy if u can get physical access to the machine), any web mail login that has the option of remembering your password for next time is vulnerable. I won't go into the details but if you are really interested it's just a few google clicks away with the right search words.

To be honest the reset password step should take more than just an email that matches in the database, you can easily bruteforce a system like that. It's lazy and unprofessional programming for a system that should require many more security checks. Secret question, request confirmations and safety delays.

Flimgoblin said:
Guessing it's more:

Dude sees msn.
Dude requests password to msn address.
Dude asks people if they got message from GOA and implies it's haxxor!
He then asks for the link (easy time of it if they respond - voila one password).
Failing that if they said they did have the email then he knows that the hotmail account is worth haxxing, so uses the password recovery tool for hotmail and if it's a reasonably easy question - baddabing one account.

Yeah if they give the link then it's the super easy way :p hehe @ password recovering tool.. is there actually one out there? :O i guess it's just a program that tries every word in a dictionary .. but that's too slow to get in, the link expires in 1 hour.
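The thread describes the weak flow (enter the account's email, a reset link is mailed instantly) and several posters suggest what a better one would need: a second factor such as the CD key, a throttle or "safety delay", and a link that expires after an hour and works once. Below is an added example, written for this page and not code from GOA or from anyone in the thread, of both flows side by side. The account data, the policy numbers (three requests per day) and the use of the CD key as the extra factor are assumptions; the one-hour link lifetime comes from the post above.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed policy values (not GOA's real settings): the one-hour link is mentioned
# in the thread, the request throttle and its window are made up for the example.
TOKEN_TTL_SECONDS = 3600
MAX_REQUESTS_PER_WINDOW = 3
WINDOW_SECONDS = 24 * 3600


def hash_secret(value: str) -> str:
    """Only hashes of tokens and CD keys are stored, so a database read does not leak them."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


@dataclass
class Account:
    email: str
    cd_key_hash: str   # hash of the CD key supplied at registration (constructed sample data)
    password: str


@dataclass
class PendingReset:
    token_hash: str
    expires_at: float
    used: bool = False


def weak_request_reset(accounts: dict, email: str):
    """The flow described in the thread: any address that exists gets a reset link straight away."""
    return secrets.token_urlsafe(32) if email.lower() in accounts else None


class ResetService:
    """Hardened flow: extra verification factor, throttling, time-limited single-use token."""

    def __init__(self, accounts, now=time.time):
        self.accounts = {a.email.lower(): a for a in accounts}
        self.now = now                 # injectable clock so expiry can be exercised offline
        self.pending = {}              # email -> PendingReset
        self.request_log = {}          # email -> timestamps of recent requests

    def request_reset(self, email: str, cd_key: str):
        """Step 1: returns the raw token that would go into the e-mail link, or None."""
        email = email.lower()
        account = self.accounts.get(email)
        # Unknown address and wrong CD key both end the same way: nothing is sent
        if account is None or not hmac.compare_digest(hash_secret(cd_key), account.cd_key_hash):
            return None
        now = self.now()
        recent = [t for t in self.request_log.get(email, []) if now - t < WINDOW_SECONDS]
        if len(recent) >= MAX_REQUESTS_PER_WINDOW:
            return None                # safety delay: too many requests in the window
        recent.append(now)
        self.request_log[email] = recent
        token = secrets.token_urlsafe(32)
        # A new request replaces any earlier pending token for the account
        self.pending[email] = PendingReset(hash_secret(token), now + TOKEN_TTL_SECONDS)
        return token

    def complete_reset(self, email: str, token: str, new_password: str) -> bool:
        """Step 2: the link is followed. Token must match, be unexpired and unused."""
        email = email.lower()
        pending = self.pending.get(email)
        if pending is None or pending.used or self.now() > pending.expires_at:
            return False
        if not hmac.compare_digest(hash_secret(token), pending.token_hash):
            return False
        pending.used = True
        self.accounts[email].password = new_password
        return True


def demo() -> dict:
    """Walks the hardened flow with a fake clock; returns the outcome of each step."""
    clock = [1_000_000.0]
    svc = ResetService([Account("player@example.invalid", hash_secret("CDKEY-CONSTRUCTED-1"), "old-pw")],
                       now=lambda: clock[0])
    out = {}
    out["wrong_key"] = svc.request_reset("player@example.invalid", "CDKEY-WRONG")
    tok = svc.request_reset("player@example.invalid", "CDKEY-CONSTRUCTED-1")
    out["issued"] = tok is not None
    out["bad_token"] = svc.complete_reset("player@example.invalid", "not-the-token", "x")
    out["good_token"] = svc.complete_reset("player@example.invalid", tok, "new-pw")
    out["reuse"] = svc.complete_reset("player@example.invalid", tok, "again")
    tok2 = svc.request_reset("player@example.invalid", "CDKEY-CONSTRUCTED-1")
    clock[0] += TOKEN_TTL_SECONDS + 1
    out["expired"] = svc.complete_reset("player@example.invalid", tok2, "late")
    out["third_request"] = svc.request_reset("player@example.invalid", "CDKEY-CONSTRUCTED-1") is not None
    out["fourth_request"] = svc.request_reset("player@example.invalid", "CDKEY-CONSTRUCTED-1")
    out["password"] = svc.accounts["player@example.invalid"].password
    return out


if __name__ == "__main__":
    print(demo())
```

The point of the contrast: with `weak_request_reset`, whoever can read the inbox owns the account, exactly as the thread observes. In `ResetService` the inbox alone is not enough (the requester must also present the CD key), a stolen link is worthless after an hour or after one use, and the throttle blunts the "bruteforce" Ivynoxia mentions. Storing only hashes and comparing with `hmac.compare_digest` are ordinary hygiene for any token that is mailed out.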
 
