Verant, Servicing Their Customers


EZ_FluviusRex
06-09-01, 01:31 AM
Pulled this off Everlore:

The EverQuest team posted a reminder to the boards today regarding account security:

As the population of Norrath increases, so too do issues regarding stolen or compromised accounts, and/or accounts that have been transferred from one player to another in violation of the User Agreement. These issues - and the time it takes to investigate and attempt to resolve them - hugely detract from the time that SOE’s customer service staff have to devote to providing quality customer service to issues that impact upon the gameplay experience. Accordingly, SOE must remind all players that:

(1) Account security -- whether it be password protection, running virus checks, disabling file sharing, or any other element of making sure accounts are not stolen or compromised -- is the sole responsibility of the account owner.

(2) Any and all stolen and/or compromised accounts that are reported to SOE will be banned, and no items will be reimbursed. Any player found to be involved in an account theft will have any and all of his/her accounts banned.

- The EverQuest Customer Service Team

In other words, if your account is stolen or hacked, it's your fault.

/boggle

Kambic
06-09-01, 10:18 AM
Um, isn't it your fault?

EZ_Hyarth
06-09-01, 11:04 AM
The only way to lose your account these days is to give out your login/pw to someone untrustworthy. Players know this, Verant knows this, and Verant probably got sick of reimbursing players who they have told repeatedly "Do not give anybody your info under any circumstances."

Kambic
06-09-01, 01:39 PM
Exactly my point.

People don't just go around trying to hack people's EQ accounts guys. The only way you are going to get hacked is if you are careless with PRIVATE information.

EZ_Snootay
06-09-01, 05:26 PM
<<People don't just go around trying to hack people's EQ accounts guys. The only way you are going to get hacked is if you are careless with PRIVATE information.>>

I had my account 'hacked' once, and I am the only person in the world with my account information.

Turns out someone who didn't like me in game found my ICQ number. One day I forgot to turn ICQ off when I was logging in and they used ICQ to backdoor into my computer and get my EverQuest password when I logged in.

So hah!

EZ_geliel
06-09-01, 07:52 PM
And that pretty much makes it YOUR FAULT. Or is Verant responsible for making sure you shut down ICQ?

Aidden
06-09-01, 10:09 PM
Snootay,
I'd caution you about thinking ICQ was the culprit in any attack on your system. I just did a couple of searches at CERT and a few other places, and there are no known Trojan vulnerabilities within ICQ. You may want to keep looking through your system and find the culprit application.

EZ_Snootay
06-09-01, 10:35 PM
The guy ICQ'd me after he was caught and banned telling me he did it through ICQ. This was almost a year and a half ago so maybe you can't do that through ICQ anymore. I know nothing about computers. I just use them. (Don't use ICQ anymore, though. ICQ is the DEBUL!)

And geliel, learn to read plz kk thx la~(Did I blame anything on Verant?)

EZ_geliel
06-09-01, 11:43 PM
I read quite well and you were clearly attempting to state that it wasn't your fault. So whose fault was it? It was a rhetorical question. Nowhere did I say that you blamed Verant.

EZ_cisro tiberious
06-09-01, 11:49 PM
It's not always the customer's fault. About a year ago on Brell we had an incident happen. Not totally sure how it was done, but the hacker, with some program, was able to create a new account with the person he wanted to hack by making a lvl 1 character with the same name and class. It would only work on the older accounts before they fixed it. What he then did was to log on the lvl 1 at the same time as the person he was hacking, and there'd be 2 people on at the same time with the same name. When the person he was gonna hack zoned, he would zone at the same time and it would confuse the program, and when he came out the other side it reproduced his equipment on the hacker. Well, somehow it messed up one time, and when the person being hacked got done zoning one time he came out the other side with no gear and was lvl 1. So you tell me how that was his fault?

Cisro Tiberious 60 ranger Watchers~brell serilis
Edited by: cisro tiberious at: 6/10/01 12:51:25 am

EZ_Snootay
06-10-01, 12:34 AM
Well if it was stated so clearly..

..then how come the person who wrote it didn't know he stated it?

(All I said was it wasn't always someone giving people their account info as Kambic said, stop reading so much into what is said. )

EZ_Raxee
06-10-01, 09:26 PM
Used to be whenever you posted on the Flameplay boards, it would send a cookie with your username and password. Intercept that, and whee! Instant account information.

With Flameplay gone, though, I imagine incidents of that have dropped off considerably.
Raxee L'Noamuth, 51st season Rakess of Fennin Ro

EZ_Vaal
06-11-01, 11:49 AM
The player on Brell petitioned over and over again, other players saw the fake (1st level Paladin compared to the 50+ paladin) and petitioned as well. It took VI over a year to fix the account, and ban the player(s) incidentally.

In this case, it was not his fault, but VI's.



Xlyck

EZ_Bronus Blackblade
06-11-01, 12:28 PM
Comparing apples to oranges here...one is character duping (I believe if you create a character of the same name while that character is zoning, you become that character essentially) and one is the actual ACCOUNT being taken over by someone else.
Bronus Blackblade
59th Blackguard of the Tribunal
"Level edge...backs against the ledge...no knives, the stone hard eyes..."

Kambic
06-13-01, 01:13 AM
I'm referring to someone else logging onto your account. That's going to be pretty tough to do, and seriously how many people out there are going to slave and labor to track you down to the point where they can hack your account? It would probably be much easier to just buy someone else's account and !@#$ you up ingame heh. Besides, I would rate this as so rare that it is next to not happening at all. I stand by my statement that if someone you do not want logs into your account there is a 99.999% chance that it is YOUR FAULT.

EZ_Hawkmoth
06-13-01, 12:39 PM
Bummer, thought this was going to be a dirty post but it's just a dead horse....wait...dead horses are dirty....

As to why would someone go through the trouble and try to hack another person's account? Dunno, why do arseheads do anything nowadays?

Verant has set it up so that if a new program, say something called EQpassha><or, is written and then used just a bit so as to not arouse too much suspicion, then the culprit gets away and the user gets screwed... Fantasy? Well, probably, but with Verant's not so spotless CS record I wouldn't be surprised if this blows up in their face. They have some (a bit, even if small) responsibility for password safety.

Don't get me wrong though, I have no pity for people who give their account passwords away. All too often you don't know the person you're dealing with as good as you think you do.

Kambic
06-14-01, 12:53 AM
Well they updated their post.

Anyway, the most reliable way to hack someone like this would be one of those viruses that can trace keyboard input.

EZ_belgrathx
06-14-01, 12:14 PM
You'd be amazed what zombie code can do and how easy it is to get it.

EZ_Adria
06-14-01, 08:37 PM
Yeah, zombie code might be pretty good, but skeleton code was nerfed shortly after Fear was released because necros were soloing there.

When do necros get summon zombie anyway?

::grins evilly::

EZ_Thumpman
06-15-01, 10:35 AM
Read this article and then tell me how hard it is to hack people's machines and spy on them.

grc.com/dos/grcdos.htm

What if someone else wrote the IRC clients this guy wrote and told it to take special note when the program eqgame.exe ran?

Stealing the PW of people without a good firewall is cake if you get one of these suckers installed. Hell, you could just have it email you the log of your keystrokes after a certain executable was run.
Thump Ghoulsbane
53rd Vicar of Brell (retired)
Alderion 24 Ranger
Elonian 26 Bard
Woodwynd 37 Druid

EZ_Marxx Shadowbane
06-17-01, 04:37 PM
hehe they only caught the dupers on brell since one of em hacked the other so the other confessed and gave all the people involved.



As far as people hacking your stuff: run ZoneAlarm. Comes from www.zonealarm.com I believe and it's free. It won't let anything reach the internet unless you OK it ;) It's a little annoying at first, but stops contact in and out unless you OK it.



EDIT: Please read our sig rules at the top of the forum. Your sig is 300+ KB, more than 20 times our allowed limit. Please optimize your sig with our modem users in mind. (1 out of every 4 of Safehouse users is on dial-up.) -Kez Edited by: Kezzek at: 6/20/01 8:43:08 am

EZ_Dorian Brytestar
06-19-01, 01:26 PM
It is not that hard to brute force and figure out any login you want on EQ. It won't be a specific person, but who cares? If you tried all the combinations from
Login:a
Password:a

to

Login:00000000
Password:00000000

then you would get all the logins in the game except for someone that changes their password regularly.

As soon as you got in you could do anything you wanted to with the characters, delete them or whatever and the person could not report it or they would get their account banned.


It is a lame decision and simply mind boggling to come up with this when there are so many other games coming out so soon. At the very least, restore the person's character naked with nothing in the bank. It would punish them but be less likely to make them quit the game and not be a paying customer again.

Dorian Brytestar
High Priest of Tunare,

EZ_Shaderick
06-19-01, 02:32 PM
Well A) Bruteforcing is an incredibly obvious tactic. We all hope that Verant has enough of a clue that if you louse up your password a couple of times it bars you from trying to log in. Never tested that, but I think it does.

B) I've read the article on GRC.com, and well, to put it simply, if your computer gets hit by a zombie, it's your own damn fault for not having security in place. There's FREE software out there that prevents this stuff. (or at least, prevents the 99% of the people who use the stuff but don't really grasp how it works.) No excuses.

EZ_Ciba
06-20-01, 01:44 AM
How is an everyday joe that doesn't know the first thing about computers to be expected to secure his system? I know people that play EverQuest that couldn't figure out how to install the game themselves, how will they be able to cover all the security holes in Win whatever?

-Ciba

EZ_Umbo
06-25-01, 08:50 AM
Most users will never gain the level of knowledge required to prevent amateur hackers. Some people have the time and interest to put up a good defense. They can still be hacked, it's just less likely.

I am sure VI does not want to be so harsh to the legitimate customers that WILL get hurt by this policy. But currently I don't see much else they could do at this time.

As far as passwords go, I hope the gaming industry goes to using a hardware token (smartcard/dongle) for passwords. User's PIN is for the token only. The authentication key to get into the game would be in the token. That key can only come out wrapped by a session key (yes some tokens can handle in-token session key support).

That does not solve all potential attacks but does hit two problems.

1. Kind of hard to share your smartcard unless you know the person in RL. But then you know who just spanked you.
2. Brute force would be the only viable attack on the actual authentication key. But because it does not have to be human recognizable it can be significantly more complex.


Umbo
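
Added example, not part of the thread: a sketch of the login lockout Shaderick hopes exists, measured against the exhaustive search Dorian Brytestar describes, with the resulting password space compared to the non-human-readable token key from Umbo's point 2. The 36-character alphabet, the 3-failures-per-15-minutes policy, the 128-bit key size and the account name are assumptions; the game's real login policy is not stated anywhere on this page.

```python
import math
from collections import defaultdict, deque

def keyspace(alphabet: int, max_len: int) -> int:
    """Count every string of length 1..max_len over the alphabet."""
    return sum(alphabet ** n for n in range(1, max_len + 1))

def bits(space: int) -> float:
    """Size of a search space expressed in bits."""
    return math.log2(space)

class LockoutPolicy:
    """Lock an account for lock_seconds after max_failures within window seconds.
    Per-account counters only; guesses spread over many accounts also need
    per-source rate limits, which this sketch does not model."""
    def __init__(self, max_failures=3, window=900, lock_seconds=900):
        self.max_failures, self.window, self.lock_seconds = max_failures, window, lock_seconds
        self._failures = defaultdict(deque)   # account -> timestamps of recent failures
        self._locked_until = {}               # account -> time the lock expires

    def allowed(self, account: str, now: float) -> bool:
        return now >= self._locked_until.get(account, 0)

    def record_failure(self, account: str, now: float) -> None:
        recent = self._failures[account]
        recent.append(now)
        while recent and recent[0] <= now - self.window:  # drop stale failures
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lock_seconds
            recent.clear()

def guesses_checked(policy, account, attempts, interval=1.0) -> int:
    """Send `attempts` wrong passwords, one every `interval` seconds, and count
    those that reached the password check instead of being refused."""
    checked = 0
    for i in range(attempts):
        now = i * interval
        if policy.allowed(account, now):
            checked += 1
            policy.record_failure(account, now)
    return checked

if __name__ == "__main__":
    space = keyspace(36, 8)   # assumed alphabet a-z plus 0-9, lengths 1..8
    per_day = guesses_checked(LockoutPolicy(), "constructed-account", 86400)
    print(f"password space: {space} (~{bits(space):.1f} bits); token key: 128 bits")
    print(f"guesses checked per day under lockout: {per_day}")
    print(f"years to exhaust one account: {space / per_day / 365:.2e}")
```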