Account security - what are you doing?Follow

Hi all,
Years ago, my FFXI account got hacked. I was fully decked out, back when the lvl cap was 75 and having 3-4 prices of AF2 was "Godly."
I'll never forget how hopeless I felt, and when I did get back in, seeing ALL my gear dropped (dropping AF2 etc is just plain cruel!). They offered the "one time account restore" and I've been paranoid ever since.

Anyway, there were a bunch of threads on the (crap) OF about ppl getting hacked in 14 and CS doing nothing about it.

So what's your plan for account security? I use a token, NEVER visit any ffxiv related Website from my PC. ONLY visit FFXIV sites from an iOS device or my Mac, and STILL I'm paranoid to use the PC and been sticking with the PS3 for the past 2 weeks.

I'm traveling on business soon, and will need to use the laptop to play. Am I taking this too far? What are you guys doing?

I have had a token since they first came out in FFXI.
I also have a password which is unique to SE account- I don't use it anywhere else on the web.
I only visit Zam and the official forums.
I play on PS3 and browse on my PC.
I never respond to emails that tell me my account is compromised and to go here and enter my name and password.
The funniest of these emails was for a Diablo 3 account for a game I never purchased = all I did was create a Battle Tag for the forums.
So it seems some forums are easy to hack and anyone who uses their actual game log-in are very vulnerable.
Oh and I use Firefox with noscript and addblock plus enabled

Edited, Sep 17th 2013 7:41pm by KissMyPixel

Thanks guys!!! Actually, I did not think about the "free wi-fi" at the hotel I'm staying at, and will be using my personal hotspot while away.

Pickins, you're killing me!!! I'm a Java development manager :), but I deffinatelly hear ya on java security concerns, but the JRE/JDK 1.7x has proven pretty secure =) just make sure you upgrade when it asks you =). Funny comment though, the business trip I'm going to is the anual Java One conference LOLOLOL! I'll HAVE to bring this up!

Lol! But a good point here (not the butt thing) I just thought of. If SE is STILL using DX9, they are likely still using NTLM for authentication. Having a "long" password, of 15 characters, will eliminate the possibility of a reverse hash. Time to make my password 15 + characters (and watch they are using Kerberos or better lol...)

As a software dev (mostly .Net), I have no problem with in-house java apps or those that are run server-side. I just don't trust the JRE to run 3rd party apps/applets safely. IMO, Oracle has really dropped the ball after they took over for Sun.

FWIW, I uninstalled Java from all my machines at home and my dev workstation several months ago, and haven't missed it (other than for Dells crappy DRAC controller app). Should I encounter something that I need that requires it, it's a quick install. In the mean time, I'm not susceptible to any number of zero-day exploits that may be in the wild. (http://java-0day.com/)

mmmm java

I'm kind of sad that I'm an analyst for a team that's working in .NET and a few other things and not Java, because I can fiddle around a bit in Java myself (had to get through 2nd semester of Java server-side for my master's degree in Internet programming.)

That video was hilarious.

I never played WoW, and received multiple e-mails about my WoW account being compromised and how it would be closed if I didn't respond. If you get any kind of e-mail from someone claiming to be from SE, contact support desk through the game or official forum.

I always read these threads, and every time I walk away shaking my head.

As the boxing adage goes, 'the best way to take punch is to not be there when it lands'. I have practiced this for almost 30 years of computing (hello bbs phone bill - i still hate you). I have ONCE had a breach bad enough that it required a restore, I think that was Win Millennium era.

IT is my career field, I work with advanced database administration and biz intelligence software. I work at all levels of the stack from database, to applications and hardware, as well as systems administration in Linux(RHEL, OEL, Solaris, hpUX, etc) and Windows (Desktop, Server, Exchange, Sharepoint, etc). I am far from a 'casual user'.

Essentially, don't frequent sites that participate in illegal things - that's kind of a no brainer and typically the first rule people violate - either with intent or out of curiosity. Those sites serve one purpose, to engage in illegal activity - esp. via your information.

Next, if you MUST engage in such things (you adult material crowd, not that I would ever engage in such behavior, of course) - learn how to create an environment that DOESN'T get infected. The old days used to require tightening browser settings; turning off Java/ActiveX, etc. These days, there is ZERO excuse to not use something like Chrome Incognito or similar tech.

Also, free stuff like Spybot Search n Destroy has kept me virus free for over a decade.

I may be in the minority, but I have never used anything like Kaspersky, AVP or whatever flavor of "security guard" crap they are pushing. Fixing almost anything usually requires turning it off anyways!

Doing things like turning off java just doesn't make a lot of sense for the average user - there is nothing inherently 'evil' about java, you can just as easily be infected with ASP content, PHP injections and 'Browser Addon stuff' like the stupid tool bar junk that everyone pushes (oddly, incl. java or Adobe, forget which).

Learn how to use the tools you have, knowledge is power. Sorry about wall of text, but have added to these mental notes for decades now..lol

Yes, well you should since it's just a SE security token and not game specific.

My token came in the mail yesterday. That was really quick, 2-3 days max from when I ordered.

I'm on a coffee break, so I only have time to respond to these two points:



It's almost as dangerous to frequent MMO related websites. Lots of people have been hacked via ads that contain malicious code. The website itself doesn't have to be shady for you to be at risk.



IMO, installing JRE makes little sense for the average user as client side java is becoming less and less relevant. Closing one more attack vector (that most people don't use) is a good thing, regardless of the other ways one may be attacked.