Account Security and You!
Hello Eve People,
By way of introduction I am CCP Sreegs. I am CCP's Security Administrator and I basically sit in both the Virtual World Operations and Internal IT departments. I've been on board since August and I think now's as good a time as any for us to sit down for a chat. I do not design spaceships, space dragons, stars or any other interesting game mechanics. I'm not an artist and I have absolutely nothing (depending on the cause) to do with reducing lag, writing on post-it notes, or pretty much anything else you typically read a dev blog about. My job is, in essence, to think about bad people doing bad things to you, TQ and CCP in general and try to reduce all of our collective risk. Today, specifically, I'm here to talk to you about your accounts and the security thereof, and some steps that you can take in order to keep all your stuff from being taken from you by terrible bad people.
How do they get your login credentials?
In a typical compromised account situation the malicious dude will somehow get a hold of your account credentials. This can happen any number of ways but I'll bullet point some of the most prevalent for you so that you can BE VIGILANT.
1. You give it to them (account sharing) - This is the non-phishing version of you just handing someone your credentials. It DOES happen, so it goes on the list. I make the list so I get to decide what's on it.
2. A forum you use is compromised - This happens quite regularly and there's nothing we can do about this. When a forum gets compromised a typical step is to pull down the user table of the forum's database and crack the username/password pairs to use the information elsewhere or maintain persistence. If you use the same username/password pair on pretty much any other external service out there then your account is at the mercy of whomever maintains those forums.
3. You buy ISK from an illegal ISK seller - There's a number of layers to this and typically people aren't daft enough to give someone their login credentials on an ISK selling site, but what this DOES tend to lead to is a database owned by the ISK sellers which now contains known good email addresses of EVE Online players and potentially their character names. From these, much more detailed phishing attacks can be crafted which can trick you into handing them your account credentials. In many cases once one of these shops has stopped making money selling illegal ISK they then move on to cannibalizing their customer base by trying to gain access to their accounts or using their credit card information for their own profit. These are not nice or good people to do business with ever. They will do whatever they can to get money from you and they tend to operate from countries that make it difficult if not impossible for you to get any kind of restitution.
4. You do some form of character standings grinding service - Usually this is handled by companies that also sell ISK. Same bad dudes. They now have your account information because you gave it to them to login to your account. Even should you change your password at the very least they have a valid username and email address to use as a starting point for any number of attacks.
5. You click a link in an email or instant message that contains a fake login page - This is known as a Phishing attack. In essence the attacker disguises a page to look like an Eve login page, sends you an email, instant message, evemail or some other communication making it sound as if you need to login to confirm something, such as "YOU ACCOUNT WILL BE DISABLE IF YOU ARE NOT TO CLICK THIS LINK AND LOG IN". You click the link, see what looks graphically like the EVE Online login page. Enter your username, password and character challenge information, then the page submits this information to the bad guy who then logs into your account and steals all your stuff.
6. You install some "hack" or run some other third party executable that installs malware (Keystroke logger or otherwise) - I know some of you will roll your eyes and go "OH WHAT A BIG JERK HE'S TRYING TO SAY ALL HACKS STEAL OUR PASSWORDS TO MAKE US NOT USE THEM", which is a fair thing to think I suppose, except that when we catch you using hacks we're going to ban you out of hand. If I wanted to make sure I was getting EVE Online logins or any other game or services logins, then I'd want to make sure that I know that the people who are using my malware are people who play the game or use the service. A good method for doing that would be to distribute it as something which appears to have something to do with the game. I don't think it takes a huge leap of logic to see that someone who might attempt to manipulate a client to cheat at a game may install a backdoor on your machine to make a lot of money.
What do they do with your login credentials?
Some people don't understand why someone would hack an account for a videogame. The underlying reason in most cases is because the stuff that exists in EVE Online has value. When something has value it tends to be quicker to get that value out of it if you steal it from someone rather than making it yourself. It would certainly be much quicker for me to steal a Ferrari than to save up for one. The same holds true with EVE Stuff (Despite the fact that CCP really owns it all and buying ISK is explicitly forbidden).
In EVE all of our items have value. The currency used to determine that value is ISK. In essence once someone has gained access to your account their primary motivation in most cases is to liquidate as much as possible into ISK, then attempt to sell that ISK to someone for real cash, before we can catch them. In the vast majority of cases they really don't care about your character, your standing in the universe, or your awesome faction battleship. All you are is a cash machine. What has caused an uptick in hacking cases in the past couple of years globally, not just in Eve, is the fact that The Bad Guys have discovered more and more ways to monetize malicious activity. That could be sniffing the wireless access point at your nearest convenience store to steal credit card numbers, or it could be tricking you into giving them your login information to illegally sell ISK. There is still a desire to get cold hard cash at the end of the day, though probably not REAL ISK because that is worthless.
So what is CCP doing about this?
While I can't get into technical specifics TODAY I can say that in theory, the best way to keep your things safe is to make it more difficult to monetize in-game material. This requires a multi-tiered approach, some of which you've seen in action (character challenge), much of which is behind the scenes (secret), and much more of which is currently worming its way into the development cycle. One tier is making it harder to get access to your account. Another could be making it harder to liquidate your assets and a third could be making it harder to sell the isk once all of this is done. While you may not quite have viewed it this way, PLEX is in and of itself a counter-hacking measure as it provides a legal way for you to purchase in-game currency with real-life cash at no risk. Well, no risk provided you're not transporting a giant pile of them around New Eden. This is what I mean by multi-tiered. When it no longer becomes profitable people will stop selling isk, which means a large reduction in the number of bad dudes trying to get into your account.
Keep an eye out here for upcoming changes. As publically-facing measures are introduced we'll be certain to let you know about them. There's a lot going on in this arena that would be premature to mention today but I'm at least really excited.
So what can I do to keep from being hacked?
I'm glad you asked this, though it is always a challenging question to answer for a number of reasons. It is difficult as a company to be too prescriptive. If I were to tell you "Install this magic widget" and you still got hacked then as a customer you're going to go "I INSTALLED THE WIDGET AND GOT HACKED ANYWAY YOU ARE SO DUMB". There is no magic security button that's going to make you bulletproof which is why we go crazy coming up with ways to handle things from our side instead of simply handing out magic widgets. I will however outline a few steps which will go a long way to keeping you safer if you're not already doing these things.
1. Constantly run an antivirus package with up-to-date signatures - There are free AVs out there that work if you don't want to spend your money. They do all kinds of interesting stuff. If you're not running one you really should be.
2. Turn on malicious site and forgery blocking in your web browser - The big three (Firefox, IE and Chrome) all have this in some fashion. Many of the sites I get sent to me as phishing or malware sites are flagged by these. I guess you could get some false positives, but our login page should never ever be one of them.
3. Run your browser in a sandbox - This separates your browser from your operating system making it much harder to get infected with terrible things, provided you empty out the sandbox regularly. Sandboxie is a free example of one such piece of software. I've personally used it quite a bit when I don't have access to a clean environment.
4. Don't click on everything you see - Just stop clicking on every single link you get. Many of them lead to terrible websites or bad posts, and many of the rest contain malware or false login pages.
5. Be careful clicking links in your email also - The entire point is for them to try to look like us. Sometimes we will send you an email. Rarely will it be because we want you to login to something. If you want to know for certain if an email is legit file a petition or forward it to firstname.lastname@example.org. If that gets abused I'll be angry.
6. Report suspected malicious activity - File a petition and let them know what you think is wrong. If you don't get a response or something send an email to email@example.com. Even if something tricked you, letting us know what's out there can help the next guy.
7. Check account settings and make sure your email is correct - Firstly, we need a way to get in touch with you legitimately. Secondly, everyone and their mothers knows this is a way to reset passwords and savvy badguys will change this address to maintain persistence. Check it. Check it often. Make sure it's correct. A lot.
8. Change your password - ALL THE TIME BE CHANGING YOUR PASSWORD. I try to change mine every month or so. You may change it more or less often, but the bottom line is that you should be changing it with a great deal of regularity. If your password is different than what the badguys got they can't get into your account.
9. Always make sure your browser and OS are patched and up to date - Do it.
10. NEVER EVER EVER USE THE SAME USERNAME OR PASSWORD ON ANOTHER SITE ON THE INTERNET ANYWHERE EVER - :mad:
I suspect that's enough words for now. We have a lot to talk about in the future though and please reply in the blog thread or via one of the above listed resources if you have an issue you think should be brought to our attention. I can assure you it will be read and I can always learn something new.