Trion Worlds' Rift Account Database Compromised
New submitter Etrahkad writes "Trion Worlds, publisher of MMORPG Rift, has announced that somebody broke into one of their databases and gained access to user information. First Sony and now Rift... my identity has probably been stolen several times over, now. From the e-mail: 'We recently discovered that unauthorized intruders gained access to a Trion Worlds account database. The database in question contained information including user names, encrypted passwords, dates of birth, email addresses, billing addresses, and the first and last four digits and expiration dates of customer credit cards. ... there is no evidence, and we have no reason to believe, that full credit card information was accessed or compromised in any way." Are game companies not concerned with preventing these attacks?"
To the cloud...
Granted, it could be a simple ROT13 but the mere fact that the passwords were "encrypted" and that the data didn't contain the entire credit card number indicates that the company or somebody inside the company at least put a little bit of effort into securing the data. Unfortunately, securing data is hard and it only takes one oversight to make it vulnerable. The true test will be what the company does now that the breach has occurred.
I wouldn't say they're not concerned with security... but rather, they're probably the most targeted.
-Troll, Flamebait, and Offtopic are NOT equivalent to disagreement.
dates of birth, email addresses, billing addresses, and the first and last four digits and expiration dates of customer credit cards
Why be concerned? That's only everything you need to do serious financial damage. It's not like they stole full credit card information or something.
That credit card was already stolen and canceled thanks to Sony!
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
They do not have to adhere to the information standards that financial companies do... And it's probably good... because some of the smaller gaming companies could never afford it.
My handy reference guide for online gaming:
1) Change all your information to complete and utter BS. Store your BS information somewhere so you can parrot it back if you have to call support.
2) Pay with game cards. If you can pick them up at Walmart even better. But, you can buy codes online.
3) Nothing to lose now... So you don't care if they are hacked.
Just my 2 cents.
Steam got hacked as well. http://www.forbes.com/sites/danielnyegriffiths/2011/11/10/steam-hacked-newell-watch-your-credit-card/
I used to use a "throwaway" password for most sites, that I used for a lot of things. Over the past 10 years I realized that a single password was leaving me vulnerable, so I just started using a password gen plugin in chrome and that seems easy enough to use. I don't even bother writing down the password, I figure if I need it again, I'll just use the password recovery down the road.
moox. for a new generation.
leads to losing real world identity
literally and figuratively
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
We'll see how far you get at the next weekly meeting when you mention to your project lead your concerns about security. Your employer has already battled layoffs and the CIO is on vacation. You're behind schedule with your "texture skins" assignment and last week's priority of fixing that model bug that arises when lighting is reduced by 80% is something you need to go back and revise for the sprites your game uses in the 2.5 beta test. But never mind all that... It's pushing 8:00 PM now and after working 60+ hours this week to make the due-date, you're entitled to some time with your family. Fuck, it's Friday. I mean, we're not slaves... The kids are expecting you to see their school play and your wife doesn't want to see you miss another one.
Don't forget to mention to your boss that issue you had with your database security that the "database guy" disregarded last time you e-mailed him about it... Eh, just forget it. That guy knows what he's doing after all, right? RIGHT? Whatever you do, just make sure you fill out a ticket request form for "Reviews and Auditing" because last time you tried to bring this stuff to their attention, you forgot to include a subject and when that happens, the department manager gets a little pissed...
(This is why this shit happens.)
With Sony, even though the hack was much larger and affected more people and they were slower fixing the problem... They actually did something about it. When my real world information is stolen I want credit monitoring to make sure that I am not going to lose my house, not 3 days of game time and some additional virtual gold. That's just a joke, shame on you Trion.
That is now the fifth time I've had someone manage to fubar and let a DB with my information get out there in the last 6 months or so. I'm literally running out of ways to manipulate my passwords to maintain a unique and secure, but memorable, password. If you just lost my previous password, do you really think I want to have to invalidate the entire approach to passwords I was using and then use one of my more secure techniques with your system (thanks to the even more absurd password requirements) and risk it getting compromised too? Thanks a lot, assholes. Glad SWTOR is out now so I can cancel my Rift subscription.
AJ Henderson
Disclaimer: I'm a pretty big RIFT fan. (I post there as the_real_seebs.)
Database compromises happen, and Trion's a newish company that has a lot of customers, and is thus a very good target.
This is the second security problem Trion has ever had, and the only one that made it possible to leak any personal information. (The first was an authentication hole that let you log in to game servers on arbitrary accounts without name or password -- but did not disclose the account name to you.) In each case, they reacted quickly, they announced it, they sent email to people to make sure people who don't watch the site found out, they disclosed what information was compromised, they took steps to correct it...
Now, I know comparing someone favorably to Sony is damning with faint praise, but compare this with Sony's handling of their systems leaking complete credit card numbers and unencrypted passwords.
IMHO, Trion's doing it right. Yeah, it'd be awesome if nothing ever got compromised. But anyone who has the ability to run active services which can be accessed at all, and which cannot be compromised, has clearly made enough money to be able to buy the company and fix it. :)
My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
This is why I use software to generate and store passwords. It's a risk, but it's a smaller risk than I would be taking otherwise.
And... TOR's a great game, doubtless, but are you seriously telling us you think EA is going to be more secure?
My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
I'd like to see a law firm launch a class action suit against a company that has failed to take reasonable measures to protect customer data. Hell, I'd go so far as to say that it's the best use of a class action lawsuit ever. AFAIK there is no effective legislation that is doing the job. All it takes is one lawsuit to set a precedent, right? Hell, lawyers are supposed to be good at identifying this kind of opportunity, so what's the deal? Are they too busy chasing ambulances?
"We are just a war away from Amerikastan. When god vs god the undoing of man." Dave Mustaine
When you were saying you hoped someone put time into considering database security... Trion did long ago. Given the fact no credit card numbers were extracted, and the info was encrypted (as far as we know), then the only thing left is account access. Well, Trion Worlds implemented the "coin lock" system about 6+ months ago. Meaning if you log in from a different IP address than the last one they saw you come from (yes, even if your ISP changes your address via DHCP)... your game account will get "coin locked", meaning you can't sell or transfer any character items or transfer money out, etc. Seems to me like they pretty well locked it down. Also, I just went to log in to Trion to change my password (which everyone should do) and noticed that Trion is FORCING people to change their passwords, secret questions, AND their authenticator codes. Authenticator codes are also required for account management. So it's not like Trion didn't think and do a lot of preparation. Determined hackers will always find some way in; it's a matter of motivation, effort and time.
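The "coin lock" rule described above, written out as an added example (this is not Trion's code and not the commenter's; the account store, the set of locked actions, and the unlock-by-second-factor rule are assumptions chosen to illustrate the mechanism). A login from an address other than the last one recorded flips a lock that blocks economy actions until a second factor such as an authenticator code has been checked:

```python
# Added example, not Trion's implementation: a minimal "coin lock".
# Assumptions: an in-memory account store, the action names below,
# and that a verified second factor is what clears the lock.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Actions that move value out of the account; everything else stays allowed.
ECONOMY_ACTIONS = {"sell_item", "trade_item", "transfer_gold"}


@dataclass
class Account:
    name: str
    last_ip: Optional[str] = None
    coin_locked: bool = False
    log: List[str] = field(default_factory=list)


class CoinLockStore:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def login(self, name: str, ip: str) -> bool:
        """Record a successful login. Returns True if the login engaged the lock."""
        acct = self.accounts.setdefault(name, Account(name))
        # Any change of source address (even a DHCP renumbering) trips the lock.
        locked_now = acct.last_ip is not None and ip != acct.last_ip
        if locked_now:
            acct.coin_locked = True
            acct.log.append(f"coin lock: login from {ip}, last seen {acct.last_ip}")
        acct.last_ip = ip
        return locked_now

    def perform(self, name: str, action: str) -> bool:
        """Allow or refuse an action; economy actions need an unlocked account."""
        acct = self.accounts[name]
        if action in ECONOMY_ACTIONS and acct.coin_locked:
            acct.log.append(f"refused {action}: coin locked")
            return False
        acct.log.append(f"allowed {action}")
        return True

    def unlock(self, name: str, second_factor_ok: bool) -> bool:
        """Clear the lock only after a second factor has been verified by the caller."""
        acct = self.accounts[name]
        if second_factor_ok:
            acct.coin_locked = False
        return not acct.coin_locked


def demo() -> List[bool]:
    """Walk one account through lock and unlock; returns the allow/refuse decisions."""
    store = CoinLockStore()
    store.login("alice", "203.0.113.10")           # first login: nothing to compare against
    ok1 = store.perform("alice", "transfer_gold")   # allowed, no lock yet
    store.login("alice", "198.51.100.7")            # different IP: lock engages
    ok2 = store.perform("alice", "transfer_gold")   # refused while locked
    ok3 = store.perform("alice", "chat")            # non-economy action still allowed
    store.unlock("alice", second_factor_ok=True)    # authenticator verified elsewhere
    ok4 = store.perform("alice", "sell_item")       # allowed again
    return [ok1, ok2, ok3, ok4]


if __name__ == "__main__":
    print(demo())
```

Note that a stolen password alone does not get an attacker past this: the lock trips on the attacker's address, and lifting it requires whatever second factor the operator ties to `unlock`. The lock keys on the last seen address only, so it does nothing against an attacker who already sits behind the victim's NAT or proxy.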
If your biggest worry is coming up with a new password and remembering it then frankly, suck it up. You should be changing it every 6 months at a minimum anyway. You shouldn't even be using the same password for everything either. They should all be unique. There are a number of free applications that will encrypt and store passwords. You can put them in the notes of your smartphone. You can write a BS note to your girlfriend that contains hints to yourself to remind you what the password is and stick it in your wallet or email it to yourself. Worst case, if you forget and lose the password(s), almost all companies provide password recovery or reset services.
If you can't be bothered to spend an hour a year helping to protect yourself then your self-righteous indignation at a company that is a primary attack target of sophisticated hacking organizations is a freakin' joke.
"But we have to pass the bill so that you can find out what is in it,..." - Nancy Pelosi
Yes, if only because they have written their authentication system as part of a much larger system to be shared with both a) a store and b) multiple development shops. The amount of effort that in theory should have gone in to their authentication system is much higher, so I would hope it is more securely held as a result.
AJ Henderson
Why exactly should I be changing my password every six months? Does it somehow magically become a pumpkin or mysteriously leak itself? I use a series of several different systems to generate passwords (with different security levels for each system of use) that would not be easily guessed unless you knew the underlying system. This both ensures that passwords are not shared and that it is not easy to compromise other passwords if one is compromised. The main reasons for changing a password every six months are either a) the assumption that it may have been compromised and therefore should be changed, but yet somehow the issue wouldn't still be present allowing the new password to ALSO be compromised or b) the much more justifiable reason, that someone's carelessness (for example writing the password down) may have resulted in an individual password being compromised without a systematic breach.
As I am very careful with my passwords and do not write them down, b is not so much an issue for me, particularly for low security stuff like a video game. Using an app to store a bunch of passwords is both a single point of failure as well as a major headache to actually use for every low priority site that you use. Having a systematic approach to determining unique passwords is far more effective and easy to use. What you are suggesting is that I should compromise my own security by writing down passwords instead of using a system that doesn't permit systematic breakage of my passwords while allowing them to remain in my head.
I am a software developer and a security professional. I take security very seriously when necessary and have a great deal of training on it. While this breach isn't as bad as Sony's it still is a situation that should not occur for a production system. There is no reason why the data should be accessible outside the computer hosting it to anything other than web services (or some similarly secure mechanism) querying in to it via hardened calls that only allow verification of identity and do not allow the information out. It is not hard to implement and I have personally written several systems that do just that. Simply put, the data that was taken should never, under any circumstances be available to a system that connects directly or indirectly to the internet other than through a locked down, single purpose interface. If they were doing this and someone managed to actually exploit that interface or if it was a work of internal abuse, then I'd be willing to cut them a little more slack as those attacks would be harder to protect against.
AJ Henderson
If you are indeed a "software developer and security professional", I truly hope that I am not a consumer of the products you build. Many of your statements show a very cavalier (or ignorant) attitude about systems security that borders on negligent. Of course, that kind of attitude might well be at the root of these types of penetrations...
1) From your statements it's obvious you're assuming the threat is only external, or only code based, or only protocol driven, etc. A "software developer and security professional" would know better and never think in those terms.
2) A "software developer and security professional" would never refer to an account or database with PII and financials as "low priority".
3) A "software developer and security professional" would understand that just because there is no evidence of penetration and no apparent damage, one must always assume that the systems can and potentially are compromised.
4) A "software developer and security professional" knows that he must assume that more than one set of services by multiple vendors could be compromised. And while guessing a single password might be difficult or nearly impossible, understanding a particular user's "system" is quite possible if you're able to view two or more examples of the outcome of that "system".
5) A "software developer and security professional" would understand full well that hacking database1 might produce no immediate fruit for the hackers. Nor database2 or 3 or 4. But those 4 breaches combined can be used to create all necessary keys to break accounts on database5, which was the real target all along.
"But we have to pass the bill so that you can find out what is in it,..." - Nancy Pelosi
My bank account is successfully protected by a 4-digit PIN that never changes. If you write a system which requires more from your users than remembering a 4-digit unchanging password, you're doing it wrong.
On the backend, encrypt all data at rest, and do your best to detect intrusions, and you'll be doing quite well by today's standards. So few businesses even take those simple steps - it's pathetic, really.
Socialism: a lie told by totalitarians and believed by fools.
Ok, well I can see you clearly are not a security professional (or not a good one) as your risk assessment doesn't even make sense. I shall respond to each point directly.
1) I did not say anything that would indicate that I do not believe internal threats exist. They account for something like 80% of breaches. For passwords, changing them every six months doesn't help against internal attacks unless the person has left the company and the company failed to notice or notify about the breach. As for my suggested system, it wouldn't just be hardened against external threats, but internal as well.
2) I referred to the password for accessing a game account as low priority. If they are able to compromise the DB itself, my password is no good at protecting my information, and if they are able to break my password and access my account, the most they can do is get information available in public records or buy me more game time. Thus it is a low priority password, as a compromise of that password does not cause any direct loss of control of non-public information or any financial loss.
3) Yes, you always assume a system can be compromised, but unless you detect and fix a compromise, there is nothing preventing it from being continually compromised, therefore changing passwords routinely does nothing to counter this. The only exception to this would be if you were to accidentally fix a vulnerability without realizing it or if a company found a vulnerability and fixed it without realizing it had been exploited. In either case, I have no way of determining when/if that occurs and do not feel like the small risk for lower priority passwords justifies the need to write them down and store them externally with a single point of failure.
4) Yes, I do not design my security for low and medium risk sites to withstand a targeted attack. If someone really wants to target me though, there are far more direct ways to go about it. Security is about making it harder to get you than the next guy. A criminal doing a large scale hack isn't going to spend time trying to break my system when they can get tens of thousands of other credentials through automated means. If I had reason to believe it would be worthwhile to directly target me, I would alter the practice. Also, I consider more than one breach on a password system to invalidate that password system for medium or higher security passwords. That is a big part of the reason for my frustration.
5) Your fifth point is valid, but again, not in the context of an individual user. If someone broke in to 5 systems, without being detected, to try and go after my information, they are pretty damn determined to go after me and the situation is pretty unlikely to occur. (As you were quick to point out, the majority of breaches are internal.) Even if the DBs were simply sold and compiled by another third party, again, a simple, non-trivial system for generating passwords is sufficient to defeat automated tools that would try to find links between the DBs and thus protects against all but determined, targeted attacks.
Please try to think through your arguments and analysis more clearly before you try to lampoon someone's understanding of a topic.
AJ Henderson
It was ROT26.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
I will add two things to that. The system needs to limit unauthorized attempts before locking out, such that it is immune to brute force and the data needs to be internally isolated such that it can only be accessed internally (if absolutely necessary) by two or more individuals both mutually authorizing the access. Take your root of trust, make it as simple as possible, defend it as much as possible and build everything off of that root of trust in as simple and straight forward of a way as humanly possible to prevent exploitable gaps from being introduced.
AJ Henderson
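The design sketched in the two posts above (a locked-down, single-purpose interface that only answers "is this password right?", a cap on failed attempts, and two people mutually authorizing any direct read of the stored records) as an added example. This is not the commenter's code and not Trion's; the hash parameters, the lockout threshold of five failures, and the shape of the two-approver export call are assumptions picked for illustration:

```python
# Added example, not code from the thread or from Trion. Demonstrates a
# credential store whose only routine read path is a yes/no verify() call:
# no method returns a hash to an ordinary caller, failed attempts lock the
# account, and raw record access needs two distinct approvers.
# Assumed parameters: PBKDF2-HMAC-SHA256 with the iteration count below and
# a lockout after MAX_FAILURES bad guesses.
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

PBKDF2_ITERATIONS = 100_000   # assumption; tune upward for production hardware
MAX_FAILURES = 5              # assumption: lockout threshold
_DUMMY_SALT = b"\x00" * 16    # used to spend equal work on unknown users


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class CredentialStore:
    """Holds (salt, hash) per user. Only verify() and the two-person export read them."""

    def __init__(self) -> None:
        self._records: Dict[str, Tuple[bytes, bytes]] = {}
        self._failures: Dict[str, int] = {}

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._records[user] = (salt, _derive(password, salt))
        self._failures[user] = 0

    def is_locked(self, user: str) -> bool:
        return self._failures.get(user, 0) >= MAX_FAILURES

    def verify(self, user: str, password: str) -> bool:
        """Answer yes/no only; the hash, salt and record never leave this object."""
        rec = self._records.get(user)
        if rec is None or self.is_locked(user):
            # Do the same amount of work so response time does not reveal
            # whether the user exists or is locked.
            _derive(password, _DUMMY_SALT)
            return False
        salt, stored = rec
        ok = hmac.compare_digest(_derive(password, salt), stored)  # constant-time compare
        if ok:
            self._failures[user] = 0
        else:
            self._failures[user] += 1
        return ok

    def export_record(self, user: str, approvers: Tuple[str, ...]) -> Optional[Tuple[bytes, bytes]]:
        """Raw access requires two different named approvers (mutual authorization)."""
        if len(set(approvers)) < 2:
            return None
        return self._records.get(user)


def demo() -> Dict[str, bool]:
    """Exercise the verify path, the lockout and the export rule."""
    store = CredentialStore()
    store.register("alice", "correct horse battery staple")
    results = {
        "good": store.verify("alice", "correct horse battery staple"),
        "bad": store.verify("alice", "hunter2"),
        "unknown_user": store.verify("mallory", "anything"),
    }
    for _ in range(MAX_FAILURES):           # brute-force attempt trips the lock
        store.verify("alice", "guess")
    results["locked"] = store.is_locked("alice")
    # Even the right password is refused once locked.
    results["right_password_while_locked"] = store.verify("alice", "correct horse battery staple")
    results["export_one_approver"] = store.export_record("alice", ("dba1", "dba1")) is None
    results["export_two_approvers"] = store.export_record("alice", ("dba1", "dba2")) is not None
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two caveats a practitioner would add: a per-account lockout lets anyone who knows a username lock that user out, so real deployments pair it with per-source rate limiting or a backoff rather than a hard lock; and "two approvers" only means something if the approver identities are checked by a separate authentication step, which this sketch leaves to the caller.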
I noticed a fraudulent subscription payment when I reconciled my accounts this month. Apparently I was charged a subscription fee when I had cancelled my account 6 months back and hadn't been charged since.
I promptly logged on to their site, changed my password and deleted my credit card info. I'd advise that anyone who may have purchased the game (or been forced to provide a card for the beta) delete their information and check their bank statement.
Why the first and last four ?
On the web site, the payment methods only display the last four. Are you telling me they kept the first four "just in case" ?
One could hope they store the last four digits separately, and the full number in a place that can only be written and not read by the web site systems. But then, one could hope the one(s) responsible for this understand the basics of security.
And then again ... first and last four ? How so ?
A) 1234-XXXX-XXXX-5678 ? Waste of space ? Really ?
B) 12345678 ? Then why tell us they are the first and last four digits? Did the thief really need more information on what he got?
C) 1234-9999-9999-5678 ? Call me paranoid, but given the "first and last" I can't help but think it's likely.
My subscription is cancelled already and I'm cancelling my credit card right now.
Irrelevant news and morons using moderation to mod down what they disagree on. 2018 resolution: so long.
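The question above of what "first and last four digits" actually leave undetermined can be answered with arithmetic rather than speculation. The following is an added example, not code from the article or any commenter: it masks a PAN to the stored form the thread is discussing, checks the Luhn digit, and counts how many full 16-digit numbers are consistent with a given known prefix and suffix and still pass Luhn. It goes beyond the post by also counting the case where six leading digits are known. The card number used is the widely published test number 4111 1111 1111 1111, not a real card; the `truncate` format is an assumption.

```python
# Added example, not from the thread. Shows how much of a 16-digit card
# number the stored "first four + last four" leaves open.
# Assumptions: 16-digit PANs, the masked form below, and the test PAN
# 4111111111111111 as constructed input.
from typing import Dict, Tuple


def luhn_valid(pan: str) -> bool:
    """Standard Luhn check: from the right, double every second digit."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate(pan: str) -> str:
    """The masked form under discussion: first four and last four digits kept."""
    return pan[:4] + "X" * (len(pan) - 8) + pan[-4:]


def count_candidates(prefix: str, suffix: str, length: int = 16) -> int:
    """Number of PANs of `length` digits matching prefix/suffix that pass Luhn.

    Dynamic programming over the running Luhn sum modulo 10. Positions are
    walked from the right so the doubling pattern is fixed by the distance
    from the check digit; known positions contribute one digit, unknown
    positions all ten.
    """
    known: Dict[int, int] = {}
    for i, ch in enumerate(prefix):
        known[i] = int(ch)
    for i, ch in enumerate(suffix):
        known[length - len(suffix) + i] = int(ch)

    def contrib(d: int, dist_from_right: int) -> int:
        if dist_from_right % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        return d

    ways = [1] + [0] * 9   # ways[r] = fillings so far whose Luhn sum is r (mod 10)
    for pos in range(length - 1, -1, -1):
        dist = length - 1 - pos
        digits = [known[pos]] if pos in known else list(range(10))
        nxt = [0] * 10
        for r, w in enumerate(ways):
            if w == 0:
                continue
            for d in digits:
                nxt[(r + contrib(d, dist)) % 10] += w
        ways = nxt
    return ways[0]


def demo() -> Tuple[bool, str, int, int]:
    """Check the test PAN, mask it, and count candidates for two disclosure levels."""
    pan = "4111111111111111"          # constructed: published test number, not a real card
    first4_last4 = count_candidates(pan[:4], pan[-4:])
    first6_last4 = count_candidates(pan[:6], pan[-4:])
    return luhn_valid(pan), truncate(pan), first4_last4, first6_last4


if __name__ == "__main__":
    valid, masked, n4, n6 = demo()
    print(f"luhn ok: {valid}")
    print(f"stored as: {masked}")
    print(f"PANs consistent with first4+last4: {n4:,}")
    print(f"PANs consistent with first6+last4: {n6:,}")
```

With eight digits unknown, the Luhn check only removes a factor of ten: ten million candidates remain, so the truncated value is not a usable card number but is also not nothing, since together with the expiry date and billing address it narrows down what a thief has to confirm elsewhere. Keeping six leading digits (the issuer identifier) cuts the space to a hundred thousand, which is why the digits a system retains for display should be chosen deliberately rather than "just in case".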