
Keylog Attack ~How My Story Ended~

#252 May 21 2007 at 11:05 AM Rating: Default
***
3,261 posts
Erawyn wrote:
When the @#%^ did I say "POL's security was breached?" I said it was lacking terribly, which is entirely different. All any moron has to do is get a hold of a member ID and password, and everything is in plain view. All your credit card information can be accessed if you know those two things. There is no security question or any other preventative measures.

Same can be said for anything else. It has nothing to do with POL's security or lack thereof. I log into my bank account online too. If I downloaded a keylogger, and thusly transmitted my login information for my bank account to this thief, he would be able to access my bank account as well. Same with other online games, and other online sites that require you to enter a username and password to log on.

Also, since you're such the genius, apparently, on website/MMORPG security, what changes would you make? How would you rather have us log in? Maybe SE should supply everyone with thumbprint readers, and blood and urine analyzers, and a retina scan just to be able to play the damned game. Would that be enough security for you? How would you rather "hide" this information that apparently is in such plain view? If you can see the holes in their security, you should be able to tell me what you would do to cover them. While you're at it, tell SE so they can implement them immediately, because regardless of what some of you think, I know Square-Enix IS concerned about their security, and would immediately remedy any flaws you were able to find. Security is a big thing for any company, and something that isn't taken for granted. Thing is, they already know about all this keylogger, stolen account stuff. Do you think they're stupid? They know what's going on, and I'm sure they've reviewed their security time and time again. If they noticed a problem, I'm sure they would address it. I honestly don't think they've noticed a problem. But apparently, Erawyn, you know so much more about their security than their programmers do because you can see all these flaws in their security. Why don't you write a letter and tell them about these security risks? Maybe you'll get a big fat reward? Or maybe they'll realize you're just another whiny little complainer like everyone else who thinks they understand how SE's security should work, but really haven't even the slightest clue about what safeguards they've put in place, and why. *****, *****, *****, all you want people. Bottom line is SE/POL knows more about what's going on here than any of you do, and I'm sure they know how to handle their asses. They employ people strictly for matters like these.
#253 May 21 2007 at 11:50 AM Rating: Good
****
4,148 posts
Daboder wrote:
Same can be said for anything else. It has nothing to do with POL's security or lack thereof. I log into my bank account online too. If I downloaded a keylogger, and thusly transmitted my login information for my bank account to this thief, he would be able to access my bank account as well. Same with other online games, and other online sites that require you to enter a username and password to log on.


At least if you are the victim of a keylogger attack with your bank they will re-instate the account to you and also reverse whatever damage came because of it.

They have a long list of checks and balances to use to determine if it really is yours or not in case something like this happens.

What SE will tell you is that "we are looking into it" which is PR for "Whatever, lol, we still get paid either way, now hurry up I have lunch break coming up in a few minutes".
#254 May 21 2007 at 12:02 PM Rating: Decent
Scholar
****
6,631 posts
Quote:
At least if you are the victim of a keylogger attack with your bank they will re-instate the account to you and also reverse whatever damage came because of it.

They have a long list of checks and balances to use to determine if it really is yours or not in case something like this happens.

What SE will tell you is that "we are looking into it" which is PR for "Whatever, lol, we still get paid either way, now hurry up I have lunch break coming up in a few minutes".



The bank can potentially lose a lot of money in identity theft of bank account information.

But in SE's case, it is quite different. First, it is stated in the TOS that the end user is responsible for the account security and it is also a violation to buy/sell accounts (that will assume a transfer of account login to another person). Secondly, SE can only lose 12 bucks per month for doing that. Yes, I hate to say this, but 12 bucks is literally 1 (maybe 2, but I assume SE doesn't pay their employees like McDonald's) hour of salary. So from a money perspective, it is also nonsensical to do that; that same 1-2 hours can be used to deal with more useful problems in the game (like supporting other players, dealing with RMT, making new content) than someone that may have violated the TOS and ignorance of internet security.
____________________________
Amanada (Cerberus-Retired) (aka MaiNoKen/Steven)
-- Thank you for the fun times in Vana'diel

Art for the sake of art itself is an idle sentence.
Art for the sake of truth, for the sake of what is
beautiful and good — that is the creed I seek.
- George Sand

A designer knows he has achieved perfection,
not when there is nothing left to add,
but when there is nothing left to take away.
- Antoine de Saint-Exupéry
#255 May 21 2007 at 12:26 PM Rating: Decent
****
4,400 posts
Daboder, do you work for SE? Because you sound like you do, or you sound like you think you should.

I'm sure SE is concerned with THEIR security. After all if THEY are the ones who are breached they are *******. But if the MEMBERS are breached, then SE turns around and says "Oh well, your loss." You go ahead and change your CC info and password and call up POL and give them the old information. Come back and tell us what they said. They keep no records of past history, and if they do, the schmucks you talk to don't have access to it. Add that to the fact that there's not even something as simple as a security question, to which you don't type in the answer too often and will probably get overlooked on a keylogger if you get rid of it quickly, is outrageous.

You want suggestions? Head on over to the Feedback forum and check out what I posted. This forum isn't the place to offer suggestions as to what SE should do. Allakhazam already has a forum in place for that.

And I didn't mention this in my feedback post, but if SE made monthly game cards, people could purchase them and not have to worry about their CC info possibly being stolen if they were hacked.

The OP was stupid, yes I agree with that. He shouldn't have gone to some random link someone he didn't know sent him. That is beyond stupid. But the fact of the matter is SE turns around and says "Oh well, your loss. See you next month with a new character!" is ridiculous.
#256 May 21 2007 at 12:30 PM Rating: Default
***
3,261 posts
Levish wrote:
Daboder wrote:
Same can be said for anything else. It has nothing to do with POL's security or lack thereof. I log into my bank account online too. If I downloaded a keylogger, and thusly transmitted my login information for my bank account to this thief, he would be able to access my bank account as well. Same with other online games, and other online sites that require you to enter a username and password to log on.


At least if you are the victim of a keylogger attack with your bank they will re-instate the account to you and also reverse whatever damage came because of it.

They have a long list of checks and balances to use to determine if it really is yours or not in case something like this happens.

What SE will tell you is that "we are looking into it" which is PR for "Whatever, lol, we still get paid either way, now hurry up I have lunch break coming up in a few minutes".


This may be true, but you OWN what's in your bank account. In FFXI you DO NOT own your character, or any items that are collected. They are SE's property as outlined in the TOS agreed to every time you log in to the site. If they were to pursue every situation like this, they would be expending resources to validate the claims, which they shouldn't have to provided each OP covered their own asses. They should not have to expend their resources to correct a mistake someone else made. How is that fair? Not to mention, by the time they are even able to verify the validity of it, the thief would probably already have the character cleaned out. Also, if SE bends on this, you don't think there would be a rise in scams by people claiming they were victims of keyloggers, when actually they just used another computer to log in and sell off their own stuff because they knew SE would just re-instate their character anyway? This is why they aren't doing anything for the guy. Maybe at some point they will, but they need to stand firm on this for good reason. It's not a matter of SE being a buncha ***** that don't want to help anyone as you all make it seem. They aren't doing this because they just don't care about their players. If anything, the rise in other MMORPGs, among other things, has caused people to move away from FFXI, so I'm sure SE is not going to try to do anything to push users away. They care more than you know, but they aren't re-instating this guy's account because of what he did. He compromised his own security, and you people seem to think that SE needs to take care of it. It would be a bad, bad move on their part to just give him his account back.
#257 May 21 2007 at 12:34 PM Rating: Default
****
4,400 posts
Quote:
He compromised his own security, and you people seem to think that SE needs to take care of it. It would be a bad, bad move on their part to just give him his account back.


I'll remember your retarded logic the next time someone leaves their leased Jag running in the ghetto and someone steals it, then they cry to the insurance company about it.
#258 May 21 2007 at 12:50 PM Rating: Default
***
3,261 posts
Erawyn wrote:
Add that to the fact that there's not even something as simple as a security question, to which you don't type in the answer too often and will probably get overlooked on a keylogger if you get rid of it quickly, is outrageous


Is this the only online game that you've ever played? How many other games do you know that have a security question? Actually, how many websites do you even know of that have a security question besides major financial institutions? There aren't many. Plus as stated before, that can still be grabbed with a keylogger just as easy as a username and password. It's redundant. Just another little thing some websites use to make people feel all warm and cozy that their information is being protected. It doesn't do jack crap. As stated before, multiple times, this being yet another one, the only way this would be beneficial is if you had your username/password/security question answer in a text format somewhere and would copy & paste them into the fields. This protection is again, only as good as the user's ability to do it. As far as I'm concerned logging in takes too long already, I don't want to add steps. I'm smart enough not to download keyloggers and give up my account information. It's not my fault others aren't. Use your head a little bit, I know it might hurt some, but the pain will go away. ANYTHING SE does to the log in, ANY questions that need to be answered, ANY actions that you are required to perform to log in to POL, can be duplicated by ANYONE else if you give them the information to do so, which is exactly what the OP did in this case, even if it wasn't willingly. Get it through your damn heads!
#259 May 21 2007 at 12:52 PM Rating: Default
***
3,261 posts
Erawyn wrote:
Quote:
He compromised his own security, and you people seem to think that SE needs to take care of it. It would be a bad, bad move on their part to just give him his account back.


I'll remember your retarded logic the next time someone leaves their leased Jag running in the ghetto and someone steals it, then they cry to the insurance company about it.
And that is relevant how?

Apples and oranges buddy.
#260 May 21 2007 at 1:08 PM Rating: Default
***
1,988 posts
Quote:
ANY actions that you are required to perform to log in to POL, can be duplicated by ANYONE else if you give them the information to do so, which is exactly what the OP did in this case, even if it wasn't willingly. Get it through your damn heads!


Quick Question.

Would requiring info that is not used or typed in (address, phone number etc.) that is only entered at account creation, used as a verification for password changing, be a good security measure against account stealing? This would not save stupid people who allow their password and ID to get stolen from losing all their gil and gear and possibly the person deleting their character, but at the least they might still be able to keep their character.
#261 May 21 2007 at 1:27 PM Rating: Default
***
3,261 posts
DancerRonin wrote:
Quote:
ANY actions that you are required to perform to log in to POL, can be duplicated by ANYONE else if you give them the information to do so, which is exactly what the OP did in this case, even if it wasn't willingly. Get it through your damn heads!


Quick Question.

Would requiring info that is not used or typed in (address, phone number etc.) that is only entered at account creation, used as a verification for password changing, be a good security measure against account stealing? This would not save stupid people who allow their password and ID to get stolen from losing all their gil and gear and possibly the person deleting their character, but at the least they might still be able to keep their character.


That's true. But no matter what, the 'thief' would be able to log in with your character whenever he wanted. So he logs in, and cleans you out. You retain your character, but who's to stop him from logging in again as soon as you've received more goods and just taking them all over again. That is of course, unless you were smart enough to download spysweeper or something and then remove the keylogger, but this would still require the user to actively protect his computer. But yeah, at least you'd be able to retain your character.
#262 May 21 2007 at 1:31 PM Rating: Default
***
1,988 posts
Quote:
That's true. But no matter what, the 'thief' would be able to log in with your character whenever he wanted. So he logs in, and cleans you out. You retain your character, but who's to stop him from logging in again as soon as you've received more goods and just taking them all over again. That is of course, unless you were smart enough to download spysweeper or something and then remove the keylogger, but this would still require the user to actively protect his computer. But yeah, at least you'd be able to retain your character.


Thanks, that's the kind of solution I was looking for. It's a fact of life that most people have this mentality of invincibility........until they are the victim of a crime.

I had a similar thing happen to me. Came home one night, plopped down on the couch and forgot to lock the door. Got robbed at gunpoint when the gunman just walked into my home. The door is always locked no matter what now.

Basically I think SE should implement something like above because I guarantee after a person loses all of their stuff they will take their comp security more seriously and at the same time SE will not have to worry about questions of not stepping in to return accounts.
#263 May 21 2007 at 1:39 PM Rating: Default
Scholar
****
6,631 posts
There is still a question if someone would pretend to have their character stolen, which no way... SE can tell at all. You cannot assume someone is asking a character restoration because it being stolen as being good motivated.

I guarantee you, the moment SE let restoration of account theft goes too easily, it will open the flood gates. Heh, I bet GSs can take advantage of that too.

Even when banks tackle identity theft, they demand a LOT of your personal information to prove you are the real person who claims that, but not some Jack Doe who is trying to start a hoax.

Be careful what you ask for internet security and procedures to counter it. Well... One thing I will definitely say is that no sane and smart company or individual will do things that compromise their own network.

Edited, May 21st 2007 5:41pm by scchan
#264 May 21 2007 at 9:26 PM Rating: Decent
**
724 posts
How does this thread have 6 pages? Oh right, Alla.

Quote:
This is all I can hope for~ Call me a @#%^ing idiot for even checking the file, that's pretty much how I feel. However immediately after checking the file, I knew what it was, but all the traps were in place, and there was nothing I could do. This was a hell of a plan, and it worked~


Brilliant? Hardly.
#265 May 22 2007 at 5:34 AM Rating: Default
***
3,261 posts
It has 6 pages because it turned into a discussion about whether or not SE/POL should be held responsible for this, or whether or not they need to change their security or the procedure of logging in. It really shouldn't have lasted more than a few pages. Basically, scchan made it very clear why it's not their responsibility/fault.
#266 May 22 2007 at 5:44 AM Rating: Decent
*
106 posts
Responsibility goes to SE to get this fixed. Nuff said, nothing more to see here.
#267 May 22 2007 at 5:54 AM Rating: Default
Yeah, because SE is to be held responsible for people loading unknown files off the Internet.

'tards.
#268 May 22 2007 at 5:54 AM Rating: Decent
Daboder wrote:
It has 6 pages because it turned into a discussion about whether or not SE/POL should be held responsible for this, or whether or not they need to change their security or the procedure of logging in. It really shouldn't have lasted more than a few pages. Basically, scchan made it very clear why it's not their responsibility/fault.


No, scchan did not. And this thread is 6 pages because people like you and him are too stubborn to concede that SE's reaction to this type of event is ridiculous.

I have already answered this argument here. In that post, I clearly identify the following:

1. SE's policy is very clear. They are not legally bound to do anything.
2. SE's policy is stupid for reasons clearly outlined in the other post.

#269 May 22 2007 at 6:12 AM Rating: Default
Scholar
****
6,631 posts
1) Reinstating accounts easily can be easily taken advantage of by people who buy/sell accounts.

2) If too many resources are spent to investigate account hacking, there are fewer resources for developing new content or supporting players that are really having issues in the game (like bugs in the game, dealing with botters and RMT).

Answer point 1 and 2 first before further argument. If you are one of those people who expect to get stuff without paying the cost, you forfeit the right to answer.

3) Most important: If you want a good online experience with any internet things, use common sense and learn computer security 101 first before doing anything else. If not, you are just looking for trouble. This argument should not have started to begin with if people just used a little bit of their head. Arguing whose responsibility it is is completely foolish, because this argument should not have occurred to begin with. People who got identity theft over the internet are doing nothing but wasting their own time trying to deal with the consequences when it is so easy to prevent.
#270 REDACTED, Posted: May 22 2007 at 6:27 AM, Rating: Sub-Default, POL security is fine because:
#271 May 22 2007 at 6:31 AM Rating: Default
***
3,261 posts
StubsOnAsura wrote:


No, scchan did not. And this thread is 6 pages because people like you and him are too stubborn to concede that SE's reaction to this type of event is ridiculous.

I have already answered this argument here. In that post, I clearly identify the following:

1. SE's policy is very clear. They are not legally bound to do anything.
2. SE's policy is stupid for reasons clearly outlined in the other post.


You can think their policy is stupid all you want, you're entitled to your opinion. I and scchan are both thinking/speaking logically. As a company they have to have policies like this to protect themselves. If you don't like it, STFU&GTFO, because they aren't going to change that policy for you or anyone. Go play any other online game and see what is in their TOS. It will all be along the same lines. SE is not your momma and they are not gonna kiss your boo-boos. If you F-up, that's your problem. Don't F-up and there will be no need for these stupid arguments.

As for me being too stubborn to concede, you really are full of yourself. It's not about being stubborn. That statement has the implication that I'm holding my ground against my better judgement, which is not the case. Any business needs to have these safeguards, it's not about whether or not they care about their customers. What should their reaction be?? "Oh here ya go Hiro, you tried downloading a program from someone you didn't know because you thought it was a way to get cheap gil, and got your account stolen, but we'll just give it back to you, and, oh what the heck, here's another million gil to go play with." Is that the type of reaction you'd expect to see? I don't know what planet you've grown up on, but here on earth, it's a cruel, cruel place. Things don't always go the way you want them to, or think they should. You keep coming back to the same stupid point saying that SE needs to do something different. Why should they take it in the *** that Hiro did something stupid????

I've already sent Hiro a PM saying that I really hope they do something for him. It sucks, I know it does, but as scchan stated, if they roll over for this one, it will open the floodgates. Why is that so hard for you to understand?

Edited, May 22nd 2007 9:50am by Daboder
#272 May 22 2007 at 6:36 AM Rating: Decent
scchan wrote:
1) Reinstating accounts easily can be easily taken advantage of by people who buy/sell accounts.


As I said in my argument:

"it would then be incredibly easy for SE to simply reset the password, disable the account, or take a number of other corrective actions."

Your argument is not solid, because either extreme end of the situation results in the malicious person(s) being able to manipulate the system. Are you trying to say that you would rather the crooks be able to steal without fear of consequence than have one or two individuals take advantage of a system designed to prevent such theft? (and by theft here, I mean theft of time and effort and reputation)

At least if an individual were to try to take advantage of the latter, it would more likely than not be caught after the first few attempts, whereas the current system allows continuous and unrestricted grief.

scchan wrote:
2) If too many resources are spent to investigate account hacking, there are fewer resources for developing new content or supporting players that are really having issues in the game (like bugs in the game, dealing with botters and RMT).


I'm sorry, but what the hell do you think the customer relations team is for? While I agree that every single incident cannot be addressed as if the world were crashing down upon the player, certain incidents imply widespread malicious activity and warrant further investigation, rather than a mere shrug of the shoulder. It would take a team of no more than 1-2 customer relations employees and MAYBE 1 developer to fully investigate this issue and determine a) the scope of the problem and b) the best course of action.

scchan wrote:
Answer point 1 and 2 first before further argument. If you are one of those people who expect to get stuff without paying the cost, you forfeit the right to answer.


This is probably the most intelligent (if not accidental) counter argument I've heard so far. I know I absolutely would not be opposed to a "research fee" being applied in this situation. This fee could go as high as $100.00-$200.00 and still be reasonable I think. It would act as a deterrent for those attempting to fraud the system, and would also allow SE to recoup at least some of the expense of having to investigate the issue. Additionally, it would be the icing on the cake in convincing the victim to be more cautious in the future.

scchan wrote:
3) Most important: If you want a good online experience with any internet things, use common sense and learn computer security 101 first before doing anything else. If not, you are just looking for trouble. This argument should not have started to begin with if people just used a little bit of their head. Arguing whose responsibility it is is completely foolish, because this argument should not have occurred to begin with. People who got identity theft over the internet are doing nothing but wasting their own time trying to deal with the consequences when it is so easy to prevent.


Very true, but do you expect perfection out of every thing in life? If so, you're in for a long road of many terrible disappointments. IMO, it is ludicrous for you, SE, or anyone else to expect that 100% of its customers exercise 100% caution in any and all online endeavors, and there has to be some allowance for stupid mistakes in any event. If 98% of the customers never have any problems, are we (or SE) to deny assistance to the 2% who @#%^ up strictly on the basis of the "You were too stupid to listen" principle? I think not...

Edited, May 22nd 2007 9:39am by StubsOnAsura
#273 May 22 2007 at 6:38 AM Rating: Decent
And Daboder, shut your god damn mouth already. At least Scchan tries to present counter arguments... all you do is throw insults and continue being pretentious. Do you have any idea how stupid you're making yourself look?
#274 May 22 2007 at 6:50 AM Rating: Good
**
504 posts
GM[Dave] ridiculed people who accidentally throw their Bomb Cores, saying it was their fault they were stupid. Reading his essay, I thought "This man is going to be very bitter if he ever tosses his Bomb Core." This thread reminds me of that.

I agree that it's silly to download an unknown file. In the OP's case, curiosity got the better of him, and he decided to take a look and just see what the file was. He thought that if he did not run the .exe file that his system wouldn't be hacked. Unfortunately, he was wrong.

I don't think he was stupid. I think he was morbidly curious, and ignorant of the technical issues (at least, as ignorant as I was before reading this thread). Even if he was a complete idiot, though, and downloaded and ran an .exe file, I'd still feel sorry for him. He's been playing for years, and has put a lot of work into his char.

I'd feel terrible if my account got hacked and I lost my char, no matter whose fault it was. At least I have friends who would offer support.
#275 May 22 2007 at 6:57 AM Rating: Default
Scholar
****
6,631 posts
Quote:
If 98% of the customers never have any problems, are we (or SE) to deny assistance to the 2% who @#%^ up strictly on the basis of the "You were too stupid to listen" principle? I think not...


The thing is I have a strong gut feeling that it is a lot more than 2% of the people who are "being stupid" over the internet. I was raised in a "No Pain No Gain" "Failure is the mother of success" philosophy; if you fooked up, you suck it up and try again.

I receive tens of spam every day. Of course I delete them all, but the fact spammers continue to send them, it means there are enough idiots out there who click the links of spams. While your ISP, SE, IRC networks, or whatever take efforts to make countermeasures against identity theft, DDOS, spammers, it really takes very minimal manpower and computing cost (run a script or a program) to do things like the OP has seen or send spam or launch a DDOS attack. But it takes a heck of a lot more (say 10-20x, an arbitrary number) people, time and money to take countermeasures against them. Yes, it sucks to be denied help to recover the account, but a lot of SE's decision against helping has a lot of money and network security sense behind it. It would be nice if people like the OP get helped, but really... it is a difficult issue.

There is another thread started today that a similar hoax is now attacking LS websites, and guess what... People got tricked. Sometimes you just do not know what is in those people's heads. And it seems for that case, it is a former/current FFXI player who started that hoax. People really need to "get a life" (like get a job, go to school, or even go traveling for vacation or go watch a pro-sports game), instead of being a person who has nothing better to do but to harass people over the internet. It should be shameful to have nothing to do in RL; you are just wasting your own time.

Quote:

I don't think he was stupid. I think he was morbidly curious, and ignorant of the technical issues (at least, as ignorant as I was before reading this thread).


"Untutored courage is useless in the face of educated bullets" is a quote from famous US general G Patton. Being curious is one thing, but there is a difference being smart and curious, and putting a finger into flames to see if it is hot.

Edited, May 22nd 2007 11:00am by scchan
#276 May 22 2007 at 7:02 AM Rating: Default
scchan wrote:
Quote:
If 98% of the customers never have any problems, are we (or SE) to deny assistance to the 2% who @#%^ up strictly on the basis of the "You were too stupid to listen" principle? I think not...


Way to scroll to the bottom of the post and only read the last part...
