Coffeehouse Thread

25 posts


Windows ID and Hackers

  • Craig_Matthews

    cheong wrote:

    Since you mentioned this, I want to bring up another more serious "daisy chaining" issue - password recovery question.

    You see... there are a lot of websites providing similar question sets for users to recover their passwords. But AFAIK, while most of the companies store passwords in encrypted form, more than a dozen of them I know of store answers to such questions in plain text. (So their CS staff can read them and confirm customer identity on the phone.)

    Remember the 2 big password database leaks earlier this year? What happens if the hackers target these questions instead of these (supposedly) difficult-to-recover passwords?

    What's worse? A lot of these companies happen to store the password recovery email address in plain text too! That means if you use similar password recovery questions in the email service you use to receive the recovery password, the hacker would know what "question and answer" to use for breaking into that email account.

    If you happen to be a developer maintaining such systems, please be sure to at least apply some basic two-way encryption to them, or in one of the next waves of network attacks your company will have an embarrassing moment. Thank you for your attention.

    Good timing. Blizzard just had a slew of email addresses and the answers to secret questions compromised. http://us.battle.net/support/en/article/important-security-update-faq#1


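Added example (not code from this thread or from any of the companies mentioned): one way a developer could store recovery answers so CS staff can still confirm a caller's answer over the phone without ever being able to read it. It goes further than the two-way encryption suggested above by storing a salted one-way hash (PBKDF2) of a normalised answer, which also imposes no length limit on the answer; the function names and the record format are my own.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional

ITERATIONS = 200_000  # PBKDF2 work factor; tune to your hardware


def normalize_answer(answer: str) -> str:
    """Canonicalise an answer so trivial variations still match.

    Case-fold, strip accents and collapse whitespace so that
    "Van  Buren" and "van buren" verify against the same record.
    """
    decomposed = unicodedata.normalize("NFKD", answer)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(stripped.casefold().split())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, ITERATIONS
    )
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_answer(record: str, candidate: str) -> bool:
    """Check a caller's answer against the stored record in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        normalize_answer(candidate).encode("utf-8"),
        bytes.fromhex(salt_hex),
        int(iterations),
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    # Constructed sample: the answer a user registered for "mother's maiden name".
    record = hash_answer("Van  Buren")
    print(record)                              # the record reveals nothing about the answer
    print(verify_answer(record, "van buren"))  # True
    print(verify_answer(record, "van burn"))   # False
```

A leaked table of such records gives an attacker only salted hashes to grind through, and because the answers are normalised the support desk gets a plain yes/no for whatever the caller says.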
  • evildictaitor

    Craig_Matthews wrote:

    *snip*

    Good timing. Blizzard just had a slew of email addresses and the answers to secret questions compromised. http://us.battle.net/support/en/article/important-security-update-faq#1

    Screw email addresses and secret questions. Blizzard has much better information than that which might have been leaked.

    http://us.battle.net/support/en/article/battle-net-terms-of-use-form;jsessionid=EEE6938D2D5D542A9B6676A59F05A242.blade32_02_bnet-support

    So Blizzard basically has access to each player's:
    * Email address
    * Full name
    * Full Address
    * Credit card information
    * Their answer to a secret question (e.g. Mother's maiden name)
    * A scan of their passport, drivers licence or other non-expired government issued ID.
    In other words, Blizzard has enough information about most of its players to get a mortgage out in their name, and they just got hacked :/
  • cheong

    @evildictaitor: *facepalm*

    While they need this information only in the situations described in the article, let's hope they don't store these documents for longer than they're needed.

    Recent Achievement unlocked: Code Avenger Tier 4/6: You see dead program. A lot!
  • Sven Groot

    @Craig_Matthews: The real problem with "secret questions" is that they're often predefined questions, and most of the time they're things that anybody who knows me reasonably well would be able to answer. Heck, most of the answers to questions like that (mother's maiden name, birthplace) can be found on Facebook.

    Even more ridiculous is if there's a length restriction on them. I can't help it that my mother's maiden name has only five letters, and all our pets had four letter names.

  • Proton2

    @Sven Groot: I have heard of the suggestion of creating a fake persona for those "secret questions". There is no reason that your answers have to have anything to do with the question.

  • AndyC

    cheong wrote:

    @evildictaitor: *facepalm*

    While they need this information only in the situations described in the article, let's hope they don't store these documents for longer than they're needed.

    No. Just really no. There is absolutely no reason a video game manufacturer should ever need that much information about someone. I mean, a scan of your drivers license FFS! It's a video game we're talking about here, not a matter of national security.

    It's about time companies started getting heavily fined for over-collection of this sort of data and doubly so if they then manage to leak it all over the place. Although I also hope this makes at least some people think twice about whether handing this information over to a third party is an appropriate risk for the service they're receiving and to vote with their wallet when it clearly isn't.


  • cheong

    @AndyC: I think those extra documents are probably needed to set up account linkage to a bank because of the real money auction house. In some sense you can see a battle.net account as a real bank (stock market trading) account, so a similar set of proof documents would be required.

    Recent Achievement unlocked: Code Avenger Tier 4/6: You see dead program. A lot!