- the StarOnion – FFXI Fenrir to FFXIV Excalibur - https://www.staronion.com/maiev/nfblog -

Login Verification (Account Security)

Posted By Maiev On In Final Fantasy XI | 7 Comments
Login Verification, Account Security, FFXI, Square Enix

Securing your Membership Info!

Somepage is fuked again

So like if you read the BG… you’d notice there are people getting hacked again. Our famous Somepage exploit is back. You can read more about it on BG [1]. There’s even a thread on BG regarding trojans on Dynamis websites. Also it looks clean but.. here it is on BG [2]if you want to read about it.

So I’m going to outline a few things that a lot of people might miss, that can significantly help you prevent or reduce the loss of your account should it gets compromised.

There are two possible ways the hackers to jack your account.

For Saved Password: Jack the FILE that stores your auto login/pw information OR
For people who Type their Password: Simply “Take Screenshot” of your desktop when POL.exe is launched (which gets your POL Login ID), and keylogged what you type in to counter those that “type” in their password.

Either way… if your PC gets compromised, you’re fuked. So I’m going to go over simple stuff that a lot of people forget, to minimize the impact should you be the unlucky person to have their account jacked.

Enable Login Verification, FFXI, Account Security, Square Enix [3]

Enable Login Verification

Enable Login Verification

Lots of times when a hacker gains control of your account, they will change your password, payment information and yada yada, but did you know there was a mechanism built into PlayOnline Viewer that asks for your password once more? If you get keylogged then this wouldn’t do a thing (people that rather type PW over using the save password feature) BUT if the hacker simply “steals” the file that saves your password, then it won’t help since that file only contains the encrypted version of your password but POL asks you to type the “real” password.

The “Login Verification” features asks your password one more time when you login to the members section, where you can perform world transfer, change payment information etc. If you got keylogged because you rather type your password everytime then this won’t help you but… if you use the Save PW feature, then this would save you! Here’s how you do it

  1. Login to PlayOnline Viewer (4th Button)
  2. Membership (4th Button)
  3. Click the Pull Down menu and go all the way to the bottom, LOGIN VERIFICATION
  4. Change it to ON, and hit Confirm!

Next time you login to the members section (you or the hacker), it will asks your your password! Make sure you DO NOT SAVE that password, else it defeats the whole purpose of it.

Save or Type Password?

For the longest time, I’ve been typing it thinking its more secure but ever since I found out about that feature.. roughly a few months ago.. I just use Auto Login. The reasoning why is.. say I got the whatever program… that attempt to jack my PW. They find out I use Auto Login, so it sends that “file” to the hacker. He gains the ability to “auto login” to my account. Great, we’ll just play kick each other off game but.. when they try to access the POL page and change PW/Payment, it will ask for their password and since that file contains an “encrypted/scrambled” version of the password and PlayOnline is requesting the “real” password… so that means they cannot login to the members section. In that case I’ll keep playing kicking each other off game until a GM locked my account, and ask a friend with a secure PC to change the PW FOR ME (don’t change it yourself… I mean you’re PC was already compromised in the first place).

They might probably have a script that auto change PW etc but hay, without the real PW, still not too much use!

For those that still aren’t convinced, here’s a line from the “Windower” people.

Save your PlayOnline Password!!!! – No, The trojans ARE NOT downloading your saved password file and decrypting it. The recent trojans have been investigated and they are simple key loggers, they are not stealing files, and to our knowledge the encryption scheme has not been cracked by the RMT yet.

Saving your password is a great idea, as you no longer have to type it to log in! Cant be key logged now.

If you have people who use your PC, simply put a ‘Member Password’ or what ever its called on your login account. Thereful you still need a password to login, but MAKE THIS PASSWORD COMPLETELY DIFFERENT!
So if you do get key logged, they get a completely useless password.

At worst, they can steal the file and login with it, but without your current password they can not take it over. so, while not a fully safe solution, it still helps protect you from permanently losing your account (and being transferred, doesnt that require your password?). If your security is broken and you get hacked, I think youd least be happy knowing you got to keep your account — also you can keep knocking them off if your online when they attempt to and change your password quickly and stop them before they even get a chance. Saving your password into POL gives you more options to keeping your account even if you do get hacked.

Source: Windower Forum. [4]

Although its not a 100% safe solution, at least you still have ownership of the account. Rather than waiting for a week so they can have all the time in this world to liquidate your account.

For saved passwords, you’d never have to type your password in any given time so… if they wanna steal your stuff, they got to “auto login” and by then, you would have notice. But at least what they don’t have is your real password, so they cannot change infos. But if you type in ur PW everytime. Sooner or later you got to type in ur PW and its more risky to type, then you’re increasing your chance of exposing your password. So.. just save it. Doesn’t sound too secure, but with Login Verification, its more secure than typing.

Safeguarding your PC / Browser.

If you still have Real Player.. just remove that piece of trash. If you really need Real Player because you need to watch .rmvb like me, install the “codec” itself. A codec is a piece of program that instruct your computer how to play a video. With the codec, even Windows Media Player can play Real Media files! You can download Real Alternative here [5].

If you’re bored, you can read another article where I outline basic account security [6]. Stuff which you might not have thought about.

And last but not least… seriously.. don’t use somepage. If you want the Power Search. FFXIAH (or Scragg), has been actively working in the back end to improve all kinds of security. From installing/configuring server firewalls, blocking out threats, changing to other advertising agencies (the same one as allakhazam), coding a home-grown message board/PM system to even getting a service that rings his phone should there be a treat to the AH server. So like… honestly… don’t worry =P. The advertisement does suck but.. its hard to dish out a few hundred bucks per month running FFXIAH, something even Scragg doesn’t want to do but must.. to keep it free…

Don’t use IE =P Its been said multiple times :) Its a piece of crap :3