Security, security, security

First off, I like EVE Online so far, a bit pricey and yet nice to play even FTP.
But then: Security Issues.

Let’s say I want to play for a year or so, and then with that comes making payments.
The ‘secure’ page isn’t coming from a single domain, but is like spaghetti
that has been sitting in the oven for two days.
FACT: Linking outside a secure payment page, not from the same domain,
is like asking for trouble. All content should come from the same domain,
for the security to be highest, if any of the outside linked stuff has a security breach
in it, you inherit it. So leave Facebook, Bing, Adnx and whatever out of it,
and only use stuff from the secure payment page’s domain.

After much consideration, and an unwilling wallet, I wanted to buy the $16 deal,
with the destroyer and such, but it wasn’t like “YES!!!”, more like “Umm… well, okay then.”
Then my browser starts by disallowing all the outside sites involved into making
the ‘secure’ page. And nope, I’m not gonna allow a whole slew of outside stuff
into a secure payment by CC.
So, too bad, not paying anything through this page any day soon.

Then, for players’ accounts, I also read about how many people got their accounts hacked,
and I wonder if after 1 year I’d like to get hacked or such. Big fat “NO!”.
So, if you wanna make people’s accounts secure, if they’re worth it,
offer two-factor authentication through SMS, yes, phone.
A small fee for the SMS sent, possibly payable in PLEX, like 1 PLEX,
and now people get their secondary login info by phone.
This makes for really good security, but instead you use a software tool.
Not good. If they want to hack someone, they can use keyboard logging,
they know about the tool, and whatnot. So, once again, bad idea.

The two-form setup, I’d call it “Two-Form PLEX authentication”, would make any account
as hackproof as it can be, from the user’s perspective. And at minimal cost,
since 1 PLEX is about $0.05 or 2.5M ISK bought in-game.

Now, I don’t think anyone at CCP will actually go through the trouble of even reading this,
since all they have to do is kick back and watch the money roll in, but if they do,
well, here it is.

If the ‘secure’ page ever gets stripped of anything but the payment domain, then maybe
I’ll start paying.

Anyways, that’s my 2 cents for now.
I’m going back to my Alpha gaming, hoping for something to improve.

FYI: Ask Moxie Marlinspike to try and check your security, he’s awesome.
(You can look on YouTube on some presentation he’s given on security.)

CCP doesn’t process payments; there will always be a 3rd-party payment processor domain listed there, just like most of the internet. You must not buy a lot of things online. Are any of the domains in question not served via HTTPS? If yes, then you might have a valid concern; if they are all secured, then you’re just being as paranoid as the person who came into our store today because she doesn’t want to use cookies on the website lol

3 Likes
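The question raised in the reply above (which of the page’s resources come from a third-party domain, and are any of them not served over HTTPS) is easy to answer mechanically. The following is an added example, not code from the original thread or from CCP: it parses a constructed checkout page (the host names in it are made up), lists every script, iframe, image and stylesheet origin, and flags the ones that are third-party or not loaded over HTTPS. The page URL passed in is likewise an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a checkout page. None of these hosts are real;
# they stand in for a first-party domain, a payment processor, and a few
# third-party trackers of the kind the original post complains about.
SAMPLE_PAGE = """
<html><head>
<script src="https://pay.example-shop.test/static/checkout.js"></script>
<script src="https://social.example-tracker.test/events.js"></script>
<script src="http://cdn.example-ads.test/ads.js"></script>
<link rel="stylesheet" href="/static/style.css">
</head><body>
<iframe src="https://processor.example-psp.test/card-form"></iframe>
<img src="//analytics.example-search.test/action/0">
</body></html>
"""


class ResourceCollector(HTMLParser):
    """Collects (tag, url) pairs for every tag that loads an external resource."""

    # Attribute that carries the resource URL for each tag we care about.
    TAGS = {"script": "src", "iframe": "src", "img": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = self.TAGS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                self.urls.append((tag, value))


def audit_page(html: str, page_url: str) -> list:
    """Return one finding per absolute resource URL on the page.

    Each finding records the origin it loads from, whether that origin differs
    from the page's own host (third-party), and whether it is not HTTPS.
    Relative URLs are same-origin by definition and are skipped.
    """
    page = urlparse(page_url)
    collector = ResourceCollector()
    collector.feed(html)

    findings = []
    for tag, url in collector.urls:
        # Protocol-relative URLs ("//host/path") inherit the page's scheme.
        if url.startswith("//"):
            url = f"{page.scheme}:{url}"
        parsed = urlparse(url)
        if not parsed.netloc:
            continue  # relative path, served by the page's own origin
        findings.append({
            "tag": tag,
            "host": parsed.netloc,
            "third_party": parsed.netloc != page.netloc,
            "insecure": parsed.scheme != "https",
        })
    return findings


def summarize(findings: list) -> dict:
    """Count third-party and non-HTTPS resources, the two things worth asking about."""
    return {
        "third_party": sum(1 for f in findings if f["third_party"]),
        "insecure": sum(1 for f in findings if f["insecure"]),
    }


if __name__ == "__main__":
    results = audit_page(SAMPLE_PAGE, "https://pay.example-shop.test/checkout")
    for f in results:
        flags = []
        if f["third_party"]:
            flags.append("third-party")
        if f["insecure"]:
            flags.append("NOT HTTPS")
        print(f"{f['tag']:<6} {f['host']:<35} {' '.join(flags)}")
    print(summarize(results))
```

On the constructed page this reports four third-party hosts (one of them the payment processor’s iframe, which is expected) and exactly one resource not served over HTTPS. A third-party script on a card-entry page is the thing to scrutinise even when it is HTTPS, because anything that runs in the page can read the form; the HTTPS check only tells you whether the transport is protected.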

You talk about security and then complain because you want one of the least secure MFA methods (SMS messages) vs an authenticator? I mean, I personally wish I could lock down my accounts with my YubiKey; however, I’ll take an authenticator over SMS any day.

I’ve been subbed since 2009, never had a single issue.

2 Likes

Just buy a prepaid CC under the name Mike Hunt and link it to a Gmail under the name Ben Dover.

Instant security.

Mr Epeen :sunglasses:

2 Likes

If only CCP had given any thought to two-factor authentication.

@CCP_Aurora @CCP_Convict @Brisc_Rubal @Mike_Azariah What do you think about CCP finally adopting this fresh feature idea?

There are already at least two different forms of TFA available: you can use a third-party authenticator (I use Google), and there’s email, where a code can be sent to your email account (which I have for one account that was an old Steam account).

Not sure why they need more than that. As for the SMS stuff, you’re talking about having to set up a global SMS TFA system. That seems a bit excessive when there are other options available.

6 Likes

As I mentioned above, the only one I’d like even more is support for a hardware key. But that is overkill. I’d only want it as I already use a YubiKey for so many other accounts. They certainly don’t need SMS, which is one of the least secure, probably only slightly better than emailing a code.

You don’t buy a lot of cappuccino coffees then? That’s the excuse for high game prices!!