More on Rift hacking

Saw this post on RiftJunkies:

RIFT Junkies NOT The Source of Account Hacks

Despite the odd title (I guess people were accusing them?), they link to a thread in the official forums where someone claimed to have found an exploit in Rift’s login system that let him log into a friend’s account without knowing the password:

Here’s a link to the post. It’s a huge thread, so I’ll summarize. The person then said he’d been in contact with Trion and, later, that a fix was incoming.

Assistant Community Manager Elrar responded in that thread:

All,

We have some things in the works right now and have been passing on your feedback, concerns, and thoughts throughout the day (no matter how radical or unlikely).

Sharing sensitive information about our actions (no matter how broad) naturally also informs those carrying out these attacks. This puts us in a tight spot with how much information we can provide, and the questions we can answer.

Apologies we can’t be more forthcoming at this time, but we appreciate your understanding – it’s always our goal to ensure you can play and enjoy the game securely, and unfettered.

Thanks everyone,

After this, the original poster referred non-believers to this thread, which is about an emergency server restart having to do with Account Security (this was on the 18th).

Later still, the original poster was back with, among other things, this to say:

Last but certainly not least, I must also sing the praises to Trion. Most companies do their level best to hide critical security issues and sneak in fixes. Trion responded to the news by contacting me within the hour, discussing the details in detail, and responding within minutes of getting info that they verified the issue and were expediting a solution. A couple hours later, everyone gets to try out Coin Lock and the hole is plugged with steel-reinforced concrete under twelve feet of kevlar policed by sharks with frickin’ lasers on their frickin’ heads.

And later:
Got word back from Steve Chamberlin, the development lead for Rift. This hole is sealed.

That’s not everything but those seem to be the salient points.

It sounds like the hacks were more or less random. You could log into your account and then log into some other random account. If you had a piece of info (as yet unspecified, but apparently not email or password) you could target a specific account, but it sounds like most people using this exploit were just jumping into whatever account was randomly exposed to them.

So we’ll see. Hopefully things will be better now.

[Updates:
Zam has an interview with the user who discovered the exploit.
Scott Hartsman’s post about the situation.
]

Rift and hacked accounts

Disclaimer: I am not a security expert.

I’ve been seeing a lot of talk about folks getting their Rift accounts hacked. Most often the #1 question is “How did this happen?” People go crazy examining their systems for key loggers or other malware that might be delivering their credentials to some hacker.

I have my own theory on what’s going on. Part of it is Trion’s fault, part of it is the internet’s fault. I don’t think we’re seeing a massive key logger issue here; at least not one on our home computers. That’s assuming the problem is as extensive as the community seems to think it is.

I think we’re seeing an organized, brute-force hacking attempt across a multitude of accounts. If you’ve never read about rainbow hash cracking, now might be a good time to do so. Note the first lines of that post: “The multi-platform password cracker Ophcrack is incredibly fast. How fast? It can crack the password ‘Fgpyyih804423’ in 160 seconds.” And that post is from 2007; you can imagine how much faster these cracking software packages work today.

[Update] Glad I put the disclaimer about not being a security expert in there. According to a friend on Twitter (who I won’t credit just so as not to put him in the spotlight) in order to use these rainbow tables, the hackers would first need to have access to Trion’s database of hashed (encrypted) passwords. Or, of course, a dump of any other database of passwords where you used the same password. So I may be off-base in my whole theory. [End Update]

So what can you do? Honestly, not very much. I think Trion stumbled when they limited password length to 16 characters. Coding Horror’s Jeff Atwood promotes the idea of passphrases. So instead of “!ah84&nah3” as a password (which can be cracked pretty quickly using rainbow tables) your password might be “IreallyLove_Rift_(because)all(!)myhawtfriendsplay!” My understanding is (again, not a security expert) that a password that long is going to be hard to crack even with rainbow tables, because the table it would require would be so freaking huge. There’s a little bit of a “When a bear is chasing you, you only need to be faster than your friends” thing going on. A lengthy password takes you out of the “low hanging fruit” demographic.

For me, that long passphrase is also easier to remember and faster to type than !ah84&nah3, but maybe I’m just weird.

Anyway, the point is moot since Trion limits us to 16-character passwords.

I’m also not sure about having to use your game login credentials to log into the forums and website. How many people log into the forums from public Wi-Fi at a coffee shop or something? Since the site and forums use https:// to log in, they *should* be secure, but I still feel uneasy about that.

Anyway, the good news is… well, there isn’t really any good news, except that if you get hacked don’t pull your hair out examining and re-examining your system looking for key loggers.

The best you can do at this point is to use all 16 characters of your password and definitely mix in punctuation. But I suspect that the gold farming companies that are doing all this hacking are using rainbow tables that cover punctuation. Also make sure you’re using a unique password for Rift, not one you use on other sites.
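To put numbers on the passphrase argument and the 16-character cap discussed above, here is a small added example of my own (not from the post, the forum thread, or Trion) in Python: it sizes the search space a rainbow table or brute-force run must cover for the two passwords the post compares and for the best case under a 16-character limit, and shows why the Twitter friend is right that a precomputed table only helps against a dump of bare, unsalted hashes. SHA-256, the per-account salt, and the tiny candidate wordlist are assumptions; the post does not say how Trion stores passwords.

```python
import hashlib
import math
import os
import string
# The two passwords the post compares, plus a couple of constructed candidates.
SHORT = "!ah84&nah3"
LONG = "IreallyLove_Rift_(because)all(!)myhawtfriendsplay!"
CANDIDATES = [SHORT, "password1", "Fgpyyih804423"]  # constructed wordlist

def keyspace_bits(password: str) -> float:
    """Search space in bits, treating the password as a random string over
    the character classes it uses. Every extra character multiplies the
    rainbow table (or brute-force run) by the alphabet size."""
    alphabet = 0
    for cls in (string.ascii_lowercase, string.ascii_uppercase,
                string.digits, string.punctuation):
        if any(c in cls for c in password):
            alphabet += len(cls)
    return len(password) * math.log2(alphabet)

def cap_bits(max_length: int) -> float:
    """Best case under a length cap: all 94 printable ASCII characters."""
    full = string.ascii_letters + string.digits + string.punctuation
    return max_length * math.log2(len(full))

def precomputed_table(candidates):
    """Tiny stand-in for a rainbow table: hash -> plaintext, built once and
    reused against any stolen hash dump (SHA-256 is an assumption here)."""
    return {hashlib.sha256(p.encode()).hexdigest(): p for p in candidates}

def crack(table, stored_hash):
    """Succeeds only if the site stored the bare, unsalted hash."""
    return table.get(stored_hash)

def store_salted(password: str, salt: bytes = None):
    """Defender side: a random per-account salt means no table built in advance matches."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.sha256(salt + password.encode()).hexdigest()

def demo():
    table = precomputed_table(CANDIDATES)
    unsalted = hashlib.sha256(SHORT.encode()).hexdigest()
    _, salted = store_salted(SHORT)
    return {"short_bits": round(keyspace_bits(SHORT), 1),
            "long_bits": round(keyspace_bits(LONG), 1),
            "cap16_bits": round(cap_bits(16), 1),
            "unsalted_cracked": crack(table, unsalted),
            "salted_cracked": crack(table, salted)}
```

The long passphrase lands around 320 bits of search space against roughly 61 for the short one, and even a perfect 16-character password tops out near 105; the salted lookup fails regardless of length.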

Hopefully the Coin Lock feature will be the first step in putting an end to this outbreak of hacking (but I suspect the hackers will quickly start spoofing IP addresses to get around it), and I’m looking forward to Trion’s future anti-hacking techniques like authorization via email/SMS or smartphone authenticators.

Last thought: If you’re buying gold, you’re part of the problem. Remember that the gold you’re buying most likely originated from a hacked account. By creating demand, you’re encouraging hacking.