If they encrypted your credit card number, they wouldn't be able to bill you. Credit card numbers are not stored encrypted, but MasterCard, Visa, and a slew of national and international laws require that they be stored in two separate databases. Typically, the first 6 and last 4 are stored together for routing purposes and the middle digits and CVC are stored elsewhere.
Besides, no matter how robust the encryption, if the baddies know that the credit card number contains only numbers, it'd be fairly trivial to crack it.
Which explains why they mentioned the first six and the last four digits were possibly -- though no evidence points to it -- compromised. Thanks for that information!
I imagine though that the verification process needs to go through MC/Visa somehow, and trying to brute force the middle numbers from a single location would raise lots of flags. Plus there's the CCV; do you know how vendors would have to work with that?
What makes this really disturbing is this happened in December of 2010; here it is April 2012. Why did it take Cryptic so long to figure out they were TRIBBLE?
I can't speak to that. But I can say that anyone who is posting on the forum about it not working has obviously not logged out. Because once you log out you can't get back onto the forum until you reset your password.
Well, I used my laptop where I'm not logged in and it doesn't work, but my issue is different. I have a PWE account with the same email as STO, as I played PWE games before they bought Cryptic but never merged my account. Now when I try to reset, it says my email is a PWE account, which it is, but not completely, lol, so I can't reset because it wants to reset my PWE account and not my STO one. I changed my PWE email now but it still thinks my old email is PWE.
There are a number of cryptanalysis techniques that can do an unsalted hash run on a massive dictionary and figure out what the salt is. It takes significantly longer, but if the economic reward is there it isn't hard enough to dissuade a good hacker. The real security that salting the hash gives you is that your hash can't be directly passed to some other authentication server to log into your account. Being able to "pass the hash" would bypass the need to crack your password at all.
As I posted above, it's only been in the last couple of months that we've started to see all the Account TRIBBLE threads on the forum. Prior to that I don't know that I've actually seen any since launch. Once it was clear there was a problem Cryptic started searching the database to find it. The hackers were slow at utilizing their hack - 1.5 years slow.
Any chance you could reply to my previous post, as per below? I suspect we're not the only ones having issues with this particular problem:
"My friend is a long time player and the e-mail address linked to his account is no longer active. He can therefore not receive the password reset e-mail.
Submitting a ticket to Cryptic requires him to login, which he can no longer do. In the interim, he's submitted a ticket on the Perfect World website, but as his account is a Cryptic account, he's not sure they'll be able to help him."
I don't really know that much about how MC/Visa do their fraud detection. The positive side for the consumer is that if the bad guy already knows the first 6, then his brute force attempts will hit both MC/Visa and the issuing bank. So you actually have 2 different companies that have a vested financial interest in looking out for and eliminating fraudulent activity.
BranFlakes posted an email link above where someone could contact Customer Service directly and work out the situation.
Cosmic, for some people, that's still not working. Others are logging in to find they no longer have any toons. Something weird is going on.
Have the players who are finding no toons not logged into the game in quite some time? If that's the case, their characters may be in the back-up database. Have them log out of the game and back in to the game. If this is still an issue, direct them to this post: http://forums.startrekonline.com/showthread.php?t=267893
And, again, for players who are trying to reset your password but are getting redirected to the frontpage, please log out from the forums/site and then use the links.
(As an aside, Brandon, aside from my prior post asking if Cryptic is going to apologize to the people who got tarred and feathered, thank you, personally, for keeping on top of this.)
we recently detected evidence of an unauthorized access to one of our user databases. The unauthorized access occurred in December 2010, and evidence of this has just been uncovered due to increased security analysis.
Way to be on top of things...Cryptic is such a ball of FAIL.
Oh something else... for those complaining about the downtime, look at Sony, as soon as they thought they had a problem they yanked the plug on everything, even the services they thought were still secure.
Personally I think it was the right thing to do, but I digress
Was something like a month of downtime I think?
Also, understand that as a network professional, I am not being sarcastic when I say the following:
Network security is HARD.
(That said glad I've always billed through paypal, where I use a completely unique password, and their authenticator.)
Some password security hints:
I don't care how long or complex they are, the important thing is they are not in the common dictionaries (look around on the net, you can find them).
Every email account you have should have a password that is used only for that account. Nothing else (bank, game, anything).
Any access that gets people close to your money directly, or that people can order things cross shipped without much effort, gets its own password. Bank accounts, Paypal, Western Union, Amazon.com.
Do not, repeat, do NOT use one of those silly password maintenance programs for anything important. You are allowing a single point of compromise. No financial, banking, insurance, etc. password should be saved anywhere on your computer. I keep mine with my will.
For things of lesser importance, for example games, forums, wikis, come up with a half dozen good but rememberable passwords and rotate through them; however, never, for example, use a password for game A on the wiki, information site, or third party forum for game A.
I have one 'throw away' password I use anywhere that's at the 'I don't care' level. Actually I've got 5, but the other 4 have been discontinued due to high suspicion that they've been munched.
One presumes if they got deep enough in they could recover the salt as well.
Well, I still need my problem looked at. I have a PWE account with my email I used before PWE bought Cryptic. The same email was used for STO. I never linked the accounts. When I try to reset my password it says my email is linked to a PWE account and gives me a link to PWE. When I try to reset it there, it tries to reset that account, not my STO account. I changed my email there to a second email I have, but when I try to reset STO it still has it linked to PWE. HELP! The only reason I can post is on this computer I had it set to keep me logged in. I have been trying this on my laptop where I am not logged in.
Yes, but it really doesn't matter if they do... Asymmetric cryptography is based on the concept of strong, one directional mathematics. The salt is applied alongside your password into a cryptographic algorithm in order to ensure your password is not the same in my database as another. However, I cannot use my knowledge of the salt to unsalt your hashed password, it just doesn't work that way.
Now, if they do know the salt, that can reduce the complexity of brute forcing your password. But it does not allow them to bypass the need to brute force.
To be fair, you never know how secure any sort of security is until it's cracked.
This being said, see my last post.
Wrong. By default, you NEVER encrypt user passwords to your database. You ALWAYS hash. There is no excuse for not doing so. That way, even if your database is compromised, important information is not lost.
That is just one of the few BASIC rules for any application...
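To make the two points above concrete (a salt gives every account a distinct record and is stored in the clear because the login check needs it; passwords are hashed, never encrypted, so a leaked table yields no passwords), here is an added Python example that is not code from this thread or from Cryptic. It uses PBKDF2-HMAC-SHA256 from the standard library; the function names, iteration count and sample passwords are my own choices.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

# PBKDF2 work factor, constructed for the demo; production deployments should
# use a higher count (or a memory-hard KDF) tuned to their own hardware.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a stored credential. Returns (salt, key); a fresh random salt is
    drawn when none is supplied, so two users never share one."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, key


def verify_password(password: str, salt: bytes, stored_key: bytes) -> bool:
    """Login check: re-derive with the stored salt and compare in constant time.
    The salt is needed here, which is why it sits in the clear next to the key."""
    _, key = hash_password(password, salt)
    return hmac.compare_digest(key, stored_key)


def same_password_different_records(password: str) -> bool:
    """Two accounts with the same password get different salts and therefore
    different stored keys, so a leaked table does not reveal shared passwords."""
    salt_a, key_a = hash_password(password)
    salt_b, key_b = hash_password(password)
    return salt_a != salt_b and key_a != key_b


def audit_stored_hash_against_blocklist(
    salt: bytes, stored_key: bytes, blocklist: Iterable[str]
) -> Tuple[bool, int]:
    """Defender-side audit: does this record match a known-weak password?
    Knowing the salt does not let anyone invert the key; every candidate still
    costs one full KDF evaluation. Returns (matched, kdf_evaluations)."""
    evaluations = 0
    for candidate in blocklist:
        evaluations += 1
        if verify_password(candidate, salt, stored_key):
            return True, evaluations
    return False, evaluations


if __name__ == "__main__":
    # Constructed sample credential and a tiny constructed blocklist.
    salt, key = hash_password("correct horse battery staple")
    print("login ok:", verify_password("correct horse battery staple", salt, key))
    print("wrong password rejected:", not verify_password("Correct horse", salt, key))
    print("same password, distinct records:", same_password_different_records("hunter2"))
    print("weak-password audit:", audit_stored_hash_against_blocklist(salt, key, ["123456", "password"]))
```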
Phew, thanks for the proactive approach. Been trying all morning to recover my reset password ... panic... stress ... then found the email in my Spam folder
It's a bit of a worry reading some Facebook comments. A couple of players have different accounts, or missing characters. Fingers crossed everything is where it belongs when I get home tonight.
Well that is disturbing. Can anyone who actually knows about the technical side of this type of situation explain how this happens?
I think it happens when people download some sort of Key Generator off the Internet and get their accounts TRIBBLE and months later Cryptic starts to detect account usage patterns that are all too similar across many accounts. To combat that, they figure that it'd be best to run a script on all accounts that had the same passwords for lengthy periods of time, say since launch. It's not the best course of action perhaps from everyone's perspective but I doubt they can do much else at this point.
OK, I would love to know why it took 2 years to figure this out...that's as bad as Sony's no response statements...really, Cryptic, your customers' financial data, passwords, usernames, everything that can be accessed with an email or @ handle with unencrypted passwords was at risk for 2 years before you got your act together and finally looked into it...this is just pathetically unacceptable and you need to seriously upgrade your firewall tech and coding to make sure this never happens again...hell, I wouldn't be surprised if someone sues you over this incident...:mad:
Cryptic is vigilant at protecting your account security and privacy
I'm sorry BF, but I don't believe this. It took you 16 months to find this issue, and to top it off I'm willing to bet that the ONLY reason it was found was the STOWIKI issue, which as you said has nothing to do with it, but it should have caused you to verify your security. The fact that you don't routinely verify it, when you have that much PII, is scary.
...customers financial data, passwords, usernames, everything that can be accessed with an email or @ handle with unencrypted passwords was at risk for 2 years before you got your act together and finally looked into it...
Is there any proof that that's exactly what happened?
"salt," "hash"... dammit, now I'm hungry....
And, if you don't remember the email you signed up with, email: customerservice@perfectworld.com
Cheers,
Brandon =/\=
IDK, just going based on the Facebook comments.
Use authenticator type devices wherever possible. If they are only available via smartphone, well you can actually work around that. Get an older machine somehow, needs to run XP at least, and install the Android virtual machine (http://www.howtogeek.com/howto/21831/how-to-test-drive-google-android-on-your-pc-without-buying-a-phone/) on it.
You can then run what is essentially a smartphone environment on that pc. If the authenticator app doesn't require being online to use, leave that computer off the internet.
Thank you!
We appreciate you working late to stay on top of this
This guy speaks the truth
Ya did this to will get a response in 3-4 business days!? This is TRIBBLE!
EDIT: Wow... just saw this happened in 2010 :cool: I hope we get something back for those who had accounts then... grrr
Brandon, any ideas on this?
well it shouldn't take 2 years to figure that out it should be more like less than a month