test content
What is the Arc Client?
Install Arc

Account Guard now in Testing

Archived PostArchived Post Member Posts: 2,264,498 Arc User
Hello Captains,

At Cryptic Studios, we take the security of your account very seriously. To further advance our security measures, we are happy to announce that we are beginning testing of a new security feature to be included in all Cryptic Studios games. Account Guard is a new feature which is intended to help secure your Star Trek Online and/or Champions Online account from those who may try to maliciously access it.

This feature is being enabled on Tribble today, and we’ll be watching the forums closely for your feedback regarding this feature. We’ve also provided a brief FAQ, which you can see below, to answer some of the questions we know you’ll have regarding this feature.

Cheers,

Brandon =/\=
Post edited by Archived Post on
«1

Comments

  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited June 2012
    ACCOUNT GUARD FAQ

    Q: What is Account Guard?
    A: Account Guard is a system designed to protect the account you use to log into Cryptic games from unwanted access. It keeps track of the computers you have authorized on your account, and notifies you when your account is accessed from an unauthorized computer.
    ***
    Q: How does Account Guard notify me when my account is accessed from an unauthorized computer?
    A: Account Guard sends a notification to the email address associated with your account. This email details the time the account was accessed, and the IP address from which the access was attempted.
    Your account will be inaccessible from that location until the Account Guard code delivered in the email is submitted to the game or website.
    ***
    Q: What do I do if the login attempt in the notification is not mine?
    A: Your account will be inaccessible from an unauthorized location without the Account Guard code that is sent to you. However, if you receive a notification for an authorization attempt that didn't come from you, change your password immediately.
    ***
    Q: How do I authorize a computer using Account Guard?
    A: When Account Guard notices your account has been accessed from a new location, it will prompt you for a special one-time code. That code will be delivered to the email address associated with your account. For this reason, we ask that you ensure the email address associated with your account is current; you can do so in the "Settings" tab of your "My Account" page on our website. To authorize that location for your account, just submit the code at the prompt.
    Until you decide to de-authorize the computer, your will be able to access that account, from that computer, without interruption.
    If you receive an Account Guard notification from a computer you don't recognize, we recommend you change your password immediately. Instructions and links will be included in the notification that is delivered to your email address.
    ***
    Q: Account Guard references my "computer name". What is that?
    A: Your computer is assigned a name when the operating system is installed. Account Guard automatically fills in this information. If you desire, you can also type a different name for that computer at the time you authorize it.
    ***
    Q: Can I opt out of Account Guard?
    A: Yes. At this time you will need to Contact Customer Support to opt out of Account Guard.
    ***
    Q: Can I rename the computer name associated with my account?
    A: If you de-authorize your computer, and log in again, you can re-name your computer at the Account Guard prompt.
    ***
    Q: Do I have to authorize my computer with Account Guard for each game separately?
    A: No. Account Guard functions across all Cryptic games. If you authorize your computer with one Cryptic game, it will be authorized with all Cryptic games.
    ***
    Q: Will Account Guard work with my Perfect World account? Which games have Account Guard protection?
    A: Account Guard is currently only available on Cryptic Games such as Star Trek Online and Champions Online, but Account Guard will protect your account whether you access those games using a Cryptic or Perfect World login.
    ***
    Q: How often do I have to authorize my account through Account Guard?
    A: Only as often as you change computers. If you remain on the same account and computer, and do not remove authorization, Account Guard will not prompt you again.
    ***
    Q: I received a prompt to enter a code through Account Guard, but I never received an email. Help!
    A: Make sure you're checking the email address associated with your account. Also, be sure to check your spam folder. If you still don't receive an email, contact Customer Support. You may also want to add donotreply@crypticstudios.com to your emails spam whitelist or address book.
    ***
    Q: Can I generate a new authorization email if the first one doesn't show up?
    A: If you log into your account again, another email will be sent to the address associated with your account.
    ***
    Q: For how long does my authorization code last? Does the code expire if I don't use it?
    A: The code will expire after a period of time, after which point it cannot be used. If your code expires, you can log into the game again, at which point a new code will be sent to the email address associated with your account.
    ***
    Q: I logged into the game but wasn't prompted for an Account Guard code. Why wasn't a code sent to me?
    A: If you've never logged into a Cryptic game before, you will not be prompted to enter a code the first time you log into your account.
    ***
    Q: I already registered a computer with my account, but Account Guard is prompting me for a code. Is there a limit to how many computers I can authorize against my account?
    A: Currently, only 10 computers can be remembered on your account at one time. If you go over your limit, the computer that you accessed least recently will be forgotten, and you will have to re-authorize it.
    ***
    Q: I keep entering the wrong code, and now I can't get into my account. Help!
    A: If you enter the wrong code too often, you may be locked out of your account. If this happens, wait a while before attempting to log in again. If you still can't log into your account, contact Customer Support.
    ***
    Q: How can I ensure the security of my account?
    A: First of all, remember to change your password frequently! Also, make sure your password is secure and not easy to guess. For more information on generating secure passwords, follow this link:
    http://www.microsoft.com/security/online-privacy/passwords-create.aspx
    Keep your password unique. If you have multiple accounts, make sure they each have their own unique and secure password.
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited June 2012
    Wasn't this posted yesterday?
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited June 2012
    tobar26th wrote:
    Wasn't this posted yesterday?

    Yes in the redshirt forums
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited June 2012
    Account Guard functions across all Cryptic games. If you authorize your computer with one Cryptic game, it will be authorized with all Cryptic games.

    So, if we authorize a computer on Holodeck will we still need to authorize it on Tribble or vice versa?
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited June 2012
    So, if we authorize a computer on Holodeck will we still need to authorize it on Tribble or vice versa?

    indeed what he said.
    If i go onto tribble now and do the authorization thing, when this goes to holodeck, will i have to do it again?
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited June 2012
    So, by "cannot access the account" without the code do you mean through the game client or through the client AND the website?

    Because I see this happening:

    1. I log into someone's account and get told to verify the computer. Now I know I have the right password.

    2. I got startrekonline.com and login to their account. Now I change their email address so that emails goto my email.

    3. I try logging in again, the code gets sent to MY email now. I authorize my computer, login, and wipe their fleet bank and personal bank out sending it all to some dummy account.

    4. Rinse and Repeat.

    We've heard that Cryptic will reimburse individual accounts as best they can but we also know by that same token that you have no desire to reimburse a FLEET for lost and/or stolen items. So if someone jacks my fleet leader's account and does the above they can then send all my fleet's items and money away and you won't do anything about it.

    Now add in how much time and effort people will be investing in Starbases and the amount of resources being gathered for that and there's a whole new issue.

    Sure the above procedure might assist in identifying the bad guys and all but then what? We MIGHT get everything back and we might not? The bad guy will get a ban? They email the stuff to a free account and disseminate it from there and there's no way you can ban/punish everyone that's touched that loot...

    I'm just hoping this applies to both the My Account page and the Client otherwise it's only gonna stop the laziest of hackers.
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited June 2012
    So, if we authorize a computer on Holodeck will we still need to authorize it on Tribble or vice versa?

    Only if you log in from a different computer :) If you log in from the same computer, you only need to validate on a single Cryptic shard, and then won't be asked again from that computer. This info in the in FAQ, but I know it's a long read :p

    Cheers,

    Brandon =/\=
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited June 2012
    hate it .....what a waste of time that could of been dedicated to making the account bank everything we wanted instead of a glorified mail system we already have and didn't like, that is why we asked for an account bank......some people just do not get it.
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited June 2012
    I tried this on Redshirt and it was very easy and user friendly to use. Just grab the code from my email and entered it. Simple way to Authorise 'game' login's to a computer. Please implement this for Account logins via the website also to close the loop.
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited June 2012
    This is not my preferred type of account lock (see Trion's Rift), however, its good to see Cryptic is trying. I still have my doubts about how Cryptic have addressed their security failings, considering their less than motivated approach to tackling other systemic failures in the company.
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited June 2012
    Will this feature be added to the main website because I see a few flaws on protecting accounts because they can also be accessed from the website to avoid this new Account Guard? I hope you add it to the website login to help better protect.
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited June 2012
    LtSmith wrote:
    Will this feature be added to the main website because I see a few flaws on protecting accounts because they can also be accessed from the website to avoid this new Account Guard? I hope you add it to the website login to help better protect.

    Indeed. Closing 1 door of 2 means hackers go for the one that's wide open and not booby-trapped. This, while easy to use, does not actually solve any fundamental account security problems at all. At best, it is poorly conceived. At worst, it is a red herring. It's like adding a lock to the glove box in your car to ensure your car isn't broken into.
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited June 2012
    AuntKathy wrote:
    Indeed. Closing 1 door of 2 means hackers go for the one that's wide open and not booby-trapped. This, while easy to use, does not actually solve any fundamental account security problems at all. At best, it is poorly conceived. At worst, it is a red herring. It's like adding a lock to the glove box in your car to ensure your car isn't broken into.

    It is just in testing now and Thanks for pointing this out to me the other day people do need to know about the threat is still there untill that 2nd door is shut.
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited June 2012
    please see the red shirt boards and this very thread for why this software isn't ready for release yet.




    Cheers.
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited June 2012
    At Cryptic Studios, we take the security of your account very seriously.

    Excuse the off topic but that made me giggle :D
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited June 2012
    Or.... you could get a mobile app like TOR for security keys.
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited June 2012
    this just seems like if your account gets comprimised its going to hinder you more than help you.
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited June 2012
    first saw this when trying to log in on tribble last night...had me confused at first because it said that someone was trying to access my account from a different location (I was just on an hour earlier) but I think that, all in all, it's a good thing to have.
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited June 2012
    Dam i pooed my self i thought someone had TRIBBLE my account again :confused::o:D
    .
    What happens if like in my case where 3 brothers sharing the same computer and game and 3 different accounts, my question is to PWE_BranFlakes :)

    1 lifetime account and 2 free to play
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited June 2012
    How is the "different computer" determined? If it's by IP, how do you deal with dynamic IPs? PlusNet in the UK, for example, use these, and I know a lot of other companies do, too.
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited June 2012
    Silly question time :) On the confirmation email I got from Cryptic it's told me my machine name and I.P address.... My IP changes each time I reboot my router, is STO going to have a sulk after the next reboot?
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited June 2012
    that is what that wierd code was for will we have to do again when goes live?
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited June 2012
    its the same basic concept that facebook has. I save the machine, and i can therefor log into my facebook from this machine at any time without causeing a security problem. but if someone tries to log into my facebook from a device that i have not saved, i get an email informing me of that. and IF i did not authorize it, there are steps that can be taken after that. It makes all logical sense to me.
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited June 2012
    hate it .....what a waste of time that could of been dedicated to making the account bank everything we wanted instead of a glorified mail system we already have and didn't like, that is why we asked for an account bank......some people just do not get it.

    You want all items within our accounts in a single bank so hackers can cleanout an account even quicker, before extra security is added?

    Offering such an ability in banking would probably encourage hacking big time. It would make it far more worth a hackers time and effort to hack someone they know is a vet with 10 characters. Especially one who brags about having a lot.

    Security measure sounds alright and would be best being put in place before encouraging hackers. I do wonder how many hackers will also target someones emails.
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited June 2012
    This is mainly for PWE_Branflakes, since he seems to be the one running this thread:p

    Seems everyone's main concern is, if a hacker tries to access and account from the game client itself, then yeah, the system catches it. But there is a whole new problem. Now the hacker knows they have the right password. They can now, simply log into STO website, and change the password in there, and reroute all sto based emails, and then do what is necessary to get the prompt again, with a code containing email sent to them. From there they can remove the computer normally used from the access list, and make the account theirs in every sense of the word. So the concern being voiced here is, why block the in-game client at all if all that's going to do is make it so the hacker has to do a little password changing and email rerouting and be inconvenienced of about 5 minutes of their time.

    But what I would like to say is, a half baked feature that has its other half in the works is better than no feature at all. If nothing else, since the majority of us have smartphones that notify us the instant we get an email, once we got the message, we simply beat the hacker to the punch, and tell cryptic what is going on so they can take over. After all, I am sure there is a computer somewhere that keeps a listing of all the accessing information on each account stored somewhere so that it can be used for investigative purposes, and even if there wasn't, all computers keep records of that type somewhere.

    In short: most people here are saying its an excellent concept, it just has a major back door flaw. That flaw being the ability to, after confirming that the password is correct, simply using the website itself to finish the take over process. :eek:

    Anyway, just wanted to put that out there, and basically give you a condensed version of what everyone here, aside from the guy talking about the account banking system., is saying. And what that is is: Nice car...now, can I also get locks for the rear passenger doors?
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited June 2012
    It's nice that Cryptic is finally doing something, but I'm not too fond of this system. It does not account for those with alternate computers (like how some people like to sometimes play from their laptops) or using a relatives computer on vacation. And like said previously, it's not accounting for variations of the IP if the router is reset or you have a roving IP.

    Furthermore, It would be really nice to visually see Log-In times, which could help us immediately recognize unauthorized accesses. As well as failed password attempts since you last sucessfully logged on.
  • dalolorndalolorn Member Posts: 3,655 Arc User
    edited June 2012
    Bump, just testing if we can still post in 'archived' threads.

    Edit: Ok, one thing to remove from the "How many ways does this merger suck" list.

    Re-edit: Wtf? Why didn't it return me to the thread? O_O

    Re-re-edit: Ok, that's annoying.

    Infinite possibilities have implications that could not be completely understood if you turned this entire universe into a giant supercomputer.p3OEBPD6HU3QI.jpg
  • podsixpodsix Member Posts: 207 Arc User
    edited June 2012
    That is just downright bizarre, seeing all the names on all the old posts changed to "Archived Post"... it's like, spooky. :frown:

    I don't like that.
    7n4nvF5.png
  • mgazermgazer Member Posts: 0 Arc User
    edited June 2012
    Q: Can I opt out of Account Guard?
    A: Yes. At this time you will need to Contact Customer Support to opt out of Account Guard.
    ***

    Good. Can't stand all that security TRIBBLE.

    So when do we need to contact customer support and how to contact them? Standard support ticket?
    [SIGPIC][/SIGPIC]
    _____________________________________________________________
  • nesualnesual Member Posts: 0 Arc User
    edited June 2012
    It's nice that Cryptic is finally doing something, but I'm not too fond of this system. It does not account for those with alternate computers (like how some people like to sometimes play from their laptops) or using a relatives computer on vacation. And like said previously, it's not accounting for variations of the IP if the router is reset or you have a roving IP.

    Furthermore, It would be really nice to visually see Log-In times, which could help us immediately recognize unauthorized accesses. As well as failed password attempts since you last sucessfully logged on.


    I've had my IP reset a couple of times since I originally posted that question on the forums... It doesn't seem to have made any difference at all, so I'm guessing that the whole thing about IP is either bugged or non-functioning, and if it's based on your computers name, well, that's just a little bit silly really isn't it?

    A visual log of login times & failed password attempts is a great idea. I've seen it done on a number of banks online systems, never occured to me that it could be applied to games aswell.

    Nes
Sign In or Register to comment.