"Only a life lived for others is a life worth while." - Albert Einstein

Maplestory Cyber Security Series – Part 3 of 4

Author duststar | 07.01.2010 | Category Cyber Security, MapleSEA

Continuing from this post.

Part 3 – Protecting your accounts

1. E-mail Accounts

a. Protect the data between you and the e-mail servers

i. For web-based e-mail, use a secure connection (“HTTPS”) rather than an insecure connection (“HTTP”).
ii. For e-mail client applications, use at least “SSL/TLS” over POP3 or IMAP.

b. Prevent getting key logged

i. Use an “On-Screen Keyboard” to key in your password. For Windows XP, this can be found by clicking the “START” button, then going to “All Programs”, “Accessories”, “Accessibility”.

c. Set your “Security Question” (Pick something only you will know)

2. Asiasoft Passport Account

a. Ensure that the passport website is secured by SSL (Check for “HTTPS”)

b. Verify that the SSL certificate is authentic (the issuer should be “GlobalSign Domain Validation CA” and the holder should match the domain name “passport.asiasoft.net”)

c. Pick a login ID that is different from your forum ID, game account IDs, e-mail ID etc (So that people cannot easily guess it)

d. Prevent getting key logged

i. Use an “On-Screen Keyboard” to key in your password. For Windows XP, this can be found by clicking the “START” button, then going to “All Programs”, “Accessories”, “Accessibility”.

3. Maplestory Game Accounts

a. Prevent getting key logged (Use the in-game on-screen keyboard provided)

b. Pick a login ID that is different from your other game account IDs, e-mail ID, passport ID, forum ID etc (So that people cannot easily guess it)

4. 2-Factor Authentication (2FA)

a. If Asiasoft were to release the 2FA security token for MapleSEA, you should consider getting it.

b. Below is my submission for the “Vasco System Q&A Event”.

1. Do you know what Two-factor authentication (OTP Token) is?

Two-factor authentication (2FA) requires the use of 2 different pieces of information or processes to authenticate the identity of a person. For Asiasoft’s implementation, this basically means the 1st factor looks at “something you know”, e.g. ID, password, soft-keyboard PIN, and the 2nd factor looks at “something you have”, e.g. the OTP (One-Time Password) security token.

The OTP token in this case, when activated or pressed, generates a random password based on a secret process, e.g. an RSA algorithm, known between the security hardware device (token) and the security server (token authentication server). Usually, the generated random password is only valid for a short period of time, therefore even when one’s OTP is compromised the account is still safe to a certain extent (please see the answer to question 2).

2. Do you know that Two-factor authentication provides 99.8% protection?

Yes. Basically the other 0.2% comes from the 3rd-factor mechanism “something you are”, e.g. biometric fingerprint or iris scan. However, the cost of implementing 3FA would probably be too high (to achieve that 0.2% of extra user confidence) and unrealistic for the gaming industry (even local Singapore banks are not using it, yet).

3. How do you think Two-factor authentication can contribute to securing game accounts?

It adds an additional layer of defence against account compromise, which is good because this is exactly what a “defence-in-depth” strategy means. Attackers will need to spend more time and effort to defeat 2FA.

Technically, when a player logs on to his account using 2FA, attackers cannot access the account unless the player logs out. Even if the player logs out, if the session for the OTP has expired, e.g. after 1 min, the attacker is still denied access to the account.

4. Will you be interested to use it, rate it 1 – 10? (1 – Not at all, 10 – I am very interested)

10.

5. Rate the Two-factor authentication. (1 – lousiest, 10 – Best)

10.

6. When do you want this to be implemented?

As soon as possible. However, players ought to be informed of the costs involved, if any, for token purchase, replacement and any other support. Also, another of my concerns would be the younger population: how to educate them on 2FA.
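An added example (not part of the post, and not Asiasoft’s or Vasco’s implementation) of the mechanism described in the answers to questions 1 and 3: a standards-based time-based OTP (HOTP/TOTP, RFC 4226/6238) stands in for the token vendor’s own secret process, the shared secret and timestamp are constructed, and the verifying server burns each accepted code so that a captured OTP is refused both inside and after its one-minute window.

```python
import base64, hashlib, hmac, struct

# Constructed demo secret shared by the "token" and the "authentication server".
# A real token ships with a vendor-provisioned secret; this one is made up.
SHARED_SECRET = base64.b32decode("JBSWY3DPEHPK3PXP")
STEP_SECONDS = 60   # one-minute validity window, as in the post's example
DIGITS = 6

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based OTP (RFC 4226): dynamic truncation of HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, now: int, step: int = STEP_SECONDS) -> str:
    """Time-based OTP (RFC 6238): the counter is the number of elapsed time steps."""
    return hotp(secret, now // step)

class TokenServer:
    """Server side: checks a code against the current step (plus one step of
    clock drift) and refuses any counter it has already consumed."""
    def __init__(self, secret: bytes, step: int = STEP_SECONDS):
        self.secret = secret
        self.step = step
        self.last_used_counter = -1   # highest counter already accepted

    def verify(self, code: str, now: int) -> bool:
        counter = now // self.step
        for c in (counter, counter - 1):
            if c > self.last_used_counter and hmac.compare_digest(hotp(self.secret, c), code):
                self.last_used_counter = c   # burn the code: a replay is refused
                return True
        return False

def demo() -> dict:
    """The player logs in with a fresh code; the same code is then replayed
    inside the window and again after it has expired."""
    t0 = 1_262_304_000   # constructed timestamp: 2010-01-01 00:00:00 UTC
    server = TokenServer(SHARED_SECRET)
    code = totp(SHARED_SECRET, t0)   # what the token displays at t0
    return {
        "player_login": server.verify(code, t0 + 5),                        # fresh code
        "replay_same_window": server.verify(code, t0 + 20),                 # already burnt
        "replay_after_expiry": server.verify(code, t0 + 3 * STEP_SECONDS),  # window passed
    }

if __name__ == "__main__":
    print(demo())  # {'player_login': True, 'replay_same_window': False, 'replay_after_expiry': False}
```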

5. Choose a Strong Password

a. Consists of at least 12 characters, with letters, numbers and symbols if possible, e.g. m@pl3s+-0ry (with symbols), mapl3st0ry (alphanumeric).

6. Recognise and Prevent Phishing Attacks

a. Avoid using “links” given by others. Always type in the web address yourself or use a bookmark.

b. When in doubt, e.g. a GM asking you to divulge your account ID/password or personal information, always clarify the matter through i-Box.

7. Apply Common Sense

a. Do not log in to any of the above accounts anywhere other than on your own system. There is always a chance that software or hardware keyloggers have been installed without you knowing.

b. Keep your password to yourself. It is supposed to be your secret. Surely you don’t share secrets around, right?

.duststar