
Account hacking problems - possible solutions



FirestarXL
16-11-03, 22:37
It seems that incidents of cracked accounts and looted/deleted characters are on the rise, and it seems there is nothing that can be done about it by the GMs or helpdesk representatives, due to abuse of any helpful measures that have been offered in the past.

Adding unique IDs to all items in the game would be a massive step towards solving these problems. Before doing a character rollback, they could check that items are really non-existent on the server, rather than just passed to a friend or something. Even only putting these IDs on items created after the feature is added would be one hell of a start.

Access to the game from known open proxies, such as ones in Mexico or Russia, should not be possible. I understand that IPs used to hack other accounts have been traced back to such proxies. There should be no genuine reason to use these proxies, so it should not be allowed at a server level, rather than an account level (where it could be altered).

Another thing would be to give us, the users, more control and reporting over what is happening on our accounts. For example, the option to restrict my account to a specific IP range or domain, such as my ISP - and conversely I would like to be able to BAN it being logged in from certain IPs/domains. In a similar vein, I would like logs of which IP my account was logged in from and when. High-level helpdesk/support personnel should have access to this information, so they can quickly see a trend.

The "I forgot my password" option needs to be double-checked for security. I've never used it, but if it simply sends your password to the registered email address, then this needs to be changed right away. Hacked accounts seem to always have their email addresses changed, so it is possible that the hackers are abusing this feature: rather than hacking the account via the password, they are able to change the email address registered to the account. A good standard procedure is to change your password to a random alphanumeric combination and then mail THAT to you. A genuine user logging in would immediately notice something was up when their password didn't work - even if nothing had been taken. Also, the feature would be tightly logged, and subject to the banned proxy rule.

If anyone has anything to add to these, please post, and rate the thread and keep it active. I hope we can get something done about this, since it is a situation which can make players leave.
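Three of the suggestions in the post above (log every login with its source IP, refuse the login and reset paths from a blocked proxy list, and have "forgot password" replace the password with a random one rather than mail out the old one) fit together in one small account service. The code below is an added example written for this thread, not KK's code or anything from Neocron; the account names, the documentation-range proxy blocklist (203.0.113.0/24) and the 12-character reset password are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import ipaddress
import secrets
import string
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ALPHABET = string.ascii_letters + string.digits

# Constructed "known open proxy" blocklist. 203.0.113.0/24 is an RFC 5737
# documentation range standing in for whatever list an operator would really use.
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2. Only the hash is stored, so the old password can never be mailed out."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


@dataclass
class Account:
    name: str
    email: str
    salt: bytes
    digest: bytes
    log: List[Tuple[str, str, bool]] = field(default_factory=list)  # (event, source ip, ok)


class AccountService:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    @staticmethod
    def from_blocked_proxy(ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in BLOCKED_NETWORKS)

    def create(self, name: str, email: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.accounts[name] = Account(name, email, salt, digest)

    def login(self, name: str, password: str, ip: str) -> bool:
        acct = self.accounts.get(name)
        if acct is None:
            return False
        if self.from_blocked_proxy(ip):            # refused at the server level, and recorded
            acct.log.append(("blocked", ip, False))
            return False
        _, digest = hash_password(password, acct.salt)
        ok = hmac.compare_digest(digest, acct.digest)
        acct.log.append(("login", ip, ok))         # every attempt, good or bad, is logged
        return ok

    def request_password_reset(self, name: str, ip: str) -> Tuple[str, str]:
        """Replace the password with a random one; return (registered email, new password) for mailing.

        The stored hash is overwritten, so the old password stops working immediately: a
        genuine user whose password suddenly fails learns that someone used the feature.
        """
        if self.from_blocked_proxy(ip):
            raise PermissionError("password reset refused from a blocked proxy")
        acct = self.accounts[name]
        new_password = "".join(secrets.choice(ALPHABET) for _ in range(12))
        acct.salt, acct.digest = hash_password(new_password)
        acct.log.append(("reset", ip, True))
        return acct.email, new_password
```

Because only a hash is kept, a "send me my password" feature is impossible here by construction, which is the usual reason reset-by-replacement is the standard procedure. The log still records the reset that an attacker triggers, which is what support staff would look for when a player reports a changed email address.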

Syntax-Error
16-11-03, 23:39
Good ideas, and perfectly workable.

Certainly the removal of proxies connecting to servers. Give me one reason, other than to hack, that you would use a proxy connection that is valid enough to stop this.

Also logs, logs and MORE logs. We need access logs. We need IP trace logs, and what's more, we need something so that when you attempt to access an account while someone is already logged on, it should A) log it and report it, or B) kick off the player and lock the account for 30 mins (gives time to change the password if it's your account, and gives a possible save from someone already trying to steal your stuff; perhaps then catching them will be easier). (It will need to tell BOTH parties that they have attempted to use an account at the same time though.)

Syn
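Option B from the post above (second login on an account that already has a live session: record it, drop the session, lock the account for 30 minutes, and tell both parties) can be sketched as a session manager. This is an added example for the thread, not Neocron's or KK's code; the clock is injected so the lockout can be exercised without waiting, and the account and IP values are constructed.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

LOCK_SECONDS = 30 * 60


@dataclass
class Session:
    account: str
    ip: str
    started: float


class SessionManager:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock
        self.active: Dict[str, Session] = {}
        self.locked_until: Dict[str, float] = {}
        self.events: List[Tuple[float, str, str, str]] = []  # (time, account, kind, detail)
        self.notices: List[Tuple[str, str]] = []             # (ip to notify, message)

    def _note(self, account: str, kind: str, detail: str) -> None:
        self.events.append((self.clock(), account, kind, detail))

    def login(self, account: str, ip: str) -> bool:
        now = self.clock()
        until = self.locked_until.get(account, 0.0)
        if now < until:
            self._note(account, "rejected-locked", ip)
            self.notices.append((ip, f"{account}: locked for another {int(until - now)} seconds"))
            return False
        existing = self.active.get(account)
        if existing is not None:
            # Concurrent use: log it, kick the live session, lock, and warn both endpoints.
            self._note(account, "concurrent-login", f"{existing.ip} then {ip}")
            del self.active[account]
            self.locked_until[account] = now + LOCK_SECONDS
            msg = (f"{account} was logged in from {existing.ip} when a login from {ip} arrived; "
                   f"account locked for 30 minutes, change your password")
            self.notices.append((existing.ip, msg))
            self.notices.append((ip, msg))
            return False
        self.active[account] = Session(account, ip, now)
        self._note(account, "login", ip)
        return True

    def logout(self, account: str) -> None:
        if self.active.pop(account, None) is not None:
            self._note(account, "logout", "")
```

The lock here applies to the game login only; the password change the warning asks for has to go through a separate path (the account management site in this thread's case), otherwise the lock would prevent the fix it is meant to give time for.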

Siygess
17-11-03, 00:24
I agree completely.

I believe that the immediate benefits of implementing some or all of the above features would far outweigh any costs or overheads that would be involved. Ultimately, the only thing that separates Neocron from a non-subscription game of any kind is the ability to develop a character and, through that identity, interact with other characters in a persistent world. If the security of our accounts (and therefore our characters) is in doubt, where is the incentive to carry on?

Why pay to participate in an environment where, if someone decides to take a grudge out-of-game or simply wants to take something for nothing, the facility would appear to be there to support them?

[EDIT] For the people who voted no, I'm curious: Is it the proposed solution that you disagree with, or do you believe that this isn't a problem?

mcouillard
17-11-03, 01:25
Very well thought out with solid, do-able ideas. Thank you.

KimmyG
17-11-03, 01:29
Item IDs are a must in my opinion.

But you need to take into account that large clans share passwords. From what I have seen, a lot of the "HACKED" accounts have been from a large clan, and it's my belief it's due to shared passwords, and if you share your info it's your problem if the people you gave access to tax your goods.

Lucid Dream
17-11-03, 01:31
It would appear the problem is people having their email addresses changed, so I would say the best way to fix the problem would be to add something such as, say, when you request your password to be sent to you through your email, it first asks for, let's say, the name the account was registered under. Then, before you implement this, KK would give people a week to make sure their account details are accurate (name, email and such), then email everyone a copy of their account details, so they can have a copy of the name the account was registered in their mailbox. This way, in order for someone to hack a person's account, they must A) be able to change the email address, then B) know the real-life name of the person who owns the account.

Cruzbroker
17-11-03, 01:48
who votes no? o_O

\\Fényx//
17-11-03, 01:58
Originally posted by Cruzbroker
who votes no? o_O

The hacker ...

Shadow Dancer
17-11-03, 02:24
Originally posted by \\Fényx//
The hacker ...


:lol: :lol: :lol: :lol:




Oh man, woooooo. I was kinda stressed out fenyx, thanks for providing me with this laugh. You're the best. :p

Shujin
17-11-03, 02:26
Originally posted by Shadow Dancer
:lol: :lol: :lol: :lol:




Oh man, woooooo. I was kinda stressed out fenyx, thanks for providing me with this laugh. You're the best. :p

he wasn't kidding...

Shadow Dancer
17-11-03, 02:27
Originally posted by Shujin
he wasnt kidding...

I know. But that's part of the humour.

\\Fényx//
17-11-03, 02:33
Originally posted by Shadow Dancer
I know. But that's part of the humour.


I never joke . . . or lie . . . shadows a cock and nids a ass....

ok ok... maybe I can lie :p

Cruzbroker
17-11-03, 02:35
names plz :p

Shadow Dancer
17-11-03, 02:35
Fenyx I flamed duder as a joke and got edited, hehe. Be careful. :)

\\Fényx//
17-11-03, 02:38
Originally posted by Shadow Dancer
Fenyx I flamed duder as a joke and got edited, hehe. Be careful. :)

wha . . . it was a joke . . . honest, meh it's later but yah I . . I . . I didn't mean it . .

Ryuben
17-11-03, 04:23
must resist urge to flame fenix for power posting... must... resist.... urge


wait up how can i flame fenix he is "leet" :rolleyes:


OT: yeah, good idea... and could someone say if this would be feasible, or is this going to be a thread *overlooked?*

LVirus
17-11-03, 12:31
I, for one voted NO.

Why? Because the current codebase and database are simply NOT made for item IDs. If KK had planned the game better, or rather had forced themselves to take as much as possible into consideration, like adding extra bits to the database "just to be sure" and really thinking through all the "what if" scenarios and assuming the worst one happens.

But KK was poor and the time schedule was fast, so they had to cut corners somewhere. We are suffering from that.

And no, KK cannot make this kind of stuff happen, not without big database overhaul.

Thank you but no thank you. Suffer hackers or whine about hackers. They do exist and will exist no matter what you do.

Jesterthegreat
17-11-03, 12:36
as someone whos been hacked... yes :p

El_MUERkO
17-11-03, 12:36
I voted yes, I would gladly go without any new content or balancing to get some extra security added to the game.

Lenard
17-11-03, 12:50
Originally posted by LVirus
I, for one voted NO.

Why? Because the current codebase and database are simply NOT made for item IDs. If KK had planned the game better, or rather had forced themselves to take as much as possible into consideration, like adding extra bits to the database "just to be sure" and really thinking through all the "what if" scenarios and assuming the worst one happens.

But KK was poor and the time schedule was fast, so they had to cut corners somewhere. We are suffering from that.

And no, KK cannot make this kind of stuff happen, not without big database overhaul.

Thank you but no thank you. Suffer hackers or whine about hackers. They do exist and will exist no matter what you do.

Adding unique item IDs would actually be fairly easy. It certainly wouldn't be completed in a day, but it certainly wouldn't take as long as it would if the database was given a complete overhaul.

The only thing that would be hard, in my opinion, is some sort of way to keep track of all the ID numbers, e.g. some way to search for ID numbers outside of the game. As each character's information is kept in dat files, I think it would be a bitch.

darknessfairy
17-11-03, 12:52
To everyone who has said no... you either have not been hacked, have not known someone who has been hacked, or you are hackers yourselves...

I have known someone be hacked, and the many months that they put into their chars were all lost due to some inconsiderate person who thought it would be funny...

Really.. think about your chars and what you have and how long etc it took you to achieve it all...Do you really wanna lose it over a hacker?

I think it's a blinding idea... In this sort of game there has to be more security... The simple "send me my password to my email account" is just not good enough....

Oh, and rather than asking for the RL name, which someone may know, why not ask for the postcode/area code etc...? That would be a lot better.

CarniFlex
17-11-03, 13:09
To item tracking - no, because it won't work.

To restricting IP - A BIG SWINGING YES, FIX IT ALREADY...

Jesterthegreat
17-11-03, 13:12
Restricting IP? I play NC on like 30-40 PCs... I hope I am not gonna have to tell KK the IP of every one of them? And bearing in mind dial-up gives you a different IP each time... I hope you are not talking of a system like this :p

Oath
17-11-03, 13:33
Originally posted by Jesterthegreat
Restricting IP? I play NC on like 30-40 PCs... I hope I am not gonna have to tell KK the IP of every one of them? And bearing in mind dial-up gives you a different IP each time... I hope you are not talking of a system like this :p

Exactly.............. <--- dial up.

Lenard
17-11-03, 13:39
If live, I imagine it would give you an option of whether you would like your account protected or not.

It would be much like a firewall, kind of tailored to each account, to allow access or not.

I also imagine that, like a firewall, you will be able to allow access to domains, so if you were on dial-up you could set it to allow a specific IP range.

The problem with this guy's solution is that once you set your IP, would you be able to change the IP security settings if your IP is changed?

If not, that brings up the problem of inaccessibility, which leads to problems with the helpdesk, which leads to problems with lost man-hours due to retards entering the wrong IP or switching ISPs.

Good idea; however, I don't think the gentleman thought of the long-term effects of this. I wanted to point out one thing.


Access to the game from known open proxies, such as ones in Mexico or Russia, should not be possible. I understand that IPs used to hack other accounts have been traced back to such proxies. There should be no genuine reason to use these proxies, so it should not be allowed at a server level, rather than an account level (where it could be altered).

Doing something like this would cut off Neocron access to all of Mexico and Russia. I could understand if someone were using a high-anonymity proxy. But the only way to check for that is to send a check that most firewalls block and report as a trojan/SubSeven exploit.

We couldn't lose Russia. The neocron.ems.ru guy lives in Russia!

There are hundreds of thousands of anonymous proxies open all over the world. They change literally every day. There's no way this could be done, absolutely no way.

You also need to think about all the people who use proxies: college students, businesses, apartment complexes with internet service and a lot of other people I can't think of.

AlphaGremlin
17-11-03, 13:40
Originally posted by Jesterthegreat
Restricting IP? I play NC on like 30-40 PCs... I hope I am not gonna have to tell KK the IP of every one of them? And bearing in mind dial-up gives you a different IP each time... I hope you are not talking of a system like this :p


Originally posted by FirestarXL
For example the option to restrict my account to a specific IP range or domain, such as my ISP - and conversely I would like to be able to BAN it being logged in from certain IP's/domains.


Your ISP, when they go into business, buys a set of IPs from some company (I forget what its name is). Thus, every IP you get on dial-up WILL come from this range. A quick e-mail to your ISP should get you the IP ranges they use, and then you're set. It'll narrow things down a lot if you do get hacked.

Jesterthegreat
17-11-03, 13:42
That's great... but I play at multiple internet gaming cafes, my house, my dad's house, and friends' houses. Bollocks should I have to phone all those ISPs and demand all the IP ranges!

How about we just don't do this idea?

kthxbye

Junkie

:edit: I feel I should post something useful - KK could just log the IPs used to log in? That way IF I was hacked I could find out when/where I logged on and check against KK's records.

AlphaGremlin
17-11-03, 13:45
Well, in that case, you'll have to tell it to allow all IPs. The possibility of getting hacked is the price you pay to play at different places.
And if you have a little patience, it wouldn't be hard, every time you go to a place that you can't log in at, to simply add that range to the list. 5 mins and you're in.
An idea would be that you have to confirm by e-mail to change IP ranges; thus even if someone gets your username and p/w, they can't log in as you (assuming they don't hax your e-mail, which is always possible).

(Edit)

Originally posted by Jesterthegreat
KK could just log the IPs used to log in? That way IF I was hacked I could find out when/where I logged on and check against KK's records.

That's the best way of doing it. Then you could contact that person's ISP and report them for hacking. Even if they don't get criminal charges, a good ISP will simply close their account. That could hurt a lot if they're on cable :D

Jesterthegreat
17-11-03, 13:48
It would appear the email h4x is the problem - many people whose accounts have been hacked have had their email addresses changed - and I would assume passwords sent to the new addresses.

If KK just logged the IPs of who logged on... O_o

darknessfairy
17-11-03, 13:59
Logging IPs is just so simple; why did they not think of it before? And also some of the security is kinda lacking in areas. You would have thought with such a, erm, what's the word, oh I don't know, but yeah, we need more security questions. It's just all too easy at the moment...

Jesterthegreat
17-11-03, 14:03
Originally posted by darknessfairy
Logging IPs is just so simple; why did they not think of it before? And also some of the security is kinda lacking in areas. You would have thought with such a, erm, what's the word, oh I don't know, but yeah, we need more security questions. It's just all too easy at the moment...


OMG! shes teh h4xz0r!



:p :D :angel: :D :p

darknessfairy
17-11-03, 14:21
lol, me hack? lol, you're having a laugh, right? Fix probs after hackers... yes... be a hacker... no... hacking's bad mmmmkay

Jesterthegreat
17-11-03, 14:24
When I see you in Feb - you'd better not have my 3-slot fully artifact HL or I'll be pissed :p lol j/k

darknessfairy
17-11-03, 14:26
OOOOOOhhhhhh shit... I wondered why I had that... did seem a bit odd to me :/ (jk)

Jesterthegreat
17-11-03, 14:28
omgomg! a confession! NID! wru?!

i neeeed a mod!

Danae! help me! she hacked me! omg!

ok... i got it out of my system now >.< sorry hehe

Archeus
17-11-03, 14:31
Why? Because the current codebase and database are simply NOT made for item IDs.

I disagree. While it may not be a good idea to start giving everything an ID, what you can do is give rares an ID. It allows a tracking of the more important stuff without giving a huge overhead.

In fact I'd go as far as implementing it without telling the public about it.


That's great... but I play at multiple internet gaming cafes, my house, my dad's house, and friends' houses. Bollocks should I have to phone all those ISPs and demand all the IP ranges!


Make it optional. It is a good idea too.

Jesterthegreat
17-11-03, 14:34
Originally posted by Archeus
I disagree. While it may not be a good idea to start giving everything an ID, what you can do is give rares an ID. It allows a tracking of the more important stuff without giving a huge overhead.

In fact I'd go as far as implementing it without telling the public about it.

Make it optional. It is a good idea too.


Personally I prefer KK keeping track of logins / attempted logins.

But optional would do, I guess >.<

Oh, and yes - if item tracking is implemented, don't tell people - just watch it for a month or so - then ban all the people, and replace where necessary. DON'T replace instantly or they will not bitch on here and it will be obvious lol



although I didn't say here when I lost my 3-slot all-arti HL and HP

Dribble Joy
17-11-03, 14:35
How exactly do these people hack your account?

No-one knows my username, my pw, or the email address that is registered with it. How on earth do they get this stuff?

darknessfairy
17-11-03, 14:36
No honestly that wasnt me, i r sto0pid tankeh

Jesterthegreat
17-11-03, 14:38
Dribble - if I knew that I would tell KK :p

I would assume they somehow get your details changed on the Neocron page (change your email address), then click 'forgot password', in which case it sends it to the new email.

I wouldn't think about going into detail, as it's not even discussing exploits... it's discussing hacking people's accounts O_o

All I know is it happens :(

Phiberdelic
17-11-03, 17:00
Originally posted by FirestarXL
Another thing, would be to give us, the users, more control and reporting over what is happening on my account. For example the option to restrict my account to a specific IP range or domain, such as my ISP - and conversely I would like to be able to BAN it being logged in from certain IP's/domains. In a similar vein, I would like logs of which IP my account was logged in from and when. High level helpdesk/support personnel should have access to this information, so they can quickly see a trend.



I love this idea. I want to see MY logs, I want to know which IPs were used when trying to access my account, I want to see a log showing that a connection attempt was made when I was already in-game.

Syntax-Error
17-11-03, 17:10
Well, as an experiment proved yesterday, the game sends the account name to the server in PLAIN ENGLISH, so that's piss easy to find out. However, as usual, the password is encrypted, and using the free decryption tools on the web didn't manage it, so that's some small blessing. Also one of the guys tried for a while and gave up trying to crack it. However, I wonder if the request-password feature sends the e-mail in plain English; if so they can find your e-mail. Those people that were hacked, did you use Hotmail as your e-mail? Because if so, Hotmail is simple to hack and there you have it... :D

Not sure tho.


(and no, I didn't hack and I can't hack/crack etc.)

Bob Monkhouse
17-11-03, 17:41
As far as I am aware, unless there are major changes in the law, we will never see a log of IPs which log onto your account or attempt to. To access this information you would need a court warrant in most countries due to privacy and data protection laws.

I voted no, but for a simple reason. Before KK puts in place even one change to the login/password system, they first need to identify which accounts have been hacked, and of those which were "hacked" by an individual with soft access to the information (brothers/friends/clanmates etc) and which were hacked by an outside source. Then they need to identify the exact hacking mechanism (if one exists) and THEN they need to implement measures to block these attempts and secure the system against other possible routes.

Simply implementing a whole raft of changes is inefficient, inconveniences people and may not even address the problem. Indeed it could open other routes which were previously unavailable.

I agree KK needs to investigate hacking claims, and THEN take action if necessary. Taking a sledgehammer to crack a nut is never the best way forward.

Jesterthegreat
17-11-03, 17:43
So... until they know the exact means the hackers used they cannot try any countermeasures...

Well, I'm glad you don't work for KK

:rolleyes:


Actually... that's the kind of answer a helpdesk member would give!

Nah, j/k... helpdesk would say 'tough' and sign off

Bob Monkhouse
17-11-03, 17:51
Jester, it's a simple concept: identify what the exact problem is, then implement solutions. This applies to everything, not just online video games. It becomes especially important when you have a company with limited resources like KK.

Here is the point you fail to understand: if KK simply implements all the suggestions, and more, the "hackers" MAY still be able to gain access if the exact or most probable routes are not identified first. In fact, the measures may even open up more possibilities for hacking UNLESS the problem is IDENTIFIED first.

I voted NO, in the sense that KK must INVESTIGATE FIRST, THEN TAKE ACTION.

There is an issue here to be addressed, all I am suggesting is that before we go down ANY road to solve the problem, we have to know where the problem lies.

Syntax-Error
17-11-03, 17:59
Well, currently testing a few theories on how it was hacked, and we're hopefully going to find a way in. Then we can work back from there and lock it off and hope that it's the same way they got in :D

Phiberdelic
17-11-03, 18:30
email from Thanatos
...(DaFire) now added a system that blocks an IP for 30 minutes if 3 unsuccessful attempts have been made to login to the account management system on neocron.com.

YAY! It's a good place to start, KK. I'm sure this means that the unsuccessful attempts will be logged also........ Evil Doers Beware!!!!!
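The measure quoted above (block an IP for 30 minutes after 3 unsuccessful attempts, and log the attempts) is a per-source lockout. The throttle below is an added example for this thread, not the code DaFire added to neocron.com, and the thresholds, window and clock injection are assumptions; it counts failures per IP inside a sliding window, refuses further attempts while locked, and keeps the log the post hopes exists.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, List, Tuple


class LoginThrottle:
    def __init__(self, max_failures: int = 3, window_seconds: float = 1800,
                 lock_seconds: float = 1800, clock: Callable[[], float] = time.time) -> None:
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.lock_seconds = lock_seconds
        self.clock = clock
        self.failures: Dict[str, Deque[float]] = defaultdict(deque)  # ip -> recent failure times
        self.locked_until: Dict[str, float] = {}
        self.log: List[Tuple[float, str, str]] = []                  # (time, ip, event)

    def is_locked(self, ip: str) -> bool:
        return self.clock() < self.locked_until.get(ip, 0.0)

    def record(self, ip: str, success: bool) -> bool:
        """Record the outcome of an authentication attempt; return True if ip is now locked."""
        now = self.clock()
        if success:
            self.failures.pop(ip, None)       # a good login clears the failure history
            return False
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window_seconds:
            recent.popleft()                  # forget failures older than the window
        self.log.append((now, ip, "failure"))
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = now + self.lock_seconds
            self.log.append((now, ip, "locked"))
            recent.clear()
            return True
        return False

    def attempt(self, ip: str, authenticate: Callable[[], bool]) -> bool:
        """Run the real authenticator only when ip is not locked; log refused attempts too."""
        if self.is_locked(ip):
            self.log.append((self.clock(), ip, "rejected"))
            return False
        ok = bool(authenticate())
        self.record(ip, ok)
        return ok
```

Keying the lock on the source IP rather than the account means an attacker cannot lock a victim out of their own account by deliberately failing three times, but it also means an attacker who rotates through open proxies, as several posts in this thread describe, gets three fresh attempts per address. The log is what lets support see that pattern afterwards.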

FirestarXL
17-11-03, 19:27
A fair few points to catch up on, so I'll just work through these.

Firstly, the ideas I posted are just that, ideas, there to provoke discussion. Please also note, the poll question is not asking for approval of those ideas, merely that people agree it is an issue that must be tackled.

Firstly, in response to LVirus - it's already been stated that item IDs are NOT going to be simple to implement, otherwise they would have done it already, which is fair enough. However, I am thinking it might be worth the effort, and while doing that I'm sure there are other things that could be added if need be.

Also yes, probably nothing we think of here will defeat a dedicated hacker who wants to get in. But at the moment, it's pretty obvious they have methods of getting in which, without question, work. At the moment they have it easy, and they know it - they also know that once they've done their thing there's no in-game way to find out who did it.

Regarding the IP restriction issues brought up by Jester - as my wording stated, this would have to be an optional feature, not just because you might need to use it from many IPs, but also because a non-techie person compelled to deal with it would probably end up blocking their own IP or ISP out of confusion.

In Jester's case of accessing it from many places such as internet cafes etc., this won't help, since that situation is already a security nightmare for many reasons. So, not all ideas are applicable in that case, and the option is switched off.

Those worried about dial-up giving dynamic IPs, that's not a problem. As AlphaGremlin stated, ISPs have IP space they allocate from - however you do not even need to know this, since ISP addresses resolve via DNS into hostnames that can be vetted by a wildcard string. By this I mean, instead of allowing 192.168.34.1 - 192.168.32.254 you just allow *.myisp.net and let DNS sort it out. It's not foolproof, but it's better.

Finally, the proxies one. I'm referring to open, unsecured proxies with no accountability; that's the main thing. Mr Proper User in Mexico or Russia (just examples) can access the Cron straight from their IP or through their authorised ISP proxy, no harm done and no problem. However, there are known dodgy ones that can be tracked back only to a dead end, totally. Why should genuine users be coming through these? Some countries have some very oppressive laws, it's true, but then we would simply be making allowances in order to facilitate them breaking their own laws. Is that good for them or us?

There are a fair few extremely up-to-date lists of open proxies, and known spammer proxies, which I feel would be useful in this case. But that's something KK would have to look into anyway.

As for the legal thing, good point. I know websites can and do log their visitors; places like Hotmail have logs. Does this apply here? Can someone with legal experience comment?
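The per-account allow/deny rule idea from the opening post, AlphaGremlin's point that a dial-up address always falls inside the ISP's own ranges, and the wildcard-hostname variant in the post above all reduce to one check: does the connecting address, or the hostname it reverse-resolves to, match a rule. The code below is an added example for this thread, not anything from KK; the rule syntax, the resolver interfaces and the sample DNS data are assumptions. The "not foolproof" caveat in the post is real because anyone who controls the reverse zone for their address can publish a PTR claiming to be on *.myisp.net, so the example only trusts a hostname if it resolves back to the same address (forward-confirmed reverse DNS).

```python
import fnmatch
import ipaddress
from typing import Callable, Iterable, List, Optional

ReverseLookup = Callable[[str], Optional[str]]  # ip -> PTR hostname, or None if there is none
ForwardLookup = Callable[[str], Iterable[str]]  # hostname -> the addresses it resolves to


def _is_network(rule: str) -> bool:
    try:
        ipaddress.ip_network(rule, strict=False)
        return True
    except ValueError:
        return False


def confirmed_hostname(ip: str, reverse: ReverseLookup, forward: ForwardLookup) -> Optional[str]:
    """Forward-confirmed reverse DNS: the PTR name counts only if it resolves back to ip."""
    name = reverse(ip)
    if name is None:
        return None
    return name if ip in set(forward(name)) else None


def _matches(rule: str, ip: str, hostname: Optional[str]) -> bool:
    if _is_network(rule):                       # "192.0.2.0/24" or a single address
        return ipaddress.ip_address(ip) in ipaddress.ip_network(rule, strict=False)
    return hostname is not None and fnmatch.fnmatchcase(hostname.lower(), rule.lower())


def login_allowed(ip: str, allow: List[str], deny: List[str],
                  reverse: ReverseLookup, forward: ForwardLookup) -> bool:
    """Deny rules win; an empty allow-list means the optional feature is switched off."""
    hostname = confirmed_hostname(ip, reverse, forward)
    if any(_matches(rule, ip, hostname) for rule in deny):
        return False
    if not allow:
        return True
    return any(_matches(rule, ip, hostname) for rule in allow)


# Constructed DNS data standing in for socket.gethostbyaddr() / socket.getaddrinfo().
# 203.0.113.9 publishes a PTR claiming to be a myisp.net dial-up host, but that name
# does not resolve back to it, so the claim is rejected.
SAMPLE_PTR = {"198.51.100.23": "dyn-23.myisp.net", "203.0.113.9": "dyn-23.myisp.net"}
SAMPLE_FORWARD = {"dyn-23.myisp.net": ["198.51.100.23"]}


def sample_reverse(ip: str) -> Optional[str]:
    return SAMPLE_PTR.get(ip)


def sample_forward(name: str) -> Iterable[str]:
    return SAMPLE_FORWARD.get(name, [])
```

With live DNS the two lookups would be `socket.gethostbyaddr(ip)[0]` and the addresses from `socket.getaddrinfo(name, None)`; they are injected here so the check runs offline and so the forged-PTR case can be shown deterministically.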

Syntax-Error
17-11-03, 20:03
My forum logs every single IP of everyone online and reports multiple IPs per user to me. This is perfectly legal.

Bob Monkhouse
17-11-03, 20:10
Reporting IPs of people who use a particular service or product TO the provider of that product/service is legal. If the provider were to attempt to divulge that information to other users without consent, that would be illegal I believe.

Archeus
17-11-03, 20:40
Originally posted by Bob Monkhouse
Reporting IPs of people who use a particular service or product TO the provider of that product/service is legal. If the provider were to attempt to divulge that information to other users without consent, that would be illegal I believe.

Varies from country to country but generally correct. From what I have seen so far, the US is a lot more lax about giving this information away than European ISPs.

RayBob
17-11-03, 20:55
Originally posted by mcouillard
Very well thought out with solid, do-able ideas. Thank you.
Ditto. I wish KK would realize that some player suggestions are relatively easy to implement and can lead to dramatic improvements in the quality of their business.

Xizor
17-11-03, 21:08
I agree that something needs to be done. You seem to know a lot about these things, so I'm just gonna leave it at this.

Zu (Pluto)
17-11-03, 21:19
Most of these suggestions seem fairly reasonable. They are definitely worth a close look by KK to see if they are possible or practical.

Security is not my forte (and then some) so I've nothing else to add that's not already been said.

Zu

superfresh
17-11-03, 21:20
There are US states where hacking a NC account gets you the death penalty.

ichinin
17-11-03, 21:29
> if it simply sends your password to the registered email address, then this needs to be changed right away. Hacked accounts seem to always have their email addresses changed, so it is possible that the hackers are abusing this feature by rather than hacking the account via the password, they are able to change the email address registered to the account.

Flawed; chicken-and-egg syndrome. The security of your NC account is dependent on the password strength of your email account AND your NC account. Make sure both have strong passwords.

Item tracking won't work. Imagine X users on every server, imagine the amount of stuff some people buy to level up every day, imagine someone constructing that stuff into something else. It's not 25 data transactions a day we're talking about; we're talking about a dedicated database server that KK would need to run.

You should all change the passwords on your accounts; the default passwords are no match for password breakers. You should all steer clear of installing crap on your computers that you have no idea about, put up firewalls and stuff unless you know what the hell is going on in your systems.

It's so easy writing a keyboard/network sniffer you wouldn't believe it; it takes approximately 5-10 minutes depending on whether you want it to log to a file or log to another email account. A centralised solution won't work: if someone breaks into your email account, you are still fucked.

FirestarXL
18-11-03, 03:21
Originally posted by ichinin

Flawed; chicken-and-egg syndrome. The security of your NC account is dependent on the password strength of your email account AND your NC account. Make sure both have strong passwords.

Indeed, and we can't expect kk or anyone to have to account for the fact that your email may be compromised.

Archeus
18-11-03, 10:11
they are able to change the email address registered to the account.

Which doesn't make much sense, as if they are in your account at that stage nothing is going to stop them.



Item tracking won't work. Imagine X users on every server, imagine the amount of stuff some people buy to level up every day, imagine someone constructing that stuff into something else. It's not 25 data transactions a day we're talking about; we're talking about a dedicated database server that KK would need to run.

You put IDs on constructed rares and rare items. These are the lowest level of items. We already do to some extent with the constructors' names being on them. The item doesn't have to log who has it, only a unique ID. KK can then check the backup tape ID of the player in question who was hacked and then do a search for that item to see who has it in the world. After that, it is just a matter of asking that player who they got it from and comparing other IDs on items vs players.

No, this will not stop hacking. What it will do is track items to hackers or return stolen goods to their rightful owners.

It is not about stopping hackers. It's not going to happen. It is about damage control and removing them from the game.
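The procedure Archeus describes (stamp rares with a unique ID at construction, compare the victim's backup against the live world to find who holds each item now, then follow the hand-offs), and the opening post's rollback check that an item is really gone rather than passed to a friend, can both be done with a small registry. This is an added example for the thread and not KK's code or database layout; the item kinds, character names and the in-memory history are constructed for illustration, and the point it shows is that the ID alone, with a record of each transfer, is enough to reconcile a backup against the present state.

```python
import itertools
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Item:
    item_id: int
    kind: str
    constructor: str   # the constructor's name already goes on rares; the id is the new part


class ItemRegistry:
    def __init__(self) -> None:
        self._ids = itertools.count(1)
        self.items: Dict[int, Item] = {}
        self.holder: Dict[int, str] = {}                                    # id -> character
        self.history: List[Tuple[int, Optional[str], Optional[str]]] = []  # (id, from, to)

    def mint(self, kind: str, constructor: str, owner: str) -> int:
        """Assign a fresh id when the item is constructed; only items minted here are trackable."""
        item = Item(next(self._ids), kind, constructor)
        self.items[item.item_id] = item
        self.holder[item.item_id] = owner
        self.history.append((item.item_id, None, owner))
        return item.item_id

    def transfer(self, item_id: int, src: str, dst: str) -> None:
        if self.holder.get(item_id) != src:
            raise ValueError(f"{src} does not hold item {item_id}")
        self.holder[item_id] = dst
        self.history.append((item_id, src, dst))

    def destroy(self, item_id: int, who: str) -> None:
        if self.holder.get(item_id) != who:
            raise ValueError(f"{who} does not hold item {item_id}")
        del self.holder[item_id]
        self.history.append((item_id, who, None))

    def snapshot(self, character: str) -> List[int]:
        """What a backup taken now records for a character: the ids it holds."""
        return sorted(i for i, h in self.holder.items() if h == character)

    def chain(self, item_id: int) -> List[Tuple[Optional[str], Optional[str]]]:
        return [(s, d) for i, s, d in self.history if i == item_id]

    def reconcile(self, victim: str, backup_ids: List[int]) -> Dict[int, Tuple[str, list]]:
        """For each id the backup says the victim held: where it is now and how it got there."""
        report = {}
        for item_id in backup_ids:
            current = self.holder.get(item_id)
            if current == victim:
                status = "still held"
            elif current is None:
                status = "destroyed"
            else:
                status = f"held by {current}"
            report[item_id] = (status, self.chain(item_id))
        return report
```

An item that reconciles as "destroyed" is the case where a rollback restores something that no longer exists; one that reconciles as "held by" someone else is the case the opening post warns about, where a restore would duplicate an item that was merely handed on, and the chain names who to ask next.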