EVE Cyber Security 101


Alright guys, we have to talk. On the first of February, this post started blowing up on /r/eve. For those who do not wish to read the whole thing, the tl;dr from the post itself:

  • I have subscribed to EVE Online and played the game for 5+ years.
  • I couldn’t log into my accounts from the launcher on Christmas afternoon. I assumed I forgot my passwords (because we had to change them when linking to email) and I was locked out of the launcher.
  • Later that day, I decided to reset my passwords. I logged in to find my account was not how I left it.
  • The vast majority of my assets and hulls [~20-25bn isk value] were sold or trashed. Only the ship hulls were “fire sale”-ed for 2.5bn; the modules were all destroyed in both major stations where assets were stored.
  • I logged into the EVE website and discovered that my account was accessed by two Russian IPs for roughly 22 min. I booted him/her out of my account before SP was stripped.
  • I petitioned CCP and got told that I could get 15 days of Omega time as compensation and nothing else, as well as trying to take credit for “limiting” damage by locking the accounts 3 weeks after I secured them myself Christmas night.
  • After continued discussion with CCP they decided that they would replace a few lost mods in one station but not the other and continue to not replace the sold hulls and take back the isk, closing the account as being resolved, ignoring my patience and reasonable pleas.
  • 5 weeks and 3 CCP replies with no effort or investigation, resulting in the hacker with no punishment, CCP keeps my thousands of dollars and I’m left with a broken account.
  • I find CCP’s treatment of long-term customers is subpar, and their lack of effort for helping a customer who essentially had his entire character drained and left hung out to dry, a terrible business practice.

One additional detail he adds in the full description:

    “Recently this past Christmas day my accounts were hacked into via my email that we all had to newly link to our accounts. I did not find out how this happened until I was told about the major yahoo breach in 2014, which wasn’t made public till late 2016 and kind of put 2 and 2 together.”

Now, this post has gained a lot of popularity, and speaks to an ongoing discussion about EVE security, CCP’s customer service, and player expectations of the value of preserving the sandbox. Later in the post CCP Arcade, Lead GM at CCP, responded to the post with a lengthy description of the hacking response process.


In his response CCP Arcade states that the process of reversing the in game damage of hacking is “pretty complicated”. Further stating “If items are simply trashed by a hacker, then it simplifies our job as we can give them straight back to the player. However, if items are sold by the hacker then it would be unfair of us to remove items that were bought legitimately through the market by another player. Imagine you are a guy who bought a shiny new carrier and suddenly the ship is removed from your assets and a GM tells you that they need to give it back to the person you bought it from. Through no fault of your own you are now without a ship you relied upon or spent hours moving in preparation of an upcoming alliance op.”

It is here that the real complexity of the situation arises. In EVE the sandbox rules as much of the decision-making process as possible, and CCP goes to great lengths to see that the sandbox is preserved. In the case of theft by hacking alone, it is easy to simply punish the culprit, but EVE’s market creates a far more complex web of responsibility. As in real life, if something is stolen from your house and sold on, there is often little anyone can do to help you get it back.

Spawning extra items is problematic too. Replacing a ship that was lost, and perhaps should not have been, does not create more than the universe already had. Modules and items that dropped from the wreck are not returned with a reimbursement, because someone else now has them.


Now many may argue that it is CCP’s responsibility to right any action they can with their god powers, and that the personal “fun” of the player is more important than just some lost wreck thanks to a socket close. That’s fine, but let’s really look at who is at fault.

By the poster’s own admission, his account was compromised through a compromised email. That email was compromised in 2013 or 2014, and the news of the breach was not released until 2016. What that means is that the poster had not changed his password in the last two years. The switch to tie your email to your EVE account occurred in November of 2016, so the poster did not change his email password despite opting to tie it to his EVE account, just one month prior to being hacked. This is the cyber equivalent of not brushing your teeth for 4 years, and complaining to the dentist that they are making your teeth hurt with their drills.

What this really means is that the poster has been using a compromised email for who knows what else, and given how quickly the attacker got to his account, the poster may want to be thankful to CCP for exposing his highly compromised security policy.

With that in mind, CCP did do their best to soothe the hard feelings of the poster, giving him free game time (value they do not need to account for in terms of the EVE market) and a few things they could justify, likely because the attacker didn’t do anything with them or they failed to sell.

In addition to all of that EVE is a game about security. It is a game built on trust, and the consequences of too much, or not enough of it. Trust in your own policies is a big part of that. Do you always insure your ship? Do you never? Do you “never fly more than you can lose”? Do you never fly drunk? Do you never lend out your account? Most players have some basic framework of policies to protect them from themselves and others, and a decent account security policy should be part of that.

So, you have to protect your account, that’s the bad news. The good news is it isn’t really that hard. If you have the technical prowess to get an EVE account, you have enough to secure it. Double true for those adept enough to generate an API key!


Cyber Security: What You Know – What You Are – What You Have

The goal of authentication in cyber security is to verify that a person is who they claim to be, and is authorized to do what they are trying to do. Authentication is at its best when it is nearly invisible, and at its worst when it is easily compromised. Authentication of a user is built on three basic factors.

What You Know: This is a knowledge test. In the movies, when a person claims to be a family member or childhood friend, they try to validate themselves by saying something “only they would know.” In cyber security, we generally use passwords, passphrases, or PINs.

What You Are: This is a physical test. Fingerprints are most common, but retinal scans and the like are used as well. This is largely impractical for online services, as any reading could potentially be spoofed if the equipment is in the hands of the user. It is mostly used to gate a physical barrier or on a device itself.

What You Have: This is the most common form of security in the modern world. Most people carry several keys on their person at all times. You have the key? You are authorized. Nearly all mechanical devices prior to the computer era used this kind of security. In cyber security, you have key fobs, authenticator apps, or ID cards you have to plug into a reader.

Each factor of validation is incomplete and has limitations. Knowledge can be leaked or hacked, keys can be duplicated and stolen, and physical validation is cumbersome and limited. Thus, stacking factors of different types is more valuable than having more than one of the same type. Having both a password and a challenge for character name can be good (the attacker may guess one and not the other); having both an authenticator app on your phone and a password protects you from all but the most intimate of attackers.

On the subject of “What You Are” authentication: I believe there is a growing trend on the internet to use external validation to identify “what you are”. In essence, when you log in with EVE, it becomes a part of “what you are” as far as EVE SSO is concerned. Websites such as zKillboard “trust” EVE’s system when it tells them that you are who you say you are. In much the same way, a person’s email accounts and primary social media have become a kind of validation of a user’s identity. As such, these have become the most important accounts in a personal cyber security policy.


Protecting Your Digital Life

Password:

Your password is the basic validation factor most users have for their online accounts. However, users often have hundreds of accounts at any given time, which leads to bad password policy. The first thing you have to realize is that not all accounts are created equal. Each service you create a password for creates a new attack vector for that password, and a password shared between services presents multiple attack vectors to an attacker. Servers are being compromised all the time.

Most cyber security experts will recommend changing your password at least monthly on seriously sensitive accounts. No one really cares if your MLP fanclub account gets compromised, as long as the only other sites that share that password are other forums. However, if you share the same password with your email or EVE account, you are effectively saying “I trust MLP Fanclub to have gone through the rigours of securing their system to Google’s (or Facebook’s, or whoever’s) standard.” Especially with the rising popularity of OAuth and SSO (“Sign in with…” authentication), your social media and email passwords should be unique (or at least not the same as your random-website-account one), and changed frequently. Don’t worry about long garbled passwords. Most password requirements are more effective at causing people to lose passwords than they are at securing accounts, and often an easier-to-remember but relatively random password is superior (source).

Google Authenticator:

The Google Authenticator is what people mean when they say “two-factor” authentication in an EVE context. The Authenticator can be installed on any Android, iOS, or Windows Phone device. It generates a six-digit code that changes every thirty seconds. When you log in you have to enter the code as well as your normal password. This verifies that the user attempting to access the account knows your password (what you know) but also has access to your Authenticator (what you have).

Additionally, for those who feel this is too cumbersome, CCP has added a way to move your “what you have” from the authenticator app to your computer. You can opt to have it no longer prompt you on that device, which authorizes the device as you to CCP. This leaves any attacker barred unless they somehow obtain or compromise your physical devices. Obviously, if you do not trust the physical security of your computer, then the authenticator app is the only choice.

For those without a device to run the Google Authenticator, having a strict password policy is your only real defense.


Beyond the Sandbox

The time has come to realize that cybersecurity is everyone’s responsibility. Just as insurance may not pay for stolen items if they find out you didn’t lock your car, the consequences of failing to protect your digital presence are costly to you. EVE is a pretty low-threat case, especially compared to Facebook, banking institutions, and even games like World of Warcraft, where hacking became so rampant that they spearheaded the movement to two-factor authentication in online gaming. You are lucky that the pool of people who will exploit a compromised EVE account is the relatively small group who would care about such a thing. However, that pool is obviously big enough, and maybe we need to realize that to continue to live in an information age, ignorance is no longer a privilege we get to have.




About the author

Ashterothi

Ashterothi has spent the last five years learning and teaching EVE Online. He is a host on the highly successful High Drag and Hydrostatic Podcast.


  • Lulu Lunette

    Don’t care about your opinion on this. Huge thumbs down on CCP.

    Yeah the lesson we can all get here is to make sure our stuff is secure. We get it.

    I feel pretty bad for this guy and if it was me I would never play this game again.

    • Ashterothi

      When you get fired from your job because of poor data security, or you get your identity stolen because you don’t change your passwords, no one will be obligated to help you then either.

      I know this seems brutal, but cyber security is everyone’s responsibility. A user with improper security is the problem, not the CCP infrastructure designed to prevent it when properly used.

      • Lulu Lunette

        If my bank suspected my credit card was stolen, which they did the first time I used it to pay my Eve Online subscription; they’d call. If I miss that call and call them back, even right away after listening to the voicemail – the credit card is already shut off.

        Of course there is no way CCP can compete with a bank but my inconvenience there was absolutely well worth it. Why can’t CCP have it set so if you logged in from a new IP address you have to verify it? Why can’t they have a super harsh stance on any possible fraudulent tickets? They did say that it’s been abused in the past but make it a permaban if you dare try!! They must have access to better logs than we do to be able to track a thief like this. I don’t see why they couldn’t just duplicate what was lost – one player’s stuff can’t possibly be what would tip the tide in a war. (hmm well maybe considering it takes them 3 weeks just to answer.. maybe it does)

        The point is, CCP didn’t or maybe even can’t care enough for this one player. What if it was one of us? Oh wait, it was. We are losing an Eve Online player to a real world crime that CCP basically validates. Too bad, so sad. At least the silver lining is that any serious Eve player that visits this site is gonna have their Google Authenticators flipped on.

        We only know HIS side of the story and I try not to get too triggered about it but this is horrible on CCP’s part. Says a lot. I hope the investigation is still pending and who knows maybe he was account sharing or something sketchy we may never know this whole story.

        Mucho respect to you Ashterothi, love hearing you and your thoughts but I don’t think we can agree here. Please don’t hate me

        • Rishian Starfury

          You have to think like a hacker. For example, a “friend” hacks my account and “sells” billions in game. I report the “hack” to CCP, they reimburse all in-game items, effectively increasing my in-game net worth by billions after splitting the profits with my “friend.” It’s not that CCP is being unfair; they are mitigating exploitation. Does it suck? Yes. Hackers look for soft targets and use social engineering to exploit systems. What’s more dangerous to CCP: losing a player, or having the rep in the hacking community as a soft, exploitable reimbursement system?

          • Ashterothi

            Bingo. When YOU get hacked, it is CCP that is compromised through YOU. This is where the ‘blame the victim’ argument falls apart, as your negligence is causing the negative impact to their company, not their company’s negligence.

            CCP is neither your bank nor your insurance. They help when they can, but should have no obligation to. Blaming CCP for this is blaming the car manufacturer because the car you left unlocked got stolen.

        • Jare

          Plus it is unlikely that stolen assets will end up on the same side of the war…. Doubt a corp or alliance mate was the scammer, so if everything was reimbursed the alliance would have the assets they’re “supposed to…” Not like it was a secret plot by the guy to get CCP to give him free supers. The whole “keeping reimbursing pure” is crap. Unless Chribba got hacked, one account worth of stuff is a joke.

  • Boom Boom Bartholomew

    “Imagine you are a guy who bought a shiny new carrier and suddenly the ship is removed from your assets and a GM tells you that they need to give it back to the person you bought it from. Through no fault of your own you are now without a ship you relied upon or spent hours moving in preparation of an upcoming alliance op.”

    -CCP can replicate items. They can program these items back into the original owner’s hold if they find wrongful acts committed, without upsetting the apple cart of the player who was wronged.

    The sandbox is meant to be within the game. When hacking of accounts is introduced it is not “within the bounds of the sandbox”. To insinuate that is to insinuate that hacking accounts is part of the in-game gameplay of Eve. It is not.

    Ash, you’re a p smart dude. But you need to stop the squatting upon and pumping of CCP’s cock.

    • cantfindmydisqusaccount

      Well, that’s the point. CCP _can_ replicate items, but they _won’t_. The sandbox creates items, and nothing else. If the item still exists, CCP won’t touch it, and in my opinion that is exactly the way to go.

  • Herbert Montague

    Well I learnt from this, my account and Gmail now authenticated. I do agree somewhat that CCP’s attitude toward this looks really bad on the company. I buy plex to play and I like to know my money is more protected than this. Getting it stolen in game by being bad is no problem, getting it removed by a hacker with no come back?… not so much.

  • Rishian Starfury

    Pro tip to all: use an alphanumeric string as your password. This may seem like a hassle but is easier than you think. Use the ASCII table http://www.asciitable.com/ to link some phrases together via hex and use a special character (*, &, etc.) to separate the hex values. If you forget this complex password you only need to reference the table to remember.

  • Muon

    Ultimately, we’ve got to come up with a better way of doing things than passwords. It’s simply not realistic to expect people to have unique, strong passwords changed monthly for all of their accounts. Experts can rail about it all they like, but it’s never going to happen. There’s a *reason* people have poor password security, and it’s because *good* password security is an impractical pain in the ass! If they want to promote security, they’re going to have to come up with security systems that are actually compatible with basic human nature rather than blindly trying to force that particular boulder uphill over and over.

    • Ashterothi

      In theory the new email challenge should make things MORE protected. However, all this is predicated upon the idea that email passwords ARE identity and are protected as such. MANY institutions function under this assumption (for example banks). If your email isn’t secure, YOU aren’t secure.

      All that being said, two-factor auth is very secure. Enough so that the password’s security matters far less. Additionally, as long as your computer doesn’t move around a lot, you can make this have nearly 0 impact on your device. One of the things I like about Google’s authentication, as opposed to other games’ authentication, is that it is tied to your Google account, and thus will survive things like hardware failure. I have lost too many hours with Blizzard Customer Support because someone wiped a phone without writing down the authenticator’s codes.

  • Nad

    “For those without a device to run the Google Authenticator, having a strict password policy is your only real defense”

    I disagree.
    http://www.keepass.info
    If you have a computer (which you NEED in order to access anything that needs a password), you have the ability to use this program.
    There is a plugin for 2FA.
    Put the database (and keyfile) in your Dropbox (or similar) folder and you can then access it from any device on which you can access dropbox.
    It has versions for PC, Mac, Android and iOS.
    This way, you only need to remember TWO passwords – one for access to the database itself, and one for Dropbox. Make these passwords GOOD, and change them REGULARLY.
    You can use the built-in autotype to fill in usernames/passwords/authentication codes, or you can copy/paste from the program.

  • NomoreForyou

    CCP sucks – they offer multi character training to new subscription buys but forget all of us who have already subscribed!!! What a bunch of thankless losers. Bye bye Eve