EVE Cyber Security 101
Ashterothi
Alright guys, we have to talk. On the first of February, this post started blowing up on /r/eve. For those who do not wish to read the whole thing, the tl;dr from the post itself:
• I have subscribed to EVE Online and played the game for 5+ years.
• I couldn’t log into my accounts from the launcher on Christmas afternoon. I assumed I forgot my passwords (because we had to change them when linking to email) and I was locked out of the launcher.
• Later that day, I decided to reset my passwords. I logged in to find my account was not how I left it.
• The vast majority of my assets and hulls [~20-25bn isk value] were sold or trashed. Only the ship hulls were “fire sale”-ed for 2.5bn, the modules were all destroyed in both major stations where assets were stored.
• I logged into the EVE website and discovered that my account was accessed by two Russian IPs for roughly 22min, I booted him/her out of my account before SP was stripped.
• I petitioned CCP and got told that I could get 15 days of Omega time as compensation and nothing else, as well as trying to take credit for “limiting” damage by locking the accounts 3 weeks after I secured them myself Christmas night.
• After continued discussion with CCP they decided that they would replace a few lost mods in one station but not the other and continue to not replace the sold hulls and take back the isk, closing the account as being resolved ignoring my patience and reasonable pleas
• 5 weeks and 3 CCP replies with no effort or investigation resulting in the hacker with no punishment, CCP keeps my thousands of dollars and I’m left with a broken account
• I find CCP’s treatment of long-term customers is subpar, and their lack of effort for helping a customer who essentially had his entire character drained and left hung out to dry, a terrible business practice.
One additional detail he adds in the full description:
“Recently this past Christmas day my accounts were hacked into via my email that we all had to newly link to our accounts. I did not find out how this happened until I was told about the major Yahoo breach in 2014, which wasn’t made public till late 2016 and kind of put 2 and 2 together.”
Now, this post has gained a lot of popularity, and speaks to an ongoing discussion about EVE security, CCP’s customer service, and player expectations of the value of preserving the sandbox. Later in the post CCP Arcade, Lead GM at CCP, responded to the post with a lengthy description of the hacking response process.
In his response, CCP Arcade states that the process of reversing the in-game damage of hacking is “pretty complicated”, further stating: “If items are simply trashed by a hacker, then it simplifies our job as we can give them straight back to the player. However, if items are sold by the hacker then it would be unfair of us to remove items that were bought legitimately through the market by another player. Imagine you are a guy who bought a shiny new carrier and suddenly the ship is removed from your assets and a GM tells you that they need to give it back to the person you bought it from. Through no fault of your own you are now without a ship you relied upon or spent hours moving in preparation of an upcoming alliance op.”
It is here that the real complexity of the situation arises. In EVE, the sandbox rules as much of the decision-making process as possible, and CCP goes to great lengths to see that the sandbox is preserved. In the case of direct theft by hacking, it is easy to simply punish the culprit, but EVE’s market creates a far more complex web of responsibility. As in real life, if something is stolen from your house and sold, there is often little anyone can do to help you get it back.
The spawning of extra items becomes problematic too. Replacing a ship that was lost when it maybe shouldn’t have been does not create more than the universe had. Modules and items that dropped from the wreck are not returned with a reimbursement, because someone else has them.
Now, many may argue that it is CCP’s responsibility to right any wrong they can with their god powers, and that the personal “fun” of the player is more important than just some lost wreck thanks to a socket close. That’s fine, but let’s really look at who is at fault.
By the poster’s own admission, the account was compromised through a compromised email. This email was compromised in 2013 or 2014, and the news of that hack was not released until 2016. What that means, however, is that the poster had not changed his password in the last two years. The switch to tie your email to your EVE account occurred in November of 2016, which means that the poster did not change his email password in spite of opting to tie it to his EVE account just one month before it was hacked. This is the cyber equivalent of not brushing your teeth for 4 years, and complaining to the dentist that they are making your teeth hurt with their drills.
What this really means is that the poster has been using a compromised email for who knows what else, and given how quickly the attacker got to his account, the poster may want to be thankful to CCP for exposing his highly compromised security policy.
With that in mind, CCP did do their best to soothe the hard feelings of the poster, giving him free game time (value they do not need to account for in terms of the EVE market) and a few things they could justify, likely because the attacker didn’t do anything with them or they failed to sell.
In addition to all of that, EVE is a game about security. It is a game built on trust, and the consequences of too much, or not enough, of it. Trust in your own policies is a big part of that. Do you always insure your ship? Do you never? Do you “never fly more than you can lose”? Do you never fly drunk? Do you never lend out your account? Most players have some basic framework of policies to protect them from themselves and others, and a decent account security policy should be part of that.
So, you have to protect your account; that’s the bad news. The good news is it isn’t really that hard. If you have the technical prowess to get an EVE account, you have enough to secure it. Doubly true for those adept enough to generate an API key!
Cyber Security: What You Know – What You Are – What You Have
The goal of authentication in cyber security is to verify that a person is who they claim to be and is authorized to do what they are trying to do. Authentication is at its best when it is nearly invisible, and at its worst when it is easily compromised. Authentication of a user is built on three basic factors.
What You Know: This is a knowledge test. In the movies, when a person claims to be a family member or childhood friend, they try to validate themselves by saying something “only they would know.” In cyber security, we generally use passwords, passphrases, or PINs.
What You Are: This is a physical test. Fingerprints are most common, but retinal scans and the like are used as well. Pretty much impractical online, as any reading could potentially be spoofed if the equipment is in the hands of the user. Mostly used to gate a physical barrier or on a device itself.
What You Have: This is the most common form of security in the modern world. Most people carry several keys on their person at all times. You have the key? You are authorized. Nearly all mechanical devices prior to the computer era used this kind of security. In cyber security, you have key fobs, authenticator apps, or ID cards you have to plug into a reader.
Each factor of validation is incomplete and has limitations. Knowledge can be leaked or hacked, keys can be duplicated and stolen, and physical validation is cumbersome and limited. Thus, stacking multiple types of factors is more valuable than having more than one of the same factor. Having both a password and a challenge for character name can be good (the attacker may guess one and not the other), but having both an authenticator app on your phone and a password protects you from all but the most intimate of attackers.
On the subject of “What you are” authentication: I believe there is a growing trend on the internet to use external validation to identify “What you are”. In essence, when you log in with EVE, it becomes a part of “What you are” as far as EVE SSO is concerned. Websites such as ZKill “trust” EVE’s system when it tells them that you are who you say you are. In much the same way, a person’s email accounts and primary social media have become a kind of validation of a user’s identity. As such, these have become the most important in a personal cyber security policy.
Protecting Your Digital Life
A password is the basic validation factor most users have for their online accounts. However, users often have hundreds of accounts at any given time, which leads to bad password policy. The first thing you have to realize is that not all accounts are created equal. Each service you create a password for creates a new vector of attack for that password. Passwords shared between services represent multiple attack vectors for attackers. Servers are being compromised all the time.
Most cyber security experts will recommend changing your password at least monthly on seriously sensitive accounts. No one really cares if your MLP fanclub account gets compromised, as long as the only other sites that share that password are other forums. However, if you share the same password with your email or EVE account, you are effectively saying “I trust that MLP Fanclub has gone through the rigorous rigors of securing their system to Google’s (or Facebook’s, or whoever’s) standard.” Especially with the rising popularity of OAuth and SSO (“Sign in with…” authentication), your social media and email passwords should be unique (or at least not the same as your random website account one), and changed frequently. Don’t worry about long garbled passwords. Most password requirements are more effective at causing people to lose passwords than they are at securing accounts, and often an easier to remember, but relatively random, password is superior (source).
The Google Authenticator is what people mean when they say “two-factor” authentication in an EVE context. The Authenticator can be installed on any Android, iOS, or Windows phone device. This generates a random six-digit number that changes every thirty seconds or so. When you log in, you have to enter the code as well as your normal password. This verifies that the user attempting to access knows your password (what you know) but also has access to your Authenticator (what you have).
Additionally, for those who feel this is too cumbersome, CCP has added a way to turn your “What you have” from the authenticator app to your computer. You can opt to have it no longer prompt you on that device, which authorizes the device as you to CCP. This leaves any attacker locked out unless they somehow get hold of your physical devices (or compromise them). Obviously, if you do not trust the physical security of your computer, then the authenticator is the only choice.
For those without a device to run the Google Authenticator, having a strict password policy is your only real defense.
Beyond the Sandbox
The time has come for us to realize that cybersecurity is everyone’s responsibility. Just as insurance may not pay for stolen items if they find out you didn’t lock your car, the consequences of failing to protect your digital presence are costly to you. EVE is a pretty low-threat case, especially compared to Facebook, banking institutions, and even games like World of Warcraft, where hacking became so rampant that they spearheaded the movement to two-factor authentication in online gaming. You are lucky that the pool of people who will exploit a compromised account is the relatively small group of people who would care about such a thing. However, that pool is obviously big enough, and maybe we need to realize that to continue to live in an information age, ignorance is no longer a privilege we get to have.