Author Topic: How did they get your password?  (Read 11648 times)

Offline Arran

  • Administrator
  • ******
  • Posts: 5625
  • Registered: 20/11/2010
  • Ingame: [CIT]Arran
How did they get your password?
« on: 21 03, 2014, 03:02:25 pm »
It's clear that account 'hacking' is a significant problem, a problem that can be solved with additional account access protection mechanisms.

Layer 1 is obviously your password, every account has a password.
Layer 2 doesn't exist for us, but some servers use a serial limitation system.

Serial limitation means that you can only log in to your account from your computer. This has 2 main problems:

Problem 1: What if you have multiple computers?

Proposed solution: A GUI grid where you can add/remove serials from.

Problem 2: What if your computer breaks? (Meaning you can't add your new serial to the grid)

Proposed solution: First of all, we can use email confirmation to confirm that the new serial is yours, but if you don't have an email set or it's inaccessible then we need a way to get back on, and I propose a 48 hour wait. That way a 'hacker' would need to wait 48 hours, and if in that time the real account owner logs on, the 48 hour countdown is aborted and the account owner is informed that someone tried to log in from another serial and therefore they should change their password.

This is what I want to do, to stop accounts from being 'hacked' so easily. But serial limitation isn't the only way of doing it, maybe there's a better way? But to find out if there is a better or easier way of solving this account stealing problem, I need to know why layer 1 fails for so many people.

If your account has ever been 'hacked' that means that you somehow let someone get your password, post here explaining how they knew your password. If you were an idiot and actually thought those "CIT cheat" websites that ask for your username and password were real, then say so here.

Alternative Layer 2 Implementations
  • We already store your last used serial so we could easily add a security question / secondary password which you need to answer whenever you log in with a serial that differs from the last used serial.
  • PIN code required for withdrawing money from ATM, sending money to others and making trades.
« Last Edit: 21 03, 2014, 03:24:26 pm by Arran »
Proof You Are so Much More Than What You Realise
Authority is not truth. Truth is authority.
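
The serial check and 48 hour recovery window proposed in the post above, sketched as an added example (not code from the post or from the server's scripts). The `Account` fields, the `login` function, its status strings and the `email_code_ok` flag are assumptions made for illustration; the password is assumed to have been verified already.

```python
from dataclasses import dataclass, field
from typing import Optional

WAIT = 48 * 3600  # seconds: the 48 hour wait proposed in the post


@dataclass
class Account:  # hypothetical record, not the server's real schema
    serials: set                                  # trusted serials (the "grid")
    email: Optional[str] = None                   # None: not set or inaccessible
    pending: dict = field(default_factory=dict)   # unknown serial -> first seen
    notices: list = field(default_factory=list)   # warnings shown to the owner


def login(acc, serial, now, email_code_ok=False):
    """Layer 2 check, run only after the password (layer 1) was accepted."""
    if serial in acc.serials:
        if acc.pending:  # owner is back: abort the countdown and warn them
            acc.notices.append("Login tried from another serial: change your password")
            acc.pending.clear()
        return "ok"
    if acc.email is not None:
        # Email path: trust the new serial only once the emailed code checks out.
        if not email_code_ok:
            return "email_code_required"
        acc.serials.add(serial)
        return "ok"
    # No usable email: start (or continue) the countdown for this serial.
    started = acc.pending.setdefault(serial, now)
    if now - started < WAIT:
        return "wait"
    del acc.pending[serial]
    acc.serials.add(serial)
    return "ok"


def demo():
    # Constructed scenario: stolen password used from an unknown serial,
    # owner logs in 24 hours later, intruder retries at hour 49.
    acc = Account(serials={"SERIAL-HOME"})
    results = [login(acc, "SERIAL-X", 0),
               login(acc, "SERIAL-HOME", 24 * 3600),
               login(acc, "SERIAL-X", 49 * 3600)]
    return results, acc.notices


if __name__ == "__main__":
    print(demo())
```

Because the owner's login clears the countdown, the retry at hour 49 starts a fresh 48 hour wait instead of succeeding.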

Offline Ex_TcR

  • Computer Scientist
  • Outstanding Community Member
  • *****
  • Posts: 556
  • Law Representative
  • Registered: 14/10/2012
Re: How did they get your password?
« Reply #1 on: 21 03, 2014, 03:13:04 pm »
A long time ago, a guy posted a link in the shoutbox saying "If you want free drugs, go here". Idk how many people got trapped, but I didn't open it; maybe some hackers know how to fool someone. Newb hackers (I think) use the links thingy, like sending a link to a guy saying check this or any trap, and because of that they get the password by scripting/programming the system etc.


Anyways, I have a question: what if I am using random computers to be in touch with forums 24/7? I mean I am very active... I use to open forums from different computers. Is it possible to add something like a "Security Code" when we log in via another computer? Or we can get a confirmation code that will be sent to our e-mail (if we're using one) and we'll copy it from our e-mail.

Quote
Proposed solution: A GUI grid where you can add/remove serials from.
It's a good idea, but if our computer breaks, as I mentioned above, is it possible to make it so that we have to confirm the new computer via our e-mail..?

sorry.. mistook.

Quote
a problem that can be solved with additional account access protection mechanisms.
« Last Edit: 21 03, 2014, 03:21:36 pm by Ex_TcR »
Ex. Honourable <3
Former L4. Staff | Groups Level Manager | Assistant Head Police Chief | Longest-term Active Ingame Supporter | Law Representative


Offline RedDrifter

  • **
  • Posts: 25
  • Registered: 28/01/2014
  • Ingame: RedDrifter
Re: How did they get your password?
« Reply #2 on: 21 03, 2014, 03:14:23 pm »
I had my account hacked once because I had the same password for other games too, and I gave my password to a friend on the other game. After some time we had an argument and he tried to steal all my money. Luckily I didn't have much back then, so I really didn't care and kept on playing.
- MTA Veteran.

Offline BabY

  • Senior Community Member
  • ****
  • Posts: 306
  • Registered: 08/02/2011
  • Ingame: LiL_BabY
Re: How did they get your password?
« Reply #3 on: 21 03, 2014, 03:17:06 pm »
For a better way of protecting account password... What about making a new e-mail PIN key / pass key or whatever, that CANNOT be the same as the account password, and restrict password changes to the associated e-mail only (send new password confirmation), so it becomes harder for attackers to change the password?

The only con is if the user uses the same password for his associated e-mail, but wouldn't that be his fault for not securing it?

Quote
Anyways, I have a question: what if I am using random computers to be in touch with forums 24/7? I mean I am very active... I use to open forums from different computers. Is it possible to add something like a "Security Code" when we log in via another computer? Or we can get a confirmation code that will be sent to our e-mail (if we're using one) and we'll copy it from our e-mail.
It's a good idea, but if our computer breaks, as I mentioned above, is it possible to make it so that we have to confirm the new computer via our e-mail..?

As long as you don't use the same password you use in game for the forum, nothing harmful can happen to you.
« Last Edit: 21 03, 2014, 03:20:23 pm by BabY »
Software Engineer
Ex. Staff (x2)
SO, Ex. SO
Wait for 2024

Offline Arran

  • Administrator
  • ******
  • Posts: 5625
  • Registered: 20/11/2010
  • Ingame: [CIT]Arran
Re: How did they get your password?
« Reply #4 on: 21 03, 2014, 03:17:58 pm »
Quote
It's a good idea, but if our computer breaks, as I mentioned above, is it possible to make it so that we have to confirm the new computer via our e-mail..?

Did you even read the whole topic..?

Offline BoDy

  • Senior Community Member
  • ****
  • Posts: 106
  • Be like a Prism
  • Registered: 14/06/2013
  • Ingame: BoDy
Re: How did they get your password?
« Reply #5 on: 21 03, 2014, 03:25:22 pm »
A guy PMed me with "can you explain this post to me <link>". I opened the link and found a "replica" of our forum, but I'm logged off, and you need to log in to be able to see what he's talking about, and he fooled more than 10 players in that day.
Eventually he got banned on the forum because I reported him to Kaka.
Ex - BoDy
"A person who never made a mistake never tried anything new"

If it was easy, everyone could do it.

Who would have known, how bitter sweet it would taste.

Offline Arran

  • Administrator
  • ******
  • Posts: 5625
  • Registered: 20/11/2010
  • Ingame: [CIT]Arran
Re: How did they get your password?
« Reply #6 on: 21 03, 2014, 03:31:59 pm »
Quote
A guy PMed me with "can you explain this post to me <link>". I opened the link and found a "replica" of our forum, but I'm logged off, and you need to log in to be able to see what he's talking about, and he fooled more than 10 players in that day.
Eventually he got banned on the forum because I reported him to Kaka.

Then maybe all these accounts being hacked is just a sign of player stupidity because:

1. People should know to check the URL when something like that happens.
2. People shouldn't use the same password for different things.

Though if this is true and most accounts are 'phished' then it means that a secondary question / password would solve the problem unless players were truly stupid and also told the 'hacker' the secondary password.

Offline BoDy

  • Senior Community Member
  • ****
  • Posts: 106
  • Be like a Prism
  • Registered: 14/06/2013
  • Ingame: BoDy
Re: How did they get your password?
« Reply #7 on: 21 03, 2014, 03:36:13 pm »
Quote
Then maybe all these accounts being hacked is just a sign of player stupidity because:

1. People should know to check the URL when something like that happens.
2. People shouldn't use the same password for different things.

Though if this is true and most accounts are 'phished' then it means that a secondary question / password would solve the problem unless players were truly stupid and also told the 'hacker' the secondary password.

And use a different password for their forum account, just in case.

sandisk

  • Guest
Re: How did they get your password?
« Reply #8 on: 21 03, 2014, 04:10:53 pm »
If this would become real, will it be mandatory? All in all it's a good suggestion for those who actually "need" it.

Imo the "Hacking" isn't a big problem, let the stupid people pay for their stupidity. When you read all the "I got hacked" threads it's just :fp:

Offline Arran

  • Administrator
  • ******
  • Posts: 5625
  • Registered: 20/11/2010
  • Ingame: [CIT]Arran
Re: How did they get your password?
« Reply #9 on: 21 03, 2014, 04:12:03 pm »
Quote
If this would become real, will it be mandatory?

No.

Offline VazZ

  • The Outrageous
  • Honorable
  • *****
  • Posts: 167
  • Registered: 08/09/2012
  • Group: ILC
  • Ingame: GOVH-Vazz|ILC|
Re: How did they get your password?
« Reply #10 on: 21 03, 2014, 04:23:32 pm »
Quote
Though if this is true and most accounts are 'phished' then it means that a secondary question / password would solve the problem unless players were truly stupid and also told the 'hacker' the secondary password.

From what I've seen when occasionally scanning through the posts where people complain about being hacked or how their accounts were banned and they then claim someone else was on the account, I think it's at least as much aware password sharing as well.

People are just sharing their account's password with one of their 500 friends or cousins or whatever they claim to be (for some reason they meet their relatives ingame instead of in real life but OK human stupidity is a different topic, at least I wouldn't believe someone who sends me an SMS "Hi iam your cousin give password ill give stats") and then trust them instantly.
So the idea that someone brought up above saying there could be an additional confirmation code when logging in is actually completely useless, to put it politely, because that's just another password. If I gave my "friend" my password to log in to my account and I know he'll also need a confirmation code, I would just give them that code too, otherwise it wouldn't make any sense to give them the password if they can't log in.

And that doesn't only go for the aware password sharing part, the code would also be useless for the phishing part, because when people know they'll need a code (in form of a sort of secondary password) they would obviously ask for that too in their fake login form..
Industry and Landwork Company

since 28.10.2013

“In view of the fact that God limited the intelligence of man, it seems unfair that he did not also limit his stupidity.”
- Konrad Adenauer

Are you group leader or founder? Rent GMP now

sandisk

  • Guest
Re: How did they get your password?
« Reply #11 on: 21 03, 2014, 04:24:44 pm »
Quote
No.

But still if people get phished they'll probably lose more than their MTA account, for example their e-mail password.

Offline VazZ

  • The Outrageous
  • Honorable
  • *****
  • Posts: 167
  • Registered: 08/09/2012
  • Group: ILC
  • Ingame: GOVH-Vazz|ILC|
Re: How did they get your password?
« Reply #12 on: 21 03, 2014, 04:29:37 pm »
Quote
But still if people get phished they'll probably lose more than their MTA account, for example their e-mail password.

Not necessarily.. That's only applying to the people who have the ignorance to use the same password everywhere, and to those: If they get phished (which requires stupidity as stated above) and then also use that password for anything else, they clearly never listened to the warnings over the years and then their loss is well deserved. Those people shouldn't be expecting to not lose all their internet accounts when they're already stupid enough to give away their password (aware or not) and then use the same password everywhere.

Additionally their e-mail passwords and anything else not related to that is nothing Arran has to take care of, all he does here is attempting to find a solution for the hacking going on within his own server. If people get hacked on their e-mail account, why would you move the fault to anyone else..

sandisk

  • Guest
Re: How did they get your password?
« Reply #13 on: 21 03, 2014, 04:47:56 pm »
Quote
Text..

I'm not saying it's Arran's responsibility to take care of the ones who've lost their e-mail accounts, but the thing is if you can get "phished" for your MTA account info why not your e-mail as well. If you're stupid enough to randomly click on everything random people send you, you kinda deserve that hard lesson. Sure this might be a solution for some, but it won't help the majority of the ones who claim their accounts got "hacked". We should send them on a class on how to surf the internet safely :)

neiltorres81

  • Guest
Re: How did they get your password?
« Reply #14 on: 21 03, 2014, 05:07:58 pm »
Well, others use a KeyLogger to hack accounts, which saves usernames and passwords to documents. They're hacking some online game accounts. Well, I suggest adding KeyLogger. I was one of its victims in CrossFire PH.