Wednesday, 28 August 2013

How to keep your Final Fantasy XIV Online Account Safe & Secure

Final Fantasy XIV, is a new online multi-player role playing game (MMORPG) which was launched on the Sony PlayStation 3 and PC this week by Square Enix. Gaming accounts on such games are actively targeted by cyber thieves, as they look to profit from victims by selling off in game character equipment in exchange for real life money, and to even also harvest personal.


Protection of the Square Enix user account by the gamer, is the key to the games security, and it is much the responsibility of the gamer, not Square Enix, to ensure it is kept secure, which will become clear in the rest of this post.  If a bad guy gains access to this account, he will have achieved his objective, and can go on to steal. Many victims don't understand how their accounts were compromised by hackers, and consider the hackers to be super clever, and the gaming company to be at fault. However the attacks are old techniques and fairly simple, and in the vast majority of cases, it is the gamer at fault, in having poor security habits leaving themselves wide open to attack. There several common techniques used to steal credentials from gamers online accounts, which I'll explain below together with advice to protect against such methods.

1. Phishing Emails
Most online game accounts credentials are typically stolen through phishing attacks. Hackers send a professionally worded fake email to a gamer, typically pretending to be from the company providing the game. The email will include a link to a fake but genuine looking website, and the message will have a reason, based on either fear or greed, to access that site by clicking on the link. For example the email message might say "Urgent your account has been hacked and the password requires resetting" -fear, or perhaps "you won our competition for free access and in game rare items." - greed.

Gamers are duped into entering their account credentials on the fake website, and then are typically forwarded onto the actual website so they don't realise they have been hacked, meanwhile the hacker has harvested the gamers username and password. 
ADVICE: Be wary of any email which appears to be from Square Enix or Sony, and requests for you to click on a link or opening an attachment or form, no matter how real an email looks or what the senders email address is, never access a website through a link in an email.

2. Same account passwords on other sites
Another method is to steal account credentials from other supporting websites, such as fan forums, which often have poor security. Such sites can have their entire databases stolen without the knowledge of their administrators, or have hidden malicious scripts in posts which steal data from PCs accessing it, or even have the data stolen and sold on by dodgy administrators.
ADVICE: Never use your Square Enix account and password combination on any other website or other online account ever.

3. PC Keylogger
Another method for stealing account credentials is via malware infection of a PC, typically involving the hidden installation of keylogging software. Keyloggers collects your credentials as you type them into the game's login screen or even into the official website, so even PS3 gamers aren't safe. The keyed data is then forwarded on covertly to the hacker.
ADVICE: Ensure anti-virus is installed, definitions kept updated and it is always running.  Ensure your firewall is enabled. Avoid installing any additional unofficial plugins or tools for the game, especially tools which claim to give you an advantage in the game. Sometimes these tools and plugins act as Trojans, provide their function but will steal your credentials and forward them on to the bad guys behind the scenes.

4. Use Square Enix’s one-time password system (two factor authentication)
This is by far the most effective way to protect your Final Fantasy XIV account, sign up to the Square Enix one-time password system.


They have an option of either purchasing a hardware token which generates a one-time password on it (see picture), or a software token, namely an smartphone app which you can install, which like the hardware version, generates the required unique one-time passwords.  You enter the generated one-time password as part of your login into game, the security is that you must have possession of your phone or hardware token to login to the game, so even if someone has obtained your account username or email address and your password, they cannot log into your account. This proven authentication method has been used by industries to protect accounts and online banking.

2 comments:

Patrick said...

I don't understand why someone would try hacking a gamer account?

Dave Whitelegg said...

Hi,

The Whys, in order, typically its the first one.

1. For the Money. Rare in game items, which it can takes hours of gameplay and luck to obtain, can be sold off in game a great deal of game currency. Some players also have built up lots of such items and lots currency (gold/gill) over hundreds of hours of gameplay. This in game currency can be transferred out of character/gaming account and sold on for real currency. People buy in game money using real in game money, even in FF14 this is already available, google it. Yes its against the game rules, but it goes on in every game of this type. The bottom line, access to your gamer account = Cash

2. Seen this one a few times, good old revenge. Sometime people piss other people off in the game, as way of getting back they hack their gamer account and stripping their character of items and/or locking them out, or even deleting their character.

3. Personal data is always of value, names, home address, email address, DoB, account password, password reset question etc.