my account stolen

General discussion and socializing.

Re: my account stolen

Postby Ninijutsu » Thu Apr 16, 2015 11:15 pm

There is nothing wrong with the current security features. If your account is stolen then 1. It's completely your own fault or 2. You were bruteforced and Loftar can/most likely will get your account returned to you promptly (not that bruteforcing ever fucking happens for the most part).
Of another era.
Ninijutsu
 
Posts: 2225
Joined: Sat May 22, 2010 4:22 am

Re: my account stolen

Postby txtrung0 » Thu Apr 16, 2015 11:25 pm

My guess would be people buying titan accounts?
txtrung0
 
Posts: 86
Joined: Fri Mar 09, 2012 7:19 am

Re: my account stolen

Postby RustyBuckitt » Fri Apr 17, 2015 12:30 am

Surprised that nobody has asked this question yet...

@OP What client are you using? Some clients use loggers that can be used to steal your account.
"Me and Stone gonna break your bones." In loving memory of Stick

RustyBuckitt
 
Posts: 463
Joined: Wed Feb 19, 2014 4:09 am
Location: The "Bud" with "a friend"

Re: my account stolen

Postby loftar » Fri Apr 17, 2015 12:36 am

Sverek wrote:Conflicts with someone who knew my password I did not have, we have been friends well and I trust him.

Sorry, but if I had a penny for every time I've heard that...

Sverek wrote:What would crack a password was a very long time.

If by this you mean that the password would have been brute-forced, then no, that did not happen. The logs make that quite obvious.

stickman wrote:Has anyone ever legitimately used the change email function? I don't know why it exists.

It's being used all the time. Of course, people won't go to the forums telling all about it.


For now, I've disabled the account from game logins. By any chance, that might mean that whoever now uses it contacts me about it so I can ask why he has it.
"Object-oriented design is the roman numerals of computing." -- Rob Pike
loftar
 
Posts: 9045
Joined: Fri Apr 03, 2009 7:05 am

Re: my account stolen

Postby bitza » Fri Apr 17, 2015 1:32 am

Ninijutsu wrote:There is nothing wrong with the current security features. If your account is stolen then 1. It's completely your own fault or 2. You were bruteforced and Loftar can/most likely will get your account returned to you promptly (not that bruteforcing ever fucking happens for the most part).


i suppose that if she didn't want to be raped, she shouldn't have gone out in that slutty outfit too, right? :roll:

this email recovery "feature" is an ass-backwards travesty of a security check that has been used to hijack accounts since world 3, almost 5 fucking years ago. it amazes me that a permanent solution hasn't been implemented to this; instead the devs wait for another account to get stolen and a thread to get posted, then everyone goes "herp a derp it was your fault".

i struggle to think of any other online account system that works this way. imagine if facebook or your online banking worked this way. even the most rudimentary webmail systems back in 1995 had better recovery procedures.

all that being said, the OP was probably using one of those shady russian clients used to steal passwords.
Karede wrote: It takes a special kind of autism to play this game
bitza
 
Posts: 1461
Joined: Wed Dec 30, 2009 2:07 pm

Re: my account stolen

Postby loftar » Fri Apr 17, 2015 1:43 am

bitza wrote:this email recovery "feature" is an ass-backwards travesty of a security check that has been used to hijack accounts since world 3, almost 5 fucking years ago. it amazes me that a permanent solution hasn't been implemented to this

What, really, is the problem with it? Virtually every case of account "theft" has been an instance of account sharing gone sour, and I see no reason to believe this case is any different. I honestly think there's a very strong case to be made that people sharing their passwords have it coming.

And how do you mean Facebook is any different? When I use its password recovery function, I do indeed get a link to reset my password sent to my e-mail. Online banking typically uses physical RSA gadgets -- I'm sure you don't intend to say that we should go that far.
"Object-oriented design is the roman numerals of computing." -- Rob Pike
loftar
 
Posts: 9045
Joined: Fri Apr 03, 2009 7:05 am

Re: my account stolen

Postby bitza » Fri Apr 17, 2015 2:08 am

it's true that there's not much you'll be able to do in the event of password sharing, or keylogger clients i suppose. where the big problem comes in is the "change email" box under the account link. this is the big gaping security hole that causes so many of these problems with account theft.

if i know the password to the account, i can use the "change email" function to link that account to my email. then, i change the password. now the account is associated with my email, and the original account holder doesn't know the password, nor can they re-associate the account to their email without developer intervention.

i'm not a super smart computer guy, but even i know this is bad implementation. i guess either the "change email" function needs to go away, or it needs to require an authentication from the original email address before changing the associated email address.
Karede wrote: It takes a special kind of autism to play this game
bitza
 
Posts: 1461
Joined: Wed Dec 30, 2009 2:07 pm

Re: my account stolen

Postby venatorvenator » Fri Apr 17, 2015 2:28 am

I suppose this is still relevant. Quote from some years ago:

jorb wrote:
Minion0ne wrote:There is MY Side of the story.

I don't necessarily dispute it. Lesson learned is to not trade accounts.


jorb wrote:It's certainly not disallowed, but when I get a PM from the original registrant complaining that the account was stolen, well, don't blame me if justice happens. ;)
Xcom wrote:Most good things last only a short time
venatorvenator
 
Posts: 1066
Joined: Fri Mar 07, 2014 5:59 pm

Re: my account stolen

Postby loftar » Fri Apr 17, 2015 3:03 am

bitza wrote:i'm not a super smart computer guy, but even i know this is bad implementation. i guess either the "change email" function needs to go away, or it needs to require an authentication from the original email address before changing the associated email address.

That would make it pointless for its intended purpose of changing your e-mail address when you've lost your original account, however.

And for that matter...
bitza wrote:if i know the password to the account

...I just cannot help but think that this is the primary problem. If you knew the password to the account, the characters could just as well already be dead anyway.

That being said, of course, I don't necessarily think it would be a bad idea, as some have suggested, to include a "revert back" link in the receipt e-mail sent to the original address. I just see before me a number of potential issues with that too. I'm still weighing them against each other.
"Object-oriented design is the roman numerals of computing." -- Rob Pike
loftar
 
Posts: 9045
Joined: Fri Apr 03, 2009 7:05 am

Re: my account stolen

Postby TeckXKnight » Fri Apr 17, 2015 3:06 am

Would it be possible to send a confirmation e-mail and if that e-mail is not addressed by clicking a link or some such within X days/weeks then the account is transferred over to the new e-mail? That way if it is fraudulent then the original owner can block it but if it's legitimate then they'll be able to transfer it over safely.
TeckXKnight
 
Posts: 8274
Joined: Tue Jul 13, 2010 2:31 am
Location: How Do I?
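
The delayed, vetoable e-mail change proposed in the post above, sketched as an added example (not code from the game or its developers). The class and method names, the 7-day window and the in-memory outbox standing in for real mail are all assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

HOLD_SECONDS = 7 * 24 * 3600  # assumed veto window; the post only says "X days/weeks"

@dataclass
class PendingChange:
    new_email: str
    effective_at: float
    cancel_token_hash: str  # only the hash is stored, never the token itself

class EmailChangeManager:
    """Hypothetical delayed e-mail change that the current address can veto."""

    def __init__(self, accounts):
        self.accounts = accounts  # account name -> current e-mail
        self.pending = {}         # account name -> PendingChange
        self.outbox = []          # (recipient, body) pairs standing in for real mail

    def request_change(self, account, new_email, now):
        # Nothing changes yet: the old address stays in control during the hold.
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[account] = PendingChange(new_email, now + HOLD_SECONDS, digest)
        # The token goes only to the OLD address, never back to the requester.
        self.outbox.append((self.accounts[account],
                            f"Change to {new_email} requested. Cancel token: {token}"))
        return now + HOLD_SECONDS

    def cancel(self, account, token):
        # The veto needs only the mailed token, not the password, so it still
        # works after someone who knew the password has changed it.
        change = self.pending.get(account)
        supplied = hashlib.sha256(token.encode()).hexdigest()
        if change is None or not hmac.compare_digest(supplied, change.cancel_token_hash):
            return False
        del self.pending[account]
        return True

    def finalize_due(self, now):
        # Run periodically: apply only changes whose hold expired without a veto.
        applied = []
        for account, change in list(self.pending.items()):
            if now >= change.effective_at:
                self.accounts[account] = change.new_email
                del self.pending[account]
                applied.append(account)
        return applied
```

An owner who has genuinely lost the old mailbox simply waits out the hold, which keeps the function usable for the purpose loftar describes.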
