Accounts being hacked.
Valefor.Shystie
Server: Valefor
Game: FFXI
Posts: 55
By Valefor.Shystie 2013-08-18 22:05:42
Just a warning out there, 2 people in my linkshell were hacked today. One with and one w/o a security token. The one with the token got on his account eventually but all gil was gone, all his plasm was spent and his expired mog locker was no longer expired and big gil items gone.
He contacted a GM and they said they cannot tell him who he traded/mailed items to and said they can only restore items. To get back on his account, he said he went to the website and "forgot password" option and he just needed his serial number from his token to verify and change his password.
I know hacking is not new but I haven't really heard of it happening as of late. Just figured I would send an FYI/warning out to everyone.
Server: Siren
Game: FFXI
Posts: 1808
By Siren.Novadragon 2013-08-18 22:12:47
Were they using PC? If so, Keylogged.
Leviathan.Phenomena
Server: Leviathan
Game: FFXI
Posts: 1922
By Leviathan.Phenomena 2013-08-18 22:18:26
Siren.Novadragon said: »Were they using PC? If so, Keylogged.
does that work even with security token? >.> what's the point of token then!
Valefor.Shystie
Server: Valefor
Game: FFXI
Posts: 55
By Valefor.Shystie 2013-08-18 22:25:17
Siren.Novadragon said: »Were they using PC? If so, Keylogged.
I am pretty sure yes for both. I know the one who couldn't get back on for sure.
Server: Siren
Game: FFXI
Posts: 1808
By Siren.Novadragon 2013-08-18 22:27:06
Leviathan.Phenomena said: »Siren.Novadragon said: »Were they using PC? If so, Keylogged.
does that work even with security token? >.> what's the point of token then!
Has to me, they just have to guess lucky on the correct number.
Valefor.Shystie
Server: Valefor
Game: FFXI
Posts: 55
By Valefor.Shystie 2013-08-18 22:29:56
Someone said in vent that they get the passcode from keylogger when you log in and log onto the SE site at the same time. Then change the passcode. So essentially they are logging in in "real time" onto the SE site.
I don't know if you can use the same passcode for more than one login but it seems logical.
Server: Fenrir
Game: FFXI
Posts: 3351
By Fenrir.Terminus 2013-08-18 22:34:43
From what I understand, you can disable tokens through the SE site - in case you lose, break, or the batteries die. If someone snags your password logging in to the game, and it happens to be the same as your SE password, they're in easy peasy.
Server: Bahamut
Game: FFXI
Posts: 14
By Bahamut.Blackdeamon 2013-08-18 22:43:56
you can't use 2 times the same token code, it doesn't work, I tried it more times.
Sylph.Kawar
Server: Sylph
Game: FFXI
Posts: 1774
By Sylph.Kawar 2013-08-19 20:02:18
Leviathan.Phenomena said: »Siren.Novadragon said: »Were they using PC? If so, Keylogged.
does that work even with security token? >.> what's the point of token then!
It can, I think there is a small window from what I remember but I have not read up on it in a very long time.
Bahamut.Samunai
Server: Bahamut
Game: FFXI
Posts: 190
By Bahamut.Samunai 2013-08-19 20:08:43
Bahamut.Blackdeamon said: »you can't use 2 times the same token code, it doesn't work, I tried it more times.
you can use the same token code twice in 30secs. go try it ~.^
Bismarck.Hsieh
Server: Bismarck
Game: FFXI
Posts: 709
By Bismarck.Hsieh 2013-08-19 20:16:46
They used a keylogger. They can easily deactivate your token. If you type in your personal information a lot for other purposes, they can use that info to retrieve lost passwords. That is how I got hacked. The hacker didn't have one of the passwords so he reset the passwords after obtaining my personal info. Wiping your hard drive would not work since they have your information already.
Leviathan.Phenomena
Server: Leviathan
Game: FFXI
Posts: 1922
By Leviathan.Phenomena 2013-08-19 20:29:01
SE should make the smartphone app be the token. As I understand it now it is basically a security token that just generates you a number. But it would be better if you login to your account and then it waits for confirmation from your smartphone app to let you continue. That way keyloggers couldn't get everything they need.
Server: Siren
Game: FFXI
Posts: 1808
By Siren.Novadragon 2013-08-19 20:38:44
Leviathan.Phenomena said: »SE should make the smartphone app be the token. As I understand it now it is basically a security token that just generates you a number. But it would be better if you login to your account and then it waits for confirmation from your smartphone app to let you continue. That way keyloggers couldn't get everything they need.
Would work a lot to be honest. Account won't access without Authorization from your phone. I would go 1st straight buy to go for that protection.
By Quiznor 2013-08-19 20:41:41
Of course not everyone wants a several hundred euro/dollar smartphone and/or contract in place of an 11 euro/dollar piece of plastic
Fenrir.Mariane
Server: Fenrir
Game: FFXI
Posts: 1766
By Fenrir.Mariane 2013-08-21 17:21:37
Just commenting, I have played FFXI since 2003 and that has never happened to me... WTH are you guys doing with your PCs? lol
Leviathan.Phenomena
Server: Leviathan
Game: FFXI
Posts: 1922
By Leviathan.Phenomena 2013-08-21 17:24:31
Quiznor said: »Of course not everyone wants a several hundred euro/dollar smartphone and/or contract in place of an 11 euro/dollar piece of plastic
then those people can buy the token >.> I'm just saying they have a smartphone app that mimics the token. but why mimic it when you can make a more secure way.
Edit: it's actually the main reason why I will be playing ffxiv on the ps4 when it comes out (ps3 atm) I just don't want to deal with any of that crap.
Cerberus.Lawliett
Server: Cerberus
Game: FFXI
Posts: 31
By Cerberus.Lawliett 2013-08-21 17:28:05
The only way I can see a token account being hacked is if they were using a RAT, the person in question typed in all their log in information, including the 6 digit code, then the hacker disabled the mouse/keyboard quickly before the person could hit enter. That's the only way I can see a token account being hacked, otherwise I'm calling *** and one of the guys just didn't want to admit he didn't have a token and doesn't want to man up to his own carelessness.
Ragnarok.Ashman
Server: Ragnarok
Game: FFXI
Posts: 4252
By Ragnarok.Ashman 2013-08-21 17:40:24
Cerberus.Lawliett said: »The only way I can see a token account being hacked is if they were using a RAT, the person in question typed in all their log in information, including the 6 digit code, then the hacker disabled the mouse/keyboard quickly before the person could hit enter. That's the only way I can see a token account being hacked, otherwise I'm calling *** and one of the guys just didn't want to admit he didn't have a token and doesn't want to man up to his own carelessness.
no. as someone who was hacked 2 months ago: you guys are all wrong.
they get a trojan on your ***. In my case there was a link I clicked that was a short tinyurl type link.
Next, thanks to SE being *** stupid, when you log into your SE account the "DISABLE MY TOKEN/SMARTPHONE TOKEN" code is right on the front *** page of your SE account. not "click this spoiler to show password" or "click here to go to token disable code"; just right in the middle of the screen.
So these guys have a month to: record your keystrokes, get an idea of when you go to bed, etc. I logged into SE to pay my crysta, next day after I logged for bed they logged in 2 mins later and took their time stripping my account.
Roommate (who had also clicked link in skype) signed into SE account to pay bill 1 week later > next day stripped.
They just screencap the removal code > remove token / change passwords and you're basically their ***. Even if I caught it that night, SE cust support only works the same hours real people are at work (plus have no desire to help you unless JP).
Cerberus.Eugene
Server: Cerberus
Game: FFXI
Posts: 6999
By Cerberus.Eugene 2013-08-21 17:42:28
Getting hacked with a token is pretty hard, but you don't need a RAT. You need a logger, and something to prevent the player from logging in for a few minutes. Once you capture the 1 time code, assuming you have all the other relevant data if you can enter the 1 time code before the player can manage to log in then you have the account. I don't know how disabling 1 time, but capturing a second 1 time code after that point wouldn't be terribly difficult.
Getting to that point means your PC is pretty infected though, they need to interfere with a whole lot of processes.
By Jetackuu 2013-08-21 17:48:55
who randomly clicks on links via skype?
who browses in an admin account?
basic web safety people...
Server: Fenrir
Game: FFXI
Posts: 3351
By Fenrir.Terminus 2013-08-21 18:05:58
Cerberus.Lawliett said: »The only way I can see a token account being hacked is if they were using a RAT, the person in question typed in all their log in information, including the 6 digit code, then the hacker disabled the mouse/keyboard quickly before the person could hit enter. That's the only way I can see a token account being hacked, otherwise I'm calling *** and one of the guys just didn't want to admit he didn't have a token and doesn't want to man up to his own carelessness.
Ragnarok.Ashman said: »no. as someone who was hacked 2 months ago: you guys are all wrong.
they get a trojan on your ***. In my case there was a link I clicked that was a short tinyurl type link.
Next, thanks to SE being *** stupid, when you log into your SE account the "DISABLE MY TOKEN/SMARTPHONE TOKEN" code is right on the front *** page of your SE account. not "click this spoiler to show password" or "click here to go to token disable code"; just right in the middle of the screen.
So these guys have a month to: record your keystrokes, get an idea of when you go to bed, etc. I logged into SE to pay my crysta, next day after I logged for bed they logged in 2 mins later and took their time stripping my account.
Roommate (who had also clicked link in skype) signed into SE account to pay bill 1 week later > next day stripped.
They just screencap the removal code > remove token / change passwords and you're basically their ***. Even if I caught it that night, SE cust support only works the same hours real people are at work (plus have no desire to help you unless JP).
Exactly. For me, I had gone to bed one night, but forgot to check all my characters for the stupid login campaign. So I logged in - well, tried to log in - the next morning just to get credit before JP midnight. It was probably less than 9 hours later.
As far as keeping them from logging in... it took me a minute before finally checking, but, my POL folder was completely empty. So that's one way to do it. But not the only way - if you know the main character, and you're about to strip someone's account, then you already have a character on that server. "Let's see, it's 2AM, /sea all Terminus... no, nothing, ok I'm good." But that also doesn't even have to happen. If you get the info, login, disable the token, change all the passwords, you know that you have from that moment until SE gets off their collective *** to raid the account. Pretty sure that someone who steals accounts is already familiar with SE's customer service reputation.
It's not that hard at all. Particularly if there is no indication that whatever someone might have used to get the keylogger on your computer did anything at all, let alone something malicious. People can be smarmy all they want, but the days of *** like Selena_Gomez_lesbian_sexscene.mp4.exe.zip working very well are past (for most of us.)
Cerberus.Eugene
Server: Cerberus
Game: FFXI
Posts: 6999
By Cerberus.Eugene 2013-08-21 18:06:55
Jetackuu said: »who browses in an admin account?
I do, and I'd hazard to guess most people do. I should sandbox but I'm too lazy to set it up.
By Quiznor 2013-08-21 18:08:40
Jetackuu said: »who randomly clicks on links via skype?
who browses in an admin account?
basic web safety people...
I don't think that 2nd one is "basic" for 99.9% of people
And as someone who has been on some of ash's skype calls, generally it's friends onry as far as I know. But some of those people I could see doing it out of spite just because >_>
Cerberus.Eugene
Server: Cerberus
Game: FFXI
Posts: 6999
By Cerberus.Eugene 2013-08-21 18:08:42
Do you need to enter the 1 time code to remove the 1 time? That's incredibly stupid if you don't.
Server: Fenrir
Game: FFXI
Posts: 3351
By Fenrir.Terminus 2013-08-21 18:15:03
Cerberus.Eugene said: »Do you need to enter the 1 time code to remove the 1 time? That's incredibly stupid if you don't.
I don't think so (and can't check) just for the case where you might have lost/destroyed a token. It would be safer, but there would be a non-stop fit being thrown if every time that happened, people had to actually deal with someone at SE.
Leviathan.Phenomena
Server: Leviathan
Game: FFXI
Posts: 1922
By Leviathan.Phenomena 2013-08-21 18:19:21
I thought to remove the token you had to input the serial number on the back?
Cerberus.Eugene
Server: Cerberus
Game: FFXI
Posts: 6999
By Cerberus.Eugene 2013-08-21 18:19:32
Fenrir.Terminus said: »Cerberus.Eugene said: »Do you need to enter the 1 time code to remove the 1 time? That's incredibly stupid if you don't.
I don't think so (and can't check) just for the case where you might have lost/destroyed a token. It would be safer, but there would be a non-stop fit being thrown if every time that happened, people had to actually deal with someone at SE.
You need a 1 time to access the account page yeah? I don't see it making a difference (you need to contact SE when you lose it in either case) and it requires that many more captures to actually change the password.
Cerberus.Eugene
Server: Cerberus
Game: FFXI
Posts: 6999
By Cerberus.Eugene 2013-08-21 18:19:53
Leviathan.Phenomena said: »I thought to remove the token you had to input the serial number on the back?
Or that.
By Blazed1979 2013-08-21 18:37:33
Valefor.Shystie said: »Just a warning out there, 2 people in my linkshell were hacked today. One with and one w/o a security token. The one with the token got on his account eventually but all gil was gone, all his plasm was spent and his expired mog locker was no longer expired and big gil items gone.
He contacted a GM and they said they cannot tell him who he traded/mailed items to and said they can only restore items. To get back on his account, he said he went to the website and "forgot password" option and he just needed his serial number from his token to verify and change his password.
I know hacking is not new but I haven't really heard of it happening as of late. Just figured I would send an FYI/warning out to everyone.
GMs not being able to track items/gil sent via mail system is inconsistent with what I know about XI, after playing for 11 years.
Just a small example of something that happened to me recently.
Someone offered to sell a clear for said amount of gil.
They took the gil, split it amongst a bunch of others, sent it across to their mules, by which time I realized it was a scam and called GM.
I provided the name of 1 person. That person turned out to be a mule of someone I knew. I found out because the GM brought him on his main into jail. The GM disappeared for a good 45 minutes, but people kept popping in jail.
By the end of the ordeal, all my gil was traded back to me from the people, and the GM even asked me to confirm that I had every last gil missing.
When I did confirm I was sent back to my MH.
GMs can track anything. If you give them a time and place, that narrows it down and saves them investigating pages and pages of data.