WARNING: Possible Hacker attack

Posted: 05 Mar 2011, 22:44
by Nard
:evil: WARNING: Possible Hacker attack :evil:

Two of my good friends have had their accounts hacked last week. Tezer had his main char deleted twice and password changed, lvledzero had items in his storage stolen. :( Both of them swear they did not tell their password to anybody. Hacker attack from their computer is likely to have happened though I have no element to be sure of it.
Anyway, both of them use Windows and had no antivirus/spyware protection.
I wonder where they can have caught such malware and which player can be stupid enough to do such things as he would have had much more fun to get the items by himself (or herself). :evil:

Anyway I find the news sufficiently important to make an announcement and to remind everybody to turn on their protection software, and firewalls.

Additionally if devs could be kind enough to complete this warning....

Re: WARNING: Possible Hacker attack

Posted: 05 Mar 2011, 23:33
by Chicka-Maria
reminder to never give away your information EVEN your username lol

Re: WARNING: Possible Hacker attack

Posted: 06 Mar 2011, 08:27
by natsuki3
i can remember yesterday was a n00b asking me about my login and my password , he was saying he will give me items and lvl .
lol but i didnt give to him

Re: WARNING: Possible Hacker attack

Posted: 06 Mar 2011, 08:34
by Frost
There are some fairly elaborate scams around to get your login information. I and each of my alts has been approached (by alts of the same person) on several occasions with the following cover stories:

"If you join my party, I'll give you items. I must log into your account to get you into my party."

"Download manabot from this web site: blahblah." (The web site prompted for my TMW login and password.)

"I found this great web site that will get you level 99. Log in and see for yourself." (web site wanted my TMW login and password, of course.)

"I know a cheat to get to level 99. I won't tell anyone, but I'll run it on your account if you let me log in."


lvledzero says he didn't give away his login info, and I believe him. Still, the grade of idiot who steals accounts in this game is far below the sort of person who can use malware to steal accounts. Frankly, those people have bigger things to attack.

I suspect the thief has been able to guess some passwords. There's a good summary of how to choose secure passwords at https://isc.sans.edu/diary.html?storyid=1528

Briefly:
1) Don't use a word, a name, or all numbers. Base it on a sentence or lyrics to a song. "Mana World is fun, I play it every day!" becomes "MWif,Ipied!" (Yeah, guess that one baby!) (Do NOT use my example as your password!)
2) Write it down or store it in a secure program like Password Safe. Yes, I said write it down. Otherwise you'll end up choosing easy passwords, which is worse.
3) Use a different password for each site. If someone gets your TMW password, do you want them to log into your bank account? Your FaceBook account? Your Paypal account?
4) Don't tell anyone else your password. All reputable sites are designed specifically so that only you need your password, not them. If someone says they need your login info, they're up to no good. Just like in real life, you might trust some friends. If you do, it might be awkward if you discover things are missing from your account -- just like if your friend had a key to your home and your TV got stolen.
5) Changing your password every 30 days or whatever is not nearly as important as making it hard to guess (and hard for you to lose) in the first place. Most people change "g@rb@ge123" to "g@rb@ge456" anyway, which is useless.

Sources: SANS articles, Bruce Schneier's excellent Crypto-Gram, various vendor whitepapers and "best practices" documents, and my own experience in IT security.

Re: WARNING: Possible Hacker attack

Posted: 06 Mar 2011, 08:40
by Frost
natsuki3 wrote:
i can remember yesterday was a n00b asking me about my login and my password , he was saying he will give me items and lvl .
lol but i didnt give to him

Natsuki, aka s-mack, superbuster, heinz guro, and chiribo

Re: WARNING: Possible Hacker attack

Posted: 06 Mar 2011, 09:20
by Matt
If you want to make your account resistant to all kinds of attacks and spoofs just pm me your account name and account password, I can activate the alpha-hacking-protection for your account then.

It's not rolled out yet because it's still in its alpha phase, but it works like a charm :)

Re: WARNING: Possible Hacker attack

Posted: 06 Mar 2011, 15:43
by argul
Matt wrote:
If you want to make your account resistant to all kinds of attacks and spoofs just pm me your account name and account password, I can activate the alpha-hacking-protection for your account then.

It's not rolled out yet because it's still in its alpha phase, but it works like a charm :)

Please do so with my account Matt! Help me get it secure!

Here is my account: gonzalio
and my password: passw0rD

Re: WARNING: Possible Hacker attack

Posted: 06 Mar 2011, 16:34
by Matt
Your account is now unhackable secured!

Bind to your machine, like this one:

http://watchplayread.com/gabe-newell-pu ... eam-guard/
The Steam Guard feature links your user account for Steam to your computer’s specific identifiers. So if someone were to know your user/pass and tried to access it from any computer that isn’t authorized under the Steam account, it wouldn’t work and the user would be immediately notified, which is pretty damn cool.

Re: WARNING: Possible Hacker attack

Posted: 07 Mar 2011, 06:07
by Crush
It's an interesting concept, but unfortunately with one big drawback: when your computer breaks down due to a hardware failure in one of the components used for fingerprinting it, there is no way to get back into your account.

Accidentally frying my processor or mainboard is more likely for me than leaking my Steam password.

Re: WARNING: Possible Hacker attack

Posted: 07 Mar 2011, 08:59
by Crush
Ah, and to get the discussion back to TMW: Although I don't think that we can have something like that on tmwAthena, we could do something like that on ManaServ without even needing a server change.

On ManaServ, the client hashes the passwords locally before sending them to the server. This is to make sure that no cleartext passwords are sent through the net.

We could add an option at account creation to create a "secured account". In that case the password gets salted with some hardware information from the system before sending it. This makes sure that the account can only be accessed from the same machine.

A potential attack to this system would be to obtain the hardware identifiers of the user in some way together with its password, but I am quite sure Steam is vulnerable to this attack, too.
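
The "secured account" idea from the post above, as an added Python example that is not part of the original post and is not ManaServ code. It assumes PBKDF2-HMAC-SHA256 with the username as base salt (the thread does not say which hash ManaServ uses), and all hardware identifiers and the password are constructed. It shows both outcomes the post names: the owner is locked out after a hardware change, and a password plus copied hardware identifiers still logs in.

```python
import hashlib
import hmac

ITERATIONS = 100_000  # assumed work factor; the thread does not name the hash used

def hardware_fingerprint(hw_ids):
    """Collapse hardware identifiers into one fixed-size salt component."""
    joined = "\x00".join(f"{key}={hw_ids[key]}" for key in sorted(hw_ids))
    return hashlib.sha256(joined.encode()).digest()

def client_credential(username, password, hw_ids=None):
    """Value sent instead of the cleartext password; a dict of hw_ids = "secured account"."""
    salt = username.encode()
    if hw_ids is not None:
        salt += b"|" + hardware_fingerprint(hw_ids)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

class AccountServer:
    """Toy server: it only sees an opaque hash, so it is the same for both modes."""
    def __init__(self):
        self._stored = {}
    def register(self, username, credential):
        self._stored[username] = credential
    def login(self, username, credential):
        stored = self._stored.get(username)
        return stored is not None and hmac.compare_digest(stored, credential)

def demo():
    # Constructed identifiers and password, for illustration only.
    home_pc = {"cpu": "CPU-A1", "mainboard": "MB-77", "disk": "DSK-42"}
    other_pc = {"cpu": "CPU-Z9", "mainboard": "MB-01", "disk": "DSK-99"}
    repaired_pc = dict(home_pc, mainboard="MB-78")  # owner replaced the mainboard
    password = "constructed-Passphrase,7!"
    server = AccountServer()
    server.register("player", client_credential("player", password, home_pc))

    def attempt(hw_ids):
        return server.login("player", client_credential("player", password, hw_ids))

    return {
        "owner, same machine": attempt(home_pc),
        "right password, other machine": attempt(other_pc),
        "owner after hardware replacement": attempt(repaired_pc),
        "password plus copied hardware ids": attempt(dict(home_pc)),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'login ok' if ok else 'rejected'}")
```

A real deployment would need a recovery path for the third case, since nothing the owner still knows can reproduce the stored value once a fingerprinted component is gone.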

Re: WARNING: Possible Hacker attack

Posted: 07 Mar 2011, 15:01
by Big Crunch
Frost wrote:
There are some fairly elaborate scams around to get your login information. I and each of my alts has been approached (by alts of the same person) on several occasions with the following cover stories:

"If you join my party, I'll give you items. I must log into your account to get you into my party."

"Download manabot from this web site: blahblah." (The web site prompted for my TMW login and password.)

"I found this great web site that will get you level 99. Log in and see for yourself." (web site wanted my TMW login and password, of course.)

"I know a cheat to get to level 99. I won't tell anyone, but I'll run it on your account if you let me log in."


lvledzero says he didn't give away his login info, and I believe him. Still, the grade of idiot who steals accounts in this game is far below the sort of person who can use malware to steal accounts. Frankly, those people have bigger things to attack.

I suspect the thief has been able to guess some passwords. There's a good summary of how to choose secure passwords at https://isc.sans.edu/diary.html?storyid=1528

Briefly:
1) Don't use a word, a name, or all numbers. Base it on a sentence or lyrics to a song. "Mana World is fun, I play it every day!" becomes "MWif,Ipied!" (Yeah, guess that one baby!) (Do NOT use my example as your password!)
2) Write it down or store it in a secure program like Password Safe. Yes, I said write it down. Otherwise you'll end up choosing easy passwords, which is worse.
3) Use a different password for each site. If someone gets your TMW password, do you want them to log into your bank account? Your FaceBook account? Your Paypal account?
4) Don't tell anyone else your password. All reputable sites are designed specifically so that only you need your password, not them. If someone says they need your login info, they're up to no good. Just like in real life, you might trust some friends. If you do, it might be awkward if you discover things are missing from your account -- just like if your friend had a key to your home and your TV got stolen.
5) Changing your password every 30 days or whatever is not nearly as important as making it hard to guess (and hard for you to lose) in the first place. Most people change "g@rb@ge123" to "g@rb@ge456" anyway, which is useless.

Sources: SANS articles, Bruce Schneier's excellent Crypto-Gram, various vendor whitepapers and "best practices" documents, and my own experience in IT security.

Thanks for posting solid advice Frost.

Re: WARNING: Possible Hacker attack

Posted: 07 Mar 2011, 17:12
by Chicka-Maria
Big Crunch wrote:
Frost wrote:
There are some fairly elaborate scams around to get your login information. I and each of my alts has been approached (by alts of the same person) on several occasions with the following cover stories:

"If you join my party, I'll give you items. I must log into your account to get you into my party."

"Download manabot from this web site: blahblah." (The web site prompted for my TMW login and password.)

"I found this great web site that will get you level 99. Log in and see for yourself." (web site wanted my TMW login and password, of course.)

"I know a cheat to get to level 99. I won't tell anyone, but I'll run it on your account if you let me log in."


lvledzero says he didn't give away his login info, and I believe him. Still, the grade of idiot who steals accounts in this game is far below the sort of person who can use malware to steal accounts. Frankly, those people have bigger things to attack.

I suspect the thief has been able to guess some passwords. There's a good summary of how to choose secure passwords at https://isc.sans.edu/diary.html?storyid=1528

Briefly:
1) Don't use a word, a name, or all numbers. Base it on a sentence or lyrics to a song. "Mana World is fun, I play it every day!" becomes "MWif,Ipied!" (Yeah, guess that one baby!) (Do NOT use my example as your password!)
2) Write it down or store it in a secure program like Password Safe. Yes, I said write it down. Otherwise you'll end up choosing easy passwords, which is worse.
3) Use a different password for each site. If someone gets your TMW password, do you want them to log into your bank account? Your FaceBook account? Your Paypal account?
4) Don't tell anyone else your password. All reputable sites are designed specifically so that only you need your password, not them. If someone says they need your login info, they're up to no good. Just like in real life, you might trust some friends. If you do, it might be awkward if you discover things are missing from your account -- just like if your friend had a key to your home and your TV got stolen.
5) Changing your password every 30 days or whatever is not nearly as important as making it hard to guess (and hard for you to lose) in the first place. Most people change "g@rb@ge123" to "g@rb@ge456" anyway, which is useless.

Sources: SANS articles, Bruce Schneier's excellent Crypto-Gram, various vendor whitepapers and "best practices" documents, and my own experience in IT security.

Thanks for posting solid advice Frost.

lol

Re: WARNING: Possible Hacker attack

Posted: 07 Mar 2011, 22:20
by yourmistakes
how long will it take until people begin using such basic security practices?

Re: WARNING: Possible Hacker attack

Posted: 22 Mar 2011, 09:17
by Hello=)
Crush wrote:
Ah, and to get the discussion back to TMW: Although I don't think that we can have something like that on tmwAthena

From what I've seen in login server code, eA actually supports hashed passwords as well (so they do not have to be sent as plain text). However, it does not look like this mode is used, and I'm not even aware if the client supports this mode at all.

Re: WARNING: Possible Hacker attack

Posted: 22 Mar 2011, 17:12
by Eragon
Nice thread but isn't it possible to add a chat filter just like most online games do?
For example my password is PeaceWorld.
And when I enter PeaceWorld in chat, it shows like **********?
I don't know if that is possible, but it's still nice ^^