EVE account security proposal (CSM)
All this data is potentially out of date, and should be taken with a truckload of salt
Issue was withdrawn from the agenda.
- Raised by: mazzilliu
- Submission Date: 2009/07/05
- Issue ID: TBA
Summary of the Problem
As the popularity of EVE-Online grows, phishers and other malicious information thieves have increasingly targeted EVE account holders for their virtual assets. There are several methods malicious people can use to steal passwords that users are generally not aware of:
- they could set up an EVE-related site and record submitted passwords for use against accounts. Not all users re-use their usernames and passwords for their EVE accounts and EVE fansites, but statistically speaking some will, so every collection of passwords will result in a stolen account.
- they could hack an already existing EVE fansite and obtain passwords from that source. No matter how well intentioned EVE fansite admins are, their site can still be hijacked for malicious purposes.
- e-mail phishing
- keylogging: while some people cite this as a main source of compromised accounts, I personally doubt this, due to the fact that this method is criminal, obtains only one user's password, and is difficult in comparison to the first method.
One other factor in stealing EVE account information is that, unlike credit card identity theft, the chances of getting prosecuted in real life are low, and one can still make a profit from doing it. I'm not a lawyer, but I've not heard of anyone going to jail for logging into someone else's video game account to steal their fake money.
The Proposed Solution
I'm proposing a three-tiered solution, but with the following provisions kept in mind:
- all the alternate authentication systems should be optional.
- CCP need to determine the most common causes of account compromise and educate users on how to protect themselves.
- no security should be implemented if it leads to a reasonable chance that the average user will lock themselves out of their account.
- there must be a focus on educating the end user about why these precautions are necessary and why an EVE account should be treated with the same carefulness as any other account with something of value on it.
Here is what I propose that CCP do to increase account security:
- implement the token key authenticator as described in this thread ( http://www.eveonline.com/ingameboard.asp?a=topic&threadID=1088297 ), but only as an option.
- after the user's password is past a certain age (say, three months), do a popup on the EVE login screen that functions in the same way as an EVE advertisement, in that it goes away after displaying only once. In it include the warning, with a link to additional reading that explains why this is important, so even computer-illiterate people can understand why it matters. If the password isn't changed, show the notice on every one-month anniversary thereafter.
- Allow the option for users to change their account names just like their passwords. It isn't always clear to users that their account name shouldn't be the same as their main character name, and if they figure it out later they are very unlikely to remake their account to fix that.