
PSA: Google Authenticator 2-Factor Authentication OTP/ Anti-Hacking Measures


Arunelle


Good Day.

 

While browsing through my Account Settings, I found a neat OTP setting using Google Authenticator. I did not see this before (pardon my ignorance), but what it basically does is generate a new One-Time Password (OTP) for the 2-Factor Authentication (2FA) on login to the Blade & Soul client. In light of the recent hacking reports seen on the forums, I would like to extend this feature to everyone here. If you already have it, please feel free to advise players who have not set it up.

 

It's a pretty neat feature that will combat hackers, as the login details are not captured in any existing database on the Blade & Soul servers. Instead, a new OTP is generated upon request, making it nearly impossible to capture. Basically, all you need is an Apple or Android phone and the Google Authenticator app downloaded from the respective app store. I have included some steps to set this function up.

 

1) Download the Google Authenticator app if you have not done so.

2) Login to Blade & Soul's website at http://www.bladeandsoul.com/en/.

3) On the top right-hand corner of the page, enter My Account > Settings.

4) You should see the 2-Factor Authentication button. Click "Add".

5) Follow the instructions given on the page. 

 

This method should combat almost all hacking attempts. Should your account be compromised after you have set the Google Authenticator 2FA OTP, please report the problem directly to NCSoft. For those whose accounts have already been compromised, please:

 

1) Remove all banking details from your browser (Autofill), NCSoft's online services, or anywhere you deem you have saved it in.

2) Reset your email password, or change it to a more secure provider (Hotmail, Google, etc.).

3) Reset your NCSoft/Blade&Soul password to a more secure one, preferably one that uses lowercase, uppercase and special characters.

4) Contact NCSoft Support.

5) If your bank has OTP transaction verification services, set them up ASAP.

 

Unless you wish your B&S account be revoked, do not contest any transactions and force a chargeback with your bank, as this will result in immediate termination of your B&S account.

I hope this has helped.

 

*Moderators, please feel free to edit/use this post in any way you wish.


This is what I read on Reddit while searching for my own problems: https://www.reddit.com/r/bladeandsoul/comments/4dp48l/i_tried_hacking_my_own_account/

 

Because of the recent threads of a lot of people getting hacked, I got paranoid and decided to check my own security, which I thought was good and I was wrong.

This is my current security:

  • Google email (With very long and unique password)
  • 2-step verification on my Gmail (You need codes from my phone)

  • NCSoft account (With long and unique password)

  • 2-step verification with my NCSoft account(Only 1 IP can log in without it asking code from email)

  • 2-step verification on the game (if you want to play you need Google verification codes from my phone)

Cool, you must now be wondering how something like this can get hacked? Let me tell you: the hacker does not need access to your email at any point.

The only security you have on your account is the IP verification on the Blade and Soul website and your password. If the hacker could possibly spoof the IP, you did not set your IP, or they found a way to go around it, then you are done.

Once I got on my account, I could:

  • change my email without any confirmation from the previous email (90 days cooldown)
  • disable the 2-step verification on my account (Google Auth) after changing email, because it now asks for confirmation from the new email (I lol'd at this)
  • see all the personal info on the account: phone number, name, address and all the relevant stuff
  • disable the IP verification

Basically, I got ownership of the account knowing its password, and if NCSoft was hacked and everyone's passwords are compromised then change them NOW! Also enable the IP verification; ordinary hackers cannot get past that.

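The sequence described in the Reddit post above (change the e-mail, then reset 2FA through the new e-mail) is a step-up authentication problem. The following is an added, constructed model of account-settings logic, not NCSoft's code and not from the post: changing the recovery address requires a current OTP while 2FA is on, the confirmation link goes to the old address, and disabling 2FA is only ever accepted with the second factor itself. The `otp_ok` flag stands in for a TOTP check done elsewhere.

```python
# Added example: gating sensitive account changes on the second factor.
from dataclasses import dataclass
from typing import Optional, Tuple
import secrets


class StepUpRequired(Exception):
    """Raised when an action needs a factor the session has not presented."""


@dataclass
class Account:
    email: str                        # last verified address; stays authoritative
    totp_enabled: bool = True
    pending_email: Optional[str] = None
    pending_token: Optional[str] = None


def change_email(acct: Account, new_email: str, otp_ok: bool) -> Tuple[str, str]:
    """Needs a current OTP when 2FA is on. The confirmation link is sent to the
    OLD address, so the new address is not trusted until the old one approves."""
    if acct.totp_enabled and not otp_ok:
        raise StepUpRequired("a valid OTP is required to change the e-mail")
    acct.pending_email = new_email
    acct.pending_token = secrets.token_urlsafe(16)
    return acct.email, acct.pending_token   # (address to notify, token in the link)


def confirm_email_change(acct: Account, token: str) -> bool:
    """Called from the link delivered to the old address."""
    if acct.pending_token is None or not secrets.compare_digest(token, acct.pending_token):
        return False
    acct.email, acct.pending_email, acct.pending_token = acct.pending_email, None, None
    return True


def disable_totp(acct: Account, otp_ok: bool) -> None:
    """Only the second factor itself may turn 2FA off, never an e-mail
    confirmation: the e-mail may just have been re-pointed by the intruder."""
    if not otp_ok:
        raise StepUpRequired("a valid OTP is required to disable 2FA")
    acct.totp_enabled = False


def password_only_takeover(acct: Account) -> bool:
    """Policy check: replay the sequence from the post with only the password
    (no OTP). Returns True if 2FA ended up disabled, i.e. the policy failed."""
    try:
        change_email(acct, "intruder@example.invalid", otp_ok=False)
        disable_totp(acct, otp_ok=False)
    except StepUpRequired:
        return False
    return not acct.totp_enabled
```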

"I could disable the 2-step verification on my account (google auth) after changing email because it now asks confirmation from the new email (I lol'd at this)"

 

Excuse me NCsoft. How can you guys be THIS dumb?


2 minutes ago, Yuina said:

Yeah I just read that one too. No wonder people get hacked so easily.

Please NCsoft, get your head out of your *ss and do something already.

Yeah... I checked my Gmail and its recent login locations. No one broke into it, but I will contact Google for them to investigate my account for whatever reason; as far as I can tell no one touched my Gmail account (even my password is completely different; I even changed it just in case).

 

I lost my account and my bank account has been cleaned out by the hacker until I went negative 200 dollars. Someone else got their savings and checking money stolen. I can't pay this, nor the overdraft fees... I'm in a really bad place right now... I haven't been to bed for a day and a half... This is the first time this has ever happened to me... I have played tons and tons of MMOs and bought things online constantly for more than half my life... Never has someone broken into my account and stolen all my money, made me go negative, and disabled my account from my email address...

 

I can't wait for the day when I can look back on this and laugh... I have had so much bad luck, my life sucks man :(


1 hour ago, iwashacked said:

The only security you have on your account is the IP verification on the Blade and Soul website and your password. If the hacker could possibly spoof the IP, you did not set your IP, or they found a way to go around it, then you are done.

Okay. How exactly would a hacker be able to spoof your IP address? Firstly, the hacker would have to know your IP address which would mean your computer was already compromised outside of NCSoft.

 

Secondly, the IP address is the physical address of a computer on the Internet. Even if a hacker managed to send a spoofed IP address in a request to the NCSoft server, they wouldn't actually receive a reply from the server, because the reply would be sent to your computer and not theirs. It's like if your next-door neighbour sent a letter with your address as the return address and the letter then got returned. Your neighbour wouldn't receive it; you would.


9 hours ago, Reaper00 said:

Okay. How exactly would a hacker be able to spoof your IP address? Firstly, the hacker would have to know your IP address which would mean your computer was already compromised outside of NCSoft.

 

Secondly, the IP address is the physical address of a computer on the Internet. Even if a hacker managed to send a spoofed IP address in a request to the NCSoft server, they wouldn't actually receive a reply from the server, because the reply would be sent to your computer and not theirs. It's like if your next-door neighbour sent a letter with your address as the return address and the letter then got returned. Your neighbour wouldn't receive it; you would.

Did you click the link? And it's actually easy to get someone's IP address... I have the IP address of the person who hacked me...


7 hours ago, iwashacked said:

Did you click the link? And it's actually easy to get someone's IP address... I have the IP address of the person who hacked me...

Yes I did click the link and you copy and pasted the entire thing anyway. Did you read it though? The guy said "If hacker could possible spoof the IP, you did not set your IP or they found a way to go around it, then you are done."

 

A lot of IFs in that statement. He might as well have said if the hacker could guess your password you are done.

 

The only way someone could get your IP address is if you visited a compromised site or have some sort of malware installed on your computer. And as I said before, even if they could spoof your IP address (which isn't easy, as it involves compromising routers on the Internet), it wouldn't matter, as they would not be able to carry on a conversation between the NCSoft servers and themselves using your IP address anyway.

 

And what makes you think you have the hacker's IP address? Unless you were hacked by a complete novice, they would be using a proxy of some sort to perform their hack so the IP address you have is most likely useless.

 

Contrary to popular belief, just because someone posts something on Reddit does not make it true!


On April 18, 2016 at 8:00 AM, Yuina said:

"I could disable the 2-step verification on my account (google auth) after changing email because it now asks confirmation from the new email (I lol'd at this)"

 

Excuse me NCsoft. How can you guys be THIS dumb?

This


  • NCSOFT

Greetings,

 

As stated by Omeed and as a reminder we strongly recommend you to:

 

  • Use a unique password for every account.
  • Do not share passwords across accounts.
  • Do not include common words, especially words like “password” or “user.”
  • Use a mixture of upper and lowercase letters, numbers, and symbols. Or use four to six words that have no relation to each other.

 

You can be sure this is monitored very carefully, and everything will be done to protect your account!

 

Regards,

Team Blade & Soul.


19 minutes ago, Reaper00 said:

But just how does someone log onto your account to change your email address without first having access to your email account to receive the IP address verification email?

They log into your NCSh** account, aaaaaand, click change email. That simple! Once logged in you can change your email once every 90 days without any restrictions whatsoever.


10 minutes ago, Skyfire said:

They log into your NCSh** account, aaaaaand, click change email. That simple! Once logged in you can change your email once every 90 days without any restrictions whatsoever.

Maybe I wasn't clear. Can you explain how they log into your account in the first place? 

 

Sure, once someone has already logged into your account they can change your security settings, but that is the same as saying "once someone is already inside your house they can unlock your front door". The problem isn't that they can unlock your front door once they are inside, the problem is how they got inside in the first place!

 

By the way, being able to change your email address without verification being sent to your old email is actually common sense and not a design flaw. A lot of people would be changing their email because they no longer have access to their old email account.


2 minutes ago, Reaper00 said:

Maybe I wasn't clear. Can you explain how they log into your account in the first place? 

 

Sure, once someone has already logged into your account they can change your security settings, but that is the same as saying "once someone is already inside your house they can unlock your front door". The problem isn't that they can unlock your front door once they are inside, the problem is how they got inside in the first place!

 

By the way, being able to change your email address without verification being sent to your old email is actually common sense and not a design flaw. A lot of people would be changing their email because they no longer have access to their old email account.

Being able to change email without verifying the old one is common sense, I agree. That statement was just to show how easily one can disable the so widely recommended (by their staff) two-step authentication, when the truth is it's nearly useless for combating account theft.

 

How do they steal your account? It's really not that difficult, but you would have to know a few things about forced entry and cyber security. That's not a topic I wish to explain, because it's a university curriculum in itself, but just to give you an idea, a hacker can take an encrypted password and crack it in minutes using Rainbow Tables. That is why I strongly recommend making your password over 15 characters. They would need government computers to crack a longer password by such a method.

 

If I may suggest, to make a stronger password, all you have to do is use your ordinary simple password and add 5 dots before it and 5 dots after. So if my password was "cat" I could make it exponentially stronger by changing it to ".....cat....." After that I'd change the "cat" part to "C4t". Combined, you have an extremely tough password to crack.


Well now I'm a bit concerned. My phone broke too so I can't even use 2 step verification.

 

I just reset my password with long random numbers, letters (lower case and upper), spaces and symbols. I should be OK, right? Did some research and learned that spaces in passwords are very effective.


43 minutes ago, Skyfire said:

How do they steal your account? It's really not that difficult, but you would have to know a few things about forced entry and cyber security. That's not a topic I wish to explain, because it's a university curriculum in itself, but just to give you an idea, a hacker can take an encrypted password and crack it in minutes using Rainbow Tables. That is why I strongly recommend making your password over 15 characters. They would need government computers to crack a longer password by such a method.

By an odd coincidence, I did do that at university and have done it in the real world for a number of years since that time. While what you say is true to an extent, Rainbow Tables are only effective against weaker cryptographic hashes (generally those using salts of less than 64 bits). Most modern-day encryption standards use salts of at least twice that length precisely because of the vulnerability to rainbow table attacks. Now I guess it is possible that NCSoft are using an older method, but it seems unlikely.

 

Of course the real problem with your theory though is how would a hacker get the encrypted version of the password in the first place? For that the NCSoft server would have to be compromised, and I'm pretty sure there would have been far more hacked accounts if that was the case. 

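The point in the reply above about salts and rainbow tables can be shown concretely. The following is an added example, not NCSoft's code and not from either poster: a constructed toy lookup table of unsalted SHA-1 digests recovers a common password in one lookup, while a per-user random 128-bit salt with an iterated KDF (PBKDF2-HMAC-SHA256 here) gives every account a different record that no precomputed table can match. The record format `pbkdf2_sha256$iterations$salt$dk` is this example's own convention.

```python
# Added example: unsalted lookup table versus salted, iterated password records.
import hashlib
import hmac
import os

COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "cat"]  # constructed


def unsalted_sha1(password: str) -> str:
    """How a legacy store with no salt would hash a password."""
    return hashlib.sha1(password.encode()).hexdigest()


# Precomputation only pays off when every user is hashed the same way with no
# salt: one table then answers the question for every account at once.
UNSALTED_TABLE = {unsalted_sha1(p): p for p in COMMON_PASSWORDS}


def lookup_unsalted(sha1_hex: str):
    """Return the password for a stored unsalted digest, or None."""
    return UNSALTED_TABLE.get(sha1_hex)


def hash_password(password: str, salt: bytes = None, iterations: int = 100_000) -> str:
    """Salted PBKDF2-HMAC-SHA256 record: 'pbkdf2_sha256$iterations$salt$dk'."""
    if salt is None:
        salt = os.urandom(16)                     # 128-bit random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the salt and iteration count stored in the record."""
    _, iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time comparison


def salt_bits(record: str) -> int:
    """Salt length of a record in bits (the reply above puts the bar at 64+)."""
    return len(bytes.fromhex(record.split("$")[2])) * 8
```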

5 minutes ago, Xellon said:

Well now I'm a bit concerned. My phone broke too so I can't even use 2 step verification.

 

I just reset my password with long random numbers, letters (lower case and upper), spaces and symbols. I should be OK, right? Did some research and learned that spaces in passwords are very effective.

Yes. If you did all that and your password was greater than 10 characters, you should be reasonably safe. Just don't ever use that password for anything else.


1 hour ago, Reaper00 said:

By an odd coincidence, I did do that at university and have done it in the real world for a number of years since that time. While what you say is true to an extent, Rainbow Tables are only effective against weaker cryptographic hashes (generally those using salts of less than 64 bits). Most modern-day encryption standards use salts of at least twice that length precisely because of the vulnerability to rainbow table attacks. Now I guess it is possible that NCSoft are using an older method, but it seems unlikely.

 

Of course the real problem with your theory though is how would a hacker get the encrypted version of the password in the first place? For that the NCSoft server would have to be compromised, and I'm pretty sure there would have been far more hacked accounts if that was the case. 

Decrypting a hashed password is one thing. Stealing information from them is another. To be honest, I don't know how a hacker could get their hands on their database, but I do know that if sensitive information is leaked, they, by law, have to report it. Given that this has not happened, I don't know. But seriously, how hard would it be if you know what you are doing? Just look at all these holes! https://www.ssllabs.com/ssltest/analyze.html?d=secure.ncsoft.com Their infrastructure has more holes than Swiss cheese! It's like they went overboard on some parts of their security and completely failed on others. Hello???? Anyone paying attention here? Your security infrastructure is only as strong as your weakest link! No wonder they got a grade F. I mean, just look at this! I wonder how much damage I could do using IE6 on their site, which doesn't support it (allowing for multiple attacks due to lack of support in the first place). And how lovely, the POODLE bites TLS attack is like fishing in a barrel, it seems. Forward secrecy's key exchange algorithm is shit, etc etc etc. Frankly, reading over that document, is anyone actually surprised that so many hacks happen? Frankly I am surprised I am not able to execute something as prehistoric as a SQL injection to steal their data given this readout. Seriously, I wonder how much damage I could do with the Tamper Chrome addon alone.

 

Good thing I am on the right side of the law when it comes to cyber security.  These hackers who steal our credit cards because of NCSoft's incompetence, that's another story.

