liquid_wolf wrote: »

Vyndetta wrote: »

@liquid_wolf I don't want my account login name to be seen by others. I know that it is the first step in accessing my account. It should NOT be visible to others. We should have an Account Name that is NOT our Login.

Funny you should be calling out the IT people. You're actually the one who's being pig headed. I mean, you can't even acknowledge that this can assist in leading to hacks?

People are ultimately the problem. You can implement every security measure you can find any it still won't work.

The account name being visible, though unsettling, isn't the end-of-days issue that people believe it is.

I'm tired of these professionals coming in talking about security, when they clearly don't understand that their biggest hole in their systems are the people themselves.

Every layer, every password, and every control they have in place is negated by what people do, and how they behave.

"Security Professionals" know systems... and very little about people.

As far as I'm concerned, when it comes to achieving security, their methods are useless.

They ultimately do more harm to people, and allow them to become sloppy and less careful.

Hell... the same protections that get put in tend to encourage people to be bigger jerks, and hide behind those protections like a mask.

Sure... you have a safe and secure system... but the people eventually become little better than penned animals.

You are totally correct, however as already stated, that is not justification to ignore simple measures.

By your same argument you might aswell not even bother having a password!

We understand everyone's concerns regarding this and want you to know that we take account security very seriously. Regarding the system we currently use, it is important to note that the process of getting personal information from a userID is extremely difficult, if not virtually impossible.

To recover a userID associated with a specific e-mail address and password, you need the first name, last name, and e-mail address of the account owner. Provided that is correct, you are still required to answer a security question, provide the correct answer, and then be sent an e-mail with a reset link. Simply attempting to put the required information into the website will not give an attacker any information.

There are quite a few layers of authentication, as well as the security of your trusted e-mail to protect you. This is all coupled with additional security not exposed to the player or potential hacker that protects you as well.

We hope this helps assuage some concerns. If you ever feel your information has been compromised, our support team is always here to help.

ZOS_AmeliaR wrote: »

the process of getting personal information from a userID is extremely difficult, if not virtually impossible.

I think everyone understands this -- and thanks for the reassurance -- but I don't think that's what people are concerned about. They are concerned about the process of getting people's log-in credentials from the userID being displayed publicly (or pseudo-publicly).

The process goes like this:

Read the userID of someone.

That is half of their log-in credentials.



Obviously, without the password, this is not an immediate, complete breach of the system, but it is still a partial insecurity that could be fixed by letting players use character names or something like Blizzard's "battle tag" system to determine their display name in-game and on any other public or pseudo-public place.

Lox wrote: »

ZOS_AmeliaR wrote: »

We understand everyone's concerns regarding this and want you to know that we take account security very seriously. Regarding the system we currently use, it is important to note that the process of getting personal information from a userID is extremely difficult, if not virtually impossible.

To recover a userID associated with a specific e-mail address and password, you need the first name, last name, and e-mail address of the account owner. Provided that is correct, you are still required to answer a security question, provide the correct answer, and then be sent an e-mail with a reset link. Simply attempting to put the required information into the website will not give an attacker any information.

There are quite a few layers of authentication, as well as the security of your trusted e-mail to protect you. This is all coupled with additional security not exposed to the player or potential hacker that protects you as well.

We hope this helps assuage some concerns. If you ever feel your information has been compromised, our support team is always here to help.

All of that is irrelevant I am afraid, you (ZOS) are still breaking one of the fundamental concepts for account security ... 'Do not give you account information to anyway'. I am sure all the other games where accounts have been compromised also had many layers of security in place aswell.

The person trying to gain access to an account is unlikely to try and do it through the 'official' account recovery processess, unless they have a good amount of information to start with. you are distributing account information publicly and therefore providing the potential account theif with a starting point. Without this, the process is harder as they need to identify a start point (i.e. first bit of information) before doing anything else.

^^This

I don't feel secure. Please split account name from login name and put a delete code for the character, simply writing "delete" in a box is stupid. It would be horrible to lose all the progress invested in the character like that. Security codes for login, for everything, and the option like "steam guard", you turn off all security measures if they bug you, but give all options to people.

liquid_wolf wrote: »

Vyndetta wrote: »

@liquid_wolf If hackers or whatever already have access to your account name, hence login information, then they are that much closer to already getting your account. It is simply a matter of one less security measure.

This isn't security. It is simply hiding and hoping.
Security is about awareness and preparedness.

Gthirteen wrote: »

Keep your pseudo intellectual ramblings to yourself. Just because the possibility exists that someone can acquire this information through nefarious means does not mean I should just say screw it and give it out.

Furthermore I am a IT professional and I know all about "healthy" passwords and mine is secure but that is not the point here.

I don't care if you are an IT professional. It doesn't matter because the majority of the older IT professionals in my department are stubborn mules who can't pull their heads out of the idea that "security through obscurity" and "punishment on breach" is the way to be.

It is ultimately a flawed practice and always fails. You can't keep anything secret anymore.

Would not displaying the account name help? Nope.

Looking at the vast majority of other MMORPG accounts that get hacked, stolen, broken into, and reset tells us that it doesn't help.

Because the problem was never the account name, or even the email... it was the people and practices themselves.

You can't protect people from their own mistakes... but you can put them onto the battlefield so they can learn to protect themselves.

Your arguments have no value, because the people still find ways to mess it up.

Best practices be damned.

I dont know which company you work for , but do tell me so i can avoid them like the plague. Clearly they need a best test while contracting people.

Removing 1 step in your security makes no sense whatsoever. Doesnt matter if it is true that in most cases it was the user on fault by giving their information away that caused the breach , it does NOT excuse what they did here.

Why would anybody have any confidence that anything too do with the security tech used in this game? Too many screw ups, too many bots, and if an old lady like me with no computer experience can figure out a simple work around the lousy security isp address crap how good is any of their security?

[/quote]

I dont know which company you work for , but do tell me so i can avoid them like the plague. Clearly they need a best test while contracting people.

Removing 1 step in your security makes no sense whatsoever. Doesnt matter if it is true that in most cases it was the user on fault by giving their information away that caused the breach , it does NOT excuse what they did here.[/quote]

Lol might as well save your breath brother but I agree wholeheartedly!

ZOS_AmeliaR wrote: »

We understand everyone's concerns regarding this and want you to know that we take account security very seriously. Regarding the system we currently use, it is important to note that the process of getting personal information from a userID is extremely difficult, if not virtually impossible.

To recover a userID associated with a specific e-mail address and password, you need the first name, last name, and e-mail address of the account owner. Provided that is correct, you are still required to answer a security question, provide the correct answer, and then be sent an e-mail with a reset link. Simply attempting to put the required information into the website will not give an attacker any information.

There are quite a few layers of authentication, as well as the security of your trusted e-mail to protect you. This is all coupled with additional security not exposed to the player or potential hacker that protects you as well.

We hope this helps assuage some concerns. If you ever feel your information has been compromised, our support team is always here to help.

I'm sorry Amelia, but this sounds like a script composed by someone who doesn't understand security, and the need to keep as many elements of an account holder as confidential as possible.

There are reasons why many (the most sensible) forums use seperate login and "nickname" systems. Every piece of information is a vector - having someone's username to a login is a vector if the backend is compromised. NOBODY can claim their system is inscrutable, that it's impossible to get in without other details. Google Amazon, Apple and Wired reporter. Note the recent Apple SSL bug, and the current OpenSSL mess - there are holes everywhere that haven't been discovered, some may never be discovered, and you can bet that somewhere a black hat is sitting there laughing, saying, "you'd be amazed what you can do with just a username".

This is a piece of our personal information. It should be handled with care, and to quote that oldest of customer support quotes, The Customer Is Always Right.

If Zenimax are saying we're not right, and claiming to guarantee that we have nothing to fear, then please get it written into the EULA that Zenimax and it's directors take full responsibility and accountability for any loss, damage, inconvenience or personal grievances that come about from sharing our username with the world and their dog (not to mention every gold farmer and bot running around Tamriel). Something, say, I can pass on to my lawyer for a rainy day.

Daggers wrote: »

ZOS_AmeliaR wrote: »

We understand everyone's concerns regarding this and want you to know that we take account security very seriously. Regarding the system we currently use, it is important to note that the process of getting personal information from a userID is extremely difficult, if not virtually impossible.

To recover a userID associated with a specific e-mail address and password, you need the first name, last name, and e-mail address of the account owner. Provided that is correct, you are still required to answer a security question, provide the correct answer, and then be sent an e-mail with a reset link. Simply attempting to put the required information into the website will not give an attacker any information.

There are quite a few layers of authentication, as well as the security of your trusted e-mail to protect you. This is all coupled with additional security not exposed to the player or potential hacker that protects you as well.

We hope this helps assuage some concerns. If you ever feel your information has been compromised, our support team is always here to help.

I'm sorry Amelia, but this sounds like a script composed by someone who doesn't understand security, and the need to keep as many elements of an account holder as confidential as possible.

There are reasons why many (the most sensible) forums use seperate login and "nickname" systems. Every piece of information is a vector - having someone's username to a login is a vector if the backend is compromised. NOBODY can claim their system is inscrutable, that it's impossible to get in without other details. Google Amazon, Apple and Wired reporter. Note the recent Apple SSL bug, and the current OpenSSL mess - there are holes everywhere that haven't been discovered, some may never be discovered, and you can bet that somewhere a black hat is sitting there laughing, saying, "you'd be amazed what you can do with just a username".

This is a piece of our personal information. It should be handled with care, and to quote that oldest of customer support quotes, The Customer Is Always Right.

If Zenimax are saying we're not right, and claiming to guarantee that we have nothing to fear, then please get it written into the EULA that Zenimax and it's directors take full responsibility and accountability for any loss, damage, inconvenience or personal grievances that come about from sharing our username with the world and their dog (not to mention every gold farmer and bot running around Tamriel). Something, say, I can pass on to my lawyer for a rainy day.

Well said and right on.

liquid_wolf wrote: »

Vyndetta wrote: »

@liquid_wolf I don't want my account login name to be seen by others. I know that it is the first step in accessing my account. It should NOT be visible to others. We should have an Account Name that is NOT our Login.

Funny you should be calling out the IT people. You're actually the one who's being pig headed. I mean, you can't even acknowledge that this can assist in leading to hacks?

People are ultimately the problem. You can implement every security measure you can find any it still won't work.

The account name being visible, though unsettling, isn't the end-of-days issue that people believe it is.

I'm tired of these professionals coming in talking about security, when they clearly don't understand that their biggest hole in their systems are the people themselves.

Every layer, every password, and every control they have in place is negated by what people do, and how they behave.

"Security Professionals" know systems... and very little about people.

As far as I'm concerned, when it comes to achieving security, their methods are useless.

They ultimately do more harm to people, and allow them to become sloppy and less careful.

Hell... the same protections that get put in tend to encourage people to be bigger jerks, and hide behind those protections like a mask.

Sure... you have a safe and secure system... but the people eventually become little better than penned animals.

There's my forum name, guy, go ahead and log into it and put up a post as me saying I smell like butt, or get off the pot.

Any word on how long this is taking? It's been 6 days since I put in a request change as my personal info is out there.

Vyndetta wrote: »

@Daggers you realize "The Customer is Always Right" hasn't been in practice for about a decade now, right? LOL

Seriously though, I am just blown away at how badly things like this are handled. Is there not a single employee at ZOS or even Bethesda that can sit back and say "Huh, you know... maybe we didn't think that one through all the way. Let's look at making that change."

Well hopefully they are now but who knows. What I wanna know is why something like this was in the design at all, I mean wouldn't someone have thought that putting your actual account name out there was a bad idea? Especially considering how often these game accounts get hacked already.

Granted I am sure it was just a oversight but how? Anyway I do love the game and hope they take things like this seriously.

Well is ESO's servers are ever targeted hackers will have an easier job of finding the best accounts to hack. An authentication device, app or something would be nice.

My biggest concern is my forum name. It was assigned to me and I'd really rather not have it the way it is for obvious reasons.