Mandatar

Rank 5
Mandatar
Joined
11 Apr 2009
Posts
3541
Location
Netherlands
Posted Apr 22, 2013 9:21 am
Superman0X wrote:

We are just telling our players what is actually established as the best practices. You can choose to follow them or not.... but they are best practices for a reason. In fact, if you contact an email based payment system (Paypal, Google, Moneybookers, etc) and ask them, they will in fact tell you that this is what THEY recommend as well.


I perfectly understand the benefit and recommendation that the email address listed at your payment system can be matched by the billing department of the selling company.

The issue though, is that your billing department recommended that this email is listed as primary email for your AGE account.

If compromised, I can very well imagine that Billing says: "We've sent an email to the email attached to your payment account, please respond to that email to verify your identity."

Or if AGE could add an optional 2nd layer of security on account details:
That you can set your account so that if you want to view or edit personal data (containing the email attached to the account) you will get an email on that account asking for verification to get access.

At least that would be better than just saying "this type of verification is recommended by PayPal etc, so we just ignore security and ask our players to submit their email address for their main account and accept that we provide a security risk."

Azeal (80), Scrooge (30), Someshta (30), Nardel (15), Mandatar (65)
Superman0X

GameMaster: USA
Superman0X
Joined
11 Jun 2007
Posts
12163
Location
San Jose United States
Posted Apr 22, 2013 9:32 am
Mandatar wrote:
At least that would be better than just saying "this type of verification is recommended by PayPal etc, so we just ignore security and ask our players to submit their email address for their main account and accept that we provide a security risk."  


I am not sure you are understanding. These changes are recommended by both us, as well as the payment provider... BECAUSE they improve security. There is LESS risk, if you make these changes. In fact, the payment providers would prefer it if we denied all access, except to the email on the payment methods. They consider the fact that we allow you to have a different email address high risk.

yudia

Rank 1
Joined
28 Oct 2008
Posts
358
Location
United States
Posted Apr 22, 2013 12:06 pm
Your account was locked, Billdoor, because your emails didn't match?

I have been getting the same emails every time I buy AP and thought it was a suggestion, it did not say in the email that I had to change my email address.
The last time I bought AP was in March and they did not lock my account.
The email said:

billing email wrote:
Hello,

Thank you for purchasing Aeria Points! We noticed that the email address attached to your payment method does not match the email address attached to your account. As part of our security measures to protect your account we want to verify if you made this AP purchase. If you did not make this purchase, please contact us and include your transaction number in your ticket.

To better ensure your security when purchasing AP, going forward we highly recommend that your purchasing email address and the email address attached to your account match.  



That email was sent to my payment email, not my Aeria account email. And it says they recommend that both emails match. It does not say that I have to change my email address.

Superman0X

GameMaster: USA
Superman0X
Joined
11 Jun 2007
Posts
12163
Location
San Jose United States
Posted Apr 22, 2013 12:56 pm
yudia wrote:
Your account was locked, Billdoor, because your emails didn't match?

I have been getting the same emails every time I buy AP and thought it was a suggestion, it did not say in the email that I had to change my email address.
The last time I bought AP was in March and they did not lock my account.
The email said:

billing email wrote:
Hello,

Thank you for purchasing Aeria Points! We noticed that the email address attached to your payment method does not match the email address attached to your account. As part of our security measures to protect your account we want to verify if you made this AP purchase. If you did not make this purchase, please contact us and include your transaction number in your ticket.

To better ensure your security when purchasing AP, going forward we highly recommend that your purchasing email address and the email address attached to your account match.  



That email was sent to my payment email, not my Aeria account email. And it says they recommend that both emails match. It does not say that I have to change my email address.


The account locking was not related to the email on the account. However, after it was locked, the email not being the same made it more difficult to unlock the account.

Mandatar

Rank 5
Mandatar
Joined
11 Apr 2009
Posts
3541
Location
Netherlands
Posted Apr 22, 2013 2:02 pm
Superman0X wrote:
Mandatar wrote:
At least that would be better than just saying "this type of verification is recommended by PayPal etc, so we just ignore security and ask our players to submit their email address for their main account and accept that we provide a security risk."  


I am not sure you are understanding. These changes are recommended by both us, as well as the payment provider... BECAUSE they improve security. There is LESS risk, if you make these changes. In fact, the payment providers would prefer it if we denied all access, except to the email on the payment methods. They consider the fact that we allow you to have a different email address high risk.  


There is a small but critical flaw in your argumentation.

Yes, all payment companies strongly advise AND recommend that each single paying customer is verified on the email address of their payment account. There is a difference in how this is applied though.

AGE could comply with this rule by sending a confirmation email to the email accounts attached to payment emails (only if the 2 do not match), asking them to confirm the secondary email as genuine. That way you could fully comply with the request that you can attach each paying customer to the email listed in their payment account.

This is even more secure than "suggesting to use the same email address". I know that AGE allows me to change the email attached at will, and so does paypal. So I could easily attach both to the same email today, and both to other emails tomorrow. This type of security is hiding responsibility of the safety obligations as a company.

For years there has been a trend to unite all accounts with a single login. But people realised this also means a single point of failure. Social engineering is well adapted to pinpoint the weakest link in account safety, and cascade through all users' accounts to secure online isolation and pluck all payment accounts.

I know AGE puts some effort into safety, but I also know that accounts and emails have been out and stolen many times (by being a publisher you are as vulnerable as the sum of coding companies who provide you with games), judging from the amount of "account safety locks" in the last years.

You should realise that Billdoor isn't trying to judge AGE, but holding a plea for AGE to review the safety of their paying customers. People are asking you to make us feel safe with AGE. Many increase their feeling of safety by spreading their online risk, and it would be nice if AGE could accommodate this. I do not just ask this as a user of your games, but also as security expert for a software company that makes and deploys applications such as your billing application and item malls.

Please do not hide behind the "we simply follow the protocol". I've listed plenty of options that would allow for the same security towards payment services, while allowing your paying customers their freedom of choice. I know you understand what I am writing here, so please no further responses behind the façade of recommended protocol. Please try to walk up to the PMs or the billing department, and ask them to review their safety procedure to accommodate the feeling of safety for the customers.

Azeal (80), Scrooge (30), Someshta (30), Nardel (15), Mandatar (65)

Superman0X

GameMaster: USA
Superman0X
Joined
11 Jun 2007
Posts
12163
Location
San Jose United States
Posted Apr 22, 2013 2:11 pm
Mandatar wrote:

You should realise that Billdoor isn't trying to judge AGE, but holding a plea for AGE to review the safety of their paying customers. People are asking you to make us feel safe with AGE. Many increase their feeling of safety by spreading their online risk, and it would be nice if AGE could accommodate this. I do not just ask this as a user of your games, but also as security expert for a software company that makes and deploys applications such as your billing application and item malls.
 


If Billdoor likes, he can explain why there was an issue with his account.

We are constantly updating our security, but we only know about an issue after the fact... not before. Once something has gone wrong, we take the actions to protect the account, and to restore service as quickly (and easily) as possible. The recommendations that we make are based on this. We will continue to provide these best practices to our customers... whether they choose to follow them or not. We only really force action, once there is an actual compromise.

AKFrost

Rank 5
Joined
10 Jan 2008
Posts
4860
Location
Berkeley United States
Posted Apr 22, 2013 2:38 pm
@Mandatar and co.

Um.

If they were capable of social engineering your billing service, why would they bother coming to Aeria for email addresses? There are far more vulnerable websites on the web, and unless your billing email gets zero spam, it means somebody unscrupulous ALREADY has your email account.

Thus, I don't understand your point at all. Have you actually taken a course in security? Your "different emails" scheme will only serve to make your life worse here at aeria should something go wrong. It will not make your money any more secure.

Also, if your billing service is vulnerable to social engineering attacks AND doesn't have fraud protection, why would you trust them with your money? This is a far bigger problem than "exposing" your email behind Aeria's security.

Less tin foil, more computer science please.

Mandatar

Rank 5
Mandatar
Joined
11 Apr 2009
Posts
3541
Location
Netherlands
Posted Apr 22, 2013 2:53 pm
AKFrost wrote:
why would they bother coming to Aeria for email addresses?  


Not for the email address, but that's no computer science. I recommend you read back in this thread and follow the link on social engineering I posted.

I think it would be unwise to go into details about the possible technical security issues that I suspect at AGE in this forum; you as a GS should understand this. So I'll happily assume my tin foil hat for you again. :)

AKFrost

Rank 5
Joined
10 Jan 2008
Posts
4860
Location
Berkeley United States
Posted Apr 22, 2013 3:02 pm
Mandatar wrote:
AKFrost wrote:
why would they bother coming to Aeria for email addresses?  


Not for the email address, but that's no computer science. I recommend you read back in this thread and follow the link on social engineering I posted.

I think it would be unwise to go into details about the possible technical security issues that I suspect at AGE in this forum; you as a GS should understand this. So I'll happily assume my tin foil hat for you again. :)


The only thing Aeria exposes is your email address. Any legitimate billing service would at least verify that you control the bank account or credit card account (by charging your account a dollar or something with a verifying code) before allowing anybody to gain access to it.

Thus, your point is completely invalid. Any billing service vulnerable to social engineering is not reputable and should be avoided like the plague.

Also, Computer Security is a major topic of computer science.

Mandatar

Rank 5
Mandatar
Joined
11 Apr 2009
Posts
3541
Location
Netherlands
Posted Apr 22, 2013 3:10 pm
Superman0X wrote:
Mandatar wrote:

You should realise that Billdoor isn't trying to judge AGE, but holding a plea for AGE to review the safety of their paying customers. People are asking you to make us feel safe with AGE. Many increase their feeling of safety by spreading their online risk, and it would be nice if AGE could accommodate this. I do not just ask this as a user of your games, but also as security expert for a software company that makes and deploys applications such as your billing application and item malls.
 


If Billdoor likes, he can explain why there was an issue with his account.

We are constantly updating our security, but we only know about an issue after the fact... not before. Once something has gone wrong, we take the actions to protect the account, and to restore service as quickly (and easily) as possible. The recommendations that we make are based on this. We will continue to provide these best practices to our customers... whether they choose to follow them or not. We only really force action, once there is an actual compromise.  


Perhaps if you could re-read the small selection of the text you decided to quote, you could see that this passage is not related to AGE's internal security program, but to the feeling of security of the customers. I could suggest a more pro-active stance for your company's security, but that's not really the issue of the OP in this thread.

I also fail to see how Billdoor's personal issue is of relevance to the shortcomings in the security procedure from your billing department. From what I recall we were not supposed to discuss private tickets in a public place, so let's stick with that, ok?

Azeal (80), Scrooge (30), Someshta (30), Nardel (15), Mandatar (65)