
AKFrost

Rank 5
Joined
10 Jan 2008
Posts
4860
Location
Berkeley United States
Posted Apr 22, 2013 3:39 pm
Mandatar wrote:

Perhaps if you could re-read the small selection of the text you decided to quote, you could see that this passage is not related to AGE's internal security program, but to the feeling of security of the customers. I could suggest a more pro-active stance for your company's security, but that's not really the issue of the OP in this thread.

I also fail to see how Billdoor's personal issue is of relevance to the shortcomings in the security procedure from your billing department. From what I recall we were not supposed to discuss private tickets in a public place, let's stick with that, ok?


Billdoor's entire argument (and thus the point of this thread) is that Aeria requiring your Aeria email and billing email to match is bad policy. You're the one that went off on an invalid tangent about "social engineering". So I'm here to defeat both of your points.

With that said:

Your "feeling of security" does not trump actual security. Aeria is responsible to all of its 10 million+ accounts, not just how you feel about yours. Requiring your billing account email be the same as your aeria email is the only way to verify that you control both accounts, and thus increases the likelihood that billing activity on your account is legitimate.

Again, your security outlook is extremely flawed. You obviously trust Aeria enough to give them money (which is why there's a billing email issue to begin with. People who are completely F2P do not need to submit a billing service email).

If Aeria has poor security as to allowing their accounts to be hacked, then there's no reason to assume that their payment system is secure. This is your security fail #1.

If your billing service has poor security as to allowing the leakage of an email to be sufficient for your billing account to be hacked, then you shouldn't be letting them manage your money to begin with. This is your second security fail.

If you think that your email is a secret on the internet when there's hundreds of packet sniffers scraping emails from every ISP on Earth, meaning that your email's probably been revealed to unscrupulous people the moment you made that PayPal account and they sent a verification email to you, then that's your third security fail.

If you think that Aeria should allow any arbitrary email to be used as a billing email to govern real money transactions, thus disallowing Aeria any ability to verify the legitimacy of such transactions beyond PayPal assuring Aeria that they -might- get their money provided the customer doesn't file a chargeback saying it's fraudulent activity, which cannot be disproved because Aeria allowed -any- arbitrary email to be used, then that's your fourth security fail.

Armed with these, no company's security policy can possibly make your account secure, much less make you feel secure.

You're just that customer that asks for the impossible.

Mandatar

Rank 5
Joined
11 Apr 2009
Posts
3545
Location
Netherlands
Posted Apr 22, 2013 4:23 pm
AKFrost wrote:
You're just that customer that asks for the impossible.  


At least I can look into the mirror, knowing I never tried to hide an account from AGE.

Azeal (80), Scrooge (30), Someshta (30), Nardel (15), Mandatar (65)

billdoor

Rank 5.1
Joined
05 Aug 2008
Posts
6418
Location
Foldereid Norway
Posted Apr 23, 2013 2:49 pm
Been out of Dodge for a couple of days.

My whole argumentation boils down to that as long as we are repeatedly getting our AERIA accounts compromised due to faulty AERIA account database security, asking us to trust in AERIA to keep our AERIA accounts and not at the least, our own MONEY safe, is requiring a major measure of trust. Having had my AERIA account compromised three times already in this way over the last year, in spite of my security precautions at MY end, tells me AERIA are the ones having problems with security and should not come telling ME how to keep my stuff safe. Thus, the required measure of trust is not there.

If you are promoting practices as related to you from the billing companies, you should make sure you are waterproof at your own end before you make such requests of us. Also, I find it odd I have yet to experience ANY account security problems ANYWHERE else online in the 10+ years I have used online billing services, and not ONCE have I been asked to make sure my billing account email matches the email of whatever user account I am purchasing services on elsewhere. And I have been using serious online companies for years. You would think they would have told me soon enough if this was required. While Aeria has had my account compromised 3 times within 13 months and makes this request from me.

If it is so important the billing services and user account emails match, why is this not stated on every website where you might wish to do online purchases at the time you sign up? That would be the obvious thing to include to prevent future trouble, right? I call a bluff.

Now, I will hold that Aeria makes this request for the convenience of AERIA and not its customers. You obviously want to save money on reduced handling time, but apparently do not take into account that we, the users and your paying customers, want to go to ANY step we can to keep our own private data and economy safe. If my non-matching emails are not convenient to Aeria, I am sorry, but that is not MY problem, that's Aeria's.

I will refrain from matching up my emails because of AERIA's obvious lack of security and advise others to do the same. My billing service email address is going NOWHERE near my Aeria accounts.


@ AKfrost: I spend my money at Aeria (misguidedly, for sure, but some folly should be allowed for all) because of one of their games, not because of the company. Because of the repeated compromising of my Aeria account in SPITE of my own security precautions at my end, I am fully convinced that Aeria's obvious lack of account database security (just ask around, I am far from the only repeatedly compromised Aeria customer that takes his security seriously) is a risk to me and my privacy. For which reason I WILL, as you put it, be the customer asking the impossible. And do the obvious thing: keep my billing and Aeria account emails separate.

My own security concerns trump Aeria's, and when Aeria's security is faulty, I have to take steps to protect myself. I am the customer, I am the one with the money, I am the one calling the shots with how I protect them at my end.

If I believed I could trust Aeria's security, I might consider their request. But past experience of mine and others shows that Aeria's database security is very flimsy indeed. If we want to keep on playing games hosted by Aeria and spend real money on them, we would be doubly stupid if we did not make things harder at our end for the people exploiting the holes in the Aeria security to prevent them from wreaking havoc with our online accounts elsewhere.

(And...if we use different emails, it makes it a whole lot easier to find out which end the security break was at IF our billing service gets compromised.)

SeasonsEnd/MadManMoon/Uigeadail - retired from Shaiya as of May 10th 2014.