Question: hypothetical Hacking of a Gold card protected account

[alh]

The problem is the question is too hypothetical to answer in any sensible way.

Obviously what will happen will depend on the exact nature of the attack.

Was it hacked because of negligence on your side, then yes it will be your fault and you will be held accountable.

Was it hacked because of negligence on MA side, then you have a better case, but still has a lot of convincing and phone calls to do.

Just a "it was somehow magically hacked" isn't really an answerable case.

[Darkewulfe]

Anything can be hacked, theoretically. The strongest encryption in the world (4096 bit? iirc) can be hacked, but it would take time.

[Redfrog]

Quote:

Originally Posted by Darkewulfe

Anything can be hacked, theoretically. The strongest encryption in the world (4096 bit? iirc) can be hacked, but it would take time.

Exactly. The GC code that gets generated has to be verified server side. Therefore it can't be random but must use an algorithm to generate the new code each time the GC is inserted. Which means that it can be duplicated and can be cracked. It is not and cannot be 100% secure purely because of how it works. The generated number must be verifiable and therefore must be predictable. Therefore it's crackable.

[Pollus]

Give us some real- theories!

Like this one:

1. Obtain access to a client with entropia
2. replace entropia.exe with a simple program showing your three (two then one) loggin fields over the backround uppon launching from the clientloader. When the user enters the GC number, state that its wrong and force the user to enter it again, now you will have two loggins. ref. phishing
3. Ftp the results out
4. now the attacker recieves a notice that the info has arrived, and can start his evil work

no PoC

[Gazza]

Quote:

Originally Posted by Pollus

Give us some real- theories!

Like this one:

1. Obtain access to a client with entropia
2. replace entropia.exe with a simple program showing your three (two then one) loggin fields over the backround uppon launching from the clientloader. When the user enters the GC number, state that its wrong and force the user to enter it again, now you will have two loggins. ref. phishing
3. Ftp the results out
4. now the attacker recieves a notice that the info has arrived, and can start his evil work

no PoC

Agreed, anything brute force on the Gold Card is not going to work, the mostly likely hack will always be phishing/social engineering. In these cases it is your own fault.

For more information on the technology in use here look up RSA Securid, I am not sure that this is the exact provider for MA, but it will be something similar.
Symmetric key information can be found here:

http://en.wikipedia.org/wiki/Symmetric_key

Any attempt to hack this would require a huge amount of know how and CPU power, and as there are much more profitable targets for any attempted hack than EU, so I would sleep easily

[Centech]

MA is going to tell you to contact the local authorities, just as they always have.

The GC is a tool they offer you for as close to foolproof protection as possible. It is not however any sort of extended warranty or exception to the normal EULA.

[BruuD]

Quote:

Originally Posted by Redfrog

Exactly. The GC code that gets generated has to be verified server side. Therefore it can't be random but must use an algorithm to generate the new code each time the GC is inserted. Which means that it can be duplicated and can be cracked. It is not and cannot be 100% secure purely because of how it works. The generated number must be verifiable and therefore must be predictable. Therefore it's crackable.

It is not random no, but you need to know 1 gc number in order to calculate where in the sequence of numbers you are.
So no one can ever crack your GC code without you first telling them one.
That is why you have to synchronise if you have generated a few codes without entering them into thw login window.
Afaik, this system cannot be cracked unless you are foolish enough to help the hacker.

(ok, if someone hacks into MA's systems you're still screwed ofc )

[Leona]

Getting access to an gold card protected account without physical access to the card and without "hacking" MA's server is possible in at least three other ways. One of those ways doesn't need much more effort then the key logger method for not gc protected accounts.

That it didn't happen yet (or at least we don't know of any reliable case) has several reasons but unfortunately will happen sooner or later. To deny this means spreading the feeling of false security.

MA never stated the gc delivers perfect security. The gold card system is additional security and a must, but doesn't replace basic security.

Same is valid for stuff like virus scanner, firewalls etc.: while those tools are mandatory, the user might get the feeling he can visit any website, open e-mail attachments or install 3th party software save (and without using his brain) because he is protected anyway. At least thats what i see happen in my daily IT work.

The point is, when the first gc protected account will get hacked, that does not prove the gc system to have failed. Actually it is very likely that the gc system will get "bypassed" on the client side or on the way, thus no increased liability from MA's side. And i guess that will be pretty much the answer we will (hopefully never) see.

On an side node: There is a lot that the community and MA could do to increase account security, not mainly technical stuff, more information and organization. Best security is always to make it not worthwhile to an potential attacker.

[Dorsai]

Quote:

Originally Posted by Pollus

Give us some real- theories!

Like this one:

1. Obtain access to a client with entropia
2. replace entropia.exe with a simple program showing your three (two then one) loggin fields over the backround uppon launching from the clientloader. When the user enters the GC number, state that its wrong and force the user to enter it again, now you will have two loggins. ref. phishing
3. Ftp the results out
4. now the attacker receives a notice that the info has arrived, and can start his evil work

no PoC

Here we have here a potential method of hacking a GC account.
It would be my fault in this case.
Firstly, because I had installed, or allowed to be installed, the fake entropia.exe
Secondly, on launching the new exe, my firewall noticed a new prog is trying to access the net, and I allowed it.
Thirdly, when a good CG code fails.

This is why I made a support case to MA asking that they post news about all patches on the client loader & their web-site news section.
They need not say why the patch, just that. Then If I get an update, with no news from MA, on either site, i would know to be careful.

How might MA work to prevent such a phishing attack working?
No POC to offer, but:
Assign each GC a unique serial number (They might be unique already).
Have an automated phone system that I can phone, and enter my GC number that will "lock-down" my account instantly, logging out my avatar.
In order to re-activate my account I need to file a support case, with the next 3 CG numbers. 3, because after 3 tries your account is locked, so the 3 successfully phised could be used to re-set the GC, but the hacker does not have the 4th number.
Any hack that asked for more than 3 numbers should be spotted instantly. However, how do you lock your account when MA are closed. By the morning, your avi it empty.

TO prevent malicious locking, have a spot on the card for the owner to enter a "pin" number, that the register with MA when they activate the GC.

TO lock the account enter card number "12345" pin number "1234".

It also occurs to me that in order for MA to put all the blame on me, I need a way to lock my account 24/7. Currently, if I suspect I am under attack, I have to wait for support to turn up for work.
With Credit cards there is a phone number that can be used 24/7/365 to report lost/stolen cards. MA need to put in place a way to lock my account 24/7/365 too.

[aridash]

Quote:

Originally Posted by Argh non Ral

But someone with the skills able to do this, why would mess accounts with few k dollars worth, when able to ripoff any bank for millions?

this is good point, however someone might use EU to develop and test such an attack as its low profile and a success might avoid much attention from local law enforcement.

Quote:

Originally Posted by BruuD

Afaik, this system cannot be cracked unless you are foolish enough to help the hacker.

yes, thats correct. you need to unwittingly assist the hacker by becoming infected with some trojan. so the primary defence against any attack is to secure the PC and as i found to my cost recently thats not always as easy as we think. but once the PC is secure, what purpose does the GC actually serve?

back to the underlying question of the thread, MA has i believe answered this and there is no guarantee or indemnity against any hacks on GC account. its just an extra lock on the door.