Potential User Data Breach

"
hunter_AS wrote:

I know the common thought is blah blah blah who does this guy think he is, I am a former PCI Forensic Investigator consultant who has led with major credit card breaches and now lead the incident management department at a large financial institution. Before this I served as a lead penetration tester as well.



I also served as a lead penetration tester but under your mum instead :^)
LUL i use steam umad hackers
Thanks for letting us know.
Appreciate the transparency.
Maybe they were just trying to make COC great again?
Appreciate the transparency.
I have lost my 2 characters in account fck

"
hunter_AS wrote:
^ This does not inspire a lot of confidence. If you severed internet connections and started immediately reformatting without performing imaging on the affected systems, it shows that you clearly do not have capable incident responders on staff. With that being known, I sincerely doubt the security measures you put in place are adequate, unless you have identified root cause, which is once again hard to do when you immediately start erasing evidence. Along with this, if there was potential proof that sensitive information was accessed, you are wiping this out as well.

With that said, as long as the payment card data never touches your network and you actually are salting, very little issue aside from your proprietary information potentially being breached. I appreciate the notice, but your response didn't inspire much enthusiasm for your ability to handle the event.

I know the common thought is blah blah blah who does this guy think he is, I am a former PCI Forensic Investigator consultant who has led with major credit card breaches and now lead the incident management department at a large financial institution. Before this I served as a lead penetration tester as well.
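The reply above hinges on whether stored passwords "actually are salted". As an added illustration (not code from the poster or from the game's backend), the following shows why that matters: with an unsalted fast hash, every user who chose the same password gets the same digest, so one cracked entry or one precomputed table exposes all of them; with a per-user random salt and a slow derivation function (PBKDF2-HMAC-SHA256 here, a standard-library choice), identical passwords yield unrelated digests and verification stays constant-time. The storage format string and the iteration count are assumptions for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed storage format for this example: algo$iterations$salt_hex$hash_hex
def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """Derive a salted, stretched hash. A fresh 16-byte random salt per user unless one is supplied."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(hash_hex))


def unsalted_sha256(password: str) -> str:
    """The weak scheme the thread worries about: one fast hash, no salt, no stretching."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def same_password_collides(password: str, iterations: int = 600_000) -> dict:
    """Compare how two users sharing one password look under each scheme (constructed users)."""
    weak_a, weak_b = unsalted_sha256(password), unsalted_sha256(password)
    strong_a, strong_b = hash_password(password, iterations=iterations), hash_password(password, iterations=iterations)
    return {
        "unsalted_identical": weak_a == weak_b,      # True: crack one, crack both
        "salted_identical": strong_a == strong_b,    # False: each must be attacked separately
        "salted_verifies": verify_password(password, strong_a) and verify_password(password, strong_b),
    }


if __name__ == "__main__":
    print(same_password_collides("correct horse battery staple"))
```

Note that the salt is not secret; its job is to make each stored entry unique. The iteration count is what makes guessing slow, and it is stored alongside the hash so it can be raised over time for re-hashed accounts.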


Man joins PoE over a year ago, leaves forums untouched. Man's first post? This one. I'd be inclined to pay attention to what he said.
- 0 * - < _ > - * 0 -- 0 * - < _ > - * 0 -- 0 * - < _ > - * 0 -- 0 * - < _ > - * 0- 0 * - <
<739610877-3104-376.101077-1106.75103739110792103.108-5'92.9410776.>
- 0 * - < _ > - * 0 -- 0 * - < _ > - * 0 -- 0 * - < _ > - * 0 -- 0 * - < _ > - * 0- 0 * - <
"
waskely wrote:
"
sarannah101 wrote:
"
stevich wrote:


+ hacker would have to brute-force 2 passwords

- user experience when trying out the game (even if it seems minor to type in 2 passwords)
- as you mentioned bigger workload for support
- remembering 2 passwords
- always having to type this password after every login (that's an absolute killer user experience wise)

I think the negatives outweigh the positives, but maybe I'm just negative.

- user experience when trying out the game (even if it seems minor to type in 2 passwords)
Well, the 2nd password would have to be created. But this is only once.

- as you mentioned bigger workload for support
Nothing to be done about this.

- remembering 2 passwords
Yes, but the 2nd password isn't a real password, it would only be a 4 or 5 digit code. Which will usually be something players can easily remember.

- always having to type this password after every login (that's an absolute killer user experience wise)
Having to type this password once after every log-in isn't a huge deal in my opinion. Try to keep track of how often you log in/out. Maybe once every 3-5 hours, unless you happen to crash. Keep in mind though, you could play the game without even letting the game prompt you for the 2nd password, by not accessing your stash/inven/equipped items. Of course when your inventory fills up, eventually you'd have to let it prompt you when you need to sell stuff from your inventory.

You are correct with your downsides though, so awesome feedback. Personally, I think the pros heavily outweigh the cons.
The true realistic cons for the player are having to create this code, remembering it, and typing it once every play session (usually at the very beginning).


What the hell is this crap. Do you ever travel? Or try to log into POE at work? It requires constant POE unlock codes being sent to your account email whenever logging in from a different location from your last login (every day I have to do this twice because I log in at work) and I hate it. I don't want 3 layers of security for a fking game, banks don't even care that much.

If our accounts were chosen for violation by would-be hackers, they need to pick an account email, brute force the password, hack the email address associated with the account (or make it seem as though they are logging in from the same location)

Maybe I'm just lazy, but that all seems like way way way too much work for a game account



Seriously, it's not that complicated... tie in the google authenticator or a similar 2FA solution and make it optional. Got a smart phone? Then you have 2 factor authentication. I'm not sure WTF OP was trying to do, but it's a seriously convoluted "solution" to a problem that's been solved for decades. Who you are, what you know, what you have. Pick two.
Thank you for the full disclosure and rapid notification.
ProbablyGettingNerfed - L100 Occultist
Vinktarded - L100 Pathfinder
