[Notice] Account Security

184 posts in this topic

Posted (edited)

the beta forums have ssl applied to it, everything here but the posting itself uses ssl (including logging in to your forum account)

it's probably an issue with ipb which prevents it from being forum wide (hence maybe the push to swap to the new forum?)

No, that's not true. This whole forum platform is insecure and not using HTTPS transfer or SSL authentication (or even ROT13 or whatever). Account names, email addresses, and passwords are transmitted in plain text as part of regular HTTP requests:

[Image: x5A3uP6.png]

It's absolutely unprofessional and they keep running the forums in an unsecure way despite having been called out on it several times since release by multiple people, myself included.

They don't, that's why they state it. Many people use the same passwords across accounts because they are lazy and/or don't know any better.
It's not uncommon to assume that 70% of the people on these forums have the same email password as they do game password.

These forum accounts and passwords match game accounts because they can be used to login as far as I remember (I don't think I ever created a forum account; just used my login).

Despite this, if passwords are saved in a secure/hashed way, there's no way for them to compare them to any data dump, whether it's one of their own services or a third party one. You can only do that if passwords are stored in plain text, which is completely unacceptable today (or even years ago).

Edit: One more thing. Even if it's a third party they're subcontracting, they should at least tell us which kind of data was compromised, e.g. email and passwords or email and passwords and credit card numbers. They're only telling us the bare minimum, mostly just to be on the safe side regarding any "but we told ya" incident.

Edited by Smaxx
2 people like this
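
The post above turns on whether hashed passwords can be compared with a data dump. As an added example (not part of the post and not the forum operator's code), this sketch shows the comparison that remains possible when only salted hashes are stored: re-deriving the hash for each plaintext `email:password` pair found in a third-party dump. The account table, dump lines, PBKDF2 parameters and function names are all constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this example


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 hash, the only form the service stores."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(password: str) -> dict:
    """Stored account record: random per-user salt plus the derived hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def exposed_accounts(accounts: dict, dump_lines: list) -> list:
    """Return e-mails whose current password equals a plaintext dump entry."""
    exposed = []
    for line in dump_lines:
        email, sep, candidate = line.strip().partition(":")
        record = accounts.get(email.lower())
        if not sep or record is None:
            continue  # malformed line, or not a user of this service
        # Re-derive with the user's own salt; compare in constant time.
        derived = hash_password(candidate, record["salt"])
        if hmac.compare_digest(derived, record["hash"]):
            exposed.append(email.lower())
    return exposed


# Constructed account table (hypothetical users): salt + hash only.
ACCOUNTS = {
    "alice@example.com": make_record("correct horse battery"),
    "bob@example.com": make_record("hunter2"),
    "carol@example.com": make_record("S3parate-forum-pw"),
}

# Constructed third-party dump of plaintext "email:password" pairs.
DUMP = [
    "bob@example.com:hunter2",             # reused password
    "alice@example.com:old-password-1",    # different password here
    "mallory@example.net:letmein",         # not a user of this service
    "Carol@Example.com:S3parate-forum-pw", # e-mail case differs
    "garbage line without separator",
]

if __name__ == "__main__":
    for email in exposed_accounts(ACCOUNTS, DUMP):
        print("force password reset:", email)
```

A dump that carries only another site's password hashes cannot be matched this way, because there is no plaintext candidate to re-derive from.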

Posted

lol @ change email address. TWO STEP AUTH you slackers! Whilst you're at that fix servers. Not another dime from me until you do!!!!!!!!

OMG

I suggest you review your cipher list on your new forum cert, it's open to all kinds of attacks. Cert is shared with other sites using SNI, you may want to move it to its own VIP which will allow you to tighten the cipher list.

https://www.ssllabs.com/ssltest/analyze.html?d=community.blackdesertonline.com

This one is free. Contact me if you wish further help on how to properly secure a Certificate.

1 person likes this
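
The cipher-list review suggested in the post above can be scripted. This is an added example, not from the post: it classifies OpenSSL-style suite names and keeps only forward-secret AEAD suites. The names in `SCANNED` are constructed sample input, not the forum's actual scan result, and the function names are hypothetical.

```python
import re

# Name components that mark a suite as weak, with the reason.
WEAK_TOKENS = {
    "NULL": "no encryption",
    "EXP": "export-grade key length",
    "RC4": "RC4 stream cipher",
    "DES": "DES/3DES (64-bit block cipher)",
    "MD5": "MD5 MAC",
    "ADH": "anonymous key exchange",
    "AECDH": "anonymous key exchange",
}
EPHEMERAL_KX = {"ECDHE", "DHE", "EDH", "ADH", "AECDH"}
AEAD_MODES = {"GCM", "CHACHA20", "CCM"}


def audit_suite(name: str) -> list:
    """Return the list of findings for one cipher suite name."""
    parts = set(re.split(r"[-_]", name.upper()))
    findings = [why for tok, why in WEAK_TOKENS.items() if tok in parts]
    # TLS 1.3 suites (TLS_...) always use an ephemeral key exchange.
    if not name.upper().startswith("TLS_") and not (parts & EPHEMERAL_KX):
        findings.append("no forward secrecy")
    if not (parts & AEAD_MODES):
        findings.append("not an AEAD cipher (CBC or stream mode)")
    return findings


def tighten(suites: list) -> list:
    """Keep only the suites that produce no findings."""
    return [s for s in suites if not audit_suite(s)]


# Constructed sample of suites a permissive server might offer.
SCANNED = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_AES_256_GCM_SHA384",
    "ECDHE-RSA-AES256-SHA384",
    "AES128-SHA",
    "DES-CBC3-SHA",
    "RC4-MD5",
]

if __name__ == "__main__":
    for suite in SCANNED:
        print(suite, "->", audit_suite(suite) or "ok")
    print("keep:", tighten(SCANNED))
```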

Posted (edited)

Edit: One more thing. Even if it's a third party they're subcontracting, they should at least tell us which kind of data was compromised, e.g. email and passwords or email and passwords and credit card numbers. They're only telling us the bare minimum, mostly just to be on the safe side regarding any "but we told ya" incident.

I don't remember any mention of sub-contracting in the OP. Let's not make it something it may not be due to a lack of information, also they did tell us what type of data was compromised, Email and password of those affected. If they were, they got a password reset from the company.

Literally if you were not a part of that list, you're fine. That's what I take from OP but tbh, I don't know what the entire scope of the attack was, assuming it was even an attack.
They gave us what they needed to. If you've any experience in Risk Management you know why they didn't give us any more.

Edited by War

Posted

I don't remember any mention of sub-contracting in the OP. Let's not make it something it may not be due to a lack of information, also they did tell us what type of data was compromised, Email and password of those affected. If they were, they got a password reset from the company.

Literally if you were not a part of that list, you're fine. That's what I take from OP but tbh, I don't know what the entire scope of the attack was, assuming it was even an attack.
They gave us what they needed to. If you've any experience in Risk Management you know why they didn't give us any more.

Probably wasn't even an attack :D it's most likely people tried to buy in-game currency and got infected with a malware, or something more stupid like using the same email and password to create an account at their site. Then the techs or login servers noticed an anomaly when accounts were logging in from a different region than they usually do on a large scale lol. Also I don't think they're stupid, if credit cards were affected I think they would do more than this.. But yes a little reassurance would be nice if it was said on the original post, that no credit cards were compromised. If those people affected weren't already compromised by entering credit card info on the malicious website, trying to buy gold.

Posted

Probably wasn't even an attack :D it's most likely people tried to buy in-game currency and got infected with a malware, or something more stupid like using the same email and password to create an account at their site. Then the techs or login servers noticed an anomaly when accounts were logging in from a different region than they usually do on a large scale lol. Also I don't think they're stupid, if credit cards were affected I think they would do more than this.. But yes a little reassurance would be nice if it was said on the original post, that no credit cards were compromised. If those people affected weren't already compromised by entering credit card info on the malicious website, trying to buy gold.

quite possibly

I suppose we will never know /shrug :)

Posted

This is what happens when your IT department is trash... really how hard is it to install and force use an SSL on the forums? It takes less than 5-10 minutes... 

Posted

Just stop. You do not have the resources to replace your forum correctly.

There is no need. You are only introducing risk.

It will look bad for whoever owns this project, yes. Still, do what's best for your company and customers and cut your losses on the new forum.

Posted (edited)

OMG

I suggest you review your cipher list on your new forum cert, it's open to all kinds of attacks. Cert is shared with other sites using SNI, you may want to move it to its own VIP which will allow you to tighten the cipher list.

LOL! Thank you, you made my day. xD They probably fear missing the money of anyone still on Windows XP with Internet Explorer 7 or something like that. ;)

Edit: Just checked our company website, which is hosted using a "click here to enable HTTPS" and it passes using an "A" rating. I'd be very, very ashamed.

Edited by Smaxx
