Security Token, The Magic Behind It...

2010-09-08
By Fenrir.Dramanue 2009-04-21 18:02:06

Ok, so I love technology. No, not like the guy from Napoleon Dynamite, but I love it enough to get boggled by its mystical wonders. Like this Security Token. Surely, it is a small device which has a small button and a 6 digit screen. Whenever you press the small button, it completes the circuit and a randomly generated 6 digit code is shown on the small liquid crystal display.

Magical.

But how does it tie in to the Play Online services? This is one thing that really throws me off. After all, there's no USB or wireless/bluetooth connection of any kind which causes the software (pol.exe) or the online servers to connect to the device to either a) read the number, or b) serve it a number. I know that the number is also somehow connected to the code on the back of the device. My guess is that every 30 seconds, every registered token is granted a random number depending on the time of day and the security code on its back which is then connected in some way to a psychotically long algorithm on the servers which eventually equates to the code you type in.

Anyone else have any other guesses? Alright, that's enough from me. ^_^

By Asura.Ludoggy 2009-04-21 18:05:09

It's dipped in coffee and virgin galka blood then rolled in the dust of broken taru bones.
That's where it gets its magic.

By Unicorn.Tavlov 2009-04-21 18:05:30

I asked this question on another thread, albeit in very "simple" form. lol The only true reply I got was a quote on how SE says it "works". Anyways, my one thought was that it uses satellite, but that's a bit much I think.

Damnit Ludo, do you even play the game anymore? lol

By Garuda.Wooooodum 2009-04-21 18:05:55

Dramanue said:
Anyone else have any other guesses? Alright, that's enough from me. ^_^

Fairies!

By Asura.Ludoggy 2009-04-21 18:07:47

I'm in lower jeuno atm.

By Unicorn.Tavlov 2009-04-21 18:11:11

Farming here, btw, grats on ur "Hero thread" ^^

By Asura.Ludoggy 2009-04-21 18:13:21

I think each token has a predetermined number for every few minutes of the day and blah blah!

I think I deserve a medal for saving the day =]
Going to farm lots and lots of rabbit skins to level leathercraft to 7 now ; ;
 
Offline
Posts:
By 2009-04-21 18:47:16
 Undelete | Edit  | Link | Quote | Reply
 
Post deleted by User.
 Ramuh.Bekisa
Offline
Server: Ramuh
Game: FFXI
Posts: 182
By Ramuh.Bekisa 2009-04-21 18:50:42
Link | Quote | Reply
 
It works off the same principles as a key-generator. I'm sure it's some algorithm from any combination of stuff like: the number on the back of your token, your Square ID, and maybe the time of day.

Give it a while, someone will crack it. Just some very complex algebra and there are numerous 'keygen making softwares' to download to try to break it.

But, it is a pretty effective measure against the kind of theft we've had recently using keyloggers and trojans. Once they break the algorithm though, it's all over. Keyloggers and trojans would get someone's token number and they could just make a 'keygen' to steal some more.

I got it for the +80 inventory mostly. If I get hacked by a virus, it gives me a reason to quit finally.

By Garuda.Antipika 2009-04-21 19:02:38

Tavlov said:
. Anyways, my one thought was that it uses satellite, but that's a bit much I think.


lol'ed

Quote:
Once they break the algorithm though...


...they'll attack PayPal and banking accounts instead of stealing your poor MMO account, which has no value at all for any "real" hacker who could crack such an algorithm. If you're able to crack such a thing, you'll never EVER think for one second about stealing an MMO account...

By Shiva.Pip 2009-04-21 19:13:27

Mine didn't work :D Out of the box, just kept me from logging in. Six hours of customer service later, they severed it from the account. Paid for a mog satchel I guess D:

They said they would call me back... being SE, they haven't!

By Ramuh.Bekisa 2009-04-21 19:50:16

Antipika said:


...they'll attack PayPal and banking accounts instead of stealing your poor MMO account, which has no value at all for any "real" hacker who could crack such an algorithm. If you're able to crack such a thing, you'll never EVER think for one second about stealing an MMO account...


First, taking and using someone else's bank information is a federal offense across borderlines. Using someone's virtual property is not a crime in any way in the US unless it's used to extort another person and/or steal their non-virtual assets. Read up on why PayPal and eBay, as well as most other websites, do not insure or condone the sale of virtual items. You won't find a single person penalized for using someone's MMO password and taking their virtual characters/gear. Even more so, China and Malaysia will not extradite or punish people for crimes committed via the internet against another country's citizens. Why do you think all the copyright piracy DVDs and games for sale come from there?

Second, I doubt it's that difficult of an algorithm. It's probably max a 128-bit token as the stronger ones would be much more expensive to produce (and they wouldn't only cost us $10/each). Just by the $10/each fee, I'd go out on a limb and say it's probably a 32, max 64 bit at most. Even 128-bit tokens become very easy to break once you have a few reference points. While you are sorta correct in saying "if they knew how to do it they wouldn't go after MMO's...", look back up to the first thing I wrote and you would see why. Make $20 each from a hundred stolen passwords ($2000) and get away free and clear, or steal $2000 from someone's bank account, which you can be punished for in most countries if you are caught.

I deal with this almost daily at work. RSA's 128-bit tokens have been 'hacked' numerous times and most of the time within a few weeks of a new release by the average pirate just for bragging rights to say "look what I did!".

Look up the low-end of a Vasco Digipass price -- way more than $10 each even if you bought a large quantity like 500,000 tokens. Closer to $40/each for basic 128-bit tokens.

By Ifrit.Myori 2009-04-21 19:54:17

Don't know about the token, but if someone hacks out your S.E. password the same way as your POL password, can't they just set your settings as "do not use one time password" and hack into your account anyway...

By Garuda.Ishkur 2009-04-21 20:10:17

Here for online banking transactions we have a really similar system called digipass.

I'd assume it's a really similar system, if not the same, that SE is using. Here is the Wiki on Digipass: http://en.wikipedia.org/wiki/Digipass
Kinda short on time so I'll read it later!

By Titan.Xanakali 2009-04-21 20:27:44

Bekisa said:

Using someone's virtual property is not a crime in any way in the US unless it's used to extort another person and/or steal their non-virtual assets.

"UNAUTHORIZED USE OF COMPUTER": http://www.efc.ca/pages/law/cc/cc.342.1.html
Bekisa said:


You won't find a single person penalized for using someone's MMO password and taking their virtual characters/gear.

A quick google search regarding an article I read a few years back revealed this (non US case) in seconds: http://mmorpg.qj.net/Online-gamer-wins-lawsuit-for-virtual-damage/pg/49/aid/74225

3.7 Thousand dollar equivalent was paid to the victim of a single person penalized for using someone's MMO password and taking their virtual characters/gear.

Bekisa said:

Even more so, China and Malaysia will not extradite or punish people for crimes committed via the internet against another country's citizens. Why do you think all the copyright piracy DVDs and games for sale come from there?

I can agree with this. Chances are low that a foreign country will care about MMO theft if they won't take action on million dollar lottery scams.

Lastly, the science on how these guys crack the keys is pretty interesting. Usually it involves slowing down the internal clock that is used to generate random numbers down to a point where the 'spinning' clock can be analyzed. This usually involves extremely cold chemicals and some awesome mad-scientist style fog.

whm cat person said:

Don't know about the token, but if someone hacks out your S.E. password the same way as your POL password, can't they just set your settings as "do not use one time password" and hack into your account anyway

I've yet to get my token, but if it works like WoW's token (which I might add looks to be made by the exact same company, and is the same model token) it will require the code to turn off, or a faxed copy of a driver's license and some other junk.

By Unicorn.Tavlov 2009-04-21 21:13:56

User submitted image

Digipass 6

By Fenrir.Dramanue 2009-04-21 22:05:05

Yeah, I've seen the Digipass site, I thought it was kinda cute finding our prized Security Token with another logo on it, but that's just how it is.

By Lakshmi.Rylis 2009-04-21 22:08:47

There is still the added benefit of: a saved form password that no longer needs entered (Meaning that, unless they're at your computer, they have to get at your POL ID password, which you no longer enter for a keylogger/screencatcher), your SE password, which must be entered, and then this algorithm that will only work if they know your token's serial number. It's the same idea as a cipher. You can crack a code or pattern in it, but it takes extensive work to interpret it without the key.

In this case, they'd have to crack three different types of passwords, instead of the previous one.

Undoubtedly, this method is safer, simply because it hasn't diminished anything that wasn't already there. Your POL password is still there, which used to be your only source of security, and now you don't have to worry about it being captured by common methods. You simply have two more security measures on top of it, and none of them are stand-alone.

The idea is this: A password is stronger when there are more, varied characters. This is why you're often encouraged to use capital letters, numbers, and symbols. However, those measures are absolutely useless if you get a keylogger.

Similarly, this security token is a measure to make this process stronger. But if someone does put the legwork into cracking the algorithm, it means you'd best not let someone who knows your ID see the serial of the token, because that's essentially the cracker of the code.

There's never going to be a perfect system, because the majority is inherently stupid, and those who aren't often delight in messing with them (often with hilarious results).

Though, if you actually get hacked through a keylogger or screencapture.. You deserved it. Because only you can let those in.