SRO Account Hacks: How it's done and how to stop it

Go down

SRO Account Hacks: How it's done and how to stop it

Post  pyuyd on Tue Apr 01, 2008 4:17 am

Moderator: I say this message deserves a sticky. I certianly don't need to take the time to post or write this - but - I am, for everyone's good. Many people can benefit from my advice - this deserves attention.
This is real insight into the problem. I did this for your users, and ALL users of SRO. I also did this to reassure a few people that my intentions were NOT bad, and I do NOT intend to wrong them.

I've noticed a rash of hackers running about SRO - and truthfully, it pisses me off. I was confronted by one in-game, warning me to "watch out and don't try to offend the wrong people."

Yeah, right.

Well, the guy didn't know who he was dealing with. My curiosity was sparked. So - a few days ago - I set out to test my skills once more, it's been a long time ... but hey, once they're there - they're there for good. If you care to get an idea of what I am & what I do, this sums it up:

I picked a few people. I ravaged their accounts. I gave them back when I was done. Why, why do all of this when you don't need to? Why waste so much time when you have nothing to gain? Do you want to know how long I've spent doing this?

Account 1: 10 minutes

Account 2: 6 minutes

Account 3: 5 minutes

Account4: 1 hour ( This guy was a L70+, 33 years old - and a *programmer* no less. I dug up his secret question, I prepared a dictionary attack. If I wanted this guy's account - it was mine. I'm not about to go as far as bruting someone's account. But, I can. I left him alone.)

Account 5: This guy was smart. His snotty posts on boards pissed me off... I had a tough time digging up info on him. Lucky for him - he didn't publicize an e-mail address... except for one that he did not use as his login.

*Gasp* e-mail address.

Let me shed some light on this "hacking" we're all hearing about. Most everyone online, even the so called "bad" people in-game, are pretty good folks. I really - after getting to know people - haven't found a single person I did NOT like. There ARE people that I do not like - and that's braggards, script-kiddies, and goldfarmers. So you want to know what I'm going to do today? I'm going to potentially destroy the SRO account hacking problem. I'm going to let YOU know how THEY do it. Why? Because when you KNOW how people can DO something, you also can figure out HOW TO STOP IT. This is especially true when you _ARE_ the security hole.

Here we go:

HOW a SRO account gets hacked & stolen

1- A victim is picked.

2- Find their username

3- Find their e-mail address

4- Owned

Your secret answer is irrelevant at the moment. Your password does not matter. Once they have your username and e-mail, your account is theirs. So, I'd like everyone to take a moment ... and think of how you can correct this problem......


You need to treat your E-MAIL ADDRESS as your new SRO PASSWORD - DO NOT USE YOUR USERNAME(S)

You need to use a STRONG password on top of this. Use at least 8-10 characters, numbers AND letters. DO NOT USE A WORD IN A DICTIONARY.

People _CAN_ figure out your secret question. One person ... took "birthplace" as a question on their account. I found out the user's country.
I pulled up a list of the 10 major cities in that person's country. (towns & villages don't have hospitals). They were born in city #4. Account is hacked.

Another person - they listed their pet as their secret answer. So, I searched for their username - and an animal. Found their pet's name. Account is hacked.

Are you following a trend here?

The more you post online, the more information there is about you, the easier it is for people to "hack" your account. Yes, this *IS* what hacking *REALLY* is. Taking all of the facts you have available. Building on them. Finding out more information. Building on it ... keep building ... build more ... until you have the answer. My success rate was 80% in taking accounts I set out to take - using my head alone, and NO hacking tools, NO programming, NO cracking.

Let me sum this up for you, in a SHORT list of things you should keep in mind to safeguard your account from someone like ME.

1- Strong password. Press random keys on your keyboard, or use a password randomizer.

2- RECORD YOUR PASSWORDS. Write them down, that way you can use STRONGER passwords.

3- TREAT YOUR E-MAIL ADDRESS LIKE A PASSWORD. Use a NEW e-mail for ALL of your SRO accounts. Under NO circumstances should your username be in your password.

4- Don't fill in public profiles. People use them to hack your account.

5- Don't use the same username to post on boards as you use as a login. Can't stress this enough. That's 50% of your account lost.

6- Search for your OWN information on google. Anything you find - DON'T EVER USE IT AGAIN. This information is now INSECURE.

7- Watch out for XFIRE accounts. They show how much of a PRIME TARGET you are. (1K hours+ logged into SRO? You've got a fat account.)

If you've made a mistake with your account, DON'T PANIC. You can still save it - even if it has been compromised before.

Change your e-mail to something completely out of the ordinary. Something you've never used before.

Make it NOT a word, or a combination of 2 words and some numbers - the longer it is - the harder it is to figure out.

Change your actual name. Use the same fake name for _all_ of your logins.

When you set your passwords - don't be afraid to combine things. If your old pass was dog133 - change it to a combo of words plus numbers: car133bird331 - dumb as it looks - is a GOOD password VS a brute force attack. It's simple for you to remember, and it's HUGE when a scriptkiddie goes to attack it.

Nobody can advise you like someone who is REALLY into security. Joymax's security is shoddy. They suck. You have to take measures for your own good. You've just gotten advice from someone who's pretty good. I won't say I'm one of the best - as there are many better than me. Hey, give me credit - at least I'll admit it.

[ PS: About those guys who claim to break into Joymax's databases: 100% bull. I read that "chat with a hacker" - the guy either bruted or engineered. Trust me on that.]

Good luck everyone. I sincerely apologize to anyone whose account I've gotten into. You know who you are man. I hope you can forgive me. I took 1 global of yours - if you want the dime back, I'll send you a quarter.

I've also tried to give Joymax some of my own insight on their problems. You want to know what they say?

Nothing. They don't give a **** about anyone. Keep that in mind.


Posts : 106
Join date : 2008-03-29

View user profile

Back to top Go down

Back to top

- Similar topics

Permissions in this forum:
You cannot reply to topics in this forum