Possible security issues



Tincture
05-31-2013, 07:32 PM
Hi all - (apologies if this was tackled in an earlier thread),

I don't want to sound pessimistic, but I was just wondering how will Hex handle duping/hacking issues? With the upcoming tablet support, that means the game opens up another possible security loophole. There are some TCGs out there where these exploits have happened. Repeatedly. I would dare say a lot have seen or heard of such events and this will ruin it all for the legitimate customers. Heck, we see it even with physical cards like MTG with counterfeiting. The only difference is that here, it's so easy for anyone with enough savvy to dupe cards and you won't know if it's legit or not; unlike in real life cards where there are still some ways to try and determine if the card is good. What security features will be showcased to protect us?

I just want to be able to play in an environment knowing that my investment is what it is and that people get their cards by luck, trading or hard work (PVE). Not through cheating.

Derium
05-31-2013, 07:34 PM
All cards have a code, two show up with the same code, they know. That security has been around since '97 in UO. Trust me, it's there now in 2013.

Tyrfang
05-31-2013, 07:36 PM
They actually stated on a podcast that each card has a unique identifier and a history.

You could probably dupe the cards using a memory dump on the client, but they'd recognize them as doubles once you interacted with the server.

Cory believes "security and authenticity" is the "most important" factor for the secondary market to thrive for any collectible, and they have been developing with that in mind.

nearlysober
05-31-2013, 07:39 PM
I think I read somewhere on the forums today that they'll have an upcoming article on security coming up soon, before the KS ends.

But yeah, as others have mentioned each card will have a unique encrypted key and they will be able to be traced.

In addition, for account security, they will have an authenticator system.

Tyrfang
05-31-2013, 07:40 PM
This Sunday should be a security article by Cory; he announced it during the Geek Allstars podcast.

Erebus
05-31-2013, 07:40 PM
He's stated very clearly in his GeekAllStar interview that they have some very complicated security algorithms in place already and he has a zero tolerance policy for this kind of thing.

Tincture
05-31-2013, 07:41 PM
Wow. Thanks for all the replies. Nice knowing that they already thought of it. Really looking forward to playing this game when it comes out! :)

Tyrfang
05-31-2013, 07:45 PM
I'm glad they thought it was such a huge issue.

*Silently glares at Blizzard.*

Tincture
05-31-2013, 07:48 PM
Lol! So true so true.... :D

LordRaven
05-31-2013, 10:29 PM
So glad they hit the goal for authenticator support at launch. My authenticator was removed from my WoW account for less than an hour (when I upgraded an old iPhone) and I got hacked before I could get it back on. I've had a physical authenticator on my SWTOR account since before the game went live.

Banquetto
06-01-2013, 03:23 AM
I don't think there's really much to say about duping and similar security issues.

If CZE execute successfully, there'll be no problems. If they have some horrible bugs slip through their QA (oh hai Neverwinter negative auction bids), then there will be dire problems.

But it really comes down to execution. Nobody is making flawed design decisions that enable duping anymore.

wradcliffe
06-02-2013, 02:05 PM
I think there is a lot that has not been said about security in general. It is not really just security, it is about the platform and the development approach being taken. Cryptozoic has not been a software development company up until now so it should be a concern to anyone how they plan to pull off a stable and secure platform. When I look at the team members for HEX I see nobody dedicated to this. There is no Platform Architect or Quality Assurance and Testing Lead, only developers listed. I would personally love to be involved in a complete architecture/platform review and would consider it a good sign if they opened up their system to scrutiny.

Fireblast
06-02-2013, 02:38 PM
Some subcontractors are probably doing it for them.
Just hope they have some good guarantees

~

Mr.Funsocks
06-02-2013, 02:41 PM
One problem about security: You generally don't want to talk about it too much 'cause then the bad guys know what they're fighting.

Tyrfang
06-02-2013, 02:44 PM
Basically, as long as the database itself is secure, there are only a few ways to "attack" the game..

Off the top of my head:

"Fake" a purchase, which wouldn't matter, because the boosters probably have a unique ID, and that would be checked when you open the pack or use it in a tournament.
Copy all the cards stored in the app's memory via a memdump, but then the server would notice doubles of certain IDs, and delete them.
Adjust your in-game currency...which is also stored in the database, so it would really only be visual.
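
The server-side check described in the post above (every card instance has a unique ID and history in the database, so copies made in client memory are rejected on contact with the server), sketched as an added example that is not part of the original thread and not Cryptozoic's code. `CardLedger`, its method names and the sample data are hypothetical.

```python
import uuid

class CardLedger:
    """Server-side source of truth: one record per card instance."""
    def __init__(self):
        self.owner = {}    # instance_id -> current owner account
        self.history = {}  # instance_id -> list of (event, from, to)

    def mint(self, card_name, owner):
        # IDs are generated by the server, never accepted from a client.
        iid = uuid.uuid4().hex
        self.owner[iid] = owner
        self.history[iid] = [("mint:" + card_name, None, owner)]
        return iid

    def trade(self, iid, seller, buyer):
        if self.owner.get(iid) != seller:
            raise PermissionError("seller does not own this instance")
        self.owner[iid] = buyer
        self.history[iid].append(("trade", seller, buyer))

    def validate_claim(self, player, claimed_ids):
        """Check a client-submitted ID list; return (accepted, rejected)."""
        accepted, rejected, seen = [], [], set()
        for iid in claimed_ids:
            if iid in seen:
                rejected.append((iid, "duplicate id in claim"))
            elif iid not in self.owner:
                rejected.append((iid, "unknown id"))
            elif self.owner[iid] != player:
                rejected.append((iid, "owned by another account"))
            else:
                accepted.append(iid)
            seen.add(iid)
        return accepted, rejected

def demo():
    # Constructed sample data: alice keeps card a and trades card b to bob,
    # then a tampered client claims a twice, the traded card, and a made-up ID.
    ledger = CardLedger()
    a = ledger.mint("Constructed Card A", "alice")
    b = ledger.mint("Constructed Card B", "alice")
    ledger.trade(b, "alice", "bob")
    forged = "0" * 32
    return ledger.validate_claim("alice", [a, a, b, forged]), ledger.history[b]

if __name__ == "__main__":
    print(demo())
```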

Niedar
06-02-2013, 02:45 PM
Security through obscurity doesn't work if it's worth the time and effort.

Mr.Funsocks
06-02-2013, 03:11 PM
Basically, as long as the database itself is secure, there are only a few ways to "attack" the game..

Off the top of my head:

"Fake" a purchase, which wouldn't matter, because the boosters probably have a unique ID, and that would be checked when you open the pack or use it in a tournament.
Copy all the cards stored in the app's memory via a memdump, but then the server would notice doubles of certain IDs, and delete them.
Adjust your in-game currency...which is also stored in the database, so it would really only be visual.

That misses the two most common ways: Break into someone's account (which, really, the only way that happens is user stupidity typically and they can't do much about that), or botting, which I figure will be difficult and not too lucrative, but entirely possible.

NaryaDL0re
06-02-2013, 03:15 PM
Just adding this in case no one already mentioned it.

The more crypto tells us about security the worse it is.
Just like Blizzard for example states at every occasion;
talking about security measures is contradictory to their purpose.

So we might as well rub our little heads together...
but we shouldn't hope for any real "update" or information.
Let's hope no one finds out how this game is protected.

EDIT. ah mr funsocks beat me to it.

Tyrfang
06-02-2013, 03:22 PM
Account security has authentication. Hopefully people don't log in with the same account info as other games with shoddy security...