[READ]SRO Account Hacks: How it's done and how to stop it.

whpwnage
Hi, I'm New Here
Posts: 1
Joined: Fri Jan 26, 2007 7:41 am

Post by whpwnage »

MODERATOR AND/OR ADMIN : I say this message deserves a sticky. I certainly don't need to take the time to post or write this - but - I am, for everyone's good. Many people can benefit from my advice - this deserves attention.

This is real insight into the problem. I did this for your users, and ALL users of SRO. I also did this to reassure a few people that my intentions were NOT bad, and I do NOT intend to wrong them.

========[START MESSAGE]=========

I've noticed a rash of hackers running about SRO - and truthfully, it pisses me off. I was confronted by one in-game, warning me to "watch out and don't try to offend the wrong people."

Yeah, right.

Well, the guy didn't know who he was dealing with. My curiosity was sparked. So - a few days ago - I set out to test my skills once more, it's been a long time ... but hey, once they're there - they're there for good. If you care to get an idea of what I am & what I do, this sums it up:

http://en.wikipedia.org/wiki/White-hat

I picked a few people. I ravaged their accounts. I gave them back when I was done. Why, why do all of this when you don't need to? Why waste so much time when you have nothing to gain? Do you want to know how long I've spent doing this?

Account 1: 10 minutes

Account 2: 6 minutes

Account 3: 5 minutes

Account 4: 1 hour ( This guy was a L70+, 33 years old - and a *programmer* no less. I dug up his secret question, I prepared a dictionary attack. If I wanted this guy's account - it was mine. I'm not about to go as far as bruting someone's account. But, I can. I left him alone.)

Account 5: This guy was smart. His snotty posts on boards pissed me off... I had a tough time digging up info on him. Lucky for him - he didn't publicize an e-mail address... except for one that he did not use as his login.

*Gasp* e-mail address.

Let me shed some light on this "hacking" we're all hearing about. Most everyone online, even the so-called "bad" people in-game, are pretty good folks. I really - after getting to know people - haven't found a single person I did NOT like. There ARE people that I do not like - and that's braggarts, script-kiddies, and goldfarmers. So you want to know what I'm going to do today? I'm going to potentially destroy the SRO account hacking problem. I'm going to let YOU know how THEY do it. Why? Because when you KNOW how people can DO something, you also can figure out HOW TO STOP IT. This is especially true when you _ARE_ the security hole.

Here we go:

HOW a SRO account gets hacked & stolen

1- A victim is picked.

2- Find their username

3- Find their e-mail address

4- Owned


Your secret answer is irrelevant at the moment. Your password does not matter. Once they have your username and e-mail, your account is theirs. So, I'd like everyone to take a moment ... and think of how you can correct this problem......

YES!

You need to treat your E-MAIL ADDRESS as your new SRO PASSWORD - DO NOT USE YOUR USERNAME(S)

You need to use a STRONG password on top of this. Use at least 8-10 characters, numbers AND letters. DO NOT USE A WORD IN A DICTIONARY.

People _CAN_ figure out your secret question. One person ... took "birthplace" as a question on their account. I found out the user's country.
I pulled up a list of the 10 major cities in that person's country. (towns & villages don't have hospitals). They were born in city #4. Account is hacked.

Another person - they listed their pet as their secret answer. So, I searched for their username - and an animal. Found their pet's name. Account is hacked.

Are you following a trend here?

The more you post online, the more information there is about you, the easier it is for people to "hack" your account. Yes, this *IS* what hacking *REALLY* is. Taking all of the facts you have available. Building on them. Finding out more information. Building on it ... keep building ... build more ... until you have the answer. My success rate was 80% in taking accounts I set out to take - using my head alone, and NO hacking tools, NO programming, NO cracking.

Let me sum this up for you, in a SHORT list of things you should keep in mind to safeguard your account from someone like ME.

1- Strong password. Press random keys on your keyboard, or use a password randomizer.

2- RECORD YOUR PASSWORDS. Write them down, that way you can use STRONGER passwords.

3- TREAT YOUR E-MAIL ADDRESS LIKE A PASSWORD. Use a NEW e-mail for ALL of your SRO accounts. Under NO circumstances should your username be in your password.

4- Don't fill in public profiles. People use them to hack your account.

5- Don't use the same username to post on boards as you use as a login. Can't stress this enough. That's 50% of your account lost.

6- Search for your OWN information on google. Anything you find - DON'T EVER USE IT AGAIN. This information is now INSECURE.

7- Watch out for XFIRE accounts. They show how much of a PRIME TARGET you are. (1K hours+ logged into SRO? You've got a fat account.)

If you've made a mistake with your account, DON'T PANIC. You can still save it - even if it has been compromised before.

Change your e-mail to something completely out of the ordinary. Something you've never used before.

Make it NOT a word, or a combination of 2 words and some numbers - the longer it is - the harder it is to figure out.

Change your actual name. Use the same fake name for _all_ of your logins.

When you set your passwords - don't be afraid to combine things. If your old pass was dog133 - change it to a combo of words plus numbers: car133bird331 - dumb as it looks - is a GOOD password VS a brute force attack. It's simple for you to remember, and it's HUGE when a scriptkiddie goes to attack it.

Nobody can advise you like someone who is REALLY into security. Joymax's security is shoddy. They suck. You have to take measures for your own good. You've just gotten advice from someone who's pretty good. I won't say I'm one of the best - as there are many better than me. Hey, give me credit - at least I'll admit it.

[ PS: About those guys who claim to break into Joymax's databases: 100% bull. I read that "chat with a hacker" - the guy either bruted or engineered. Trust me on that.]

Good luck everyone. I sincerely apologize to anyone whose account I've gotten into. You know who you are man. I hope you can forgive me. I took 1 global of yours - if you want the dime back, I'll send you a quarter. :)

I've also tried to give Joymax some of my own insight on their problems. You want to know what they say?

Nothing. They don't give a **** about anyone. Keep that in mind.

Peace.
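
The checklist in the post above, written as a self-audit you can run against your own account details. This is an added example, not part of the original post: the function name `audit_account`, its field names and the sample values are hypothetical, and the 8-character minimum and the tiny word list are assumptions based on the post's advice.

```python
import re

# Small constructed word list standing in for a real dictionary file (assumption).
COMMON_WORDS = {"dog", "cat", "password", "dragon", "silkroad", "spot"}


def _norm(s):
    """Lower-case and strip everything except letters and digits."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def audit_account(login_user, login_email, password, secret_answer,
                  public_handles, public_facts):
    """Return a sorted list of findings for one account.

    public_handles: names you post under (forums, chat, XFIRE, ...).
    public_facts:   strings anyone can find about you (city, pet name, ...).
    """
    findings = set()
    user = _norm(login_user)
    local_part = _norm(login_email.split("@", 1)[0])
    pw = _norm(password)
    handles = {_norm(h) for h in public_handles}
    facts = {_norm(f) for f in public_facts if _norm(f)}
    # Ignore empty or very short names so they cannot match everything.
    known = {n for n in handles | {user} if len(n) >= 3}

    # Tip 5: the login name must not double as a public handle.
    if user and user in handles:
        findings.add("login username is also a public handle")

    # Tip 3: the login e-mail must not be derivable from known names.
    if any(name in local_part for name in known):
        findings.add("login e-mail contains a known username or handle")

    # Tips 1 and 3: length, character mix, no username, no bare dictionary word.
    if len(password) < 8:
        findings.add("password shorter than 8 characters")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        findings.add("password lacks a mix of letters and numbers")
    if user and user in pw:
        findings.add("password contains the login username")
    if re.sub(r"\d", "", pw) in COMMON_WORDS:
        findings.add("password is a dictionary word plus digits")

    # Secret answer: anything that turns up in a search is guessable.
    answer = _norm(secret_answer)
    if answer in facts or answer in COMMON_WORDS:
        findings.add("secret answer matches public or common information")

    return sorted(findings)


# Constructed sample accounts (not real users).
WEAK = audit_account("dragonboy", "dragonboy88@example.com", "dog133",
                     "Rex", ["DragonBoy"], ["Rex", "Rotterdam"])
STRONG = audit_account("q7xk2m", "j2j1nxq9@example.com", "car133bird331",
                       "4tvy43w2a4", ["ForumNick"], ["Rex"])
```

`WEAK` comes back with five findings and `STRONG` with none; feed `public_facts` with whatever a search for your own handles turns up (tip 6).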

Demarthl
Advanced Member
Posts: 2296
Joined: Mon Jan 02, 2006 8:33 pm

Post by Demarthl »

interesting. quite interesting indeed.

so, if all this is true, why dontcha take out those who cheat and bot etc?

what you dont work for you dont deserve right?

*shrugs*
<<banned from SRF for disrespect of the mod team and rules violations. -SG>>

Drew_Benton
Active Member
Posts: 639
Joined: Mon Oct 16, 2006 8:46 pm
Quick Reply: Yes
Location: Texas

Post by Drew_Benton »

Nice post, but horrible format.

Don't forget also that since GG is disabled, you could easily trick someone with an "innocent" program that steals their account in game.

Here's the thread I made to try to help: http://www.silkroadforums.com/viewtopic.php?t=26424

DarkJackal
Elite Member
Posts: 6119
Joined: Mon Feb 20, 2006 7:23 pm
Quick Reply: Yes
Location: A den~

Post by DarkJackal »

Shenanigans lol.

That is just guessing and researching their info, not really "hacking". It's not much better than having a program guess it for you (bruteforcing).

SuicideGrl
Retired Admin
Posts: 8004
Joined: Fri Jan 27, 2006 4:17 pm
Location: World of Warcraft

Post by SuicideGrl »

formatting fixed, and stickied. let's not have this be a discussion of ethics, just take the information for what it's worth - and i feel like it's worth a lot. to me, it's worth as much as my character is. Thanks whpwnage.
Thx IceCrash for my awesome sig :)
SRF Name Change Policy
Having trouble accessing SRF?

dom wrote:
RuYi wrote:Are you from outer space or something?
He's from Jersey. Close enough.

LuCiDiTy
Regular Member
Posts: 276
Joined: Sun Sep 03, 2006 2:24 am
Quick Reply: Yes
Location: Olympus

Post by LuCiDiTy »

Thanks for this info. Feels good I have a random login name and pass :)
IGN: Skurken
Level: 7x
Build:Hybrid Int Spear
Guild: _Pure_ (Full)
Union: JustSkillz (~8 Guilds)
Union & Guild Forums
Union Team Speak Server

CrazyAztec
Valued Member
Posts: 419
Joined: Fri Jan 19, 2007 3:55 am
Quick Reply: Yes
Location: RED SEA

Post by CrazyAztec »

:) thanks
I wanna wrote:i love fonts is size 24 and bold

Jay
Active Member
Posts: 679
Joined: Tue Aug 01, 2006 5:13 pm
Quick Reply: Yes
Location: South West London

Post by Jay »

Thanks for the tips, will duly note this info and then start changing my security around, with the 1337 hackings in greece, ima need it, lol..
Yarkan locations Updated 12th Feb

Blyth
Frequent Member
Posts: 1025
Joined: Fri Jul 21, 2006 10:01 pm
Quick Reply: Yes
Location: Off Topic

Re: [READ]SRO Account Hacks: How it's done and how to stop i

Post by Blyth »

whpwnage wrote:I've also tried to give Joymax some of my own insight on their problems. You want to know what they say?

Nothing. They don't give a **** about anyone. Keep that in mind.


So god damn true :banghead: :cry:

ziddy1232
Frequent Member
Posts: 1391
Joined: Sat Sep 30, 2006 12:45 pm
Quick Reply: Yes
Location: Alps

Post by ziddy1232 »

you got me...

twice.
Email wrote:Hi -

You probably have noticed that your account has been trounced.

Please read this whole message through - it's important for your account, and any future accounts you

may decide to make. Pass the information around to anyone you know as well - I'd appreciate it.

Feel free to edit out _EVERYTHING_ personal, and to even slap your own name on this text. You've

earned the right to do it. You can call me Kumadori - if you'd like to refer to me.

=============================================================================================

I have no interest in keeping your account. You seem like a decent guy, and I don't really like

stealing things ... so I guess you're lucky I got it - rather than someone else.

Now, I'll give you step by step advice on how to protect your account from ME getting it again, and from

other people getting it. Other people won't be as nice as I am.


1- Change your e-mail address(es) to non-public ones.

These days - this is a _KEY_ thing you should do. With SRO - this is one of the main weaknesses.

For your accounts that have monetary value - use a *different* e-mail for them. NOT the one you use for

chatting online. You have no idea. Never post your e-mail address you use for your account. Never give

it out. Keep it close.

2- Use a strong password.

It sounds like you had this down. I have no idea what your password was. I didn't need it.

3- Change your name to a fake one.

Lying is OK online. You're just covering your arse. Make sure you either use the same fake name, or

keep a record of names you use.

4- Don't be afraid to write down your fake usernames, alternate e-mails, and passwords .... on paper.

Old things - like notebooks, pens, and paper - are good. They're not online. Stick it in a safe

place, and refer to it when you need to.

5- Your new information is as follows:

user: edited
pass: edited
email:edited (By me.. not the guy who sent this)

You'll never hear from me again - and your account is safe if you follow these instructions.

Now, I'll answer a few questions you most likely will have.

1: How did you do it?

That's for me to know, and you to wonder about. I'm not teaching people how to do this.

2: Did you take anything from my account?

No. I have no interest in that.

3: Are you a hacker?

Yes. It's been a long time since I've done something like this ... but I was challenged online. The

knowledge of how to do this - is all I care about.

4: How long did it take you to get my account?

6 minutes the first time. 4 minutes the second.



Welcome to the real internet.

Don't bother trying to find me. Everything is fake over multiple layers. Not even I could trace this

message.

If you want to respond to me -

Don't be cocky - remember - I could have taken your entire account - twice. I didn't even *use* my full

resources - if I did, lol, you don't want to know. You can post your reply on http://www.silkroadforums.com -

Just title your message "Response to the person who hacked my account". Don't bother asking them to

trace me either. :) I'm already on top of that before you thought of it.

Hope this never happens to you again. If you paid attention and follow that step-by-step guide up

there, you're safe.

Don't mess up again.

PS: My apologies for involving you in my game. Someone challenged me to play - and I did.

Be careful, and have a nice day.


Second email :
You can still visit pr0n sites if you don't got the real thing yet.

I didn't use a keylogger :)

Just my skills & brain.

peace. (Sorry again. T_T - man - watching the real person just makes me feel horrible T_T ~ said like a true white-hat ~ )

~ Kumadori ~


Now. I don't want to shout and swear and raise the roof because it was so easy for you to gain access to my account... I want to thank you.
Thank you for opening my eyes to how easy it is to get hacked...

I won't try and trace you, though I'm sure I could.

J3FFz128
Common Member
Posts: 124
Joined: Tue Nov 28, 2006 9:24 pm
Quick Reply: Yes
Location: Alps

Post by J3FFz128 »

wouldn't you need their password to be able to log in to silkroadonline.net and get their email address?
Server: Alps
IGN: J3FFz128
Build: Pure Str Glavie/Fire
Level: 48
Weapon:+3 LVL 48 GLAVIE
Guild: Elite lvl 5

____________________________

Thanks For Sig Draquish :D

There Is No Spoon

- The Matricks

borat2
Addicted Member
Posts: 2547
Joined: Fri Jan 12, 2007 1:39 pm
Quick Reply: Yes
Location: The Netherlands

Post by borat2 »

Only thing i can comment, you just rock thanks for clearing this up.

woutR
Elite Member
Posts: 5573
Joined: Wed Feb 08, 2006 5:20 pm
Quick Reply: Yes
Location: Netherlands

Post by woutR »

So hack back phulshof's account if you're all so nice and stuff
Last edited by woutR on Fri Jan 26, 2007 2:37 pm, edited 1 time in total.

<< :giveup:>>

hellsharpt
Ex-Staff
Posts: 3003
Joined: Mon Feb 27, 2006 3:24 pm
Quick Reply: Yes
Location: Khadgar

Post by hellsharpt »

you need account name, email and secret question, that's it. With that the password and email address can be changed, then they log in and you can never do so again.

I agree that this is the easiest way to lose your account (aside from being a noob and d/ling a 3rd party program with a keylogger). psholf from my guild lost his this way.

Vandango
Senior Member
Posts: 4143
Joined: Sat Jun 03, 2006 3:23 pm
Quick Reply: Yes
Location: Babel

Post by Vandango »

good luck getting my e-mail
<<banned from SRF for bot admission. -SG>>

ziddy1232
Frequent Member
Posts: 1391
Joined: Sat Sep 30, 2006 12:45 pm
Quick Reply: Yes
Location: Alps

Post by ziddy1232 »

Karlos Vandango wrote:good luck getting my e-mail


itiskarl@hotmail.co.uk

What do i win?

Vandango
Senior Member
Posts: 4143
Joined: Sat Jun 03, 2006 3:23 pm
Quick Reply: Yes
Location: Babel

Post by Vandango »

ziddy1232 wrote:
Karlos Vandango wrote:good luck getting my e-mail


itiskarl@hotmail.co.uk

What do i win?


not the 1 used for my sro account :P
<<banned from SRF for bot admission. -SG>>

achmalach
Active Member
Posts: 986
Joined: Fri Sep 22, 2006 12:03 pm
Quick Reply: Yes
Location: Athens

Post by achmalach »

CAPPED, but not farmed :/
Level 4x Rogue

A Joymax Guild Leader? -->
Raiden wrote:You were inactive for 3 days, and one of my Co. Leaders kicked you. I apologize for the inconvience.

zphantom
Regular Member
Posts: 251
Joined: Thu Jun 29, 2006 7:29 am

Post by zphantom »

That's what I've said :p

He forgot to add:

Create a good secret answer to begin with.

How to prevent getting hacked in the first place:
Use an email address no one knows or would guess (you can change it right now). Don't include your real name, or your nick names, or your user names as part of your email address.
Create a strong Password.
Create a strong Secret Answer (don't use common answers like dog's name as "spot", or birth place as NYC or Los Angeles). Create a good fake or unrelated answer.

After you're hacked, or if your current SA is weak, all you can do is:
Change your email address to something no one knows or would guess again.

I think the best password is even a password that foils keylogging by using letters and numbers that look similar. It can be countered but every bit helps. Add characters like lIi10Ovvw

Black_Mamba
Addicted Member
Posts: 2888
Joined: Tue Jan 03, 2006 5:32 pm
Quick Reply: Yes
Location: Red Sea

Post by Black_Mamba »

Nice info, yeah most people are hacked cuz they reveal too much info about themselves. A mistake I learned a long time ago, years before I found this game. I wasn't hacked in any way but it brought upon other problems with people online. Number 1 rule on the internet is never tell anyone your real name, real town, real country, just fake the lot and keep track of it all. Use different aliases for every forum, site, emails etc. I've never used actual words as anything, I usually fill every box in with random letters and numbers even when it says name and write it down in a book.

uBeR
Active Member
Posts: 966
Joined: Thu Jan 11, 2007 8:40 pm
Quick Reply: Yes
Location: Azteca

Post by uBeR »

Dumb post. Only commonsensical ideas listed here. Have been reiterated thousands of times here.

StealMySoda
Ex-Staff
Posts: 5245
Joined: Sun Sep 03, 2006 2:37 pm
Quick Reply: Yes
Location: Off Topic

Post by StealMySoda »

I think the email thing is a good point.

I made an account on my mom's website, and created the name and made it completely random, made it as long as possible. Before anyone can even try to guess my username on that account they would first need to know my mom's website, which I'm pretty sure nobody on SRO knows.

Even if you can't do that, make an account on hotmail.com or something, and make a completely random name like j2j1nxq91210n.212.sd@hotmail.com, write it down, and write down the password to it also. You're all set.
Ooh, I got a sexy ex-staff title!

MastaChiefX
Senior Member
Posts: 4526
Joined: Fri Nov 03, 2006 1:18 am
Quick Reply: Yes
Location: Life.

Post by MastaChiefX »

This REALLY got a sticky? Wow general discussion has really gone down
^Thanks 0l3n!
Gone. Never really gone, but never really here.
"If Pac-Man had affected us as kids, we’d all be running around in dark rooms, munching pills and listening to repetitive electronic music"

i play silk road
Active Member
Posts: 919
Joined: Wed Dec 20, 2006 9:02 am
Quick Reply: Yes
Location: Iris

Post by i play silk road »

i also recommend alt codes

because they may know the symbol, but not how to get it, eg ‡

someone give me the code for that
Iris: 2x wiz
Iris: 1x 5:1 str glavie


(don't be fooled by my post count & join date, i've only started playing again after over 2 years, so I am a total noob once again)

IceCrash
Forum Legend
Posts: 6816
Joined: Thu Nov 09, 2006 4:49 pm
Quick Reply: Yes
Location: Anything goes

Post by IceCrash »

dude, ur awesome, fantastic thing u have done in postin that, u rock the shit out of everything, honestly.
Plz everybody, say A BIG THANK U for this man/women, he/she deserves it, thank you very much.

IguanaRampage
Advanced Member
Posts: 2483
Joined: Fri Jul 14, 2006 1:37 am
Quick Reply: Yes
Location: Changing

Post by IguanaRampage »

absolutely wonderful. I have been following most of these tips and I recently thought of some of these, and learned some more from this guide. Incredibly nice of you to post this! :) Thanks man!


*spams Bakemaster to make whpwnage a pie*
McCain, he (Barack Obama) said, will soon "be accusing me of being a secret communist because I shared my toys in kindergarten."

zonas_jaf
Casual Member
Posts: 98
Joined: Sat Jan 13, 2007 9:32 pm

Post by zonas_jaf »

the issue with security is very simple, never base anything secure on everyday data. (having designed and broken a few networks i can attest to this).

a lot of people think they can't have their password written down or put in a file on a computer and must memorize them because it's more secure.

here's how i do stuff.

my style of password : 4tvy43w2a4 my style of secret question : 3c4t3erag4. both are kept in a text file on my home server.
i keep it in a txt file on my server at home. at this point people scream 'what if someone hax0rs my machine!' . well reality is A - you don't 'hack into machines' you trick people into running trojans and viruses that you've written. now let's say one gets on to your box, it has to know what to look for. and by the time you have a trojan on your box, you can have a keylogger on there anyways. and with a keylogger it's game over anyway.


i just thought i'd throw that in from experience and all that

Draquish
Elite Member
Posts: 6423
Joined: Wed Mar 15, 2006 10:25 pm
Quick Reply: Yes
Location: ____

Post by Draquish »

I refuse to call this hacking.

Millenium
Ex-Staff
Posts: 2732
Joined: Tue Oct 24, 2006 6:36 pm
Quick Reply: Yes
Location: Waterloo

Post by Millenium »

Oh my god. This is what I've been waiting for all my life.

Thanks so much to the original poster. =( I could have offered my account information for you to hack if I knew it would produce these ..... wonderful results.

I can finally play SRO on Greece *cough* without having to worry about anything. And tell the lame idiots I got hacked twice but I am still legit.
DID YOU KNOW? Milly has retired!!!!


Status: Into Minecraft


IguanaRampage
Advanced Member
Posts: 2483
Joined: Fri Jul 14, 2006 1:37 am
Quick Reply: Yes
Location: Changing

Post by IguanaRampage »

draquish wrote:I refuse to call this hacking.

so...what are you trying to say? Hacking is exploiting a flaw in the system usually, from what I know, and although JM's security isn't great what he is saying is that it is the fault of the user. So what are you trying to say? Are you agreeing with him? :?
McCain, he (Barack Obama) said, will soon "be accusing me of being a secret communist because I shared my toys in kindergarten."
