If you must know, it's one of our newest members.
He believes that this can't be at all accurate and all this other junk.
And he thinks the results will only bring more fear to people.
As if it can get worse, right?
My account was compromised - partially
A fellow SP member PMed me to state that he had reset my PIC without needing access to my e-mail. Due to the reset, when I log into my account it now asks for my PIN. Cracking the PIN can already easily be automated, so it would be just a matter of time before my account would be compromised and the 50 million mesos stolen - though this has not happened yet. This is evidenced by the topic here that started it all when a user from BasilMarket gave his account name and password and was hacked in a matter of hours while still using the PIN system. When I entered my PIN and double-clicked on a character, it asked me to provide a completely new PIC.
The other SP member has reported this vulnerability to Nexon. I do not know the vulnerability that the other user took advantage of.
T__T
Here I was really hoping I could play without worrying about Spidey-locks, changing my password every day, or intentionally banning my account for 24 hours. Ah well.
Woah...without even accessing the mail.
That means if they had logged on right after confirming it, they could have set their own PIC. Not even a need to crack the PIN.
Still better than nothing. I'd be more happy if they brought a combo of PIC and Birthday for the character deletion.
Main point though, it's better that there is something there instead of just letting people waltz onto the account and have their way after setting up a new PIC.
that's depressing :(
I was kinda hoping the PIC would make me feel better about some day returning back to my hacked account D:
Well at least the person able to find the exploit is helping to fix the hole by reporting it to Nexon.
Will only help if whoever processes the tickets actually reads it, understands it, believes it, cares enough, and thinks it's important enough to pass on to the programmers, rather than just hitting the standard autoreply and moving on to the next ticket. To Nexon, the customer is (nearly) always wrong.
I think if they could just be better at keeping the passwords secure, we wouldn't have to deal with all this PIN/PIC nonsense.
I'm guessing it was "god." Seems to find a lot of loopholes :\
....are the PINs our old PINs?
I find it weird Nexon still kept the logs of all of our old PINs.
I'm fairly certain that you do not normally need to use the old PIN when you change the PIC. Fiel's account must have been reset in such a way that it looked like the PIC had never been set before.
Does that mean that if I make a new account today that I will be asked to enter a PIN as well as a PIC? :f6:
I thought the regular PIC reset worked just like the old regular PIN reset where it clears it off your account after you confirm by clicking the link in the e-mail.
If you make a new account it will still ask you to make a PIN (source); Nexon didn't fully make PIC the bread and butter of your account. You will need to make a PIN, then make a PIC. Nexon was smart by keeping the PINs on our accounts and not making the PIC remove our PINs.
When you do a regular PIC reset it does clear your old PIC, it doesn't clear the PIN you had on the account.
No, I just changed the PIC on a second account to be sure.
You do not need to enter the PIN to change the PIC on an existing account.
All you need is account name, password, and email access.
When you log into the game after resetting, you select world, channel, and character as usual. Then you have to enter the new PIC twice.
I actually have a success story on using Nexon's Customer Service. :f6: Took me over 2 months to finally get my items back. (I originally posted all my tickets on my Paladin, rather than my fm mule :f7:) Here's the main gist of it.
What I sent:
Summary: Lost item during maintenance
GM Diatia/GM Jascol, I lost my Pieces of Time during the December 18th server maintenance. It was around 2pm PST, since that's when the maintenance started. Just before the server maintenance, I transferred the 21 Pieces of Time from my mule (soiledlinen, level 44 i/l magician) to my main character (AquaHammer, level 187 Paladin). Both characters are located in the Khaini server. After I successfully transferred the time pieces to my Paladin, I left the FM and went to Leafre to catch the ship to Orbis. While I was waiting for the ship to leave port, I disconnected at the start of the server maintenance. I got an error message telling me "I cannot connect to the servers, and that there may be a server check/maintenance". When I logged back onto Maple, I noticed my 21 Pieces of Time weren't on either of my characters (AquaHammer and soiledlinen). Both of the computers I used to transfer my time pieces ran Windows XP. You asked me to log a ticket from the account with which I had the error, so here it is. Thank you for looking into my dilemma. Your time spent is greatly appreciated.
How they responded:
Thank you for providing this information. We are sorry to hear that you lost these items. At this time we have decided to mail 21 Pieces of Time through NPC Duey to your character soiledlinen on Khaini. GM Talia has already mailed you these items and you have 30 days to pick them up from NPC Duey.
We hope this helps and hope to see you in MapleStory soon!
Sincerely,
GM Jascol
Proof I received the 21 Time Pieces:
It's all about how you explain yourself in your tickets. Yea, I had some bad past experiences with their customer service, but it seems like they do try harder now. Other times, it depends on what category you put it under. They may look at certain categories more than others (which I can admit is screwed up) :excellent:
So is this over? o_0
Also a note for everyone regarding PIC: if hackers ever bypassed the PIC from the character select screen, it will ask for the PIC in game. Char won't be able to move unless the PIC is put in.
If you can PE to bypass PIC you can PE to drop items. Assuming they didn't think far ahead enough to block that client request.
Aren't PINs still required in this scenario? An initial PIN entry?
If not... that almost seems sort of damning on Nexon's end of a database breach. Only having certain security measures in place for old accounts that would have been subject to a leak.
mmm speculatin'
They disabled the way to reset your PIN when they added the reset your PIC.
Sort of implies they're not used any more, because what are the odds of you entering a PIN once and then remembering it far enough down the line when you need it but have never used it before?
Granted logical thinking isn't a Nexon forte, so someone who has bothered registering a new account recently would have to confirm whether or not they were asked to do both a PIN and a PIC.
From Fiel upon making this account (thread in maple questions)
http://www.southperry.net/showthread.php?t=23923
Quote:
Originally Posted by Fiel
So yeah, they still require initial PIN setting. I think the PIC reset button doubles as a PIN reset also.
That's just bizarre then.
It's funny how they put completely different levels of security on all their games despite those games sharing the same account system.
If you just want to hurt someone, you can easily hop to one of the games with zero protection and clean out all their NX.
Wow. I didn't realise some of the other games had no security..
I just realized your initial quote of mine answered the question.
Fiel created this account to test the PIC. Someone somehow reset his PIC, returning it to the PIN input. If PINs no longer came on new accounts, this would not have happened.
Still... it can't be a 2-for-1 button, if this is the case. There has to be a way to deal with PINs now. Perhaps they are ticket-request only?
Not like hackers really play Nexon's other games, lol.
Tomorrow's the last day. If it's not hacked by then.....
Alright, just checked my account.
Unfortunately, I was not able to login to my account. The password was changed and I had to reset it. I am 100% sure that I did not mess up typing the password because I copied the password I had written in the opening post and pasted it in the address field. So, I had to reset my password. I went into my account and a PIC was still not set for my account. This means that my PIN has not yet been cracked. Also, because a new PIC was not set, that means no one was in my account and my mesos are safe.
Then again, considering recent events I cannot for certain say that the PIC system is secure. There was a flaw with it (which Nexon stated that they fixed), but it only takes a split second to think about the compromised GM account to wonder how secure these things really are?
It also makes me think that maybe if the GMs think their accounts are so secure, maybe they are still using the PIN instead of being forced to update to a PIC like every other normal player. But I don't really know much about how people can get around all that account security and hijack it so... :|
Wasn't the PIN the weakest form of security before? Why are these hackers so unable to get past it?
Wait Fiel, what if the hacker took the mesos, but reset the PIC afterwards just to make it seem like you didn't get hacked? It wouldn't hurt to actually check Duey. Better to confirm than to assume for something as important as this.
Yeah it's strange indeed.
Because the MAIN way of getting through the PIN system was to reset it and hack the e-mail. Due to the person not being able to reset the PIN with the e-mail anymore, since Nexon removed that option, they couldn't reset it. The only option left was to guess the pin starting from 0000 and ending with 9999.
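As an added illustration (not from the thread, and not Nexon's code), a toy Python verifier models the point above: with no attempt limit an automated guesser gets through the whole 0000-9999 space, while a server-side lockout stops it after a handful of tries. The lockout policy and the PIN values are assumptions for illustration; the thread does not say what Nexon actually enforced.

```python
# Added example (not from the thread): a toy server-side PIN verifier showing why a
# 4-digit PIN survives automated guessing only if the server limits failed attempts.
import hashlib
import hmac
from typing import Optional, Tuple

PIN_SPACE = 10_000  # every PIN "starting from 0000 and ending with 9999"


class PinVerifier:
    """Holds a hashed PIN and counts failed guesses like a login server would."""
    def __init__(self, pin: str, lockout_after: Optional[int] = None) -> None:
        self._pin_hash = self._digest(pin)
        self.lockout_after = lockout_after  # None = unlimited guesses (assumed weak policy)
        self.failures = 0
        self.locked = False

    @staticmethod
    def _digest(value: str) -> bytes:
        return hashlib.sha256(value.encode("ascii")).digest()

    def check(self, guess: str) -> bool:
        """Return True on a correct PIN; lock the account after too many misses."""
        if self.locked:
            return False
        ok = hmac.compare_digest(self._pin_hash, self._digest(guess))
        if ok:
            self.failures = 0
        else:
            self.failures += 1
            if self.lockout_after is not None and self.failures >= self.lockout_after:
                self.locked = True
        return ok


def exhaustive_guess(verifier: PinVerifier) -> Tuple[Optional[str], int]:
    """Walk 0000..9999 against the verifier; return (pin_found, attempts_used)."""
    for n in range(PIN_SPACE):
        guess = f"{n:04d}"
        if verifier.check(guess):
            return guess, n + 1
        if verifier.locked:  # the server stopped answering; enumeration fails
            return None, n + 1
    return None, PIN_SPACE


if __name__ == "__main__":
    # Constructed PIN "4821": unlimited guesses find it; a 5-try lockout does not.
    print(exhaustive_guess(PinVerifier("4821")))                  # ('4821', 4822)
    print(exhaustive_guess(PinVerifier("4821", lockout_after=5)))  # (None, 5)
```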
Oh Fiel, copy + paste pw doesn't work sometimes.
On my old account when I thought I got hacked I kept pasting my pw, which caused me to get panicked.
But when I finally typed it, it worked.
There's more than one way to reset a PIC
cough http://bit.ly/bS2WHZ cough
"Now you may have to fiddle around with the header information but as of Feb 27, 2010, this exploit works and took me 10 minutes to find. Don’t ask me to help you because I won’t and yes, I’ve sent this into Nexon on Feb 24, 2010 but have received no replies so all is fair until I get that DMCA right?"
This is the worst part of it
Technically, if the top is possible, wouldn't you be able to reset someone's password the same way, with only knowledge of the user ID?
There is no supposition to how the GM account was logged into, the user & pass were both publicly displayed by the GM on accident.
A significant number of people saw it, took screen shots and tried to log in to it. The entire event has its own thread over here.
Yeah, here's just my opinion. Why would someone want to waste their time cracking into your account for only 50mill? To them, that's probably chump change. I used to keylog gunbound accounts and I had an unlimited supply of gold. Accounts that were either decent or just sucked were not worth my time to transfer everything. I think you should up the ante.
It doesn't matter. As it turns out, even though 50m wasn't enough to get someone to expose the PIC's poor security, being a GM was. This particular experiment failed, but the exact same circumstances were provided for the GM's account and it proved exactly what this was meant to.
Random question Fiel; why did you feel the need to level up your mule to 15? Do you have to be level 15 to receive the package?
Are you sure? Last time I checked I could give as many mesos as I wanted to a low lvl character, but they could only transfer 1m per day out. (But that was like 6-9 versions ago that I checked.) So I think the character would be able to receive the package, but if not over lvl 16 the hacker would have had to "train" in order to transfer the mesos to another character.
Ah okay, I decided to look up the character on rankings since they finally fixed them and noticed the change.
Guess no post-deadline hacking occurred after all.
I thought it was over lvl 15 to do that...I wonder why my NLC mule is 16 now.