FFXIV Ideas Part 1 – Security

For the first part of this series, after much thinking, I will look at one of the most important aspects of an MMO– security. A year ago, players were the subject of various exploits because their computers were unprotected from vulnerabilities found in JavaScript and Adobe Flash. The people behind RMT activities managed to slip code into their own banner ads, which were displayed on various FFXI-related websites. This code allowed the “RMT hackers” to access players’ accounts, keylog their PlayOnline ID and password and take control of the account. Players, to their surprise and disappointment, found months and years of hard work gone in an instant. Many of their characters had their Rare/Ex gear dropped and were stripped of everything, which was then sold.

Blame was spread everywhere. Blame on Adobe and its vulnerability in Flash at that time. That didn’t surprise me, as more and more security vulnerabilities are being patched in Adobe software. Blame on the players themselves for not having any sort of firewall, anti-virus, anti-malware or anti-spyware software on their computer, or, if they did have them, for not keeping them updated and current. A lot of players also visited suspect websites that carried these infected banner ads.

Lastly, and probably most important, blame was cast on Square-Enix’s lackluster customer service and slow response to the situation at hand. It took months for SE to respond and counteract the issue. Slow to answer, they introduced an option to have a person’s account restored to a previous backup, whether from a few days ago or as far back as three or four months. However, to the player, the process was long and tedious. Oftentimes account retrieval and character restoration proved ineffective, as many players no longer had the original payment information they used when they started FFXI and/or the original registration codes. What made the situation worse were the people behind the customer service handling the issues. Many were ignorant, stupid (putting it bluntly), unsympathetic and unempathetic, robotic, and inflexible. GMs, the game’s Game Masters, were also powerless to handle these issues, and were just as bad as the people behind the customer service telephones.

In the end, Square Enix made available not only character restorations and account retrievals, but also a little security token to further secure the account. However, even this can be pointless, as many players bought one just for the Satchel and extra space, then discontinued their security token. The problem there is that you cannot reactivate the token or get a new one. Once deactivated, it’s deactivated permanently. And, I’m sorry to say, but players who opted just for the satchel and deactivated their token have made a grave mistake. Don’t come crying on public forums if your account gets hacked. It’s your fault now instead of SE’s, because you chose to deactivate your security token.

Other things that were added were the option to store an encrypted file containing one’s password on a different hard drive or in another folder, and an on-screen software keyboard for entering one’s password.

However, what has happened has happened; the damage has been done and the blame game has been played out. What it has shown is that the biggest issue to be dealt with for Square-Enix’s MMOs, FFXI and the upcoming FFXIV, is security.

With that in mind, I asked myself: “How can SE make FFXIV even more secure than FFXI?” Below is my answer to this dilemma.

Let’s start with the security token.

Security token:

  • Optional for PlayStation 3 users. Reason: to my knowledge, no virus or keylogger has been made that infects the modern consoles– 360, Wii and PS3.
  • Mandatory for Windows users. Reason: one word– Windows. Those who have used it know the countless security patches made for Windows and its flagship browser, Internet Explorer.
  • Current FFXI security tokens are transferable to FFXIV accounts, and shared between both MMO accounts.
  • Security tokens, if cancelled, can be renewed and reactivated for a small fee. However, the player would still need to buy a new security token in addition to paying the reactivation fee.
  • The security key code is only valid for 15 seconds before it is permanently erased. Reason: on BG Forums, a user found that an old security code was still valid 30-plus minutes after it had been used. Not good at all.

Five simple bullets. The security token is something I use now, and I am very glad SE has introduced it. Every player should own one. No one should start having a false sense of security, telling themselves that they’ll never get hacked and lose all they’ve worked for. “Never say never” is a saying one should keep close. Prepare for the unexpected as best as possible. Don’t wait for the worst to come to you in the end.
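Here is how a server could enforce the 15-second validity window and the single-use rule from the last bullet. This is an added example, not Square-Enix’s token implementation and not code from the post: it assumes a seed shared between token and server, an HMAC-SHA1 code in the style of RFC 4226/6238 (an assumption; the SE token’s algorithm is not discussed here), one code per 15-second step, and a server-side set of already-consumed steps. The BG Forums finding, a code still accepted half an hour after use, is exactly what the two checks below reject.

```python
import hashlib
import hmac
import struct

# Assumption: one code per 15-second step, the lifetime the post proposes.
STEP_SECONDS = 15


def token_code(secret: bytes, step_index: int, digits: int = 6) -> str:
    """Code the token would display for one time step (RFC 4226 dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", step_index), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def step_for(now: float, step: int = STEP_SECONDS) -> int:
    """Index of the time step that contains the instant `now` (seconds since epoch)."""
    return int(now) // step


class TokenVerifier:
    """Server side: a code is accepted only during its own step, and only once."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS):
        self.secret = secret
        self.step = step
        self.consumed = set()  # step indexes whose code has already been spent

    def verify(self, code: str, now: float) -> str:
        idx = step_for(now, self.step)
        expected = token_code(self.secret, idx)
        # Constant-time compare; a code from any earlier step simply does not match.
        if not hmac.compare_digest(expected, code):
            return "invalid"
        # Right code for the current step, but it was already used: reject the replay.
        if idx in self.consumed:
            return "replayed"
        self.consumed.add(idx)
        return "ok"


if __name__ == "__main__":
    seed = b"constructed-token-seed"  # constructed sample, not a real seed
    verifier = TokenVerifier(seed)
    start = 66667 * STEP_SECONDS
    code = token_code(seed, step_for(start))
    print(verifier.verify(code, start))            # ok
    print(verifier.verify(code, start + 10))       # replayed
    print(verifier.verify(code, start + 30 * 60))  # invalid
```

The verifier accepts only the code for the current step, as the bullet asks; a deployment normally tolerates one step of clock drift between token and server and prunes `consumed` once a step has passed, and neither change affects the replay check.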

A better PlayOnline ID (POL ID) and use of Social Security number:

Though FFXIV will no longer use PlayOnline and the PlayOnline Viewer, the POL ID is a good idea– at first. The POL ID is a unique 8-digit alphanumeric ID: four letters followed by four numbers. It was created upon creation of a PlayOnline/FFXI account. However, the fault with this is that, when exposed to the wiles of a keylogger, anyone can gain access to another person’s account. All they would need is that person’s POL ID and password.

SE thus came up with the security token and another set of user name and password called a Square-Enix account. This means that players have to enter two IDs and two passwords– one POL ID/account password pair, and a second pair for the Square-Enix account user name and password. A fifth password is optional if you’ve locked your PlayOnline Viewer with a password.

This was tedious, as it required two steps if a player didn’t save their ID and password in the Viewer. My suggestion: keep the POL ID but rename it the Final Fantasy Online ID (FFOID), since PlayOnline is no longer used. This FF Online ID, like the POL ID, is created after you set up your FFXIV account. Instead of eight digits, make it ten, a mix of upper and lower case letters and numbers. Example: AannaAnnAA or nnAannaaAA, where n is a number, A is an upper case letter, and a is a lower case letter.

Keep the current Square-Enix account system, as it is effective. In the setup of an FFXIV account, require the user to set up an SE account user name and password. This would be asked for after setting up the player’s account with their payment information and other relevant data. There, in the SE account page, a player can link his or her FF Online ID so that it won’t have to be entered again before logging into FFXIV.

Thus, before logging into FFXIV, a player would be presented with three fields: SE account user name, SE account password, and the security code from the token. If a token is not used, the FF Online ID would be used as a password.

To further secure the account, you will be required to enter your social security number upon registration and account setup. It is only used for account verification, cannot be changed or altered, whether by calling Square-Enix or through the SE account page, and is stored server-side permanently. I will explain why below. AION uses the SSN as a way to verify one’s age, but here it will verify not one’s age but one’s account. This will follow a person’s account and character(s) from system to system.

You might think that, as with AION, you can enter any SSN to fool the server into verifying your age, but here it is much different. You will need a valid form of payment– debit or credit card– for ID verification. Since debit/credit cards contain the person’s name, social security number, address, and balance, this will be used to verify a valid SSN. The name and SSN must match those on the debit/credit card for ID verification during initial account setup. If you are using a parent’s credit card, their name will be used for the account, and this name and SSN cannot be altered once the account is created. Then again, why, for goodness’ sake, would someone younger than 18 be allowed to play? It’s already disallowed for someone younger than 18 to play FFXI under the ToS/EULA. Seeing that the name used for account setup and that name’s SSN are permanent and cannot be changed, no other person can use that account and character.

Any changes to the hardware, and updating the UIC’s hardware IDs and/or console model, will require verification of one’s social security number. The UIC is described next.

Unique identifier code (UIC):

Now, an FF Online ID may not be enough for security, especially if a player opts not to have a security token.

The idea behind this comes from the activation process used by current software such as the Windows OS and Adobe products. When one activates Windows, a code is first generated from the hardware that Windows is installed on. This unique code is submitted, and an activation code is returned so that the person can activate and use Windows permanently. It’s annoying to use for Windows or any other software, and to some it’s invasive and unnecessary. However, when one thinks about it, it is secure, as the code is highly unique and cannot be manually modified.

When the concept is applied to an MMO, it can further secure a person’s account. But this time it isn’t used to activate a person’s account, but to secure it. And, seeing that PS3 consoles vary only slightly from one another compared to computer hardware, this might seem ineffective.

This is where the “unique identifier code” (UIC) comes into play. This code is latched onto a person’s account and character. The UIC is generated after a person installs FFXIV and creates an FFXIV account. During account setup, you are asked to enter your name, social security number, and payment information. The UIC is non-transferable and is stored server-side. It is permanently linked to your SE security account and the FFXIV account you initially set up, and to all characters you create afterwards.

Each time FFXIV is loaded, it will perform a quick scan to generate a temporary UIC. This temporary UIC contains items 1, 2, 3, 6 and 8 listed below. It is then verified ONCE, when the player logs in, by checking it against the permanent UIC stored on the server. If they match, the player can log in. If they DO NOT match, the person is warned and immediately prevented from logging in. They also cannot perform any account-related changes while a mismatch exists.

The following can and should be used to make up this unique identifier code of a certain length:

  1. FF Online ID as a prefix
  2. Original registration code that came with FFXIV
  3. Player’s first 4 letters of his or her first and last name
  4. Console’s serial/model number
  5. Console’s region number
  6. Player’s region code
  7. Computer’s hardware made of the following five traits:
    1. video card model
    2. CPU model
    3. sound card model
    4. motherboard model
    5. operating system
  8. Last six digits of one’s social security number as a suffix

Items 1, 2, 3, 6, and 8 are unchangeable and permanent.

Items 4 and 5 are only used on the PS3. On PC, these would be xxxxx-xx, representing the first 5 digits of a PS3’s model number followed by its two-digit region code. When a person plays on both PC and PS3, two UICs are generated, since they must be two separate unique codes. This can also change when a player changes console models; they would have to do something I describe below called “Hardware change.”

If a person registers and creates an account on PC first, the PC UIC is created, and vice versa for PS3. When that person installs it on a PS3 after having done so on the PC, the player would have to select an option called “Transfer existing UIC to PS3.” The player would have to enter their FF Online ID, original registration code, full name and social security number, which is only used to create and verify a confirmed registered user on the server. This confirmed registered user is permanent and cannot be changed, whether through account settings or even by calling Square-Enix. The opposite option also applies if the PS3 version was installed and set up before the PC version: “Transfer existing UIC to PC.” Yes, account creation should now require a person’s social security number.

Item 7 is only used on a PC, and can be altered due to hardware upgrades or changes. A player would only have to go to their account page for the FFXIV viewer (whatever it will be called) or their SE account page and find an option I would call “Hardware change.” By clicking this, a scan of the system’s hardware is performed and the UIC is changed and updated.

Item 3 is the player’s name used upon registering and creating their account. It is permanent and unchangeable, and stored server-side.

Example of a UIC if a player is using both a PC and PS3 version of FFXIV:

PS3 UIC: xxxxxxxxxx-xxxx-xxxx-xxxx-xxxx-joe0doe0-cecha-01-01-xxx-xxx-xxx-xxx-xxx-999999

Windows UIC: xxxxxxxxxx-xxxx-xxxx-xxxx-xxxx-joe0doe0-xxxxx-xx-01-555-555-555-555-555-999999

Temporary UIC (used for verifying user and account created upon loading FFXIV):

xxxxxxxxxx-xxxx-xxxx-xxxx-xxxx-temptemp-nnnnn-nn-01-nnn-nnn-nnn-nnn-nnn-999999

All “x” remain the same. “xxx-xxx-xxx-xxx-xxx” is used in place of the PC’s hardware configuration code on the PS3. The last six digits remain the same as well and are unchangeable.

“n” represents the code numbers generated when a player logs on from either a PS3 or a PC. These will match up with the “x” used in the permanent one. If the temp UIC was made on a PC, it would only have the hardware IDs for that. The same applies to the PS3, and both are verified against the permanent UIC stored on the server before logging in.

“0” replaces the last character(s) if a person’s first and/or last name is shorter than four characters.

When one upgrades or changes their computer hardware, or if a player changes console models, they would have to verify the name and social security number stored on the server, along with the original FF Online ID and registration code. This whole process may seem tedious and invasive, but it should prove effective in securing a person’s account and preventing something even more grave– RMT activity.

Using UIC to prevent RMT activity:

Seeing that a UIC is generated upon account creation with every installation of FFXIV, and is unique from person to person, this should prove an effective means of stopping players from selling their accounts and characters to places like BroGame or IGE.

Hear me out on this.

Let’s say you quit FFXIV after two or three years and think you want your money’s worth by selling your account. Now, remember, you have a permanent UIC stored on the server with your name and social security number. This UIC is also permanently attached to your character(s). First off, when one re-installs FFXIV because of a hardware or software issue, they would only have to select “Use existing account.” There, a player would have to enter the original registration code, name, social security number, and FF Online ID used when the account was created, to verify the correct account owner. However, when one sets up a new installation of FFXIV, they would be required to create a new account and register with the server before using the program. This immediately creates a UIC that is automatically attached to that person’s new account and, later, their character or characters. It is this same UIC that is verified against the server to see if it matches that on the characters. It is also, as said above, used to generate a temporary UIC to match the one on the server.

When another person obtains someone else’s FFXIV account information, they will be met with a couple of obstacles:

  • The new person with another person’s FFXIV account cannot verify it, since they have different social security numbers
  • FFXIV generates a temporary UIC upon loading using the current hardware, based on the user who installed and set up FFXIV– new installation or not
  • The same temporary UIC also uses the registration code that came with the original FFXIV software.
  • The UIC from the other person’s account contains part of their name and the last hardware used.
  • The UIC holds the last six digits of the other person’s social security number and cannot be changed.

The player selling his or her account would have to give up the following:

  • First and foremost their full social security number, not the partial last six digits
  • Registration code for FFXIV
  • FF Online ID
  • Full first and last name used when the account was created
  • SE account username (which cannot be changed once created) and password

The person selling his or her account would literally have to go to the buyer’s household and enter their name and social security number to perform the transfer of the account. Someone who gives up their social security number for several hundred or even thousands of dollars would have to be pretty idiotic, and deserve the Darwin Award of the Year.

The person who purchased the account also cannot attach that bought account from the SE account page, as it is non-transferable. And, even then, he or she would still need the original owner’s social security number to change hardware IDs or payment info and to verify account and character ownership. Your UIC is permanently attached to your SE security account username and password. This is the same information used to log you into FFXIV, as this will be mandatory. You cannot add or transfer characters and accounts you have obtained– whether illegally (hacked) or bought– to your existing SE account.

In another scenario, let’s say the other person only has the FF Online ID, name, and SE account user name and password. Their current temporary UIC would be verified against the UIC of the account being logged into. When a mismatch is detected, that player would be prevented from logging on. After three attempts, that person’s computer and/or PS3 is locked out from accessing that account again. They would have to use the hardware change, transfer existing UIC, or use existing account options, and do so with another person’s social security number.
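The matching rule from the UIC section (placeholders for the other platform’s slots, “temptemp” in the name slot, comparison against the permanent record on the server) and the three-attempt lockout from the scenario just above, as an added example that is not part of the original post and not Square-Enix’s code. Everything in it is assumed: the function names, the three-digit hardware codes derived by hashing each component’s model string (the post gives no encoding for them), and the sample account values, which are constructed. The server derives the temporary UIC it expects from the stored permanent one, so a client cannot get a match by sending placeholders in every slot, and the lockout is keyed to the mismatching device’s temporary UIC so the genuine device is unaffected.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

PLACEHOLDER_CONSOLE = "xxxxx-xx"              # console slots on a PC record
PLACEHOLDER_HARDWARE = "xxx-xxx-xxx-xxx-xxx"  # hardware slots on a PS3 record
TEMP_NAME = "temptemp"                        # name slot inside a temporary UIC
NAME_INDEX = 5                                # segment order: ffoid(0) reg(1-4) name(5)
MAX_MISMATCHES = 3                            # the post's "three attempts"


def name_segment(first: str, last: str) -> str:
    """First four letters of first and last name, each padded with 0 (the post's rule)."""
    def part(s: str) -> str:
        letters = "".join(ch for ch in s.lower() if ch.isalpha())[:4]
        return letters.ljust(4, "0")
    return part(first) + part(last)


def hardware_segment(models: list) -> str:
    """Five component models reduced to three-digit codes.
    Assumption: a truncated SHA-256 of each model string; the post gives no encoding."""
    if len(models) != 5:
        raise ValueError("expected video card, CPU, sound card, motherboard, OS")
    return "-".join(
        str(int(hashlib.sha256(m.encode()).hexdigest(), 16) % 1000).zfill(3) for m in models
    )


def assemble(ffoid, reg_code, name_seg, player_region, ssn_last6, console=None, hardware=None):
    """Lay the segments out in the post's order. Exactly one platform is given;
    the other platform's slots get the post's x placeholders."""
    if (console is None) == (hardware is None):
        raise ValueError("give console=(model, region) for PS3 or hardware=[...] for PC")
    if "-" in ffoid or reg_code.count("-") != 3:
        raise ValueError("FF Online ID has no dashes; registration code is four groups")
    console_seg = f"{console[0]}-{console[1]}" if console else PLACEHOLDER_CONSOLE
    hw_seg = hardware_segment(hardware) if hardware else PLACEHOLDER_HARDWARE
    # The SSN suffix sits in the clear only because that is the post's layout;
    # a deployment would keep a salted hash of it server-side instead.
    return "-".join([ffoid, reg_code, name_seg, console_seg, player_region, hw_seg, ssn_last6])


def permanent_uic(ffoid, reg_code, first, last, player_region, ssn_last6, **platform):
    """Stored server-side at account creation."""
    return assemble(ffoid, reg_code, name_segment(first, last), player_region, ssn_last6, **platform)


def temporary_uic(ffoid, reg_code, player_region, ssn_last6, **platform):
    """Built by the client at each load from a fresh hardware or console scan."""
    return assemble(ffoid, reg_code, TEMP_NAME, player_region, ssn_last6, **platform)


def expected_temporary(permanent: str) -> str:
    """What the server expects a genuine client on this record to send."""
    parts = permanent.split("-")
    parts[NAME_INDEX] = TEMP_NAME
    return "-".join(parts)


@dataclass
class AccountRecord:
    permanent: dict                                  # platform -> permanent UIC
    mismatches: dict = field(default_factory=dict)  # temp UIC -> failed attempts
    locked: set = field(default_factory=set)        # temp UICs locked out of this account


def verify_login(account: AccountRecord, platform: str, temp: str) -> str:
    """Returns 'ok', 'mismatch' or 'locked'. Three mismatches lock that device out."""
    if temp in account.locked:
        return "locked"
    stored = account.permanent.get(platform)
    if stored is not None and hmac.compare_digest(expected_temporary(stored), temp):
        return "ok"
    count = account.mismatches.get(temp, 0) + 1
    account.mismatches[temp] = count
    if count >= MAX_MISMATCHES:
        account.locked.add(temp)
        return "locked"
    return "mismatch"


if __name__ == "__main__":
    # Constructed sample values, not a real account.
    pc_hw = ["GeForce GTX 280", "Core i7-920", "X-Fi Titanium", "P6T Deluxe", "Windows 7"]
    record = AccountRecord(permanent={
        "pc": permanent_uic("Ab12cD34EF", "1234-5678-9abc-def0", "Joe", "Doe", "01", "999999", hardware=pc_hw),
    })
    print(record.permanent["pc"])
    temp = temporary_uic("Ab12cD34EF", "1234-5678-9abc-def0", "01", "999999", hardware=pc_hw)
    print(verify_login(record, "pc", temp))  # ok
```

A changed video card or OS produces a different hardware segment, so the client’s temporary UIC stops matching until the player goes through the “Hardware change” step, which in this design would simply replace `record.permanent["pc"]` after the SSN check the post requires.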

I know that many of you would never give out something as unique as your social security number, and would have to be as dumb as a brick to do so.  The process involved would also be tedious but it’s the best way to secure one’s account.  I don’t know about you, but giving out your SSN to IGE or BroGame would have to be very stupid on your part.

In summary, the UIC will prevent account sharing, the selling of accounts, the exploitation of one’s account, and hackers getting hold of it. If by some off chance you get keylogged and an RMT player gets your FF Online ID and SE account username and password, they would still need your social security number to verify the account and go through the transfer existing UIC, hardware change, or use existing account options for the current hardware that FFXIV is played on.

Stronger encryption:

SE should implement AES-128 or stronger encryption for logging on, connecting, and verifying an account. The contents of the game loaded into memory would also be encrypted and their memory block locations randomized. This is to prevent tampering with the game and to stop botters and hackers. It may cause a small performance hit, but given that the PS3 and Windows-based PCs have powerful enough processors, this should NOT be a problem.

Optionally, SE could implement encryption while in-game to hopefully stop packet sniffers, but only if it didn’t cause delay or lag in the game.

Memory scanning and process protection:

Practically all Korean MMOs use a form of memory scanning and protection to prevent hacks, cheaters and botters. It uses a somewhat invasive method that installs a system-level file which is loaded while the game is running. Security software previously considered this a harmful rootkit, but software like Daemon Tools does the same thing to create virtual disc drives. The software used for memory scanning and protection is called nProtect GameGuard. I know Blizzard does something similar for World of Warcraft by scanning a person’s memory. If anything is found, the player is immediately reported.

It does the following (according to Wikipedia):

“Hides the game application process, monitors the entire memory range, terminates applications defined by the game vendor and INCA to be cheats, blocks certain calls to DirectX functions and Windows APIs and auto-updates itself to change as new threats surface.”

I would love to see Square-Enix implement something similar to prevent hackers and botters, and have it be a required install on all Windows Vista and upcoming Windows 7 PCs. It would stop cheaters, something I hate so much in FFXI, and would make the game a much better MMO to play.

I’ve played Korean MMOs before and still do. I don’t find GameGuard annoying or intrusive. It’s welcome, in fact. Now, if only they stopped the RMT in the Korean MMOs…

Conclusion

With everything mentioned, I have given my ideas for security in FFXIV and wish Square-Enix would consider them. I have covered three things in this post: FF Online ID, unique identification code, memory scanning, and encryption. The more secure FFXIV is than FFXI, the more I will consider playing it. I don’t want to see another RMT or another botter in that game.

I can be contacted via “octoberasian” on KillingIfrit.com or “Aselin” on BlueGartr Forums.  I can give out my e-mail only if requested via PM on those forums.

I will not publicly give out my e-mail here due to the possibility of spam. You can also post on my forum here.


This entry was posted in FFXI, FFXIV.