For Neopets ONLY discussion.
Topic locked

Sat Feb 19, 2005 3:48 pm

I don't see why some of you are "happy" about the code being taken away. For those who might not know, the reason the code was put into place is because there were programs that were constantly attacking the login page guessing a ton of passwords. And the programs were working.

The code stopped all of this, making accounts much safer from programs attempting to gain access.

Also, someone mentioned that they'd want the username and password on the same page. Considering how fast someone may log in without noticing anything like a peculiar URL, it's how all of those fake login pages worked so well. ;)

Sat Feb 19, 2005 5:02 pm

Personally, I'm quite glad they've gotten rid of it. I'm getting tired of entering a code in, just because they think I'm a robot! Hmph! :evil:

Sat Feb 19, 2005 5:15 pm

Tizzy wrote: Personally, I'm quite glad they've gotten rid of it. I'm getting tired of entering a code in, just because they think I'm a robot! Hmph! :evil:


It's actually to protect your account. Not 'cause they think you're a robot so. :roll:

Sat Feb 19, 2005 5:20 pm

In that case...I want the code back too!

Sat Feb 19, 2005 5:26 pm

Hmm, I wonder if they're going to bring the code back eventually? They're probably updating the system or something. o_O

Sat Feb 19, 2005 5:29 pm

Yes, they could be doing that. A lot of things haven't been working at all today.

Sat Feb 19, 2005 6:22 pm

Well, I'm happy it's been taken away for the moment. I had forgotten the password to my two spare accounts, and I use a combination of 3 passwords and numbers at the end and it's hard to keep rearranging and doing the security code too.

I was able to get one of my accounts back, will have to wait an hour for the other one but I'll remember its password one of these days lol

I do hope they bring it back, but for now, it was nice to figure out some forgotten passes!

Sat Feb 19, 2005 6:36 pm

I was just logging on and saw this post...I thought I fell for a scam login page or something :P

Sat Feb 19, 2005 9:02 pm

Next time just check the URL and make sure it's Neopets.

Sun Feb 20, 2005 3:46 pm

Tizzy wrote: Next time just check the URL and make sure it's Neopets.


Actually, that doesn't always work.

In Firefox, for example (along with, most certainly, Opera and Safari... don't know for sure if IE is vulnerable to it, but I'd assume it is), URLs can be spoofed disturbingly easily. There's an exploit that uses alternate character codes to force a false URL to display. You can also make it look very similar to the correct letters, which is enough to fool a casual glance.

Read more about that here: http://www.shmoo.com/idn/homograph_old.txt and especially noteworthy is the suggestion they have for how to check a URL:
There are a few methods to detect that you are under a spoof attack. One easy method is to cut & paste the url you are accessing into notepad or some other tool (under OSX, paste into a terminal window) which will allow you to view what character set/pagecode the string is in. You can also view the details of the SSL cert, to see if it's using a punycode wrapped version of the domain (starting with the string 'xn-').
(see also http://www.shmoo.com/idn/ , which has a working example of a spoofed url so you can see if you're currently vulnerable).

Alternately, Firefox and Internet Explorer users can install the Spoof Stick extension, which will display the real url of the site you're on in giant letters of the color of your choice in the toolbar. I highly recommend it. You can download that here: http://www.corestreet.com/spoofstick/
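
Added example, not part of the original post: the two manual checks described above (look at the real characters in the hostname, and look for a punycode-wrapped label) done in Python with the standard-library `idna` codec. The function names and sample URLs are constructed for illustration; the prefix tested is the standard ACE prefix `xn--`.

```python
import unicodedata
from urllib.parse import urlsplit


def scripts_in(label):
    """Script of each letter, read from the first word of its Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def check_host(url):
    """Return (ace_host, findings) for the hostname part of url."""
    host = urlsplit(url).hostname or ""
    try:
        # ACE is the ASCII form that goes on the wire and into certificates;
        # labels that needed conversion carry the 'xn--' prefix.
        ace = host.encode("idna").decode("ascii")
        # Unicode form, i.e. what an IDN-aware browser may put in the address bar.
        shown = ace.encode("ascii").decode("idna")
    except UnicodeError as exc:
        return host, [f"hostname is not valid IDNA: {exc}"]
    findings = []
    for ace_label, shown_label in zip(ace.split("."), shown.split(".")):
        if ace_label.startswith("xn--"):
            findings.append(f"punycode label {ace_label!r} displays as {shown_label!r}")
        scripts = scripts_in(shown_label)
        if len(scripts) > 1:
            findings.append(f"mixed scripts in {shown_label!r}: {sorted(scripts)}")
    return ace, findings


# Constructed samples: in SPOOFED the 'o' is U+043E (Cyrillic small o), not Latin 'o'.
SPOOFED = "http://www.ne\u043epets.com/login"
GENUINE = "http://www.neopets.com/login"

if __name__ == "__main__":
    for url in (SPOOFED, GENUINE):
        ace, findings = check_host(url)
        print(ace, findings or "no findings")
```

The same function accepts a hostname that is already in `xn--` form, such as one copied out of a certificate, and reports what it would display as.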

Sun Feb 20, 2005 3:51 pm

Really?! Thanks iconoplast! Hmm, I guess I'm stumped now. We just have to hope the code comes back.

Sun Feb 20, 2005 3:53 pm

iconoplast wrote:
Tizzy wrote: Next time just check the URL and make sure it's Neopets.


Actually, that doesn't always work.

In Firefox, for example (along with, most certainly, Opera and Safari... don't know for sure if IE is vulnerable to it, but I'd assume it is), URLs can be spoofed disturbingly easily. There's an exploit that uses alternate character codes to force a false URL to display. You can also make it look very similar to the correct letters, which is enough to fool a casual glance.

Read more about that here: http://www.shmoo.com/idn/homograph_old.txt and especially noteworthy is the suggestion they have for how to check a URL:
There are a few methods to detect that you are under a spoof attack. One easy method is to cut & paste the url you are accessing into notepad or some other tool (under OSX, paste into a terminal window) which will allow you to view what character set/pagecode the string is in. You can also view the details of the SSL cert, to see if it's using a punycode wrapped version of the domain (starting with the string 'xn-').
(see also http://www.shmoo.com/idn/ , which has a working example of a spoofed url so you can see if you're currently vulnerable).

Alternately, Firefox and Internet Explorer users can install the Spoof Stick extension, which will display the real url of the site you're on in giant letters of the color of your choice in the toolbar. I highly recommend it. You can download that here: http://www.corestreet.com/spoofstick/


Interesting, that is the first time I've heard of that. Guess the internet is even more insecure than I thought... :roll:

ADDIT: The spoofstick thingy takes up a lot of window space though. I think the best bet would be to be wary if you suddenly reach a log-in page unexpectedly. Anyone would know that something is up if you click on something in a user shop and are suddenly required to log in.
Last edited by Qanda on Sun Feb 20, 2005 3:56 pm, edited 1 time in total.

Sun Feb 20, 2005 3:53 pm

If they did take the code away to 'fix it' it could be because sometimes you couldn't tell which letters were which! I know on more than one occasion where I thought I was typing the correct code, but I wasn't because the c looked like a g or the l like a 1.
But maybe I'm just blind.

Sun Feb 20, 2005 4:07 pm

Qanda wrote: ADDIT: The spoofstick thingy takes up a lot of window space though. I think the best bet would be to be wary if you suddenly reach a log-in page unexpectedly. Anyone would know that something is up if you click on something in a user shop and are suddenly required to log in.

You can resize Spoof Stick in the options, and move it around a bit (at least in Firefox... haven't tested it in IE, because I really only use that to check compatibility for my website). (= I'll admit, though, it's a lot less obtrusive on large screen resolutions (sometimes I forget that not everyone is on 1600 x 1200 like I am). And part of the reason I recommend it is that Neopets isn't the only place that you're vulnerable to that sort of thing. The most common targets are probably eBay and PayPal, although large banks are pretty commonly attacked in that way as well. But hey, that's why I gave multiple solutions as to how to check URLs.

And inrun, you're not the only one who had that problem. I always sort of assumed that when I needed to log back in for some reason it would usually take me 2-3 tries to get a code I could read. It just never bothered me much, because I almost never log out... it's a luxury of being the only one allowed within 3 feet of my computer without being smacked with a dead fish. :D

Sun Feb 20, 2005 4:11 pm

iconoplast wrote: And inrun, you're not the only one who had that problem. I always sort of assumed that when I needed to log back in for some reason it would usually take me 2-3 tries to get a code I could read. It just never bothered me much, because I almost never log out... it's a luxury of being the only one allowed within 3 feet of my computer without being smacked with a dead fish. :D

I've had problems with security codes too; Neopets' ones weren't too bad, but I've seen a few sites with horrendous ones in which the letters look like writhing maggots in the process of metamorphosis.

And I have the luxury of my own personal laptop, which I password-lock whenever I wander 3 feet or more away from it. 8)