15M failed logins and it took them a month to detect it? Muppets.
15 MILLION dodgy login attempts spaffed all over Nintendo loyalists
Hackers broke into 24,000 Club Nintendo accounts after pummelling the loyalty-reward website in a month-long assault. The games console titan revealed that the sustained brute-force attack exposed the names, addresses, phone numbers and other personal details of thousands of its customers. Nintendo has reset a number of …
-
Tuesday 9th July 2013 10:30 GMT Anonymous Coward
15M failed logins and it took them a month to detect it? Muppets.
I think the issue isn't so much detecting it, but protecting against it. A company has to take a decision either to ignore failed logons, or lock an account (even temporarily) and so turn this cracking attempt into a successful denial of service attack. You cannot just lock logon attempts on an IP basis, because that is circumvented by the use of botnets anyway.
I would have added a CAPTCHA to the login process. That's not perfect, but it will at least demand extra resources from the wannabe cracker.
-
Monday 8th July 2013 11:31 GMT Miek
Hacking gaming companies seems to be getting more popular, there was an issue a month or two ago, where EA Origin's Battlefield servers suffered DDOS attacks aimed at their authentication servers. I believe they may have made some drastic infrastructure changes after this incident.
Edit: I forgot to mention the point of my post. Essentially any game company or web enabled service provider that doesn't work hard to ensure their systems are secure should be lambasted for such incompetence.
Another example: LG produce software called SuperSign, for driving public display screens. It uses Postgres as its database ... the installer (Windows) creates a new user postgres with the password 'postgres', nice, thankfully this can be changed by altering the password and updating the Windows service user account settings. Unfortunately, I cannot change the fact that all the (SuperSign) user accounts' passwords are stored in the postgres database in plain text, not even hashed, let alone salted. Amateurs.
-
Monday 8th July 2013 11:51 GMT J I
Soft target?
I have a Club Nintendo account from when I was living in Japan (which does not appear to have been accessed, fortunately). It seems unlikely to me that anyone was hacking it for the things you can get as they are mostly limited edition Nintendo goods which need physical delivery and aren't particularly valuable anyway. My guess is that the hackers either wanted the kudos of hacking a household name, or were after a soft target for getting personal information they could use for something else.
-
Monday 8th July 2013 14:45 GMT lglethal
Re: Soft target?
That was kind of my first thought. If the hackers were after something which required a physical delivery, then surely it should be easy to track down the culprits (hint: check the delivery addresses). I know that there are ways to make this more difficult (PO Boxes, etc.), but any time you actually have a physical delivery it makes the chances of tracking someone a thousand times easier than a purely digital medium...
-
Monday 8th July 2013 14:50 GMT Aristotles slow and dimwitted horse
But according to these companies the internet is the future...
So stop criticising poor old thems when they get it wrong. You know... like - buying your games online, micro payments, accounts linked to your finances, all that great sort of stuff that you wanted - because YOU asked for that convenience, and Nintendo, Sony, MS, Apple, Google, Amazon et al are only serving your needs right so why should they be accountable or responsible for anything? And anyway, it's the future so everything will be alright, right? And it's the future because that's what they say it is, right? And everything... right? Right?
Errr... wrong.
Fucking idiots.
-
Monday 8th July 2013 20:08 GMT Anonymous Coward
Some 40 years ago, in an age where the 'attacks' were playful rather than malicious, I was tasked with a system of preventing the brute force method. The solution was to simply delay ten to the power N seconds between login prompts where N was the number of failed attempts. It was also credited with improving the standard of typing as everyone took a bit of extra care, particularly after one mistake.
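The ten-to-the-power-N delay described in the post above, written out as an added Python example (not code from the thread or from any poster): a per-account guard that refuses the login prompt until 10^N seconds have passed since the Nth consecutive failure. The `cap` bound and the `guesses_in` estimate are my own additions, there to show the lockout-versus-denial-of-service trade-off raised earlier in the thread.

```python
class BackoffLoginGuard:
    """Per-account throttle: after N consecutive failures the next attempt
    is accepted only once base**N seconds have elapsed since the last failure.
    `cap` (an assumption, not part of the original scheme) bounds the delay
    so an attacker feeding bad passwords cannot lock a victim out forever."""

    def __init__(self, base=10, cap=3600):
        self.base = base
        self.cap = cap
        self._state = {}  # account -> (consecutive_failures, time_of_last_failure)

    def _delay(self, failures):
        return min(self.base ** failures, self.cap) if failures else 0

    def required_delay(self, account):
        """Seconds the account must wait after its last failure before a prompt."""
        failures, _ = self._state.get(account, (0, 0.0))
        return self._delay(failures)

    def attempt(self, account, password_ok, now):
        """Returns (allowed, wait_seconds). Attempts that arrive before the
        delay has elapsed are rejected without checking the password and do
        not change the counter; a success clears it."""
        failures, last = self._state.get(account, (0, 0.0))
        remaining = last + self._delay(failures) - now
        if failures and remaining > 0:
            return False, remaining
        if password_ok:
            self._state.pop(account, None)
            return True, 0
        self._state[account] = (failures + 1, now)
        return False, self._delay(failures + 1)

    def guesses_in(self, window_seconds):
        """Upper bound on guesses against one account within a window, for an
        attacker who always waits exactly the required delay."""
        t, n, count = 0.0, 0, 0
        while True:
            count += 1          # a guess is made at time t
            n += 1
            t += self._delay(n)  # earliest time the next prompt appears
            if t > window_seconds:
                return count
```

With the constructed defaults, a single account yields at most 27 guesses per day (5 with no cap), which is why the delay, rather than a hard lock, is enough to blunt a brute-force run like the one in the article.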