Curse

Deviant Angel · Mar 17, 2011, 10:54 PM // 22:54

Interesting.

I logged in yesterday to find a very inactive friend logged in and on a character that I rarely ever saw him play. He was showing up as afk on messengers, so I sent a txt asking about it and he confirmed that it wasn't him on the account. He was at work. I eventually found his assassin being used as a bot in ToPK. (Hey Anet! HINT! HINT!!) I asked him about the e-mails once he got home and he said he couldn't find anything from NCSoft about a password reset or anything else. The password was obviously reset since he couldn't log in.

I was wondering if the hacker had gone that extra mile and changed the e-mail address, so I went into my account and changed mine to see what would happen. I instantly got an e-mail from NCSoft on both accounts.

The old account got a notification that someone at XX.XXX.XX.XXX changed the e-mail address associated with my account. The second account got a verification code and instructions about how and where to use it. Both e-mails were sent at the same time. The notification e-mail instructed me to contact support if I didn't change the address. Really?! Why the hell should we be forced to jump through hoops with support when they could do something as simple as ask us if we authorize the change before sending the verification code to the new address? I didn't work my ass off for the things I have in game just to lose it all because they refuse to do simple things like ask me to verify that I want an e-mail address or password changed. I don't mind having to click a few more times to change anything related to my account and anybody that considers it unnecessary or annoying is probably playing for the other team.

The friend I mentioned here was the second person from my friends list that has been hacked in the past week. I'm not sure about the other person, but I know that the one I saw online yesterday did NOT get e-mails from NCSoft. How the hell does that even happen?!

I enabled their latest security feature when I logged into my NCMA yesterday and I still don't feel confident that my account is safe. Oddly enough, my bank uses a similar method and I don't constantly worry about losing my money. I actually feel feel pretty vulnerable since I think I was on the FL of two people that were hacked and I have no idea how they became victims. They were both inactive and don't use RMT sites. I honestly believe there is something very wrong on the NCSoft side. :/

A little off topic, but I have to ask... what happens to accounts that were hacked and used as bots? Assuming my friend manages to get his account back, does he have to worry about getting Dhuum'd in the future if Anet decides to go on another massive banning spree?

Kago Seirei · Mar 18, 2011, 06:54 AM // 06:54

Heh, I also was a victim of being hacked, although I stopped most activity on my main GW account years ago. Technically I quit the game, but came on every now and then to see if any friends were still playing, and possible play a little to see what has changed.

I think it wasn't till sometime last year that I decided to login again, but couldn't. After all my efforts to use all passwords I've ever used in the past, I still couldn't login. After giving up, I decided to put up a support ticket for it, in which they finally reset the password for me, and even then I couldn't login, because the account was banned. (Probably because it was used for botting. -_-;

After that, I put in another ticket to get it unbanned, and it was handled swiftly, but all my characters were naked. About 8 sets of Obsidian armor gone, and tons more 15k prestige armor, not even counting the backup platinum and ectos/shards I had been hording prior to quitting. Yup, you guessed it, they just told me that I was SoL in terms of getting all my stuff back. Only things they didn't take were my mini-pets, which I'm surprised.

When I got hacked, it didn't really bother me much though, since I didn't really think I'd need the armor, money, weapons, and all those materials. Then I saw Guild Wars 2, and was so blown away by it, that it made me want to fill up my Hall of Monuments... Oh right, I had nothing... -_-;;

So, now I'm pretty much starting from scratch in terms of cash and working for HoM...

Braxton619 · Mar 18, 2011, 06:57 AM // 06:57

If you got hacked, immediately contact NCS about it here:
www.guildwars.com/support

karateckie · Mar 18, 2011, 01:10 PM // 13:10

Quote:

Originally Posted by Deviant Angel

Really?! Why the hell should we be forced to jump through hoops with support when they could do something as simple as ask us if we authorize the change before sending the verification code to the new address?

Exactly. Such a simple measure, and it would have prevented my case of hacking. If you don't have access to the old account then you're stuck contacting support...but at least you're not contacting them because you were hacked.

There's no cure for bad passwords, key loggers, etc. Those risks will always be around. But there are routine security measures that NCSoft could take which would have stopped many cases of account compromises that I've seen posted lately.

Braxton, I think everyone here has already been through support. We're just dealing with the aftermath.

Lyger · Mar 18, 2011, 03:57 PM // 15:57

/signed for the simple measures as outlined about. Also, I admit that 99% was a number I pulled from my behind

I'd like to hope that GW/NCSoft implement something like the coin lock feature that Rift just implemented over the last couple of days. It would go a long way to protecting the assets that their customers have built up over their playing time. (Guess what I'm playing while waiting for my GW account to get sorted out ... ).

Deviant Angel · Mar 18, 2011, 09:11 PM // 21:11

So I guess my friend got his account back today. The hacker stole his minipets, rare materials, roughly 200k, a few major vigor runes (lol?) and trashed all the equipment on his assassin that they didn't need for the bot. Other than that, he said his other characters appear to be untouched.

It's fairly obvious that the hacker wants accounts for botting ToPK. (Once again... HINT HINT ANET!) They actually went through the trouble of capping Shadow Form for his assassin and getting it through all the Prophecies missions required to access ToPK. (I guess that could be considered a not-so-bad thing?

)

Keep in mind that he was one of the people that DID NOT receive a notification e-mail about his password being reset. NCSoft did not bother to offer an explanation about what happened or reveal the IP of the person that hacked his account. They simply allowed him to regain access to his account and told him that the culprit's IP had been nuked.

The number of people that have said something on here about their accounts being hacked is pretty small, but I feel like the number of victims is much higher. Go sit in any district of ToPK and tell me all those people look like legit players. I'm willing to bet that a lot of those accounts are stolen. I have reported a few that have been farming non-stop for days and they are still at it! Literally... non-stop. I used to go into extreme farming mode back in the day and even I had to stop to sleep every now and then.

It probably would have taken my friend months to realize that he had been hacked if I didn't log in the other day. I can only imagine how many others have been hacked and have no clue since they didn't get an e-mail. :/

Edit: Apparently he didn't get an e-mail when he regained control of his account and changed the password. Anyone else? Might be something worth mentioning to support.

Thamior Shamus · Mar 19, 2011, 09:24 PM // 21:24

I also got hacked the other day.... Was able to get support to reset the password yesterday but was banned during a GvG because my account was hacked. >.>

A couple of my friends have also had their accounts hacked recently... You'd hope that ANet or NCsoft could take the extra step to make our accounts a lot safer.

AngeliqueSynner · Mar 19, 2011, 10:54 PM // 22:54

I was hacked on another game. Never been hacked on guild wars.
But personally I'd borrow materials from a friend or guildy to start farming and build it back up. :]

Surgo · Mar 20, 2011, 02:53 PM // 14:53

Don't know about anyone else, but I'd pay $10 + shipping for a physical second-factor authentication.

Urcscumug · Mar 21, 2011, 03:13 PM // 15:13

@Surgo, if the problem is keyloggers, a physical password generator is useless. Because if there's a rogue program running on your computer, it can do, intercept and impersonate anything that you do.

Restricting game access from certain IPs is a good idea... until you start thinking about it. One problem can be ISP's who like to regularly change their clients' IPs, making this feature useless. Another very basic flaw is that the restricted IP can be changed from the master account, so if the keylogger gets access to that it won't matter anyway.

Rift's Coin Lock can mitigate this issue because (presumably) it springs into action automatically, as soon as it detects a different IP for a certain account. But it depends on how the unlock is done. If the hacker already has access to the means to confirm the unlock... it's back to square one.

The problem of MMO servers is how to make sure that the person at the end of that Internet cable is who they claim to be. It's nearly impossible to do this perfectly. Ease of authentication and hard-to-hack are mutually exclusive, and it's hard to find a good balance. That's just how it is with any form of remote communication. Even face-to-face identification can be faked so...

Thing is, effort should be spent on preventing these hacks from happening, not on damage control once they've happened. Because as anybody can see after reading this thread, there's nothing left to do afterwards.

The only advice I can give you is:

(1) Keyloggers: once you got one, you're screwed. Unfortunately Windows makes it almost impossible to avoid getting one, by design (users are actually required to go download random software and install it). This is made worse by flaws in software you're running (browser, messenger, email client, Windows itself) that let stuff enter and install itself without you even knowing.

So consider having a different Windows install for GW, which is kept clean and up to date at all times, with the minimum amount of software installed beside GW. Also consider using stuff like DeepFreeze and Anti-Executable.

On a side note, if you run GW on Mac or Linux the problem is mitigated by multiple factors. Linux users almost never install random binaries off the web, there's centralized machine-wide auto-update and GW on Linux/Mac runs via a virtual machine of sorts (Wine, CrossOver, Boot Camp) which has separate files and environment which is easier to check/keep clean. Still, don't assume that as a Mac/Linux user you're invulnerable.

(2) Be wary of any forums you join. Don't use the same email or password as your in-game account or the master NCSoft account.

(3) Be careful who you give information that facilitates the login. Don't mention email addresses in-game, don't mention any IGN outside it. Yeah I know, it sucks not to be able to do that, to offer help to people on forums and so on. But as long as any IGN is an authentication factor, that's how it is. And I hope I don't have to say you should never tell anybody the password.

(4) If the master account is hackable, you're screwed anyway. So stop worrying about whether it's hackable or not. Sure, do the stuff above, but don't lose sleep over the master account.

IDEAS FOR IMPROVEMENT

The pool for private knowledge needed for login could be extended.

Idea 1: on the game login screen, show the pic of a random one of the account chars and ask the user to type its full name to login. Sneak in randomly generated char pics every once in a while and ask user to type "not mine" if they see it.

Idea 2: Make user answer questions like: on char X, my currently equipped weapon has a mod of ..... (single choice answer from given list).

* Lock the account after 3 login mistakes.

* Lock accounts who are inactive for extended periods of time.

Bright Star Shine · Mar 21, 2011, 03:37 PM // 15:37

Quote:

Originally Posted by Urcscumug

Idea 1: on the game login screen, show the pic of a random one of the account chars and ask the user to type its full name to login. Sneak in randomly generated char pics every once in a while and ask user to type "not mine" if they see it.

Idea 2: Make user answer questions like: on char X, my currently equipped weapon has a mod of ..... (single choice answer from given list).

* Lock the account after 3 login mistakes.

* Lock accounts who are inactive for extended periods of time.

Idea 1: I know enough people with a shitton of extra charr slots they use for storage with names like qfqfidoeqijdqsojdq. So, that one's is going to provide trouble to a lot of people.

Idea 2: Do you really think I remember what weapon which charr is wielding at every time? My ssin has like 12 diff shields sets and 3 diff armor sets, I don't bother remembering every time I logg off..

Also, you are going to severely punish people that would come back to the game after a 6 month break or something, they won't remember every charr name or weapon they have equipped..

At the "lock account" thing: also bad idea. I've tried to log onto Guildwars when: drunk (usually not a problem), stoned (never a problem), even did it when on shrooms once.. I am still amazed I was capable of typing my password then.. But my point, there are enough other people that play GW when drunk occasionally, but some might not be able to type their password correctly from the first try, so you'll penalize them too.

And, locking after being inactive is the worst idea of em all.. Why would one do that? The account is still property of the respective owners, and NCSoft/Anet is in no way in their rights to lock them for just being inactive.

There are better ways to secure accounts tbh..

TheGizzy · Mar 21, 2011, 05:48 PM // 17:48

Quote:

Originally Posted by Bright Star Shine

The account is still property of the respective owners, and NCSoft/Anet is in no way in their rights to lock them for just being inactive

You might want to reread the EULA you agreed to. The account is actually not your property, it is the property of NCSoft... and if they so chose, yes, it would be within their rights to lock accounts just for being inactive.

As to the rest, there are many ways they can make the login process or account verification process more secure, and I expect we'll see some of those methods showing up in GW2. Gaming account security has progressed by leaps and bounds over the years and they need to catch up. These are not stupid people, they are aware of the flaws AND aware of the potential solutions. What they are also aware of, unlike all of us here - myself included, which is significant since ensuring gaming account security and recovery is part of what I do for a living - they are also aware of the limitations of a) their software and b) their staffing.

Every decision has consequences - for the company, and for the players. In Bright Star Shine's post, we have an individual saying, "I engage in illegal activities that cloud my brain function... and I want the game to accommodate my choices and allow me to play while I'm impaired." So from his/her perspective, account security is important - but only if it does not inconvenience him/her.

This is the mentality a developer and publisher are up against. "Protect me or else... but you better not make me take any responsibility for my own security or inconvenience me in anyway."

Hell of a job, I can tell you.

Surgo · Mar 21, 2011, 09:16 PM // 21:16

Quote:

Originally Posted by Urcscumug

@Surgo, if the problem is keyloggers, a physical password generator is useless. Because if there's a rogue program running on your computer, it can do, intercept and impersonate anything that you do.

That's not what I was talking about at all. Not a password generator...say, an RSA key burned into a USB device. The device would only communicate via USB events and never send the key, but rather would take the authentication challenge and perform the signature on-device.

LordDragon · Mar 22, 2011, 04:12 AM // 04:12

A very simple mechanism for security uses an SSL encrypted code. The code resides on a USB device. That code was given to the USB device by the log in server of the game. The log in server knows what that code is. The next time the game tries to log in through the log in server it reads the USB device and sees if the codes match what is on file. If not, no log in.

The real security of a device like this is that the code changes every single time you log in. A person with an old code cannot do anything.

Getting a new code requires a person to jump through many hoops. This would stop almost all hacking attempts completely unless a person could write a MitM (Man in the Middle) logger for the device itself that would hack the 128-bit SSL encryption. Not impossible but VERY hard to do.

If you really wanted to get as close to hack proof as possible, use the above device with bio-metric date (finger print or such). That is how some top level security is handled. With the USB changeable key, a password and bio metric data the log in process is actually pretty painless but close to impossible to crack.

Lyger · Mar 23, 2011, 09:07 AM // 09:07

Well, Rifts coin lock system, as pointed out, is an issue if someone has access to the email account you have it pointed towards. But if someone has that information, then you have more problems than a hacked game account. But having seen it in action, I'm pretty impressed with it. I've also seen reports from people who were hacked who had their gear/characters saved by this very feature (there was an issue that Trion fixed very quickly with a vulnerability on the client that allowed people to log in without needing the username or password combination).

I'd love to see something like coinlock in place - and NCSoft have taken the first step by adding the IP assignation upon login. They just need to take it a step further (and require a code ala coinlock), and I'd love to see Anet add something similar into Guild Wars itself. And really, some kind of red flag should surely go up if an account that is always played in the UK is suddenly being accessed from China, for instance.

Also - I'd be happy to pay for an authenticator (as mentioned above) to keep my account safe. I really hope there is such a measure for GW2.

Got my account back, btw - and it was raided as expected. I haven't lost too much (just some superior vigor runes, some armour peices that were broken in the salvage process, etc). I've never been a rich player, since I blow my ingame gold on silly stuff like alcohol and sweets (which I burn through upon buying). I'm more annoyed that the hacker reset my UI and totally messed up my neat filing system i had going in my storage. Really, it's just adding insult to injury! But hey ho - my guildies have stepped up to help me get my characters kitted out fully again, and digital items aren't all that important to me. My characters are still there, so I actually have some inclination now to carry on trying to max out my HoM.

Urcscumug · Mar 23, 2011, 01:33 PM // 13:33

@Surgo, LordDragon: It doesn't matter how fancy the device that handles the authentication. Eventually it will have to send that data through your computer. Which is where the malware is waiting to sniff it. Game over.

Try not to let that malware in there in the first place, that's the best you can do.

The only way what you propose would work was if the entire machine you're using to play would be its own black box, unmodified by anything and anybody except its makers, AND it didn't have any vulnerabilities, AND nobody cracked its master keys etc. Which is what console makers are trying to do... and failing.

Security, convenience of use, freedom to tinker; pick two; and you really only get one.

LordDragon · Mar 23, 2011, 03:00 PM // 15:00

Quote:

Originally Posted by Urcscumug

@Surgo, LordDragon: It doesn't matter how fancy the device that handles the authentication. Eventually it will have to send that data through your computer. Which is where the malware is waiting to sniff it. Game over.

.

I guess you did not see where the code changes every time you log in. Getting the last code would do nothing for them as it would change on that very log in. This is the way the military handles sensitive information and it works very well. You cannot hack the account without the current code, the current code device, and the password. The military adds bio metric data so log on credentials are not an issue anymore. Hackers HAVE to find another way in.

The person would have to hack the incoming stream AND the encryption not just the outgoing stream as that code would now be useless.

All of this is handled by the log on server and not the local client. It is all encrypted and nothing is typed in but the password. I guess you could compromise the log on game server but that would be the only way to get all the information you need and be able to use it. Even if the sniffer collected every piece of data that came out of the system and every piece of data that went back into the system they could still not use it. That is unless they can crack the encryption without the encryption key.

They could get the key from the log on server if they could hack that but if they can hack the log on server they really don't need your data anymore now do they?

Urcscumug · Mar 24, 2011, 12:54 PM // 12:54

I don't think you realise how completely a piece of rogue malware owns your computer while running locally with full priviledges. Key word being "completely". It can do anything, see everything that goes on. It's smart enough to understand what goes on. When it doesn't understand, it promptly receives updates that teach it the new tricks. There's human hackers out there who download all the client updates, break them and then teach the malware how to do it.

Stuff like changing things around, memory randomization, no execute flags etc. is primarily meant as a defence against remote code injection, which works blindly and just hopes the evil code ends up somewhere meaningful. If the malware runs locally all these tricks are useless. It's like trying to trick someone who can read AND change your thoughts.

Encryption is only useful en-route. Eventually information has to be decrypted so it can be used. The malware will be there when that happens.

There's no defence against this. You can not be secure on a compromised machine. You're not running the show anymore. Your computer is a puppet, a zombie, end of story. The only defence is for the malware to not get on it in the first place.

And a simple piece of proof: if the security you describe was possible, there would be no bots in GW.

PS: Out of curiosity, on what computers do you think bots run on? Do you think the hacker loads side-by-side GW clients on their own machine? The run-of-the-mill ones do, but the smart ones run them on zombie computers owned by innocent people. Why do you think it's so hard to ban bots? If all bots where in China or whatever, always on the same IP ranges, wouldn't it be easy to ban those? It's hard precisely because bots run on innocent person's computers, all over the world.

LordDragon · Mar 24, 2011, 03:27 PM // 15:27

Urcscumug, I know all about zombie systems and bot-nets (and I am NOT talking about GW bots). You really do not understand what type of security I am talking about. That is fine.

I do understand what you think you are talking about and what I described above could only be hacked in this case.

If the attack came in between one log in and the next AND If the attacker somehow recovered or cracked the decryption key on the log in server (all encryption/decryption happens there)

So, even if they get the key and all the data going both in and out. Even if the program 'learns' which no program really does. They cannot get all the data at the correct time and deal with the encryption correctly.

And again, just adding biometric data to all of that would stop them cold. Now, they COULD use the information gathered to do other types of attacks but they are not getting through on the log in screen.

I am not going to go into any more detail but just be aware that this is how certain very secure sites deal with the combination of security vs convenience and they have never been hacked they way you have described EVER. Every hack came from another route. For more detail on why this is look up Identity based encryption and State based encryption. You may not find very much on SBE but suffice it to say that even if a zombie system could duplicate everything possible to read off of the system that was compromised (and had the encryption key!) the zombie system would still be rejected by the log in server.

Maybe, just maybe zombifying the very system that was compromised might get them in but even that is a long shot.

Urcscumug · Mar 24, 2011, 04:54 PM // 16:54

Quote:

Originally Posted by LordDragon

even if a zombie system could duplicate everything possible to read off of the system that was compromised (and had the encryption key!) the zombie system would still be rejected by the log in server.

I don't understand why.

If the zombie knows everything, for all intents and purposes, the login server is unable to tell the difference between the human performing legitimate login and his zombie computer imitating a legitimate login.

Please explain further because I feel that I'm missing something. I'm more than willing to admit my ignorance (and learn something in the process) in case that turns out to be the case.

Cryptography at its core means two parties know a secret that nobody else does. It doesn't work if one of the parties got its brain rooted by villains.

What Surgo proposed (the isolated hardware device that only sends encrypted data through the computer) is the only solution that comes close. But it stops short of being perfect; if there's malware on your computer, once the authenticator does its job and your IP is allowed to play GW, the malware is free to merch your stuff or trade it to its buddies.