Guild Wars Forums - GW Guru
Old Nov 07, 2010, 12:13 AM // 00:13   #21
Krytan Explorer
 
Deviant Angel's Avatar
 
Join Date: Apr 2006
Location: On a boat!
Guild: Homeless.
Profession: Mo/

Quote:
Originally Posted by Riot Narita View Post
During the last spate of account thefts, due to master account (lack of) security... they actually put in that requirement.

But later, after the dust had settled, and A-net had largely fixed the problem (for GW, not Aion etc) by adding the character name check...
...they took it out again

Incredible. This makes it indisputably clear, that NCsoft do not take security seriously. NCsoft simply should not be trusted with our accounts.

This is why I do not want GW2 to require an NCsoft master account for any reason.

Lucky for us (and OP) that A-net put in that character name check, because it was only a matter of time before a new master account hole was found and exploited.

But it's still unsatisfactory: our IGN's are our only defense against master account breaches, and now we have to be careful where we post them. That sucks. I hope GW2 offers something better than that, and ideally the option of securID-style hardware.
There was absolutely no reason to remove it. Keeping it there wasn't causing problems for anyone except the hackers... and then it was removed. That sends a really bad message and I totally understand why so many people are reluctant to link their game account.

Nobody in their right mind will complain about a few extra hoops to jump through for changing passwords and account information. Oh...noes... my fingers are going to fall off because they want verification that the account is mine! Give me a break. PUT IT BACK!!!

If they don't step it up in the security department, they are gonna be dealing with a lot of angry customers when GW2 is released. It's stupid to expect us to link our accounts when they can't even add the most basic forms of security to keep our accounts safe once we do. That being said, I linked mine way back in the day when the online store was added. Long before the threads started popping up about the security issues. I feel pretty confident that my GW account is safe, but there will always be that little "what if" nagging me until they at least pretend to care.
Deviant Angel is offline  
Old Nov 07, 2010, 08:42 AM // 08:42   #22
Grotto Attendant
 
Join Date: Apr 2007

Quote:
Originally Posted by Riot Narita View Post
During the last spate of account thefts, due to master account (lack of) security... they actually put in that requirement.

But later, after the dust had settled, and A-net had largely fixed the problem (for GW, not Aion etc) by adding the character name check...
...they took it out again

Incredible. This makes it indisputably clear, that NCsoft do not take security seriously. NCsoft simply should not be trusted with our accounts.

This is why I do not want GW2 to require an NCsoft master account for any reason.

Lucky for us (and OP) that A-net put in that character name check, because it was only a matter of time before a new master account hole was found and exploited.

But it's still unsatisfactory: our IGN's are our only defense against master account breaches, and now we have to be careful where we post them. That sucks. I hope GW2 offers something better than that, and ideally the option of securID-style hardware.
Let me go further than that: If GW2 requires the NCMA either to play or to link to GW1 HOM, then I am not buying it. Period. I do not care how fantastic a-net manages to make the game; I do not care how worthy it is of my dollars; If there's any more NCMA crap involved, count me out.
Chthon is offline  
Old Nov 07, 2010, 10:29 AM // 10:29   #23
Ascalonian Squire
 
Join Date: Jan 2008

Since HoM will be linked to GW2 through an in-game item, I really hope the link will be done by, in a GW2 interface, entering your GW1 info (just like logging in). That way no NCMA is needed. I think this would be the best way, not only for security reasons, but also since a lot (A LOT) of people made an NCMA account several years ago to be able to use the in-game store and never looked back.
Lensor is offline  
Old Nov 07, 2010, 11:16 AM // 11:16   #24
Academy Page
 
Join Date: Nov 2010

Quote:
Originally Posted by Riot Narita View Post
During the last spate of account thefts, due to master account (lack of) security... they actually put in that requirement.

But later, after the dust had settled, and A-net had largely fixed the problem (for GW, not Aion etc) by adding the character name check...
...they took it out again

Incredible. This makes it indisputably clear, that NCsoft do not take security seriously. NCsoft simply should not be trusted with our accounts.

This is why I do not want GW2 to require an NCsoft master account for any reason.

Lucky for us (and OP) that A-net put in that character name check, because it was only a matter of time before a new master account hole was found and exploited.

But it's still unsatisfactory: our IGN's are our only defense against master account breaches, and now we have to be careful where we post them. That sucks. I hope GW2 offers something better than that, and ideally the option of securID-style hardware.
Actually, to my understanding, the character name requirement was added as a counter to losing the account due to forum hackings (people using the same log-in credentials on forums and in-game losing their accounts; the problem got kinda bad towards the end of last year). The requirement to enter your old password to change it was added as a response to the issue people claimed to have with randomly logging into someone else's NCsoft account when logging into their own. The reason that was changed back was because they couldn't duplicate that problem and, iirc, no one that happened to ever actually provided evidence of it happening when they did it.

The character name requirement, as I understand it, had nothing to do with the NCMA.
Nyta is offline  
Old Nov 07, 2010, 05:58 PM // 17:58   #25
Jungle Guide
 
Join Date: Aug 2007

Quote:
Originally Posted by Nyta View Post
Actually, to my understanding, the character name requirement was added as a counter to losing the account due to forum hackings (people using the same log-in credentials on forums and in-game losing their accounts; the problem got kinda bad towards the end of last year). The requirement to enter your old password to change it was added as a response to the issue people claimed to have with randomly logging into someone else's NCsoft account when logging into their own. The reason that was changed back was because they couldn't duplicate that problem and, iirc, no one that happened to ever actually provided evidence of it happening when they did it.

The character name requirement, as I understand it, had nothing to do with the NCMA.
No - the addition of the character name requirement was actually in direct response to the complaints about the NCMA. Ideally, it prevented someone who managed to hack the NCMA from accessing GW from the NCMA. At the same time there were a lot of people claiming their Aion accounts had been accessed from NCMA glitch. It was actually the number of people losing their Aion accounts that called attention to GW and resulted in ANet including the security question.

Last edited by Tom Swift; Nov 07, 2010 at 06:01 PM // 18:01..
Tom Swift is offline  
Old Nov 07, 2010, 07:09 PM // 19:09   #26
Krytan Explorer
 
Chrisworld's Avatar
 
Join Date: Aug 2010
Guild: Gameamp Guides [AMP]
Profession: W/

Would it be too crazy for me to suggest to set up a virtual machine or 2nd small PC with Linux on it just for the security? You could do your NCMA business only on that Operating System, so your chances of being keylogged at the NCMA level are much lower. I ONLY log onto my NCMA from my Mac or iPod Touch, and change the passwords from there only. I think that is a pretty superior layer of security, given keyloggers are win32 applications. Don't count Linux out, it's even free. Now, the only GW password you would enter in Windows would be your GW acct pass. Just be smart where you browse and use super strong passwords. But mostly where you browse... as a super strong password means nothing for a keylogger, since that captures text.

Hackers go for people in Windows systems, because that's where GW is and that's the easiest target. Stop doing NCMA in Windows and do it in Linux, you've just increased your NCMA security 1000 times over.

Last edited by Chrisworld; Nov 07, 2010 at 07:12 PM // 19:12..
Chrisworld is offline  
Old Nov 07, 2010, 07:22 PM // 19:22   #27
Lion's Arch Merchant
 
Join Date: Nov 2008
Guild: Shadowed Ones
Profession: E/A

"Just be smart where you browse and use super strong passwords."

Just do this. Using linux is overkill, and pretty much pointless. From reading this thread it seems the majority of stolen accounts don't come from keyloggers. They come from having username and passwords being stolen, and using them to try to get GW accounts.

The simple solution is don't use the same password for everything. If you are paranoid specifically about your GW account, change the email address to something you only use for your GW account. Using linux just to do one thing is pointless. (This is nothing against linux, just your reasoning for using it)
Cool Name is offline  
Old Nov 07, 2010, 07:39 PM // 19:39   #28
Krytan Explorer
 
Chrisworld's Avatar
 
Join Date: Aug 2010
Guild: Gameamp Guides [AMP]
Profession: W/

Quote:
Originally Posted by Pthoms T View Post
"Just be smart where you browse and use super strong passwords."

Just do this. Using linux is overkill, and pretty much pointless. From reading this thread it seems the majority of stolen accounts don't come from keyloggers. They come from having username and passwords being stolen, and using them to try to get GW accounts.

The simple solution is don't use the same password for everything. If you are paranoid specifically about your GW account, change the email address to something you only use for your GW account. Using linux just to do one thing is pointless. (This is nothing against linux, just your reasoning for using it)
I guess I did kinda go overboard suggesting Linux just for NCMA. I don't use Linux, but I do use my mac and ipod for everything except gaming (which is done on my windows pc) so I guess since it's there, why not limit NCMA to just that platform instead of the PC. That on top of password smarts is great.

I'll revise it a bit: If you use Linux, Mac or iPod Touch/iPhone/iPad or Android phones for more than just a few things, do your NCMA on that rather than Windows, it'll be much more secure.
Chrisworld is offline  
Old Nov 07, 2010, 09:38 PM // 21:38   #29
Frost Gate Guardian
 
Crimson Robes's Avatar
 
Join Date: Mar 2010
Location: Holland
Guild: Sexy Shinigami Misa [ちモメソ]
Profession: D/W

Quote:
Originally Posted by Chrisworld View Post
If you use Linux, Mac or iPod Touch/iPhone/iPad or Android phones for more than just a few things, do your NCMA on that rather than Windows, it'll be much more secure.
Uhm....no
Crimson Robes is offline  
Old Nov 07, 2010, 09:42 PM // 21:42   #30
Frost Gate Guardian
 
Join Date: May 2005

UPDATE: My account is now locked (wasn't locked as of Saturday night) and I have heard zero back from anyone at NCSoft. Customer service department should be renamed customer disservice as they have made a bad situation even worse by preventing me from just playing the damn game. It would be nice if SOMEONE from Arena Net would step in at some point during this process so I'm not dealing with the incompetency of NCSoft the entire time, but I guess that is too much to ask.

As someone else said earlier in this thread, if NCSoft has anything to do with GW2 in game, I will not be purchasing it.
Starmidder is offline  
Old Nov 07, 2010, 10:44 PM // 22:44   #31
Grotto Attendant
 
Join Date: Apr 2007

Quote:
Originally Posted by Nyta View Post
Actually, to my understanding, the character name requirement was added as a counter to losing the account due to forum hackings (people using the same log-in credentials on forums and in-game losing their accounts; the problem got kinda bad towards the end of last year). The requirement to enter your old password to change it was added as a response to the issue people claimed to have with randomly logging into someone else's NCsoft account when logging into their own. The reason that was changed back was because they couldn't duplicate that problem and, iirc, no one that happened to ever actually provided evidence of it happening when they did it.

The character name requirement, as I understand it, had nothing to do with the NCMA.
Quote:
Originally Posted by Tom Swift View Post
No - the addition of the character name requirement was actually in direct response to the complaints about the NCMA. Ideally, it prevented someone who managed to hack the NCMA from accessing GW from the NCMA. At the same time there were a lot of people claiming their Aion accounts had been accessed from NCMA glitch. It was actually the number of people losing their Aion accounts that called attention to GW and resulted in ANet including the security question.
Also, forum hacking was largely a smokescreen/scapegoat for NCSoft to lay the blame on so they could deny the problems with the NCMA. While a major forum did get hacked, and I'm sure quite a few people who were dumb enough to use the same passwords and lost their accounts because of it, that damage was positively dwarfed by the number of accounts lost to direct attacks on the NCMA (which, by the way, had (and it seems still has) far more vulnerabilities than just the cross-login glitch).
Chthon is offline  
Old Nov 07, 2010, 10:50 PM // 22:50   #32
Academy Page
 
Join Date: Nov 2010

Quote:
Originally Posted by Tom Swift View Post
No - the addition of the character name requirement was actually in direct response to the complaints about the NCMA. Ideally, it prevented someone who managed to hack the NCMA from accessing GW from the NCMA. At the same time there were a lot of people claiming their Aion accounts had been accessed from NCMA glitch. It was actually the number of people losing their Aion accounts that called attention to GW and resulted in ANet including the security question.
I poked through Gaile Gray's archives trying to dig up where she talked about why these security measures were implemented, and why only one of them was taken away. Here's what I found (bolded the more important parts):

Regarding the alleged security breach:
Quote:
Let me share a few details: We do not know that any accounts have been stolen through this reported security weakness. We have not confirmed if there is a weakness; we surely understand the concerns and comments, but we have not had an opportunity to test it. We made the "old password required" change as a conservative measure in the event that research does confirm a potential exploit. In other words, we took proactive measures, which I'm sure players appreciate.

We do know that the vast majority of accounts have been stolen by people who:

* Know the user name
* Know the password
* Do not change the password

This means that getting into the NCMA to access the account isn't the method of choice for the RMT account hackers who have been so active in recent weeks. Fully half of the accounts they're stealing do not have an NCMA at all.

Fred -- your account was stolen by an RMT, as you've been told. As far as we can tell, RMTs have not been involved in the reported security issue with NCMAs. -- Gaile 04:12, 2 January 2010 (UTC)

Regarding the character name requirement:
Quote:
As you will have noted if you were playing within the last hour, we have instituted a new security measure for your account. And personally, I'm pretty darn happy about this! When you log into the game, you will be asked to supply the name of one of the characters on your account. "Why?" you may ask. Well, because nearly all of the accounts that have been stolen in recent months have been stolen by RMT (Real-Money Traders) who are getting access through external sources. And those RMTs will be very unlikely to know the names of characters on your account! Simple, eh? You give a name -- and remember to spell it exactly correctly, and to use proper capitalization -- and you will get access. If you have trouble or forget the names, support will be happy to assist you, of course.

Please head to the FAQ for more info. And if you have feedback, you're welcome to share it here. -- Gaile 03:01, 22 December 2009 (UTC)

Regarding the removal of the old password requirement:
Quote:
In December of 2009, players alerted us to a possible security issue with NCsoft Master Accounts. In order to maximize security while we researched the matter, we added an additional security requirement involving Guild Wars accounts. This secondary layer of security required a player who wanted to reset his game password not only to pass the security requirements for his NCsoft Master Account but also to input the game password in order to reset it.

As you can imagine, most players who reset their passwords are doing so because they have forgotten the original password. So with that extra security requirement, players no longer were able to do a direct reset but instead were required to contact Guild Wars Support for help. This increased ticket volumes and response times, and players were unable to join Guild Wars while they awaited assistance.

Both the Guild Wars and NCsoft teams conducted a lot of research on the reported security issue. The teams were unable to replicate the reported glitch and they could find no evidence that any Guild Wars accounts were stolen as a result of such an issue. We know there was confusion between fansite forums, websites, and game accounts themselves around that time; perhaps the issues that players reported were related to that confusion. We can state, though, that the security of the NCMA system checked out thoroughly.

Because the NCMA system successfully passed all the research and testing that the teams conducted, we removed the secondary account password requirement a few weeks ago. We did this because the extra step is unnecessary, and because it causes our players significant inconvenience. If we see any indication—and we monitor daily—that account security requirements need to be increased or enhanced, we will take steps to do so immediately. But at this time, we feel confident that it is appropriate to allow players who have access to their NCsoft Master Account to go ahead and change their game password without requiring them to jump through additional hoops.

Please let me know if you have any questions or concerns about this or any other support-related issues. I'll be happy to assist in any way possible. -- Gaile 18:54, 5 May 2010 (UTC)
In short, the character name was an anti-RMT measure, but RMTs weren't typically hacking accounts through the NCMA, so the character name requirement was NOT a response to the NCMA issues. The password change, however, was. That's why the character name change is still in place (because RMTs are a constant threat), but the old password requirement no longer is (because the "accidentally log-in as someone else" issue was determined to not actually exist.)
Nyta is offline  
Old Nov 08, 2010, 07:24 AM // 07:24   #33
Academy Page
 
Join Date: May 2010
Profession: W/

NCsoft: "Security? Naaah, if they get hacked they'll just buy a new account, brb making a grinding mmo"

this is such a load of bullshit NCsoft. Jesus christ man. AGAIN?
fortior is offline  
Old Nov 08, 2010, 07:47 AM // 07:47   #34
Forge Runner
 
Iuris's Avatar
 
Join Date: Nov 2006
Guild: Crazy ducks from the Forest
Profession: W/

NCsoft keeps saying that there's nothing wrong with the master account security. But for some reason, people would rather believe their "friend of a friend what got hacked" instead of considering that maybe that friend of a friend would rather not admit he's not as savvy and safe as he'd like to think himself to be...
Iuris is offline  
Old Nov 08, 2010, 07:53 AM // 07:53   #35
Academy Page
 
Join Date: May 2010
Profession: W/

distrust in a company isn't so strange when they remove security features and treat you like dirt when you need support..
fortior is offline  
Old Nov 08, 2010, 08:13 AM // 08:13   #36
La-Li-Lu-Le-Lo
 
Faer's Avatar
 
Join Date: Feb 2006

I'm afraid I am going to have to close this, Starmidder, because it's starting to open a can of worms that we really don't need open right now. The whole topic of whether or not the NCMA Account Roulette bug ever/never existed isn't really something that is going to lead to any positive discussion and I'm cutting it off here before people get any more ridiculous about it. For anyone interested in the history, there is plenty on it in Gaile's wiki archives, both supporting and denying the existence of the error. People who care should go dig through those pages and PM each other about it for the time being, until we have another epidemic of compromised accounts, at which point discussion of this sort of problem might actually be able to be held intelligently, instead of being a bunch of "he said, she said" and "friend of a friend" nonsense. If enough people start having this problem again, and get some statements or documentation on it, feel free to be the first one to start the rally anew.

Regardless of the circumstances, know that we feel for your loss, and hope that Support gets everything straightened out with your account soon.
__________________
Stay Breezy
Faer is offline  
All times are GMT.