Guild Wars Forums - GW Guru
 
 

Old Jan 01, 2010, 11:18 PM // 23:18   #201
Lion's Arch Merchant
 
Kula's Avatar
 
Join Date: Jun 2005
Location: West Coast, USA
Profession: Mo/E

Thank you for sticking this thread, I would have missed it.

This is the most serious problem I've seen come out of Guild Wars in all these years. I hope they decided to beef up security measures for GW2 after this debacle.
Kula is offline  
Old Jan 01, 2010, 11:21 PM // 23:21   #202
Popcorn Fetish
 
Zehnchu's Avatar
 
Join Date: Dec 2005
Guild: [GODS]
Profession: Mo/Me

sounds like they need to disable the Ncsoft and cash shop till they can figure out what's going on and get it fixed.
Zehnchu is offline  
Old Jan 01, 2010, 11:21 PM // 23:21   #203
Ascalonian Squire
 
Join Date: Nov 2005

Quote:
Originally Posted by Tramp View Post
I am still confused and no one answered. So the recent additional character name at login is worthless because they glitch or hack into the NCSoft account, then check out your support emails, and get your character name and information there?
Apparently, they can log into your NC account. If there are support tickets with character names there, they get the char name, login is there as well, and to change the password they don't need the old one, so they can change it, no problem...[well, there's a security question now, after their own employee got hacked]

Quote:
Originally Posted by Tramp View Post
I need to know if I should start to dread logging in again, because I was feeling much better when Gaile said that a minority of people who were hacked did not have the NCSoft account, therefore the NCSoft account was not a problem, but now I am concerned again.
I'm not sure any employee of any company would ever admit to a screw-up that big, unless faced with hard evidence [which seems to be happening right now].

Last edited by freedom_razor; Jan 01, 2010 at 11:24 PM // 23:24..
freedom_razor is offline  
Old Jan 01, 2010, 11:21 PM // 23:21   #204
Forge Runner
 
zelgadissan's Avatar
 
Join Date: Feb 2008
Guild: The Warrior Priests [WP]
Profession: Me/Rt

Quote:
Originally Posted by Kula View Post
I hope they decided to beef up security measures for GW2 after this debacle.
That's the big issue here. This isn't really an ArenaNet problem, and I doubt there's much ArenaNet can do about it from what I've seen. This is NCSoft, and any game put out by ArenaNet will share this problem until NCSoft gets their shit together. All we can really do is make it public knowledge and force their hand.
zelgadissan is offline  
Old Jan 01, 2010, 11:24 PM // 23:24   #205
über těk-nĭsh'ən
 
moriz's Avatar
 
Join Date: Jan 2006
Location: Canada
Profession: R/

Anet is a wholly owned subsidiary of ncsoft. if ncsoft tells anet to toe the party line, anet must comply. this includes lying through their teeth.

so basically, nobody can prove in any way whether anet is responsible for this issue, because all their official support is doing, is echoing whatever ncsoft is telling them to.
moriz is offline  
Old Jan 01, 2010, 11:29 PM // 23:29   #206
Furnace Stoker
 
Join Date: Apr 2006
Guild: Amazon Basin [AB]
Profession: Mo/Me

Quote:
Originally Posted by Tramp View Post
a minority of people who were hacked did not have the NCSoft account
That it's a minority should have you be concerned. They probably got had by the usual keylogger, trojan, scam, other sites selling info methods.

What's worst of all is NCSoft won't ever acknowledge this, so we won't even know if it ever gets fixed. How can anyone consider buying future NCSoft products not knowing whether it will be stolen tomorrow or not?
FoxBat is offline  
Old Jan 01, 2010, 11:31 PM // 23:31   #207
Ascalonian Squire
 
Join Date: Oct 2009
Profession: R/

Quote:
Originally Posted by freedom_razor View Post
Apparently, they can log into your NC account. If there are support tickets with character names there, they get the char name, login is there as well, and to change the password they don't need the old one, so they can change it, no problem...[well, there's a security question now, after their own employee got hacked]
So if there aren't support tickets there is no way to obtain the character name and my characters should be safe, right?
Aurelio is offline  
Old Jan 01, 2010, 11:36 PM // 23:36   #208
Lion's Arch Merchant
 
DragonRogue's Avatar
 
Join Date: May 2007
Location: Seattle, WA USA
Guild: Demon Dawg Knights
Profession: E/Me

Wow. Just...Wow. Epic. I think A LOT of people, not just NCsoft and Anet, but members of our own community, HAVE A LOT OF Fing APOLOGIZING TO DO TO ALL THOSE WHO WERE HACKED. Too long everyone has pointed the finger at those that were hacked as idiots or scumbag gold buyers and NO ONE listened when they pleaded that they weren't. How do you all feel about yourselves now? All of you should be ashamed. Always thinking the worst about others and here all along those that were hacked... THEY WERE RIGHT, they didn't do anything wrong at all. But guilty til proven innocent it seems they have been treated. And now they have been proven innocent.

TO NCSOFT AND ANET,

Something seriously will need to be addressed to the community after all of this. How many people have you lost because they were wrongfully accused? How many won't be buying your products because of this and lack of trust in how you do things? I know, I for one, am seriously shaken by this information and all that has led up to this. Your companies have handled this with deplorable action and result. Constantly blaming the users, and other sites, when all along it was issues within your own company. My trust in your future products is NIL at the moment, and I will be seriously watching to see how this is handled before I will EVER purchase another game from ANY of your companies again, til I am satisfied with how this plays out. And I'm sure I am not the only one who feels like this.

People pay real life money for your products. They spend hundreds, if not thousands, of hours playing your product and working on their content. Having that all taken away in the blink of an eye is gut-wrenching. Having everyone saying it's their fault, when they know it's not, is soul breaking. I hope you learn a valuable lesson here. In the future, it would be better to admit you have no idea how something like this is done, and ASK the community for their help, in helping you find answers, instead of jumping to conclusions and alienating your consumer. If the consumer loses faith in your company, then you will ultimately lose in your pocketbook as well. And things such as this can break your company. So far your track record here is looking pretty bad. How will you restore our faith?
DragonRogue is offline  
Old Jan 01, 2010, 11:43 PM // 23:43   #209
Frost Gate Guardian
 
Join Date: Sep 2009
Guild: LOVE
Profession: N/Me

They tricked us into linking the account to get the storage pane. Now they want us to connect GW1 to GW2 through Hall of monuments. Don't think so...
Someone better steal a frog to get some action from NCsoft <--- joke
godis is offline  
Old Jan 01, 2010, 11:45 PM // 23:45   #210
Guest
 
Join Date: Jan 2007

Quote:
Originally Posted by DragonRogue View Post
Wow. Just...Wow. Epic. I think A LOT of people, not just NCsoft and Anet, but members of our own community, HAVE A LOT OF Fing APOLOGIZING TO DO TO ALL THOSE WHO WERE HACKED. Too long everyone has pointed the finger at those that were hacked as idiots or scumbag gold buyers and NO ONE listened when they pleaded that they weren't. How do you all feel about yourselves now? All of you should be ashamed. Always thinking the worst about others and here all along those that were hacked... THEY WERE RIGHT, they didn't do anything wrong at all. But guilty til proven innocent it seems they have been treated. And now they have been proven innocent.

TO NCSOFT AND ANET,

Something seriously will need to be addressed to the community after all of this. How many people have you lost because they were wrongfully accused? How many won't be buying your products because of this and lack of trust in how you do things? I know, I for one, am seriously shaken by this information and all that has led up to this. Your companies have handled this with deplorable action and result. Constantly blaming the users, and other sites, when all along it was issues within your own company. My trust in your future products is NIL at the moment, and I will be seriously watching to see how this is handled before I will EVER purchase another game from ANY of your companies again, til I am satisfied with how this plays out. And I'm sure I am not the only one who feels like this.

People pay real life money for your products. They spend hundreds, if not thousands, of hours playing your product and working on their content. Having that all taken away in the blink of an eye is gut-wrenching. Having everyone saying it's their fault, when they know it's not, is soul breaking. I hope you learn a valuable lesson here. In the future, it would be better to admit you have no idea how something like this is done, and ASK the community for their help, in helping you find answers, instead of jumping to conclusions and alienating your consumer. If the consumer loses faith in your company, then you will ultimately lose in your pocketbook as well. And things such as this can break your company. So far your track record here is looking pretty bad. How will you restore our faith?
while that sounds good, I hate to break it to you like this...

These recent "hack" issues plaguing GW are stemming from Aion and its addition to the family. can I confirm that?...no. just call it a hunch..
gone is offline  
Old Jan 01, 2010, 11:48 PM // 23:48   #211
Ascalonian Squire
 
Join Date: Nov 2009
Guild: FTS
Profession: A/E

why don't they just have a system where you can only log in and out 5 times a day? so if you make a mistake or something.
The Last Battle is offline  
Old Jan 01, 2010, 11:55 PM // 23:55   #212
Unbanned
 
joshuarodger's Avatar
 
Join Date: Jan 2008
Guild: Trinity of the Ascended [ToA] -- IGN: Swirly
Profession: Mo/

Quote:
Originally Posted by Tramp View Post
I am still confused and no one answered. So the recent additional character name at login is worthless because they glitch or hack into the NCSoft account, then check out your support emails, and get your character name and information there?

I need to know if I should start to dread logging in again, because I was feeling much better when Gaile said that a minority of people who were hacked did not have the NCSoft account, therefore the NCSoft account was not a problem, but now I am concerned again.

sorry, tramp, but that seems to be the unconfirmed consensus. unconfirmed by Anet/NCSoft, that is.

Quote:
Originally Posted by Aurelio View Post
So if there aren't support tickets there is no way to obtain the character name and my characters should be safe, right?
theoretically, yes.
__________________
Ventari's Guidelines - They've Changed.
joshuarodger is offline  
Old Jan 01, 2010, 11:58 PM // 23:58   #213
Forge Runner
 
Lishy's Avatar
 
Join Date: Jan 2008

NCSoft, disable your freaking page already!

I can only imagine the amount of Chinese bots <_<
Lishy is offline  
Old Jan 02, 2010, 12:01 AM // 00:01   #214
Forge Runner
 
Join Date: Jun 2006
Location: VA
Profession: Mo/

Quote:
Originally Posted by flubber View Post
while that sounds good, I hate to break it to you Like this...

These recent "hack" issues plaguing GW are stemming from Aion and its addition to the family. can I confirm that?...no. just call it a hunch..
as i mentioned earlier, i only recall hearing about this large number of people getting hacked after aion's release. could something have been messed up when aion was added to the database?

has anyone accidentally gotten logged into an account that didn't have aion on it yet? of course those who have done this on purpose probably won't reveal it if they had. how many of those people that had their accounts stolen did not have aion? is it possible there's a connection to when aion got released?
Enko is offline  
Old Jan 02, 2010, 12:06 AM // 00:06   #215
Ascalonian Squire
 
JellyBelly's Avatar
 
Join Date: Nov 2007
Profession: R/E

As far as the problems being linked to having an Aion account, I don't know about anyone else, but I was hacked awhile back and GW is the only NCsoft game I have....
JellyBelly is offline  
Old Jan 02, 2010, 12:07 AM // 00:07   #216
Frost Gate Guardian
 
dawnmist's Avatar
 
Join Date: Mar 2007
Location: Melbourne, Australia
Guild: Serpents Maw Esoteric Echelon
Profession: R/

Quote:
is it possible there's a connection to when aion got released?
The most likely connection is simply one of timing - when Aion was released, it triggered a ton of people wanting to make money by selling gold in Aion, so account theft attack attempts increased. If it so happened that they got into a GW account as well...that was just the hackers' good fortune (and the real account holder's bad luck).

i.e. Aion provided visibility/motivation to try, and exposed GW in the process.
dawnmist is offline  
Old Jan 02, 2010, 12:08 AM // 00:08   #217
Guest
 
Join Date: Jan 2007

Quote:
Originally Posted by Enko View Post
as i mentioned earlier, i only recall hearing about this large number of people getting hacked after aion's release. could something have been messed up when aion was added to the database?

has anyone accidentally gotten logged into an account that didn't have aion on it yet? of course those who have done this on purpose probably won't reveal it if they had. how many of those people that had their accounts stolen did not have aion? is it possible there's a connection to when aion got released?
/edit
Above poster beat me to it ;-p

I personally think the 'hackers' are getting a bonus, meaning their primary target is, in fact, Aion, but they are getting other account info via NCsoft main.

Don't get me wrong. there is still a problem with NCsoft's account page. It has me staying far away from it. if you know what I mean.
gone is offline  
Old Jan 02, 2010, 12:08 AM // 00:08   #218
Desert Nomad
 
Cacheelma's Avatar
 
Join Date: Jun 2005
Guild: The Ascalon Union
Profession: Me/Mo

So Gaile still sucks at what she does and still tries to cover stuff up with lies even when she's a support personnel and the issue is very serious?

Why am I not surprised.....

I haven't played GW for ages now. I did play Aion recently though so I guess I'll head over to plaync and randomly login to someone's account... I mean try to login to my own account, and see if it's still my own...

Thanks for the heads-up!

Last edited by Cacheelma; Jan 02, 2010 at 12:10 AM // 00:10..
Cacheelma is offline  
Old Jan 02, 2010, 12:09 AM // 00:09   #219
Grotto Attendant
 
Join Date: Apr 2007

Quote:
Originally Posted by Fril Estelin View Post
Time to fix Hats problem (bugs) << Time to fix Security problem (trace/logs analysis, vulnerabilities identification and closing, prevention/redesign, risk assessment and mitigation...all this at various infrastructure levels...)
You don't have to solve the problem. You just have to stop the bleeding to buy time to solve the problem. Shutting down the NCSoft site, or shutting off its ability to reset GW/Aion passwords is enough of a solution for now. A complete fix can be worked out while the system is offline and not harming anyone. It should only take a few seconds to flip the circuit breakers to the NCSoft server room.

Quote:
Originally Posted by Mung @ Aion forums (Bunny's link)
Let me pause here to clarify that I am an IT administrator and part of my job is penetration testing on websites and networks. Let the games begin.....

QUICK DISCLAIMER//// I did NOT attempt to actually retrieve any sensitive information, only testing certain processes to see if they are protected against. Ergo I did NOT violate any privacy or copyright laws nor did I in any way violate my user agreement!//////END DISCLAIMER

After 5-6 hours of analyzing their domain and website I found quite a few weak points in their security. I will list them here:


1:] A method called SQL injection (sending server side commands through a login screen to acquire database information) is apparently NOT prevented very well. I was able to send a basic acknowledge request and instead of "page not found" or "incorrect login" I received an SQL ack!


2:] The ENTIRE web domain is unprotected from file mirroring (process of copying all files housed at the web host).


3:] From reading the HTML for each page under the "secure.ncsoft.com" domain I found that the majority of the process functions are scripted in PERL but referencing Javascript multiple times for all sorts of verifying processes. This can easily be manipulated to a user's intention.
Ohhh crap. This just keeps getting worse.

The revelations about how easily the NCSoft account could be brute forced were bad. The revelation that enough logins will eventually take you to someone else's account is even worse. But this takes the cake. I'm damn near speechless.

Well, now that I've composed myself, I have this to say:

Dear Gaile, Mike O'Brien, and other a-net folks,
The time has come to think seriously about biting the hand that feeds you. I'm sure that you've been aware for some time that NCSoft has major security problems. I'm sure that you could and probably would like to change GW to ignore password resets from the NCSoft account. I'm sure that you've received unequivocal orders from on high that the official response you are to make is to stonewall and pretend there's no problem, no matter how high the evidence mounts. I'm sure you've been obeying this order, not because you agree that stonewalling is a good idea, but because you understand that disobeying NCSoft is quite likely to spell the end of your time at a-net, if not the end of a-net altogether. Well, here's the hard truth for you: Allowing the status quo to continue is even more certain to spell the end of a-net. No one in their right mind is going to buy GW2 (or any other NCSoft title) once they find out that this is the ongoing security situation NCSoft expects them to live with. And it's going to end up widespread news -- real news that spills over the boundaries of this insular little forum world -- if account thefts continue apace. And they're going to continue apace (in fact I'd be shocked if they didn't increase), if vulnerabilities like that remain in place. You are looking at likely ruin on one hand versus certain ruin on the other. All I can say is "choose likely ruin"; it's your best option. If NCSoft won't fix their site, and won't agree to let you endrun the problem with changes to GW, and you acquiesce to that, then you're going to have to look on as your studio dies a slow, embarrassing death as the wholly-owned subsidiary of a laughingstock. Since that's your alternative, you might as well give NCSoft one last entreaty to remove their heads from the sand, then, should it fail, go forward and implement a GW-side fix on your own initiative, come what may and hell to pay.

Good luck.
Chthon is offline  
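
The account path discussed in posts #203 and #219 (a password change that does not ask for the old password, and a login form whose input reportedly reached the SQL layer), shown from the defender's side as an added example; it is not part of any post and is not NCsoft's or ArenaNet's code. The table layout, function names and sample credentials are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
import sqlite3


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, slow hash; the stored value is never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_db() -> sqlite3.Connection:
    # Constructed sample account (hypothetical schema, not the real site's).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (login TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    db.execute("INSERT INTO accounts VALUES (?, ?, ?)",
               ("player@example.com", salt, _hash("old-secret", salt)))
    return db


def check_password(db, login: str, password: str) -> bool:
    # Bound parameter: the login string is data, never part of the SQL text,
    # so input typed into the login form cannot change the query.
    row = db.execute("SELECT salt, pw_hash FROM accounts WHERE login = ?",
                     (login,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(_hash(password, row[0]), row[1])


def _store(db, login: str, new_password: str) -> bool:
    salt = os.urandom(16)
    cur = db.execute("UPDATE accounts SET salt = ?, pw_hash = ? WHERE login = ?",
                     (salt, _hash(new_password, salt), login))
    return cur.rowcount == 1


def change_password_weak(db, session_login: str, new_password: str) -> bool:
    # Behaviour the thread describes: being logged in to the master account
    # is enough, so whoever holds the session controls the password too.
    return _store(db, session_login, new_password)


def change_password_hardened(db, session_login: str, current_password: str,
                             new_password: str) -> bool:
    # Server-side re-authentication: a hijacked or mis-assigned session
    # cannot rotate the password without knowing the current one.
    if not check_password(db, session_login, current_password):
        return False
    return _store(db, session_login, new_password)


if __name__ == "__main__":
    db = make_db()
    print(change_password_hardened(db, "player@example.com", "guess", "x"))
    print(check_password(db, "' OR '1'='1", "anything"))
    print(change_password_weak(db, "player@example.com", "attacker-chosen"))
```

Both checks run on the server, so they hold even when the page's JavaScript validation is bypassed or edited in the browser.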
Old Jan 02, 2010, 12:16 AM // 00:16   #220
Desert Nomad
 
own age myname's Avatar
 
Join Date: Sep 2007
Location: Minnesota
Guild: [TAS]
Profession: R/

Oh great, nice F up NCSoft.
own age myname is offline  
All times are GMT.