Curse

Curo · Jan 02, 2010, 05:06 AM // 05:06

Now that I've finally reached the end of these 16 pages, I'm going to say something that has not been said clearly in this thread.

Re: "Roughly half of the hacked acounts do NOT have an NCsoft Master Account"

All this statement tells us is that there are still idiots out there giving their account information to RMT's etc. You cannot rid the world of idiots, and account 'hackings' like this will always continue as long as there still exist people that are greedier than they are intelligent.

IF all (or a significant majority) of account hackings were traced to be related to the NCsoft Master Account, it would be an incredibly insulting reality. There is NO way that you can deny a breach of security in the NCMA by saying that only half of the hacked accounts had a NCMA. Since when is "half" an insignificant proportion?

Briefly, let me make an analogy. You would not say "only half of car accidents involve alcohol use/abuse", and use that to try and convince people that alcohol is not a major concern in car accidents.

In short: telling us that half the hacked accounts have no linked NCMA means nothing.

Sierraa · Jan 02, 2010, 05:08 AM // 05:08

Quote:

Originally Posted by Regina Buenaobra

Roughly half of the hacked acounts do NOT have an NCsoft Master Account, and very few account thefts involved a password change at all. The hacker(s) knew the account credentials, and they did not access the hacked accounts through NCsoft Master Accounts. The hackers had a list of passwords, which they used to steal accounts.

Again, our NCsoft Security team is continuing to investigate this issue, and there might be additional changes forthcoming.

HALF of the hacked accounts didn't not have an NCsoft Master Account. HALF. That leaves the other ~50% unexplained.

We've been complaining about the NCsoft site for years now and nothing has been changed until recently. Most of us are not directly relating the ability to login to a different account by using OUR information to the hacks, it may have contributed and if it didn't it's a new problem that needs your attention.

My personal information is on that account and it's viewable to anyone who happens to gain access to it.

REDdelver · Jan 02, 2010, 05:08 AM // 05:08

Quote:

Originally Posted by Regina Buenaobra

There is a change in one of the NCsoft Master Account processes that is being enacted, and we believe this change will help quite a lot in enforcing account security, and we're very grateful to the folks involved who've worked today to get those measures in place, on a holiday, and many of them away from home.

Through all the rough sea water......

Id like to extend apprectiation to the people who are supposed to be off the clock, relaxing, and/or just enjoying the holidays.....who are working hard on issues that need to be heading in the right direction.

Thank you to all who are involved. I'm not going to make assumptions that certain people arent doing anything to help the gaming community out.

Please pass along Miss Regina, that some of us appreciate the extra time spent.

Thanks

greenthumb · Jan 02, 2010, 05:16 AM // 05:16

Quote:

Originally Posted by Regina Buenaobra

I would like to reiterate one point again, because people continue to ignore this fact: The account hacks are not likely related to the NCsoft Master Account security concerns. Roughly half of the hacked acounts do NOT have an NCsoft Master Account, and very few account thefts involved a password change at all. The hacker(s) knew the account credentials, and they did not access the hacked accounts through NCsoft Master Accounts. The hackers had a list of passwords, which they used to steal accounts.

Quote:

very few account thefts involved a password change at all.

I applaud ANet for arranging for prompt action in responding to the community's concerns and lack of confidence in the NCsoft Master Account security.

It's not clear what ANet and NCsoft regard as "very few", but it's worth noting that ANet/NCsoft was aware of account thefts involving password changes (and the relative ease in changing GW account password credentials through the NCsoft Master Account until the new change).

I think it's great that something's been done, and hopefully further improvements will be made to address any other concerns and security weaknesses that have been presented. If these concerns have been known for awhile, I wouldn't necessarily regard the recent action, even on a holiday, as being proactive. (Perhaps the recent improvement could and should've been implemented some time ago, and perhaps shouldn't have then required major escalation on a holiday....it's something that the organization should try to take back and consider internally.)

Ravious · Jan 02, 2010, 05:18 AM // 05:18

I posted this on Kill Ten Rats, so I hope it gets disseminated a little more. Massively sometimes picks up my posts... but yeah, even though it is debatable as to whether this is long overdue or not, great action by ArenaNet on this holiday weekend.

I hope the issue gets resolved, even moreso, and I hope that this puts a jolt into the devs for GW1 and GW2 in regards to how fragile our characters can be. Not being able to recover deleted characters is 100 times worse than getting hacked and losing loot... especially with the HoM on the line.

DragonRogue · Jan 02, 2010, 05:26 AM // 05:26

Quote:

Originally Posted by REDdelver

Through all the rough sea water......

Id like to extend apprectiation to the people who are supposed to be off the clock, relaxing, and/or just enjoying the holidays.....who are working hard on issues that need to be heading in the right direction.

Thank you to all who are involved. I'm not going to make assumptions that certain people arent doing anything to help the gaming community out.

Please pass along Miss Regina, that some of us appreciate the extra time spent.

Thanks

Agreed. Between the hat issues and now this, im sure Regina and Gaile and many others have not had a good holiday this past 24 hours or so. It is very nice to see you all working hard on the holidays to try and fix these issues. Crappy time of year for this all to have happened. For that I am truly sorry. And kudos for doing this. Also I am pretty pleased with Gaile and Regina for doing their best to keep everyone posted as well as they have been. We can see how much time you have invested into these issues. Especially when most companies wouldve said, tough shit, we are on holiday and will deal with this after the new year.

Inner Salbat · Jan 02, 2010, 05:29 AM // 05:29

Quote:

Originally Posted by Regina Buenaobra

I would like to reiterate one point again, because people continue to ignore this fact: The account hacks are not likely related to the NCsoft Master Account security concerns. Roughly half of the hacked acounts do NOT have an NCsoft Master Account, and very few account thefts involved a password change at all. The hacker(s) knew the account credentials, and they did not access the hacked accounts through NCsoft Master Accounts. The hackers had a list of passwords, which they used to steal accounts.

People ignore you because their partly blind with rage with both frustration and anger, and to me there justified considering they/we and I will not get back our stuff despite most of us being here playing your game since it's release.

And how exactly did they obtain this mysterious list of passwords?

Enko · Jan 02, 2010, 05:34 AM // 05:34

Quote:

Originally Posted by DragonRogue

Agreed. Between the hat issues and now this, im sure Regina and Gaile and many others have not had a good holiday this past 24 hours or so. It is very nice to see you all working hard on the holidays to try and fix these issues. Crappy time of year for this all to have happened. For that I am truly sorry. And kudos for doing this. Also I am pretty pleased with Gaile and Regina for doing their best to keep everyone posted as well as they have been. We can see how much time you have invested into these issues. Especially when most companies wouldve said, tough shit, we are on holiday and will deal with this after the new year.

while its great that they're working during the holidays, a lot of these issues have been known since october . .. it's only come to a head now because someone posted this here (previously only on aion forums) and its getting a lot more attention.

some things like requiring the old password to change passwords should have been there from the start.

Emperor Bush · Jan 02, 2010, 05:56 AM // 05:56

There are a few things that don't make sense to me regarding Regina's most recent post in this thread.

But the most blatant problem I see: as Regina tells it, they only discovered this specific issue yesterday. So in the last 24ish hours they were able to update the password change request screen to include the necessity of the old password. They were able to do this in 24ish hours, while people were on vacation, and apparently not even in town. And kudos for that.

But it begs the question: Why was this not done weeks ago? If this particular fix was relatively simple, and if it was known that at least some of the hacking occurred via the PlayNC password change request function, couldn't this have been done prior to today? It could have saved who knows how many people from having their accounts hacked, and it could have saved the people involved from having to spend their vacations making this change. How many times did someone in this forum and other forums suggest to add this exact feature? How many "I GOT HACKED!" stories began with, "I got an email explaining my password had been changed."? How many stolen accounts were completely avoidable here?

At my job: had I screwed something up, and my boss discovered it while I was on vacation weeks later, and I needed to come into work on my vacation to fix it, I would receive a bit of credit for having done so. But that credit would not have likely negated the repercussions of having made that mistake to begin with.

DragonRogue · Jan 02, 2010, 05:57 AM // 05:57

Quote:

Originally Posted by Enko

while its great that they're working during the holidays, a lot of these issues have been known since october . .. it's only come to a head now because someone posted this here (previously only on aion forums) and its getting a lot more attention.

some things like requiring the old password to change passwords should have been there from the start.

Yes Enko, i am quite aware of the issues and how long they have been going on. So you dont need to quote me when all that thread is saying is that i was thanking them for dealing with this issue during the holidays when they couldve told us F*off and we will deal with it afterwards. Refer to my previous posts. I want answers just as much as everyone else here. Because many of my friends have been hacked and no excuse thus far pertains to what happened to them.

Added security is greatly appreciated, but id also like to know what they are doing to those who the items are being transfered to. Who are these hackers, where did they get these illeged lists of PW and account info? And are they being perma banned for transfering stolen goods?

While it is unfortunate that this has come to a head over the holidays... and I thank them for taking THIS time (over the Holidays) to deal with it... Too much has been ignored, blame has been spread around, and no one still has acceptable answers.

Inde · Jan 02, 2010, 06:11 AM // 06:11

I'll pop in here. My words don't mean any more than the next poster, but you all must understand that ArenaNet is listening and taking action. I understand the frustration that these security updates were a reaction versus preventative, that maybe we've been saying them for far too long now, but I have to point out that other NCSoft games are not getting this same treatment right now.

The IGN to the character log in? Not on any other NCSoft game.
The current password addition? Not on any other NCSoft game.

Now not even I want to draw any conclusions why NCSoft seems to be absent on this issue but I can clearly see that ArenaNet is pushing. They are fighting. They are apparently one-up on other NCSoft games at this time. Which should tell us all that our community managers and support are dedicating time, resources and their passion into this. Did it come too late? Is the damage too much? I'm not going to express an opinion on that but I felt that it needed to be pointed out clearly that ArenaNet, while they might be fighting the bureaucracy of the big corporate giant, is certainly making progress. And maybe NCSoft has been there all along but, of course, all we can see and hear is the ArenaNet side so that's what I base it on.

On the same note, I do have to give thanks to not only this community but the Aionsource.com community who both seem to be fighting so hard to see that their accounts are protected. Is it because of us these security updates have happened? I think we can say with some degree of certainty that yes, yes it has. RMT's, hackers, etc. are bound and determined to acquire our accounts and I think this is a lesson for both the users and the development and publishing companies that we have to be even more vigilant. I know that a lot has indeed been learned from this thread by the players on account and password security. It is only going to benefit many of us later on as we muddle around the internet.

I know this is a passionate topic for many of us, especially those who have been hit, but please continue to try and stay on topic. Give valuable feedback, list your concerns if you have them, but know that ArenaNet is there. They are in this thread watching (even if you can't see them

).

Enko · Jan 02, 2010, 06:37 AM // 06:37

I do appreciate the fact that Gaile and Regina are pushing NCSoft for these changes since these are on NCSoft's side not on Anet. The issues that Anet has had control over have seemed to get fixed fairly soon (hat issue, etc).

I'm wondering how much of the empty answers we've been getting is because they can't say anything beyond what NCSoft tells them. It's too bad that Anet can't break off from them and just run everything themselves.

Sora267 · Jan 02, 2010, 07:00 AM // 07:00

Quote:

Originally Posted by PuppyEater

Good to see ye olde Tombstone Policy in full force. I'm just surprised it didn't take someone losing their entire real life identity to get anything even addressed. (All though, to be honest, someone experiencing identity theft would force them to do something but I really don't think it would be worth it...)

Given that they didn't fix the bug with the site, only the GW login security, there's still the chance that your account will be randomly logged into so they can see the email address(not for your GW accounts but the one tied to your NCMA, which for many of you is probably the email you actually use), physical address, and phone number you've put in. And if you have a physical address there there's no way to remove it entirely, only change it. You can change the phone number though. So, personal information is still at risk, and I'm assuming this aspect is something ANet has zero control over.

Quote:

Originally Posted by Curo

In short: telling us that half the hacked accounts have no linked NCMA means nothing.

I think they're just trying to calm the "hysteria" they keep mentioning.

Also, kudos to ANet for trying to get this fixed over the holidays. Hopefully our less fortunate Aion brethren will get similar additional security measures in place soon!

Divine Ashes · Jan 02, 2010, 07:13 AM // 07:13

Although it may damage NCSoft's reputation even further than it has already been in the past, I for one feel it necessary for as many people to know about this as possible (I personally linked this thread on team quitter for example). As Inde stated, not only will it help us in our foray through other internet communities, but it gives us all insight as to how to protect our personal accounts better, and to give suggestions and ask questions regarding our personal security on the internet. Anet has acted fairly quickly since the proverbial shit hit the fan to get this treatment for Guild Wars, but one has to wonder where NCSoft has been in all of this, and why in the first place there was not the utmost security already in place for our accounts.

Inner Salbat · Jan 02, 2010, 07:24 AM // 07:24

If they've put the box in to enter old password before changing it to a new one, this is good.

But it changes nothing, hackers still have there list of passwords and can change the password still, has anyone one yet changed there password and gotten a confirmation by email ?

Martin Alvito · Jan 02, 2010, 07:51 AM // 07:51

Inde, I am certain everyone is thankful that ANet employees worked today to put the new protections in place.

However, it is tremendously disappointing that events came to this. It has been obvious to anyone following the matter that unauthorized access to NCSoft accounts was causing some account thefts. Regina is still trying to downplay the problem and effectively blame the "fansite hack"! This astonishes me. A GW account linked to an NCSoft Master Account functionally was not passworded until today, and it took public announcement of the methodology for something to be done.

We shouldn't have to coerce ANet to get account security. But that is what this matter came to. If they want our money in the future, they need to start demonstrating that they care now. The events of the last six months have not been encouraging. As matters stand, I see no reason to do future business with this company.

Skyy High · Jan 02, 2010, 07:57 AM // 07:57

Quote:

Originally Posted by Sierraa

HALF of the hacked accounts didn't not have an NCsoft Master Account. HALF. That leaves the other ~50% unexplained.

We've been complaining about the NCsoft site for years now and nothing has been changed until recently. Most of us are not directly relating the ability to login to a different account by using OUR information to the hacks, it may have contributed and if it didn't it's a new problem that needs your attention.

My personal information is on that account and it's viewable to anyone who happens to gain access to it.

Did you miss the part where she said, "and very few account thefts involved a password change at all." While "very few" is incredibly vague, the point remains that much fewer than 50% of the hacks were accompanied by a password change. Access to the NCMA does not in itself make it possible to hack a GW account - you need to reset the password first - so if most of the hacks do not involve password resets, they can't be simple matters of the NCMA getting hacked.

I just changed my NCSoft password, it didn't require me to put in my old password first. =/

Giga_Gaia · Jan 02, 2010, 07:58 AM // 07:58

We do appreciate very much that Gaile and Regina are pushing the NCSoft guys to protect us from hackers. But I can't help but feel both concerned for our fellow Aion subscribers, as well as wondering why they (NCSoft) did not take steps to protect their own primary cash cow from these unathorized access attempts when this problem came into light back in... October, was it? As far as I know, there hasn't been such a widespread 'hysteria' of these account hacks over any online game like this since... ever. While this password confirmation may be a nice first step, what will happen to those who lost their accounts and everything in it? I can't help but feel bad for all the Aion and GW players, and Anet as well, for all this grief that was beyond their control.

EDIT: Skyy, it only asks for your old password for your GW account at the moment.

Glaed · Jan 02, 2010, 07:59 AM // 07:59

While I haven't read through the entire 17 pages of this post, I have read enough to both understand what probably happened to me and to be irritated that something like this happened.

In December I had tried to access my NCSoft Master Account to purchase GW for my son for Christmas only to find that I couldn't get on, my password wasn't valid. Wtf? I had just used it in October to purchase the Bonus Mission pack and the pet unlock pack from the NCSoft Store and I also purchased a copy of Aion Collector's Edition as well.

So after trying to reset my password it asked me my security questions, stuff I know very well, but neither of my answers were correct. I finally had to contact NCSoft support to have my account information reset. I couldn't find my product keys though, so I had to go through the whole thing of scanning the emails of my purchases from NCSoft Store and Paypal stuff showing that the username was mine and the product keys of the most recent stuff I had purchased.

Finally they reset my passwords and I logged in to the account to find that while my name was the same, the address and phone number was changed to someplace in Texas. The email was still the same though, but I was curious how come I didn't get an email confirming me of a password change when this turd of a person took over my account. It notified me when I changed my password from the generated one from NCSoft support, but not when the turd changed it?

Thankfully Guild Wars didn't seem to be compromised, it seems they were actually after my Aion account that I never even played (computer issues with the game) and they even payed for a month of game time, because I had canceled the account after the free time was up at the end of November.

Part of me was a bit glad that it was a wasted game card or whatever on their part, because they had just payed for it on December 20th or something like that, but now I have a brand new Aion CE that I never played that is now banned.

So if I am understanding any of this that I have read so far that it was a security issue on their side... I'm rather irritated, to put it mildly. All they had to do was just log on repeatedly until my account was the lucky winner and they then have access to my personal info, my log in info... all they have to do is change the passwords and they have new games!

I went through the whole thing of thinking that my email had been compromised and deleting that account, checking my computer (which I had just done pretty much a clean install of everything when I upgraded to Win 7) with every AV and malware thingy I could get my hands on, changing the password to everything I think I have a password for, changing the email to a new one now that I deleted the old one, only to find out it was their issue?? On one hand I'm relieved it wasn't me this time... on the other.... I feel violated. By something I thought I could put my trust in. Guess I'm just naive.

Page Down Warhammer · Jan 02, 2010, 07:59 AM // 07:59

I'm thankful the Anet employees were prompt with the fix, but I have a few things to say.
I've been thinking about this a lot and wouldn't it be easier to do some sort of phone registration or something? I mean say your account gets hacked right? So you call NCsoft and tell them and they do a quick search to make sure you are the owner of the account and all and then change your password back to something you agree on over the phone. Then at least a hacker would have to try to convince Anet that they really are you in order to access your account. And if you bought GW with your credit card in California, and someone is calling NCsoft from say.. Florida.. that would be difficult.