Dec 22, 2009, 04:17 PM // 16:17
|
#101
|
Lion's Arch Merchant
Join Date: Nov 2005
Guild: The Heart of Life is [Love]
|
Quote:
Originally Posted by Hissy
Nothing, obviously. You'll never get your stuff back. Nobody will. You knew that.
This (and anything else they're planning to add) comes far too late for people have already been robbed.
Better late than never...
|
Sure, I guess, you can use the cliche of better late than never.
In this instance I believe it's a flawed excuse rather than a solid reason. Is it really better late than never?
It goes beyond the coinage, the FoW armors, and the miscellaneous other pixelated stuff that I no longer have on my characters.
My 4+ years and 6000+ hours of love for this game have been compromised, along with my trust of ANet's security. I'm not spending another 4+ years and 6000+ hours to get it all back when the security of their servers undergoes band-aid solution after band-aid solution that leaves the larger issues unaddressed and wholly vulnerable.
What point would it serve to re-invest that time & energy when the possibility of it being compromised a 2nd time is still more likely to happen than not?
Why would I buy GW2, when it runs on the same security issue plagued principles? Why would I give my money to a company that has, up to this point, completely failed to provide any measure of timely or decent customer service?
Better late than never doesn't fix the problems that have already occurred, and I'm not referring to my "stuff" being gone.
|
|
|
Dec 22, 2009, 04:34 PM // 16:34
|
#102
|
Desert Nomad
|
Quote:
Originally Posted by neighto
Is it really better late than never?
|
Yes it is. I realise how much it sucks for you, but if it saves others from the same fate, it has to be A Good Thing.
Quote:
Originally Posted by neighto
leaves the larger issues unaddressed and wholly vulnerable.
What point would it serve to re-invest that time & energy when the possibility of it being compromised a 2nd time is still more likely to happen than not?
Why would I buy GW2, when it runs on the same security issue plagued principles?
|
Because it won't have the same security issues? They ARE doing something about account security. Finally. It seems there is more to come... hopefully they will plug the known holes and add stuff to mitigate damage in case of as-yet-unknown holes. If not for GW1 then at least for GW2.
If they don't... well, I will be thinking hard too, about whether to put time and money into GW2. Just have to wait and see, but for now I am optimistic.
|
|
|
Dec 22, 2009, 04:40 PM // 16:40
|
#103
|
Desert Nomad
|
Hmm. I wonder if all the other games under the NCsoft master account are making similar changes. Or is it only A-Net that's pulled their finger out of their proverbial?
|
|
|
Dec 22, 2009, 05:01 PM // 17:01
|
#104
|
Lion's Arch Merchant
Join Date: Jan 2006
Guild: The Zodiac Elites [TZE]
Profession: Mo/
|
Superb, a step in the right direction ANet.
Quote:
Originally Posted by Regina Buenaobra
We sincerely apologize for interrupting the Snowball AT for this. The security update was a high priority update, and it was important to get this out as soon as we could.
|
Judging by what people have already stated on the whole getting "immediately" kicked thing for the update patch to be implemented, maybe next time a global announcement stating "Servers will be shut down in 30mins" (or something to that effect, counting down every 5 mins or so) so that people have forewarning and don't commit to anything (or have time to pick up that rare drop hehe). **Forgive me if this indeed happened, am at work atm **
|
|
|
Dec 22, 2009, 05:41 PM // 17:41
|
#105
|
Never Too Old
Join Date: Jul 2006
Location: Rhode Island where there are no GW contests
Guild: Order of First
Profession: W/R
|
I just logged in to GW without needing to retype anything. The -password works with the "remember" box checked. So my GW is still safe from keyloggers (it has an "only-GW" password).
__________________
That's me, the old stick-in-the-mud non-fun moderator. (and non-understanding, also)
|
|
|
Dec 22, 2009, 09:29 PM // 21:29
|
#106
|
Wilds Pathfinder
Join Date: Sep 2008
Profession: A/Mo
|
if people can hack into the government's computers...an internet game will be a breeze, no matter what's implemented ...but against the small time hacktards...this update gets a thumbs up for me
|
|
|
Dec 22, 2009, 09:45 PM // 21:45
|
#107
|
Hall Hero
Join Date: Aug 2005
Profession: E/
|
Stupid question but...
"What if an account... has no characters currently on it?" Does it just get locked out for all time?
|
|
|
Dec 22, 2009, 09:48 PM // 21:48
|
#108
|
Desert Nomad
|
Quote:
Originally Posted by HawkofStorms
Stupid question but...
"What if an account... has no characters currently on it?" Does it just get locked out for all time?
|
Leave the security question blank until you've created a character. It's in the FAQ :-D
|
|
|
Dec 22, 2009, 10:25 PM // 22:25
|
#109
|
Frost Gate Guardian
Join Date: Dec 2007
Profession: Mo/
|
Well, hopefully we will have less posts on here about accounts being hacked. It certainly seems like it's made it much more difficult for the gold sellers to hack accounts. As far as the other hackers, I don't know what else anet can do.
|
|
|
Dec 23, 2009, 01:58 AM // 01:58
|
#110
|
Furnace Stoker
Join Date: Jul 2006
Location: behind you
Guild: bumble bee
Profession: E/
|
A word of precaution: Watch out, all guilds that have forums and webpages, you are gonna be hacked, lol.
I probably shouldn't mention this cos hackers might be reading too, but then if you don't say anything, people forget and when it does happen it's too late. So...
Seriously, I know this is a good addition for security, but I thought of it some last night and the only place I've ever let anyone know of my in game name is on Guild Forums. So, quickly go erase your traces now! especially if you are using the same email address and password. Check to see if your guild forum is infected before you do so too lol just in case. Yes I know I am paranoid.
<< under your avatar, under Guild, you might want to erase those too.
Last edited by pumpkin pie; Dec 23, 2009 at 02:02 AM // 02:02..
|
|
|
Dec 23, 2009, 02:23 AM // 02:23
|
#111
|
Grotto Attendant
|
1. Let me start by saying that I am very, very pleased with this security update.
2. Let's take a look at how effective it's going to be. Right now, there's 4 known types of account theft going on:
- GW account is stolen via vulnerabilities in website for the NCSoft Master Account.
  Chinese RMT companies run automated attacks against the NCSoft website, gaining access to random accounts in bulk. This is the type of account theft that until now worried me the most because, unlike other theft methods, there's nothing the player can do to prevent the NCSoft Master Account from getting stolen. Worse yet, NCSoft seems dead set on pretending there's no problem, no matter how many accounts are stolen and how much evidence mounts.
  A-net's little fix puts a complete stop to this sort of theft. Stealing your NCSoft account gives the thief your GW username and password, but he has no way of obtaining your character names from the NCSoft account alone.
- GW accounts that had their username & password grabbed some time ago in the fansite breach, but the thieves are just now getting around to looting them
  If the stolen database had an IGN field (like Guru's used to), then this fix does very little. At most, it requires the hackers to reconfigure their account looting bots. On the other hand, if that data wasn't part of the fansite's database (or the hackers didn't bother collecting it), these guys are stopped.
- Various forms of user idiocy
  - User trusts a "friend" he shouldn't have with username & password
    No help. Anyone dumb enough to give out his username and password is also dumb enough to give out a character name.
  - Phishing and other social engineering
    Some help. The thieves now need to ask for username, password, and a character's name. That should sound a notch even more suspicious than asking for username and password. Unfortunately, many folks dumb enough to give username and password will fork over a character name too.
  - Spoofing and Cross-site scripting
    Some help. Every attack page needs to be rewritten, so (hopefully) some attackers may not bother. And the authors have to somehow justify asking for a character name on a webpage. Such sites should appear more suspicious now.
  - Keylogger + Insufficient Antivirus/Firewall
    Very little help. Attacker can just steal the character name too.
    What about putting it in the command line/checking the box to remember it? No use; if the attacker has obtained high enough privileges to execute his keylogger, he's also got high enough privileges to execute a program to scan your shortcut and your GW folder and grab any stored password or character name. At best, this knocks out low-level scum who lack programming ability and use a keylogger written by someone else.
- Targeted attacks against wealthy individuals.
  Since these attacks are done in varying, and possibly unknown (to me), ways, I can't really judge how effective the character name requirement will be.
3. As you can probably see, a-net plugged the biggest, worst security hole they had -- unfettered GW access once the NCSoft Master Account is compromised. (And it's pretty obvious to the cynics among us (me included) that fixing this particular problem was the goal of this patch.) There's still other holes to be plugged, and a lot more security features that need to be implemented before we have a "secure" game, but this is a very, very good start.
4. The instinct to protect one's IGN (as evidenced by the deluge of name-change requests to Inde) is correct. Since the GW username and password can be obtained from the NCSoft account, and the NCSoft account is utterly insecure, IGN is the only thing standing between you and account theft. At this point, the most important thing you can do to secure your account is to (1) keep your IGN's as private as possible, and (2) minimize connections between your IGN's, GW username, NCSoft username, and forum username. (Assuming, that is, you aren't engaging in plain old user idiocy. Ceasing idiocy would be more important.)
5. That said, IGN's on the forum are not as big an issue as people are making it out to be. First of all, matching an IGN to a NCSoft username or GW username is a potentially nigh-impossible task, and one that cannot easily be automated. Sure, if your NCsoft username is BobDole, and your forum username is BobDole, and your GW username is [email protected], and your IGN is Bob Dole, then you could be in trouble. If you've got a bit more variation, it's unlikely a bot could make the necessary associative leaps. (How, for example, could a bot connect a forum user named MsNyx with a posted IGN of Stevie Nix to either GW username [email protected] or NCSoft username fleetwood?) A human could do a better job. But human employees are expensive. And English-literate human employees are particularly expensive in China. No doubt there will be some lone wolves trawling the forums for info on high-value targets, but I think the odds of RMT companies turning to the forums to gather info for bulk account thefts are pretty low.
6.
Quote:
Originally Posted by Martin Alvito
Yes, this is a very tight workaround to the parent company's apparent obstinacy.
|
Yes, it was. A-net scores some points in my book for going against NCSoft's manifest desire that they continue stonewalling. Perhaps a little late, but they ultimately chose to do right by their customers.
7. You know who else scores some points in my book? The community who finally pressured them into action. Particular thanks go to Shan for standing up and making herself heard, Martin Alvito for piecing together how NCSoft accounts could be so easily stolen, and Inde for more behind-the-scenes activism than we may ever know.
8. Why was the update done with no announcement? I lost my snowball tourney/VQ/Mission/girlfriend/etc. because of it!
Assume for a minute that a-net was correct when they said in the past that at least some of the accounts currently being stolen had their username & password grabbed some time ago, but the thieves are just now getting around to looting them, and it should be pretty obvious to you. If I were a thief given a few hours forewarning, I'd promptly write a bot to log into as many accounts as possible and grab a character name off them. If I had a half hour forewarning, I'd have my employees do the same manually.
9. Several folks have pointed out, once a thief has gotten into an account, he has an incentive to delete all the characters and create a new one with a different name in order to keep you out while he loots stuff. After some thought, I don't think this makes much sense. The thief needs to strip each character before he deletes it. By the time he's finished stripping the last character -- the time when he could finally lock you out -- he's finished and no longer cares if you get the account back or not.
In any event, insofar as that's a problem, the oft-requested character locks are the solution.
10. As for the folks complaining that they don't know the character names on their mule accounts, go contact support. Seriously, having to contact support to reclaim your intact account beats the hell out of having to contact support to reclaim your stripped account.
Ultimately, this is the bottom line:
Quote:
Originally Posted by Arkantos
What ANet did just saved hundreds if not thousands of accounts being stolen. That's a huge step in the right direction.
|
Last edited by Chthon; Dec 23, 2009 at 02:28 AM // 02:28..
|
|
|
Dec 23, 2009, 02:34 AM // 02:34
|
#112
|
Krytan Explorer
Join Date: Nov 2007
Location: Somewhere in California
Guild: I Gots A Crayon [Blue]
Profession: Me/Mo
|
To anyone who is having trouble remembering character names:
I just got an e-mail back from support with single character names on my forgotten-named accounts. I -DID NOT- have to prove ownership.
This is a step in the right direction for security, but I don't know how much good it will do. Let us wait and see.
In response to the post below me:
I did not need to provide CD keys or any other sort of proof of ownership. I simply told them the account e-mail and they provided me with character names.
Last edited by Hyperventilate; Dec 23, 2009 at 02:46 AM // 02:46..
|
|
|
Dec 23, 2009, 02:37 AM // 02:37
|
#113
|
Academy Page
Join Date: Dec 2005
Guild: 雲のむこう・約束[の場所]
|
interesting that this was added and all but still would have been nice to know ahead of time what day it was going to be implemented so we could get names on accounts we don't use often (XTH accounts)... support going to love me when they see about 40ish e-mail address... and even more so if they need the cd-keys lol
|
|
|
Dec 23, 2009, 02:53 AM // 02:53
|
#114
|
Forge Runner
Join Date: Dec 2009
Location: buying shields w/ armor vs animals
Guild: Animal Fightas Inc [人一人]
|
Quote:
Originally Posted by JonnieBoi05
LOL... My pleasure. I am full of pointless/useless info that people could live the rest of their lives just fine not knowing. xD
|
does this affect role-play land too? it must if you're posting in this thread. then again, I wouldn't doubt your complete nerdiness to post everywhere for no reason. did you also buy the upgrade called "fuse my human life into my guild wars account?" that one applies to you without a doubt
also sweet update d00d. after hundreds of people were already 'hacked'
|
|
|
Dec 23, 2009, 03:42 AM // 03:42
|
#115
|
Older Than God (1)
Join Date: Aug 2006
Guild: Clan Dethryche [dth]
|
Quote:
Originally Posted by Chthon
9. Several folks have pointed out, once a thief has gotten into an account, he has an incentive to delete all the characters and create a new one with a different name in order to keep you out while he loots stuff. After some thought, I don't think this makes much sense. The thief needs to strip each character before he deletes it. By the time he's finished stripping the last character -- the time when he could finally lock you out -- he's finished and no longer cares if you get the account back or not.
|
The thief could use a stolen account to farm as follows:
1) Delete all characters
2) Make a new character
3) Run it to D'Alessio
4) Bot the lvl 10 trick
5) Run it to Gunnar's
6) Bot Dwarven Boxing to 20
7) Run to farm spot
But this is a fair amount of work. It would take a pretty organized thief in need of accounts.
I think the larger threat is thieves converting stolen accounts to gold spambots, which just requires pushing a new character through Chabek for Kamadan, and requires nothing to reach GToB. Those that are worrying are correct that thieves, IF they get the account, are incentivized to delete. However, thieves using automation are now foiled. Don't get keylogged, and you should be fine.
|
|
|
Dec 23, 2009, 04:02 AM // 04:02
|
#116
|
Furnace Stoker
Join Date: Jul 2006
Location: behind you
Guild: bumble bee
Profession: E/
|
Quote:
Originally Posted by Hyperventilate
To anyone who is having trouble remembering character names:
I just got an e-mail back from support with single character names on my forgotten-named accounts. I -DID NOT- have to prove ownership.
This is a step in the right direction for security, but I don't know how much good it will do. Let us wait and see.
In response to the post below me:
I did not need to provide CD keys or any other sort of proof of ownership. I simply told them the account e-mail and they provided me with character names.
|
That is not wise for ArenaNet to do. What if some players haven't logged in for some time, and the thief sends a support email to ArenaNet?
|
|
|
Dec 23, 2009, 04:12 AM // 04:12
|
#117
|
Lion's Arch Merchant
Join Date: Mar 2007
Profession: P/W
|
Quote:
Originally Posted by Hyperventilate
To anyone who is having trouble remembering character names:
I just got an e-mail back from support with single character names on my forgotten-named accounts. I -DID NOT- have to prove ownership.
This is a step in the right direction for security, but I don't know how much good it will do. Let us wait and see.
In response to the post below me:
I did not need to provide CD keys or any other sort of proof of ownership. I simply told them the account e-mail and they provided me with character names.
|
I seriously hope you are joking...
This creates an even bigger security issue than what the patch was trying to fix.
Now if someone wants to hack accounts they only need to guess account names, don't even need to guess the character name.
Last edited by darkknightkain; Dec 23, 2009 at 04:15 AM // 04:15..
|
|
|
Dec 23, 2009, 05:48 AM // 05:48
|
#118
|
Grotto Attendant
|
Quote:
Originally Posted by Martin Alvito
The thief could use a stolen account to farm as follows:
1) Delete all characters
2) Make a new character
3) Run it to D'Alessio
4) Bot the lvl 10 trick
5) Run it to Gunnar's
6) Bot Dwarven Boxing to 20
7) Run to farm spot
But this is a fair amount of work. It would take a pretty organized thief in need of accounts.
I think the larger threat is thieves converting stolen accounts to gold spambots, which just requires pushing a new character through Chabek for Kamadan, and requires nothing to reach GToB. Those that are worrying are correct that thieves, IF they get the account, are incentivized to delete. However, thieves using automation are now foiled. Don't get keylogged, and you should be fine.
|
I hadn't thought of that. I was caught up in the current MO of stripping accounts for profitable items. However, don't thieves who steal accounts for long-term use (spam bots and farm bots) always change the password? Since you're going to be going through Support anyway, it's not like they get to keep the account any longer if they delete your guys than if they don't. Even if you had a NCSoft account, and they stole your GW account through some other means, once you reset the GW password, they don't get to keep the account any longer if they delete your guys than if they don't. They have nothing to gain; the only reason to do it is spite.
|
|
|
Dec 23, 2009, 10:27 AM // 10:27
|
#119
|
Desert Nomad
|
Quote:
Originally Posted by Hyperventilate
To anyone who is having trouble remembering character names:
I just got an e-mail back from support with single character names on my forgotten-named accounts. I -DID NOT- have to prove ownership.
This is a step in the right direction for security, but I don't know how much good it will do. Let us wait and see.
In response to the post below me:
I did not need to provide CD keys or any other sort of proof of ownership. I simply told them the account e-mail and they provided me with character names.
|
Quote:
Originally Posted by darkknightkain
I seriously hope you are joking...
This creates an even bigger security issue than what the patch was trying to fix.
Now if someone wants to hack accounts they only need to guess account names, don't even need to guess the character name.
|
They'd have to break into your email too though, wouldn't they? To get the character names that support sends you? Still, it doesn't seem very clever.
By the way, big thanks to Chthon and Martin Alvito. Your well thought-out posts and insights have been invaluable the last few weeks.
Last edited by Riot Narita; Dec 23, 2009 at 10:30 AM // 10:30..
|
|
|
Dec 23, 2009, 01:07 PM // 13:07
|
#120
|
Krytan Explorer
Join Date: Nov 2007
Location: Somewhere in California
Guild: I Gots A Crayon [Blue]
Profession: Me/Mo
|
Yeah, no. I'm not joking. They told me it was a one-time leniency because of people having mule accounts that are not accessed often, and the update being so abrupt.
The hackers would still need to know my password and my e-mails for the accounts, plus the character names.
I don't feel strangely or oddly that they answered my request. The hackers would still need to know far more than just the e-mail or the character name.
|
|
|