Dec 11, 2009, 02:13 AM // 02:13
#21
Frost Gate Guardian
Join Date: Nov 2009
Location: The Shining Blade Camp
Guild: Nouvel Ordre de Phoenix [MJM]
Profession: R/Mo

From the poll, I voted for a No Delete option on characters/items.
However, there are also three additions I'd like to see:
* Require me to confirm through my e-mail account via clicking a secure link before allowing my password to be changed, rather than notifying me after the fact when it's already too late. This doesn't prevent hacking, but means that two separate accounts would need to be hacked to proceed, adding one more layer of protection.
* Require me to provide my old password before allowing my password to be changed unless I initiated the process with a lost password request. Even if I initiated it, I want it going through my e-mail rather than just my game account.
* Locking out the account for a designated length of time (perhaps 12-24 hours) after a specified number (perhaps around 5) of failed password attempts. This makes brute forcing a password a lot harder and a lot less worth the effort.
All this seems pretty basic to me, but I'd feel a lot safer if it was implemented.
Dec 11, 2009, 02:34 AM // 02:34
#22
Wilds Pathfinder
Join Date: Sep 2007
Guild: Textual Harassment [kTHX]

Quote:
Originally Posted by Hissy
Except the ones you're wearing!

Better than nothing at the cost of nearly nothing sounds worth it to me.
Dec 11, 2009, 02:35 AM // 02:35
#23
Pre-Searing Cadet
Join Date: Jan 2007
Guild: Ravn
Profession: W/N

I said this before in my "account got hacked" post, but to be positive and not so negative like I was in the past, I will say it again.
How about blocking all big items from being sold to NPCs. Does anyone really sell 7 black dyes to the Dye Trader? Or sell stacks of Ectos to the merchant? If that action could be stopped then the next part would catch the rest.
Next, a 3-day grace period on big items! Any trade that is worth more than 100k would have 3 days for the final trade to go through. The items are locked in trade so nothing can be changed except for a cancel. If it's a legit trade then the trade will go through on the 3rd day.
I wouldn't mind waiting 3 days to get whatever I wanted, knowing that it would be mine in 3 days and the cost wouldn't go up because it's all locked in.
That would save a lot of accounts; it seems like most of us find out that we've been hacked within 2 days of the event.
The only drawback would be the time it takes to give back our account control.
Dec 11, 2009, 02:38 AM // 02:38
#24
Departed from Tyria
Join Date: May 2007
Guild: Clan Dethryche [dth]
Profession: R/

Quote:
Originally Posted by JR
Static IP/MAC/HW checking

No problems here, as long as we are able to select or create significant and difficult enough security questions.
I would like to choose how I build my own password, thanks very much. I firmly believe that passwords shouldn't even have any requirements on them such as character number, which characters to use where, words not to use, etc.

Quote:
SecurID authentication option

I have never heard anything bad about this idea, ever. Thus, I have no complaints against it.

Quote:
"NO DELETE/SALVAGE/TRADE" option on characters/items

I like the idea, but I'd rather they work on ways of stopping them from getting into the account altogether.

Quote:
Additional authentication for Xunlai storage access
Randomized point and click gui for password input

The first idea is ultimately inferior to the second here, and I fully support the second.

Quote:
Compromised account restorations

At least items that were deleted through the trash bin should be recoverable. Asking that ANet get better at retracing and redoing every single transaction that a hacker makes is just as futile as simply asking them to do their job better.
I understand that you included this option just to be fair, but with the recent issues at hand, I doubt there's anyone in the game who would be bothered by extra security being put in place.
The only reason, I think, to choose this option is because you don't believe the problem really lies with ANet. For example, maybe the security needs tightening around NCsoft instead, as Martin seems to be stressing as of late.
Dec 11, 2009, 02:39 AM // 02:39
#25
Jungle Guide
Join Date: Mar 2006
Location: Trying to stay out of Ryuk's Death Note
Profession: N/R

Until something is figured out, the NCsoft Master Hub password reset should be disabled in the interim. I would be interested in how many times the Master Hub website is being hit by Chinese IPs per day.
With a nod to Theocrat and the Blizzard Authenticator, I would pay $6.50 (or more) per Authenticator for my accounts.
Dec 11, 2009, 02:44 AM // 02:44
#26
Wilds Pathfinder
Join Date: Jun 2009
Profession: W/Me

Yes, Arena Net's lack of security is a big issue.... That being said... a minority of the community is also partly to blame... the reason the Chinese are so determined to steal your account is because real money can be made selling game currency and goods to others...
Along with increased security I propose the consequences for real world money transactions be raised to a permanent ban.
If nobody is paying real world money there is no incentive to steal accounts.
Dec 11, 2009, 02:59 AM // 02:59
#27
Furnace Stoker
Join Date: Jun 2005
Guild: gwpvx.com/user:dzjudz

Other s/w solution:
- Being able to sever accounts from the NCsoft master account; and/or
- Better password protection over there.
Dec 11, 2009, 03:16 AM // 03:16
#28
Ascalonian Squire
Join Date: Dec 2009
Location: TXN

Quote:
Originally Posted by Martin Alvito
On the "other" vote - There isn't much that's reasonable to ask or cost-effective regarding the game client itself. It compares well with its peers. Highly aggressive measures such as IP checking and SecurID authentication would be preferable. But I doubt that ANet would provide such costly measures for free, and I'm not convinced that we should expect such.
The NCSoft master accounts, however, have glaring security vulnerabilities. The following would make these accounts harder to defeat using automation and would protect us even in the event of unauthorized access:
- Let me delink my GW account from the PlayNC account (best)
- Force me to provide something additional to change my game passwords (existing PW, code from an e-mail sent to the login e-mail address, etc.)
- Do not EVER display the linked e-mail address that is my username
- Make the "change password" protections for NCSoft accounts themselves more secure
- Make it impossible to generate a valid list of actual NCSoft accounts via brute force
- Make it more difficult to brute force passwords (NO protections exist at present).
Everything after the first item is a garden-variety security measure that I fully expect to observe in any authentication system today. Do online retailer accounts display complete credit card information when it is saved? No. So why should unauthorized access to my PlayNC account give someone the ability to have all of my game login information?
If those things can't happen for whatever reason and ANet has to go it alone, then I'd support hardware verification, IP checking or SecurID even at a (one-time) cost to the user.

I'm not really crazy about the opinions in the polls, but I like Martin's ideas. I've followed you around in these recent topics about hacking and insecure accounts and really appreciate your well-thought-out posts.
I would hope for this issue to be addressed or cleared up by Anet or NCSoft. I ended up changing my email, password, and security questions, and I check my email every chance I get to make sure some greedy Chinese bot doesn't get grabby with my account.
Dec 11, 2009, 03:24 AM // 03:24
#29
Jungle Guide
Join Date: Jun 2008
Location: Australia, what you want my home address?
Guild: [CAT]
Profession: Mo/

Quote:
Originally Posted by JR
Static IP/MAC/HW checking

A static IP isn't available to every Guild Wars player around the world; indeed, many are stuck with dynamic IPs and have no choice in the matter. This is also cumbersome for people who play from multiple locations (work, on the road, gaming at a buddy's house and net cafes).
Hardware checking and to a lesser degree MAC verification are great if you only play on one system and rarely make substantial changes to the system. People who game on Dells might like this option; geeks will revile it.
The whole downloadable game client thing was meant to allow us to download and play Guild Wars from anywhere... and I seem to recall it was once popular in the Korean net cafe scene... IP/MAC/HW checking is an inconvenience in these cases.

Quote:
Originally Posted by JR
Strong password policy

Policy is never enough to save people from their own stupidity. Anet has been warning us on the login screen about the need for account security and strong passwords... that is enough, and as you mentioned, it is still vulnerable to key loggers, data intercepts (man-in-the-middle attacks) and the like.

Quote:
Originally Posted by JR
SecurID authentication option

Not a bad idea, but having to pay extra for basic account security seems a little odd, and it is still vulnerable to man-in-the-middle data intercepts. Even assuming they do manage to implement a SecurID system well, once the user's computer is compromised (no more difficult than it would be to get a key logger on there) this offers NO PROTECTION.

Quote:
Originally Posted by JR
"NO DELETE/SALVAGE/TRADE" option on characters/items

Instead of making the lock on characters/items something that can be toggled on and off (i.e. BYPASSED), make it time limited... lock a character for a day/week/month and it stays locked for that period, and there is nothing you can do to unlock it short of contacting support in the case of malicious locks.
etc.
Dec 11, 2009, 03:45 AM // 03:45
#30
Frost Gate Guardian
Join Date: Nov 2009
Location: The Shining Blade Camp
Guild: Nouvel Ordre de Phoenix [MJM]
Profession: R/Mo

Quote:
A static IP isn't available to every Guild Wars player around the world; indeed, many are stuck with dynamic IPs and have no choice in the matter. This is also cumbersome for people who play from multiple locations (work, on the road, gaming at a buddy's house and net cafes).

This. I have a dynamic IP. It would be a tremendous pain for me if the game stopped recognizing my computer every time I disconnected from the network.
That said, forgive me if I'm ignorant about the tech, but even with the dynamic IP, my IP address doesn't seem totally random. It's within a certain range. So while it's not identical every session, it's still clearly from the same general geographic area.
Which makes me wonder about regional lockouts. What if I could set up my account to not allow a login from, say, outside of North America? If I was planning a major international trip and felt it was crucial to bring GW with me, I could always green light the region I was going to in addition; it wouldn't have to be a permanent blackout.
I don't actually know how hard that would be, so it might be totally impractical and/or not really a big enough issue to deal with. But most of us most of the time would only be legitimately logging on from one region. I'd rather see that than something that checks the exact IP.
Dec 11, 2009, 03:45 AM // 03:45
#31
Forge Runner
Join Date: Mar 2006
Location: Mableton, Georgia
Guild: Guild Ancestors Reunited [ギルド]

I chose 1, 2, 5, 6, and 7. They sound very good and would be extremely beneficial to have.
Dec 11, 2009, 04:05 AM // 04:05
#32
Desert Nomad
Join Date: Aug 2005
Guild: DVDF(Forums)
Profession: Me/N

Another poll should have been added: what priority should account security be given?
A. It's fine as it is
B. When they can get around to it
C. Drop everything
All this poll is doing is asking us how we would do ANet's/NCsoft's job for them.
The "when" issue is as vital as the "how", if not more so.
Dec 11, 2009, 04:24 AM // 04:24
#33
are we there yet?
Join Date: Dec 2005
Location: in a land far far away
Guild: guild? I am supposed to have a guild?
Profession: Rt/

Yes to just about everything except the static IP thing. IPs can be covered up, so that just won't work (and us dynamic people don't have choices).
I would pay for a fob, and it would be the last thing I would buy from them too.
__________________
where is the 'all you can eat' cookie bar?
Dec 11, 2009, 05:50 AM // 05:50
#34
Desert Nomad
Join Date: Mar 2006
Guild: DPX
Profession: R/

My option isn't anywhere on the poll so I'll state it.
How about a simple confirming email sent to the email address BEFORE letting anyone change the info, like every other password that you have to change.
Dec 11, 2009, 06:06 AM // 06:06
#35
Ascalonian Squire
Join Date: Jul 2008
Location: GMT +1
Guild: [BCG] and [EKSF]
Profession: N/

What gets my vote:
1. Static IP/MAC/HW checking
3. SecurID authentication option
Other S/W solution:
- Confirmation e-mail asking you to confirm the password change before the password is actually changed, for both the NCsoft master account and the game account(s) linked to that master account.
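The confirm-before-change flow asked for in this post and in #21 and #34 above, as an added example that is not from the thread (Python; the `Account` class, the 30-minute token lifetime and the `outbox` list standing in for a mail server are all assumptions):

```python
"""Added example: a password change that needs the current password AND a click
on an e-mailed one-time link before it takes effect. Until the link is used,
the old password keeps working and the new one is not live."""
import hashlib
import hmac
import secrets

TOKEN_TTL = 30 * 60   # assumed: confirmation link is valid for 30 minutes


def _hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


class Account:
    def __init__(self, email: str, password: str):
        self.email = email
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _hash(password, self.salt)
        self.pending = None   # (token_hash, new_pw_hash, expires_at) or None
        self.outbox = []      # constructed stand-in for the mail server

    def check_password(self, pw: str) -> bool:
        return hmac.compare_digest(_hash(pw, self.salt), self.pw_hash)

    def request_change(self, old_pw: str, new_pw: str, now: float) -> bool:
        """Step 1: prove possession of the old password. Nothing changes yet;
        a single-use token is mailed to the address on file."""
        if not self.check_password(old_pw):
            return False
        token = secrets.token_urlsafe(32)
        # only a hash of the token is stored, so a database leak exposes no live links
        self.pending = (hashlib.sha256(token.encode()).digest(),
                        _hash(new_pw, self.salt), now + TOKEN_TTL)
        self.outbox.append((self.email, f"https://example.invalid/confirm?t={token}"))
        return True

    def confirm_change(self, token: str, now: float) -> bool:
        """Step 2: the link from the e-mail. The new password goes live only for
        an unexpired, matching token, and a used or expired token is discarded."""
        if self.pending is None:
            return False
        token_hash, new_hash, expires_at = self.pending
        if now >= expires_at:
            self.pending = None
            return False
        if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), token_hash):
            return False
        self.pw_hash = new_hash
        self.pending = None
        return True
```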
Dec 11, 2009, 07:34 AM // 07:34
#36
Grotto Attendant
Join Date: Jun 2006
Location: Europe
Guild: The German Order [GER]
Profession: N/

Quote:
Originally Posted by JR
Static IP/MAC/HW checking

Generally, a MAC can be spoofed on the hacker's machine and easily retrieved from the hackee's machine, as can other hardware signatures, but those are not as trivial.
IP address spoofing is not unheard of either, but it is a bit more problematic.
The problem is that you have to trust the machine that runs it, and well, you can not trust it.

Quote:
Originally Posted by JR
Strong password policy

Overly strong password policies usually tend to make users go into two modes:
a) reuse as much as possible
b) write credentials down.
a) is the kind of problem that we faced lately, and well, it was disastrous and kind of triggered this thread.

Quote:
Originally Posted by JR
SecurID authentication option

This is a fairly viable option, but do not be easily fooled by its foolproofness. Generally, this works by binding your account to a machine id, which is usually done on the account management web application.
This means that if someone can access that, they have a shot at changing your SecurID binding to a piece they own. Confirmation emails or support intervention can fix this, of course.
We worked on a similar method: a bank account is tied to a cellphone number, and if you want to make a transaction, you will be sent an SMS with an authentication code for that transaction.
People still got hacked though. How? Social engineering: the hacker simply called support and asked them to change the cellphone tied to the account (... I am desperate, I really need to pay rent now or I am evicted, etc., that kind of stuff ...). It worked.
This is still the best method right after teaching users to be more responsible :-)

Quote:
Originally Posted by JR
"NO DELETE/SALVAGE/TRADE" option on characters/items

This is very much preferred, but there is an issue: people flagging items/characters and then changing their mind.
If they can easily unflag, this feature would do little good; if unflagging is harder and requires, for example, support intervention, it is going to be cost prohibitive for NCsoft.

Quote:
Originally Posted by JR
Additional authentication for Xunlai storage access

This only protects part of the account and not really the part people are most worried about: characters.

Quote:
Originally Posted by JR
Randomized point and click gui for password input

Bad option. Taking a screenshot of the onscreen keyboard layout is trivial if you expect this authentication method.

Quote:
Originally Posted by JR
Compromised account restorations

This is a support nightmare and very prone to abuse.
Dec 11, 2009, 07:42 AM // 07:42
#37
Grotto Attendant
Join Date: Mar 2006
Location: Done.
Guild: [JUNK]

Just to make this clear:
I will not be paying extra for sufficient security.
Dec 11, 2009, 08:26 AM // 08:26
#38
Forge Runner
Join Date: Sep 2006
Location: AZ

None of the choices given. What I want to see is NCSOFT sorting out their security (pathetic for a "huge multi-billion company").
Martin put it very well so I just +1 onto his suggestions.

Quote:
Originally Posted by Martin Alvito
On the "other" vote - There isn't much that's reasonable to ask or cost-effective regarding the game client itself. It compares well with its peers. Highly aggressive measures such as IP checking and SecurID authentication would be preferable. But I doubt that ANet would provide such costly measures for free, and I'm not convinced that we should expect such.
The NCSoft master accounts, however, have glaring security vulnerabilities. The following would make these accounts harder to defeat using automation and would protect us even in the event of unauthorized access:
- Let me delink my GW account from the PlayNC account (best)
- Force me to provide something additional to change my game passwords (existing PW, code from an e-mail sent to the login e-mail address, etc.)
- Do not EVER display the linked e-mail address that is my username
- Make the "change password" protections for NCSoft accounts themselves more secure
- Make it impossible to generate a valid list of actual NCSoft accounts via brute force
- Make it more difficult to brute force passwords (NO protections exist at present).
Everything after the first item is a garden-variety security measure that I fully expect to observe in any authentication system today. Do online retailer accounts display complete credit card information when it is saved? No. So why should unauthorized access to my PlayNC account give someone the ability to have all of my game login information?
If those things can't happen for whatever reason and ANet has to go it alone, then I'd support hardware verification, IP checking or SecurID even at a (one-time) cost to the user.
Dec 11, 2009, 08:45 AM // 08:45
#39
Frost Gate Guardian
Join Date: Jun 2006
Location: Seoul, Korea
Profession: Mo/Me

You sure that these hacks were carried out by a third party? I'm thinking that Anet is doing the "hack" themselves to save the server's upkeep cost. By deleting items from an account, players are discouraged from playing the game and thus give up on playing. So what? That's fewer players on the server, meaning the cost to maintain the server will be lowered.
Notice, 3 years ago, the number of accounts hacked was relatively low. Why do these hacking incidents happen now, when the game is in its dying stage? Easy, the most logical answer is: Anet is carrying out these hacks.
Why do I suspect that Anet is doing this? I have had 10 accounts ever since I started Guild Wars and I have only been playing on 1 account out of the 10 I bought. I do, occasionally, check on my other accounts but the time interval is somewhere around 4-5 months. From the time when Guild Wars was released to the present, I have never downloaded anything from any third parties and I don't have any viruses/malware/trojans/spyware on my computer. How can I be so sure about the state of my computer? Well, I only go through about 5 hard drives every 2 months since I reformat my computer so many times that it basically destroys my hard drives. Of course, I didn't care much about my hard drives since my family can afford new hard drives every 2 months. Anyhow, not until recently, 5/9 of the inactive accounts I have were hacked. Hacked? How? I don't download anything, and I reformat my computer every 2 weeks and change my password every 4 months for these accounts.
It's basically impossible to hack my Guild Wars accounts, but somehow, someone managed to hack them. I found it strange since no one else has access to my accounts but Anet. Whatever the case is, I'm happy that I gave up on this game. I can now allocate my time to more useful things, like spending time with my friends on World of Warcraft ^.^
Solution: None needed since the game is dying. Adding additional security measures means Anet has to hire better programmers and security experts, which won't happen for a dying game. Who would want to spend money on something that is going to be dead? Guild Wars 2 is good enough to attract old and new players without having to keep loyal players.
Last edited by II Lucky Charm II; Dec 11, 2009 at 09:03 AM // 09:03.
Dec 11, 2009, 08:58 AM // 08:58
#40
Academy Page
Join Date: Feb 2007
Guild: Legion Of Losers

Quote:
Originally Posted by JR
Static IP/MAC/HW checking
This is used by some banks. If you try to access your account from an IP or MAC address that is foreign to that account (meaning you haven't used it before or haven't used it recently), then you are asked additional account security questions before access is allowed.
Similar to the IP/MAC address check, a hardware configuration check will compare some aspect of the hardware with which you are currently using to access the account. Additional security questions will be asked if the information is mismatched.

This is my favorite option but it would be way too hard for most people to get working. It would be nice to have a drop down list in my account settings that would say
Only allow logins to my account from: [COUNTRY]
This would be idiot-proof (you don't even have to know what an IP is, let alone whether you have a static or dynamic one), and reasonably robust.
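The country allow-list from this post and from #30 above, as an added example that is not from the thread (Python; the `AccountPolicy` class is an assumption, and the IP-to-region table is constructed from RFC 5737 documentation prefixes rather than real geolocation data, which a deployment would take from a GeoIP database). A login from outside the allowed regions is not refused outright here but sent to the extra verification step the quoted bank model describes:

```python
"""Added example: per-account region allow-list with temporarily green-lighted
regions (for the trip scenario in #30). Region lookup is a constructed table."""
import ipaddress
from dataclasses import dataclass, field

# Constructed lookup table: documentation prefixes standing in for real geolocation data.
REGION_OF_PREFIX = {
    ipaddress.ip_network("192.0.2.0/24"): "NA",
    ipaddress.ip_network("198.51.100.0/24"): "EU",
    ipaddress.ip_network("203.0.113.0/24"): "AS",
}


def region_of(ip: str):
    """Map a client address to a region code, or None when it is unknown."""
    addr = ipaddress.ip_address(ip)
    for net, region in REGION_OF_PREFIX.items():
        if addr in net:
            return region
    return None


@dataclass
class AccountPolicy:
    home_regions: set = field(default_factory=set)     # the "[COUNTRY]" setting
    temporary: dict = field(default_factory=dict)      # region -> expiry timestamp

    def green_light(self, region: str, until: float) -> None:
        """Allow an extra region until the given time, e.g. for a trip."""
        self.temporary[region] = until

    def decide(self, ip: str, now: float) -> str:
        """'allow' for a login from a permitted region, 'challenge' otherwise.
        'challenge' means the login continues only after additional
        verification (the security questions the bank model above uses)."""
        region = region_of(ip)
        if region is None:
            # unknown origin gets the challenge rather than a silent pass
            return "challenge"
        if region in self.home_regions:
            return "allow"
        expiry = self.temporary.get(region)
        if expiry is not None and now < expiry:
            return "allow"
        # an expired green light is removed so it cannot linger as stale access
        self.temporary.pop(region, None)
        return "challenge"
```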