Curse

JimmyNeutron · Dec 12, 2009, 03:23 AM // 03:23

Quote:

Originally Posted by flubber

all I see is you getting banned as well as endangering others. you might get away with it once, but the way you're on about it...you aren't gonna dupe that easy, that many times, when dealing with real people.

and paying extra for security? you must be joking. I'll drop the game like a bad habit.

Like I said, you're stupid and deserve to be caught if you can't think of other ways of duping through a fake hack or other loophole if ANET implements the restore feature.

And DUH!!!, not going to be that dumb to do it more than once per account per year. Why do you think people have 4 accounts??? LOL!!!!!!!!!!!!! and personally, I wouldn't do this on any rare and limited mini pets. I would rather do it on say a mini Dhuum since there is no set quantity like the mini Mad King Guard or a Crystalline Sword R9

Remember Friend #2 will keep his stuff because to ANET, it looks likea legit sale; a RANDOM person getting the item for free, drawing, contest, or at the right place and right time to buy.

ANET pulls Friend #2 inventory, he will argue back and said, "Hey, I bought that from a guy that was desperate for gold." or some other BS." If we want to make ANET really miserable. Transfer those items around 10+ time to different accounts times to make ANET spend more resource in the investigation.

So now ANET will have to spend at least an hour to review the log and see where and who it went to and for how much and reverse all that. Now, sounds easy and doesn't sound like much work, but multiply that by a factor of 1000 and ANET will be tied up reviewing logs and would have to put some resource into just reviewing the log. This of course, will cost ANET real money because the resource that could've been use for other things, is now use to sniff through logs to restore stolen goods and etc....

See?????????????

gone · Dec 12, 2009, 03:49 AM // 03:49

Quote:

Originally Posted by JimmyNeutron

Like I said, you're stupid and deserve to be caught if you can't think of other ways of duping through a fake hack or other loophole if ANET implements the restore feature.

And DUH!!!, not going to be that dumb to do it more than once per account per year. Why do you think people have 4 accounts??? LOL!!!!!!!!!!!!! and personally, I wouldn't do this on any rare and limited mini pets. I would rather do it on say a mini Dhuum since there is no set quantity like the mini Mad King Guard or a Crystalline Sword R9

Remember Friend #2 will keep his stuff because to ANET, it looks likea legit sale; a RANDOM person getting the item for free, drawing, contest, or at the right place and right time to buy.

ANET pulls Friend #2 inventory, he will argue back and said, "Hey, I bought that from a guy that was desperate for gold." or some other BS." If we want to make ANET really miserable. Transfer those items around 10+ time to different accounts times to make ANET spend more resource in the investigation.

So now ANET will have to spend at least an hour to review the log and see where and who it went to and for how much and reverse all that. Now, sounds easy and doesn't sound like much work, but multiply that by a factor of 1000 and ANET will be tied up reviewing logs and would have to put some resource into just reviewing the log. This of course, will cost ANET real money because the resource that could've been use for other things, is now use to sniff through logs to restore stolen goods and etc....

See?????????????

You're joking right? you do realize that many other well-known games have/had this sort of feature implemented and haven't been taken for a ride....

Quote:

Originally Posted by JimmyNeutron

Why do you think people have 4 accounts??? LOL!!!!!!!!!!!!!

it was a storage thing brah.

HBlix · Dec 12, 2009, 05:13 AM // 05:13

As long as they prevent any security holes on their end, nothing needs to be done. I have never had any account for anything I have ever owned stolen, ever. Adding anything would only serve to annoy me and baby people who do something dumb.

JimmyNeutron · Dec 12, 2009, 06:31 AM // 06:31

Quote:

Originally Posted by flubber

You're joking right?

I joke, u not. I am alive serious.

Martin Alvito · Dec 12, 2009, 08:11 AM // 08:11

Quote:

Originally Posted by Inde

Let me be very clear and show you why gaming developers laugh at your petitions and threats of boycotts. Now Martin Kerstein will probably hate me for this (sorry!), and let it be noted that this probably isn't his current opinion of this specific problem so please don't read more into it then necessary.

Let me point out a few things that indicate why this is totally irrelevant to the topic under discussion:

1) Distribution of sales

The specific issue you raise was with the PC version of the game. So the game sold 5 million copies on day one, eh? What proportion of those sales was to PC, XBox and PS3? Moreover, what would have been expected? The data you indicate is a useless and pointless refutation. Show me robust PC sales and I might agree with you if not for:

2) Hacking the game client

PC users found a way around the problem. Even if PC sales were robust, the fact of the matter is that PC users could expect that members of the community would find a way around the issue that concerned them. No such solution exists here.

3) Substitution effects

Where else were the COD4:MW2 purchasers going to go? I'd argue that they weren't going to substitute to L4D2 for a variety of reasons. Can we agree that the substitution threats to GW2 sales are Diablo 3 and Star Wars: The Old Republic, that Blizzard has satisfactorily demonstrated a commitment to inexpensive account security measures, and that Bioware is intelligent enough and sufficiently well funded to avoid NCSoft's mistakes here?

Assuming that what proved true in COD4:MW2 sales will apply to GW2 sales is foolish. There's no guarantee that the causal mechanism will play out the same way, and plenty of evidence that would suggest otherwise. ANet is the disadvantaged marketing player and simply cannot afford to alienate the existing player base. It really is that simple.

Shanaeri Rynale · Dec 12, 2009, 10:04 AM // 10:04

There are so many easy things that can be done. E.g make it so rare mats can never be salvaged from armor. Then there would be no point in stripping chars of thier armor for money. Any improvement would be welcome at this point. Put a temporary measure in place while the proper one is being fixed.

It was done before I.e reconnects taken away while the dupe was fixed. So why not do something now?

You can't compare EA and Anet. EA has hundreds of products over every gaming platform there is, Anet has just one product on a single platform.

If anet succeeds in isolating it's established fan and player base then quite simply GW2 starts from a very, very weak positon.

No company in this day and age can afford to ignore the wishes and concerns of it's customers, especially if that company has all it's eggs in one basket, EA may well be able to ignore the feelings of a few thousand people, Anet with it's single aging product imho just cannot(well it can, but you know what I mean)

Quote:

Our goal on this forum is to provide constructive feedback. While I can appreciate your desires to do this in petition form I would rather have the community engaged in discussion.

Normally I would agree were the subject not so important We're not talking about if a skill should be changed, or wouldn't it be good if...

If we are getting daily reports of multiple account loss to the point where threads are having to be merged, If Guru is only a small proportion of the community who knows how many have been compromised game wide. Some may not even know they have been hacked for months.

This issue is so serious that I believe the 'we'll let you discuss it' approach is no longer valid. As an elite site you have direct contact and relationships with people in Anet we do not have.

On behalf of the community you, by proxy represent then I believe some sort of open letter to areanet CC'd to the gaming press is needed, followed up by updates as to the responses or not.

For an issue this serious and this destructive I believe standing by and just watching person after person post the same horrific thing is unacceptable,

I admire the job all of you do here, and over the years you have done a fantastic job for the community, but this time i firmly and totally believe you can and should do more.

My apologies if you are, but if so it has not been made public. In that case perhaps it's time it should.

Rehnahvah Gahro · Dec 12, 2009, 10:08 AM // 10:08

Also, Infinity Ward cannot be compared to NCSoft let alone Anet. IW is through the roof right now, they sold so much copies of MW2 (including Console, well specifically Console), it's not even funny anymore. Anything they sell after that will become a sure hit.
NCSoft on the other hand should take complaints much more serious, they don't exactly drown in cash (they're not doing too bad either, but nothing compared to the big names out there).

What I'm trying to say is: pressuring NC (even if it is through Anet) will have a greater effect than trying to pressure IW. So I guess this thread has other means than pure discussion and suggestions.

Another thing that boggles my mind: Why did NC change their site in the first place. Were they really that dumb and neglected security just to save a few cents? Don't tell me they were really that ignorant

And if they were, they deserve a little payback, just enough to never make such a mistake again. All I know is that if this situation is not dealt with until GW2 or even gets worse, I will not bother getting GW2 (at least until I can be sure that my account is as safe as you would expect from an MMO).

Rushin Roulette · Dec 12, 2009, 10:23 AM // 10:23

Quote:

Originally Posted by JR

[highlight]
Compromised account restorations

This is already provided by many MMOs. Once the account has been compromised, game support can go back and verify which items were removed and restore them to the compromised account. ArenaNet has always stated they cannot restore items on live servers. Whether this is a technical or a budgeting limitation is up for speculation, but the inevitable comparison has been made and this capability has been requested.

Other S/W solution

Specify what other software features you'd like to see implemented.
(e.g. Human verification images)

These 2. Anet are able to add or remove items during a live server build such as with trades between NPCs or during Holidays with ToT Bags /Masks when in town and participating in the games such as the 9 Rings of AFKdom or Grenth vs. Dwayna.

For the S/W Solution, I was thinking of automatic Email confirmation for Email or Access changes. If you try to change the Password, then it is only changed AFTER you enter a pin or click a link which is sent to the registered Email. If you try to change the Email address of the account, the same happens, but a confirmation is needed from the old and the new address before anything is changed.

This is standard procedure with most games and Sites already, so I don't know why Anet/NCsoft don't use these basic company side security features. If for example the User has lost or forgotten his Email address, then there is always the possibility of getting help from Support via the CD Keys, character names or what ever else sort of information they randomly request. On a side note: There should also be a possibility of changing the registered address of the user in case the user moves house because this isn't really that uncommon nowadays, especially as many users are in the teens and move for college or out of hotel Mom for the first time.

Hengis · Dec 12, 2009, 01:36 PM // 13:36

I voted for SecurID. I have used a SecurID fob at work in its various forms for many years. These things are used by the biggest businesses and even by Government Departments to protect their information and I firmly believe that this would end account hacks period.

Several of the choices do not in anyway address the issues that have been exposed and discussed specifically by Martin Alvito in his well thought out and reasoned posts on the weaknesses in the PlayNC Master Account - specifically the fact that the site tells you if you guess things right, doesn't require a confirmation email or knowledge of the exisiting password, and then exposes all your linked usernames to the hacker.

I would also like to see a clear acknowledgement from ANet and or NCSoft that they have a serious problem and some form of in-game restitution for those of us who have recently had years of playing this game destroyed. I would not expect or even want this to become a long term policy as it is indeed open to abuse.

What has surprised me in both this thread and the closed petition thread was how many new people have posted saying they have been hacked. As we know that we (as in Guru members) only represent a tiny fraction of the community, there must be hundreds if not thousands of active players who never post anywhere who have suffered the same fate.

Theer must also be similar numbers of dormant accounts that have also been hacked that we won't ever find out about, or might only find out about in the coming months if the players decide to come back to the game.

I am also still astonished that there are still some people who still don't believe there is a problem, although they now seem to be in the minority.

This problem still seems to be escalating. The community is probably smaller than it ever has been, yet the number of players reporting hacking incidents is now higher than ever.

I have played Guild Wars for four and a half years and in all that time have never seen anything on this scale. There have always been occasional reports of accounts being hacked, but they could be explained by the usual keyloggers or shared accounts etc, but this latest problem seems to be much more than that. The majority of us who have been hacked recently are long term players, who if things such as keyloggers and weak passwords or poor personal security were to blame would have been hacked long ago.

Inde · Dec 12, 2009, 04:10 PM // 16:10

You guys seemed to have missed my key point. I wasn't comparing MW2/EA with GW/Anet. I was showing you the overall opinion of game developers on petitions and boycotts. Not the facts or inconsistencies behind it.

Martin Alvito · Dec 12, 2009, 04:41 PM // 16:41

It's how you framed the post. You started out with, "Let me be very clear and show you why..." rather than framing it as something like, "Game developers don't believe you. Here's the evidence they're using." The difference is subtle, but influences the responses you get.

In any event, the point that people are making is that while other game developers may indeed be able to ignore their community, doing so here would be fatal.

If ANet's looking for proof, they should ask the marketing department a simple question. In 2006-2007, what proportion of existing players purchased the expansions, and what proportion of players reporting getting hacked during that period purchased expansions? I'd bet that those proportions differ and that the difference is statistically significant.

Moral: account thefts cost you business, even when you cannot be held accountable for the thefts. When it's reasonable to hold the developer accountable, account thefts are poison.

Rushin Roulette · Dec 12, 2009, 05:16 PM // 17:16

Quote:

Originally Posted by Inde

You guys seemed to have missed my key point. I wasn't comparing MW2/EA with GW/Anet. I was showing you the overall opinion of game developers on petitions and boycotts. Not the facts or inconsistencies behind it.

Yea, you may be right about ES IW or other major Game companies. They can afford to scare away a few thousand players because a few thousand copies of 20 Million is not as bad as a few thousand of 2 or 3 Million players in total.
Anet have however listened to the Players that have screamed the most over the past.
Minion Masters were overpowered, you can only support X amount of Minions now
SR was overpowered, you can only get energy 3 times every 15 seconds.
UB was over powered, Anet nerfed UB 2 or 3 times.
CoP was overpowered, It got hit by the Nerfstick.
SF and a few more Farming Skills are overpowered, It is in the works with Anet.
These are only a few examples of what has changed in the last few years after the players complained. I really hope Anet listen to this and actually sit down with NCSoft to constructively work on a solution to the problem. They don't even need to brainstorm ideas much, because the player base is basically serving these to them on a silver platter. They only need to go to their system admins and give them the ideas and ask which ones are actually possible and which ones they can trash immediately because they're not worth the effort or the costs.

Edit: There is also a difference between players not getting their favorite servers or great graphics as opposed to account security for a product that is basically only physically on the Host servers. It makes the whole EULA rules void if the makers themselves cant even guarantee basic host side security for the things that do not break the EULA. Rules and responsibility run both ways. Security is not an issue that is solely the responsibility of the user.

Now heres a question for you in particular Inde. What do you think that could happen to you, if it turns out that the user security on Guru is too lax and users have come to harm through virtual loss? There must be a reason why you are always cracking down so hard on Spammers, Ad-Bots and insulting posts.

Chthon · Dec 12, 2009, 08:37 PM // 20:37

Quote:

Originally Posted by Inde

Yeah, ever since gaming went mainstream the biggest profits have come from the "casual gamer" demographic. You can totally ignore the serious, hardcore gamers and still make a fortune so long as you can keep the attention of that guy who buys every crappy movie tie-in game and a new version of Madden every single year. I get it. Lots of folks get it. This guy gets it and even draws cartoons about it. These guys too. MW2 telling the hardcore gamers to go jump in a lake and not having to pay a price for having done so is just one more example of a trend that's been happening for awhile now.

However, there's a huge distinction to be drawn between leaving out dedicated servers and letting Chinese RMT thieves steal accounts at will. Dedicated servers only matter to the hardcore gamers -- people who care about things like latency advantage, etc. The lack of dedicated servers hardly bothers the casual gamers. On the other hand, nobody is going to buy a MMO if they know their account would be subject to unpreventable theft. Not even casual gamers. If, starting tomorrow, every kid who works at Gamestop starting telling customers who came to buy Aion "I suggest you buy a different game; NCSoft has weak security and your account could be easily stolen and there's nothing you could do about it," sales would fall dramatically. The only reason that NCSoft's sales haven't fallen off a cliff, the only reason that NCSoft hasn't chosen to clean up its act, is that almost nobody knows. The vast majority of the potential customer base of causal gamers is totally ignorant of the problem. It's only a comparatively few hardcore people on the forums who grasp the size of the security problem -- a comparatively few people who can't even agree to be vocal about it. NCSoft can -- and probably will -- ignore us unless and until we become so vocal about their poor security that word gets out among the broader potential customer base.

Now, why I said we "might" be able to get their attention with a petition is that maybe, just maybe, someone at NCSoft can see the likelihood of progression from highly vocal forums to articles in the gaming press to the kid at gamestop whispering advice to avoid certain companies. And maybe this person would decide it's wiser to save face by fixing security before the company gets a widely-known reputation for bad security instead of after. Maybe.

Quote:

Our goal on this forum is to provide constructive feedback...This thread is going very well, there is the exchange of ideas, there are opinions, there is analysis of different security options, there are voices that are offering their feedback. Exactly what is desired on a forum. I count this thread very successful.

The hell it is. In addition to the fact that we're polling a largely non-expert group about matter that require expert knowledge ("75% of Fox New viewers who responded to our poll think the Large Hadron Collider is a threat to all life on earth!!!"), we're rehashing a matter that's already been discussed to death. These ideas have been know for YEARS. They've been suggested for years. They've been not implemented for years. The only thing that distinguishes this thread from any other "suggestions for improving account security" thread from 6 months ago, or a year ago, or 3 years ago is the fact that NCSoft's faulty security is likely responsible for many of the recent account thefts. That's the elephant in the room. That's what we should be talking about.

Burst Cancel · Dec 12, 2009, 08:56 PM // 20:56

So how many people have actually quit over account security issues? Do any of you have the hard data you need to support your positions? All I see is a lot of handwaving and baseless conjecture.

There isn't a single option in that poll that's really worth a damn. Even SecurID is vulnerable to trojans/MITM attacks. And for those of you who think you're immune to viruses - even official first-party drivers have been compromised by viruses (http://news.softpedia.com/news/Offic...s-122612.shtml). No security program or policy in the world matters if the user authorizes the program. And that's ignoring factors that are generally outside of your control (e.g., DNS cache poisoning).

Inde · Dec 12, 2009, 09:53 PM // 21:53

LOL, I actually do really appreciate everyone's passion over this. But as you have so eloquently pointed out Chthon, we may be screaming at a wall. All we have is speculation. ArenaNet has tried to respond to the issue. Gaile Gray's talk page has been updated quite a bit over the last 2 months with their research on this issue. It's more then I have seen in a bit so you just have to be watching the right channels of communication they use.

Burst Cancel, I'm sure by now most of can indeed see the flaws with every choice. But I don't believe it should stop any company, whether it's a financial institution, retail, school, game, website or any other online portal from at least trying. We all know that basic fact that if you're connected to the web, you are vulnerable.

Fril Estelin · Dec 12, 2009, 10:22 PM // 22:22

Quote:

Originally Posted by Theocrat

We know restorations are possible now, though.

I meant not possible in the sense of not manageable. Not at all.

Martin Alvito · Dec 12, 2009, 10:22 PM // 22:22

Quote:

Originally Posted by Burst Cancel

So how many people have actually quit over account security issues? Do any of you have the hard data you need to support your positions? All I see is a lot of handwaving and baseless conjecture.

Can't get the data. And I don't blame ANet and NCSoft for concealing it.

But what we can say with confidence is that, compared to other websites on the web, the NCSoft website is five to ten years behind the times. So when we start observing droves of players complaining that their account was stolen via password reset at the NCSoft site, we can infer that the two are probably related.

If you can't appreciate this based on what has been said, do what I did: go to the website and try to figure out how it could be hacked. You'll quickly realize that an organized effort to do so would pay dividends. Just don't actually log into your PlayNC account unless you like risk.

Quote:

Originally Posted by Burst Cancel

There isn't a single option in that poll that's really worth a damn.

We're not looking for impregnable security. Honestly, we just want the security to be competitive, so that hackers move on to more attractive and profitable targets rather than go after this game. As the industry leader, Blizzard answered the bell. But if NCSoft can't be bothered to follow, then there really isn't any sense in doing business with them further. If I'm going to be playing something online for an extended period of time, the account I use had better be secure.

Smarty · Dec 12, 2009, 10:41 PM // 22:41

Quote:

Originally Posted by Chthon

On the other hand, nobody is going to buy a MMO if they know their account would be subject to unpreventable theft. Not even casual gamers. If, starting tomorrow, every kid who works at Gamestop starting telling customers who came to buy Aion "I suggest you buy a different game; NCSoft has weak security and your account could be easily stolen and there's nothing you could do about it," sales would fall dramatically. The only reason that NCSoft's sales haven't fallen off a cliff, the only reason that NCSoft hasn't chosen to clean up its act, is that almost nobody knows. The vast majority of the potential customer base of causal gamers is totally ignorant of the problem. It's only a comparatively few hardcore people on the forums who grasp the size of the security problem -- a comparatively few people who can't even agree to be vocal about it. NCSoft can -- and probably will -- ignore us unless and until we become so vocal about their poor security that word gets out among the broader potential customer base.

Now, why I said we "might" be able to get their attention with a petition is that maybe, just maybe, someone at NCSoft can see the likelihood of progression from highly vocal forums to articles in the gaming press to the kid at gamestop whispering advice to avoid certain companies. And maybe this person would decide it's wiser to save face by fixing security before the company gets a widely-known reputation for bad security instead of after. Maybe.

And this is why I disagree with you Guru admins and moderators closing Shan's poll and closing all the "I've been hacked!" threads that have been popping up lately. Once a thread's closed it drops off the front page and the scale of the problem appears smaller than it actually is, whereas what we actually need to get anything done is to push it towards the bolded parts in Chthon's post. This problem is HUGE, guys, and deserves more attention than just this one open thread - until something is done about the NCsoft login procedure and/or other security measures are implemented.

Inde · Dec 12, 2009, 10:44 PM // 22:44

They have been closed but they are not simply deleted. We have a very clear record of them in this thread here: http://www.guildwarsguru.com/forum/s...79#post4928279

Which is still on the front page.

Chthon · Dec 12, 2009, 11:43 PM // 23:43

Quote:

Originally Posted by Burst Cancel

So how many people have actually quit over account security issues?

None I'd wager. People don't stop playing a game they already bought over poor account security; they try to avoid buying a game with poor account security in the first place. Well I suppose you could count the people who had their accounts stolen and couldn't/didn't care to deal with support to get it back as having "quit."

Quote:

Originally Posted by Inde

LOL, I actually do really appreciate everyone's passion over this. But as you have so eloquently pointed out Chthon, we may be screaming at a wall. All we have is speculation. ArenaNet has tried to respond to the issue. Gaile Gray's talk page has been updated quite a bit over the last 2 months with their research on this issue. It's more then I have seen in a bit so you just have to be watching the right channels of communication they use.

1. While neither is particularly likely to be effective, screaming at a wall is better than whispering at it.

2. Where there's smoke, there's fire. I don't need to wait for Martin Alvito to figure all the details out and produce a working proof-of-concept to draw conclusions from the mounting body of circumstantial evidence. There is a very high probability that there exists a method of stealing GW accounts that bypasses or largely bypasses interaction with the user. There is a high probability that the NCSoft master account's password reset is a major weak point.

3. That gives me an idea. Why not try to give you a proof-of-concept? Would anyone, especially those who say "you can't prove the weak point is at NCSoft, so it's all speculation," like to volunteer for "Project Hack-A-Mate"? If so, PM me the name of the NCSoft account linked to your mule account (or even your main account), and I'll get some people together to try to break it.

4. I now think Shan is right about something. I also now think that's only half the story.