Guild Wars Forums - GW Guru > The Inner Circle > The Riverside Inn
Poll: Which of the following security measures would you like to see added to Guild Wars?
#121 | Kaleban (Jungle Guide) | Dec 14, 2009, 12:01 PM
Join Date: May 2005
Location: Hot as hell Florida
Guild: [Wckd]
Profession: Me/

How difficult would it be to keep an electronic "watermark" on a person's account?

From everything I've read, these accounts are being hacked/stolen by others with different IP addresses, service providers, countries of origin etc.

I'm not up to date on network security, but surely there must be a way to verify that the account being logged into comes from the same computer?

If that's too difficult, then why not just have a backup? It can't be difficult to store an account's major details, like armor sets (or parts thereof) and other items in a simple .ini file on ANet's servers. Perhaps each account is backed up once a week; if an account hack is claimed, the person e-mailing or calling in has to provide their original CD-key? Once a person proves ownership, the account is reverted.

Or maybe there shouldn't be two companies both with security holes handling online transactions for real money if they can't handle game account hacks. In my time playing WoW, there were a couple of attempts to hack my account, and Blizzard was VERY aggressive in tracking down the culprit and restoring my account, even items!

Customer service and communication is an extremely important issue for any game developer, more so for those that operate online games, especially those who handle online monetary transactions, AND ANet/NCSoft have failed miserably in this respect.
-- Kaleban
#122 | Smarty (Krytan Explorer) | Dec 14, 2009, 02:13 PM
Join Date: Mar 2008
Location: England
Profession: Me/

Came across this whilst browsing AionSource - note the bolded part, very interesting if true:

Quote:
Apparently it's possible for your master account to be hacked and all your game passwords to be changed without you even logging in to the game, visiting any website or anything of the sort, as I just found out.

My Guild Wars, NC Soft master account and Aion account have all had their passwords changed with NO contact from NC Soft to verify any of these things happening. I'm very strict about my game accounts, I even have a separate gaming PC that I have my games on and nothing else so they are kept away from anything dodgy, I live alone so no one can access my PC and I never log in using another PC. I haven't even logged into any of the accounts mentioned for at least a few weeks but suddenly today I get an email telling me my password has been changed without my consent. How hard is it to send out a confirmation email before changing passwords? Answer - IT'S NOT!!!

This would be bad enough, but to make matters worse apparently NC Soft couldn't care less about customer support as they don't even provide a phone support line for this kind of thing, you just have to use the amazingly crap 'support' website to 'ask a question' and send them an email which will probably take days to get answered if ever.

Massive security failure NC Soft, absolutely appalling.
Source: http://www.aionsource.com/forum/aion...ml#post1898338.
-- Smarty
#123 | Miscreant_Moon (Ascalonian Squire) | Dec 14, 2009, 02:40 PM
Join Date: Jul 2009
Location: Somewhere in Ascalon
Profession: Me/E

I can one up you Mister Smartypants:

http://www.aionsource.com/forum/1891985-post55.html
http://www.aionsource.com/forum/1893963-post59.html
http://www.aionsource.com/forum/1866921-post6.html
http://www.aionsource.com/forum/1869464-post12.html
http://www.aionsource.com/forum/1870322-post16.html
http://www.aionsource.com/forum/1871263-post21.html
http://www.aionsource.com/forum/1871301-post22.html
http://www.aionsource.com/forum/1880617-post35.html
http://www.aionsource.com/forum/1886706-post1.html
http://www.aionsource.com/forum/1874486-post1.html
http://www.aionsource.com/forum/1835883-post1.html
http://www.aionsource.com/forum/1836024-post7.html
http://www.aionsource.com/forum/1836159-post11.html
http://www.aionsource.com/forum/1837768-post25.html
http://www.aionsource.com/forum/1841455-post34.html
http://www.aionsource.com/forum/1839199-post1.html
http://www.aionsource.com/forum/1897848-post1.html
http://www.aionsource.com/forum/1883220-post1.html
http://www.aionsource.com/forum/1662656-post1.html
http://www.aionsource.com/forum/1663958-post37.html
http://www.aionsource.com/forum/1668775-post39.html
http://www.aionsource.com/forum/1871436-post1.html
http://www.aionsource.com/forum/1868809-post1.html

You'll notice some overwhelming themes of "some IP from china" and "reset master ncsoft passwords" in those posts. That was just casually browsing the site for the last few days. But remember, according to ArenaNet, NCSoft DOESN'T have any security issues. *smirk*

Last edited by Miscreant_Moon; Dec 14, 2009 at 02:49 PM.
-- Miscreant_Moon
#124 | Tullzinski (Jungle Guide) | Dec 14, 2009, 03:48 PM
Join Date: Mar 2006
Location: Trying to stay out of Ryuk's Death Note
Profession: N/R

Quote:
Originally Posted by Miscreant_Moon View Post
But remember, according to ArenaNet, NCSoft DOESN'T have any security issues. *smirk*
It is worse than that. The NCsoft Master Account hub is referred to as having an added level of security! LOL! (see below) If you go to the Guild Wars support section and click on account security you are directed to Gaile's page that contains the below item:

-------------------------------------------------------------------------
http://wiki.guildwars.com/wiki/User:...count_Security
Keep your email secure.
If someone gains access to your email account, immediately change your Guild Wars user name and password. (If you can't get access for some reason, get in touch with support right away. If your game account is bound to an NCsoft Master Account, you are not able to change your Guild Wars user name but you can protect your account by changing your GW game password from within the NCsoft Master Account hub. And you can change the email address associated with your NCsoft Master Account (and your games) at any time. Many players feel that having an NCsoft Master Account adds another level of security to the game's security.
------------------------------------------------------------------------

How many more examples have to be provided by the community to prove that this is indeed a weak spot? At a minimum NCsoft should disable the password reset function.

One would think that the Master Account hub password reset function was added to reduce the need for support personnel to assist players in resetting forgotten passwords. This automated feature would likely save them money by reducing the amount of support tickets needing hands-on intervention.

I wonder how that is working out for NCsoft? With an increase of hacked accounts across NCsoft games linked to the Master hub, it seems like any cost reductions have not been realized by NCsoft due to the increase of tickets dealing with stolen accounts. Stolen account tickets have to be more time consuming/costly to deal with than password resets.

For all the added security ideas presented here, one is missing: disabling the reset feature at the NCsoft Master Hub. This is simple to accomplish, the cheapest and the quickest of any of the security measures presented. The only drawback would be that people in need of a password reset would have to open a support ticket and provide a CD key.

Do this for three months and see if the "my account was hacked" tickets are reduced. If there is a reduction, then the problem is identified and a long term solution should be researched and implemented. If not, then publish the findings and tell everyone it is NOT the problem and continue to blame the users.

Edit: Not sure how hard it would be to require the input of a valid CD key when resetting the password at the Master hub ...any clues???

Last edited by Tullzinski; Dec 14, 2009 at 03:53 PM.
-- Tullzinski
#125 | Another Felldspar (Lion's Arch Merchant) | Dec 14, 2009, 03:55 PM
Join Date: Sep 2006
Guild: Alchemy Incorporated
Profession: Mo/E

Quote:
Originally Posted by Nerel View Post
The numbers of the players threatening to walk is always far too low, the number of players who actually carry out the threat are insignificant. And in GW's case, they're looking more at new players to expand their base far more than player retention, or at least, they should be. Even for a smaller game (like GW) such threats could be, at best, chuckle worthy.
I can say that, in my case at least, this isn't a threat of a boycott. It's simply smart consumerism. I've bought many extras for the game from storage panels, to character slots, to gift accounts for family members so that they can play the game with me, but I won't spend more money on something that I don't feel is secure. Unless A-Net is willing to tell me that they and NCSoft are both working on the security issues I won't spend more money with them.

I am a person with discretionary income. I had planned to spend quite a few holiday dollars bringing my niece into the GW family play this season, but that won't be happening. Companies spend thousands of dollars on marketing advice and knowing how to appeal to their consumers. I'm just giving them the same information they pay for in other instances.

Gaile Grey has said on her support page that dealing with one hacked account is more costly for the company than the profit derived from several games sold. So, it makes business sense for them to increase security too.

I am willing to spend money on increased security features. I understand that the game/expansions/extras that I've purchased to date were purchased with the existing level of security.
-- Another Felldspar
#126 | the_jos (Forge Runner) | Dec 14, 2009, 04:36 PM
Join Date: Jun 2006
Guild: Hard Mode Legion [HML]
Profession: N/

Ok, I'm going to share some additional thoughts on this subject.

Whatever A-net/NCSoft does, they cannot in any way protect credentials that are used somewhere else.

So how can they improve GW security?
This is a hard question. For full security I would limit IP range and send out tokens. Or secure certificates. This is how many banking applications work (and some large games provide tokens).
Would I do this for a game like GW? No! It will never pay back, expenses are too high.
Sure, people say they will buy additional security. But that number is rather limited and would have additional support issues. From an economics perspective this is a bad choice. For banking it works because banks need to pay stolen money back. One prevented compromise and they have their investment back, easily. The worst that can happen with an online game is loss of trust of (a few) customers. Might sound harsh but it's true, especially for a pay once play 'forever' game.

Next step down would be a detection of strange behaviour.
This is hard to implement and might cause some latency issues at login for customers. Just check if the account is already logged in.
If not then log in. If logged in check IP address of user logged in and the new connection. If the same it's a reconnect, so proceed.
If the user is logged in and the IP is not the same, present a message on the screen for let's say 5 minutes. After time is up bring down the old connection and enter from the new IP (I forget to turn off the game sometimes when visiting friends with my laptop). This would prevent kicking people from the game.

Within this detection some additional checking could be done.
I think it's against EULA to share accounts.
So A-net could make a check on someone logging in from IP A while previously logged in from IP B.
If IP A is located in the US and IP B in Europe it's very unlikely that the account can be accessed within 5 hours from both A and B.
This would limit the attack base to a region near the hacker/gold seller.
There are some ways to spoof IP addresses but I don't think those would work well for hackers/gold sellers, since they also need to make a profit.

The last thing is unusual behaviour from an IP address.
If a certain address uses a huge number of logins to various accounts it's suspect.

But we are talking about intrusion detection here which is a rather new field of work and many large businesses fail at it.
And I'm not sure where the responsibility lies, at A-net or NCSoft.



However, this is for the GW account.
This excludes the NCSoft account, which seems to be part of the problem from the various messages I see here.
We know one thing of it, the e-mail address cannot be changed. And it might be difficult to implement this. And it's out of reach for A-net for sure.

My first impression is that the NCSoft account must have been accessible to the hacker/gold seller. How would it be possible to request a password reset otherwise? (well I can think of some ways but I guess a-net is aware of those methods and covered them).

Given the address cannot be changed any implementation that requires feedback from the user would not work. I might register with [email protected] and the service they provide might discontinue. Or all of a sudden my free e-mail provider charges money and I change accounts because I don't want to pay.
So the e-mail address I used to register might not be accessible, meaning I cannot change the password even when I know the credentials.


But there are things that look doable.
For example, if a certain IP address accesses a high number of accounts or requests a reset for many passwords, that is suspect for sure.
Even if those requests are done over a long period of time.
Not that many people have 10+ accounts.
Problem here is that this is easily worked around with a proxy or something like TOR. The request goes to the original e-mail address, so it cannot be filtered on that either.

On the side of the NCSoft account not much can be done in short time. The master e-mail cannot be changed. Filtering is hard. Detection of suspect behaviour is hard. Just ask forum admins how hard it can be to keep certain people out and you know a little about fighting people who are not there to troll but are actually making money with what they do.

So for the NCSoft account responsibility is mainly with the user.
The link between this account and GW cannot be broken once made, it would mess up a lot.
Let's assume the e-mail address can be changed. Would this help?
Only if that e-mail address is not used anywhere else. Else it's just a matter of time before people will try to enter the account again.

What could help is if NCSoft would release tokens or certificates for their website. Their userbase is larger than only the GW users. Even ask a contribution, once a year or once every 3 or 6 months. Fail to pay and your account will be reverted to 'default' security. Pay again and your account will be linked to the token again. Don't drop the token in your milk or you cannot change your NCSoft stuff for a couple of days/weeks.
Knowledge is in the market, many companies issue tokens or certificates for websites, especially in the financial world.

Edit: this last part does not make the GW account more secure than it's now.
People can enter it already before they can reset the password. They reset to lock the legitimate user out, not to access the account!

Last edited by the_jos; Dec 14, 2009 at 04:54 PM.
-- the_jos
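The login checks the_jos sketches in the post above (same-IP reconnect, a 5-minute grace period before a new IP takes over, the US/Europe travel check, and one IP touching many accounts), as an added example in Python that is not from the thread or from ArenaNet/NCsoft. The region table, IP prefixes, account names and the 10-account cutoff are constructed assumptions for the demo.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed geolocation table (IP prefix -> region) standing in for a real
# GeoIP lookup; these are documentation prefixes, not real players (assumption).
GEO = {"203.0.113.": "CN", "198.51.100.": "US", "192.0.2.": "EU"}

GRACE_SECONDS = 5 * 60        # the 5-minute notice before the old session is dropped
TRAVEL_WINDOW = 5 * 3600      # "within 5 hours from both A and B"
MAX_ACCOUNTS_PER_IP = 10      # "not that many people have 10+ accounts" (assumed cutoff)


def region_of(ip: str) -> str:
    for prefix, region in GEO.items():
        if ip.startswith(prefix):
            return region
    return "UNKNOWN"


@dataclass
class Session:
    ip: str
    since: int


@dataclass
class LoginMonitor:
    active: dict = field(default_factory=dict)      # account -> Session
    last_seen: dict = field(default_factory=dict)   # account -> (ip, ts) of last accepted login
    pending: dict = field(default_factory=dict)     # account -> (new_ip, ts) waiting for takeover
    accounts_by_ip: dict = field(default_factory=lambda: defaultdict(set))

    def login(self, account: str, ip: str, ts: int):
        """Return (decision, flags): decision is 'login', 'reconnect', 'hold' or
        'takeover'; flags are detections for the support/SOC queue."""
        flags = []

        # One address touching many distinct accounts is suspect, even over a long period.
        self.accounts_by_ip[ip].add(account)
        if len(self.accounts_by_ip[ip]) > MAX_ACCOUNTS_PER_IP:
            flags.append("ip_many_accounts")

        # Region change within the travel window: an account cannot be used from the
        # US and from Europe within 5 hours, so flag it (flagging alone does not block).
        prev = self.last_seen.get(account)
        if prev and region_of(prev[0]) != region_of(ip) and ts - prev[1] < TRAVEL_WINDOW:
            flags.append("impossible_travel")

        cur = self.active.get(account)
        if cur is None:
            decision = "login"                      # not logged in: just log in
            self.active[account] = Session(ip, ts)
        elif cur.ip == ip:
            decision = "reconnect"                  # same IP: treat as a reconnect
        else:
            # Different IP while a session exists: show the notice and start the
            # grace period instead of kicking the old connection immediately.
            p = self.pending.get(account)
            if p and p[0] == ip and ts - p[1] >= GRACE_SECONDS:
                decision = "takeover"
                self.active[account] = Session(ip, ts)
                del self.pending[account]
            else:
                if p is None or p[0] != ip:
                    self.pending[account] = (ip, ts)
                decision = "hold"

        if decision in ("login", "takeover"):
            self.last_seen[account] = (ip, ts)
        return decision, flags


if __name__ == "__main__":
    m = LoginMonitor()
    # Constructed sequence: home login, reconnect, then a European IP arriving
    # while the US session is still up.
    for acct, ip, ts in [("alice", "198.51.100.7", 0), ("alice", "198.51.100.7", 60),
                         ("alice", "192.0.2.9", 120), ("alice", "192.0.2.9", 420)]:
        print(acct, ip, ts, m.login(acct, ip, ts))
```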
#127 | IlikeGW (Jungle Guide) | Dec 14, 2009, 04:57 PM
Join Date: Aug 2005

They should use a unique log-in name, not email address.

They should also hold at least one character backup that is from before the last time the password is changed.
-- IlikeGW
#128 | SirJackassIII (Wilds Pathfinder) | Dec 14, 2009, 04:59 PM
Join Date: Oct 2005
Location: Belgium
Guild: none
Profession: N/E

Quote:
Originally Posted by Kaleban View Post
How difficult would it be to keep an electronic "watermark" on a person's account?

From everything I've read, these accounts are being hacked/stolen by others with different IP addresses, service providers, countries of origin etc.

I'm not up to date on network security, but surely there must be a way to verify that the account being logged into comes from the same computer?
There is. All of which can be circumvented/are not secure enough. It's the first option in the poll, IP/MAC check. The IP check fails due to the fact many people have dynamic IPs, might play from different computers and IPs can be spoofed. MAC addresses are slightly more secure and only provide a problem for people who play on different computers or have several accounts (if ANet checks 1 MAC/account). However, it is still possible for hackers to find out the MAC address and spoof it, rendering that useless as well.
Block IP's from outside your country? Use a proxy.

Quote:
If that's too difficult, then why not just have a backup? It can't be difficult to store an account's major details, like armor sets (or parts thereof) and other items in a simple .ini file on ANet's servers. Perhaps each account is backed up once a week, if an account hack is claimed, the person e-mailing or calling in has to provide their original CD-key? Once a person proves ownership, the account is reverted.
Yeah...no. ANet stores all Data in a database using BLOBs. The problem here is likely the persistency and consistency. To put it simply, each "item" may only exist once. Suppose you find a "sword" and someone else finds the same sword with the same stats, it still wouldn't be the same sword to the Database, where each item would require a unique identifier. Now, if ANet restores the account, they can't just revert it back, as you might have traded with someone or the hacker traded your items, which would cause that "sword" to appear twice in the database. This likely wouldn't cause a crash, as ANet probably put in some security to prevent that from happening, but it still wouldn't be good. If account reverting was an easy thing to do, they probably would have implemented it already.
-- SirJackassIII
#129 | Shadowmoon (Wilds Pathfinder) | Dec 14, 2009, 05:13 PM
Join Date: Jun 2006
Guild: N/A
Profession: N/

All I would want is character security, I don't care about items that much. Yes it sucks that items are lost, but at least you still have your character AND most important of all your HoM.
I can personally say if I was hacked, and my characters were deleted and I lost the thousands of hours of work on my HoM, I would not buy GW2, the stigma of losing so much would be too great.
I believe that should be a priority, seeing how we had 3 years of just working on the HoM before any hope of GW2.
-- Shadowmoon
#130 | JimmyNeutron (Krytan Explorer) | Dec 14, 2009, 07:42 PM
Join Date: Sep 2007

That's an RSA token that rotates to a different six-digit # every minute. You combine your unique 4-digit PIN # + the RSA token # = password.

Even if someone has your PIN #, they would not be able to break into your account because they also need the RSA token #. In addition, each RSA token is unique and ties into your account only. So grabbing and using someone else's RSA token # will not work for your account.


Lastly, the only way to make ANET do anything about it is to voice your anger with

YOUR WALLET aka $$$. Until they see a big decline in sales and online purchases, they don't give a crap about you or the community because if they did, they would've disabled the password reset already, right??????????????

Do you see the password reset being disabled? No.
Do you see them modifying it so it requires an authentication that is sent to your registered email address? No.

STOP BUYING ANYTHING RELATED TO ANET/GW/AION/ETC... UNTIL IT IS FIXED!!!!!!
SPREAD THE WORD!!!!!!!!!!!!!!!
-- JimmyNeutron
#131 | Aleta (Frost Gate Guardian) | Dec 14, 2009, 07:55 PM
Join Date: Jan 2006
Location: California
Guild: TTP
Profession: R/E

Well after reading the latest I went over and took all my billing info out of my Aion master account. And I had really wanted to see Aion's Christmas but instead I think I might be better off uninstalling GW and Aion and play EQ2 only.

And no way am I going near GW2.
-- Aleta
#132 | Perkunas (Jungle Guide) | Dec 15, 2009, 04:33 AM
Join Date: Aug 2006
Location: In my own little world, looking at yours
Guild: Only Us[NotU]
Profession: E/

Looking at the Poll now, it looks like the main concern is recovery and not prevention. Why is this?
-- Perkunas
#133 | zwei2stein (Grotto Attendant) | Dec 15, 2009, 07:43 AM
Join Date: Jun 2006
Location: Europe
Guild: The German Order [GER]
Profession: N/

Quote:
Originally Posted by Perkunas View Post
Looking at the Poll now, it looks like the main concern is recovery and not prevention. Why is this?
Prevention method votes actually add up to show that prevention is more preferred.

And in any case, this is a multiple choice poll. I, for one, voted for two prevention methods and one restore method.

Mostly because I realize that security is as strong as its weakest link: Plaync account and linked account password changes in the recent 'hack wave'. If security features can be bypassed in a similar way, they are pointless.

You can have a "CIA quality" password, IP lock and HW token generator, but if Plaync allows you to change the IP lock and HW token link the same way it allows a password change, well, those features might as well not exist.

On the other hand, account restore would solve exactly what people want: everyone is worried about losing characters and all the hard work and progress first and foremost. You could have an account breach, but it will not affect you.
-- zwei2stein
#134 | Riot Narita (Desert Nomad) | Dec 15, 2009, 09:24 AM
Join Date: Apr 2007

Quote:
Originally Posted by Perkunas View Post
Looking at the Poll now, it looks like the main concern is recovery and not prevention. Why is this?
You can fix (prevent) known risks. But you can never be sure that a new vulnerability will not emerge in future. Also, even people who are careful about security can make mistakes.

So it's good to have measures to limit damage as well.

Last edited by Riot Narita; Dec 15, 2009 at 09:27 AM.
-- Riot Narita
#135 | Smarty (Krytan Explorer) | Dec 15, 2009, 09:29 AM
Join Date: Mar 2008
Location: England
Profession: Me/

I'm more worried about recovery rather than prevention because at least that's a surefire guarantee of not losing your character due to your own or the company's carelessness, and is IMO the more realistic option when it comes to actually getting the current level of "security" changed - it's an additional extra that they could charge us for, rather than being something they'd have to spend time and money developing for free. As long as I'm guaranteed to have my main there to link to GW2, that'll do me where GW1 security is concerned.

GW2, on the other hand... I'm really not looking forward to having to link that to NCsoft to get rewards from GW1. I hope they come up with another way of sorting out the HoM.
-- Smarty
#136 | Nerel (Jungle Guide) | Dec 15, 2009, 09:48 AM
Join Date: Jun 2008
Location: Australia, what you want my home address?
Guild: [CAT]
Profession: Mo/

Recovery options lend themselves to abuse by the unscrupulous, and tend to be expensive to implement as they would require a not insignificant amount of investigation work from the support staff.

I favor better account security, certainly an email confirmation BEFORE changing the password on your account, and probably the same for an attempted log in from outside of your geographic IP range. I really don't see GW2 going with an optional Token device, though it might be nice, I fear the expense of implementing it would make it unreasonable to expect.

Quote:
Originally Posted by Ayelet Feldspar View Post
Unless A-Net is willing to tell me that they and NCSoft are both working on the security issues I won't spend more money with them.
I'm sure they'd be willing to tell that they are working on security issues, in just the same way they're willing to tell you we'll be getting skill balancing bimonthly (every two months). Talk is cheap, unfortunately.
-- Nerel
#137 | the_jos (Forge Runner) | Dec 15, 2009, 10:30 AM
Join Date: Jun 2006
Guild: Hard Mode Legion [HML]
Profession: N/

Quote:
Originally Posted by Perkunas View Post
Looking at the Poll now, it looks like the main concern is recovery and not prevention. Why is this?
Recovery and prevention work differently.
Prevention is lowering the chance that something is going to happen.
Recovery means that when something happens it can be restored to the original situation (or something similar).
Adding a lock to the door will prevent someone from entering and stealing stuff. It will not prevent a fire from destroying the same stuff.
The right insurance will cover both loss by fire and by burglary.

So recovery deals with all situations in all circumstances while prevention will only lower the chance of something specific to happen.
This is why people prefer recovery and not prevention.
-- the_jos
#138 | Shanaeri Rynale (Desert Nomad) | Dec 15, 2009, 10:49 AM
Join Date: Aug 2005
Guild: DVDF(Forums)
Profession: Me/N

And in this case 'recovery' (which needn't include item restoration), i.e. preventing your account being trashed once someone bad has got in, is firmly in the court of Anet, not NCsoft....
-- Shanaeri Rynale
#139 | Nerel (Jungle Guide) | Dec 15, 2009, 11:07 AM
Join Date: Jun 2008
Location: Australia, what you want my home address?
Guild: [CAT]
Profession: Mo/

You mean to say, Recovery options require no additional effort or inconvenience on behalf of the user, no extra security steps to worry about... if something goes wrong Big Brother will fix everything?
-- Nerel
#140 | Shanaeri Rynale (Desert Nomad) | Dec 15, 2009, 11:18 AM
Join Date: Aug 2005
Guild: DVDF(Forums)
Profession: Me/N

No. Take for example Perfect World, which is free to use (nothing to pay unless you want non game changing shinies).

Characters remain on the server for a week after you delete them. You are stopped from doing any account-sensitive actions (such as trading items or accessing storage) for about a minute after you log in, and you can put a separate password on the storage itself. Some of the more valuable items are by default flagged as undroppable and untradable, and you have to go through a waiting period to unflag them.

All the above would help no end in the event of someone getting in. There's no need for big brother to fix anything for you.

As I've said before, there are simple changes that can be done to at least alleviate things, but apart from changing the warning about account security from white text to red text nothing has been done, neither have threads like this and on other sites over the internet even been acknowledged by Anet.

Part of me thinks Anet would have been better spent sorting this issue out than signing a 1000 odd xmas cards. Bah Humbug
-- Shanaeri Rynale
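The damage-limiting rules Shanaeri Rynale lists from Perfect World in the post above (a cooldown on trade and storage right after login, a separate storage password, protected items that need a waiting period to unflag, and deleted characters kept restorable for a week), modelled as an added example in Python. This is not Perfect World's or ArenaNet's code; the 60-second cooldown and 7-day retention follow the post's "about a minute" and "a week", while the 24-hour unflag delay is an assumption since the post gives no number.

```python
import hashlib
import hmac
import os

LOGIN_COOLDOWN = 60            # "about a minute" before trade/storage are allowed after login
DELETE_RETENTION = 7 * 86400   # deleted characters stay restorable for a week
UNFLAG_DELAY = 24 * 3600       # assumed waiting period; the post gives no number


def _hash(secret: str, salt: bytes) -> bytes:
    # The storage password is stored hashed, never compared in the clear.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)


class Account:
    def __init__(self, storage_password: str):
        self._salt = os.urandom(16)
        self._storage_hash = _hash(storage_password, self._salt)
        self.characters = {}   # name -> {"deleted_at": ts or None}
        self.items = {}        # item id -> {"protected": bool, "unflag_at": ts or None}
        self.login_at = None

    def login(self, ts: int) -> None:
        self.login_at = ts

    def _cooldown_done(self, ts: int) -> bool:
        # Account-sensitive actions are refused until the cooldown has passed, so a
        # fresh intruder cannot empty the account in the first seconds.
        return self.login_at is not None and ts - self.login_at >= LOGIN_COOLDOWN

    def open_storage(self, password: str, ts: int) -> str:
        if not self._cooldown_done(ts):
            return "denied: login cooldown"
        if not hmac.compare_digest(_hash(password, self._salt), self._storage_hash):
            return "denied: bad storage password"
        return "ok"

    def trade(self, item_id: str, ts: int) -> str:
        if not self._cooldown_done(ts):
            return "denied: login cooldown"
        item = self.items[item_id]
        if item["protected"] and (item["unflag_at"] is None or ts < item["unflag_at"]):
            return "denied: item protected"
        return "ok"

    def request_unflag(self, item_id: str, ts: int) -> int:
        # Unflagging is not immediate: the item only becomes tradable after the delay,
        # which leaves the owner time to notice and react.
        self.items[item_id]["unflag_at"] = ts + UNFLAG_DELAY
        return self.items[item_id]["unflag_at"]

    def delete_character(self, name: str, ts: int) -> None:
        # Soft delete: the record is kept so the owner can undo an intruder's deletion.
        self.characters[name]["deleted_at"] = ts

    def restore_character(self, name: str, ts: int) -> str:
        char = self.characters[name]
        if char["deleted_at"] is None:
            return "not deleted"
        if ts - char["deleted_at"] > DELETE_RETENTION:
            return "denied: retention expired"
        char["deleted_at"] = None
        return "ok"


if __name__ == "__main__":
    # Constructed walk-through: an intruder logs in and immediately tries storage and a trade.
    acct = Account("vault-pw")
    acct.characters["Main"] = {"deleted_at": None}
    acct.items["sword1"] = {"protected": True, "unflag_at": None}
    acct.login(1000)
    print(acct.open_storage("vault-pw", 1010), "|", acct.trade("sword1", 1100))
```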