Curse

Michael805 · Dec 10, 2009, 06:19 PM // 18:19

I find it odd that this thread popped up today. You see, I haven't played Guild Wars in several months, yet I constantly get e-mails about my GW password being changed at an email account that has no GW account linked to it. Then, this morning, I get an email at an account that does in fact have an account linked to it. It seems someone reset my password. The IP given was traced to China, so I can only assume Chinese gold farmers brute forced it.
Within 5 minutes of me receiving this email I contacted NCSoft support regarding the issue. It's now been almost 12 hours, and I've received no response (and even if I was to recieve one within the next 30 seconds I'm sure my account has been cleaned of the few million gold I had sitting on it, and I'm sure all of my characters are trashed as well).
This is the only time anyone (that I know of) has been on the account in several months. No one else knew my password, nor has anyone else ever been on my account. I have no keyloggers, and even if I did it wouldn't matter since I've not logged into either my plaync account or my GW account for several months.

Long story short, yes there needs to be more security, and there should most definitely be a link that you must click in order to reset your password. I don't know who in their right mind thought it would be ok to allow someone to reset their password without having to have access to the email account for which it is being reset.

Rushin Roulette · Dec 10, 2009, 06:25 PM // 18:25

/Signed

The easiest and most cost effective way would be to do something as simple as a confirmation Email for any change in the account (Namely Email address or Password).
Password changes go to the existing email account and the change only happens after the link has been activated or the one time TAN which is sent in the Confirmation Email is entered correctly (Wrong TAN = New Email and new random TAN Number/Letter code).
Changes in the Email Address have to be confirmed by both the old and the new Email via the same principle (2 Different TAN Codes).
This is the normal process for most sites and programs with sensitive data.
Both these can be overridden via the existing Support ticket method (Name of all your characters, all your Receipts, Activation codes for the games, name of your neighbour's boyfriend's Poodle's puppies in alphabetical order etc...)

P.S. My account has not been hacked yet, but a guildies account was hacked a few weeks ago a few minutes/Seconds after he had changed his Master Password on the NCSoft Site. And im 100% Sure that he doesn't buy Gold or similar, because Students don't really have that much money they can burn for crap like in game currency.

Anonymous IXl · Dec 10, 2009, 06:34 PM // 18:34

/SIGNED
I agree. My friend got his account hacked a week ago. 3 sets of obby, 60e, obby edge, VS, and a bunch more, all gone...

Another Felldspar · Dec 10, 2009, 06:39 PM // 18:39

There is a serious account security issue. Drop everything else -- nothing else matters -- and fix the security issue. No Chinese IP address should be able to access my account. I don't want to hear that the team is working on great new Wintersday quests/hats/minis/weapons; I want to hear that the team is working on account security. Or, I want to hear that there is a brand new security team in place at ANet, and they are working on account security. I definitely want to hear that security is being placed at the top of the priority list. No more sales, not another dollar, for ANYTHING whether A-Net or NCSoft related, until I hear that this issue is being addressed. None.

I'm happy to pay for security upgrades once I do hear that this issue is being addressed.

/signed

Martin Alvito · Dec 10, 2009, 06:40 PM // 18:40

/signed

But you knew that already.

Aleta · Dec 10, 2009, 06:43 PM // 18:43

Quote:

Originally Posted by Symeon

/signed

It's got to the point where I'm expecting it to have happened every time I log in.

Which is why I will not touch my other two accounts.

It's a day late and a dollar short as my best account, played the most is trashed and empty now.

/signed

I also wonder every day if my Aion account ok

Kurald Galain · Dec 10, 2009, 06:43 PM // 18:43

/signed

twelvesigneds

coil · Dec 10, 2009, 06:46 PM // 18:46

/signed but i think the problem lies within ncsoft, not anet.

Kronk Shaan · Dec 10, 2009, 06:58 PM // 18:58

I'd sign anything that improves network security anywhere.

However, as a PC/Network Tech myself, I would have to say that the chance of having your account (game login or NCSoft) hacked are really, really low. The only way that they (you know, 'they' - be it gold farmers or your 10 year old little brother who is eyeballing your ecto as a Christmas gift to himself) can hack your account is for you to have given them your info in some fashion. Whether it is a keylogger you got from a site claiming to have some awesome game cheat, or because you bought gold (most likely). The odds of someone guessing (or using a program to crack) your password because they already have your email address (so your game login) is pretty good. But I doubt that anyone could guess your login and than crack your password. Bob @ some random service provider .com/net/org etc. The number of possible letter, number and character combinations plus punctuation before the @, not to mention all of the varied service providers you could be using for email means I have a better chance of winning the powerball (I think the odds on that are like 73 million to 1) than they do of guessing an email address to someone who happens to play Guild Wars and conveniently just happens to have LOTS of gold, ectos etc. Read the warning on the login screen. Don't buy gold or items online.

Broseiden · Dec 10, 2009, 07:28 PM // 19:28

Quote:

Originally Posted by Kronk Shaan

I'd sign anything that improves network security anywhere.

/Snip

You haven't been around lately, eh? Both Aion and GW accounts are getting hacked through the PlayNC Account and even a few reports of a "third-party" trying to access Paypal accounts. It's a very easy process of resetting the password and making their way into your account. And by "easy", I mean they can and have been doing it to take accounts away, and no sign of being stopped.

Bob Slydell · Dec 10, 2009, 07:29 PM // 19:29

NCSoft needs to get their act together.

/signed

Kawil · Dec 10, 2009, 07:34 PM // 19:34

/signed

Many valid ideas have been discussed on how to bring about greater account security. I'm sure they aren't too difficult to implement.

Axel Zinfandel · Dec 10, 2009, 07:40 PM // 19:40

Definitly a /signed on this one. I havnt logged on in quite some time and i'm nervous to even do so, despite my curiousity if it's been hacked or not.

Changing the password honestly isn't enough anymore and these guys are getting more and more pushy by the day. If NCsoft doesn't do -something-, it's pretty much the worst PR move someone could ever do.

Verene · Dec 10, 2009, 07:43 PM // 19:43

/signed, even though I have not been hacked, don't worry about it happening to me at all, nor know anyone who was.

However, I must point out, that even when threads pop up on here...people who post on GWG do not make up a large proportion of GW players. Nor is it Anet that has any control over this, but rather NCSoft. And angry attitudes do not help with anything.

Also, about the suggestions made on how to increase account security...none of us know if those suggestions are even feasible. We don't know the way the game is hard-coded. Plus, even if they were, there may be legal issues with a suggestion from a player being implemented.

Siirius Black · Dec 10, 2009, 07:47 PM // 19:47

/Signed
four of my guildies got their account hacked. This is ridiculous. The number of accounts reported hacked has increased dramatically. Someone found a vunerability in ncsoft and obiously they are exploiting it.

Shadowmoon · Dec 10, 2009, 07:48 PM // 19:48

/signed
AND
I am willing to pay for this feature for a reasonable price. $5 or $10 to guarantee that my necro and all of her accomplishments make it to guild wars 2 is worth it to me.

Chthon · Dec 10, 2009, 07:51 PM // 19:51

/Signed.

I've been keeping tabs on the "I've been hacked" stories. The most likely explanation is that, in addition to the usual number of people who get their accounts stolen through their own stupidity, there is currently a method of stealing accounts directly through a-net/NCSoft. The password reset feature on the NCSoft master account seems the most likely culprit.

This is unacceptable. If I fall for a phishing attempt or trust someone whom I should not have with my password, that's my own damn fault. But to have my account open to being stolen, no matter how careful I am, because NCSoft can't build a secure system is utterly unacceptable. So, not only do I sign on with Shan's petition -- harsh language and "security is more important than anything else" and all -- I'll go one step further: NCSoft will not see another penny from me, ever, until this is fixed.

To rehash several years worth of suggestions:
1. Find and close whatever vulnerability is allowing accounts to be stolen directly through a-net/NCSoft.
2. Since NCSoft clearly can't get their act together, just let us sever our GW accounts from NCSoft.
3. If we must retain the connection to NCSoft, then at the very least: (a) Give us back the ability to change our usernames. (b) NEVER display the e-mail that is the GW username from within the NCSoft account. (c) Require the current GW password to be entered in order to change the GW password.
4. Give us the ability to blacklist and whitelist individual IP's and IP blocks. I want to blacklist all of mainland China from ever logging into my account and I want to be prompted for a second password to login from any IP other than my current one.
5. Give us a "last login attempt for this account was X hours ago from IP W.X.Y.Z" notification every time we log in so that we know when someone is after our account and can contact support preemptively.
6. Give us an optional character lock that is permanent or takes at least a week to remove.
7. Give us a customized item lock with the same traits.

Golgotha · Dec 10, 2009, 07:56 PM // 19:56

The security issues both stop me from purchasing in-store products as well as really making me pause before purchasing GW2 when it is released. These issues aren't even based around NCSoft's laziness, rather their apathy towards the users' issues. If these issues were around during Prophecies and you had to tie your account to the NCsoft store, you can bet GW would've likely become a failure based on these problems. As a company, it makes it increasingly difficult to turn profit when your customers lose faith and trust in you.

/Signed

iTzF3aR · Dec 10, 2009, 07:56 PM // 19:56

Signed

Although to me it this really seemed like a QQ thread at first, I actually got to thinking what it would be like to have all my stuff deleted. Obby armor, high end weapons, my henchman tonic, characters, 6000+ hours. All gone. Like I am paranoid enough about it as it is. Fix it. Now.

Tullzinski · Dec 10, 2009, 08:00 PM // 20:00

Quote:

Originally Posted by Chthon

/Signed.

there is currently a method of stealing accounts directly through a-net/NCSoft. The password reset feature on the NCSoft master account seems the most likely culprit.

http://wiki.guildwars.com/wiki/User:...count_Security
Keep your email secure.
If someone gains access to your email account, immediately change your Guild Wars user name and password. (If you can't get access for some reason, get in touch with support right away. If your game account is bound to an NCsoft Master Account, you are not able to change your Guild Wars user name but you can protect your account by changing your GW game password from within the NCsoft Master Account hub. And you can change the email address associated with your NCsoft Master Account (and your games) at any time. Many players feel that having an NCsoft Master Account adds another level of security to the game's security.

I take it you are not one of the "many players who feel that having a NCsoft Master account adds another level of security to the games security"

/signed again for anyone who has not played the game in awhile....