Curse

Fate Crusher · Nov 19, 2009, 08:38 PM // 20:38

Quote:

Originally Posted by soul_of_misery

Your email is your account name.

I think that's a greater security risk because if they linked your account to an NCsoft account they could email themselves your password.

Does it matter that my account name was an e-mail address? These people were still able to obtain it.

The only auctioning websites i have used is Guru. And my account name/e-mail isn't even available for users to view.

Quote:

99.99% of the time it is indeed the case. However to listen to people who have been hacked it would look to be 0%.

This is because anyone who is "Hacked" immediately is the beacon of security. Even if his entire guild knows his log in information. Even if his password is 1234. Even if he visits "Warez" sites. Even if he does a virus check and is loaded with them. He is the beacon of security if you will listen to him.

Even if you say that you and your clan members/friends are very secure, the likelihood that this is true approaches zero.

Can you be hacked by means other than your lapse in judgment? Sure. Just like you can be struck in the head by an air liner falling out of the sky. The chances of it are however abysmally low.

I'm a little offended that you may consider that i'm not being truthful with the circumstances i am explaining. I have nothing to lose/gain from this other than figuring out why these RMTs are on such a rampage. I am not bothered with the stuff i have lost, i'm just very grateful that my titles still exist.

However i do agree that many people who do post about being hacked are expecting sympathy/help/free crap. So i'm not surprised that you're mentioning that anyways.

Quote:

Who is the e-mail provider? Hotmail? gmail? MSN? Perhaps the mail provider was compromised.
My account's e-mail is a discontinued hotmail account that i haven't checked on for over 2 years. My new e-mail is a live account.
Have you ever shared your login with another person? Perhaps they did it, or perhaps their computer was compromised.
Never.
Have you ever used the same e-mail to sign up for forums or anything else? For example, guru?
Since i started my new e-mail, i've changed my contact details for guru to fit my new e-mail account.
Do you use that e-mail address for general purpose e-mail? Does it get spam? Perhaps the RMT folks are buying e-mail lists from spammers.
I previously ran AVG and i am yet to see any spam mail.
Does that e-mail appear on the internet anywhere? Where?
My Facebook page has both e-mails on show but my profile is private and my only affiliation to GW on Facebook is being a fan of GW2.
Honestly, how secure is your computer?
Router/hardware firewall?
My routers have had firewalls
Software firewall? WHich one?
Norton provided me with a firewall for a period of 1 year, i found AVG did the business quite well.
Antivirus? WHich one? Up to date?
AVG (not the free one...) i set daily updates.
Which browser? Extensions?
I'm a little old fashioned so i've been using Internet Explorer and Google Chrome.

God i hope this doesn't return for Guild Wars 2.

Would anyone know if this is as big an issue in WoW or anything else?

Jensy · Nov 19, 2009, 09:15 PM // 21:15

Quote:

Originally Posted by Fate Crusher

My account's e-mail is a discontinued hotmail account that i haven't checked on for over 2 years. My new e-mail is a live account.

Yes, well, Hotmail reuses email addresses. If someone knows your email address, they simply need to start a new account with that name and request a pw change. We had this problem on the website I used to do volunteer tech support for as well.

Dzjudz · Nov 19, 2009, 09:32 PM // 21:32

Quote:

Originally Posted by Jensy

Yes, well, Hotmail reuses email addresses. If someone knows your email address, they simply need to start a new account with that name and request a pw change. We had this problem on the website I used to do volunteer tech support for as well.

This. 12chars

vamperik · Nov 19, 2009, 09:55 PM // 21:55

This is what i sent to support when my account was hacked:

Quote:

Thank you I can now access my account . As I expect my account was hacked into luckily none of my characters were deleted ( my biggest worry ) but lots of my items have been taken , including all my money . weirdly some new items have appeared. I know that these cannot be replaced , but I thought I would let you know incase you can view the information of my trading in the past three days and investigate who my stuff went to . again I know you cannot get my stuff back or let me know where it went ,
but If you caught whoever did it and stopped this from happening again to someone else then at least something good has come from this.

and this was the reply:

Quote:

Hello,

I'm glad your characters were not deleted. Your account was accessed by an illegal Gold Selling company. It wasn't one person that took your items to hold, it was a professional company that tried to liquidate your items to fill orders for their buyers. We terminate thousands of their accounts a week but they continue to steal, hack, and cheat to gain access to accounts.

Regards,
GM Phields
The Guild Wars Support Team

This leads me to believe that they can track trading ? or am I reading it wrong?

Nerel · Nov 19, 2009, 10:25 PM // 22:25

Quote:

Originally Posted by vamperik

This is what i sent to support when my account was hacked:

and this was the reply:

This leads me to believe that they can track trading ? or am I reading it wrong?

They should be able to track trading, insofar as server logs detailing where, when and who they've traded with, and most likely which items were traded... noting that items are quite unlikely to have a unique ID tag, merely a string of code that identifies the item type, mods, dye etc... Two max req 11 gold longswords with the same skin, mods, both dyed red would probably look identical on the server logs... unless they were customized to different players. So yes they should be able to see what was traded and to whom, but tracking the stolen items as they are passed from account to account, sold/salvaged etc becomes troublesome at best.

The best you could expect is the 'storage' accounts used by the RMTs will get closed down and the 'customers' buying gold/ectos from those accounts for real world cash getting suspended.

It really is in support's best interests to say they can't track trades, simply put the effort isn't worth the time (and thus expense) that it would cost them, other than to take action against the hackers (closed account) and their gold buying customers (suspensions/banning).

Inde · Nov 19, 2009, 10:34 PM // 22:34

Quote:

Originally Posted by Dzjudz

It's probably this one, or Inde would've made a note saying "btw, Gaile isn't talking about this site" in the thread in question.

I did indeed post a forum-wide notice. If you want to inform people of what's been said or hasn't, you've got to stay on top of it.

Perhaps you missed it though, as it was displayed for a weekend.

Account Security

Here at GuildWarsGuru.com we have continually upgraded and adjusted our site, servers and even user profiles in order to better secure our users information. Our priority is providing you a protected environment, so you are able to use this website freely and without worry. For this reason, we have gone ahead and changed character names listed in your profile to private. Recent communication from ArenaNet has stated they feel the availability of character names could contribute to the risk of compromising accounts. We want to cooperate and also protect our users by proactively taking sensible security measures.

We appreciate some of you may feel inconvenienced by the change, as public IGN's are a useful feature and common to many gaming websites. We'd simply ask for your understanding, as no risk is too small at the cost of security.

We would also like to take this opportunity to firmly state that Guild Wars Guru has not been compromised in any way, nor is our security in question. We are in contact with ArenaNet. We routinely monitor and review our server logs and have security measures in place with regular updates. Any issues we may have had (and none have ever involved risk to usernames, emails or passwords) have been openly discussed with our users in our Site Feedback forum.

For your peace of mind, we would also like to clarify that had our security ever been breached the community would have been immediately and openly informed. We've also seen a number of accounts that have signed up on this forum just to post that they've had their account compromised. We are privileged and happy to be a voice of the Guild Wars community. If you have any questions or concerns please feel free to post those in our Site Feedback forum and I can address those.

Stating that, we would also like to remind our users to please read our Security Tips that have been available and to diligently protect their account information. [Guide] Security Tips for Guild Wars players

Erys Vasburg · Nov 19, 2009, 10:41 PM // 22:41

Quote:

Originally Posted by N E D M

wtf are they doing

Attempting to draw all users away from anything that is not the official Wiki by sewing seeds of fear in the soil that is the fan community. If they don't tell us which site they are talking about, then to be safe we have to suspect them all, which leaves us with official channels (of which there is only one) that are apparently 100% secure and in no way the cause of the problem.

It's a shame that we're not all blind to the recurring issues with NCSoft security.

Ninja Ninja · Nov 19, 2009, 11:49 PM // 23:49

Quote:

Originally Posted by Konker2020

This is not true, myself and clan members/friends have been hacked and are very secure about our information and give it to no one, don't assume that everyone is unintelligent and are completely at fault for being hacked because that is not always the case.

But people are completely at fault when it comes to getting hacked, its either by giving your info away or a keylogger stealing it and you get guild wars keyloggers by downloading a rar file that has to do with guild wars.
Giving your info doesn't always mean walking up to them and giving it, you could have used your email (guild wars username) on a guild forum or a fan site for guild wars or you could have given it out by adding a guild wars friend on msn messenger.

Quote:

Originally Posted by Inde

We appreciate some of you may feel inconvenienced by the change, as public IGN's are a useful feature and common to many gaming websites. We'd simply ask for your understanding, as no risk is too small at the cost of security.

What does IGN's have to do with account security, people can't hack your account with your character name.

Faer · Nov 20, 2009, 12:00 AM // 00:00

Quote:

Originally Posted by soul_of_misery

What does IGN's have to do with account security, people can't hack your account with your character name.

Might want to email that question to ArenaNet, as it was their idea. Be sure to let us know what they say.

Ninja Ninja · Nov 20, 2009, 12:09 AM // 00:09

Quote:

Originally Posted by Theocrat

Might want to email that question to ArenaNet, as it was their idea. Be sure to let us know what they say.

Not worth the effort, I guess it was because people were PM people pretending to be anet employees and asking for account info.

Fate Crusher · Nov 20, 2009, 12:22 AM // 00:22

Quote:

Originally Posted by soul_of_misery

But people are completely at fault when it comes to getting hacked, its either by giving your info away or a keylogger stealing it and you get guild wars keyloggers by downloading a rar file that has to do with guild wars.
Giving your info doesn't always mean walking up to them and giving it, you could have used your email (guild wars username) on a guild forum or a fan site for guild wars or you could have given it out by adding a guild wars friend on msn messenger.

What does IGN's have to do with account security, people can't hack your account with your character name.

My only guess would be that they could send an e-mail to support explaining that they had an account a long time ago and all they can remember is an IGN name. throw in a few obvious references about the account (anyone worth hacking would have all campaigns+expansion). and voila, support has just handed you an account.

I could be very wrong. but if this happens 1/10 times, even 1/50 times, these guys would try it.

As much as i hated Runescape, they had a very strict account retrievel system where you would set up your own recovery questions, even providing your own questions. you also would provide up to 3 previous passwords and they had in-game notifications advising you to change passwords regularly.

It IS the most popular free MMO, so i'm not surprised they've got pretty secure retrievel standards.

Kumu Honua · Nov 20, 2009, 01:47 AM // 01:47

Quote:

Originally Posted by Fate Crusher

I'm a little offended that you may consider that i'm not being truthful with the circumstances i am explaining. I have nothing to lose/gain from this other than figuring out why these RMTs are on such a rampage. I am not bothered with the stuff i have lost, i'm just very grateful that my titles still exist.

I don't care if you are offended. It's the pure truth.

Nearly every single instance of hacking is due to negligence of some kind by the person who is hacked. It is also universal that no matter how much negligence they had, they will swear to the day they die that they were the utmost authority on all things security.

You are no different. You are saying that YOU are the beacon of security. It's the exact same as this guy and that guy and the guy over there. Beacons of account security all. Hacked all.

Chthon · Nov 20, 2009, 02:07 AM // 02:07

Quote:

Originally Posted by soul_of_misery

What does IGN's have to do with account security, people can't hack your account with your character name.

Yes, that is a very good question...

nitetime · Nov 20, 2009, 03:40 AM // 03:40

Quote:

Originally Posted by Kumu Honua

I don't care if you are offended. It's the pure truth.

Nearly every single instance of hacking is due to negligence of some kind by the person who is hacked. It is also universal that no matter how much negligence they had, they will swear to the day they die that they were the utmost authority on all things security.

You are no different. You are saying that YOU are the beacon of security. It's the exact same as this guy and that guy and the guy over there. Beacons of account security all. Hacked all.

You honestly think that everyone getting hacked is just giving out their passwords? So these rmt's have someway to get peoples log in emails, but how are they getting all the passwords? They can't just be guessing, but I would like to believe that people are smarter then just giving out passwords.

Dzjudz · Nov 20, 2009, 03:42 AM // 03:42

Quote:

Originally Posted by Inde

I did indeed post a forum-wide notice. If you want to inform people of what's been said or hasn't, you've got to stay on top of it.

Perhaps you missed it though, as it was displayed for a weekend.

I'd like to inform people of what's been said. If I could find it anywhere, that is. Like you say, I must have missed the message, and I can't find it anywhere on the site (no sticky, no announcement forum, not even a non-sticky thread/post). No way for me to know what's been said if it's not recorded somewhere. Maybe you should add it to the stickied Gaile thread I linked to earlier. Anyway, I'm glad GWG isn't the problem. I wasn't worried personally, but I thought it strange that GWG didn't post any response. Turns out I missed the temporary message. Cheers.

Fate Crusher · Nov 20, 2009, 03:59 AM // 03:59

Quote:

Originally Posted by Kumu Honua

I don't care if you are offended. It's the pure truth.

Nearly every single instance of hacking is due to negligence of some kind by the person who is hacked. It is also universal that no matter how much negligence they had, they will swear to the day they die that they were the utmost authority on all things security.

You are no different. You are saying that YOU are the beacon of security. It's the exact same as this guy and that guy and the guy over there. Beacons of account security all. Hacked all.

Mate, i'm not denying that this happens a lot, but you're not even reading anything that anybody has posted here on this thread. It's the very reason why i wanted to start this so i could understand why this is happening so frequently.

I know honesty is very hard to come by. You can trust what i'm saying or not. But i am in no way (third time i've said this) trying to gain anything from this thread. I have done as much as i could to protect my password. Maybe i slipped up somewhere, i'm not saying i'm perfect but i'm defenitely not a liar.

If you can't acknowledge that Anet have even confirmed that even a said website was previously compromised (which means account information was stolen

) then please carry on with your blinkered lifestyle.

Thanks for reading.

Konker2020 · Nov 20, 2009, 04:24 AM // 04:24

Quote:

Originally Posted by soul_of_misery

But people are completely at fault when it comes to getting hacked, its either by giving your info away or a keylogger stealing it and you get guild wars keyloggers by downloading a rar file that has to do with guild wars.
Giving your info doesn't always mean walking up to them and giving it, you could have used your email (guild wars username) on a guild forum or a fan site for guild wars or you could have given it out by adding a guild wars friend on msn messenger.

What does IGN's have to do with account security, people can't hack your account with your character name.

I'm gonna go out on a limb here and say that you have never been hacked, I know exactly how keyloggers, viruses, data logs, worms, etc. work. I know computers inside and out, and I can tell you that a good hacker does not need a key logger to get your information. A decent hacker can get directly into your computer and monitor everything you do without your knowledge or the need for a keylogger or anything of the like.

Kumu Honua · Nov 20, 2009, 05:37 AM // 05:37

Quote:

Originally Posted by nitetime

You honestly think that everyone getting hacked is just giving out their passwords?

I've never said such a thing. I simply honestly believe that 99.99% of all people who have been hacked have had lapses in judgment. This ranges from giving out passwords to having the same login information for forums/other sites as they do for the game to visiting RMT sites where they pick up trojans/keyloggers to just plain stupidity.

Quote:

So these rmt's have someway to get peoples log in emails, but how are they getting all the passwords?

Being giving the information.
Phishing.
Brute Force.
Trojan/keylogger.
"Password" style passwords.

Quote:

They can't just be guessing, but I would like to believe that people are smarter then just giving out passwords.

Why not? One of the largest problems with Guild Wars and NCSoft is that they do not have a lockout feature. You can attempt to guess a password indefinitely without locking the account. I would go as far as to say that this is the single most used method of getting into an account once they get your game email.

Which goes back to the single most important thing you can do. Never use the same email for the game as you do for communication/signing up for forums and such.

Sadly, a VERY large portion of the user base uses a single email for EVERYTHING.

Fate Crusher · Nov 20, 2009, 06:28 AM // 06:28

Quote:

Originally Posted by Kumu Honua

I've never said such a thing. I simply honestly believe that 99.99% of all people who have been hacked have had lapses in judgment. This ranges from giving out passwords to having the same login information for forums/other sites as they do for the game to visiting RMT sites where they pick up trojans/keyloggers to just plain stupidity.

Being giving the information.
Phishing.
Brute Force.
Trojan/keylogger.
"Password" style passwords.

Why not? One of the largest problems with Guild Wars and NCSoft is that they do not have a lockout feature. You can attempt to guess a password indefinitely without locking the account. I would go as far as to say that this is the single most used method of getting into an account once they get your game email.

Which goes back to the single most important thing you can do. Never use the same email for the game as you do for communication/signing up for forums and such.

Sadly, a VERY large portion of the user base uses a single email for EVERYTHING.

Yes, i was surprised about the absence of a lockout feature. You would have thought that after four years, Anet would learnt from the massive invasion of bots and the big dupe scandal (quite irrelevant but still). Anet hasn't done a single thing to increase the security of accounts. fact. I think our storages should have PIN codes :3

So once we have all stupidly given away our account name/e-mail, how easy is it for these RMTs to obtain the password?

nitetime · Nov 20, 2009, 02:37 PM // 14:37

Quote:

Hello,

I'm glad your characters were not deleted. Your account was accessed by an illegal Gold Selling company. It wasn't one person that took your items to hold, it was a professional company that tried to liquidate your items to fill orders for their buyers. We terminate thousands of their accounts a week but they continue to steal, hack, and cheat to gain access to accounts.

Regards,
GM Phields
The Guild Wars Support Team

Thousands?! So RMTs have a way of way of creating actual GW accounts, other then buying/stealing/hacking them?

They're creating thousands of accounts a week, maybe they tapped into the anet servers. Maybe they run their own servers and when we switch districts for speedclears they log our info.

Can one of our asian correspondents let us know if this is happening on the asian forums, or if its just a joyous celebration counting our money?

Maybe it all stems from the XTH? what a mess...