Curse

Nocere Moriari · Sep 21, 2006, 05:51 AM // 05:51

THX Gaile!!!!
Thanks ArenaNet!!!!!

Kelgooma The Great · Sep 21, 2006, 11:59 AM // 11:59

everyone here seems to have their heads about them
use hard passwords 8-10 charecters minimum with letters, numbers, and symbols if u can. Use a FIREWALL!!! this will do wonders for your security. Trojan/malware is the most difficult of all to guard against, because you can get them by using unsecured software without your knowledge, my best advice would be dont download a peice of software, unless you have no other option. stay away from filesharing programs as they are a serious security risk. finally, while i have never personally had a prob. with IE, the logic in the arguments listed throught this post should'nt be disreguarded.
(1 of the 500mil IE script kiddies could be eyeing me as i post this

)

KvanCetre · Sep 21, 2006, 12:11 PM // 12:11

I have a firewall, I just scanned for viruses a few days ago, I don't download mods, and well...

"Someone at 196.202.xx.xxx has reset your Guild Wars Game Account password for account [email protected]. If you did not make this change, please contact support immediately at [email protected]."

Also got my PlayNC master account :\

KvanCetre · Sep 21, 2006, 12:35 PM // 12:35

Update, maybe useful:

I went into the PlayNC website to see just how easy it was to change my account stuff around.

All it took was a birthday and a security question. Unfortuntaly, my security question was...lacking and was easily taken. From here, without any email validation(as is the normal function of a password reset) the "thief" could change the password(without it being reset and sent to an email first, as is usual)

From there, the thief can look at your accounts you have linked and change your passwords with ONLY your birthday.

So if they get into PlayNC, Guild Wars is gone without a problem, without an email(except for the one to tell you it happened).

I was a lucky one, though, as all my charaters and stuff seem to appear to be there.

kh1ndjal · Sep 21, 2006, 06:42 PM // 18:42

few people know this but u should use a trusted spyware/malware remover

some websites will tell u which programs are trusted, if u dont know, ask someone who does

some of this software will actually install spyware/malware on ur pc, and "pretend" to delete it

Lanni · Sep 21, 2006, 08:23 PM // 20:23

It is too late now for GW to move away from using your email address as your account name isn't it?

Unfortunately the most risk is to the least savvy folks, who only have one email address and don't understand that some ISP's offer email aliases or that they can buy a web domain (i.e. another set of email addresses) which they can use just to forward emails to their ISP mailbox.

I went into the web store screens three times but chickened out each time as there was no answer to the question "does the email account made in the shop become my GW logon account"? From reading this thread I beleive that it does not. Question 1: Is that right?

The "five strikes and the account is locked" change will stop the brute force password cracks on the PlayNC account.
Question 2: can anyone confirm whether this five strikes rule exists for our Guild Wars accounts or whether it will be introduced?

These are the instructions from the official GW site for changing the PlayNC master account email address:

Quote:

Originally Posted by Guild Wars Support Answer ID 2303

1. Log in to your PlayNC master account
2. Click the EDIT CONTACT INFO link in the Contact Info section
3. Enter your new e-mail address in the Email Address field
* Make sure the checkbox below the Email Address field is checked if you wish to receive:
o PlayNC newsletters
o Beta announcements
o Game trials
o Other exclusive offers
4. Click the UPDATE button
5. Retrieve the e-mail verification code sent to the new e-mail address you entered
6. Enter your e-mail verification code on the VERIFY EMAIL ADDRESS page
7. Click the VERIFY button

Gaile, please can you suggest points 5 and 6 be changed to read
5. Retrieve the two different e-mail verification codes sent to both the old and the new e-mail addresses you entered.
6. Enter both e-mail verification codes on the VERIFY EMAIL ADDRESS page

If you no longer have access to the old email account, you will need to wait 48 hours after the initial request before you may proceed to verify the change using only the single code sent to the new email address.

The reason for this requested change is that if someone does hack into your PlayNC account, as it stands now, they can take it over without you even getting told (on the "old" email address). By insisting on a code from both the old and the new addresses, a hacked owner can know it is happening and have a chance to access their own account from their "old" email and change its password.

Hacking will happen sometimes but let's make it as hard as we can

Thanks

Lanni

Tyggen · Sep 21, 2006, 08:29 PM // 20:29

Quote:

Originally Posted by kh1ndjal

few people know this but u should use a trusted spyware/malware remover

some websites will tell u which programs are trusted, if u dont know, ask someone who does

some of this software will actually install spyware/malware on ur pc, and "pretend" to delete it

Yes, that's a very important thing to remember, can't imagine why I forgot to mention it

You should always be extremely careful when clicking on ads on sites, especially the ones that advertise with texts like "WARNING! An error has occurred on your computer! Click here to scan!" or "Your computer is running slower then it should, click here for a registry cleaner!". Many of those 'cleaners' install spyware and adware when you run them.

Rule of thumb; if an ad-remover needs to be advertised it's probably not good enough to clean your pc. Look in PC magazines or websites you trust for tests on which removers are worth using.

Also; clicking on most ad banners will download a tracking cookie to your computer, those are used to monitor your internet activity and send info to the advertising company that made it. They can also be far more malicious (then referred to as data miners) and send information about your computer to others. Hackers can make use of your cookies to obtain info about you, so be careful with them.

-edit-

If someone wants a secondary email send me a PM and I can set you up with a gmail account (that is, if they allow us to change the email registered to our accounts)

Loviatar · Sep 21, 2006, 08:34 PM // 20:34

Quote:

Originally Posted by Lanni

"does the email account made in the shop become my GW logon account"? From reading this thread I beleive that it does not. Question 1: Is that right?

i have purchased 3 slots and my account login is unchanged

Edelmdor · Sep 22, 2006, 01:14 AM // 01:14

I got the following email 12 times!

Quote:

Someone at 129.15.xxx.xxx attempted to reset your PlayNC Master Account password for account XXXX. This attempt was unsuccessful. If you did not attempt this change, please contact support immediately at [email protected].

So... What do we do? I tried contacting [email protected] but ended getting this:

Quote:

Our support process has changed and we no longer accept direct e-mail at this address. Please read the following carefully: Please visit our PlayNC Support website (http://support.plaync.com). We invite you to search our Knowledge Base of over 1,300 articles for the answers to your questions. If you don't find what you are looking for, you can contact support using the instructions below. SUBMITTING A NEW INCIDENT: Go to http://support.plaync.com and submit your issue to us via the "Ask a Question" tab. UPDATING AN EXISTING INCIDENT: 1: Go to http://support.plaync.com and log into the "My Stuff" tab. 2: Go to the "Questions" section and click on your incident. 3: At the bottom of your incident thread, click on the "Update Question" button to reply to our staff. 4: If you do not see an "Update Question" button, go to the "Ask a Question" tab and submit a new incident. Include the reference number of the incident you would like to update. Thank you, PlayNC Support Team http://support.plaync.com

Anyone with similar problems?

bg_solidsnake · Sep 22, 2006, 09:15 AM // 09:15

When i made my GW account i knew i had to choose a hard password!
So i did and now i dont have any problems

!

Loviatar · Sep 22, 2006, 05:16 PM // 17:16

Quote:

Originally Posted by bg_solidsnake

When i made my GW account i knew i had to choose a hard password!
So i did and now i dont have any problems

!

JUST IN CASE

you can also turn your question into a 200+ character password and then go maximum on the answer as well.

the answer does not have to be anything but what you put down as the matching program doesnt care

be sure to write it down though because you will not remember it

Jessica Pariah · Sep 24, 2006, 12:29 AM // 00:29

- Use the 'Remember Me' so keyloggers cannot see your email address on GuildWars.
- Use -password=yourpassword in the command line of GuildWars, I think this prevents keyloggers from logging your password.

Greetings,

Jessica

PS: LF GOOD HA/GVG GUILD
PPS: Gaile, you promised to look at my idea, but you didn't *cry*

Guinevere Ac · Sep 25, 2006, 09:51 AM // 09:51

Well well well, tried to sort this issue silently for a week, but now i feel i have to post this here and everywhere else i can.
Such a big company should have the option to restore even just character. is not such a big problem. Blizzard does, and their player base is 4 time bigger then guild wars one.
Restoring full account is impossible because it would mean duping items and golds? No problem, just allow people to simply restore their characters. naked, without gold coins nor weapons, simply naked withou any damage to the economy.

as for security issues. this discussion was mainly opened because of what happened to me. my password was probably not the strongest one, but it had letters and numbers, after massive scans system has been found to be completely clean. i'm very paranoid about security on my side.
i wouldn't be pleased to discover that my only fault was to buy characters slots via ncsoft guildwars store, linking that way my game account to my play.nc details

tho i can't possibly believe nothing can be done to solve the issue of a character hacked and deleted by whoever. a feature that, maybe upon request, stores character details in a safe location and that allows that given character to be restored if anything happens (just the character itself, no items or gold as this would open a door to players willing to be richer) is something that i'm very concerned is not in this game.

Seriously, starting to be upset

@gaile. sorry for posting it here but u were not expecting that i was fine with the answers telling me "we're sorry for what happened to you. but it happened and programmers technicaly cant manage details in their game, for security reasons. regards" were u?

CoRrRan · Sep 25, 2006, 11:26 AM // 11:26

Personally I would really favor a system where you can set an option where you HAVE TO change your password every 30days (or thereabouts). It is something I am familiar with, with all the companies I have worked for and it works quite good. Again, nothing much to implement I'd think and a great step into better security.

Another thing about the "-password" switch in a shortcut to gw.exe. If you DO NOT have a GOOD firewall running, DO NOT DO THIS! The easiest thing for a dedicated hacker is to look for files on your harddrive that contain WRITTEN passwords, without masks. Including shortcuts of course.

For the rest, Gaile's first post and Shanaeri's are GREAT ways to start with your own security while playing/logging into GW.

King Kong · Sep 25, 2006, 11:49 AM // 11:49

When you buy from the store and link your account, do you have to make an master account name?

Loviatar · Sep 25, 2006, 02:02 PM // 14:02

Quote:

Originally Posted by CoRrRan

The easiest thing for a dedicated hacker is to look for files on your harddrive that contain WRITTEN passwords, without masks. Including shortcuts of course.

For the rest, Gaile's first post and Shanaeri's are GREAT ways to start with your own security while playing/logging into GW.

if a good hacker is in your system already you have already lost.

as for masking i am sure that you also know the same cure i do

John Ebridge · Sep 25, 2006, 02:26 PM // 14:26

For me point one raised by Gaile is the biggest flaw in the system.

Using an e-mail address as a loginname.
E-mail addresses are so easily obtained.

That is allready one hurdle taken by someone who wants to hack into your account.

What if I have more than one GW account?
Then I would need several 'secure' e-mail addresses.

Please change it to a user provided (or by ANET) logonname.
This coupled with an e-mail verification system is a lot more secure.

Solar_Takfar · Sep 25, 2006, 08:10 PM // 20:10

With all the stuff that's been going on, I'm a bit scared to use the online store, even though I'm taking all precautions (antivirus, firewall, antispyware). Would changing the password to something completely random and temporary while making a purchase, and then changing it to another password after activating the new content help mitigate the dangers...?

=HT=Ingram · Sep 26, 2006, 12:34 AM // 00:34

I have been stating this in support for over a month now, well actually since the day they added the store interface really...

I regularly used the old account maintenance options to secure my account. changing my login and password monthly. and now this is not possible. as the NCSoft system will not let you. and when I try to do password change it says it needs verified, so I get it sent to my account and the verification is blank... so I can not change my password at all... As such I have been in the process of getting rid of everything so I can get new retail accounts and NEVER NEVER going into that dumb NCSoft store again. cause guess what? When I used my freebie account for the WPE I was able to do it cause I never entered the store on that account. Lesson learned... Account about to be abandoned unless Anet wakes up to the support requests and make the changes to unlink the accounts again. Or at least an option to do so for people that are stuck like I am and those poor people that got their accounts hacked.

If we could just unlink and opt out of the store usage then we could use the normal anet game engine to fix this stuff as we used too.

MelechRic · Sep 26, 2006, 12:36 AM // 00:36

I'm a bit worried too. After reading about Guinevere AC's troubles I went to playNC.com to see what's possible securitywise:

1. You can change your password.

Good, I like this... except when coupled with the next two list items.

2. You can't change your username.

That's a huge problem because at some point the username was required to be an e-mail address. As was mentioned in this thread previously, that's a huge security hole because if a hacker gets this info he/she now has unlimited time to try and guess the password. Worst of all is that the GW client sends you to playNC when you try to change the password via the client. Once you're at playNC you have no way of making that change. Very kindergarten.

3. The GW client will let you enter a wrong password repeatedly.

Sorry, but on any standard system you get frozen out after some number of failed guesses. This makes brute-forcing much more difficult. Why not lock the account and require the user to re-verify after 5 or more failed attempt.

4. Weak passwords are accpeted by the GW client.

No need for detail here. It's a problem that should be fixable. Passwords should contain numbers and letters anf have an enforced minimum length with no dictionary words allowed. Symbolic characters should be permissible as well.

5. playNC store interface is now coupled with GW password and vice versa.

If either password is weak/compromised you've got a big problem. If either GW client or playNC has weak security you've got a big problem. It's a potential financial problem too because now there's a way to commit fraudulent orders.

That's all I can think of at the moment. I'm convinced there's room for improvement in this security triangle. ANet needs to improve the client. playNC needs to allow for changes to the username. The players need to be smarter about keyloggers, strong passwords and never sharing personal info no matter how well you know an internet friend.

*dismounts soapbox*

EDIT: ANet might consider implementing some of the security features that online banking services do. These days it's not uncommon for banks to require you to answer personal question, identify a random challenge image (that you've previously chosen) AND provide your password. Usually this is done when the bank detects access to your account from an IP that is not normally used by you. It's a small inconvenience when switching computers/locales, but as some have found out... the alternatives are much much more worse.

*dismounts soapbox*