Guild Wars Forums - GW Guru
 
 

Old Dec 27, 2006, 03:21 PM // 15:21   #21
Jungle Guide
 
Saraphim's Avatar
 
Join Date: Mar 2006
Guild: The Hand of Omega [WHO]
Profession: E/
Default

Quote:
Originally Posted by Cow Tale
Are there really people who would try to figure out a password from scratch? Sheesh, and I thought by playing GW for 10 hours a day I had no life.
No-one in their right mind tries bruteforcing passwords manually, they'll run a script that'll continuously try until it gets it right. Log-In is definitely half the battle, and if it's an email... then all you have to do is use the same email somewhere else, probably GW related and a hacker has half the info they need. (dependent on the security of sites, no secure server = no absolute security)
Quote:
There should be AT LEAST a lock out after 5 guesses...
Agreed, no lock out is pathetic for a web site that deals with credit card information. I had hoped they'd have rectified this by now, I certainly won't buy any character slots or anything else from there till they do.
Saraphim is offline   Reply With Quote
Old Dec 27, 2006, 03:21 PM // 15:21   #22
Wilds Pathfinder
 
TheGuildWarsPenguin's Avatar
 
Join Date: Aug 2005
Location: Los Angeles, California
Guild: Picnic Pioneers
Profession: E/
Default

Did they ever fix the thing where you can't get into the ingame store if you don't link your PlayNC account to your GW account and if you did, you can't change your GW login name or password?
TheGuildWarsPenguin is offline   Reply With Quote
Old Dec 27, 2006, 03:36 PM // 15:36   #23
Frost Gate Guardian
 
Join Date: Jul 2006
Default

Quote:
Originally Posted by Gaile Gray
Yes, I disagree, if you mean that I'm disagreeing with describing the in-game store as "dodgy." I have used it myself. Yes, gasp!, NCsoft has my personal credit card number. And you know what? They serve hundreds of thousands of players a month, given the popularity of Guild Wars, Lineage, Lineage II, City of Heroes, City of Villains... you see my point? I think that NCsoft, through the PlayNC store, has a good idea of how to protect my privacy and assure my credit card information is safe.

Decide for yourself, by all means. I'm ok with ordering through the store.
Your strawman is showing. The number of people who play their games has nothing to do with how good their security is. What would be pertinent is their previous record for good security - but they don't have that. They have a history of bad security policies, but that's pretty different from good ones. The question now is how bad?

Seeing as I know more than you do about this sort of thing, I'm going to stick with my opinion over yours for now. So here's what I think (And this opinion is slightly revised from previous commentary): Not that bad. Rate limiting is a good idea, but an account lock after N guesses would constitute a denial of service vulnerability, and add an associated nightmare in customer service / verification to unlock an account. (Just think what would happen when some ne'er do well decides to use a spam list of emails to lock ~80% of guildwars accounts. Account "theft" isn't the only thing to think about here.) Locking an account after a number of guesses is a bad idea. Limiting it to 5 guesses in 15 minutes, or 30 minutes, or even an hour is a fine and dandy idea, provided it's implemented with an enforcement of complex passwords. That would be enough - it would stop automated attempts to crack your password, and the aforementioned DOS attack would take significant, sustained use of resources to lock any significant portion of accounts and keep them locked. (Actually, add a proper end-to-end encryption scheme in the protocol used to communicate with the server, and then you have enough. I have no evidence if they do any encryption in the gw client or not. If not, sound the klaxons again, it's a problem. I expect something at least equivalent to SSLv3 in the GW store.)

I would like a confirmation though, on whether/how long they keep your credit card information - I have to re-input it each time I buy from the store. If they store it, and I still have to re-enter it, that's pretty silly. If they don't store it at all, then until the IRS decides to tax in-game earnings, I don't much care about their security. And there's exactly zero reason to store it. Subscription-based games are the only ones that should ever need to store that.

After all this, if someone can guess your password in only 70 tries, you are using a bad password (Or they achieved a statistical miracle). Stop using your pet's name and your birthday for passwords.
mrgoat is offline   Reply With Quote
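
The trade-off argued in the post above (throttling to 5 guesses per 15 minutes versus locking the account after N guesses) can be simulated. This is an added example, not part of any post in the thread; the class names, the `simulate` helper and the one-guess-per-second attacker are assumptions made for illustration.

```python
from collections import defaultdict, deque


class SlidingWindowThrottle:
    """Allow at most max_failures failed logins per account per window (seconds)."""
    def __init__(self, max_failures=5, window=15 * 60):
        self.max_failures = max_failures
        self.window = window
        self.failures = defaultdict(deque)  # account -> timestamps of failures

    def _prune(self, account, now):
        # Forget failures that have aged out of the window.
        q = self.failures[account]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def allowed(self, account, now):
        return len(self._prune(account, now)) < self.max_failures

    def record_failure(self, account, now):
        self._prune(account, now).append(now)


class HardLockout:
    """Lock the account after max_failures until someone unlocks it by hand."""
    def __init__(self, max_failures=5):
        self.max_failures = max_failures
        self.count = defaultdict(int)

    def allowed(self, account, now):
        return self.count[account] < self.max_failures

    def record_failure(self, account, now):
        self.count[account] += 1


def simulate(policy, account, attack_seconds):
    """Constructed attacker: one wrong guess per second for attack_seconds.

    Returns (guesses the server actually tested,
             whether the owner may log in 15 minutes after the attack stops).
    """
    tested = 0
    for t in range(attack_seconds):
        if policy.allowed(account, t):
            policy.record_failure(account, t)
            tested += 1
    return tested, policy.allowed(account, attack_seconds + 15 * 60)
```

Under the throttle the attacker gets 480 tested guesses per day and the owner regains access once the attack stops; under the hard lockout five wrong guesses keep the owner out until support intervenes.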
Old Dec 27, 2006, 05:42 PM // 17:42   #24
Krytan Explorer
 
ducktape's Avatar
 
Join Date: Jul 2005
Profession: W/R
Default

Quote:
Originally Posted by TheGuildWarsPenguin
Did they ever fix the thing where you can't get into the ingame store if you don't link your PlayNC account to your GW account and if you did, you can't change your GW login name or password?
No, but they keep saying "oh we should let the team know about it, it shouldn't be like that". Unfortunately it's still stuck where you can't change your login name or e-mail account for GW if you buy something from the store, which is why many people are not buying things from the store even though they really want to.
ducktape is offline   Reply With Quote
Old Dec 27, 2006, 07:01 PM // 19:01   #25
are we there yet?
 
cosyfiep's Avatar
 
Join Date: Dec 2005
Location: in a land far far away
Guild: guild? I am supposed to have a guild?
Profession: Rt/
Default

heck, even THIS SITE locks you out after 5 bad guesses on the password----and I don't think we are selling anything here! (are they?)
cosyfiep is offline   Reply With Quote
Old Dec 27, 2006, 07:29 PM // 19:29   #26
Krytan Explorer
 
Join Date: Mar 2006
Guild: EOA
Profession: P/W
Default

Only 70 attempts! To crack an average password you need thousands and thousands of attempts, enough to strain the login server and get very well noticed (applies to bruteforce & dictionary).

If he got it in under a couple of thousand attempts it means you've been infected with a trojan/keylogger and he's probably logged every password/number you've entered since.

It's not PlayNC's fault, it's your lax PC security.
FeroxC is offline   Reply With Quote
Old Dec 27, 2006, 08:18 PM // 20:18   #27
Krytan Explorer
 
ducktape's Avatar
 
Join Date: Jul 2005
Profession: W/R
Default

I think the point is that 70 attempts is a ridiculous number of consecutive wrong password attempts to allow. I'm sure it would have let the attacker keep guessing and guessing and guessing indefinitely.
ducktape is offline   Reply With Quote
Old Dec 27, 2006, 08:32 PM // 20:32   #28
Desert Nomad
 
Eviance's Avatar
 
Join Date: Nov 2005
Location: Eh I forget... o_O
Guild: Biscuit of Dewm [MEEP]
Profession: R/
Default

Quote:
Originally Posted by FeroxC
Only 70 attempts! To crack an average password you need thousands and thousands of attempts, enough to strain the login server and get very well noticed (applies to bruteforce & dictionary).

If he got it in under a couple of thousand attempts it means you've been infected with a trojan/keylogger and he's probably logged every password/number you've entered since.

It's not PlayNC's fault, it's your lax PC security.
I agree that if his password was complex enough, even average then it must have been a keylogger or someone he knew possibly. Now what he should do is sweep his PC like I had to and then go back through any accounts that have important info and change all the passwords. I had to do this, it's no fun and luckily thanks to my bank account I was able to realise I had a keylogger within a few days of it being on my PC, so it wasn't that bad. Still it took me two days to get all my accounts sorted with my GW account being the most difficult! I was stupid when downloading a poker program -_-

HOWEVER at the same time there was another thread going on about PlayNC's lack of security. At that time Gaile said that there was a login temp-lock in place but when myself and a few others checked into it, that wasn't the case. I'm really hoping that they are still working on this issue and that it can be resolved in the VERY near future so that these things happen less often, even to the stupid people who fail to use complex passwords. Mine was complex enough but now it's almost too much for myself to log in with lol.

To the OP: Good luck and do your best to clean your PC to make sure it wasn't a keylogger/trojan. If it was then everything you're accessing including online banking, emails, ebay, paypal.. EVERYTHING is at risk! I've been there it's no fun! Glad to hear that at least your credit card info via plaync wasn't acquired ^_^

Edit: ONE last thing! Check your connection and make sure you don't have a piggy back! Password your PC so that no one can gain access from across the street! That was a tip a guildie gave to me and I actually had someone attempt 9 times to log on to my plaync account once via an IP that was near to me, so I am guessing that's what had happened there.

Last edited by Eviance; Dec 27, 2006 at 08:42 PM // 20:42..
Eviance is offline   Reply With Quote
Old Dec 27, 2006, 08:41 PM // 20:41   #29
Frost Gate Guardian
 
Join Date: Mar 2006
Location: Chicago
Profession: W/R
Default Other ways to protect your identity and credit cards

I know this does not pertain to PlayNC or give you direct advice for your situation but I thought you might find this info useful someday.

1. If you stay at a hotel/motel. Do not give your room “key card” back. It contains all your information including credit card. The hotel staff puts it on top of the deck of available room keys and your info stays on it for someone to grab. Recent news reports of people stealing identities from the hotel they worked at was in the news just a few months ago. The hotel writes off the loss of the key cards so don't worry and they don't charge you extra for not turning it in. I KNOW! Someone in my family owns a hotel.

2. Write on the back of all your credit/debit cards (NOT YOUR SIGNATURE)!! Write "Photo ID Required". That way no one can slip a purchase past a dip shit cashier who is not paying attention.

3. Shred (don't just rip up) all your credit card application junk mail. YES, YES, YES, people do go through your garbage. For instance, I always thought no one goes through my garbage! One day a woman, her son and a cop come to my door and complain about porn movies being in the garbage. Living in a 6 unit apartment building at the time it could have been anyone. It sure wasn't me. Another time I threw away a certificate on a wood plaque I was given by my father for Karate when I was young. A few weeks later someone told my dad they were garbage diving and found it and gave it to my dad. I lived about 10 miles from my dad at the time. He was upset. Point is people do go through your garbage and WILL steal your identity and tape up and turn in those credit card applications with a different address under your name.

4. Never click a link provided in an email which requires you to log in with an account. For example there are scammers who create web pages that look exactly like eBay's website and send you emails stating your account has been hacked. Login to correct the problem or, I bought an ebay item from you and I want it. They will have links. Once you click the link you are taken to a bogus website which looks exactly like the real thing with verisign security logos trying to make you believe it is the real website. Once you log in it records your login info and now they have your eBay account information or the website they are trying to scam your account for. I like to click the link and put "here is my login info" in the username field and F**k off scammer in the password field. But if you do that they will know that your email account is active since you clicked the link and they will keep sending bogus emails.

There are more tips but I feel I have provided enough here.
Good Luck
Spydergst1 is offline   Reply With Quote
Old Dec 27, 2006, 09:30 PM // 21:30   #30
Frost Gate Guardian
 
Join Date: Mar 2006
Guild: The Tools
Default

Quote:
Are there really people who would try to figure out a password from scratch? Sheesh, and I thought by playing GW for 10 hours a day I had no life.
Do a google for bruteforce password crackers, there are a ton of them, most legal and designed to figure out the password on that obscure app or program that you forgot. I have used one for just such an occasion, and it took about ten minutes to figure out an 8 digit code.
But of course they are also available to try to bruteforce any password out there. So be cautious and careful.

Last edited by Grais; Dec 27, 2006 at 09:34 PM // 21:34..
Grais is offline   Reply With Quote
Old Jan 06, 2007, 12:42 AM // 00:42   #31
Ascalonian Squire
 
Join Date: Apr 2006
Guild: Friggen Awesome
Profession: R/Me
Thumbs down

Quote:
Originally Posted by Spydergst1
1. If you stay at a hotel/motel. Do not give your room “key card” back. It contains all your information including credit card. The hotel staff puts it on top of the deck of available room keys and your info stays on it for someone to grab. Recent news reports of people stealing identities from the hotel they worked at was in the news just a few months ago. The hotel writes off the loss of the key cards so don't worry and they don't charge you extra for not turning it in. I KNOW! Someone in my family owns a hotel.
I'm calling BS. http://www.snopes.com/crime/warnings/hotelkey.asp
They don't put anything on the cards except an ID number.

Quote:
Originally Posted by Spydergst1
2. Write on the back of all your credit/debit cards (NOT YOUR SIGNATURE)!! Write "Photo ID Required". That way no one can slip a purchase past a dip shit cashier who is not paying attention.
Good idea, but doesn't usually work too well. With the ability to purchase online, or even swiping the card yourself at the checkout, most cashiers don't ever handle your card. And when they do....they don't care. My dad has written on his card "Check for ID", he asked the cashier what it said, and the cashier told him. And that was all.

I don't know anything about number 3, and for number 4, yeah watch out for phishing sites.
cjb909 is offline   Reply With Quote
Old Jan 06, 2007, 05:33 AM // 05:33   #32
Frost Gate Guardian
 
luinks's Avatar
 
Join Date: May 2006
Guild: Purple Ravens
Profession: Mo/E
Default

Also the client itself has flaws, you can check this thread, it also has good tips for account security. No response was given at the time I wrote the thread by Anet about the infinite attempts you can do in the log-in screen...
http://www.guildwarsguru.com/forum/s...php?t=10081483
luinks is offline   Reply With Quote
Old Jan 06, 2007, 08:46 PM // 20:46   #33
Academy Page
 
Ritualistic Spankin's Avatar
 
Join Date: Aug 2006
Default

Threads like this will keep coming around until this problem is fixed, and I think that is the only way it is going to be addressed. Ideally, the more pressure we apply to the problem, the sooner it will get resolved.

Also on a password security note: When choosing a password, don't just pick a word, most bruteforce programs that I have encountered run through a known list of words from the dictionary, thus cutting down the time it takes to access an account.

You should use a combination of number, lowercase, and uppercase letters in your password. However all it takes is 1 keylogger and that goes out the window.

...I guess take that for what it is worth.
Ritualistic Spankin is offline   Reply With Quote