Guild Wars Forums - GW Guru
 
 

Old Oct 22, 2006, 03:15 AM // 03:15   #1
Wilds Pathfinder
 
MegaMouse's Avatar
 
Join Date: Jan 2006
Location: south mississippi
Guild: Warriors Of Melos WOM
Profession: E/N
Problem with hackers

I recently got one of my Guild Wars accounts hacked. Lost all the stuff and gold that I had worked hard to collect along with the mini pets that I earned through birthdays and having the collector's edition of Factions. When I contacted NC-Soft their official position is to not get back any item or gold stolen from you. I do believe that that policy should be changed. The reason that I say this is each time someone logs into their account it is also logged into the server farm. Saying that it will be quite easy for A-Net and NC-Soft to get the IP address from any account that they want. This way they can find the relevant IP if you give them the times that you were hacked and thieved from, and they can trace the thief through their IP. I have done this with a program that I have when someone has tried to hack my home computer and turned the perpetrator in to the law. If NC-Soft and A-Net make it public that they will do such a thing it will discourage any more hackers. Most of the items stolen can only be used while in the game.
This is a problem that I have seen with other players and even with some of my guild mates. I am quite anal about keeping my computer cleaned up of any spyware and even keep my firewall and antivirus up to date with a passion, so I know that there wasn't a keylogger on my computer when I was hacked. Thanks to the hacker I now change my password every other day, and keep it as long as they allow.
I hope that more people feel the same way about this as I do and that NC-Soft and A-Net get the point that it is a problem and they need to do something else other than say they are sorry we lost so much of our invested time.


Mega Mouse
MegaMouse is offline  
Old Oct 22, 2006, 03:20 AM // 03:20   #2
Wilds Pathfinder
 
Join Date: Mar 2006
Profession: W/Mo
Default

ANet won't replace items. There are many other threads about this same thing. Sorry for your loss, but you won't get your stuff back.
Swinging Fists is offline  
Old Oct 22, 2006, 03:38 AM // 03:38   #3
Lion's Arch Merchant
 
Join Date: Jun 2005
Guild: None
Profession: W/E
Default

And it'd be easy for you to give your PW to a friend so you could
transfer all your stuff to him, get all new stuff from Anet, and then
get your old stuff back.

I can come up with a whole series of scams to get free stuff if I
could just convince Anet to replace my lost items.

It's a sad thing if you really got hacked though.
Hephaestus Ram is offline  
Old Oct 22, 2006, 05:32 AM // 05:32   #4
Lion's Arch Merchant
 
Join Date: Jul 2006
Location: Pluto-We miss you
Guild: Biscuit of Dewm [MEEP]
Profession: R/
Default

I was also hacked. Lost 500k+ ~400E or so.

many perfect weapons+ More

I am pissed about it, but I now have all the items and some from friends and guildies who helped me out. I just change my password each week at least 1 time. I can't even log on the account anymore >.>
Insuscient Ranger is offline  
Old Oct 22, 2006, 05:34 AM // 05:34   #5
Frost Gate Guardian
 
Solar Light's Avatar
 
Join Date: May 2006
Guild: Teutonic Warriors {TW}
Profession: Mo/
Default

Seriously.... don't be moronic now, you would be crying for some form of insurance as well if you got hacked, and duh, ANet most likely can track server records of junk. I think some sort of insurance system is needed for these things.
Solar Light is offline  
Old Oct 22, 2006, 05:47 AM // 05:47   #6
Wilds Pathfinder
 
floppinghog's Avatar
 
Join Date: Oct 2005
Location: pit of brimstone
Guild: Squad Six Six Six [ssss]
Profession: A/Me
Default

Correction. You don't know what hacking is.

Let's go through this again, people who KEY LOG YOU..... DO NOT HACK YOU OR ANET. Read text over and over until it sinks in.


And to be honest, there's no real way for you to KNOW if you don't have a keylogger once it has already sent the info away. Just keep that in mind.

Last edited by floppinghog; Oct 22, 2006 at 05:51 AM // 05:51..
floppinghog is offline  
Old Oct 22, 2006, 06:46 AM // 06:46   #7
Jungle Guide
 
M1h4iL's Avatar
 
Join Date: Apr 2005
Location: Perth, Australia
Default

I am guessing you got 'hacked' because you either gave your password out, used a computer in a net cafe to play GW or go on random sites using Internet Explorer catching all sorts of keyloggers. Bad luck though, I wish anet did do something about this, there should be like a 24 hour return policy on any transaction.
M1h4iL is offline  
Old Oct 22, 2006, 07:05 AM // 07:05   #8
Forge Runner
 
Sekkira's Avatar
 
Join Date: Apr 2005
Location: Canberra, AU
Default

You can't say it wasn't a keylogger just because your spyware detector didn't pick it up. I can write a keylogger right now, throw it on your computer and I'm pretty certain none of your scanners will pick it up.
Sekkira is offline  
Old Oct 22, 2006, 09:43 AM // 09:43   #9
Div
I like yumy food!
 
Div's Avatar
 
Join Date: Jan 2006
Location: Where I can eat yumy food
Guild: Dead Alley [dR]
Profession: Mo/R
Default

Plus, they have better things to do than rerolling the entire server just cuz you got hacked...and if they only replaced your items, then it'd be the new dupe hack by telling your anet that you lost your req 8 15^50 crystalline :P
Div is offline  
Old Oct 22, 2006, 12:39 PM // 12:39   #10
Frost Gate Guardian
 
Legolas Ravenwood's Avatar
 
Join Date: Oct 2005
Location: England
Profession: N/R
Default

If A-Net give weapons back to people with stolen accounts I'd be very happy!
  • Account 1 has over 200 Ecto and a bag of perfect weapons.
  • I transfer everything over to account 2
  • I then claim I got haxx0red and get everything back onto Account 1 from A-Net
  • Then I transfer everything back from account 2 to account 1
  • Account 1 now has 400 Ecto and 2 bags of perfect weapons

Seriously this will never happen. Please think of every possibility that will arise from A-Net "restocking" stolen accounts. Also, get better security and don't download infected programmes or files.
Legolas Ravenwood is offline  
Old Oct 22, 2006, 01:31 PM // 13:31   #11
Forge Runner
 
Sekkira's Avatar
 
Join Date: Apr 2005
Location: Canberra, AU
Default

Arenanet sees logs of this transaction, delete 200 ecto and the bag of perfect weapons, put bag of perfect weapons and 200 ecto on the original account.

You have just been owned. Seriously, why do people think if ArenaNet allowed restoration of weapons/items/gold that it'd be easy to dupe things out of them?
Sekkira is offline  
Old Oct 22, 2006, 01:35 PM // 13:35   #12
Krytan Explorer
 
thezed's Avatar
 
Join Date: Oct 2006
Location: Iowa, USA
Guild: HoTR
Default

Do you have any GW 3rd party programs? Something like a bot or anything that you had running in the background while you logged on to GW? Many times a key logger is hidden in these kinds of programs, ones that claim to help you. Your scanner would not pick this up either.
thezed is offline  
Old Oct 22, 2006, 01:39 PM // 13:39   #13
Wilds Pathfinder
 
MegaMouse's Avatar
 
Join Date: Jan 2006
Location: south mississippi
Guild: Warriors Of Melos WOM
Profession: E/N
Default

It seems that a lot of you are missing the point here. It is not so much to get my stolen stuff back, but more to make A-Net and NC-Soft do something other than sit on their collective tails while this problem goes on.
As far as me playing on other computers that doesn't happen. I have 2 that I use for playing Guild Wars and all my other online games. One is my gaming tower at my house: no chance of anything getting past the security programs that I use on it. The other is my laptop which I take to work: same with this one. For a bit of information, I do not use just one or 2 programs to keep my computer clear but I use several and have them all set to paranoid, so not much gets through without me knowing about it.
I know of several programs that can be used to hack account passwords. One is called: Brute Force programs, these programs go through several thousand combinations of letters and numbers until they hit paydirt. This type of hacking can take time. If A-Net would put a lock-out on the log-in system where if you enter your password wrong after a set amount of tries, it locks your account up and they could send you an E-Mail letting you know what is wrong and how to fix it.
Even doing this won't stop unscrupulous so-called friends, but this solution can send a message to the hackers that they are being caught at what they are trying to do.
As far as any type of keylogger getting on a person's system there are a couple built in ways to find them using Microsoft's own built in safeguards. Either using the Ctrl Alt Delete trick or by using Msconfig you can find and see all the programs running on your computer and then eliminate what isn't supposed to be there. I personally check my computers each and every time I boot them up, this is time consuming and can become annoying if you have a lot of programs on your computer, but I consider it a necessary evil for the security of my habits.
Some of you may think that you know a lot on how to program a computer but I build about 50 or so each month, and maintain several hundred for a few large corporations, so I think that qualifies me in knowing what I am talking about. I am responsible for the security of those that I maintain and take extreme measures in doing just that. I do the same for my personal computers.
We all need to give A-Net and NC-Soft a nudge in the right direction even if they won't give our items and hard earned gold back, at least they should find a way to stop these hackers even if it causes us a small inconvenience, I would take a bit of inconvenience over being hacked.

Mega Mouse
MegaMouse is offline  
Old Oct 22, 2006, 01:41 PM // 13:41   #14
Frost Gate Guardian
 
Legolas Ravenwood's Avatar
 
Join Date: Oct 2005
Location: England
Profession: N/R
Default

Quote:
Originally Posted by Sekkira
Arenanet sees logs of this transaction, delete 200 ecto and the bag of perfect weapons, put bag of perfect weapons and 200 ecto on the original account.
And if the Ectos have been sold/traded before A-Net even see what's happening?? What will they delete then? They are not going to follow each of the 400 Ecto around accounts to delete them all.
Legolas Ravenwood is offline  
Old Oct 22, 2006, 01:50 PM // 13:50   #15
Wilds Pathfinder
 
Guinevere Ac's Avatar
 
Join Date: Apr 2006
Location: Milano
Default

a.net won't ever restore a single gold coin even on pope himself account. They even claim not to be able to restore a naked character without any item nor cash.
It's a lost cause. Sorry for what happened but u're not having anything at all back. Save your time.
As for better security. Lost cause as well. All they seem to be able to say is "do not download 3rd party programs" as if anyone here is idiot enough to do it. Their official position is "increasing security is expensive for us in terms of more ppl working for us. tho we won't actively do anything about it." It's said. But that's how things are. Nothing to do.

Last edited by Guinevere Ac; Oct 22, 2006 at 01:52 PM // 13:52..
Guinevere Ac is offline  
Old Oct 22, 2006, 01:52 PM // 13:52   #16
Forge Runner
 
Sekkira's Avatar
 
Join Date: Apr 2005
Location: Canberra, AU
Default

No, you have no idea what you're talking about. This can clearly be seen by your extent of knowledge in hidden processes (none) which don't show up on the wonderful ctrl alt del menu and your ignorance on how your gaming rig is the fort knox of computer security. Anyone with common sense can build a system. Maintaining one PROPERLY takes a slight bit more knowledge, not much though.

Get it right though, what you're talking about is called cracking, hacking is editing source code.

On top of that, what do you expect ArenaNet or NC Soft to do? Train up a few million consultants to charge out to all of their consumers' houses and maintain their computer, babysitting them through each second the computer is online? It's not their problem if you can't maintain your own computer, they can sympathise that your hard work is ruined but that's about all they'll do.

Quote:
Originally Posted by Legolas Ravenwood
And if the Ectos have been sold/traded before A-Net even see what's happening?? What will they delete then? They are not going to follow each of the 400 Ecto around accounts to delete them all.
Correction. 200 ecto. I doubt their logs are something you'll only see printed out an hour after it has happened. Therefore, I have full faith in their ability to track this out easily and do so. However, imagine this on a massive database with thousands of people requiring their items back. Now you know why it's their policy not to do this.

Last edited by Sekkira; Oct 22, 2006 at 01:55 PM // 13:55..
Sekkira is offline  
Old Oct 22, 2006, 02:27 PM // 14:27   #17
Frost Gate Guardian
 
Join Date: Jul 2006
Default

Quote:
Originally Posted by MegaMouse
As far as me playing on other computers that doesn't happen. I have 2 that I use for playing Guild Wars and all my other online games. One is my gaming tower at my house: no chance of anything getting past the security programs that I use on it.
False. You lose right here, when you think any security is perfect. No chance? None? There's no chance there's a bug in any of your security programs? No chance at all there's a zero-day floating around for windows? Really? There's no holes in your firewall allowing traffic to pass in either direction? And your computer is locked in a safe, buried under a ton of granite at the bottom of the ocean? You must have a hard time playing GW down there. There is no perfect security. It's always a balancing game with usability, cost, maintainability, etc.

Quote:
The other is my laptop which I take to work: same with this one. For a bit of information, I do not use just one or 2 programs to keep my computer clear but I use several and have them all set to paranoid, so not much gets through without me knowing about it.
Getting better. At least now you know "something" gets through without you knowing it.
Quote:
I know of several programs that can be used to hack account passwords. One is called: Brute Force programs, these programs go through several thousand combinations of letters and numbers until they hit paydirt. This type of hacking can take time. If A-Net would put a lock-out on the log-in system where if you enter your password wrong after a set amount of tries, it locks your account up and they could send you an E-Mail letting you know what is wrong and how to fix it.
True, technically. More than, say, 3 wrong passwords in 30 seconds could equal, say, no login until you do something to prove you're you. That would limit brute-forcers. It would also be a vector for a massive denial of service attack, whereby someone just tries 4 passwords of "aaa" on every email address they can get. Using a large spam mail database. With a botnet. Big mess. Please, think these things through before you try to sound like you know security.
Quote:
As far as any type of keylogger getting on a person's system there are a couple built in ways to find them using Microsoft's own built in safeguards. Either using the Ctrl Alt Delete trick or by using Msconfig you can find and see all the programs running on your computer and then eliminate what isn't supposed to be there. I personally check my computers each and every time I boot them up, this is time consuming and can become annoying if you have a lot of programs on your computer, but I consider it a necessary evil for the security of my habits.
Rootkit. If the keylogger isn't also a rootkit, you're being hacked by the world's most amateur amateur. I cannot believe what you say in the next paragraph, and also believe that you still hold the delusion that the tools MS builds into windows are anything but useless, useless dirt.
Quote:
Some of you may think that you know a lot on how to program a computer but I build about 50 or so each month, and maintain several hundred for a few large corporations, so I think that qualifies me in knowing what I am talking about. I am responsible for the security of those that I maintain and take extreme measures in doing just that. I do the same for my personal computers.
Hubris. You've demonstrated that you don't know thing one. I will consider you "qualified that you know what you're talking about" when you "demonstrate that you know what you're talking about".

Now for the parts I agree with: Yes, Anet should do something about the feasibility of brute-forcing passwords. It's a really difficult thing to do though. What actions could they take? Automatically ban any ip that tries more than n wrong passwords in x minutes? By spoofing the ip headers in the packet, you could get half the US banned in like, an hour. Lock the account after n wrong passwords in x minutes? Now you need an authentication system for getting it unlocked. It has to be relatively easy for the legitimate account holder to use, even if they have forgotten their password, ('cause they could be the one who guessed their own password!) but hard for "the wrong user" to use. Tough problem to solve. Oh! Maybe the account can just lock for y minutes, after which you can log in again! That'll work! Until someone just gets thousands of people's accounts locked every minute. We should track hackers! Yeah! That'll work! Until you realize that IPv4 isn't spoof-resistant, and that the person you're tracking used three proxy servers, a botnet, and lives in a country with no extradition treaty.

So yeah. It's not easy. Use a hard-to-guess passphrase, change it frequently.
mrgoat is offline  
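
The lockout trade-off discussed in post #17, as an added example that is not part of the original thread: a small model of the "more than n wrong passwords in x seconds locks the account for y seconds" rule, replayed over one hour to measure both how far it slows guessing and how often it turns away the real owner. The class name, account name and all timings are constructed for illustration.

```python
from collections import defaultdict, deque


class LockoutPolicy:
    """Lock an account for lock_secs once more than max_fail wrong
    passwords arrive within window_secs (the n / x / y of the post)."""

    def __init__(self, max_fail=3, window_secs=30, lock_secs=300):
        self.max_fail = max_fail
        self.window_secs = window_secs
        self.lock_secs = lock_secs
        self.failures = defaultdict(deque)  # account -> recent failure times
        self.locked_until = {}              # account -> unlock time

    def attempt(self, account, password_ok, now):
        """Return 'locked', 'ok' or 'fail' for one login at time now (s)."""
        if now < self.locked_until.get(account, 0):
            return "locked"                 # password is not even checked
        if password_ok:
            self.failures[account].clear()
            return "ok"
        recent = self.failures[account]
        recent.append(now)
        while recent and now - recent[0] > self.window_secs:
            recent.popleft()                # forget failures outside window
        if len(recent) > self.max_fail:
            self.locked_until[account] = now + self.lock_secs
            recent.clear()
        return "fail"


def simulate_hour(policy, owner_times, account="victim@example.test"):
    """Replay 3600 s in which one wrong password per second is submitted
    for `account` while the owner logs in correctly at owner_times.
    Returns (wrong guesses actually checked, list of owner outcomes)."""
    checked, owner_results = 0, []
    for now in range(3600):
        if policy.attempt(account, False, now) == "fail":
            checked += 1
        if now in owner_times:
            owner_results.append(policy.attempt(account, True, now))
    return checked, owner_results


OWNER_TIMES = {100, 700, 1300, 1900, 2500, 3100}  # constructed sample

if __name__ == "__main__":
    for label, policy in (("no lockout", LockoutPolicy(max_fail=10**9)),
                          ("3 in 30 s, 5 min lock", LockoutPolicy())):
        checked, owner = simulate_hour(policy, OWNER_TIMES)
        print(f"{label}: {checked} guesses checked, owner saw {owner}")
```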
Old Oct 22, 2006, 02:58 PM // 14:58   #18
Underworld Spelunker
 
Join Date: Feb 2005
Default

what if the person who was given all that loot has instructions to give/sell it to players who had no clue it was dirty loot?

someone innocently pays 50k in good faith then is offered even more from another innocent person that just logged in.

how is Anet supposed to straighten that out?

multiply by half the gaming population who will try to get something free.

@MR BIG SHOT SECURITY EXPERT WHO............

1 do you have a separate unique email account that is used only for that GW account and nothing else?

2 is that email address a max length alpha/numeric/symbol (if symbol allowed) random string @ your isp. xxx?

3 is your password a max length string as well used nowhere else?

4 it doesn't matter how many spyware tools you use if the ones you are using are not effective.

check PC MAGS latest testing to see which trusted antispyware apps let through keyloggers/rootkits/etc

and if you are such an expert how did this happen to you?

task manager is nothing compared to what i use (non microsoft is a given)
Loviatar is offline  
Old Oct 22, 2006, 03:20 PM // 15:20   #19
Frost Gate Guardian
 
Join Date: Jul 2006
Default

Quote:
Originally Posted by Loviatar
3 is your password a max length string as well used nowhere else?
Doesn't matter if it's max length. You never store passwords plain text in a database, you usually use a salted hash, which produces a fixed-length string. (Hash because it's computationally infeasible on a strong hash algorithm to find a collision, and salted so that pre-computed hash dictionaries are useless)

In fact, it's bad to always use a max length password, as that limits the number of possible passwords to c^n, where n is the length of the string and c is the number of allowable characters.
mrgoat is offline  
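
The two points made in post #19, as an added example that is not part of the original thread: a salted, stretched password hash whose stored output has the same length whatever the password length, plus the c^n keyspace count. PBKDF2-HMAC-SHA256 from Python's standard library stands in here for the generic "salted hash"; the iteration count, function names and sample passwords are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # example work factor, tune for your own hardware


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random 16-byte salt is drawn per
    account unless one is supplied for verification."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, expected_digest):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected_digest)


def keyspace(c, n, exact_length):
    """Candidate passwords over an alphabet of c characters: exactly n
    long (c**n), or any length from 1 up to n."""
    if exact_length:
        return c ** n
    return sum(c ** k for k in range(1, n + 1))


if __name__ == "__main__":
    # Constructed sample passwords of very different lengths.
    for pw in ("aaa", "correct horse battery staple " * 4):
        salt, digest = hash_password(pw)
        print(len(pw), "chars ->", len(digest), "byte digest")

    # Same password, two accounts: different salts, different digests,
    # so one precomputed dictionary cannot cover both rows.
    s1, d1 = hash_password("hunter2")
    s2, d2 = hash_password("hunter2")
    print("digests differ:", d1 != d2)
    print("verifies:", verify_password("hunter2", s1, d1))

    print("exactly 8 of 62 chars:", keyspace(62, 8, True))
    print("1 to 8 of 62 chars:   ", keyspace(62, 8, False))
```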
Old Oct 22, 2006, 03:21 PM // 15:21   #20
Krytan Explorer
 
Sectus's Avatar
 
Join Date: Dec 2005
Guild: Miss Meow Meow's Guild
Default

I feel rather disappointed in the community right now. Are you guys always this pessimistic?

"I've been hacked and I lost all my items." And many people assume he lied and gave away his password.

"I hope anet will improve security." And people say anet doesn't care and they'll never do such a thing so don't bother asking.

"I hope anet will be able to restore hacked characters." And people start talking about how to potentially exploit that system (if your first thought about restoring chars is how to exploit it, that's a really bad sign)

If we want anet to improve on their security and perhaps add a function to restore characters (I'd like to mention that a certain popular MMORPG with 7 million players has a system for restoring hacked characters), then we NEED to let anet know we want that. Saying anet doesn't care, and we shouldn't bother asking just makes it less likely anet will see this is an important issue which needs to be dealt with.

Everyone who's been hacked should come out and say so, and beg anet to improve their rather lousy account security. Otherwise this problem will go unnoticed by anet.

To the OP, I'm really sorry to hear your loss. Do you have any idea how you got hacked? Was it through your email account, someone managed to directly hack into your GW account, someone brute forced your password? Some clue might indicate what part of GW's security needs to be reinforced and may let other players know what to be most careful about.
Sectus is offline  