Guild Wars Forums - GW Guru
Old Nov 21, 2009, 03:48 PM // 15:48   #1
Ascalonian Squire
 
Join Date: Jan 2006
Location: Sweden
Guild: The Viridian vanguard
Profession: Mo/
Anti-hacking suggestion for Guild Wars 2!

I got hacked some days ago and lost everything valuable on the account. I lost my chaos gloves, 4 tormented weapons, everlasting tonic and about 400k+ in money among other things. The hacker even destroyed a lot of customized items for fun or something...
I know several people who have gotten hacked and I think I can speak for everyone when I say that nobody wants to lose everything they spent so much time gathering/earning.
I certainly don't want it to happen to me again.

I made up 2 easy solutions which I think would deal a devastating blow to hackers and money trading companies (since the money trading companies do hack accounts).

1. After you have logged on to your account, there should be an optional feature in the options to activate. Once activated, the feature should only let you log on from certain IP addresses which you choose yourself. Every time you then try to log on with your username, Guild Wars will check the list of trusted IP's associated with your account and allow the connection based on that.

An example on how it could look ingame:

Protect your account with IP security

Your current ip: 12.345.678.99 [Add this IP to your trusted IP's]

Type IP of your choice:__.___.___.__ [Add this IP to your trusted IP's]

List of IP's allowed connection to your account:
56.124.753.12 [Remove this IP from your trusted IP's]
12.345.678.99 [Remove this IP from your trusted IP's]



Just like how you can easily find out your IP by clicking on http://www.ip-adress.com/, Guild Wars obviously knows what IP it connects to.
I don't know if there would be any way for the hackers to circumvent this method (creating their own fake IP that looks like yours?). But I know it would definitely increase the account security a lot!

Just like now, you should of course be able to override this by logging on to your NC Soft account and disabling it in case you change IP or something.


2. The second suggestion would be to be able to select an option inside Guild Wars that says something like: Only allow logins to this account from this computer. (For people not playing Guild Wars on several computers.)
Guild Wars would then create a file in your Guild Wars folder with a unique serial connected to your account.

So every time you connect it would check if the serial in the file matches the one asked for by the login server.

Same thing here with being able to be overridden with your NC account.

Summary: If these 2 security options were to be implemented by Anet, this is what would happen: When you log in with your correct username and password, the login server checks which IP's are allowed and sees if you are using one of those IP's. Then it would check the file with the serial that is unique for your account, and if they match it would allow login just like normal.
This process might make the login process take a few more seconds than normal, but wouldn't it be worth it?

How it would be for a hacker:
OK, let's say the hacker has gotten to know your password and login. He would then also have to find out what your IP is and somehow clone it (if that is even possible). And after that he would need the file with the unique serial on his computer. For that he would have to manage to attack the computer with a trojan and copy that file to his computer, or manage to log in remotely to your Guild Wars account using your computer.

To me that sounds like an awful lot of hard work.
Hackers would no longer be able to use password crackers that just spam words from a dictionary either.

We could all feel safer and Anet could be the first company to introduce this innovative account security to an MMO game.
Dukeswe is offline  
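
The two-step login check summarized in the post above (trusted IP list, then the per-account serial file), as an added example that is not part of the original thread and not ArenaNet's code. The class and method names are hypothetical and the addresses are constructed documentation-range values; it goes beyond the post in accepting IP blocks, as later replies suggest, and in keeping only a hash of the serial on the server side.

```python
import hashlib
import hmac
import ipaddress
import secrets


class AccountLoginPolicy:
    """Hypothetical optional per-account checks, run after the password is verified."""

    def __init__(self):
        self.trusted_networks = []     # empty list = IP check not activated
        self.device_token_hash = None  # None = "this computer only" not activated

    def trust_ip(self, cidr):
        # Accepts a single address ("198.51.100.7") or a block ("203.0.113.0/24").
        self.trusted_networks.append(ipaddress.ip_network(cidr, strict=False))

    def enroll_device(self):
        # The random serial is handed to the client once, to be written to its
        # game folder; the server keeps only a hash of it.
        token = secrets.token_hex(32)
        self.device_token_hash = hashlib.sha256(token.encode()).hexdigest()
        return token

    def check(self, source_ip, presented_token):
        """Return (allowed, reason) for one login attempt."""
        if self.trusted_networks:
            addr = ipaddress.ip_address(source_ip)
            if not any(addr in net for net in self.trusted_networks):
                return False, "ip_not_trusted"
        if self.device_token_hash is not None:
            presented = hashlib.sha256((presented_token or "").encode()).hexdigest()
            if not hmac.compare_digest(presented, self.device_token_hash):
                return False, "device_token_mismatch"
        return True, "ok"


def demo():
    # Constructed sample: one trusted address, one trusted block, one enrolled PC.
    policy = AccountLoginPolicy()
    policy.trust_ip("198.51.100.7")
    policy.trust_ip("203.0.113.0/24")
    token = policy.enroll_device()
    return [
        policy.check("198.51.100.7", token),  # trusted single address
        policy.check("203.0.113.88", token),  # inside the trusted block
        policy.check("192.0.2.55", token),    # right serial, untrusted address
        policy.check("203.0.113.88", None),   # trusted address, no serial file
    ]
```
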
Old Nov 21, 2009, 06:32 PM // 18:32   #2
Academy Page
 
Join Date: Feb 2009
Location: :>
Guild: notplayingGWatm[:o]
Profession: Mo/

Good suggestion in Sardelac, wtf?

/signed
tejive is offline  
Old Nov 21, 2009, 06:52 PM // 18:52   #3
Ascalonian Squire
 
Join Date: Oct 2009

I like it.
/signed
Hylas is offline  
Old Nov 21, 2009, 07:05 PM // 19:05   #4
Jungle Guide
 
Join Date: Jun 2005
Guild: None
Profession: Mo/

2nded tejive's "Good suggestions here, wtf?" Comment

/signed
miskav is offline  
Old Nov 21, 2009, 07:22 PM // 19:22   #5
Grotto Attendant
 
Join Date: Apr 2007

#1 is infeasible because of people whose ISP's give them dynamic IP addresses. However, some variation that allows blocks of IP addresses as an optional feature would be good.

#2 is fine except for the difficulty of dealing with people who experience hard drive crashes etc. and didn't have the foresight to back up their "serial number."
Chthon is offline  
Old Nov 21, 2009, 07:26 PM // 19:26   #6
Wilds Pathfinder
 
Join Date: Nov 2007
Guild: Still looking
Profession: Rt/

/signed
Then all of the QQers who will get their accounts hacked would only have themselves to blame.
The Drunkard is offline  
Old Nov 21, 2009, 07:42 PM // 19:42   #7
Ascalonian Squire
 
Join Date: Jan 2006
Location: Sweden
Guild: The Viridian vanguard
Profession: Mo/

Quote:
Originally Posted by Chthon
#1 is infeasible because of people whose ISP's give them dynamic IP addresses. However, some variation that allows blocks of IP addresses as an optional feature would be good.

#2 is fine except for the difficulty of dealing with people who experience hard drive crashes etc. and didn't have the foresight to back up their "serial number."

#1 Like I said, this would be an optional feature for a larger player base. Maybe it could be made so you can select that all IP's that start with 85.126.xxx.xx are allowed or something. It would just be an extra layer of protection for a lot of people.

#2 Also, what I said is that there should be some kind of way to disable it without logging in. Like the NC Soft account, which should be required to get if activating those options. If you say the hacker can just hack the NC account, well, that they already can now then. We've just got to hope that they have enough protection for their players.
Dukeswe is offline  
Old Nov 21, 2009, 08:14 PM // 20:14   #8
Krytan Explorer
 
Join Date: Jan 2009
Location: Canada
Guild: The First Dragon Slayers [FDS]

ANET PLEASE DO THIS!!

/signed
Obrien Xp is offline  
Old Nov 21, 2009, 08:18 PM // 20:18   #9
Desert Nomad
 
Join Date: May 2005
Location: Calgary, Alberta, Canada
Profession: W/

Or maybe allow cautious players to add an extra password or serial of their choice? This would be better than hardware definition and issues with dynamic IPs.
Chronos the Defiler is offline  
Old Nov 21, 2009, 08:35 PM // 20:35   #10
Lion's Arch Merchant
 
Join Date: Jan 2009
Location: Domain of Anguish
Profession: Mo/

Great idea, this would prevent like 99% of hacks. Anet should really make this.

/signed
SpiritBond is offline  
Old Nov 21, 2009, 09:29 PM // 21:29   #11
Krytan Explorer
 
Join Date: Sep 2009
Guild: [SMF]

/signed because it's a good idea.

But if you don't give your info to the ingame goldsellers, this wouldn't happen. Ever.
Rekliss is offline  
Old Nov 21, 2009, 10:07 PM // 22:07   #12
Desert Nomad
 
Join Date: Jan 2008
Profession: Mo/

Good suggestion, /signed.
Here's some alternative/complementing ideas:

If you log in to your account from a significantly different IP and start doing major suspect things (i.e. start to empty a character of valuables etc.), there should be a time lock. An email is sent to your email (which by the way does not have to be your login email). Replying to this email will allow you to extend the time lock or ban the IP currently on your account. If it is you, you simply have to wait and just enjoy the game normally for a couple of hours. Such an IP difference would normally only occur if you change ISP or go to another country or city.

Another option is to let the game randomly create a "rune" password for your account, where you have to click 3 runes of 16 (4x4). The game can pop up this rune password dialog when the IP is significantly different. You can only enter the rune password one try/hour. A failed attempt will just make most of your inventory non-tradeable/droppable/salvageable, except perhaps for common white weapons and common trophies. If you forget your rune password, you can change it. But only if you are legit online, confirm by email, and the game randomly makes a new combination, maximum 1 time/day.

Edit: Just to make it clear, a "rune" password would in no way be your login password; it's only an additional password system.

Last edited by Bristlebane; Nov 21, 2009 at 10:10 PM // 22:10..
Bristlebane is offline  
Old Nov 21, 2009, 10:13 PM // 22:13   #13
Frost Gate Guardian
 
Join Date: Dec 2006
Guild: The Mirror of Reason [SNOW]
Profession: P/W

the problem is that this is such a great idea, but anet will probably never see it
samerkablamer is offline  
Old Nov 21, 2009, 10:19 PM // 22:19   #14
Desert Nomad
 
Join Date: Jan 2008
Profession: Mo/

Not meaning to hijack your thread, as we basically just want the same thing, and it didn't feel like it merited creating a new thread about it with such a similar idea:

Anti-keylogger Protection!
Whenever you log in, you have to click on say 2 pre-chosen runes after entering your password. There are 4x4 runes in total, randomly shuffled. A keylogger can't record this and thus gives you an added (1-in-256) chance of stopping an intruder. Failed rune clicks temporarily lock the account for an hour and send the account owner an email. Recording mouse movements/clicks won't work either, as the runes are shuffled.
Bristlebane is offline  
Old Nov 21, 2009, 10:24 PM // 22:24   #15
Academy Page
 
Join Date: Jun 2009
Profession: Mo/A

Great, as soon as you're unable to log in from a certain IP you lose your gw acct.
The Cake Archer is offline  
Old Nov 21, 2009, 11:34 PM // 23:34   #16
Ascalonian Squire
 
Join Date: Jan 2006
Location: Sweden
Guild: The Viridian vanguard
Profession: Mo/

Quote:
Originally Posted by Rekliss
But if you don't give your info to the ingame goldsellers, this wouldn't happen. Ever.

Well, my case was that I never gave my ingame to any goldseller. In fact I had been semi afk from Guild Wars the last months. Haven't been to any forums or anything. Then all of a sudden it gets hacked. Found no keyloggers or anything on my computer after thorough scans.

The support says it was a gold seller. But how they got the account info is beyond me, because the password I used was pretty much only used at like 3-4 trusted sources.

That's why I had the idea of these things. To prevent hacking like that from being possible, or at least make it a lot harder for those bastards.

I realise a lot of people just skim through what I wrote and don't really read at all. Like the last post from The Cake Archer.

Of course you wouldn't lose the account, as mentioned at least 2 times in my text. There should be some other way for you to disable the functions in case of changed IP or hard drive crash.
Dukeswe is offline  
Old Nov 22, 2009, 11:58 AM // 11:58   #17
Frost Gate Guardian
 
Join Date: Jul 2006
Location: Sweden
Profession: E/

Since I don't have a static IP, it's pretty annoying to add an IP range for this ISP.

So it would be better if they add a dongle and you have to turn in 4-5 digits with the password you got, which the dongle provides, and it should only be linked to your account.

I do like if the anti hack wears down, but the dongle should cost a few euro or dollars. I know Blizzard has something like it and it is indeed a nice security feat.

Just my opinion.
nologic is offline  
Old Nov 22, 2009, 12:59 PM // 12:59   #18
Lion's Arch Merchant
 
Join Date: Mar 2006
Location: Taking a dip at Nundu Bay

Or just don't download programs you're not supposed to download and don't sign up on a phishing site.

No, not trolling. I'm serious...
Enon is offline  
Old Nov 22, 2009, 03:01 PM // 15:01   #19
Lion's Arch Merchant
 
Join Date: May 2007
Location: Seattle, WA USA
Guild: Demon Dawg Knights
Profession: E/Me

Everyone assumes that people who get hacked did something wrong. But a member of our guild who was hacked 6 times found out that it was his Hotmail address that had been hacked, and when GW sent confirmation of him changing his login pw, that email was sent there to be read by the hacker. Once he changed his email to a more secure addy, the problem stopped. So stop assuming that everyone who gets hacked was up to no good.

/Signed

Anything to make this problem harder to have happen, I'm all for.
DragonRogue is offline  
Old Nov 24, 2009, 02:38 AM // 02:38   #20
Ascalonian Squire
 
Join Date: Jan 2006
Guild: [KOT]
Profession: Mo/W

Quote:
Originally Posted by Chronos the Defiler
Or maybe allow cautious players to add an extra password or serial of their choice? This would be better than hardware definition and issues with dynamic IPs.

This.

/signed

Also, I had never been hacked until the day I took advantage of the 25% off storage panes ... then three hours later - hacked. It is anecdotal, but it is my experience.
sithkhan is offline  