Guild Wars Forums - GW Guru
Old Sep 27, 2006, 08:25 AM // 08:25   #61
Zui
Desert Nomad
 
Join Date: Mar 2006
Guild: The Benecia Renovatio [RenO]
Profession: Mo/
Default

Quote:
Originally Posted by manitoba1073
for those who isnt in the know, ppls accounts were hacked through anets own servers. im guessing guinivere was one of them. it happened to a lot of ppl. so first dont assume they werent careful enough on their own. theres no security that would have prevented it other than this idea of being able to lock down chars. hope u guys feel better now on blaming others for their misfortunes. there was even announcement on anet and here about it if u dont believe me
Hi, you obviously saw a thread about the Play NC accounts, however, you clearly failed to understand it. Yes, there are flaws in the play nc security system, however, they are by absolutely no means large enough that you would get your account hacked if you were the least bit careful.

Play NC is working on correcting the problem they have. However, if people weren't stupid/lazy and didn't set amazingly easy security questions/passwords, they wouldn't have been hacked. However, [email protected] (this is just an example, so if this is a real email address don't email them...) did make his password "bigmike53", for both his GuildWars account, his email account and his play nc account... I fail to see how someone using something like that as a password, and using that same password for every single service is anyone's fault but their own.

Oh, and before you comment on something as if it is fact, make sure you have some understanding of what you're talking about, ok? I mean you have the general idea, sort of.. But you're absolutely wrong on all the specifics.
Zui is offline   Reply With Quote
Old Sep 27, 2006, 08:42 AM // 08:42   #62
Wilds Pathfinder
 
Guinevere Ac's Avatar
 
Join Date: Apr 2006
Location: Milano
Default

/signed. at least use this noise i made to improve security for other people in the (hope near) future

oh, and i find somehow insulting that random people without any knowledge at all about my specific situation feel free to throw accusations about security on my side.

Quote:
As a matter of fact, these thefts were made possible through a combination of errors. I know that GWG has made a change that will prevent the acquisition of information. And you will be pleased to know that there is a major change in the PlayNC system coming within a matter of days. Protocols are being put in place that will greatly reduce--perhaps even make impossible--this particular kind of account theft. That is not to say that all account thefts will be rendered impossible--we could only wish! But the three or four that we know of which were a result of this recent situation will be far less likely to happen in the future.

Last edited by Guinevere Ac; Sep 27, 2006 at 09:05 AM // 09:05..
Guinevere Ac is offline   Reply With Quote
Old Sep 27, 2006, 07:19 PM // 19:19   #63
Furnace Stoker
 
Yawgmoth's Avatar
 
Join Date: Apr 2005
Default

/signed

but make it not affect pvp chars
Yawgmoth is offline   Reply With Quote
Old Sep 27, 2006, 07:40 PM // 19:40   #64
Site Legend
 
Join Date: Oct 2005
Default

/no

Too much crap just for a game.
Malice Black is offline   Reply With Quote
Old Sep 27, 2006, 09:26 PM // 21:26   #65
Krytan Explorer
 
master_of_puppets's Avatar
 
Join Date: Apr 2006
Guild: I dont like guilds...
Profession: Mo/E
Default

/not signed

If you got hacked it's probably your fault which is very probable or a slight chance of a security breach or something. I'm guessing in the case of this Guinevere person someone guessed their password or knew their e-mail.

DON'T use the same password and email that you use for things like forums (esp. GW-related forums). Maybe use an e-mail that no one knows and a password that's not stupid and has letters and numbers.
master_of_puppets is offline   Reply With Quote
Old Sep 27, 2006, 10:02 PM // 22:02   #66
Wilds Pathfinder
 
Guinevere Ac's Avatar
 
Join Date: Apr 2006
Location: Milano
Default

Quote:
Originally Posted by master_of_puppets
/not signed

If you got hacked it's probably your fault which is very probable or a slight chance of a security breach or something. I'm guessing in the case of this Guinevere person someone guessed their password or knew their e-mail.

DON'T use the same password and email that you use for things like forums (esp. GW-related forums). Maybe use an e-mail that no one knows and a password that's not stupid and has letters and numbers.
AGAIN???
Guinevere Ac is offline   Reply With Quote
Old Sep 27, 2006, 10:17 PM // 22:17   #67
Forge Runner
 
Dougal Kronik's Avatar
 
Join Date: Aug 2005
Location: Ontario, Canada
Guild: Glengarry Fencibles
Profession: R/
Default

Guinevere Ac, was that your character with the Tyrian GMC title?

If so, let me know if there is any way I can help you get it back.

Additionally, a lot of the posts are guessing or assuming what happened to you, but if you could clarify for the community - that may help more than calling on Anet to institute security protocols - other members won't be victimized like you were.
Dougal Kronik is offline   Reply With Quote
Old Sep 27, 2006, 10:30 PM // 22:30   #68
Furnace Stoker
 
lord_shar's Avatar
 
Join Date: Jul 2005
Location: near SF, CA
Default

Based on what I've read previously, GuenevereAC did everything right with firewalls, routine virus + spyware scans, etc... and still got hacked because of gaping security holes on www.plaync.com's web site. That's not the user's fault, but ANET itself.

A secondary password would go a long way towards preventing character deletion since it won't be routinely captured by keyloggers. At the very least, it makes end-game character deletion that much harder for a keylogger script monkey to execute.

/signed.

EDIT: Use a PIN system requiring mouse-clicks with an on-screen-only numeric keypad. This defeats key-loggers since all they will cap are mouse-clicks.

Also, what is required to have ANET perform an account-restore? Even Blizzard's WoW-helpdesk can perform account resets to correct hacked accounts, especially given that ANET's infosec-division failed here.

Last edited by lord_shar; Sep 27, 2006 at 10:36 PM // 22:36..
lord_shar is offline   Reply With Quote
Old Sep 27, 2006, 10:48 PM // 22:48   #69
Krytan Explorer
 
Join Date: May 2005
Default

Quote:
Originally Posted by lord_shar
Based on what I've read previously, GuenevereAC did everything right with firewalls, routine virus + spyware scans, etc... and still got hacked because of gaping security holes on www.plaync.com's web site. That's not the user's fault, but ANET itself.

A secondary password would go a long way towards preventing character deletion since it won't be routinely captured by keyloggers. At the very least, it makes end-game character deletion that much harder for a keylogger script monkey to execute.

/signed.

EDIT: Use a PIN system requiring mouse-clicks with an on-screen-only numeric keypad. This defeats key-loggers since all they will cap are mouse-clicks.

Also, what is required to have ANET perform an account-restore? Even Blizzard's WoW-helpdesk can perform account resets to correct hacked accounts, especially given that ANET's infosec-division failed here.
It was also NCSoft's fault, not just ANet.

That pin system you mentioned would need modification to work. A keylogger doesn't just cap mouse clicks, it caps their X,Y co-ordinates also (well, some do). If the numbers are fixed on the screen then it would be pretty obvious what a click at 274,381 (example) would be. The locations of the buttons or the order of the numbers (or both) would need to be randomized.
logan90 is offline   Reply With Quote
Old Sep 27, 2006, 11:03 PM // 23:03   #70
Furnace Stoker
 
lord_shar's Avatar
 
Join Date: Jul 2005
Location: near SF, CA
Default

Quote:
Originally Posted by logan90
It was also NCSoft's fault, not just ANet.

That pin system you mentioned would need modification to work. A keylogger doesn't just cap mouse clicks, it caps their X,Y co-ordinates also (well, some do). If the numbers are fixed on the screen then it would be pretty obvious what a click at 274,381 (example) would be. The locations of the buttons or the order of the numbers (or both) would need to be randomized.
Coordinates would depend on screen resolution being used along with interface size. The keypad could also be moved around to vary the coordinates data. But yes, scrambling the key positions would also strengthen security.

Another possibility: have the game issue the delete-code when the deletion-security feature is activated for the character. Since the code doesn't go through the keyboard buffer until it is keyed in for use, key-loggers have zero chance of ever capturing it.
lord_shar is offline   Reply With Quote
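
Added example (not part of any post in this thread): a sketch of the scrambled on-screen keypad discussed in the posts above. It shows that click coordinates recorded against a fixed layout spell the PIN, while the same PIN entered on a freshly shuffled layout yields coordinates that almost never do. The grid geometry, function names and sample PIN are assumptions made for illustration.

```python
import secrets

# Assumed geometry (not from the thread): a grid of 60-pixel buttons, three
# per row, whose top-left corner sits at ORIGIN on screen.
ORIGIN, CELL, COLS = (200, 300), 60, 3
FIXED_LAYOUT = list("1234567890")
SAMPLE_PIN = "4821"  # constructed sample value


def shuffled_layout():
    """Return the ten digits in a fresh random order (Fisher-Yates, CSPRNG)."""
    digits = list(FIXED_LAYOUT)
    for i in range(len(digits) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        digits[i], digits[j] = digits[j], digits[i]
    return digits


def button_centre(layout, digit):
    """Screen coordinates the user clicks to enter `digit` on this layout."""
    row, col = divmod(layout.index(digit), COLS)
    return (ORIGIN[0] + col * CELL + CELL // 2,
            ORIGIN[1] + row * CELL + CELL // 2)


def digit_at(layout, point):
    """Hit test: the digit under a click, or None if it misses every button."""
    col = (point[0] - ORIGIN[0]) // CELL
    row = (point[1] - ORIGIN[1]) // CELL
    slot = row * COLS + col
    if not (0 <= col < COLS and row >= 0 and slot < len(layout)):
        return None
    return layout[slot]


def clicks_for(layout, pin):
    """The click trail produced by entering `pin` on `layout`."""
    return [button_centre(layout, d) for d in pin]


def decode(layout, clicks):
    """Read a click trail back against a layout ('?' for a miss)."""
    return "".join(digit_at(layout, c) or "?" for c in clicks)


def exposure(pin, sessions=1000):
    """Fraction of shuffled sessions whose click trail, read against the
    fixed layout, still spells the PIN."""
    hits = 0
    for _ in range(sessions):
        clicks = clicks_for(shuffled_layout(), pin)
        hits += decode(FIXED_LAYOUT, clicks) == pin
    return hits / sessions
```

Shuffling only counters coordinate logging; malware that captures the screen around each click still sees which digit was pressed.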
Old Sep 28, 2006, 12:07 AM // 00:07   #71
Krytan Explorer
 
ducktape's Avatar
 
Join Date: Jul 2005
Profession: W/R
Default

/signed as an optional feature on whichever characters you want.
/signed as an extra pin/password instead of e-mail confirmation to delete.

/signed for pop-up notifications at login and/or e-mail notifications when the wrong password has been entered more than 3 times trying to access your account - that way you can tell when someone is trying to hack your password instead of finding out after they have already hacked it and changed it, or worse, find that out after your stuff is gone.


If they give us the option to add a delete-protection password to whichever characters we want (or to skip that entirely) if someone hacks your e-mail password and uses "forgot password" to reset your gw password and steal all your stuff, at least you won't have to start your character over again from scratch. Then people will feel safer about not having a thief delete their characters, and people who could care less don't have to do anything different than they already do to manage their characters.

I think a delete-protection password or pin number would be better than a password or pin just to access the protected character in the first place, that way you're not typing the extra password all the time for it to get keylogged.

I agree that allowing people to set a password to prevent character deletion will probably make some more support tickets for NCSoft to handle for people who forget their delete password, but it's a lot better for their image than having super-pissed off customers with deleted, unrestorable characters every time there's a security problem screaming "OMG YOU RUINED MY LIFE". No offense to anyone who got hacked and deleted, you have every right to feel that way when you have something you poured a lot of effort into taken away because you did your part on security but the software vendor didn't do their part on security. I'd want to start a riot if that ever happened to me!

Anyways, people are not likely to want to delete a character they liked so much as to enable the optional delete-protection feature for it, or at least not use the delete feature very often, so that seems to be the option that would generate less additional I-forgot-my-password support tickets. Just my two cents, overall...
ducktape is offline   Reply With Quote
Old Sep 28, 2006, 06:05 AM // 06:05   #72
Banned
 
Hockster's Avatar
 
Join Date: Jul 2005
Default

Quote:
Originally Posted by lord_shar
Based on what I've read previously, GuenevereAC did everything right with firewalls, routine virus + spyware scans, etc... and still got hacked because of gaping security holes on www.plaync.com's web site. That's not the user's fault, but ANET itself.
Uhh, Anet does not control the PlayNC site. So shut up when you have no clue.

Quote:
Originally Posted by manitoba1073
/MEGA SINGAGE

for those who isnt in the know, ppls accounts were hacked through anets own servers. im guessing guinivere was one of them. it happened to a lot of ppl. so first dont assume they werent careful enough on their own. theres no security that would have prevented it other than this idea of being able to lock down chars. hope u guys feel better now on blaming others for their misfortunes. there was even announcement on anet and here about it if u dont believe me http://www.guildwarsguru.com/forum/s...php?t=10048864
Duh, read the above section. Hacked Anet servers. HAHAHAHAHAHAHA!!! Sheesh.
Hockster is offline   Reply With Quote
Old Sep 28, 2006, 08:46 AM // 08:46   #73
Frost Gate Guardian
 
TheBaron82's Avatar
 
Join Date: Jan 2006
Default

Quote:
Originally Posted by Eragon Dragonslayer
PS: Black Guinevere i feel for you i know what its like to have a hacked char but i have never lost one that was worth soo much i dedicate this thread to u and i hope that anet will see this and decide to protect other people

PLX ANET CONSIDER THIS!!!
Did he/she ever get his char back?
TheBaron82 is offline   Reply With Quote
Old Sep 28, 2006, 09:10 AM // 09:10   #74
Furnace Stoker
 
lord_shar's Avatar
 
Join Date: Jul 2005
Location: near SF, CA
Default

Quote:
Originally Posted by Hockster
Uhh, Anet does not control the PlayNC site. So shut up when you have no clue.


Duh, read the above section. Hacked Anet servers. HAHAHAHAHAHAHA!!! Sheesh.
Um, where did you read "hacked ANET servers?" My sole point is that the user played no direct role in compromising his/her personal account. However, security was breached due to weak account security management (using e-mail addresses instead of unique user ID's). PlayNC may not be the same company as ANET, but both have a contractual partnership in developing and maintaining strong system security. I read the above link, and there were more than a few common blunders executed by whoever set up PlayNC's web site, but I guess it doesn't matter since they don't deal with live financial data? A routine security audit would have caught these problems before any data was compromised, but I'm guessing that audits aren't part of PlayNC's + ANET's operating requirements.

PS: As for no clue, my line of work involves Infosec related material dealing with this sort of B.S., but with real world financial data, and I've been doing this stuff for well over a decade...

So, what do you do for a living?

Last edited by lord_shar; Sep 28, 2006 at 09:51 AM // 09:51..
lord_shar is offline   Reply With Quote
Old Sep 28, 2006, 09:52 AM // 09:52   #75
Banned
 
Hockster's Avatar
 
Join Date: Jul 2005
Default

No direct role? The only way a brute force or dictionary password hack attempt works is if the user didn't have the foggiest clue about password security. I'm still leaning towards this person probably having the password stickie noted to their monitor, but honestly, I couldn't care less about their account, or shortfalls of account security.

The OP's idea is a stupid one that only panders to the people who think everyone else should be responsible for basic internet security. Unless NC Soft's servers were compromised, and I didn't see anything stating that, accounts that get "hacked" are the ones that a blind one handed monkey could crack.

PS. Of course you do. The real question is did your e-penis get bigger with that statement? Yes, that is rhetorical.
Hockster is offline   Reply With Quote
Old Sep 28, 2006, 10:00 AM // 10:00   #76
Furnace Stoker
 
lord_shar's Avatar
 
Join Date: Jul 2005
Location: near SF, CA
Default

Quote:
Originally Posted by Hockster
No direct role? The only way a brute force or dictionary password hack attempt works is if the user didn't have the foggiest clue about password security. I'm still leaning towards this person probably having the password stickie noted to their monitor, but honestly, I couldn't care less about their account, or shortfalls of account security.
Nope, based on the information in the URL you provided, weak security questions involving readily accessible information were the only layer between the hacker and user accounts. Brute force wasn't necessary.

Quote:
Originally Posted by Hockster
The OP's idea is a stupid one that only panders to the people who think everyone else should be responsible for basic internet security. Unless NC Soft's servers were compromised, and I didn't see anything stating that, accounts that get "hacked" are the ones that a blind one handed monkey could crack.
Stronger security is always fine so long as it doesn't impede functionality. PvE Character Deletions are not a routine occurrence on any account.

Quote:
Originally Posted by Hockster
PS. Of course you do. The real question is did your e-penis get bigger with that statement? Yes, that is rhetorical.
...and unnecessary given the age groups that read these forums. If you're really 40 years old, at least make some effort to post like it.
lord_shar is offline   Reply With Quote