Feb 25, 2009, 03:11 AM // 03:11
|
#181
|
Wilds Pathfinder
Join Date: Jun 2006
Guild: N/A
Profession: N/
|
Well at least they did not delete characters this time around. Personally I really wish they would devote a 3 month update period for a character locking feature. Even if I had to pay to get this feature, I would pay a reasonable fee to know my main will make it for gw2. The long period b4 gw2 makes me paranoid that I might do something stupid that removes all the work I've done in the HoM.
|
|
|
Feb 25, 2009, 03:35 AM // 03:35
|
#182
|
Atra esterní ono thelduin
Join Date: Jan 2008
Location: Madness Incarnate
Guild: [Duo]
Profession: W/P
|
Of course hackers never stop. The chance to steal something awesome instead of earn it themselves is just too tempting for some people. Simple as that.
|
|
|
Feb 25, 2009, 03:58 AM // 03:58
|
#183
|
Site Legend
|
My account was accessed by someone too. Logged on couple of days ago, popped onto guild chat, and it said I had been online 5 hours ago which I hadn't. Nothing was taken as I have nothing worth stealing these days.
__________________
Old Skool '05
|
|
|
Feb 25, 2009, 06:44 AM // 06:44
|
#184
|
Jungle Guide
Join Date: Jul 2008
Location: みやき町
Profession: Mo/A
|
Quote:
Originally Posted by Malice Black
My account was accessed by someone too. Logged on couple of days ago, popped onto guild chat, and it said I had been online 5 hours ago which I hadn't. Nothing was taken as I have nothing worth stealing these days.
|
I think the same thing happened to me, too. When I logged onto one of my characters yesterday, somehow it was in GtoB. Even though I was in my GH before I logged out. Note that I do know it is well and possible to get a "transfer" for your GH to GtoB if you log out in your GH and log in later. But I was watching the screen the entire time and no such "transfers" (the picture of GtoB will show, but it didn't) happened. Luckily none of my stuff was taken and my good, old 5k gold is still in the vault. But man, these hacks must be desperate, hard times for them too, eh?
|
|
|
Feb 25, 2009, 09:11 AM // 09:11
|
#185
|
Desert Nomad
Join Date: Jul 2005
Guild: Glob of Ectospasm [GoE]
|
Quote:
Originally Posted by fusa
Your computer security is your own responsibility. There's no reason why NCSoft or Anet should replace items you had stolen due to your own stupidity.
|
So can you prove that everyone that was hacked was due to their "own stupidity"?
|
|
|
Feb 25, 2009, 10:14 AM // 10:14
|
#186
|
Forge Runner
Join Date: Jun 2006
Guild: Hard Mode Legion [HML]
Profession: N/
|
Quote:
Originally Posted by Inde
Everyone seems to be missing the key point of nearly all these stories. You were all hacked within minutes to hours of signing onto your game. Some even kicked out of game while playing. Read through all the stories... it's something that keeps being reported.
....
Nearly everyone of them tells us that they were active and playing when their data was compromised. Make of that what you will. They aren't going mindlessly through and testing hundreds of emails and passwords, they aren't mindlessly going through and sifting through hundreds of inactive accounts. If the majority of people can not find an infection on their system then these hackers are either getting around multiple anti-virus systems or they are monitoring the game/your client somehow. Let it speak for itself.
|
Ok, let's consider two things here, Inde.
First of all, the stories could be similar for those users because the attacker decided to break into the account at an active playtime. Not everyone looks at their last login time when they access the game again. But it's very obvious when you are kicked out of the game for no good reason.
If I would go hacking GW I would do it at a time that's convenient for me.
When hacking a company or robbing a place it's best to wait till everyone is gone. But there will always be people playing GW, could be that the ones erroring out are just collateral damage.
Besides that, it was HA weekend and MAT, on Friday-evening my router somehow disconnected from the internet (resulting in a 007) and I had several moments of severe lag or disconnects during the weekend.
There could be a relation between the disconnects and the hacks, but this could also have other causes.
Second, let's assume the attacker monitors the game or the client.
This means that they must have compromised either the local system (most probably a trojan) or they have compromised a piece of infrastructure at one of A-net's datacenters. Otherwise routing mechanisms on the internet would make it hard to target an active session and break into it.
A compromise at A-net's side would probably have caused many more people reporting loss of items. Or that did happen but those people ain't active on guru.
It could be targeted attacks on active connections, but it's not one of the usual suspects.
Pulling an active connection from the internet isn't something just the average guy is able to do. And requires monitoring a certain infrastructure point on the internet. I would target
Now there is one more option I didn't consider yet.
Man in the middle with a compromised HOSTS file.
This way all traffic could be rerouted through the systems of an attacker who could be able to take over the connection without A-net even noticing.
And the user would get problems connecting when the route is cut.
Dunno how many AV companies scan that file.
The last resort option is the option no-one wants to know but everyone is somewhat aware of.
So based on the information I have atm I'd either expect compromise of the client or people who have reused or submitted their login credentials somewhere else.
It's the most obvious cause given the information we have and general knowledge of hacking.
|
|
|
Feb 25, 2009, 10:26 AM // 10:26
|
#187
|
So Serious...
Join Date: Jan 2007
Location: London
Guild: Nerfs Are [WHAK]
Profession: E/
|
Quote:
Originally Posted by the_jos
Man in the middle
|
This is the option I thought was most probable given the nature of the problems stated here. Very troubling is someone found such an opportunity, but unless he's some serious hacker, Anet should find him (or them, RMT is probable).
I'll reply to your other post by PM when I get the time.
|
|
|
Feb 25, 2009, 12:27 PM // 12:27
|
#188
|
Forge Runner
Join Date: Feb 2006
Location: Belgium
Guild: PIMP
Profession: Mo/
|
Quote:
Originally Posted by the_jos
Man in the middle with a compromised HOSTS file.
This way all traffic could be rerouted through the systems of an attacker who could be able to take over the connection without A-net even noticing.
And the user would get problems connecting when the route is cut.
Dunno how many AV companies scan that file.
|
Spybot checks the hosts file if I'm not mistaken. Anyway that's what I was thinking too. The hacker sniffs, intercepts packages after which he can take on the identity of the user while Anet and the client aren't aware of it. The user gets a disconnect of course, but that happened to all of us in the past at some point. So the user is not aware he's being hacked.
|
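A defensive check for the HOSTS-file scenario raised in the two posts above, as an added example that is not from any poster in this thread: it parses hosts-file text and reports entries that pin a watched name to a local address. The `game.example` suffix and the sample file contents are constructed placeholders, since the thread does not name the real server hostnames.

```python
import ipaddress

# Constructed placeholder: the real game/login hostnames are not given in the thread.
WATCHED_SUFFIXES = ("game.example",)

# Constructed sample hosts-file contents (not taken from any real system).
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.tracker.example      # blocklist-style entry
203.0.113.45    Login.Game.Example. auth.game.example   # pinned address
127.0.0.1       patch.game.example
not-an-ip       files.game.example
198.51.100.7    intranet.corp.example
"""


def parse_hosts(text):
    """Yield (line_number, ip_object_or_None, [hostnames]) for each entry line."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()    # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            ip = None                          # malformed address field
        # Hostnames are case-insensitive; a trailing dot names the same host.
        names = [h.lower().rstrip(".") for h in fields[1:]]
        yield lineno, ip, names


def is_watched(name, suffixes=WATCHED_SUFFIXES):
    """True if name is a watched domain or a subdomain of one."""
    return any(name == s or name.endswith("." + s) for s in suffixes)


def audit_hosts(text, suffixes=WATCHED_SUFFIXES):
    """Return (line, hostname, ip, verdict) for every watched name in the file."""
    findings = []
    for lineno, ip, names in parse_hosts(text):
        for name in names:
            if not is_watched(name, suffixes):
                continue
            if ip is None:
                verdict = "malformed"
            elif ip.is_loopback or ip.is_unspecified:
                verdict = "blocked"     # name is sinkholed on this machine
            else:
                verdict = "redirect"    # DNS is bypassed for this name
            findings.append((lineno, name, str(ip) if ip else None, verdict))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

On Windows the file to feed in is `C:\Windows\System32\drivers\etc\hosts`; any watched name appearing there at all deserves a look, because a clean install does not list game servers.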
|
|
Feb 25, 2009, 12:44 PM // 12:44
|
#189
|
Forge Runner
Join Date: Jun 2006
Guild: Hard Mode Legion [HML]
Profession: N/
|
@Fril and Gun,
MitM could be an option but still it would most likely indicate a problem on client side.
It's not possible to just sniff traffic and take over the connection without compromising some vital parts of the internet (main routers etc). Else, because of the routing infrastructure, it would be more a gamble.
So an attacker should gain control of the initial connection and relay traffic from the client to his/her own computers. From there just forward the traffic to the real A-net servers. At a certain time cut the connection and reconnect from the hacker's computer.
I'm not sure how the GW client handles this, but there seems to be state-control in it.
I know that when 'friends' disconnects and I do a reconnect later at some times this functions normal and some times it will ask for credentials again.
I'm not sure how login credentials are sent from the client to the GW infrastructure.
If plain it's vulnerable to MitM. If not, only taking over a working connection works.
In all cases MitM is a rather sophisticated attack and hard to pull off.
And in almost all cases requires some action from the user.
|
|
|
Feb 25, 2009, 01:32 PM // 13:32
|
#190
|
Frost Gate Guardian
Join Date: Jul 2006
Profession: A/N
|
Speaking of "disconnect before the hack" issue. I'm not totally sure but I think that you will get disconnect message if someone else tries to log into your account while you're still ingame.
|
|
|
Feb 25, 2009, 01:38 PM // 13:38
|
#191
|
Forge Runner
|
Looking for things these incidences have in common might be a futile effort if the hackers have been harvesting user credentials for an extended period of time before acting on them. If the exposure that gave them the info happened some weeks or even months ago, looking for the avenue through which it happened is too late now.
If I were an account stealing RMT parasite, I'd sit on stolen account info until I had a whole bunch of it, then plunder them all in as little time as I could and sell the spoils before ANet could stop me. Money in the bank, they could ban me for all I'd care.
It's my belief this is how these things go. Account hacks don't happen en masse because of a sudden exploit, they happen that way because it's convenient for the account thief.
|
|
|
Feb 25, 2009, 01:42 PM // 13:42
|
#192
|
Pre-Searing Cadet
Join Date: Feb 2009
Profession: R/
|
One simple solution I have seen MMOs take to prevent loss of character due to hackers is simply put a 7 day waiting period on character deletion. For PVE characters only; I would see no reason to do this for PVP characters since we all switch them around according to what our guild/team needs. Put PVE characters in "timeout" for 7 days at which point at any time during those 7 days you can cancel deletion. Because I am with everyone else, losing cash/items would irritate me but it just means more farming. Losing my ranger or warrior that was created 44 months ago would prolly make me /ragequit and uninstall.
|
|
|
Feb 25, 2009, 01:47 PM // 13:47
|
#193
|
Ascalonian Squire
Join Date: May 2006
Location: Urgoz Warren
Profession: R/Rt
|
Ok this is part of the email I sent to supportliaison which explains what happened to me a bit better
Quote:
Hello, just read the post on Guildwarsguru about getting in touch with you if affected by the "hacking" incident at the weekend.
I've already sent a report via Ncsoft support the incident number is xxxxxx-xxxxxx.
The character I mainly use and the one that has been logged into is xxxxxxxxxxxxxxx. I'm sure I left him at Kamadan am1 and I think when I logged into him he was at The Great Temple of Balthazar. None of my characters have been deleted.
The items taken from my account are approx 730k 10 ectos I'm positive of because about 10 minutes before I logged off I bought an everlasting searing tonic for 100k and 40 ectos which was also taken and my tormented shield. The items placed onto this character were a mandragor mini pet and 6 armor of salvation.
I can't remember exactly when I logged off but it must have been about 1.00am gmt and back on shortly after 17.00 gmt on 23/02 so it happened between these hours. My guild leader said he saw me log on about 3.00am for 1-2 mins but he's on mainland Europe so not sure about that because of the time difference. I did actually try to log in about midday but couldn't get past the loading screen but this is a problem I been suffering for a year now, I can't even play the game during weekdays but that's another story.
A couple of times over the weekend I got disconnected while playing. It was not the usual type of d/c like when you get bit of lag like a network error. It was a sudden d/c and when it asked if I wanted to try reconnect I clicked yes and it just came up with a box saying unable to reconnect straight away all really quick, usually there's a bit of delay while it tries. I'm sure you know what I mean. I'm sure this was when someone was logging into my account and kicking me out. A few other alliance members said it happened to them but haven't heard of anyone else losing anything yet.
It's annoying because I'm careful what I do, I'm well aware that this goes on. Windows is kept up to date, I have a couple of anti spyware programs which I run nearly every day, Avast antivirus, hardware and software firewalls. My login username is actually an old email that hasn't been used for about 2 years. I actually only reinstalled Windows a couple of weeks ago and not much has really been put onto it yet although GW was put back on with a backed up dat file.
|
Now I've been looking at what's been posted on here. My Guru account uses a different email and password, so does my Ncsoft account and I don't have a Wiki account. Like I said my login name is an old email address that hasn't been used for about 2 years now.
Now, Xunlai House. I made an account there when it first started, logged in a couple of times and never used it since. I just thought I'd try it but damn, what was my email and password for it! So thought I'd try my GW details and oh dear it worked. This is the only place where I have used the same login details. Yes I know I shouldn't have but at the time I didn't know about people's accounts being compromised and had completely forgotten about the Xunlai House.
|
|
|
Feb 25, 2009, 03:54 PM // 15:54
|
#194
|
Desert Nomad
Join Date: Feb 2007
Profession: Mo/W
|
Quote:
Originally Posted by Malice Black
My account was accessed by someone too. Logged on couple of days ago, popped onto guild chat, and it said I had been online 5 hours ago which I hadn't. Nothing was taken as I have nothing worth stealing these days.
|
Exactly the same thing happened to me, all I had were some elite tomes, 20 gold weapons (all customised though) and like 3k in storage :P.
|
|
|
Feb 25, 2009, 03:58 PM // 15:58
|
#195
|
Academy Page
Join Date: Dec 2008
Location: Bananna Dipper
Guild: It Varies
Profession: W/
|
Quote:
Originally Posted by Glider of chaos
Speaking of "disconnect before the hack" issue. I'm not totally sure but I think that you will get disconnect message if someone else tries to log into your account while you're still ingame.
|
Yes this is true... you get logged out.. I can't believe people still trying to figure this out and point fingers everywhere at anet, other people, this and that.. it's like being on the freeway and it's stop and go traffic.. to only find out it's a silly car accident and everyone stops to see blood.. it's like beating a dead horse. Let anet deal with it.
|
|
|
Feb 25, 2009, 04:06 PM // 16:06
|
#196
|
Jungle Guide
Join Date: Mar 2006
Location: Trying to stay out of Ryuk's Death Note
Profession: N/R
|
Quote:
Now, Xunlai House. This is the only place where I have used the same login details.
|
Do any of the other affected players have the same login/pword in Xunlai house? A lot of people have multiple/old accounts also.....
|
|
|
Feb 25, 2009, 05:12 PM // 17:12
|
#197
|
Site Legend
|
Quote:
Originally Posted by Inde
Edit: GWBBCode has indeed screwed up all emails that get sent out from Guru. Known issue since forever.
|
I'll vouch for Inde on this. Had this issue before on Guru, just had an admin wipe my PMs and the problem was sorted.
__________________
Old Skool '05
|
|
|
Feb 25, 2009, 05:42 PM // 17:42
|
#198
|
Academy Page
Join Date: May 2006
Location: Netherlands
Guild: Lowland Lions
|
First of all...
I would appreciate it, that some kind of assurance is given to us players by ArenaNet that the infrastructure of Guild Wars and all connection to other company parts (NCSoft) are trustworthy.
Due to SOX 404 I would like to have extra insurance by a trusted third party to start an audit against the confidentiality, integrity and availability of the different systems (server, databases, application, network and middleware).
The report can give us players some assurance that at ArenaNet's all possible has been done to mitigate the risks of compromise of our accounts. I also know that IT is in scope of the audit reports for the financial results review by those auditors. What is their statement? If there is no audit report then I think this could also result in legal problems for ArenaNet because they don't make transparent that they take security measures serious. I mean taking preventive security measures before and not after occurrence.
Also I want to mention the opportunity of implementing a challenge/response system with a token just like Blizzard has implemented for those people who want more assurance that their hard work and labour in the game is extra protected. The level of security measures should be increased by the value increasing over time. That means, to be answering another post, you buy a car with a basic security level. You buy all kind of nice expensive stuff resulting in the fact that the insurance agencies wanting to add a higher alarm system. This is also the case with Guild Wars. I would like to pay for a challenge response system to know I am safer. It's like a life insurance. Too bad this is not implemented but investigated (see one of my posts on gaile gray's talk page on wiki).
|
|
|
Feb 25, 2009, 06:04 PM // 18:04
|
#199
|
Academy Page
Join Date: Dec 2008
Location: Bananna Dipper
Guild: It Varies
Profession: W/
|
Quote:
Originally Posted by didis
First of all...
I would appreciate it, that some kind of assurance is given to us players by ArenaNet that the infrastructure of Guild Wars and all connection to other company parts (NCSoft) are trustworthy.
Due to SOX 404 I would like to have extra insurance by a trusted third party to start an audit against the confidentiality, integrity and availability of the different systems (server, databases, application, network and middleware).
The report can give us players some assurance that at ArenaNet's all possible has been done to mitigate the risks of compromise of our accounts. I also know that IT is in scope of the audit reports for the financial results review by those auditors. What is their statement? If there is no audit report then I think this could also result in legal problems for ArenaNet because they don't make transparent that they take security measures serious. I mean taking preventive security measures before and not after occurrence.
Also I want to mention the opportunity of implementing a challenge/response system with a token just like Blizzard has implemented for those people who want more assurance that their hard work and labour in the game is extra protected. The level of security measures should be increased by the value increasing over time. That means, to be answering another post, you buy a car with a basic security level. You buy all kind of nice expensive stuff resulting in the fact that the insurance agencies wanting to add a higher alarm system. This is also the case with Guild Wars. I would like to pay for a challenge response system to know I am safer. It's like a life insurance. Too bad this is not implemented but investigated (see one of my posts on gaile gray's talk page on wiki).
|
*court is in session *
Lawyer for the people of GW: Your honor.. my clients are suing ANET for loss of ectos...
Keep smoking whatever it is that makes you happy i guess.
when I log into gw I see all the time security precautions they advise you don't give out info.. change password..etc.. Anet gives info about the number of people busted for gold scams etc.. I mean what do u want anet to do hold your hand on every site or every time u change your password? how would u know what anet takes serious? do u work for them?
Security measures increased for increased level of play? life insurance for gw players? I thought that life insurance crossed the line when j-lo had insurance taken out on her ass..but this...now I'm QQ in stitches..lol..wets self
Anet u could make a lot of money selling in game life insurance.. if Geico has the gecko what mini would anet use for the "life insurance" campaign?
my vote would be a unicorn with a baskin robbins ice cream signature on the side.
|
|
|
Feb 25, 2009, 06:05 PM // 18:05
|
#200
|
Furnace Stoker
Join Date: Jun 2006
Location: Minnesota
Guild: Black Widows of Death
Profession: W/Mo
|
I guess I will not assume it is just GW that has the problem? Or that they have an issue at all. From the action taken from A-net they are taking this very seriously and are probably reviewing the logs with a fine tooth comb. Fast response and individual contact is impressive. They easily could have taken the e-mail support route.
One question I have is: if someone were to get your e-mail address, how long would a hack program take on a 6 – 7 digit password?
P.S. I also worry these hackers are using innocent Hacked Mules to transfer goods further hiding their existence. Three way trades worry me.
Because when a Ban Stick starts smacking people it takes the Military Approach “Guilty until you prove your innocence”
|
|
|
All times are GMT.
|