Nov 21, 2010, 06:37 PM // 18:37
|
#1
|
Academy Page
Join Date: Sep 2005
Profession: E/
|
Account Security
This was originally posted on my userpage on Guildwars wiki. Several of my friends were asking me how they were hacked even though they had updated antivirus, browser, never opened any phishing emails etc... They were following the basic procedures deemed necessary by NCsoft and Anet. So as it turns out, one person's antivirus didn't pick up a keylogger, and neither did spybot. Other people had similar issues where their updated security software was insufficient to keep their account secure. This "rant" is a set of critisisms about NCsoft's outdated security measures and practices, and how people can defend against certain flaws, and dispell some of the myths with the NCMA... and I'd thought I'd post this here since my page on the wiki had a total of 4 views since yesterday and the more people reading this and spreading the word, the better IMO; and if anyone has anything else to add, I'd update this as needed.
==A change of heart==A month ago I would have said to someone who had their account hacked to update your anti-virus, check your firewall, download this, run that scan, etc etc, and I would have defended Anet's security and rode the "blame the ignorant user" bandwagon. But I came to the conclusion... Why should we (the customer) spend time and money to download/buy antiviruses, run lengthy scans, and learn how to use a outbound firewall, and spend a lot of time learning scattered and conflicting information about cybersecurity. I'm not saying that people shouldn't learn about internet security, but I think it's unreasonable to expect everyone to be well versed in cybersecurity to keep their account secure. Yeah there isn't any "vulnerabilities" inherent in the system that NCsoft and Anet uses... but their security practices are outdated compared to the industry average, and improved security practices could and would prevent a very large number of account hackings, saving the time of the support staff to concentrate on other matters like botting, cheating, misconduct etc.
==What's wrong with their security?==
===Password changes are direct without intermediate authorization steps.===:The NCsoft master account account allows anyone to change the game password without knowledge of the current game password. After the password change, the victim is only informed that the password has changed and to contact support immediately if they did not change the password. This makes it such that the attacker would only need the credentials for the NCsoft master account to steal your game account. ===There are no mechanisms in place to defeat keyloggers.===:Lets face it, tens millions of computers around the world are infected with some type of virus/worm/keylogger/malware/etc etc. No single antivirus solution is able to detect 100% of these threats, and there are many new variants that can’t be detected by any antivirus that lacks good heuristics. Even the industry leading behavioral engine can only detect up to 75% of new threats that isn’t contained in the virus definition file. On top of that, windows firewall is not very good at detecting unauthorized outbound connections that keyloggers use to send their payload to a remote server.
:There are certain things you can do to reduce the chance getting keylogged... When logging into NCMA allow the browser to remember the password, if you are using a private computer. This will allow logins without typing anything. Using a browser that allows the user to set a master password will add another layer of security since even if they keylogged the master password, they still can’t keylog the actual account credential. Also, again if you have a PRIVATE computer that ONLY you use you can use [[Command_line|command lines]] for character, password, and email such that you don’t need to type anything. Now this will open the computer up to remote attacks designed to steal credentials stored in short cuts, and browser profiles. Ones that steal credentials from short cuts are very rare... in fact I’ve never heard of such a thing. However, malware that steals browser profile files do exist, but no where as common as keyloggers, but that can be mitigated by using master passwords to protect the saved passwords, if the browser supports it. ===Secondary credentials needed to access the account is widely known===:Character name. Now that “did” add one more level of security, however many people use their exact character names for forums and wiki user pages, while other people use variants of their in game name which can be easily matched by guessing. This made the “added” security meaningless for many people, while others forgot their ingame name because this system didn’t exist before when they quit the game. For hackers that don’t know the character name but knows the password and email, all the hacker would have to do is send a phishing email asking just for the character name. There are many ways to do this, for example, the phisher can say that” you have won a ingame prize for 15 ectos on a random NCsoft sweepstakes, please reply with your ingame name so that we can contact you in game to give you your prize.“ There are many variants to this and since they aren’t asking for the password, the victim is more likely to give away the character name. With the advent of the HOM calculator, people are more likely now to advertise their character name to show off their “stuff” despite the ability to use the in calculator link to hide the character name. ===NCsoft and Anet believes that obscurity is security===:This is actually a fairly common practice among most companies. For example, vulnerabilities on various Adobe software has been known for a long time. Details in many cases are never released, even if it is being actively exploited because in their view, “if” the details are released then the number of exploitations will dramatically increase. So many companies like Adobe take their time until they release a patch. Apple has been guilty of this as well with the knowledge that most viruses are built for windows systems, they have been laxed in closing vulnerabilities that many types of malware could exploit because those malware didn’t exist in the past. But with recent upsurge in MacOSX marketshare, viruses and exploits that target apple software are becoming more common and now they are taking a more proactive approach. Unlike Apple which are changing their philosophy, NCsoft and Anet hasn’t changed their philosophy and don’t believe in proactively closing possible vulnerabilities that are either obscure or rare in a timely manner. Communication of security issues should be relayed in-game automatically like the Aionsource security breach, the dangers of having common passwords for forums and game accounts, but that never happens. ===NCsoft and Anet does not believe that successful exploits do not equate to vulnerability===:This has more to do with outdated security practices than anything else. Yes their system works just fine, and no successful theft of account credentials were obtained by breaking into the actual secure NCsoft or Anet servers. That’s because hackers don’t need to. Breaking into secure servers from an outside source is actually quite a rare occurrence. It is “MUCH” easier to fool an ignorant employee into opening an attachment containing a virus to steal information. For example, lets say hackers want to steal blueprints and schematic for a novel microprocessor. Now that data is securely stored in the main server safe and sound. But the head engineer works on it very often so he has a copy on his laptop and flash drive. The hackers, determined to steal the schematic obtains as much information as possible about the engineer to craft a personalized phishing email. The engineer clicks on the link in the email which took him to an attack site designed to exploit a flaw in his favorite web browser that allows driveby dowloads. The engineer unknowingly downloads a malware designed to steal that very data the hackers are wanting to get, while the engineer mistakingly thinks this is well crafted phishing attempt was a message from a love interest from a long time ago wanting to get together again. The above scenario occurs in the tech industry fairly often due to laxed net security policies or laxed enforcement of said policies and due to the value of the information for competitors and to nations that are playing catchup.
:Now value for value, guildwars accounts aren’t worth that much so phishing emails are generic, nondescript, and they are fairly easy to spot. However account theft via phishing, keylogging, trojans, hacking fansites, and other methods are the “ONLY” way hackers are stealing accounts. Hackers aren’t attacking the main gamer server. The average computer user and gamer is quite ignorant of what constitutes secure Internet practices, and Anet and NCsoft has been ineffective in educating the gamer community. Much like the engineer that specialized in semiconductor physics and assembly code, his knowledge of modern cybersecurity practices were outdated. I truly do not think that it is the sole responsibility of the gamers and clients to educate themselves to keep things secure. Much like a responsible IT department at a large corporations communicated clearly and effectively with every single employee, Anet and NCsoft should figure out how to communicate with every single active player via mass emails or ingame messages or anything. Modern IT now recognize the potential vulnerability an ignorant workforce poses, and I think Anet and NCsoft should recognize that too.
===NCsoft support login is not encrypted===:This is not the NCsoft master account, it is the support page at NCsoft, here...http://help.ncsoft.com/cgi-bin/ncsof...acct_login.php. If you notice, there is no https on that site. When you log into the system the login name and password is sent through as plain text, which can be easily intercepted using password sniffers in the local area network. This becomes a problem when someone has the same login name and password as the NCMA for the NCsoft support system. An easy way to avoid this issue is to simply change your password such that it is different than the NCMA. Remember there are two different log in system for NCsoft... one for support, and the other for the master account. The one for support is not encrypted while the one for NCMA is. Also if you had communicated about account keys, the hacker can take these keys from the support logs associated with the account, leading to another way of stealing your account.
==Vulnerabilities not directly associated with NCMA or the game system.==
===Forums have atrocious security===:Now most have heard that fourms are unsafe, don’t use the same password for everything etc etc... Why aren’t they safe? Well to start, most forums do not use SSL or any encryption techniques to encrypt the password as it gets sent for authorization. For example, Aionsource’s forum’s login and GWW/Gwiki/etc is sent via standard HTTP with no encryption. If someone on the network is using a man in the middle attack with a password sniffer, it can be easily extracted from the packet or packets containing the credentials. Guildwarsguru is a bit smarter. Their login is still unencrypted but the password is hashed via MD5 encryption. So if someone is using a password sniffer, they would get the MD5 hash for the password instead of plain text. While MD5 provides some security it is still quite easy to decrypt MD5 hashes.
:Now what the heck is a man in the middle attack? This is a problem with institutions that have very large networks. The most common source of these attacks occur in corporations, universities, and generally the attack must occur locally. The attacker would either poison an unprotected wireless router with fake ARP requests to spoof the attacker’s MAC address with the victims. Now this is a multi-step process but there are malicious tool kits available that automates this. Once its’s successfully spoofed, the router sends the information to the attacker’s computer, allowing the attacker to capture packets. On a wired connection, another thing an attacker can do is to plug in their computer to a monitoring port on network routers.
:Now there are ways to do with remotely, but is a lot more difficult. One would have to spread at bot-net that performs the same function as an attacker that captures passwords and poisons ARP requests automatically, as it sends captured passwords to a remote server. Also, same kinds of malware can be uploaded to major ISP’s and with knowledge of their internal network structure, they can capture any password that goes through that local ISP.
:So... this is why you don’t use the same passwords for everything.
===Can someone sniff my password when I log into the NCMA or when I log into guildwars?===:To put it simply, that would be quite difficult to do. The NCMA login system uses SSL encryption, and while SSL is not fool proof, it would take a very dedicated hacker to crack it... and only to crack one password. It’s just not efficient to harvest passwords in this manner. The guildwars log in at first glance seems unsecure. It uses an unencrypted HTTP connection though port 80. But the login credentials are obfuscated and uses an unknown encryption scheme. But the packets containing the credentials is only about 300 bytes so it wouldn’t be unreasonable to expect that a dedicated hacker can crack it... but again we run into the same efficiency problem. Like I said before, using a keylogger is much simpler than trying to crack the encryption.
Last edited by Lania Elderfire; Nov 22, 2010 at 04:45 PM // 16:45..
Reason: Update. Added a vulnerability in NCsoft support system.
|
|
|
Nov 21, 2010, 08:31 PM // 20:31
|
#2
|
Krytan Explorer
|
Regardless of the known account issues, most people who complain on forums being hacked have a lacking knowledge of how to protect data. Getting a keylogger or any malware is mostly due to dubious browsing activity.
Personally I'd be fine if they fixed some minor issues on password security and provided enough tools to restore accounts individually to a state before the hack happened.
|
|
|
Nov 21, 2010, 08:33 PM // 20:33
|
#3
|
Forge Runner
Join Date: Jan 2008
Location: Rubbing Potassium on water fountains.
Guild: LF guild that teaches MTSC (did it long ago before gw2 came out and I quit...but I barely remember)
Profession: N/A
|
And which part of this is new?
|
|
|
Nov 21, 2010, 08:39 PM // 20:39
|
#4
|
Krytan Explorer
Join Date: Jan 2008
Location: Southeast, USA
Profession: N/
|
Quote:
Originally Posted by End
And which part of this is new?
|
I believe they're just posting information to help other players protect themselves against hackers. Old information to you may be new information to someone else.
|
|
|
Nov 21, 2010, 08:43 PM // 20:43
|
#5
|
Forge Runner
Join Date: Jan 2008
Location: Rubbing Potassium on water fountains.
Guild: LF guild that teaches MTSC (did it long ago before gw2 came out and I quit...but I barely remember)
Profession: N/A
|
Quote:
Originally Posted by Spookii
I believe they're just posting information to help other players protect themselves against hackers. Old information to you may be new information to someone else.
|
I spose I guess I'm comming from the idea that all this is common knowledge by now but I guess some newer players havent heard I guess.
Can we get
Code:
tl;dr: Ncsoft Security and the NCMA suck and don't trust them at all
added at the end.
|
|
|
Nov 21, 2010, 09:08 PM // 21:08
|
#6
|
Lion's Arch Merchant
Join Date: Nov 2006
Location: Vienna
Profession: D/
|
Quote:
Originally Posted by Lania Elderfire
===Password changes are direct without intermediate authorization steps.===:The NCsoft master account account allows anyone to change the game password without knowledge of the current game password. After the password change, the victim is only informed that the password has changed and to contact support immediately if they did not change the password. This makes it such that the attacker would only need the credentials for the NCsoft master account to steal your game account.
|
This was what got me. I forgot that I had an old password on my Master-Account and well they changed the pw from my GW account.
This is a security step that can be changed in less than 5 minutes and many problems would resolve themselves.
It is just a bad joke that something like that is even possible.
|
|
|
Nov 21, 2010, 09:28 PM // 21:28
|
#7
|
Krytan Explorer
Join Date: Aug 2008
Guild: Aura
|
While I agree NCsoft could do more to secure their systems and the game we all play, the security of your own computer IS your responsibility. Security is only as strong as the weakest point. It doesn't matter what Anetdoe, the vast majority of game thefts are down to the user not being diligent in their own security.
Software engineers can only do so much, and while they can do a huge amount, the weakest link in account theft is almost always down to some oversight by the end user, or even just accidental use of their computer, but still inviting unwanted software onto their system.
I agree that all the steps you suggest are important, but the user needs to learn to secure their system. It's not too hard to learn a few basic security techniques, like password protecting their Windows account and using a separate administrator account, making their everyday account a standard user. This can mitigate about 90% of accidental installations of malware.
Password complexity is a good idea, using varieties of letters, numbers, punctuation and other symbols.
I think it would be a good idea for Anet to implement an RSA key system as an optional technique. Many companies use the small password generating tokens for remote users and even blizzard sells one for users of warcraft. I think all online games should definitely implement this.
Seriously though you wouldn't leave your car unlocked and then blame the manufacturer when it gets stolen so why don't you use the security systems on your computer?
|
|
|
Nov 21, 2010, 10:47 PM // 22:47
|
#8
|
Desert Nomad
|
Quote:
Originally Posted by caballo_oscuro
While I agree NCsoft could do more to secure their systems and the game we all play, the security of your own computer IS your responsibility. Security is only as strong as the weakest point.
|
Unfortunately NCsoft IS the weakest point, for anyone who DOES take all the usual personal precautions.
Last year, thieves found a way to randomly get into someone else's NCsoft master account. Once in the master account, it didn't matter how good your password was, what good practices you'd used, what precautions you'd taken. It was all for naught, the master account allowed thieves to bypass it all. NOTHING could protect you from being robbed in this way, except blind luck.
Even now, the only thing standing between you and the same thing happening with any current or future master account exploit... is your character name.
So now we have to protect our email addresses and character names, and never post them in such a way that they could be matched/linked/traced to the details visible in the master account.
That sucks. You either conceal your email address, or make a disposable address for your game account. We shouldn't have to do either of those, to make up for poor security at A-Net/NCsoft.
And our IGN's simply shouldn't form part of our login security. We should be able to post our IGN's willy-nilly, anywhere and everywhere, without a care. A-Net was forced to implement that, because otherwise there was no protection against thieves using the master accounts. They shouldn't have had to do that. NCsoft should have taken security seriously, and dealt with it promptly and properly. They did neither. They eventually put in a change, so that you had to know the old GW password before you could set a new one using the master account. But once the dust had settled... they took it out again! Such incompetence beggars belief.
"NCsoft, you ARE the weakest link. Goodbye."
Quote:
Originally Posted by caballo_oscuro
I think it would be a good idea for Anet to implement an RSA key system as an optional technique. Many companies use the small password generating tokens for remote users and even blizzard sells one for users of warcraft. I think all online games should definitely implement this.
|
I really, really hope we see something like that for GW2. I'd pay for that option.
|
|
|
Nov 21, 2010, 11:10 PM // 23:10
|
#9
|
Academy Page
Join Date: Sep 2005
Profession: E/
|
Quote:
Originally Posted by caballo_oscuro
While I agree NCsoft could do more to secure their systems and the game we all play, the security of your own computer IS your responsibility. Security is only as strong as the weakest point.
|
The problem is that NCsoft's practices are far below the industry standard for a major MMO company and dismal when it comes to the industry standard for online identity verification.
Learning is an obstacle, and most "cybersecurity" websites and tutorials contain conflicting, unclear, and inaccessible information for the layman. Time is also an issue, learning from scratch about cybersecurity takes a long time... you need to learn definitions, lingo, and concepts that are quite abstract for the uninitiated. This makes learning something like that not only a hassle, but completely unenjoyable. There is so much misinformation out there, that only people experienced in cybersecurity can weed out the noise.
What Anet and NCsoft needs to do better is communication. This is not a new complaint. People have said that for years, and their communications skills have only degraded. Important security issues/news aren't being relayed efficiently with clear unambiguous language to the general player base. Sure guru and wiki users get the news really quickly, but how many GW gamers actually read wiki talk pages, and the guru forum on a daily basis?
Also they should also be publishing a monthly or bimonthly report of the top account hack methods used and ways to prevent such an attack. An example is this http://www.symantec.com/business/the...d=threatreport. The report contains top threat trends, possible future trends, and recommendations for IT practices to mitigates these threats.
Last edited by Lania Elderfire; Nov 21, 2010 at 11:24 PM // 23:24..
|
|
|
Nov 21, 2010, 11:45 PM // 23:45
|
#10
|
Jungle Guide
Join Date: Dec 2005
Guild: Mystical Chaos
Profession: E/
|
My NCMA was recently hacked. They somehow managed to get in, change my contact email, and then my game passwords, all without me getting an email. While support was very quick to get my account restored, it left me wondering how I was compromised in the first place. I can't remember the last time I accessed my NCMA, and since I'm the only one that uses this pc, I have my game login info tied to a shortcut, so they couldn't have gotten any information via keylogger. All I can think of is that they somehow either cracked NCSoft's site again.
It all boils down to NCSoft needing better security. When I managed to get access back, I was able to change my passwords without needing anything at all. The NCMA asked for the old password to change, but if you're already logged in of course you've got that one. I was able to change my game password without needing the old one, and only got an email saying it had been done after I had changed it.
If it required knowledge of the existing passwords before you could change your game passwords, or confirmation via email that the password was being changed, that would be a huge step up in security. As for changing the contact email, I should have received a verification that the contact was being changed. Perhaps I would have been able to stop the thieves sooner.
|
|
|
Nov 22, 2010, 12:10 AM // 00:10
|
#11
|
Desert Nomad
Join Date: Jul 2008
Profession: A/W
|
NCSoft's security is horrible right now. About a week ago my NCMA was hacked, and reset the password on all my GW accounts. Then they were all blocked because a gold seller hacked into them. Nothing was stolen or anything. Thank goodness! I got all my accounts unlocked a few days later.
NCSoft please delete the concept of NCMA or improve it. Thanks!
Here is one improvement to the NCMA:
The user is not able to do any changes to the GW accounts. In order to reset or change the password to a GW account, the user must provide an access key # on the account. If you try to reset the password on the client, you must enter a valid character name and then the email.
Basically if a user hacks into your NCMA, your done for.
|
|
|
Nov 22, 2010, 12:17 AM // 00:17
|
#12
|
Grotto Attendant
Join Date: Mar 2006
Location: "Pre-nerf" is incorrect. It's pre-buff.
Guild: Requirement Begins With R [notQ]
Profession: Me/
|
I claim ignorance to internet security and programming so please tell me if my suggestion is useless, easy to circumvent or otherwise inefficient. Here goes:
Would it be possible for the developers to add a check box to the Guild Wars client's log-in screen with something like this?:
Quote:
[x] Only allow this account to log in to Guild Wars on this computer.
|
or
Quote:
[x] Only allow this account to log in to Guild Wars at this IP address.
|
It might cause other problems but at least it would be an optional security measure.
|
|
|
Nov 22, 2010, 12:19 AM // 00:19
|
#13
|
Academy Page
Join Date: Sep 2008
Location: USA
Profession: W/A
|
I myself have been playing guildwars for 4 years active and personally i beleive if you get hacked its "the players" fault. Usually these hackings happen because you go on forums and use your same email address and password as your guildwars information, as shown on when guildwars guru was hacked... and yet people continue to use the same info....really dumb.
Honestly all you need is 2 email adresses to keep your account's safe.
I use my 1st email for when I Dl a game and need it to varify,
For just about anything else IE, forums, i use my second email address.
Also for my email address's i use 2 different passwords that i Do NOT use for anything else to make it less likely for people to get my game and my email address making it nearly impossible to get an account back.
Also for making passwords just use acronyms with words and numbers in random places that is really easy for you to remember but really hard for other people to guess, really they don't even need to be long....
Ya ya i know there are a few misspellings...but seriously who needs spelling when you have guildwars.....
|
|
|
Nov 22, 2010, 12:26 AM // 00:26
|
#14
|
The Hotshot
Join Date: May 2006
Location: Honolulu
Guild: International District [id多]
|
Quote:
Originally Posted by North Dragon Slayer
Ya ya i know there are a few misspellings...but seriously who needs spelling when you have guildwars.....
|
You might not need spelling, but you need to read threads before you post in them.
|
|
|
Nov 22, 2010, 01:03 AM // 01:03
|
#15
|
Jungle Guide
Join Date: Aug 2006
Location: In my own little world, looking at yours
Guild: Only Us[NotU]
Profession: E/
|
A password is like a door lock, "It just keeps the honest man honest". If someone wants in bad enough, they will get in.
I guess a person can be paranoid and change their password every so often. Does that make your account safer? Who knows. Does having the same password, you started with 5 or 6 years ago, mean your account is more vulnerable than it would be if you changed it weekly? Again, who knows, as you have to go through someone with known security issues, to change it.
|
|
|
Nov 22, 2010, 04:38 AM // 04:38
|
#16
|
Academy Page
Join Date: Sep 2005
Profession: E/
|
Quote:
Originally Posted by makosi
I claim ignorance to internet security and programming so please tell me if my suggestion is useless, easy to circumvent or otherwise inefficient. Here goes:
Would it be possible for the developers to add a check box to the Guild Wars client's log-in screen with something like this?:
[x] Only allow this account to log in to Guild Wars on this computer.
or
[x] Only allow this account to log in to Guild Wars at this IP address.
It might cause other problems but at least it would be an optional security measure.
|
The IP thing would cause problems since most people don't have static IP's, but rather dynamic IP's that change over time. The computer ID verification is something that is fairly commonly used by various online banking systems, and would be something that would be great for the guildwars client IMO.
There are other systems that's also common like online site keys that are unique per account, and this would help defend against phishing attacks. This would be something useful for the NCMA login site to make it more secure where it is a multistep log in system. You type in for username and hit enter. Then it will show a site key (usually an image with a user made phrase), and if you don't recognize it, then it is unsafe to enter the password, but if you do recognize it then it's likely safe.
NCsoft doesn't have to invent anything new. All they'd have to do is see at what is around/available... see what works etc and use a similar system. Online banking is usually fairly secure with multiple redundant security steps. This is necessary because the average online bank user is even less informed about account security than the average gamer...and the target is very high value. But some of the systems are fairly annoying to get through, so they'd have to balance usability and security.
|
|
|
Nov 22, 2010, 08:29 AM // 08:29
|
#17
|
Desert Nomad
|
Quote:
Originally Posted by North Dragon Slayer
i beleive if you get hacked its "the players" fault.
|
Most often it IS the players fault. But, when flaws in the NCsoft master account are exploited, it doesn't matter how smart you are about logins, emails, passwords:
Quote:
Originally Posted by Riot Narita
Jeez. I can't believe that after all this time, people STILL don't get it.
If thieves get into your NCsoft master account, THEY DON'T NEED ANY PASSWORDS
Of course everyone should use different, strong passwords for everything.
But that is NO USE whatsoever when NCosft's security is breached.
Last year they were getting into people's NCsoft master accounts... WITHOUT KNOWING THE PASSWORD for those master accounts.
Once they're in your master account, they can set a new GW password WITHOUT KNOWING THE OLD ONE.
And it's sounding to me like they may have found a new way into the master accounts.
Which is why your IGN is so important to protect. Every time a flaw is found and exploited in the NCsoft master account "security"... character name is your ONLY protection against the thieves. It's the one thing they can't see/change in the master account.
|
|
|
|
Nov 22, 2010, 08:58 AM // 08:58
|
#19
|
Forge Runner
Join Date: Nov 2006
Guild: Crazy ducks from the Forest
Profession: W/
|
While I'm not really happy about resetting any passwords without either knowing the previous password or direct contact with support, I would point out one thing:
Anet and NCsoft have already stated that the alleged vulnerability of the NC master accounts was not confirmed. I remember the statement that half of the accounts that claimed to have been hacked did not even HAVE an NC master account - not that it wasn't used, in half the cases there wasn't an existing account to use at all. People who got into accounts got in by already having the passwords.
Just because it gets repeated on the forums ad nauseam doesn't make it true.
|
|
|
Nov 22, 2010, 09:48 AM // 09:48
|
#20
|
Desert Nomad
|
Quote:
Originally Posted by Iuris
Anet and NCsoft have already stated that the alleged vulnerability of the NC master accounts was not confirmed. I remember the statement that half of the accounts that claimed to have been hacked did not even HAVE an NC master account - not that it wasn't used, in half the cases there wasn't an existing account to use at all. People who got into accounts got in by already having the passwords.
|
There are many ways accounts get robbed. Nobody is saying that ALL thefts were due to NCsoft master account.
The evidence at the time, posted on both GW and Aion forums showed that a proportion of account thefts were indeed due to an NCsoft security failure that was being exploited. Regardless of whether NCsoft wanted to "state" a "confirmation" of it.
Also, do you seriously trust the word of a company that thinks it's good practice to remove the requirement of entering the old GW password, before letting you set a new one? Do you seriously think they would have put in that requirement (temporarily) in the first place, if there wasn't a problem?
This is a company thinks it's acceptable to have login screens that tell you if you guessed a valid ID, or the answer to one of the security questions etc etc etc. They are clueless, and not to be trusted.
Quote:
Originally Posted by Iuris
Just because it gets repeated on the forums ad nauseam doesn't make it true.
|
By the same token, just because you don't want to believe it... doesn't make it untrue, or impossible. And you cannot deny that if/when a master account vulnerability is found and exploited... NCsoft have done nothing to limit or prevent the resulting damage - quite the opposite.
|
|
|
Thread Tools |
|
Display Modes |
Linear Mode
|
Posting Rules
|
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
HTML code is Off
|
|
|
All times are GMT. The time now is 11:52 PM // 23:52.
|