Curse

Black Metal · May 05, 2010, 09:01 PM // 21:01

Unless things like this get serious attention for GW2, This will be a big check in the 'reasons not to buy GW2' column

Martin: as others have stated, if an account rollback option is not instated for GW2, you will be in a serious competitive disadvantage

Karate Jesus · May 05, 2010, 09:04 PM // 21:04

Quote:

Originally Posted by Martin Kerstein

-snip-

Holy crap! Someone from the CR department actually replied to us here on the lowly GW1Guru rather than GW2Guru? Shocking.

By the way, account support is terrifyingly bad. You guys should work on that.

Quote:

Originally Posted by Martin Kerstein

We have monitored daily for any upswing in stolen accounts and have seen no increase whatsoever.

You sure 'bout that? Gaile's support page has been pretty goddamn busy the last two weeks for "no increase" in stolen accounts.

Oh, and the accidental fraud blocks are back. NCSoft should seriously be ashamed. These are disgustingly blatant security problems and you're getting a bad rep for them. Go to any other game and Guild Wars is known as "that game with all the hacks and bots". No joke.

**cosyfiep** · May 05, 2010, 09:06 PM // 21:06

a rather large /FACEPALM is needed here.

WHY in the WORLD would you ever REMOVE a security feature??????????????? That is just plain asinine! You dont EVER downgrade security ....its one of the few places that its still really really....really needed!

oy (my reasons to not buy gw2 are quite a lot, but this would indeed add another to the list)

Martin Alvito · May 05, 2010, 09:22 PM // 21:22

Quote:

Originally Posted by Martin Kerstein

After extensive research, the Guild Wars and NCsoft teams were unable to identify any security breaches in the NCsoft Master Account system. This means that the delays that customers were experiencing related to account resets added no value from a security standpoint. We removed the second password requirement a few weeks ago. We have monitored daily for any upswing in stolen accounts and have seen no increase whatsoever. We will continue to monitor the situation and if we notice any adverse effects as a result of the change, we will address the issue immediately.

Please explain the following, then:

1) Why did the rash of hackings slow considerably after implementation of the character name security feature in the client?
2) Why did it stop entirely after the discovery on New Year's and the introduction of the feature you just removed?
3) What was the cause of the hackings? The explanation repeatedly advanced by CR's (social engineering) does not fully explain the observed pattern of hackings. Social engineering works on people that practice poor security habits. But people that practice good security habits also got hacked. Therefore, something else must also be at work.

I'm sorry to inform you that this is what the situation looks like from our side:

- You are experiencing a higher volume of Support cases due to the feature.
- This is costly, and you want it to stop.
- You also do not wish to assume responsibility for the hackings, because that would imply an obligation to correct the situation.
- Therefore, you are continuing to lie about the cause of the hackings in order to save money.

If this is not true, please provide the information that would conclusively demonstrate that you are being honest with us. If you continue to make assertions without evidence we can observe, as above, we will continue to infer that you are jerking us around. That is damaging your relationship with your players. We (OK, some of us) understand business decisions. We don't understand or accept being lied to.

billypowergamer · May 05, 2010, 09:55 PM // 21:55

The security of everyone's accounts should not be compromised because some find it inconveient to protect themselves or because the company does not want to be bothered with it. Martin hit it on the head. This really makes me start to question Anet's reasoning.

Gill Halendt · May 05, 2010, 10:09 PM // 22:09

This is absolutely absurd. Both NCSoft and ANet act like amateurs.

AuraofMana · May 05, 2010, 10:21 PM // 22:21

Whoever thought of this, tell him he fails at the basic rule in software engineering: Nothing is 100% safe. Why do you think software and databases measure their services in terms of how many 9's they have? Because they know they'll never be 100% reliable and safe. The highest people get are 5 or so 9's: 99.999%. Whoever your lead programmer is, he should have came out and pointed this out. A freshman in college understands this, but a full blown game development company doesn't?
So many games fail because of terrible support like this. Examples have been laid out in front of you and you still don't learn from it? What's the point of playing your game if botters kill the economy and hackers trash my account?
NCSoft is a Korean publisher, Korean MMORPG's suck. They suck because all they offer are repetitive grindfests, security loopholes for botters and hackers, and terrible customer service. GW is turning into one of those.

coil · May 05, 2010, 11:58 PM // 23:58

are you serious??

Quote:

Originally Posted by http://wiki.guildwars.com/wiki/User_talk:Gaile_Gray/Support_Issues#Update:_Security_Issues

Now, if you think about it, no one has more of an incentive than the company to find a breach or any sort of security issue because it's in the company's best interest to address it pronto. And no one has more of an incentive and more of a reason than the company to keep their customers' accounts secure. It would be foolish to remove needed security if there was a risk. I confess my first thought was "Leave it in place," but as I mentioned, no one proved there was a risk and no account histories exposed a breach. The teams monitor account thefts carefully and if a situation calls for it, measures will be taken to boost the security requirements. But at this point, the extra step doesn't strengthen the system and it prevents players from working on their own accounts -- accounts they've accessed through security -- so the team decided it was reasonable to remove the extra requirement.

so because some moron can't remember his GW login password, you're going to DECREASE EVERYONE ELSE'S security levels??????

i used to think ncsoft was the source of all the bullshit...now i'm starting to wonder.

btw, whoever the "team" is that decided it was reasonable to remove a security feature should be fired.

Chthon · May 06, 2010, 03:04 AM // 03:04

Quote:

Originally Posted by Martin Kerstein

After extensive research, the Guild Wars and NCsoft teams were unable to identify any security breaches in the NCsoft Master Account system.

Which suggests two possibilities: Either the breaches didn't exist, or they exist(ed) but your security teams weren't good enough at their jobs to find them. Given that (1) the pattern of volume of reported account thefts was consistent with a security breach and no other theory (and certainly not the "its just social engineering" theory you've put forth), and (2) numerous credible individuals on these forums reported various security flaws in detail, I really have to conclude that the flaws exist(ed) and the problem is with your security team.

Quote:

This means that the delays that customers were experiencing related to account resets added no value from a security standpoint.

1. There is very strong evidence that this particular security feature works directly to stop whatever method was being used to steal accounts during the peak theft period.

2. Even if you are correct that there is currently no known security flaw that necessitates this feature, this feature goes a long way to protect against most conceivable but currently unknown security flaws. Why on earth would you open yourself up to suffering maximum damage from the next vulnerability uncovered (not to mention the previous vulnerability which I doubt you've fixed) when you know exactly how to avoid it?

Quote:

We have monitored daily for any upswing in stolen accounts and have seen no increase whatsoever.

I do not keep track of the volume on Gaile's talk page, but several folks here seem to disbelieve that claim. Care to provide hard numbers to back that up?

I'm going to have to concur with Martin Alvito's assessment of the situation: The rationale you provide for this decision is not convincing, at all. It only serves to feed my worst suspicions about NCSoft and a-net's competence, motivations, and priorities, and to reinforce my highly negative opinion about NCSoft and a-net that was created by the way the original theft outbreak was mishandled. I'd say that this is the sort of thing that might lead me to decide not to buy GW2, but that wouldn't be true -- I already made that decision when I saw how badly the original outbreak was handled. This merely strengthens my resolve not to depart from that decision, no matter how fancy the preview screenshots may look.

Mangione · May 06, 2010, 08:33 AM // 08:33

@Kerstein: Is this for real?

Wasn't there a security hole that allowed people to get into NCSoft Master Accounts of other users without knowing username and passwords?

It did not require an exceptional hacking skill. It required nothing at all, just accessing NCMA with your own credentials gave a small percentage to end up into someone else's Master Account.

Weren't there some RMTers who abused this security hole to take over some GW accounts just by "getting casually" into other people's NCMA, and then simply change the password?

How many people found their accounts hacked and to add insult to injury they have been blamed for being stupid/lax in security/botters/RMTers?

Sorry for being bitter, but if some people have problems finding their old passwords it is THEIR problem. You can't solve it by putting at risk all other people's accounts. Removing a security feature for everyone because some people fail to keep their passwords is simply unbelievable.

Alesa · May 06, 2010, 01:47 PM // 13:47

Quote:

Originally Posted by Martin Kerstein

Gaile posted an update on her support page on this issue:

In December of 2009, players raised concerns about the security of NCsoft Master Accounts. While we investigated those concerns, we added a second layer of security that required players to input their game password before making a change, even though they already had logged into their NCMA and had passed its security measures.

After extensive research, the Guild Wars and NCsoft teams were unable to identify any security breaches in the NCsoft Master Account system. This means that the delays that customers were experiencing related to account resets added no value from a security standpoint. We removed the second password requirement a few weeks ago. We have monitored daily for any upswing in stolen accounts and have seen no increase whatsoever. We will continue to monitor the situation and if we notice any adverse effects as a result of the change, we will address the issue immediately. Please see Gaile's Support Page for more detailed information.

I'm sorry but I don't understand this either. Who cares where the security breach was at this point? I mean yeah, good job for investigating, finding out it wasn't you. But the feature worked. If the increase in account thefts came from keyloggers, social engineering, websites, stupidity, it didn't matter. You had fixed the problem. A much bigger problem than just "I can't remember my password".

Gill Halendt · May 06, 2010, 02:37 PM // 14:37

Quote:

Originally Posted by Alesa

A much bigger problem than just "I can't remember my password".

Even more absurd is they need to drill a hole in their security system because they have no way to recover a password for the legitimate owner of an account.

refer · May 07, 2010, 03:32 AM // 03:32

This is epic bullshit. Shut the website down then if it's not safe, or shut Guild Wars down!

And to the people who don't remember their password or name after a couple years: ... WHAT THE [censored>go red]!? I can understand not knowing your character name since it was just added* but your ID or password!? How can you be such an idiot? You should have written that information down on a flash drive or in a book... hell stick it under your bed/in a safe/somewhere where it won't get lost. This is common sense 101. And make sure to back it up after too. Maybe this incident will teach them. Even Windows 7 has a built in password vault/storage system with handy backup feature!

*Although to solve this problem, they should just not check for a character name the first time somebody logs after it's been implemented and then have a popup telling them to remember from now on.

ilr · May 07, 2010, 04:47 AM // 04:47

Quote:

Originally Posted by Shanaeri Rynale

Imagine a bank saying 'we've tested our security and since no one has hacked us yet and passwords are such a pain to the customer we've decided to remove them from our online banking system'

Banks are different, their profits are funded by the tax payer now so they can leave the vaults open all they want or even connected to a series tubes that takes the money straight to Vegas.

azizul1975 · May 07, 2010, 08:41 AM // 08:41

i have to say that something is just not right at NCSoft right now. since Wednesday last week, my account was hacked twice.

On the first hack, all my golds gone, and all my gears are salvaged.. totaling a lost to around 1 mil.

on the second hack, they removed my characters and replaced with their own.

this is very serious indeed. i might put the "immediate purchase" of GW2 on hold if this goes on...

Yol · May 07, 2010, 01:48 PM // 13:48

Removing any security feature is just beyond idiocy. If Anet think that NCsoft is acting in the interest of the players by doing this, they need to have a long hard think about the message that this is sending out, and how it may impact on GW2 sales.....even worse if ncsoft master account is needed for transferring achievements via the HoM.

However, one thing that did occur to me is that there appears to be a correlation between a new rise in hacked accounts and the rise in the use of bots in pvp. Admittedly, correlation doesn't always prove cause-effect, but I wonder how many of the hacked accounts have downloaded the pvp bot programmes? http://www.guildwarsguru.com/forum/p...t10436129.html

Killed u man · May 07, 2010, 02:08 PM // 14:08

Clearly Anet realizes GW is done for. They're now trying to rake in loads and loads of money by having everyone getting hacked, hoping they would buy new acounts.

On a more serious note, is it me, or the NCsoft support site down?

Tullzinski · May 07, 2010, 06:08 PM // 18:08

NCsoft/ANET Presenting the removal of the security feature as helping the players is pretty bad. It sounds all nice and like NCsoft/ANET cares about the players first, but be honest and say it, it costs less and is quicker to have players use the automated password reset feature.

The fact is that after the security features were implemented the rash of hacked accounts stopped. I cannot believe that this is being trumped by the extra inconvenience and extra time of going through support to reset a password.

Our security is being sacrificed because people are to stupid/lazy to remember their passwords, and their stupidity and laziness is costing NCsoft/ANET money to support these idiots.

Our security is more important than their inconvenience!!!!!!!!!!!!!

Now that support people have more time why is it that we have not seen a direct reduction of bots in the game???

jray14 · May 07, 2010, 07:07 PM // 19:07

@ANet: These security decisions and explanations thereof are just ludicrous. When you took away that extra password layer, you left us hanging by a thread instead of two threads. You can point the finger around all you want, but the fact is that you totally dropped the ball by not providing the basic and minimally acceptable security measures that are fully within your capabilities and control (such as character locking to prevent deletion, or any of the dozens of other strategies covered in depth in these forums.) Any number of these would be sufficient all by themselves to keep our accounts safe, despite the antics of NCSoft and RMT hackers or whatnot.

Emily Diehl · May 07, 2010, 07:09 PM // 19:09

Heya guys,

We see that a lot of you have concerns about our changes to how you log into NCsoft.com to manage your Guild Wars account, so here’s an explanation that may help you understand exactly what we did a little better.

To be clear (since I think some folks are mixing up a few different topics here), you still need to log into your NCsoft Master Account to manage your Guild Wars account. The change is that you now no longer need to enter your Guild Wars password after that to get into the game account management section. Here are some things to keep in mind:
- The only things you can actually do from the Guild Wars account management screen on the NCsoft website is change your game password, add a serial key to your account, or download the client. So unless some nice hacker wants to buy you something and put it on your account for you, the main thing that people worry about here is the password angle.

Let’s go worst case scenario and say a hacker does somehow know your NCsoft Master Account name and your NCMA password. They manage to get onto your account management page and change your Guild Wars password. What now? Well, if you guys remember:
- You still need to know a character on your account to log into the game! So not only would this hacker need to know your NCMA credentials, but he would also have to know a character that’s on your account.
- There’s no good way for a hacker to have this information…especially not from anything NCsoft related, since we don’t list that information anywhere. And your Guild Wars account name is even different than your master account name, so that’s a lot of information for someone to get in order to piece together a way to get in and mess with your characters

So, you can see here, that even though the second password requirement was removed, it doesn’t change the fact that there’s still a huge wall between you and any random hacker: the requirement to know a character name on your account.

We are not removing the character name requirement functionality in game, and (as we’ve stated in the past), as SOON as we implemented that measure, we noticed a phenomenal drop in account hacks and thefts.

I know that some of you may doubt us on this, but I’ve personally talked to Gaile and other members of the support team and have heard them say definitively that there was not an increase of account thefts or hacks since we removed the second log-in barrier. What we HAVE seen, though, are more players being able to get back in the game quicker when they forget their passwords and need to reset them.

Let's face it. When you want to log in and check out a game you paid for (but may not have played for a while), there’s nothing more frustrating than being locked out of your own account. And when you try to log into the game’s website to fix that issue, but are then being asked for the password you already know you forgot in the first place, that’s just annoying. Then you have to fill out a ticket and wait for someone to answer it to get help. We’ve all played games long enough to know that’s not the place you want to be, because when you want to play something, you want to play it now. You don’t want to sit and wait on a support ticket.

Anyway, I hope this helps you guys understand a little more about our reasoning behind the changes. I hope you understand that security is taken very seriously here. We want people to play our games, so why wouldn’t we care about people getting hacked and quitting? That doesn't make any sense. We all know that the rash of stolen accounts last year was bad news, and no one wants to see that happen again. But we're not going to keep a change that isn't really improving security just because it makes it look like things are more secure. That doesn't help anyone.

I’d also like to mention that we’re more than willing to answer questions about the topic, but you should keep a few things in mind:

Security is a sensitive topic, so there may be things we can’t really go into detail about. For example, we didn't talk about requiring character names before we did it. If we'd said anything, that just would have tipped off account thieves about it.

Phrase your questions and concerns in a constructive way that can help everyone in the discussion. We come to the forums to share information with you, not for flame wars or to give attention to trolls. A thread that's on topic lets us focus on getting you the information you need. Having a differing opinion is completely cool, but being aggressive and attacking us over things you’d like explained isn’t. We’re not asking you to be carebears, but come on now. You all know the difference between raising concerns and trolling. Don't be that guy.

Hopefully this helps a bit! If you're still confused or worried about anything, let us know and we’ll try to help!