Curse

jray14 · May 12, 2010, 03:38 PM // 15:38

Quote:

Originally Posted by Martin Alvito

The password reset mechanism now sends you an e-mail, which precludes pure brute force attempts using the password reset mechanism.

I'm curious, how many of you have tried this? Is it working properly? I've been too nervous to try it, figuring the benefit would be less than the risk of triggering some other sort of security breach. I just wouldn't be surprised if NCSoft emailed my activation link to the wrong person, or someone got my new password from a keylogger attached to the NCSoft site, etc.

Martin Alvito · May 13, 2010, 01:35 AM // 01:35

Quote:

Originally Posted by jray14

I've been too nervous to try it, figuring the benefit would be less than the risk of triggering some other sort of security breach.

I tested it on an alt that holds mostly junk (mods, mats). Doesn't look like it has been hacked since; the small amount of cash in the box is still there.

Bob Slydell · May 13, 2010, 08:01 AM // 08:01

Quote:

Originally Posted by Scarlett Romanov

I'm fairly certain Gaile said that it wasn't possible to unlink them. That or "not enough resources" excuse.

Gaile says way too many things aren't possible, when they are... aside from the fact that an unlink requires the removal of a 1kb piece of text representing a GW account from the matching NCsoft account name. but apparently this is a very exhausting process, especially designing a simple GUI workaround in HTML- ONCE for each user to unlink on their own terms themselves. Sometimes I wonder if they have enough resources to even function properly in real life.

Gill Halendt · May 13, 2010, 08:34 AM // 08:34

Quote:

Originally Posted by Bob Slydell

Gaile says way too many things aren't possible, when they are... aside from the fact that an unlink requires the removal of a 1kb piece of text representing a GW account from the matching NCsoft account name.

Which is also something they've already done in the past: they could remove accounts for Dungeon Runners when it was shut down.

I'm pretty sure those accounts didn't simply disappear when the game went down, so they likely had to purge them manually.

**cosyfiep** · May 13, 2010, 03:38 PM // 15:38

I think its sometimes a pretty fine line between something they CAN'T do and something they just don't WANT to do-----
We have asked for a lot of things we were told could not be done only to get them at a later date----me'thinks this may be yet another of those.

Chthon · May 14, 2010, 03:30 AM // 03:30

In Gaile's defense, I don't recall ever reading her saying that unlinking GW accounts from the Goddamned NCMA was impossible. I do recall reading that it was difficult "because multiple teams are involved," or something like that. (Translation: NCSoft's involvement is required, and they refuse to do it.)

Yelling @ Cats · May 14, 2010, 03:50 AM // 03:50

Quote:

Originally Posted by axe

I garauntee you that the casual players (the silent Majority) are screwed worse needing to know the current pass to log in, than the vocal Minority, that are actually worried about their items, gold, etc..

I'm absolutely dumbfounded by this post. I can't even begin to put into words how I feel about this. The closest I can come is WTF?

Faer · May 15, 2010, 06:22 PM // 18:22

Quote:

Originally Posted by Chthon

In Gaile's defense, I don't recall ever reading her saying that unlinking GW accounts from the Goddamned NCMA was impossible. I do recall reading that it was difficult "because multiple teams are involved," or something like that. (Translation: NCSoft's involvement is required, and they refuse to do it.)

http://wiki.guildwars.com/index.php?..._ from_NCsoft

Apparently somebody told her it was impossible, which she relayed to people asking about it. Then somebody said an email from NCSoft confirmed that it was possible. So, who knows what's going on with that one. Can't fault her much for it either way in that situation.

ragnagard · May 17, 2010, 09:53 AM // 09:53

When i wake up today, i read a happy email from Ncsoft (censored):

Quote:

Someone at 80.188.--.-- has reset your Guild Wars Game Account password for account [email protected]. If you did not make this change, please contact support immediately at [email protected].

So.. unless i was dreamwalking... seems that their holes are still there.
I was using different pass at ncsoft <-> Gw account, long one, alphanumeric + numeric symbols, etc.

Good to see that i was able to reenter ncsoft acc, change GW pass again, and into the game it was all as i left it yesterday...

But still....

Riot Narita · May 17, 2010, 10:30 AM // 10:30

Quote:

Originally Posted by ragnagard

When i wake up today, i read a happy email from Ncsoft (censored):

So.. unless i was dreamwalking... seems that their holes are still there.
I was using different pass at ncsoft <-> Gw account, long one, alphanumeric + numeric symbols, etc.

Good to see that i was able to reenter ncsoft acc, change GW pass again, and into the game it was all as i left it yesterday...

But still....

The thing is - if The Big Problem still exists at NCsoft... it doesn't matter how good/unique your passwords are. Because they don't need any passwords to get in.

Since your stuff was intact, chances are the thieves weren't able to guess one of your GW character names, or track one down from old forum posts etc (via stolen forum account names/email addresses etc).

I assume you're sure your system is clean? (no malware got in)

ragnagard · May 17, 2010, 10:40 AM // 10:40

Quote:

Originally Posted by Riot Narita

The thing is - if The Big Problem still exists at NCsoft... it doesn't matter how good/unique your passwords are. Because they don't need any passwords to get in.

That was my point, no ncsoft password change nor using same pass as GW, still opened & changed GW pass ...

I will transfer my gw-money to my personal bank (2nd or 3rd mules) when i got time, but was a bit weird.

Under windoze, i cannot asure that 100%, but if i got malwares, they would have detected my pass / chars, as i change between some accounts, typing the 3 lines.

But i am safe now, ncsoft support reply me with a "we are aware of your ticket, kk?" mail. Sure, i feel....safe... [sarcasm mode off]

coil · May 17, 2010, 04:20 PM // 16:20

anyone else find it ironic that to change your Master Account pass you need to enter the current AND new passwords?

ragnagard · May 17, 2010, 05:33 PM // 17:33

i found ironic that i could be hacked more easily from that website than exposing myself to malware threats (or sharing password).

I guess that i shouldnt have read the EULA & small letter for that free xunlai chest they gave me!.

It would be ok, just if they let us unlink the accounts. The other accounts i have are happy being orphans.

oxylus · Jun 27, 2010, 03:49 PM // 15:49

Hi Emily,

Thanks for taking the time to reply in detail. Could you please pass on our responses to your security team?

Quote:

Originally Posted by Emily Diehl

So, you can see here, that even though the second password requirement was removed, it doesn’t change the fact that there’s still a huge wall between you and any random hacker: the requirement to know a character name on your account.

That is a huge mistake. While this may keep away some random hackers, what about non-random hackers? People who have a grudge against you from a GvG match or someone who just wants to grief you. [1] They know your IGN, and likely know your email and IM too. My IGN does not protect my account!

It's good that you are providing multi-factor for NCSoft accounts, but the cornerstone of multifactor is that the authentication methods are not available to attackers. My IGN is known to EVERYONE. It's not a secret!

On the other hand, my account password IS a secret. That is a great addition to multi-factor to make it harder for someone trying to take over my game account.

I know you made this decision by weighing your support load against the number of accounts that were protected by the password method. You were proabably also looking at a spike in returning users as GW2 came closer and put more pressure on your support queues. I work for a software company of roughly the same size as Anet and I have been unhappy when we make decisions like this, but I know the rationale behind it.

However, I ask you reconsider and enable game-account password authentication for any changes to the NCsoft master account. As others have said, the cost in a lost account is so much greater than someone needing to contact support for a password reset.

[1] The reason I'm asking for this is because my GW account is linked to a NCSoft master account with multiple users. Only one of my flatmates had a credit card and our GW accounts were linked to his NCsoft account (we were students, and we didn't think anything of it). While I generally trust him, I don't like the idea of someone having the ability to change the password on my GW account without telling me.

Vitas · Oct 13, 2010, 10:27 PM // 22:27

Back to GWG after a long while.

Is this the current situation? Has there been any more information about this? I am still searching but I don't find anything so far. I used the terms "ncsoft" and "secure" for my search.

\/