Guild Wars Forums - GW Guru
 
 

Old May 08, 2010, 10:35 AM // 10:35   #121
Desert Nomad
 
Join Date: Apr 2007
Default

Quote:
Originally Posted by Stuart444 View Post
While people can talk about how people can see your in-game character names, the thing some people seem to be forgetting is: the hacker would have to be able to associate that character's name to a person's e-mail address AND password, and it is very rare from what I've seen that someone publicizes their in-game character's name and GW e-mail address in the same place along with having a weak password that can be brute forced, so it still makes it a rather hard to penetrate wall.

Not saying it's impossible, just saying it would be very rare for that all to happen ^
Yes, it WOULD be rare - IF that was what thieves actually needed to do. But it isn't.

They don't need the GW password. They glitch into a random NCsoft master account (again, no password required), where they can set a new GW password without knowing the old one. They'll see your GW login ID there too.

Now all they need is a character name. If you used the same email address for GW and any forum... forums have been hacked, user details stolen - including email addresses. Now they check the GW login email address against the list of addresses stolen from forums... if they find a match, they search forum posts to see if a character name was posted. I imagine most of that will be done automatically by software.

See what a ridiculous situation that is? We have to use different email addresses everywhere (if you didn't make a new email address for GW 5 years ago... it's too late now). AND we must not reveal our character names anywhere.

And we have to jump through these hoops, because NCsoft doesn't take security seriously.

Last edited by Riot Narita; May 08, 2010 at 10:38 AM // 10:38..
Riot Narita is offline   Reply With Quote
Old May 08, 2010, 12:32 PM // 12:32   #122
Lion's Arch Merchant
 
Join Date: Sep 2006
Guild: Alchemy Incorporated
Profession: Mo/E
Default

People who forget their Guild Wars passwords and need a reset probably don't have a lot to lose if their account is hacked. People like me who have spent literally thousands of hours in the game, who are emotionally tied to their characters, who accidentally type their GW password into their work applications out of sheer habit -- the ones that know their passwords are also the ones with the most to lose -- both emotionally and from in-game acquisitions -- if their account is compromised.

Guild Wars was my first on-line game. When I started it I didn't really understand the need for security. Who wants to break into my game anyway? What are they gonna do, play my character and keep me from seeing a mission? Consequently, because of my ignorance, my GW account name wasn't as secure as it should be, at least from people who were a little bit familiar to me. I mean, it asks for an e-mail address so I gave it the e-mail I was most likely to use. Then I had a problem and needed support. To get support I had to make an NC Soft Master Account. Again in ignorance I chose an account name I could easily remember. Now, even though I have made sincere and honest efforts, explaining exactly why I need changes made, asking support to change my GW account name, asking support to unlink my account so that I can increase my own security by changing my account name, asking for any help I can get with this, they will do nothing for me. Nothing. They won't allow me to cancel the contract that I made that allowed them to alter my GW account and thereby prevent me from changing my account name (people who haven't linked to NC Soft can change the e-mail address that comprises their GW account). They won't even abide by their own privacy agreement and remove all personal information (which would include the e-mail address used for GW effectively rendering the NC Soft Master Account useless). They don't keep their bargains. Now that I'm not so ignorant I still can't close any of the security holes that I created because the options are denied me simply because I screwed up and linked my account to NC Soft.

Now you tell me that one of the very few steps involved with security between NC Soft and my Guild Wars account has been removed and I shouldn't care because it's not a big deal anyway. ANY layer of security on my account is a big deal. A huge deal. It could very easily matter, because there aren't a lot of good layers to begin with. And NC Soft won't allow me to change that.

It matters. They need to fix it back. If they are going to go backwards with security then they need to allow us to step out of our relationship with them, unlink our game and cancel the Master Account.

*off topic*

Please do something to make the in-game store in GW2 available without an NC Soft account. I love buying the extras, but I will never again link ANYTHING to NC Soft. If they were reasonable in their business relationships it would be different but, unfortunately, they are not.
Another Felldspar is offline   Reply With Quote
Old May 09, 2010, 02:37 AM // 02:37   #123
Grotto Attendant
 
Join Date: Apr 2007
Default

Quote:
Originally Posted by Emily Diehl View Post
To be clear (since I think some folks are mixing up a few different topics here), you still need to log into your NCsoft Master Account to manage your Guild Wars account. The change is that you now no longer need to enter your Guild Wars password after that to get into the game account management section.
Folks here, in particular some of the most critical voices, seem to be perfectly clear on that point to me.

Quote:
The only things you can actually do from the Guild Wars account management screen on the NCsoft website is change your game password, add a serial key to your account, or download the client.
And view your personal data...

Quote:
there’s still a huge wall between you and any random hacker: the requirement to know a character name on your account.
1. That's not a very strong wall. IGNs abound in forums like this, in screenshots, and... well.. in game. Only the difficulty of associating the PlayNC account with the IGN stands between you and account theft.

2. It is massively inconvenient to have to safeguard your IGN as an account credential. It makes arranging any sort of activity outside of the game -- from trading to joining a guild to forming a group -- a downright dangerous thing. See Riot Narita's post for more on what a hassle that is. I daresay that the inconvenience of needing to protect your IGN is a bigger inconvenience to more people than the inconvenience of the few idiots who can't remember their passwords.

3. EVEN IF you were correct that the IGN was a sufficient wall (and a convenient one) -- and you aren't -- it would still remain the wiser practice to have more than one effective security feature in place.

And let's be honest here, right now IGN is the ONLY effective security feature we have right now. As recently as a few months ago it was possible to break the NCMA through any one of (1) brute force against the password reset, (2) glitching into someone else's account, (3) file mirroring the whole domain, (4) monkeywrenching the javascript(!!?) functions used for user verification, or (5) SQL injection (possible, unverified how far one could get this way). Unless and until NCSoft is ready to admit those problems existed and put forth some evidence that they've been fixed, I'm going to make the reasonable presumption that the NCMA remains utter Swiss cheese.

To illustrate that point, try to answer this simple question: Assume that on 7/1/2010 someone associated with an RMT business interested in stealing accounts, who already knows how to compromise NCMAs, will figure out how to obtain a list correlating NCMAs and IGNs. How many of those GW accounts would be stolen before you even know about the problem? How many more will be stolen before you can figure out how he's doing it? How many more yet before you can fix the problem? Now, how many accounts would be stolen if the old-password requirement had remained in place?


Quote:
We are not removing the character name requirement functionality in game, and (as we’ve stated in the past), as SOON as we implemented that measure, we noticed a phenomenal drop in account hacks and thefts.
Which is as close as anyone from NCSoft or a-net has come to admitting that the story you keep telling us is bullshit and the real problem was with the NCMA.... Thank you for your (almost) honesty.

Quote:
Let's face it. When you want to log in and check out a game you paid for (but may not have played for a while), there’s nothing more frustrating than being locked out of your own account. And when you try to log into the game’s website to fix that issue, but are then being asked for the password you already know you forgot in the first place, that’s just annoying. Then you have to fill out a ticket and wait for someone to answer it to get help.
More annoying than...
...having your account stolen?
...having your account stripped and/or characters deleted?
...having to constantly guard your IGN?

Quote:
Anyway, I hope this helps you guys understand a little more about our reasoning behind the changes.
I think this pretty much sums it up:

Quote:
Originally Posted by Riot Narita View Post
You compromise EVERYONE'S security, just because a TINY MINORITY of morons can't remember their own password.
Quote:
Originally Posted by Emily Diehl
I’d also like to mention that we’re more than willing to answer questions about the topic, but you should keep a few things in mind:
...
Phrase your questions and concerns in a constructive way
OK, in the spirit of being constructive, how's this:

There does not have to be a conflict between the interests of the tiny minority of morons who can't remember their passwords and the rest of us who would rather have a secure account. You should be able to design the NCMA to give the user the option to choose between more security or more "convenience." Let the morons opt out of the old-password requirement. Or let me opt in to the old-password requirement. Or, better yet, let me opt to sever my GW account from the NCMA -- which I will do in a heartbeat, and that will be the end of the problem.
Chthon is offline   Reply With Quote
Old May 09, 2010, 03:09 AM // 03:09   #124
Older Than God (1)
 
Martin Alvito's Avatar
 
Join Date: Aug 2006
Guild: Clan Dethryche [dth]
Default

Quote:
Originally Posted by Chthon View Post
And let's be honest here, right now IGN is the ONLY effective security feature we have right now. As recently as a few months ago it was possible to break the NCMA through any one of (1) brute force against the password reset
Credit where credit is due: this has largely been resolved. The password reset mechanism now sends you an e-mail, which precludes pure brute force attempts using the password reset mechanism. So if you have a strong password, you should be OK there.

Can't speak to the other issues, as I'm not qualified to evaluate more advanced security issues.
Martin Alvito is offline   Reply With Quote
Old May 09, 2010, 12:20 PM // 12:20   #125
Krytan Explorer
 
Smarty's Avatar
 
Join Date: Mar 2008
Location: England
Profession: Me/
Default

Quote:
Originally Posted by Chthon View Post
Or, better yet, let me opt to sever my GW account from the NCMA -- which I will do in a heartbeat
Yes yes a million times yes. The NCMA confers no benefit to me whatsoever and is in fact a decided inconvenience where my account security is concerned, because of decisions I made when I was a newbie online gamer (see an earlier post in this thread for someone in the same boat as me); I would *love* to be able to do this and have been asking for it for the past three years. What I'm dreading the most - if I do ever decide to buy GW2, which is still extremely unlikely due to it being an NCsoft product - is having to link my GW2 account to my current NCMA.
Smarty is offline   Reply With Quote
Old May 09, 2010, 08:17 PM // 20:17   #126
Krytan Explorer
 
jray14's Avatar
 
Join Date: May 2005
Location: NC, USA
Guild: Ohm Mahnee Pedmay [Hoom]
Default

Quote:
Originally Posted by Martin Alvito View Post
The password reset mechanism now sends you an e-mail, which precludes pure brute force attempts using the password reset mechanism. So if you have a strong password, you should be OK there.
Thank you, ANet/NCSoft! This is a big step in the right direction.
jray14 is offline   Reply With Quote
Old May 10, 2010, 05:05 AM // 05:05   #127
Jungle Guide
 
Join Date: Aug 2007
Default

Quote:
Originally Posted by Chthon View Post
Or, better yet, let me opt to sever my GW account from the NCMA -- which I will do in a heartbeat, and that will be the end of the problem.
Absolutely!! That's the best answer right there.
Tom Swift is offline   Reply With Quote
Old May 10, 2010, 06:47 AM // 06:47   #128
Forge Runner
 
Amy Awien's Avatar
 
Join Date: Jul 2006
Profession: R/
Default

Creating any NCSoft or ANet web-account linked to my game-account will be the last thing I do.

Quote:
Originally Posted by Jinkies View Post
... (Of course with this Anet could also give us the option to change the email address linked with the account as well) ...
You can change the email address from the client, or at least you could a few months ago.
Amy Awien is offline   Reply With Quote
Old May 10, 2010, 12:16 PM // 12:16   #129
La-Li-Lu-Le-Lo
 
Faer's Avatar
 
Join Date: Feb 2006
Default

Quote:
Originally Posted by Amy Awien View Post
You can change the email address from the client, or at least you could a few months ago.
Until you link your account to PlayNC.
__________________
Stay Breezy
Faer is offline   Reply With Quote
Old May 10, 2010, 01:13 PM // 13:13   #130
Forge Runner
 
Gun Pierson's Avatar
 
Join Date: Feb 2006
Location: Belgium
Guild: PIMP
Profession: Mo/
Default

Anet should at least give us the courtesy to untie the GW account from the NCMA.
Gun Pierson is offline   Reply With Quote
Old May 10, 2010, 03:22 PM // 15:22   #131
Lion's Arch Merchant
 
Jk Arrow's Avatar
 
Join Date: Nov 2008
Location: WI
Guild: Dark Phoenix Risin [DPR]
Profession: R/
Default

Nobody really knows how hackers do what they do or where they get their information but regardless of security measures, they try to find ways around them to steal people's stuff.

In my situation that I posted on Page 3 - Post 52, the account of mine that was stolen was a secondary account. I was not the original creator of the account. The only person that knew the original NCSoft info was the creator and even he did not remember his NCsoft username and password. I had since changed the GW password so now I was the only person that knew the game login password. The original owner and I were the only 2 that knew the game login username. IGNs were never posted on any website or attached to any outside source but IGNs can be found easily enough by searching in the friends log, but they still would have had to tie it to this account.

I guess what I'm saying is what possible security breach could have been used to gather the info needed to hack this account? Something somewhere allowed a hacker to get access without knowing this information.

The other issue I still have is that since I am not the original creator of the account, I am out of luck even though I am the one contacting support with documentation. However, the person that now has control, and would have had to hack through some part of the GW/NCSoft security does not have to prove anything. It's the attitude that we don't care unless you can prove yourself that is most disappointing.
Jk Arrow is offline   Reply With Quote
Old May 10, 2010, 03:51 PM // 15:51   #132
Forge Runner
 
Karate Jesus's Avatar
 
Join Date: Apr 2008
Location: Texas
Guild: Reign of Judgment [RoJ]
Profession: Me/
Default

Quote:
Originally Posted by Gun Pierson View Post
Anet should at least give us the courtesy to untie the GW account from the NCMA.
^ Yes, for the love of god, yes.
Karate Jesus is offline   Reply With Quote
Old May 10, 2010, 05:54 PM // 17:54   #133
Ascalonian Squire
 
Join Date: Oct 2007
Default

Been a long-time lurker and infrequent player of the game, and this is a concern for me. It's clear PlayNC doesn't know how to handle security. I'll buy GW2 for sure but it will never be linked to my PlayNC master account.
NeferJackal is offline   Reply With Quote
Old May 10, 2010, 06:20 PM // 18:20   #134
are we there yet?
 
cosyfiep's Avatar
 
Join Date: Dec 2005
Location: in a land far far away
Guild: guild? I am supposed to have a guild?
Profession: Rt/
Default

petition to unlink....next on the list of petitions!
(twould be signed by just about everyone I know, and their brother)
__________________
where is the 'all you can eat' cookie bar?
cosyfiep is offline   Reply With Quote
Old May 10, 2010, 06:28 PM // 18:28   #135
Forge Runner
 
Icy The Mage's Avatar
 
Join Date: Apr 2008
Location: Canada
Profession: E/
Default

Quote:
Originally Posted by cosyfiep View Post
petition to unlink....next on the list of petitions!
(twould be signed by just about everyone I know, and their brother)
Signed 100 times over
Icy The Mage is offline   Reply With Quote
Old May 11, 2010, 03:06 AM // 03:06   #136
Grotto Attendant
 
Join Date: Apr 2007
Default

Note to a-net: This issue is not going to go away until some corrective action is taken.
Chthon is offline   Reply With Quote
Old May 11, 2010, 05:35 AM // 05:35   #137
Guest
 
Scarlett Romanov's Avatar
 
Join Date: Jul 2005
Profession: Me/
Default

Quote:
Originally Posted by Gun Pierson View Post
Anet should at least give us the courtesy to untie the GW account from the NCMA.
I'm fairly certain Gaile said that it wasn't possible to unlink them. That or "not enough resources" excuse.
Scarlett Romanov is offline   Reply With Quote
Old May 11, 2010, 05:46 AM // 05:46   #138
are we there yet?
 
cosyfiep's Avatar
 
Join Date: Dec 2005
Location: in a land far far away
Guild: guild? I am supposed to have a guild?
Profession: Rt/
Default

I think I also remember them saying something about makeovers not being possible at one point too....though the not enough resources (e.g., they don't really care) is probably the most likely reply. Still would be nice to have the option and not need to 'look over your shoulder' all the time.
__________________
where is the 'all you can eat' cookie bar?
cosyfiep is offline   Reply With Quote
Old May 11, 2010, 10:50 AM // 10:50   #139
La-Li-Lu-Le-Lo
 
Faer's Avatar
 
Join Date: Feb 2006
Default

Gaile said everything was impossible. She also said you could hit teammates with Poison Arrow. General rule of thumb: ignore Gaile. When it comes to these sorts of things, almost anything is possible; it's simply a matter of making somebody care enough to get around to doing it.
__________________
Stay Breezy
Faer is offline   Reply With Quote
Old May 12, 2010, 12:12 PM // 12:12   #140
Wilds Pathfinder
 
 
Join Date: Jun 2005
Location: Georgia, US
Default

There is a god damn security breach. Nothing is ever 100% safe. I don't understand what is so god damn hard to grasp. It's a simple software engineering concept that all your programmers should have learned in intro courses.
Your devs can't balance, your programmers fail at basic software concepts, your customer support is terrible, and your publisher is terrible and is the major cause for the security breach for both your game accounts and your players' private and personal information. I can't believe you failed at everything imaginable.
You should take a lesson from Blizzard. They have authenticators and flexible account management. They have good customer support both in game in the case of GMs, and a phone line you can actually call and get a live person to talk to within 10 minutes. They also have god damn account activity tracing and rollbacks. They have better security and security recovery.
You bet your entire company's future on GW2? You might want to offer the same service a six-year-old game has. How am I supposed to feel safe buying GW2? My account is just going to get hacked, private info released, and wait about a week getting an email back from support telling me to be more careful with my account as they can do nothing but tell me crap any non-idiot on the internet knows. You have a security problem. Just because you can't find it doesn't mean it doesn't exist. If you found it it wouldn't be a problem now would it?
Asking you to fix things is really that hard? It's obviously broken. You don't have enough resources to fix it? Then why would I want to pay money again to get screwed over again?
I remember when GW just came out and I was deciding whether I should play WoW or GW. I flipped a coin and fate chose GW. Maybe I should have stared fate in the face and told it no.
AuraofMana is offline   Reply With Quote