Curse

Enko · Jan 01, 2010, 04:35 PM // 16:35

Quote:

Originally Posted by Lukyboy

This is interesting....

What could be the reason that they are not fixing this?

denial that its their fault.

Tullzinski · Jan 01, 2010, 04:35 PM // 16:35

not expecting any changes to the site, it is too easy for them to send people to the site to change their forgotten password. Saves NCsoft money by not having a support person touch the ticket to change forgotten passwords.

Comes down to money>security and until that changes do not expect a change to the password reset function.

glacialphoenix · Jan 01, 2010, 04:37 PM // 16:37

Quote:

it is too easy for them to send people to the site to change their forgotten password

...do they even ask for verification when you reset your password...? Because I remember people complaining about how they didn't.

Enko · Jan 01, 2010, 04:39 PM // 16:39

Quote:

Originally Posted by Tullzinski

not expecting any changes to the site, it is too easy for them to send people to the site to change their forgotten password. Saves NCsoft money by not having a support person touch the ticket to change forgotten passwords.

Comes down to money>security and until that changes do not expect a change to the password reset function.

if the issue is that when logging into ncsoft, you might end up on someone else's account, just requiring the old password to change to a new password would block this. that shouldn't be that hard to implement. once they get that block in, then they could actually work on fixing the problem. with the number of games that are affected by this, it should be one of ncsoft's, if not the most, important issue to fix as it affects their credibility. if their shareholders ever got word that their entire database was open like this, they'd probably lose a crapload of money.

Quote:

Originally Posted by glacialphoenix

...do they even ask for verification when you reset your password...? Because I remember people complaining about how they didn't.

they don't. you click the account to change the password and it just asks you to input a new password.

Coverticus · Jan 01, 2010, 04:39 PM // 16:39

That was some read I have to admit Erys, much obliged for posting the links.

Well...... most of us knew that the website was a pile of the proverbials but the whole "random" account access just defies belief. Obviously they didn't quite give enough bananas to the 3 year old web-monkies who built the site. Quite frankly, its shocking.

At first I thought this cannot be believed. But after reading, hmmm.

Anyway. This PLUS the debacle of what is occurring in the event atm (lack of hats) is SERIOUSLY making me (and a lot of others I would assume) start seriously thinking about bothering with GW in general.

So ANet. While I appreciate your lord and master (NCSoft) is probably gagging anything said at present, it is time to start reassuring the current community, past and present, that things ARE being done. The login change was the first step granted.

Or say goodbye to what is potentially a huge playerbase for GW2 (thus revenue).

YunSooJin · Jan 01, 2010, 04:40 PM // 16:40

I know the guru population isnt exactly made up of adult professionals, but is there anyone well-versed in context of the law who can comment on this?

Possible that there can be class-action type lawsuits?

edit: also everyone should start trying to log into their NCsoft master accounts :P

Erys Vasburg · Jan 01, 2010, 04:40 PM // 16:40

Quote:

Originally Posted by genofreek

Is the info in the login info talk page all just unjustified rumor, then? They name the third party site in question and go into a lot of detail on how passwords got leaked.

I'm not denying that NCsoft left themselves (actually us) wide open for hacking, but can anyone confirm or deny the responsibility of RockYou?

Quizzical wasn't implying that RockYou was the site Gaile keeps referencing - he was simply pointing out what could have happened to the fansite that has yet to be named, and provided a hard, entirely unrelated example. RockYou isn't even remotely GW related.

Smarty · Jan 01, 2010, 04:42 PM // 16:42

NCsoft is a terrible company. Their support rating is appalling. They have had Aion out for four months in the West and whilst they've finally hired some GMs for the US servers, the Euro servers are still relying on their automated bot detection scripts and on player reports to work out who the botters and goldsellers are and falsely ban legitimate players instead. This in a subscription-based game. Do not expect NCsoft to do anything useful, such as sever the master account connection with GW, or fix their crappy website, or give hacked players any compensation, or even admit that they have shonky security, cos it won't happen. I really wish they didn't own ANet.

Zinger314 · Jan 01, 2010, 04:43 PM // 16:43

Quote:

Originally Posted by YunSooJin

Possible that there can be class-action type lawsuits?

No, due to the typical EULA clause of "you don't own anything."

You can try, though.

Tullzinski · Jan 01, 2010, 04:49 PM // 16:49

Quote:

Originally Posted by Enko

if the issue is that when logging into ncsoft, you might end up on someone else's account, just requiring the old password to change to a new password would block this. that shouldn't be that hard to implement. once they get that block in, then they could actually work on fixing the problem. with the number of games that are affected by this, it should be one of ncsoft's, if not the most, important issue to fix as it affects their credibility. if their shareholders ever got word that their entire database was open like this, they'd probably lose a crapload of money.

Requiring the old password (which has been forgotten) would require a legitimate user to contact support to change the password.

I totally agree that requiring the old password would solve the problem, but that defeats the purpose of having the password reset function there to keep people from having to contact support.

Awhile back I thought that putting in a legitimate CD key to change the password would work better instead of the old password.

YunSooJin · Jan 01, 2010, 04:50 PM // 16:50

Quote:

Originally Posted by Zinger314

No, due to the typical EULA clause of "you don't own anything."

You can try, though.

What about the fact that some people's credit/personal information is exposed?

dr love · Jan 01, 2010, 04:50 PM // 16:50

Quote:

Originally Posted by ac1inferno

What I don't get is can't they check and punish those who did it? I mean isn't it possible to look back in trade logs and see that one account moved everything it owns to another account? Or even if they were outside an outpost and everything was dropped for another account to pick up, isn't is possible to look back and check into those?

1. banning or punishing them won't get your items back. and if that were possible, then you could essentially get people banned that you don't like by giving them free items.

2. if they compensate you for your loss, then it is effectively duping (your friend could pretend to hack you)

3. you could potentially revoke really bad trades you made by saying you got hacked.

4. having the person's ign may not help you either if they just ignore you.

can you think of a better solution?

Riot Narita · Jan 01, 2010, 04:50 PM // 16:50

Sh!t the bed.

So all of us with linked NCsoft master accounts... our character names are literally the only things standing between us and random robbery?

Now I am EXTRA glad I bought name changes for every IGN I've ever posted on forums.

Leslie · Jan 01, 2010, 04:52 PM // 16:52

I hope NCsoft do the following.

1. Add a security password option (or, force players to enter the old password) before allowing to change the accounts' passwords from the master account.

2. fire, torture and murder the moronic half-wit individual(s) responsible for coding the website, then hire competent web developers to fix this ridiculously huge security problem.

Enko · Jan 01, 2010, 04:52 PM // 16:52

Quote:

Originally Posted by Tullzinski

Requiring the old password (which has been forgotten) would require legitimate user to contact support to change the password.

I totally agree that requiring the old password would solve the problem, but that defeats the purpose of having the password reset function there to keep people from having to contact support.

i would rather have the minority of people who forgot their GW passwords be required to request user support then to have everybody's account at risk.

Quote:

Originally Posted by Leslie

I hope NCsoft do the following.

1. Add a security password option (or, force players to enter the old password) before allowing to change the accounts' passwords from the master account.

2. fire, torture and murder the moronic half-wit individual(s) responsible for coding the website, then hire competent web developers to fix this ridiculously huge security problem.

the question is, is ncsoft even aware of the problem? so far all the links in the OP were on aion's forums or the gw wiki which I doubt ncsoft personnel frequent that often. unless it shows up on their forums or a huge news release is given out by one of the big websites (mmorpg.com, tentonhammer.com, etc), I doubt they would even admit its their problem.

also, is it me or did all of these problems start popping up after aion got released? I've had a ncsoft master account since 2004 when I was playing city of heroes and never had a problem with them.

Edge Igneas · Jan 01, 2010, 04:53 PM // 16:53

Quote:

Originally Posted by ac1inferno

What I don't get is can't they check and punish those who did it? I mean isn't it possible to look back in trade logs and see that one account moved everything it owns to another account? Or even if they were outside an outpost and everything was dropped for another account to pick up, isn't is possible to look back and check into those?

Of course they can.

They already said they carry all sorts of information and logs of trades. I know they said this during the Armbrace duping, and I think they also said it again during the RR days.

I'm just waiting for them to actually do something. Trace the IP's already, break a situation before it occurs. But I'm guessing this isn't happening one place at a time, the trading could probably be occurring nonstop, from multiple people working in a group.

Hiding in the bowels of the deepest districts.

Tullzinski · Jan 01, 2010, 04:54 PM // 16:54

Quote:

Originally Posted by Enko

i would rather have the minority of people who forgot their GW passwords be required to request user support then to have everybody's account at risk.

Absolutely, I think maybe adding the input of a CD key to change the password may work better.

Erys Vasburg · Jan 01, 2010, 04:55 PM // 16:55

Quote:

Originally Posted by Riot Narita

So all of us with linked NCsoft master accounts... our character names are literally the only things standing between us and random robbery?

That is about the size of it, yes. You can thank NCSoft for letting Linsey get hacked for that layer of protection.
(An assumption of course, but it adds up. Until officially told otherwise by someone we can actually trust to be informed (like, not Gaile), it's the logical conclusion.)

Enko · Jan 01, 2010, 04:58 PM // 16:58

Quote:

Originally Posted by Tullzinski

Absolutely, I think maybe adding the input of a CD key to change the password may work better.

and how many of us kept all of their cd keys from 4 years ago? requiring the old password would block off the method in the OP since they are randomly being allowed access to other people's accounts; they wouldn't know the original password. this would be a quick easy thing to implement to stop the current account hackings until they can actually fix their website security.

Tullzinski · Jan 01, 2010, 05:00 PM // 17:00

Quote:

Originally Posted by Enko

and how many of us kept all of their cd keys from 4 years ago? requiring the old password would block off the method in the OP since they are randomly being allowed access to other people's accounts; they wouldn't know the original password. this would be a quick easy thing to implement to stop the current account hackings until they can actually fix their website security.

When the account gets stolen you have to produce the keys to get it back. So if you do not have them you are screwed either way.... and you had to input the keys to link the accounts in the first place. So should be easy to put in to.

Do not get me wrong I am not defending NCsoft, just looking as a different option becuase IMO they will not add the input of the old password to change your password.