Guild Wars Forums - GW Guru
 
 

Old Jan 03, 2010, 04:15 AM // 04:15   #421
Guest01
 
Join Date: Jul 2006
Default

Quote:
Originally Posted by Kador View Post
Anet should seriously provide a way for players to make purchases WITHOUT forcing the customer to link to an NCSoft master account.

There are a lot of purchases I would like to make but I refuse to link any of my accounts and hence cannot purchase anything from the NCSoft store.
If you go through the in-game store, you do not need a NcSoft master acct. All you need is a credit card. I realize not everyone has one, or even wants one. If you fall into that category, get a prepaid card and only load it when you need to use it.
mrvrod is offline  
Old Jan 03, 2010, 04:18 AM // 04:18   #422
Frost Gate Guardian
 
Join Date: Aug 2009
Guild: We Carry Diseases [rat]
Profession: A/
Default

If this is true then really what is the point of changing passwords and character names in the log in screen?
Bulletproof Maniac is offline  
Old Jan 03, 2010, 04:23 AM // 04:23   #423
I despise facebook
 
Turbo Ginsu's Avatar
 
Join Date: Feb 2008
Location: Australia
Guild: Meeting of the Lost Minds
Profession: Me/
Default

Quote:
Originally Posted by Bulletproof Maniac View Post
If this is true then really what is the point of changing passwords and character names in the log in screen?
Quite simple. Elimination of variables.
Turbo Ginsu is offline  
Old Jan 03, 2010, 04:28 AM // 04:28   #424
Jungle Guide
 
Trub's Avatar
 
Join Date: Mar 2006
Location: Sitting in the guildhall, watching the wallows frolic.
Guild: Trinity of the ascended [SMS]+[Koss]+[TAM]=[ToA]
Default

Quote:
Originally Posted by Bulletproof Maniac View Post
If this is true then really what is the point of changing passwords and character names in the log in screen?
Because not all of the attacks were thru the NCSoft master site. (Per data received here on Guru and Aionsource.)
The log-in change is a 'second layer' to hopefully prevent brute force attacks, aimed directly at your GW account.
Trub is offline  
Old Jan 03, 2010, 04:29 AM // 04:29   #425
Forge Runner
 
Join Date: Jun 2006
Location: VA
Profession: Mo/
Default

Quote:
Originally Posted by Bulletproof Maniac View Post
If this is true then really what is the point of changing passwords and character names in the log in screen?
Even if someone got onto your master account and changed your password, they still wouldn't be able to log into your account unless they knew one of your character names. They wouldn't have access to that unless you had an old support ticket that had one. If someone got on your master account then, they would be able to change your password but not log in and you could hopefully get your account back afterward.

Changing passwords wouldn't have stopped the master account issue, but if a list of passwords was stolen like they said, then it would have stopped those.
Enko is offline  
Old Jan 03, 2010, 06:22 AM // 06:22   #426
Frost Gate Guardian
 
toon-a-loon's Avatar
 
Join Date: Jun 2005
Location: Belton, Missouri
Profession: W/R
Default

I'm wondering if the people who all got hacked were really rich in Guild Wars or showed off some title or armor on these forums. I had an idea that the hackers might have been recording names of people showing off their achievements in Guild Wars. This could be a possibility of one way they could have got people's game name.
toon-a-loon is offline  
Old Jan 03, 2010, 06:40 AM // 06:40   #427
Wilds Pathfinder
 
Join Date: Aug 2005
Guild: BEN
Profession: R/N
Default

That could happen in a SQL database if the code is written badly and an exploit used.. if it just randomly accesses someone else's data at random - that's pretty bad programming.. can't really see that happening.. probably more likely an inside job at NCSoft - someone on the inside took a look at/had access to the database and leaked it
Mustache Mayhem is offline  
Old Jan 03, 2010, 06:48 AM // 06:48   #428
Pre-Searing Cadet
 
Join Date: Sep 2009
Default

Quote:
Originally Posted by Enko View Post
Thanks, Regina.

The last 48 hours has restored much of my faith in the Arena.net team. Looks like a lot of the crap you guys take really should have been directed at the NCSoft guys.
A lot of the crap they have taken should not have been dealt to anyone.
Lord Randy is offline  
Old Jan 03, 2010, 08:33 AM // 08:33   #429
Lion's Arch Merchant
 
Join Date: Sep 2006
Location: Travelling around Tyria, Cantha, and Elona
Profession: P/W
Default

Indeed thank you for the update Regina (and Gaile). Looking forward to what NCSoft's response will be. But like I said, never before have I seen or heard of an online game, or online companies period, that has had such blatantly glaring flaws in their security. Congrats, NCSoft.

Last edited by Giga_Gaia; Jan 03, 2010 at 09:12 AM // 09:12..
Giga_Gaia is offline  
Old Jan 03, 2010, 08:36 AM // 08:36   #430
Desert Nomad
 
glacialphoenix's Avatar
 
Join Date: Jul 2008
Location: Singapore
Guild: Royal Order of Flying Lemmings [ROFL]
Profession: Mo/
Default

Thanks, Regina and Gaile. It's good to know we're being listened to.
glacialphoenix is offline  
Old Jan 03, 2010, 08:42 AM // 08:42   #431
Frost Gate Guardian
 
Join Date: Oct 2009
Default

Quote:
Originally Posted by mrvrod View Post
If you go through the in-game store, you do not need a NcSoft master acct. All you need is a credit card. I realize not everyone has one, or even wants one. If you fall into that category, get a prepaid card and only load it when you need to use it.
Sorry, this is NOT true. I have tried it. This may have worked in the past, but not any more. You MUST have the linked NCSoft Master Account. That's the only way. At least for me in the US. Maybe it's different elsewhere, though I doubt it.

If it were that easy then why would I even have posted the complaint? Due to the security issues I refuse to link my accounts, and you MUST link to make a purchase. Once linked, the process is irreversible and you are forever linked to the NCSoft account with its security risks.

From the in-game store

Quote:
In order to access the Guild Wars Store, you must have an NCSoft account linked to your Guild Wars account. If you already have an NCSoft account, you can link it to your Guild Wars account at this time.
Then you get 2 options, either log in to your NCSoft account or create a new one.

Since they apparently allowed purchases without the linked account in the past, then it shouldn't be too hard to go back to that former policy.

Last edited by Kador; Jan 03, 2010 at 09:02 AM // 09:02..
Kador is offline  
Old Jan 03, 2010, 09:23 AM // 09:23   #432
Lion's Arch Merchant
 
Inner Salbat's Avatar
 
Join Date: Oct 2005
Guild: Leader - ANZAC
Profession: E/
Default

Quote:
Originally Posted by Lord Randy View Post
A lot of the crap they have taken should not have been dealt to anyone.
I think they understand the outrage and don't take any of it too personally, however we are rightful and justified in our anger at this situation.

As I've stated before, if characters could be rolled back or their items given back in some way then we'd be less so, because then being hacked wouldn't be anywhere near as big a deal.
Inner Salbat is offline  
Old Jan 03, 2010, 09:49 AM // 09:49   #433
Grotto Attendant
 
Arduin's Avatar
 
Join Date: May 2005
Location: The Netherlands
Guild: Limburgse Jagers [LJ]
Profession: R/
Default

Quote:
Originally Posted by mrvrod View Post
If you go through the in-game store, you do not need a NcSoft master acct. All you need is a credit card. I realize not everyone has one, or even wants one. If you fall into that category, get a prepaid card and only load it when you need to use it.
Quote:
Originally Posted by Kador View Post
Sorry, this is NOT true. I have tried it. This may have worked in the past, but not any more. You MUST have the linked NCSoft Master Account. That's the only way. At least for me in the US. Maybe it's different elsewhere, though I doubt it.
Added to this, some countries simply don't have prepaid cards, so those people are forced to go through NCSoft to buy something GW related.
Arduin is offline  
Old Jan 03, 2010, 09:50 AM // 09:50   #434
ArenaNet
 
Regina Buenaobra's Avatar
 
Join Date: Apr 2008
Profession: Me/
Default

I just wanted to elaborate on one of the points I made earlier regarding the random account switching bug, which, according to reports made here, is a possible security vulnerability. The Security team has added logging in order to reproduce it internally so it can be tested. At this point, they have been unable to reproduce it internally. Until we're able to reproduce the bug, we won't be able to verify the vulnerability exists. While we made changes to processes, adding additional checks before an account's password can be changed, based upon the possibility that this error exists, we also continue to work on internal testing to reproduce the problem, so it can be addressed. So far, the information we have about this is vague. We're doing everything we can, in terms of testing, with the info we do currently have. More details would be useful. If you have information that could help us reproduce the error, we would appreciate if you could contact us. Thanks again.
__________________
Regina Buenaobra
Community Manager
ArenaNet, Inc.
Regina Buenaobra is offline  
Old Jan 03, 2010, 10:28 AM // 10:28   #435
Guest01
 
Join Date: Jul 2006
Default

Quote:
Originally Posted by Kador View Post
Sorry, this is NOT true. I have tried it. This may have worked in the past, but not any more. You MUST have the linked NCSoft Master Account. That's the only way. At least for me in the US. Maybe it's different elsewhere, though I doubt it.

If it were that easy then why would I even have posted the complaint? Due to the security issues I refuse to link my accounts, and you MUST link to make a purchase. Once linked, the process is irreversible and you are forever linked to the NCSoft account with its security risks.

From the in-game store



Then you get 2 options, either log in to your NCSoft account or create a new one.

Since they apparently allowed purchases without the linked account in the past, then it shouldn't be too hard to go back to that former policy.
Well if that's what it says for you, I'm certainly not going to disbelieve. All I can tell you is neither of my son's accounts are linked to an NcSoft master acct. and they've both used my cc to buy items through the in-game store. I do live in the US, so I don't know why it would work differently for us.
mrvrod is offline  
Old Jan 03, 2010, 10:40 AM // 10:40   #436
Supastar~ ★
 
Sierraa's Avatar
 
Join Date: May 2006
Location: USA [GMT -7]
Guild: Sierraas Asian Harem [love]
Profession: Me/
Default

Quote:
Originally Posted by flubber View Post
THIS IS JUST AN EXAMPLE IN NO WAY AM I SAYING THEIR SITE WAS HACKED OR TARGETED

-snip snip-
I for some reason never really understood the connection between my guild wars login/password and my in game name. _____ Sierra isn't close to my login name at all. My login name doesn't even contain an S in it.

I have problems believing that people were targeted personally too (which is kinda what I get from your post.) If people WERE being targeted, more high end traders who frequent Ventari's with rare and expensive items should have been hacked. (They're the type to QQ about it too.)

As a side note: DL is a secure forum and a nice guild. :P We (as a guild) would never do anything to jeopardize current and future members' Guild Wars accounts.

I wanted to add that I'm happy to see Gaile & Regina working hard in response to this thread. <3
Sierraa is offline  
Old Jan 03, 2010, 10:51 AM // 10:51   #437
Lion's Arch Merchant
 
Inner Salbat's Avatar
 
Join Date: Oct 2005
Guild: Leader - ANZAC
Profession: E/
Default

Quote:
Originally Posted by Regina Buenaobra View Post
I just wanted to elaborate on one of the points I made earlier regarding the random account switching bug, which, according to reports made here, is a possible security vulnerability. The Security team has added logging in order to reproduce it internally so it can be tested. At this point, they have been unable to reproduce it internally. Until we're able to reproduce the bug, we won't be able to verify the vulnerability exists. While we made changes to processes, adding additional checks before an account's password can be changed, based upon the possibility that this error exists, we also continue to work on internal testing to reproduce the problem, so it can be addressed. So far, the information we have about this is vague. We're doing everything we can, in terms of testing, with the info we do currently have. More details would be useful. If you have information that could help us reproduce the error, we would appreciate if you could contact us. Thanks again.
What you need to do is find one of these idiots that broke it and get him to reproduce it, in a sense you need to get a hold of one or more of these hackers and lock them in a room and tell them to spill the beans.

By the way, when you're finished with them could me and my steel bat come for a visit, to play long swing shots at private parts of his anatomy?

Just a thought, something you might like to consider: maybe the solution to the problem with reproduction evades your tests because your team isn't doing something a hacker is before attempting repeated logins, or alternatively perhaps, as is sometimes the case, seeking someone outside of the group for technical assistance that can look at the problem from a fresh perspective.

Last edited by Inner Salbat; Jan 03, 2010 at 11:36 AM // 11:36..
Inner Salbat is offline  
Old Jan 03, 2010, 12:19 PM // 12:19   #438
Alcoholic
 
Aussie Boy's Avatar
 
Join Date: Mar 2007
Location: Australia
Profession: W/
Default

Here is a question, and sorry if it's already been answered somewhere.
I did try the help on support but nothing came up there in the search.
Can you delete the support tickets that have all your info (char name, account name, etc.) when you ask a question?
I can't find any way to do it, only to close a ticket or update it.
Thanks in advance.
Aussie Boy is offline  
Old Jan 03, 2010, 12:53 PM // 12:53   #439
So Serious...
 
Fril Estelin's Avatar
 
Join Date: Jan 2007
Location: London
Guild: Nerfs Are [WHAK]
Profession: E/
Default

Quote:
Originally Posted by Inner Salbat View Post
What you need to do is find one of these idiots that broke it and get him to reproduce it, in a sense you need to get a hold of one or more of these hackers and lock them in a room and tell them to spill the beans.
I wasn't in favor of this thread at all (which IMHO has much more negative sides than people would like to see) but, in defense of the OP, security doesn't classify people into hackers or normal. There's actually a concept of "white hat hacker" which the OP and a few others applied here: they "highlight" vulnerabilities so that companies are forced to fix them. Some white hat hackers do it outside of the public eye, some prefer to do it in front of everyone (see Black Hat conference). Many white hat hackers are hired by pro security companies. ("Black hat hackers" also find vulnerabilities but exploit them for their own benefit; this is what people traditionally call "hackers".)

Quote:
Originally Posted by slowerpoke View Post
Right now, when someone does get access to a master account they can change all the passwords and don't even need to know the old game account passwords.
I thought Regina said they fixed it to ask for the old password?
Fril Estelin is offline  
Old Jan 03, 2010, 01:39 PM // 13:39   #440
Forge Runner
 
Join Date: Jun 2006
Location: VA
Profession: Mo/
Default

Quote:
Originally Posted by slowerpoke View Post
Make sure you tell them to change the password system, requiring a user to also type in the old password for a game account when asking for a new one, just like every other properly secure site on the internet.

Right now, when someone does get access to a master account they can change all the passwords and don't even need to know the old game account passwords.
They already changed that for Guild Wars accounts. Aion and master account passwords can still be changed without the old password.
Enko is offline  