Dec 18, 2009, 12:38 AM // 00:38
|
#201
|
Ascalonian Squire
Join Date: Aug 2009
Profession: E/R
|
Quote:
Originally Posted by karlik
I have become one of the group that advises against linking your account to ncsoft, it is starting to look like a possible security issue. Change the password in game instead.
|
Oh, thanks! I never realized I could change it like that.
|
|
|
Dec 18, 2009, 12:45 AM // 00:45
|
#202
|
Desert Nomad
Join Date: Mar 2006
Guild: DPX
Profession: R/
|
Quote:
Originally Posted by Regina Buenaobra
I understand people's concerns, and sympathize with those who have had their accounts stolen. Many games have been targeted by hackers recently. They're using information taken from other games and other websites and trying that account information in Guild Wars and other games.
|
That may be true but most if not all of those games send you a activation link/key before you can do any changes.
Thank you for your reply, but it doesn't really help us and it does nothing to set us at ease.
It has zero benefit if we change our passwords,because changed or not the only thing unwanted guests need is your login email adress,they neither need access to that email nor do they need the old password, at every other place if you want to change the password you need the old password, or you need the email which is where the actual password change happens.
I know that most of this problem is not yours or Anet's fault but instead NCsoft's fault,but that is no reason to do nothing for us that will actually help us with the problem.
If NCsoft does not want to work on the issue I suggest you as Anet advice people to not link their account to NCsoft, because doing so may open you to a HUGE vulnerability.You try to work on a way for the ones of us that did link our accounts (hello free storage pane) ,but which no longer wish for them to be linked to be able to unlink the account from your side of the connection.
We no longer trust NCsoft and we no longer wish to be open to this vulnerability.In my opinion there should be absolutely no work on GW2 untill you can sort out this problem,if you do not we will have the same problems with GW2.But I am simply one player in the thousands of players that play this game, so my opinion will most likely be disregarded, which is not unexpected.
Thank you.
A concerned player.
Last edited by Xenex Xclame; Dec 18, 2009 at 12:47 AM // 00:47..
|
|
|
Dec 18, 2009, 02:52 AM // 02:52
|
#203
|
Krytan Explorer
|
Quote:
Originally Posted by Ambitious
I'm trying to take heed of this warning and change my password, but I'm running into some difficulties.
I registered an NCsoft account, and attempted to add my Guild Wars account to it so I could change my password. However, it needs the "serial code." Where can I find this code?
|
Good Luck! and hope your account doesn't get hack! Remember, we don't need your original password to reset your password.
That's like saying to the Locksmith:
Thief: This is my house, could you let me in?
Locksmith: As long as I get pay for my service, I don't give a damn if its your house or not. Not my job. My job is to open locks.
Last edited by JimmyNeutron; Dec 18, 2009 at 04:20 PM // 16:20..
|
|
|
Dec 18, 2009, 03:16 AM // 03:16
|
#204
|
ArenaNet
Join Date: Apr 2008
Profession: Me/
|
Quote:
Originally Posted by Fay Vert
Damn it woman, stop failing and LISTEN. Look at the poll results.
There are many ways accounts are compromised, singling out one obvious one, which probably only accounts for a small proportion anyway is not going to solve the problem or address people's fears.
Limit the consequence of the hack, implement a no delete on characters, how hard is that?
|
Sorry, but you do not have all the information our security team has about this issue, so you cannot accurately determine how effective one method is over another. Furthermore, this isn't the only way we're trying to help protect players. Our development team is continuing to work on solutions.
__________________
Regina Buenaobra
Community Manager
ArenaNet, Inc.
|
|
|
Dec 18, 2009, 03:32 AM // 03:32
|
#205
|
Jungle Guide
Join Date: Apr 2005
Profession: N/A
|
Quote:
Originally Posted by Regina Buenaobra
Sorry, but you do not have all the information our security team has about this issue, so you cannot accurately determine how effective one method is over another. Furthermore, this isn't the only way we're trying to help protect players. Our development team is continuing to work on solutions.
|
I just want to echo Fay Vert's frustration, not just because I fear my account could get hacked at any time, but because I don't feel like you are giving as any useful information. Giving us ambiguous statements like "were working on it" or "lots of games have been getting hacked recently" tells us nothing. Many people have asked specific questions that seem to me very reasonable. For example:
Since accounts are being hacked through resetting the password on the playNC website, a common question is: why can't you implement e-mail confirmation when resetting passwords? Is it because that is something NCSoft has control over? If so, why are you not pressuring NCSoft to change it, and if you are, why are they doing nothing?
|
|
|
Dec 18, 2009, 03:47 AM // 03:47
|
#206
|
Jungle Guide
Join Date: Mar 2006
Location: Trying to stay out of Ryuk's Death Note
Profession: N/R
|
Quote:
Originally Posted by Regina Buenaobra
Sorry, but you do not have all the information our security team has about this issue, so you cannot accurately determine how effective one method is over another. Furthermore, this isn't the only way we're trying to help protect players. Our development team is continuing to work on solutions.
|
True we do not have the info you all do. On top of it ANET will not release it to us since it will help the hackers. We get it.
However, there have been a numerous people that have reported accounts being stolen/hacked and getting the email from NCsoft Master Hub notifying them the password has been changed by IP addresses from RMTs in China.
Common sense tells us that the weak point is there. So it does not take a rocket scientist to determine that if the function was turned off for now it would reduce the amount of accounts stolen.
While I am not saying all of the hacked accounts are because of NCsoft site, it is obvious that once that login and password are hacked it is giving the hackers free access to any and all accounts tied to the NCsoft Master Hub.
Please disable that sites ability to change passwords. With Wintersday coming up tomorrow, I can imagine that alot of people that have not played in awhile will be returning and if they forgot the passwords it is nice to be able to direct them to the automated site to reset it. But this needs to happen and soon despite the influx. Which is going to cost more: Having support reset passwords manually or dealing with the increase of hacked accounts.
Last edited by Tullzinski; Dec 18, 2009 at 03:54 AM // 03:54..
|
|
|
Dec 18, 2009, 04:08 AM // 04:08
|
#207
|
Banned
|
Quote:
Originally Posted by Regina Buenaobra
Sorry, but you do not have all the information our security team has about this issue, so you cannot accurately determine how effective one method is over another. Furthermore, this isn't the only way we're trying to help protect players. Our development team is continuing to work on solutions.
|
What we do have is the info we see from people who have been hacked - and time and time again it points back to ncsoft.
When I change my password from the ingame menu it wants my current password. When I change it from ncsoft it just wants a new password. That equals zero security. I agree with the above request, remove the abilty to change passwords from the ncsoft menu.
|
|
|
Dec 18, 2009, 05:09 AM // 05:09
|
#208
|
Wilds Pathfinder
Join Date: Dec 2005
Guild: Spectra Sg [SpcA]
Profession: W/Mo
|
add me to the list
Quote:
Someone at 122.147.127.153 has reset your Guild Wars Game Account password for account [xxx]. If you did not make this change, please contact support immediately at [email protected].
|
This was.. 7 hours ago. Sent an email to support requesting to reset or to lock account, took the initiative to provide my cd key, lots of fingernail biting - nothing. as a doublewhammy, i was holding off dedicating my HoM items. 3 years worth of hard earned minipets, together with weapons and fow armors. the dude must be having fun. may his family jewels rot and fall off.
okay, venting aside, i was reminiscing of the good old days in thunderhead keep and eternal grove. enemies attacking on multiple fronts, a small team of adventurers fending them off in a fort. When one entry point was under extreme duress, the team was reshuffled immediately to stem the threat, with much frantic pinging and arrows drawing on the minimap. failure to do so usually resulted in a wipeout. many dwarven kings and tree singers must have fallen in the course of guild wars. good times.
on to these account breaches. i have read gaile's and regina's statements on these account breaches. The general strategy seems to be a) change password b) wait while the team comes up with a resolution.
a) is not really an ideal response to these breaches. many players are on hiatus and do not even log in or follow the forums. I was only aware of all these issues after receiving that dreaded email. of course, now that i know, there is no way for me to change my password without support's assistance.
b) is well and good. but it seems to be more skewed towards the mid or long term. this "brainstorming" is not about how to hustle that warrior to the west gate, it is about how to slay the evil lich king at his lair. thunderhead keep could well be lost by the time we figure out how to slay the lich king, in which case we will never get to him.
to summarize my opinions:
a) short, medium, long term solutions are required. this is true in every crisis. what are the short terms resolutions offered so far? the first post in this thread was 10th dec. it has been almost a week since then. many accounts could have been saved if some form of short term action was taken.
b) service support standards are lacking. this is an online game. the account governs my ownership of the game. theft of my account equals theft of my copy of the game. 7 hours (and counting) is too long a wait for a simple account lock request or even an initial contact by a support rep. i have not even been attended to, so i can only wonder how long it'll take for that to happen.
c) separation of concerns is a standard audit procedure. i am at fault for reusing passwords for forums and internet support accounts like ncsoft. to be realistic, few users are going to have separate passwords for the multitudes of websites out there. however, i practice tranching. i make it a point to have a different username and password for accounts which require higher security. guild wars was one of those accounts. that my guild wars account was breached possibly because a different forum account was breached stinks of irregularity.
d) keyloggers and trojans are a possibility, but i'm confident there would have been some actual reports of malicious software on someone's pc considering the severity of this outbreak. occam's razor.
e) this is not the bigger battle. the bigger battle is guild wars 2. i've just had 3 to 4 years of gaming effort on guild wars compromised. the heart-break is hard for a non-gamer to imagine (afterall, it's all virtual right?). i have serious misgivings about any online games which cannot safeguard my progress/ ownership. it may well be that this is my farewell to tyria.
Last edited by trielementz; Dec 18, 2009 at 06:11 AM // 06:11..
|
|
|
Dec 18, 2009, 07:09 AM // 07:09
|
#209
|
Furnace Stoker
Join Date: Jan 2008
Profession: Mo/
|
Quote:
Originally Posted by karlik
What we do have is the info we see from people who have been hacked - and time and time again it points back to ncsoft.
When I change my password from the ingame menu it wants my current password. When I change it from ncsoft it just wants a new password. That equals zero security. I agree with the above request, remove the abilty to change passwords from the ncsoft menu.
|
That is too much common sense and an easy fix. It would take maybe one programmer one hour at most to do, if that. Much better to spend time in meetings thinking of solutions, pondering what this data means, and changing the log in screen text to tell people to change your password right now. Heaven forbid they do an easy fix on that security hole and fix at least some of the problem. My password in game is already hell-a-hard to guess, but a fat lot of good that does when it can be changed through NCsoft master account.
|
|
|
Dec 18, 2009, 08:40 AM // 08:40
|
#210
|
Lion's Arch Merchant
Join Date: Oct 2005
Guild: Leader - ANZAC
Profession: E/
|
Quote:
Originally Posted by trielementz
Someone at 122.147.127.153 has reset your Guild Wars Game Account password for account [xxx]. If you did not make this change, please contact support immediately at [email protected].
|
descr: New Century InfoComm Tech. Co., Ltd.
descr: 1F~11F, No. 218, Rueiguang Road
descr: Taipei Taiwan 114
Do a whois from a command prompt for more detail information.
And yes I am another one that was hacked, without sharing info on any forum or website.
Uhmm, guess my avatar needs changing
|
|
|
Dec 18, 2009, 12:38 PM // 12:38
|
#211
|
Jungle Guide
Join Date: Mar 2006
Location: Trying to stay out of Ryuk's Death Note
Profession: N/R
|
Sorry to hear about the above members getting hacked.
ANET/NCsoft:
Two more examples of gold sellers stealing accounts. Regardless of how they were hacked, the NCsoft Master Hub Password reset function needs to be turned off. It is the finish line for the hackers and should be disabled immediately.
Are we going to see a flood of accounts hacked with the return of many members due to the event weekend?
VV what he said below VV
Last edited by Tullzinski; Dec 18, 2009 at 02:58 PM // 14:58..
|
|
|
Dec 18, 2009, 02:38 PM // 14:38
|
#212
|
Lion's Arch Merchant
Join Date: Apr 2007
Location: UK
Guild: I use to love CB :(
Profession: Mo/
|
Regina/Anet
Accounts are being compromised everyday and there needs to be some level of damage limitation ASAP, allow people to at least lock characters otherwise you will see more folks walking away from GW and GW2. If any of my friends get hacked they will not get GW2.
Accounts have been hacked for a long time already and there needs to be immediate damage limitation. There is no comfort for those who have been compromised, nor does the fact that anet are working on solutions. Me and others are not prepared to spend at the store and everyday folks are scared that there account is another statistic, regardless of how it happened.
Please make this possible before more fans and players are compromised.
TY
Last edited by Silverblad3; Dec 18, 2009 at 02:41 PM // 14:41..
|
|
|
Dec 18, 2009, 03:53 PM // 15:53
|
#213
|
Banned
|
Quote:
Originally Posted by Tullzinski
Are we going to see a flood of accounts hacked with the return of many members due to the event weekend?
|
Don't forget the huge number of people linking to NCsoft to buy costumes. I suspect that will generate quite a few new hacks as well.
|
|
|
Dec 18, 2009, 04:03 PM // 16:03
|
#214
|
Pre-Searing Cadet
Join Date: Jan 2007
Location: Illinois
Guild: Blade and Rose [BaR]
Profession: Me/N
|
Quote:
Originally Posted by Inner Salbat
descr: New Century InfoComm Tech. Co., Ltd.
descr: 1F~11F, No. 218, Rueiguang Road
descr: Taipei Taiwan 114
Do a whois from a command prompt for more detail information.
And yes I am another one that was hacked, without sharing info on any forum or website.
|
This might even be the same person who got me yesterday:
Someone at 122.147.127.156 has reset your Guild Wars Game Account password for account [...]. If you did not make this change, please contact support immediately at [email protected].
Did a whois, got:
descr: New Century InfoComm Tech. Co., Ltd.
descr: 1F~11F, No. 218, Rueiguang Road
descr: Taipei Taiwan 114
country: TW
and a person's name, email, apartment number. It's been 18 hours since I filled out a support ticket, still got nothing but the automated response.
I posted in Bellissima's thread on GWO. From NCSoft, I only got the generic "your password has been reset" email, and then tried to login to my PlayNC/NCSoft account, and could not. Someone hacked into my PlayNC account, changed my security questions/answers, and changed my Guild Wars password. Even though I use a unique password for Guild Wars, which I haven't typed in ages (I use the Properties shortcut), apparently you don't even need to enter your old Guild Wars password in PlayNC to change it.
So, essentially, all that is standing between you and $150 worth of game is a very hackable website. I wish there were an unlinking option, or heck, requiring your old GW password to change to a new one.
At least my characters have not been deleted -- someone was kind enough to check, and my igns are still addable to the Friends List.
Otherwise, I second this post:
Quote:
Originally Posted by Rehnahvah Gahro
[T]he flaw lies within NCSofts Site. It has been reported from various independent sources and you'll only have to look at the "Change your Password" Method to see how utterly fail this whole Master-Account security is.
So I would vote for "Other S/W", specifically suggesting that NCSoft gets their **** together. Other than that, there are no further security updates needed.
The easiest solution would be to UNTIE all GW-Accounts from the useless, security-lacking, no-advantage-at-all "Master-Account". But Anet being a 100% subsidiary of NC I don't see that happening.
|
Last edited by Rinoa Hawkeye; Dec 18, 2009 at 04:45 PM // 16:45..
|
|
|
Dec 18, 2009, 04:35 PM // 16:35
|
#215
|
Grotto Attendant
|
I am back in this thread but briefly.
Quote:
Originally Posted by Regina Buenaobra
Sorry, but you do not have all the information our security team has about this issue, so you cannot accurately determine how effective one method is over another.
|
No amount "our security team knows better than you do" is going to make anyone with even the slightest shred of common sense believe that the NCSoft site doing things like telling anyone whether a given string is a valid username or allowing unlimited login attempts with no delay is OK.
Quote:
Originally Posted by Rinoa Hawkeye
Did a whois, got:
descr: New Century InfoComm Tech. Co., Ltd.
descr: 1F~11F, No. 218, Rueiguang Road
descr: Taipei Taiwan 114
country: TW
and the person's name.
|
I am very sorry about your account.
That name is the name of the contact info for New Century InfoComm Tech. Co., Ltd., which is most likely just an ISP. That person is probably not responsible and probably not willing or able to help figure out who is.
Perhaps, something is being done though:
Quote:
Originally Posted by flubber
It's about time...
|
Has anyone checked to see if the same gaping security flaws are still there?
|
|
|
Dec 18, 2009, 04:40 PM // 16:40
|
#216
|
Krytan Explorer
|
I can see it now.
GW Update: A Bank has been added to GW. Like a regular bank, you need an ATM card to deposit and withdraw anything from the bank. How will this work? Your ATM card can be anything you have in inventory, materials, rare drops, armor, dyes, etc...
Once you place the ATM item into the Bank, you will then be require to enter a 4 digit pin #. If the wrong ATM item is placed in, it WILL still ask you for a 4 digit pin #. This is to prevent hackers from guessing if they have the right ATM item or not. Once the correct pin# is enter, you can store anything you want into the bank; gold, materials, weapons, etc... and even the ability to lock up any characters from deletion!!!
Ex. ATM Item: 4 Pile of Glittering Dust (NOTE: This is not the same as 1 Pile of Glittering Dust or a Stack of Dust). The 4 IS IMPORTANT!!!!
Timer: Wait 5sec REGARDLESS of correct ATM item or not
Enter Pin.
Wait 5 sec
Bank Unlock if correct.
Why the timers? Like I said, to prevent hackers. Long time ago, Unix hackers would be able to guess a username easily if they got the Password prompt immediately. Getting the Password prompt means the username exist and therefore returns the Password prompt instantly. However, if the username doesn't exist, it searches its "passwd" file for the username that was enter and this takes about 5-10secs. Hackers would know if it takes more than 5sec, an invalid username have been enter and to try the next username. Don't ask how I know. LOL!!!
Fun part back then was passwd wasn't encrypted till later on. Someone could've just type on "cat passwd" and log the entire output to a txt file. Later on, encryption was implemented and passwd- <---hyphen added, but still wasn't secure. Anyways, I'm digressing.
But you get the point...a Bank added!!!! all yours for the low price of $9.99!!!!
NOTE: This idea is (tm) and patent pending!!! To use this feature, please contact me for royalties fees.
LOL!!!
Last edited by JimmyNeutron; Dec 18, 2009 at 07:05 PM // 19:05..
|
|
|
Dec 18, 2009, 04:43 PM // 16:43
|
#217
|
Forge Runner
Join Date: Jun 2006
Guild: Hard Mode Legion [HML]
Profession: N/
|
Quote:
Originally Posted by karlik
Don't forget the huge number of people linking to NCsoft to buy costumes. I suspect that will generate quite a few new hacks as well.
|
Is the master account vulnerable? Probably no more and no less than the GW account itself. It might be that the NC website allows a faster process of brute-forcing accounts, but I cannot tell because I don't know the mechanics behind it.
However, I'm not convinced that the NC website is less secure than the GW login. It's just a better target for hackers than the individual game accounts.
From my point of view the link to the NC account does not make the GW account less secure, it seems like two entry points but just as a normal burglar they can work most efficient on one door at the time.
What I do know is that targeting the NC account is far more profitable for a hacker than the GW account. Because the account might be linked to several games. It might well be that the criminals figured this out and are now working full-force on the NC accounts and less on the GW/Aion/whatever accounts they used to work on. Meaning an increased amount of people getting hacked on their NC account.
|
|
|
Dec 18, 2009, 04:44 PM // 16:44
|
#218
|
Pre-Searing Cadet
Join Date: Jan 2007
Location: Illinois
Guild: Blade and Rose [BaR]
Profession: Me/N
|
Quote:
Originally Posted by Chthon
I am very sorry about your account.
That name is the name of the contact info for New Century InfoComm Tech. Co., Ltd., which is most likely just an ISP. That person is probably not responsible and probably not willing or able to help figure out who is.
|
Thank you. As for the name, I can't say it is the hacker, but it gave me an apartment number from the address, a name, an email (hotmail, no less). I'm not going to do anything with it because I don't know what I would do--not even sure this is the right person, and I don't speak Taiwanese. I guess it's just a waiting game now, until NCSoft restores access to my account.
|
|
|
Dec 18, 2009, 05:19 PM // 17:19
|
#219
|
Banned
|
Quote:
Originally Posted by the_jos
Is the master account vulnerable? Probably no more and no less than the GW account itself. It might be that the NC website allows a faster process of brute-forcing accounts, but I cannot tell because I don't know the mechanics behind it.
However, I'm not convinced that the NC website is less secure than the GW login. It's just a better target for hackers than the individual game accounts.
From my point of view the link to the NC account does not make the GW account less secure, it seems like two entry points but just as a normal burglar they can work most efficient on one door at the time.
What I do know is that targeting the NC account is far more profitable for a hacker than the GW account. Because the account might be linked to several games. It might well be that the criminals figured this out and are now working full-force on the NC accounts and less on the GW/Aion/whatever accounts they used to work on. Meaning an increased amount of people getting hacked on their NC account.
|
What we keep seeing is somehow they get into the NCsoft account - maybe brute force, maybe because we are dumb enough to use the same name and password at other sites, maybe they have found a weak link there?, etc.
Regardless of how, once they get into NCsoft, it is as you said, they have access to any game account you have linked. From that point they don't need to know any passwords, they can change the game passwords at will and start cleaning your accounts.
|
|
|
Dec 18, 2009, 05:49 PM // 17:49
|
#220
|
Desert Nomad
Join Date: Jul 2007
Location: Cuba
|
A number of security flaws are present on that ncsoft account website, which have been pointed out numerous times and all are still present.
|
|
|
Thread Tools |
|
Display Modes |
Linear Mode
|
Posting Rules
|
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
HTML code is Off
|
|
|
All times are GMT. The time now is 10:42 AM // 10:42.
|