Curse

Bob Slydell · Dec 10, 2009, 08:10 PM // 20:10

Quote:

Originally Posted by Chthon

/Signed.

I've been keeping tabs on the "I've been hacked" stories.

http://www.guildwarsguru.com/forum/s...9&postcount=28

Chthon · Dec 10, 2009, 08:14 PM // 20:14

Quote:

Originally Posted by Tullzinski

http://wiki.guildwars.com/wiki/User:...count_Security
Keep your email secure.....

The most logical explanation that is consistent with the reported facts of recent account thefts is that it is possible to steal accounts solely through interaction with NCSoft and a-net. The thief does not need to interact with the user in any way -- no keylogger, no man-in-the-middle, no phishing, no social engineering, no access to your e-mail, no gleaning your info from forums like this one. The thief goes directly to NCSoft/a-net and comes away with your GW login credentials. Do you comprehend that?

Now, can you understand why people are so upset?

Nuime · Dec 10, 2009, 08:20 PM // 20:20

/signed

Although I haven't had a problem (yet, *keeps fingers crossed*) I also would like to continue to play the game, make in-game-store purchases and everything else like one normally would without even having the slightest trace of worry that any "safe" actions I take through ncsoft will result in getting my account hacked.

Aside from just ncsoft apparently needing to up their own site security...
A simple thing that would make me feel a bit better when it comes to my accounts would be to simply send out an email confirmation when any password (guild wars or ncsoft main) requests to be changed. Assuming your email wasn't compromised, that alone would help a great deal.
You could even add on a "click here to confirm that yes, you changed your password" and make the account temporarily "suspended" until that link is clicked. Heck, take it one step further and make someone answer their "secret questions" again for another level of confirmation at any point of attempting to change a password. Yes it would be a bit of a runaround and annoying to do at that point, but I for one can safely say I rather have it be annoying for me to make changes to my account if it made it harder for someone else to remotely alter anything.

Carboplatin · Dec 10, 2009, 08:20 PM // 20:20

./signed.

However, I don't expect anything to be done. I've since started stashing my new earned goodies in multiple accounts, so if they hack one, hopefully the others will be safe. Yeah its that sad.

Grunntar · Dec 10, 2009, 08:22 PM // 20:22

/signed!

Quote:

Originally Posted by Siirius Black

Someone found a vulnerability in ncsoft and obviously they are exploiting it.

I completely agree with this assessment!

Quote:

Originally Posted by Chthon

because NCSoft can't build a secure system is utterly unacceptable

The fact that they unwilling to even try to build in some security is what I find most disturbing. The house is on fire, and they are sitting on the couch, drinking a beer, and watching TV.

(Datura) · Dec 10, 2009, 08:24 PM // 20:24

/Signed

I don't like NC Soft but love Arenanet.

So, I'll continue to do business with Anet until I can't trust their products for any reason.

Tullzinski · Dec 10, 2009, 08:27 PM // 20:27

Quote:

Originally Posted by Chthon

The most logical explanation that is consistent with the reported facts of recent account thefts is that it is possible to steal accounts solely through interaction with NCSoft and a-net. The thief does not need to interact with the user in any way -- no keylogger, no man-in-the-middle, no phishing, no social engineering, no access to your e-mail, no gleaning your info from forums like this one. The thief goes directly to NCSoft/a-net and comes away with your GW login credentials. Do you comprehend that?

Now, can you understand why people are so upset?

Absolutely!!! I guess I should have put the /sarcasm line in my last post. I find it amazing that ANET/NCSOFT has this listed as a ADDITIONAL security measure when it is NOT!!!

Hotboxin240 · Dec 10, 2009, 08:30 PM // 20:30

/signed

................

didis · Dec 10, 2009, 08:41 PM // 20:41

/signed

Authenticator ftw

The Drunkard · Dec 10, 2009, 08:42 PM // 20:42

/notsigned

I would agree if you provide an explanation on some of the possible reasons how people are getting hacked and some alternatives for Anet to improve the security. Otherwise this is just another thread demanding Anet to change their game's structure because "we don't like it."

Chthon · Dec 10, 2009, 08:53 PM // 20:53

Quote:

Originally Posted by Tullzinski

Absolutely!!! I guess I should have put the /sarcasm line in my last post. I find it amazing that ANET/NCSOFT has this listed as a ADDITIONAL security measure when it is NOT!!!

My apologies, missed the sarcasm.

Aragno · Dec 10, 2009, 09:01 PM // 21:01

Signed

ArenaNet should start focussing on main issues instead of fixing rather pointless things

Obrien Xp · Dec 10, 2009, 09:03 PM // 21:03

/signed

We bought it and worked on it, at least try to do something.

Skill Balance<<<Security

I love anet, its just that this is out of hand.

Jhesta Z · Dec 10, 2009, 09:04 PM // 21:04

--Signed--Signed--Signed--

Too many hours played to start over.

Rydia Merchan · Dec 10, 2009, 09:06 PM // 21:06

/ Signed!!! Thanks for posting this Shan.

shadowlurk16 · Dec 10, 2009, 09:13 PM // 21:13

Signed.

I got my account hacked 4 days ago by a Chinese gold farmer. I just got it back yesterday after HAVING to call NCSoft and pressure them into doing something. Pressure this company on the phone guys, even if you have to wait 20-40 minutes while on hold.

To people who want to know the potential of these hackers here are the main things.

1) These hackers can gain all your information that is entered in your NCSoft account. This means full name, DOB, Street Address, and email.

2) These hackers can change your security questions and passwords at any time they wish.

THIS IS SERIOUS NCSOFT! We are being serious about wanting to keep our accounts safe, so be respectful and return the favor.

Suggestions for NCSoft on how to improve security

1) Require changed password requests to be finalized in the email of the registered person. Changing passwords directly in NCSoft Master Account is unsafe.

2) Allow players to HAVE A CHOICE wether or not they want a password for each of their characters. This means that when you click on a character to play, another password unique to that character (and not stored on the NCSoft website) is required to access the character.

3) Characters cannot be deleted once made unless a request is sent to the user's email for confirmation.

4) Allow the email used to log into the account to be changed via email confirmation from the old email and the new email.

5) MAKE ALL REQUESTS AND TRANSACTIONS GO THROUGH THE USER'S EMAIL! This will make things much more secure.

Please fix the security issues for the sake of your company and for your player base.

Olim Chill · Dec 10, 2009, 09:18 PM // 21:18

Quote:

Originally Posted by Chthon

The most likely explanation is that, in addition to the usual number of people who get their accounts stolen through their own stupidity, there is currently a method of stealing accounts directly through a-net/NCSoft. The password reset feature on the NCSoft master account seems the most likely culprit.

I suspect the same. One of my accounts got hacked right after I'd used the password reset feature. It was the first time I ever used the password reset feature and the first time I ever got hacked. Fortunately, there was nothing in there worth taking at the time.

Die You Infidel · Dec 10, 2009, 09:22 PM // 21:22

/notsigned

get urself a proper password

Eliz Genevieve · Dec 10, 2009, 09:26 PM // 21:26

/signed. I've been hacked too, I know what it feels like.

shadowlurk16 · Dec 10, 2009, 09:29 PM // 21:29

Through much reading of player responses, I have come to the conclusion that one of the many problems wrong with the NCSoft security system (and the reason why many people are getting their accounts hacked) is the Password Reset Feature.

4 days ago, my account got hacked after using the password reset feature. I changed my password through the NCSoft Master Account system and within 3 hours of me resetting the password, the account belonged to a gold farmer in China.

Another user made a similar post.

"I suspect the same. One of my accounts got hacked right after I'd used the password reset feature. It was the first time I ever used the password reset feature and the first time I ever got hacked. Fortunately, there was nothing in there worth taking at the time." - Olim Chill

So the moral of the story? DO NOT reset your password at this time. Leave it as it is. I figure that the hackers are getting your information via hacking the notifications that are being sent from NCSoft server that the account password was changed.

The hackers are intercepting packets from password changes.