About Account Security

Gaile Gray
ArenaNet
#1
A few days ago, GWG forum members made us aware of a possible problem with PlayNC account security. It seems that a few accounts were stolen, and the concern was raised that the thefts may have resulted because of a shortfall in security through the PlayNC system.

I don't want to get into the mechanics or the details, but I want to thank the forum members who reported this problem, and I want to apologize if any of you felt that you weren't helped as immediately nor as thoroughly as you might have been in the initial stages. I want to express thanks to one member in particular (whom I won't name right now, but you know who you are!) who provided very helpful and detailed information which we used to track down the matter. And you will be interested to know that the appropriate action has been taken on more than one of the accounts of those responsible. I am not at liberty to reveal what that was, but knowing action was taken, and the accounts identified, is probably of some interest to you.

As a matter of fact, these thefts were made possible through a combination of errors. I know that GWG has made a change that will prevent the acquisition of information. And you will be pleased to know that there is a major change in the PlayNC system coming within a matter of days. Protocols are being put in place that will greatly reduce--perhaps even make impossible--this particular kind of account theft. That is not to say that all account thefts will be rendered impossible--we could only wish! But the three or four that we know of which were a result of this recent situation will be far less likely to happen in the future.

Here are some tips I'd like to share with you:
  • Use a unique account name. If you're using an email address to conduct matters that must stay secure, use an email address that you do not reveal to others. So use one "private" address for matters that require a high level of privacy and security, such as game accounts, online banking, and so forth. And then use a completely separate "public" address for correspondence, on-line trades, chat rooms, online message programs, forum memberships, etc. Stop and ask yourself: When I'm idling in IRC, is everyone in the world seeing my bank user name? My GW Account name? When I add someone to my IM list or when I post in a forum, are people learning more about me than I really want them to know?
  • Come up with a complex and unique password. Use symbols, if allowed. Use upper and lower case. Toss in some numbers, but for goodness sake, don't use your birthday or other easily-found things. (See below about birthdays.) Try to not use the same password for everything. (This is called mitigating disaster; it's sort of like diversifying your portfolio. If one stock crashes, they don't all crash. If one account is stolen, not all are stolen.)
  • Do not reveal your Guild Wars account name to anyone. If you are conducting a trade, use your "public" email for that, never, ever your Guild Wars user name. No one needs your user name or your PlayNC account name, ever! If you want to meet in game, give them a character name. If you want to correspond, use that "public" email address and keep your private one private.
  • Do not reveal your birthdate. Sure, it's fun to have people know when it's your birthday, but it may be smarter to not make that known. A lot of contests ask for your birthday to verify your entry, so it is hard to not reveal this, at times. Heck, even the Guild Wars championships require birthday information! Maybe the best suggestion is simply to keep this info reasonably private and, if you reveal it, do not reveal it at the same time you're exposing that private email address.
  • Take the usual privacy provisions. Keep personal information to a minimum on forum profiles. You can't be sure what a bank, credit union, mortgage company, or anyone else will ask to "verify your identity." Some ask things that could be found by someone rifling through the recycling on your curbside! (Yay, shredder!) Anyway, because you can't predict what you'll be asked for account verification, keep profile information to a minimum. General location, sure! But do you really need to mention online that you live on Maple Avenue in Anytown, USA? That your Zip Code is 12345? That your mother's maiden name is Smythkowicz, or that you were born on a sunny Sunday in April of '86 at St. Chuck of the Perpetual Smile Hospital in Upper East Midlothian? Think about it: TMI!
  • If you are given the opportunity to come up with a security question, make it matter! Don't ask something silly like "How do you spell cat?" Don't ask the same question for every account you own. Don't make it a question for which there are only a few answers. "What's your favorite colour" is lame! Well, unless you really know the differences between purple, amethyst, lavender, orchid, lilac, aubergine... The truth is, there are usually only 6 or 8 answers to that colour question, so someone could "hack" that one pretty simply by just going through the Red-Orange-Yellow song. For your security question, come up with something obscure and something hard to guess.
I'm sure there are a dozen other great security tips, and I invite anyone to post them here. In the meantime, please know that we're working to improve security and welcome your feedback on our processes at any time. Send thoughts through the Support tab, or share them in a forum post.
Shanaeri Rynale
Desert Nomad
#2
Thanks for the info, Gaile. I'm sure this information will save a lot of people a lot of hassle (and money).

I would also like to add
1. Always have a firewall installed, be it a software or hardware one. Make sure it's always turned on and test its integrity with any number of online tests that are available.
2. Always use an antivirus system, complete with trojan/key logger scans. Again, update and scan regularly.
3. Use one or more anti-spyware programs; again, keep them updated and scan regularly.
4. Always apply the latest patches for your browser and operating system etc.
5. Never ever download any third party hacks, cheats, No CD patches or do anything to fiddle with your Guild Wars installation, esp. the GW.exe.
6. Delete spam without opening or reading it.
7. Never open attachments from unknown senders. Be careful of attachments from known senders; they may be unwittingly forwarding you infected files, or their computers may be infected with a virus that is automatically sending infected messages to people in their address books. If you are not expecting a certain attachment, check with the sender before opening it. While any attachment may potentially contain a virus, you should be especially cautious of attachments that end with ".exe," ".pif," or ".scr" file extensions.
8. Install and use spam blocking software. You may download free spam blocking software, purchase spam blocking software, or use spam blocking protection offered by your Internet service provider.
9. Be wary of phishing: asking for account information from an official sounding source with a view to stealing it. Verify any requests, in this case AN, NCsoft, with support.
10. Secure your browser, install a pop-up blocker, make sure the security settings are correct, be careful of cookies and what ActiveX controls are being installed.


Use various online reviews and search engines to find out how to do these things, there are also a number of free anti virus/firewall/spyware software you can use. I'm not sure if I'm allowed to list them on this site. But google will be able to turn them up quickly.

That's all I can think of ATM.

Thanks again for the advisory.
Tyggen
Krytan Explorer
#3
Quote:
Originally Posted by Shanaeri Rynale
(...)
5. Never ever download any third party hacks, cheats, No CD patches or do anything to fiddle with your Guild Wars installation, esp. the GW.exe.
(...)
7. Never open attachments from unknown senders. Be careful of attachments from known senders; they may be unwittingly forwarding you infected files, or their computers may be infected with a virus that is automatically sending infected messages to people in their address books. If you are not expecting a certain attachment, check with the sender before opening it. While any attachment may potentially contain a virus, you should be especially cautious of attachments that end with ".exe," ".pif," or ".scr" file extensions.
(...)
About #5, you should be very careful with downloading any mod or extension for any program. Be especially careful if you download cheats and hacks for online programs. Certain viruses can be detected easily if they try to connect to the internet, but if the program already has access it's easier to conceal. Also be careful with normal ones; I downloaded a pack of 30 mods for Oblivion from an "official" fan site and ended up with about 5 different trojans and a logger. Always scan files before installing them.

In #7 you forgot to mention .zip and .rar (and other zip formats), those can contain absolutely anything. If you remember some years ago, some jokers thought it was funny to make a mail with the subject line "I love you" which spread like wildfire, so be careful with all attachments.

I have several recommendations for programs you can use to make your computer safer, but I don't want to post them unless I get an OK from a mod. I'll just say this; Don't use Internet Explorer.
eightyfour-onesevenfive
Wilds Pathfinder
#4
Oh I love topics like this one. I never get tired of preaching about the importance of "hard" passwords myself. Using things like your or your significant other's birthday or your dog's name as a password is begging to get hacked. You won't believe how many accounts have been broken into (not necessarily Guild Wars, I'm talking general here) by simply going through a list of common female names and four letter words.

Quote:
Originally Posted by Shanaeri Rynale
10. Secure your browser, install a pop-up blocker, make sure the security settings are correct, be careful of cookies and what ActiveX controls are being installed.
That point could be substituted by: Don't use Internet Explorer. Use alternative browsers like Opera or Firefox. If you want Internet Explorer to be secure, you will not be able to access a lot of content on the web, because you have to entirely disable javascript and ActiveX. The alternatives are safer simply because they are less widely used and as such the bad guys don't bother finding exploits for their security holes.

Don't be mistaken, there is no such thing as an absolutely safe system. It can only be safer, but everything can be compromised, given the right amount of time and effort. In the end it comes down to the user being vigilant.
-Loki-
Forge Runner
#5
Also watch out if you have something like MSN open in the background. I've had my guild wars window stay on top but the MSN window behind it was the active window. Needless to say, my friend got my password, and is easy to do by mistake if you don't look at the screen as you type your email/password. That was a quick trip to account editing. Particularly nasty if you have an IRC channel open.
Commander Ryker
Site Contributor
#6
Another tip.....be careful of websites you get in email or other places. A lot of websites have spyware and stuff that could hurt you in the long run. Also, download and run, daily, Ad-aware and Spybot-Search and Destroy. I run them both and you'd be amazed at the stuff I get......and I'm careful! I also have running, at start up Zone Alarm (firewall) and AVG (anti-virus). All these programs are free. To find them just google the name with Free before it.
lyra_song
Hell's Protector
#7
The only secure thing is in your head.

Even if you follow all these precautions, NEVER ASSUME INVULNERABILITY.

Please use your head, common sense and don't trust anyone.

Especially me o.o
Effendi Westland
Wilds Pathfinder
#8
Another tip:

Install McAfee SiteAdvisor (www.siteadvisor.com - works better with Firefox than with Internet Explorer). Know the experience other users have had with the site you are about to visit (and its downloads).
Tachyon
Forge Runner
#9
Quote:
Originally Posted by Commander Ryker
Also, download and run, daily, Ad-aware and Spybot-Search and Destroy.
Very good advice, but I'd also like to recommend that people also run these two daily as well.

CCleaner

VundoFix

Running those two alongside the two that Commander Ryker mentioned should keep your system spyware and malware free.
Trvth Jvstice
Wilds Pathfinder
#10
I've always used Internet Explorer, but I don't go to crack/warez hacker sites, and the other sites that are constantly screwing up people's computers. I update my computer protection constantly and use antivirus and spyware protection. I also have Microsoft auto-update enabled. I've been using computers for several years and I've never had a problem.

I recently updated to IE 7; it's really great!
Eviance
Desert Nomad
#11
I always put in a fake birthday anyways >_> No need for people to be knowing how ol....err young I am... >_>

Trvth Jvstice:
I hear bad things about IE 7, you might want to run a search about it first before you go being too happy with it. I heard it broke some PCs, but that could just be their issue and not IE7's. If I were you I would check into it anyways.
Trvth Jvstice
Wilds Pathfinder
#12
@ Eviance- Thx I'll check it out. I did do a little research before I installed. And I set a restore point before installing.

I was a little pressed for time with my earlier post. I have nothing against Firefox and I do realize it's safer to use than IE, but I just hate the idea of having 2 browsers installed on my computer ( probably a habit left over from back when our hard drives were only a few gigs in size lol).

The reason Firefox is safer though, is because there aren't nearly as many hackers out there interested in screwing with Firefox as with IE.
From what I've read, Firefox users are starting to have a few problems with rogue programs and trojans, but Mozilla sends out fixes and updates pretty quickly.

About people getting their account stolen. I've been told that plaync allows unlimited password attempts, so once someone knows your username, they have unlimited tries to guess your password. There are programs out there that can be used to automatically enter different passwords until it finally guesses the correct one.
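The concern raised in post #12, unlimited password attempts against a known account name, is what per-account attempt throttling addresses. The following is an added example, not part of any post in this thread and not PlayNC's code; the class name, thresholds, delays and the account name "player1" are assumptions chosen for illustration.

```python
import time


class LoginThrottle:
    """Per-account failed-login throttle with exponential backoff.

    All thresholds are assumed values for this example.
    """

    def __init__(self, free_attempts=5, base_delay=30, max_delay=3600,
                 clock=time.monotonic):
        self.free_attempts = free_attempts  # wrong guesses allowed before delays start
        self.base_delay = base_delay        # first lockout, in seconds
        self.max_delay = max_delay          # cap on a single lockout
        self.clock = clock                  # injectable so the example can be simulated
        self._state = {}                    # account -> (failures, locked_until)

    def retry_after(self, account):
        """Seconds left before another attempt for this account is evaluated."""
        _, locked_until = self._state.get(account, (0, 0))
        return max(0, locked_until - self.clock())

    def attempt(self, account, password_ok):
        """Record one login attempt; return 'ok', 'denied' or 'throttled'."""
        if self.retry_after(account) > 0:
            return "throttled"              # the password is not checked at all
        if password_ok:
            self._state.pop(account, None)  # success clears the failure history
            return "ok"
        failures = self._state.get(account, (0, 0))[0] + 1
        delay = 0
        if failures >= self.free_attempts:
            exponent = failures - self.free_attempts
            delay = min(self.max_delay, self.base_delay * 2 ** exponent)
        self._state[account] = (failures, self.clock() + delay)
        return "denied"


def guesses_evaluated(window_seconds, throttle_enabled=True):
    """Simulate one wrong guess per second; count how many reach the password check."""
    now = [0]                               # constructed clock, advanced by hand
    throttle = LoginThrottle(clock=lambda: now[0])
    evaluated = 0
    for _ in range(window_seconds):
        if not throttle_enabled or throttle.attempt("player1", False) == "denied":
            evaluated += 1
        now[0] += 1
    return evaluated


if __name__ == "__main__":
    print("no limit :", guesses_evaluated(3600, throttle_enabled=False))
    print("throttled:", guesses_evaluated(3600))
```

A throttle keyed on the account name alone also lets anyone who knows that name delay the real owner's login, so it is normally paired with per-source limits.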
Sir Skullcrasher
Furnace Stoker
#13
Is it wise to change your password every few weeks or so?
Inde
Site Contributor
#14
I would also encourage that the community and other Guild Wars fansites take the same action as Gaile Gray recommended and remove birthdates from display and profiles.

A big thanks to Gaile Gray for her attention in this matter and quick resolution. And thanks to the community for all the great tips so far. Spreading the word is the easiest way to see that others are protected.
Tyggen
Krytan Explorer
#15
Quote:
Originally Posted by Sir Skullcrasher
Is it wise to change your password every few weeks or so?
The more often the better, but at least once a month.

@Trvth Jvstice
You shouldn't use IE because it's the most favoured target for hackers; switching to one of the two browsers eightyfour-onesevenfive mentioned is a much better choice. There's no real disadvantage to installing Firefox or Opera since it doesn't require much space, and you can import all your bookmarks from IE to Firefox at least, not sure about Opera but I think you can there as well. You can even use a skin for Firefox to make it look like IE if you get nostalgic.

Quote:
Originally Posted by Inde
A big thanks to Gaile Gray for her attention in this matter and quick resolution. And thanks to the community for all the great tips so far. Spreading the word is the easiest way to see that others are protected.
Seconded. Although I consider it basic safety measures I'm sure many people aren't aware of what she mentioned, thank you Gaile for taking the time.
ducktape
Krytan Explorer
#16
I really hope they increase the character limit on PlayNC account passwords, it's currently set to 10 characters maximum. I made a longer password and it let me choose it, and then I could not log back on later, so I did the "forgot my password" option...it mailed me my existing account password and I noticed it had cut off the password after the 10th letter.

It would be more secure if we could make longer passwords... the longer and more complex your password is, the harder it is to guess or crack with a program.
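The behaviour reported in post #16 (a longer password accepted, silently cut to 10 characters, and later mailed back) is shown here beside a hardened form that rejects out-of-policy lengths and keeps only a salted slow hash. This is an added example, not part of the post and not PlayNC's code; the class names, the length policy, the PBKDF2 iteration count and any sample password used with it are constructed for illustration.

```python
import hashlib
import hmac
import os

LEGACY_MAX = 10        # the limit reported in the post
ITERATIONS = 200_000   # assumed PBKDF2 work factor for this example


class TruncatingStore:
    """Behaviour as the post describes it: silent cut-off, recoverable storage."""

    def __init__(self):
        self._db = {}

    def set_password(self, user, password):
        self._db[user] = password[:LEGACY_MAX]   # extra characters vanish silently

    def login(self, user, password):
        # The full input is compared, so the password the user chose no longer works.
        return hmac.compare_digest(self._db[user].encode(), password.encode())

    def forgot_password(self, user):
        return self._db[user]                    # possible only because the value is recoverable


class HashedStore:
    """Hardened form: explicit length policy, salted slow hash, nothing to mail back."""

    MIN_LEN, MAX_LEN = 12, 128                   # assumed policy values

    def __init__(self):
        self._db = {}

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

    def set_password(self, user, password):
        if not self.MIN_LEN <= len(password) <= self.MAX_LEN:
            raise ValueError("password length outside policy")  # reject, never truncate
        salt = os.urandom(16)                    # fresh random salt per password
        self._db[user] = (salt, self._derive(password, salt))

    def login(self, user, password):
        if user not in self._db:
            return False
        salt, stored = self._db[user]
        return hmac.compare_digest(stored, self._derive(password, salt))
```

With the truncating store, only the first 10 characters of a longer password ever count, which is the reduced guessing space the post is worried about.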
Brianna
Insane & Inhumane
#17
Yeah, and afaik it doesn't let u use symbols and all that stuff.. feels a bit unsafe for me, I think they should let u.
Darken
Ascalonian Squire
#18
I recently had my account compromised, a keylogger I believe. I managed to change the password b4 any bad things happened, but now I want to change the account name. I can't find a way of doing this anywhere. I don't want other ppl knowing my account name...

Can someone help?
awesome sauce
Krytan Explorer
#19
I've also heard it's possible to get keyloggers over ts/vent. Only use trusted well known servers for it.
Darken
Ascalonian Squire
#20
I just looked up the help on PlayNC and found out it is not possible to change the name you use to log into Guild Wars if you have integrated it with the PlayNC store.

Which means someone has my account name and unlimited time to figure out my password. Even if I change the password on a regular basis this person has forever to try and hack my account.

Does anyone know if there is a support function I can use to help me?