About Account Security

A few days ago, GWG forum members made us aware of a possible problem with PlayNC account security. It seems that a few accounts were stolen, and the concern was raised that the thefts may have resulted because of a shortfall in security through the PlayNC system.

I don't want to get into the mechanics or the details, but I want to thank the forum members who reported this problem, and I want to apologize if any of you felt that you weren't helped as immediately nor as thoroughly as you might have been in the initial stages. I want to express thanks to one member in particular (whom I won't name right now, but you know who you are!) who provided very helpful and detailed information which we used to track down the matter. And you will be interested to know that the appropriate action has been taken on more than one of the accounts of those responsible. I am not at liberty to reveal what that was, but knowing action was taken, and the accounts identified, is probably of some interest to you.

As a matter of fact, these thefts were made possible through a combination of errors. I know that GWG has made a change that will prevent the acquisition of information. And you will be pleased to know that there is a major change in the PlayNC system coming within a matter of days. Protocols are being put in place that will greatly reduce--perhaps even make impossible--this particular kind of account theft. That is not to say that all account thefts will be rendered impossible--we could only wish! But the three or four that we know of which were a result of this recent situation will be far less likely to happen in the future.

Here are some tips I'd like to share with you:

• Use a unique account name. If you're using an email address to conduct matters that must stay secure, use an email address that you do not reveal to others. So use one "private" address for matters that require a high level of privacy and security, such as game accounts, online banking, and so forth. And then use a completely separate "public" address for correspondence, on-line trades, chat rooms, online message programs, forum memberships, etc. Stop and ask yourself: When I'm idling in IRC, is everyone in the world seeing my bank user name? My GW Account name? When I add someone to my IM list or when I post in a forum, are people learning more about me than I really want them to know?
• Come up with a complex and unique password. Use symbols, if allowed. Use upper and lower case. Toss in some numbers, but for goodness sake, don't use your birthday or other easily-found things. (See below about birthdays.) Try to not use the same password for everything. (This is called mitigating disaster; it's sort of like diversifying your portfolio. If one stock crashes, they don't all crash. If one account is stolen, not all are stolen. )
• Do not reveal your Guild Wars account name to anyone. If you are conducting a trade, use your "public" email for that, never, ever your Guild Wars user name. No one needs your user name or your PlayNC account name, ever! If you want to meet in game, give them a character name. If you want to correspond, use that "public" email address and keep your private one private.
• Do not reveal your birthdate. Sure, it's fun to have people know when it's your birthday, but it may be smarter to not make that known. A lot of contests ask for your birthday to verify your entry, so it is hard to not reveal this, at times. Heck, even the Guild Wars championships require birthday information! Maybe the best suggestion is simply to keep this info reasonably private and, if you reveal it, do not reveal it at the same time you're exposing that private email address.
• Take the usual privacy provisions. Keep personal information to a minimum on forum profiles. You can't be sure what a bank, credit union, mortgage company, or anyone else will ask to "verify your identity." Some ask things that could be found by someone rifling through the recycling on your curbside! (Yay, shredder!) Anyway, because you can't predict what you'll be asked for account verification, keep profile information to a minimum. General location, sure! But do you really need to mention online that you live on Maple Avenue in Anytown, USA? That your Zip Code is 12345? That your mother's maiden name is Smythkowicz, or that you were born on a sunny Sunday in April of '86 at St. Chuck of the Perpetual Smile Hospital in Upper East Midlothian? Think about it: TMI!
• If you are given the opportunity to come up with a security question, make it matter! Don't ask something silly like "How do you spell cat?" Don't ask the same question for every account you own. Don't make it a question for which there are only a few answers. "What's your favorite colour" is lame! Well, unless you really know the differences between purple, amethyst, lavender, orchid, lilac, aubergine... The truth is, there are usually only 6 or 8 answers to that colour question, so someone could "hack" that one pretty simply by just going through the Red-Orange-Yellow song. For your security question, come up with something obscure and something hard to guess.

I'm sure there are a dozen other great security tips, and I invite anyone to post them here. In the meantime, please know that we're working to improve security and welcome your feedback our processes at any time. Send thoughts through the Support tab, or share them in a forum post.

Thanks for the info Gaile. I'm sure this information will save a lot of people a lot of hassle(and money)

I would also like to add
1. Always have a firewall installed, be it a software or hardware one. Make sure it's always turned on and test it's integrity with the any number of online tests that are available.
2. Always use an antivirus system, complete with trojan/key logger scans. Again update and scan regually.
3. Use one or more anti spyware programs, again keep them updated and scan regually.
4. Always apply the latest patches for your browser and operating system etc.
5. Never ever download any third party hacks, cheats, No CD patches or do anythng to fiddle with your guildwars installation, esp the GW.exe.
6. Delete spam without opening or reading it.
7.Never open attachments from unknown senders. Be careful of attachments from known senders, they may be unwittingly forwarding you infected files or their computers may be infected with a virus that is automatically sending infected messages to people in their address books. If you are not expecting a certain attachment, check with the sender before opening it. While any attachment may potentially contain a virus but you should be especially cautious of attachments that end with ".exe," ".pif," or ".scr" file extensions.
8. Install and use spam blocking software. You may download free spam blocking software, purchase spam blocking software, or use spam blocking protection offered by your Internet service provider.
9. Be wary of Phishing, Asking for account infomation from an official sounding source with a view to stealing it. Verify any requests, in this case AN, NCsoft with support.
10. Secure your browser, install a pop up blocker, make sure the security settings are correct, be careful of cookes and what activeX controls are being installed.


Use various online reviews and search engines to find out how to do these things, there are also a number of free anti virus/firewall/spyware software you can use. I'm not sure if I'm allowed to list them on this site. But google will be able to turn them up quickly.

Thats all I can think of ATM

Thanks again for the advisory.

About #5, you should be very careful with downloading any mod or extention for any program. Be especially careful if you download cheats and hacks for online programs. Certain viruses can be detected easily if they try to connect to the internet, but if the program already has access it's easier to conceal. Also be careful with normal ones, I downloaded a pack of 30 mods for Oblivion from an "official" fan site and ended up with about 5 different trojans and a logger. Always scan files before installing them.

In #7 you forgot to mention .zip and .rar (and other zip formats), those can contain absolutely anything. If you remember some years ago, some jokers thought it was funny to make a mail with the subject line "I love you" which spread like wildfire, so be careful with all attachments.

I have several recommendations for programs you can use to make your computer safer, but I don't want to post them unless I get an OK from a mod. I'll just say this; Don't use Internet Explorer.

Oh I love topics like this one. I never get tired preaching about the importance of "hard" passwords myself. Using things like your or your significant other's birthday or your dog's name as a password is begging to get hacked. You won't belive how many accounts have been broken into (not neccessarily Guildwars, I'm talking general here) by simply going through a list of common female names and four letter words.

That point could be substituted by: Don't use Internet Explorer. Use alternative browsers like Opera or Firefox. If you want Internet Explorer to be secure, you will not be able to access a lot of content on the web, because you have to entirely disable javascript and ActiveX. The alternatives are safer simply because they are less widely used and as such the bad guys don't bother finding exploits for their security holes.

Don't be mistaken, there is no such thing as a absolutely safe system. It can only be safer, but everything can be compromised, given the right ammount of time and effort. In the end it comes down to the user being vigilant.

Also watch out if you have something like MSN open in the background. I've had my guild wars window stay on top but the MSN window behind it was the active window. Needless to say, my friend got my password, and is easy to do by mistake if you don't look at the screen as you type your email/password. That was a quick trip to account editing. Particularly nasty if you have an IRC channel open.

Another tip.....be careful of websites you get in email or other places. A lot of websites have spyware and stuff that could hurt you in the long run. Also, download and run, daily, Ad-aware and Spybot-Search and Destroy. I run them both and you'd be amazed at the stuff I get......and I'm careful! I also have running, at start up Zone Alarm (firewall) and AVG (anti-virus). All these programs are free. To find them just google the name with Free before it.

The only secure thing is in your head.

Even if you follow all these precautions, NEVER ASSUME INVULNERABILITY.

Please use your head, common sense and dont trust anyone.

Especially me o.o

Another tip:

Install McAfee SiteAdvisor (www.siteadvisor.com - works better with firefox then with internet explorer). Know the experience other users have had with the site you are about to visit (and it's downloads).

Very good advice, but I'd also like to recommend that people also run these two daily as well.

CCleaner

VundoFix

Running those two alongside the two that Commander Ryker mentioned should keep your system spyware and malware free.

I've always used internet explorer,but I don't go to crack/warez hacker sites,and the other sites that are constantly screwing up peoples computers. I update my computer protection constantly and use antivirus and spyware protection. I also have microsoft auto-update enabled. -been using computers for several years and i've never had a problem.

I recently updated to IE 7 it's really great!

I always put in a fake birthday anyways >_> No need for people to be knowing how ol....err young I am... >_>

Trvth Jvstice:
I hear bad things about IE 7, you might want to run a search about it first before you go being too happy with it. I heard it broke some PCs, but that could just be their issue and not IE7s. If I were you I would check into it anyways.

@ Eviance- Thx I'll check it out. I did do a little research before I installed. And I set a restore point before installing.

I was a little pressed for time with my earlier post. I have nothing against Firefox and I do realize it's safer to use than IE, but I just hate the idea of having 2 browsers installed on my computer ( probably a habit left over from back when our hard drives were only a few gigs in size lol).

The reason Firefox is safer though, is because there aren't nearly as many hackers out there interested in screwing with Firefox as with IE.
From what I've read, Firefox users are starting to have a few problems with rogue programs and trojans, but mozilla sends out fixes and updates pretty quickly.

About people getting their account stolen. I've been told that plaync allows unlimited password attempts, so once someone knows your username, they have unlimited tries to guess your password. There are programs out there that can be used to automatically enter different passwords until it finally guesses the correct one.

Is it wise to change your password every few weeks or so?

I would also encourage that the community and other Guild Wars fansites take the same action as Gaile Gray recommened and remove birthdates from display and profiles.

A big thanks to Gaile Gray for her attention in this matter and quick resolution. And thanks to the community for all the great tips so far. Spreading the word is the easiest way to see that others are protected.

The more often the better, but at least once a month.

@Trvth Jvstice
You shouldn't use IE because it's the most favoured target for hackers, switching to one of the two browsers eightyfour-onesevenfive is a much better choice. There's no real disadvantage to installing Firefox or Opera since it doesn't require much space, and you can import all your bookmarks from IE to Firefox at least, not sure about Opera but I think you can there as well. You can even use a skin for Firefox to make it look like IE if you get nostalgic

Seconded. Although I consider it basic safety measures I'm sure many people aren't aware of what she mentioned, thank you Gaile for taking the time.

I really hope they increase the character limit on PlayNC account passwords, it's currently set to 10 characters maximum. I made a longer password and it let me choose it, and then I could not log back on later, so I did the "forgot my password" option...it mailed me my existing account password and I noticed it had cut off the password after the 10th letter.

It would be more secure if we could make longer passwords... the longer and more complex your password is, the harder it is to guess or crack with a program.

yeah, and afaik it doesnt let u use symbols and all that stuff.. feels a bit unsafe for me, i think they should let u.

I recently had my acount compromised, a keylogger i belive. I managed to change the password b4 any bad things happend, but now i want to change the acount name. I cant find away of doing this anywhere. I dont want other ppl knowing my acount name...

Can someone help?

Ive also heard its possible to get keyloggers over ts/vent. Only use trusted well known servers for it.

I just looked up the help on PlayNC and found out it is not possible to change the name you use to log into Guild Wars if you have intergrated it with the PlayNC store.

Which means someone has my acount name and unlimited time to figure out my password. Even if I change the password on a regular basis this person has forever to try and hack my acount.

Does anyone know if there is a support function I can use to help me?

BIG NOTE

THOSE NO LONGER ARE WORTHWHILE.

the latest testing by PC Mag and others showed that they are missing next gen keyloggers/rootkits and a lot of others.

Spybot got 2.5/5 rating
AdAware got 3/5 rating

Spyware Doctor and Spysweeper got the keyloggers/rootkits and other stuff the others missed

both got 4.5/5 rating

thanks for that Loviator, that was something I didn't know but figured anyways...
I started noticing a couple of months ago that those weren't catching everything but they are still a decent backsweep at times....

A question: Are tracking cookies a threat to account or personal security? I know almost every major site uses them, but in the wrong hands could they be utilized for something unwanted?

Are Spyware Doctor and Spysweeper free? I like to use the free ones.

But as I stated earllier, I stay away from sites that put that junk on your computer. I also don't advise downloading any freeware unless it has been tested and used by a reliable source. I think Download.com tests their freeware before posting them on their site.

im pretty sure ad-aware and spybot are kind of out-of-date.


I went the distance and *purchased* spyware doctor- my computer hasnt been this happy since the day i bought it.


Also- consider restarting your computer into Safe Mode, and do a Deep Virus Scan as such- You cant be too careful.

its easy to forget how expensive/fragile these computer things are...

spyware doctor is your friend.

45+ other users on siteadvisor say differently.http://www.siteadvisor.com/sites/dow...page=6#reviews I, personally, have recieved a virus from that site. Don't trust it.

I'm glad to see this issue is being addressed so quickly. GG

My question is what is ANETs response to the players. It sounds like at some level ANET messed up somewhere but as i understand the people involved lost everything. I would image there is a good number of players that are understand secuity and make sure they are protected and would think at least a few of the people were protected. BUt between this thread and the other it seems like there was some stuff ANET did that caused players to lose everything.

And to be honest i think their response will at some level either assure i buy ch3 or not. If they choose to do nothing it will make me question why i buy the new chapters.

Can we see a link to those reviews?

Thx, siteadvisor seems like a great resource. /Bookmarked

I don't think Anet responded very quickly. My alliance leader had his account broken into and lost everything not customized. Well over 1000k worth of gold and items were stolen.The scumbag that did this even pm'd him the next day to brag about it.

My alliance leader took screen-shots of the chat between himself and the thief and sent that along with what happened to Anet support. That was over 2 weeks ago! In the meantime, other people were reporting in this forum that they had their account hijacked.

The account theft was related to him purchasing an extra character slot from plaync. Exactly how the thief got his user name is still a mystery.

Like I said, this happened 2-3 weeks ago and was immediatly reported. And they are just now taking steps to beef up security?

well i dont believe in purchasing/downloading/installing a dozen similar ___-ware programs. educate yourself instead... you don't have to be a net geek, nerd or whatever else.. just take a few minutes a day to familiarise yourself with the technology at least on a practical level. know where and how to patch your OS' latest vulnerabilities, where and how to update your AV definitions, be able to use common sense in not clicking on stupid links that exploit MSIE (the worst browser ever created(TM)), and so on and so forth...

btw as far as antiviruses go, i have got to plug Trend Micro. their line of AVs is absolutely top notch and not as burdensome/invasive as similar offerings from mccaffee, norton et al.

summary of earlier testing is on page 45 of the latest (sept 19th issue.

grab it and look at any place that sells PC Magazine

here is a little known free one MAXIMUM PC considers extremely good from their latest issue on utilities Nov/06 issue

http://www.f-secure.com/

If you can get an e-mail of a suspisious hacker, you should be able to get their IP adress and you can give it to NCsoft to stop them in their tracks and it will help everyone in the community. I did that and haven't seen any of the hackers accounts go on since.

In all honesty, no, we were not responsible. There were three components to the theft, as I understand it. I feel that the PlayNC security was lacking in a secondary issue involving one of those three. However, there really are security measures in place, and they will be improved by, for one thing, adjusting the number of times someone could try to brute force a password. But the situations that I wrote about involved players revealing their user name (a bad idea), players exposing their birthday (another bad idea) and (according to actual chat records) some players even eventually revealing their secret question (and presumably answer). (I honestly don't even know if the players are themselves aware of this even now. Sorry, guys, it's what I am told happened in at least one or two cases.) So I'm sure that you can see -- as much as I might be called a Protector of ArenaNet (or at least the company's reputation) -- the instances really cannot be totally or fairly laid at our feet.

Now, that needs to change! I will pass that along immediately.

I will have to say that I know some about accounts being hacked, my husbands was. We are firm belivers is adaware, spybot, avg, and doing alot of maintence on our comps. I dont know if it was the fact the he had just recently purtchaced a couple of extra char slots on his account or what that made him a large target.

I am glad to see that action on plaync side is being taken to help prevent things like this from happening in the future, I can't put all the blame on them. Mainly for one big reason, like my father told me when I was growing up "A lock is ment to keep honest people out"

You get these hackers out there and no matter what they will try to get you because they are not honest and they will try to find a way arround things no matter what you put in front of them. Just like a thief who will find ways to open locks no matter how complex it is. Sometimes it may be for the thrill of doing it, other times it may be becuse they can.

I ask that you not be angry with plaync or ANET over the security issues, they are working on them and working at changing them. Remember that it is not them who are doing the hacking. If it takes some time to resolve issues with one player, please remember that there are in my estimation thousands if not a million people who have accounts. Sometimes it take a little time to get through the e-mails and stuff that they get and do the investigations to resolve the issues that you send them.

Yes it took about a week or two for my husbands issues to be resolved, but they have been resolved. Unfortuantely he will not be able to get back all the things he lost. but we are happy with the outcome.

I would like to end this on one note, I would like to see where you can change your e-mail addy for the login to gw since you cant right now if your account is tied in with a plaync account. I think that measure would help with security issues as well.

To clarify: I wish ANET would help these people do more to rebuild. Correct a small lock keeps out honest men but a big lock keeps out criminals. I know that acct hacks are going to happen and that people are going to be stupid and download stuff. But Im not unhappy with the violation i am unhappy with the apparent lack of care. I find it intersting that it happened after you upgraded your acct via NCSOFT. If the lock company produces a faulty lock they are held liable for their actions. I think its good that they are fixing the problem but i would like to see more support for accts hacked.

How much did your husband lose when he was hacked? how long did it take you to build it all? how long will it take you to rebuild it?

No, NCsoft is not just now just starting to beef up security; it's an ongoing endeavour. Would you kindly ask your friend for the Support Ticket number that he received from NCsoft? Please ask him to PM it to me, or you may do so, if he is comfortable with that. I will be happy to investigate this one, as this is a crucial issue and we're very interesting in learning as much as we can from each instance. Keep in mind that we may well have resolved this issue, that the person who stole the account may already have been disciplined or actioned. That is what we offer -- not insta-refund of lost items.

Here's a tip for you, though: Most people establish identities on the 'Net. So Mary Sunshine becomes [email protected], and she is Mary Sunshine on the forums and IRC. When she creates a PlayNC account, what does she choose to use? Bingo! So her user name is exposed by her own hand.

Someone decides to trade with Mary, perhaps offering an offer that is "too good to be true" just to establish a relationship. This person says they should discuss by email, and Mary kindly provides her email address. Unless Mary is smart and has a "disposable email address" for public use (see my initial post), Hacker now has a second critical piece of info. Hacker looks at Mary's profile and sees she was born on XX date. Info Bit No. 3. And all with NCsoft and ArenaNet not having a single bit of involvement!

When you say that you don't know how someone got a user name, well, sorry, but it didn't get exposed by us. It is reasonable to ask that we (ArenaNet, PlayNC) keep your information secure. But it is also reasonable of us to ask that you keep your own information secure, too. If someone reveals personal information, puts up a silly security question, or tells a "friend" his password, something bad may happen, and there is nothing in the world that any company can do to prevent it. Asking a company to "make everything better" with personal rollbacks or with item restoration doesn't address the core problem. Such an act is absolutely and utterly impossible for us to do, as it starts the ball rolling towards fraud, an increase in scams, game economy damage, and it actually encourages a reduced care for personal security. It also devalues accomplishments and reduces the preciousness of items and gold. ("Oh, well, if my things get taken, they will be replaced.")

The end of the story is that together, with due care and with an eye to always keeping our essential information private, we can prevent account theft and all the pain that comes from it.

Please, Gaile, if you could post in this thread when/if usernames/email addresses can be changed for Guild Wars/NCsoft(store).
I prefer to change acount access information for important accounts on a regular basis, and this has always bothered me about GW.

thx for raising security awareness

This is a very good thread...