Character Deletion Improvements!

Because, when you boil it down to basics, I'll bet you every single person that's had their account stolen wasn't concerned about their security AT ALL, at least not enough to take any steps to ensure their security, aside from setting an insanely easy password like their first name, or "password" that they use for absolutly everything, and probably even using a very public email adress that they probably use for everything like instant messenger, and fourms, even Guru Auction...

If they were actually concerned about their online security, and took reasonable precautions, I'll bet you that absolutly 0 people would have had their accounts stolen. Because of this, I see no reason to improve the existing system, aside from the current yet fairly minor flaws in the Play NC system, which, are already being worked on.

/not signed

At the very least limit any restrictions on character deletion to PVE characters.

/signed the part about using a password to delete it

What would it hurt?

/signed

Umm..

New ssystem #1:

When you delete a character, you just disable it, and you have to wait 14 days for it to be deleted entirely.

In this way, it's impossible for the hacker just to delete it and leave.

Problems with this idea is that, you may need the space of the deleted character right away,

Solution #1:

When you disable a character, you will get a free slot open, but if you decide to get the character back, you need to give up a free slot. Problem solved.

/signed

/signed but....

If they already got into your account, that means YOU did something wrong.

Usually around the password idea of making it really easy. Or telling it. Or using 3rd Party Programs.

Secondly, "Setting up and Extra Password" ... Wtf? If they already got into your account, setting up and extra password si nto going to do you any good.

Hell no, I don't want to keep confirming my Email just to delete PvP characters.

To have to make all sorts of confirmations and such just to delete your character is a bit annoying. I suppose if it's optional that's fine, but meh. It seems a bit extreme.

I do like the idea of having an email sent to you if the wrong password is used too many times. Perhaps even lock the account if that happens, requiring the account holder to respond to the email or click a link in it to unlock the account again.

Later

Ok....my idea might have been lost on all these posts, so I will remake it whith "easy-to-follow" steps:

1. a PIN number would be added to the account password system, this would be a 4 type number (got the idea from my phone). And it would act as a confirmation password, witch would be 100% configurable for the areas you want it to kick in... none / char deleting / storage access / change e-mail / all previous / -type here more suggestions-

2. Confirmation e-mail for deleting and "14 days period" is just wrong. Everything have to be built into the game client, and also, instantaneous. SO, for deleting a char, you type in his name THEN if you configured it to, you would have to go for the PIN as well.

3. Track of how many incorrect attempts have been made to access your account, AND a 24hs lockdown if it is typed wrong 5 times in a row (lets simplify it, no need for IP track or anything, just HOW MANY incorrect attempts had been made since your last log-out with the time for the last one will suffice). This would show on the char selection screen right after you log in as a pop up message you had to click OK to get rid, so it is 100% visible and you won’t simply select the char and forget about it on the corner of your eye.

-------------------------------

Ok, this is fair, easy to implement, optional and will make things a lot more secure and reliable, while not being a burden to anyone that don’t think they need it (the PIN suggestion). Off course, NONE of this would EVER be effective if number "2" and "3" are not added to the playNC account as well. Also it is obvious that all the security bugs have to be addressed and fixed as soon as possible.

Hope things are clearer now and people can actually have an opinion based exactly on what I suggested in the first place.

As for the other suggestions stated on this topic, since they require additional programs (e-mail clients and all) and time consuming activities I would REALY be against them.

Latter.

ok....but if we have a PIN thingy make it something we can click on screen and make sure the numbers move around like runescape...that way theres no possible way for them to see what we are clicking

/signed , happened to me too, I know how it feels

I don't think this will solve the issue either. You see, to access your account they need to know your account name, which in Guild Wars is your email. I highly dbout anyone who hasn't taken the steps to ensure their online security is going to have a different email and guildwars account password...

Which just puts us back at square one, because it wouldn't actually solve anything. The only thing that will consistently solve the issue is people taking perfectly reasonable precautions to ensure their own online security... Somthing that most people are unwilling to do, because they are ignorant, stupid, or are simply lazy.

Ok Eragon, even I got to say this a is a little too much for an online game.

These kinds of measures are expensive and time consuming for developers, and even thought I would love to agree "everything is possible", the little green paper notes tend to tell me otherwise. All the suggestions I made where based on availability for the developers to implement without much trouble, and this one is not.

On most cases, a simple password is enough to maintain a sustainable level of security. In GW (and other online games), since we are dealing of SO MUCH valuable accounts, a second and more complex system is required, but we gotta avoid exaggerations like the one you suggested. In a gaming scenario, I think these steps I stated are enough.

Just to be clear, I am not shutting your idea out, I just don't THINK it is the way to go with the suggestions I made, way too outrageous for the needs the GW user’s have.

Latter.

I wish people would take responsibility for letting someone figure out their password, instead of making anet spend time on idiot-proofing character deletion.

*sigh*

Has anyone though of just doing this for PvE characters only?

i.e you can just delete a PvP character easily, but you have to access your email for a PvE character.

Maybe we could even restrict it to PvE characters level 3 or above that need emails, or a pin/password or whatever.

/not signed

The game is already too idiot proofed. There's far too many clicking Yes 5 times, or confirming decisions over and over as it is. Yes it sucks to lose your account. But the simple fact is the only way to realisticaly brute force someones password is if that password was stupidly simple.

Dumbing down an already simple game......no thanks.

/signed

An optional lockdown option would be great. That way PvP characters, and trying-things-out characters can be deleted and remade to the player's heart content without problems. And favorite, long time characters can be locked down by the player and will need email verification to be deleted.

/MEGA SINGAGE

for those who isnt in the know, ppls accounts were hacked through anets own servers. im guessing guinivere was one of them. it happened to alot of ppl. so first dont assume they werent carefull enough on there own. theres no security that would have prevented it other than this idea of being able to lock down chars. hope u guys feel better now on blaming others for there mis fortunes. there was even announcement on anet and here about it if u dont believe me http://www.guildwarsguru.com/forum/s...php?t=10048864

Yes, and in that same post, gaile gray stipulated some of the ways people can avoid accounts being stolen etc.

Theres no security that would be able to stop someone who has already hacked your account from deleting your characters. If they know your account name then, having to retype in your email is useless, if they already know your password, then having to retype in your password is useless.

Hi, you obviously saw a thread about the Play NC accounts, however, you clearly failed to understand it. Yes, there are flaws in the play nc security system, however, they are by absolutly no means large enough that you would get your account hacked if you were the least bit carefull.

Play NC is working on correcting the problem they have. However, if people weren't stupid/lazy and didn't set amazingly easy security questions/passwords, they wouldn't have been hacked. However, [email protected](this is just an example, so if this is a real email adress don't email them...) did make his password "bigmike53", for both his GuildWars account, his email account and his play nc account... I fail to see how someone using somthing like that as a password, and using that same password for every single service is anyones' fault but their own.

Oh, and before you comment on somthing as if it is fact, make sure you have some understanding of what you're talking about, ok? I mean you have the general idea, sort of.. But you're absolutly wrong on all the specifics.

/signed. at least use this noise i made to improve security for other people in the (hope near) future

oh, and i find somehow insulting that random people without any knowledge at all about my specific situation feel free to throw accusations about security on my side.

/signed

but make it not affect pvp chars

/no

Too much crap just for a game.

/not signed

If you got hacked its probably your fault which is very probable or a slight chance of a security breach or something. Im guessing in the case of this Guneverere person someone guessed their password or knew their e-mail.

DONT use the same password and email that you use for things like forums (esp. GW-related forums) Maybe use an e-mail that no one knows and a password thats not stupid and has letters and numbers.

AGAIN???

Guinevere Ac, was that your character with the Tyrian GMC title?

If so, let me know if there is any way I can help you get it back.

Additionally, a lot of the post are guessing or assuming what happened to you, but if you could clarify for the community - that may help more than calling on Anet to institute security protocols - other members won't be victimized like you were.

Based on what I've read previously, GuenevereAC did everything right with firewalls, routine virus + spyware scans, etc... and still got hacked because of gaping security holes on www.plaync.com's web site. That's not the user's fault, but ANET itself.

A secondary password would go a long way towards preventing character deletion since it won't be routinely captured by keyloggers. At the very least, it makes end-game character deletion that much harder for a keylogger script monkey to execute.

/signed.

EDIT: Use a PIN system requiring mouse-clicks with an on-screen-only numeric keypad. This defeats key-loggers since all they will cap are mouse-clicks.

Also, what is required to have ANET perform an account-restore? Even Blizzard's WoW-helpdesk can perform account resets to correct hacked accounts, especially given that ANET's infosec-division failed here.

It was also NCSoft's fault, not just ANet.

That pin system you mentioned would need modification to work. A keylogger doesnt just cap mouse clicks, it caps their X,Y co-ordinates also(well, some do). If the numbers are fixed on the screen then it would be pretty obvious what a click at 274,381(example) would be. The locations of the buttons or the order of the numbers (or both) would need to be randomized.

Coordinates would depend on screen resolution being used along with interface size. The keypad could also be moved around to vary the coordinates data. But yes, scrambling the key positions would also strengthen security.

Another possibilty: have the game issue the delete-code when the deletion-security feature is activated for the character. Since the code doesn't go through the keyboard buffer until it is keyed in for use, key-loggers have zero chance of ever capturing it.

/signed as an optional feature on whichever characters you want.
/signed as an extra pin/password instead of e-mail confirmation to delete.

/signed for pop-up notifications at login and/or e-mail notifications when the wrong password has been entered more than 3 times trying to access your account - that way you can tell when someone is trying to hack your password instead finding out after they have already hacked it and changed it, or worse, find that out after your stuff is gone.


If they give us the option to add a delete-protection password to whichever characters we want (or to skip that entirely) if someone hacks your e-mail password and uses "forgot password" to reset your gw password and steal all your stuff, at least you won't have to start your character over again from scratch. Then people will feel safer about not having a thief delete their characters, and people who could care less don't have to do anything different than they already do to manage their characters.

I think a delete-protection password or pin number would be better than a password or pin just to access the protected character in the first place, that way you're not typing the extra password all the time for it to get keylogged.

I agree that allowing people to set a password to prevent character deletion will probably make some more support tickets for NCSoft to handle for people who forget their delete password, but it's a lot better for their image than having super-pissed off customers with deleted, unrestorable characters every time there's a security problem screaming "OMG YOU RUINED MY LIFE". No offense to anyone who got hacked and deleted, you have every right to feel that way when you have something you poured a lot of effort into taken away because you did your part on security but the software vendor didn't do their part on security. I'd want to start a riot if that ever happened to me!

Anyways, people are not likely to want to delete a character they liked so much as to enable the optional delete-protection feature for it, or at least not use the delete feature very often, so that seems to be the option that would generate less additional I-forgot-my-password support tickets. Just my two cents, overall...

Uhh, Anet does not control the PlayNC site. So shut up when you have no clue.

Duh, read the above section. Hacked Anet servers. HAHAHAHAHAHAHA!!! Sheesh.

Did he/she ever got his char back?

Um, where did you read "hacked ANET servers?" My sole point is that the user played no direct role in compromising his/her personal account. However, security was breached due to weak account security management (using e-mail addresses instead of unique user ID's). PlayNC may not be the same company as ANET, but both have a contractual partnership in developing and maintaining strong system security. I read the above link, and there were more than a few common blunders executed by whoever set up PlayNC's web site, but I guess it doesn't matter since they don't deal with live financial data? A routine security audit would have caught these problems before any data was compromised, but I'm guessing that audits aren't part of PlayNC's + ANET's operating requirements.

PS: As for no clue, my line of work involves Infosec related material dealing with this sort of B.S., but with real world financial data, and I've been doing this stuff for well over a decade...

So, what do you do for a living?

No direct role? The only way a brute force or dictionary password hack attempt works is if the user didn't have the foggiest clue about password security. I'm still leaning towrds this person probably having the password stickie noted to their monitor, but honestly, I couldn't care less about their account, or shortfalls of account security.

The OP's idea is a stupid one that only panders to the people who think everyone else should be responsible for basic internet security. Unless NC Softs servers were comprimised, and I didn't see anythig stating that, accounts that get "hacked" are the ones that a blind one handed monkey could crack.

PS. Of course you do. The real question is did your e-penis get bigger with that statement? yes, that is rhetorical.

Nope, based on the information in the URL you provided, weak security questions involving readily accessible information were the only layer between the hacker and user accounts. Brute force wasn't necessary.

Stronger security is always fine so long as it doesn't impede functionality. PvE Character Deletions are not a routine occurence on any account.

...and uncessary given the age groups that read these forums. If you're really 40 years old, at least make some effort to post like it.