PlayNC Account Hacked Help!

U Stole My Donut

Academy Page

Join Date: Feb 2006

Texas

Elite Trained Kindred

W/E

OK, if your PlayNC account gets hacked, is there a way for them to get your credit card number? I know there is nothing they can do for a hacked account except say it's all your fault, but I'm worried about maybe credit card info. Is there anything I need to worry about? God, I'm so pissed. Even though I don't still play GW, I hate to see my things get hacked and stolen! If anyone can help me that would be awesome! Thanks.

Malice Black

Site Legend

Join Date: Oct 2005

Cancel your card, that is #1 on the list... besides that, all you can do is report it to PlayNC.

U Stole My Donut

Academy Page

Join Date: Feb 2006

Texas

Elite Trained Kindred

W/E

But when you make the PlayNC account do you enter your credit card information? I don't remember.

broodijzer

Jungle Guide

Join Date: Jan 2006

void

Mo/

You can test that by making a new account.
I don't remember entering credit card information, but I don't have a credit card.

Malice Black

Site Legend

Join Date: Oct 2005

Quote:
Originally Posted by U Stole My Donut
But when you make the PlayNC account do you enter your credit card information? I don't remember.
Have you bought anything from the online shop?

U Stole My Donut

Academy Page

Join Date: Feb 2006

Texas

Elite Trained Kindred

W/E

Yeah, I have, but it doesn't save your credit card information; you have to enter it again every time you buy something. I just checked by making a new account.

Thallandor

Desert Nomad

Join Date: May 2005

Singapore

Seers of Serpents [SoS]

R/

Hmm, I don't think I will ever use the online store...

Malice Black

Site Legend

Join Date: Oct 2005

Don't... it's a bit dodgy.

Tactical-Dillusions

Desert Nomad

Join Date: May 2005

Grimsby, UK

R/

I'm sure Gaile or Alex would disagree

Manic Smile

Desert Nomad

Join Date: Dec 2005

Hawaii

----- 15^50[Rare] ---- Alliance: ----- [SMS] -----

Is that supposed to make those that were hacked feel better?

A friend of mine who's a mod here lost all his items and gold over this.

I mean it was partly his fault for not using a more complicated password, but it took 70ish tries for him to be hacked. What kinda website allows 70 tries...

Omega X

Ninja Unveiler

Join Date: Jun 2005

Louisiana, USA

Boston Guild[BG]

W/Me

Quote:
Originally Posted by Manic Smile
Is that supposed to make those that were hacked feel better?

A friend of mine who's a mod here lost all his items and gold over this.

I mean it was partly his fault for not using a more complicated password, but it took 70ish tries for him to be hacked. What kinda website allows 70 tries...

They must have gotten most of his login information to try 70 times. Because finding a normal password from scratch takes many more tries than that.

Gaile Gray

ArenaNet

Join Date: Feb 2005

Quote:
Originally Posted by Tactical-Dillusions
I'm sure Gaile or Alex would disagree
Yes, I disagree, if you mean that I'm disagreeing with describing the in-game store as "dodgy." I have used it myself. Yes, gasp!, NCsoft has my personal credit card number. And you know what? They serve hundreds of thousands of players a month, given the popularity of Guild Wars, Lineage, Lineage II, City of Heroes, City of Villains... you see my point? I think that NCsoft, through the PlayNC store, has a good idea of how to protest my privacy and assure my credit card information is safe.

Decide for yourself, by all means. I'm ok with ordering through the store.

Cow Tale

Lion's Arch Merchant

Join Date: Oct 2006

Ocean Shores, Washington

Last Sun Rise

W/Mo

Are there really people who would try to figure out a password from scratch? Sheesh, and I thought by playing GW for 10 hours a day I had no life.

Linksys

Jungle Guide

Join Date: Apr 2006

It's double too difficult to guess someone's login info if you don't even know the email address they use to log in. So for even more security, don't tell anyone the email address you use or your PlayNC login name.

Hockster

Banned

Join Date: Jul 2005

Quote:
Originally Posted by Gaile Gray
Yes, I disagree, if you mean that I'm disagreeing with describing the in-game store as "dodgy." I have used it myself. Yes, gasp!, NCsoft has my personal credit card number. And you know what? They serve hundreds of thousands of players a month, given the popularity of Guild Wars, Lineage, Lineage II, City of Heroes, City of Villains... you see my point? I think that NCsoft, through the PlayNC store, has a good idea of how to protest my privacy and assure my credit card information is safe.

Decide for yourself, by all means. I'm ok with ordering through the store.
Sorry, but PlayNC's account "security" is a total joke. They do not appear to have any sort of account lockout at all. I recently forgot my password to my PlayNC account. After 22 attempts I did finally get in, and all PlayNC did was send me 21 emails that someone from my IP address had attempted account access and if it was not me to contact PlayNC support. That is completely unacceptable. The PlayNC password policy is a total joke, my home network passwords are more secure.

The fact that PlayNC processes thousands of transactions monthly does not mean they are secure. All that means is that there are thousands of potential targets.

Quote:
They must have gotten most of his login information to try 70 times. Because finding a normal password from scratch takes many more tries than that.
PlayNC doesn't offer much in the way of protection. If someone used a character or forum name, it would be relatively simple, but time consuming, to brute force a less than secure password. The fact is that 70 attempts at access without any sort of account lockdown is total bullshit.

King Kong

Krytan Explorer

Join Date: Jan 2006

W/R

Didn't Gaile say she was going to get them to fix some bits of it? 70 attempts is a joke. And to think I was gonna buy a char slot today, think I'll pass on that lol

fenix

Major-General Awesome

Join Date: Aug 2005

Aussie Trolling Crew HQ - Event Organiser and IRC Tiger

Ex Talionis [Law], Trinity of the Ascended [ToA]

W/

Yeah, from what I've heard, PlayNC's security is terrible. There should be AT LEAST a lock out after 5 guesses...

King Kong

Krytan Explorer

Join Date: Jan 2006

W/R

Don't worry, this topic will be off the first page soon, so they won't have to worry about it.

dmndidjit

Academy Page

Join Date: Jul 2006

Quote:
Originally Posted by Gaile Gray
the PlayNC store, has a good idea of how to protest my privacy
Your Freudian Slip is showing. Like most corporations, I'm sure they do protest your privacy.

Saraphim

Jungle Guide

Join Date: Mar 2006

The Hand of Omega [WHO]

E/

Quote:
Originally Posted by Cow Tale
Are there really people who would try to figure out a password from scratch? Sheesh, and I thought by playing GW for 10 hours a day I had no life.
No-one in their right mind tries bruteforcing passwords manually, they'll run a script that'll continuously try until it gets it right. Log-In is definitely half the battle, and if it's an email... then all you have to do is use the same email somewhere else, probably GW related and a hacker has half the info they need. (dependent on the security of sites, no secure server = no absolute security)
Quote:
There should be AT LEAST a lock out after 5 guesses...
Agreed, no lock out is pathetic for a web site that deals with credit card information. I had hoped they'd have rectified this by now, I certainly won't buy any character slots or anything else from there till they do.

TheGuildWarsPenguin

Wilds Pathfinder

Join Date: Aug 2005

Los Angeles, California

Picnic Pioneers

E/

Did they ever fix the thing where you can't get into the ingame store if you don't link your PlayNC account to your GW account and if you did, you can't change your GW login name or password?

mrgoat

Frost Gate Guardian

Join Date: Jul 2006

Quote:
Originally Posted by Gaile Gray
Yes, I disagree, if you mean that I'm disagreeing with describing the in-game store as "dodgy." I have used it myself. Yes, gasp!, NCsoft has my personal credit card number. And you know what? They serve hundreds of thousands of players a month, given the popularity of Guild Wars, Lineage, Lineage II, City of Heroes, City of Villains... you see my point? I think that NCsoft, through the PlayNC store, has a good idea of how to protest my privacy and assure my credit card information is safe.

Decide for yourself, by all means. I'm ok with ordering through the store.
Your strawman is showing. The number of people who play their games has nothing to do with how good their security is. What would be pertinent, is their previous record for good security - but they don't have that. They have a history of bad security policies, but that's pretty different from good ones. The question now is how bad?

Seeing as I know more than you do about this sort of thing, I'm going to stick with my opinion over yours for now. So here's what I think (And this opinion is slightly revised from previous commentary): Not that bad. Rate limiting is a good idea, but an account lock after N guesses would constitute a denial of service vulnerability, and add an associated nightmare in customer service / verification to unlock an account. (Just think what would happen when some ne'er do well decides to use a spam list of emails to lock ~80% of guildwars accounts. Account "theft" isn't the only thing to think about here.) Locking an account after a number of guesses is a bad idea. Limiting it to 5 guesses in 15 minutes, or 30 minutes, or even an hour is a fine and dandy idea, provided it's implemented with an enforcement of complex passwords. That would be enough - it would stop automated attempts to crack your password, and the aforementioned DOS attack would take significant, sustained use of resources to lock any significant portion of accounts and keep them locked. (Actually, add a proper end-to-end encryption scheme in the protocol used to communicate with the server, and then you have enough. I have no evidence if they do any encryption in the gw client or not. If not, sound the klaxons again, it's a problem. I expect something at least equivalent to SSLv3 in the GW store.)

I would like a confirmation though, on whether/how long they keep your credit card information - I have to re-input it each time I buy from the store. If they store it, and I still have to re-enter it, that's pretty silly. If they don't store it at all, then until the IRS decides to tax in-game earnings, I don't much care about their security. And there's exactly zero reason to store it. Subscription-based games are the only ones that should ever need to store that.

After all this, if someone can guess your password in only 70 tries, you are using a bad password (or they achieved a statistical miracle). Stop using your pet's name and your birthday for passwords.
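
Added example, not part of the thread and not PlayNC's or ArenaNet's code: a Python simulation of the three policies argued over above (no limit, a hard lockout after N failures, and "5 guesses in 15 minutes"), run against the 70-guess case. The class names, account name and password are constructed for illustration.

```python
from collections import defaultdict, deque

class NoLimit:
    """Every guess is checked against the password (what posters report)."""
    def allow(self, account, now):
        return True
    def record_failure(self, account, now):
        pass

class HardLockout:
    """Lock the account after max_failures until support unlocks it."""
    def __init__(self, max_failures=5):
        self.max_failures = max_failures
        self.failures = defaultdict(int)
    def allow(self, account, now):
        return self.failures[account] < self.max_failures
    def record_failure(self, account, now):
        self.failures[account] += 1

class SlidingWindow:
    """At most max_failures failed guesses per account in any `window` seconds."""
    def __init__(self, max_failures=5, window=15 * 60):
        self.max_failures = max_failures
        self.window = window
        self.failures = defaultdict(deque)
    def _prune(self, account, now):
        q = self.failures[account]
        while q and now - q[0] >= self.window:
            q.popleft()          # failures older than the window expire
        return q
    def allow(self, account, now):
        return len(self._prune(account, now)) < self.max_failures
    def record_failure(self, account, now):
        self._prune(account, now).append(now)

def attempt(policy, account, guess, real_password, now):
    """Return 'throttled', 'ok' or 'bad'. Throttled guesses are never compared."""
    if not policy.allow(account, now):
        return "throttled"
    if guess == real_password:
        return "ok"
    policy.record_failure(account, now)
    return "bad"

def simulate(policy, guesses=70, owner_login_at=3600):
    """Attacker sends one wrong guess per second, then the owner logs in.
    Returns (guesses actually checked, result of the owner's login)."""
    account, password = "player@example.invalid", "constructed-Passw0rd"
    checked = sum(
        attempt(policy, account, f"wrong{i}", password, now=i) != "throttled"
        for i in range(guesses)
    )
    return checked, attempt(policy, account, password, password, owner_login_at)

if __name__ == "__main__":
    for policy in (NoLimit(), HardLockout(), SlidingWindow()):
        print(type(policy).__name__, simulate(policy))
```

The hard lockout and the sliding window both cut the attacker to 5 checked guesses, but only the window lets the owner back in without a support ticket; a production limiter would usually also key on source IP so one attacker cannot keep a single account throttled cheaply.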

ducktape

Krytan Explorer

Join Date: Jul 2005

W/R

Quote:
Originally Posted by TheGuildWarsPenguin
Did they ever fix the thing where you can't get into the ingame store if you don't link your PlayNC account to your GW account and if you did, you can't change your GW login name or password?
No, but they keep saying "oh we should let the team know about it, it shouldn't be like that". Unfortunately it's still stuck where you can't change your login name or e-mail account for GW if you buy something from the store, which is why many people are not buying things from the store even though they really want to.

cosyfiep

are we there yet?

Join Date: Dec 2005

in a land far far away

guild? I am supposed to have a guild?

Rt/

Heck, even THIS SITE locks you out after 5 bad guesses on the password, and I don't think we are selling anything here! (Are they?)

FeroxC

Krytan Explorer

Join Date: Mar 2006

EOA

P/W

Only 70 attempts! To crack an average password you need thousands and thousands of attempts, enough to strain the login server and get very well noticed (applies to bruteforce & dictionary).

If he got it under a couple of thousand attempts it means you've been infected with a trojan/keylogger and he's probably logged every password/number you've entered since.

It's not PlayNC's fault, it's your lax PC security.

ducktape

Krytan Explorer

Join Date: Jul 2005

W/R

I think the point is that 70 attempts is a ridiculous number of consecutive wrong password attempts to allow. I'm sure it would have let the attacker keep guessing and guessing and guessing indefinitely.

Eviance

Desert Nomad

Join Date: Nov 2005

Eh I forget... o_O

Biscuit of Dewm [MEEP]

R/

Quote:
Originally Posted by FeroxC
Only 70 attempts! To crack an average password you need thousands and thousands of attempts, enough to strain the login server and get very well noticed (applies to bruteforce & dictionary).

If he got it under a couple of thousand attempts it means you've been infected with a trojan/keylogger and he's probably logged every password/number you've entered since.

It's not PlayNC's fault, it's your lax PC security.
I agree that if his password was complex enough, even average then it must have been a keylogger or someone he knew possibly. Now what he should do is sweep his PC like I had to and then go back through any accounts that have important info and change all the passwords. I had to do this, it's no fun and luckily thanks to my bank account I was able to realise I had a keylogger within a few days of it being on my PC, so it wasn't that bad. Still it took me two days to get all my accounts sorted with my GW account being the most difficult! I was stupid when downloading a poker program -_-

HOWEVER at the same time there was another thread going on about PlayNC's lack of security. At that time Gaile said that there was a login temp-lock in place but when myself and a few others checked into it, that wasn't the case. I'm really hoping that they are still working on this issue and that it can be resolved in the VERY near future so that these things happen less often, even to the stupid people who fail to use complex passwords. Mine was complex enough but now it's almost too much for myself to log in with lol.

To the OP: Good luck and do your best to clean your PC to make sure it wasn't a keylogger/trojan. If it was then everything you're accessing including online banking, emails, ebay, paypal.. EVERYTHING is at risk! I've been there it's no fun! Glad to hear that at least your credit card info via plaync wasn't acquired ^_^

Edit: ONE last thing! Check your connection and make sure you don't have a piggy back! Password your PC so that no one can gain access from across the street! That was a tip a guildie gave to me and I actually had someone attempt 9 times to log on to my plaync account once via an IP that was near to me, so I am guessing that's what had happened there.

Spydergst1

Frost Gate Guardian

Join Date: Mar 2006

Chicago

W/R

I know this does not pertain to PlayNC or give you direct advice for your situation but I thought you might find this info useful someday.

1. If you stay at a hotel/motel. Do not give your room “key card” back. It contains all your information including credit card. The hotel staff puts it on top of the deck of available room keys and your info stays on it for someone to grab. Recent news reports of people stealing identities from the hotel they worked at were in the news just a few months ago. The hotel writes off the loss of the key cards so don't worry and they don't charge you extra for not turning it in. I KNOW! Someone in my family owns a hotel.

2. Write on the back of all your credit/debit cards (NOT YOUR SIGNATURE)!! Write "Photo ID Required". That way no one can slip a purchase past a dip shit cashier who is not paying attention.

3. Shred (don't just rip up) all your credit card application junk mail. YES, YES, YES, people do go through your garbage. For instance, I always thought no one goes through my garbage! One day a woman, her son and a cop come to my door and complain about porn movies being in the garbage. Living in a 6 unit apartment building at the time it could have been anyone. It sure wasn't me. Another time I threw away a certificate on a wood plaque I was given by my father for Karate when I was young. A few weeks later someone told my dad they were garbage diving and found it and gave it to my dad. I lived about 10 miles from my dad at the time. He was upset. Point is people do go through your garbage and WILL steal your identity and tape up and turn in those credit card applications with a different address under your name.

4. Never click a link provided in an email which requires you to login with an account. For example there are scammers who create web pages that look exactly like eBay's website and send you emails stating your account has been hacked. Login to correct the problem or, I bought an ebay item from you and I want it. They will have links. Once you click the link you are taken to a bogus website which looks exactly like the real thing with verisign security logos trying to make you believe it is the real website. Once you login it records your login info and now they have your ebay account information or the website they are trying to scam your account for. I like to click the link and put "here is my login info" in the username field and F**k off scammer in the password field. But if you do that they will know that your email account is active since you clicked the link and they will keep sending bogus emails.

There are more tips but I feel I have provided enough here
Good Luck

Grais

Frost Gate Guardian

Join Date: Mar 2006

The Tools

Quote:
Are there really people who would try to figure out a password from scratch? Sheesh, and I thought by playing GW for 10 hours a day I had no life.
Do a google for bruteforce password crackers, there are a ton of them, most legal and designed to figure out the password on that obscure app. or program that you forgot, I have used one for just such an occasion, and it took about ten minutes to figure out an 8 digit code.
But of course they are also available to try to bruteforce any password out there. So be cautious and careful.

cjb909

Ascalonian Squire

Join Date: Apr 2006

Friggen Awesome

R/Me

Quote:
Originally Posted by Spydergst1
1. If you stay at a hotel/motel. Do not give your room “key card” back. It contains all your information including credit card. The hotel staff puts it on top of the deck of available room keys and your info stays on it for someone to grab. Recent news reports of people stealing identities from the hotel they worked at were in the news just a few months ago. The hotel writes off the loss of the key cards so don't worry and they don't charge you extra for not turning it in. I KNOW! Someone in my family owns a hotel.
I'm calling BS. http://www.snopes.com/crime/warnings/hotelkey.asp
They don't put anything on the cards except an ID number.

Quote:
Originally Posted by Spydergst1
2. Write on the back of all your credit/debit cards (NOT YOUR SIGNATURE)!! Write "Photo ID Required". That way no one can slip a purchase past a dip shit cashier who is not paying attention.
Good idea, but doesn't usually work too well. With the ability to purchase online, or even swiping the card yourself at the checkout, most cashiers don't ever handle your card. And when they do....they don't care. My dad has written on his card "Check for ID", he asked the cashier what it said, and the cashier told him. And that was all.

I don't know anything about number 3, and for number 4, yeah watch out for phishing sites.

luinks

Frost Gate Guardian

Join Date: May 2006

Purple Ravens

Mo/E

Also the client itself has flaws, you can check this thread, it also has good tips for account security. No response was given at the time I wrote the thread by Anet about the infinite attempts you can do in the log-in screen...
http://www.guildwarsguru.com/forum/s...php?t=10081483

Ritualistic Spankin

Academy Page

Join Date: Aug 2006

Threads like this will keep coming around until this problem is fixed, and I think that is the only way it is going to be addressed. Ideally, the more pressure we apply to the problem, the sooner it will get resolved.

Also on a password security note: When choosing a password, don't just pick a word, most bruteforce programs that I have encountered run through a known list of words from the dictionary, thus cutting down the time it takes to access an account.

You should use a combination of numbers, lowercase, and uppercase letters in your password. However all it takes is 1 keylogger and that goes out the window.

...I guess take that for what it is worth.