If you've been hacked, post in Riverside and I'll merge it into the other thread here: http://www.guildwarsguru.com/forum/s...php?t=10407405.
If you've received a 045 error about account fraud your posts should go here: http://www.guildwarsguru.com/forum/s...php?t=10376668.
If you have posted previously, please first see if your story is already in the correct thread. This will allow Anet to know your situation. It will allow your voice to be heard. It will also allow others to make their own conclusions based on user reports without having to filter through hundreds of comments.
In the meantime, read this on security, run this to download anti-malware software, go here to ask for support on your issue.
Hacked/Fraud or Account Security Threads - Updated 1/03/10
Inde
I've reconsidered keeping this a discussion thread. I would like the user's experience and the ArenaNet responses to really just stand for themselves. Accusations can fly back and forth and I would rather make sure that everyone is aware of information firsthand rather than leave it up for speculation and debate.
http://wiki.guildwars.com/wiki/Feedb..._Account_Hacks
Quote:
Originally Posted by Gaile Gray
I have been actively discussing the stolen/hacked account issue with devs inside ArenaNet and with a number of NCsoft team members, as well. We have many teams involved -- programmers, network team members, security team members, etc. -- so you can be sure this situation is being given a great deal of focus and attention.
While I cannot and would not say flat out that "It's not (something or other)" because we don't have enough information yet to make that statement, I can tell you that we carefully spot-checked a few accounts last evening, and at least one of them was not tied to a NCsoft Master Account. The hacked account was a straight Guild Wars account with no association whatever with the NCsoft site. So theorizing that there is a breach or a window of hacking opportunity on that site -- and that such a weakness is resulting in stolen accounts -- seems inaccurate, given the facts in front of us. In my opinion, it would be an error to combine posts about accidental blocks for fraud and posts about stolen accounts. They are entirely different situations, and should be discussed separately, as they are being handled differently. I've already informed you as much as I am able about the fraud issue just above. (See this conversation, please.) And as I said, stolen accounts are a very different case. Both situations are being reviewed and both are being addressed as quickly as possible. Everyone who gets an in-game message saying his or her account is blocked should contact support. If your account was hacked, you will most likely receive a message when you try to log into the game that says the account has been terminated. This is for your own protection, an attempt to prevent the RMT thief from stripping the account or using it to advertise gold sales. (Of course we cannot guarantee that the account will remain intact; the items may already have been harvested. But we lock down the account as quickly as possible in your best interests and will unlock it when you contact Support.) When writing, provide the error message that you received so that the team can quickly align your issue -- hacked account or erroneous "fraud" ban. Please let me know if you have further questions and I will help as much as I am able to do so. 
Thanks for reading this and please feel free to share this with others, as you see fit. -- Gaile 19:57, 4 November 2009 (UTC)
I want to point out that the forum has two separate threads on the ongoing issues of account theft and accounts accidentally marked for "fraud." That will help keep the conversations topical and of more value to the individuals who are affected. -- Gaile 20:27, 4 November 2009 (UTC)
Inde
Updates on those with 045 errors:
http://wiki.guildwars.com/wiki/Feedb...ks:_1_Nov_2009
Quote:
Originally Posted by Gaile Gray
Erroneous Fraud Blocks: 1 Nov 2009
On Sunday, November 1st, a few Guild Wars accounts were erroneously blocked for payment fraud even though their purchases were entirely legitimate. It is necessary for the company to be very careful about fraud because it is a significant issue these days, but the Support Team discovered this morning that, unfortunately, a few innocent folks got caught in the net yesterday, and for that we apologize. The Support Team is aware of this situation and is actually shifting personnel to deal with the issue. They will be responding to tickets as quickly as they can. Reinstatement takes a bit of time because each key must be adjusted manually (and some accounts have many keys), so please be patient while the team strives to remedy the situation. If your account was affected and you have not been reinstated by tomorrow evening (Tuesday, November 3rd) please feel free to post your Support Incident Number here and I will look into the matter for you. Again, we extend our sincere apologies for this mix-up! -- Gaile 19:51, 2 November 2009 (UTC)
Update: 2 November 2009
Those players who were involved in this specific incident will be happy to know that their patience and understanding will have a reward. Those of you who attempted to make a purchase and were erroneously blocked for "fraud" will find that the purchase price will be credited back to you, and the item or items that you attempted to purchase will be given to you with our compliments. -- Gaile 01:12, 3 November 2009 (UTC)
Update: 4 November 2009
Unfortunately, I'm not able to review individual tickets yet. I have sent for an update on the expected turn-around time on this issue and will post as soon as I know more. At this point, please hold tight and don't post a follow-up here (or via fan forum PMs or emails to me) until I find out when folks should expect to hear back from the team. Thank you. -- Gaile 20:23, 4 November 2009 (UTC)
Update: 4 November 2009 (Part 2)
I spoke with the lead of the Billing Team, and he told me that they are making progress on the account restorations, but it will take more time to get everyone back into the game. Team members are working overtime this evening, and the hope is that they will have everyone who wrote on Sunday, Monday, and Tuesday cleared up by tonight (US time). They still have an expanded number of people working on this matter, so we hope to get new reports turned around very quickly now. Please do not make a phone call if you have already submitted a ticket. Please do not submit a duplicate ticket. Please do know that you are in the system, and you will be helped as quickly as possible. Here is one of Gaile's Lame Analogies (tm): Mom's cooking dinner, making good progress. But the kids keep calling her into their room to ask "Is dinner ready yet?" Every time they do that, cooking stops, and the dinner is further delayed. (See I told you it was lame.) The point is, a phone call will not move you up in the queue, but it will take team members away from the ticket they are dealing with -- maybe yours! -- and that's not going to help anyone. So please, contact support once, and let them do their work. I will post another update as I have more information. If a few of you end up not getting sorted after I've been told we have an "All Clear," you can count on me helping with those individuals' cases. (But not just yet, please.) Thanks again for your patience. -- Gaile 03:36, 5 November 2009 (UTC)
Inde
Quote:
Originally Posted by Gaile Gray
I have a thought to share. The most reasonable conclusion that we have been able to draw, so far, is that the hackers are getting account credentials external to Guild Wars and external to the NCsoft Master Account. They are then hacking their victims by using the actual credentials, as if they owned the account. Most victims have used those credentials elsewhere. Maybe their game account and their email share credentials; maybe they use the same in the game and in a fan forum. Some of the largest forum software programs (the ones whose names you know) and some of the major social networking sites have very grave security issues. It clearly is possible for a hacker to acquire a list of where you're active and what passwords you are using. And that ties in with what I see in researching hacks. The hacker may try three or four passwords, but he's gotten those passwords somewhere, he's not guessing. (Velocity systems will slow this down, but they will not prevent access when someone has legitimate passwords.)
I want to emphasize that we're looking at every level of our systems -- both Guild Wars/ArenaNet and NCsoft -- but we're not finding any sort of weakness. I've talked to a lot of hacking victims and I have the stats, but I won't go all formal on you. Let's just say that a significant number of victims (the vast majority) confess that they were using a weak password. Many say they use the same password everywhere or use it in places where hackers naturally would look, like the game and a fan forum. Others can't be sure exactly where they may have used the same credentials, but admit it is possible that they did. Our Security Operations Team feels that it is this shared credentials situation that is allowing the hacks to happen. So the best advice I can give you is as follows:
Quote:
Originally Posted by Gaile Gray
I knew, as I typed the above, that someone would ask about changing a user name once tied to an NCsoft Master Account. It only took minutes for that question to arise. And I know that this is something that we need to make changes to allow. In all honesty, I have been working for nearly 5 years to get this change made, but there are reasons why it hasn't happened, mostly related to the fact that multiple teams need to be involved, the change is not a trivial one, and naturally great care must be taken to ensure that security remains high.
However, in light of the recent increase in account thefts, I've taken the opportunity to bring this up yet again. (As I wrote that email, I could almost hear a few folks sighing, at my persistence.) I will ask about this again next week, for I have a meeting with some folks who may be able to shed a bit of light on when we can make it possible to change a Guild Wars game user name for an account that is tied to an NCsoft Master Account (formerly called a PlayNC Account). If I get info, I'll share it. If I don't get info, count on me to continue to try to get it. -- Gaile 02:46, 8 November 2009 (UTC)
Quote:
Originally Posted by Gaile Gray
Dozens of people and companies have your email address. But unless you use a weak password, none of those entities can steal your account. While I think we need to allow the changing of the user name, that is not the be-all and end-all for this situation, for appropriate personal security and a complex password are the key. -- Gaile 07:08, 8 November 2009 (UTC)
Quote:
Originally Posted by Gaile Gray
I will be happy to explain. If an external site is insecure, and someone manages to obtain account credentials, having one's name as a "Top Trader" or "the person who has a gazillion ectos to trade" can provide an impetus for a hacker to focus on accessing that particular account. And a lot of times, one's character name may be Fred the Warrior and their account email address may be [email protected].
One of our security agents was able to find every one of a sample list of hacked accounts that I sent him with a simple Google search. I don't mean he acquired their credentials but he did learn where they were active, and knowing one point of data can lead to others. So the suggestion about keeping one's character names a bit on the private side is intended as an idea about achieving, perhaps, an extra means of security. It may be overdoing the matter; that's up to you to decide. After all, the suggestion about character names does not form the main thrust of my advice, which concerns using unique user names and unique passwords. -- Gaile 04:28, 12 November 2009 (UTC)
Quote:
Originally Posted by Gaile Gray
We learned today that one of the trading sites associated with Guild Wars may have experienced a security breach and its account database (including user names and passwords) may be in the hands of hackers. So far we have identified more than 20 Guild Wars accounts that appear to have been accessed by unauthorized individuals who may have been involved in the fansite's database breach.
Our security recommendations have never been more timely, particularly those that suggest that you always use a unique password for every single account that you own. We have closed the game accounts of those involved in the account thefts. We will be watchful for further episodes. And we will be contacting the fansite owner to continue gathering information related to this incident. -- Gaile 21:48, 9 November 2009 (UTC)
Inde
Quote:
Originally Posted by Gaile Gray
I am concerned that you've blamed the unauthorized access to your account on NCsoft or ArenaNet. That simply is not an appropriate thing to say. Google posts do not necessarily equal fact, although if you wish you can email me the links and I'll be happy to review them. NCsoft has historically been very open about security issues in the past and I believe that NCsoft and ArenaNet would be forthright about any internal vulnerabilities if they were discovered today.
We are reviewing security at every level. We have identified a potential breach via one fansite; we've been told that many others may be at risk. In your personal situation, you may believe (or know) that those vulnerabilities don't relate to your account theft. But since we are still looking into this, it's too early to lay blame anywhere other than with the known issues, and it's highly inappropriate to draw any conclusions, including one that leads you to believe that ArenaNet or NCsoft is responsible for your account's loss. I sympathize for the loss of your items, I truly do. But I think everyone should be responsible and appropriately accurate about statements of blame. An internal vulnerability has been disproved on every level of investigation we've conducted thus far. -- Gaile 21:14, 13 November 2009 (UTC) |
Quote:
Originally Posted by Gaile Gray
My professionalism prevents me from using expressions like "Are you nuts?" But I'm going to slip that in there just as a little nudge. Are you suggesting that the company would somehow allow RMTs to flourish because we'd sell more games when they replace closed accounts? Think about it! NCsoft is a multi-billion-dollar company. Would they risk their global reputation to sell a few games? A thousand games? A million games? NCsoft is in this industry for the long haul, and reputation is critical!
You should know this important fact: RMTs seldom buy games. They steal them. They steal them from people who buy their gold or items. They steal them by injecting Trojans onto game or forum accounts and keylogging the passwords. They steal them through social engineering. They steal them through hacking fan forum databases, finding people with shared credentials, and taking over the account. For every new account an RMT buys -- if they buy any at all -- we're looking at the costs of assisting dozens if not hundreds of their victims. There's a seriously horrible cost/benefit ratio to selling an account and having to resolve 20 support claims (each of which is probably more costly than the profit from a game sale). We spend thousands of dollars a day taking action on all sorts of accounts, from cheaters to harassers to RMTs. We are highly incented to keep the RMTs out of the game, and we put our dollars where our philosophy is by paying for staff to remove them. And we remove them not because we want them to buy a new game, but because their activities have a harmful effect on legitimate players. If our diligence drives some away from Guild Wars -- and it has in the past -- we help support the game economy and we reduce the security risks of RMTs trying every means under the sun to steal your account. -- Gaile 21:29, 13 November 2009 (UTC) |
Inde
Quote:
Originally Posted by Gaile Gray
As simply as I can put it: When we have information, we share it. We have frequently run in-game messages on this subject, and I update these pages when there is a new incident or when there are new details on a previous report. We have no idea whose information has been compromised, and therefore we cannot send them some sort of "pre-hack" warning. The reason we don't know future victims is because we do not know all the means by which hackers are gaining account credentials. (Obviously, keyloggers, social engineering, insecure external sites all play a partial role.)
We are engaged in internal research and are casting our eye externally, too, because everything so far points to the fact that the breach is external to the game and our network. We do know of the breach of one fansite's database and are working with that site's owner. (A player report led to this discovery, incidentally.) This evening the Community Team contacted all fansite owners or administrators to provide them with information that may help them make their sites more secure. We hope that all fansites will post the information we've shared, and that all players will do what they can to secure or re-secure their accounts. (Forgive me for linking to our Account Security page yet again, but I'll take any means I can to get that info to players!) Now, please don't think I'm minimizing the concerns you've expressed, or that I've adopted a so-called "company line" that seeks to brush off our responsibilities. I sent an email to Mike O'Brien, the president of ArenaNet, just last night, and also included the Executive Vice President as well. The email keeps them fully apprised of the situation and invites their insights. I've also been in touch with a few dozen people at ArenaNet and NCsoft West in Austin, Brighton, and Seattle. When one of us gets new information, a whole bunch of people get it, too, and we discuss and analyze it. We seek assessments from those who can respond in context -- for example, a network programmer or a security expert. In the end, we've eliminated some possibilities, we've discovered an issue (the fansite breach) that may have a wider impact, and we're continuing to look into this matter because we do, and should, take this matter extremely seriously. Again, when we have more information, we will share it. -- Gaile 02:22, 14 November 2009 (UTC) |
Quote:
Originally Posted by Gaile Gray
There are multiple, specific messages on the log-in screen. They are rotated, and are designed to pertain to certain elements of the overall security issue. If there isn't such a message this week, I agree that there should be and I will ask that we get it into the rotation as soon as possible. I don't know about in-game chats nor fansites. Please feel free to address questions about those forms of communication to the Community Team. And no, the fansite hacking to which you refer was not a "major cause" of the issue. The one that I detailed on these pages turned out to involve only about 30 people, hardly a "major" event, I'm sure you'd agree. (Unless, it goes without saying, you were one of the 30.)
I have asked that we change/increase/beef-up our in-game (log-in screen) messaging, but there was concern that putting huge, flashing "WARNING" messages (which I suggested, only half in jest) would cause a major panic. So instead, we offer the existing messages, changing out the wording and rotating the messages themselves in an attempt to increase readership. This page is something I offer as a courtesy, usually constructed more on my own time (as now) than on company time. If folks don't know about the page, I am not sure how to increase awareness. Perhaps you have suggestions about that. If so, I am more than happy to hear them. -- Gaile 06:58, 21 November 2009 (UTC) |
Quote:
Originally Posted by Gaile Gray
Update: 2 December 2009
We did confirm that one fansite had a security breach. The website owner has been very open and forthcoming about the issue. The webmaster posted on the site to let site visitors know about the situation and to urge site members to update their credentials in order to eliminate matching credentials on the site and on any game account. We appreciate the fansite staff’s cooperation and believe that the enhanced security that the webmaster suggested will help prevent further breaches related to that site’s issue. As mentioned previously, all fansites for which we have current contact information have been contacted by the Community Team to heighten their awareness of security concerns. -- Gaile 00:52, 3 December 2009 (UTC) |
Inde
Quote:
Originally Posted by Gaile Gray
As always, I appreciate the helpful input on this situation. You can count on your ideas being relayed to the team members who are, at this very time, focusing their efforts on improving account security. Thanks. -- Gaile 00:14, 15 December 2009 (UTC)
Quote:
Originally Posted by Gaile Gray
I have been reading that thread, and I admire a lot of the ideas that are coming out of it, particularly the ideas of a practical nature. Some are good, some aren't so good, or are not do-able, but overall, there's a lot of value in a thread that offers honest, player-driven input on a critical matter. You will be hearing soon about this matter, but I can tell you that we do continue to keep security at the forefront of our priorities on a daily basis, and the current concerns expressed by players have only heightened our focus. -- Gaile 02:54, 15 December 2009 (UTC)
Inde
Quote:
Originally Posted by Gaile Gray
I've noticed a number of comments about NCsoft Master Accounts and hacked game accounts. It appears that some players are assuming that there is a connection, that if you have an NCsoft Master Account (NCMA) you may be at increased risk of account theft. We have conducted extensive research on this factor, and I have data as current as this morning that shows that this does not appear to be true. Of a cross-sampling of accounts, nearly half did not have an NCMA at all. I hope that this information puts your mind at ease on any perceived "risk factor" regarding whether a game account is tied to an NCMA or not, for that truly does not seem to be an element in the current situation.
Today, as many have already noted, we changed the in-game account security messaging to make it more noticeable. (Feedback given in an existing thread will be relayed to the Live Team.) More information on the subject of account security will be coming soon. -- Gaile 21:34, 15 December 2009 (UTC) |
Quote:
Originally Posted by Gaile Gray
Allow me to disabuse you of an erroneous assumption: My statements do not in any way pertain to the totality of our research, nor do they relate to a sole or singular approach being taken in investigating hacking/theft incidents. We are most definitely not looking solely for a commonality of attack. We are not looking exclusively for a single person or entity involved with account thefts, although we know nearly all are being carried out by a specific group in a certain location. Some players have publicly stated an assumption about NCMA security and its purported "connection" to account thefts. With support from the Community Team and the developers, I have informed people that such an assumption is wrong, as above.
Please do not take my comments out of context, nor perceive in them a singularity of view on our part, for that would most definitely not be factual. Do not assume that your comments -- tantamount to "Because you are looking behind the door, you are not seeing the burglar in the closet" -- represent the truth of the situation, for they do not. Research covers a wide variety of points of evidence that merely includes the NCMA, but does not focus upon it with any single-faceted vision whatsoever. As far as your concerns about the NCMA and processes connected with it, I believe that all those observations are known to the NCsoft team. However, I will review the thread in question and will be sure to send a single message with all valid concerns to the team, for their focus and action, as possible. Thank you for encapsulating several valid comments in a single thread. -- Gaile 00:04, 16 December 2009 (UTC) |
Arkantos
Posted on the official wiki:
Will keep thread updated as more security updates come.
Quote:
Jan 1 ArenaNet and NCsoft staff members have been discussing the possible security issues pointed out by players in various forum threads. We absolutely do take these concerns seriously, and measures are being and will continue to be taken to address the concerns on several levels. A change in one of the NCMA processes is being made even as I write, and I think you will all agree that this change will help tremendously in enforcing a high level of account security. I just want to say I'm very grateful to the people who have been involved. They are working on a holiday, some of them away from home, and they've just been splendid in getting into this, to listening, to looking at what they can do to help -- to taking the whole matter on board and making definite improvements in very short order. Research continues and additional changes may be put in place. But if you try to change your password on the NCsoft site, you will notice a change, I'm sure, that will enhance account security now and in the future.
Quote:
Jan 2 Additional security measures were instituted today in connection with NCsoft Master Accounts, following yesterday's update that provided higher security for Guild Wars game accounts. Please note that the prompt response of the team to player concerns about security should be seen as a proactive, positive response to the possibility of an issue, rather than "proof" that such an issue existed. Rest assured that research is continuing and additional measures can and will be taken if they are needed. We've seen two reports: There's a known issue with an Aion forum. There's a claimed issue that allows people to "jump" between NCMAs, either intentionally or accidentally. Has anyone had personal experience with the second? I recently read on a forum thread (yes, I read them from time to time) that only one person made the second claim. With no evidence to support it, and with that person reportedly absent in recent days, it would be helpful to have something more than relayed, repeated, or rumor-based info. Anyone with actual experience with this, please drop me a line at [email protected]. Thanks!
Clif Notes for today's update:
* New security measures are in place which we believe will address some of the concerns that have been expressed in recent days.
* Research continues.
Thanks for reading.
Quote:
Jan 3 Players have expressed concerns that would-be account thieves might be able to acquire Guild Wars character names from support tickets tied to their NCsoft Master Account (NCMA). But it's important to note that NCsoft customers can have up to three separate accounts: a game account, a NCsoft Master Account, and a support account. The support account is not tied to the NCMA. So even if a player's support ticket does contain a character name, that name will remain hidden because support tickets are not viewable through the NCMA. Testing continues related to the report of switching between NCMAs. After more than 230,000 attempts, a team member has been unable to effect even one switch between NCMAs. The teams will continue to do more research, of course, and more details will be provided in the near future. Please be assured that this concern remains a top priority with ArenaNet and NCsoft. -- Gaile 00:02, 4 January 2010 (UTC) |