So I read the recent security posts by Gaile and the different posts by people who have lost their accounts but one of the precautions suggested strikes me as odd. How does protecting an in-game-name protect your account?
Accounts are e-mail based, and I know of no way to link an in-game-name to an e-mail account by some sort of in-game action. On forums, I'd expect hackers to go after accounts that advertise good items or just accounts that are easily accessible, not go after people who list an in-game-name.
Unless I'm misunderstanding the situation, it seems like hackers go hold of e-mail accounts under which the forum user had registered, and were able to hack into the e-mail account. From that email account they got access to the GW account, or something along these lines. I don't see how blocking a user's in-game-name adds any security to the process.
So am I missing something or is blocking every user's in-game-name an overreaction?
In game names and security
Iotan
Inde
I'll quote ArenaNet:
Quote:
Originally Posted by Gaile Gray
Quote:
I will be happy to explain. If an external site is insecure, and someone manages to obtain account credentials, having one's name as a "Top Trader" or "the person who has a gazillion ectos to trade" can provide an impetus for a hacker to focus on accessing that particular account. And a lot of times, one's character name may be Fred the Warrior and their account email address may be [email protected].
One of our security agents was able to find every one of a sample list of hacked accounts that I sent him with a simple Google search. I don't mean he acquired their credentials but he did learn where they were active, and knowing one point of data can lead to others.
So the suggestion about keeping one's character names a bit on the private side is intended as an idea about achieving, perhaps, an extra means of security. It may be overdoing the matter; that's up to you to decide. After all, the suggestion about character names does not form the main thrust of my advice, which concerns using unique user names and unique password. -- Gaile 04:28, 12 November 2009 (UTC)
One of our security agents was able to find every one of a sample list of hacked accounts that I sent him with a simple Google search. I don't mean he acquired their credentials but he did learn where they were active, and knowing one point of data can lead to others.
So the suggestion about keeping one's character names a bit on the private side is intended as an idea about achieving, perhaps, an extra means of security. It may be overdoing the matter; that's up to you to decide. After all, the suggestion about character names does not form the main thrust of my advice, which concerns using unique user names and unique password. -- Gaile 04:28, 12 November 2009 (UTC)
HawkofStorms
Makes perfect sense to me. You got my approval. Although I've kept my IGN off guru for a few years, ever since I started getting death threats in game for suggesting nerfing SF in Saradelac (psychos). Only place this will frustrate people is the auction forum.
Black Metal
Gaile has stated twice (in the top stickied thread in the main discussion forum) that a security breach occurred in a fansite that lead to at least some of the stolen in-game accounts. For the sake of people who want to keep their accounts safe, which site was this?
edit: another thought. So we don't have characters / in-game names posted in our profiled any more. So how do we follow through in the buy/sell forums? If the answer is 'pm the guy your details', well that is virtually the same as telling the entire forum the same info.
edit: another thought. So we don't have characters / in-game names posted in our profiled any more. So how do we follow through in the buy/sell forums? If the answer is 'pm the guy your details', well that is virtually the same as telling the entire forum the same info.
Unlucky Slayer
That's the thing. Anet wont tell anyone what site they suspect. Everyone is just speculating on who this could be. This is merely Inde getting ahead of the curve so to speak.
Honestly, Anet/NCSoft needs to take a hard look at their own security before they start suspecting fansites on somewhat baseless "facts".
Honestly, Anet/NCSoft needs to take a hard look at their own security before they start suspecting fansites on somewhat baseless "facts".
Blades Of Decree
I completely disagree with this. If you are dumb enough to name your e-mail after a character name then subsequently advertise yourself you deserve to get hacked.
Another thing is that it has always been the user's choice to display their character name. Seeing as it is a CHOSEN right I don't see the need to remove it entirely. My username on guru is my character name, and I will be using "Location" as character name for now. I encourage others who disagree like me, to set their "Locations" to their character names.
Another thing is that it has always been the user's choice to display their character name. Seeing as it is a CHOSEN right I don't see the need to remove it entirely. My username on guru is my character name, and I will be using "Location" as character name for now. I encourage others who disagree like me, to set their "Locations" to their character names.
Malice Black
I think there is two options here:
1. Deal with it
2. Whine and threaten to never use guru again (oh dear...shame)
The vast majority will choose option 1, the rest can go be petty elsewhere.
1. Deal with it
2. Whine and threaten to never use guru again (oh dear...shame)
The vast majority will choose option 1, the rest can go be petty elsewhere.
Miscreant_Moon
I don't really understand the removal of IGN's either. I mean, you can simply go to the wiki and find out usernames. People have it all listed out over there. If what Gaile said is a concern, why are they promoting that on the GW Wiki? Did Gaile just jump the gun and say that too early? Or are they stretching for answers?
I guess I also have to point out that other games allow you to search for character names, like Aion. You can see their IGN's, full character stats and armor. So what about Anet security is so lacking that this would a concern when other games do this freely? I mean I applaud you Inde for trying to see that we're protected and taking anything that might be a security concern into consideration. But all Gaile's statement did, when compared to what I listed above, just makes me more concerned. I mean, why even bring that up?
I guess I also have to point out that other games allow you to search for character names, like Aion. You can see their IGN's, full character stats and armor. So what about Anet security is so lacking that this would a concern when other games do this freely? I mean I applaud you Inde for trying to see that we're protected and taking anything that might be a security concern into consideration. But all Gaile's statement did, when compared to what I listed above, just makes me more concerned. I mean, why even bring that up?
cosyfiep
I never thought it was a good thing to post your ign....so I never did, and now I feel a bit, uhm, vindicated? I never posted where I really am nor any other relevant information related to my gw account either (and I am a subscriber to the tinfoil hat club too...ask slayer).
Iotan
Well, Gaile's reasoning is fine and all, but then so is "don't use the password 12345." It's just common sense.
I've had my IGN listed on this and other GW fansites for 3 years without a problem. I still see the issue being GW and guru-linked email accounts rather than in-game-names. Going after people in the high-end trade section is going to be the quickest way to steal your way to riches, so are we going to discontinue that section as well? It would be in the best interest of safety...
Sarcasm aside, I guess I'll just put my IGN as my location or something else like that.
I've had my IGN listed on this and other GW fansites for 3 years without a problem. I still see the issue being GW and guru-linked email accounts rather than in-game-names. Going after people in the high-end trade section is going to be the quickest way to steal your way to riches, so are we going to discontinue that section as well? It would be in the best interest of safety...
Sarcasm aside, I guess I'll just put my IGN as my location or something else like that.
Malice Black
Quote:
Originally Posted by Iotan
Well, Gaile's reasoning is fine and all, but then so is "don't use the password 12345." It's just common sense.
I've had my IGN listed on this and other GW fansites for 3 years without a problem. I still see the issue being GW and guru-linked email accounts rather than in-game-names. Going after people in the high-end trade section is going to be the quickest way to steal your way to riches, so are we going to discontinue that section as well? It would be in the best interest of safety...
Sarcasm aside, I guess I'll just put my IGN as my location or something else like that. That is retarded. Show me a top end trader on here that has been hacked lately....
It's well known I'm rich, have I been hacked? No would be the answer to that.
I've had my IGN listed on this and other GW fansites for 3 years without a problem. I still see the issue being GW and guru-linked email accounts rather than in-game-names. Going after people in the high-end trade section is going to be the quickest way to steal your way to riches, so are we going to discontinue that section as well? It would be in the best interest of safety...
Sarcasm aside, I guess I'll just put my IGN as my location or something else like that. That is retarded. Show me a top end trader on here that has been hacked lately....
It's well known I'm rich, have I been hacked? No would be the answer to that.
Yang Whirlwind
Since ArenaNet/NCsoft chose to simply blame "a fansite" without naming it (or presenting any kind of proof for that matter), every fansite, including GWG, has been made suspect.
We are simply trying to show that we do everything,- and then a little extra to ensure our users safety.
With the option to list your character name removed, people will not list it simply because they feel compelled to when filling in their profile information.
Now it is a conscious choice to include the IGN in posts or change profile information to list it.
Like Malice, I would like to point out that I have never been hacked either.
I have been a member here for several years, have listed my IGN repeatedly and have been known to have a bit of valuables.
In case it is GWG, ArenaNet/NCsoft suspect of being the "fansite responsible",- they are wrong!!!
We are simply trying to show that we do everything,- and then a little extra to ensure our users safety.
With the option to list your character name removed, people will not list it simply because they feel compelled to when filling in their profile information.
Now it is a conscious choice to include the IGN in posts or change profile information to list it.
Like Malice, I would like to point out that I have never been hacked either.
I have been a member here for several years, have listed my IGN repeatedly and have been known to have a bit of valuables.
In case it is GWG, ArenaNet/NCsoft suspect of being the "fansite responsible",- they are wrong!!!
Curo
I feel like my personal identity and security is more likely to be breached by giving out such information as my exact location, hobbies, interests, biography, etc. These things are all also fields that GWG prompts you to fill out when editing your profile, yet I have done no such thing. Users have the option to withhold whatever information they wish. IMO, restricting us from placing our IGN in our profile is silly because we voluntarily choose to put such information out there, and we are prepared to deal with any consequences of disclosing such information. I can understand why richer players may be cautious about this, and I would also probably elect not to offer my character name had I amassed a large wealth in the game.
That being said, I have craftily circumvented the newly imposed restriction (look to the left, at my profile summary). If this violates any GWG rules, please inform me and I will remove it. Until then, I would like people I deal with on here to be able to contact me.
That being said, I have craftily circumvented the newly imposed restriction (look to the left, at my profile summary). If this violates any GWG rules, please inform me and I will remove it. Until then, I would like people I deal with on here to be able to contact me.
Yang Whirlwind
No Curo: we have no rule against you listing your IGN the way you do or listing it in posts you make.
The character information was removed to ensure that all had a chance to reconsider whether they wanted to give out that information after the remarks made by ArenaNet/NCsoft,- not to prevent people from choosing to do so.
The character information was removed to ensure that all had a chance to reconsider whether they wanted to give out that information after the remarks made by ArenaNet/NCsoft,- not to prevent people from choosing to do so.
Tamarek
This is the dumbest thing.. so now instead of it being on my every post under my avatar.. the person has to take 5 extra seconds to look at my posts to find out my IGN. I gotta hand it to Arena.net they're absolutely brilliant.
I'm sure everyone who is affiliated with GWG/other affect fansites is doing a great big /Facepalm atm.
I'm sure everyone who is affiliated with GWG/other affect fansites is doing a great big /Facepalm atm.
Malice Black
An extra 5 seconds, sacrilege!
There is always other sites. Feel free to use one of those. I've heard the Team QQ forums are full of intelligent people.
There is always other sites. Feel free to use one of those. I've heard the Team QQ forums are full of intelligent people.
Malice Black
I just fail to see why such a big deal is being made out of such a minor issue.