Update - Wednesday, December 2, 2009

Tramp

Furnace Stoker

Join Date: Jan 2008

Mo/

OK... after reading this thread, Martin, Chthon, and others have me scared. I still have an unused copy of NF lying around somewhere. Going to install it, put all my junk on it that is worth anything, and NOT register it with PlayNC. What is the PR spin on all this, Regina? Regina, can you get someone with technical knowledge to give a response to the concerns here?

Martin Alvito

Older Than God (1)

Join Date: Aug 2006

Clan Dethryche [dth]

Quote:
Originally Posted by Hengis Stone View Post
This is an interesting idea Martin, but I think my particular experience falls between both. My account was not hacked through a password reset, but what was taken and what was left on my characters exactly fits your "clean out bot" scenario.
How recent was this? Were your characters left in Great Temple of Balthazar?

The first automated hack with the bot that I heard about was going around in February and March, and left characters in GToB. It didn't change passwords at NCSoft, and we chalked it up to a keylogger at the end of the day. It bagged hundreds of people that spoke out, so you have to figure it probably scored at least in the low thousands. But if I remember right, if that one got you it got all accounts almost without exception. And that smelled of keylogger.

That's not consistent with only the one account of yours getting hit, but it does sound like the older mechanism to me. From what I understand, the new bot doesn't leave characters in GToB and it leaves calling cards.

Quote:
Originally Posted by Tramp View Post
I still have an unused copy of NF lying around somewhere. Going to install it, put all my junk on it that is worth anything, and NOT register it with PlayNC.
Why the hell didn't I think of that? Brilliant.

Oh, and I remembered the brute force approach. The password reset mechanism has a maximum number of allotted attempts, but it only punishes you with a time delay. That'd be fine if the number of authentication combinations were sufficiently large, but it's not.

Suppose your security question is your birthday. If we assume that almost every player is aged 11-40 (and I'd say that's 95% true), that's only 10,958 possible combinations. But I can do better than that naive estimate. I can safely assume that most of the people I want to rob are aged 16-25. That's only 3653 possible combinations. At five entries a day, I can get every single one of you in that age range that I can get a username for in two years. I am currently in the process of testing how quickly I can get a new set of attempts, but my guess would be daily.

Better yet, if something's not a username, the stupid thing TELLS me. I get an error message if I found a legit username and fail to crack it, and I get a clean refresh if the username is bogus. So I can have one bot generating legit usernames and another bot testing legit usernames...

Best of all, if I can back out your age from other sources (eg: if my age were posted here and if my NCSoft login were MartinAlvito), I can get you in two and a half months tops. Instantly if I can match a date of birth to your login. So it looks like unsecured data is the problem because people that are dumb about unsecured data are disproportionately hit initially, when in reality I can hack anyone given time or luck and a bot!

Gaile can claim it'll take a bot 278 years to hack a strong password at one entry per second, but she's dead wrong. The strength of your password does not matter. It is not the point of vulnerability. If I can match your login e-mail to your NCSoft username, you're done.

You should be very afraid.

EDIT: Easily implementable solution concept:

Quote:
Originally Posted by jray14 View Post
Yeah, it wouldn't take 7 months to add a safeguard to the NCSOFT game password change mechanism to make the user enter the previous password first. That would have been the obvious first step if they were sincerely working on security.
That would make the NCSoft website useless as a means of getting entry, given the restrictions on changing the associated e-mail.

EDIT2: As for why - since it appears that the update didn't fix this issue, I'm not sure what the update functionally did.

Sir Cusfreak

Krytan Explorer

Join Date: Nov 2007

In your backline

No Tags [NONE]

On one hand, I feel like the lack of official response speaks volumes in and of itself.

On the other hand, I have some different fingers.

No, no, what I MEANT to say was - on the other hand, if they did find a URL security breach, and fix it, and intend to remain quiet about it, then why list it at all? Why say 'We fixed a crash bug and we fixed the URL' instead of 'we fixed a crash bug'?

That makes no sense.

jray14

Krytan Explorer

Join Date: May 2005

NC, USA

Ohm Mahnee Pedmay [Hoom]

(Copied over from the XTH thread, which I realized I was sorta hijacking):

Quote:
Originally Posted by Martin Alvito View Post
I was under the impression that the system sends an e-mail with the temp password? That's what the FAQ claims. Or is that only for a reset?
That must be only for a reset. I was talking about how you can *change* a game password right on the NCSOFT site. You just click on the game account you want to change, and it gives you 2 boxes, "New Password:" and "Confirm Password:". Then as soon as you hit Submit, the game password is changed. At no point does it ever ask you for your old/current password, and you don't even have to know the game logins because it lists them all right there for you.

Martin Alvito

Older Than God (1)

Join Date: Aug 2006

Clan Dethryche [dth]

Does it ever display the account's associated e-mail address? Can that be forced via automated correspondence, or is it visible in the account settings?

If so, you could get everything you need via a realistic brute force solution. Hunting social networks and fansites would speed up the rate at which you can crack accounts, but you could get anybody irrespective of personal security eventually.

jray14

Krytan Explorer

Join Date: May 2005

NC, USA

Ohm Mahnee Pedmay [Hoom]

Quote:
Originally Posted by Martin Alvito View Post
Does it ever display the account's associated e-mail address?
Yes, that's what I meant when I said "game logins." As soon as you login to an NCSOFT account, all your linked game accounts' associated e-mail addresses are listed right there on the main page.

So there would have to be a vulnerability with the NCSOFT logins and passwords for this to be a problem. Maybe I'm reading something wrong in this thread, but I don't remember there being any particular vulnerability pointed out with these. I thought the password reset mechanism being discussed was just for a game account password.

Bristlebane

Desert Nomad

Join Date: Jan 2008

Mo/

Quote:
Originally Posted by Martin Alvito View Post
... I can safely assume that most of the people I want to rob are aged 16-25. That's only 3653 possible combinations. At five entries a day, ...
For even better results, fish at popular websites for age/name/details. For example, if you figure out someone's Facebook account (i.e. searching by email), you can usually find out their age as well.

If you create a bogus site or a big forum, you can start fishing for details as well (i.e. maybe builds, contests, or just a mere guild/alliance forum). Then just collect the data for 6-12 months so nobody makes the connection between hacked accounts and your website. Even better, make sure that at registration the website asks security questions (in case you lost your password) identical to the questions asked by NCSOFT.

- - -
I DO hope Anet/NCSOFT read this and realize that their security system is indeed flawed and should be updated.

Martin Alvito

Older Than God (1)

Join Date: Aug 2006

Clan Dethryche [dth]

Quote:
Originally Posted by jray14 View Post
Yes, that's what I meant when I said "game logins." As soon as you login to an NCSOFT account, all your linked game accounts' associated e-mail addresses are listed right there on the main page.
Then this is how it's being done.

Here's the problem - it would be a very easy piece of programming to get a bot to generate valid NCSoft usernames. Once someone has that piece of the puzzle, the point of vulnerability is the NCSoft security question for resetting that password. Birthdays are easy.

Once past that authentication, the hacker has the keys to the kingdom. The hacker has your in-game login and can make your in-game password whatever is desired. So the hacker never needs either of those pieces of information. The hacker can back out valid NCSoft usernames and then bots crack them via the weak password reset system.

The following needs to change yesterday:

- The security question is unacceptable. Birthdays are tremendously insecure and vulnerable to brute force even when properly secured. The number of valid combinations is too small. A birthday is about half as good as a 40 digit combination lock. And you won't see 40 digit combination locks guarding important data.
- E-mail addresses used as logons need to be concealed, and you need to enter the present e-mail to change them.
- The passwords need to be protected with the existing password for changes, and resets MUST generate an e-mail to the undisclosed game login address with the new password.

Doing those things will result in fewer unauthorized access problems and no value for gaining unauthorized access. Do those three things, and the present rash of hacks via the NCSoft site should die down.

A fourth thing would be nice:

- Take some ownership! If I'm right, this is your fault. You (ANet) may not have designed it, but you forced us to use this wholly insecure system. I'm no data security expert. I study human conflict. Yet even my rudimentary computer design capabilities can beat the system you're using to guard the security of your players' accounts in a feasible time frame.

Quote:
Originally Posted by Bristlebane View Post
For even better results, fish at popular websites for age/name/details. For example, if you figure out someone's Facebook account (i.e. searching by email), you can usually find out their age as well.
Yup, and this is why the issue appears at first blush to be an issue with unsecured personal data. But the problem is that brute force can get all of us in the end. I suppose you might want to leave some customers if you're reselling the ill-gotten gains for cash.

Bob Slydell

Forge Runner

Join Date: Jan 2007

Quote:
Originally Posted by jray14 View Post
Yes, that's what I meant when I said "game logins." As soon as you login to an NCSOFT account, all your linked game accounts' associated e-mail addresses are listed right there on the main page.
And of course the ability to change them requires no knowledge of the current GW password. So all a hacker needs to do at this point is concentrate on your NC account password. Once he finally gets into your NC account, basically... "all your GW account are belong to him".

He sees them, resets their password to something he knows, copies and pastes the email name of the account into the GW account name box, types in the password, and there you go.

Martin Alvito

Older Than God (1)

Join Date: Aug 2006

Clan Dethryche [dth]

Quote:
Originally Posted by Chrisworld View Post
And of course the ability to change them requires no knowledge of the current GW password. So all a hacker needs to do at this point is concentrate on your NC account password. Once he finally gets into your NC account, basically... "all your GW account are belong to him".

He sees them, resets their password to something he knows, copies and pastes the email name of the account into the GW account name box, types in the password, and there you go.
If he's automating the thefts themselves, it stands to reason that he's automating the process of breaking security as well.

All you need is three computers sharing data and some fairly simple programs:

- One to generate valid account names
- One to test birthdates and steal information
- One to clean accounts

Then you just add computers wherever the production bottleneck is (probably testing birthdates) as your budget allows. Simple.

Of course, a fourth computer to search the Internet for personal data once you identify a valid username would improve efficiency. Or you might attack the problem the other way around and start with a dictionary of probable username/birthdate combinations derived from fansites, then move on to brute force.

Bob Slydell

Forge Runner

Join Date: Jan 2007

Quote:
Originally Posted by Martin Alvito View Post
If he's automating the thefts themselves, it stands to reason that he's automating the process of breaking security as well.

All you need is three computers sharing data and some fairly simple programs:

- One to generate valid account names
- One to test birthdates and steal information
- One to clean accounts

Then you just add computers wherever the production bottleneck is (probably testing birthdates) as your budget allows. Simple.

Of course, a fourth computer to search the Internet for personal data once you identify a valid username would improve efficiency. Or you might attack the problem the other way around and start with a dictionary of probable username/birthdate combinations derived from fansites, then move on to brute force.
And in the end the prison sentence really isn't worth it for a q9 Voltaic Spear.

Martin Alvito

Older Than God (1)

Join Date: Aug 2006

Clan Dethryche [dth]

Quote:
Originally Posted by Chrisworld View Post
And in the end the prison sentence really isn't worth it for a q9 Voltaic Spear.
But if he's in a foreign country without extradition, who's going to prosecute?

However, there's a reason that we're discussing it rather than doing it, now isn't there?

The forth fly

Krytan Explorer

Join Date: May 2008

england

Mo/

Last time I changed my NCsoft password, 2 seconds later I got an email from NCsoft saying someone at IP so-and-so changed your password; if it wasn't you, please click this link and report it to us immediately.

Bob Slydell

Forge Runner

Join Date: Jan 2007

Quote:
Originally Posted by The forth fly View Post
Last time I changed my NCsoft password, 2 seconds later I got an email from NCsoft saying someone at IP so-and-so changed your password; if it wasn't you, please click this link and report it to us immediately.
It says it when you change your own password too. Go to Google, type in "whats my ip" and go to the first or second site; it'll tell you what YOUR IP is. Then go to the email: if it matches, you are fine, it's you. If it doesn't, then there is a problem, but 2 seconds later is almost 100% your own IP changing your own password.

Martin Alvito

Older Than God (1)

Join Date: Aug 2006

Clan Dethryche [dth]

A lot of the recent hacks have resulted in that e-mail.

The IP isn't as helpful at tracing the perpetrator as you might think. If the hacker's any good, the hacker is using various tricks to hide the IP.

And once the hacker has changed that password, it's too late. The hacker is faster than Support.

jray14

Krytan Explorer

Join Date: May 2005

NC, USA

Ohm Mahnee Pedmay [Hoom]

Quote:
Originally Posted by Martin Alvito View Post
Once someone has that piece of the puzzle, the point of vulnerability is the NCSoft security question for resetting that password. Birthdays are easy.
Where is the mechanism where you can reset your password by merely entering a birthday? I've never happened upon that, and I think maybe we're talking about two different things here.

When I login to my NCSOFT account and click on the link to change my NCSOFT password, here's what I see:

"You will need to choose two hint questions which will be asked should you need to reset a forgotten password. You will need to provide the exact hint answers which you enter below in order to reset your password."

Then there's a picklist of 10 hint questions of which you select 2 and provide answers. Some of them are actually decent ones such as "What was your childhood nickname?" instead of the typical "mother's maiden name" bs.

I assume that you would need to specify those 2 answers after you click on NCSOFT's "Forgot your password?" link, but I'm too scared to try that right now to verify.

Hengis

Wilds Pathfinder

Join Date: Apr 2006

London

Better Than Life (BTL)

R/

I posted an idea a while ago on one of the previous hacking threads that got locked and assigned to the ether.

Beefing up account security would be one way of helping to prevent the current outbreak of hacking, but I was trying to think of a resolution to the underlying problem.

The underlying problem in my opinion is Real Money Traders. These are the people responsible for the vast majority of hacks. They hack accounts to steal the in game gold and items and then sell the gold for real money.

If they were prevented from selling their gold in game then their reason for existing would cease to exist.

I believe that Anet already has some kind of system in place that monitors transactions looking for unbalanced trades. If this system could be enhanced, it could be possible to stop these RMTs from selling their gold.

Gold buyers and sellers usually deal in multiples of 100K.

The idea would be that all high value transactions are analysed for balance on both sides of the trade.

A gold seller trying to pass over 100K for nothing of similar value in return would trigger the system and the trade could be blocked.

A gold seller handing over a stack of ectos for nothing in return of similar value could be blocked.

A series of lower value trades totalling a high value within a short time frame to or from one account could be blocked.

This would need some kind of rough value table being coded into the system to give base values for high end items, or stacks of items that are regularly traded for a high value but the number of these items is limited, so this should be possible. For example the game already knows a rough (merchant buy/sell) value for all crafting materials, so they should be easy to work out.

A set of exemptions could be made for example, trades between chars on the same account, or chars from accounts on the same NCSoft Master Account would be allowed no matter what the value.

Trades between people in the same guild could be allowed no matter what the value after both parties have been in the guild for a week (for example).

There could also be a popup message for example saying that the trade has been blocked because it is unbalanced perhaps with a “click here to have the transaction verified”. This could fire off a support ticket and the trade could then be suspended pending investigation or allowed to proceed after a week perhaps.

If enough doubt could be introduced into the mind of the gold buyer that they will not get the gold that they have paid real cash for, then they will stop buying.

If the gold sellers can be for the most part prevented from handing over the gold they have been paid for, then they will not be able to continue to trade.

A bonus from this would be that if an account was hacked, the gold seller would be unable to transfer the stolen gold and items to their mules/bots/harvesters as the trades would be unbalanced and so be blocked.

This is only a rough and ready idea, and probably has a load of flaws, but if somehow Anet/NCSoft could hit the RMTs with a double blow of increased account security and make it much more difficult, time consuming and risky for them to go about their illegal business, then just perhaps they can be driven from the game.

Wow.. just previewed this.. sorry for the "Wall'o'Text"! I didn't realise how much I had written!

Martin Alvito

Older Than God (1)

Join Date: Aug 2006

Clan Dethryche [dth]

Quote:
Originally Posted by jray14 View Post
Where is the mechanism where you can reset your password by merely entering a birthday? I've never happened upon that, and I think maybe we're talking about two different things here.

The only security question I've seen is the birthday on the "Forgot your password?" link.

I didn't luck into anyone's birthday when figuring out how to identify a valid username, so I haven't managed to verify the existence of additional security questions. (I haven't exactly tried very hard.) Like you, I'm unwilling to test any of my own accounts since there are other suspected vulnerabilities on the site.

If I'm mistaken, that changes things quite a bit. That would rule out brute force and make Chthon's explanation the more likely one. It doesn't change the fact that there's a glaring security vulnerability should someone gain unauthorized access to your PlayNC account that permits immediate forced entry to your game accounts.

Martin Alvito

Older Than God (1)

Join Date: Aug 2006

Clan Dethryche [dth]

Quote:
Originally Posted by Hengis Stone View Post
The underlying problem in my opinion is Real Money Traders. These are the people responsible for the vast majority of hacks. They hack accounts to steal the in game gold and items and then sell the gold for real money.
If people want to engage in the transaction, all making the transaction illegal does is increase the transaction cost. That'll reduce the problem. It will never eliminate it. Unless ANet has infinite monitoring resources or comes up with an innovative and clever solution to that problem, we're stuck with what we have.

I forget which of Posner's books makes that argument, but it was the best expression of the concept I've seen.

Quote:
Originally Posted by Hengis Stone View Post
I believe that Anet already has some kind of system in place that monitors transactions looking for unbalanced trades. If this system could be enhanced, it could be possible to stop these RMTs from selling their gold.
But there are legitimate reasons to move this stuff around. I don't like having all of my eggs in one basket due to security concerns. This means that I periodically need to move stuff around to complete a trade. I like being able to do that without getting banned.

Separating out legit transactions from illegitimate ones is harder than you think.

MisterB

Furnace Stoker

Join Date: Oct 2005

Planet Earth, Sol system, Milky Way galaxy

[ban]

W/

Quote:
Originally Posted by Martin Alvito View Post
The only security question I've seen is the birthday on the "Change password" link.

I didn't luck into anyone's birthday when figuring out how to identify a valid username, so I haven't managed to verify the existence of additional security questions. (I haven't exactly tried very hard.) Like you, I'm unwilling to test any of my own accounts since there are other suspected vulnerabilities on the site.

If I'm mistaken, that changes things quite a bit. That would rule out brute force and make Chthon's explanation the more likely one. It doesn't change the fact that there's a glaring security vulnerability should someone gain unauthorized access to your PlayNC account that permits immediate forced entry to your game accounts.
When NCSoft added the free Xunlai promotion, I had to use my NCSoft account again, but their website and certain log in mechanics had changed. They changed my password without notice, but that's not relevant. I do recall setting up 2 security questions for password retrieval, and neither one was birth date. I don't know if that was one of the options. My answers to the security questions have nothing whatsoever to do with the questions. I have not tested the password reset feature with the questions.

Martin Alvito

Older Than God (1)

Join Date: Aug 2006

Clan Dethryche [dth]

Quote:
Originally Posted by MisterB View Post
When NCSoft added the free Xunlai promotion, I had to use my NCSoft account again, but their website and certain log in mechanics had changed. They changed my password without notice, but that's not relevant. I do recall setting up 2 security questions for password retrieval, and neither one was birth date. I don't know if that was one of the options. My answers to the security questions have nothing whatsoever to do with the questions. I have not tested the password reset feature with the questions.
I don't remember providing a birthday either. Perhaps they read it from the game account?

Martin Alvito

Older Than God (1)

Join Date: Aug 2006

Clan Dethryche [dth]

Ah, OK. I finally found an account with real security questions.

Are you sure that you didn't have to set that up manually? I can't reason out why the system would provide three possible responses (birthday, security questions, nothing) rather than two.

You can verify whether or not your first answer was right. It tells you...

jray14

Krytan Explorer

Join Date: May 2005

NC, USA

Ohm Mahnee Pedmay [Hoom]

The site I'm talking about is

https://secure.ncsoft.com/cgi-bin/plaync_login.pl

with the little "Forgot your password?" link leading to

https://secure.ncsoft.com/cgi-bin/pl...pl?language=en

Maybe it *is* the same one you're talking about after all, because when I enter a bogus username there it asks me for my birthday on the next page. I certainly hope that it doesn't stop there, but since I'm not messing around with my own account, I can't test it.

If that's all there is, then I suppose everything comes down to (1) NCSOFT account name and (2) e-mail address registered on the NCSOFT account (assuming that the password is e-mailed). Obviously (1) is easily brute-forced, but isn't (2) still a major obstacle for a hacker if they're not in the business of breaking into e-mail accounts?

Martin Alvito

Older Than God (1)

Join Date: Aug 2006

Clan Dethryche [dth]

Depends. The security question system is quite vulnerable to a dictionary attack if you use legitimate answers, and the system helpfully tells you when you get the first answer right.

Oh snap. It tells you when EITHER is incorrect....................

Oh my God....

Pro tip: if one of your security questions is that your first car was "red"...

Change it.
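The two oracles Martin describes (the site reveals whether a username exists, and tells you which hint answer was wrong) are design defects in the reset flow rather than in any one user's choices. As an added example that is not code from the thread or from NCSoft, here is a reset verifier that mirrors the described behaviour beside a hardened version: one generic response, all answers checked together in constant time, the same work done for unknown usernames, and a per-account failure counter. The account store, hint answers and lockout limit are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


def _stretch(answer: str, salt: bytes) -> bytes:
    # Normalise case and whitespace so "Red" and " red" compare equal,
    # then salt-and-stretch so a stored answer is not recoverable from a dump.
    normalised = " ".join(answer.casefold().split()).encode()
    return hashlib.pbkdf2_hmac("sha256", normalised, salt, 50_000)


@dataclass
class Account:
    username: str
    salt: bytes
    answer_hashes: list  # stretched hint answers, in question order
    failures: int = 0


def make_account(username: str, answers: list) -> Account:
    salt = os.urandom(16)
    return Account(username, salt, [_stretch(a, salt) for a in answers])


# Constructed in-memory "database" with one account and two hint answers.
ACCOUNTS = {"alice": make_account("alice", ["Dusty", "Blue"])}

MAX_FAILURES = 5  # constructed lockout threshold for the demonstration
GENERIC = "If the details match, reset instructions have been e-mailed."


def weak_verify(username: str, answers: list) -> str:
    """Behaves like the flow described in the thread: the response reveals
    whether the username exists and which hint answer was wrong."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return "unknown username"  # username enumeration oracle
    for i, (given, stored) in enumerate(zip(answers, acct.answer_hashes)):
        if _stretch(given, acct.salt) != stored:
            return f"answer {i + 1} incorrect"  # per-question oracle
    return "reset e-mail sent"


# A dummy account makes the hardened path do identical work for unknown
# names, so neither the response text nor its timing reveals existence.
_DUMMY = make_account("", ["", ""])


def hardened_verify(username: str, answers: list) -> tuple:
    """Returns (ok, message). The message is the same in every case; the
    caller e-mails a reset token to the address on file only when ok."""
    acct = ACCOUNTS.get(username, _DUMMY)
    locked = acct.failures >= MAX_FAILURES
    # Evaluate every answer without early exit and fold the results together.
    ok = True
    for given, stored in zip(answers, acct.answer_hashes):
        ok &= hmac.compare_digest(_stretch(given, acct.salt), stored)
    ok &= len(answers) == len(acct.answer_hashes)
    ok &= acct is not _DUMMY and not locked
    if not ok and acct is not _DUMMY:
        acct.failures += 1  # count failures per account, not per answer
    return ok, GENERIC
```

In a real deployment the failure counter lives in persistent storage and the generic message is returned after the same delay on every path; the point shown here is that nothing in the response distinguishes the four cases (no such user, first answer wrong, second answer wrong, locked).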

MisterB

Furnace Stoker

Join Date: Oct 2005

Planet Earth, Sol system, Milky Way galaxy

[ban]

W/

Quote:
Originally Posted by Martin Alvito View Post
Ah, OK. I finally found an account with real security questions.

Are you sure that you didn't have to set that up manually? I can't reason out why the system would provide three possible responses (birthday, security questions, nothing) rather than two.

You can verify whether or not your first answer was right. It tells you...
I'm not too keen on testing my own account, but you are correct that I did have to provide the 2 questions manually. Since NCSoft did change my password, I was unable to log in and had to use the password reset feature. I do not recall the details of what was involved to reset the password at that time, but I do remember setting up the new questions.

Martin Alvito

Older Than God (1)

Join Date: Aug 2006

Clan Dethryche [dth]

Turns out it's five attempts every twelve hours. So I was too generous by half. At one attempt per second, you could make 86,400 attempts in a day. So you could attempt to brute force 8,640 accounts twice per day.

If half of the customers are in the 16-25 demographic, use the birthday and report their birthdays accurately, you're going to net just under an account a day this way with a single computer making an attempt every second and brute force.

If you're using two security questions, the results probably depend on what you're using as security. The car question is just bad, people. A hacker's going to get that one in an awful hurry. Even if you say "fuchsia". And if it was fuchsia, shame on you.

If you want a guess, the rash of hacks involving a password change is some combination of unsecured personal data and the fact that cracking the NCSoft system provides the keys to the kingdom. Unless our hacker is a lot more organized than I suspect, and can disguise a very large amount of traffic without NCSoft noticing/acknowledging.

As with some of the other explanations, brute force probably cannot explain the observation alone. However, it is very likely part of the solution. Close those glaring security loopholes and at least some of the hacks will stop.
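The size of the secret behind a birthday hint, and how long a lockout policy takes to exhaust it for one account, is what decides whether a reset question is acceptable. As an added example (not from the thread or from NCSoft), the following computes the exact birthday keyspace for the age ranges used above as of the thread's date, compares the two lockout cases discussed (five tries per day, five per twelve hours), and contrasts both with an e-mailed random 128-bit reset token. The reference date 2009-12-02 and the token size are assumptions for the demonstration.

```python
from datetime import date


def _years_ago(d: date, n: int) -> date:
    """Same calendar day n years earlier; 29 February falls back to 28."""
    try:
        return d.replace(year=d.year - n)
    except ValueError:
        return d.replace(year=d.year - n, day=28)


def birthday_keyspace(min_age: int, max_age: int, today: date) -> int:
    """Number of distinct dates of birth for anyone aged min_age..max_age
    (inclusive) on `today`: the real size of a birthday 'secret' once an
    age range is assumed. Counted exactly, leap days included."""
    latest = _years_ago(today, min_age)          # youngest possible DOB
    earliest = _years_ago(today, max_age + 1)    # one day older is excluded
    return (latest - earliest).days


def days_to_exhaust(keyspace: int, attempts_per_window: int,
                    window_hours: float) -> float:
    """Days until a single account's hint has been fully enumerated under a
    policy allowing attempts_per_window guesses per window of window_hours."""
    per_day = attempts_per_window * 24 / window_hours
    return keyspace / per_day


THREAD_DATE = date(2009, 12, 2)  # the thread's own date, used as "today"


def compare_policies(today: date = THREAD_DATE) -> dict:
    """Constructed comparison of the reset-policy cases in the thread."""
    wide = birthday_keyspace(11, 40, today)
    narrow = birthday_keyspace(16, 25, today)
    return {
        "keyspace_11_40": wide,
        "keyspace_16_25": narrow,
        "days_5_per_day": days_to_exhaust(narrow, 5, 24),
        "days_5_per_12h": days_to_exhaust(narrow, 5, 12),
        # An e-mailed 128-bit token under the same 5-per-12h policy.
        "days_token_5_per_12h": days_to_exhaust(2 ** 128, 5, 12),
    }


if __name__ == "__main__":
    for name, value in compare_policies().items():
        print(f"{name}: {value:,.1f}")
```

The exact counts (10,957 and 3,653) agree with the 365.25-days-per-year estimates used in the thread to within a day; the lesson is in the ratio, since a guessable secret with a few thousand values is exhausted within a year under either policy, while the token case never finishes.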

zwei2stein

Grotto Attendant

Join Date: Jun 2006

Europe

The German Order [GER]

N/

Uh-oh:

Quote:
Someone at 113.237.252.125 has reset your Guild Wars Game Account password for account ##############. If you did not make this change, please contact support immediately at [email protected].

Apparently, this still continues. 113.237.252.125, Liaoning province, works Sundays. Busy bees, then, password-resetters.

Perkunas

Jungle Guide

Join Date: Aug 2006

In my own little world, looking at yours

Only Us[NotU]

E/

Reading all these posts has me asking, "Why so much trouble for stealing a GAME account?" Sure seems like a lot of trouble just to steal some pixels.

MisterB

Furnace Stoker

Join Date: Oct 2005

Planet Earth, Sol system, Milky Way galaxy

[ban]

W/

Quote:
Originally Posted by Perkunas View Post
Reading all these posts has me asking, "Why so much trouble for stealing a GAME account?" Sure seems like a lot of trouble just to steal some pixels.
Do you know what RMT (Real money trading) is? Gold sellers use stolen accounts for their transactions or for transfers with their networks and whatnot. Stolen accounts also provide them with gold directly, obviously.

Martin Alvito

Older Than God (1)

Join Date: Aug 2006

Clan Dethryche [dth]

Quote:
Originally Posted by Perkunas View Post
Reading all these posts has me asking, "Why so much trouble for stealing a GAME account?" Sure seems like a lot of trouble just to steal some pixels.
Suppose that someone steals 10,000 accounts. Suppose that the average haul per account is $40 in easily resaleable goodies. (That's more or less a stack of ecto. Which, if you consider outlier accounts with lots of stuff, is a reasonable mean.)

That's $400,000 in difficult-to-trace cash.

Now consider that you can automate the entire process if you can brute-force accounts.

Sounds pretty lucrative, doesn't it? No labor costs, only costs are computers, Internet service, and power. Why farm gold when you can steal it? If you locate properly, you're just as immune to legal retribution as a Chinese gold farming entrepreneur.

Shayne Hawke

Departed from Tyria

Join Date: May 2007

Clan Dethryche [dth]

R/

You know, reading this thread sure makes me feel sick.

I don't think I even want to try and go make sure my account is secure. I'm afraid I'll give myself away just by doing that much.

Shasgaliel

Jungle Guide

Join Date: Apr 2008

[bomb]

Quote:
Originally Posted by Perkunas View Post
Reading all these posts has me asking, "Why so much trouble for stealing a GAME account?" Sure seems like a lot of trouble just to steal some pixels.
My PayPal account was hacked 1 minute after a transaction in the NCsoft store. PayPal is now investigating NCsoft and their security. It is not about pixels anymore.

Quote:
Originally Posted by Shayne Hawke View Post
You know, reading this thread sure makes me feel sick.

I don't think I even want to try and go make sure my account is secure. I'm afraid I'll give myself away just by doing that much.
Actually, they may have a website hacked and some software planted. In such a case, by logging in you will just give them all your credentials....

I wonder if all those hacked people actually tried to log in to their NCsoft account sometime before the hacking attempt, or did any transactions there.

JR

Re:tired

Join Date: Nov 2005

W/

Quote:
Originally Posted by Shasgaliel View Post
My PayPal account was hacked 1 minute after a transaction in the NCsoft store. PayPal is now investigating NCsoft and their security. It is not about pixels anymore.
Wow, that's definitely interesting. Any more details you can give us on that?

Shasgaliel

Shasgaliel

Jungle Guide

Join Date: Apr 2008

[bomb]

I got an additional character slot in the NCsoft store which I paid for via PayPal. After a standard confirmation which arrived about 50 seconds after the transaction, I got an email (exactly 3 seconds after the previous one) from PayPal telling me that my account (PayPal) was accessed by a third party after the transaction. Between those two emails I got standard confirmations from NCsoft. I also got the slot, so everything was looking legit to me. However, everything got blocked and I needed to reset and set up again all my PayPal login data. My old password was automatically cleared and I was not asked for it at all. When I logged in there with new credentials I saw information that PayPal has contacted NCsoft for clarification of the incident and that they are currently investigating whether there was a security breach on the seller (NCsoft) side. So far I am still waiting for the confirmation since NCsoft does not reply to PayPal (2 unanswered inquiries I am aware of). Unfortunately I do not know the details of those inquiries, but I have asked for them already. From what I understood, they (PayPal) blocked my account immediately after the incident, so there was no harm done. However, someone managed to log in to my PayPal account just after I logged out, and it happened just after the transaction.

Riot Narita

Desert Nomad

Join Date: Apr 2007

Quote:
Originally Posted by Shasgaliel View Post
However, someone managed to log in to my PayPal account just after I logged out, and it happened just after the transaction.
Ouch. I hope you will post updates if you hear anything further.

I assume you have eliminated the possibility of malware on your PC that "saw" you use PayPal and triggered an immediate attack?

If so, NCsoft would be my #1 suspect... distantly followed by PayPal, and even more distantly followed by some unknown third party that tapped into your internet communications (e.g. at your ISP, a hacker in your neighbourhood if you use wireless, etc).

Martin Alvito

Martin Alvito

Older Than God (1)

Join Date: Aug 2006

Clan Dethryche [dth]

Quote:
Originally Posted by Shasgaliel View Post
My PayPal account was hacked 1 minute after a transaction in the NCsoft store. PayPal is now investigating NCsoft and their security. It is not about pixels anymore.
*whistles*

Hissy's right that you need to rule out the possibility of malware. If you don't use PayPal on an extremely regular basis, that's the most likely culprit.

But if your system is clean...wow. That escalates things a few notches.

Can anyone else confirm this? I'm reluctant to call a single episode a pattern despite other suspicions about the website. However, I'm not about to suggest that someone risk sacrificing their game and PayPal accounts trying to confirm.

Quote:
Originally Posted by Horace Slughorn View Post
Guys I think someone hacked my gameboy. I had stacks of pokeballs and a level 100 Charizard all stolen.

Relax guys, a lot of conspiracies up in this thread.
All I'm out to do here is prove that brute force hacking is quite plausible despite ANet's insistence to the contrary. What I'm saying is: ANet is telling you lies. I draw no firm inferences about whether or not this results from ignorance or malignant intent. If you want an opinion, it's malignant disregard for the player base on NCSoft's part. Just another example of NCSoft killing the cow for the milk and thinking we're too stupid to notice. It's hard to blame ANet for that, but at the same time they're still standing up and spouting the company line.

But I can't prove that. All that I can assert is that such shortsighted behavior fits a broader pattern that we've observed in NCSoft's actions. Nor can I prove that we're getting hacked via brute force. In fact, the math would suggest that brute force is only part of the problem. Brute force alone can only explain the issue if NCSoft's data security people are impressively terrible at their jobs. You'd think they'd notice a spike in traffic large enough to generate the sheer volume of new account hack reports via brute force alone.

Regardless, the company line is unarguably wrong. If you got hacked, it's entirely plausible that it wasn't your fault. The PlayNC authentication system just isn't robust, and it doesn't have the proper safeguards set up to protect you in the event that a hacker defeats it. It really is that simple.

Perkunas

Perkunas

Jungle Guide

Join Date: Aug 2006

In my own little world, looking at yours

Only Us[NotU]

E/

Quote:
Originally Posted by Shasgaliel View Post
My PayPal account was hacked 1 minute after a transaction in the NCsoft store. PayPal is now investigating NCsoft and their security. It is not about pixels anymore.
Maybe once a month, I get a notice from PayPal saying I need to update my account. I haven't used it in over 2 years and the debit card used is no longer any good. I just delete the email and forget about it. The PayPal account was used to purchase character slots, unlocks, and such. Looks like I won't be updating it anytime soon; maybe I'll just create a new one for any online purchases other than GW items.

I D E L E T E D I

I D E L E T E D I

Wilds Pathfinder

Join Date: Oct 2007

[BAAA] guest me NOW

Mo/

Quote:
Originally Posted by Shasgaliel View Post
My PayPal account was hacked 1 minute after a transaction in the NCsoft store. PayPal is now investigating NCsoft and their security. It is not about pixels anymore.
I confirm this, happened to me too. Exactly after my transaction with NCsoft, I got an email from PayPal saying my account was accessed by a third party and that it was under investigation. I defo do not have malware, since it's a fresh install of Windows.

Martin Alvito

Martin Alvito

Older Than God (1)

Join Date: Aug 2006

Clan Dethryche [dth]

Quote:
Originally Posted by I D E L E T E D I View Post
I confirm this, happened to me too. Exactly after my transaction with NCsoft, I got an email from PayPal saying my account was accessed by a third party and that it was under investigation. I defo do not have malware, since it's a fresh install of Windows.
Well GORED me.

That pretty much narrows it down to inside job or external hacker compromising the site entirely, and makes my concerns about brute force petty by comparison.

Any thoughts about how we can discriminate between the inside job and external hacker hypotheses?

Chthon

Grotto Attendant

Join Date: Apr 2007

Quote:
Originally Posted by Shasgaliel View Post
I got an additional character slot in the NCsoft store which I paid for via PayPal. After a standard confirmation which arrived about 50 seconds after the transaction, I got an email (exactly 3 seconds after the previous one) from PayPal telling me that my account (PayPal) was accessed by a third party after the transaction. Between those two emails I got standard confirmations from NCsoft. I also got the slot, so everything was looking legit to me. However, everything got blocked and I needed to reset and set up again all my PayPal login data. My old password was automatically cleared and I was not asked for it at all. When I logged in there with new credentials I saw information that PayPal has contacted NCsoft for clarification of the incident and that they are currently investigating whether there was a security breach on the seller (NCsoft) side. So far I am still waiting for the confirmation since NCsoft does not reply to PayPal (2 unanswered inquiries I am aware of). Unfortunately I do not know the details of those inquiries, but I have asked for them already. From what I understood, they (PayPal) blocked my account immediately after the incident, so there was no harm done. However, someone managed to log in to my PayPal account just after I logged out, and it happened just after the transaction.
Quote:
Originally Posted by I D E L E T E D I View Post
I confirm this, happened to me too. Exactly after my transaction with NCsoft, I got an email from PayPal saying my account was accessed by a third party and that it was under investigation. I defo do not have malware, since it's a fresh install of Windows.
Very interesting.

Some thoughts:

Could be both of you have some spyware on your machines, despite your efforts to keep them clean. Strikes me as unlikely -- anyone intelligent enough to write something to specifically monitor PayPal usage would be intelligent enough to send themselves your credentials, then wait 12 hours until you were more likely asleep to use them.

Could be PayPal being oversensitive and setting off a false alarm at legitimate activity by NCSoft.

Could be man-in-the-middle. It's well known that SSL is essentially Swiss cheese if you've got the resources to invest in an attack. Perhaps someone with the resources decided that NCSoft is a worthwhile target.

Could be NCSoft's server is compromised and now contains a malicious program.

Could be an inside job at NCSoft.

Probably does NOT explain the account thefts. People with long dormancies in GW and even longer dormancies on the NCSoft site have been hacked. That indicates either a "save 'em for later" approach inconsistent with trying to use stolen PayPal credentials within a minute of stealing them, OR it indicates that the vulnerability requires nothing from the user to be exploited -- e.g. brute forcing the NCSoft account.

That's worse, since it's now two major problems instead of one.

Soooo, I think it's time to repeat myself: FOR THE LOVE OF GRENTH, PLEASE ALLOW US TO SEVER OUR GW ACCOUNTS FROM THE NCSOFT ACCOUNT! It's clear enough that there are major problems there and that NCSoft just isn't going to fix them.

Quote:
Originally Posted by Martin Alvito View Post
Any thoughts about how we can discriminate between the inside job and external hacker hypotheses?
With the data available to us, it is probably impossible to distinguish. Someone perpetrating an inside job would seek to appear like an external hacker.