Easiest way to stop Gold sellers hacking accounts

The unfortunate case of Nadeen being hacked got me thinking (dangerous i know)

It seems that gold sellers etc, rob account to salvage the FoW armor, get mini pets etc and so use the money to then sell on.

The easiest fix to do would be to make FoW armor unable to be salvaged or deleted. If you cant sell the ecto you get from it, it then becomes worthless to a gold seller.

You could also put a special 'flag' on an item that would render it unable to be traded outside of your account, destroyed,dropped or sold. Lets call it the 'customised flag'

When an item is customised it's then fixed to your account and can no longer be used to gain any money from it's sale or trashed.

I mean how hard can it be? The flag is in the database so no extra storage is needed, the only changes needed would be to the salvage, drop item and sell item code to include somethin like
if item.customised=-true then msg "Sorry you cant destroy a customised item"

With no way of getting money from robbing players it would solve a lot of issues and heartache.

I dont want a new hat for xmas, I want something to protect the time and effort I put into this game. That would be the best xmas Anet gift of all.

lol easiest way is don't dlnd anything even slightly dodgy and have a stong password.

I don't think much of your ideas either, what if (hypothetically) I wanted rid of my fow armor because it's not to my liking any more?

I'd prefer that hat to be honest.

if you read the hacked threads it's clear that strong passwords etc are'nt enough.
If you did'nt want your FoW armor then move it to another char on your account. If you have'nt got the room buy another slot, Anet could use the money

or dont make ecto's tradable = end of hacking

1.- Don't Buy Nothing to the Gold Sellers.
2.- Hide your e-mail account linked at game, don't use it for nothing (reg in forums, chats, paypal [if you are buying gold...], MSN, etc)
3.- Use a strong password with letters & numbers.
4.- Antivirus - Adaware - Anti Keyloggers - A Normal Security programs on your computer.

The best way is, don't use the email of loggin for nothing, if no one know's it, is impossible to hack your account.

Cya!

Er, that won't do anything. Hackers will still hack even if they can get nothing out of it.

Because they are jerks like that.

For those who have used their email log in for other things, you can't change it once your account is linked to NCsoft. So even if someone wants to change their email log in to a new, more secure one, they can't.

I for one, Don t use the same email in my GW account. As a matter of fact deleted the account. That way, my login is private and not linked to any email. That way I dont risk my account being hacked because I used the same email than the one I used to register for example in this forum...

Just be careful what you download and install. And never, ever give your account information to anyone

People have done all these measures and still get hacked. Read the threads and threads about it on this forum, Wiki and 'the other one'

The point of this thread was to suggest ways in which the damage can be limited once they do get in.

Obviously those people that got their accounts hacked have made mistakes... Whether they realize it or not.

I say don't change game play / mechanics for this reason. It won't stop the hacking and another thread will pop up when someone gets something else valuable stolen.

I don't know what sort of security Guild Wars implements but I would hope that they lock your account after 5 or so failed login attempts (to stop brute force hacking). This is really the only security measure you would need.

Other than that, if you get your account hacked it is 99% likely it's YOUR OWN FAULT.

How rude and condescending. I'm sure if you were hacked by a chinese gold farmer, you would start making a topic and wondering how could it have happened. Surely all the accounts hacked from Aion and Guild Wars cannot be a coincidence, since they're all through PlayNC. There are even reports of the farmers getting thorugh Paypal accounts on computers that were scanned for malware.

I'm actually pretty upset with how unsecure my account feels in the hands of NCSoft right now. Got nothin' against Anet though.

My worst nightmare is not getting robbed by hackers; but having my main character deleted out of spite. That would be really bad. Sometimes I wakeup screaming.......

I can easily see someone deleting their own set of FoW, considering some (most) of them are ugly as sin. I personally only have my Warrior one for the HoM. I can definitely see myself deleting it if storage ever becomes an issue.

So no-one would be able to get rid of old armor or customized old weapons? That sounds like a pretty bad idea. Storage space would rapidly become an issue. Similarly, it would forbid trading customized items to a storage account. Something I'd also vote against.

Viable suggestion. Most of the items would only be worth a few k at best when merched, anyway. Still against applying that to materials, though.

Even if people wouldn't gain money from the hacking, some would still do it simply for being pricks. A lot of problems with security and computers in general are located between the seat and the keyboard. Some are actually traceable to the company in question. I'm not sure which it is in this case, nor do I overly care to be honest. I'd suggest NCSoft work on their security just in case, and users think before they do. Anet can go on and make a new spiffy hat.

I see nothing in his post that could be construed as rude and/or condescending.

The majority of the people who have had their accounts broken into was most likely due to actions on their own part whether it be their web browsing habits, weak passwords, sharing accounts, etc. There probably are a few that were hacked due to security problems on ncsoft or anet's part but those are in the minority.

The most recent person I saw who claimed they were hacked in game said they clicked a link in an email and ran the program that came up because someone told them to do it even though they had no idea what the program did. A lot of the people that are saying they were hacked are probably not giving all the details either intentionally because they don't want to make themselves seem stupid to everybody else or because they just don't know what they did.

We don't know all the details with how the account was hacked so we can't make a good call on what would prevent it.

If someone is good enough to actually hack into ncsoft's or anet's database, then they'd probably steal credit card information, not just in game items.

sorry... but it's just the facts.

these hackers aren't magicians... they got your password because you made a mistake.

so why ask for anet to change their code because of something you did wrong?

i'd rather they spend their time on more productive things like game updates. of course they haven't done much of that at all lately either.

Prove it.

You can't. I cannot disprove it in any specific case, but you cannot prove your contention in any specific case either.

The underlying logic behind your statement runs as follows: in the past, all accounts have been hacked through malware. Therefore, it continues to be the case that all accounts are hacked through malware. Further, all accounts will be hacked in the future through malware.

When you put it on the table like that, it starts to look pretty silly, doesn't it?

It can be shown that NCSoft accounts have glaring security vulnerabilities. There are no protections for users in the event of unauthorized access. No computer system is fully secure. There are no protections against password brute forcing. The protections against brute forcing the "change account" provisions are inadequate.

This suggests that some proportion of accounts greater than zero could be hacked by means other than malware. Given the reports of accounts being hacked by means that cannot reasonably be explained by malware, I'd conclude that your argument is false.

You could argue that victims of NCSoft password change hacks got keylogged during the XTH promotion and are only now being targeted, but if you want to make that argument you need to explain why the hacker(s) sat on that information for so long. On the face of it, your theory simply does not appear to fit the facts.

@ OP: The problems are more fundamental. Your suggestions might be constructive, but also create problems - especially with the resale of dedicated miniatures. Further, they do not remove the incentive to hack accounts to loot accounts of liquid valuables such as ectos, armbraces and gold that players want to use to buy things at a later date. Your "flag" has to be irrevocable to work, but players possess valuables that they do not intend to possess forever. Better solutions to the NCSoft account problem exist:

- Let me delink my GW account (best)
- Force me to provide something additional to change my game passwords (existing PW, code from an e-mail sent to the login e-mail address, etc.)
- Do not EVER display the linked e-mail address that is my username
- Make the "change password" protections for NCSoft accounts themselves more secure
- Make it impossible to generate a valid list of actual NCSoft accounts via brute force
- Make it more difficult to brute force passwords (NO protections exist at present).

Listen...

The only way they could get your password without it being your fault is if they hacked directly into A-Net's database... Which I very highly doubt.

Even if they did manage to get past the firewall and into the database, the passwords are still going to be hashed using either a MD5 or SSHA salted algorithm. Even with a set of Rainbow tables these are going to be very difficult to crack if you use a reliably strong password. In short it would take a lot of time and energy to crack one password, probably much more time than it was worth.

Now... the other much more likely possibility is that you messed up.

I'm thinking of a number between 1 and 100? Can you guess it? No.

Guess what. That's basically the same concept as a password. Just use a little logic and there's your proof.

great idea.

What Enko and Craigrs84 are saying is the most accurate.

The possibility of this is far greater than it being an issue lying with the security with a huge video game development/publishing company's security.

For the record, I was hacked recently too and to be honest as much as I have a strong account and am generally very careful with what I download and such... I have no doubt that it was something on my part.

Having something malicious invade your computer is not just due to running a random .exe attachment in the "enlarge your penis" junk-mail.

I'm not claiming to be tech savvy with computers so it's easier for me to accept that possibility... but neither can most of you as well. Just because you're taking computer-science courses in high school doesn't mean you don't make mistakes.

Even if your password's on the weaker end, it's still really hard to crack via brute force... unless it's something stupid like it being identical to your e-mail address. The only way for anyone to really narrow it down to anything is if they know you to a certain degree. Anything else is just pure random guessing. It's like the lottery.

If those gold farmers are that good at brute force hacking, then why don't they take a crack at winning the lottery? Seeing as how they're obviously so damned talented and lucky at guessing random variables. They won't be working for gold farming sites if that was the case.

They arent?! How come I have never been hacked in almost 4 years?

It's an argument that even I toss back and forth blaming password strength and then NC. But unless we got a real statement from NC or Anet about this were still gonna be out here posting and playing the guessing game, blaming anything we possibly can just to post bullshit.

And at Silv3rr. Try suping up your hosts file like it did. Go to C:/Windows/System32/drivers/etc and open "hosts" in notepad. You all can benefit from this as well. And add any suspicious gold/gw site you come across into the hosts file like this:

0.0.0.0 www.example.com
0.0.0.0 example.com

What this does is cause these sites to time out because when they are supplied from another website, your computer ignores the closest DNS and loads them with an ip address of 0.0.0.0, as well as any ads they supply. So their scripts will never make it onto your browser or anything else they try to make it onto. Clever eh?


I've done it and I say..anything it takes to be a little more protected.

I Personally have an assload of sites in it already, about 16,000 from a site that worked on looking them up and probably 30 or more for malicious GW sites and gold ad's.

This is what firewall programmers don't want you to know about, the utilities of your very own computer that work just as good, without even using a firewall.

Works on ANY operating system in the world.

http://www.youtube.com/watch?v=VUQZGuJ8jLM - little more explanation.

They could just use NCSOFT website. Hacking website is actually not that hard if it is not properly protected. You do not need to care about anything in ANETS dba whatsoever since you can access gw account via playing around with NCsoft master account. You know you can clear your GW password from there? You need just to "sniff" a login to NCSoft master account and all the rest you will get sooner or later on a silver plate. Password to NCsoft account does not matter much. The fault of people can be just that they purchased something from NCsoft store or just went there to link their account... Xunlai pane promotion anyone? Will you blame people for doing that?

Even better they do not need to hack NCsoft website. They can just use random IGNs from sales or gw auction sites. You will hit some logins to NCsoft easily. You can say people are stupid but even if they realized their mistake they cant easily correct it. Try to change login to NCsoft account.

Since you are not penalized for incorrect tries you can use botnet and just run password query for every confirmed login. Matter of days even for strong ones I would say...

@OP. I will sign everything which will increase security in this game. I hope something will be done.

I like Martin Alvito suggestions. I will add that for 3 subsequent incorrect tries IP gets blocked. It will not prevent botnets but will hit smaller hackers.

I don't even care right now if I get banned or not but up yours and kiss off. So many of us have been hacked. Most of us used the stinking store and got hacked after that. I checked with IT here at work and they said inside job. So shut up. my fault pfft joke

Also armbraces and zkeys.

/Win

heres what anet should do make it so you either need a waiting period of one week and at any time during said week if u log on you can end it making said hacker have to restart or make u have to confirm it from your email address

Ban all Chinese IP

hurf derf

4 Years no hack. People who get "hacked" are mostly people who accidentaly give out tidbits of information. If anyone gets anything of your account info, you just gave them an account. So before you go about spouting "HACKED HACKED!!!" understand sometimes it's your own doing. It's usually just carelessness. Stay away from 3rd party programs in general. Texmod included. Don't give out any information, don't use your email for GW on other websites. Keep your GW password and account name private from all things. If you trust someone with account info, you're asking to lose your things.

4 years of playing a lot.. Pissing a lot of people off.. No 3rd party programs.. No altering of GW at all.. Never using my GW email anywhere else.. Passwords don't have to be too strong either. If they don't have the username you are more or less fine... Also, if someone who knows anything about hacking a computer wants your GW account then they will take it. Not a whole lot you can do to stop someone determined and educated.

Hate to break it to you, but if someone wants to hack your computer, and knows how to, the strongest password you can think of doesn't stand a chance.

1. A number of suggestions that would significantly improve security have been floating around for a long while now. The fundamental problem is that a-net/NCSoft (I have a feeling it's more NCSoft in this case) just don't seem willing to admit to themselves (much less to us) that THEY have a security problem and it needs to be fixed. Until they accept that security needs to be upgraded, no amount of insightful ideas about how to upgrade security are going to make a difference.

2. I am consistently amazed at how people here are utterly unable to grasp the possibility that accounts are being stolen in multiple ways. Yes, there is a certain baseline of people who get accounts stolen because they did something dumb. Always has been. Always will be. However, IN ADDITION to that, there appears to be a number of accounts being stolen without any interaction between the thief and the user -- account thefts perpetrated solely using a vulnerability in a-net/NCSoft's systems.

NCsoft may well be unwilling to do anything about it. BUT it's ANets game. There are things they can do within their own game that can reduce or negate the effects of being hacked.

Yes people screw up sometimes, thats why we put air bags, crumple zones and ABS on cars. So that when we do the effects are greatly reduced.

What Anet seem unwilling to do, because it's been one of those hidden unspoken issues for 4 years is to fit the car they made with anything other than a fender to protect their occupants.

I am really starting to think they don't give a <insert word> about their customers who have spent so much time, money and effort on their game.

if they did they would say 'so what if GW2 is a delayed a month, we want to better protect our customers' and do something about it.

And don't give me it's not possible blah blah. Thats what we were told about re-connects, hairdressers and the like. Of course it's possible it's just that they are unwilling to do anything about it.

I don't want stupid new hats, dumb ass bosses what I do want better protection for my account and a demonstration that Anet actually do more than pay lip service to valuing a customer.

Enough really is enough.

1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100

There - I guessed it. Now give all your gold, and anything worth salvaging. Oh yeah - delete that Sin with 28 maxed titles.

My idea about more security on anets side
They could just send an email to your email account with a Link to click to confirm
you actually want the password changed and not just
"someone from ip yada yada yada changed the passwrord if not contact us after the fact you just been hacked and we willget back to you oh say in 3 days time.
Also put in place a 3 times your out for trying to enter a password and it locks you out for say 1 hour or something
with an email to your account so you have an idea someone IS trying to get in.
These suggestions have been around for a while by many people.
I hope GW2 will have better way of dealing with account security.

You DO realize that this only works when site does use it domain address and not ip address, right? And its not like it is very hard to get new and new domain names if you really want to get past address based blocking.

This only works when program asks operating system for DNS resolve, like most browsers. No software is under obligation to do this i am afraid.

Not to mention that decent firewall does more than just deny certain hostnames. Like blocking incomming/outgoing traffic and managing application ability to access network. Incoming traffic gets you wormed & compromised.

hosts file abused like this is just another abblock.

lol, you brute forced his magic number, how dare you!

Speaking of hackers. Lately I have recieved many of these. As you can see my e-mail filter program has no porblem weeding them out. I never leave home without it. By the way; never have I nor will I ever play WoW.

/notsigned

It's only going to help the people that have FoW armor and high-end minis; I doubt gold sellers ignore the people who don't have hundreds of platinum.. Crafting mats, gold, and Miscellaneous items are still up for grabs. It also doesn't help if they delete your characters that you've spend thousands of hours on/

my domain host has better security than NCSoft. basically i could brute force any GW;s client. anyone could do it, i could write a program in 30 seconds to do it. all ou need is a [email protected] and just start aaaaaaaa, baaaaaaa, caaaaaaa etc etc.

what ANet and NCSoft should do is write some security code into their website and game client that detects this kind of shit.

apart from that, i am sure any smart kid can hack into your account. they just need to get all the saved passwords and auto-fills from forms from your webbrowser. maybe just put a backdoor trojan on your computer like backorifice. how do i get your IP? easy, you been playing HA or teaming up on a free Vent channel... easy to get your IP now.

shit man, i could even get your ip from any website that i set up. i can view the last 50 ip addresses that have hit my website if i want. its easy to script.

even tho its a game and i don;t really care if i lost everythiung tomorrow, i still sign for better security. after all, even tho i don;lt really care if i lost everyting (got nothing to lose really), i woiuld prefer not to.

Namaste! Trin

EDIT: Speaking of which, i just checked how much info i could get just by looking at this forum. I eventually found out my ABN number and from that all my past postcodes from the last 10 years where my business was located as well as previous business names. i am sure i could peice together more history if i then linked my real name (from my ABN) to facebook.... i am sure its easy enuff for someone to hack you if they want...

The way I'm reading posters here, there's no ratelimit on login attempts?

Assuming you can only attempt to login 5 times a minute and (say) 30 times a day, bruteforcing would seem impossible.

Link each guildwars account to the owner's ip. If your ip changes, require a cd key to reset the address.

No more hacking.

Funny, but if it were a good password using special characters, upper case lower case, and numbers, you increase your range to 94 different characters.
If you have a 10 digit password that's 53 qunitrillion combinations. If you had 10 powerful computers working together to crack this single 10 digit password it could take up to 6,531,568 days. I really doubt these Chinese hackers are using super computers.

P.S. It does suck that GW has no limit on the # of failed passwords attempts. I think that would be ok to program in. I don't really like the idea of making armor not salvageable though. Anyways just make your password a few digits longer, cause it will make it exponentially harder to crack.

I use the same Email address, user name, and a variation of 4 memorable passwords all over the internet and Ive never been hacked.

I used the same password everywhere too for over two years, then with all the account safety boo hoos going around I added a single number, symbol and second word and swap them around from time to time.

If I get hacked, you will know about it. I never open emails that I werent expecting or that are not from a known secure website registration. I never download any junk programs or applications that I dont need (only thing I tried for this game was GWX2).

If you are worried about security, change your password regularly.

GW "rich" people if that comes to reality: