Poll: Account Security Solutions
Ambitious
Xenex Xclame
Quote:
I understand people's concerns, and sympathize with those who have had their accounts stolen. Many games have been targeted by hackers recently. They're using information taken from other games and other websites and trying that account information in Guild Wars and other games.
|
Thank you for your reply, but it doesn't really help us and it does nothing to set us at ease.
It has zero benefit if we change our passwords, because changed or not, the only thing unwanted guests need is your login email address; they neither need access to that email nor do they need the old password. At every other place, if you want to change the password you need the old password, or you need the email, which is where the actual password change happens.
I know that most of this problem is not yours or Anet's fault but instead NCsoft's fault, but that is no reason to do nothing for us that will actually help us with the problem.
If NCsoft does not want to work on the issue, I suggest you as Anet advise people to not link their account to NCsoft, because doing so may open you to a HUGE vulnerability. You try to work on a way for the ones of us that did link our accounts (hello free storage pane), but which no longer wish for them to be linked, to be able to unlink the account from your side of the connection.
We no longer trust NCsoft and we no longer wish to be open to this vulnerability. In my opinion there should be absolutely no work on GW2 until you can sort out this problem; if you do not, we will have the same problems with GW2. But I am simply one player in the thousands of players that play this game, so my opinion will most likely be disregarded, which is not unexpected.
Thank you.
A concerned player.
JimmyNeutron
Quote:
I'm trying to take heed of this warning and change my password, but I'm running into some difficulties.
I registered an NCsoft account, and attempted to add my Guild Wars account to it so I could change my password. However, it needs the "serial code." Where can I find this code? |
That's like saying to the Locksmith:
Thief: This is my house, could you let me in?
Locksmith: As long as I get paid for my service, I don't give a damn if it's your house or not. Not my job. My job is to open locks.
Regina Buenaobra
Quote:
Damn it woman, stop failing and LISTEN. Look at the poll results.
There are many ways accounts are compromised, singling out one obvious one, which probably only accounts for a small proportion anyway is not going to solve the problem or address people's fears. Limit the consequence of the hack, implement a no delete on characters, how hard is that? |
AtomicMew
Quote:
Sorry, but you do not have all the information our security team has about this issue, so you cannot accurately determine how effective one method is over another. Furthermore, this isn't the only way we're trying to help protect players. Our development team is continuing to work on solutions.
|
Since accounts are being hacked through resetting the password on the playNC website, a common question is: why can't you implement e-mail confirmation when resetting passwords? Is it because that is something NCSoft has control over? If so, why are you not pressuring NCSoft to change it, and if you are, why are they doing nothing?
Tullzinski
Quote:
Sorry, but you do not have all the information our security team has about this issue, so you cannot accurately determine how effective one method is over another. Furthermore, this isn't the only way we're trying to help protect players. Our development team is continuing to work on solutions.
|
However, there have been numerous people that have reported accounts being stolen/hacked and getting the email from NCsoft Master Hub notifying them the password has been changed by IP addresses from RMTs in China.
Common sense tells us that the weak point is there. So it does not take a rocket scientist to determine that if the function was turned off for now it would reduce the amount of accounts stolen.
While I am not saying all of the hacked accounts are because of NCsoft site, it is obvious that once that login and password are hacked it is giving the hackers free access to any and all accounts tied to the NCsoft Master Hub.
Please disable that site's ability to change passwords. With Wintersday coming up tomorrow, I can imagine that a lot of people that have not played in a while will be returning, and if they forgot the passwords it is nice to be able to direct them to the automated site to reset it. But this needs to happen and soon despite the influx. Which is going to cost more: having support reset passwords manually or dealing with the increase of hacked accounts?
karlik
Quote:
Sorry, but you do not have all the information our security team has about this issue, so you cannot accurately determine how effective one method is over another. Furthermore, this isn't the only way we're trying to help protect players. Our development team is continuing to work on solutions.
|
When I change my password from the ingame menu it wants my current password. When I change it from ncsoft it just wants a new password. That equals zero security. I agree with the above request, remove the ability to change passwords from the ncsoft menu.
trielementz
Quote:
Someone at 122.147.127.153 has reset your Guild Wars Game Account password for account [xxx]. If you did not make this change, please contact support immediately at [email protected]. |
okay, venting aside, i was reminiscing of the good old days in thunderhead keep and eternal grove. enemies attacking on multiple fronts, a small team of adventurers fending them off in a fort. When one entry point was under extreme duress, the team was reshuffled immediately to stem the threat, with much frantic pinging and arrows drawing on the minimap. failure to do so usually resulted in a wipeout. many dwarven kings and tree singers must have fallen in the course of guild wars. good times.
on to these account breaches. i have read gaile's and regina's statements on these account breaches. The general strategy seems to be a) change password b) wait while the team comes up with a resolution.
a) is not really an ideal response to these breaches. many players are on hiatus and do not even log in or follow the forums. I was only aware of all these issues after receiving that dreaded email. of course, now that i know, there is no way for me to change my password without support's assistance.
b) is well and good. but it seems to be more skewed towards the mid or long term. this "brainstorming" is not about how to hustle that warrior to the west gate, it is about how to slay the evil lich king at his lair. thunderhead keep could well be lost by the time we figure out how to slay the lich king, in which case we will never get to him.
to summarize my opinions:
a) short, medium, long term solutions are required. this is true in every crisis. what are the short terms resolutions offered so far? the first post in this thread was 10th dec. it has been almost a week since then. many accounts could have been saved if some form of short term action was taken.
b) service support standards are lacking. this is an online game. the account governs my ownership of the game. theft of my account equals theft of my copy of the game. 7 hours (and counting) is too long a wait for a simple account lock request or even an initial contact by a support rep. i have not even been attended to, so i can only wonder how long it'll take for that to happen.
c) separation of concerns is a standard audit procedure. i am at fault for reusing passwords for forums and internet support accounts like ncsoft. to be realistic, few users are going to have separate passwords for the multitudes of websites out there. however, i practice tranching. i make it a point to have a different username and password for accounts which require higher security. guild wars was one of those accounts. that my guild wars account was breached possibly because a different forum account was breached stinks of irregularity.
d) keyloggers and trojans are a possibility, but i'm confident there would have been some actual reports of malicious software on someone's pc considering the severity of this outbreak. occam's razor.
e) this is not the bigger battle. the bigger battle is guild wars 2. i've just had 3 to 4 years of gaming effort on guild wars compromised. the heart-break is hard for a non-gamer to imagine (after all, it's all virtual right?). i have serious misgivings about any online games which cannot safeguard my progress/ownership. it may well be that this is my farewell to tyria.
Tramp
Quote:
What we do have is the info we see from people who have been hacked - and time and time again it points back to ncsoft.
When I change my password from the ingame menu it wants my current password. When I change it from ncsoft it just wants a new password. That equals zero security. I agree with the above request, remove the ability to change passwords from the ncsoft menu. |
Inner Salbat
Quote:
Someone at 122.147.127.153 has reset your Guild Wars Game Account password for account [xxx]. If you did not make this change, please contact support immediately at [email protected].
|
descr: 1F~11F, No. 218, Rueiguang Road
descr: Taipei Taiwan 114
Do a whois from a command prompt for more detailed information.
And yes I am another one that was hacked, without sharing info on any forum or website.
Uhmm, guess my avatar needs changing
Tullzinski
Sorry to hear about the above members getting hacked.
ANET/NCsoft:
Two more examples of gold sellers stealing accounts. Regardless of how they were hacked, the NCsoft Master Hub Password reset function needs to be turned off. It is the finish line for the hackers and should be disabled immediately.
Are we going to see a flood of accounts hacked with the return of many members due to the event weekend?
VV what he said below VV
Silverblad3
Regina/Anet
Accounts are being compromised every day and there needs to be some level of damage limitation ASAP. Allow people to at least lock characters, otherwise you will see more folks walking away from GW and GW2. If any of my friends get hacked they will not get GW2.
Accounts have been hacked for a long time already and there needs to be immediate damage limitation. There is no comfort for those who have been compromised, nor does the fact that anet are working on solutions. Me and others are not prepared to spend at the store, and every day folks are scared that their account is another statistic, regardless of how it happened.
Please make this possible before more fans and players are compromised.
TY
karlik
Rinoa Hawkeye
Quote:
descr: New Century InfoComm Tech. Co., Ltd.
descr: 1F~11F, No. 218, Rueiguang Road
descr: Taipei Taiwan 114
Do a whois from a command prompt for more detailed information.
And yes I am another one that was hacked, without sharing info on any forum or website. |
Someone at 122.147.127.156 has reset your Guild Wars Game Account password for account [...]. If you did not make this change, please contact support immediately at [email protected].
Did a whois, got:
descr: New Century InfoComm Tech. Co., Ltd.
descr: 1F~11F, No. 218, Rueiguang Road
descr: Taipei Taiwan 114
country: TW
and a person's name, email, apartment number. It's been 18 hours since I filled out a support ticket, still got nothing but the automated response.
I posted in Bellissima's thread on GWO. From NCSoft, I only got the generic "your password has been reset" email, and then tried to login to my PlayNC/NCSoft account, and could not. Someone hacked into my PlayNC account, changed my security questions/answers, and changed my Guild Wars password. Even though I use a unique password for Guild Wars, which I haven't typed in ages (I use the Properties shortcut), apparently you don't even need to enter your old Guild Wars password in PlayNC to change it.
So, essentially, all that is standing between you and $150 worth of game is a very hackable website. I wish there were an unlinking option, or heck, requiring your old GW password to change to a new one.
At least my characters have not been deleted -- someone was kind enough to check, and my igns are still addable to the Friends List.
Otherwise, I second this post:
Quote:
[T]he flaw lies within NCSofts Site. It has been reported from various independent sources and you'll only have to look at the "Change your Password" Method to see how utterly fail this whole Master-Account security is.
So I would vote for "Other S/W", specifically suggesting that NCSoft gets their **** together. Other than that, there are no further security updates needed. The easiest solution would be to UNTIE all GW-Accounts from the useless, security-lacking, no-advantage-at-all "Master-Account". But Anet being a 100% subsidiary of NC I don't see that happening. |
Chthon
I am back in this thread but briefly.
No amount of "our security team knows better than you do" is going to make anyone with even the slightest shred of common sense believe that the NCSoft site doing things like telling anyone whether a given string is a valid username or allowing unlimited login attempts with no delay is OK.
Quote:
Sorry, but you do not have all the information our security team has about this issue, so you cannot accurately determine how effective one method is over another.
|
Quote:
Did a whois, got:
descr: New Century InfoComm Tech. Co., Ltd.
descr: 1F~11F, No. 218, Rueiguang Road
descr: Taipei Taiwan 114
country: TW
and the person's name. |
I am very sorry about your account.
That name is the name of the contact info for New Century InfoComm Tech. Co., Ltd., which is most likely just an ISP. That person is probably not responsible and probably not willing or able to help figure out who is.
Perhaps, something is being done though:
Has anyone checked to see if the same gaping security flaws are still there?
JimmyNeutron
I can see it now.
GW Update: A Bank has been added to GW. Like a regular bank, you need an ATM card to deposit and withdraw anything from the bank. How will this work? Your ATM card can be anything you have in inventory, materials, rare drops, armor, dyes, etc...
Once you place the ATM item into the Bank, you will then be required to enter a 4 digit pin #. If the wrong ATM item is placed in, it WILL still ask you for a 4 digit pin #. This is to prevent hackers from guessing if they have the right ATM item or not. Once the correct pin # is entered, you can store anything you want into the bank; gold, materials, weapons, etc... and even the ability to lock up any characters from deletion!!!
Ex. ATM Item: 4 Pile of Glittering Dust (NOTE: This is not the same as 1 Pile of Glittering Dust or a Stack of Dust). The 4 IS IMPORTANT!!!!
Timer: Wait 5sec REGARDLESS of correct ATM item or not
Enter Pin.
Wait 5 sec
Bank Unlock if correct.
Why the timers? Like I said, to prevent hackers. Long time ago, Unix hackers would be able to guess a username easily if they got the Password prompt immediately. Getting the Password prompt means the username exists and therefore returns the Password prompt instantly. However, if the username doesn't exist, it searches its "passwd" file for the username that was entered and this takes about 5-10secs. Hackers would know if it takes more than 5sec, an invalid username has been entered and to try the next username. Don't ask how I know. LOL!!!
Fun part back then was passwd wasn't encrypted till later on. Someone could've just typed "cat passwd" and logged the entire output to a txt file. Later on, encryption was implemented and passwd- <---hyphen added, but still wasn't secure. Anyways, I'm digressing.
But you get the point...a Bank added!!!! all yours for the low price of $9.99!!!!
NOTE: This idea is (tm) and patent pending!!! To use this feature, please contact me for royalties fees.
LOL!!!
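The complaints raised in the posts above (a password change that asks for no current password, no e-mail confirmation on reset, a site that reveals which usernames exist, unlimited login attempts) can be addressed together. The following is an added example, not part of the original thread and not NCsoft or ArenaNet code; the class, its method names and all limits are hypothetical, and it equalises the work done for unknown logins rather than adding the fixed delay the post describes.

```python
import hashlib
import hmac
import secrets
import time


class AccountService:
    """Toy account store; every name and limit here is a hypothetical choice."""

    GENERIC_REPLY = "If that account exists, a confirmation link was emailed to it."
    TOKEN_TTL = 15 * 60      # seconds a reset link stays valid
    MAX_FAILURES = 5         # wrong passwords allowed per window
    WINDOW = 10 * 60         # seconds

    def __init__(self, clock=time.time):
        self.clock = clock
        self.accounts = {}    # login -> (salt, password hash)
        self.failures = {}    # login -> timestamps of recent wrong passwords
        self.tokens = {}      # sha256(token) -> (login, expiry)
        self.outbox = []      # (login, token): stands in for the mail system
        # Record checked for unknown logins, so they cost the same hashing work.
        self._dummy = self._make_record(secrets.token_hex(16))

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _make_record(self, password):
        salt = secrets.token_bytes(16)
        return salt, self._hash(password, salt)

    def register(self, login, password):
        self.accounts[login] = self._make_record(password)

    def _locked(self, login):
        now = self.clock()
        recent = [t for t in self.failures.get(login, []) if now - t < self.WINDOW]
        self.failures[login] = recent
        return len(recent) >= self.MAX_FAILURES

    def check_password(self, login, password):
        """Same answer and same hashing work whether or not the login exists."""
        if self._locked(login):          # applies to unknown logins too
            return False
        record = self.accounts.get(login)
        salt, stored = record or self._dummy
        match = hmac.compare_digest(self._hash(password, salt), stored)
        ok = match and record is not None
        if not ok:
            self.failures.setdefault(login, []).append(self.clock())
        return ok

    def change_password(self, login, current, new):
        """Change from a logged-in menu: the current password is required."""
        if not self.check_password(login, current):
            return False
        self.accounts[login] = self._make_record(new)
        return True

    def request_reset(self, login):
        """Forgotten password: nothing changes yet, and the reply never varies."""
        if login in self.accounts:
            token = secrets.token_urlsafe(32)
            digest = hashlib.sha256(token.encode()).hexdigest()
            self.tokens[digest] = (login, self.clock() + self.TOKEN_TTL)
            self.outbox.append((login, token))
        return self.GENERIC_REPLY

    def confirm_reset(self, token, new_password):
        """Only the holder of the emailed, single-use token can set a password."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        login, expiry = self.tokens.pop(digest, (None, 0))
        if login is None or self.clock() > expiry:
            return False
        self.accounts[login] = self._make_record(new_password)
        return True


if __name__ == "__main__":
    svc = AccountService()
    svc.register("player@example.test", "old-password")
    print(svc.request_reset("player@example.test"))
    print(svc.request_reset("nobody@example.test"))   # identical reply
    _, token = svc.outbox[0]
    print(svc.confirm_reset(token, "new-password"))
```

Failures are counted per login string whether or not the account exists, so a lockout cannot be used to tell valid logins from invalid ones either.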
the_jos
Quote:
Don't forget the huge number of people linking to NCsoft to buy costumes. I suspect that will generate quite a few new hacks as well.
|
However, I'm not convinced that the NC website is less secure than the GW login. It's just a better target for hackers than the individual game accounts.
From my point of view the link to the NC account does not make the GW account less secure, it seems like two entry points but just as a normal burglar they can work most efficient on one door at the time.
What I do know is that targeting the NC account is far more profitable for a hacker than the GW account. Because the account might be linked to several games. It might well be that the criminals figured this out and are now working full-force on the NC accounts and less on the GW/Aion/whatever accounts they used to work on. Meaning an increased amount of people getting hacked on their NC account.
Rinoa Hawkeye
Thank you. As for the name, I can't say it is the hacker, but it gave me an apartment number from the address, a name, an email (hotmail, no less). I'm not going to do anything with it because I don't know what I would do--not even sure this is the right person, and I don't speak Taiwanese. I guess it's just a waiting game now, until NCSoft restores access to my account.
karlik
Quote:
Is the master account vulnerable? Probably no more and no less than the GW account itself. It might be that the NC website allows a faster process of brute-forcing accounts, but I cannot tell because I don't know the mechanics behind it.
However, I'm not convinced that the NC website is less secure than the GW login. It's just a better target for hackers than the individual game accounts. From my point of view the link to the NC account does not make the GW account less secure, it seems like two entry points but just as a normal burglar they can work most efficient on one door at the time. What I do know is that targeting the NC account is far more profitable for a hacker than the GW account. Because the account might be linked to several games. It might well be that the criminals figured this out and are now working full-force on the NC accounts and less on the GW/Aion/whatever accounts they used to work on. Meaning an increased amount of people getting hacked on their NC account. |
Regardless of how, once they get into NCsoft, it is as you said, they have access to any game account you have linked. From that point they don't need to know any passwords, they can change the game passwords at will and start cleaning your accounts.
slowerpoke
A number of security flaws are present on that ncsoft account website, which have been pointed out numerous times and all are still present.
Martin Alvito
Xenex Xclame
It seems like we all should start calling you names Regina, it seems like that is the only way we get a response.
Can you not try to answer some of our questions without being so vague?
Is the way NCsoft account retrieval system set up a vulnerability?
Would you advise us against linking our accounts?
etc etc etc.....
If you don't want to answer, or most likely if you are not allowed to answer a particular question, you could say "no comment" instead of the normal walk around the bush answer.
"Most of the hacks are coming from keyloggers etc etc" does not answer the question on how secure NCsoft is.
Tullzinski
Keyloggers, Fan Site Hacked, Malware, Same Password for everything, Santa brought them a list of accounts and passwords for Xmas, they are all being used to hit NCsoft Master Hub and gain access to all accounts linked there.
I hope that NCsoft has taken our advice and disabled the password reset as seen by the screenshot flubber posted in another thread. Would be nice to get something official stating this is the case.
Very good point!
Cluebag
I'd be curious to see if some of the devs, or people with otherwise very rare minis, would be willing to reset their passwords thru the NCsoft site. Kind of a "put your money where your mouth is" experiment.
I can see it now.
Guru people: "Hey Gaile, would you mind doing a pw reset thru the PlayNC site and let us know how that works out for you?"
Gaile: (to herself) "What the..? These people have lost their motherf*cking minds?" (aloud) "Ahem, uhh... um... yes, our dev team is diligently working on this situation. And don't forget to change your password immediately..."
Guru people: "How 'bout you Wasabi? You prob can get the homie hookup thru your ZoS buddies, how 'bout testing out that NCsoft pw reset for us?"
/crickets
Guru people: "Hello?"
Regina Buenaobra
Regarding the comments linking NCsoft Master Accounts and hacked game accounts: our security team has conducted extensive research on this, and there doesn't appear to be an increased risk of getting an account stolen if you have an NCsoft Master Account. According to our support team, in a cross-sampling of accounts, nearly half did not have an NCsoft Master account at all. So, while there is a perceived risk factor about the NCsoft Master account, the actual data shows that this connection does not seem to be an element in this situation.
[More info]
Inde
Quote:
I'd be curious to see if some of the devs, or people with otherwise very rare minis, would be willing to reset their passwords thru the NCsoft site. Kind of a "put your money where your mouth is" experiment.
I can see it now. Guru people: "Hey Gaile, would you mind doing a pw reset thru the PlayNC site and let us know how that works out for you?" Gaile: (to herself) "What the..? These people have lost their motherf*cking minds?" (aloud) "Ahem, uhh... um... yes, our dev team is diligently working on this situation. And don't forget to change your password immediately..." Guru people: "How 'bout you Wasabi? You prob can get the homie hookup thru your ZoS buddies, how 'bout testing out that NCsoft pw reset for us?" /crickets Guru people: "Hello?" |
I'm not saying this draws any conclusions but thought you may want to know that I have indeed tried it out.
Xenex Xclame
You're missing the point Regina.
We understand that some of the accounts hacked are not linked to NCsoft; our problem is with the accounts that are linked. Have the accounts that have been hacked through NCsoft been mostly breached by people just trying dozens of times until they got lucky, or are the accounts breached from the first try, which would mean the hacker knew the password already, which no security would alleviate?
So to really get an answer to this issue, you would have to disregard the accounts hacked in other ways and only focus on those hacked from NCsoft. If you can say that most of the accounts were breached immediately, you would know that someone had already got the password, so then most of the work would be in reminding people not to share or use the same passwords etc.
If, however, the accounts are breached by inputting possible passwords hundreds of times until the person got lucky, you would know that there is a problem with letting someone attempt to enter the password an excessive amount of times.
On the email activation issue, I simply do not see any reason not to implement this. The email account to where the email announcing that your password has been changed (after it already was) can be changed to any new address, so people not having access to the old original guildwars login email is not an issue. The only reason why NCsoft would not be able to work on this is because they don't want to, as there isn't any reason I can come up with.
The wiki link is pointing out the same thing I am, which is that it seems like you do not understand what our point is: you read "NCsoft linked account hacked" and you go into an autoresponse mode, instead of looking at the points we are trying to get across. At least that is how it seems.
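The distinction drawn in the post above (break-ins that succeed on the first try versus ones that follow many guesses) can be read out of web login logs for the accounts reported stolen. The following is an added example, not part of the original thread and not based on any real NCsoft log; the log format, account names, documentation-range IPs and the threshold of 10 are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp> account=<id> ip=<addr> result=OK|FAIL"
LINE = re.compile(r"(\S+) account=(\S+) ip=(\S+) result=(OK|FAIL)")


def build_sample_log():
    """Constructed sample data: made-up accounts, documentation-range IPs."""
    t0 = datetime(2009, 12, 15, 3, 0, 0)
    rows = [
        (0, "acct-a", "198.51.100.10", "FAIL"),   # owner typo, different IP
        (5, "acct-a", "198.51.100.10", "OK"),
        (500, "acct-a", "203.0.113.7", "OK"),     # stranger, first attempt
        (700, "acct-c", "203.0.113.9", "FAIL"),
        (705, "acct-c", "203.0.113.9", "FAIL"),
        (710, "acct-c", "203.0.113.9", "FAIL"),
        (715, "acct-c", "203.0.113.9", "OK"),
    ]
    rows += [(600 + 2 * i, "acct-b", "203.0.113.8", "FAIL") for i in range(25)]
    rows.append((660, "acct-b", "203.0.113.8", "OK"))
    return [
        f"{(t0 + timedelta(seconds=s)).isoformat()} account={a} ip={ip} result={r}"
        for s, a, ip, r in rows
    ]


# Constructed reports: account -> IP named in its "password has been reset" notice.
REPORTS = {
    "acct-a": "203.0.113.7",
    "acct-b": "203.0.113.8",
    "acct-c": "203.0.113.9",
    "acct-d": "203.0.113.10",   # reported stolen, but no web login in the log
}


def parse(lines):
    events = []
    for line in lines:
        m = LINE.fullmatch(line.strip())
        if m:                                   # skip anything malformed
            ts, acct, ip, result = m.groups()
            events.append((datetime.fromisoformat(ts), acct, ip, result))
    return sorted(events)


def classify(lines, reports, guess_threshold=10):
    """Return {account: (label, failed attempts before the first success)}."""
    events = parse(lines)
    out = {}
    for acct, ip in reports.items():
        fails, got_in = 0, False
        for _, a, src, result in events:
            if (a, src) != (acct, ip):
                continue                     # other accounts, or the owner's own IP
            if result == "OK":
                got_in = True
                break
            fails += 1
        if not got_in:
            label = "no-login-seen"          # taken over by some other route
        elif fails == 0:
            label = "first-try"              # password was already known
        elif fails >= guess_threshold:
            label = "repeated-guessing"      # attempt limits would have mattered
        else:
            label = "few-attempts"           # ambiguous; review by hand
        out[acct] = (label, fails)
    return out


def summarize(result):
    """Count reported takeovers per label."""
    return Counter(label for label, _ in result.values())


if __name__ == "__main__":
    for acct, (label, fails) in classify(build_sample_log(), REPORTS).items():
        print(f"{acct}: {label} ({fails} failed attempts first)")
```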
Shanaeri Rynale
As I said loads of posts ago. We are getting hung up on the NCSoft website. We need not wait for NCsoft to sort out the website. Anet can implement damage limitation measures without them WHILE the website is being sorted or reviewed. It's not an either or.
Even such things as rare mats being unable to be salvaged any more from Elite armors would help people, and that's just a simple change to a loot table.
Xenex Xclame
Quote:
As I said loads of posts ago. We are getting hung up on the NCSoft website. We need not wait for NCsoft to sort out the website. Anet can implement damage limitation measures without them WHILE the website is being sorted or reviewed. It's not an either or.
Even such things as rare mats being unable to be salvaged any more from Elite armors would help people, and that's just a simple change to a loot table. |
The problem with that is that it would take a lot of work, a lot more than say a website change. And on that I don't think it's hard to believe that Anet may have no control over that. I personally would rather not people have access to my account, instead of having securities for when they are already in.
Tullzinski
Quote:
Regarding the comments linking NCsoft Master Accounts and hacked game accounts: our security team has conducted extensive research on this, and there doesn't appear to be an increased risk of getting an account stolen if you have an NCsoft Master Account. According to our support team, in a cross-sampling of accounts, nearly half did not have an NCsoft Master account at all. So, while there is a perceived risk factor about the NCsoft Master account, the actual data shows that this connection does not seem to be an element in this situation.
[More info] |
Point is that once INSIDE the NCsoft site, any and all accounts linked are easy pickings since the hackers can change passwords at will, regardless of whatever ironclad passwords are applied at the individual games. This needs to be shut down until fixed. It is not ANET's/NCsoft's fault that the information is being stolen, BUT that site is a golden cow once it is breached. Why the refusal to help the community by turning the password reset option off at the NCsoft site is confusing.
How many more people have to post here and at other sites until ANET/NCsoft sees this???
Martin Alvito
Quote:
Regarding the comments linking NCsoft Master Accounts and hacked game accounts: our security team has conducted extensive research on this, and there doesn't appear to be an increased risk of getting an account stolen if you have an NCsoft Master Account. According to our support team, in a cross-sampling of accounts, nearly half did not have an NCsoft Master account at all. So, while there is a perceived risk factor about the NCsoft Master account, the actual data shows that this connection does not seem to be an element in this situation.
|
You're also not telling us the exact discrepancy or your sample size. If you have a smallish discrepancy, about half of GW accounts have NCMAs, and you looked at hundreds or thousands of accounts, then you almost certainly have a problem with the NCMA. If your sample size is very small (you sampled fifty of 1000 hacked accounts), it's not realistic to believe that the sample is representative or random.
You're not giving us sufficient information with which to validate your claim. Without that information, we're not going to update our beliefs. The best information available to us tells us that there is a problem with the NCMA.
You are doing nothing to disprove that claim, and you're only making your PR problem worse. You're making it look like either you're being disingenuous, or that your team doesn't know its business, by repeatedly citing a datum that doesn't necessarily support your argument.
In short, while it may be the case that the majority of accounts are being stolen by keylogger or through unsecured personal data, it looks to us like there is a sizable minority that is being stolen through the NCMA. The frustrating part about this is that, if this is true, we lack any control over the situation. If we get hacked for the reasons you claim we are getting hacked, we have no one to blame but ourselves. But if we get hacked due to NCMA vulnerabilities, we are blameless but you will not accept responsibility for the situation. Further, there is nothing for us to do but wait to get hacked via the NCMA if the thesis is true and you refuse to do anything about it.
Shanaeri Rynale
Quote:
The problem with that is that it would take a lot of work, a lot more than, say, a website change. And on that, I don't think it's hard to believe that Anet may have no control over that. I personally would rather people not have access to my account, instead of having securities for when they are already in.
|
I doubt changing loot tables is a lot of work. So is making certain items untradable or unable to be dropped or salvaged.
Even if it is, we still have at least two ways in, from the NCsoft website and from not using it. Therefore, with two ways in, it makes sense for Anet to limit the effects on an account once a hacker has got in.
karlik
What you say-
What I hear -
"According to our support team, in a cross-sampling of accounts, over half did have an NCsoft Master account after all."
And yes, as said above, all the numbers matter. If, for example, only 27 percent of all Guild Wars users have an NCsoft account, but over half of the accounts that have been hacked had an NCsoft account, the numbers are pretty damning. On the other hand, if 97 percent of all Guild Wars users have an NCsoft account, and only half of the hacked accounts had an NCsoft account, then that's pretty much an even split down the middle.
I will admit that I would have only myself to blame if I use the same login name and password for my NCsoft account as I do for every forum and web site that I visit. But is it really too much to ask that you guys make a simple change and either remove the option to change the password at NCsoft or at least add some security at that point and request the existing game password, email confirmation, or something?
I guess the real question is we have perceived a security flaw here. We keep asking about it, and all we hear is we are wrong, your data shows it's not a problem. I for one don't feel better knowing what your data says. I see a problem here that I'd like to see fixed.
Why not humor us and change it? If you're right, you prove us wrong and win some "told you so" points. If we're right, the number of hacks will drop. Either way, nobody loses.
I totally agree that the NCsoft site isn't the only problem/solution. But it's a start.
Quote:
According to our support team, in a cross-sampling of accounts, nearly half did not have an NCsoft Master account at all.
[More info] |
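The base-rate comparison that Martin Alvito and karlik ask for above can be worked through numerically. This is an added example, not part of either post: the sample counts are constructed, the 50% base rate follows Alvito's "about half", the 27% and 97% base rates are karlik's hypotheticals, and the function names are assumptions.

```python
from math import exp, lgamma, log

def log_pmf(k, n, p):
    """Log of the Binomial(n, p) probability of exactly k linked accounts."""
    return (lgamma(n + 1) - lgamma(k + 1) - lgamma(n - k + 1)
            + k * log(p) + (n - k) * log(1 - p))

def tail_probability(k, n, p):
    """Chance of a count at least as extreme as k (in k's direction)
    if linking made no difference to the risk of theft."""
    ks = range(k, n + 1) if k >= n * p else range(0, k + 1)
    return min(1.0, sum(exp(log_pmf(i, n, p)) for i in ks))

def odds_ratio(k, n, p):
    """Odds of being linked among stolen accounts, relative to the odds
    of being linked among all accounts (needs 0 < k < n and 0 < p < 1)."""
    share = k / n
    return (share / (1 - share)) / (p / (1 - p))

def assess(linked, sample, base_rate):
    return {
        "share_linked": linked / sample,
        "base_rate": base_rate,
        "odds_ratio": round(odds_ratio(linked, sample, base_rate), 2),
        "p_value": tail_probability(linked, sample, base_rate),
    }

# Constructed scenarios: (stolen accounts that were linked, stolen accounts
# sampled, share of ALL accounts that are linked). 55% linked in every sample.
SCENARIOS = [
    (22, 40, 0.50),      # small sample, small discrepancy
    (1100, 2000, 0.50),  # same discrepancy, large sample
    (22, 40, 0.27),      # karlik's 27 percent case
    (1100, 2000, 0.97),  # karlik's 97 percent case
]

def run():
    return [assess(*s) for s in SCENARIOS]

if __name__ == "__main__":
    for row in run():
        print(row)
```

The same 55% share is unremarkable in a sample of 40 against a 50% base rate, but not in a sample of 2000, which is why both the base rate and the sample size are needed to read the support team's figure.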
Rinoa Hawkeye
I got access back to PlayNC. Changed all my passwords and security questions. They took care of this a lot sooner than I thought.
I appreciate how they handled this, but it really should not have happened in the first place. At the very least, I'd like to receive confirmation emails for any changes to my PlayNC account.
As for my Guild Wars account... Ugh. So far, what's been taken:
- My one and only Obsidian Armor (Mesmer) is gone except the gloves (they were left in storage for some reason).
- All my rare materials gone, including about 40 ecto.
- All my plat (but 64g left on my monk!).
- All black and white dyes.
- All consumables.
- Kuunavang and all gold and green minipets, including the PC Gamer promos (but not Shiro).
- Everything on my dervish (she had all my valuable golds and greens).
- Any armor piece with a Sup Vigor, which, unfortunately for me, are chest pieces. My ranger's norn chest piece, many of my Mesmer's chest pieces, and a whole lot of my other chars' are gone.
While I am saddened by what's happened, I have to say my guildies and friends have been really supportive, and I'm very lucky to have such kind people around me.
The security hole that is PlayNC needs to be closed, but as Shanaeri has said, there are a lot of things they could do to minimize damage. Not making armor salvageable would have personally helped me quite a bit.
Quote:
Subject
I did not reset my password
Discussion Thread
Response (GM ...) 12/18/2009 12:24 PM
Hello [...],
Thank you for your patience to this point. It appears as though your NCsoft master account may have been compromised. We can help you resolve this issue and bring the account back under your control. That would allow you to manage your Guild Wars game account directly from this point forward.
Your NCsoft master account (...) password has been reset and the automatically generated password has been sent to your [...] e-mail address. If you do not receive this e-mail, please check any spam/junk mail folders as some e-mail services might recognize the auto-generated password e-mail as spam.
The following articles from the Knowledge Base should then assist you with resetting your NCsoft master account and Guild Wars game account passwords once you are able to log into your account again.
Title: Changing a NCsoft Password
URL: http://help.ncsoft.com/cgi-bin/ncsof...p?p_faqid=4422
Title: Changing Guild Wars Password within your NCsoft Master Account
URL: http://help.ncsoft.com/cgi-bin/ncsof...p?p_faqid=5319
Please let us know if we can be of further assistance in this matter.
Thanks,
GM [...]
Guild Wars Account Support |
Shanaeri Rynale
From Regina's post it seems GW is like a house with two entrances (NCsoft and non-NCsoft). The locks on both doors can be broken into, so it makes no sense to put all the effort into securing one door only.
IMHO it makes more sense to try to fix both but in the meantime make it so thieves can't steal the contents of the house while you do so.
I.e. damage limitation first.
JimmyNeutron
*****************READ ME*****************
I was trying to log into my NCSoft account to reset my password to something I can't even memorize, using extended ASCII characters if possible and over 500 characters if allowed, but couldn't get my password reset. After many failed attempts, my account was locked out temporarily or maybe permanently.
Just curious, how long is the lockout for? Is it permanent till I contact Support? If yes, then WE FOUND OUR SOLUTION!!!! We purposely lock our account out so no one, not even ourselves, can log into NCSoft until we contact Support.
However, if the lockout is only for an hour or so, then I guess this won't work.
We may have found a solution!!! I'm locked out of my NCSoft account now and will have to try again in 1 hour to see if it gets unlocked. Hopefully, it stays locked forever till I contact Customer Support.
Martin Alvito
Five attempts at resetting a password appear to lock an account for twelve hours.
Rinoa Hawkeye
Chthon
Quote:
Regarding the comments linking NCsoft Master Accounts and hacked game accounts: our security team has conducted extensive research on this, and there doesn't appear to be an increased risk of getting an account stolen if you have an NCsoft Master Account. According to our support team, in a cross-sampling of accounts, nearly half did not have an NCsoft Master account at all. So, while there is a perceived risk factor about the NCsoft Master account, the actual data shows that this connection does not seem to be an element in this situation.
[More info] |
We've seen, and debunked, this same flawed reasoning before. Accounts are stolen in multiple ways. The fact that ~45% of accounts are definitely not stolen via the NCSoft account in no way means that accounts are not, or cannot be, stolen through the NCSoft account.
By way of metaphor, your argument (which was Gaile's before you) is essentially that of an automobile maker, whose door locks and ignitions can be easily picked with a paperclip, arguing that your crummy locks are not a risk factor in car theft because ~45% of cars are stolen at gunpoint. It's ludicrous. Continuing to repeat it after it's been debunked is a sign of either stupidity or dishonesty.
Moreover, even if accounts were not being stolen through weaknesses in the NCSoft account (and all evidence available to us strongly suggests that they are), the documented vulnerabilities mean that somebody could start doing so at any time. Isn't that reason enough to fix them?
Now, I'm going to re-post a summary of vulnerabilities just to make clear how shoddy the NCSoft site is and how easy it would be to fix.
How to steal GW accounts via the NCSoft master account:
- Step 1: Generate a list of NCSoft usernames.
Systematically run all character strings against the NCSoft site's username field. It will respond differently to real usernames and non-usernames. Save the list of real usernames.
Easy Fix: Give the same error message regardless of whether the entered string is a real username.
- Step 2: Reset the NCSoft password.
Brute force the security questions. Many have small enough search spaces to be guessed quickly. The default birthday question is particularly easy, since you can frontload your search with birthdays in more likely age ranges for players. So is the car color question. (How many color words are there?) Skip accounts with difficult questions. When you guess only one question correctly, the site will notify you which one. You get 5 tries on each account every 12 hours. Each account will take a few months to crack. Maintain adequate yield by working on many accounts in parallel.
Easy Fix 1: Do not notify user if they guessed a question correctly.
Easy Fix 2: Only offer questions with large search spaces.
Easy Fix 3: Require all account holders to use a "write your own question" question.
Easy Fix 4: Lock out account and notify support and e-mail account holder after repeated failed password-reset attempts.
Easy Fix 5: Blacklist IPs making multiple failed password-reset attempts to multiple accounts. (While attackers could mask IPs, this would add time to every iteration and slow down their attack.)
- Step 3: Obtain the newly-reset NCSoft password.
I don't know how this is done. Based on the fact that the attackers seem to be bypassing the user, I have 3 theories I'd like to test.
- Step 4: Copy GW username from the NCSoft site.
It's there. Copy it.
Easy Fix: Do not display GW username in the NCSoft account.
- Step 5: Change GW password to whatever you like.
There is no further security to stop you.
Easy Fix: Require the user to enter the current GW password and/or respond to a confirmation e-mail before allowing the user at the NCSoft site to change the GW password.
- Step 6: Log in to the GW account and loot it.
Also, the NCSoft account appears to have no countermeasures at all against brute forcing the NCSoft password. Apparently you can try over and over without getting the account locked out, or getting IP banned, or even getting a delay between login attempts. This is probably (?) slower than brute forcing the password-reset questions because of the comparatively larger answer space.
Easy Fix 1: Lock out account and notify support and e-mail account holder after repeated failed login attempts.
Easy Fix 2: Blacklist IP's making multiple failed login attempts to multiple accounts.
Responsible Short-Term Fix While Resolving Other Issues: Disable the ability to reset GW password through NCSoft account.
Put it back if/when it's not so easy to get into NCSoft accounts.
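Several of the fixes listed above, sketched as a minimal reset service. This is an added example, not part of the post and not NCsoft's code: the class, field names and the per-source threshold are assumptions, while the five-attempt, twelve-hour lock uses the figures reported in the thread.

```python
import hashlib
import hmac
from collections import defaultdict

MAX_FAILS, LOCK_SECONDS = 5, 12 * 3600   # figures reported in the thread
MAX_TARGETS_PER_SOURCE = 3               # assumed threshold for one source address
GENERIC = "If those details match an account, a reset e-mail has been sent."

def digest(secret, salt=b"constructed-salt"):
    """Store and compare only derived values, never the raw answer or password."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 10_000)

class ResetService:
    def __init__(self, accounts):
        self.accounts = accounts                 # username -> {"answers": [...], "game_pw": ...}
        self.fails = defaultdict(int)            # failed reset attempts per account
        self.locked_until = {}                   # username -> time the lock expires
        self.source_targets = defaultdict(set)   # source -> usernames it failed against
        self.outbox = []                         # (recipient, username, message)

    def request_reset(self, username, answers, source, now):
        acct = self.accounts.get(username)
        blocked = (self.locked_until.get(username, 0) > now
                   or len(self.source_targets[source]) >= MAX_TARGETS_PER_SOURCE)
        # Unknown usernames do the same comparison work as real ones.
        expected = acct["answers"] if acct else [digest("no-such-user")] * len(answers)
        matches = [hmac.compare_digest(digest(a.strip().lower()), e)
                   for a, e in zip(answers, expected)]
        ok = acct is not None and len(answers) == len(expected) and all(matches)
        if ok and not blocked:
            self.fails[username] = 0
            self.outbox.append(("owner", username, "reset link"))
        else:
            self.source_targets[source].add(username)
            if acct and not blocked:
                self.fails[username] += 1
                if self.fails[username] >= MAX_FAILS:
                    self.locked_until[username] = now + LOCK_SECONDS
                    self.outbox.append(("owner", username, "reset locked"))
                    self.outbox.append(("support", username, "reset locked"))
        # One reply for unknown user, wrong answer, lock and success:
        # no username oracle and no hint about which question was right.
        return GENERIC

    def change_game_password(self, username, current_pw, new_pw):
        """Changing the linked game password needs the current game password."""
        acct = self.accounts.get(username)
        if not acct or not hmac.compare_digest(digest(current_pw), acct["game_pw"]):
            return False
        acct["game_pw"] = digest(new_pw)
        self.outbox.append(("owner", username, "game password changed"))
        return True

def demo():
    # Constructed account; answers are stored lower-cased and digested.
    svc = ResetService({"alice": {"answers": [digest("blue"), digest("1985-03-02")],
                                  "game_pw": digest("old-game-pw")}})
    replies = {svc.request_reset("nobody", ["x", "y"], "src-1", now=0),
               svc.request_reset("alice", ["blue", "wrong"], "src-1", now=0)}
    return svc, replies
```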
Quote:
I've reset my NCSoft and Guild Wars password now 3 times over the last 3 weeks. As just an FYI to try it out. I don't mind being a guinea pig. All in the name of science you know. My account is all right.
I'm not saying this draws any conclusions but thought you may want to know that I have indeed tried it out. |