Poll: Account Security Solutions

It's pretty clear to anyone who has ever browsed dev/commentary forums/blogs on this issue that threatening to leave an MMO community (not buy future releases or other boycotts) is about as effective as walking into a bank with a banana, pointing the banana at your own head, and then demanding one million dollars in unmarked Gummy Bears... sure, you might get a few laughs, but you won't be taken very seriously.

The numbers of the players threatening to walk is always far too low, the number of players who actually carry out the threat are insignificant. And in GW's case, they're looking more at new players to expand their base far more than player retention, or at least, they should be. Even for a smaller game (like GW) such threats could be, at best, chuckle worthy.

Why don't we start here with a Riverside thread urging people to not buy anything from the online and the ingame store?

True enough. A boycott isn't scary. The collective action problem is just too much to overcome. But the thesis that people who have been hacked are less likely to buy further content seems intuitive to me. The apparent contributory negligence on the part of NCSoft just makes purchases that much less likely. The role of trust in MMORPGs doesn't come up that often. It's possible to recover from breaching that trust; EVE managed to do so after that ugly incident with GM manipulation. But I guarantee you that incident cost them a substantial amount of money.

Call me crazy, but I just don't see why it's prohibitive for a cash-flush company to provide a quality, modern website with basic, well-understood data protections. You claim your game is a top-ten seller all-time? Act like it.

I'm sure almost no one does these days anyway. Inflicting a paper cut won't accomplish anything, or even signal how upset we are.

The main idea behind it was to gather all the info that points in the direction that using those stores is something that increases the risk to one's account. And then spread this information on all the forums.
This isn't so much about pissing all over A.Net. This is more about us knowing that is potentially unsafe behaviour and as users it's best to refrain from it.
The same way that people post info on new scams to prevent more from happening.

At the very least, i'd like to see some if not MOST of these implemented into GW2. Then they will have more buyers guaranteed. Everyone likes to feel safe right?

Account restoration and a new way of keeping track of where the money go is the only way to do this.

I know you Chthon so I think you already know that: such an action could not only get you into trouble from a legal standpoint, but it's also very likely to put some "bad" ideas (strong emphasis on the quotes around "bad") into the mind of some players who may not have had them otherwise. From experience, I know that it doesn't take a lot to turn a tech-savvy players into a script kiddie, once they've googled the right stuff. While there's no reason to be afraid to talk straight about security, there's a social component of a discussion on security that can get wrong very quickly.

I've worked around security for years and most stories where players try to push the company into "taking actions" (Anet/NCsoft already did) end up badly, with the company forced to take a stronger stance (which will annoy the many who are ok and for which the new measures won't improve security and WILL increase the cost of their products) and the players being very angry, even if nothing happened to them (e.g. they're angry over a principle). As I tried to explain in my Guru security guide, there's a fine balance between security and convenience, and security understanding and paranoia. I do not wish to stir more controversy into this thread but I want everyone to understand that this is a topic that's extremely difficult to discuss here.

I do know and acknowlege that this is a primordial issue, but I disagree that this is the way to do it. Such a thread creates more emotions than needed to be able to reflect correctly upon the problem at hand. While you and a few others clearly have a good understanding, I doubt that it's going to serve the purpose of educating people, it's more likely to scare them.

I also despise the attitude that consists in threatening via sales. Yes people should make informed opinions, but No sales or no sales is not a way to send a message "get your act together". If anyone at a Gamestop would say the words I've read here, Gamestop would be sued and NCsoft would suffer, making a big problem into a terribly huge one (e.g. it's a bit like becoming the "bad guys" who want to steal/harm NCsoft).

Players just want something done. The problems and weaknesses of the ANet/NCSoft security level are well known and well documented. Yet nothing is every done.

There are two areas here that need attention.

1) Make it harder to hack
2) Limit the consequence of the hack

Why doesn't ANet want to do either?

So in light of all the hacked accounts, whats Anet's official response?

Do we just not do business with NCsoft ever again? Thats the only solution im hearing. I dont think thats what they want, so what are they doing to fix this problem?

Yeap.

1.Try to wipe out all personal info from NCSoft
2. Change the email account that is tied into NCSoft to a different email address that is DIFFERNT from you'r GW's login email address.
This way, if they do a password reset, it's still not the real login info for your GW's account.
3. Remove any save CC, if any, info.
4. etc...

Basically, try to make the NCSoft account as useless as possible to the point where if you were to give your account info to someone, he/she couldn't do anything with it since it contains all false information.

That's the only reason why I'm trying to get my NCSoft's acct# so I can log into NCSoft; to wipe out as much info as I can or replace it w/ useless garbage:

First Name: First
Last Name: Last
Address: 123 Address
ZipCode: 90210
State: CA
Email: [email protected]

"ever again" is up to Anet. I won't be buying anything until I see changes in security with Guild wars/NCsoft. If they can't fix this, I have to assume everything new will be broken as well.

Thanks for the response, this was what I was looking for. So they cant change your guildwars passowrd without having your personal info? I dont have any credit card details except for my personal info on that site , I dont want to risk logging in to change stuff that wont help. Im staying far away from ncsoft as possible and will be warning everyone I know to stay clear of their games.

Its a shame, I was just about to give Aion a whirl. Dont want to risk my GW account though. Sorry NCSoft, get your **** together.

Updates from ArenaNet are in this thread:

http://www.guildwarsguru.com/forum/s...php?t=10410963

From that reading, seems like Fansites is another possibility. Again, do not ever use real info on forums, including Guru .

I started looking at all my postings and deleting my IGN after the sell/buy. Also, remember don't register on any fansite w/ the same email address you use to login w/.

Personally, I'm staying away from NCSoft or buying anything through NCSoft website, incuding Aion.

I rather buy the box from a retail store than online through NCSoft even if there is a special promotion.

@ Chthon: I have to agree with Fril that you probably don't want to go there.

As I see it, there are presently three problems to overcome:

1) Players are unaware of the identified problems with NCSoft accounts.

This has been a topic of somewhat muted debate for months, if not years. The volume of reports of accounts getting hacked via password reset using the NCSoft account, coupled with the fact that many of these reports cannot be explained well by the usual keylogger/trojan source of hacks, is what has pushed the topic onto the front burner. Most players were not following the original discussions about possible vulnerabilities. The last two weeks have changed that somewhat, but I suspect that the vast majority of players still are unaware. Hopefully, the word will spread.

2) Convince NCSoft/ANet that these problems will cost them more if left unresolved.

It will cost them resources to fix the issues that have been raised. That costs money. This is at the heart of why the problems exist in the first place. We want perfect security, but it costs too much to be feasible.

Many of you posting here are dancing around this issue. You suggest boycotts and announcements as the way to address this problem. Neither will work; there's ample evidence and quality economic theory to tell you otherwise. What NCSoft needs to understand is that hacks kill MMORPGs. It doesn't matter whether it's hacking the client to dupe/scam/etc. or hacking players' accounts to loot them. Such hacks undermine the reasons why many of you still you log in - to accomplish something in a virtual world. If you can't trust that your efforts won't pay off, you won't play or make future purchases.

Account thefts are even worse for an MMORPG, because players certainly aren't going to spend money to add things to their accounts when they fear having the account taken away (again). That undermines the revenue model.

Now, NCSoft might argue that GW is a dead game from which they derive no revenue, and that it therefore doesn't make sense to fix the problems. However, if these problems are left unresolved, then what is happening now will likely seem a child's prank compared to what will happen at the release of GW2. Delaying fixing these issues will only convince players that they cannot trust the company they are doing business with to care, and abusing that trust is likely to lead to lost future sales.

3) ANet's communications with us.

Gaile and others don't seem to understand that their communications are less than reassuring. Let me put this bluntly. The players cannot discriminate between the following motivations for the continued stance that hacks are our fault:

a) Gaile is being truthful, and ANet has valid evidence that proves that the NCSoft accounts are not a matter of concern.
b) Gaile is being lied to by the security staff or by managers relaying their communications.
c) Gaile is being told to lie by Legal, Marketing or both.
d) The people managing the security of NCSoft accounts are incompetent.

We know that admitting that the breaches in account security are the fault of ANet/NCSoft might be costly, so there are incentives to lie. We also know that the people in charge of NCSoft security, if incompetent, don't want to admit it for fear of their jobs. So there are incentives to lie there as well. In the absence of evidence that shows that the NCSoft accounts are not the problem, anything from a) to d) could be true.

If a) is true, I understand why you do not want to release such evidence for public consumption. However, you need to realize that in the absence of evidence, we're going to rationally believe that b), c), or d) could be true and that your protestations that a) is true are wasted effort. The evidence that we observe suggests that it very likely is not true.

Moreover, your past commentaries suggest that you do not understand the problem. You have posted on the wiki that your investigative strategy is to find the common thread that links the account thefts together. However, it is a virtual certainty that you have multiple individuals, likely with different strategies, attacking the integrity of game accounts in multiple ways. If you're looking for an archvillain behind it all, you're going to discard correct hypotheses about how accounts are being hacked due to evidence that doesn't fit your approach.

The combined effect is the impression that you don't understand the problem and don't care about your players. I know that this is not the impression that you wish to leave with us, but it is what I take away, and it appears to be what others are taking away judging from their posts.

1. In case anyone somehow came to doubt this, please remember: My opinions are mine alone and do not necessarily reflect the opinions of any other person or organization.

2.
Breaching an account that you have been given permission to access is not illegal. At least not in my country.

Given how many posts detailing the gaping hole sin NCSoft's security are already up, those ideas are already in people's heads.

I'm not particularly fond of it, but, since NCSoft/a-net is unwilling to even discuss the issue, what other tools do we have at our disposal?

You only say that because you're a silly British person. Such as case would not only be unwinnable in the US, it might even be considered frivolous and result in fee-shifting and sanctions for wasting the court's time. In the US, a defamation claimant must prove the falsity of the allegedly defamatory statement. Moreover, for pressworthy matters (and this is one), the claimant must not only prove the statement was false, but also that it was uttered with actual knowledge or reckless disregard for its falsity. Is NCSoft ready to prove their lax security isn't responsible for a large chunk of recent account thefts? (And that a person couldn't reasonably believe they were responsible given the available information?) After American-style discovery proceedings? I very much doubt that.

I chose Gamestop employees for my hypothetical because they, at least in my experience, have a tendency to offer their opinions on which products customers should buy, even if the customer doesn't ask for their opinion. By and large I find them somewhat helpful in this respect.

3.
I don't know.

4.
I don't know. For the sake of not wasting my money on something easily stolen, that's going to be my personal response. As for calling for it as a collective response, I don't much like the idea, but I don't see any other options. The status quo is unacceptable. NCSoft won't even listen to the community about the problem, much less make changes. Now we can either accept the unacceptable or we can walk away. What other choice have we?

5. This is my final post on this topic.

This thread highlights a problem I have with MMOs (and RPGs in general): "achievement". People put in a lot of work - even to the extent of doing things they don't even enjoy - for the sake of in-game "achievement" that is tied completely to an account stored and controlled by someone else. This achievement completely evaporates if the account is ever deleted or stolen, for any of a number of reasons (including something as mundane as the game servers shutting down). In contrast, when someone plays Street Fighter or Starcraft, the main benefit they're getting (aside from the joy of playing) is skill, and that's something that can't be taken away easily. Ultimately, that makes competitive games of skill a much more attractive entertainment option than games of time investment and "achievement".

It's clear that most posters on these sorts of threads are getting two things mixed up.

As i'm sure you know, security comes in two main parts.

Stopping 'bad' people getting in and
Stopping them creating havoc if they do.

In this case the first part belongs to Ncsoft, the second falls to Areanet.

The community seems to be merging the two, which in this case is two separate companies and getting two companies to agree to a change is hard let alone admit something is up.

Most efforts seem to be focussed on the first part, but as we've seen and has been demonstrated efforts to get this changed have failed.

As Gaile stated getting the first part fixed, is very hard and requires lots of effort, so focusing on the second part makes more sense. At least in the pre GW2 timescales.

It also brings in a degree of accountability that has not been there previously. I.e it's not us its them, it's not us but you. How can it be me, it's clearly you etc etc.

By focusing on the parts Anet can change we shift the ground from pointing fingers to helping out,

To put it simply Areanet needs to be persuaded that limiting malicious damage to an account once access has been gained is simply the most important thing they can be doing at the moment.

It's not the ideal solution, but in firefighting mode you limit the damage then go on to fix the issue.

The key message is not that their security is a has a weakness, but that damage limitation improvements need to be greatly improved and quickly. That is a subtle but key difference,

Implying there is a weakness here (even if there could be) simply puts a company in defensive mode and in such a state that change is less likely.

I believe these threads have been diluted by trying the change the apparently unchangeable(Gaile has been trying for years remember).

Forget about who or what's to blame. The message i believe the community should be sending is that for the moment damage limitation is the number one game improvement Anet should be making.

I think that the only stuff Anet can do is something like Anticheats in Counter Strike , some detection of bots, keyloggers with the game ... but it is also "tricky" . Security between client and NCSoft has 2 parts , if client did fine i think most of the problem is solved.
Imho , the only thing left is damage done by hackers and for that , the delete option is the best. Rest of them seem like an attempt to load some clients task on security to Anet/NCSoft ... looks kinda gray ish for me.

Yes.

That's why my #1 choice is the option to make a character permanently undeletable. I want my main characters to survive into GW2. Lost items would be annoying, but I don't have anything of any great rarity or value, and I could re-acquire the stuff I have.

My main characters though... if they were deleted, that would be game over for me - I couldn't face re-creating those. And I'd really have to think hard about GW2 if the same thing could happen there, regardless of precautions on my part.