Poll: Account Security Solutions
Shanaeri Rynale
or if you know the user name of someone you can lock it for them for the lolz..
On a more semi serious note, perhaps you can use this to lock your account within Taiwan or Chinese working hours...
Fay Vert
So what we are seeing here is a community with a total loss of confidence in the game's security and a customer relations that simply won't respond adequately.
Now we even have a big red note on the login screen telling us to perform an action none of us has any confidence in. Is anyone here trusting the recommendation?
This is a big mess and we're being picked off one by one while FailNet seems to assume it's all our fault.
GW2 sales are not going to be great if GW1 players lose their accounts to hackers. We need a way to protect our key assets.
Gli
Quote:
Now we even have a big red note on the login screen telling us to perform an action none of us has any confidence in. Is anyone here trusting the recommendation?
|
Everything about both my NCMA and GW game login is completely unique and strong. They're tied to different emails, neither of which I've ever used to register at any GW or general gaming sites. They use different, strong passwords that I've never used anywhere else. Nothing anywhere online holds any hint or starting point to derive my NCMA username or registered email, nor the email address that's my GW game login. My character names are also totally unrelated to any information on my NCMA or GW login credentials.
Also, the only time I've ever logged on to my NCMA account, was to add the free anniversary storage, which was 7 months ago. The data I entered into my NCMA account was the bare minimum I needed to proceed and doesn't hold any revealing information that could lead to easy password retrieval or reset.
If my NCMA password is going to be miraculously reset by a gentleman from Taiwan, I'm not going to blame myself.
Xenex Xclame
trielementz
incident: 091218-000170
password reset: 17th dec, 3pm
my first request to support: 17th dec, 7 pm
subsequent upload of cd keys: 18th dec, 9am
first contact by support, who tells me i'm getting routed: 18th dec, 10.30am
time taken so far to respond to my lock/ reset account request as at 18th dec 4.30pm: 22 hrs and counting.
anybody knows if these support guys work weekends or whether i can expect to wait until monday?
Hi Rinoa, what did the GM need to prove your ownership of the account? i've uploaded pictures of my cd keys to preempt their responses. if they require more proof, i'd want to preempt those as well.
Quote:
I got access back to PlayNC. Changed all my passwords and security questions. They took care of this a lot sooner than I thought.
|
sigh.
trielementz
Quote:
Five attempts at resetting a password appears to lock an account for twelve hours.
|
actually, for those whose ncsoft master accounts have not been compromised, a password change would be more effective i'd think.
Rinoa Hawkeye
Quote:
Hi Rinoa, what did the GM need to prove your ownership of the account? i've uploaded pictures of my cd keys to preempt their responses. if they require more proof, i'd want to preempt those as well.
|
Quote:
Subject: I believe I have been hacked and cannot log into my NCsoft master account to resecure my account.
Question: Here is my account information:
NCsoft master account name: ENTER ACCOUNT NAME HERE
First and last name: ENTER FIRST AND LAST NAME HERE
Physical Address: ENTER POSTAL MAILING ADDRESS (not e-mail address) HERE
Date of birth: ENTER DATE OF BIRTH HERE
Serial codes/access keys: ENTER CODES/KEYS HERE
Unique Account ID(s): ENTER UNIQUE ACCOUNT ID(s) HERE
|
I filled it out and pasted it between the green lines of their generic response email in my reply. They didn't ask me for anything else. It was a real hassle to find all my boxes, though!
I hope they resolve it quickly and without any hassle--they did mine in under 24 hours. I got nothing between the generic email response and the resolution, so it was a surprise this morning.
What amazes me is that it seems to be the same ISP and possibly person responsible for a couple of hackings that have been posted about. I'm assuming there are a limited amount of accounts that are directly receiving the stolen items from hacked accounts.
trielementz
Quote:
Actually, I searched for that right after I replied to the password reset email. I found this form:
http://help.ncsoft.com/cgi-bin/ncsof...p?p_faqid=3562 I filled it out and pasted it between the green lines of their generic response email in my reply. They didn't ask me for anything else. It was a real hassle to find all my boxes, though! I hope they resolve it quickly and without any hassle--they did mine in under 24 hours. I got nothing between the generic email response and the resolution, so it was a surprise this morning. What amazes me is that it seems to be the same ISP and possibly person responsible for a couple of hackings that have been posted about. I'm assuming there are a limited amount of accounts that are directly receiving the stolen items from hacked accounts. |
Thank you. Seems I've done all I can then. my only consolation is that the last log in on my toon was 1 day ago. wonder how long it took to expert salvage 4 sets of fow.
Rinoa Hawkeye
Quote:
Thank you. Seems I've done all I can then. my only consolation is that the last log in on my toon was 1 day ago. wonder how long it took to expert salvage 4 sets of fow.
|
There is a support group for hacked players over on the Player Match-up Forum on GW Incgamers forums--other players are being very generous and understanding about those of us who've had our accounts hacked. I can't imagine how you must feel with 4 FoW armor sets. It took me forever to get one, and it's gone, and with 4, I can't imagine.
JimmyNeutron
Quote:
hm. i've tried to force lock my actual guild wars account using this method (multiple wrong passwords) but it didn't happen. bummer.
actually, for those whose ncsoft master accounts have not been compromised, a password change would be more effective i'd think. |
I click on the Forgot Your Password link and enter the correct username, and I believe I enter the correct or fake B-Day and tried to get my password emailed to me, but instead, ended up locking myself out.
As of now, I'm still locked out.
trielementz
Quote:
There is a support group for hacked players over on the Player Match-up Forum on GW Incgamers forums--other players are being very generous and understanding about those of us who've had our accounts hacked. I can't imagine how you must feel with 4 FoW armor sets. It took me forever to get one, and it's gone, and with 4, I can't imagine.
|
thanks. maybe i'll mosey over...
Quote:
You must be doing something wrong because my own account is locked out still.
I click on the Forgot Your Password link and enter the correct username, and I believe I enter the correct or fake B-Day and tried to get my password emailed to me, but instead, ended up locking myself out. As of now, I'm still locked out. |
i wanted to lock up my guild wars game account (hence the multiple login attempts on my game client), since support has not responded to my request.
Tullzinski
Quote:
There is a support group for hacked players over on the Player Match-up Forum on GW Incgamers forums--other players are being very generous and understanding about those of us who've had our accounts hacked. I can't imagine how you must feel with 4 FoW armor sets. It took me forever to get one, and it's gone, and with 4, I can't imagine.
|
However, ANET and NCsoft should be totally ashamed that their game has spawned an actual support group for this. That has to be the saddest thing I have heard yet.
Chthon
obastable
it's just a matter of time before someone here at GWG with some legal knowledge points out that gamers are protected by their federal/state/provincial/whichever (wholly depends on where you live) laws.
here in ontario my consumer protection act governs all agreements, including eula's, and if my gw account were hacked, looted, and not restored i'd chase after anet with a lawsuit based on unconscionable representations and trespass on chattels.
it wouldn't even be a landmark or precedent setting case. others have done it for precisely the same thing: hacked & looted account that the game company refused to restore.
the great part of this story: they won.
clean up your act, anet. it's just a matter of time before someone gets fed up with the backhanded way you treat your customers.
Tramp
Wow, it can not be more clear than this. So a simple question to Regina and Gaile, or preferably, a programmer at the company would be this:
Do you think that the points listed below are possible security vulnerabilities in the NCSoft account or not?
If you answer no, then we know it is pointless even continuing this thread. If you say yes, then follow up with how much time exactly it will take to fix the items below that are risk factors and when we can expect them to be finished (not some general, generic answer, just the best estimate you can relay from an actual programmer who has looked at these factors.)
This is very simple and will end the thread. Risk factors or not? How much time to fix or not fix?
Quote:
I hate being drawn into this conversation again, but I cannot let that go by unchallenged.
We've seen, and debunked, this same flawed reasoning before. Accounts are stolen in multiple ways. The fact that ~45% of accounts are definitely not stolen via the NCSoft account in no way means that accounts are not, or cannot be, stolen through the NCSoft account. By way of metaphor, your argument (which was Gaile's before you) is essentially that of an automobile maker, whose door locks and ignitions can be easily picked with a paperclip, arguing that your crummy locks are not a risk factor in car theft because ~45% of cars are stolen at gunpoint. It's ludicrous. Continuing to repeat it after it's been debunked is a sign of either stupidity or dishonesty.
Moreover, even if accounts were not being stolen through weaknesses in the NCSoft account (and all evidence available to us strongly suggests that they are), the documented vulnerabilities mean that somebody could start doing so at any time. Isn't that reason enough to fix them?
Now, I'm going to re-post a summary of vulnerabilities just to make clear how shoddy the NCSoft site is and how easy it would be to fix.
How to steal GW accounts via the NCSoft master account:
Also, the NCSoft account appears to have no countermeasures at all against brute forcing the NCSoft password. Apparently you can try over and over without getting the account locked out, or getting IP banned, or even getting a delay between login attempts. This is probably (?) slower than brute forcing the password-reset questions because of the comparatively larger answer space.
Easy Fix 1: Lock out account and notify support and e-mail account holder after repeated failed login attempts.
Easy Fix 2: Blacklist IPs making multiple failed login attempts to multiple accounts.
Responsible Short-Term Fix While Resolving Other Issues: Disable the ability to reset GW password through NCSoft account. Put it back if/when it's not so easy to get into NCSoft accounts.
Would you mind resetting your password several more times and recording some things for me?
|
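The two "Easy Fix" items in the quote above, sketched as an added example (not part of the thread, and not NCsoft's or ArenaNet's code). The class name, the thresholds and the sample login events are assumptions constructed for illustration; the IP addresses come from documentation ranges.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values for illustration; the thread does not specify any.
ACCOUNT_MAX_FAILS = 5                    # failed logins before the account locks
ACCOUNT_WINDOW = timedelta(minutes=15)   # window in which those failures count
ACCOUNT_LOCK = timedelta(hours=12)       # how long the lock lasts
IP_MAX_ACCOUNTS = 3                      # distinct accounts one IP may fail against
IP_WINDOW = timedelta(minutes=10)        # window for the per-IP count


class LoginGuard:
    """Hypothetical login gate implementing both fixes from the quoted post."""

    def __init__(self):
        self.account_fails = defaultdict(deque)  # account -> failure timestamps
        self.ip_fails = defaultdict(deque)       # ip -> (timestamp, account)
        self.locked_until = {}                   # account -> lock expiry
        self.blocked_ips = set()
        self.notifications = []                  # (recipient, message)

    def attempt(self, ts, ip, account, password_ok):
        # A blocked IP or locked account is refused even with the right password.
        if ip in self.blocked_ips:
            return "ip_blocked"
        if ts < self.locked_until.get(account, datetime.min):
            return "account_locked"
        if password_ok:
            self.account_fails.pop(account, None)
            return "ok"

        # Fix 2: block an IP that fails against several different accounts.
        ipq = self.ip_fails[ip]
        ipq.append((ts, account))
        while ts - ipq[0][0] > IP_WINDOW:
            ipq.popleft()
        targets = {acct for _, acct in ipq}
        if len(targets) >= IP_MAX_ACCOUNTS:
            self.blocked_ips.add(ip)
            self.notifications.append(
                ("support", f"{ip} blocked: failures on {len(targets)} accounts"))
            return "ip_blocked"

        # Fix 1: lock the account after repeated failures and tell
        # both support and the account holder.
        aq = self.account_fails[account]
        aq.append(ts)
        while ts - aq[0] > ACCOUNT_WINDOW:
            aq.popleft()
        if len(aq) >= ACCOUNT_MAX_FAILS:
            self.locked_until[account] = ts + ACCOUNT_LOCK
            aq.clear()
            msg = f"{account} locked after repeated failed logins, last from {ip}"
            self.notifications.append(("support", msg))
            self.notifications.append(("account_holder", msg))
            return "account_locked"
        return "denied"


def replay(events):
    """Feed (timestamp, ip, account, password_ok) tuples through a fresh guard."""
    guard = LoginGuard()
    return [guard.attempt(*event) for event in events], guard


# Constructed sample events, not taken from any real log.
T0 = datetime(2009, 12, 18, 3, 0)
SAMPLE_EVENTS = (
    # One IP guessing at a single account: the fifth failure locks it.
    [(T0 + timedelta(minutes=i), "203.0.113.7", "alice", False) for i in range(5)]
    + [
        # The owner is refused while the lock holds, accepted once it expires.
        (T0 + timedelta(minutes=10), "198.51.100.2", "alice", True),
        (T0 + timedelta(hours=13), "198.51.100.2", "alice", True),
        # One IP trying one guess each on several accounts.
        (T0 + timedelta(hours=14, minutes=0), "203.0.113.9", "bob", False),
        (T0 + timedelta(hours=14, minutes=1), "203.0.113.9", "carol", False),
        (T0 + timedelta(hours=14, minutes=2), "203.0.113.9", "dave", False),
        (T0 + timedelta(hours=14, minutes=3), "203.0.113.9", "erin", True),
    ]
)

if __name__ == "__main__":
    decisions, guard = replay(SAMPLE_EVENTS)
    for event, decision in zip(SAMPLE_EVENTS, decisions):
        print(event[0].isoformat(), event[1], event[2], decision)
    for recipient, message in guard.notifications:
        print("notify", recipient, "-", message)
```

Because the lock is keyed on the account name alone, anyone who knows a username can trigger it, which is the lockout abuse raised in the first post on this page; the notification to the account holder is what lets the owner see that it happened.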
hallomik
As a person who was hacked last Sunday and finally had my account restored last night (Friday - 5 days later), I can tell you what to expect from the process:
I tried to log in on Sunday morning on my main account multiple times with no success. I could log into my linked secondary account, which used a similar password, so I suspected my main account had been compromised.
I then checked my email and there was a confirmation from NCSoft saying my password had been changed at my request. Obviously, I did not make that request.
The NCSoft password change email had arrived less than an hour earlier, so I hoped I might be able to change my password back to prevent further damage. I quickly sent a reply email to NCSoft saying I did NOT request a password change and to please lock the account from further access. I then attempted to log into my NCSoft account on the website. My password there had also been changed including all of my security information (mother's maiden name, street I grew up on, etc.) that might allow me access back in.
I checked my email again, and saw the automated response from NCSoft saying they had received my request, and asked for some standard, additional information that I provided.
About two hours after the first password reset request, I received another email from NCSoft saying the password on my Secondary account had now been reset. I, of course, immediately sent an email saying this second password change was also not authorized by me.
The next day (Monday), I received an email from NCSoft saying that my case was being "elevated."
Two days later (Wednesday) I received an email from NCSoft requesting information to confirm I was the owner of the account. For example, what was the mailing address I used when I opened the account, what were the access keys, etc.
Two days after that (Friday), I received an email with a reset password. I used this last night to change my passwords and security information, and see what had become of my accounts.
Neither account had been accessed again since the original Sunday. The thieves appear to be very efficient and only required about an hour or two with each account.
None of the characters had been deleted. The only armor that had been destroyed was my FOW armor on my Mesmer - presumably salvaged for ectos and shards. Curiously, the only runes that seem to be missing are the Vigor's. They appeared to use perfect salvage kits because no armor was destroyed (other than the FOW) but the sup vigors are all gone.
All gold was gone. My chest was maxed and each of 10 characters had about 70k each, so I estimate 1.7 million in gold alone was taken. Most rare materials were cleaned out (they left the silk and charcoal). Most common materials were not taken (they took all iron). All Party, sugar, and alcohol were removed. I had around 2,000 sugar points (rock candy) and about 20-25 stacks of alcohol plus 5 kegs.
All weapons in storage were removed, but no weapons on my characters were taken. All tomes were taken. All "books" were left. None of my equipment packs were taken (I have 4 heavy). Some mini-pets were removed and some were left. They seemed to know the valuable ones.
Nothing was taken from my pre-searing character. The only gold to my name now is the 16k he has.
It is actually kind of amazing that the amount of stuff I had was processed so quickly. I suppose that most everything could be converted to ecto's pretty fast, but all those tomes, sugar items and alcohol items take up quite an amount of space. They only needed an hour to remove a lot.
It also seems strange that they in no way crippled my ability to continue to play. My characters have all their armor and weapons including heroes (minus vigors and my FOW, naturally), and I have plenty of storage space now. On the one hand, that is good. Nothing "vindictive" was done. It was all very "professional." My full HOM is still there. No one in my guild was "kicked." On the other hand, I feel that if I play now, I will be just acquiring stuff for the next time hackers come to clean me out. Unless something significant is done to restore my confidence in the game's security, I do not intend to play Guild Wars again.
Gli
Quote:
It is actually kind of amazing that the amount of stuff I had was processed so quickly. I suppose that most everything could be converted to ecto's pretty fast, but all those tomes, sugar items and alcohol items take up quite an amount of space. They only needed an hour to remove a lot.
|
I've jokingly suggested before that the rising ecto price might have more to do with all the stolen gold that is turned into ecto at the material trader than any changes to the UW. I'm rather surprised they're also taking huge amounts of items that can't be converted as easily. They can't have any of that stuff sitting around on any account for long, because they'd lose it all when ANet goes after accounts that systematically receive stolen goods. That points to either them having a very efficient infrastructure that can turn anything to gold or ecto in very little time, or very slow and lacking GM action. Or both of course.
I'm sorry for your loss.
Daesu
This should be in the options but it is not!
Use an industrial strength authentication system! For example, Microsoft LiveID and let somebody else worry about the security of your accounts.
JimmyNeutron
I can only hope that all those whose accounts are being hacked have never bought anything from these RMTs. If you did, then you deserve to be hacked because you're helping the RMTs stay in business.
powercozmic
Ok... All my 3 guild wars accounts got hacked last night and I'm still not able to login to any of them. Still waiting on NCSoft support to get back to me. They hacked my master account on NCSoft's site to do this.
4 Fow armors, 12 characters all with elite armors and all with sup vigor runes, a bunch of ectos, several q9 weapons including 2 q9 celestial compasses, a q9 frog scepter, several q9 chrysocola, moldavite, astral staves, 1 tormented staff, q9 storm daggers all being looted right now as I type this.
I vote for every security measure right now.
Symeon
Were all these accounts linked to the same NCsoft Master Account? If yes, that may be the strongest evidence yet that NCSoft is where the security hole lies. As if any more is needed for action to be taken. Gaile/Regina's denial of the situation is just astounding.
Has anyone else had multiple accounts hacked simultaneously? Or, does anyone who's been hacked have other, unhacked accounts linked to the same NCMA?
powercozmic
Quote:
Were all these accounts linked to the same NCsoft Master Account? If yes, that may be the strongest evidence yet that NCSoft is where the security hole lies. As if any more is needed for action to be taken. Gaile/Regina's denial of the situation is just astounding.
Has anyone else had multiple accounts hacked simultaneously? Or, does anyone who's been hacked have other, unhacked accounts linked to the same NCMA? |
Quote:
Discussion Thread
Response (GM ...) 12/18/2009 12:24 PM
Hello [...],
Thank you for your patience to this point. It appears as though your NCsoft master account may have been compromised. We can help you resolve this issue and bring the account back under your control. That would allow you to manage your Guild Wars game account directly from this point forward.
Your NCsoft master account (...) password has been reset and the automatically generated password has been sent to your [...] e-mail address. If you do not receive this e-mail, please check any spam/junk mail folders as some e-mail services might recognize the auto-generated password e-mail as spam.
The following articles from the Knowledge Base should then assist you with resetting your NCsoft master account and Guild Wars game account passwords once you are able to log into your account again.
Title: Changing a NCsoft Password
URL: http://help.ncsoft.com/cgi-bin/ncsof...p?p_faqid=4422
Title: Changing Guild Wars Password within your NCsoft Master Account
URL: http://help.ncsoft.com/cgi-bin/ncsof...p?p_faqid=5319
Please let us know if we can be of further assistance in this matter.
Thanks,
GM [...]
Guild Wars Account Support
|
So yeah, change the password to NCSoft's master account too if possible.
neighto
powercozmic, that's the exact same email I received. I think it's the standard issue "Oops, our security sucks!" email they've been sending out to a lot of people lately.
powercozmic
neighto
It took over 48 hours before I received a response to my initial contact with them about not authorizing a password reset to begin with ... and then more time on top of that to regain access to my PlayNC account. They aren't exactly the pinnacle of speedy customer service.
Nerel
Quote:
Regarding the comments linking NCsoft Master Accounts and hacked game accounts: our security team has conducted extensive research on this, and there doesn't appear to be an increased risk of getting an account stolen if you have an NCsoft Master Account. According to our support team, in a cross-sampling of accounts, nearly half did not have an NCsoft Master account at all. So, while there is a perceived risk factor about the NCsoft Master account, the actual data shows that this connection does not seem to be an element in this situation.
[More info] |
But she failed to mention what percentage of accounts are even linked to NCsoft master accounts in the first place... making her assertions look like the desperate misinformation work of a CR/PR trying to convince us that smoking has no ill effects on our health...
Let's be honest, if only 20% of all Guild Wars accounts are linked to an NCsoft master account, and yet such linked accounts make up MORE THAN HALF of those recently hacked... then linking an account to the NCsoft master account would mean you're five times more likely to be hacked... but there is no problem here.
So, amongst all of that data Gaile has collected... is there any mention of the percentage of Guild Wars accounts actually linked to the NCsoft Master accounts, not just those recently hacked accounts, but in total? Enquiring minds want to know... instead of telling us what you think the data supports, just give us the data, we can think for ourselves.
Lies, damned lies, and statistics!
Edit: Sorry for not replying sooner, I have this habit of getting banned
Sad Rabbit
First of all, I have to apologize for my English. It's not my native language.
All these posts here sound familiar to me.
My husband has been hacked one day before the new red and shiny log-in announcement. He got an e-mail that his password was changed.
We traced the IP – it was from Beijing, China -.-
He tried to log on to his NCMA but the pw was wrong. He managed to reset it and then changed it. Then he changed the pw for his game account via the NCMA.
After logging on, you can imagine what was left. They took everything valuable.
All Gold, rare materials, 1 Fow, 1 Torm Shield, Tomes, Consumables, sup Vigors, rare minis etc., etc. Everything was earned honestly over almost 4 years -.-
He was always extremely careful with his private data. He's working with PCs for nearly 30 years now and he never had a virus or a key logger or anything like that.
He used his log-in information (pw and e-mail address) for Guild Wars ONLY. It was long, complex and he didn't tell it to anybody.
We are, or should I say, were in a one man / one woman guild all the years and he never registered at any game-related forums or anything.
He didn't play any other games over these years.
All the security stuff (Anti virus, Anti Malware, Firewall etc.) was always running and up to date. There have never been any threats.
He contacted support and that is at least as annoying as the hack itself. Head → desk!
They blocked his account AFTER he changed his password – for „security reasons“.
Great! Why didn't they block it when that friendly Chinese hacker with his Chinese IP logged into his German account with a German IP?
Oh, and they blame him, of course. They told him „that someone stole his account shows that he is careless“.
They don't even seem to read what their customers write.
They just send these „copy and paste“ answers like „read the security FAQ; we are sooo terribly sorry but we won't restore anything“ and calling their customers liars indirectly.
Dear A-Net employees,
not all of your customers are naive and careless, you know. Believe it or not.
There are posts in which you tell us you are working on the issue.
Which issue, please? You tell your customers that you don't have any security problems.
It sounds like your system is as safe as the White House.
Oh wait! Didn't they hack the White House Servers once?
If you don't have a security problem why are you „developing solutions to improve account security“?
What the heck are you working on? I don't get it.
It's all your customers' fault, anyway. We are all careless and use our account information for everything else.
Maybe we were careless because we also gave you our private data, such as address, birthday, credit card information, etc.
Nevertheless you are committed to handle these sensitive data carefully and confidentially.
In my opinion, game account information and private data should not be kept together and make it easier for the hackers to do even more harm than stealing virtual items.
No matter how they accessed the game account.
How do you handle this?
How do you plan to compensate the victims for the sudden loss. Has all the effort over those years been in vain?
How come, a Chinese RMT can gain access to another country's account and the owner does not even get an e-mail in which he has to confirm the password change?
How come, you do not block the hackers when they try to steal an account? IP-check anyone? Btw, it took us 10 seconds to trace the IP (manually!).
If someone forgot his NCMA information, he has to prove that the account really belongs to him. The hackers, however, are not expected to do so.
The moral of the story:
It was a lot of fun playing Guild Wars.
But after all we feel stupid because we bought the game and invested a lot of money and a lot of time.
And what's left in the end?
For me, it doesn't make any sense to play GW without my husband.
My husband feels like being harvested. It doesn't make any sense to him playing GW again, just to collect new "Christmas gifts" for new hackers.
Furthermore, he doesn't feel like looking at his empty, stained account anymore..
Game Over and Merry Christmas to all!
(and sorry for this long wall of text)
Fay Vert
I wonder how many password resets are actually genuine and how many are RMT hacks. Shame they decided to put that stupid "Change your password" instruction up on the login page, just to totally swamp what support they had.
ThunderStruck
Well, I haven't played in a while. I log in about once every two months to check for my character's B-Day presents. I did my routine two month log in and found that I have been hacked. My password was the same, but my gold and gold minis were gone, along with a few valuable weapons in my storage. My only gold is the 477 gold left on my paragon. I was thinking of just getting up one day and giving away all my stuff, and this basically confirms that I will. I'm not gonna make support go through and try to recover my account that has been largely untouched for a year and a half.
karlik
Ultrix -
First of all sorry about the hack.
Second, I feel the same. When (not if) my account is hacked, I'm pretty much done with it as well. I've only been playing 2 years, but to just lose everything and know it would take that long again... not worth it.
There are a lot of other games out there I haven't tried yet. If I have to start over, I'd rather it be a whole new experience.
Motoko
I'm not going to read through the entire thread to see if my idea has been posted... but what if:
They added a "lock box" to your storage as an extra slot. The only way to access that would be to point and click a random set password you gave it. Basically keeping your REALLY valuable items some better safety.
Chthon
How many more reports like this is it going to take for a-net/NCSoft to admit to themselves (if not publicly) that there's a serious vulnerability that's NOT on the players' side?
Quote:
First of all, I have to apologize for my English. It's not my native language.
All these posts here sound familiar to me. My husband has been hacked one day before the new red and shiny log-in announcement. He got an e-mail that his password was changed. We traced the IP – it was from Beijing, China -.- He tried to log on to his NCMA but the pw was wrong. He managed to reset it and then changed it. Then he changed the pw for his game account via the NCMA. After logging on, you can imagine what was left. They took everything valuable. All Gold, rare materials, 1 Fow, 1 Torm Shield, Tomes, Consumables, sup Vigors, rare minis etc., etc. Everything was earned honestly over almost 4 years -.- He was always extremely careful with his private data. He's working with PCs for nearly 30 years now and he never had a virus or a key logger or anything like that. He used his log-in information (pw and e-mail address) for Guild Wars ONLY. It was long, complex and he didn't tell it to anybody. We are, or should I say, were in a one man / one woman guild all the years and he never registered at any game-related forums or anything. He didn't play any other games over these years. All the security stuff (Anti virus, Anti Malware, Firewall etc.) was always running and up to date. There have never been any threats. |
Hengis
Quote:
First of all, I have to apologize for my English. It's not my native language.
All these posts here sound familiar to me. My husband has been hacked one day before the new red and shiny log-in announcement. He got an e-mail that his password was changed. We traced the IP – it was from Beijing, China |
I still feel that same anger and frustration when I visit my Hall of Monuments and see all my beautiful rare minipets and obsidian armour that they stole :-((
However, two months later, I am probably enjoying the game more than I have for some time. Losing everything can either make you give up, or as I was surprised to find out, motivate you to try and rebuild.
I will never have as much in-game wealth as I had before I was hacked (I reckon I lost 5 million to the hackers) and to be honest I am spending any money I get rather than letting it build up on the account. They also ruined my chances of getting two of the three titles I needed for GWAMM as they took all my sweets and party things I had been saving to do a double hit on the titles and I doubt I will make enough cash to replace them in a long long time.
I am still totally amazed at ANet's stance on these issues.
We have had two months solid of mass hacks.
We know there is a major weakness in the NCSoft Account security and that by fixing this up to 50% of the hacks could be prevented.
The community has offered several good suggestions as to what needs to be fixed and how to fix it, yet victims are still being told that it is their fault that they have been hacked. This just rubs salt into a very open wound.
Anet should admit they have a serious problem, fix it immediately, and compensate anyone hacked within the last two or three months with some kind of ingame compensation.
Somewhere in China there are one or more groups of hackers reading these posts and laughing their damn heads off and they will continue to laugh until Anet fix this issue for good. They are making a hell of a lot of REAL money from selling the stuff that we players have worked for in some cases for over four years.
the_jos
Quote:
We know there is a major weakness in the NCSoft Account security and that by fixing this up to 50% of the hacks could be prevented.
|
The 'different message for valid and invalid accounts' is/was already present in the current GW client.
Brute-forcing the GW password? Also possible.
On Chthon's Step 3: Obtain the newly-reset NCSoft password.
I don't know how this is done. Based on the fact that the attackers seem to be bypassing the user, I have 3 theories I'd like to test.
When I looked at this it was possible to give a new password from within the NC website.
What we can see is that there is an increase in hacked NCSoft accounts.
Does that by definition mean there is a major weakness in the website? No!
It means that there is profit to get.
And the profit is higher than getting it somewhere else.
It could well be that it's harder to crack a NCSoft account than a GW account. However, since NCSoft does offer access to various games with items that can be converted to real money it's worth it.
Compare this to burglary. Some burglars will target every home, try the door and move on if closed. Others put more effort into breaking in to special homes with more security because there is more to gain.
If there is an increase in break-ins at those special homes, does that mean there are major vulnerabilities in their alarm systems? No, it probably means more people are putting effort in breaking into those homes. Only when there is a certain pattern we can say that there might be a vulnerability.
At this moment the only 'pattern' is that people with NCSoft accounts get hacked. We do not know if the effort to hack the combined NC games is decreased. If this is the case it's just a switch of target, not an indication of a vulnerability.
This does not mean that there is no room for improvement on the NCSoft website. Chthon stated a few, though from the perspective of a software vendor several of those fixes are no 'easy fixes'.
There may be valid reasons why certain things are the way they are. We don't know the code and logic behind everything. I've been in the field of Info-sec long enough to know that 'easy fixes' may not be that easy after all.
pumpkin pie
Ah HUH! account linked to NCSoft master account got hacked! as I have suspected, I was hacked soon after the link to get the extra storage pane.
I have another account that was not linked which was not hacked. Do more checking ArenaNet.
Tullzinski
Quote:
It could well be that it's harder to crack a NCSoft account than a GW account. However, since NCSoft does offer access to various games with items that can be converted to real money it's worth it.
Compare this to burglary. Some burglars will target every home, try the door and move on if closed. Others put more effort into breaking in to special homes with more security because there is more to gain. If there is an increase in break-ins at those special homes, does that mean there are major vulnerabilities in their alarm systems? No, it probably means more people are putting effort in breaking into those homes. Only when there is a certain pattern we can say that there might be a vulnerability. |
IMO ANET/NCsoft continues to be preoccupied with how the hackers are getting in and telling us it is not their fault. I agree, not your fault, I got it. However even though it is not your fault, it does NOT mean that you cannot help to fix the issue by making it harder to change the password in that site!!! And in the process making many of us even more safe and scoring points with the community on top of it.
Requiring a game CD Key could be one way to ensure that hackers once inside the site cannot change passwords at will, they should not have this information at all. Confirmation Emails have been asked for repeatedly and would also be a great way to help feel safer.
Others (who are way smarter than me) do not agree, and think there may be other vulnerabilities in the site. This could be totally correct, but since we cannot gain access to the information we need to confirm this, it is reduced to "it's your fault" "no it's not" argument. It is a shame that it has been reduced to that.
Unfortunately until this is resolved I do not feel safe (no matter how illogical this may be) using the NCsoft site. It is a shame since I would have been happy to "donate" $10 for the costumes being offered for both my accounts.
Until a remedy is applied to the NCsoft site, I will not purchase anything using that site. ANET/NCsoft should step up and do the right thing and help its players by making that site even more secure.
Mr.H.Mishima
It's pretty simple really...account hacks happened before linking the accounts during the promotion, but not with great regularity. They happen now at a frightening pace. Anet, you could compare the amount of hacks pre-link, to the amount post link...there's your answer.
Chthon
Quote:
On Chthon's Step 3: Obtain the newly-reset NCSoft password.
... When I looked at this it was possible to give a new password from within the NC website. |
You can specify the new NCSoft password during a password reset? I thought the system decided the new password and sent it to you.
Well, shit. If that's the case, every detail of how accounts are being stolen is now publicly available. Even if this method wasn't being used by our Chinese RMT buddies to steal accounts (and I'm pretty sure it has been), it will be now...
Quote:
This does not mean that there is no room for improvement on the NCSoft website. Chthon stated a few, though from the perspective of a software vendor several of those fixes are no 'easy fixes'. There may be valid reasons why certain things are the way they are. We don't know the code and logic behind everything. I've been in the field of Info-sec long enough to know that 'easy fixes' may not be that easy after all. |
Quote:
Easy Fix: Give the same error message regardless of whether the entered string is a real username. |
Quote:
Easy Fix 1: Do not notify user if they guessed a question correctly. |
Quote:
Easy Fix 2: Only offer questions with large search spaces. |
Quote:
Easy Fix 3: Require all account holders to use a "write your own question" question. |
Quote:
Easy Fix 4: Lock out account and notify support and e-mail account holder after repeated failed password-reset attempts. |
Quote:
Easy Fix 5: Blacklist IP's making multiple failed password-reset attempts to multiple accounts. (While attackers could mask IP's, this would add time to every iteration and slow down their attack.) |
Quote:
Easy Fix: Do not display GW username in the NCSoft account. |
Quote:
Easy Fix: Require the user to enter the current GW password and/or respond to a confirmation e-mail before allowing the user at the NCSoft site to change the GW password. |
In my opinion, everything there is doable. And doable in a shorter timeframe than this thread's been sitting here without prompting fixes. What's more upsetting is that a few 5-minute fixes would probably be enough to halt the account thefts, at least for now.
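Added example, not part of the post above and not NCsoft's code: a sketch of how the uniform error message, Easy Fix 4 and Easy Fix 5 fit together in front of a secret-question reset. The class name, thresholds, addresses and account data are hypothetical and constructed for illustration.

```python
import hmac
import time
from collections import defaultdict

# One reply for every outcome, so the page never confirms that a username exists
# or that an answer was right; a successful reset continues by e-mail only.
GENERIC_REPLY = ("If those details match an account, reset instructions "
                 "have been sent to its registered e-mail address.")


class ResetGuard:
    """Hypothetical gate in front of a secret-question password reset."""

    def __init__(self, answers, max_account_failures=3, max_accounts_per_ip=3,
                 window=3600):
        self.answers = answers      # username -> answer (plain text only for brevity)
        self.max_account_failures = max_account_failures
        self.max_accounts_per_ip = max_accounts_per_ip
        self.window = window                        # seconds a failure counts for
        self.account_failures = defaultdict(list)   # username -> failure times
        self.ip_failures = defaultdict(dict)        # ip -> {username: last failure}
        self.locked = set()
        self.blocked_ips = set()
        self.notifications = []                     # stands in for mail / tickets

    def attempt(self, ip, username, answer, now=None):
        """Return the public reply plus an internal outcome for server logs."""
        now = time.time() if now is None else now
        if ip in self.blocked_ips:
            return self._result("ip_blocked")
        if username in self.locked:
            return self._result("account_locked")
        expected = self.answers.get(username)
        if expected is not None and hmac.compare_digest(
                expected.encode(), answer.encode()):
            self.account_failures.pop(username, None)
            self.notifications.append(("owner", username, "reset link sent"))
            return self._result("reset_mail_sent")
        self._record_failure(ip, username, now)
        return self._result("failed")

    def _record_failure(self, ip, username, now):
        cutoff = now - self.window
        recent = [t for t in self.account_failures[username] if t > cutoff]
        recent.append(now)
        self.account_failures[username] = recent
        # Easy Fix 4: lock the reset flow and tell the owner and support.
        if len(recent) >= self.max_account_failures:
            self.locked.add(username)
            if username in self.answers:
                for who in ("owner", "support"):
                    self.notifications.append((who, username, "reset locked"))
        # Easy Fix 5: one address failing against several accounts is blocked.
        per_ip = self.ip_failures[ip]
        per_ip[username] = now
        if sum(1 for t in per_ip.values() if t > cutoff) >= self.max_accounts_per_ip:
            self.blocked_ips.add(ip)

    def _result(self, outcome):
        return {"reply": GENERIC_REPLY, "outcome": outcome}


if __name__ == "__main__":
    guard = ResetGuard({"alice": "blue heron"})     # constructed sample data
    for name in ("alice", "nosuchuser", "carol", "alice"):
        print(name, guard.attempt("203.0.113.5", name, "guess", now=1000.0))
```

A lockout like this can itself be used to keep an owner out of the self-service reset, which is why the lock is paired with the owner and support notifications.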
Martin Alvito
Which is why I'm on about the reset mechanism in the first place; the whole website as it stands is one-stop-shopping for a feasible automated attack that will complete in a realistic time frame. No human intervention needed; it's a Pindlebot on steroids...
Tullzinski
https://secure.ncsoft.com/cgi-bin/plaync_login.pl
To reset the NCsoft Master account password:
At the Login screen you can click on "Forgot your Password?" Link:
The next screen asks you for your account name
(if you forgot account name you have to contact support)
Next screen asks you for your birthday (drop down for the month and the other 2 blocks require manual input) and the letters/numbers you see in a displayed image (typically 4 characters) (different letter position/backgrounds each time)
the next screen asks you for:
Please enter the appropriate response to your password hint below. Your response must be entered exactly as during registration.
It displays whatever hint you put in when you created the account and has a block for manual input of the answer.
I stopped at this point, but willing to bet once that answer is inputted it takes you to a password reset screen. At all times the https: was displayed.
Hopefully the hackers do not have my account name/bday now...
Once in you can (according to the NCsoft site):
What is a NCsoft master account for? Does this mean I'm ready to play your games?
Answer
Once you have created your NCsoft master account you can:
Add the 20-digit serial code/25-digit access key from your game to create your game account.
Activate or reactivate that game account with your credit/debit card information or a prepaid game time card.
Change your billing status, options or information
Manage your game account password from the Game Accounts section.
Manage your contact information from the Account Profile section.
IF you had to input the 20-digit serial code/25-digit access key from your game at some point then how hard is it to ask for it again when changing the password?????
These are all the games the hackers have access to once they have cracked your NCsoft account(provided you own all of them and they are linked)
Choose the game that you want to reset the password for from the list below.
City of Heroes/City of Villains
Aion
Exteel
Dungeon Runners
Guild Wars
Lineage
Lineage II
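Added example, not part of the post above and not NCsoft's code: one way to gate a game-password change made from inside the master account, along the lines asked for in this thread (current game password plus a confirmation e-mail). The class, the token lifetime and the sample address are hypothetical.

```python
import hashlib
import hmac
import secrets

TOKEN_TTL = 900  # seconds a mailed confirmation token stays valid (assumed value)


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class GameAccount:
    """Hypothetical game account whose password can be changed from a web site."""

    def __init__(self, email, password):
        self.email = email
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hash_password(password, self.salt)
        self.pending = None     # (token digest, new password hash, expiry time)
        self.outbox = []        # stands in for the mail system

    def check_password(self, password):
        return hmac.compare_digest(self.pw_hash,
                                   hash_password(password, self.salt))

    def request_change(self, current_password, new_password, now):
        """Step 1: a logged-in web session alone is not enough to start a change."""
        if not self.check_password(current_password):
            self.outbox.append((self.email, "A password change was rejected."))
            return False
        token = secrets.token_urlsafe(32)
        # Only a digest of the token is stored; the token itself goes to the owner.
        self.pending = (hashlib.sha256(token.encode()).digest(),
                        hash_password(new_password, self.salt),
                        now + TOKEN_TTL)
        self.outbox.append((self.email, token))
        return True

    def confirm_change(self, token, now):
        """Step 2: the new password applies only once the mailed token comes back."""
        if self.pending is None:
            return False
        digest, new_hash, expires = self.pending
        if now > expires:
            self.pending = None
            return False
        if not hmac.compare_digest(digest,
                                   hashlib.sha256(token.encode()).digest()):
            return False
        self.pw_hash, self.pending = new_hash, None     # single use
        self.outbox.append((self.email, "Your game password was changed."))
        return True


if __name__ == "__main__":
    acct = GameAccount("owner@example.test", "old-pass")   # constructed sample
    print(acct.request_change("guess", "attacker-pass", now=0))   # False
    print(acct.request_change("old-pass", "new-pass", now=0))     # True
    print(acct.confirm_change(acct.outbox[-1][1], now=10))        # True
```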