Poll: Account Security Solutions

karlik

Banned

Join Date: Sep 2009

Well, the game login is now asking "Enter the name of any character on this account".

It's a start, but more than a few have posted IGN in different forums. I have, but I don't think there's enough info to tie it to a specific account. I think it's a band-aid on a severed artery.

Martin Alvito

Martin Alvito

Older Than God (1)

Join Date: Aug 2006

Clan Dethryche [dth]

Yup, they came up with one we didn't think of. And it's a good one.

Case closed.

Verene

Verene

Furnace Stoker

Join Date: Jan 2009

[SOTA]

D/

Quote:
Originally Posted by karlik View Post
Well, the game login is now asking "Enter the name of any character on this account".

It's a start, but more than a few have posted IGN in different forums. I have, but I don't think there's enough info to tie it to a specific account. I think it's a band-aid on a severed artery.
It is a good solution, though. It's very simple, and while yes, a lot of us have had our IGNs public, that fact alone isn't enough to compromise your account. Not unless you've posted your IGN and account login together. But frankly, if someone's ever posted something like "My IGN is III Ele III and my account is [email protected] and my password is hackmeplease" then they kind of have it coming to them.

Tullzinski

Tullzinski

Jungle Guide

Join Date: Mar 2006

Trying to stay out of Ryuk's Death Note

N/R

Very Cool!!!

For any traders I would suggest sending in game character name contacts through private messages and not post your character name online for all to see.

(posted in the security question thread)
Outstanding Job!!! Thanks to ANET for adding this additional security. This is exactly the kind of thing needed to stick a finger in the eye of those RMTs.

Even if the NCsoft Master Hub account is broken into, this additional measure can buy the time needed to contact support and keep accounts from being stripped bare while support is locking the account and the true owner is proving ownership.

I appreciate this enough to make a "donation" and purchase the new costumes and show my support to ANET.

Thanks again

karlik

Banned

Join Date: Sep 2009

Where I see an issue is how many people used the same email here (or other forums) as the guild wars login and used the trade forum and posted my IGN is...

It is a pretty good first step, and will at least make the hackers work for their money; but I'd still like to see some simple change made at NCsoft to prevent a password change.

mrdbeau

Ascalonian Squire

Join Date: Jun 2005

Sons of Narnia

P/

Quote:
Originally Posted by karlik View Post
Where I see an issue is how many people used the same email here (or other forums) as the guild wars login and used the trade forum and posted my IGN is...
I doubt many people did this, but I created an e-mail just for my GW account back 4 years ago. Never used it for anything else, never posted it publicly, and used a different password on it from any other password. I left it idle and it was deleted. I'm not sure why I even did that in the first place, but in hindsight, it wasn't a bad idea, and I'll probably do the same thing for GW2. People new to GW or getting new accounts should probably think about doing something similar.

the_jos

the_jos

Forge Runner

Join Date: Jun 2006

Hard Mode Legion [HML]

N/

Quote:
Originally Posted by Chthon View Post
Wait, what?!?!?!
You can specify the new NCSoft password during a password reset? I thought the system decided the new password and sent it to you.

Well, shit. If that's the case, every detail of how accounts are being stolen is now publicly available. Even if this method wasn't being used by our Chinese RMT buddies to steal accounts (and I'm pretty sure it has been), it will be now...
When a website is targeted, the underground community already knows the vulnerabilities.

Quote:
Originally Posted by Chthon View Post
My estimates of how long it would take me to code and test each fix:
....................
While the problem seems solved now with the addition of IGN I'd like to make some comment on this.

The company I work for runs a website with sensitive information.
You talk about 'code and test'. Code and test is individual developer thinking, not business thinking. Even emergency patches (we do apply them) need to be coded according to standards. Then they are put in a test environment for testing thoroughly (even when you 'know' nothing will break this needs to be done) on all critical functions.
Things get complicated when the change is not only in the code of the webserver but also in the underlying database tables. In our company the people maintaining the database are not the same people as the people maintaining the website and I think this is usual practice for many commercial parties. Meaning people need to work closely together and are available for the specific task.
After that the patch is approved and moved to production which often means bringing down the website for a brief moment. All this has a nice 'change management process' to make sure everything is done right.

This means while the actual coding and 'testing' requires only a few minutes the total process takes several hours or even days.
This means that in case of a severe vulnerability the website will be taken off-line while the patch is generated. This is a 'drop everything' situation that business usually will not take, often it's better to keep running and servicing customers instead of putting everyone in the dark. The damage from a compromise is often far less than the damage from being off-line for a long time.

This means that often when a vulnerability is reported a small team of people will be brought together to make an impact analysis. What's actually going on, what do we know, what don't we know and how can we gain information.
If needed the website will be brought down. People are asked to come with solutions. But not with 'quick wins', they are asked what the fundamental problem is and how to fix that. Only if that's clear and takes long to develop 'quick wins' are requested.

Why do we do things like this? Because those things eat resources. Developers are working on various other (important) things and those things cannot be worked on while developing a solution. So the less time those developers need to work on the solution for the vulnerability the better. They get a clear assignment with clear description what to fix and how to fix it. Don't waste time trying to fix something only to find out it's broken somewhere else. That's doing good business.

Maybe now you understand a little about why I say that 'easy fixes' might not be so easy after all.

trielementz

trielementz

Wilds Pathfinder

Join Date: Dec 2005

Spectra Sg [SpcA]

W/Mo

What you've just written basically describes every software company. Granted, these processes are justified in the name of project resources and version mgmt. However, they should not prevent any firm from doing its job: serving its customers. Neither should these processes be used to explain long turnaround time. How fast patches can be delivered is a function of criticality, code complexity and resources. While I believe many will appreciate the empathy you are displaying, these processes that you have described should not detract from consumer concerns.

Also bear in mind that the time frame in question here is neither hours nor days, but weeks and months. Check out this talk page and the incgamer thread and see just how long this has been debated by the community.

http://wiki.guildwars.com/wiki/Feedb...Support_Issues

http://guildwars.incgamers.com/showthread.php?t=492211

Also take into account the not very swift support (my account was reset after 5 days) and the stance of Gaile and Regina, and it's not very difficult to understand the frustration of players.

I agree that the additional field added by anet is very helpful. But I cannot help feeling sorry for myself that it came four days too late for me. Nevertheless, it's a useful, if not altogether direct, measure. It's as if they made guildwars secure, undermined it with a questionable NCsoft master account reset mechanism, then worked around it by changing guildwars again, if you get what I mean.

Tullzinski

Tullzinski

Jungle Guide

Join Date: Mar 2006

Trying to stay out of Ryuk's Death Note

N/R

People that have been hacked and got the NCsoft email should get a free mini polar bear.

dekusvamp

Frost Gate Guardian

Join Date: Dec 2008

The Dragon Guild From Hell [lion]

E/Me

Click input for gw for starters.
Also, gw should have a built-in "KeyScrambler", so that keyloggers wouldn't read it.

the_jos

the_jos

Forge Runner

Join Date: Jun 2006

Hard Mode Legion [HML]

N/

Quote:
Originally Posted by trielementz View Post
How fast patches can be delivered is a function of criticality, code complexity and resources. While I believe many will appreciate the empathy you are displaying, these processes that you have described should not detract from consumer concerns.
Consumer concerns should be handled through good communication, not by applying random suggestions from customers who don't know the system and don't know what's exactly going on.

Small example. Last year there was this thing called 'financial crisis'.
Now suppose my company invests substantial money for other companies.
And all of a sudden they realise their position is at risk and they demand immediate action: cancellation of all active trades, closing all derivative positions and selling all equity positions. Move all to safe investments! All to minimize risk.

Should my company listen to their customers?
Or should they explain carefully that taking action at this moment is not smart, even though their feeling shows otherwise. Because by acting now the way the customers ask will generate more problems.

I learned several things from the various crisis management meetings (during actual incidents and in practice settings) I attended.
When you want to take action you first need to know what is going on, as specific as possible. Acting based on partial information is wrong.
When concerned customers call in this stage you tell them that you are investigating and you will inform them when you actually know something.
Ask the customers to have confidence, explain what they can do to minimize risk. Keep in touch when it's a complex incident that takes a long time to sort.
When you know what is going on inform the customers when this information does not add additional risk. Give a timeframe for the solution if present.

It's impossible to do right in such situations. Customers will often demand fast solutions, work-arounds. Those might be very wrong, based on false or partial information or 'gut feeling'. What customers actually want is a 'secure' feeling, the feeling their concerns are taken seriously. And the work-arounds they suggest will give that feeling, they see action and feel they are in control. But the work-arounds might not add real security and control, giving a false feeling. Impossible to tell for the customer, perhaps possible to tell for the company. However, how would you tell a customer that his sincerely given work-arounds won't actually help because the situation is not what he thinks?
Especially when doing this would give additional information about the problem, exposing more of the vulnerability.

Quote:
undermine it with a questionable nc soft master account reset mechanism
This is the kind of perception I am talking about.
My guess is that the main purpose of the reset is to make sure the user cannot access the master account, to buy time. Not so much to have access to the main account for long period of time. This master account might be linked to a non-existing or inaccessible e-mail account, so it's hard to ask for confirmation by e-mail. Making it possible to change the e-mail address (could well be possible already) would make it possible to send the reset to whatever address a hacker wants.
Is this part of a questionable reset mechanism?

No, the problem is that once a hacker is in he has the same control as the actual user. Something that could help is a mechanism that slows him down, but that would also slow the user down. Add an additional pin before the reset can be done? Sure, would cause many problems because people will forget. And the hacker is already in, resetting GW passwords. You want to slow that down? Suppose you gave the pass away by mistake, it would be nice if you could do a quick reset, wouldn't it?

So what do you want? Today it's additional security, tomorrow you yell because you cannot do a password reset without waiting for 24 hours (for example) or you forgot your PIN and need to wait long for support to deal with it.

karlik

Banned

Join Date: Sep 2009

I'm not so sure your comparison is the best one to use. The customers in your model are investing monies. If they feel insecure they remove those monies. Your business fails. If your business gets to the point where guild wars was/is, that you have several customers per day who are losing all of their investments because "taking action at this moment is not smart", all of your remaining customers will remove their investments and your business is doomed and there is nothing you can do to save it.

Back to Guild Wars - What about an insurance policy? You pay a set fee (real money) for an insurance policy that allows you to insure a set number of items. Once insured these items are "locked" and can't be traded, sold, or destroyed until you cancel the insurance. The info needed to cancel the insurance (policy number?) is emailed and not available at NCsoft, etc. On the off chance that a hacker is able to access these items your insurance will replace those items one time.

Chthon

Grotto Attendant

Join Date: Apr 2007

Quote:
Originally Posted by the_jos View Post
<my company is very inefficient>
Gee, it sounds like your company is very inefficient. If your protocols stand in the way of quickly fixing critical problems, then you have bad protocols. Whether you fail to act in a timely fashion because your staff lacks the coding ability, or your management refuses to recognize a critical problem as such, or you've got bad protocols, the ultimate result is that you failed.

Quote:
Originally Posted by the_jos View Post
Consumer concerns should [not] be handled with... by applying random suggestions from customers who don't know the system and don't know what's exactly going on.
Agreed. That's why I criticized the move from a protest thread to a poll thread. >95% of the people here are unqualified to give even a general opinion on what would be a good security measure.

Quote:
Acting based on partial information is wrong.
Acting on partial information is necessary. Complete information is an impossibility. Every person in every situation since the beginning of time has acted on partial information. The optimal time to act is when the cost of gathering additional information outweighs, for the first time, your best estimate of that information's value.

trielementz

trielementz

Wilds Pathfinder

Join Date: Dec 2005

Spectra Sg [SpcA]

W/Mo

Quote:
Originally Posted by the_jos View Post
Consumer concerns should be handled through good communication, not by applying random suggestions from customers who don't know the system and don't know what's exactly going on.

Small example. Last year there was this thing called 'financial crisis'.
Now suppose my company invests substantial money for other companies.
And all of a sudden they realise their position is at risk and they demand immediate action: cancellation of all active trades, closing all derivative positions and selling all equity positions. Move all to safe investments! All to minimize risk.

Should my company listen to their customers?
Or should they explain carefully that taking action at this moment is not smart, even though their feeling shows otherwise. Because by acting now the way the customers ask will generate more problems.

I learned several things from the various crisis management meetings (during actual incidents and in practice settings) I attended.
When you want to take action you first need to know what is going on, as specific as possible. Acting based on partial information is wrong.
When concerned customers call in this stage you tell them that you are investigating and you will inform them when you actually know something.
Ask the customers to have confidence, explain what they can do to minimize risk. Keep in touch when it's a complex incident that takes a long time to sort.
When you know what is going on inform the customers when this information does not add additional risk. Give a timeframe for the solution if present.

It's impossible to do right in such situations. Customers will often demand fast solutions, work-arounds. Those might be very wrong, based on false or partial information or 'gut feeling'. What customers actually want is a 'secure' feeling, the feeling their concerns are taken seriously. And the work-arounds they suggest will give that feeling, they see action and feel they are in control. But the work-arounds might not add real security and control, giving a false feeling. Impossible to tell for the customer, perhaps possible to tell for the company. However, how would you tell a customer that his sincerely given work-arounds won't actually help because the situation is not what he thinks?
Especially when doing this would give additional information about the problem, exposing more of the vulnerability.
I'm guessing your firm is in the financial services industry. It might not be the best parallel. Your firm can advise, but ultimately the client is in control of his funds. Your firm cannot prevent a client from divesting in a loss-making investment, barring very rare circumstances. However I cannot withdraw any current money stream from anet, since this is a non-subscription model. Whether or not anet's business model means they have carte blanche to act independently is another topic altogether. Another difference is that your firm can serve each client's needs individually, whereas anet's clients are all using a common product. Any action it takes therefore needs to be in the best interest of the majority of users. This I understand. However, it should not negate the need for timely responses. Again, bear in mind that the timeline here is in terms of weeks, not hours or days.

An agile organization can never have complete information when it makes a decision. There are the known unknowns, the effects of which can be mitigated by risk mgmt. There are also unknown unknowns. When I say complexity of a patch, I mean to take these into account as well. It is up to an organization to decide when it feels that it has done enough risk assessment to warrant a rollout. However this does not mean that end users or customers cannot request quicker action, based on their own assessment. If the firm disagrees, then I agree with you. It should communicate why (as much as it can) and commit to a mutually agreeable schedule. Sounds reasonable? How do you feel anet has done in that regard? I have provided Gaile's support talk page and Regina's response is a few pages before this post. Personally, I think that not enough has been communicated. It is one thing to tell your customers to have confidence, as you've said. It's an entirely different thing earning that confidence, especially when the customer has already been damaged. True, more information might cause even more security leaks, but this does not mean that vulnerabilities should be swept under the carpet. This is why software companies like Microsoft make security announcements from time to time. Again it is up to the company to decide what to announce, what to keep under wraps. It does not stop users from announcing proofs of concept or from disagreeing with their policies. I shall point out that we are now beyond proofs of concept. And the patch is already delivered. So would you agree that *some* form of disclosure at this point in time would be the right thing to do?

Quote:
Originally Posted by the_jos View Post
This master account might be linked to a non-existing or inaccessible e-mail account, so it's hard to ask for confirmation by e-mail. Making it possible to change the e-mail address (could well be possible already) would make it possible to send the reset to whatever address a hacker wants.
Is this part of a questionable reset mechanism?
A master account with direct access to multiple games should be at least tied to a verifiable email address, wouldn't you say? Even gossip forums do that much nowadays. To be fair, I believe the ncsoft master account does that. If the master account allows for easy email change on top of easy password reset, then yes, this is another vulnerability with the potential to both take over a game account AND cut off the game owner's line of communication. In IT security, it is never possible to save 100% of idiot users (like myself). Nevertheless, a good security policy would attempt to mitigate that. What if an internet cafe user leaves his master account logged on at the end of his session? How can the website continue to ensure his various game accounts are still protected to a certain degree? In internet banking, this is done by what you know (your password) and what you have (an RSA token) (a third dimension is what you are (biometrics)). I am not suggesting all these be used, merely pointing out the dimensions of IT access control.

What else did I mean by questionable? The modification of the guildwars account via the nc soft master account is questionable. When I log into the ncsoft master account, I have only proven that I have the ncsoft master account password (one dimension of "know" and "have"). I have not proven that I am the owner of the guildwars account. The website assumes that I am, and therefore allows me to modify the guildwars account without further challenge. I fully understand that this could be to provide a convenient means for account reset for gamers who have forgotten their guildwars password. This intention does not mean that this is not a vulnerability. An airplane could crash, killing all its passengers. But all airplanes continue to have seat belts. The idea is not to remove all risks, but to mitigate them and negotiate a trade off.

Imagine if your internet banking account was reset if your email account was compromised. Do you think this is an acceptable tradeoff to cater to people who have forgotten their internet banking account passwords? Which scenario in your opinion has a bigger impact on the customer and the firm's reputation? This slew of hacking incidents, or the people who have forgotten their passwords and have to wait 24 hrs for a reset? As a corollary, how realistic is it that many gamers will forget their guildwars login/password and remember their ncsoft master account login/password?

I know I am arguing based on the premise that the NCsoft master account was indeed a weak link, discounting the fansite(s) that leaked account info. Unfortunately, nothing in my experience or anet's communication gives me reason to modify that belief. If some sort of explanatory statement is given, I'd be more than happy to readjust my position.
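Two posts in this thread describe the mechanism under debate: karlik's note that the game login now asks for the name of any character on the account, and trielementz's point that a master-account login alone lets the linked game password be reset without a further challenge. The Python model below is an added example, not ArenaNet's or NCsoft's code (their systems are not public); it puts the two side by side and adds an attempt counter so the extra factor buys support time rather than just one more guess. The attempt limit, the case-insensitive name comparison and all account data are constructed assumptions.

```python
from dataclasses import dataclass, field

MAX_CHARACTER_ATTEMPTS = 3  # assumption: the real threshold is not published


def normalize(name: str) -> str:
    """Assumption: character names compare case-insensitively, single-spaced."""
    return " ".join(name.split()).casefold()


@dataclass
class Account:
    email: str
    game_password: str
    characters: set[str]
    character_failures: int = 0
    locked: bool = False


@dataclass
class GameAuth:
    accounts: dict[str, Account]
    reset_log: list[str] = field(default_factory=list)

    def master_reset(self, email: str, new_password: str) -> None:
        """Models the reset path the thread criticises: whoever holds the
        master-account session may set the linked game password with no
        further challenge. Every reset is logged so support can see it."""
        self.accounts[email].game_password = new_password
        self.reset_log.append(f"reset:{email}")

    def login(self, email: str, password: str, character_name: str) -> str:
        """Game login with the added knowledge factor. Returns one of
        'ok', 'bad_password', 'bad_character', 'locked'."""
        acct = self.accounts.get(email)
        if acct is None or acct.game_password != password:
            return "bad_password"
        if acct.locked:
            return "locked"  # only support can clear this state
        known = {normalize(c) for c in acct.characters}
        if normalize(character_name) not in known:
            acct.character_failures += 1
            if acct.character_failures >= MAX_CHARACTER_ATTEMPTS:
                acct.locked = True
                return "locked"
            return "bad_character"
        acct.character_failures = 0
        return "ok"


def demo() -> dict:
    """Walks through the scenario the thread describes on constructed data."""
    email = "owner@example.invalid"
    auth = GameAuth({email: Account(email, "correct horse",
                                    {"Sample Warrior Alpha", "Sample Monk Beta"})})
    out = {}
    out["owner"] = auth.login(email, "correct horse", "sample warrior alpha")
    # A reset through the master account replaces the game password outright,
    # so the owner's old password stops working ...
    auth.master_reset(email, "new pass")
    out["owner_after_reset"] = auth.login(email, "correct horse", "Sample Warrior Alpha")
    # ... but the new password alone no longer logs in: wrong character
    # names fail, and the third failure locks the account until support acts.
    out["guesses"] = [auth.login(email, "new pass", g) for g in ("Mule", "Bob", "Eve")]
    # The lock also stops the real owner, which is the_jos's trade-off:
    # slowing an intruder down slows the user down too.
    out["owner_locked_out"] = auth.login(email, "new pass", "Sample Warrior Alpha")
    out["resets_seen"] = len(auth.reset_log)
    return out
```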

neighto

neighto

Lion's Arch Merchant

Join Date: Nov 2005

The Heart of Life is [Love]

Quote:
Originally Posted by trielementz View Post
I know I am arguing based on the premise that the NC soft master account was indeed a weak link, discounting the fansite(s) that leaked account info. Unfortunately, nothing in my experience or anet's communication gives me reason to modify that belief. If some sort of explanatory statement is given, i'd be more than happy to readjust my position.
If they expect players to assume full responsibility for the security of their accounts then the players should have more control over, and information regarding compromises to, said security.

If I'm to be liable for something I do believe I have a right to know what, precisely, I'm being held liable for.

Fay Vert

Desert Nomad

Join Date: Apr 2006

R/

Quote:
Originally Posted by neighto View Post
If they expect players to assume full responsibility for the security of their accounts then the players should have more control over, and information regarding compromises to, said security.

If I'm to be liable for something I do believe I have a right to know what, precisely, I'm being held liable for.
This for truth.

I'm sick of ANet's attitude on security. Why don't they take a look at the poll results? It's pretty clear what this community wants most, and it isn't more condescending advice.