Security Question

Revolutionen

Ascalonian Squire

Join Date: Dec 2009

Sweden

A/E

What if I have an empty account with no characters on it?

Kenzo Skunk

Frost Gate Guardian

Join Date: Jan 2009

You don't want to hear an answer to that, believe me.

Riot Narita

Desert Nomad

Join Date: Apr 2007

Quote:
Originally Posted by TideSwayer View Post
I hate that the box remembers BOTH the account name and the security answer. I think it would be better to have the option to sometimes keep the account name remembered but not the security answer (and vice versa).

Please give us separate checkboxes for the account name and the security answer. People who still want to remember both can still check both.
You can untick the box, and use command line parameters to autofill the boxes you want. E.g. use -email to fill in your account name, but still require manual entry of password and security question.
Quote:
Originally Posted by Revolutionen View Post
What if I have an empty account with no characters on it?
Read the FAQ... leave the security question blank.
Once you create a character you'll need to type its name at login, for the security question.

Hengis

Wilds Pathfinder

Join Date: Apr 2006

London

Better Than Life (BTL)

R/

I have to say that this is a work of genius!

Kudos to whoever thought of it!

Shasgaliel

Jungle Guide

Join Date: Apr 2008

[bomb]

Brilliant update! Easy and straightforward solution.


Keep the good work going.

Pleikki

WTB q8 15^50 Weapons!

Join Date: Nov 2006

???oo ???ugs ???lan [?????????]

Great job Anet, it's nice you guys are even trying to do something

My New Name

Krytan Explorer

Join Date: May 2008

I like this... feel a bit safer now...
not sure how effective it will be though...
time and # of "I got hacked" threads will tell I guess...

Another Felldspar

Lion's Arch Merchant

Join Date: Sep 2006

Alchemy Incorporated

Mo/E

Thank you. I think I'll go buy the costumes now

Darcy

Never Too Old

Join Date: Jul 2006

Rhode Island where there are no GW contests

Order of First

W/R

Thank you ArenaNet. This change is very welcome. I voted for a security question in the poll thread, because it seemed to be the easiest upgrade to apply. With almost four years invested in GW and the odds of getting hacked increasing, I am happy with any security measures you introduce. Keep them coming.

Aldric

Wilds Pathfinder

Join Date: Jul 2007

[IG]

R/

Only thing I would have liked is a separate tick box for remembering the account name and character name so that I only have to type the password and character each time I log in.

It's not a major hassle but I just find having to type the account name as well a bit annoying.

Edit.

Quote:
Originally Posted by Hissy View Post
You can untick the box, and use command line parameters to autofill the boxes you want. E.g. use -email to fill in your account name, but still require manual entry of password and security question.
Edit. Thanks Hissy, never knew about this one.

Evil_Necro

Desert Nomad

Join Date: Nov 2005

川崎区、日本

currently guildless..

Rt/

Loving the update. I think I'll give my thanks too by getting either the BMP/Costume (can anyone advise which is better? :P). However, I can only hope that my CC info doesn't get breached.. D:

Valerius Darthmist

Pre-Searing Cadet

Join Date: Dec 2006

Caminantes de los Planos

Me/Mo

Even with this security upgrade, I am worried.

Many people use their main character name as their forum user name. So it continues to be easy to get into their accounts.

Would it be possible to choose which characters' names can be used in the security question?

That simple addition to the new security system can increase the efficiency much more.

imnotyourmother

Desert Nomad

Join Date: Mar 2008

in a house

The Knitters Guild

W/R

Well as stated up above...

Something needed to be done.

This fix was very creative to say the least.

However, when Nick the Huntsman came to Presearing, I ran out and got a bunch of new accounts. So I have 5 accounts and could remember only enough to get me into 2 of my accounts.

So, I asked my wife and she remembered one toon. Because I had made a guild for all of my accounts I was able to go to the guild list and get some names and then by a process of elimination, one by one got into my accounts.


HOWEVER!!!!

There is a FLAW.

My ANET account is linked to the CHARACTER NAME of the FIRST toon that I made on my MAIN account. So if you got my first toon's name then you have my ANET account. Anet will not let me change that name 'cause it's my LOGIN!!

So this is flawed.

Case in point. I was in presearing the other day with my Main account and someone asked me how long I had been playing. I told them and then they asked what was the first profession that I ever made and then he started to say what funny names he made and the name of his "first toon". As SOON as I saw that.. I got a shiver UP my Spine and he asked what was the name of my first toon!!

I said Chuck YOU Farley and took screenies and sent them to ANET support knowing full well that my ANET account name was the name of the toon that this creep was going after.

SO, I sure as heck hope that ANET changes something on their main log in page as well.

The reason I know this is because when they came out with the fire imp at the online store I went to buy it and there was an ANET account already set up for me. I do not know how or why but the account name was the name of the mesmer that I had been playing. After I got the imp, I deleted my mesmer so no one would try and get my info cause if they can get the ANET account info.. they've got everything else.

fantasyforever

Ascalonian Squire

Join Date: Dec 2008

IRC, Lion's Arch

W/D

Quote:
Originally Posted by Valerius Darthmist View Post
Even with this security upgrade, I am worried.

Many people use their main character name as their forum user name. So it continues to be easy to get into their accounts.

Would it be possible to choose which characters' names can be used in the security question?

That simple addition to the new security system can increase the efficiency much more.
That's a good idea.

Also, thanks ArenaNet for caring and implementing a security question.

neighto

Lion's Arch Merchant

Join Date: Nov 2005

The Heart of Life is [Love]

Quote:
Originally Posted by JonnieBoi05 View Post
Now the people who invest 4+ years into their accounts can have a HUGE peace of mind while sleeping or going away on vacation etc. etc.
Huge peace of mind that they did something after the fact? I've already invested 4+ years and countless thousands of hours into the game, and now my account is cleaned out.

This solution does what, exactly, for those of us who were already hacked?

Smarty

Krytan Explorer

Join Date: Mar 2008

England

Me/

I'm in the same boat as Valerius above - even though I've never used my username, character name and/or password all together in one place so that someone could connect them together, it still feels like it's a security risk having the info out there. If I'd known my character name would one day be a part of login security I'd never have used it as a forum name. Fingers crossed Inde's able to do that name change I requested...

Grats and thanks to ANet for coming up with this solution, though. I'm much less worried about my account than I was before this was implemented.

pumpkin pie

Furnace Stoker

Join Date: Jul 2006

behind you

bumble bee

E/

Hahaha, I thought this was a suggestion!

THANK YOU ARENA NET! Going to buy the costume

Riot Narita

Desert Nomad

Join Date: Apr 2007

Quote:
Originally Posted by neighto View Post
This solution does what, exactly, for those of us who were already hacked?
Nothing, obviously. You'll never get your stuff back. Nobody will. You knew that.

This (and anything else they're planning to add) comes far too late for people who have already been robbed.

Better late than never...

Carboplatin

Jungle Guide

Join Date: Jul 2005

[PIG]

W/A

For people who use their character names as forum names, it is possible to change it if you PM an administrator.

Axeman002

Wilds Pathfinder

Join Date: Sep 2008

A/Mo

Excellent update... and for the people QQ'ing about having long names... you are really really lame if you're QQ'ing about your own name!

neighto

Lion's Arch Merchant

Join Date: Nov 2005

The Heart of Life is [Love]

Quote:
Originally Posted by Hissy View Post
Nothing, obviously. You'll never get your stuff back. Nobody will. You knew that.

This (and anything else they're planning to add) comes far too late for people who have already been robbed.

Better late than never...

Sure, I guess, you can use the cliche of better late than never.

In this instance I believe it's a flawed excuse rather than a solid reason. Is it really better late than never?

It goes beyond the coinage, the FoW armors, and the miscellaneous other pixelated stuff that I no longer have on my characters.

My 4+ years and 6000+ hours of love for this game have been compromised, along with my trust of ANet's security. I'm not spending another 4+ years and 6000+ hours to get it all back when the security of their servers undergoes band-aid solution after band-aid solution that leaves the larger issues unaddressed and wholly vulnerable.

What point would it serve to re-invest that time & energy when the possibility of it being compromised a 2nd time is still more likely to happen than not?

Why would I buy GW2, when it runs on the same security issue plagued principles? Why would I give my money to a company that has, up to this point, completely failed to provide any measure of timely or decent customer service?

Better late than never doesn't fix the problems that have already occurred, and I'm not referring to my "stuff" being gone.

Riot Narita

Desert Nomad

Join Date: Apr 2007

Quote:
Originally Posted by neighto View Post
Is it really better late than never?
Yes it is. I realise how much it sucks for you, but if it saves others from the same fate, it has to be A Good Thing.

Quote:
Originally Posted by neighto View Post
leaves the larger issues unaddressed and wholly vulnerable.

What point would it serve to re-invest that time & energy when the possibility of it being compromised a 2nd time is still more likely to happen than not?

Why would I buy GW2, when it runs on the same security issue plagued principles?
Because it won't have the same security issues? They ARE doing something about account security. Finally. It seems there is more to come... hopefully they will plug the known holes and add stuff to mitigate damage in case of as-yet-unknown holes. If not for GW1 then at least for GW2.

If they don't... well, I will be thinking hard too, about whether to put time and money into GW2. Just have to wait and see, but for now I am optimistic.

Riot Narita

Desert Nomad

Join Date: Apr 2007

Hmm. I wonder if all the other games under the NCsoft master account are making similar changes. Or is it only A-Net that's pulled their finger out of their proverbial?

Coverticus

Lion's Arch Merchant

Join Date: Jan 2006

The Zodiac Elites [TZE]

Mo/

Superb, a step in the right direction ANet.

Quote:
Originally Posted by Regina Buenaobra
We sincerely apologize for interrupting the Snowball AT for this. The security update was a high priority update, and it was important to get this out as soon as we could.
Judging by what people have already stated on the whole getting "immediately" kicked thing for the update patch to be implemented, maybe next time a global announcement stating "Servers will be shut down in 30mins" (or something to that effect, counting down every 5 mins or so) so that people have forewarning and don't commit to anything (or have time to pick up that rare drop hehe). **Forgive me if this indeed happened, am at work atm **

Darcy

Never Too Old

Join Date: Jul 2006

Rhode Island where there are no GW contests

Order of First

W/R

I just logged in to GW without needing to retype anything. The -password works with the "remember" box checked. So my GW is still safe from keyloggers (it has an "only-GW" password).

Axeman002

Wilds Pathfinder

Join Date: Sep 2008

A/Mo

If people can hack into the government's computers... an internet game will be a breeze, no matter what's implemented... but against the small time hacktards... this update gets a thumbs up for me

HawkofStorms

Hall Hero

Join Date: Aug 2005

E/

Stupid question but...

"What if an account... has no characters currently on it?" Does it just get locked out for all time?

Riot Narita

Desert Nomad

Join Date: Apr 2007

Quote:
Originally Posted by HawkofStorms View Post
Stupid question but...

"What if an account... has no characters currently on it?" Does it just get locked out for all time?
Leave the security question blank, until you've created a character. It's in the FAQ :-D

Crystal Lake

Frost Gate Guardian

Join Date: Dec 2007

Mo/

Well, hopefully we will have fewer posts on here about accounts being hacked. It certainly seems like it's made it much more difficult for the gold sellers to hack accounts. As far as the other hackers, I don't know what else anet can do.

pumpkin pie

Furnace Stoker

Join Date: Jul 2006

behind you

bumble bee

E/

A word of precaution: Watch out, all Guilds that have Forums and webpages, you are gonna be hacked, lol.

I probably shouldn't mention this cos hackers might be reading too, but then if you don't say anything, people forget and when it does happen it's too late. So...

Seriously, I know this is a good addition for security, but I thought of it some last night and the only place I've ever let anyone know of my in game name is on Guild Forums. So, quickly go erase your traces now! Especially if you are using the same email address and password. Check to see if your guild forum is infected before you do so too lol just in case. Yes I know I am paranoid.

<< under your avatar, under Guild, you might want to erase those too.

Chthon

Grotto Attendant

Join Date: Apr 2007

1. Let me start by saying that I am very, very pleased with this security update.

2. Let's take a look at how effective it's going to be. Right now, there's 4 known types of account theft going on:
  • GW account is stolen via vulnerabilities in website for the NCSoft Master Account.
    Chinese RMT companies run automated attacks against the NCSoft website, gaining access to random accounts in bulk. This is the type of account theft that until now worried me the most because, unlike other theft methods, there's nothing the player can do to prevent the NCSoft Master Account from getting stolen. Worse yet, NCSoft seems dead set on pretending there's no problem, no matter how many accounts are stolen and how much evidence mounts.
    A-net's little fix puts a complete stop to this sort of theft. Stealing your NCSoft account gives the thief your GW username and password, but he has no way of obtaining your character names from the NCSoft account alone.
  • GW accounts that had their username & password grabbed some time ago in the fansite breach, but the thieves are just now getting around to looting them
    If the stolen database had an IGN field (like Guru's used to), then this fix does very little. At most, it requires the hackers to reconfigure their account looting bots. On the other hand, if that data wasn't part of the fansite's database (or the hackers didn't bother collecting it), these guys are stopped.
  • Various forms of user idiocy
    • User trusts a "friend" he shouldn't have with username & password
      No help. Anyone dumb enough to give out his username and password is also dumb enough to give out a character name.
    • Phishing and other social engineering
      Some help. The thieves now need to ask for username, password, and a character's name. That should sound a notch even more suspicious than asking for username and password. Unfortunately, many folks dumb enough to give username and password will fork over a character name too.
    • Spoofing and Cross-site scripting
      Some help. Every attack page needs to be rewritten, so (hopefully) some attackers may not bother. And the authors have to somehow justify asking for a character name on a webpage. Such sites should appear more suspicious now.
    • Keylogger + Insufficient Antivirus/Firewall
      Very little help. Attacker can just steal the character name too.
      What about putting it in the command line/checking the box to remember it? No use; if the attacker has obtained high enough privileges to execute his keylogger, he's also got high enough privileges to execute a program to scan your shortcut and your GW folder and grab any stored password or character name. At best, this knocks out low-level scum who lack programming ability and use a keylogger written by someone else.
  • Targeted attacks against wealthy individuals.
    Since these attacks are done in varying, and possibly unknown (to me), ways, I can't really judge how effective the character name requirement will be.

3. As you can probably see, a-net plugged the biggest, worst security hole they had -- unfettered GW access once the NCSoft Master Account is compromised. (And it's pretty obvious to the cynics among us (me included) that fixing this particular problem was the goal of this patch.) There's still other holes to be plugged, and a lot more security features that need to be implemented before we have a "secure" game, but this is a very, very good start.

4. The instinct to protect one's IGN (as evidenced by the deluge of name-change requests to Inde) is correct. Since the GW username and password can be obtained from the NCSoft account, and the NCSoft account is utterly insecure, IGN is the only thing standing between you and account theft. At this point, the most important thing you can do to secure your account is to (1) keep your IGN's as private as possible, and (2) minimize connections between your IGN's, GW username, NCSoft username, and forum username. (Assuming, that is, you aren't engaging in plain old user idiocy. Ceasing idiocy would be more important.)

5. That said, IGN's on the forum are not as big an issue as people are making it out to be. First of all, matching an IGN to a NCSoft username or GW username is a potentially nigh-impossible task, and one that cannot easily be automated. Sure, if your NCsoft username is BobDole, and your forum username is BobDole, and your GW username is [email protected], and your IGN is Bob Dole, then you could be in trouble. If you've got a bit more variation, it's unlikely a bot could make the necessary associative leaps. (How, for example, could a bot connect a forum user named MsNyx with a posted IGN of Stevie Nix to either GW username [email protected] or NCSoft username fleetwood?) A human could do a better job. But human employees are expensive. And English-literate human employees are particularly expensive in China. No doubt there will be some lone wolves trawling the forums for info on high-value targets, but I think the odds of RMT companies turning to the forums to gather info for bulk account thefts are pretty low.

6.
Quote:
Originally Posted by Martin Alvito View Post
Yes, this is a very tight workaround to the parent company's apparent obstinacy.
Yes, it was. A-net scores some points in my book for going against NCSoft's manifest desire that they continue stonewalling. Perhaps a little late, but they ultimately chose to do right by their customers.

7. You know who else scores some points in my book? The community who finally pressured them into action. Particular thanks go to Shan for standing up and making herself heard, Martin Alvito for piecing together how NCSoft accounts could be so easily stolen, and Inde for more behind-the-scenes activism than we may ever know.

8. Why was the update done with no announcement? I lost my snowball tourney/VQ/Mission/girlfriend/etc. because of it!

Assume for a minute that a-net was correct when they said in the past that at least some of the accounts currently being stolen had their username & password grabbed some time ago, but the thieves are just now getting around to looting them, and it should be pretty obvious to you. If I were a thief given a few hours forewarning, I'd promptly write a bot to log into as many accounts as possible and grab a character name off them. If I had a half hour forewarning, I'd have my employees do the same manually.

9. Several folks have pointed out, once a thief has gotten into an account, he has an incentive to delete all the characters and create a new one with a different name in order to keep you out while he loots stuff. After some thought, I don't think this makes much sense. The thief needs to strip each character before he deletes it. By the time he's finished stripping the last character -- the time when he could finally lock you out -- he's finished and no longer cares if you get the account back or not.

In any event, insofar as that's a problem, the oft-requested character locks are the solution.

10. As for the folks complaining that they don't know the character names on their mule accounts, go contact support. Seriously, having to contact support to reclaim your intact account beats the hell out of having to contact support to reclaim your stripped account.

Ultimately, this is the bottom line:

Quote:
Originally Posted by Arkantos View Post
What ANet did just saved hundreds if not thousands of accounts being stolen. That's a huge step in the right direction.

Hyperventilate

Krytan Explorer

Join Date: Nov 2007

Somewhere in California

I Gots A Crayon [Blue]

Me/Mo

To anyone who is having trouble remembering character names:

I just got an e-mail back from support with single character names on my forgotten-named accounts. I -DID NOT- have to prove ownership.

This is a step in the right direction for security, but I don't know how much good it will do. Let us wait and see.

In response to the post below me:

I did not need to provide CD keys or any other sort of proof of ownership. I simply told them the account e-mail and they provided me with character names.

anime232

Academy Page

Join Date: Dec 2005

雲のむこう・約束[の場所]

Interesting that this was added and all but still would have been nice to know ahead of time what day it was going to be implemented so we could get names on accounts we don't use often (XTH accounts)... support is going to love me when they see about 40ish e-mail addresses... and even more so if they need the cd-keys lol

animal fighter

Forge Runner

Join Date: Dec 2009

buying shields w/ armor vs animals

Animal Fightas Inc [?????????]

Quote:
Originally Posted by JonnieBoi05 View Post
LOL... My pleasure. I am full of pointless/useless info that people could live the rest of their lives just fine not knowing. xD
does this affect role-play land too? it must if you're posting in this thread. then again, I wouldn't doubt your complete nerdiness to post everywhere for no reason. did you also buy the upgrade called "fuse my human life into my guild wars account?" that one applies to you without a doubt

also sweet update d00d. after hundreds of people were already 'hacked'

Martin Alvito

Older Than God (1)

Join Date: Aug 2006

Clan Dethryche [dth]

Quote:
Originally Posted by Chthon View Post
9. Several folks have pointed out, once a thief has gotten into an account, he has an incentive to delete all the characters and create a new one with a different name in order to keep you out while he loots stuff. After some thought, I don't think this makes much sense. The thief needs to strip each character before he deletes it. By the time he's finished stripping the last character -- the time when he could finally lock you out -- he's finished and no longer cares if you get the account back or not.
The thief could use a stolen account to farm as follows:

1) Delete all characters
2) Make a new character
3) Run it to D'Alessio
4) Bot the lvl 10 trick
5) Run it to Gunnar's
6) Bot Dwarven Boxing to 20
7) Run to farm spot

But this is a fair amount of work. It would take a pretty organized thief in need of accounts.

I think the larger threat is thieves converting stolen accounts to gold spambots, which just requires pushing a new character through Chabek for Kamadan, and requires nothing to reach GToB. Those that are worrying are correct that thieves, IF they get the account, are incentivized to delete. However, thieves using automation are now foiled. Don't get keylogged, and you should be fine.

pumpkin pie

Furnace Stoker

Join Date: Jul 2006

behind you

bumble bee

E/

Quote:
Originally Posted by Hyperventilate View Post
To anyone who is having trouble remembering character names:

I just got an e-mail back from support with single character names on my forgotten-named accounts. I -DID NOT- have to prove ownership.

This is a step in the right direction for security, but I don't know how much good it will do. Let us wait and see.

In response to the post below me:

I did not need to provide CD keys or any other sort of proof of ownership. I simply told them the account e-mail and they provided me with character names.
That is not wise for ArenaNet to do, what if some players haven't logged in for some time, and the thief sends a support email to ArenaNet?

darkknightkain

Lion's Arch Merchant

Join Date: Mar 2007

P/W

Quote:
Originally Posted by Hyperventilate View Post
To anyone who is having trouble remembering character names:

I just got an e-mail back from support with single character names on my forgotten-named accounts. I -DID NOT- have to prove ownership.

This is a step in the right direction for security, but I don't know how much good it will do. Let us wait and see.

In response to the post below me:

I did not need to provide CD keys or any other sort of proof of ownership. I simply told them the account e-mail and they provided me with character names.
I seriously hope you are joking...
This creates an even bigger security issue than what the patch was trying to fix.

Now if someone wants to hack accounts they only need to guess account names, don't even need to guess the character name.

Chthon

Grotto Attendant

Join Date: Apr 2007

Quote:
Originally Posted by Martin Alvito View Post
The thief could use a stolen account to farm as follows:

1) Delete all characters
2) Make a new character
3) Run it to D'Alessio
4) Bot the lvl 10 trick
5) Run it to Gunnar's
6) Bot Dwarven Boxing to 20
7) Run to farm spot

But this is a fair amount of work. It would take a pretty organized thief in need of accounts.

I think the larger threat is thieves converting stolen accounts to gold spambots, which just requires pushing a new character through Chabek for Kamadan, and requires nothing to reach GToB. Those that are worrying are correct that thieves, IF they get the account, are incentivized to delete. However, thieves using automation are now foiled. Don't get keylogged, and you should be fine.
I hadn't thought of that. I was caught up in the current MO of stripping accounts for profitable items. However, don't thieves who steal accounts for long-term use (spam bots and farm bots) always change the password? Since you're going to be going through Support anyway, it's not like they get to keep the account any longer if they delete your guys than if they don't. Even if you had an NCSoft account, and they stole your GW account through some other means, once you reset the GW password, they don't get to keep the account any longer if they delete your guys than if they don't. They have nothing to gain; the only reason to do it is spite.

Riot Narita

Desert Nomad

Join Date: Apr 2007

Quote:
Originally Posted by Hyperventilate View Post
To anyone who is having trouble remembering character names:

I just got an e-mail back from support with single character names on my forgotten-named accounts. I -DID NOT- have to prove ownership.

This is a step in the right direction for security, but I don't know how much good it will do. Let us wait and see.

In response to the post below me:

I did not need to provide CD keys or any other sort of proof of ownership. I simply told them the account e-mail and they provided me with character names.
Quote:
Originally Posted by darkknightkain View Post
I seriously hope you are joking...
This creates an even bigger security issue than what the patch was trying to fix.

Now if someone wants to hack accounts they only need to guess account names, don't even need to guess the character name.
They'd have to break into your email too though, wouldn't they? To get the character names that support sends you? Still, it doesn't seem very clever.

By the way, big thanks to Chthon and Martin Alvito. Your well thought-out posts and insights have been invaluable the last few weeks.

Hyperventilate

Krytan Explorer

Join Date: Nov 2007

Somewhere in California

I Gots A Crayon [Blue]

Me/Mo

Yeah, no. I'm not joking. They told me it was a one-time leniency because of people having mule accounts that are not accessed often, and the update being so abrupt.

The hackers would still need to know my password and my e-mails for the accounts, plus the character names.

I don't feel strangely or oddly that they answered my request. The hackers would still need to know far more than just the e-mail or the character name.