Update - Tuesday, December 22, 2009
isildorbiafra
Besides I bet most of these multiple accounts have been bought ingame for botted/ leeched gold; and did not contribute one iota of income to anet. Get over it. I myself feel a lot safer with the new security measures in place.
tom32304
Quote:
It in no way discourages me from having multiple accounts and anyone who feels aggrieved at being forced to remember an account name in order to play a game should really blame themselves rather than Anet.
|
I blame ANET for not telling me I needed to remember the toon name.
But the real problem is that this will result in a black eye for GW. Anyone with an IQ above room temp knows this is not a real security feature, even Gayle said there are other "top secret double probation" security features ANET is not telling. This is just a stumbling block for legit users and a small loss for hackers who will just switch to an easier target.
Anyone who thinks this name your toon question is real security needs to take a computer course.
Zahr Dalsk
Quote:
Besides I bet most of these multiple accounts have been bought ingame for botted/ leeched gold; and did not contribute one iota of income to anet.
|
Ok, now I'm in full support of this security feature. Why? The idiots who couldn't bother to spell their character names correctly will have a hard time logging in, and that makes me happy. Hooray ArenaNet!
Fay Vert
People with multiple accounts have been putting more money in ANet's pockets.
Lest121
I can't log in and I don't have my account linked to NCsoft, what gives... I haven't played in 18 months; all I do every month is check on my account to make sure it's not hacked. The password is so strong and so random it took me a few days to memorize it.
isildorbiafra
[QUOTE=Zahr Dalsk;4989348] Any account which was sold for ingame gold obviously had to have been bought from ArenaNet in the first place, or there'd be no one to sell it for ingame gold. [/QUOTE]
Not true. That account was bought by someone else who for whatever reason somewhere along the line decided to sell it. Be it because they quit the game or just wanted to make some cash. The fact the account was bought for ingame gold in no way adds money to anet's pocket.
JordanH
This change has really annoyed me because I'm a very casual user and I've logged on for the first time in approx a year to play. I really don't have a clue what I named my character and I presume support are closed or at limited capacity over Xmas.
Personally, I would sacrifice this little bit of added security to be able to log in without having to go through this tedious process. However, I understand how for many players, this is a needed security measure - I think this could have been implemented wayyyy better so that casual players don't lose out.
Chances are I'll probably miss all the Wintersday events unless their support team is a little more responsive...
Zahr Dalsk
Lest121
Can log... everything is there... I may not play anymore while I wait for GW2 but I have accomplished a lot.
isildorbiafra
You're right; but let me put it this way. If you go out and buy 10 used cars, does that put money in the pocket of the car companies that build them? No; only the dealer makes money. The company gets zilch out of it. And the fact that you purchased those 10 cars on a later date in no way whatsoever influenced the original owners' decision to buy those cars in the first place.
HawkofStorms
Quote:
I like how people somehow think that it's Anet's fault that they can't remember their own character names.
|
This isn't a big deal. This is MUCH less controversial of a decision (hey, more security = good) than the introduction of microtransactions. Yet for some reason, people support that and are angry at this. Boggles the mind. People who are whining are just whining for the sake of whining.
Lucci_Slevin
I originally posted this in its own thread but it was deleted because there are too many threads about this issue. I have been given permission to post this here.
I think I know the reason for this change.
There are theories of the hacks having been caused by trojans/keyloggers, brute forcing of the log-in or hacking of the NCsoft master account.
But I have been following the feedback from Anet over the past couple of months and I do not think any of those are the case. I know there is a sticky at the top but not everything is there.
I thought I would post the most important statements here in one thread so that people who may not have read them can see how things transpired. And also to have this thread open for discussion.
Dates are at the end of the quotes (chronological order). A short blurb describes each quote.
On retrieving lost items.
On brute forcing GW client
On brute forcing NCsoft site
Log-in info taken from a website.
On revealing which website that was.
Anet does more research. Note the part about vulnerable forum software.
Confirmation on the breach.
Research on possible Ncsoft site hacks.
The purpose of the recent update.
I just wanted to show that Anet was on the case from the beginning, though they mostly posted on the wiki and not here. And that the more complex theories of the hackers' methods were probably not the case. Most of the hacks were probably due to the database breach in the second quote.
I am aware that this thread has the potential to become a witch hunt of GWG and GWO admins. Please be respectful. I would like for this thread to remain open so that people may read it and comment.
Quote:
Sometimes -- very rarely -- we have a clear-cut path that enables us to return items. When we can, we do. Many people who read this page can attest to that, for I've talked to some of them personally and have returned the items they lost. But for most cases, it's simply not possible. Not because we don't care. Not because we don't try. But simply because we cannot do it in a fair and equitable way. -- Gaile 01:05, 3 November 2009 (UTC) |
Quote:
There is a different kind of brute force prevention system in place. Instead of those irritating "You ran out of tries, please wait a lifetime to try again" systems, the Guild Wars password system is set to take longer and longer to become available. It was explained to me a couple of years ago that this system does effectively the same thing: it prevents an automatic brute force program from working. The team felt this was more user friendly. However, I will pass along your concern and your suggestion to the team members I am writing this afternoon. -- Gaile 01:32, 3 November 2009 (UTC) |
Quote:
Update: I have been exchanging emails with a number of team members in two different states. One concern I took to the team was about not having "time outs" or other means of preventing brute forcing of passwords on the NCsoft site. Here is part of the answer that I received: "The account management secure site does indeed have velocity checks in place to prevent the brute forcing of master accounts. If too many attempts are made within a given period of time, the user will be temporarily blocked from making any further efforts to login. In addition, there are velocity checks on the action of attempting to change the passwords themselves." -- Gaile 20:10, 4 November 2009 (UTC) |
Quote:
Fansite Security Breach
We learned today that one of the trading sites associated with Guild Wars may have experienced a security breach and its account database (including user names and passwords) may be in the hands of hackers. So far we have identified more than 20 Guild Wars accounts that appear to have been accessed by unauthorized individuals who may have been involved in the fansite's database breach. Our security recommendations have never been more timely, particularly those that suggest that you always use a unique password for every single account that you own. We have closed the game accounts of those involved in the account thefts. We will be watchful for further episodes. And we will be contacting the fansite owner to continue gathering information related to this incident. -- Gaile 21:48, 9 November 2009 (UTC) |
Quote:
Hi KJ. I knew that question would arise. I've talked to the Community Team and at this point, they would rather we not mention a site name because we have not had a chance to interface with the site, or to gather all the info we need to confirm the matter with 100% certainty. Perhaps the site's name will be mentioned once we have more details, but at this point, anyone using the same password on any site -- fansite, forum site, trading site, social networking site, email site, whatever -- should change passwords so that each one is different. It shouldn't take a breach for all of us Internet users to keep security in the forefront of our minds, but this thread may alert a few more people to this very real issue and may help a few more folks increase their security. -- Gaile 22:05, 9 November 2009 (UTC) |
Quote:
Hacked Accounts: Research Continues
We've seen comments on this page, on the Guild Wars Wiki in general, and on fan forums that show a rising concern about account thefts. And it's true that the number of hacked accounts has risen somewhat over, say, a year or two ago, even while it's not a major crisis. Security is of paramount importance to us, as we know it is to you. I wanted to give an update on what we've done and what we've learned so far:
* ArenaNet and NCsoft have taken a hard look at both game and network security, and no breaches have been discovered. We've worked independently and collaboratively to research the matter and will continue those efforts into the future.
* We've contacted fansites and let them know of certain database breaches that have taken place on fan forums and trading sites. Certain popular forum programs have security updates several times a year because they are targets for hackers, and as a result they experience security breaches from time to time.
* We've been in continued contact with a fansite that did experience a relatively-minor database breach. The site owner has made visitors aware of the problem and has taken steps to beef up security.
* We've interviewed a few hundred victims of account thefts about security matters, including their participation in external sites, their use of third-party programs including chat software and social media, how they use ArenaNet and NCsoft resources, and more than 30 other points of data.
* Tonight or tomorrow, I will be emailing a small number of players to interview them about a few questions related to security issues. These aren’t hacking victims, this time, but we feel the info they can give us will be invaluable in continuing our analysis of the whole issue. If you get an email that seems to come from me, it probably does. But feel free to ping me via this wiki email address to verify, if you wish to do so.
And remember, I will not ask for your account credentials or other confidential information, nor will anyone else from ArenaNet or NCsoft. -- Gaile 04:04, 21 November 2009 (UTC) |
Quote:
Update: 2 December 2009 We did confirm that one fansite had a security breach. The website owner has been very open and forthcoming about the issue. The webmaster posted on the site to let site visitors know about the situation and to urge site members to update their credentials in order to eliminate matching credentials on the site and on any game account. We appreciate the fansite staff’s cooperation and believe that the enhanced security that the webmaster suggested will help prevent further breaches related to that site’s issue. As mentioned previously, all fansites for which we have current contact information have been contacted by the Community Team to heighten their awareness of security concerns. -- Gaile 00:52, 3 December 2009 (UTC) |
Quote:
Update: 15 December 2009 I've noticed a number of comments about NCsoft Master Accounts and hacked game accounts. It appears that some players are assuming that there is a connection, that if you have an NCsoft Master Account (NCMA) you may be at increased risk of account theft. We have conducted extensive research on this factor, and I have data as current as this morning that shows that this does not appear to be true. Of a cross-sampling of accounts, nearly half did not have an NCMA at all. I hope that this information puts your mind at ease on any perceived "risk factor" regarding whether a game account is tied to an NCMA or not, for that truly does not seem to be an element in the current situation. Today, as many have already noted, we changed the in-game account security messaging to make it more noticeable. (Feedback given in an existing thread will be relayed to the Live Team.) More information on the subject of account security will be coming soon. -- Gaile 21:34, 15 December 2009 (UTC) |
Quote:
TahiriVeila: Please read the text in red located on the right side of the login screen. That message says that hackers are trying to login to Guild Wars accounts using passwords stolen from other games and web sites. In other words, in this case, the hackers do not have character information. They have existing lists of passwords and emails that they are just trying in Guild Wars to see if they work. They aren't only using this in GW, but also other games. No account theft prevention measure is perfect, however this update will make accounts more secure in instances like this, where hackers have emails and passwords that they've harvested en masse, that they're trying to use in a lot of games, including Guild Wars. --Regina Buenaobra 20:06, 22 December 2009 (UTC) |
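Added example, not part of the original thread and not ArenaNet or NCsoft code: a small Python model of the three controls the quoted statements above describe (a per-account delay that grows with each failure, a per-source velocity check, and the character-name prompt), run against a single-account guessing run and a reused-password list. The `LoginGate` class, the thresholds and all account data are constructed assumptions.

```python
import hashlib
import hmac
import os
from collections import Counter, defaultdict, deque

# All thresholds are assumed values for this model, not ArenaNet's or NCsoft's.
BASE_DELAY, MAX_DELAY = 2.0, 3600.0        # per-account delay doubles per failure
VELOCITY_LIMIT, VELOCITY_WINDOW = 5, 60.0  # attempts per source per window


def _kdf(secret, salt):
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, 100_000)


def _norm(name):
    # Character names compare case-insensitively with whitespace collapsed.
    return " ".join(name.lower().split())


class LoginGate:
    def __init__(self, require_character_name):
        self.require_character_name = require_character_name
        self.accounts = {}
        self.by_source = defaultdict(deque)  # source -> recent attempt times
        self.audit = []                      # internal reasons, defender-side only

    def register(self, email, password, character_names):
        salt = os.urandom(16)
        self.accounts[email] = {
            "salt": salt, "pw": _kdf(password, salt),
            "chars": {_norm(c) for c in character_names},
            "failures": 0, "next_allowed": 0.0,
        }

    def attempt(self, email, password, character_name, source, now):
        reason = self._check(email, password, character_name, source, now)
        self.audit.append((now, email, source, reason))
        # The client learns only allow/deny: answering "bad character name"
        # would confirm that a stolen password is valid.
        return reason == "ok"

    def _check(self, email, password, character_name, source, now):
        # Velocity check: too many attempts from one source in the window.
        recent = self.by_source[source]
        while recent and now - recent[0] >= VELOCITY_WINDOW:
            recent.popleft()
        if len(recent) >= VELOCITY_LIMIT:
            return "source_velocity"
        recent.append(now)
        acct = self.accounts.get(email)
        if acct is None:
            return "unknown_account"
        # Progressive delay: the account is unavailable until the timer expires.
        if now < acct["next_allowed"]:
            return "account_delay"
        pw_ok = hmac.compare_digest(_kdf(password, acct["salt"]), acct["pw"])
        name_ok = (not self.require_character_name
                   or _norm(character_name) in acct["chars"])
        if pw_ok and name_ok:
            acct["failures"] = 0
            return "ok"
        acct["failures"] += 1
        delay = min(BASE_DELAY * 2 ** (acct["failures"] - 1), MAX_DELAY)
        acct["next_allowed"] = now + delay
        return "bad_password" if not pw_ok else "bad_character_name"


def brute_force_demo(seconds=300):
    """One guess per second at one account, each from a different source."""
    gate = LoginGate(require_character_name=False)
    gate.register("victim@example.test", "correct horse battery", ["Some Name"])
    for t in range(seconds):
        gate.attempt("victim@example.test", f"guess{t}", "", f"src-{t}", float(t))
    return Counter(reason for *_, reason in gate.audit)


# Constructed dump from an unrelated site: (email, password, forum nickname).
LEAKED = [
    ("msnyx@example.test", "fleetwood77", "MsNyx"),
    ("bobdole@example.test", "kansas1996", "Bob Dole"),
    ("carol@example.test", "old-forum-pw", "Carol"),
]


def stuffing_demo(require_character_name):
    """One try per account from a leaked list, slow enough to avoid both throttles."""
    gate = LoginGate(require_character_name)
    gate.register("msnyx@example.test", "fleetwood77", ["Stevie Nix"])  # reused password
    gate.register("bobdole@example.test", "kansas1996", ["Bob Dole"])   # reused password, name = nickname
    gate.register("carol@example.test", "game-only-passphrase", ["Carol"])  # unique password
    taken = []
    for i, (email, password, nick) in enumerate(LEAKED):
        if gate.attempt(email, password, nick, "198.51.100.7", i * 30.0):
            taken.append(email)
    return taken, Counter(reason for *_, reason in gate.audit)


if __name__ == "__main__":
    print("guessing run:", dict(brute_force_demo()))
    print("reused list, no name prompt:", stuffing_demo(False))
    print("reused list, name prompt:   ", stuffing_demo(True))
```

The throttles cut a 300-guess run down to a handful of real password checks but never trigger on one correct try per account; with the prompt enabled, the only account still taken is the one whose character name matches its forum nickname.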
To Chicken To Die
So what if I get drunk again and delete all my chars and close guildwars? I mean no chars is no charname?
Still this is unexpected and strange in the same way. People using the same passwords and fansites and forums are simply dumb. They are warned and if they still do... well that will teach them. I see the vision of people saying this helps. It has a benefit even tho getting 1 char name isn't that hard. I mean use the same nickname as the fansite and like 99% BINGO.
I would like to see this being an optional function. Choose not to use it and get hacked your problem.
Alesa
You say you've been following it and yet miss some of the key points that the players made. That NCSoft security is lax. That ArenaNet has let it go on far too long. That no one at this point even believes it was a fansite breach considering the wide variety of accounts that were hacked. That some people signed up on the forums to report being hacked. That people who reset their passwords were hacked within a matter of a few minutes... and a billion other points that anyone following along would have caught on to. But congratulations I guess on being able to quote ArenaNet and their great strides to blame the users.
On that note, I think this was a pretty clever thing that Anet did. I don't think it's escaped most users notice though that this was all on Anet's side and that NCSoft might still be vulnerable.
Martin Alvito
Quote:
I just wanted to show that Anet was on the case from the beginning, though they mostly posted on the wiki and not here. And that the more complex theories of the hackers' methods were probably not the case. Most of the hacks were probably due to the database breach in the second quote.
|
This website had character names available as of a month ago. I'll bet that most users registered on both GWO and Guru used the same account names. If GWO was breached, the hackers had character names for a lot of accounts. This update does nothing to solve that problem.
However, the update does do quite a lot to deal with the NCSoft problem. Even if you crack an NCSoft Master Account and change the GW password, you can't gain unauthorized access to the account. So now there's no point in cracking the NCMA.
This is nothing more than a clever PR move. The hacks will stop and ANet can claim that their story is true, regardless of whether or not it is. But the official story just doesn't fit the facts. It may fit the facts of how some accounts were getting stolen without involving the NCMA. But it does not fit the facts for a lot of the observed hacks.
Lucci_Slevin
Quote:
You say you've been following it and yet miss some of the key points that the players made. That NCSoft security is lax. That ArenaNet has let it go on far too long. That no one at this point even believes it was a fansite breach considering the wide variety of accounts that were hacked. That some people signed up on the forums to report being hacked. That people who reset their passwords were hacked within a matter of a few minutes... and a billion other points that anyone following along would have caught on to. But congratulations I guess on being able to quote ArenaNet and their great strides to blame the users.
On that note, I think this was a pretty clever thing that Anet did. I don't think it's escaped most users notice though that this was all on Anet's side and that NCSoft might still be vulnerable. |
As for the other stuff you posted, there are a million different stories on the internet. Not to discount any of them, but it is something to keep in mind.
I just think the discussion is important.
Edit- Perhaps a user made compendium of the various stories would be useful in getting to the bottom of the situation?
Deviant Angel
Quote:
I find it sad you look down on people who don't remember every single name. I am lucky I remembered my main toon's name. Otherwise I wouldn't have been able to get back on. My 7 other girls were named in another language because I like to role play them pretending that they came from a certain county. Thus some if not all are hard to spell. Plus add in the fact didn't take in that some people have dyslexia. gg anet! One of my guildies has that, and it took her like 5-10 minutes to sign in.
|
Unless she's also blind, I don't understand why the "remember account name and security question" option was ignored. Putting your login information into the shortcut is also an option. It shouldn't take her, or anybody, 5-10 minutes to sign in after using one of those.
As for everyone forgetting their character names... wth? I remember what I named characters in games that I played less than an hour. I guess it's easy for me since I don't consider Afdsgfsd Jdasfkdsf a name.
I swear that some of you live to complain.
I think this update was a step in the right direction. Having to type in a character name when I change accounts is a very minor inconvenience.
tom32304
And all of this thread so far still does not address my points.
GW sales are falling, the game is not stocked in many big stores, prices at the online store are sky high, NIB stuff is super cheap on ebay.
To make matters worse ANET now has some kinda name your toon security system and if you forgot the name of your toon you are stuck dealing with a slow to respond support system; oh yea all of this comes down when traffic is highest on the GW servers.
I am not so sure this will result in more revenue for ANET.
Curo
I'm surprised to see so many people that actually don't know the names of their characters. You think that if you had enough time/money/items to buy other accounts and fill them up with mule stuff, you'd at least have names you can remember. I notice many users on GWG that leave little notes in their sell threads to remind themselves of which items are on which characters.
Sorry I guess I just can't understand having so many accounts that you don't even pay attention to the character names. Life must be good. I don't even have NF, and you people are complaining about having too many accounts. I don't think I've ever used this before on these forums, but now is a good time:
QQ
And good job ANet, we are glad to see some kind of step towards better security measures. It means that we here are not going unnoticed.
AngelWJedi
Quote:
I'm not trying to be insensitive, but may I ask how long it took your friend to sign in before yesterday? Some people refuse to make strong passwords for whatever reason, but I would hope that her password is more complex than any character name on her account. If her dyslexia is as bad as you're making it seem, chances are good that it was taking her 5-10 minutes to sign in anyway. Shall we whine about the fact that an email and password is required as well?
Unless she's also blind, I don't understand why the "remember account name and security question" option was ignored. Putting your login information into the shortcut is also an option. It shouldn't take her, or anybody, 5-10 minutes to sign in after using one of those. As for everyone forgetting their character names... wth? I remember what I named characters in games that I played less than an hour. I guess it's easy for me since I don't consider Afdsgfsd Jdasfkdsf a name. I swear that some of you live to complain. I think this update was a step in the right direction. Having to type in a character name when I change accounts is a very minor inconvenience. |
Chthon
Reposting my response from the other thread:
Also,
1. If you took the time to read this thread (and several others), you'd see that (a) the reasoning in some of those statements by Gaile is dead wrong and roundly refuted several times, and (b) the NCSoft site has huge and obvious flaws.
2. The manifest purpose of this fix is to change the "breaking the NCSoft account also breaks the GW account" situation. It completely and utterly defeats that method of account theft. It does little-to-nothing against other common methods of account theft. If the NCSoft account wasn't the problem, why implement a fix so directly targeted at it? Hmmmmm?
Quote:
1. Let me start by saying that I am very, very pleased with this security update.
2. Let's take a look at how effective it's going to be. Right now, there's 4 known types of account theft going on:
3. As you can probably see, a-net plugged the biggest, worst security hole they had -- unfettered GW access once the NCSoft Master Account is compromised. (And it's pretty obvious to the cynics among us (me included) that fixing this particular problem was the goal of this patch.) There's still other holes to be plugged, and a lot more security features that need to be implemented before we have a "secure" game, but this is a very, very good start.
4. The instinct to protect one's IGN (as evidenced by the deluge of name-change requests to Inde) is correct. Since the GW username and password can be obtained from the NCSoft account, and the NCSoft account is utterly insecure, IGN is the only thing standing between you and account theft. At this point, the most important thing you can do to secure your account is to (1) keep your IGN's as private as possible, and (2) minimize connections between your IGN's, GW username, NCSoft username, and forum username. (Assuming, that is, you aren't engaging in plain old user idiocy. Ceasing idiocy would be more important.)
5. That said, IGN's on the forum are not as big an issue as people are making it out to be. First of all, matching an IGN to a NCSoft username or GW username is a potentially nigh-impossible task, and one that cannot easily be automated. Sure, if your NCsoft username is BobDole, and your forum username is BobDole, and your GW username is [email protected], and your IGN is Bob Dole, then you could be in trouble. If you've got a bit more variation, it's unlikely a bot could make the necessary associative leaps. (How, for example, could a bot connect a forum user named MsNyx with a posted IGN of Stevie Nix to either GW username [email protected] or NCSoft username fleetwood?) A human could do a better job. But human employees are expensive. And English-literate human employees are particularly expensive in China. No doubt there will be some lone wolves trawling the forums for info on high-value targets, but I think the odds of RMT companies turning to the forums to gather info for bulk account thefts are pretty low.
6. Quote:
7. You know who else scores some points in my book? The community who finally pressured them into action. Particular thanks go to Shan for standing up and making herself heard, Martin Alvito for piecing together how NCSoft accounts could be so easily stolen, and Inde for more behind-the-scenes activism than we may ever know.
8. Why was the update done with no announcement? I lost my snowball tourney/VQ/Mission/girlfriend/etc. because of it! Assume for a minute that a-net was correct when they said in the past that at least some of the accounts currently being stolen had their username & password grabbed some time ago, but the thieves are just now getting around to looting them, and it should be pretty obvious to you. If I were a thief given a few hours forewarning, I'd promptly write a bot to log into as many accounts as possible and grab a character name off them. If I had a half hour forewarning, I'd have my employees do the same manually.
9. Several folks have pointed out, once a thief has gotten into an account, he has an incentive to delete all the characters and create a new one with a different name in order to keep you out while he loots stuff. After some thought, I don't think this makes much sense. The thief needs to strip each character before he deletes it. By the time he's finished stripping the last character -- the time when he could finally lock you out -- he's finished and no longer cares if you get the account back or not. In any event, insofar as that's a problem, the oft-requested character locks are the solution.
10. As for the folks complaining that they don't know the character names on their mule accounts, go contact support. Seriously, having to contact support to reclaim your intact account beats the hell out of having to contact support to reclaim your stripped account. Ultimately, this is the bottom line: Quote:
|
Martin Alvito
Well, the flip side of the coin would have been that eventually almost every player gets hacked and robbed, and no existing players buy GW2 because they don't trust the integrity of their accounts. ANet probably wanted to avoid that scenario.
HawkofStorms
Quote:
And all of this thread so far still does not address my points.
GW sales are falling, the game is not stocked in many big stores, prices at the online store are sky high, NIB stuff is super cheap on ebay. |
Good god man, A.net is a brand new game company whose first product was a multimillion dollar hit. This game is WELL beyond its expected shelf-life. A.net is very happy with the sales figures they have. They obviously want more revenue, who doesn't? Thus the new stuff from the in game store. And they will get more with GW2.
But if anybody is honestly saying "OMG A.net is in trouble because their 5 year old product isn't selling that much anymore"... what reality are you living in where you'd expect that to happen?
tom32304
Quote:
Of course it is. It's a 4, close to 5, year old game. How many people still go around buying Halo 2?
Good god man, A.net is a brand new game company whose first product was a multimillion dollar hit. This game is WELL beyond its expected shelf-life. A.net is very happy with the sales figures they have. They obviously want more revenue, who doesn't? Thus the new stuff from the in game store. And they will get more with GW2. But if anybody is honestly saying "OMG A.net is in trouble because their 5 year old product isn't selling that much anymore"... what reality are you living in where you'd expect that to happen? |
I quit playing D2 and switched to GW because I was sick of waiting for D3 to come out. It's been so long I can't remember when I saw the first D3 trailer. So talk of GW2 and a kool trailer for it does not really convince me to hold my breath till GW2 is released, or that GW2 will produce any revenue stream.
Sjeng
Quote:
A: I can't recall names of my storage characters on another accounts.
B: I have multiple Prophecies CD keys -- I can't tell who's who. C: I'm not sure if I know where all said keys are, so I cannot prove that I own them. |
If your mules aren't in any guilds, check your recent trade window (N).
If all of the above fails, well, I guess you'll have to try and remember their names or contact support anyway.
Lucci_Slevin
Quote:
Even if you crack an NCSoft Master Account and change the GW password, you can't gain unauthorized access to the account.
|
Referring to the December 15th quote in my earlier post (I know, wall of text, sorry), only half of all hack victims even had an NCsoft account. At the very least the other half could not have been hacked through NCsoft. Of course, this does not rule out that the half that did have an NCSMA got hacked that way.
However I still doubt that those people got hacked that way because there is one common thread between everyone who has been hacked and has gone to Gaile.
One more Gaile quote (bolded the important part)
Quote:
As much as I admire a good Conspiracy Theory, no, I do not think it's possible that an employee is hacking accounts. I believe that is not the case for a variety of reasons, including the fact that, as far as I recall, passwords are not exposed to view in the database and cannot be read, or copied, or cut-and-pasted, by anyone. I certainly am willing to verify that by checking with one of the key programmers, but I can't help but recall that every single victim with whom I've had contact via a phone call or email -- including you -- has used common user names and passwords in multiple places. I believe that is the source of the problem -- an external site has been successfully hacked and their database of credentials is being used by RMT hackers to access Guild Wars accounts. And when I see the tries, the failures, and the retries that the hackers are making -- and we are able to pull that data, as you know -- the theory of an external breach seems well supported. I've always said that I hope that if we do find that there's an internal weakness or an employee-rendered breach we will fix it and make the details known. We pride ourselves on trying for a high level of transparency, and I'm proud of that and believe we'll continue with that in the future. I've also said since the start of these incidents that I will not say "It's not us" out of some knee-jerk protective mechanism or what players called "PR" type efforts to cover up our responsibility. At this point, I can say, with truth, "It does not appear to be us" because I've seen, and been involved in, a lot of the hack investigation and I truly believe that the source is external. -- Gaile 04:18, 17 December 2009 (UTC) |
Riot Narita
Quote:
Which is why I think the fan website hack theory is the most likely cause.
|
I personally believe that yes, fan website hack is one source... but also that NCsoft master accounts are another, and of course user stupidity is a third. There may be more.
w00t!
Quote:
It's a mistake to imagine there is only one cause, or only one method of attack that has been working.
I personally believe that yes, fan website hack is one source... but also that NCsoft master accounts are another, and of course user stupidity is a third. There may be more. |
1) Stupidity
2) Stupidity (Stupid is as stupid does)
3) Fan Site Hack
4) NCsoft accounts
If this follows general trends, stupidity will account for about 80%, Fansite 15%, and the remainder would be NCSoft. Although the majority of those might fall into the stupidity category.
HawkofStorms
To break down that stupidity into separate subcategories of stupidity
1) Going to a "hack" or other shady GW site and getting a keylogger.
2) Using the same user/password on another website (like a guild or fan website)
3) Giving the password to a friend, gold seller (so he can deposit items), or leaving the passwords written down somewhere and such nonsense
But yeah, multiple ways people can get hacked. The NCSoft master account thing is just the newest in a stream of conspiracy theories. People used to think Texmod was responsible for hacks. Although the Master Account IS vulnerable, and likely is the cause of some hacks, people were getting hacked LONG before that came about. There have always been people getting hacked in GW. There is no silver bullet to stop all vulnerability. Since... it's usually user stupidity in the first place.
Chthon
Quote:
The main problem I have with the NCsoft website hack theory is that having an NCSMA was not a common thread in the hacks.
|
Since you somehow managed to miss it, there is no common thread because accounts are stolen in multiple ways by multiple groups of thieves working independently. There's 4 ways that we know about:
- User stupidity (gives password to "friend," falls for phishing, downloads keylogger, etc.)
- GW login credentials same as hacked fansite
- NCSoft Master Account brute forced because of weak security
- Targeted attacks on wealthy individuals
Quote:
Which is why I think the fan website hack theory is the most likely cause. |
Now, as for which type of attack caused the sudden jump in account thefts? Well, ask yourself "which one did a-net's update fix completely?" and you should be able to reason your way backward to it. If you can't, just go read the entirety of my post that you quoted and I spell it out for you.
w00t!
Quote:
There is no "most likely cause." There are multiple causes and they are all 100% likely, because they have all been happening.
|
Quote:
Now, as for which type of attack caused the sudden jump in account thefts? Well, ask yourself "which one did a-net's update fix completely?" and you should be able to reason your way backward to it. If you can't, just go read the entirety of my post that you quoted and I spell it out for you.
|
I don't know about you, but my NCSoft Master Account has a different password, and has no information about any characters on my account, so even if they brute forced NCSoft (horribly inefficient), they still couldn't access my GW account with the new security in place. So I guess in a sense they also plug a potential flaw here, even though the probability of Brute Force attacks is much smaller.
Miscreant_Moon
Quote:
Which is why I think the fan website hack theory is the most likely cause.
|
I'm going to refer you to this thread: http://www.guildwarsguru.com/forum/a...0407405p2.html Where you can see quite clearly that a "fansite" hacking is quite literally false and borders on the ridiculous. Wow, you mean a single hacker has managed to infiltrate and acquire the passwords, emails and usernames of every single GW fansite, across multiple softwares, in multiple languages? Amazing.
Lucci_Slevin
Quote:
It's a mistake to imagine there is only one cause, or only one method of attack that has been working.
|
Quote:
If you had read the other thread, you would have seen it thoroughly refuted twice.
|
It is a complex issue and it is hard to respond in a concise way. But I have not seen a situation in which (criticism X=NCsoft site is hackable)
Not that I know 100% that the site is not hackable. I just think that it would be hard/unlikely for that to have been done, even considering the stuff that was mentioned on this forum and on the wiki.
In case it was missed, I want to point out again that the NCsoft site has velocity checks against brute forcing. It was in the Nov. 4th quote of my earlier post (I know, wall of text, sorry).
Quote:
Update: I have been exchanging emails with a number of team members in two different states. One concern I took to the team was about not having "time outs" or other means of preventing brute forcing of passwords on the NCsoft site. Here is part of the answer that I received: "The account management secure site does indeed have velocity checks in place to prevent the brute forcing of master accounts. If too many attempts are made within a given period of time, the user will be temporarily blocked from making any further efforts to login. In addition, there are velocity checks on the action of attempting to change the passwords themselves." -- Gaile 20:10, 4 November 2009 (UTC) |
Quote:
Now, as for which type of attack caused the sudden jump in account thefts? Well, ask yourself "which one did a-net's update fix completely?" and you should be able to reason your way backward to it. If you can't, just go read the entirety of my post that you quoted and I spell it out for you.
|
Quote:
TahiriVeila: Please read the text in red located on the right side of the login screen. That message says that hackers are trying to login to Guild Wars accounts using passwords stolen from other games and web sites. In other words, in this case, the hackers do not have character information. They have existing lists of passwords and emails that they are just trying in Guild Wars to see if they work. They aren't only using this in GW, but also other games. No account theft prevention measure is perfect, however this update will make accounts more secure in instances like this, where hackers have emails and passwords that they've harvested en masse, that they're trying to use in a lot of games, including Guild Wars. --Regina Buenaobra 20:06, 22 December 2009 (UTC) |
If hackers managed to pull a user database from a fan site, they would have emails and passwords that they would be able to punch in to the GW client. If they did not get the character names in their previous pass they are going to have a much harder time now. They now have to hunt through users' posts to see if they gave away their ign and that will slow them down big time, stop them in some cases.
The last thing I want to say is not directed at anyone in particular. People should use unique passwords for GW despite these changes and here is why.
A google search of 'vbulletin hack' returns 3.4 million results. There is a whole community based around the hacking of this software. It is like a hobby for those people.
It is not because it is a bad software, it is good and it is popular for that reason. But because it is so popular it has the attention of many hackers. Not just hackers who know about GW. And once one of them learns how to defeat a security measure, the whole community finds out and then they all have that ability.
The reason I am talking about this is because I think future breaches can still happen. So always use different passwords.
That is about all I have to say about the subject because that is basically the extent of what I know, so do not be offended if I do not respond right away. If the wiki discussions turn up anything interesting in the future I will post them here.
Since there are multiple lines of discussion going on in the thread here is a compendium of my posts. 1,2,3
Happy holidays, and stay E-safe
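A sketch of how the login data discussed in this post can be checked, added here as an example (not part of the original post, and not ArenaNet or NCsoft code). It assumes the velocity check is keyed per account, and shows that list-based logins, which touch each account only once, need a second count of distinct accounts per source; the log format, thresholds, addresses and account names are all constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)      # assumed window
MAX_FAILS_PER_ACCOUNT = 5           # assumed per-account velocity limit
MAX_ACCOUNTS_PER_SOURCE = 4         # assumed distinct-account limit per source

# Constructed sample log: timestamp, source address, account, result.
LOG = """\
2009-12-22T20:00:01 198.51.100.7 ann@example.com FAIL
2009-12-22T20:00:03 198.51.100.7 ben@example.com FAIL
2009-12-22T20:00:05 198.51.100.7 cat@example.com OK
2009-12-22T20:00:07 198.51.100.7 dan@example.com FAIL
2009-12-22T20:00:09 198.51.100.7 eve@example.com FAIL
2009-12-22T20:01:00 203.0.113.9 fay@example.com FAIL
2009-12-22T20:01:02 203.0.113.9 fay@example.com FAIL
2009-12-22T20:01:04 203.0.113.9 fay@example.com FAIL
2009-12-22T20:01:06 203.0.113.9 fay@example.com FAIL
2009-12-22T20:01:08 203.0.113.9 fay@example.com FAIL
2009-12-22T20:02:00 192.0.2.4 gus@example.com FAIL
2009-12-22T20:02:20 192.0.2.4 gus@example.com OK
"""


def parse(log):
    for line in log.strip().splitlines():
        ts, source, account, result = line.split()
        yield datetime.fromisoformat(ts), source, account, result == "OK"


def analyse(events):
    """Return (accounts hitting the per-account limit, sources touching many accounts)."""
    fails = defaultdict(deque)      # account -> failure times inside the window
    touched = defaultdict(dict)     # source -> {account: time of last attempt}
    locked, list_sources = set(), set()
    for ts, source, account, ok in events:
        recent = fails[account]
        while recent and ts - recent[0] > WINDOW:
            recent.popleft()
        if not ok:
            recent.append(ts)
            if len(recent) >= MAX_FAILS_PER_ACCOUNT:
                locked.add(account)
        accounts = touched[source]
        accounts[account] = ts
        for stale in [a for a, t in accounts.items() if ts - t > WINDOW]:
            del accounts[stale]
        if len(accounts) >= MAX_ACCOUNTS_PER_SOURCE:
            list_sources.add(source)
    return locked, list_sources


if __name__ == "__main__":
    locked, list_sources = analyse(parse(LOG))
    print("per-account limit hit:", sorted(locked))
    print("one source, many accounts:", sorted(list_sources))
```

In the sample, the per-account limit only catches the repeated failures on one account; the source that tried five different accounts once each, with one success, is visible only in the per-source count.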
Miscreant_Moon
In case you didn't follow that link I posted Lucci, not all those forums use VBulletin. I'd also like to point to the numerous gaming development companies who use VBulletin for their own official forum software who don't seem to be having problems.
http://forums.lotro.com/index.php
http://forums.ddo.com/
Let's not even mention that the Test Krewe uses VBulletin too. Ironic decision if it's as unsafe as you say.
I'd also like to point out the numerous cases just like this posted today on the wiki:
http://wiki.guildwars.com/wiki/Feedb..._091215-002191
Someone whose husband has never visited a forum. Who is not American. Who has mysteriously been hacked. I'm guessing your simple response to them is that they're lying. Despite the fact that I could do my own searching and pull up story after story of these incidents. I'd also love to see you explain the cases of those who reset their passwords and were hacked within minutes to hours of changing their password through the NCSoft site. Nah, guess they were all lying too. If you'd care to jump over to AionSource.com I'd like to see you explain their hackings too, of password resets, IPs from China, and the same stories you see here. Nah, that's just coincidence. Your theory starts to fall apart if you would stop looking to ArenaNet's PR department for your answers.
w00t!
Quote:
(snip)
The last thing I want to say is not directed at anyone in particular. People should use unique passwords for GW despite these changes and here is why. Happy holidays, and stay E-safe |
One last thing of note for the general populace. There are several freeware password managers out there that will generate unique and very safe passwords. Then you can simply cut/paste ID/pwd them into the login screen. I use one so that I'm not tempted to reuse passwords. Sourceforge.net is a good place to look, and you can trust them to not contain Trojans.
Of course this won't protect from keyloggers or social engineering, but not much will.
Martin Alvito
Quote:
In case it was missed, I want to point out again that the NCsoft site has velocity checks against brute forcing. It was in the Nov. 4th quote of my earlier post (I know, wall of text, sorry).
|
EDIT: To see this, suppose that you have two security questions. One has 10000 possible responses and one has 5000 possible responses. If you do not advise on when a security question has been inputted correctly, it takes 5000*10000 = 50,000,000 attempts to be certain of success. Given 5 attempts every 12 hours, you're looking at 3650 attempts per year. Not good odds.
However, if you tell the user when you get a response to a security question correct, then the maximum number of attempts needed is just 10,000 to brute force an account. That means that you can brute force any account in three years for certain...which means that over the course of months you're going to brute force a lot of accounts due to luck.
This isn't an assumption. It's a deduction. At the time the fansite breach occurred, Guru still had IGNs available for player accounts. A little social engineering would have yielded IGNs for much of the stolen data. This security update therefore cannot reasonably be targeted at the fansite breach. It follows that Regina is not being truthful (but not necessarily that she is lying; she could be misled by other employees).
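The attempt counts in the post above, worked through as an added example (not part of the original post, and not NCsoft or ArenaNet code). `TwoQuestionCheck` is a hypothetical model of a two-question verification step; the answer-space sizes and the limit of 5 attempts per 12 hours are the post's figures, and the loop runs on scaled-down spaces to confirm the closed form.

```python
from itertools import product
from math import prod

ATTEMPTS_PER_YEAR = 5 * (24 // 12) * 365   # the post's limit: 5 tries per 12 h = 3650


class TwoQuestionCheck:
    """Hypothetical verification step with two secret answers."""

    def __init__(self, answers, per_field_feedback):
        self.answers = answers
        self.per_field_feedback = per_field_feedback
        self.attempts = 0

    def submit(self, guess):
        self.attempts += 1
        hits = [g == a for g, a in zip(guess, self.answers)]
        # Hardened form reports one combined result; leaky form reports each field.
        return hits if self.per_field_feedback else [all(hits)] * len(hits)


def worst_case_attempts(sizes, per_field_feedback):
    """Submissions needed when each real answer is the last value tried."""
    check = TwoQuestionCheck([n - 1 for n in sizes], per_field_feedback)
    if not per_field_feedback:
        # No partial signal: every combination has to be submitted as a pair.
        for guess in product(*(range(n) for n in sizes)):
            if all(check.submit(guess)):
                break
        return check.attempts
    # Partial signal: each field is narrowed independently, in parallel.
    known = [None] * len(sizes)
    candidate = [0] * len(sizes)
    while None in known:
        guess = [candidate[i] if k is None else k for i, k in enumerate(known)]
        for i, hit in enumerate(check.submit(guess)):
            if known[i] is None:
                if hit:
                    known[i] = guess[i]
                else:
                    candidate[i] += 1
    return check.attempts


def bound(sizes, per_field_feedback):
    """Closed form that the simulation above reproduces."""
    return max(sizes) if per_field_feedback else prod(sizes)


def years_to_exhaust(sizes, per_field_feedback):
    return bound(sizes, per_field_feedback) / ATTEMPTS_PER_YEAR


if __name__ == "__main__":
    small = (100, 50)                       # scaled-down spaces so the loop is quick
    for leaky in (False, True):
        assert worst_case_attempts(small, leaky) == bound(small, leaky)
        print(leaky, round(years_to_exhaust((10000, 5000), leaky), 1))
```

A single combined pass/fail response keeps the search space at the product of the two answer spaces, which is why the rate limit alone is not the whole control.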
Chthon
Quote:
And to further expose myself to flames, it appears that the one Anet fixed completely is "gw login credentials same as hacked website".
|
Quote:
Not that I know 100% that the site is not hackable. I just think that it would be hard/unlikely for that to have been done, even considering the stuff that was mentioned on this forum and on the wiki.
|
Quote:
In case it was missed, I want to point out again that the NCsoft site has velocity checks against brute forcing. It was in the Nov. 4th quote of my earlier post (I know, wall of text, sorry). |
Alesa
And here you go. As much admission as NCSoft will probably give you. There's a new Aion account login screen as of today:
NCsoft Password and Account Security Notice
Due to an increase in account theft in Aion and other online games, it is critical that you take these important steps.
http://na.aiononline.com/board/notic...leID=184&page=
Faer
Quote:
A google search of 'vbulletin hack' returns 3.4 million results. There is a whole community based around the hacking of this software. It is like a hobby for those people.
|
Unfortunately for you, "vBulletin Hack" is another term for "vBulletin Module", a beneficial software addition to the core forum software. Things that further protect account information? vBulletin Hacks. Things that make the site prettier? vBulletin Hacks. Things that keep the real names of 180 Test Krewe members secure? Well, that's not a vBulletin Hack, that's just knowing how to set up incredibly basic forum permissions, but I think you get the idea.
Yeah, making vBulletin Hacks is a hobby for a lot of us. That doesn't mean it's malicious. Learn what something actually means before you try and use it to defend somebody. Yes, people should use unique passwords for everything, but your logic is flawed in that you have no idea what you are talking about.
Inde
Screenshot for those who are interested.