Account Hackings - The Source

I did read and understand.

People log and log and log and suddenly they are in a different account that doesn't belong to them.

Then they can change the password and log in game.

So it is a bug that happens on occasion.

Thereby, the more times someone log the higher is the change to log into someone else account.

Now you are someone interested into stealing accounts. You make a script to log in and out multiple times. Additionally the script can identify the email and log into a file for the hacker. At the same time, the script changes the password of any accounts it logs in - most of the time the script just changes the password of the hacker account.

Now have a few PCs doing that.

In not too long you will have accessed all the accounts in there and changed the passwords of those emails.

True, the request for the character name makes this more difficult and now requiring old password even more.

So, if this method was being used we would have heard of massive account hacking and not only that but those people would be complaining that their password had been changed and they couldn't log in.

Until is proven otherwise, I will take Regina word that the large majority of hacks didn't include a password change and password change is way to hacking using this method.

This is my point exactly. No problem=no action. Explain then, naysayers, if you can, why action was taken so promptly, and so aggressively.

I think one of the points a lot of people are missing is that we paid for this game, some of us paid a lot of money, r/l money that we have to work for. I myself have spent (As I've said before) over $600aud on mine and my wifes account. That's without the 3 extra storage panes each and 3 extra character slots each.

IMHO, I prefer that they get bad publicity, simply for not attacking the problem the very instant it arose. This is our r/l hard-earned money, and our r/l invested hours, in a game that a lot of us are passionate about. If you don't share that passion, then good for you. Don't try to speak for the rest of us, as no-one here has asked you to. It is obvious who has dropped the ball, and it isn't aNet.

The way that the Aion community has been neglected, who pay even more out than we do, make it bloody obvious who is at fault here. We wouldn't need a witchhunt if there wasn't a bloody big witch around pilfering as many accounts as they can get their grubby hands on, would we?

Who else here thinks that these same nay-sayers would be the one's to screech the loudest if it were them getting screwed over?

Yeah.. Truth is truth.

Evidently. Well, good.

That is entirely possible. I think there are more accounts lost this way than you, but that's just my opinion - based on the many postings we've seen here (in spite of the hostile community, and mods closing "hacked" threads on sight), and other sites, including Aion forums. No point debating that though, and we'll probably never know the true extent. I accept that plenty of people lose their accounts due to their own stupidity, and they may be the majority. But no matter how big or small the remaining minority is, I believe they deserve protection from the master account vulnerability. Even a fraction of 1% is a LOT of real people.

What A-Net has done - doesn't that make you happy?

You accept that there was a chance that any of us with NCsoft master accounts could have had our GW accounts randomly robbed or characters deleted, right? Through no fault of our own. Even if that chance is tiny (my opinion, its not so tiny)... it's unnacceptable. There should be no chance at all! I don't want to be in that minority that lost their account this way. Aren't you glad they added more protection to your account too?

I could accept losing my account because I was stupid... but not because NCsoft or Anet were negligent. I take a lot of precautions against account theft, where I am able to. And I am glad A-Net is finally doing something about the things I am NOT able to do anything about.

I hope NCsoft follows Anet's lead and fixes the master account security properly. I note that Aion players are still wide-open to this master account abuse. Look at what A-Net achieved in such short amount of time - when their backs were against the wall, and they cared enought to fix it. NCsoft needs a rocket up the ass to put THEM against the wall and give them the will to fix their mess. This thread and others like it, are that rocket.

You seem to regard that as hysteria, and you don't like it. But my view is that it is justified anger - I don't think its unreasonable to pressure A-Net and NCsoft when our accounts and characters are at stake... and they could so easily fix it, if only they had the will to do it.

That is exactly the point your missing, there have been massive amounts of accounts being hacked, up until recently there would be a new person coming onto the forum(s) reporting that they'd been hacked DAILY! in fact sometimes 2-5 a day, and remember those people that posted on the forums are not the only ones, I was one of them.

Account 1 : Hacked, is linked to NCMA.
I did not share my details for either my game or NCMA with any other site on the Internet, I use extremely complex passwords. in fact I wrote my own software to auto generate the password out of randomness at 8-13 character length, additionally my password recovery questions are responded to my equally random textual strings that are even longer because the box allows more characters.

Curious I ran a mathematical equation over the password string I was using, but first before we do that because some random passwords are weak; for example.

"AAweiu32!"
It's weaknesses are thus;
Double usage of same case characters "AA"
Consecutive usage of upper case characters "AA"
Consecutive usage of lower case characters "weiu"
Consecutive usage of numbers "32"
It too short.
It's only redeeming feature is it uses an "!", which NCSoft or Guild Wars do not allow.

A decent password
Az1%x8Kf+q|3zE^qW

Now the password I was using when the originally hacked my account was along the lines of the decent password yet it was hacked.

Account 2: Was not hacked, wasn't to my knowledge linked to a NCMA at all, and because my wife has trouble with passwords it was an extremely simple password long but simple.

The end result of account 1's password to brute force it, would have taken 2.9million years.

What's the difference there ?

I'm not saying it is impossible and every bit of security is helpful.

Still, the simple addition of a current password field, which is quite simple makes no significant difference.

Something this serious would be answered with the website being taken offline and recoded. That expense easily outweighs potential losses due to a website security issue.

If anyone thinks the addition of a "current password" field means that this problems is acknowledge or fixed, they are wrong. A quick band aid would be take the site offline.

And was the password changed? Or were the characters just stripped? Because with this exploit a hacker doesn't need to brute force passwords just change it to a password of his choice.

Most importantly, the Master Acct as I see it is only the symptom of a much larger problem: How do we get NcSoft unlinked from ArenaNet?

This money grubbing, non-creative, in fact destructive game publisher is just a giant bloodsucking tick on ArenaNet's back! They've destroyed the Lineage franchise by taking it over and wringing it dry. How long do we let them do this to GW? They're the opposite of King Midas, everything they touch turns to sh*t!

Secondly, ArenaNet, I know it may be hard to do, but stop making excuses and own up to this. It's like someone selling an unshielded microwave and saying "well, less than half the house fires can be directly linked to us so..."! Like that lame excuse does anything for the people who HAVE suffered because of this security breach.

If even ONE account has been breached because of such simple security precautions as - 1. making sure one acct doesn't "randomly" access another, and 2. you have to input your old password to change it - then that's ONE acct too many! And to try to offhandedly blame the OP for "creating" the problem by exposing the security flaw has been one of the biggest problems in IT security for decades! The open-source community has known for decades what you keep failing to learn: Only by exposing these security flaws can we hope to build a more secure product! Hiding these flaws encourages laziness, why fix a security flaw that no one knows about, until it's too late!

I'm much more disgusted with NcSoft, because they obviously only care about the cash, and not the community or the game. But ArenaNet, be careful. If you keep blindly following NcSoft's lead, you will assist in your own destruction.

Oops thanks for pointing that out, yes I was emailed that my password had change since I was unable at the time to even play Guild Wars because my PC had blown up 2 weeks before hand I was curious as to how my password was changed when I wasn't even playing the game, or accessing anything to do with NCSoft or Guild Wars.

the simple change makes a huge difference for the log in/log out master account method. whoever gets on someone else's account can longer just simply change their password. how you see this as making no significant difference is beyond me since now they actually have to spend the time to either brute the old password or actually break open the database. at the very least, this will slow them down immensely.

this is a quick band aid that still keeps the website up and will most likely stop the majority of the gw accounts being stolen. sadly, it doesn't help the aion guys. if they were truly serious about fixing it, they would take it down and keep it down until all of the problems are fixed.

1. While I certainly welcome the addition of needing the old GW password to change the GW password on the NCSoft site, we're not out of the woods yet. If Mung is correct, the NCSoft site is still vulnerable to SQL injection and file mirroring -- either of which alone is sufficient to extract that bit of info from the NCSoft site.

Also, and a-net should pay attention here either of those vectors could leave the attacker with a list of GW usernames and passwords without needing to do a password reset. Sound familiar?

2. I want to reverse my position from several pages back. It appears that a-net is making some headway in getting NCSoft to at least take some action on this issue. So long as you believe you can get them to come around and adequately secure their site, I can understand the decision not to fix this from the GW side and face the consequences for insubordination.

3. Re: About 50% of the hacked accounts weren't linked to NCSoft.

We've been over this a dozen times. The flaw in the logic here has been pointed out repeatedly. It may be true, but it does not support the proposition that the NCMA is secure. And yet both Gaile and Regina keep repeating this. What's more, they've each posted something indicating that they understand how the logic is flawed. And they still keep repeating it. Why?

My guess is that NCSoft told them this statistic is the official cover story that they must repeat to defend the company. That's the best way I can explain two rather intelligent people, who appear to understand what's wrong with the argument, nonetheless repeating it over and over.


4. I can answer a couple of your questions, DragonRogue.

Nothing. The hackers generally don't own the accounts they use. Those accounts get a temp ban, which is lifted when the true owner contacts support. I'm sure if a-net was able to find accounts owned by hackers, those would be perma banned before you could say "bye bye." I'm sure they'd also love to involve law enforcement, but the hackers tend to operate from China and other southeast Asian countries that don't much care to cooperate on matters like this.

A-net says that a fansite was compromised. I have no reason to doubt them. Also, a couple of forum members here whom I trust have hinted they know which site it was. Anyone who was foolish enough to reuse the same username or password on that forum as on GW is in trouble.

Also, if the NCMA has the SQL injection and file mirroring vulnerabilities it's claimed to have, a list of login credentials could come from there as well.

5.
Yes, I believe they are. And I applaud them for it. I truly hope they succeed, both for our sake and theirs.

I agree. And I applaud them too.

OK, your comments have reached the point where I have to ask: idiot or troll? Seriously, there were several posts on the Aion forums confirming the bug; there were posts in this thread confirming the bug (and then even more after you posted); and you could have tested it yourself if you really felt like doubting all those people's honesty. So, what's your deal? Too dumb to read before you post or just trolling us all? Given that I can't recall reading a single post from you before this issue cropped up, I'm suspecting troll.

Would those specific vulnerabilities, the weaker ones working in tandem with eachother, aid in either the extraction of (such as the file mirroring) or the building of (the latter of which would require a LOT of effort, but it seems like a lot of the vulnerabilities would make it quicker) the supposed leaked password database that Regina blamed for a significant portion of the hacks?

Also, the fact that an extracted password database (if it was indeed extracted from a server) alone would allow hackers access to the account shows to me negligence on the part of whoever is in charge of the password lists. For a game with over 6 million accounts sold, I'd expect both the login name and the password to have one-way encryption. If the password database actually did anything then it was either a) a disgruntled ex-employee who either knew the encryption algorithm or had the necessary knowledge to derive the the algorithm; b) the result of a weak algorithm or the worst of all; c) they were stored in plain-text.

I'm going to go ahead and assume NCSoft controls the database since we must deal with their support (not ANet's) and it's changeable from the NCMA. If this is the case, then it's your move, NCSoft.

Edit: Is it possible that a hacker could have just used SQL injection on the password change page to be able to access the database? I recall that RockYou!'s plaintext database was retrieved through SQL injection...

SQL injection is generally used to bypass security. eg; logging into a site without a password and/or username. Anyone with basic knowledge or anyone with time + a search engine could do it depending on what was vulnerable.

Someone with more advanced knowledge and luck at guessing how the database was designed could potentially use SQL injection to change or reset info in a database.

Using SQL injection to get a list of info (like logins) from the database is a lot harder (not skill-wise, but opportunity-wise) and I would put the chance of that at very very VERY slim.

In principle, either SQL injection or file mirroring alone would be sufficient to learn anything a given website knows. Because it would be illegal to actually start making unauthorized SQL queries or copying their files, Mung did not go that far. So there is a slim possibility that some unexpected measure protects the GW passwords, despite the lack of obvious industry-standard measures.

Thanks for the clarification.

Also, if you consider the sheer number of people who reported being hacked (not to mention those who could've got hacked, but either a) aren't really playing GW anymore; b) didn't bother to say anything given the generally negative response from the community)... that's a lot of people. There are always going to be people who lose their accounts through keyloggers, giving away their passwords to people who then turn around and steal their stuff, buying gold etc. - sure, you can say that that's their own fault, but what about those who lost theirs through no discernible fault of their own?

I saw something on an earlier page about witch-hunts, and well. I don't really think it's a witch-hunt (generally speaking, people appear to be rational enough to point out that Anet, at least, responded.); but you can't blame people for being angry and wanting NCSoft to own up. We should never have had to make this much noise for them to add something as simple as keying in your old password to change it to a new one, and that was achieved only through the efforts of Anet - no other NCSoft game has had anything like that despite them complaining for as long if not longer.

Seriously, I think the only reason why we even got that additional password field is because Anet pushed for it. If the other NCSoft games aren't even getting that password field, I highly doubt NCSoft is going to get the website taken down. (I personally trust that the Anet team is doing their best, but there's only so much they can do if NCSoft won't listen.)

That's not entirely true ... the Asian community, by and large, is at the forefront of developing, implementing, and enforcing virtual property laws that thoroughly protect gamers from precisely these sorts of actions. Thailand in particular (if memory serves) would be a good place to live if your account was hacked.

Hey, everyone. There's been a lot of discussion going on within NCsoft and ArenaNet based upon the feedback in this thread. The Aion team is also involved in these discussions, and I'm actively working with their community managers on this issue. I would like to let you know that actions are being taken by the NCsoft security team to address the security concerns outlined. This includes the random login issue (reportedly being able to randomly login to another player's NCsoft Master Account), which the Security team is actively researching and investigating. They are also looking at the other points as outlined, such as brute force vulnerabilities, web site vulnerabilities. I will keep you updated with information on the steps being taken on our end to the extent that I'm able. If you have information that could potentially help our team with their investigation (in particular, the random account switching bug), but which is too sensitive to display on a public forum, you're welcome to contact me or customer support directly. Thank you very much, and we appreciate the feedback you've been giving us so far.

Speaking entirely for myself(Others have their own voices)I'd just like to say thank you very much for being so actively involved and prompt in this matter Regina. This goes a very long way towards reassuring my wife and I that as far as aNet are concerned, we do matter, and that our concerns aren't falling on deaf ears.

Keep up the good work, and please do keep us all informed.

GG!

Thanks, Regina.

The last 48 hours has restored much of my faith in the Arena.net team. Looks like a lot of the crap you guys take really should have been directed at the NCSoft guys.

Anet should seriously provide a way for players to make purchases WITHOUT forcing the customer to link to an NCSoft master account.

There are a lot of purchases I would like to make but I refuse to link any of my accounts and hence cannot purchase anything from the NCSoft store.

If you go through the in-game store, you do not need a NcSoft master acct. All you need is a credit card. I realize not everyone has one, or even wants one. If you fall into that category, get a prepaid card and only load it when you need to use it.

If this is true then really what is the point of changing passwords and character names in the log in screen?

Quite simple. Elimination of variables.

Because not all of the attacks were thru the NCSoft master site. (Per data recieved here on Guru and Aionsource.)
The log-in change is a 'second layer' to hopefully prevent brute force attacks, aimed directly at your GW account.

even if someone got onto your master account and changed your password, they still wouldn't be able to log into your account unless they knew one of your character names. they wouldn't have access to that unless you had an old support ticket that had one. if someone got on your master account then, they would be able to change your password but not log in and you could hopefully get your account back afterward.

changing passwords wouldn't have stopped the master account issue but if a list of passwords was stolen like they said, then it would have stopped those.

I'm wondering if the people who all got hack were really rich in guildwars or showed off some title or armor on these forums. I had a idea that the hackers might have been recording names of people showing off their achievements in Guildwars. This could be a possibility of one way they could of got peoples game name.

that could happen in a sql database if the code is written badly and an exploit used.. if it just randomly accesses someone elses data at random- that's pretty bad programming.. can't really see that happening.. probably more likey a inside job at ncsoft- someone on the inside took a look at/had access to the database and leaked it

Alot of the crap they have taken should not have been dealt to anyone

Indeed thank you for the update Regina (and Gaile). Looking forward to what NCSoft's response will be. But like I said, never before have I seen or heard of an online game, or online companies period, that has had such blatantly glaring flaws in their security. Congrats, NCSoft.

Thanks, Regina and Gaile. It's good to know we're being listened to.

Sorry, this is NOT true. I have tried it. This may have worked in the past, but not any more. You MUST have the linked NCSoft Master Account. That's the only way. At least for me in the US. Maybe it's different elsewhere, though I doubt it.

If it were that easy then why would I even have posted the complaint? Due to the security issues I refuse to link my accounts, and you MUST link to make a purchase. Once linked, the process is irreversible and you are forever linked to the NCSoft account with its security risks.

From the in-game store

Then you get 2 options, either log in to your NCSoft account or create a new one.

Since they apparently allowed purchases without the linked account in the past, then it shouldn't be too hard to go back to that former policy.

I think they understand the out rage and don't take any of it too personally, however we are rightful and justified in our anger at this situation.

As I've stated before, if characters could be rolled back or there items given back in some way then we'd be less so, because then being hacked wouldn't be anywhere near as big a deal.

Added to this, some countries simply don't have prepaid cards, so those people are forced to go through NCSoft to buy something GW related.

I just wanted to elaborate on one of the points I made earlier regarding the random account switching bug, which, according to reports made here, is a possible security vulnerability. The Security team has added logging in order to reproduce it internally so it can be tested. At this point, they have been unable to reproduce it internally. Until we're able to reproduce the bug, we won't be able to verify the vulnerability exists. While we made changes to processes, adding additional checks before an account's password can be changed, based upon the possibility that this error exists, we also continue to work on internal testing to reproduce the problem, so it can be addressed. So far, the information we have about this is vague. We're doing everything we can, in terms of testing, with the info we do currently have. More details would be useful. If you have information that could help us reproduce the error, we would appreciate if you could contact us. Thanks again.

Well if that's what it says for you, I'm certainly not going to disbelieve. All I can tell you is neither of my son's accounts are linked to an NcSoft master acct. and they've both used my cc to buy items through the in-game store. I do live in the US, so I don't know why it would work differently for us.

I for some reason never really understood the connection between my guild wars login/password and my in game name. _____ Sierra isn't close to my login name at all. My login name doesn't even contain an S in it.

I have problems believing that people were targeted personally too (which is kinda what I get from your post.) If people WERE being targeted, more high end traders who frequent Ventari's with rare and expensive items should have been hacked. (They're the type to QQ about it too.)

As a side note: DL is a secure forum and a nice guild. :P We (as a guild) would never do anything to jeopardize current and future member's guild wars account.

I wanted to add that I'm happy to see Gaile & Regina working hard in response to this thread. <3

What you need to do is find one of these idiots that broke it and get him to reproduce it, in a sense you need to get a hold of one or more of these hackers and lock them in a room and tell them to spill the beans.

By the way, when your finished with them could me and and my steal bat come for a visit, to play long swing shots at private parts of his anatomy ?

Just a thought something you might like to consider, maybe the solution to the problem with reproduction evades your tests because your team isn't doing something a hacker is before attempting repeated logins, or alternatively perhaps as is sometimes the case seeking someone outside of the group for technical assistants that can look at the problem from a fresh perspective.

Here is a question and sorry if it's already been answered somewhere
I did try the help on support but nothing came up there in the search.
Can you delete the support tickets that have all your info char name account name etc when you ask a question?
I can't find anyway to do it only to close a ticket or update it.
Thanks in advance.

I wasn't in favor of this thread at all (which IMHO has much more negative sides than people would like to see) but, in defense of the OP, security doesn't classify people into hackers or normal. There's actually a concept of "white hat hacker" which the OP and a few others applied here: they "highlight" vulnerabilities so that companies are forced to fix them. Some white hat hackers do it outside of the public eye, some prefer to do it in front of everyone (see Black Hat conference). Many white hat hackers are hired by pro security companies. ("black hat hackers" also find vulnerabilities but exploit them for them own benefit, this is what people traditionally call "hackers")

I thought Regina said they fixed it to ask for the old password?

they already changed that for guild wars accounts. aion and master account passwords can still be changed without the old password.