Account Hackings - The Source

1. This is bad. Worse than I knew... which was plenty bad already.

2. The character-name question is not going to protect GW accounts when the NCSoft account is compromised because of the old support tickets that contain character names.

The best quick fix would be to delete all the old support tickets ASAP. Since that requires NCSoft to cooperate, it probably won't happen.

Plan B. Change the GW security question so that the user may specify ONE particular character name as the only correct answer. (Presumably everyone has an obscure character that's never been used in a support ticket.)

3. Read #2. It's important.

4. Again, I want to call for EITHER
Let us sever our GW accounts from the NCSoft account
OR
Remove the NCSoft account's ability to reset the GW password (from the GW side).

5.
Since it's already known to the bad guys, there's not much more harm to do. If this were a first release, I'd feel a little more miffed that NCSoft wasn't given a private warning first. Since the info has already been available for 4 months elsewhere, I'm not terribly upset.

Hopefully the knowledge that ANYONE can now hack any account, might pressure NCSoft into finally acting.

6.
Perhaps not a regular, but not a brand new Guru account either:
Here's one possibility: Improper pointer to a memory address that is not properly allocated and preserved for the duration of the pointer. When the number indexing that account in the database is calculated, it gets stored at that address. Then the memory gets released. Then the pointer comes by and references it. If the system doesn't happen to reuse that memory address for anything in the meantime, the correct value is still there, and the pointer returns the correct value exactly as planned. If the system has reused it, the value is essentially random, and the pointer returns a random value. Hard bug to catch and fix, since sometimes -- even usually -- it works just fine, and the condition that triggers incorrect behavior is wholly external to the program or its inputs.

I'm sure there's thousands of other programming errors that could produce a similar result. That's just the one that came to my mind.

More jurisdictions than you can count, more legal frameworks than you can count. Some jurisdictions consider the EULA a binding addition to your purchase agreement. Some jurisdictions consider the EULA mere toilet paper. All jurisdictions are going to have trouble quantifying players' losses. Did you lose the purchase price of the game? The e-bay value of your best items? Some sort of emotional harm? It's a relatively new issue, and courts are universally bad at dealing with new issues. My guess is that the most favorable jurisdiction to try something like would be somewhere in the EU. And that's out of my area of expertise.

Well, I guess I have one more thought to add: You'll never get a judge or jury to understand how accounts are getting hacked and how exactly that fails to live up to the level of care a reasonable and prudent game company would use. But, "you knew there was a big hole in your security and you just sat there and denied it while doing nothing to fix it" is something that everyone understands. As is often the case, the coverup is more damning than the negligence.

yes, that's my exact thoughts into this, but a load of peeps think this, thought it might be shared.

I've seen something similar at a company I was at a few years ago. A timeout on a database lookup being handled improperly and the process proceeding with data from a previous session that hadn't been cleared from the server's memory. Two huge coding problems.

Probably not in any way related to what's going on here because if all this is true, people can log on to accounts that haven't been logged on to in ages. Anyway, just posting this to point out that one should never underestimate the power of bad coding.

Just a note of caution for those trying to log in and out multiple times to see if this works,

I would be worried that as part of the "solution" they might start banning all accounts that logged in and out a large number of times in a short period of time.

I understand the desire to see if this is real, but it's going to be tough to use the defense that you were just trying to help if they get over aggressive with the ban bat.

It don't require just bad coding, it require not fix the bad code. It would be hardly a secret to ncsoft if the problem was so extensive.
Thinking they didn't fixed it ASAP and people are still doing that, well that is hard to gulp down.

Yet, clearly the beans(account info) got spilled somewhere.

I hope players keep reminding anet that the current lack of security on ncsofts website is unacceptable and must be fixed.

Well when I bought the game, I put my trust in Anet, didn't even know who NCSoft was. Is seperating the GW account from the main account and destroying old tickets + personal info even an option?

This, pretty much. I want to be able to unlink my GW account from the NCSoft master account. What the heck is the point of Anet upping security on GW if someone hacking into the NCSoft master account can bypass all of these?

Yeah... I really want my accounts unlinked at this point. I don't care how safe you are, how crazy your PW is, it doesn't MATTER if this is true.

Ugh.

brb, throwing my keyboard all the way down the goddamn hallway.

Perhaps we should all start sending EMails to ANet/NCSoft requesting a bit of info on What The RED ENGINE GORED ENGINE GORED ENGINE GORED ENGINE GOing Hell they plan on doing about this...
Or perhaps just letting us un link from that useless website.

OH i get it now, you put a random acct name in the URL and bam, you can change their shit. HahahhaHAHHAA LOLOLOLOLOOOLOLLOO!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!

This is a very serious issue. If Arenanet was 1% serious they would force NCSoft to act now. This is the most stupid security issue a game company can have.

But it is NCSoft we're talking about here. From the great country of Denial of everything they do wrong. So if something is done, it might be in 2 years (and probably just make it worst)

If at least it asked for anything at all other than writing new password to change it. Even without the login issue it is stupid to make changing password this simple.

Edit: Maybe we should suggest to people who have been hacked to get themselves a random account from NCSoft. Since this is how it look right now, a big Jar of publicly exposed accounts that anyone can pick in.

Tell me you are RED ENGINE GORED kidding me!

"hurrr durrrr 99% of hacked accounts are through the fault of the players themselves durr hurrr hurrrr"

What now, douchebags?

Agreed. I feel sorry for all the forum users in the past who got flamed for losing their accounts to no fault of their own. You guys didn't deserve the treatment you got from this forum.

I just went to my master plaync account and did not see any old tickets. I've only used the account for the free storage pane. Am I not looking in the right place on my nc account for old information?

And will having a different email accounts on gw and plaync be beneficial?

Whaaaaaaaaat?

Couple that with the trick to generate legit account names and I'm stunned we haven't ALL been hacked by now.

I'm dead serious man.

No telling when this will be fixed, and it could be a while given that NCsoft has never taken security seriously in the past. (Security is weak even without this latest gaff).

If your character names are splurged in support tickets (or your NCsoft account name matches your forums name, and you've posted your IGN in forums)... and you want to protect yourself in the meantime... changing your character names is an option.

But you have to pay for that... which sucks royally. I still did it though - actually I did it as soon as character names become part of our account security. I changed the names of all characters whose names I had posted in forums or anywhere. I had to pay for that "insurance", I can't risk my main character getting deleted.