Suggestion: Account security

EmptySkull

Lion's Arch Merchant

Join Date: Jul 2006

KaoS League

E/

Please forgive me as it is another "my account was hacked" post. But it is a little more too. Please no flaming or trolling. My account was secure (I thought). Took someone 5 years to get into it. So if the thread needs to be closed then I'm sure it will be.

First off I would like to say I'm sorry if these suggestions have been made. I searched but didn't find it. I'll admit I didn't do an extensive look around.


The reason I thought this idea up is as with many people recently getting their accounts hacked. I got hacked. I haven't logged in much in the past year. Maybe 4 times or so with a weekend event or whatnot. My account was hacked via the Ncsoft Master account.
I got an email on my blackberry stating that my Ncsoft account password change was successful.
Of course I was like O noes, I didn't request that change. So I immediately emailed support back. After I changed my second account password and logged in to check things out. Yes, someone had been logged into my account. Stole a bunch of stuff I had collected over the years. I would say I lost over 3 million gold if you would liquidate all the stuff.
Now I know account security is ultimately up to me. And I thought I was safe. I had a 10 digit real random alphanumeric password on all my accounts (different).
But (lol) I have a gripe about how the NCSoft account password can be changed. (I have read that they changed something about the NCSoft account security and it may be this, I'm sure someone will let me know.)
Anyway,
(Suggestion 1)
So you can change it via the web and plug in your new password. But I noticed when changing my second account's password, instead of telling it a new password, the system generated a new one and emailed it to me.
Shouldn't it be like that with the NCSoft account? So if you request a password change you must submit all the proper answers to the questions (which I don't remember having to set up). Then the server generates a new password and emails it to me. That way the only way a hacker can get the new password is by actually having my email account hacked. Which they didn't in this case. And I would guess they don't in many if not any of the other cases. And I wouldn't have been hacked.
(Suggestion 2)
I don't know if it is possible. But I think it should be this way from the start, and if it can't be implemented in GW1 it should be seriously looked into for GW2 if not too late. (Whatever coding restrictions there may be since the game is close to being finished.)
So if you request a password to be changed and are successful, then that account cannot trade (merchant or player) or drop items for at least 24 hours. I would even go as far as 72 hours.
If this 24 hour period was in effect I wouldn't have lost a dime. As I emailed support as soon as I got the email about the password change. And the investigation began with the account locked.

This all happened to me just last month. I was so bitter and angry I dared not post about it until I cooled off. I do have my account back. But I have lost a great deal in the cyberspace world of GW. I do have my perspectives and understand that in the grand scheme of things it's not that big of a deal. But I do wish I had all that was stolen back.

Once again sorry Inde if this thread is just more of the same. I'm sure you and others are tired of dealing with them.

Enko

Forge Runner

Join Date: Jun 2006

VA

Mo/

This actually isn't that bad of an idea. How often does anyone really need to change their password? Probably not often, so this wouldn't really affect people that much except for the ones who are stealing accounts.

Fay Vert

Desert Nomad

Join Date: Apr 2006

R/

1) email password seems obvious, but what if you no longer have that email address?
2) is better, you can never stop hacking as there are numerous ways, but you can limit the consequence of the hack. Locking some functions out after a password reset is an option, but probably hard to implement, maybe loss of storage access would be more doable, better still, have a no delete option on characters (either permanent or for a time).

Enko

Forge Runner

Join Date: Jun 2006

VA

Mo/

Quote:
Originally Posted by Fay Vert
1) email password seems obvious, but what if you no longer have that email address?
2) is better, you can never stop hacking as there are numerous ways, but you can limit the consequence of the hack. Locking some functions out after a password reset is an option, but probably hard to implement, maybe loss of storage access would be more doable, better still, have a no delete option on characters (either permanent or for a time).
It shouldn't be that hard to implement since the function is already there. Newly created accounts cannot trade for 24 hours. They can just reset that upon password change.

Andrew Dunne

Academy Page

Join Date: Mar 2007

D/

They have added recently to the login where you need email address, password and character name which makes it much more secure, (as the OP said he thought there had been something) as now you can get two of the three info from NCSoft but then need to know whose account it is, (IGN). Whilst possible stops most of the hacks, although obviously more is still better.

Edit: Only thing with 2 is whether then people will just hack and delete accounts to be malicious in response to change, (since they can get no value from it, make sure that the acc holder loses EVERYTHING).

EmptySkull

Lion's Arch Merchant

Join Date: Jul 2006

KaoS League

E/

Quote:
Originally Posted by Andrew Dunne
They have added recently to the login where you need email address, password and character name which makes it much more secure, (as the OP said he thought there had been something) as now you can get two of the three info from NCSoft but then need to know whose account it is, (IGN). Whilst possible stops most of the hacks, although obviously more is still better.
Yeah, late for my account though.

Quote:
Originally Posted by Andrew Dunne
Edit: Only thing with 2 is whether then people will just hack and delete accounts to be malicious in response to change, (since they can get no value from it, make sure that the acc holder loses EVERYTHING).
I disagree for 2 reasons:
A. Folks are doing this to turn around and make money. This would waste their time.
B. Anet could even go as far as locking the account for just play only. No deletion, trading, or dropping.

I believe this implementation would in one swift code change crush the hacking-accounts-for-profit market. Which is what I would guess is 99% of the hacking that's going on.

Riot Narita

Desert Nomad

Join Date: Apr 2007

Quote:
Originally Posted by Fay Vert
1) email password seems obvious, but what if you no longer have that email address?
Better to go to support because you no longer have that email address, than go to support because your account was raped.

mrvrod

Guest01

Join Date: Jul 2006

Quote:
Originally Posted by Fay Vert
1) email password seems obvious, but what if you no longer have that email address?
2) is better, you can never stop hacking as there are numerous ways, but you can limit the consequence of the hack. Locking some functions out after a password reset is an option, but probably hard to implement, maybe loss of storage access would be more doable, better still, have a no delete option on characters (either permanent or for a time).
While it's true that you can't change the email address that you use to log into GW once you've made purchases on that account, you can change the email address that ncsoft uses to contact you. So there is no problem keeping your email up to date. Since this is changeable, someone could access your acct, change the contact info, then request a password reset, but at least it's one more layer. ncsoft could maybe make it so a certain period of time has to transpire between an email address update and a password reset.

I think the no-delete lock on characters is the one thing I would MOST like to see implemented. I think it should be permanent and non-reversible. I'd rather have char lock remorse than char loss remorse, and you can always buy more slots. As far as the items, I wish they would do rollbacks, but I'm more concerned with the time investment on my characters than their items.

BTW EmptySkull, I'm sorry you were one more on a long list of unfortunates.

Shayne Hawke

Departed from Tyria

Join Date: May 2007

Clan Dethryche [dth]

R/

Oh, look, another thread discussing account vulnerability.

Quote:
Originally Posted by EmptySkull
My account was secure( I thought). Took someone 5 years to get into it.
No, I don't think hackers really spend that much time staking out someone's account or trying to crack their passwords or security measures. Perhaps a few months, maybe, since that seems to be the relative timeframe that all of this nonsense has been escalating.

Martin Alvito

Older Than God (1)

Join Date: Aug 2006

Clan Dethryche [dth]

So, to condense:

1) Change the password reset to a system where a new, random password is e-mailed to you. This is a common precaution, and it's effective because it prevents unauthorized access except in the event of user errors the site has no control over (keylogger, credential sharing). I think most players would go for that.

2) Prohibit trades for a certain window in the event of a reset. There are situations where that might be annoying, but giving players a window to dispute a reset and lock the account would be a solid fail-safe.

I'll tell you this: #1 is common and easy to implement. #2 is a tougher coding fix, because you have to teach the server and the client a lot of things. It would help, but you're starting to push whether it's worth it from a cost/benefit standpoint.
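To make the two condensed proposals concrete (a reset that mails a server-generated random password, and a post-reset trade lock the owner can dispute), plus the cooldown between a contact-email change and a reset that mrvrod raised earlier, here is an added Python model. It is not NCSoft or ArenaNet code; every name, the 24-hour windows and the sample account are assumptions made for illustration.

```python
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

ALPHABET = string.ascii_letters + string.digits
TRADE_LOCK = timedelta(hours=24)             # thread suggests 24 to 72 hours
EMAIL_CHANGE_COOLDOWN = timedelta(hours=24)  # gap between email change and reset

@dataclass
class Account:
    email: str
    password: str
    trade_locked_until: Optional[datetime] = None
    email_changed_at: Optional[datetime] = None
    frozen: bool = False  # locked for a support investigation

def generate_password(length: int = 12) -> str:
    # CSPRNG; the party requesting the reset never sees this value
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def request_reset(acct: Account, now: datetime, outbox: List[Tuple[str, str]]) -> None:
    """Suggestions 1 and 2: new password goes only to the email on file, trade is locked."""
    if acct.email_changed_at and now - acct.email_changed_at < EMAIL_CHANGE_COOLDOWN:
        raise PermissionError("contact email changed too recently")
    acct.password = generate_password()
    acct.trade_locked_until = now + TRADE_LOCK
    outbox.append((acct.email, "Your new password is " + acct.password
                   + ". Reply to dispute if you did not request this."))

def can_trade(acct: Account, now: datetime) -> bool:
    """Checked server-side on every trade, merchant and drop action."""
    if acct.frozen:
        return False
    return acct.trade_locked_until is None or now >= acct.trade_locked_until

def dispute_reset(acct: Account, now: datetime) -> bool:
    """Owner reports an unrequested reset inside the window: freeze the account."""
    if acct.trade_locked_until and now < acct.trade_locked_until:
        acct.frozen = True
        return True
    return False

def demo() -> dict:
    """The OP's scenario on constructed sample data (hypothetical account)."""
    t0 = datetime(2010, 1, 1)
    acct = Account(email="owner@example.invalid", password="old-secret")
    outbox: List[Tuple[str, str]] = []
    request_reset(acct, t0, outbox)            # someone triggers a reset
    r = {"rotated": acct.password != "old-secret",
         "mailed_to_owner": outbox[0][0] == acct.email,
         "trade_at_reset": can_trade(acct, t0),
         "trade_at_24h": can_trade(acct, t0 + timedelta(hours=24)),
         "dispute_in_window": dispute_reset(acct, t0 + timedelta(hours=1)),
         "trade_after_freeze": can_trade(acct, t0 + timedelta(hours=48))}
    recent = Account(email="o@example.invalid", password="p", email_changed_at=t0)
    try:
        request_reset(recent, t0 + timedelta(hours=2), outbox)
        r["cooldown_blocked"] = False
    except PermissionError:
        r["cooldown_blocked"] = True
    return r
```

The lock has to live on the server side of every trade path; a client-only check is exactly what a stolen account would bypass.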

Chthon

Grotto Attendant

Join Date: Apr 2007

Quote:
Originally Posted by Martin Alvito
So, to condense:

1) Change the password reset to a system where a new, random password is e-mailed to you. This is a common precaution, and it's effective because it prevents unauthorized access except in the event of user errors the site has no control over (keylogger, credential sharing). I think most players would go for that.

2) Prohibit trades for a certain window in the event of a reset. There are situations where that might be annoying, but giving players a window to dispute a reset and lock the account would be a solid fail-safe.

I'll tell you this: #1 is common and easy to implement. #2 is a tougher coding fix, because you have to teach the server and the client a lot of things. It would help, but you're starting to push whether it's worth it from a cost/benefit standpoint.
I support #1. I was shocked to learn this isn't how it works.

#2 may not be as hard as it sounds. Nesting Material is already untradeable/unsellable/undroppable/etc. I'm sure it wouldn't be so hard to apply those attributes to any item on a temporary basis.

EmptySkull

Lion's Arch Merchant

Join Date: Jul 2006

KaoS League

E/

Quote:
Originally Posted by Shayne Hawke
Oh, look, another thread discussing account vulnerability.

No, I don't think hackers really spend that much time staking out someone's account or trying to crack their passwords or security measures. Perhaps a few months, maybe, since that seems to be the relative time frame that all of this nonsense has been escalating.
Sorry my point was lost on such a snobbish and narrow attitude. I didn't mean that someone has been trying to hack my account for 5 years. I meant that my personal security measures worked for 5 years. I have complex 10 digit alphanumeric real random passwords. Not a pseudo-random computer-generated one. A simple die, chart and coin will give you a real random password.

I don't have key loggers or log on to GW on an unsecured computer.

I did everything I was supposed to do to maintain the highest level of security. Yet I was still hacked via the NCSoft account. So who is at fault for this? Well, I blame NCSoft.

If this is all that one has to do to gain access to one of NCSoft's games to pillage, then I'm not interested in shelling out money for nothing.

Please comment on the suggestions; don't troll. If you have nothing to add then just don't post.


Quote:
Originally Posted by Chthon
#2 may not be as hard as it sounds. Nesting Material is already untradeable/unsellable/undroppable/etc. I'm sure it wouldn't be so hard to apply those attributes to any item on a temporary basis.
I believe that implementing this idea in some way would crush the hacking accounts for profit market. I know that some folks wouldn't notice the email that an account reset was requested. And the wait period would pass and the hacker would win in that instance. But I know it would seriously reduce the success of stealing accounts.


Quote:
Originally Posted by Martin Alvito
#2 is a tougher coding fix, because you have to teach the server and the client a lot of things. It would help, but you're starting to push whether it's worth it from a cost/benefit standpoint.
Cost effective?
I have 2 thoughts initially. I assume you mean cost effective for the company.

1. How about the cost of loss of players that don't trust your security because they know that they did what they were supposed to do yet had their account looted. I have 2 GW accounts. I have purchased everything possible save the PvP unlocks and anything offered after the storage panels. Will I buy GW2 now? Dunno.

2. How about the increase of sales because you can tout a technology that is very secure, but in the event that an account is hacked the customer is protected for a short time. All the customer would have to do is check their email daily. Which is what most do anyway.

Carinae

Forge Runner

Join Date: Jun 2005

Inside

Fifteen Over Fifty [Rare]

Quote:
Originally Posted by Chthon
#2 may not be as hard as it sounds. Nesting Material is already untradeable/unsellable/undroppable/etc. I'm sure it wouldn't be so hard to apply those attributes to any item on a temporary basis.
Also zcoins.

Enko

Forge Runner

Join Date: Jun 2006

VA

Mo/

Quote:
Originally Posted by Carinae
Also zcoins.
The ability for an entire account to be unable to trade is already there, as I mentioned. New accounts can't trade for 24 hours after creation. Just have that same thing apply after your password gets changed.

Sunyavadin

Academy Page

Join Date: Jan 2008

N/

Quote:
Originally Posted by Martin Alvito
1) Change the password reset to a system where a new, random password is e-mailed to you. This is a common precaution, and it's effective because it prevents unauthorized access except in the event of user errors the site has no control over (keylogger, credential sharing). I think most players would go for that.

THIS.


Seriously, it's pretty much the standard across the board. Just about every site I'm a member of, be it forums or shopping, handles it this way. Would it kill NCsoft to adopt an industry standard that closes the biggest loophole in their security?

Gli

Forge Runner

Join Date: Nov 2005

Even some of the most casual and low-traffic forums I frequent reset passwords like that. It's hard to believe NCSoft doesn't offer similar or better account integrity protection for a commercial service that stores personal and possibly even financial info. And of course, our game accounts!

EmptySkull

Lion's Arch Merchant

Join Date: Jul 2006

KaoS League

E/

Quote:
Originally Posted by Sunyavadin
THIS.


Seriously, it's pretty much the standard across the board. Just about every site I'm a member of be it forums or shopping, handle it this way. Would it kill NCsoft to adopt an industry standard that closes the biggest loophole in their security?

Right, which is why I suggested it. If it had been this way, the night I got the email telling me that my password was successfully changed, instead it would have been an email telling me the new password. Which would have been unknown to the hacker. And my account would still be untouched. They may have been able to screw around with my NCsoft account, but my GW account would have been protected.

The Drunkard

Wilds Pathfinder

Join Date: Nov 2007

Still looking

Rt/

I thought suggestions were supposed to be posted in the suggestion sub-forum, Sardelac Sanitarium, but I guess I'm just going crazy.

pumpkin pie

Furnace Stoker

Join Date: Jul 2006

behind you

bumble bee

E/

3 security questions, adding 2 more.

1) Oldest Character's Name
2) Guild's Name
3) one Friend's Character's Name on your friend's list (this is probably stored on our computer, not sure, might not be safe)

Zehnchu

Popcorn Fetish

Join Date: Dec 2005

[GODS]

Mo/Me

the number one best account security....I wish they would make one for GW but at least for GW2

A USB authenticator ... you cannot access the game account without this plugged into your computer!!!


Please make one Anet!!! Please!!!

Chthon

Grotto Attendant

Join Date: Apr 2007

Quote:
Originally Posted by The Drunkard
I thought suggestions were supposed to be posted in the suggestion sub-forum, Sardelac Sanitarium, but I guess I'm just going crazy.
1. Sardelac is for suggestions about changes to the game qua game. Security features don't fit squarely into that rubric.

2. It's a matter of significant community concern, and those belong in Riverside. (We all know that nothing in Sardelac gets read anyway....)

snodaard

Jungle Guide

Join Date: Jun 2006

Holland

[Uni]

Mo/

And what if the hacker pwns you when you are in bed? And simply doesn't change your password because he knows he can't trade for 72 hours if he does change passwords?

EmptySkull

Lion's Arch Merchant

Join Date: Jul 2006

KaoS League

E/

Quote:
Originally Posted by snodaard
And what if the hacker pwns you when you are in bed? And simply doesn't change your password because he knows he can't trade for 72 hours if he does change passwords?
My account was hacked via Ncsoft master account. He changed my password through there and then logged into my account. Then stole the stuff. If the feature was implemented no way he would've gotten anything.

The only other way my account could have been logged into was by brute force busting a 10 digit real random number derived using a die, chart and coin.

Well if they had gotten in that way(which they couldn't because you can't brute force the actual account due to Anet security) then so be it.

The way I was hacked and a lot of others were was via a breach in Ncsoft security. And the suggestion I made would have prevented theft.

pumpkin pie

Furnace Stoker

Join Date: Jul 2006

behind you

bumble bee

E/

Didn't want to resurrect an old thread, but does this look familiar? Notice the date of the post, Sep 20, 2006, so they haven't resolved the problem? Yet have us all link our accounts to NCsoft master account? Is Plaync = NCsoft?

linkie

Faer

La-Li-Lu-Le-Lo

Join Date: Feb 2006

Quote:
Originally Posted by pumpkin pie
Is Plaync = NCsoft?
Yes, PlayNC = NCSoft.

Martin Alvito

Older Than God (1)

Join Date: Aug 2006

Clan Dethryche [dth]

The language of the post you link doesn't acknowledge a problem with PlayNC security. Gaile maintains in that post that credential sharing and social engineering led to the hacks.

A PlayNC account is the older name for a NCSoft Master Account (NCMA). I don't remember if the PlayNC accounts used the current website design in 2006. I want to say that there was a site redesign around 2007, but I could easily be mistaken in my recollection.

Benderama

Krytan Explorer

Join Date: Jul 2008

UK

[Rage]

Rt/

I definitely think the e-mail your new password thing works, at least if it's random numbers and letters. They could send a verification notice before they confirm the password change.

nologic

Frost Gate Guardian

Join Date: Jul 2006

Sweden

E/

Quote:
Originally Posted by Andrew Dunne
They have added recently to the login where you need email address, password and character name which makes it much more secure, (as the OP said he thought there had been something) as now you can get two of the three info from NCSoft but then need to know whose account it is, (IGN). Whilst possible stops most of the hacks, although obviously more is still better.

Edit: Only thing with 2 is whether then people will just hack and delete accounts to be malicious in response to change, (since they can get no value from it, make sure that the acc holder loses EVERYTHING).
Can't say it's more secure either; nothing is impossible, hackers get better over time to walk through the park. It would be real bad if they go for the database over character names etc.

I know Blizzard added a dongle you can buy for like 9 euros from their website; there is one way to go to make it even more secure.
NCSoft should really consider using the same way. It's good that ANet stepped up and did something, but I doubt the hacking won't end just because of that.

Miscreant_Moon

Ascalonian Squire

Join Date: Jul 2009

Somewhere in Ascalon

Me/E

They don't even have to implement a dongle to make this happen though. In Korea, NCSoft has an app that you can download to your cell phone that generates a random password for you. It's already in their games.

But you know, pffft, the Western audience. We're just here for some side profit. NCSoft only cares about their Asian players.

http://aion.plaync.co.kr/side/ncotp