GSU Team's Message About Account Security

I personally won't unless either ncsoft gets their shit straight or anet separates from ncsoft. Truthfully I doubt either will happen. So it looks like no Guild Wars 2 for me...

Same basic idea of why I didn't buy MW2. They do something I disagree with I won't support them.
(ended up winning a free copy and tried it...and remembered why I will just stick with cod4)

All talk. The day GW2 comes out, i start a thread about people who didn't buy it. And i will demand solid proof.

All this boils down to for me is further distrust of NCSoft. I believe ArenaNet have their hearts in the right place and I will continue to support them in that. But NCSoft.... well I feel like I was slapped in the face with that message. Observably we've seen actions of lots of accounts being hacked, additional security measures added by ArenaNet, followed by the (basic) increase of NCSoft security, a drop in accounts being hacked and then a large increase of phishing attempts. I suppose that all those actions are coincidental and unrelated... (/sarcasm)

I appreciate what ArenaNet have done to look after us (albeit they could do more). As for NCSoft... well sometimes saying nothing is the best policy.

what i dont understand is that IF anet really have proved beyond all reasonable doubt that these security issues are flawed and that obtaining someone elses details via the ncsoft website is not possible, why aren't they persuing a legal case with the people who think otherwise? The people who have dragged anet/ncsoft through the dirt and gave them such a bad reputation over these past few weeks/months. its obviously going to affect sales of guildwars 2 and put them out of pocket.

there was i thread a read a while back about a blogger who is in a lawsuit with a big firm (ebony i think it was) for putting on his blog unfounded accusations.

now im not calling anyone a liar, but this has caused some serious controversy on all the guildwars forums and has brought anet into disripute. have the people who made these accusations provided SOLID evidence that they got someone elses account details randomly?

because at the moment, we have a few people saying that they have randomly got peoples account info but anet is saying they have looked into it and found nothing of the sort?

Because Anet and NCsoft are smart enough to know that the more you stir manure around, the more it stinks.

Serious companies don't go into litigation against people who simply talk on forums, because they know the huge hassle of finding out who the poster really is, what laws actually apply and how to gather evidence simply isn't worth the effort. They COULD, but the end gain is so small compared to the hassle, it's not worth it.

Also, the fact that they don't shows a level of professionality that some appreciate more than hot blooded litigation.


Also, do note the subjective bias. Everyone is claiming to be hacked, and NO one of them admits to falling for scams, low security and similar. But they won't admit that's not true, not even to themselves.

Some earlier posts (mid-December) from the sticky thread seemed appropriate to consider with respect to the GSU Team message.

Cross-sampling? Only nearly half? <roll eyes>

From that GSU Team message:

For ANet, a suggestion would be to do some research and arm Mike O'Brien with info for his next executive-level meeting.

How do you explain the increased in hacked account RIGHT AFTER THE FREE STORAGE PANE PROMOTION DRIVE of linking accounts to NCsoft master account? explained that please.

Things to watch in Alliance Chat now-a-days seem to be OMG I'VE BEEN HACKED! true story

yup, had a guild member hacked a couple of weeks ago and saw an alliance member leave due to being hacked a few days ago. i hadnt saw one for ages and ages, but it seems lately there is certainly an influx of accounts compromised. whether its down to ncsofts website or not, i doubt we'll ever know

You probably won't ever get to make such thread.

Mark my words.

You do know that's Gaile Gray you're qouting, right? The woman who got mental break-down on a fansite forum and got moved from CM to another position but still as incompetent, that's her.

So what do you expect from her, really?

1) Don't share your password with anyone. Don't let your friends log in to your game account.
2) Don't use bots. Ever
3) Don't buy in-game money
4) Don't use power-leveling services.
5) Don't run programs designed by third parties for use with our games.
6) Beware of phishing
7) Beware of keylogger links on forums.
8) Protect your system.

Not forgetting 9) do not link your account to NCSoft master account, which is bad.

50 % unlinked account are most probably cause by 1-8 and the other 50% of the players whose account were hacked has linked NCsoft Master Account, do your own maths, no cross referencing needed.


At lease answer people's email when they send in detail information through the official wiki email system.

QFT!

From around mid October to the end of December, you could rarely log on here without seeing a new "I've been hacked post".

Since the changes were made to the NCSoft site and the Guild Wars login, the number of hacks reported here has dropped to almost zero. The only two recent ones I can find were someone who hadn't played in ages whose account was probably hacked months ago, and someone who admitted to getting caught by a phishing email.

The amount of phising emails being sent out has increased exponentially.

There would certainly seem to be more than a casual relationship between these things no matter how much it is denied.

I thought it might be worth noting another somewhat obvious security vulnerability associated with the NCMA that's probably still continuing is the availability of e-mail addresses through the NCMA which are part of the GW login credentials.

It's been ameloriated somewhat by the ANet's additional requirement of character name to the login credentials, but based on the account credentials previously using just e-mail address and password, I can imagine many of the account hacks (if involving the NCMA) may not necessarily have involved password changes (which ANet indicates were "very few"), but were facilitated by information (e-mail address) being available on the NCMA (which the account thieves might not otherwise have). E.g., player uses same password on all accounts, hacker gets login and password from third-party site, hacker accesses player's NCMA using same information, hacker gets e-mail address from NCMA, hacker accesses GW account using the same password and e-mail address obtained from NCMA.

Perhaps masking of the e-mail addresses given that they're key to account credentials for GW might have made sense. Given the security team has so many years of experience, I would think the issue would've been flagged and something would have been done about that as well.

greenthumb and others seem to not be noticing the most obvious problem.


Hackers who broke into your NCMA could then auto change your passwords for GW and other games without even needing those passwords. There was no password verification for your old passwords. Once they got into the NCMA, you had access to all the games, regardless of how secure your passwords were.

This was an OBVIOUS flaw which is real. Heck, I'm pretty sure that's still how the password reset function works.

There are posts on the Aion forum about people who had inactive accounts (ie, were no longer paying the $15 a month and no longer playing the game) getting their NCMA's hacked into, getting their password reset, and then the hackers adding game time to their account to use them.

OBVIOUSLY the NCMA had to have been hacked into, because that is the only way to add game time or change the password of an Aion account. This is such an obvious lie that it's just pathetic.

yes ncsoft is a piece of crap but arguing about you not buying gw2 is retarded because we all know you will or else you wouldn't be here.

Look at what an NCSoft representative responded to one of the Aion players who's account was hacked while his subscription wasn't even active.



Didn't see any mention of that in their big security announcement. A flaw with one of NCSoft's games. Or does "packet manipulation" fall under the user's fault category as well?

I started playing in 2006.
I am not ignorant of the need and practice of internet/computer security. I've been surfing the web, playing games, purchasing products, using credit cards, etc etc. for 15 years or how ever long you could do that kind of stuff online.

I have never been hacked in any of my online transactions.

Until November of last year when my GW account was stolen and pillaged.

I followed all the guidelines listed there. The only 2 fansites I registered and visited was this one and gwonline. I haven't read that those 2 were hacked for passwords and besides the password for my NCSoft account was different than the websites.

My account was hacked "somehow" via the NCMA. They gained access and changed my password to my GW account. For some stupid reason instead of a new password being generated and sent to me via email they could just change it there. But since they could and did all my virtual wealth was taken.

Is it really important in the grand scheme of life? No. I have perspective.

But it is still very disappointing that I couldn't leave my account alone and come back to it when ever I want and what I had accumulated still be there.

This letter offends me in the highest order. I did what I was supposed to do to protect my account.

I blame NCSoft for this not A.net. But I am afraid A.net will feel my personal protest. I know that little me will not be a blip on their radar but the 100's of dollars I spent on GW will be the last dollar I spend on NCSoft game.

I have no other way to proclaim my dissatisfaction. I cannot invest 100's of dollars and 7000+ hours into another game to have it taken in less than one hour.

NO! Fool me once shame on you. Fool me twice shame on me.

What annoys me the most is his closing sentence: "Now if you'll excuse me, I have another gold farmer cartel to ban."

As if we were wasting his time by making him write this response! Absolutely disgusting. What a way to take your customers seriously. I don't give a dang thing about those "Gold farmer cartels", it's the player's own fault for buying from them. Also, I love the way he calls them "cartels", as those companies's practices of selling virtual money are probably completely legal under country law. Of course, they are a source of bots and accounts being compromised, but wouldn't it be better to listen to the customers and making your product's own security safer instead of chasing ghosts? In the Netherlands we have a saying for that, it's called drying the floor using a mop, with the water tap open.

I can't help but wonder how ArenaNET's employees feel about this message. I bet they are pissed as hell, but they can't say anything, being owned by NCSoft. Also, I'd like to thank Regina for posting this.

Finally, in regard to the Wikipedia article on NCSoft, I'd like to refer to the paragraph on customer satisfaction:

I think this says it all. Way to go Scott Jennings.

Actions speak louder than words. Why spend lots of time and resources on improving security when apparently there isn't a problem?
It makes me wonder if they want all of us old farts out of the game early enough to ensure that we aren't still around to kick up a stink and put the potential new players/customers off when GW2 is released...

Up until a few weeks ago, I would have certainly bought it. NCsoft has shot itself in the foot over this whole affair, and clearly shown that it has scant regard for its' costumer base. Anet, however, has appeared to come out of this relatively well with its' quick responses and patches to the failings of the NCsoft website, despite the understandable 'support' it has to give to NCsoft statements such as the one Regina linked in her post.

If accounts have to be linked via the NCsoft website for HoM achievements to be transferred between a GW1 account and a GW2 account, then I won't buy it. If the keycode for GW2 can be added to a GW1 account (as if it was another campaign or expansion) for direct in-game transfer, then I will. I'm assuming that all the problems identified with the NCsoft website won't have been fixed by the time GW2 comes out.

I agree with you, but someone at NCSoft clearly does not. My guess is that Legal is behind this stance, and that they're afraid that admitting fault would open the door to an easy class action. Standing wouldn't be hard to prove given the admission of fault.

You're ignoring the mountain of evidence that points at the NCMA as a vulnerability. Dozens of players that were knowledgeable about security reported being hacked despite following the guidelines NCSoft claims will protect your account. The vector of attack was invariably the NCMA. We repeatedly asked them to put protections on the password reset mechanism, and they repeatedly refused. When they finally did so, the hacks stopped.

I don't know what more you want to demonstrate causality. Either dozens of people were all lying in a futile attempt to get ANet to restore their stuff, or NCSoft is lying.

There you're wrong, and it's that sort of arrogant thinking that destroys companies in the software business.

This is the first time I've ever heard of a man-in-the-middle attack in one of NCsoft's game. I'm genuinely impressed (in an academic kind of way), this is very advanced and thus probably required long/painful log analyses. The rest of the post suggests that NCsoft has been under very heavy attacks from RMTs and hackers, in a variety of complicated ways, thus justifuing Jennings' expression of "war". As someone who's studied similar problems I'm not surprised in the slightest.

Btw Jennings was hired for the GSU in November 2009. He also talks about RMT in this article. People should read it.

This all reminds me of old stories about Microsoft...

Scott isn't the one people need to be yelling at anyway.
He can only say what his bosses want him to.

while i agree with all the rage its too bad anet cant leave ncsoft. i'll only be interested in gw2 if the only thing that's related to ncsoft is the actual retail box with the ncsoft logo on it...no website, no customer support, nothing.

on a side note, has anyone likened this "war on rmt" to the "war on drugs"?

edit: planescape-torment is pretty bad ass

Just to make a point about wikipedia. Take everything you see on it with 2lb's of salt.

Directly from the source site [12], if you follow that link you will see that NCSoft actually has a rating of C-, not an F.

Now I'm not saying that they lied. They could very well have had an F while that information was written, but it is old data and not currently correct.

Wikipedia as a source requires verification of that source.

Somewhat an enjoyable read; thrilling adventure which had me tense at parts.
Actually enough joking around cheers Anet, i'm very greatful for this as even someone who uses computers on a regular basis there is no harm in reminding me every so often

Agreed i lol'd at the we will not give free holiday gifts but looking at in context this does need to be stressed. There is no need for the company that owns the game to request such information off their users.

GSU huh? I had never heard of the GSU at NCSoft before. A new unit developed to fight against RMT's? Okay, that's a step.

And the password reset changes are a step.

A-Net instituting the requirement to know a character's name on the account before you can log into the account, that's a step.

There are several steps in the right direction. Maybe NCSoft willl continue to walk the walk even while doing the double-talk. The talk doesn't matter to me nearly as much as the steps -- and right now they are very real, obvious and verifiable -- being made to get a tighter handle on security.

To be honest I'd still like to know the names of the people that head up the security departments at both NCSoft and A-Net, and I still want to be able to un-link my GW account from the NCSoft master account, but I'm pleased with the direction that things are currently moving. It's a very different direction than it was last September.

The right to unlink the Guild Wars account from the NC Soft master account is huge in my mind. How can they legally force me to keep the information tied together? I bought the right to that account -- and according to the EULA it's the one thing I paid for when I purchased the game -- why isn't it my choice to unlink it from NCSoft? If I were to write them a letter and say that I no longer want the information linked, would it be legal for them to keep it linked? A contract is only good as long as it benefits both parties, and if I give NCSoft a 30 day notice and tell them I no longer want my personal information, Guild Wars log-in information, or support information to be used in their database can they legally keep it there? Is there any way to force NC Soft to terminate the master account?

hhmm..date..

http://en.wikipedia.org/wiki/Scott_J...(game_designer)
to
http://brokentoys.org/
down to "Posted by Scott Jennings in _ on December 23rd, 2009 "
Oh, hi. I work at NCsoft now, again. On Aion support.
...so GSU is like 20 days old...or less

http://na.aiononline.com/board/notic...leID=197&page=
same copy an past bull....

I'll sign.

I wasn't going to buy GW2 but when ANet forced NCsoft to act over the holiday season I almost changed my mind. This letter, however, has changed it back. I will buy only if there is a full separation between ANet and NCsoft.

And I'll be happy to prove it by scanning the blank receipt which will not list the game I didn't buy.

Scott wrote this in November 2009 (the GSU may have existed before that actually):
http://www.morpg.com/showFeature.cfm...-Problems.html
Just to clarify /end-off-topic

They will find a way to blame us for packet manipulation...they'll blame us for some how thinly linking to bullying someone online who is a known hacker or some stupid bullshit.

If they really do come up with a reason that is so far fetched beyond our control they might as well just say: "Anyone who bought Guild Wars should have never been born."

Unless I'm horribly mistaken, ArenaNet is a wholly owned subsidiary of NCSoft. They are not truly separate companies, and as such, a split is not going to happen. Martin or Regina could probably explain this situation in more detail.

There's a compilation of known vulnerabilities in this post. (There may be others we don't know about.) You can read through the entire thread for confirmations by various forumgoers (including a Ventari Mod), or, if you don't trust people on Guru, you can go verify them for yourself using your own NCSoft account.

Translation: "Someone at corporate wrote that for me. I cannot deviate from it."

This. There are people on these forums and Aion's who have done everything right in terms of security and still had their accounts stolen because of NCSoft's incompetence. Everyone who has a NCSoft account has their game accounts at risk of being stolen, even if they personally do everything right in terms of security. There are people on these forums and Aion's who have gone above and beyond the call of duty to help NCSoft figure out what's wrong with their security so it can be fixed. NCSoft's response, to call us a bunch of fools and liars.

Why do we always blame the lawyers? This feels to me more like some corporate exec or maybe a really bad lawyer. (Though a-net 's lawyer is known to have failed to trademark "Eye of the North" in a timely fashion and lucked out that no one went and registered it first after the news broke...)

First, a good lawyer understands that pissing people off can turn a forgettable incident into a lawsuit. A flat-out admission is still maybe a no-go, but libeling honest people who are upset with you, but have nonetheless gone out of their way to help you, is just not a smart move. If they're not ready to make an admission, continued silence would have been a better idea.

Second, the mountain of evidence is so high that withholding an admission doesn't accomplish much. If they did get sued, they'd be certain to lose on that issue. Withholding an admission is only legally useful as a dilatory move at this point. To me, it feels a lot more like foolish pride than sound legal judgment.

Third, when I said a couple lines back that NCSoft is "libeling honest people who are upset with [them], but have nonetheless gone out of their way to help [them]," I was using "libel" in its technical sense. Their message is libelous. They called us liars, in print, about a specific factual issue that we are provably not lying about. (And when I say "us," I include myself in particular, since I strongly suspect my compilation is the "detailed... list of security vulnerabilities" cited in the letter.) If I were feeling pissed off enough to litigate this (and calling me a liar sure didn't help in that respect), I'd start off with a libel suit in the US, with lots of US-style discovery proceedings; then turn around and take the fruits of my discovery proceedings to a class action suit in whatever European country is going to go the farthest to wipe its ass with the EULA. They're lucky I'm not feeling very litigious right now. Back to my point, though, no competent lawyer would ever be dumb enough to issue a defamatory official statement like that. It's got to be a dumbass corporate type.

How are we supposed to prove if we didn't buy something? Show you our bank account?

That ridiculous.

Tbh, I'm already looking for games to replace GW for me once GW2 comes out (and no, GW2 is not an option unless Anet and NCSoft split). I've found several that I'm interested in, and I don't plan on changing my mind.

If I recall correctly, it's happened before and could most assuredly happen again.

I agree wholeheartedly.

I'm not so sure. Standing is probably demonstrable if you got hacked; you could probably claim emotional harm in the right jurisdiction. I can't see a case other than contributory negligence here, though.

I'm guessing they think they can get it bounced before discovery in a US case. If they can beat the standing claim, or if they can get a looser liability standard to apply, they can win prior to discovery.

If you can't get discovery, making a case would be tough.

They could sell it.

However, I acknowledge the highly unlikely nature of that - so most likely I will not be buying GW2 anyway.

Thanks for that, I was wondering what the explanation would be. I stopped visiting the Aion forums since I quit the game in disgust at paying for worse support than GW has for free, so I've not kept up to date with the hacking threads there.

*

I was thinking more of the "war on terror" and of the conspiracy theory surrounding 9/11. I feel sorry for the ordinary people in China, who are probably going to find their internet access for ordinary legal pursuits severely restricted as a result of this and other pressures from the West.

*

I very much doubt I'll be buying GW2. I just can't justify supporting NCsoft's poor attitude and bad business practices with my money, no matter how much I like the existing game. They're going to have to make major changes to make me change my mind. Besides which, I've discovered that the MMO called Real Life that so many people like to post about is in fact pretty damn good.

Actually, I think they could legally leave NCSoft, but it doesn't matter. We wont see that happen in our time.

The guys who ran Anet that actually had cojones are long since gone.

Lawsuit between anet and ncsoft would be most beneficial in my opinion...if it could be proven that the security issues were on ncsofts side they could probably get the courts involved saying that NcSofts actions were harmful to anets business model and that action needs to be taken against ncsoft in the form of separating anet from ncsoft?


I have never been big on getting courts involved....but with the way ncsoft is going...They don't deserve a cent from anet in order to separate.

Just my thoughts on a lawsuit that would benefit everyone not just individuals.

oh and lets not all forget what happens what goes on to the person after they get an account hacked/ unfairly perma-banned.

I acctually have an example on the perma-banned one. About 4~5 months ago i took on my friends account because they wanted to have me beat NF, Proph and factions for them(and if i got it done quick enough possibly EOTN). Well i decided to go along in proph go at a liesurely pace to help out my good friend. So, i stop in LA to see if anyone needs help because im gonan go and do the campaign why not help some ppl along the way right? i start askign if anyone wants help progressing in proph because i was gonan do it anyway. Imediatly i get at least 4 PMs saying "We are going to report ur @$$ you account-stealign F***-tard". or right along those lines. Wrote down the names for later so i could report them for language and took pics. Went through the campaign up to about the dessert missions for that day and logged off. Came back the next day w/ a perma-ban on my friends account saying i tried to hack peoples acoRED ENGINE GORED ENGINE GORED ENGINE GORED ENGINE GOs or "account buy". I emailed support immediatly exsplaing i was helping my friends account and that i had been offering to help other people. They went back (i emailed them the pics of earlier about the the ppl usign the language. They told me to provide key info on the account. Well i couldnt due to my friend being an online-one that i talked through various means like IMing. I told them i was unable to send them due to the above fact so they told me there was nothing to do.

I immediatly told my online buddy who went on there to support my story of him letting me barrow the account. the problem was he could prove via his NCSoft acount the GW accoutn was his, but its like the proverb i learned recently *junk is worthless crap you keep for 10years and throw out 3 weeks before you need it* and he dint have his account key. So, not only did they keep his account banned due to lack of attention from the ppl at support, but his NCSoft got terminated(or banned not really sure)so he got screwed out of any info he couldve used to prove his case in 1 swoop.

So really, i've lost faith in NCSoft, i still trust a.net a bit due to ppl like regina, lindsey, and martin.. but im even losing faith in them due to the fact regina could blindly post somethign like this w/out any idea how bad this would piss off the community.. so GJ anet/NCSoft.. you've just proved we are all jerk-wads out to get you. bravo...

I'm not talking about standing or the theory of the case in general here. Whether or not they admit the huge fricking holes in the NCSoft account website impacts one narrow issue: whether or not there are huge fricking holes in the NCSoft account website. Which there are. And which one could probably show without an admission, and even without liberal US-style discovery. So, why would a sensible lawyer insist on withholding an admission when it would do so much PR good? The only reason I can think of is dilation. Or that a lawyer isn't calling the shots.

Apropos a general theory of the case, I agree that a theory of damages would be tricky here. I'm no expert, but I understand that the Europeans have much stronger consumer protection laws (contract) than here in the US. More importantly, they have much stronger privacy laws protecting the dissemination of personal information. I'd wager the privacy violation might pay out better.

I'm talking a libel case. Defamation. Totally separate case. Totally separate misdeed. The misdeed is that they've sullied my reputation (and yours and several other people's too for that matter) by publicly branding me a liar when I am not. It's a classic libel case, a slam dunk case. They can't deny they said it. They can't deny what they said is damaging to a person's reputation. They only issue they can dispute is whether what they said is true. And issues in honest dispute survive summary judgment so long as each side has at least some bit of evidence, and go to discovery. The only thing standing between them and a libel suit is my laziness and disinclination to hurt a-net collaterally.

But, back to my original point. A lawyer would know enough not to commit defamation in their official statements, certainly not slam dunk defamation cases, not even arguable defamation cases. You just don't do it. You increase your potential liability and gain nothing in the process. There's no way a lawyer wrote that statement. It had to be a corporate fool.

----

Having not seen the contracts or corporate charters involved, I've got zero insight into that as a legal matter. As a practical matter, a-net cannot fund the development and publication of its games without a large investor to back it. Unless a "white knight" was waiting in the wings, they'd be fools to break away from NCSoft. And, given NCSoft's recent behavior, they'd be fools to stay. Guess they're just screwed no matter what they do.

You got your friends account FAIRLY perma-banned. It is a violation to allow another person access to your account. It can and will get that account banned if it is found to have occurred.

They might not have had it right in the first instance, but your contacting them was the death knell. Should have had your online friend do that part.

We all know that many people share accounts. It is still a violation of the EULA. This is the reason you do not broadcast that fact anywhere.