plaync website takes a step backward in security

Riot Narita

Desert Nomad

Join Date: Apr 2007

Quote:
Originally Posted by Stuart444 View Post
While people can talk about how people can see your in game character names, the thing some people seem to be forgetting is: the hacker would have to be able to associate that character's name to a person's e-mail address AND password and it is very rare from what I've seen that someone publicizes their in game character's name and GW e-mail address in the same place along with having a weak password that can be brute forced so it still makes it a rather hard to penetrate wall.

Not saying it's impossible, just saying it would be very rare for that all to happen ^
Yes, it WOULD be rare - IF that was what thieves actually needed to do. But it isn't.

They don't need the GW password. They glitch into a random NCsoft master account (again, no password required), where they can set a new GW password without knowing the old one. They'll see your GW login ID there too.

Now all they need is a character name. If you used the same email address for GW and any forum... forums have been hacked, user details stolen - including email addresses. Now they check the GW login email address against the list of addresses stolen from forums... if they find a match, they search forum posts to see if a character name was posted. I imagine most of that will be done automatically by software.

See what a ridiculous situation that is? We have to use different email addresses everywhere (if you didn't make a new email address for GW 5 years ago... it's too late now). AND we must not reveal our character names anywhere.

And we have to jump through these hoops, because NCsoft doesn't take security seriously.

Another Felldspar

Lion's Arch Merchant

Join Date: Sep 2006

Alchemy Incorporated

Mo/E

People who forget their Guild Wars passwords and need a reset probably don't have a lot to lose if their account is hacked. People like me who have spent literally thousands of hours in the game, who are emotionally tied to their characters, who accidentally type their GW password into their work applications out of sheer habit -- the ones that know their passwords are also the ones with the most to lose -- both emotionally and from in-game acquisitions -- if their account is compromised.

Guild Wars was my first on-line game. When I started it I didn't really understand the need for security. Who wants to break into my game anyway? What are they gonna do, play my character and keep me from seeing a mission? Consequently, because of my ignorance, my GW account name wasn't as secure as it should be, at least from people who were a little bit familiar to me. I mean, it asks for an e-mail address so I gave it the e-mail I was most likely to use. Then I had a problem and needed support. To get support I had to make an NC Soft Master Account. Again in ignorance I chose an account name I could easily remember. Now, even though I have made sincere and honest efforts, explaining exactly why I need changes made, asking support to change my GW account name, asking support to unlink my account so that I can increase my own security by changing my account name, asking for any help I can get with this, they will do nothing for me. Nothing. They won't allow me to cancel the contract that I made that allowed them to alter my GW account and thereby prevent me from changing my account name (people who haven't linked to NC Soft can change the e-mail address that comprises their GW account). They won't even abide by their own privacy agreement and remove all personal information (which would include the e-mail address used for GW effectively rendering the NC Soft Master Account useless). They don't keep their bargains. Now that I'm not so ignorant I still can't close any of the security holes that I created because the options are denied me simply because I screwed up and linked my account to NC Soft.

Now you tell me that one of the very few steps involved with security between NC Soft and my Guild Wars account has been removed and I shouldn't care because it's not a big deal anyway. ANY layer of security on my account is a big deal. A huge deal. It could very easily matter, because there aren't a lot of good layers to begin with. And NC Soft won't allow me to change that.

It matters. They need to fix it back. If they are going to go backwards with security then they need to allow us to step out of our relationship with them, unlink our game and cancel the Master Account.

*off topic*

Please do something to make the in-game store in GW2 available without an NC Soft account. I love buying the extras, but I will never again link ANYTHING to NC Soft. If they were reasonable in their business relationships it would be different but, unfortunately, they are not.

Chthon

Grotto Attendant

Join Date: Apr 2007

Quote:
Originally Posted by Emily Diehl View Post
To be clear (since I think some folks are mixing up a few different topics here), you still need to log into your NCsoft Master Account to manage your Guild Wars account. The change is that you now no longer need to enter your Guild Wars password after that to get into the game account management section.
Folks here, in particular some of the most critical voices, seem to be perfectly clear on that point to me.

Quote:
The only things you can actually do from the Guild Wars account management screen on the NCsoft website is change your game password, add a serial key to your account, or download the client.
And view your personal data...

Quote:
there’s still a huge wall between you and any random hacker: the requirement to know a character name on your account.
1. That's not a very strong wall. IGN's abound in forums like this, in screenshots, and... well.. in game. Only the difficulty of associating the PlayNC account with the IGN stands between you and account theft.

2. It is massively inconvenient to have to safeguard your IGN as an account credential. It makes arranging any sort of activity outside of the game -- from trading to joining a guild to forming a group -- a downright dangerous thing. See Riot Narita's post for more on what a hassle that is. I daresay that the inconvenience of needing to protect your IGN is a bigger inconvenience to more people than the inconvenience of the few idiots who can't remember their passwords.

3. EVEN IF you were correct that the IGN was a sufficient wall (and a convenient one) -- and you aren't -- it would still remain the wiser practice to have more than one effective security feature in place.

And let's be honest here, right now IGN is the ONLY effective security feature we have right now. As recently as a few months ago it was possible to break the NCMA through any one of (1) brute force against the password reset, (2) glitching into someone else's account, (3) file mirroring the whole domain, (4) monkeywrenching the javascript(!!?) functions used for user verification, or (5) SQL injection (possible, unverified how far one could get this way). Unless and until NCSoft is ready to admit those problems existed and put forth some evidence that they've been fixed, I'm going to make the reasonable presumption that the NCMA remains utter Swiss cheese.

To illustrate that point, try to answer this simple question: Assume that on 7/1/2010 someone associated with an RMT business interested in stealing accounts, who already knows how to compromise NCMAs, will figure out how to obtain a list correlating NCMAs and IGNs. How many of those GW accounts would be stolen before you even know about the problem? How many more will be stolen before you can figure out how he's doing it? How many more yet before you can fix the problem? Now, how many accounts would be stolen if the old-password requirement had remained in place?


Quote:
We are not removing the character name requirement functionality in game, and (as we’ve stated in the past), as SOON as we implemented that measure, we noticed a phenomenal drop in account hacks and thefts.
Which is as close as anyone from NCSoft or a-net has come to admitting that the story you keep telling us is bullshit and the real problem was with the NCMA.... Thank you for your (almost) honesty.

Quote:
Let's face it. When you want to log in and check out a game you paid for (but may not have played for a while), there’s nothing more frustrating than being locked out of your own account. And when you try to log into the game’s website to fix that issue, but are then being asked for the password you already know you forgot in the first place, that’s just annoying. Then you have to fill out a ticket and wait for someone to answer it to get help.
More annoying than...
...having your account stolen?
...having your account stripped and/or characters deleted?
...having to constantly guard your IGN?

Quote:
Anyway, I hope this helps you guys understand a little more about our reasoning behind the changes.
I think this pretty much sums it up:

Quote:
Originally Posted by Riot Narita View Post
You compromise EVERYONE'S security, just because a TINY MINORITY of morons can't remember their own password.
Quote:
Originally Posted by Emily Diehl
I’d also like to mention that we’re more than willing to answer questions about the topic, but you should keep a few things in mind:
...
Phrase your questions and concerns in a constructive way
OK, in the spirit of being constructive, how's this:

There does not have to be a conflict between the interests of the tiny minority of morons who can't remember their passwords and the rest of us who would rather have a secure account. You should be able to design the NCMA to give the user the option to choose between more security or more "convenience." Let the morons opt out of the old-password requirement. Or let me opt in to the old-password requirement. Or, better yet, let me opt to sever my GW account from the NCMA -- which I will do in a heartbeat, and that will be the end of the problem.

Martin Alvito

Older Than God (1)

Join Date: Aug 2006

Clan Dethryche [dth]

Quote:
Originally Posted by Chthon View Post
And let's be honest here, right now IGN is the ONLY effective security feature we have right now. As recently as a few months ago it was possible to break the NCMA through any one of (1) brute force against the password reset
Credit where credit is due: this has largely been resolved. The password reset mechanism now sends you an e-mail, which precludes pure brute force attempts using the password reset mechanism. So if you have a strong password, you should be OK there.

Can't speak to the other issues, as I'm not qualified to evaluate more advanced security issues.

Smarty

Krytan Explorer

Join Date: Mar 2008

England

Me/

Quote:
Originally Posted by Chthon View Post
Or, better yet, let me opt to sever my GW account from the NCMA -- which I will do in a heartbeat
Yes yes a million times yes. The NCMA confers no benefit to me whatsoever and is in fact a decided inconvenience where my account security is concerned, because of decisions I made when I was a newbie online gamer (see an earlier post in this thread for someone in the same boat as me); I would *love* to be able to do this and have been asking for it for the past three years. What I'm dreading the most - if I do ever decide to buy GW2, which is still extremely unlikely due to it being an NCsoft product - is having to link my GW2 account to my current NCMA.

jray14

Krytan Explorer

Join Date: May 2005

NC, USA

Ohm Mahnee Pedmay [Hoom]

Quote:
Originally Posted by Martin Alvito View Post
The password reset mechanism now sends you an e-mail, which precludes pure brute force attempts using the password reset mechanism. So if you have a strong password, you should be OK there.
. . Thank you, ANet/NCSoft! This is a big step in the right direction.

Tom Swift

Jungle Guide

Join Date: Aug 2007

Quote:
Originally Posted by Chthon View Post
Or, better yet, let me opt to sever my GW account from the NCMA -- which I will do in a heartbeat, and that will be the end of the problem.
Absolutely!! That's the best answer right there.

Amy Awien

Forge Runner

Join Date: Jul 2006

R/

Creating any NCSoft or ANet web-account linked to my game-account will be the last thing I do.

Quote:
Originally Posted by Jinkies View Post
... (Of course with this Anet could also give us the option to change the email address linked with the account as well) ...
You can change the email address from the client, or at least you could a few months ago.

Faer

La-Li-Lu-Le-Lo

Join Date: Feb 2006

Quote:
Originally Posted by Amy Awien View Post
You can change the email address from the client, or at least you could a few months ago.
Until you link your account to PlayNC.

Gun Pierson

Forge Runner

Join Date: Feb 2006

Belgium

PIMP

Mo/

Anet should at least give us the courtesy to untie the GW account from the NSMA.

Jk Arrow

Lion's Arch Merchant

Join Date: Nov 2008

WI

Dark Phoenix Risin [DPR]

R/

Nobody really knows how hackers do what they do or where they get their information but regardless of security measures, they try to find ways around them to steal people's stuff.

In my situation that I posted on Page 3 - Post 52, the account of mine that was stolen was a secondary account. I was not the original creator of the account. The only person that knew the original NCSoft info was the creator and even he did not remember his NCsoft username and password. I had since changed the GW password so now I was the only person that knew the game login password. The original owner and I were the only 2 that knew the game login username. IGN's were never posted on any website or attached to any outside source but IGN's can be found easily enough by searching in the friends log, but they still would have had to tie it to this account.

I guess what I'm saying is what possible security breach could have been used to gather the info needed to hack this account? Something somewhere allowed a hacker to get access without knowing this information.

The other issue I still have is that since I am not the original creator of the account, I am out of luck even though I am the one contacting support with documentation. However, the person that now has control, and would have had to hack through some part of the GW/NCSoft security does not have to prove anything. It's the attitude that we don't care unless you can prove yourself that is most disappointing.

Karate Jesus

Forge Runner

Join Date: Apr 2008

Texas

Reign of Judgment [RoJ]

Me/

Quote:
Originally Posted by Gun Pierson View Post
Anet should at least give us the courtesy to untie the GW account from the NSMA.
^ Yes, for the love of god, yes.

NeferJackal

Ascalonian Squire

Join Date: Oct 2007

Been a long time lurker and infrequent player of the game, and this is a concern for me. It's clear plaync doesn't know how to handle security; I'll buy GW2 for sure but it will never be linked to my plaync master account.

cosyfiep

are we there yet?

Join Date: Dec 2005

in a land far far away

guild? I am supposed to have a guild?

Rt/

petition to unlink....next on the list of petitions!
(twould be signed by just about everyone I know, and their brother)

Icy The Mage

Forge Runner

Join Date: Apr 2008

Canada

E/

Quote:
Originally Posted by cosyfiep View Post
petition to unlink....next on the list of petitions!
(twould be signed by just about everyone I know, and their brother)
Signed 100 times over

Chthon

Grotto Attendant

Join Date: Apr 2007

Note to a-net: This issue is not going to go away until some corrective action is taken.

Scarlett Romanov

Guest

Join Date: Jul 2005

Me/

Quote:
Originally Posted by Gun Pierson View Post
Anet should at least give us the courtesy to untie the GW account from the NSMA.
I'm fairly certain Gaile said that it wasn't possible to unlink them. That or "not enough resources" excuse.

cosyfiep

are we there yet?

Join Date: Dec 2005

in a land far far away

guild? I am supposed to have a guild?

Rt/

I think I also remember them saying something about makeovers not being possible at one point too....though the not enough resources (eg, they don't really care) is probably the most likely reply. Still would be nice to have the option and not need to 'look over your shoulder' all the time.

Faer

La-Li-Lu-Le-Lo

Join Date: Feb 2006

Gaile said everything was impossible. She also said you could hit teammates with Poison Arrow. General rule of thumb: ignore Gaile. When it comes to these sorts of things, almost anything is possible; it's simply a matter of making somebody care enough to get around to doing it.

AuraofMana

Wilds Pathfinder

Join Date: Jun 2005

Georgia, US

There is a god damn security breach. Nothing is ever 100% safe. I don't understand what is so god damn hard to grasp. It's a simple software engineering concept that all your programmers should have learned in intro courses.
Your devs can't balance, your programmers fail at basic software concepts, your customer support is terrible, and your publisher is terrible and is the major cause for the security breach for both your game accounts and your players' private and personal information. I can't believe you failed at everything imaginable.
You should take a lesson from Blizzard. They have authenticators and flexible account management. They have good customer support both in game in the case of GM's, and a phone line you can actually call and get a live person to talk to within 10 minutes. They also have god damn account activity tracing and rollbacks. They have better security and security recovery.
You bet your entire company's future on GW2? You might want to offer the same service a six year old game has. How am I supposed to feel safe buying GW2? My account is just going to get hacked, private info released, and wait about a week getting an email back from support telling me to be more careful with my account as they can do nothing but tell me crap any non-idiot on the internet knows. You have a security problem. Just because you can't find it doesn't mean it doesn't exist. If you found it it wouldn't be a problem now would it?
Asking you to fix things is really that hard? It's obviously broken. You don't have enough resources to fix it? Then why would I want to pay money again to get screwed over again?
I remember when GW just came out and I was deciding whether I should play WoW or GW. I flipped a coin and fate chose GW. Maybe I should have stared fate in the face and told it no.

jray14

Krytan Explorer

Join Date: May 2005

NC, USA

Ohm Mahnee Pedmay [Hoom]

Quote:
Originally Posted by Martin Alvito View Post
The password reset mechanism now sends you an e-mail, which precludes pure brute force attempts using the password reset mechanism.
I'm curious, how many of you have tried this? Is it working properly? I've been too nervous to try it, figuring the benefit would be less than the risk of triggering some other sort of security breach. I just wouldn't be surprised if NCSoft emailed my activation link to the wrong person, or someone got my new password from a keylogger attached to the NCSoft site, etc.

Martin Alvito

Older Than God (1)

Join Date: Aug 2006

Clan Dethryche [dth]

Quote:
Originally Posted by jray14 View Post
I've been too nervous to try it, figuring the benefit would be less than the risk of triggering some other sort of security breach.
I tested it on an alt that holds mostly junk (mods, mats). Doesn't look like it has been hacked since; the small amount of cash in the box is still there.

Bob Slydell

Forge Runner

Join Date: Jan 2007

Quote:
Originally Posted by Scarlett Romanov View Post
I'm fairly certain Gaile said that it wasn't possible to unlink them. That or "not enough resources" excuse.
Gaile says way too many things aren't possible, when they are... aside from the fact that an unlink requires the removal of a 1kb piece of text representing a GW account from the matching NCsoft account name. But apparently this is a very exhausting process, especially designing a simple GUI workaround in HTML- ONCE for each user to unlink on their own terms themselves. Sometimes I wonder if they have enough resources to even function properly in real life.

Gill Halendt

Desert Nomad

Join Date: Mar 2008

Quote:
Originally Posted by Bob Slydell View Post
Gaile says way too many things aren't possible, when they are... aside from the fact that an unlink requires the removal of a 1kb piece of text representing a GW account from the matching NCsoft account name.
Which is also something they've already done in the past: they could remove accounts for Dungeon Runners when it was shut down.

I'm pretty sure those accounts didn't simply disappear when the game went down, so they likely had to purge them manually.

cosyfiep

are we there yet?

Join Date: Dec 2005

in a land far far away

guild? I am supposed to have a guild?

Rt/

I think it's sometimes a pretty fine line between something they CAN'T do and something they just don't WANT to do-----
We have asked for a lot of things we were told could not be done only to get them at a later date----methinks this may be yet another of those.

Chthon

Grotto Attendant

Join Date: Apr 2007

In Gaile's defense, I don't recall ever reading her saying that unlinking GW accounts from the Goddamned NCMA was impossible. I do recall reading that it was difficult "because multiple teams are involved," or something like that. (Translation: NCSoft's involvement is required, and they refuse to do it.)

Yelling @ Cats

Krytan Explorer

Join Date: Jun 2009

Quote:
Originally Posted by axe View Post
I guarantee you that the casual players (the silent Majority) are screwed worse needing to know the current pass to log in, than the vocal Minority, that are actually worried about their items, gold, etc..
I'm absolutely dumbfounded by this post. I can't even begin to put into words how I feel about this. The closest I can come is WTF?

Faer

La-Li-Lu-Le-Lo

Join Date: Feb 2006

Quote:
Originally Posted by Chthon View Post
In Gaile's defense, I don't recall ever reading her saying that unlinking GW accounts from the Goddamned NCMA was impossible. I do recall reading that it was difficult "because multiple teams are involved," or something like that. (Translation: NCSoft's involvement is required, and they refuse to do it.)
http://wiki.guildwars.com/index.php?..._ from_NCsoft

Apparently somebody told her it was impossible, which she relayed to people asking about it. Then somebody said an email from NCSoft confirmed that it was possible. So, who knows what's going on with that one. Can't fault her much for it either way in that situation.

ragnagard

Lion's Arch Merchant

Join Date: Jul 2007

In Spain, of course

Gamer Español[GE]

N/Mo

When I woke up today, I read a happy email from Ncsoft (censored):

Quote:
Someone at 80.188.--.-- has reset your Guild Wars Game Account password for account [email protected]. If you did not make this change, please contact support immediately at [email protected].
So.. unless I was dreamwalking... seems that their holes are still there.
I was using different pass at ncsoft <-> Gw account, long one, alphanumeric + numeric symbols, etc.

Good to see that I was able to reenter ncsoft acc, change GW pass again, and into the game it was all as I left it yesterday...

But still....

Riot Narita

Desert Nomad

Join Date: Apr 2007

Quote:
Originally Posted by ragnagard View Post
When I woke up today, I read a happy email from Ncsoft (censored):

So.. unless I was dreamwalking... seems that their holes are still there.
I was using different pass at ncsoft <-> Gw account, long one, alphanumeric + numeric symbols, etc.

Good to see that I was able to reenter ncsoft acc, change GW pass again, and into the game it was all as I left it yesterday...

But still....
The thing is - if The Big Problem still exists at NCsoft... it doesn't matter how good/unique your passwords are. Because they don't need any passwords to get in.

Since your stuff was intact, chances are the thieves weren't able to guess one of your GW character names, or track one down from old forum posts etc (via stolen forum account names/email addresses etc).

I assume you're sure your system is clean? (no malware got in)

ragnagard

Lion's Arch Merchant

Join Date: Jul 2007

In Spain, of course

Gamer Español[GE]

N/Mo

Quote:
Originally Posted by Riot Narita View Post
The thing is - if The Big Problem still exists at NCsoft... it doesn't matter how good/unique your passwords are. Because they don't need any passwords to get in.
That was my point, no ncsoft password change nor using same pass as GW, still opened & changed GW pass ...

I will transfer my gw-money to my personal bank (2nd or 3rd mules) when I get time, but it was a bit weird.

Under windoze, I cannot assure that 100%, but if I got malware, they would have detected my pass / chars, as I change between some accounts, typing the 3 lines.

But I am safe now, ncsoft support replied to me with a "we are aware of your ticket, kk?" mail. Sure, I feel....safe... [sarcasm mode off]

coil

Krytan Explorer

Join Date: Aug 2007

Anyone else find it ironic that to change your Master Account pass you need to enter the current AND new passwords?

ragnagard

Lion's Arch Merchant

Join Date: Jul 2007

In Spain, of course

Gamer Español[GE]

N/Mo

I found it ironic that I could be hacked more easily from that website than by exposing myself to malware threats (or sharing password).

I guess that I shouldn't have read the EULA & small letter for that free xunlai chest they gave me!

It would be ok, just if they let us unlink the accounts. The other accounts I have are happy being orphans.

oxylus

Ascalonian Squire

Join Date: Feb 2006

R/E

Hi Emily,

Thanks for taking the time to reply in detail. Could you please pass on our responses to your security team?

Quote:
Originally Posted by Emily Diehl View Post
So, you can see here, that even though the second password requirement was removed, it doesn’t change the fact that there’s still a huge wall between you and any random hacker: the requirement to know a character name on your account.
That is a huge mistake. While this may keep away some random hackers, what about non-random hackers? People who have a grudge against you from a GvG match or someone who just wants to grief you. [1] They know your IGN, and likely know your email and IM too. My IGN does not protect my account!

It's good that you are providing multi-factor for NCSoft accounts, but the cornerstone of multifactor is that the authentication methods are not available to attackers. My IGN is known to EVERYONE. It's not a secret!

On the other hand, my account password IS a secret. That is a great addition to multi-factor to make it harder for someone trying to take over my game account.

I know you made this decision by weighing your support load against the number of accounts that were protected by the password method. You were probably also looking at a spike in returning users as GW2 came closer and put more pressure on your support queues. I work for a software company of roughly the same size as Anet and I have been unhappy when we make decisions like this, but I know the rationale behind it.

However, I ask you reconsider and enable game-account password authentication for any changes to the NCsoft master account. As others have said, the cost in a lost account is so much greater than someone needing to contact support for a password reset.

[1] The reason I'm asking for this is because my GW account is linked to a NCSoft master account with multiple users. Only one of my flatmates had a credit card and our GW accounts were linked to his NCsoft account (we were students, and we didn't think anything of it). While I generally trust him, I don't like the idea of someone having the ability to change the password on my GW account without telling me.
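
An added example, not part of the original posts and not NCsoft's code: a Python sketch of the policy Chthon and oxylus ask for above, where a logged-in master-account session alone cannot set a new game password unless the user has opted out, and a character name is never counted as proof. All names here (`GameAccount`, `change_game_password`, `issue_reset_token`) are hypothetical, and the token stands in for the reset e-mail mentioned earlier in the thread.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

PBKDF2_ROUNDS = 100_000
TOKEN_TTL = 15 * 60  # reset tokens expire after 15 minutes


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class GameAccount:  # hypothetical record, not NCsoft's schema
    login_email: str
    salt: bytes
    pw_hash: bytes
    require_current_password: bool = True  # per-user opt-out, as proposed in the thread
    reset_token_hash: Optional[bytes] = None
    reset_token_expiry: float = 0.0


def new_account(email: str, password: str,
                require_current_password: bool = True) -> GameAccount:
    salt = secrets.token_bytes(16)
    return GameAccount(email, salt, hash_password(password, salt),
                       require_current_password)


def issue_reset_token(acct: GameAccount, now: Optional[float] = None) -> str:
    """Create a single-use token to be mailed to acct.login_email; store only its hash."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    acct.reset_token_hash = hashlib.sha256(token.encode()).digest()
    acct.reset_token_expiry = now + TOKEN_TTL
    return token


def _token_valid(acct: GameAccount, token: str, now: float) -> bool:
    if acct.reset_token_hash is None or now > acct.reset_token_expiry:
        return False
    presented = hashlib.sha256(token.encode()).digest()
    return hmac.compare_digest(presented, acct.reset_token_hash)


def change_game_password(acct, new_password, *, master_session_ok,
                         current_password=None, reset_token=None,
                         character_name=None, now=None) -> bool:
    """Set a new game password only after step-up proof of ownership.

    character_name is accepted but deliberately ignored: it is visible to
    other players, so it cannot count as an authentication factor.
    """
    now = time.time() if now is None else now
    if not master_session_ok:
        return False
    if current_password is not None:
        proved = hmac.compare_digest(
            hash_password(current_password, acct.salt), acct.pw_hash)
    elif reset_token is not None:
        proved = _token_valid(acct, reset_token, now)
    else:
        # No secret presented: allowed only if this user opted out of the check.
        proved = not acct.require_current_password
    if not proved:
        return False
    acct.salt = secrets.token_bytes(16)
    acct.pw_hash = hash_password(new_password, acct.salt)
    acct.reset_token_hash = None  # any outstanding reset token is now void
    return True
```

With the default setting, a compromised master-account session alone fails the check; the account owner who has forgotten the game password goes through the mailed token instead of a support ticket.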

Vitas

Academy Page

Join Date: Jul 2007

[formerly] Tombs of the Primevals - healing B/Ps that try to be meat shields and pwning Darknesses

Back to GWG after a long while.

Is this the current situation? Has there been any more information about this? I am still searching but I don't find anything so far. I used the terms "ncsoft" and "secure" for my search.


