plaync website takes a step backward in security

My character names have nothing to do with my email OR password. If you're dumb enough to have [email protected] frediscool & Fred the Warrior, you probably deserve to lose your account. I truly fail to see the connection between my character names and email/password. :|

With that said, you should use a different password for you GW account as well as an email.

Uh... the whole point of letting your character name slip means that the "hacker" now knows your character name, which is another requirement in order to log into your Guild Wars account along with the email and password. It's just another chance you're taking.

The problem is, if it's still possible to glitch into somebody else's NCsoft master account...

...then what NCsoft just did, is once again make your character name into your ONLY protection against random GW account theft. That and luck. Because if they glitch into your master account, they'll see your GW login (email), and they can change your GW password without knowing the old one. All that's left, is to find a character name.

So unless you feel lucky, you should protect your character names. Don't make it easy to trace your IGN through forum posts - especially if you used the same email for GW and for forums. (bear in mind, they may already know your email address from compromised forum sites)

Master account -> GW email -> Forum email -> forum name -> your IGN if you posted it -> you get raped.

Makes me wonder why NCsoft doesn't have community people that browse forums like this, to address these kinds of issues instead of asking ANet to play messenger boy to our complaints.

I'm just going to throw this out there.

Preventing people from playing at all or annoying them and security are often at odds with each other. Difficult forum registration is an example as it applies to sites with spam prevention, etc. Too much in either way never leads to anything good, so the only way to deal with it is adapt and find creative ways that don't ruin the game for everyone else.

Still waiting.....

hey regina/martin/emily/pierre yall gonna fix this or what?

I totally volunteer to get paid to troll...wait...if I work for them I probably wouldn't be allowed to post...nvm...on a side note +1 to this idea...

afaik that was solved when they updated their site. You're free to try it though.

I personally don't think it was directly linked. I think that the random log in issue was just lumped into the many other issues that were brought up. In addition to adding the character name they updated their site. You had to know your old password in order to change it. Character names being your "only protection" is apparently recent and I certainly feel like it isn't your -only- protection. When you change your password you get an email.

Again. If you're dumb enough to use the same email/name/password for everything you probably deserve to get your account compromised. It's posted pretty much everywhere to use a different email/password for anything important. Even with your explanation I fail to see how they're going to magically guess that I'm "Green Tea Sierra" in game through my plaync account or my login information.

There's also a flaw in your chart. In your User CP you can adjust who can see what in your profile. You can also hide your email address from everyone but admins. I highly doubt someone is going to magically guess any of my info when none of it is related to each other.

Please see above.

Why do you think it is fixed? Is that just an assumption? I haven't heard anything about it being fixed - if you have a source, please post it.

Even if it IS fixed, removing the "enter old password" requirement again... has set everybody up for maximum damage, the next time a master account exploit is found.

NCsoft did no such thing.

It's A-Net who put in the character name requirement, for GW players - and thank God they did, because NCsoft wasn't stepping up at that time.

Aion players got nothing, they were left hung out to dry.

Yes. An email telling you your password has ALREADY been changed. What use is that?

The email tells you in effect: "somebody changed your password. If it wasn't you, then I'm afraid your account has just been emptied, and possibly your characters are deleted"

Yes, everybody gets that.

The point is: character names are part of your account security now.
It's simply not good practice to give away ANY login information, anywhere.

There were people who randomly lost their accounts even though they DID EVERYTHING RIGHT. Unique passwords and email addresses everywhere, strong passwords, full and up-to-date security on their PC's, no dodgy downloads or visiting unsafe websites etc. And it still wasn't enough, because of NCsoft's failures - an aspect of security that we have no control over.

Protect the things you CAN protect. Don't rely on NC-soft, arena-net, guru, or anywhere else that is out of your control... to protect your information. Who knows what exploits may emerge that will let somebody put all the pieces together, or bypass some of them? It's happened before.

Several GW fansites have been compromised, including guru. Email addresses were stolen, and maybe forum names (not sure)... and who knows what else. In other words, when a site gets hacked, your CP settings aren't going to save you. The hackers are likely to see everything anyway.

But by all means - make whatever assumptions you want, take whatever chances you like with your character names. If you used different emails and screen names everywhere, the chances are slim that anyone can match an IGN you posted, to a GW account.

But personally, I'll take every precaution available to me. I don't want to take chances, no matter how small.

I really don't know where to stand because I get mixed stories even by the people I trust.

I think there IS a problem with NC security, but that does NOT by ANY means dismiss the problem that people still make mistakes on their parts, which makes it looks really bad when a few people get hacked "for no reason" and some people get hacked "for a reason", and it inflates. As I said, I still think there is a problem, but that fact still does not dismiss that some people are at fault for losing their own accounts.

I for one, have gotten asked .. by a friend, who played guild wars once, never signed up for ANYTHING using his email, game related, and he kept getting emails saying his account password was reset. The gunny thing was, these weren't fake ones, they were the real deal. Someone managed to pull his information from somewhere, or managed to spoof it somehow to NC to get in. And I believe this.

But there are still some really stupid people out there who don't help the situation, which blow the situation up and out of proportion.

I'd seriously LOL though if some Guild was behind a lot of the "hacked accounts" and some of the stories we heard were fabricated just to make other players more paranoid and to make them click *anything* with NCsoft on it in their email inboxes, even skipping their instinct and clicking on fake NC email, to give some random stranger their information.

You gotta wonder though....because I've seen those faked emails, I think one was even posted here by someone, and the IP address has one or two octets exceeding 255, lmao.

Well, with due respect... I found your post to be a little smug. I take your response as if im firing shots at you for being bad at account security (which we know is false, I'm not accusing you) but it looked that way to me. Again..sorry.

But you ARE right, if your character name and other credentials are common, it's possible for a hacker to get you, if you're smart (as you said, and like I am at security) you should be fine.

I looked at it this way.

Say I'm a TOTAL jackass at account security (but I'm not), I could post an email here of mine for someone to contact me. If it's in the open or even in a PM, if it gets out, it gets out. Now, a hacker sees a potential victim. He can ASSUME my char name is "Bob Slydell" and that the email he has is my GW one. Then he can go on maybe assuming that I in some way an an Office Space fan................ crazy enough to name my password something like.. I dunno. Innitech123 or MichaelBolton ...bam he's in!!!!.

We all know people do that shit, that's all I tried to explain with my little "point #2" people can tag things together to get a clearer understanding of you, we all know this. I just wanna make sure you know thats what I meant.

The lucky hacker may have hit the jackpot in my little description, but luckily for me, in real life on one never figure out my credentials, unless Jesus returns and decides to take up GW account hacking.

Just had to fix that little slip up there.

That is precisely the point we repeatedly attempted to communicate to the ANet community reps without result during the rash of hackings at the end of 2009. Some people are dumb about security, and they lose their accounts as a result. We can treat when errors happen as random. The number of hackings at any given time is thus a stochastic process, but the number of hackings should vary within a certain range. Once the number of reported hackings becomes sufficiently great, it's time to start looking for security holes on the ANet/NCSoft side.

Let me assure you that there are still a ton of flaws with the PlayNC site. It's about as secure as the website of a third-rate e-merchant. They just don't seem to get that doing business in the American market requires first class security. Their primary competitors understand.

I finally broke down and bought an unlinked account to store my valuables on during the account thefts, using an e-mail that I just don't use as the account name. But the fact that I had to take that step has made me unlikely to purchase GW2.

If you're not going to take action anyway...

I've recently found that problem. Recovering but eh, the hacking was because I was a retard and didn't think of my NCSoft stuff as needed initially, and as Gennadios said, for exactly that reason.

Still waiting. Lucy, you got some 'splaining to do!

NCSoft is the worst online gaming company in history when it comes to security and transparency. They should be ashamed of this shit... Totally uncalled for, in every sense of the words....

Take a memo from Blizzard: Authenticators (mobile and stand alone)

Heya,

Gaile posted an update on her support page on this issue:

In December of 2009, players raised concerns about the security of NCsoft Master Accounts. While we investigated those concerns, we added a second layer of security that required players to input their game password before making a change, even though they already had logged into their NCMA and had passed its security measures.

After extensive research, the Guild Wars and NCsoft teams were unable to identify any security breaches in the NCsoft Master Account system. This means that the delays that customers were experiencing related to account resets added no value from a security standpoint. We removed the second password requirement a few weeks ago. We have monitored daily for any upswing in stolen accounts and have seen no increase whatsoever. We will continue to monitor the situation and if we notice any adverse effects as a result of the change, we will address the issue immediately. Please see Gaile's Support Page for more detailed information.

In other words:
"We decided to open the stable door.
This stops idiots from bumping into the closed door, when they want to pet the horse.
It also makes the stable-hand's job easier.
The horse hasn't bolted yet, so we'll leave it open.
If the horse ever does bolt, we might think about about closing it again. After the horse has gone."

Great plan /sarcasm

Edit: I seriously hope there will be no requirement to link GW2 accounts to an NCsoft master account - and the bad joke that NCsoft calls "security". eg. to get any goodies from our GW1 HoM's. Because if that's the case... if I buy GW2 at all - I will simply do without HoM goodies, even if I earned them. That won't be due to a temper tantrum, throwing my toys out of the pram - but because it will be the only sane choice available to me.

Why the hell do you guys not have account activity tracing like WoW? If someone gets hacked on WoW, upon proving it to a GM, a quick rollback results in zero loss. GW doesn't offer the same service, so if you get hacked, you email support, wait a few days, and get the "these are the precautions you can take" crap. How does that help anyone?
If you have account tracing, you can rollback AND FIND OUT WHO HACKED YOUR ACCOUNT. Someone has to transfer your items to another account. If you know this it helps SOLVE the problem instead of letting the hacker run rampant.
So what if the hacker DELETED your characters as well? All those years of playing for nothing? How will you handle that then?
There are several reasons why WoW has more players, this is one of them.
Are you honestly going to assume your software and server is 100% safe? No software and server is 100% safe. Any freshman in CS Major will tell you that.
All these people get hacked and you just assume everyone is a retard that hands out his or her account info or download shady third-party apps? Great business approach imo, having terrible customer support on the only game your company depend on. Maybe I shouldn't hold my breath for GW2 if my account is just going to get hacked anyway.

Sorry Martin, Thats a silly rationale.

No one has hacked us yet so we'll remove security until they do.

Imagine a bank saying 'we've tested our security and since no one has hacked us yet and passwords are such a pain to the customer we've decided to remove them from our online banking system'

For Guild wars 2... Please keep the character name check and add other features to stop accounts being hacked or trashed outside of the NCsoft layer..