NC Soft Linked Accounts Vulnerable Again
Starmidder
Got a "Password reset success" e-mail from NCSoft Support today, which I verified to be accurate. Problem is, I didn't request my password to be reset. When I re-reset it, nothing about my account had changed, so I'm assuming whoever tried to hack my account got stopped by the character name portion of the login. For what it's worth, I traced the IP to South Korea.
So if they didn't reset my password in-game, they must have done it through the NCSoft site, much like what happened to me (and hundreds or thousands of others) a while back. Beware of accounts linked to the NCSoft site, as I believe their security hole is back.
Support has been super helpful (as usual), getting back to me a whopping 7 hours later with a response that my ticket would be forwarded onto the accounting department. I expect that that's the most helpful information I'll get out of this.
Flame this, close this, deny this, do whatever you want. Not looking for answers, just trying to warn others so that they don't lose the 3 million gold I lost the first time this happened.
Psirdark
Thanks man. I was also screwed during the last round. I wish I could change my email address, or they would allow special chars; the bastards are so not helpful . . .
Lord Dagon
So glad I'm not linked to NCSoft....
Chthon
I wish I could say I'm surprised, but I'm not.
Let's just hope a-net has learned their lesson and keeps GW2 as far away from the damned NCMA as possible.
Sigh....
Chrisworld
I welcome the challenge. ME vs. THE WORLDDDDD
Shanaeri Rynale
So long as your character names are secure, then hopefully so will your GW account. Mind you, it's concerns like the above that really make something like the option for a WoW-style authenticator, proper account recovery and delete protection essential in GW2.
yitjuan
How does one get linked to NCsoft anyway? I'm trying to figure out if I ever did that or not.
Aeronwen
Most people got linked with the free storage panel, or if you have bought anything through the online shop.
damkel
Also:
Keep usernames/passwords for forums separate from usernames/passwords for logging into the actual game.
Most MMO hacks happen when a community forum is vulnerable and stolen usernames/passwords are used to log into the game.
Isfit
Nevertheless, it's a dumb joke that you can change the password for your GW account through the master-account w/o even knowing the old password
Showtime
This reminds me of my one time dealing with them. When they had the free storage panel going for having the game and all the expansions, I couldn't get it to work cuz I lost the account name. So I contacted them and they actually asked for my game keys. WTF is up with that? I was told to never give it out, and they needed it for what? I obviously have all the content. It was all paid for. What needed to be authenticated? Just add the panel that was so generously offered and advertised (to get people to buy missing content imo). The only thing that came to mind was they would be able to reset everything with that info. Going to email them one last time to see if they could just add the panel. Doubt it will happen.
JONO51
LifeInfusion
Rehnahvah Gahro
Here we go again, every few weeks a thread like this pops up (I still remember mine) and nothing gets resolved at NCSoft. It's a shame that ArenaNet has to put up with this Security-flawed system, I bet if they were in charge of something that important they would handle it way better than NC. Hell, anyone could handle security better at this point.
I don't understand (as in "It won't go into my frickin' head") why this problem is still not resolved, even when we faced major security issues over the years with this mindboggling NCSoft Masteraccount.
And I guess this thread will just dwindle down like the others, because it is never a problem until it affects YOU.
And then the ones telling others that it was probably their own fault are QQing on the next thread.
I sure hope that by the time GW2 comes around all this will be out of the way. The game can get the highest ratings, if the customer support and security is left in the hands of NCSoft you will not have much of an account to play with for very long.
Someone at Anet needs to step up and tell it how it is: Security at NC is terrible, and it needs to improve! How about putting that in your financial report for next quarter...
Shanaeri Rynale
Actually, there was a huge thread on this months ago when a lot of pressure was put on Anet to do something. They did so, which is why we have the character name field on login. As soon as they did this reports of hacks dropped off substantially.
So Anet didn't ignore the community and you can tell from the tone of their responses at the time and historically there was a degree of tension between themselves and NCsoft. I suspect (and this is pure speculation on my part) that the solution Anet implemented was partly born from this frustration. I.e if you won't fix it, we will.
What is clear is that lessons need to be learned for GW2.
Deviant Angel
Quote:
Nevertheless, it's a dumb joke that you can change the password for your GW account through the master-account w/o even knowing the old password
|
I can't think of any other company that allows you to change your password without providing the old one first. It's like they are trying to make hijacking accounts easier. Newsflash! I'm not buying another account or any other NCSoft game if my account is compromised because of their stupidity. Business is gonna be baaaaad... nerk!
Is requiring the old/current password really too much to ask? It shouldn't be.
Riot Narita
Quote:
Is requiring the old/current password really too much to ask? It shouldn't be.
|
But later, after the dust had settled, and A-net had largely fixed the problem (for GW, not Aion etc) by adding the character name check...
...they took it out again
Incredible. This makes it indisputably clear, that NCsoft do not take security seriously. NCsoft simply should not be trusted with our accounts.
This is why I do not want GW2 to require an NCsoft master account for any reason.
Lucky for us (and OP) that A-net put in that character name check, because it was only a matter of time before a new master account hole was found and exploited.
But it's still unsatisfactory: our IGN's are our only defense against master account breaches, and now we have to be careful where we post them. That sucks. I hope GW2 offers something better than that, and ideally the option of securID-style hardware.
mrmango
cosyfiep
Quote:
Nevertheless, it's a dumb joke that you can change the password for your GW account through the master-account w/o even knowing the old password
|
I agree, and the attempt that anet made to try to keep others out (the character name--which I NEVER put on any forum)....security is still very weak.
I doubt NCsoft even cares about this since they have all the moneys they will get from this game when you buy it (basically), so why bother with real security??? It's pretty sad.
Deviant Angel
Quote:
During the last spate of account thefts, due to master account (lack of) security... they actually put in that requirement.
But later, after the dust had settled, and A-net had largely fixed the problem (for GW, not Aion etc) by adding the character name check... ...they took it out again Incredible. This makes it indisputably clear, that NCsoft do not take security seriously. NCsoft simply should not be trusted with our accounts. This is why I do not want GW2 to require an NCsoft master account for any reason. Lucky for us (and OP) that A-net put in that character name check, because it was only a matter of time before a new master account hole was found and exploited. But it's still unsatisfactory: our IGN's are our only defense against master account breaches, and now we have to be careful where we post them. That sucks. I hope GW2 offers something better than that, and ideally the option of securID-style hardware. |
Nobody in their right mind will complain about a few extra hoops to jump through for changing passwords and account information. Oh...noes... my fingers are going to fall off because they want verification that the account is mine! Give me a break. PUT IT BACK!!!
If they don't step it up in the security department, they are gonna be dealing with a lot of angry customers when GW2 is released. It's stupid to expect us to link our accounts when they can't even add the most basic forms of security to keep our accounts safe once we do. That being said, I linked mine way back in the day when the online store was added. Long before the threads started popping up about the security issues. I feel pretty confident that my GW account is safe, but there will always be that little "what if" nagging me until they at least pretend to care.
Chthon
Quote:
During the last spate of account thefts, due to master account (lack of) security... they actually put in that requirement.
But later, after the dust had settled, and A-net had largely fixed the problem (for GW, not Aion etc) by adding the character name check... ...they took it out again Incredible. This makes it indisputably clear, that NCsoft do not take security seriously. NCsoft simply should not be trusted with our accounts. This is why I do not want GW2 to require an NCsoft master account for any reason. Lucky for us (and OP) that A-net put in that character name check, because it was only a matter of time before a new master account hole was found and exploited. But it's still unsatisfactory: our IGN's are our only defense against master account breaches, and now we have to be careful where we post them. That sucks. I hope GW2 offers something better than that, and ideally the option of securID-style hardware. |
Lensor
Since HoM will be linked to GW2 through an in-game item, I really hope the link will be done by, in a GW2 interface, entering your GW1 info (just like logging in). That way no NCMA is needed. I think this would be the best way, not only for security reasons, but also since a lot (A LOT) of people made an NCMA account several years ago to be able to use the in-game store and never looked back.
Nyta
Quote:
During the last spate of account thefts, due to master account (lack of) security... they actually put in that requirement.
But later, after the dust had settled, and A-net had largely fixed the problem (for GW, not Aion etc) by adding the character name check... ...they took it out again Incredible. This makes it indisputably clear, that NCsoft do not take security seriously. NCsoft simply should not be trusted with our accounts. This is why I do not want GW2 to require an NCsoft master account for any reason. Lucky for us (and OP) that A-net put in that character name check, because it was only a matter of time before a new master account hole was found and exploited. But it's still unsatisfactory: our IGN's are our only defense against master account breaches, and now we have to be careful where we post them. That sucks. I hope GW2 offers something better than that, and ideally the option of securID-style hardware. |
The character name requirement, as I understand it, had nothing to do with the NCMA.
Tom Swift
Quote:
Actually, to my understanding, the character name requirement was added as a counter to losing the account due to forum hackings (people using the same log-in credentials on forums and in-game losing their accounts; the problem got kinda bad towards the end of last year). The requirement to enter your old password to change it was added as a response to the issue people claimed to have with randomly logging into someone else's NCsoft account when logging into their own. The reason that was changed back was because they couldn't duplicate that problem and, iirc, no one that happened to ever actually provided evidence of it happening when they did it.
The character name requirement, as I understand it, had nothing to do with the NCMA. |
Chrisworld
Would it be too crazy for me to suggest setting up a virtual machine or 2nd small PC with Linux on it just for the security? You could do your NCMA business only on that operating system, so your chances of being keylogged at the NCMA level are much lower. I ONLY log onto my NCMA from my Mac or iPod Touch, and change the passwords from there only. I think that is a pretty superior layer of security, given keyloggers are win32 applications. Don't count Linux out, it's even free. Now, the only GW password you would enter in Windows would be your GW acct pass. Just be smart where you browse and use super strong passwords. But mostly where you browse... as a super strong password means nothing for a keylogger, since that captures text.
Hackers go for people on Windows systems, because that's where GW is and that's the easiest target. Stop doing NCMA in Windows and do it in Linux, and you've just increased your NCMA security 1000 times over.
Cool Name
"Just be smart where you browse and use super strong passwords."
Just do this. Using Linux is overkill, and pretty much pointless. From reading this thread it seems the majority of stolen accounts don't come from keyloggers. They come from having usernames and passwords being stolen, and using them to try to get GW accounts.
The simple solution is don't use the same password for everything. If you are paranoid specifically about your GW account, change the email address to something you only use for your GW account. Using linux just to do one thing is pointless. (This is nothing against linux, just your reasoning for using it)
Chrisworld
Quote:
"Just be smart where you browse and use super strong passwords."
Just do this. Using Linux is overkill, and pretty much pointless. From reading this thread it seems the majority of stolen accounts don't come from keyloggers. They come from having usernames and passwords being stolen, and using them to try to get GW accounts. The simple solution is don't use the same password for everything. If you are paranoid specifically about your GW account, change the email address to something you only use for your GW account. Using Linux just to do one thing is pointless. (This is nothing against Linux, just your reasoning for using it) |
I'll revise it a bit: If you use Linux, Mac or iPod Touch/iPhone/iPad or Android phones for more than just a few things, do your NCMA on that rather than Windows, it'll be much more secure.
Crimson Robes
Starmidder
UPDATE: My account is now locked (wasn't locked as of Saturday night) and I have heard zero back from anyone at NCSoft. Customer service department should be renamed customer disservice as they have made a bad situation even worse by preventing me from just playing the damn game. It would be nice if SOMEONE from Arena Net would step in at some point during this process so I'm not dealing with the incompetency of NCSoft the entire time, but I guess that is too much to ask.
As someone else said earlier in this thread, if NCSoft has anything to do with GW2 in game, I will not be purchasing it.
Chthon
Quote:
Actually, to my understanding, the character name requirement was added as a counter to losing the account due to forum hackings (people using the same log-in credentials on forums and in-game losing their accounts; the problem got kinda bad towards the end of last year). The requirement to enter your old password to change it was added as a response to the issue people claimed to have with randomly logging into someone else's NCsoft account when logging into their own. The reason that was changed back was because they couldn't duplicate that problem and, iirc, no one that happened to ever actually provided evidence of it happening when they did it.
The character name requirement, as I understand it, had nothing to do with the NCMA. |
Quote:
No - the addition of the character name requirement was actually in direct response to the complaints about the NCMA. Ideally, it prevented someone who managed to hack the NCMA from accessing GW from the NCMA. At the same time there were a lot of people claiming their Aion accounts had been accessed from the NCMA glitch. It was actually the number of people losing their Aion accounts that called attention to GW and resulted in ANet including the security question.
|
Nyta
Quote:
No - the addition of the character name requirement was actually in direct response to the complaints about the NCMA. Ideally, it prevented someone who managed to hack the NCMA from accessing GW from the NCMA. At the same time there were a lot of people claiming their Aion accounts had been accessed from the NCMA glitch. It was actually the number of people losing their Aion accounts that called attention to GW and resulted in ANet including the security question.
|
Regarding the alleged security breach:
Quote:
Let me share a few details: We do not know that any accounts have been stolen through this reported security weakness. We have not confirmed if there is a weakness; we surely understand the concerns and comments, but we have not had an opportunity to test it. We made the "old password required" change as a conservative measure in the event that research does confirm a potential exploit. In other words, we took proactive measures, which I'm sure players appreciate. We do know that the vast majority of accounts have been stolen by people who: * Know the user name * Know the password * Do not change the password This means that getting into the NCMA to access the account isn't the method of choice for the RMT account hackers who have been so active in recent weeks. Fully half of the accounts they're stealing do not have an NCMA at all. Fred -- your account was stolen by an RMT, as you've been told. As far as we can tell, RMTs have not been involved in the reported security issue with NCMAs. -- Gaile 04:12, 2 January 2010 (UTC) |
Quote:
As you will have noted if you were playing within the last hour, we have instituted a new security measure for your account. And personally, I'm pretty darn happy about this! When you log into the game, you will be asked to supply the name of one of the characters on your account. "Why?" you may ask. Well, because nearly all of the accounts that have been stolen in recent months have been stolen by RMT (Real-Money Traders) who are getting access through external sources. And those RMTs will be very unlikely to know the names of characters on your account! Simple, eh? You give a name -- and remember to spell it exactly correctly, and to use proper capitalization -- and you will get access. If you have trouble or forget the names, support will be happy to assist you, of course. Please head to the FAQ for more info. And if you have feedback, you're welcome to share it here. -- Gaile 03:01, 22 December 2009 (UTC) |
Quote:
In December of 2009, players alerted us to a possible security issue with NCsoft Master Accounts. In order to maximize security while we researched the matter, we added an additional security requirement involving Guild Wars accounts. This secondary layer of security required a player who wanted to reset his game password not only to pass the security requirements for his NCsoft Master Account but also to input the game password in order to reset it. As you can imagine, most players who reset their passwords are doing so because they have forgotten the original password. So with that extra security requirement, players no longer were able to do a direct reset but instead were required to contact Guild Wars Support for help. This increased ticket volumes and response times, and players were unable to join Guild Wars while they awaited assistance. Both the Guild Wars and NCsoft teams conducted a lot of research on the reported security issue. The teams were unable to replicate the reported glitch and they could find no evidence that any Guild Wars accounts were stolen as a result of such an issue. We know there was confusion between fansite forums, websites, and game accounts themselves around that time; perhaps the issues that players reported were related to that confusion. We can state, though, that the security of the NCMA system checked out thoroughly. Because the NCMA system successfully passed all the research and testing that the teams conducted, we removed the secondary account password requirement a few weeks ago. We did this because the extra step is unnecessary, and because it causes our players significant inconvenience. If we see any indication—and we monitor daily—that account security requirements need to be increased or enhanced, we will take steps to do so immediately. 
But at this time, we feel confident that it is appropriate to allow players who have access to their NCsoft Master Account to go ahead and change their game password without requiring them to jump through additional hoops. Please let me know if you have any questions or concerns about this or any other support-related issues. I'll be happy to assist in any way possible. -- Gaile 18:54, 5 May 2010 (UTC) |
fortior
NCsoft: "Security? Naaah, if they get hacked they'll just buy a new account, brb making a grinding mmo"
this is such a load of bullshit NCsoft. Jesus christ man. AGAIN?
Iuris
NCsoft keeps saying that there's nothing wrong with the master account security. But for some reason, people would rather believe their "friend of a friend what got hacked" instead of considering that maybe that friend of a friend would rather not admit he's not as savvy and safe as he'd like to think himself to be...
fortior
distrust in a company isn't so strange when they remove security features and treat you like dirt when you need support..
Faer
I'm afraid I am going to have to close this, Starmidder, because it's starting to open a can of worms that we really don't need open right now. The whole topic of whether or not the NCMA Account Roulette bug ever/never existed isn't really something that is going to lead to any positive discussion and I'm cutting it off here before people get any more ridiculous about it. For anyone interested in the history, there is plenty on it in Gaile's wiki archives, both supporting and denying the existence of the error. People who care should go dig through those pages and PM each other about it for the time being, until we have another epidemic of compromised accounts, at which point discussion of this sort of problem might actually be able to be held intelligently, instead of being a bunch of "he said, she said" and "friend of a friend" nonsense. If enough people start having this problem again, and get some statements or documentation on it, feel free to be the first one to start the rally anew.
Regardless of the circumstances, know that we feel for your loss, and hope that Support gets everything straightened out with your account soon.