Account Security

Lania Elderfire

Academy Page

Join Date: Sep 2005

E/

This was originally posted on my userpage on Guildwars wiki. Several of my friends were asking me how they were hacked even though they had updated antivirus, browser, never opened any phishing emails etc... They were following the basic procedures deemed necessary by NCsoft and Anet. So as it turns out, one person's antivirus didn't pick up a keylogger, and neither did Spybot. Other people had similar issues where their updated security software was insufficient to keep their account secure. This "rant" is a set of criticisms about NCsoft's outdated security measures and practices, and how people can defend against certain flaws, and dispel some of the myths with the NCMA... and I thought I'd post this here since my page on the wiki had a total of 4 views since yesterday and the more people reading this and spreading the word, the better IMO; and if anyone has anything else to add, I'd update this as needed.

==A change of heart==
A month ago I would have said to someone who had their account hacked to update your anti-virus, check your firewall, download this, run that scan, etc etc, and I would have defended Anet's security and rode the "blame the ignorant user" bandwagon. But I came to the conclusion... Why should we (the customer) spend time and money to download/buy antiviruses, run lengthy scans, and learn how to use an outbound firewall, and spend a lot of time learning scattered and conflicting information about cybersecurity. I'm not saying that people shouldn't learn about internet security, but I think it's unreasonable to expect everyone to be well versed in cybersecurity to keep their account secure. Yeah there aren't any "vulnerabilities" inherent in the system that NCsoft and Anet uses... but their security practices are outdated compared to the industry average, and improved security practices could and would prevent a very large number of account hackings, saving the time of the support staff to concentrate on other matters like botting, cheating, misconduct etc.

==What's wrong with their security?==

===Password changes are direct without intermediate authorization steps.===
:The NCsoft master account allows anyone to change the game password without knowledge of the current game password. After the password change, the victim is only informed that the password has changed and to contact support immediately if they did not change the password. This makes it such that the attacker would only need the credentials for the NCsoft master account to steal your game account.
===There are no mechanisms in place to defeat keyloggers.===
:Let’s face it, tens of millions of computers around the world are infected with some type of virus/worm/keylogger/malware/etc etc. No single antivirus solution is able to detect 100% of these threats, and there are many new variants that can’t be detected by any antivirus that lacks good heuristics. Even the industry leading behavioral engine can only detect up to 75% of new threats that aren’t contained in the virus definition file. On top of that, Windows firewall is not very good at detecting unauthorized outbound connections that keyloggers use to send their payload to a remote server.
:There are certain things you can do to reduce the chance of getting keylogged... When logging into NCMA allow the browser to remember the password, if you are using a private computer. This will allow logins without typing anything. Using a browser that allows the user to set a master password will add another layer of security since even if they keylogged the master password, they still can’t keylog the actual account credential. Also, again if you have a PRIVATE computer that ONLY you use you can use command lines for character, password, and email such that you don’t need to type anything. Now this will open the computer up to remote attacks designed to steal credentials stored in shortcuts and browser profiles. Ones that steal credentials from shortcuts are very rare... in fact I’ve never heard of such a thing. However, malware that steals browser profile files does exist, but is nowhere near as common as keyloggers, but that can be mitigated by using master passwords to protect the saved passwords, if the browser supports it.
===Secondary credentials needed to access the account is widely known===
:Character name. Now that “did” add one more level of security, however many people use their exact character names for forums and wiki user pages, while other people use variants of their in game name which can be easily matched by guessing. This made the “added” security meaningless for many people, while others forgot their ingame name because this system didn’t exist before when they quit the game. For hackers that don’t know the character name but know the password and email, all the hacker would have to do is send a phishing email asking just for the character name. There are many ways to do this, for example, the phisher can say that “you have won an ingame prize for 15 ectos on a random NCsoft sweepstakes, please reply with your ingame name so that we can contact you in game to give you your prize.” There are many variants to this and since they aren’t asking for the password, the victim is more likely to give away the character name. With the advent of the HOM calculator, people are more likely now to advertise their character name to show off their “stuff” despite the ability to use the in calculator link to hide the character name.
===NCsoft and Anet believes that obscurity is security===
:This is actually a fairly common practice among most companies. For example, vulnerabilities in various Adobe software have been known for a long time. Details in many cases are never released, even if it is being actively exploited because in their view, “if” the details are released then the number of exploitations will dramatically increase. So many companies like Adobe take their time until they release a patch. Apple has been guilty of this as well with the knowledge that most viruses are built for Windows systems, they have been lax in closing vulnerabilities that many types of malware could exploit because those malware didn’t exist in the past. But with recent upsurge in MacOSX marketshare, viruses and exploits that target Apple software are becoming more common and now they are taking a more proactive approach. Unlike Apple which are changing their philosophy, NCsoft and Anet haven’t changed their philosophy and don’t believe in proactively closing possible vulnerabilities that are either obscure or rare in a timely manner. Communication of security issues should be relayed in-game automatically like the Aionsource security breach, the dangers of having common passwords for forums and game accounts, but that never happens.
===NCsoft and Anet does not believe that successful exploits do not equate to vulnerability===
:This has more to do with outdated security practices than anything else. Yes their system works just fine, and no successful theft of account credentials were obtained by breaking into the actual secure NCsoft or Anet servers. That’s because hackers don’t need to. Breaking into secure servers from an outside source is actually quite a rare occurrence. It is “MUCH” easier to fool an ignorant employee into opening an attachment containing a virus to steal information. For example, let’s say hackers want to steal blueprints and schematics for a novel microprocessor. Now that data is securely stored in the main server safe and sound. But the head engineer works on it very often so he has a copy on his laptop and flash drive. The hackers, determined to steal the schematic, obtain as much information as possible about the engineer to craft a personalized phishing email. The engineer clicks on the link in the email which took him to an attack site designed to exploit a flaw in his favorite web browser that allows driveby downloads. The engineer unknowingly downloads a malware designed to steal that very data the hackers are wanting to get, while the engineer mistakenly thinks this well crafted phishing attempt was a message from a love interest from a long time ago wanting to get together again. The above scenario occurs in the tech industry fairly often due to lax net security policies or lax enforcement of said policies and due to the value of the information for competitors and to nations that are playing catchup.
:Now value for value, guildwars accounts aren’t worth that much so phishing emails are generic, nondescript, and they are fairly easy to spot. However account theft via phishing, keylogging, trojans, hacking fansites, and other methods are the “ONLY” way hackers are stealing accounts. Hackers aren’t attacking the main gamer server. The average computer user and gamer is quite ignorant of what constitutes secure Internet practices, and Anet and NCsoft has been ineffective in educating the gamer community. Much like the engineer that specialized in semiconductor physics and assembly code, his knowledge of modern cybersecurity practices was outdated. I truly do not think that it is the sole responsibility of the gamers and clients to educate themselves to keep things secure. Much like a responsible IT department at a large corporation communicates clearly and effectively with every single employee, Anet and NCsoft should figure out how to communicate with every single active player via mass emails or ingame messages or anything. Modern IT now recognizes the potential vulnerability an ignorant workforce poses, and I think Anet and NCsoft should recognize that too.
===NCsoft support login is not encrypted===
:This is not the NCsoft master account, it is the support page at NCsoft, here...http://help.ncsoft.com/cgi-bin/ncsof...acct_login.php. If you notice, there is no https on that site. When you log into the system the login name and password are sent through as plain text, which can be easily intercepted using password sniffers in the local area network. This becomes a problem when someone has the same login name and password as the NCMA for the NCsoft support system. An easy way to avoid this issue is to simply change your password such that it is different than the NCMA. Remember there are two different log in systems for NCsoft... one for support, and the other for the master account. The one for support is not encrypted while the one for NCMA is. Also if you had communicated about account keys, the hacker can take these keys from the support logs associated with the account, leading to another way of stealing your account.
==Vulnerabilities not directly associated with NCMA or the game system.==
===Forums have atrocious security===
:Now most have heard that forums are unsafe, don’t use the same password for everything etc etc... Why aren’t they safe? Well to start, most forums do not use SSL or any encryption techniques to encrypt the password as it gets sent for authorization. For example, Aionsource’s forum’s login and GWW/Gwiki/etc is sent via standard HTTP with no encryption. If someone on the network is using a man in the middle attack with a password sniffer, it can be easily extracted from the packet or packets containing the credentials. Guildwarsguru is a bit smarter. Their login is still unencrypted but the password is hashed via MD5 encryption. So if someone is using a password sniffer, they would get the MD5 hash for the password instead of plain text. While MD5 provides some security it is still quite easy to decrypt MD5 hashes.
:Now what the heck is a man in the middle attack? This is a problem with institutions that have very large networks. The most common source of these attacks occur in corporations, universities, and generally the attack must occur locally. The attacker would either poison an unprotected wireless router with fake ARP requests to spoof the attacker’s MAC address with the victims. Now this is a multi-step process but there are malicious tool kits available that automate this. Once it’s successfully spoofed, the router sends the information to the attacker’s computer, allowing the attacker to capture packets. On a wired connection, another thing an attacker can do is to plug in their computer to a monitoring port on network routers.
:Now there are ways to do this remotely, but it is a lot more difficult. One would have to spread a bot-net that performs the same function as an attacker that captures passwords and poisons ARP requests automatically, as it sends captured passwords to a remote server. Also, same kinds of malware can be uploaded to major ISP’s and with knowledge of their internal network structure, they can capture any password that goes through that local ISP.
:So... this is why you don’t use the same passwords for everything.

===Can someone sniff my password when I log into the NCMA or when I log into guildwars?===
:To put it simply, that would be quite difficult to do. The NCMA login system uses SSL encryption, and while SSL is not fool proof, it would take a very dedicated hacker to crack it... and only to crack one password. It’s just not efficient to harvest passwords in this manner. The guildwars log in at first glance seems unsecure. It uses an unencrypted HTTP connection through port 80. But the login credentials are obfuscated and uses an unknown encryption scheme. But the packets containing the credentials are only about 300 bytes so it wouldn’t be unreasonable to expect that a dedicated hacker can crack it... but again we run into the same efficiency problem. Like I said before, using a keylogger is much simpler than trying to crack the encryption.
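
Added example, not part of the original post and not any forum's actual code: a small model of the "MD5 hash sent over plain HTTP" login described in the post above, next to a variant that mixes a fresh server nonce into each login. The class names, the sample user and the sample password are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def client_response(password_hash: str, nonce: str) -> str:
    """What the login form's script would send: HMAC over the server's nonce."""
    return hmac.new(password_hash.encode(), nonce.encode(), hashlib.sha256).hexdigest()


class StaticHashLogin:
    """Scheme from the post: the browser sends md5(password) over plain HTTP."""

    def __init__(self):
        self.users = {}  # username -> md5(password)

    def register(self, user: str, password: str) -> None:
        self.users[user] = md5_hex(password)

    def verify(self, user: str, submitted_hash: str) -> bool:
        # The server only ever compares hashes, so the hash itself is the credential.
        return hmac.compare_digest(self.users.get(user, ""), submitted_hash)


class ChallengeLogin:
    """Variant: every attempt must answer a nonce that is valid exactly once."""

    def __init__(self):
        self.users = {}       # username -> md5(password); still sensitive at rest
        self.challenges = {}  # username -> nonce issued for the next attempt

    def register(self, user: str, password: str) -> None:
        self.users[user] = md5_hex(password)

    def new_challenge(self, user: str) -> str:
        nonce = secrets.token_hex(16)
        self.challenges[user] = nonce
        return nonce

    def verify(self, user: str, response: str) -> bool:
        nonce = self.challenges.pop(user, None)  # consumed even when the check fails
        stored = self.users.get(user)
        if nonce is None or stored is None:
            return False
        return hmac.compare_digest(client_response(stored, nonce), response)


def demo() -> dict:
    password = "correct horse 42"  # constructed sample credential
    static, challenge = StaticHashLogin(), ChallengeLogin()
    static.register("player1", password)
    challenge.register("player1", password)

    # Values that cross the unencrypted network during one legitimate login.
    seen_static = md5_hex(password)
    nonce = challenge.new_challenge("player1")
    seen_response = client_response(md5_hex(password), nonce)
    legit_ok = challenge.verify("player1", seen_response)

    # The same recorded values are submitted again later.
    challenge.new_challenge("player1")
    return {
        "static_replay_accepted": static.verify("player1", seen_static),
        "challenge_legit_accepted": legit_ok,
        "challenge_replay_accepted": challenge.verify("player1", seen_response),
    }


if __name__ == "__main__":
    print(demo())
```

The nonce only removes replay of a recorded login; an observer can still test password guesses offline against a recorded nonce and response, so sending the login over TLS remains the actual fix.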

Aljasha

Krytan Explorer

Join Date: May 2009

Regardless of the known account issues, most people who complain on forums being hacked have a lacking knowledge of how to protect data. Getting a keylogger or any malware is mostly due to dubious browsing activity.

Personally I'd be fine if they fixed some minor issues on password security and provided enough tools to restore accounts individually to a state before the hack happened.

End

Forge Runner

Join Date: Jan 2008

Rubbing Potassium on water fountains.

LF guild that teaches MTSC (did it long ago before gw2 came out and I quit...but I barely remember)

N/A

And which part of this is new?

Spookii

Krytan Explorer

Join Date: Jan 2008

Southeast, USA

N/

Quote:
Originally Posted by End
And which part of this is new?
I believe they're just posting information to help other players protect themselves against hackers. Old information to you may be new information to someone else.

End

Forge Runner

Join Date: Jan 2008

Rubbing Potassium on water fountains.

LF guild that teaches MTSC (did it long ago before gw2 came out and I quit...but I barely remember)

N/A

Quote:
Originally Posted by Spookii
I believe they're just posting information to help other players protect themselves against hackers. Old information to you may be new information to someone else.
I spose I guess I'm coming from the idea that all this is common knowledge by now but I guess some newer players haven't heard I guess.

Can we get

Code:
tl;dr: Ncsoft Security and the NCMA suck and don't trust them at all
added at the end.

Isfit

Lion's Arch Merchant

Join Date: Nov 2006

Vienna

D/

Quote:
Originally Posted by Lania Elderfire
===Password changes are direct without intermediate authorization steps.===
:The NCsoft master account allows anyone to change the game password without knowledge of the current game password. After the password change, the victim is only informed that the password has changed and to contact support immediately if they did not change the password. This makes it such that the attacker would only need the credentials for the NCsoft master account to steal your game account.
This was what got me. I forgot that I had an old password on my Master-Account and well they changed the pw from my GW account.
This is a security step that can be changed in less than 5 minutes and many problems would resolve themselves.
It is just a bad joke that something like that is even possible.

caballo_oscuro

Krytan Explorer

Join Date: Aug 2008

Aura

While I agree NCsoft could do more to secure their systems and the game we all play, the security of your own computer IS your responsibility. Security is only as strong as the weakest point. It doesn't matter what Anet does, the vast majority of game thefts are down to the user not being diligent in their own security.

Software engineers can only do so much, and while they can do a huge amount, the weakest link in account theft is almost always down to some oversight by the end user, or even just accidental use of their computer, but still inviting unwanted software onto their system.

I agree that all the steps you suggest are important, but the user needs to learn to secure their system. It's not too hard to learn a few basic security techniques, like password protecting their Windows account and using a separate administrator account, making their everyday account a standard user. This can mitigate about 90% of accidental installations of malware.

Password complexity is a good idea, using varieties of letters, numbers, punctuation and other symbols.

I think it would be a good idea for Anet to implement an RSA key system as an optional technique. Many companies use the small password generating tokens for remote users and even blizzard sells one for users of warcraft. I think all online games should definitely implement this.

Seriously though you wouldn't leave your car unlocked and then blame the manufacturer when it gets stolen so why don't you use the security systems on your computer?

Riot Narita

Desert Nomad

Join Date: Apr 2007

Quote:
Originally Posted by caballo_oscuro
While I agree NCsoft could do more to secure their systems and the game we all play, the security of your own computer IS your responsibility. Security is only as strong as the weakest point.
Unfortunately NCsoft IS the weakest point, for anyone who DOES take all the usual personal precautions.

Last year, thieves found a way to randomly get into someone else's NCsoft master account. Once in the master account, it didn't matter how good your password was, what good practices you'd used, what precautions you'd taken. It was all for naught, the master account allowed thieves to bypass it all. NOTHING could protect you from being robbed in this way, except blind luck.

Even now, the only thing standing between you and the same thing happening with any current or future master account exploit... is your character name.

So now we have to protect our email addresses and character names, and never post them in such a way that they could be matched/linked/traced to the details visible in the master account.

That sucks. You either conceal your email address, or make a disposable address for your game account. We shouldn't have to do either of those, to make up for poor security at A-Net/NCsoft.

And our IGN's simply shouldn't form part of our login security. We should be able to post our IGN's willy-nilly, anywhere and everywhere, without a care. A-Net was forced to implement that, because otherwise there was no protection against thieves using the master accounts. They shouldn't have had to do that. NCsoft should have taken security seriously, and dealt with it promptly and properly. They did neither. They eventually put in a change, so that you had to know the old GW password before you could set a new one using the master account. But once the dust had settled... they took it out again! Such incompetence beggars belief.

"NCsoft, you ARE the weakest link. Goodbye."
Quote:
Originally Posted by caballo_oscuro
I think it would be a good idea for Anet to implement an RSA key system as an optional technique. Many companies use the small password generating tokens for remote users and even blizzard sells one for users of warcraft. I think all online games should definitely implement this.
I really, really hope we see something like that for GW2. I'd pay for that option.

Lania Elderfire

Academy Page

Join Date: Sep 2005

E/

Quote:
Originally Posted by caballo_oscuro
While I agree NCsoft could do more to secure their systems and the game we all play, the security of your own computer IS your responsibility. Security is only as strong as the weakest point.
The problem is that NCsoft's practices are far below the industry standard for a major MMO company and dismal when it comes to the industry standard for online identity verification.

Learning is an obstacle, and most "cybersecurity" websites and tutorials contain conflicting, unclear, and inaccessible information for the layman. Time is also an issue, learning from scratch about cybersecurity takes a long time... you need to learn definitions, lingo, and concepts that are quite abstract for the uninitiated. This makes learning something like that not only a hassle, but completely unenjoyable. There is so much misinformation out there, that only people experienced in cybersecurity can weed out the noise.

What Anet and NCsoft needs to do better is communication. This is not a new complaint. People have said that for years, and their communications skills have only degraded. Important security issues/news aren't being relayed efficiently with clear unambiguous language to the general player base. Sure guru and wiki users get the news really quickly, but how many GW gamers actually read wiki talk pages, and the guru forum on a daily basis?

Also they should be publishing a monthly or bimonthly report of the top account hack methods used and ways to prevent such an attack. An example is this http://www.symantec.com/business/the...d=threatreport. The report contains top threat trends, possible future trends, and recommendations for IT practices to mitigate these threats.

sykoone

Jungle Guide

Join Date: Dec 2005

Mystical Chaos

E/

My NCMA was recently hacked. They somehow managed to get in, change my contact email, and then my game passwords, all without me getting an email. While support was very quick to get my account restored, it left me wondering how I was compromised in the first place. I can't remember the last time I accessed my NCMA, and since I'm the only one that uses this pc, I have my game login info tied to a shortcut, so they couldn't have gotten any information via keylogger. All I can think of is that they somehow either cracked NCSoft's site again.

It all boils down to NCSoft needing better security. When I managed to get access back, I was able to change my passwords without needing anything at all. The NCMA asked for the old password to change, but if you're already logged in of course you've got that one. I was able to change my game password without needing the old one, and only got an email saying it had been done after I had changed it.

If it required knowledge of the existing passwords before you could change your game passwords, or confirmation via email that the password was being changed, that would be a huge step up in security. As for changing the contact email, I should have received a verification that the contact was being changed. Perhaps I would have been able to stop the thieves sooner.
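
Added example, not part of the original post and not NCsoft's code: a minimal model of the two password-change flows this thread keeps returning to, the direct change from a logged-in master account and a change that needs the current game password plus confirmation from the contact mailbox. MasterAccount, TOKEN_TTL and the outbox list standing in for e-mail are hypothetical names.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60  # seconds a confirmation token stays valid (assumed value)


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, deliberately slow hash for stored passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class MasterAccount:
    """Hypothetical master account that controls one game password."""

    def __init__(self, email: str, game_password: str):
        self.email = email
        self.salt = secrets.token_bytes(16)
        self.game_hash = hash_password(game_password, self.salt)
        self.pending = {}  # sha256(token) -> (new password hash, expiry time)
        self.outbox = []   # (recipient, kind, payload) tuples standing in for e-mail

    def check_game_password(self, candidate: str) -> bool:
        return hmac.compare_digest(self.game_hash, hash_password(candidate, self.salt))

    # Flow described in the thread: a master-account session is all that is needed,
    # and the owner hears about it only after the fact.
    def change_direct(self, new_password: str) -> bool:
        self.game_hash = hash_password(new_password, self.salt)
        self.outbox.append((self.email, "changed", ""))
        return True

    # Hardened flow, step 1: prove knowledge of the current game password, then
    # park the change until the owner of the contact mailbox confirms it.
    def request_change(self, old_password: str, new_password: str, now=None) -> bool:
        now = time.time() if now is None else now
        if not self.check_game_password(old_password):
            self.outbox.append((self.email, "rejected", ""))  # alert the owner
            return False
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()  # store only a hash of the token
        self.pending[key] = (hash_password(new_password, self.salt), now + TOKEN_TTL)
        self.outbox.append((self.email, "confirm", token))
        return True

    # Hardened flow, step 2: the token from the e-mail applies the change once.
    def confirm_change(self, token: str, now=None) -> bool:
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(key, None)  # single use, also when expired
        if entry is None or now > entry[1]:
            return False
        self.game_hash = entry[0]
        self.outbox.append((self.email, "changed", ""))
        return True


if __name__ == "__main__":
    acct = MasterAccount("owner@example.invalid", "old-game-pw")  # constructed data
    print("wrong old password accepted:", acct.request_change("guess", "intruder-pw"))
    print("request with old password:", acct.request_change("old-game-pw", "new-game-pw"))
    print("still old password before confirm:", acct.check_game_password("old-game-pw"))
    print("confirmed:", acct.confirm_change(acct.outbox[-1][2]))
```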

Braxton619

Desert Nomad

Join Date: Jul 2008

A/W

NCSoft's security is horrible right now. About a week ago my NCMA was hacked, and reset the password on all my GW accounts. Then they were all blocked because a gold seller hacked into them. Nothing was stolen or anything. Thank goodness! I got all my accounts unlocked a few days later.

NCSoft please delete the concept of NCMA or improve it. Thanks!

Here is one improvement to the NCMA:

The user is not able to do any changes to the GW accounts. In order to reset or change the password to a GW account, the user must provide an access key # on the account. If you try to reset the password on the client, you must enter a valid character name and then the email.

Basically if a user hacks into your NCMA, you're done for.

makosi

Grotto Attendant

Join Date: Mar 2006

"Pre-nerf" is incorrect. It's pre-buff.

Requirement Begins With R [notQ]

Me/

I claim ignorance to internet security and programming so please tell me if my suggestion is useless, easy to circumvent or otherwise inefficient. Here goes:

Would it be possible for the developers to add a check box to the Guild Wars client's log-in screen with something like this?:

Quote:
[x] Only allow this account to log in to Guild Wars on this computer.
or

Quote:
[x] Only allow this account to log in to Guild Wars at this IP address.
It might cause other problems but at least it would be an optional security measure.

North Dragon Slayer

Academy Page

Join Date: Sep 2008

USA

W/A

I myself have been playing guildwars for 4 years active and personally i beleive if you get hacked its "the players" fault. Usually these hackings happen because you go on forums and use your same email address and password as your guildwars information, as shown on when guildwars guru was hacked... and yet people continue to use the same info....really dumb.
Honestly all you need is 2 email adresses to keep your account's safe.
I use my 1st email for when I Dl a game and need it to varify,
For just about anything else IE, forums, i use my second email address.
Also for my email address's i use 2 different passwords that i Do NOT use for anything else to make it less likely for people to get my game and my email address making it nearly impossible to get an account back.

Also for making passwords just use acronyms with words and numbers in random places that is really easy for you to remember but really hard for other people to guess, really they don't even need to be long....

Ya ya i know there are a few misspellings...but seriously who needs spelling when you have guildwars.....

lemming

The Hotshot

Join Date: May 2006

Honolulu

International District [id???]

Quote:
Originally Posted by North Dragon Slayer
Ya ya i know there are a few misspellings...but seriously who needs spelling when you have guildwars.....
You might not need spelling, but you need to read threads before you post in them.

Perkunas

Jungle Guide

Join Date: Aug 2006

In my own little world, looking at yours

Only Us[NotU]

E/

A password is like a door lock, "It just keeps the honest man honest". If someone wants in bad enough, they will get in.

I guess a person can be paranoid and change their password every so often. Does that make your account safer? Who knows. Does having the same password, you started with 5 or 6 years ago, mean your account is more vulnerable than it would be if you changed it weekly? Again, who knows, as you have to go through someone with known security issues, to change it.

Lania Elderfire

Academy Page

Join Date: Sep 2005

E/

Quote:
Originally Posted by makosi
I claim ignorance to internet security and programming so please tell me if my suggestion is useless, easy to circumvent or otherwise inefficient. Here goes:

Would it be possible for the developers to add a check box to the Guild Wars client's log-in screen with something like this?:

[x] Only allow this account to log in to Guild Wars on this computer.

or

[x] Only allow this account to log in to Guild Wars at this IP address.

It might cause other problems but at least it would be an optional security measure.
The IP thing would cause problems since most people don't have static IP's, but rather dynamic IP's that change over time. The computer ID verification is something that is fairly commonly used by various online banking systems, and would be something that would be great for the guildwars client IMO.

There are other systems that are also common like online site keys that are unique per account, and this would help defend against phishing attacks. This would be something useful for the NCMA login site to make it more secure where it is a multistep log in system. You type in your username and hit enter. Then it will show a site key (usually an image with a user made phrase), and if you don't recognize it, then it is unsafe to enter the password, but if you do recognize it then it's likely safe.

NCsoft doesn't have to invent anything new. All they'd have to do is look at what is around/available... see what works etc and use a similar system. Online banking is usually fairly secure with multiple redundant security steps. This is necessary because the average online bank user is even less informed about account security than the average gamer...and the target is very high value. But some of the systems are fairly annoying to get through, so they'd have to balance usability and security.

Riot Narita

Desert Nomad

Join Date: Apr 2007

Quote:
Originally Posted by North Dragon Slayer
i beleive if you get hacked its "the players" fault.
Most often it IS the players fault. But, when flaws in the NCsoft master account are exploited, it doesn't matter how smart you are about logins, emails, passwords:
Quote:
Originally Posted by Riot Narita
Jeez. I can't believe that after all this time, people STILL don't get it.

If thieves get into your NCsoft master account, THEY DON'T NEED ANY PASSWORDS

Of course everyone should use different, strong passwords for everything.
But that is NO USE whatsoever when NCsoft's security is breached.

Last year they were getting into people's NCsoft master accounts... WITHOUT KNOWING THE PASSWORD for those master accounts.
Once they're in your master account, they can set a new GW password WITHOUT KNOWING THE OLD ONE.

And it's sounding to me like they may have found a new way into the master accounts.

Which is why your IGN is so important to protect. Every time a flaw is found and exploited in the NCsoft master account "security"... character name is your ONLY protection against the thieves. It's the one thing they can't see/change in the master account.

Lensor

Ascalonian Squire

Join Date: Jan 2008

These are the things I would want:
a) authenticators (optional, so people who are convinced they are too good at security to get hacked can skip them).
and
b) optional delete locks (account restore has been said not to be possible due to database issues; rolling back one character means rolling back the entire game).

Of course, better NCMA practices would be great too.

And since NO antivirus/firewall is 100% secure, telling people it is "their fault" for getting hacked is just ignorant. Sure, poor security practices (like using the same e-mail/password at forums etc) increase your likelihood of getting hacked manyfold, but people with good practices can and do get hacked also. People who have not been hacked have been lucky, not good.

Iuris

Forge Runner

Join Date: Nov 2006

Crazy ducks from the Forest

W/

While I'm not really happy about resetting any passwords without either knowing the previous password or direct contact with support, I would point out one thing:

Anet and NCsoft have already stated that the alleged vulnerability of the NC master accounts was not confirmed. I remember the statement that half of the accounts that claimed to have been hacked did not even HAVE an NC master account - not that it wasn't used, in half the cases there wasn't an existing account to use at all. People who got into accounts got in by already having the passwords.

Just because it gets repeated on the forums ad nauseam doesn't make it true.

Riot Narita

Desert Nomad

Join Date: Apr 2007

Quote:
Originally Posted by Iuris
Anet and NCsoft have already stated that the alleged vulnerability of the NC master accounts was not confirmed. I remember the statement that half of the accounts that claimed to have been hacked did not even HAVE an NC master account - not that it wasn't used, in half the cases there wasn't an existing account to use at all. People who got into accounts got in by already having the passwords.
There are many ways accounts get robbed. Nobody is saying that ALL thefts were due to NCsoft master account.

The evidence at the time, posted on both GW and Aion forums showed that a proportion of account thefts were indeed due to an NCsoft security failure that was being exploited. Regardless of whether NCsoft wanted to "state" a "confirmation" of it.

Also, do you seriously trust the word of a company that thinks it's good practice to remove the requirement of entering the old GW password, before letting you set a new one? Do you seriously think they would have put in that requirement (temporarily) in the first place, if there wasn't a problem?

This is a company that thinks it's acceptable to have login screens that tell you if you guessed a valid ID, or the answer to one of the security questions etc etc etc. They are clueless, and not to be trusted.

Quote:
Originally Posted by Iuris View Post
Just because it gets repeated on the forums ad nauseam doesn't make it true.
By the same token, just because you don't want to believe it... doesn't make it untrue, or impossible. And you cannot deny that if/when a master account vulnerability is found and exploited... NCsoft have done nothing to limit or prevent the resulting damage - quite the opposite.
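The login-screen behaviour criticised in the post above (a form that reveals whether an ID exists) next to a form that does not, as an added example that is not part of the original thread or of NCsoft's code. The account store, messages and function names are constructed for illustration.

```python
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    # Deliberately slow password hash so that guessing is expensive.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_record(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt)}


# Constructed sample data: one real account and one dummy record.
KNOWN_ID = "player@example.com"
KNOWN_PASSWORD = "correct horse battery staple"
USERS = {KNOWN_ID: make_record(KNOWN_PASSWORD)}
# The dummy record lets the uniform login do the same hashing work for
# unknown IDs, so response time does not reveal what the message hides.
_DUMMY = make_record("not-a-real-account")


def login_leaky(user_id: str, password: str) -> str:
    """Weak form: distinct answers for 'no such ID' and 'wrong password'."""
    record = USERS.get(user_id)
    if record is None:
        return "Unknown account ID"
    if not hmac.compare_digest(_hash(password, record["salt"]), record["hash"]):
        return "Wrong password"
    return "OK"


def login_uniform(user_id: str, password: str) -> str:
    """Hardened form: one failure message, same work on every path."""
    record = USERS.get(user_id)
    target = record if record is not None else _DUMMY
    matches = hmac.compare_digest(_hash(password, target["salt"]), target["hash"])
    if record is None or not matches:
        return "Invalid ID or password"
    return "OK"


def leaks_account_existence(login_fn) -> bool:
    """Regression check: does a failed login differ for real vs. unknown IDs?"""
    wrong = "definitely-not-the-password"
    return login_fn(KNOWN_ID, wrong) != login_fn("nobody@example.com", wrong)


if __name__ == "__main__":
    print("leaky form leaks:  ", leaks_account_existence(login_leaky))
    print("uniform form leaks:", leaks_account_existence(login_uniform))
```

The same check applies to a security-question or password-reset form: any response that differs between "account exists" and "account does not exist" hands out a list of valid IDs.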

Iuris

Forge Runner

Join Date: Nov 2006

Crazy ducks from the Forest

W/

I don't remember any evidence, actually. Allegations, yes, enough that Anet and NCsoft added the security question and investigated further. However, upon investigation, they found no evidence of the "random NC account access" bug.

Quote:
And you cannot deny that if/when a master account vulnerability is found and exploited... NCsoft have done nothing to limit or prevent the resulting damage - quite the opposite.
That, I don't deny. I'm NOT happy about being able to change passwords without actually having those passwords (at least, not without contacting support).

The point I'm making is that we have allegations, Anet/NC investigation, and no confirming evidence found by the investigation. Yet the forums start with the assumption that a vulnerability exists.

Riot Narita

Desert Nomad

Join Date: Apr 2007

Quote:
Originally Posted by Iuris View Post
I don't remember any evidence, actually. Allegations, yes, enough that Anet and NCsoft added the security question and investigated further. However, upon investigation, they found no evidence of the "random NC account access" bug.
I consider the evidence, tests and analyses posted by Erys Vasburg, Martin Alvito etc back in January to be conclusive. Did you read all that stuff?

And like I said, I simply can't trust anything NCsoft says. Given the pathetic and sub-industry-standard "security" that we plainly see on the NCsoft site - I put no faith in their "investigation", nor do I believe that if they did find a flaw they would own up to it.

Well, you're free to believe whatever you want to believe. I've made it clear what I believe, and it's not because I am prone to alarmist paranoia. And sorry - but I will continue to slag off NCsoft when the opportunity arises, until they provide something approaching "good practice". Because they shouldn't be allowed to continue with their cavalier approach to security.

Meanwhile I just pray that A-net does what they can to make GW2 immune to master account vulnerabilities - be they real or imagined. They did it for GW1 (character name requirement) but that was hardly a satisfactory solution.

bsoltan

Site Contributor

Join Date: Dec 2005

UK

[SoF]

Quote:
Originally Posted by Perkunas View Post
A password is like a door lock, "It just keeps the honest man honest". If someone wants in bad enough, they will get in.

I guess a person can be paranoid and change their password every so often. Does that make your account safer? Who knows. Does having the same password, you started with 5 or 6 years ago, mean your account is more vulnerable than it would be if you changed it weekly? Again, who knows, as you have to go through someone with known security issues, to change it.
That depends how strong the password (or door lock) is though. With a strong enough and unique password no one is going to 'crack' it.
If your password is strong enough there is no reason to change it, of course this doesn't stop a keylogger or security flaw from being the culprit but those risks can be minimised as well.

Longasc

Forge Runner

Join Date: May 2005

The bottom line is:

1. NCSoft's account security is well below the average
2. Their no restoration policy is atrocious

Iuris

Forge Runner

Join Date: Nov 2006

Crazy ducks from the Forest

W/

Quote:
Originally Posted by Riot Narita View Post
I consider the evidence, tests and analyses posted by Erys Vasburg, Martin Alvito etc back in January to be conclusive. Did you read all that stuff?
http://www.guildwarsguru.com/forum/a...t10419779.html

Yes, I did read it at the time. Now take a look at the official comments, posted in updates in the first post of the topic.

There is no evidence there. There's a lot of screaming and forum posting, but no confirmations. Amazing how people got into other people's accounts - and not a single one took a screeny as proof. Everyone just calmly logged out. Strange, isn't it?

As I said - these are allegations, not evidence.

And you forget the bottom line, in a later post by Martin Kerstein:

Quote:
Heya,

Gaile posted an update on her support page on this issue:

In December of 2009, players raised concerns about the security of NCsoft Master Accounts. While we investigated those concerns, we added a second layer of security that required players to input their game password before making a change, even though they already had logged into their NCMA and had passed its security measures.

After extensive research, the Guild Wars and NCsoft teams were unable to identify any security breaches in the NCsoft Master Account system. This means that the delays that customers were experiencing related to account resets added no value from a security standpoint. We removed the second password requirement a few weeks ago. We have monitored daily for any upswing in stolen accounts and have seen no increase whatsoever. We will continue to monitor the situation and if we notice any adverse effects as a result of the change, we will address the issue immediately. Please see Gaile's Support Page for more detailed information.
And I know you know it, Riot Narita. Nice strawman you put in right in the next post, starting with the assumption that the gate was open and horses free to run, instead of recognizing that the stable hand has, upon notification that the door was open, added a second door, and having looked and found the original door locked, decided to remove the second door.

Riot Narita

Desert Nomad

Join Date: Apr 2007

Iuris, like I said - you can believe whatever you want to believe.

You can believe that A-net and NCsoft are 100% open, honest and upfront, if you want. I don't.

You can believe that all allegations against them are false, if you want. I don't.

You can dismiss all evidence, that hasn't been "confirmed" by A-Net or NCsoft, if you want. I don't.

This isn't because I suffer from some irrational hatred. And I don't blindly take all allegations seriously.

I take the view I do, because back in January there was too much that just didn't add up, and that couldn't be explained away by "official statements". And because anyone can see for themselves how sub-standard the security is on the master accounts... never mind the detailed tests and analyses that have been posted - and the list of tested vulnerabilities that Cthon compiled. And yet they do nothing to improve it, they even take backward steps, and meanwhile they tell us that their security is great.

I think your trust in NCsoft (or their PR) is very, very misplaced.
Quote:
Originally Posted by Iuris View Post
Now take a look at the official comments, posted in updates in the first post of the topic.
Pointless. Since I no longer consider their "official statements" trustworthy - for the reasons above.

Quote:
Originally Posted by Iuris View Post
There is no evidence there. There's a lot of screaming and forum posting, but no confirmations.
Evidence is there, but you don't choose to believe it. E.g. I consider the likes of faer and fenix to be trustworthy - and if they confirm that it is real, or they have duplicated it - I believe them. There is plenty more, although some of it has been deleted since it was originally posted.

Quote:
Originally Posted by Iuris View Post
Amazing how people got into other people's accounts - and not a single one took a screeny as proof. Everyone just calmly logged out. Strange, isn't it?
No, what's strange is you thinking there would be screenshots, and that a lack of screenshots proves anything.

Of course there are no screenshots. Because a screenshot would prove nothing. All it would show, is somebody looking at a master account. There's no way to show that it was somebody else's that you glitched into, or your own. And you couldn't post screenshots of someone else's account details on guru anyway.

Quote:
Originally Posted by Iuris View Post
starting with the assumption that the gate was open and horses free to run,
No assumption. It was actually happening. But you don't believe it, because A-net and NCsoft denied it.

Quote:
Originally Posted by Iuris View Post
instead of recognizing that the stable hand has, upon notification that the door was open, added a second door, and having looked and found the original door locked, decided to remove the second door.
Even if this was true - that second door should have been there from the start. That they put it in, and then removed it again - is yet more proof that NCsoft are incompetent, and not to be trusted. As if we needed more proof.

LifeInfusion

Grotto Attendant

Join Date: May 2005

in the midline

E/Mo

I think the thing that bothers me most is you can't unlink your Master account. I'd like an option to unlink once done buying character slots or what have you.

Luckily my master account is not the same email as my forum/user/wiki account. In fact I don't even disclose it to anyone.

A good precaution for those with Windows 7 is just to play/surf forums on a limited user account, since it will bug you to "authorize" any plug-ins and "updates". A good firewall is helpful as well as an antivirus, but it's amazing how much crap people get on their computers even with both of these.

For those with banking and whatnot, I'd run 2 OSes, honestly. You want to run anything risky (torrents, youtube, facebook, anything in Flashplayer, games with copy protection which hook onto Windows explorer) either in Linux or on a separate OS (either virtual or a full partition).

And I have had a few alerts just from surfing Guru and GWO (which is rampant with gold ads). A good way to avoid infections is to use the "Windows XP mode" which runs everything in a Virtual OS and to use Adblock on Firefox. I would have recommended Chrome but Google got busted for spying on people and it doesn't have Adblock and Noscript.

Lania Elderfire

Academy Page

Join Date: Sep 2005

E/

Quote:
Originally Posted by Iuris View Post
http://www.guildwarsguru.com/forum/a...t10419779.html

Yes, I did read it at the time. Now take a look at the official comments, posted in updates in the first post of the topic.

There is no evidence there. There's a lot of screaming and forum posting, but no confirmations. Amazing how people got into other people's accounts - and not a single one took a screeny as proof. Everyone just calmly logged out. Strange, isn't it?

As I said - these are allegations, not evidence.
I don't believe that the NCMA was ever actually compromised... however I think the NCsoft support login was. It is not encrypted and anyone on the network monitoring traffic can sniff the password. If that password is the same as the NCMA, or GW, then to support it'll look like the same person logging in because they are both from the same IP range... as in college campuses. Thus people get banned for botting or scamming because, well... it's the same IP range, it has to be the same person! lol... I've updated this on the OP.

Quote:
Originally Posted by LifeInfusion View Post
A good precaution for those with Windows 7 is just to play/surf forums on a limited user account, since it will bug you to "authorize" any plug-ins and "updates". A good firewall is helpful as well as an antivirus, but it's amazing how much crap people get on their computers even with both of these.

For those with banking and whatnot, I'd run 2 OSes, honestly. You want to run anything risky (torrents, youtube, facebook, anything in Flashplayer, games with copy protection which hook onto Windows explorer) either in Linux or on a separate OS (either virtual or a full partition).
That's not limited to Win7 users. Windows XP and Windows Vista users can also configure a limited user account (LUA), and yeah it will prevent a lot of vulnerabilities from being exploited. But at the same time, it won't protect you from everything... especially malware that doesn't need admin access to steal info... which includes many types of key loggers. Also read this http://www.prevx.com/blog/83/Is-Limi...ot-really.html for those interested that talks about limitations of LUA in Vista... this also applies to Win7 and XP as well.
Linux is great, and in addition people with some technical skill should create a Linux boot CD or USB stick that runs a virus scanner. This will help with detecting and getting rid of malicious rootkits. But at the same time, Linux has its own set of vulnerabilities that Linux-targeting malware can exploit... the same goes for OSX as well.

Anon-e-mouse

Wilds Pathfinder

Join Date: Apr 2006

@ Home

League Of Friends [LOF]

R/Mo

As plaync.com is currently configured, FireFox complains that the security is not trustworthy.

Isn't it about time that the site had a proper security certificate?

Lania Elderfire

Academy Page

Join Date: Sep 2005

E/

Quote:
Originally Posted by Anon-e-mouse View Post
As plaync.com is currently configured, FireFox complains that the security is not trustworthy.

Isn't it about time that the site had a proper security certificate?
That's because secure.plaync.com doesn't exist anymore. It automatically redirects to secure.ncsoft.com, but with the certificate for the new site. Since the certificate isn't for secure.plaync.com but for secure.ncsoft.com instead it triggers a security warning because of a certificate mismatch.
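The name check behind the warning described above, as an added example that is not part of the original post: the browser asked for secure.plaync.com and compares that name against the names in the certificate it was given. The certificate dictionaries are constructed in the shape returned by Python's `ssl.SSLSocket.getpeercert()`; the real certificate's contents are not on this page beyond the host it was issued for.

```python
def dns_names(cert: dict) -> list:
    """Names a certificate is valid for: SAN dNSName entries, else legacy CN."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    # Legacy fallback used only when no subjectAltName is present.
    return [value
            for rdn in cert.get("subject", ())
            for key, value in rdn
            if key == "commonName"]


def _name_matches(pattern: str, host: str) -> bool:
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # A wildcard stands for exactly one leftmost label and must leave
        # at least a two-label domain to its right.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def hostname_matches(cert: dict, requested_host: str) -> bool:
    """True when the host the client asked for is covered by the certificate."""
    return any(_name_matches(name, requested_host) for name in dns_names(cert))


# Constructed: certificate issued for the new site only (the case in the post).
CERT_NEW_SITE_ONLY = {
    "subject": ((("commonName", "secure.ncsoft.com"),),),
    "subjectAltName": (("DNS", "secure.ncsoft.com"),),
}

# Constructed: what a certificate covering both the old and new names looks like.
CERT_BOTH_NAMES = {
    "subject": ((("commonName", "secure.ncsoft.com"),),),
    "subjectAltName": (("DNS", "secure.ncsoft.com"), ("DNS", "secure.plaync.com")),
}

# Constructed: a wildcard for the new domain still does not cover the old one.
CERT_WILDCARD = {
    "subject": ((("commonName", "*.ncsoft.com"),),),
    "subjectAltName": (("DNS", "*.ncsoft.com"),),
}

if __name__ == "__main__":
    for label, cert in (("new site only", CERT_NEW_SITE_ONLY),
                        ("both names", CERT_BOTH_NAMES),
                        ("wildcard", CERT_WILDCARD)):
        for host in ("secure.plaync.com", "secure.ncsoft.com"):
            verdict = "ok" if hostname_matches(cert, host) else "MISMATCH"
            print(f"{label:14} {host:20} {verdict}")
```

The check runs on the name in the address bar before any redirect is followed, which is why serving the new site's certificate on the old hostname produces a warning even though the certificate itself is valid.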

cosyfiep

are we there yet?

Join Date: Dec 2005

in a land far far away

guild? I am supposed to have a guild?

Rt/

I have to wonder why ncsoft doesn't improve their security....then I look at guildwars, a 5+ year old game that they only got money from the day purchased.....then I come to the realization that it's probably just not worth their time to improve security on a virtually dead game with no income----makes sense then.
ArenaNet cares since they are still creating new games, but ncsoft is just a big corporation only looking at the bottom line...and that for guildwars is bleak right now. Truly sad.

I hope that when gw2 comes out that anet can put a little punch behind their cries for improved security.....otherwise I see no reason (business side) for them to do anything to 'improve' something they don't see as worth it.

Big_Iron

Desert Nomad

Join Date: Dec 2005

The Edge

Tormented Weapons [emo]

I’m an IT person, so I know to keep my virus definitions updated, I know not to open suspicious e-mails, I use different e-mails and passwords for my different accounts. I have taken every precaution that Anet and NCSoft say to take and then some.

Now, let me share my nightmare with NCSoft and their lack of security.

At 9:12 AM I receive an e-mail from NCSoft saying, “Someone at 38.105.20.111 has reset your Guild Wars Game Account password for account [email protected]. If you did not make this change, please contact support immediately at [email protected].” I was at work, but actually had my e-mail open when this came in. I immediately sent an e-mail to NCSoft support saying I didn’t authorize this change. I get no response from them. I e-mail again and go to the NCSoft site and open a ticket. Still no response.

At 10:44 AM I get another e-mail, “Someone at 38.105.20.111 has reset the password and/or the password hint questions and answers for your NCsoft account xxx. If you did not make this change, please contact support immediately at [email protected].” Again, I immediately e-mail support saying I didn’t authorize this change. I frantically look for a number to call and find one. Their hours of operation are 1 to 5 PM Central time, so I can’t call them for at least another 3 hours!

I call them at the stroke of 1:00 Central time and after jumping through some hoops, they reset my passwords again. I go home and log in to my account to find everything is gone. Five years’ worth of armor, dyes, materials, weapons all gone. The only thing they didn’t do was delete my characters.

There’s still an open ticket, so I update it that everything I’ve done over the last 5 years has been stripped and I get no response.

Moral of the story is NCSoft security is garbage. I will never, ever buy another game from them or any company associated with them.

Anon-e-mouse

Wilds Pathfinder

Join Date: Apr 2006

@ Home

League Of Friends [LOF]

R/Mo

Quote:
Originally Posted by Lania Elderfire View Post
That's because secure.plaync.com doesn't exist anymore. It automatically redirects to secure.ncsoft.com, but with the certificate for the new site. Since the certificate isn't for secure.plaync.com but for secure.ncsoft.com instead it triggers a security warning because of a certificate mismatch.
The only problem is that the GAME ITSELF sends you to plaync.com if you want to change something on your account.

Lania Elderfire

Academy Page

Join Date: Sep 2005

E/

Quote:
Originally Posted by Big_Iron View Post
I’m an IT person, so I know to keep my virus definitions updated, I know not to open suspicious e-mails, I use different e-mails and passwords for my different accounts. I have taken every precaution that Anet and NCSoft say to take and then some.

Moral of the story is NCSoft security is garbage. I will never, ever buy another game from them or any company associated with them.
I used to work in IT for a short while but I found it way too unstimulating... much better to keep it as a hobby IMO, plus my boss was retarded (he didn't believe in antivirus software) ^_^. The thing is that Anet/NCsoft's recommendations are not enough because their security practices are crap. I'm really not sure how strong the encryption is that the GWclient uses when you log in, but it does just use standard HTTP. I'm sure a dedicated hacker can crack it quite easily. Basically to be safe, you need to log into the support site via a trusted encrypted VPN (if your local area network is unsecure like in college campuses), use network intrusion detection systems, and multiple redundant security systems and software on top of Anet/NCsoft's recommendations.

Chthon

Grotto Attendant

Join Date: Apr 2007

Quote:
Originally Posted by Lania Elderfire View Post
===Password changes are direct without intermediate authorization steps.===
Yes, this is a huge problem. The fact that NCSoft created a system this way shows their incompetence. The fact that they returned the system to this state to save on support costs shows that they just don't give a shit.

Quote:
===There are no mechanisms in place to defeat keyloggers.===
Describe for me one possible mechanism that a game company could implement to defeat keyloggers. I submit that there is none. All the game company can hope to do is minimize the damage when a keylogger comes through. That's where suggestions like a character lock/item lock come into play.

(Do not suggest things along the lines of "put your password in your shortcut so you don't have to type it." That's moronic. If I've compromised your system well enough to install my keylogger, I've also compromised your system well enough to install my little bot that searches the file where the password is stored.)

Quote:
===Secondary credentials needed to access the account is widely known===
I can't really blame a-net for this one. It was a quick and dirty fix to the problem of the NCMA being both totally insecure and totally capable of compromising your GW account. It fixes that problem beautifully by requiring a piece of information from outside the NCMA to get into a GW account. Now, could it be improved upon? You bet. I'd like to see "write your own security question," or at least "pick ONLY ONE character name which is the right answer to the security question" (ie your never-played mule character).

Quote:
===NCsoft and Anet believes that obscurity is security===
Fair criticism.

Quote:
===NCsoft and Anet does not believe that successful exploits do not equate to vulnerability===
:This has more to do with outdated security practices than anything else. Yes their system works just fine, and no successful theft of account credentials were obtained by breaking into the actual secure NCsoft or Anet servers.
Have you been living under a rock? That's precisely what DID happen. For a significant stretch of time NCMA was vulnerable to SQL injection, file mirroring, brute force against the password reset, a bug that rarely and randomly logged a user into someone else's account, and probably other flaws that I don't know about. Moreover, from all appearances, it seems like we're seeing another uptick in NCMA's being compromised out of the blue -- enough now that I feel comfortable in concluding that there's another wide-open vulnerability out there right now.

Quote:
===NCsoft support login is not encrypted===
I don't see this as a particularly bad problem. Sure, it would be better if support were encrypted than not encrypted, but I don't think it's a place too many thieves are going to focus on. It would be like hanging around and mugging people on their way out of Bankruptcy Court.

Quote:
===Forums have atrocious security===
1. From what I've heard, GWGuru has decent security in place. Or at least had, pre-Curse. I don't know about post-Curse.

2. So what? Aside from idiots who use their GW or NCSoft password as their forum password, it's a non-issue. But for the fact that I'd rather not have anyone impersonating me on Guru, I would be perfectly happy to post my Guru password on the forums. Both my username and my password are throwaways with no relation to my GW/NCMA/other important account credentials.

Quote:
===Can someone sniff my password when I log into the NCMA or when I log into guildwars?===
SSL is actually rather thoroughly defeated at this point. It's just that everyone with both the capacity and the willingness to do so is too busy intercepting online banking data to care about GW.


---------------------------


The most important thing regarding GW security is something you leave out: The NCMA is RED ENGINE GORED ENGINE GORED ENGINE GORED ENGINE GOing Swiss cheese that can be compromised solely through NCSoft-side vulnerabilities in spite of good, or even perfect, security practices on the user's part. If your GW account is linked to the NCMA, the secrecy of your character names is the only barrier between your account and the thieves who would like to take it.


---------------------------


I also happen to disagree with your fundamental point. There's enough blame here for both stupid users and stupid NCSoft. YES, I agree that NCSoft has horrific security; and I agree that they deserve a significant portion of the blame for a lot of account theft past and present; and I'd even agree that they deserve the lion's share of the blame. However, this does not absolve dumb users. If you re-use your GW password elsewhere, or wave your IGN around for all to see, or download those "hacks," warez, and pron even though you know you shouldn't, or click on links in e-mails from [email protected], then you contribute to your account getting stolen. (Solely to blame? No. But you contributed to it.) While I feel bad for someone who loses their account through their own stupidity, I feel a thousand times worse for someone who did everything right but loses their account through NCSoft's stupidity.

Iuris

Forge Runner

Join Date: Nov 2006

Crazy ducks from the Forest

W/

Quote:
Originally Posted by Big_Iron View Post
I’m an IT person, so I know to keep my virus definitions updated, I know not to open suspicious e-mails, I use different e-mails and passwords for my different accounts. I have taken every precaution that Anet and NCSoft say to take and then some.

Now, let me share my nightmare with NCSoft and their lack of security.

At 9:12 AM I receive an e-mail from NCSoft saying , “Someone at 38.105.20.111 has reset your Guild Wars Game Account password for account [email protected]. If you did not make this change, please contact support immediately at [email protected].” I was at work, but actually had my e-mail open when this came in. I immediately sent an e-mail to NCSoft support saying I didn’t authorize this change. I get no response from them. I e-mail again and go to the NCSoft site and open a ticket. Still no response.

At 10:44 AM I get another e-mail, “Someone at 38.105.20.111 has reset the password and/or the password hint questions and answers for your NCsoft account xxx. If you did not make this change, please contact support immediately at [email protected].” Again, I immediately e-mail support saying I didn’t authorize this change. I frantically look for a number to call and find one. Their hours of operation are 1 to 5 PM Central time, so I can’t call them for at least another 3 hours!

I call them at the stroke of 1:00 Central time and after jumping through some hoops, they reset my passwords again. I go home and log in to my account to find everything is gone. Five years’ worth of armor, dyes, materials, weapons all gone. The only thing they didn’t do was delete my characters.

There’s still an open ticket, so I update it that everything I’ve done over the last 5 years has been stripped and I get no response.

Moral of the story is NCSoft security is garbage. I will never, ever buy another game from them or any company associated with them.
Hold on, you got no response from support to your email? I'd like to see that email...

Lania Elderfire

Academy Page

Join Date: Sep 2005

E/

Quote:
Originally Posted by Chthon View Post
Describe for me one possible mechanism that a game company could implement to defeat keyloggers. I submit that there is none. All the game company can hope to do is minimize the damage when a keylogger comes through. That's where suggestions like a character lock/item lock come into play.
A virtual keyboard. Logging mouse clicks and aligning that with what key the mouse pressed on the virtual keyboard is a lot more difficult to do than logging keystrokes, since you have to account for different screen resolutions, font and graphic size in the browser/game client, position of the virtual keyboard on the screen, etc....

Quote:
Have you been living under a rock? That's precisely what DID happen. For a significant stretch of time NCMA was vulnerable to SQL injection, file mirroring, brute force against the password reset, a bug that rarely and randomly logged a user into someone else's account, and probably other flaws that I don't know about. Moreover, from all appearances, it seems like we're seeing another uptick in NCMA's being compromised out of the blue -- enough now that I feel comfortable in concluding that there's another wide-open vulnerability out there right now.
I've tried breaking into the NCMA... tried that "logging into someone else's account thing" via brute force... none of that worked. I've also tried some SQL injection attacks... which also failed. Maybe I wasn't using the right code, would you mind sharing that code since it's fixed now as you say? I'm simply not convinced that the NCMA can be broken into more easily than stealing credentials any other way, or that the actual NCMA was "hacked" into. I know all the info started in January like wild fire and supposedly tested by Erys Vasburg and others, but like others said... there is just no verifiable information, no screenshots, no actual post-fix exploit code released anywhere...
Quote:
SSL is actually rather thoroughly defeated at this point. It's just that everyone with both the capacity and the willingness to do so is too busy intercepting online banking data to care about GW.
Depends on how strong the cipher the server uses for the SSL encryption and the version of SSL they are using. The point is, it's just way freaking easier to use other methods than try to crack the NCMA's SSL encryption cipher to steal accounts. NCMA uses an RC4 128bit cipher, and it's quite difficult to crack since it's hard to collect a lot of NCMA HTTPS login packets even in very large networks to reduce the amount of computing power needed to crack it... still would like to see 256bit AES instead though... that one is very very difficult to crack, and you need an insane amount of computing power.

Quote:
I also happen to disagree with your fundamental point. There's enough blame here for both stupid users and stupid NCSoft.
Yeah I agree. There is no shortage of idiots and IMO they deserve to get hacked when they do idiotic things. But when someone does everything Anet and NCsoft recommends and still gets their credentials stolen... yeah... I think everyone can agree that NCsoft security practices are just garbage. >_<

GoF

Academy Page

Join Date: Jun 2009

Mo/

You have some interesting info there. You may want to hint NC Soft about those points.

Chthon

Grotto Attendant

Join Date: Apr 2007

Quote:
Originally Posted by Lania Elderfire View Post
A virtual keyboard. Logging mouse clicks and aligning that with what key the mouse pressed on the virtual keyboard is a lot more difficult to do than logging keystrokes, since you have to account for different screen resolutions, font and graphic size in the browser/game client, position of the virtual keyboard on the screen, etc....
I'm not convinced. Logging click x/y is as easy as logging keystrokes. Screen resolution is easy to read from the registry. A game-specific screen resolution that was stored serverside would complicate matters. Assuming you couldn't intercept it, and assuming you couldn't deduce the resolution from the highest, lowest, and spacing of the x/y values, it would increase search time by a factor of 20 or so by requiring you to brute force against what-the-click-would-have-been for each resolution. Most games use their own fixed font/button size that you can simply measure from your own copy of the game. Position of the keyboard on the screen is usually fixed because most games run in full-screen. When running windowed, initial position is usually stored in registry or .ini and can easily be read. Randomizing initial placement or instructing the user to move the window before use would make it harder. The best thing virtual keyboards have going for them is randomizing which letter belongs to which button. Getting past that requires brute forcing what that pattern of x/y positions would have been for each keyboard permutation. Also, you have to pay attention that whoever is implementing your virtual keyboard doesn't just simulate keystrokes on the backend (that happens more than you'd think). At best, the simulated keyboard is only a few orders of magnitude harder to log than the physical keyboard.

Worse than that though, is the fact that, if I have access to install my keylogger, I also have access to install a small program that listens for you to start GW, then takes a screenshot immediately following every click for the next 5 minutes. Why even bother trying to log what you can screenshot?

Quote:
I've tried breaking into the NCMA... tried that "logging into someone else's account thing" via brute force... none of that worked. I've also tried some SQL injection attacks... which also failed. Maybe I wasn't using the right code, would you mind sharing that code since it's fixed now as you say? I'm simply not convinced that the NCMA can be broken into more easily than stealing credentials any other way, or that the actual NCMA was "hacked" into. I know all the info started in January like wildfire and supposedly tested by Erys Vasburg and others, but like others said... there is just no verifiable information, no screenshots, no actual post-fix exploit code released anywhere...
You shouldn't need proof-of-concept code to understand how "what color was your first car?" got brute forced...

Go back through that thread and the other two large security-related threads around that time. Marvin Alvito has several posts cogently explaining the brute force issues. There are links to posts by an AionSource user, Mung, who performed the file mirroring and SQL injection - you may follow up on Aion Source if you like. Wrong-account-login bug was verified by forum members here whom I trust. Their word is good enough for me (and I don't much care if it's good enough for anyone else). Post 299 in this thread is a summary of known vulnerabilities at that time. (Some have been fixed since then. At least one was fixed and then re-introduced. At least one probably isn't on there (whatever is being used now).)

Quote:
The point is, it's just way freaking easier to use other methods than try to crack the NCMA's SSL encryption cipher to steal accounts.
Depends on what other methods are available and what their payoff is, but, in general, yes. In any event, for those who can break SSL, the payoff from attacking online banking is much higher than the payoff from attacking GW and the potential jailtime is the same (18 USC 1030). So we can agree that SSL attacks against NCMA are very unlikely.

Quote:
But when someone does everything Anet and NCsoft recommends and still gets their credentials stolen... yeah... I think everyone can agree that NCsoft security practices are just garbage. >_<
On that, I completely agree.
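
Added example, not part of the original posts: a sketch of the per-session randomized button layout that the reply above calls the best thing virtual keyboards have going for them. The key set, function names and session dictionary are assumptions made for illustration.

```python
import secrets
import string

# Assumed key set for the illustration: lowercase letters and digits.
KEYS = string.ascii_lowercase + string.digits


def new_layout(rng=None):
    """Per-session layout: layout[button_index] -> character shown on it."""
    rng = rng or secrets.SystemRandom()  # OS CSPRNG, not the default PRNG
    layout = list(KEYS)
    rng.shuffle(layout)
    return layout


def clicks_for(password, layout):
    """Button indices the user clicks; this is all a click logger records."""
    position = {ch: i for i, ch in enumerate(layout)}
    return [position[ch] for ch in password]


def decode(clicks, layout):
    """Server side: only the holder of this session's layout can decode."""
    return "".join(layout[i] for i in clicks)


def submit(clicks, session):
    """Decode once, then discard the layout so old clicks cannot be reused."""
    layout = session.pop("layout", None)
    if layout is None:
        raise ValueError("layout already used; issue a new one")
    return decode(clicks, layout)


if __name__ == "__main__":
    password = "gw2005"  # constructed sample value
    session = {"layout": new_layout()}
    clicks = clicks_for(password, session["layout"])
    print("recorded clicks:", clicks)
    print("server decodes :", submit(clicks, session))
    # The same clicks against a fresh layout almost certainly decode differently.
    print("under new layout:", decode(clicks, new_layout()))
```

The layout is drawn on screen, so this only addresses click-coordinate logging; it does nothing against the screenshot-after-every-click case raised in the same reply.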

Gigashadow

Jungle Guide

Join Date: Aug 2005

Bellevue, WA

W/

Flash-based keyloggers are not uncommon, due to Flash having all sorts of security vulnerabilities which Adobe often takes a while to fix, and anti-virus software isn't guaranteed to catch. They generally don't even install anything, but just intercept keystrokes while they are running. If you aren't using something like Flashblock, then at least don't login and enter passwords with a web browser up.