New security feature for NCsoft master accounts

http://wiki.guildwars.com/wiki/User:...curity_Feature

Why is NCSoft unable to make it impossible to change the old password without knowing it?
I mean I can log into my master-account and change my GW password w/o knowing my old GW password...
And they keep implementing pointless security measures, which only burden the real person but do not stop hackers at all...

So NCSoft: CHANGE THE PASSWORD SYSTEM INSTEAD OF ADDING ADDITIONAL THINGS NOONE NEEDS!

I agree with the OP on the old password thing, but I certainly wouldn't call these security methods pointless. They'll be asking you to answer additional security questions the first time you access the Master Account from a new pc to verify its you, and after that you'll be able to log on as normal from that pc. Not only will they force people to know more about your master account before they can successfully access it, but they'll be able to identify the pcs that credit card fraudsters are using regardless of proxy.

Unless of course, their new security measures are rendered optional by lack of flash or use of NoScript (not sure on that one yet, seemed so this morning). Or your information is phished.

Big leap in the correct direction though.

The page is now in 'scheduled maintenance'.

I suppose it will be ready after that.

would rather they just put in "old password" instead of putting information on my pc (which has been rebuilt a few times) that I would rather NOT be there ..paranoid YES!

though I have no need of using the ncsoft master account anyways---still wish we could DELETE the link it has to our guild wars account.

Have had so much trouble in the past with NCSoft's system that I don't even know what my master password is anymore! All I can hope for is that I never *have* to change my password(s) as the original emails are long non-functional.

While I applaud NCSoft for committing manpower to account security, I'd prefer seeing anything which makes the account, hence your characters, immune to hacking or "cleaning" in a proactive way. The HoM makes it possible to register weapons, armors and all the stuff people care about and being expensive. It would be relatively easy to reproduce your items after a hack and lock characters permanently (so they cannot be deleted).

BTW: I don't think this measurement is good for anything, since once phishing occured, they know your account details (including security answers) anyway.

|: I want to have this option, too.

Personal irony that this happens having just been hacked on the only 2 accounts i have tied to a master account, when the other 2 are fine.

Finally admitting their master account security flaws?

It asked me for my date of birth.

This does not constitute allowing me "to create additional security questions" for my account.

Now add to this the fact that according to their support FAQ, the first time I logged in from this location it was supposed to prompt me to answer my password hint question.

*crickets chirping*

There are no prompts or instructions on the site, or links, pointing to where I can create these additional security questions.

I'm not impressed.

They should do both,

If the site can tell you what computer your at and knows its not you great, but what if a user has say a Trojan on there comp and its being remote accessed, so the site now thinks its you, security breach,

It should ask you a security question regardless, and i agree with the OP it should also ask you for your old Password, such a simple fix,

Of course they could remove the ability to reset your password from the account full stop?

Its as good step, yes, but for the love of god just ask users to input their old pw when they change their game account pw. Its a basic security feature that would ease the minds of so, so many people.

I guess it's better than nothing so long as it's implemented properly.

One thing they should've done ages ago is to allow you to assign approved IP addresses to your GW account. Most gamers only play from one or two locations anyway (in my experience), so it's not like it'd be a huge pain if you had to wait 48 hours (for instance) when adding a new IP. And it'd prevent RMT's from immediately logging into an account and wiping out everything of value.

i find it funny they added new stuff. people still get hacked with the other stuff they added what makes them think this would work? when past stuff hasnt worked out.

Well it might help distinguish those people going around faking that they were banned for no reason and were 'hacked'..meh atleast one step anyway

Does anyone know if it is possible to manually unauthorize a location without waiting for the automatic removal after a "long period of time"? [1]

NCSoft did in fact require you to input your old Guild Wars password in order to change it, but that security feature was deemed unnecessary and subsequently removed.

http://www.guildwarsguru.com/forum/p...urity+password

Martin Kerstein's response in the thread

Gaile Gray's statement

If it was me doing the new system, you could had login to your master acount without being asked any additional question and only when you wanted to change some important informations (example: the pasword for your gw account) you would had been asked one random chosed question from the additional questions.

The majority of people who are hacked are hacked via their own stupidity and greed, not because of any failure on the part of ANet/NCSoft's security measures.

Yes, I find it insane that you do not have to enter your old password correctly in order to change it... that's pretty basic and standard account security everywhere else - and yet, hacking still happens on an incredibly wide scale, even in games or other applications which require the old password.

Here's a tip - most of the time when someone hacks an account, they DO have the old password. This is why ANet/NCSoft doesn't feel requiring it to be entered is going to help matters any.

People are inherently stupid about their internet behaviors... they use the same password everywhere. They use stupid passwords like "password." They use one of these as their passwords. They go bleating their IGNs on forums such as this, or worse, use their IGNs as IDs on sites like this - along with the same password they use everywhere else... and sites like this are easy to hack. Not because of a failure on the part of the site management or site programmers, but because software like vBulletin is inherently chock full of security holes. They let friends/guildies log into their account. They have never learned to comprehend the idea that "if it seems too good to be true, it probably is." They are driven by greed, and will buy into any scam that they think is going to somehow gain them an advantage (beta keys, unique weapons, extra platinum, etc.). They're stupid enough to deal with RMTs. They don't pay attention to the links they're clicking on, will download questionable software, and end up with keyloggers on their system... and they don't have the sense to scan for these things regularly, or to change their passwords regularly, or to have a single dedicated email address for each game they play, etc.

The list goes on...

And of course, when they DO get hacked, they come here and cry about it... and insist that they never did any of those things.

Yes, they did.

IF their account being hacked was a result of an exploit on a site like Guru, there would be hundreds, if not thousands of people all reporting their accounts hacked over a period of days, if not hours.

People get hacked because they are lax about their own security... then they blame everyone else for their problem. It's never them... how often do we see a "damn, I got hacked because I was stupid" post?

Despite that usually being the reason the majority of them were hacked to begin with.

I spend about 10 hours a week of my 40+ hour work week dealing with gamers whose accounts have been hacked or whose credit card info has been phished. The instances where it was truly a failure on the side of the provider, rather than on the side of the client (player), are exceedingly rare.

Came to this thread hoping to see that Gaile was back and has been hired to do security.

I am disappoint.

<3 @ Gaile

yeah its true a large bunch could have been hacked due to be stupid. but you cant say all are! remember when some people got hacked due to a problem on here? so yeah some people have been hacked havent done stupid stuff as others had.

and what about people with dynamic ip? yes only one location, but dozens of ip addresses....so this wouldnt work either (and what happens if say, you provider goes chapter 13??? and now you have a new set of ip's?)

asking for the old password was better imho.

If they were hacked due to a problem on here, it's because they a) shared their IGN here and/or b) used the same password here and/or c) used the same email address here.

That is just as stupid as anything else I mentioned.

I agree with the additional security feature, but TheGizzy is absolutely right. As our society is well into the era of zero self-responsibility, NCsoft's efforts are more babysitting than anything else.

"If it wasn't for dickheads like you, there wouldn't be any thievery in this world, would there?"

This. Exactly this.

At least once a week I deal with a parent who has filed a chargeback on their credit card for gaming purchases made by their child. When we appeal the chargeback, they come running to us screaming about how we should have stopped their kid from making the purchase.



Yes, because it is our fault that they leave their wallets laying around where their lying, cheating, ill-mannered children can snag them... getting the CC#, the CSC#, etc. It's our fault that their kids are permitted to spend 6+ hours a day online, learning from other lying, cheating and ill-mannered children all sorts of interesting things...without parental supervision or intervention.

If I had a nickel for every time a parent said to me, "Johnny wouldn't do that... it must have been a hacker..." only for me to turn around and say, "well, your last 7 screaming emails to me came from IP address ________, and the 27 purchases over the last 3 months were made from that same IP address, and you HAD to have received at least one statement in that time in addition to the one you are currently yelling at me about..." I'd be on an Alaskan cruise instead of sitting here laughing about yet ANOTHER death threat I've received from yet ANOTHER parent who is pissed that their kid stole their CC and wants me to give them back the $2,790 their kid spent.

Or there's the kid we banned repeatedly over several months time... he kept coming back with new accounts, kept charging crap to the CCs of his parents, aunts/uncles, neighbors, etc. We kept banning his IP, he kept rolling to a new one. We finally got his ISP to intervene, and he couldn't get back on our sites. He turned around and sent me an email, pretending to be a state's attorney. When I told his father we were turning the case over to the actual state's attorney for prosecution, his whiteboywannabegangstaself (with a MySpace page to match... dude, you look like a fool at 40 years old, posing with your hat turned backwards and flashing phony gang signs) told me he would kill me, my husband, my children and my pets if I did - because his 10 year old kid wasn't going back to juvie over some "uptight ***** with a god complex."

Yup, my fault you're scum and raising your kid to be just as scummy. Absolutely.

I could spend hours regaling this forum with stories about all the ways people try to dodge responsibility for their own stupidity, just in relation to games. I'd lose my faith in humanity completely if it was all I had to judge people by... it is absolutely terrifying to me the number of people who either a) suffer from massive entitlement complexes or b) are masters at shirking responsibility.

Sure. That's why that database with gaming credentials Symantec found last year held 2 million NCSoft passwords, not because those would have come from some failure on NCSoft's side.

Did you research where those credentials were farmed from? It wasn't from NCSoft... it was from fansites, keyloggers, etc. NCSoft was one of many companies whose users were affected... and those who compiled the 44 million stolen credentials were using a trojan to validate them... which was also phishing still more credentials from the infected systems.

The hacking of gaming accounts becomes systemic... it's the rare online gamer who plays only one P2P or F2P game. So the hacker starts by getting info on one game, one email account. They then use a bot to send out emails from that hacked email account [which usually has the same PW'd as the gaming account(s)] doing password requests to all the other major MMOs, FPSs, etc. They're also farming the email messages looking for mention of other user accounts belonging to friends of the person who was hacked. It's rather surprising how many people will give out a user name/password to a friend (for any number of things, not just games) via email.

Hackers follow threads. They're very good at it. I'm so good at my job because as a teenager, I was also a hacker - usually into the phone company to wipe out my dial-up charges so my parents didn't kick my *ss. I'm very good at following threads, and thus very good at catching these people... but I don't forget where I learned to follow those threads in the first place, and I don't forget that these people are at least as good at it as I am, and sometimes better.

It's a war of information, it is ongoing, and no one is immune. It is up to the individual to educate themselves on how best to protect themselves... not rely on someone else to do it for them.

Would you leave your doors and windows unlocked, the keys in the ignition of your car, your curtains open so every passerby could see the $10,000 entertainment system in your living room... and then go on vacation, expecting that the neighbor is going to keep your stuff from being stolen?

If so, please email me your address and a schedule of when you're heading out of town...

I welcome the new security.

It goes some way to preventing the kind of breaches we saw a year or two ago, where thieves could log into their own NCsoft account, using their own machine... and glitch into someone else's NCsoft account at random. From there they could reset your GW password and clean you out. There was literally nothing the victim could do to prevent that, or protect themselves (other than not have an NCsoft master account).

A-net had to add the requirement of entering a character name at GW login to cripple that exploit, since NCSoft were simply burying their heads in the sand. But finally... NCsoft is doing something at their end *applause*

This may (!) ease my mind a little about linking GW2 to an NCsoft master account (should it be necessary for using the online store etc), posting my IGN's in forums etc

I suspect this is at least partly so that GW2 will no longer need to use character names as part of login security. They need a less sucky way to protect against master account breaches, and maybe this is it. I'm still hoping for SecurID-style hardware keys for GW2 though.

Limiting access to certain machines... nice idea, and I guess that's convenient for some people. I think I prefer to be prompted every time for my security questions, but I have to weigh that against the possibility of a keylogger managing to get on my system.

If I have to add any new security questions, they will of course - as usual - have lengthy unique answers that bear no relation to the questions :-D

newcomers to the game will not know that for a long time when you logged into the NCsoft site you sometimes got in to a total strangers account, with access to all their past support tickets, and to a pw change with no other security. This was just after we had been given the free storage panel but you had to link to NCsoft to get it.

People who told about it were disbelieved until an Anet employee was hacked.

Still we get the 'its-your-own-fault' shouted all over the place.

Well actually it is not the hacked persons fault - its the fault of the thief, and everytime you tell someone its their own fault you are taking the responsibilty for their actions away from the thief.

If I leave newly-baked cakes cooling on my windowsill and someone takes one - they are stealing, and they can say all they like that I should have had a barbed wire fence or a guard dog or not left my cakes there but it is them, not me, that was wrong. (I know - I still lost my cake).

I was lucky I remembered the answer to my security question.

It was something personal about someone I know...
...something that that person themselves forgot. >_<

Now I'm the only one on Earth that knows that. So it's a really secure question, as long as I remember the answer.

2 million? From keyloggers? I don't think so. They were farmed from NCSoft. This is old news.

IIrc other games, with more players had far less - several thousands to tens of thousands - accounts stolen. The difference in the amount of account credentials between NCSoft and other companies is enough indication that the majority of those accounts was not stolen from users, but from NCSoft itself.

I might agree with that in the real world, but we are talking about the Web and therefore need to establish a more appropriate analogue. After setting your cakes on your window sill, walk around your neighborhood with a sign which reads 'I live at 123 Main Street and just baked some cakes'. After a cake is stolen, complain to the police for their not having a patrolman stand next to your window. Even better, demand that your local supermarket rectify the situation by reimbursing you for the lost ingredients.

The thief is still guilty of theft, but all your neighbors are facepalming.

Lolz everything you said so far QFT!!! where i work, same thing here but it's a simple website portal i run at work. When i see another thread on Guru about how someon sayss they never did this or d/l that i just roll my eyes and wonder what shortcut they tired and go hacked....

I was working for one of the companies who was affected by that debacle. A very significant percentage of the credentials were initially farmed from two very popular industry fansites. NOT from a developer's or publisher's site. Then it was just a matter of the hackers sending bots out to follow the threads.

Now, does that mean that NCSoft's password recovery setup was not vulnerable to the bot farming? No... and their own mistakes made them MORE vulnerable than other companies. But the company I was working for was just as stupidly vulnerable much to my disgust...however, there are many times that I feel MOST industry sites are pretty lax in their own security measures. There are steps a gaming company can take to ensure that their password recovery system can't be tricked by bot-generated PWd requests. Sadly, they are not implemented nearly enough or on the scale they need to exist.

With that said - Wolf2581 offered an excellent analogy. Yes, certainly the majority of responsibility rests with the hackers themselves. But if I know there are people in the world who are out to steal my cake, and I know that my police department cannot have someone standing guard under my windowsill 24/7, then I'd be an absolute IDIOT to go parading around town letting every thief in earshot know that I've got a cake ready and waiting to be stolen... and that is exactly what players do when they bleat their IGNs on websites like this, when they use their IGNs as logins elsewhere, when they use the same password for everything, when they click on questionable links that promise some over-inflated reward for little work, etc.

We may as well just GIVE them our login details instead of demanding that someone else protect us from our own stupidity.

I love knowing I've got my local PD literally 3 blocks away... but I keep my doors locked... and about two months ago, that kept my house from being broken into while neighbors were robbed. I live in a small, rural town near the Michigan/Ohio border. This is the kind of place where people generally DO leave their doors unlocked. But I didn't grow up here... I grew up in Chicago. I don't leave my doors unlocked. I take responsibility for the safety of myself and my family... because I KNOW there are bad people in the world who wish me harm, and I KNOW that it's up to me to make it easier for the police to protect me, not harder by waving a neon sign in the air that says "open for robbery, come one, come all."

I tried to log into my NCSoft account today only to be presented with questions I must answer as part of the log in.

1. Phone number from original registration
2. Date of birth

I don't remember my phone number from five years ago. So I can't log into my account to set up any new security questions. So now I've started down the long and rocky road to getting someone to help. Wish me luck.