Guild Wars Account Hacking

  • Enko Member Posts: 10
    Originally posted by Raizeen

    Originally posted by Pryetta

    Originally posted by Raizeen


    They have more security than most MMOs, so that they aren't doing anything against it is bullshit, and like I tell the 99% of the people who get hacked: they don't sit there and try random emails with random passwords, that doesn't work. They use phishing sites, and you're dumb enough to type your info in, or use the same email and password for your email and game on every website you register to. No wonder you get hacked. It's not THEIR fault, IT'S YOURS!! Get it? Can't get simpler than this.

     

    Oh yes...because everyone who gets hacked does this. Wow, no one has ever thought of this before. Let us blame the people who got hacked instead of the hackers. They went to the site, whatever site that might be, even if 99% are actually blocked by Firefox as a form of a bad website, even with no script on, you can still get hacked. People are just retarded, it is their fault, nothing else can happen to get them hacked, it is their own stupidity. Yep.

    So what do you expect ArenaNet to do about the stupidity of the retards who do that? They have no reason to be blamed for your stupidity. They can't do anything against you not clicking them except the big red announcement text every time you log in. What do you want from them, a fucking eye scan? Like I said, it's your fault and your fault alone. There's only so much they can do. Hell, they even changed it so you have to type in your char name every time now when you log in.

     

    you really might want to read what the issue is before saying anything. The issue is not with Arena.net. It is with NCSoft's website. There is a bug in their website that when you log into your NCSoft Master account, there is a chance that you will instead be logged into another user's account and have full control (including being able to change passwords. Old passwords weren't required to change passwords before). There have been numerous other security holes noted that NCSoft has refused to admit are a problem or have fixed. I fully believe that Arena.net has done what they can on their end (including requiring a character name to log into Guild Wars now) but NCSoft only made a change last night to require old passwords because this all came out. Now we shall see if they actually take action on their other security holes.

     

    edit: Raizeen, calling other people names isn't going to change the fact that you started posting blaming users for getting hacked when there is an actual problem with NCSoft's website. Sure there are probably plenty of people who get their accounts stolen through their own stupidity but we are discussing the problems with NCSoft which have resulted in numerous accounts that have been stolen INCLUDING ONE OF ARENA.NET'S DEVELOPERS.

  • batolemaeus Member Common Posts: 2,061


    Originally posted by Pryetta
    Let us blame the people who got hacked instead of the hackers.

    Yes.

    GW account security measures are okay-ish. I've seen a lot worse. Nobody can guess your account name from looking at your characters, there's protection against people just knowing your account+pw but not your characters.

    It is enough security for random attacks from strangers and that's enough.
    People love to blame some faceless "hacker" (using that word makes me cringe. This has nothing to do with hacking..). They're the witches of the mmorpg world.

    Get a good password and don't tell it to anyone else, don't use it anywhere else, and make sure you don't have keyloggers on your computer, and nobody will ever gain access to your account. It's simple security 101.

    People whining about their compromised accounts are the same people who have no idea about account security.

  • Enko Member Posts: 10
    Originally posted by batolemaeus


     

    Originally posted by Pryetta

    Let us blame the people who got hacked instead of the hackers.

     

    Yes.

    GW account security measures are okay-ish. I've seen a lot worse. Nobody can guess your account name from looking at your characters, there's protection against people just knowing your account+pw but not your characters.

    It is enough security for random attacks from strangers and that's enough.

    People love to blame some faceless "hacker" (using that word makes me cringe. This has nothing to do with hacking..). They're the witches of the mmorpg world.

    Get a good password and don't tell it to anyone else, don't use it anywhere else, and make sure you don't have keyloggers on your computer, and nobody will ever gain access to your account. It's simple security 101.

    People whining about their compromised accounts are the same people who have no idea about account security.

     

    So let's see, I can have the greatest password in the world but if someone can just access the master account on NCSoft's website without any user information at all and be able to view our log in emails and change the passwords without any other verification, it's suddenly still the user's fault?

     

    People whining that this is all on the users have not read up on the issue. My account hasn't even been compromised but this is a big enough issue that it needs to be fixed.

  • Pryetta Member Uncommon Posts: 260
    Originally posted by batolemaeus


     

    Originally posted by Pryetta

    Let us blame the people who got hacked instead of the hackers.

     

    Yes.

    GW account security measures are okay-ish. I've seen a lot worse. Nobody can guess your account name from looking at your characters, there's protection against people just knowing your account+pw but not your characters.

    It is enough security for random attacks from strangers and that's enough.

    People love to blame some faceless "hacker" (using that word makes me cringe. This has nothing to do with hacking..). They're the witches of the mmorpg world.

    Get a good password and don't tell it to anyone else, don't use it anywhere else, and make sure you don't have keyloggers on your computer, and nobody will ever gain access to your account. It's simple security 101.

    People whining about their compromised accounts are the same people who have no idea about account security.

    Faceless hackers? Lol, oh we know who they are...most of those who get hacked on NCSoft...come from Korea and China....there are holes in NCSoft's system...not Arenanet, not Aion's, etc...it is NCSoft themselves with a giant security hole in this great master account thing they have. Not only...get this, can they get your username and password very easily from this system but when they get it...they get ALL your accounts...it is simple especially since they can change everything on it. But that is beside the point, people love to blame those who were hacked, like people love to blame the victims of rape. It is their fault, they asked for it...they shouldn't have done this, shouldn't have done that, they brought this upon themselves....making them a victim twice.

  • batolemaeus Member Common Posts: 2,061

    I haven't seen any proof of that. Just a load of FUD.

    So until there's good, solid proof with a good, solid step by step guide on how to compromise a well secured account, I'm going to call bullshit. Everyone loves to blame technical shortcomings if they're hit by simple old fashioned social engineering.

  • Pryetta Member Uncommon Posts: 260
    Originally posted by batolemaeus


    I haven't seen any proof of that. Just a load of FUD.
    So until there's good, solid proof with a good, solid step by step guide on how to compromise a well secured account, I'm going to call bullshit. Everyone loves to blame technical shortcomings if they're hit by simple old fashioned social engineering.

     

    It is pretty easy...someone tried to hack my account a few times, even tried to tell me who I was, where I lived, who my family was...just simply by my "IP Address". But like I said before, fighting with someone who thinks they are right is like trying to fight with a moron about the sky being blue and the grass being green. There is no point in it, they will always be right in their minds.

  • Enko Member Posts: 10
    Originally posted by batolemaeus


    I haven't seen any proof of that. Just a load of FUD.
    So until there's good, solid proof with a good, solid step by step guide on how to compromise a well secured account, I'm going to call bullshit. Everyone loves to blame technical shortcomings if they're hit by simple old fashioned social engineering.

    This list was compiled by an IT professional that goes by the name of Mung on the Aion forums.

    Here's the step by step on compromising a NCSoft Master account. Log in, check to see if it's your account. If it is, log back out, then repeat until you get someone else's account. Multiple people on guru including a moderator have vouched for this.

    List of Known Vulnerabilities with the NCSoft Site:

    1. Wrong Account Bug. Sometimes simply logging into the NCSoft site takes you to someone else's account instead, with FULL CONTROL over that account. An attacker need only use a bot to log into their own account over and over until the bug occurs, then steal the account the bug gives them.

    2. Advanced Vulnerabilities Reported by Mung on Aion Forums

       - "SQL injection is apparently NOT prevented very well. [Mung] was able to send a basic acknowledge request and instead of "page not found" or "incorrect login" [Mung] received an SQL ack!"

       - "The ENTIRE web domain is unprotected from file mirroring (process of copying all files housed at the web host)."

       - "[T]he majority of the process functions for each page under the "secure.ncsoft.com" domain are scripted in PERL but referencing Javascript multiple times for all sorts of verifying processes. This can easily be manipulated to a user's intention."

    3. Brute Force Vulnerabilities

       - Login failure gives different error message for real usernames and non-usernames. An attacker can generate a list of valid usernames by systematically running all character strings against the NCSoft site's username field.

       - Security questions for password reset have dangerously small search spaces that can be guessed quickly. The birthday question (which is the default!) is particularly easy. So is the car color question.

       - Failed attempt at answering security questions that includes one correctly guessed question returns error message that tells user which question is correct. This vastly reduces search time for a brute force attack.

       - Password reset attempts are allowed too frequently. 5 attempts every 12 hours is too many given the small search spaces.

       - IPs attempting multiple failed logins or password reset attempts are not blocked, blacklisted, or greylisted.

       - Attacker can specify new NCSoft password immediately upon correctly guessing password reset questions. The system should create a random password and send it in a confirmation e-mail to the account's associated address.

       - The GW username is displayed from the NCSoft site. It should not be. This gives an attacker 1/3 of the GW login credentials.

       - Attacker can specify new GW password immediately upon accessing the NCSite. User should be required to enter old password and/or respond to confirmation e-mail to the account's associated address.

       - No countermeasures at all against brute forcing NCSoft password. (Gaile states that she has been told there are, but forum members making repeated failed login attempts did not encounter lockout, blacklisting, or increasing delay. Suspect Gaile has been misinformed by NCSoft staff.)

    4. GW usernames are present in old support tickets. This renders the new character name security question useless.
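
Added example (not part of the thread and not NCSoft or ArenaNet code): a Python login handler showing the countermeasures that the list in the post above says were missing, namely one identical failure message for real and non-existent usernames, a growing lockout per IP and per username, and a password change that requires the old password. The class name `LoginGuard`, its methods, and the thresholds (lockout from the third failure, starting at 30 seconds) are assumptions chosen for illustration.

```python
import hashlib, hmac, os

GENERIC_FAILURE = "Invalid username or password."  # same text for every failure
PBKDF2_ROUNDS = 100_000

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

class LoginGuard:
    """Hypothetical handler: uniform errors plus a growing lockout per key."""
    def __init__(self, clock):
        self.clock = clock                 # injectable time source, in seconds
        self.users = {}                    # username -> (salt, password hash)
        self.failures = {}                 # throttle key -> (count, locked_until)
        self._dummy_salt = os.urandom(16)  # hashed against for unknown usernames

    def register(self, username, password):
        salt = os.urandom(16)
        self.users[username] = (salt, _hash(password, salt))

    def _locked(self, key):
        return self.failures.get(key, (0, 0.0))[1] > self.clock()

    def _fail(self, key):
        count = self.failures.get(key, (0, 0.0))[0] + 1
        # No delay for the first two failures, then 30s, 60s, 120s ... up to 1h.
        delay = 0 if count < 3 else min(2 ** (count - 3) * 30, 3600)
        self.failures[key] = (count, self.clock() + delay)

    def login(self, username, password, ip):
        keys = (("ip", ip), ("user", username))
        if any(self._locked(k) for k in keys):
            return False, GENERIC_FAILURE  # no hint that a lockout is active
        # Unknown usernames do the same hashing work and get the same answer.
        salt, stored = self.users.get(username, (self._dummy_salt, b""))
        if not hmac.compare_digest(_hash(password, salt), stored):
            for k in keys:
                self._fail(k)
            return False, GENERIC_FAILURE
        # Only the username counter is cleared: a success on one account
        # must not reset the counter of an IP that is guessing at others.
        self.failures.pop(("user", username), None)
        return True, "OK"

    def change_password(self, username, old_password, new_password, ip):
        ok, _ = self.login(username, old_password, ip)  # old password is mandatory
        if ok:
            self.register(username, new_password)
        return ok
```
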
