Howdy, Stranger!
It looks like you're new here. If you want to get involved, click one of these buttons!
Quick Links
Guild Wars Account Hacking
Enko
Member Posts: 10
Think mmorpg.com could write up a news story concerning this?
http://www.guildwarsguru.com/forum/account-hackings-source-t10419779.html
It doesn't look like we'll be able to get the attention of NCSoft or Arena.Net in any other way. Account hacking has been going on largely uncombatted by the company who refuses to admit that they have a problem with their site.
Comments
You have 1 post. You dont explain anything... and you have to click 3 links deep and read through a horribly formatted wiki to even figure out what that stuff is talking about.
Last time I logged into Guild Wars there was in big, bright red text a warning about rampant account hacking, and they made me not only give my password but answer an additional security question. Explain to me how they "aren't admitting it" and "Aren't doing anything to combat it" again?
Tried: LotR, CoH, AoC, WAR, Jumpgate Classic
Played: SWG, Guild Wars, WoW
Playing: Eve Online, Counter-strike
Loved: Star Wars Galaxies
Waiting for: Earthrise, Guild Wars 2, anything sandbox.
Seems to be a lot of this going on. Ive seen other posts about WOW hacking as well. I received an email myself about an attempt to sell my WOW account and how it could be banned etc etc, so perhaps someone got it. So its not just GW. I realize its been going on for a long time but just seems to be more of it lately.
I am hoping your kidding. i get like 5 of those emails per day... the "from" field has been edited to make it look like its from blizzard... those emails are not from blizzard. They are trying to get you to click their links and then log into a fake site so it can steal your password
I dont have a WOW account and i get those emails.
I am hoping your kidding. i get like 5 of those emails per day... the "from" field has been edited to make it look like its from blizzard... those emails are not from blizzard. They are trying to get you to click their links and then log into a fake site so it can steal your password
I dont have a WOW account and i get those emails.
I didnt click anything i deleted it as junk mail. If it was from Blizz its of no matter as ive quit the game and do not care. Funny how they are only coming about WOW if its a hack attempt. Also seems odd you would get 5 per day if youve never played the game.
[quote=Abrahmm]
Last time I logged into Guild Wars there was in big, bright red text a warning about rampant account hacking, and they made me not only give my password but answer an additional security question. Explain to me how they "aren't admitting it" and "Aren't doing anything to combat it" again?[/quote]
You do realize that the additional security question is just the name of one of your characters which can be found if you're active on any kind of forum. Anet added that change which would've blocked a lot of the attempts. The main problem was that you could get into a random ncsoft master account by continually logging in and out until it sent you to someone else's account. From there you had total control and could change their passwords. You would also be able to view all of the private information associated with that account. NCSoft just made a change in the past hour or so that now requires us to put in the old password to change them so now after that thread's been posted on guru, they're finally actually doing something about it.
Before this, if you look at the explanations for all the account hacking that's been going on, NCSOFT (not Anet who doesn't have control of the master accounts) has continually claimed that its not an issue with their software or website.
These have been getting reported to NCSoft since October on the Aion forums and they continually say that its not them. They finally added in the requirement to know the old password to change a game account's password in the past few hours so they're finally doing something after it was shown how the master accounts were being broken into.
List of Known Vulnerabilities with the NCSoft Site:
* 1. Wrong Account Bug. Sometimes simply logging into the NCSoft site takes you to someone else's account instead, with FULL CONTROL over that account. An attacker need only use a bot to log into their own account over and over until the bug occurs, then steal the account the bug gives them.
* 2. Advanced Vulnerabilities Reported by Mung on Aion Forums
o "SQL injection is apparently NOT prevented very well. [Mung] was able to send a basic acknowledge request and instead of "page not found" or "incorrect login" [Mung] received an SQL ack!"
o "The ENTIRE web domain is unprotected from file mirroring (process of copying all files housed at the web host)." Chthon's note: HOLY SHIT! That's very bad....
o "[T]he majority of the process functions for each page under the "secure.ncsoft.com" domain are scripted in PERL but referencing Javascript multiple times for all sorts of verifying processes. This can easily be manipulated to a users intention."
* 3. Brute Force Vulnerabilities
o Login failure gives different error message for real usernames and non-usernames. An attacker can generate a list of valid usernames by systematically running all character strings against the NCSoft site's username field.
o Security questions for password reset have dangerously small search spaces that can be guessed quickly. The birthday question which is the default!) is particularly easy. So is the car color question.
o Failed attempt at answering security questions that includes one correctly guessed question returns error message that tells user which question is correct. This vastly reduces search time for a brute force attack.
o Password reset attempts are allowed too frequently. 5 attempts every 12 hours is too many given the small search spaces.
o IP's attempting multiple failed logins or password reset attempts are not blocked, blacklisted, or greylisted.
o Attacker can specify new NCSoft password immediately upon correctly guessing password reset questions. The system should create a random password sent in a confirmation e-mail it to the account's associated address.
o The GW username is displayed from the NCSoft site. It should not be. This gives an attacker 1/3 of the GW login credentials.
o Attacker can specify new GW password immediately upon accessing the NCSite. User should be required to enter old password and/or respond to confirmation e-mail to the account's associated address.
o No countermeasures at all against brute forcing NCSoft password.(Gaile states that she has been told there are, but forum members making repeated failed login attempts did not encounter lockout, blacklisting, or increasing delay. Suspect Gaile has been misinformed by NCSoft staff.)
* 4. GW usernames are present in old support tickets. This renders the new character name security question useless.
Same here. Not sure where the OP gets that ANet is not aware of the problem. They tell me about it everytime I log in.
Same here. Not sure where the OP gets that ANet is not aware of the problem. They tell me about it everytime I log in.
I said NCSoft won't admit its a problem. Anet has done stuff like making the ingame announcements and now requiring us to have a character name as well. NCSoft has known about these issues since October.
Ugh, well that's disappointing. ANet needs to find another publisher, NCSoft has always been weak about security. So basically anyone who has a NCSoft master account is at risk.
well now that a big enough stink's been made about it, as of an hour ago, they now require the old passwords to change account passwords now. both gaile and regina have said that ncsoft is working on it now. What is upsetting a lot of people is that it took customers finding the issues and reporting them and nothing was done for 3 months now. Some of the issues should never have made it to a live server if they had any kind of competent web programmers. They are taking steps finally so hopefully they'll continue and these problems will be fixed.
Alot of hacked accounts is due to the fact that the player has given a non-official blizzard website their password thinking that they are going to be receiving special benefits, blah blah blah. Its either that or an account trade was performed, but account trades can easily be turned into a scam by giving the other trader a fake account, so don't even try it. I'm also sure hacks can occur by viruses such as a keylogger, a virus that logs what you type,so a virus scanner and firewall could further optimize your security. Malacious software in general often gets onto a computer by popups and/or downloading files off the internet, so make sure whatever your downloading is legit.
Summary of some ways to get hacked:
Bad Security:
Bad security includes having no firewall/virus scanner, having an obvious password (such as it being similiar to your username), and ignoring symptoms of malacious software on your computer (spyware, viruses, etc.). There are some useful free virus scanners out there, but be careful where you look.
Stupidity:
Like I said in the first paragraph, alot of times it is the player's fault his account got hacked. Don't fall for somebody telling you something like this:
"Click here to download Guild Wars 2 for free! Enter your Guild Wars Campaign username and password in the boxes below."
Now, if you are up to date on your gaming news, GW2 does not come out for another few months. The person behind this kind of scam would be smart to do this because GW2 is a highly anticipated game and some people aren't patient or willing enough to wait for it. When you download that file, malacious software will be on your computer, and probably, will lead you to a fake GW2 login site, and when you do, its also very probable that when you try to login with your so called "new login and password" it will say something like this:
"Servers are full at the moment. Please try again later."
Then you keep trying to login and login and login then finally, when you try to login onto the real Guild Wars, you won't be able to. A lesson learned.
Account Trading/Real world trading scam:
This kind of goes with stupidity. Sometimes, people get a little too desperate. They ruin the game by trading other gaming accounts or real world items/money for another gaming account that they want, simply because they are too lazy to do the leveling themselves. The person trading you their account will, alot of times, give you a false account. So, there goes your wasted month's work of money.
I'm sure there are even more ways that you could get hacked, but the above are only the most common ones. Follow those guidelines and you will be playing your level 20 mesmer, your level 80 priest, or whatever game you play, happily and safely.
Happy New Years!
-zco12
that's what a lot of us originally thought when people kept complaining they were hacked. we now find out that wasn't the problem for everybody as some people's ncsoft master accounts were able to be logged into by other people by a problem with nscoft's website (you can randomly get logged into someone else's account instead of your own).
While i'm sure there are some accounts that were stolen due to what you're saying, there were quite a few people who said that they followed good internet security and still had their accounts stolen.
when i played aion i went to check on the aion site to see if i got mail and ended up getting somebody elses acct pop up when i log into the website after logging out and logging back in a few times it went back to normal
but i must say that i was shocked to see how bad the website is the acct i was logging into was a bot at that since the characters stuff was all basic just the starter stuff and the toon was lvl 10 the exact amount needed to be able to talk in chat and was a gladiator
it was quite clear from what i saw that this was a hacked acct since the name seemed legit but the toon was not
that was a different issue that was apparently only cosmetic. the issue with the ncsoft MASTER accounts was similar except that if you got into someone else's account, you had full control. You could view private information and change any passwords for accounts linked to the master account without any other verification. They have remedied since a few hours ago by requiring the old passwords to change the password now. This still doesn't close off that you can still view people's private information if you get into their master account. It's a good start but NCSoft still needs to fix all of the other security flaws in their system.
cosmetic? really i dont think so i was able to go in and change passwords and change cc info on the other acct if i had so desired the gw acct page and aion acct page are quite a bit the same they are all linked by the ncsoft master acct webpage
this is not cosmetic this is a severe lack of any intelligent thought on their part and i would not be suprised to see a decline in sales and a decline in hype for gw2 over this
even from gaile's own discussion leads to a point where they knew it was happening but chose to ignore it which is not very smart in any case
my password has never been asked to be changed only the security question about acct characters
I am hoping your kidding. i get like 5 of those emails per day... the "from" field has been edited to make it look like its from blizzard... those emails are not from blizzard. They are trying to get you to click their links and then log into a fake site so it can steal your password
I dont have a WOW account and i get those emails.
ya I get those also. Funny thing is, they get sent to my hotmail account and not the account linked to my battlenet account.
Heres a tip: If you use forums, register on guild web sites or anything else that has nothing to do with your credit card, link them to a seperate email address from things that have your credit card info. IE. use gmail or hotmaill for mmorpg.com and use a different email for your battlenet account, banking etc. A lot of times phishers are getting your email info from these sites and sending you an email phish to get your info
"If you want a picture of the future, imagine a robot foot stomping on a human face -- forever."
Sorry. Thought you were talking about the other issue Aion is having. Apparently on the Aion site where you can log in to check your stuff, it welcomes you with someone else's account name sometimes but everything else is your's.
The NCSoft Master Account log in issue is the huge problem.
Stop using gold farmers and 3rd party programs and you wont keep getting hacked.
Yeah, because you know those are the ONLY two ways you can EVER EVER EVER get hacked....*rolls eyes*
they have more security then most mmos so that they arent doing anything against it is bullshit and like i tell the 99% of the people who get hack they dont sit there and try random emails with random passwords that doesent work they use phishing sites and your dumb enough to type your info in or use the same email and password to your email and game to every website you register to no wonder you get hacked its not THERE fault ITS YOURS!! get it? cant get simpler then this
Oh yes...because everyone who gets hacked does this. Wow, no one has ever thought of this before. Let us blame the people who got hacked instead of the hackers. They went to the site, whatever site that might be, even if 99% are actually blocked by Firefox as a form of a bad website, even with no script on, you can still get hacked. People are just retarded, it is their fault, nothing else can happen to get them hack, it is their own stupidity. Yep.
Oh yes...because everyone who gets hacked does this. Wow, no one has ever thought of this before. Let us blame the people who got hacked instead of the hackers. They went to the site, whatever site that might be, even if 99% are actually blocked by Firefox as a form of a bad website, even with no script on, you can still get hacked. People are just retarded, it is their fault, nothing else can happen to get them hack, it is their own stupidity. Yep.
so what do you except arenanet to do about stupidity of the retards who do that? they have no reason to be blamed for your stupidity they cant do anything against you not clicking them except the big red announcment text everytime you login what do you want from them a fucking eye scan? like i said its your fault and your fault alone theres only so much they can do hell they even changed so you have to type in your char name everytime now when you login
Oh yes...because everyone who gets hacked does this. Wow, no one has ever thought of this before. Let us blame the people who got hacked instead of the hackers. They went to the site, whatever site that might be, even if 99% are actually blocked by Firefox as a form of a bad website, even with no script on, you can still get hacked. People are just retarded, it is their fault, nothing else can happen to get them hack, it is their own stupidity. Yep.
so what do you except arenanet to do about stupidity of the retards who do that? they have no reason to be blamed for your stupidity they cant do anything against you not clicking them except the big red announcment text everytime you login what do you want from them a fucking eye scan? like i said its your fault and your fault alone theres only so much they can do hell they even changed so you have to type in your char name everytime now when you login
Fighting with people who think they know what they are talking about is like fighting with a moron over the sky being blue and the grass being green. I'd stop right here, because there is no point on trying to prove anything to someone about anything when they think they are right and everyone else in the world is wrong. Congrats, man, you just showed the world you think you know what you are talking about...and yes, it is everyone else's fault, they are the idiots....you are absolutely correct.
Oh yes...because everyone who gets hacked does this. Wow, no one has ever thought of this before. Let us blame the people who got hacked instead of the hackers. They went to the site, whatever site that might be, even if 99% are actually blocked by Firefox as a form of a bad website, even with no script on, you can still get hacked. People are just retarded, it is their fault, nothing else can happen to get them hack, it is their own stupidity. Yep.
so what do you except arenanet to do about stupidity of the retards who do that? they have no reason to be blamed for your stupidity they cant do anything against you not clicking them except the big red announcment text everytime you login what do you want from them a fucking eye scan? like i said its your fault and your fault alone theres only so much they can do hell they even changed so you have to type in your char name everytime now when you login
Fighting with people who think they know what they are talking about is like fighting with a moron over the sky being blue and the grass being green. I'd stop right here, because there is no point on trying to prove anything to someone about anything when they think they are right and everyone else in the world is wrong. Congrats, man, you just showed the world you think you know what you are talking about...and yes, it is everyone else's fault, they are the idiots....you are absolutely correct.
dont get butt hurt cause you know i am right kkthxbye
Oh yes...because everyone who gets hacked does this. Wow, no one has ever thought of this before. Let us blame the people who got hacked instead of the hackers. They went to the site, whatever site that might be, even if 99% are actually blocked by Firefox as a form of a bad website, even with no script on, you can still get hacked. People are just retarded, it is their fault, nothing else can happen to get them hack, it is their own stupidity. Yep.
so what do you except arenanet to do about stupidity of the retards who do that? they have no reason to be blamed for your stupidity they cant do anything against you not clicking them except the big red announcment text everytime you login what do you want from them a fucking eye scan? like i said its your fault and your fault alone theres only so much they can do hell they even changed so you have to type in your char name everytime now when you login
Fighting with people who think they know what they are talking about is like fighting with a moron over the sky being blue and the grass being green. I'd stop right here, because there is no point on trying to prove anything to someone about anything when they think they are right and everyone else in the world is wrong. Congrats, man, you just showed the world you think you know what you are talking about...and yes, it is everyone else's fault, they are the idiots....you are absolutely correct.
dont get butt hurt cause you know i am right kkthxbye
Oh yes, great guru of the internet, you are right. Absolutely and totally right, you know all. *rolls eyes* Yep....you are the greatest, I am so butt hurt by you being soooooo right.