I read an article recently talking about how a new virus can bypass Blizzard's authenticator. It got me thinking about why, exactly, accounts get hacked. Is it really just so that people (or companies) can strip gold and items from your character to sell for profit? I can't imagine that hacking is as prolific as it is if trolling is the main motivation. So, if it really is just to perpetuate the gold-selling market, why haven't there been more in-game precautions, like, I dunno, making it so that you can't give away everything you own to a player you've never had contact with before? Like a friends list and a trusted friends list or something. I'm not claiming to have all the answers; I'm mainly curious as to what I'm missing. What are the other factors and motives involved with hacking accounts?
Edit:
I'm going to rephrase my question a little. I wasn't asking so much why logistically, but about the prime motivation. I assumed money, but if that was the case, it seemed like there would be more in-game measures that could be taken which might trump technical security. Do you think that these measures aren't taken because they would remove too much player freedom, causing backlash? What are some ideas that you think would be acceptable, and still would mitigate theft?
Comments
Some game companies have improved safety precautions.
I like how ANet handles it:
If you log in from a different IP, you are required to verify the login via an email within 10 minutes.
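The new-IP check described in the post above, written out as an added example. This is not ArenaNet's code (their implementation is not on the page); it assumes an in-memory account store, an injectable clock so the 10-minute expiry can be exercised, and an `outbox` list standing in for the mailer. The security-relevant point is that a stolen username and password alone no longer log an attacker in from their own machine; they also need the mailbox, within the window.

```python
import hmac
import secrets
from datetime import datetime, timedelta

CHALLENGE_TTL = timedelta(minutes=10)   # the 10-minute window the post mentions


class AccountGuard:
    """Password login plus an email challenge whenever the source IP is new.

    Assumed/simplified for the example: accounts and known IPs live in memory,
    'sending' an email means appending to self.outbox, and the clock is
    injected so expiry can be tested without sleeping.
    """

    def __init__(self, now=datetime.now):
        self._now = now
        self.known_ips = {}   # account -> set of IPs that have passed a challenge
        self.pending = {}     # account -> (code, ip, expires_at)
        self.outbox = []      # (account, code) pairs a mailer would deliver

    def login(self, account, password_ok, ip):
        """Returns 'denied', 'ok', or 'verify_email' (a challenge was mailed)."""
        if not password_ok:
            return "denied"
        if ip in self.known_ips.get(account, set()):
            return "ok"
        # New IP for this account: issue a single-use, short-lived code.
        # Any earlier unanswered challenge for the account is superseded.
        code = secrets.token_urlsafe(16)
        self.pending[account] = (code, ip, self._now() + CHALLENGE_TTL)
        self.outbox.append((account, code))
        return "verify_email"

    def confirm(self, account, code):
        """Completes a pending challenge; on success the IP becomes known."""
        entry = self.pending.get(account)
        if entry is None:
            return "no_challenge"
        expected, ip, expires_at = entry
        if self._now() > expires_at:
            del self.pending[account]   # stale codes are dropped, not kept around
            return "expired"
        if not hmac.compare_digest(expected, code):
            return "bad_code"           # constant-time compare; code stays pending
        del self.pending[account]
        self.known_ips.setdefault(account, set()).add(ip)
        return "ok"
```

A real deployment would also rate-limit `confirm` per account and record which IP each challenge was issued for, so the confirming mailbox click enrols only the IP that asked, which is what the `ip` stored alongside the code does here.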
Being a network engineer, I can tell you most times it's users that are the problem. They use the same password everywhere. The email account they use for their MMO is the same email they use to sign up on every forum and web page on the net. Places like that are easy to hack and see what email you have and what password you used on those sites. If they can't log in with that info, then they hack your email and reset your password on your game account with your hacked email.
People also use really easy passwords and don't take time to come up with alphanumeric passwords. Take random words and string them together like theboatlikesblue, then change the t to 7 and the e to 3 and chuck in a random . , ! : somewhere in there, and your password is 10 times harder to crack. Chuck in a random capital as well and you're rocking.
Users are lazy and 90% of the problem! Go make a Hotmail account you use only for your MMO games and another email for the internet, and make unique passwords that have nothing to do with who you are. You like bowling? Then don't use the word bowling in your password. Don't use your birthday or your pet's name.
To your later question, here is the reason. Companies have tried and the players get mad over the restrictions. They want to have full control over their accounts. GW2 drove me nuts that I could not trade items with people and could only mail them three emails filled with items before you were blocked from any more for many hours. My wife and I play together and we could not trade mats at the speed we farmed them. Also they made a gold trade restriction on how much you could trade with players to stop that as well. You could trade no more gold than you had earned. This was to stop them from getting an account and making a level 1 char to send the bought gold; when they ban the account it's no skin off the gold sellers' noses. But this stopped players from giving money to friends so they could buy weapons and items when they joined the game. It was a huge pain. Again, 90% of the problem is the players, not the game companies.
Why do accounts get hacked? Simple. Money.
There are so many stupid people out there that buy gold and are willing to shell out big bucks for it.
As for Blizzard's account security measures: for the amount of "hacking" that occurs with their games, it's amazing how they still rely on the laughable account security they have in place.
Sure, some of it can be the user's fault by going to suspicious/fake websites, phishing emails, etc.
However, with so much money involved, who's to say some corrupt customer support member isn't in on it? /tin foil hat
Either way, I would never touch another Blizzard game until they make serious account security improvements.
-Azure Prower
http://www.youtube.com/AzurePrower
So, the measures that ANet took didn't mitigate the gold-sellers at all? What did they do to bypass them?
The main motivation behind hacking accounts is not trolling, but rather money. A lot of money has been made off of hacked accounts in the past, and if anything this has only gotten more lucrative since then.
As long as players continue to pay money for progression (gold, items, etc.), then there will always be a market for people who steal such things and resell them. It's not fair, it's not right, but it's a demon we ourselves have created. Unfortunately it doesn't seem to be going away any time soon, because the average gamer just wants to 'beat' the game, and doesn't seem to care how they do it.
Hack the accounts of players who are dumb enough to use the same email and passwords to sign up all over the net, use that account to sell the gold, and let the real player's account get banned. Then it takes 1-3 weeks of talking to support to get things worked out. Any measures a company takes to stop gold sellers won't work in the end unless players get smarter with their account info. This also only covers one area where gamers open themselves to getting hacked. We don't even need to start on things like add-ons, going to porn web pages and TV and movie download web pages that have one reason to be there: infect your PC to make money off you. From banking info down to stealing your account info for everything, down to what games you play. You also have to be smart about what free programs you install on your PC and where you get what's free off the internet. They make money off you one way or another.
^^This^^
Never used an authenticator, never had a game hacked. UO, AC1, DAOC, WoW, GW2, and a lot more I can't think of atm that I've played.
What happens when you log off your characters?
http://www.youtube.com/watch?v=GFQhfhnjYMk
From my experience my issues usually come from third-party programs in Windows. Windows doesn't have much protection, especially Windows XP (before there were things like User Account Control). Most people are administrators by default.
I find that there are a number of ways you can unwittingly get things like keyloggers, trojans, etc. when logged in as an administrator. Many can come from trusted websites in things like Flash ads.
One of the most helpful things I've found is Flash block and ad block. They are available in Windows versions of Chrome and Firefox. They block all ads/Flash unless you specifically allow it on a website. This can be done in Internet Explorer to an extent, but it isn't as user friendly from my experience.
Obviously email attachments can contain software with various different nasty things as well.
Some trusted software like Java will have annoying additional software installs during installation if you are not careful to uncheck them. This software can occasionally screw up your computer.
Third-party software many times has viruses. You have to be careful what you download and install. Usually free software from SourceForge is safe, but I wouldn't recommend installing software from random websites or places people suggest. When you download/install software from a torrent you are using it at your own risk lol. This is why tablets are so locked down to things like the app stores. Apple is even locking down OS X for desktop to App Store apps by default. Google does the same and Microsoft is heading in that direction. This is in part to protect people, in part to control people, and in part to make more money.
If you really want to protect yourself you can create a standard user. This generally prevents the installation of software on your PC; you can only install things into your own profile. If something bad happens you can usually just delete your profile and then start over again with a new one.
To be honest, Blizzard has some of the most secure accounts in the biz (after you remove the lugnut behind the keyboard). Apart from the usual password security, they have a system that locks your account down if your IP changes too drastically, and on top of that you can (in my mind should) attach a keyfob to your account. If it is good enough for my bank it is good enough for my WoW account. (Yes, I know there is a man-in-the-middle type attack now that bypasses the authenticator, or more correctly blocks you and jacks your auth code. But it is still a very inefficient way to do things.) Very few companies offer that kind of security.
As to why accounts get "hacked"... 9/10 human error. Heck, the very few times there is an actual hack attack it is not your U/P they are after but more juicy stuff like e-mail and payment info. Heck, more than a few times people willingly give their account info away to phishing e-mails or random people in-game in the hopes of making a quick buck or getting some free loot.
There is no way to design a system that is lugnut proof.
This has been a good conversation.
Trojan.
As bad as this may be, there may be a silver lining: the addons that WoW players use that are not so optional anymore (like DBM, as encounters are built around it now) can be implemented in the game itself. This is because the Lua code has been proven to compromise the computer (i.e., when the modder for Auctionator's account was hacked, and the hacker uploaded his file onto Curse), so no one can say now that the Lua code in the addons is safe; it can and has compromised accounts.
Playing WoW without addons is like driving a barebones car, so if more and more attempts are made on addons to bypass authenticators (or compromise them), it's time for Blizzard to start adding the must-haves, like DBM, since they now build raids around it. Recount/Omni and a decent healing UI are also must-haves.
Don't want to get hacked... READ THIS!!!! Here is what I use and it's really safe: Hotmail aliases. Click below to learn how to make one, and this is how to use it so you never get hacked again. Make a new Hotmail account and never use it on the internet or anywhere for that matter. Don't tell anyone about it. Now make an alias under that Hotmail account and use that on the internet for everything. Now if someone hacks a forum and gets your email address, they can't hack your Hotmail account as they are trying to log in with the wrong email address. Next make an alias for each MMO you play and change your email on each MMO. For WoW make it wow999@outlook.com and for Rift use rift222@outlook.com. Now if Blizzard does get hacked like they did once, the hacker only has an alias for that game and can't get access to any other games with that email and password they got from hacking. Best part: you only need to log into one place to get all your email. Any questions?
A lot of gold farmers are basically organized crime, doing whatever they need to do to make money and operating from places beyond the reach of your local police. If some are willing to do credit card fraud, it shouldn't be so surprising that they'll try to steal accounts. If it's easier to "farm" gold by stealing it off of real players' accounts than by having bots or humans farm it, then that's what they'll do.
As for why there isn't better account security, there are a variety of problems. One is that a lot of users are stupid. It's not just about picking weak passwords. Sometimes the problem is using exactly the same username and password for a game as for some other site like this one that doesn't have any real reason to fear being hacked. Sometimes it's giving your account information to someone who isn't trustworthy, who promptly uses the login credentials you just gave him to "hack" your account.
There's also the problem that, even if a company wants to implement strong security measures, how do you do it? If you don't have any real security expert in-house and want to hire one, how do you tell if he really knows what he's doing? Even some really big tech companies worth billions have made some colossal security blunders. I don't mean just the "hackers stole a database with 10 million accounts" stuff; that's hard to defend against. But there are some real "how could anyone ever think this was a good idea?" moments, such as RockYou's storing over 30 million passwords completely in the clear.
I didn't mean the measures with their security, but the in-game measures they have. You mentioned that they implemented limitations on how much of a character's goods can be transferred. What did hackers do to bypass that?
Most hacked accounts are actually just used as a means of selling goods on the AH and quickly funneling the proceeds to other accounts which are then used for gold selling. A lot of it is handled by botting programs, so efficiency is really high.
I actually had an account get compromised once. I logged out for about 15 minutes after a long session. When I logged back in, my character was in a different city, had about 20k gold (this was around the beginning of WotLK, and quite a bit of gold), and my AH had dozens of BoE purples listed (none of which I ever had). They did all that in 15 minutes.
After getting it straightened out with Blizzard, I got curious and did some real research into the whole thing, including looking at the programs and stuff they run to make it all happen. It seems that my account, for whatever reason, was used as a central account where other hacked accounts sent their gold and items. It was actually really crazy.
I mentioned a few they did, and they didn't stop them; as I said in the above post, they just used hacked gamers' accounts to bypass it. Why? Because people are too lazy to make it hard to hack their account. So for one, in GW2 you could not trade more gold than you had earned, so at level 5 you had earned 40 silver and so you could not give more than 40 silver to another player. Gold farmers will have an account they farm the gold with (high level char), and then they make a new account and with a level 1 char they use that account to sell the gold to players. Now ANet bans the low level account for gold selling and it's no skin off their noses because the account that's making the gold is still open. So now the gold farmers just focused more on gamers with bad passwords, like I mentioned in my other posts in this thread: use a player's account to sell the gold rather than just opening a new account with a level 1 char. Again, like I said before, game companies can take all sorts of steps to stop gold farmers, but if the players remain lazy with their email and passwords it won't matter. It's like a chain; it's only as strong as its weakest link, and gamers are 90% of the problem. If people also stopped buying gold, the number of hacked accounts would drop to a nominal amount.
The other was that you could not trade with players, only in-game mail them, and you could only send 3 in-game mails of items before you were restricted from sending any more for X amount of time. Again, hacking players' accounts was the answer, and gamers make it easy for them to do so. A farmer hacks 3 accounts and now he sends each hacked account 33% of what he earned so he can send 3 times as many in-game mails with his hacked accounts. There were other steps ANet took, but in the end the more measures ANet took, the more the gold farmers focused on hacking accounts to make up what they lost and make gold/money other ways. You tell me a way that's better to stop gold farmers and I will tell you how hacked accounts will help get around your idea, or how your idea will hinder the player so they demand the restriction is removed.
Many modern free to play MMOs have additional security systems in place, like the use of PINs after character select, email verification codes for logging in from new IPs/Computers and more.
Western companies are slow to adopt such practices, many citing people leaving because of them as a reason not to do them. I've seen it before, where you have a mandatory complex password requirement on sign up and 70%+ of visitors don't sign up; without that complex requirement, 30% don't sign up. The difference is huge.
Most hacking though isn't really hacking; it is either brute force login attempts, running a list of public email addresses/potential usernames against the login form with logic-based passwords until they get through, or trojan keyloggers on the user's computer. As we've seen with the latest scare, such a trojan is embedded in a fake Curse client. Quite why anyone would download the Curse client from anywhere other than the Curse site baffles me though.
Users are simply, on average, stupid and lazy. Most of the people here I expect are more than capable of avoiding such scenarios, but most MMO gamers would never come to a site like this; they just play and live in their own little bubble of ignorance.
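The "list of public email addresses run against the login form" pattern the post above describes is credential stuffing, and from the server side it has a recognisable shape: one source address tries many distinct accounts in a short window, and most attempts fail. The detection below is an added example, not anything from the page or from any game company; the log lines are constructed for it, and the `ip=... user=... result=...` format, the thresholds, and the window are all assumptions. It deliberately leaves the single-account brute-force case (one user, many failures) alone, since that is a different signal with a different response.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log, not real data. One source tries eight
# different accounts in seven seconds and lands two of them; another hammers
# a single account; a third is an ordinary login.
SAMPLE_LOG = """\
2013-01-10T12:00:01Z ip=198.51.100.7 user=alice result=FAIL
2013-01-10T12:00:02Z ip=198.51.100.7 user=bob result=FAIL
2013-01-10T12:00:02Z ip=198.51.100.7 user=carol result=FAIL
2013-01-10T12:00:03Z ip=198.51.100.7 user=dave result=OK
2013-01-10T12:00:04Z ip=198.51.100.7 user=erin result=FAIL
2013-01-10T12:00:05Z ip=198.51.100.7 user=frank result=FAIL
2013-01-10T12:00:06Z ip=198.51.100.7 user=grace result=FAIL
2013-01-10T12:00:07Z ip=198.51.100.7 user=heidi result=OK
2013-01-10T12:01:00Z ip=203.0.113.5 user=ivan result=FAIL
2013-01-10T12:01:05Z ip=203.0.113.5 user=ivan result=FAIL
2013-01-10T12:01:10Z ip=203.0.113.5 user=ivan result=OK
2013-01-10T12:02:00Z ip=192.0.2.44 user=judy result=OK
"""

# Assumed log format for this example.
LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(OK|FAIL)$")


def parse_log(text):
    """Returns a list of (timestamp, ip, user, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed lines are skipped rather than crashing the job
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4) == "OK"))
    return events


def find_credential_stuffing(events, window=timedelta(minutes=10),
                             min_users=5, max_success_rate=0.5):
    """Flag source IPs that touch >= min_users distinct accounts inside
    `window` with a success rate at or below max_success_rate.

    A legitimate shared NAT can also show many users from one IP, but it
    shows a high success rate; stuffing a leaked list does not.
    Returns {ip: summary}, with the accounts that were actually opened so
    that those can be forced through a reset or step-up first.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        end = 0
        for start in range(len(evs)):
            # Slide the window forward: evs[start:end] all fall within `window`.
            while end < len(evs) and evs[end][0] - evs[start][0] <= window:
                end += 1
            chunk = evs[start:end]
            users = {u for _, u, _ in chunk}
            if len(users) < min_users:
                continue
            successes = sum(1 for _, _, ok in chunk if ok)
            if successes / len(chunk) <= max_success_rate:
                findings[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(chunk),
                    "successes": successes,
                    "hit_users": sorted(u for _, u, ok in chunk if ok),
                }
                break  # one finding per IP is enough to act on
    return findings
```

The `hit_users` list is the operationally useful output: those are the accounts whose reused password just worked for someone else, and they need a forced reset or a step-up challenge before the gold leaves them, not just a block on the source IP.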
Actually I do not understand why they require a password at all. It should be an optional thing that is only used if you use a public PC or to keep your children out (i.e. a parental thing).
When you log into a game it should ask you for your email and then work only on the machine you installed the game onto (maybe up to three machines for that account as an option).
If you need to add a machine you should be required to log on from the machine in question first and also reply from the email if you want instant access.
If your old machine DIED and it was the only way into the system, then you should have a 1 week waiting period to get a transfer to the new machine, which would also require the email address response and that the old machine not log in during the period. (YES, for people who care, it would be best if you set up your portable and your main computer as potential playsites so you can add from the portable if your PC dies.)
Note also you could set it up so your smartphone had a confirmation app to avoid the above.
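The device-bound scheme proposed in the post above, as an added example that is not the poster's code or any game's implementation. It follows one reading of the proposal: a new machine enrols by logging on first and then answering an email, up to three machines; when the slots are full and a registered machine is dead, a transfer replaces it after a one-week wait that is cancelled if the "dead" machine logs in. Assumptions: a device is identified by an opaque `device_id` string (in production that would be a key in the OS keystore proven by signature), "email" is an `outbox` list, and the clock is injected so the wait can be tested.

```python
import secrets
from datetime import datetime, timedelta

MAX_DEVICES = 3                    # "maybe up to three machines"
TRANSFER_WAIT = timedelta(days=7)  # the one-week waiting period


class DeviceBoundAccount:
    """Passwordless account that works only from registered machines.

    Example-only simplifications: device_id is a plain string the client
    presents, emails are appended to self.outbox, and `now` is injectable.
    """

    def __init__(self, email, now=datetime.now):
        self.email = email
        self._now = now
        self.devices = {}      # device_id -> last login time
        self.pending_add = {}  # device_id -> email token awaiting reply
        self.transfer = None   # in-flight dead-machine replacement
        self.outbox = []       # (kind, device_id, token) a mailer would send

    def login(self, device_id):
        if device_id in self.devices:
            self.devices[device_id] = self._now()
            # A machine declared dead is evidently alive: cancel the transfer.
            if self.transfer and self.transfer["old"] == device_id:
                self.transfer = None
            return "ok"
        if len(self.devices) >= MAX_DEVICES:
            return "device_limit"
        # Unknown machine has now "logged on first"; the email reply
        # finishes enrolment immediately.
        token = secrets.token_urlsafe(16)
        self.pending_add[device_id] = token
        self.outbox.append(("add-device", device_id, token))
        return "awaiting_email_confirmation"

    def confirm_add(self, device_id, token):
        expected = self.pending_add.get(device_id)
        if expected is None or not secrets.compare_digest(expected, token):
            return "rejected"
        del self.pending_add[device_id]
        self.devices[device_id] = self._now()
        return "ok"

    def request_transfer(self, new_device, old_device):
        """Replace a dead registered machine with a new one after the wait."""
        if old_device not in self.devices:
            return "unknown_device"
        token = secrets.token_urlsafe(16)
        self.transfer = {"new": new_device, "old": old_device, "token": token,
                         "confirmed": False,
                         "ready_at": self._now() + TRANSFER_WAIT}
        self.outbox.append(("transfer", new_device, token))
        return "awaiting_email_confirmation"

    def confirm_transfer(self, token):
        t = self.transfer
        if t is None or not secrets.compare_digest(t["token"], token):
            return "rejected"
        t["confirmed"] = True
        return "waiting_period_started"

    def complete_transfer(self, new_device):
        t = self.transfer
        if t is None or t["new"] != new_device:
            return "no_transfer"
        if not t["confirmed"]:
            return "not_confirmed"
        if self._now() < t["ready_at"]:
            return "still_waiting"
        del self.devices[t["old"]]
        self.devices[new_device] = self._now()
        self.transfer = None
        return "ok"
```

The wait plus the cancel-on-login rule is what makes the transfer path safe to expose without a password: an attacker who controls only the mailbox must also keep the real owner off their own machine for a week, and the owner's next login silently voids the attempt.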
Curse (the name really applies!) has problems from Flash payload injections to the Auctionator modder whose account was hacked, the hacker using the modder's account to upload a malicious version of the addon. So even without the Curse client itself, as long as addons can be used to inject malicious code, it will happen again (they can return to the older method of eyeballing the code before approving it for upload, though, but that may mean a week's delay on updates).
I just wish Blizzard would update and improve their UI, instead, so we wouldn't need essential addons in the first place -- DBM is no longer optional when Blizzard builds raids around it, for example.
A user gets hacked, gets their account banned, and then spends weeks trying to get it back and get their characters re-made. They come to websites like this and whine, whine, whine that they weren't in the wrong and it wasn't them that did the things that the person who hacked their account did.
After you question them a few times, you finally find out that they went to those "free" websites for music, "recreational activities", and websites that are less secure than others. They don't scan their computers for viruses, and they log on to their account from computers that aren't their own. They use horrible passwords that a 4-yr-old can crack, and email addresses that they've signed up for everything with since the internet began.
Translation: The average user is an idiot that shouldn't own a computer.
It is tough, but what can you do? Companies can only go so far. Some do more than others, that much is certain. Authenticators are definitely a big bonus, as well as IP recognition. A combination of the two is better.
A virus / malware is not why accounts are getting hacked. The companies in question have a very prehistoric vulnerability management process and are not patching their 3rd party applications. Thus blackhats (hackers) are finding exploits (vulnerabilities) in certain applications and gaining remote (from outside the company) access into their networked environment.
Most everyone patches Windows products when prompted to do so by update reminders. 3rd party applications (non-Microsoft) are usually left unpatched and vulnerable.
Many companies have many solutions for this. They can prove expensive to scan and roll out patches for, for small and even large companies. So instead of being secure, they do this all manually to save the money and miss a lot, thus missing many patchable vulnerabilities. Impacts of these exploits vary, but a lot of exploits allow intruders to gain access to sensitive materials and to your account information.
The short version is that most MMO companies are too cheap to spend money on solutions to give them a proper vulnerability management process.
This
The frequency with which my and some friends' accounts were compromised when we were not actively subscribed to WoW made me pretty certain that your tinfoil hat is both stylish and appropriate and that someone there is making some money with lists of inactive accounts.
Email verification isn't a reliable method either, given that most people who have their MMO account breached are likely to have their email breached through similar methods.
The only things I'd suggest are an additional password within the game client with a forced mouse-to-button input method, where the keypad randomises button locations on each client start (an example of this is in Aura Kingdom and most modern Asian MMOs).
Alternatively, a verification code by SMS to authenticate new computers/IPs on first login, within the game client as well. Gmail does this if you add your mobile/cell phone number to it and set the right security permissions. Though this method is expensive for the game developer/publisher and inconvenient for the gamer.
Most people can remember a PIN more easily than a password, so there's less chance of it being written down or saved on the computer/email somewhere, plus a randomised keypad makes brute force attacks difficult, compared to a normal form field and keyboard input.
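The randomised on-screen keypad described above, server side, as an added example (not code from Aura Kingdom or any other game). The part that matters is that the client never sends digits: it sends the slot positions the user clicked, and only the server knows which digit sat in each slot for that one session. A keylogger or click-logger that captures the positions gets something that is meaningless under the next layout. Two practitioner caveats are built in: the layout is single-use, and because a 4-digit PIN has only 10,000 possibilities, it is the server-side attempt counter, not the shuffling, that actually stops online guessing. A screen-grabber that captures the rendered layout alongside the clicks defeats the scheme; that is outside what this example addresses. Hash parameters, `MAX_ATTEMPTS`, and the session-id format are assumptions.

```python
import hashlib
import hmac
import secrets

PIN_LENGTH = 4
MAX_ATTEMPTS = 5          # assumed lockout threshold
PBKDF2_ROUNDS = 50_000    # assumed; tune to the server's budget


def hash_pin(pin, salt=None):
    """Salted PBKDF2 of the PIN; returns (salt, digest)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class KeypadPinServer:
    """Holds one account's PIN hash and the per-session keypad layouts."""

    def __init__(self, pin):
        self.salt, self.digest = hash_pin(pin)
        self.layouts = {}   # session_id -> digits in slot order (single use)
        self.failures = 0   # consecutive wrong attempts; lockout counter

    def new_session(self):
        """Returns (session_id, layout). The client renders layout[i] on
        button i; the server remembers the mapping for this session only."""
        sid = secrets.token_hex(8)
        layout = list("0123456789")
        secrets.SystemRandom().shuffle(layout)   # CSPRNG shuffle, not random.shuffle
        self.layouts[sid] = layout
        return sid, layout

    def verify(self, sid, clicked_slots):
        """clicked_slots are button indices, never digits."""
        layout = self.layouts.pop(sid, None)    # a layout is good for one attempt
        if layout is None:
            return "no_session"
        if self.failures >= MAX_ATTEMPTS:
            return "locked"
        if (len(clicked_slots) != PIN_LENGTH
                or any(not 0 <= s < 10 for s in clicked_slots)):
            self.failures += 1
            return "bad_pin"
        candidate = "".join(layout[s] for s in clicked_slots)
        _, digest = hash_pin(candidate, self.salt)
        if hmac.compare_digest(digest, self.digest):
            self.failures = 0
            return "ok"
        self.failures += 1
        return "bad_pin"


def slots_for(layout, pin):
    """What an honest client sends: the slot index of each PIN digit on
    this session's layout. Shown here only to drive the example."""
    return [layout.index(ch) for ch in pin]
```

Replaying captured slots against a fresh layout decodes to some other 4-digit string almost every time (it only matches if the new shuffle happens to put the same digits in those slots), so the replay burns one of the `MAX_ATTEMPTS` and tells the attacker nothing about the PIN.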