|
Title: Security Issues Post by: Hawkbit on August 29, 2012, 10:48:07 AM I've got at least 10 emails in the last few days from Anet, people trying to change the password on my account. Hell, six of them are from within the last few hours.
Not that we need to be told - :awesome_for_real: - but make sure you have a strong password. It seems the hackers are going after this game hard. Title: Re: Security Issues Post by: Malakili on August 29, 2012, 10:50:52 AM Yeah, just got one of those myself
Title: Re: Security Issues Post by: Rasix on August 29, 2012, 10:50:53 AM Yep, I've gotten 2 emails already. I assume more will come.
Title: Re: Security Issues Post by: kildorn on August 29, 2012, 10:52:12 AM I've had one so far.
Title: Re: Security Issues Post by: 01101010 on August 29, 2012, 10:57:50 AM Three thus far... 10:35, 11:11, and 12:46. My abcd1234!@ passwords cannot be deciphered!!
Title: Re: Security Issues Post by: Trippy on August 29, 2012, 11:22:54 AM Change your account login -- your email you sign on with -- which is not to be confused by the email address A.Net sends notifications to which can be different :oh_i_see:
Title: Re: Security Issues Post by: kildorn on August 29, 2012, 11:47:35 AM The lack of brute force protection is probably the first clownshoes IT thing I've seen from them. I wonder how much drama that actually would cause gaming companies.
Title: Re: Security Issues Post by: Ginaz on August 29, 2012, 12:22:11 PM Emails are fake and not from ANet. I got 6 or 7 to an email thats not tied to my GW2 account. As always, don't click on anything. Change your password if you want but do it directly from their site and not the link in the emails.
Title: Re: Security Issues Post by: Amaron on August 29, 2012, 12:25:01 PM Do you mean you're getting mails from the password reset system? I would think they wouldn't bother with that if they didn't have access to your email account.
Title: Re: Security Issues Post by: Ginaz on August 29, 2012, 01:33:41 PM Do you mean you're getting mails from the password reset system? I would think they wouldn't bother with that if they didn't have access to your email account. I have a seperate email account I use only for a few of my online games. That one hasn't gotten any password reset requests. My more general email, which has no connection to GW2 at all, has gotten at least 6 or 7 password reset emails. Title: Re: Security Issues Post by: Tannhauser on August 29, 2012, 04:04:58 PM Yeah I got an email from ANet saying someone tried to change my password. My password is strong, but I may change it anyway.
Title: Re: Security Issues Post by: Abelian75 on August 29, 2012, 04:20:39 PM Yeah, I got that too. Kinda curious what the idea behind that is, because I'm pretty confident they don't have my email (I use a 2-step authenticator thingy for gmail. Also, nobody's logged into my GW2 account or changed my password.). Not sure what it accomplishes to do that before gaining access to the email account.
It doesn't appear to be a fake email, though. Links seem to go to the actual guildwars2.com website. I didn't change my password or click the links, in any event, if only because I figure if someone is trying to make me want to change my password, I probably should not do it. Title: Re: Security Issues Post by: Khaldun on August 30, 2012, 07:28:50 AM There's actually a thing on login in their own interface at the login screen that asks to confirm the email used for the game when you first sign up--the puzzling thing for me is that the confirmation link that pops up in email always reads as "expired" even if I go to it five seconds after getting the email. I think there's something funky going on with Arenanet's basic security set-up.
Title: Re: Security Issues Post by: MrHat on August 31, 2012, 08:42:45 AM Well, that's great.
Got an email while I was playing that said my account email has been changed. Guess who didn't change it? Put in a support ticket as I'm unable to log in now. Super duper. Title: Re: Security Issues Post by: Hawkbit on August 31, 2012, 09:11:05 AM I dropped your guild privs for the time being to remove the ability to withdraw items from the guild. Let us know when it gets up and running.
The guild stash has been open to all, the guild vault is deposit only for the time being. Title: Re: Security Issues Post by: MrHat on August 31, 2012, 09:12:22 AM I dropped your guild privs for the time being to remove the ability to withdraw items from the guild. Let us know when it gets up and running. The guild stash has been open to all, the guild vault is deposit only for the time being. Thanks. Glad I burned my collectors stuff already. Title: Re: Security Issues Post by: Merusk on August 31, 2012, 06:44:58 PM So I decided to try GW1 again and had my NCsoft pw reset and sent to me on Thursday. This morning it was hacked after I had changed the login email to a new account unconnected to anything. They've got some bad security problems over there.
Title: Re: Security Issues Post by: MisterNoisy on August 31, 2012, 11:23:27 PM Hilarious - I don't even have a GW2 account and have been getting emails about this shit.
Title: Re: Security Issues Post by: koro on September 01, 2012, 10:52:52 AM I got two emails last night: One of them alerting me that a password change had been requested on my account.
The second? The confirmation email for the previous password change. All links (barring the confirmation one, 'cause I wasn't clicking that) were legit. I do not have a Guild Wars account. :uhrr: Title: Re: Security Issues Post by: Mosesandstick on September 01, 2012, 01:33:53 PM I think my IP got changed because of some repairs being done my ISP. Now I need to re-authenticate but I'm not receiving a damn email...
Title: Re: Security Issues Post by: Evildrider on September 01, 2012, 01:50:14 PM I think my IP got changed because of some repairs being done my ISP. Now I need to re-authenticate but I'm not receiving a damn email... This is affecting a lot of people. I haven't been able to log in all day. :( Title: Re: Security Issues Post by: Nevermore on September 01, 2012, 01:55:57 PM Yup. Apparently their system is so
Title: Re: Security Issues Post by: Amaron on September 01, 2012, 02:09:29 PM All links (barring the confirmation one, 'cause I wasn't clicking that) were legit. I do not have a Guild Wars account. :uhrr: I'm lost on this as well. I got some messages to an email that isn't associated with the GW2 account. The links are legit though. Are they changing emails on already hacked accounts to ferret out which emails already have accounts? Title: Re: Security Issues Post by: Ingmar on September 01, 2012, 02:15:52 PM Almost all well-made phishing spam uses legit links on everything but one of the links. You can't base anything off the fact that it has legit links in it, unless even the actual confirmation link they want you to click is legit. I bet it isn't.
Title: Re: Security Issues Post by: Amaron on September 01, 2012, 02:29:35 PM Almost all well-made phishing spam uses legit links on everything but one of the links. You can't base anything off the fact that it has legit links in it, unless even the actual confirmation link they want you to click is legit. I bet it isn't. It is and it's the only link. Goes to account.guildwars2.com (even in the highlight). I can only think that they have a hacked account which they then attempt to change to known emails in order to fish out the ones with existing accounts. Title: Re: Security Issues Post by: Ingmar on September 01, 2012, 03:02:22 PM Yup. Apparently their system is so Yeah this is happening to us as well today. Clownshoes. Title: Re: Security Issues Post by: Nevermore on September 01, 2012, 04:52:21 PM I just saw a post by someone on Guild Wars 2 Guru that if you run the launcher as an administrator you'll get the email. I was doubtful but I tried it and it worked.
Edit: sounds like it was just a coincidence. Title: Re: Security Issues Post by: Phred on September 02, 2012, 12:17:30 AM Hilarious - I don't even have a GW2 account and have been getting emails about this shit. /me points MrNoisy at the definition of Phishing.Title: Re: Security Issues Post by: MrHat on September 02, 2012, 01:28:45 PM Well, that's great. Got an email while I was playing that said my account email has been changed. Guess who didn't change it? Put in a support ticket as I'm unable to log in now. Super duper. Just an update: 3 days later and not a word from the guild wars team. Seems my fun time with GW2 has ended. Title: Re: Security Issues Post by: KallDrexx on September 02, 2012, 03:02:27 PM Just an update: 3 days later and not a word from the guild wars team. Seems my fun time with GW2 has ended. Not that it's any consolation, but according to their status page (http://wiki.guildwars2.com/wiki/Game_status_updates) they are inundated with tickets and are only at August 30th tickets currently Title: Re: Security Issues Post by: Venkman on September 02, 2012, 03:55:54 PM Just an update: 3 days later and not a word from the guild wars team. Seems my fun time with GW2 has ended. No idea if this helps. But in the latest Anet update (http://wiki.guildwars2.com/wiki/Game_status_updates) they note: Quote Our customer support team is prioritizing tickets from customers with hacked accounts or who are otherwise blocked from logging into the game. If your account was hacked, please follow these instructions (http://en.support.guildwars2.com/app/answers/detail/a_id/9212) for submitting a ticket, to make sure that your ticket is correctly prioritized and to make sure you're submitting all the information we need to restore your access. I hope it helps! Title: Re: Security Issues Post by: MrHat on September 02, 2012, 05:24:08 PM Ya, I did everything correctly, looks like a 4-7 day turn around on accounts. Ah well.
Title: Re: Security Issues Post by: MrHat on September 02, 2012, 08:26:21 PM Back in, password new and improved.
Hopefully no more shenanigans anymore. Title: Re: Security Issues Post by: Tyrnan on September 03, 2012, 12:40:20 AM From the latest update on the wiki page:
Quote Scanning Accounts & Email Spam Yesterday, three malicious users each changed the account names of their own Guild Wars 2 accounts thousands of times, scanning through lists of email addresses stolen from other games and web sites, presumably to determine which email addresses were available (not already used for a Guild Wars 2 account) and which were taken. It obviously shouldn't be possible to change your own account name so frequently. We temporarily disabled account name changes and have now restored but limited them to prevent this. To the thousands of people who received emails stating, "the email address for your Guild Wars account has been changed," and are not even our customers, we sincerely apologize for the spam. Please be aware that your email address is on a list of account credentials that hackers have apparently stolen from other games and web sites and are systematically scanning. To Guild Wars 2 customers whose email addresses are being tested by hackers but not stolen, thank you for protecting your account by choosing a new, unique password for Guild Wars 2. Even though your unique password should protect you, we think you deserve to know if hackers have your email address on their list of credentials stolen from other games and web sites, so we'll send you periodic notifications when we see hackers testing your account. Reset Password We're leaving "reset password" disabled for now. Please contact customer support if you forgot your password. We believe hackers also have lists of compromised credentials for email accounts, and we don't want to allow them to login to a compromised email account and then use "reset password" to steal the associated Guild Wars 2 game account. Title: Re: Security Issues Post by: Arinon on September 03, 2012, 07:37:12 AM Why did we start forcing account names to be e-mail addresses again?
Title: Re: Security Issues Post by: Quinton on September 03, 2012, 08:07:41 AM It's been common for years now, I think largely because it solves a number of common issues:
- no need to separately enter an email address to verify (email verification is a useful security measure as well as a useful anti-account-creation-spam friction point) - reduces collision issues with usernames (most people have at least one unique email address) - easier for users to remember their one email address than some random username I often use myself-foo@example.com, myself+foo@example.com, or foo@myself.example.com type email addresses (all of which deliver to myself@example.com) with a different foo for each thing to avoid using the same email address as a login token for many different things. Of course you still want to avoid reusing passwords, but every thing you do to make it harder for brute force attempts on your credentials helps a little. Title: Re: Security Issues Post by: Tmon on September 03, 2012, 08:23:43 AM I'm sure it seemed like a good idea at the time. "Hey lets use something we know most of the players will remember and that is guaranteed unique."
Title: Re: Security Issues Post by: Amaron on September 03, 2012, 09:36:18 AM Quote Yesterday, three malicious users each changed the account names of their own Guild Wars 2 accounts thousands of times, scanning through lists of email addresses stolen from other games and web sites, presumably to determine which email addresses were available (not already used for a Guild Wars 2 account) and which were taken. It obviously shouldn't be possible to change your own account name so frequently. We temporarily disabled account name changes and have now restored but limited them to prevent this. Looks like I was right. Kind of face palm worthy. Title: Re: Security Issues Post by: ajax34i on September 03, 2012, 12:13:47 PM It's been common for years now, I think largely because it solves a number of common issues. Actually, if I remember correctly, it was forced on the users by Blizzard, and it was because they wanted RealID / "account friend" features. Title: Re: Security Issues Post by: Kageru on September 04, 2012, 12:11:08 AM Yes on both counts. It was massively unpopular at the time and purely for the convenience of Blizzard. Title: Re: Security Issues Post by: DraconianOne on September 08, 2012, 02:04:18 AM So I was hit by the email authentication last night because, apparently, I'd changed IP address (my ISP doesn't provide static IP addresses). Took ages for the email to come through and after finally getting through to the webpage that let me authorise the new IP address, it failed dismally and threw code errors. :oh_i_see: The word "clownshoes" comes to mind.
Have disabled email authentication. Title: Re: Security Issues Post by: Sky on September 08, 2012, 09:40:34 AM It's been common for years now, I think largely because it solves a number of common issues: It's funny, you sound similar to the google apps trainer who deflected every issue we had with 'going to google' with, well, just do it this way instead, where this way just ignored the issue. I like you, Q, but on this issue, you reek of the ivory tower.- no need to separately enter an email address to verify (email verification is a useful security measure as well as a useful anti-account-creation-spam friction point) - reduces collision issues with usernames (most people have at least one unique email address) - easier for users to remember their one email address than some random username I often use myself-foo@example.com, myself+foo@example.com, or foo@myself.example.com type email addresses (all of which deliver to myself@example.com) with a different foo for each thing to avoid using the same email address as a login token for many different things. Of course you still want to avoid reusing passwords, but every thing you do to make it harder for brute force attempts on your credentials helps a little. Separately stating an email = another layer of security. Collision issues = unique login IDs, mmo users especially are used to this, hell we all are from just trying to find a valid email address (jdoe1969 etc). Easier to remember = bullocks. See collision issues. But hey, keep on pushing that simple to remember and use google procedure, I'm sure someone who has trouble developing a login scheme will have no problem with it. Title: Re: Security Issues Post by: Ingmar on September 08, 2012, 10:07:16 AM Believe I had to use an email address as my logon for GW1 long before Real ID came along.
Title: Re: Security Issues Post by: KallDrexx on September 08, 2012, 10:15:11 AM still not sure what the big deal is about emails as usernames though.
I mean, yes it is clownshoes that users were able to change their email address thousands of times to find email addresses already in use but that's not really hard to prevent (timeouts in between points). Other then that what are the issues? Other places use usernames and they get hacked, and if people aren't smart enough to change passwords for different site then they sure as hell aren't going to change their usernames so therefore hackers already have the usernames AND emails (and probably passwords) through hacking of fansites and other games. Title: Re: Security Issues Post by: Venkman on September 08, 2012, 10:27:33 AM It increases customer service expenses and generates bad PR. If we were talking private game forusm, eh, who gives a shit? And even with subs, the worst that happens is someone's account was gutted for an IGE/eBay sale.
But these days, where there's dollars flowing all over the place in f2p games, large companies shouldn't really take chances needlessly. Because companies do become victims when enough individual stupidity affects them. I woulda thought we'd have long since gone to double-passwords or even the authenticator # thing. Title: Re: Security Issues Post by: Sky on September 08, 2012, 11:28:18 AM I'm definitely in favor of token authenticators for any online service, though that can get onerous unless you have a smart phone. But for a game or two, given how much hackers seem to go after their users, yeah. I don't think it should be optional.
Title: Re: Security Issues Post by: Ingmar on September 08, 2012, 11:29:54 AM I suspect it actually reduces customer service expenses, for the game company, otherwise they would never have changed in the first place. I'm sure it increases them for the email provider, but that probably doesn't matter from the game company's perspective.
Title: Re: Security Issues Post by: KallDrexx on September 08, 2012, 11:44:36 AM It increases customer service expenses and generates bad PR. If we were talking private game forusm, eh, who gives a shit? And even with subs, the worst that happens is someone's account was gutted for an IGE/eBay sale. I don't understand how it increases customer service expenses or generates bad PR as compared to usernames? The bad PR was because Anet's systems didn't account for certain security aspects, but most of those would still be valid with username authentication. Title: Re: Security Issues Post by: Quinton on September 08, 2012, 01:49:54 PM It's funny, you sound similar to the google apps trainer who deflected every issue we had with 'going to google' with, well, just do it this way instead, where this way just ignored the issue. I like you, Q, but on this issue, you reek of the ivory tower. ... But hey, keep on pushing that simple to remember and use google procedure, I'm sure someone who has trouble developing a login scheme will have no problem with it. Not trying to sell anyone on Google anything here -- just pointing out a way one could avoid having to use the same email address as your login for multiple services in a world where services insist on logins being email addresses -- and I'm pretty sure a similar workaround is possible with other webmail providers (foo+bar@ aliasing dates back to sendmail at the dawn of internet email after all), but I happen to use gmail for webmail so it's the only thing I'm familiar with off the top of my head. Upthread there were complaints that companies force users to use an email address as a login, exposing them to additional risk from hackers. It's not in my power to prevent random companies from deciding that your login must be an email address, but I can suggest a workaround using readily available tools (which I know to be available to gmail users and suspect are available to most other webmail users in one form or another) -- not sure how that qualifies as "Ivory Tower" thinking. Total agreement that two-factor authentication would be a massive win in most cases. I wish my frickin' bank would use two-factor auth for online banking. It would be nice if I didn't have to install a different proprietary auth app for every site doing two-factor authentication, though. At the risk of once again being written off as a Google shill, Google Authenticator supports RFC standard two factor formats (HOTP/TOTP), a number of ways of provisioning the shared secret, as well as allowing for multiple account support. It's good stuff, supports Android, iOS, Blackberry, and a serverside implementation for Linux, is open source, yadda yadda: http://code.google.com/p/google-authenticator/ Title: Re: Security Issues Post by: Venkman on September 08, 2012, 03:59:34 PM I don't understand how it increases customer service expenses or generates bad PR as compared to usernames? The bad PR was because Anet's systems didn't account for certain security aspects, but most of those would still be valid with username authentication. I have no numbers, so this is all speculation. But, I'm guessing this increases customer service and potential bad PR because of the higher probability of users getting account hacked due to all reasons mentioned in this thread. So that's more accounts to address, and if a sufficient number of them are hacked, a louder volume of complaints. Not nearly everyone is as transparent as Anet, but we all saw Reddit last week. At the same time, I would guess there's probably little difference between using the same email address everywhere and the same account name. Except someone probably doesn't have AnalEmoGaymer as their bank account name :grin: Title: Re: Security Issues Post by: KallDrexx on September 08, 2012, 05:55:26 PM At the same time, I would guess there's probably little difference between using the same email address everywhere and the same account name. Except someone probably doesn't have AnalEmoGaymer as their bank account name :grin: Honestly, that wouldn't surprise me if someone did :P Title: Re: Security Issues Post by: Quinton on September 08, 2012, 06:02:42 PM Dammit, now I need to change my account name for online banking.
Title: Re: Security Issues Post by: ajax34i on September 08, 2012, 08:37:05 PM Blizzard probably no longer wanted to deal with "I forgot my account name" cases. Must have been a high percentage of their tech support calls.
Title: Re: Security Issues Post by: Cadaverine on September 09, 2012, 01:10:31 AM At the same time, I would guess there's probably little difference between using the same email address everywhere and the same account name. Except someone probably doesn't have AnalEmoGaymer as their bank account name :grin: Honestly, that wouldn't surprise me if someone did :P Given some of the user ids I had people give me at TD Ameritrade, I can say with pretty fair certainty that someone out there has that, or something like it, as their bank account id. Title: Re: Security Issues Post by: Venkman on September 09, 2012, 01:43:17 PM Yeesh. Try and come up with an absurd scenario and end up needing to reset my bar on humanity...
Title: Re: Security Issues Post by: Tmon on October 10, 2012, 02:37:32 PM They have a beta version of two stage authentication up.
https://forum-en.guildwars2.com/forum/info/news/Beta-Feature-Mobile-Two-Factor-Authentication Title: Re: Security Issues Post by: Phred on October 10, 2012, 02:49:19 PM Doesnt really matter at this point as there is a serial code generator out there now. So they can generate all the spam/bot accounts they want for free. Guess it will be nice to stop them stealing all your lootz though.
Title: Re: Security Issues Post by: KallDrexx on October 10, 2012, 04:53:38 PM Wow, I don't think I've ever seen a serial key generator that works for an MMO before. The comments seem to suggest that the generator does indeed work heh, though I'm not stupid enough to try it out.
Title: Re: Security Issues Post by: Trippy on October 10, 2012, 04:59:04 PM Wow, I don't think I've ever seen a serial key generator that works for an MMO before. The comments seem to suggest that the generator does indeed work heh, though I'm not stupid enough to try it out. That's cause you still need a subscription for most NA MMORPGs so the incentive to create a serial code generator for a game like, say World of Warcraft, is a lot less than a game like Guild Wars or Guild Wars 2.Title: Re: Security Issues Post by: KallDrexx on October 10, 2012, 05:31:30 PM True
Title: Re: Security Issues Post by: rk47 on October 10, 2012, 06:40:42 PM (http://www.blogcdn.com/massively.joystiq.com/media/2012/10/damion-schubert-gdc2012-02.jpg)
Title: Re: Security Issues Post by: Phred on October 10, 2012, 07:21:56 PM Wow, I don't think I've ever seen a serial key generator that works for an MMO before. The comments seem to suggest that the generator does indeed work heh, though I'm not stupid enough to try it out. That's cause you still need a subscription for most NA MMORPGs so the incentive to create a serial code generator for a game like, say World of Warcraft, is a lot less than a game like Guild Wars or Guild Wars 2.edited to add basic. As steam codes don't appear to be hackable or I haven't heard of them being hacked yet. Title: Re: Security Issues Post by: Zetor on October 10, 2012, 09:55:33 PM In theory, a serial number is not any less secure than an auth token. It could be as simple as having the first x characters be randomly-generated, and the rest being a cryptographically strong digital signature of the first x characters - which couldn't be recreated or falsified without the vendor's secret key, and brute-forcing would be ineffective if the serial was sufficiently long.
In theory. (I'm also not sure customers would like entering 256/512/1024... hexadecimal characters even once -- even if base64-encoded for keyboard-friendliness :why_so_serious:) Title: Re: Security Issues Post by: PalmTrees on October 11, 2012, 10:33:32 AM I just hope they get rid of this email authentification stuff. It's such a nuisance to have to log into GW then log into my email and click on their link. Odd that the confirm access page that shows city/region used to have that info but now it displays 'unknown'.
Title: Re: Security Issues Post by: Fordel on October 11, 2012, 11:28:54 AM I haven't had to do that since the very first time. Do other people need to do that every time?
Title: Re: Security Issues Post by: Sjofn on October 11, 2012, 11:37:01 AM I haven't had to do it since the first time either.
Title: Re: Security Issues Post by: Ingmar on October 11, 2012, 11:40:19 AM Pretty sure there was a 'remember this location' checkbox or something to avoid that coming back every time.
Title: Re: Security Issues Post by: Numtini on October 11, 2012, 11:53:09 AM I got a notice a few weeks ago that someone had logged into my account from Beijing, so I'm rather happy about the mail validation.
What I'm not happy about is I had already moved the account to an email I use only for game logins and never ever on forums or other places. Nevermind where they got the password. Title: Re: Security Issues Post by: Fabricated on October 11, 2012, 12:49:26 PM I got a notice a few weeks ago that someone had logged into my account from Beijing, so I'm rather happy about the mail validation. They probably have some sort of workaround for the password; kinda like how I think RIFT had accounts broken into without the perpetrators actually ever getting the password.What I'm not happy about is I had already moved the account to an email I use only for game logins and never ever on forums or other places. Nevermind where they got the password. Title: Re: Security Issues Post by: Ingmar on October 15, 2012, 07:06:47 PM I keep getting in-game spam from characters with real sounding character names. Hacked accounts, definitely happening.
Title: Re: Security Issues Post by: PalmTrees on October 15, 2012, 11:22:02 PM Yeah, I first saw gold spam from chars with regular sounding names instead of a random string and I thought they might be using a random name generator to make their bots. Took a sec before I moved on to hacked. I block all those guys too, bet the character they get back is on alotta block lists.
Title: Re: Security Issues Post by: Sjofn on October 17, 2012, 01:17:58 PM Got my very first notification of someone trying to steal my account ever! In any game! It makes me sad.
|