Turbine's new paywall crashes and burns

[CharlieMopps]

I can't summarize it better than /. did so I'll just link to their post:

http://games.slashdot.org/story/10/04/13/2056258/DDOs-Turbine-Partners-With-Notorious-SuperRewards

[Lantyssa]

They were jealous of all the publicity Mythic was getting.

[Xilren's Twin]

Some of the comments on slashdot and DDO's own forums are laugh worthy...

So what you're trying to say is, Turbine chose to get double the gold reward from the quest by gaining 3 evil alignment points? Who wouldn't do that in their shoes?

and

Having just watched Clash of the Titans last week I took the precaution of only looking at the wall through my wife's compact mirror which reflected the wall's link on my pc. By doing so I think I avoided the worst of the prefetching effects.

On the whole, greed plus incompetence = clownshoes.

[NiX]

There's more lulz in the LOTRO forum.

[UnSub]

In future times we'll reminisce about the innocence of MMOguls as a concept.

The interesting story would be how this got from the "here's an idea" stage to the "let's go live and ... oh..." stage.

[Hartsman]

One of the many reasons I'm thrilled about being as far away from the "Offer" and "Social Ad Network" market as possible. 

Replace one company name with any other, and the chances are that there's at least one person on the other end who thinks monetizing via popups and toolbar (read: spyware) installs is "brilliant!" 

That part of the "industry" is still too new and has too low of barriers to where it remains full of scum.

It's a real shame, since legit offers (that actually do provide relevant value) actually have potential to be genuinely interesting and useful.

[Ollie]

Grassroots social media is the Wild West of business practices. Things like values or ethics are yet to transition from conference room walls to day-to-day practices. As with any industry still in search of its business identity, there will be a lot of bandwagoning and a lot of poor judgement.

Part of the problem, though by no means restricted to social media, is how various talking heads are worshipped without any shred of criticism. People like Zuckenberg (Mr. Facebook) spouting naïve generalisations like that "privacy is dead" really make for a trying time for people who don't enjoy his brand of prescription drugs.

Here's a snippet from the LotRO forums that nicely describes the pathology of our age:

I have this new boss who has no background in the Tech sector, has a degree in Business Administration and a degree in Philosophy (not that I should be the one pointing that out, working in IT myself with a Bachelor's in Anthropology and another in Classical French Alchemy). He's a perfectly nice guy, but he really doesn't have a clue when he jumps on the same bandwagon World+Dog is on. Since Facebook is trendy, he insists that I develop a Facebook presence for our business and decommission our website! Since Twitter is trendy, he insists that I maintain a Twitter feed for our business.

Rather than maintain a VPN, he'd rather us use Google Docs for our sensitive Documents, never mind that this means anyone doing a Google Search can view the contents, because Google Docs is hip! Since iPhones are trendy, he insists I cancel my Contract with Sprint (and eat all the penalties) and get an iPhone on AT&T only to have him turn around a week later and decide that iPhones are so yesterday and that I need to cancel my new Contract with AT&T (again, eating all the penalty fees) and get an Android Smartphone on Verizon. Rather than perform my SystemAdmin duties, he'd rather have me developing iPad Apps (since all of our Programming Staff is too busy developing iPhone Apps) that we can sell to our Customers so they can pay to do with their iPad what they already can with a browser for free, just because the iPad is the "future" according to the trendy!

Basically, dealing with my boss is a never-ending joke of being a lemming jumping off one cliff after another just because that is what everyone else is doing.

People like Mr. Weathervane here are broken beyond reasonable repair, but the industry will work out its growing pains eventually. When the bubble bursts, as it did with IT ten years ago, the worst offenders will migrate to the next bandwagon.

[Stabs]

I wonder if Turbine were scammed by SuperRewards. They've been so careful in setting up a F2P model that doesn't harm their existing subscriber base up till now I can't imagine they agreed to pass over personal data when any player simply browses the OfferWall. I think SuperRewards might have assured them that information would only be gathered voluntarily (and lied).

Not that that excuses Turbine, they should have robust systems in place to protect people's privacy anyway.

[Ollie]

That's actually one of my regrets – that it's Turbine. They have a decade's worth of experience in providing on-line services. I would have expected some sort of ethical best-practices culture to have grown out of that.

Too bad I'm not only a LotRO lifer but also a Euro customer with limited clout to begin with (Codemasters run the servers here), so I can't vote with my wallet.

[DayDream]

I've played some DDO lately, did a free trial a while back and liked it enough to keep an eye on it.  Started playing when it went f2p.  Aside from some initial bumps which were mostly smoothed out, they did their MTX system well enough that I subscribed for a couple of months.

Of course, their buggy patching and customer support put an end to that, but still. I think they did a good job with creating a MTX business model.  So I stopped paying and played limited content.


With the ridiculous clownshoes aspect of this stuff though, I don't trust Turbine to actually keep my account info secure.  The /. thread mentioned getting turbine to remove CC info from their database, does anyone know anything about that? 

[Stabs]

Credit card information is always kept separate and more secure. Otherwise 19 year olds who've been at the company a month would be renting Ferraris for their weekend in Paris, coming back to get sacked on Monday.

[DayDream]

yeah, i don't care that turbine is "supposed" to keep it more secure, with all sorts of legal asspounding if they don't.  I imagine you're not "supposed" to get your customers email accounts into the hands of WoW-account phishers either.

[Stabs]

Card not present security standards for online transactions are:

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security

https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

If you don't do these things companies like Visa will not let you accept credit card payments.

So far there is no indication of credit card details leaking out. The third party is getting the DDO player's user account name (but not password) and email address. The danger seems to be spam and phishing attempts rather than credit card fraud.

[El Gallo]

I have this new boss who has no background in the Tech sector, has a degree in Business Administration and a degree in Philosophy (not that I should be the one pointing that out, working in IT myself with a Bachelor's in Anthropology and another in Classical French Alchemy). He's a perfectly nice guy, but he really doesn't have a clue when he jumps on the same bandwagon World+Dog is on. Since Facebook is trendy, he insists that I develop a Facebook presence for our business and decommission our website! Since Twitter is trendy, he insists that I maintain a Twitter feed for our business.

has a degree in Business Administration and a degree in Philosophy (not that I should be the one pointing that out, working in IT myself with a Bachelor's in Anthropology and another in Classical French Alchemy). He's a perfectly nice guy, but he really doesn't have a clue when he jumps on the same bandwagon World+Dog is on.

working in IT myself with a Bachelor's in Anthropology and another in Classical French Alchemy). He's a perfectly nice guy,

Bachelor's in Anthropology and another in Classical French Alchemy

Classical French Alchemy

 

Edit: Apologies for the derail, but these are seriously the only two words I can see in the whole thread.  It's like I stared into the Sun again.

[Xilren's Twin]

I have this new boss who has no background in the Tech sector, has a degree in Business Administration and a degree in Philosophy (not that I should be the one pointing that out, working in IT myself with a Bachelor's in Anthropology and another in Classical French Alchemy). He's a perfectly nice guy, but he really doesn't have a clue when he jumps on the same bandwagon World+Dog is on. Since Facebook is trendy, he insists that I develop a Facebook presence for our business and decommission our website! Since Twitter is trendy, he insists that I maintain a Twitter feed for our business....

Yeah, my company has this issue too, but the clueless guy is our president and owner.  Despite running a Healthcare IT business for 30 years, he really doesnt understand much about techonology, software development processes and the like.  Our head of development was recently told to "get an iPad and develop an app so doctors can access our stuff stat!".  Course, being a unix and windows shop with no apple development experience at all didnt deter him for some odd reason and he's already getting marketing to start up the ad campaign work.... 

[Shatter]

This is why I play Aion, I have about a 20% chance to get my account hacked so its much more exciting!!  Can I login tonight or not..ooohhhh

[Mrbloodworth]

Offer Wall Update – 4/13/2010

Updated: We’re currently investigating the reports of privacy concerns with our new Offer Wall. That feedback has been escalated to our partners for deeper investigation. Until that investigation is complete we’ve taken the Super Rewards option out of the Offer Wall. We’ll let you know when we have more information!

[Mosesandstick]

This is epic. They were giving away their users' email adds.

[CharlieMopps]

Offer Wall Update – 4/13/2010

Updated: We’re currently investigating the reports of privacy concerns with our new Offer Wall. That feedback has been escalated to our partners for deeper investigation. Until that investigation is complete we’ve taken the Super Rewards option out of the Offer Wall. We’ll let you know when we have more information!

I think it's too little too late.

[Mrbloodworth]

This is epic. They were giving away their users' email adds.

You have to opt in.

[Grimwell]

This is epic. They were giving away their users' email adds.

You have to opt in.

This.

I don't understand how this is a travesty. Who uses the offer wall? Yuuup. No saving those folks anyway and anyone else who's dancing around in a tutu screaming "I for one am offended!" at Turbine is pointing out that they aren't going to use the offer wall and aren't at risk to anything they are upset about.

As to the fools... there was a quote about them and their money a long time ago wasn't there? Taking the wall down isn't going to save them anything either.

[CharlieMopps]

Um, no, you don't have to opt in.

All you had to do was be logged into DDOs site... which I'm sure they majority of their customers have "remember my password checked" then click on a link. Example:
http://www.ddo.com/news/957-get-more-free-turbine-points-with-new-offer-wall

Once you follow that like DDOs site would pass your userid and email address to whomever was making the offer.

[Mrbloodworth]

To be fair, the opt in part could be more clear.

Wurm uses a similar option for users to gain coins, however from what we have seen most of our users give bonk data. Some, have even gotten iPods out of it. The problem we faced though, is the systems do not verify age, how could it. It was my personal major concern about the system.

But we have different funding issues and considerations than turbine. Most stemming from Paypal and user regions.

Mopps:

Q. What about my personal information? Is it safe?
A. We do not share any personal information with the offer vendor other than an anonymous unique ID and an e-mail address for your receipt to be sent to. This information is not transmitted unless you participate in the offer wall system. You may be (and probably will be) asked to provide additional information to complete an offer. Turbine has no way to control what happens with that information or how it is handled. We recommend that you use your discretion when signing up for offers. As always, protecting your privacy requires vigilance.

I do not believe the data is sent until you complete the offer, the stuff in the HTML string is not sent until you agree. It is there when you view the offer, but thats more of an identifier holding until submission. If I understand correctly. Reasion its done this way, is because the system does not use Turbines data on a user, there is no link to the accounting database.

[Mosesandstick]

One of the guys was using a HTTP tracker thingy, just going to the offer wall page automatically sent your email and username as long as you were logged in. That's epic fail. Secondly a reputable company should not be condoning services that will load your computer with spyware and other shit, whether or not it's opt-in. Maybe if you include in huge letters at the beginning *THIS WILL FUCK YOUR COMPUTER UP* then it's ok.

[Mrbloodworth]

One of the guys was using a HTTP tracker thingy, just going to the offer wall page automatically sent your email and username as long as you were logged in. That's epic fail. Secondly a reputable company should not be condoning services that will load your computer with spyware and other shit, whether or not it's opt-in. Maybe if you include in huge letters at the beginning *THIS WILL FUCK YOUR COMPUTER UP* then it's ok.

Its held in the HTTP address of the page yes, also, this is not the first company to use it. Quite a few major publishers use the same system. Simply viewing does not submit the data, completing an offer does though.

He even says this in the post:

As long as you are using a standard browser (IE, Firefox, Chrome, Safari, etc), the offers do not have direct access to this information.

I have to agree with Grimwell, those that would use this type of system, have most likely already done so in the past, there was no helping them anyway. They probably send e-cards too, and download random supper awesome screen savers.

I mean.... :

[Reg]

Is there any issue where you don't come down on the wrong side Bloodworth? Jesus.

These guys are appalling scam artists with a well documented history and Turbine is directing their users right into their gaping maw.

People using this service are reporting almost immediate WoW phishing scams to their emails. It's not a coincidence.

[Mrbloodworth]

Is there any issue where you don't come down on the wrong side Bloodworth? Jesus.

These guys are appalling scam artists with a well documented history and Turbine is directing their users right into their gaping maw.

People using this service are reporting almost immediate WoW phishing scams to their emails. It's not a coincidence.

Look up who also uses the system. Also, people are prone to exaggeration.

I have no idea with the current successes of DDO, why they have chosen to do this, its definitely going to burn some karma points. People USING the system, key word, USING it. Those people wanted the new shoes.   

[Mosesandstick]

I think Turbine using this system and their customers getting sent WoW emails is delicious irony 

I actually spent the past 3 hours just reading up on super rewards, facebook and all that crap. I can't fathom who at Turbine thought this was a good idea, especially with an audience of geeks.

And as Reg said, people were testing and got sent the phishing emails after doing nothing but viewing the wall.

[Mrbloodworth]

And as Reg said, people were testing and got sent the phishing emails after doing nothing but viewing the wall.

IF, that is true, then yes its complete ass and turbine should be ashamed if not directly responsible, as its goes directly against their own stance on user data across all games. If its not, its just propaganda by forum users upset by the possibility.

However one forum post, does not make a "situation" or a concrete conclusion.

But, Turbine, due to feedback, has already disabled the entire thing.

If you don't use the system, you should not be compromised, however my personal sympathies stop right after you sign up for the offers.

[Mosesandstick]

The phishing emails were confirmed by two or three people at least. I think there's a pretty good reason why most people don't test whether or not their email is being given away. Turbine failed to comment on the e-mail issues, so the truth (or the corporate response) is still in the air...

[Mrbloodworth]

The phishing emails were confirmed by two or three people at least. I think there's a pretty good reason why most people don't test whether or not their email is being given away. Turbine failed to comment on the e-mail issues, so the truth (or the corporate response) is still in the air...

There is definitely some shadyness with that. Could very well be just a really bad implementation on turbines part.

EDIT: The reason they took it down was the e-mail issues, as per the notice.

[Lantyssa]

Grassroots social media is the Wild West of business practices. Things like values or ethics are yet to transition from conference room walls university lecture halls to day-to-day practices.

Fixed so we're not giving corporations too much credit.

[Lantyssa]

Its held in the HTTP address of the page yes, also, this is not the first company to use it. Quite a few major publishers use the same system. Simply viewing does not submit the data, completing an offer does though.

It's one line of php code to take information passed along through a referral link and stuff it in a database, even if nothing is submitted.  There's no reason an unscrupulous company wouldn't do that.

[Mrbloodworth]

Its held in the HTTP address of the page yes, also, this is not the first company to use it. Quite a few major publishers use the same system. Simply viewing does not submit the data, completing an offer does though.

It's one line of php code to take information passed along through a referral link and stuff it in a database, even if nothing is submitted.  There's no reason an unscrupulous company wouldn't do that.

True, but I don't think you ever leave turbines site until you click the link to the offer. I wonder what user name and e-mail is sent though, because my experiences is that at turbine, user name on the forums is different then account name, this goes for passwords too, E-mail on the forums (Forums user name and pass word is used for all My.lotro/DDO sites) is also a different entry than your account.

Account info is not the same as forum/My sites. Unless the user decided to use the same stuff.

[WayAbvPar]

They were jealous of all the publicity Mythic was getting.

 

I wish I could say I am shocked, but sadly this is about par for the course these days. Fuck the consumer as early and as often as you can.