account theft – MMO Fallout

PSA: Fortnite Being Targeted By Account Thieves Racking Up Charges

As reported today by Kotaku, it looks like Fortnite players are finding their accounts compromised with the account thieves racking up hundreds of dollars in purchases of cosmetic items, expansion passes, and V-Bucks. Epic has activated two-factor authentication that can be accessed through your account options page on the main website.

Epic has stated that the accounts are being hacked using “well known hacking techniques,” and has posted a security bulletin with tips on how to keep your account safe including using unique passwords, logging in via Facebook (which would keep your password safe in case of keyloggers), and not clicking on those attractive fake ads for free V-Bucks. If you are still afraid of your account being compromised, MMO Fallout recommends not keeping your credit card information saved in the system.

(Source: Kotaku)

Well ****, More PSN Accounts Stolen…

Note: The above video contains strong language, not safe for work.

I imagine the above video pretty accurately describes how Playstation users are feeling today. In case you hadn’t heard, Sony has shut down the ability to log in outside of your playstation following an exploit that popped up allowing players to reset an account’s password knowing only the email and birth date of the user.

You can still log in from your Playstation and play online, and if you are affected you’ll know because you’ll receive an email thanking you for changing your password, which you obviously will not have done. There is no word at this time when the ability to log in via Playstation.com or Qriocity’s website will return.

To the best of my knowledge, this does not affect Sony Online Entertainment users.

How To End Security Issues For…Some Time.

Security. In the game of anything tech related, security would be the boss you fight before fighting Lucifer himself. The big question that lies heavy on the minds of the IT guys is: how do you save the consumers, when most of the time their biggest enemy is themselves? People losing their account because their had an easy to guess password, or a keylogger that was not detected due to the lack of properly updated anti-virus software, or the guy who loses his account to the gold farmer he bought power leveling, or the guy who downloaded a rogue cheat application. What about the family member who downloads everything they see on the internet?

Now that MMOs are mainstream, and the black market has hit a point where accounts and items can be worth hundreds if not thousands of dollars online, it’s about time that our developer friends started treating our account security as seriously as our banks do. A simple password doesn’t cut it anymore, and developers must assume that the computer is no longer safe.

You have entered a no dongle zone.

Make Cell Phones, Not Emails.

I voiced my concern for Rift’s Coinlock system out of a simple statement: If Trion admits that 80% of account theft takes place via keyloggers, then allowing your system to be bypassed by the first system to be hacked alongside your account is useless. If you lose your password to a keylogger, odds are your email is lost with it, either through having the same password or by having the separate password logged. As I originally stated, this is akin to having two locks on your door, both opened with the same key. Or, in the latter case, keeping both keys on the same keyring and losing the keyring.

Rather, why not allow the system to go to your cell phone? I’m not talking about smart phones, I don’t have one (although I do own an iPad). I mean simple text messages, which anyone with a cell phone should have. Going by Rift’s coin lock system, rather than having the code be sent to your email address, have the code texted to the phone number linked with your account. Let’s take the system even further, and say that anytime you want to log in from a new computer after the first (I’m a firm believer that the first time after creating your account shouldn’t be a hassle), you would be texted a confirmation key. This would stop someone who has your password from logging in to change your details.

In addition, you will have two separate forms of authentication to send when you log in from a new computer. Public and private. On private setting, the computer is authorized forever. On public setting, for those who use internet cafes, the computer will be authorized until you log out of the account.

In accordance with privacy concerns, the phone number would be treated like your credit card number, and display as (***)***-**46, varying depending on your country. And yes, I understand that there are those of you who don’t have cell phones, or at least cell phones capable of receiving text messages, but those of you with regular phones will also have the option of having a robo-call send you the code as a phone call. Think of how many people, using this method alone, would be protected from their accounts being stolen. Until Trion can give me an exact figure as to how many people also had their cell phones stolen with their Rift account, I’m going to go on a limb and say that (apart from social engineering) there is no way to hack this.

“Speaking of social engineering, what happens if I get drunk and my cell phone decides to take a bath in the punch bowl…that is to say, what happens if I lean over the altar too far in church and my cell phone (which was off because I’d never text in church) breaks against the Jesus statue? Yea…That’s the one.”

Good thing you asked. When you link your phone, you’ll be initially texted a code. If for any reason you have to change your phone number, you text that code from the new cell phone, and your new phone will be automatically set up. Of course, if you don’t want to pay the fee (if you don’t have unlimited texting), your computer should be authorized anyway to change your account details, so you’ll be able to log in and do it from your computer, without the need for the code.

I know what at least one developer would think when they read this. “Omali, setting up these texting services can get expensive.” Which is more expensive, sending texts or having to pay customer service to deal with each person individually when they lose their account, and the people who quit because of your backed up CS department? The texting service is automated, your CS workers require paychecks.

So there you have it. If you are online and carry a cell phone capable of texting, you can secure your account for the low, low price of twenty cents (without a texting plan, I believe that’s how much it costs).

So What Is The Conclusion?

The end result of this project is to create a system that separates the recovery from the PC, which means that email is no longer an option. My idea takes the authenticator system and expands upon it by including everyone who has a phone, not just those who have a smart phone capable of running a compatible app. The texts are 100% optional, and is ultimately a better system than the authenticator, which relies on a static algorithm that, although incredibly difficult, could theoretically be cracked.

I would like to note that this is a very basic draft of my idea, and there is like a workaround that I haven’t thought of. Another factor I’m aware of is using this to grief, such as a group of people finding a person’s account name/password and spamming their cell phone with the aim of racking up a lot of charges or using up their prepaid time. One method to combat would be to require the person to know their phone number in order to send the activation code, but the person would type it in via an onscreen keypad to combat keyloggers.

Ultimately, I posted this up to get feedback, and the sole intention is for you all to puncture holes in my theory. So, go ahead. Give me all you’ve got.

Rift: How About An Authenticator?

Rift launched last month to the fervor of a substantial number of people, opening up more than thirty servers in the days after launch to deal with population. With the mechanics involved, Rift has pulled in players from World of Warcraft and similar MMOs, by presenting a similar game with a new mechanic attached: Dynamic rifts. Of course, the attraction of the large crowd could lead to the two inevitabilities: A whole lot of compromised accounts and a whole lot of real money traders to steal those accounts.

In response to growing complaints of account security, Trion has responded by implementing the Coin Lock program. Coin Lock is similar to the computer identity systems your banks may have begun using recently, where a computer is identified as the “home computer” and any attempt to log in from another computer requires additional information in order to proceed. Without that information, the characters will go into coin lock, during which the following activities will be disabled:

Accessing the Auction House.
Sending Mail (can still receive and view mail or remove items).
Selling to vendors.
Deleting Characters
Salvage, Runebreak, or destroy items.
Trade.
You can continue to play and gain coin and items, but cannot get rid of them.

Coin Lock is a nice idea, but ineffective. Take Trion’s own statement:

“80% of the hacked accounts we’ve seen are from keyloggers.”

The method to unlock a character from coin lock is via a code sent through email, so if your account is compromised via key logger, and thus your email address compromised with it, this system won’t help. At all. Yet by Trion’s own admission, their new security system is going to help, at most, 20% of compromised accounts.

Trion should be utilizing other features in addition to the white list. Why not a black list? If I know that I will only play Rift from my location, why not be able to blacklist all other areas, no exceptions? How about an authenticator that operates through a smart phone app, ala World of Warcraft? A four digit pin that must be entered with the mouse instead of the keyboard, ala Aika Online and Runescape? There are plenty of options that Trion has, and they don’t even need to manufacture security dongles.

The feature of this white list is about as effective as having two locks on your door for extra security, but allowing the same key to work with both. Then again, this is just frustrating because, by Trion’s own admission, this will not help 80% of compromised accounts. It is a start, so we’ll see how this turns out.

Keep Your Battle.net Accounts Safe

Nothing kills interest in a game like having your account stolen and spending the next few days or weeks getting it back. Here at MMO Fallout, I like to do little PSAs when either myself or the company are putting out reminders. There’s no harm in a little protective gaming every now and then.

Battle.net has a lot of account thieves, and this month is likely to be a big one for theft. Cataclysm launches this month upping WoW account thefts. In addition, Blizzard performed a mass ban on Starcraft 2 accounts for cheating, which may result in a surge of account thefts by cheaters looking for free accounts.

As always, keep your password safe. Change it often, use different passwords on related fan sites.

AionSource.com: Another Reason To Use a Fake Email Address

starwars — I knew we couldn't trust the jedi!

My suggestion for dealing with fansites has always been, if you have to register for the forums, use a separate email and a separate password, and preferably a separate username than you use on the game the website is dedicated to. If your game of choice is Aion, an armed bodyguard following you around the internet may not be a bad decision either. NCsoft continues to wage the war against real money traders, and unfortunately it is the players who are getting caught in the crossfire, with several fansites being compromised in the past few months.

Not that I need an excuse to reiterate this point in a new article, but members of Aionsource.com should be very wary of what pops up in your email over the next few months. According to an email from Aionsource.com, their website was compromised several days ago and a list of email addresses was stolen, leading to a large number of Aion players receiving emails that are phishing scams.

If you are a member of Aionsource, consider changing your password. Passwords may not have been stolen this time, but there is no saying that won’t happen if there is a next time. Otherwise, still take that advice, but apply it to whatever non-corporate owned website you visit. Remember, if the hackers don’t get you, a disgruntled soon-to-be-ex administrator might.

More on Aion, account theft, and more as it comes.

Lord of the Rings: Keep Your Account Safe

It was bound to happen eventually, but it looks like NCsoft’s recent rise in account theft has bled over to Turbine and Lord of the Rings Online. Just a couple days ago, Turbine placed the above notice on the game launcher, reminding players to change their password regularly. Granted, if you have a password that isn’t easy to guess and keep your computer secure, such an act wouldn’t be necessary (I haven’t changed my passwords in years, and I use the same three passwords on everything), but to each his own.

Of course, increasing security is always a good thing. For every player like myself, who does not share a computer, there are those with siblings/parents who have the technical know-how of-hey check out this cool new Windows Theme, by the way your anti-virus wouldn’t stop blocking the website so I shut it off.

Play safe.

City of Heroes: Keep Your Accounts Safe

2010-01-06 23:07:52 — Ilamo cannot protect from those he cannot see...

Another day, another development in the ongoing NCsoft security issue. Amidst widespread fear of account theft, security holes, and random account logging, with Guild Wars and Aion leading the pack, it was only a matter of time before City of Heroes joined the pack warning users to increase their awareness. The reminder is standard trade: Keep your account safe, don’t share your details with others, change your passwords regularly, and try to stop downloading porn from shady websites.

“After investigating certain claims regarding current account security we discovered no malicious compromises having occurred in the manner described.”

I have an Aion player with an inactive, looted account that would disagree with you, but I do understand that Aion and NCsoft Master Account business is out of the hands of City of Heroes and the Paragaon Studios that develops it. Oddly enough, when snapping the screenshot above, I received a spam email from a gold farming advertiser. The account name: Aion Wars. Awfully convenient.

Oh well. I’m not going to saddle Paragon Studios with an issue NCsoft should be dealing with. Again, best of luck to those whose accounts have been compromised, and more on the 2009 NCsoft Account Issue as it appears.

NCSecurity: Phantom Hacker Steals Aion Account

G_Unit_pictures — G-Unit doesn't handle account theft.

(Important) Continue reading down to the bottom of the article. There is a follow up link at the bottom to a more recent explanation.

So I’ve been following the recent account thefts over at NCsoft (namely Aion and Guild Wars) pretty closely recently, not only because I play City of Heroes and if this account theft issue bleeds to other games it could affect me (gasp), but because the stories just keep getting stranger and stranger.

Case in point: An Aion account that was reportedly stolen, and looted of all of its items. The password was not reportedly changed, but the account was cleared of all items. In itself, this story doesn’t sound very exciting. Hundreds of accounts over a variety of MMOs get the same treatment every month. The account theft took place on December 19th and 21st, but take a good look at the account subscription history:

Analysis after the break…

Continue reading “NCSecurity: Phantom Hacker Steals Aion Account”

Your NCsoft Master Account: A Ticking Time Bomb?

I’ve been sitting on this article for a while now, and it seems like the best time as ever to put it forward. NCsoft is currently investigating heavy allegations of massive security holes in the master account system. As I’ve reported before, the number of stolen Guild Wars and Aion accounts has gone up dramatically in the past few months, which NC originally pointed towards a compromised fansite as the source of the theft.

Definitely the most serious, and frightening, of the allegations posted on Guild Wars Guru was that it doesn’t take any skill to hack an NCsoft master account. In fact, according to users, all it takes is spamming log in/log out, and eventually (through the process of happenstance and timing) you may find yourself logged into someone else’s account, able to change passwords, jot down personal details, and clean out accounts without ever being detected.

More after the break…

Continue reading “Your NCsoft Master Account: A Ticking Time Bomb?”

Spread It:

Spread It:

Make Cell Phones, Not Emails.

So What Is The Conclusion?

Spread It:

Spread It:

Spread It:

Spread It:

Spread It:

Spread It:

Spread It:

Spread It: