IP Address tracking
Other companies have this; I can’t see why they can’t do that here. There’s one in particular that outright prevents a login, even if they have all the right stuff, until you click the link in the email message sent to you immediately. If they don’t receive a reply within a standard amount of time, they block the IP.
I know that there is an email authentication system and the authentication system App (which appears problematic).
I’ve been using the authenticator since it first became available, no problems.
No point trying to block IP addresses when many of these hackers are probably using Tor or other proxies and can simply change their visible region.
The real question though is how are people getting hacked? Are you using the same username/password across multiple games/email accounts, or are you responding to the flood of fake emails supposedly originating from ANet (but actually originate from China, like those Blizzard ones) about a shady account questionnaire or dodgy account access?
Email authenticator has been waterproof to me. However, I use a safe email (which isn’t linked or used anywhere but in the game) to make sure that I never get anything from friends or such. I also change my password every week. I would recommend you do this while making a new password:
Take something that cannot be associated with you in any way, e.g. a historical event;
The Fall of Sparta – change letters to numbers and symbols.
-_-7H3F@!!0f5P@rT@+/+ ===> Special random characters, big and small letters, numbers = Fail safe to any bruteforce attempt. All that remains is you using your brain and not clicking email links.
God no, don’t do this. The only thing you’ll achieve is forgetting your password and making it a major annoyance to type it, any good brute force tool (e.g. John the Ripper) doesn’t care about 1337 speak if the DB should ever get compromised. Just use a long password or better a sentence, about 20 characters are sufficient, but keep it reasonable. In this case, length is what matters. Special characters also don’t hurt of course.
Live attacks don’t matter anyway - they’re not going to try passes on the production system as the account would be blocked and it’s just too slow. They’ll use compromised PCs and accounts where people use the same password for their E-Mail accounts for example. So with a unique password and the authenticator, you’re safe until a trojan actually intercepts your login - then pretty much nothing helps.
This still holds true for the biggest part: http://xkcd.com/936/
Although advanced tools like the one mentioned above are capable of cracking almost every password you could possibly invent, unless it’s really, really long and complex. Don’t use correct horse battery staple =) Or bible quotes, lyrics and stuff like that, always use something unique.
(edited by Iruwen.3164)
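The point argued above about leet-speak, as an added example that is not part of the original thread: a password-policy check that undoes common substitutions and strips padding to see whether a dictionary phrase is left over. The substitution table, the tiny wordlist and all function names are constructed for illustration.

```python
import itertools
import math

# Constructed substitution table (assumption): common leet characters and the
# letters they may stand for. Ambiguous symbols list every option.
LEET = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "t",
        "@": "a", "$": "s", "!": "il"}

# Constructed sample wordlist; a real check would load a large dictionary.
WORDS = {"the", "fall", "of", "sparta", "correct", "horse", "battery", "staple"}


def normalisations(password):
    """Yield every plain-letter reading of a leet-mangled password."""
    options = []
    for ch in password.lower():
        if ch.isalpha():
            options.append(ch)
        elif ch in LEET:
            options.append(LEET[ch])
        # any other symbol is treated as padding and dropped
    for combo in itertools.product(*options):
        yield "".join(combo)


def segment(text, words=WORDS):
    """Split text into dictionary words, or return None if impossible."""
    if not text:
        return []
    for end in range(1, len(text) + 1):
        if text[:end] in words:
            rest = segment(text[end:], words)
            if rest is not None:
                return [text[:end]] + rest
    return None


def dictionary_reading(password):
    """Return the word sequence hidden behind the mangling, if any."""
    for plain in normalisations(password):
        found = segment(plain)
        if found:
            return found
    return None


def random_search_bits(length, alphabet_size):
    """Bits of search space; only valid for uniformly random strings."""
    return length * math.log2(alphabet_size)
```

A signup form could reject any password for which `dictionary_reading` returns words; `random_search_bits(20, 26)` against `random_search_bits(8, 94)` shows why length outweighs symbol variety when the characters are actually random.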
I once heard that a good password is one with special symbols, but a better password is an extremely long password, e.g.: Ioncewenttoagroceryandsawmanykittensinabasketsoikilledthemall
If you now add some symbol, not even Chuck Norris will ever hack this password.
I’ve done alright with just tossing any Email accts through Thunderbird, with scripts/remote data blocked.
A lot of hacking is pure social engineering. Watch your butt on random links/attachments, it goes a long way. Except for bloody Hotmail – that crap’s sliced through on the regular.
It also helps to use unrelated words/symbols. Some of mine are old pen-and-paper RPG character names. Go ahead, try to dictionary-strike a word that doesn’t naturally exist, plus random numbers/non-numeric characters. It’s doable, but will take far longer than someone with the “classics” (crap like DOB/parent’s name/etc.)
Other 80s: Any but Warrior
(edited by Advent.6193)
God no, don’t do this. The only thing you’ll achieve is forgetting your password and making it a major annoyance to type it, any good brute force tool (e.g. John the Ripper) doesn’t care about 1337 speak if the DB should ever get compromised. Just use a long password or better a sentence, about 20 characters are sufficient, but keep it reasonable.
You find it hard to put a post-it on the side of your computer screen? And security always outguns annoyance. Dictionary hacking breaks down a sentence in less than ten seconds. You can actually find articles about hackers using multiple graphics cards to amp up hack speed. Using 1337 speak sure as hell doesn’t hurt, especially when it’s combined with the actual letters, i.e. l3t7Ers.
Read my post again please. And if a post-it is your idea of security... well. Just ask Gaile how many accounts have been compromised by friends, partners and especially younger siblings.
Dynamic IPs are given out randomly by your ISP. It does no good to ban an IP when another person will be using it, after the hack changes their IP.
And if a post-it is your idea of security… well. Just ask Gaile how many accounts have been compromised by friends, partners and especially younger siblings.
Partners? Friends? Really..? Sure, if a younger sibling compromises your account, lol. The other two are just outright ridiculous examples. If you have siblings, which I do not (thus not counting it as a factor), then hide the notes? There are a million ways to hide them or make them understandable to no one but yourself.
Using nothing but a simple sentence takes less than half a minute for a dictionary cracker to break. Just saying.
Most of the guys who get their accounts hacked are at fault themselves.
If you got a keylogger on your system, it’s your fault. If you use the same password for every single website and game, it’s your fault, too. (I handle it this way: one password that I reuse for most forums and websites, and unique passwords for Steam, PayPal, GW2, … If someone hacked my account on some random Dota or Manga forum, I wouldn’t even care lol.)
The mob has spoken and the turrets shall be burnt at the stake.