A peek into hackers' heads

in Guild Wars 2 Discussion

Posted by: DougNotDougie.3590

My account was compromised and I have already gotten it back thanks to a very speedy GM team with ArenaNet, however here is a little bit I have learned after examining my account after re-obtaining access to it.

How it happened:
Around 6pm while working and unable to check my phone I received an email that stated my password had been changed and shortly after that I received numerous emails saying thank you for purchasing gems (Yes, I made the mistake of saving my card to the gemstore.) $400 worth of gems were purchased using my stored credit card that Arena Net has refunded according to the extremely helpful GM I spoke to regarding the entire debacle.

I believe that somehow the entity that was able to log in to my account was a gold and item seller, possibly affiliated with one of the larger websites that do such. I learned this by checking my in game mail. A letter was sent to my account during that time that said “I paid for 1000 not 500 so give me the rest.” This obviously shows gold sales. I believe they converted the purchased gems to gold and started purchasing from the trading post. The items purchased besides legendary weapons were not anything special in fact they were Vital Bronze Swords, Knight’s Primordus Longbows, and Carrion Primordus Short Bows. They were purchased for the average Trading Post Prices, but it was the sell that confused me. The same items were sold for 700+ gold, which is where I realized that in order to move money they are selling and buying items on the trading post for exorbitant amounts of gold to help make themselves appear slightly more legitimate (it isn’t working though).

This is money laundering Guild Wars 2 style and I find it extremely interesting.

TLDR:
Gem to gold conversion is the first step in the process.
In order to avoid the in game gold stopping features hackers are selling items for much higher costs on the TP. (An item that costs 7 silver for 750 gold.)

This next part is a suggestion to the devs
A possible way that this could be prevented and I’m not sure how this exactly would be implemented or how complex it would be, but items could have a maximum listing price on the trading post, excluding obvious items like the legendary weapons, or posting items for such large amounts on the trading post could raise a flag for manual account review.

Final Note
Everything in this except the recommendation regarding a potential way to make this harder for hackers has been relayed to the GM that helped me get my account back. This is just to give everyone a little bit of a read.
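
The manual-review flag suggested in the post above, sketched as an added example; this is not ArenaNet's code and not part of the original post. The `Sale` record layout, the thresholds, the account names and every sample sale are constructed assumptions; only the item names and the "7 silver item for 750 gold" pattern come from the thread.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

COPPER_PER_GOLD = 10_000  # 100 copper = 1 silver, 100 silver = 1 gold


@dataclass(frozen=True)
class Sale:
    """One completed trading-post sale (hypothetical record layout)."""
    item: str
    seller: str
    buyer: str
    price: int  # in copper


def baselines(history, min_samples=3):
    """Median historical price per item; too few sales means no baseline."""
    by_item = defaultdict(list)
    for sale in history:
        by_item[sale.item].append(sale.price)
    return {item: median(prices)
            for item, prices in by_item.items() if len(prices) >= min_samples}


def flag_sales(sales, base, exempt=frozenset(), ratio=100,
               floor=100 * COPPER_PER_GOLD):
    """Return sales priced >= ratio x the item's baseline and >= floor.

    Exempt items (the post suggests legendary weapons) and items without a
    baseline are skipped rather than guessed at.
    """
    flagged = []
    for sale in sales:
        if sale.item in exempt or sale.item not in base:
            continue
        if sale.price >= floor and sale.price >= ratio * base[sale.item]:
            flagged.append(sale)
    return flagged


def review_queue(flagged):
    """Gold moved per (buyer, seller) pair through flagged sales, largest first."""
    totals = defaultdict(int)
    for sale in flagged:
        totals[(sale.buyer, sale.seller)] += sale.price
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


# Constructed sample data: earlier sales establish what each item normally costs.
HISTORY = (
    [Sale("Vital Bronze Sword", "seller_x", "buyer_y", p)
     for p in (650, 700, 700, 720)]
    + [Sale("Carrion Primordus Short Bow", "seller_x", "buyer_y", p)
       for p in (900, 950, 1_000)]
    + [Sale("Example Legendary", "seller_x", "buyer_y", p)
       for p in (20_000_000, 21_000_000, 22_000_000)]
)

# Constructed sales under review: two cheap items change hands for 700+ gold.
TODAY = [
    Sale("Vital Bronze Sword", "player_1", "player_2", 700),
    Sale("Vital Bronze Sword", "acct_A", "acct_B", 7_500_000),           # 750 gold
    Sale("Carrion Primordus Short Bow", "acct_A", "acct_B", 7_200_000),  # 720 gold
    Sale("Carrion Primordus Short Bow", "player_3", "player_1", 980),
    Sale("Example Legendary", "player_4", "player_5", 21_500_000),
]
EXEMPT = frozenset({"Example Legendary"})

if __name__ == "__main__":
    for (buyer, seller), copper in review_queue(
            flag_sales(TODAY, baselines(HISTORY), exempt=EXEMPT)):
        print(f"review {buyer} -> {seller}: {copper / COPPER_PER_GOLD:.0f} gold")
```

Using a median over prior sales keeps a single inflated sale from shifting the baseline it is judged against.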

Posted by: Paulytnz.7619

I had a funny feeling this was one of the ways they were selling their gold to players. However whenever I have mentioned it on these forums I was laughed at or ridiculed.

Thanks for the info and heads up. I am sure Anet has thought of this in the past and are watching the TP closely but tbh it is probably a big job and some of the items will slip through now and then.

It will be interesting tho if Anet does comment on this and/or if they post some of the crazy items and what their prices were.

Bag of Salt for 1 million gold anyone lol?

Since when did this business of being a hero become being a business?

Posted by: Just a flesh wound.3589

> I had a funny feeling this was one of the ways they were selling their gold to players. However whenever I have mentioned it on these forums I was laughed at or ridiculed.
>
> Thanks for the info and heads up. I am sure Anet has thought of this in the past and are watching the TP closely but tbh it is probably a big job and some of the items will slip through now and then.
>
> It will be interesting tho if Anet does comment on this and/or if they post some of the crazy items and what their prices were.
>
> Bag of Salt for 1 million gold anyone lol?

It’s an interesting theory, the problem is that it needs items that are few in number to work. The buyer can’t select the price he wants to buy for unless it’s the lowest price or if he’s willing to buy all the lower priced items to get the high priced item. So if someone sells “packet of salt” for 1 million gold the buyer has to buy the tens of thousands of packets of salt that are less than 1 million gold first. That gets expensive. The other problem is undercutting. Put up item X for 1 million gold and if someone else decides to put up another item X for 9999,999 gold, the buyer has to buy the 999,999 gold item first to buy the 1 million gold item.

Be careful what you ask for
ANet may give it to you.

Posted by: Paulytnz.7619

> > I had a funny feeling this was one of the ways they were selling their gold to players. However whenever I have mentioned it on these forums I was laughed at or ridiculed.
> >
> > Thanks for the info and heads up. I am sure Anet has thought of this in the past and are watching the TP closely but tbh it is probably a big job and some of the items will slip through now and then.
> >
> > It will be interesting tho if Anet does comment on this and/or if they post some of the crazy items and what their prices were.
> >
> > Bag of Salt for 1 million gold anyone lol?
>
> It’s an interesting theory, the problem is that it needs items that are few in number to work. The buyer can’t select the price he wants to buy for unless it’s the lowest price or if he’s willing to buy all the lower priced items to get the high priced item. So if someone sells “packet of salt” for 1 million gold the buyer has to buy the tens of thousands of packets of salt that are less than 1 million gold first. That gets expensive. The other problem is undercutting. Put up item X for 1 million gold and if someone else decides to put up another item X for 9999,999 gold, the buyer has to buy the 999,999 gold item first to buy the 1 million gold item.

Oh I didn’t know that. In another game I played they had a similar TP system but you could choose to pay whatever you liked for any item. You just type in the price. It became a problem there too so what they actually did was add specific values to each and every item to make sure this could not happen.

Yes it does take away some of the players determining the value of items but they did go up and down still somewhat, just not at drastic rates or over night as such as there were several fail safes put in.

As for myself I’m super lazy when it comes to the TP I just sell everything at the sell now value and buy what is the lowest price. I won’t wait around trying to get more for my items by listing them or trying to get a cheaper item by listing an offer and hoping someone comes in and undercuts. So I guess I have not noticed this which you have mentioned.

Since when did this business of being a hero become being a business?

Posted by: Just a flesh wound.3589

> > > I had a funny feeling this was one of the ways they were selling their gold to players. However whenever I have mentioned it on these forums I was laughed at or ridiculed.
> > >
> > > Thanks for the info and heads up. I am sure Anet has thought of this in the past and are watching the TP closely but tbh it is probably a big job and some of the items will slip through now and then.
> > >
> > > It will be interesting tho if Anet does comment on this and/or if they post some of the crazy items and what their prices were.
> > >
> > > Bag of Salt for 1 million gold anyone lol?
> >
> > It’s an interesting theory, the problem is that it needs items that are few in number to work. The buyer can’t select the price he wants to buy for unless it’s the lowest price or if he’s willing to buy all the lower priced items to get the high priced item. So if someone sells “packet of salt” for 1 million gold the buyer has to buy the tens of thousands of packets of salt that are less than 1 million gold first. That gets expensive. The other problem is undercutting. Put up item X for 1 million gold and if someone else decides to put up another item X for 9999,999 gold, the buyer has to buy the 999,999 gold item first to buy the 1 million gold item.
>
> Oh I didn’t know that. In another game I played they had a similar TP system but you could choose to pay whatever you liked for any item. You just type in the price. It became a problem there too so what they actually did was add specific values to each and every item to make sure this could not happen.
>
> Yes it does take away some of the players determining the value of items but they did go up and down still somewhat, just not at drastic rates or over night as such as there were several fail safes put in.
>
> As for myself I’m super lazy when it comes to the TP I just sell everything at the sell now value and buy what is the lowest price. I won’t wait around trying to get more for my items by listing them or trying to get a cheaper item by listing an offer and hoping someone comes in and undercuts. So I guess I have not noticed this which you have mentioned.

Looking at the trading post history for vital bronze sword I suspect it is used in this one case as the OP suggested. It suspiciously bounces around in price and quantity. My guess is it’s being used to transfer gold between accounts with the hacker putting up a high priced sword and buying the few low priced swords to get to it.

https://www.gw2tp.com/item/14952-vital-bronze-sword

Something like this will work if they’re fast. If they aren’t fast then people who trade as a type of gameplay can keep an eye on items with low quantities and undercut to try to take advantage of the gold seller using this as a gold transfer method.

Be careful what you ask for
ANet may give it to you.

(edited by Just a flesh wound.3589)

Posted by: OpLickem.8250

Very interesting observations you were able to make. I wonder if they really are just limited to putting the orders up for items in low quantity. I thought it was a little funny how sometimes I would see items sometimes priced ridiculously high on the tp. I wonder if there is just some way to recover the gold using the cancel option if needed? No idea. I haven’t the slightest clue how this would all work and that’s despite playing 4 years of spreadsheets in space (aka EVE Online haha).

I’m glad to hear that you got your account back and your cash, though! Phew. I’d have flipped all the tables hahaha

Bloodcovered Backstabbin’ Blackjack the Blade, at your service.

Posted by: Rhapsody.8650

> A letter was sent to my account during that time that said “I paid for 1000 not 500 so give me the rest.”

This was my favorite part, LOL. I hope you forwarded the player’s info to Anet as well. Although the player did not hack into your account, I would find them equally at fault for using a service that hurts a fellow player. I’m honestly surprised at this point that so many people attempt to buy gold this way (and then probably play dumb when Anet investigates).

I’m curious, do you use two-step verification? Seems the whole problem would have been avoided that way. If everyone was using it, they wouldn’t need to implement other barriers to hackers.

Posted by: Ayrilana.1396

> > A letter was sent to my account during that time that said “I paid for 1000 not 500 so give me the rest.”
>
> This was my favorite part, LOL. I hope you forwarded the player’s info to Anet as well. Although the player did not hack into your account, I would find them equally at fault for using a service that hurts a fellow player. I’m honestly surprised at this point that so many people attempt to buy gold this way (and then probably play dumb when Anet investigates).
>
> I’m curious, do you use two-step verification? Seems the whole problem would have been avoided that way. If everyone was using it, they wouldn’t need to implement other barriers to hackers.

Yeah, that’s what I’m wondering too. If your email and account are secure behind verification, it’s unlikely that they’ll get through. Even more so if you don’t share the email address used for the account as well as use the same login credentials elsewhere on the internet. Not buying from gold sellers also tends to help as well.

While Anet could certainly make those changes, they’d have impacts on players not involved in gold selling. For as long as these situations can be prevented by players who protect themselves and don’t do stupid things, I’m against any changes.

Posted by: Day Trooper.3605

@ op, do you have ‘2-Step Verification’ security enabled?

Posted by: cadmiumgreen.8712

I think another major issue is that there’s no easy way to clear our payment information from the GW2 client. As near as I can tell you can either enter fake information and save it over your real info or ticket CS to get it removed. I get that there is a trade off between convenience and security, and easily saving info but making it difficult to remove keeps that information there to grease impulse buys. But this is a game, and there’s a RMT business out there that hacks accounts. There really needs to be a delete payment information button.

Posted by: Wanze.8410

> > I had a funny feeling this was one of the ways they were selling their gold to players. However whenever I have mentioned it on these forums I was laughed at or ridiculed.
> >
> > Thanks for the info and heads up. I am sure Anet has thought of this in the past and are watching the TP closely but tbh it is probably a big job and some of the items will slip through now and then.
> >
> > It will be interesting tho if Anet does comment on this and/or if they post some of the crazy items and what their prices were.
> >
> > Bag of Salt for 1 million gold anyone lol?
>
> It’s an interesting theory, the problem is that it needs items that are few in number to work. The buyer can’t select the price he wants to buy for unless it’s the lowest price or if he’s willing to buy all the lower priced items to get the high priced item. So if someone sells “packet of salt” for 1 million gold the buyer has to buy the tens of thousands of packets of salt that are less than 1 million gold first. That gets expensive. The other problem is undercutting. Put up item X for 1 million gold and if someone else decides to put up another item X for 9999,999 gold, the buyer has to buy the 999,999 gold item first to buy the 1 million gold item.

Another problem would be the listing value limit of 10k gold, so you would have to settle for listing 100 packets of salt at 10k gold, if you got the 50k gold to spare for the listing fees.

Tin Foil [HATS]-Hardcore BLTC-PvP Guild
Bloin – Running around, tagging Keeps, getting whack on Scoobie Snacks.

Posted by: Just a flesh wound.3589

> > > I had a funny feeling this was one of the ways they were selling their gold to players. However whenever I have mentioned it on these forums I was laughed at or ridiculed.
> > >
> > > Thanks for the info and heads up. I am sure Anet has thought of this in the past and are watching the TP closely but tbh it is probably a big job and some of the items will slip through now and then.
> > >
> > > It will be interesting tho if Anet does comment on this and/or if they post some of the crazy items and what their prices were.
> > >
> > > Bag of Salt for 1 million gold anyone lol?
> >
> > It’s an interesting theory, the problem is that it needs items that are few in number to work. The buyer can’t select the price he wants to buy for unless it’s the lowest price or if he’s willing to buy all the lower priced items to get the high priced item. So if someone sells “packet of salt” for 1 million gold the buyer has to buy the tens of thousands of packets of salt that are less than 1 million gold first. That gets expensive. The other problem is undercutting. Put up item X for 1 million gold and if someone else decides to put up another item X for 9999,999 gold, the buyer has to buy the 999,999 gold item first to buy the 1 million gold item.
>
> Another problem would be the listing value limit of 10k gold, so you would have to settle for listing 100 packets of salt at 10k gold, if you got the 50k gold to spare for the listing fees.

Yah, the listing fees would be a problem for someone using the trading post to transfer gold from gold seller to gold buyer. Although, if it’s transferring gold stolen from a hacked account to a gold buyers account it might not be that critical.

Be careful what you ask for
ANet may give it to you.

Posted by: Gaile Gray

ArenaNet Communications Manager

There are some interesting suggestions here, and I will pass them along today.

I’m sorry for what happened, Doug, but glad you got everything quickly sorted out! Thanks for sharing your observations, and thanks to others for adding their thoughts.

Gaile Gray
Communications Manager
Guild & Fansite Relations; In-Game Events
ArenaNet

Posted by: Fremtid.3528

This is one of the reasons I don’t have my card saved to the gemstore. I’m not blaming you for not wanting to pull it out and type it in every time but these kinds of things happen when info is saved like that.

Posted by: Rauderi.8706

> This is one of the reasons I don’t have my card saved to the gemstore. I’m not blaming you for not wanting to pull it out and type it in every time but these kinds of things happen when info is saved like that.

Paypal, yo. Easy to log into when you want gems, but it doesn’t save the data, so you still have to authenticate.

Sorry that happened to you, OP. :\ Please do be more careful in the future.

Many alts; handle it!
“I’m finding companies should sell access to forums,
it seems many like them better than the games they comment on.” -Horrorscope.7632

Posted by: Svarty.8019

If I were to make something secure, I’d probably go with a passworded bank section.

Nobody at Anet loves WvW like Grouch loved PvP. That’s what we need, a WvW Grouch, but taller.

Posted by: cadmiumgreen.8712

> Paypal, yo. Easy to log into when you want gems, but it doesn’t save the data, so you still have to authenticate.

The billing info and email are still saved in the client unless you go back and save over it with fake info by going halfway through the purchase process though. Yes you still need to authenticate, but your information is still hanging out visible to anyone with access to your client. The email address isn’t even obscured.

So a checkbox for remembering the info and a delete info button is still useful for Paypal users.

Posted by: Orangensaft.7139

> > Paypal, yo. Easy to log into when you want gems, but it doesn’t save the data, so you still have to authenticate.
>
> The billing info and email are still saved in the client unless you go back and save over it with fake info by going halfway through the purchase process though. Yes you still need to authenticate, but your information is still hanging out visible to anyone with access to your client. The email address isn’t even obscured.
>
> So a checkbox for remembering the info and a delete info button is still useful for Paypal users.

Yeh i wish we had the option to not save our info there

A simple checkbox like you suggested would do it Anet! pls

We Glitched Out Of All [MAPS]
26x lvl 80 Characters
Most fabulous Character: http://i.imgur.com/5JtcBI1.jpg?1

Posted by: Inculpatus cedo.9234

Are you saying it saves our CC (or whatever) information, even if we don’t check ‘Save Billing Information’?

Posted by: usnedward.9023

I use PayPal and have for many years. If I were to ever be compromised in this game they would only be able to affect the game. My PayPal login info is different.

Also I use texting protection so they would never get into my account IP / Network would trigger a text with code so I am safe there as well.

However working in IT there are so many ways to trick systems who knows if I am truly safe. Glad to see you were to get refunded and get account back

Granted Death – Necro
Consumed Hate – Thief
Unlucky Scrub – Ranger

Posted by: Paulytnz.7619

Just a tip if you are worried about details and such, something that might be helpful. Personally I use a prepaid credit card for online purchases. That is it is a credit card (Mastercard, Visa etc) like the standard ones but you only have credit on it when you put it on it. So I make sure to only have cash on it when I want to purchase something. If there is no cash on it, any purchase attempt will be shot down and you are not out of pocket due to hackers or what-not.

I am not sure if your banks offer similar options but it is def worth looking into. Things like this can give you an extra layer of protection and stop things like what the OP experienced from happening.

Yes Anet were awesome enough to refund what was spent. But there are a lot of other companies out there that are not so awesome or who wouldn’t refund. So again having something like this can be helpful.

Since when did this business of being a hero become being a business?

Posted by: Snowywonders.1378

Anet is really cool for being this helpful, lots of other companies would not do this. This gives me hope that anet does love their playerbase. Even tho they kittened up purchasing ascended armor. And can’t balance pvp. And go in circles when it comes to wvw. But ya anet is a cool guy/gal. Glad u got ur account and money back.

Posted by: JaddynnStarr.5201

I’ve used paypal for close on to a decade now… I’ve had numerous game accounts in the past become compromised, and not once have I had to contact paypal to handle any fraudulent charges. I keep separate emails for money accounts vs game accounts, and I believe that is the reason I have never had any issues with it in the past.

Posted by: DeceiverX.8361

As a general security measure, it is typically wiser to use third parties, particularly paypal, for managing payments, due to their above-standard security procedures and strict attention to security given the dependency of their business hinging on it.

Also be sure to use 2FA to prevent malicious/unwanted access to your account, and do not use public wifi networks to access your GW2 account; transmissions can be recorded and decoded by attackers, and it isn’t uncommon for them to sell the information they get this way.

Reloadable gift cards/“prepaid debit” cards are a good option, however they typically have a reload cost associated to them every time you add more funds. It’s typically a few dollars and can be pretty inefficient if you don’t intend to keep a relatively high balance of a few hundred dollars.

I personally do the following and recommend it as the best option for maintaining security online: Get a credit card dedicated to online purchases that has a freeze or lock option on it, which can only be activated or deactivated on the credit card’s site via another login, and a separate, clean device used only for managing your online banking and billing which you use to unlock and lock the card when you go to purchase something (I use an old netbook due to its small size which fits nicely on my desk loaded with a Linux distro for fast booting speeds to get to the browser). For credit cards which have them, these are typically free features (and I think Discover does them best) and in the long run will save you money and potentially hassle over most reloadable debit options. If you’re really into the security aspect of things, you can even set this device up on a different LAN.

(edited by DeceiverX.8361)

Posted by: Hevoskuuri.3891

> This is one of the reasons I don’t have my card saved to the gemstore. I’m not blaming you for not wanting to pull it out and type it in every time but these kinds of things happen when info is saved like that.

I’ve actually had a bug with my “buy gems”-interface for a long time now; it has saved my old, expired credit card info and absolutely refuses to rewrite over that. Every time I buy gems I type in my current card’s information, tick the box to save it, and the next time I open the interface I still see my old info there.

I thought this was annoying, but after reading these posts I actually don’t mind at all. Also, having to always pull the card out has actually made me to memorize the numbers, so no harm done here ;D

Posted by: Nova.2890

Some of these should go without saying, but here are some tips:

Run current anti-virus software on your computer.

Never enter your Anet credentials on any website that does not belong to Anet

USE A COMPLEX PASSWORD!
Use special characters (!@*&$) at least 2 of them
Use more than 8 characters total
Use upper and lower case letters
Use numbers as well.

If you follow that, the likelihood that your account would be compromised due to a dictionary based attack is very very slim.

Not only did the “hacker” have to get around using the correct password, but most likely anet sent the automated message to verify the new IP address that “you” were trying to connect from, so the hacker would also have needed access to your email.

3 most common reasons for accounts getting “hacked”
Simplistic password and the same password used for a lot of different accounts.
Keylogger virus
Using gold buying sites (most likely the common cause of a lot of “hacks”)

(edited by Nova.2890)

Posted by: Ardid.7203

Don’t use complex passwords. Use good passwords. NEVER save them, anywhere, EVER.

https://xkcd.com/936/

“Only problem with the Engineer is
that it makes every other class in the game boring to play.”
Hawks

Posted by: Dawdler.8521

> Some of these should go without saying, but here are some tips:
>
> Run current anti-virus software on your computer.
>
> Never enter your Anet credentials on any website that does not belong to Anet
>
> USE A COMPLEX PASSWORD!
> Use special characters (!@*&$) at least 2 of them
> Use more than 8 characters total
> Use upper and lower case letters
> Use numbers as well.
>
> If you follow that, the likelihood that your account would be compromised due to a dictionary based attack is very very slim.
>
> Not only did the “hacker” have to get around using the correct password, but most likely anet sent the automated message to verify the new IP address that “you” were trying to connect from, so the hacker would also have needed access to your email.
>
> 3 most common reasons for accounts getting “hacked”
> Simplistic password and the same password used for a lot of different accounts.
> Keylogger virus
> Using gold buying sites (most likely the common cause of a lot of “hacks”)

Indeed as above said, you only need long passwords, not necessarily “complex” ones.

Like having a password “ohhowIadorecuteAsurananimationsofwigglyearsandstumpylegs” compared to “1Xk#3_hH” should be somewhat harder to brute force.

PS: Sorry if I guessed someone’s password

Posted by: LadyRhonwyn.2501

> Don’t use complex passwords. Use good passwords. NEVER save them, anywhere, EVER.
>
> https://xkcd.com/936/

If I wouldn’t save my passwords, ever, I’d only be able to use simple passwords, and the same everywhere at that… And unless you only play from a shared PC, you can safely put it in the shortcut. Or check the “remember my password” option at the login screen.

As a matter of fact, I don’t know my GW2 password at all. It’s nicely stored in a password application so I can make a ridiculously long password without the need of remembering it.

Posted by: Djinn.9245

> There are some interesting suggestions here, and I will pass them along today.
>
> I’m sorry for what happened, Doug, but glad you got everything quickly sorted out! Thanks for sharing your observations, and thanks to others for adding their thoughts.

You should have to opt-in for the Billing area to save your information – like email address, etc. I think it’s terrible that people can have their accounts permanently banned because a hacker used the information found in Billing to use their account for bad things.

it’s this luck based mystic toilet that we’re all so sick of flushing our money down. -Salamol

Posted by: Maniak.7069

Lots of people giving out good cyber-security tips. I love it!

Bonus tip here since it hasn’t been mentioned. This may be a given, but if the password you used before getting hacked is used for ANY other services, CHANGE THEM NOW!! And since MMO’s in general are notorious hacker targets, even if you’re someone who likes using the same password for everything (oh I cringe at how many people do that), AT LEAST make your MMO’s and Steam passwords different.

Oh, and I’m a big fan of Dashlane password manager for what it’s worth.

Posted by: Ardid.7203

> > Don’t use complex passwords. Use good passwords. NEVER save them, anywhere, EVER.
> >
> > https://xkcd.com/936/
>
> If I wouldn’t save my passwords, ever, I’d only be able to use simple passwords, and the same everywhere at that… And unless you only play from a shared PC, you can safely put it in the shortcut. Or check the “remember my password” option at the login screen.
>
> As a matter of fact, I don’t know my GW2 password at all. It’s nicely stored in a password application so I can make a ridiculously long password without the need of remembering it.

Well, I learned the hard way that any program that stores passwords can also be hacked, and your “safely stored” credentials can be accessed by attackers. It didn’t happen in a public computer, or in an “unsafe” one. It happened in a well secured work pc, in a well known and respected datacenter. Thanks to it being in a secure environment, we were able to contain the malware and trace the origin to a well known and very respected sftp client, which stored password for user convenience but was vulnerable to programs that copy that list, program that got in through a well known and respected internet navigator.

Storing password IS A BAD PRACTICE. To make good passwords and put them in your head is the only habit I can recommend today. That way even if your mother/friend/cat messes up the computer, you can still safely access your accounts anywhere. Depending on machines to do that kind of basic work for you is also bad for your own memory.

If you are afraid of forgetting multiple pass, there are good ways to make “sibling” passwords through really simple mnemonic techniques, so you can create as many passwords as you need, and you will never forget any. I use regularly “20 something” character passwords, easy to remember and totally unhackable, unless someone tortures me or get me really drunk.

“Only problem with the Engineer is
that it makes every other class in the game boring to play.”
Hawks

Posted by: Just a flesh wound.3589

Don’t use complex passwords. Use good passwords. NEVER save them, anywhere, EVER.

https://xkcd.com/936/

If I wouldn’t save my passwords, ever, I’d only be able to use simple passwords, and the same everywhere at that… And unless you only play from a shared PC, you can safely put it in the shortcut. Or check the “remember my password” option at the login screen.

As a matter of fact, I don’t know my GW2 password at all. It’s nicely stored in a password application so I can make a ridiculously long password without the need of remembering it.

Well, I learned the hard way that any program that stores passwords can also be hacked, and your “safely stored” credentials can be accessed by attackers. It didn’t happen on a public computer, or on an “unsafe” one. It happened on a well secured work PC, in a well known and respected datacenter. Thanks to it being in a secure environment, we were able to contain the malware and trace the origin to a well known and very respected sftp client, which stored passwords for user convenience but was vulnerable to programs that copy that list, a program that got in through a well known and respected internet navigator.

Storing passwords IS A BAD PRACTICE. To make good passwords and put them in your head is the only habit I can recommend today. That way even if your mother/friend/cat messes up the computer, you can still safely access your accounts anywhere. Depending on machines to do that kind of basic work for you is also bad for your own memory.

If you are afraid of forgetting multiple passwords, there are good ways to make “sibling” passwords through really simple mnemonic techniques, so you can create as many passwords as you need, and you will never forget any. I regularly use “20 something” character passwords, easy to remember and totally unhackable, unless someone tortures me or gets me really drunk.

Sibling passwords? What’s that? Nothing relevant pulled up on google.

Be careful what you ask for
ANet may give it to you.

Posted by: DeanBB.4268

JAFW

Sibling passwords? What’s that? Nothing relevant pulled up on google.

You know, instead of using PASSWORD for everything, you mix it up. PASSWORD1, PASSWORD2, etc.

Posted by: Just a flesh wound.3589

JAFW

Sibling passwords? What’s that? Nothing relevant pulled up on google.

You know, instead of using PASSWORD for everything, you mix it up. PASSWORD1, PASSWORD2, etc.

Yah. Those are really good passwords. Almost as good as 12345. :P

Be careful what you ask for
ANet may give it to you.

(edited by Just a flesh wound.3589)

Posted by: DeanBB.4268

You should take that out to at least 12345678. You know, for security.

Posted by: Rognik.2579

The use of “password” as a password above is only used as an example, not as an actual password. However, the concept of a sibling password is not necessarily bad. I like to have a theme to my passwords, to make it a bit easier to remember. For instance, I might use Mongolia as one password and UnitedKingdom for another. The places where I have to have numbers or special characters, I’d try to put them either as letter substitutes (Mongol1a) or in between syllables, to know that’s where it went.

Posted by: Vitali.5039

If you are afraid of forgetting the password, try to use the same alphanumeric password everywhere, changing the first 2-3 letters (e.g. FB*****.. for facebook, GW2*****.. for Guild Wars 2).. and don’t share it with anybody.

Posted by: Scalyon.7028

Also be sure to use 2FA to prevent malicious/unwanted access to your account, and do not use public wifi networks to access your GW2 account; transmissions can be recorded and decoded by attackers, and it isn’t uncommon for them to sell the information they get this way.

This is very true.

Reloadable gift cards/“prepaid debit” cards are a good option, however they typically have a reload cost associated to them every time you add more funds. It’s typically a few dollars and can be pretty inefficient if you don’t intend to keep a relatively high balance of a few hundred dollars.

These types of cards come in handy for small amounts and limited purchases only. Note, however, that even here there are some additional caveats:

Remember, these types of cards are equivalent to carrying cash. If lost or stolen you’re pretty much S-O-L by the time you find out.

Do not purchase/load large quantities or amounts in one fell swoop. Reason: Terrorism, drug dealers (although I doubt anyone here on this board is purchasing them in large amounts or quantities necessary to flag the transaction).

The real kicker: Thanks to this little thing called asset forfeiture they can be confiscated by police/border patrol/TSA if you are ever pulled over/singled out/whatever if found carrying a large quantity. See reasons above. Suspicion – ain’t it special!?! Again, this probably won’t apply to the gamers reading this thread. Just putting it out there as a public service message.

I personally do the following and recommend it as the best option for maintaining security online: Get a credit card dedicated to online purchases that has a freeze or lock option on it, which can only be activated or deactivated on the credit card’s site via another login

This too is great advice. Note that credit bureaus also offer a freeze of your data to prevent unscrupulous actors from accessing your data.

Also highly recommended: Use a different password and username for every site you log into that requires an account. That way, your login data that is hacked on one site can’t be used on a different site. Never use your personal bank logon name and/or password for any other site, period!

It should go without saying, but never give your username/password out. Any email that you receive asking for that account information is almost guaranteed to be a hacker on a phishing expedition. Don’t be the fish that gets hooked!

Finally, use a free password manager such as Keepass or Lastpass to manage all of your username and password account information. These types of programs can generate random strong passwords for you. After using the program for a while you’ll find that you only need to remember the master password to access the others (which are cryptographically stored on your personal hard drive or USB device) as you make use of the program’s quick form-fill or copy/paste functions to log into sites and games.

Posted by: Just a flesh wound.3589

I try to have themed passwords on stuff I’m not too concerned about where if I forget it or it’s hacked it’s not a big deal (such as a password to access comments on a news site). However there’s too many passwords for too many things to reasonably remember. For all those I have stored behind an app that requires a password to open. For more security these passwords stored there can be one letter/number off. For example the password HorseBattery12 could be stored as JptdrNsyyrtu23. /shrug. That should be safe enough.

Be careful what you ask for
ANet may give it to you.

Posted by: Ashabhi.1365

Just a captain obvious moment, but you CAN store your passwords… just not on a computer. Keepass and Lastpass sound good, but pen and paper are still the safest way to remember passwords.

Write them down in a notebook and keep them in a drawer away from your computer.

Also, taking a word and spelling it in “leetspeak” is not necessarily a good tactic. “PASSWORD” and “P455W0RD” are easily guessed. Better to pick random words and string them together such as “PickleUmbrellaFortyMango123???” is very much harder to guess.

I do have an observation about the gold laundering issue.

I noticed a low-level blue staff for sale today for 7K gold while looking at prices for precursors. I would not have had to buy (insert number) of things at a lower price in order to buy that item, so if I were a gold launderer, all I would have to do is email my client once I had the payment and tell him to list something for exorbitant amounts so I could “buy” it and not raise a flag.

Just sayin….

Level 80 Elementalist

Posted by: Just a flesh wound.3589

Just a captain obvious moment, but you CAN store your passwords… just not on a computer. Keepass and Lastpass sound good, but pen and paper are still the safest way to remember passwords.

Write them down in a notebook and keep them in a drawer away from your computer.

Also, taking a word and spelling it in “leetspeak” is not necessarily a good tactic. “PASSWORD” and “P455W0RD” are easily guessed. Better to pick random words and string them together such as “PickleUmbrellaFortyMango123???” is very much harder to guess.

I do have an observation about the gold laundering issue.

I noticed a low-level blue staff for sale today for 7K gold while looking at prices for precursors. I would not have had to buy (insert number) of things at a lower price in order to buy that item, so if I were a gold launderer, all I would have to do is email my client once I had the payment and tell him to list something for exorbitant amounts so I could “buy” it and not raise a flag.

Just sayin….

What blue staff was that? Can you post a link?

Edit: Was it this one? https://www.gw2tp.com/item/37629-staff

Be careful what you ask for
ANet may give it to you.

(edited by Just a flesh wound.3589)

Posted by: Djinn.9245

I noticed a low-level blue staff for sale today for 7K gold while looking at prices for precursors. I would not have had to buy (insert number) of things at a lower price in order to buy that item, so if I were a gold launderer, all I would have to do is email my client once I had the payment and tell him to list something for exorbitant amounts so I could “buy” it and not raise a flag.

Just sayin….

This is exactly the kind of thing that Anet should have a script to flag.

it’s this luck based mystic toilet that we’re all so sick of flushing our money down. -Salamol
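The kind of flagging script asked for in the post above, as an added example that is not part of the thread and not ArenaNet's code. The sale records, account names, the 100x threshold and the three-sale minimum are all constructed assumptions; prices are in copper (100 copper = 1 silver, 100 silver = 1 gold).

```python
from collections import defaultdict
from statistics import median

COPPER_PER_GOLD = 10_000  # 100 copper = 1 silver, 100 silver = 1 gold

# Constructed sample of completed sales: (seller, buyer, item, price in copper).
SALES = [
    ("seller1", "buyer1", "Vital Bronze Sword", 700),
    ("seller2", "buyer2", "Vital Bronze Sword", 650),
    ("seller3", "buyer3", "Vital Bronze Sword", 720),
    ("mule_x", "mule_y", "Vital Bronze Sword", 750 * COPPER_PER_GOLD),
    ("seller4", "buyer4", "Carrion Primordus Short Bow", 12_000),
    ("seller5", "buyer1", "Carrion Primordus Short Bow", 11_500),
    ("seller6", "buyer5", "Carrion Primordus Short Bow", 12_500),
    ("mule_x", "mule_y", "Carrion Primordus Short Bow", 700 * COPPER_PER_GOLD),
    ("seller7", "buyer6", "Plain Staff", 7_000 * COPPER_PER_GOLD),
]


def flag_sales(sales, ratio=100, min_history=3):
    """Flag sales priced at least `ratio` times the median of the OTHER sales
    of the same item. Leaving the sale itself out keeps one huge outlier from
    dragging its own baseline up. Items with too little history are returned
    separately instead of being silently passed."""
    by_item = defaultdict(list)
    for sale in sales:
        by_item[sale[2]].append(sale)

    flagged, no_baseline = [], []
    for rows in by_item.values():
        for i, row in enumerate(rows):
            others = [r[3] for j, r in enumerate(rows) if j != i]
            if len(others) < min_history:
                no_baseline.append(row)
                continue
            baseline = median(others)
            if row[3] >= ratio * baseline:
                flagged.append((row, row[3] / baseline))
    return flagged, no_baseline


def gold_moved_per_pair(flagged):
    """Total gold that flagged sales moved from each buyer to each seller."""
    totals = defaultdict(int)
    for (seller, buyer, _item, price), _ratio in flagged:
        totals[(buyer, seller)] += price
    return {pair: copper / COPPER_PER_GOLD for pair, copper in totals.items()}


if __name__ == "__main__":
    flagged, no_baseline = flag_sales(SALES)
    for (seller, buyer, item, price), r in flagged:
        print(f"FLAG {item}: {buyer} paid {seller} {price / COPPER_PER_GOLD:g}g ({r:,.0f}x median)")
    print("needs manual review (no price history):", no_baseline)
    print("gold moved per buyer->seller pair:", gold_moved_per_pair(flagged))
```

The lone 7,000 gold staff lands in the manual-review list because a single sale gives no median to compare against.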

Posted by: OGDeadHead.8326

I’m mostly interested in HOW you got hacked in the first place OP.

Win10 pro | Xeon 5650 @ 4 GHz | R9 280x toxic | 24 Gig Ram | Process Lasso user

Posted by: Lyp Sao.1375

You should take that out to at least 12345678. You know, for security.

Kitten! That is exactly my password. How do you know? I will change it to “ABCDE” (hihi, now it is safe again)

Don’t fight the other ants
Fight the queens

Posted by: Ashabhi.1365

Just a captain obvious moment, but you CAN store your passwords… just not on a computer. Keepass and Lastpass sound good, but pen and paper are still the safest way to remember passwords.

Write them down in a notebook and keep them in a drawer away from your computer.

Also, taking a word and spelling it in “leetspeak” is not necessarily a good tactic. “PASSWORD” and “P455W0RD” are easily guessed. Better to pick random words and string them together such as “PickleUmbrellaFortyMango123???” is very much harder to guess.

I do have an observation about the gold laundering issue.

I noticed a low-level blue staff for sale today for 7K gold while looking at prices for precursors. I would not have had to buy (insert number) of things at a lower price in order to buy that item, so if I were a gold launderer, all I would have to do is email my client once I had the payment and tell him to list something for exorbitant amounts so I could “buy” it and not raise a flag.

Just sayin….

What blue staff was that? Can you post a link?

Edit: Was it this one? https://www.gw2tp.com/item/37629-staff

I don’t remember exactly, it might have been, or it may have been another. I just remember thinking it was odd that a plain low-level blue staff was for sale at that price point.

Level 80 Elementalist

Posted by: Nova.2890

Indeed as above said, you only need long passwords, not necessarily “complex” ones.

Like having a password “ohhowIadorecuteAsurananimationsofwigglyearsandstumpylegs” compared to “1Xk#3_hH” should be somewhat harder to brute force.

PS: Sorry if I guessed someone’s password

The problem if you exclude complex passwords is the following
simple lower case letters: only 26 possible combinations for each character slot in use
Add in case sensitive passwords: and now you have doubled it
Use numbers and letters, now you have 52+10 possible characters for each slot

Now add in special characters. Let’s assume you can only use the ones on the keyboard keys and not alt codes as well
52+10+32=94 possible characters for each slot.

This is why a lot of government websites require the use of such passwords, because as you add in more possibilities for each used character spot, the time needed to brute force attack that password increases that much more.

So let’s look at a couple simple passwords and see how many guesses are needed for each

lowercase simple letter only password 6 characters: 26×26×26×26×26×26 =
308,915,776 possible combinations.

Complex password 6 characters: 94×94×94×94×94×94 =
689,869,781,056 possible combinations

That’s why complex passwords are better, because even under brute force, there are so many many more combinations that the chance that a brute force attack would succeed and go unnoticed is unlikely.

(edited by Nova.2890)
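The keyspace arithmetic from the post above, extended to the length-versus-complexity question the thread keeps returning to; this is an added example, not something posted in the thread. The function names are made up here, and the 2048-word list for the random-word passphrase is an assumption.

```python
import math
import string


def alphabet_size(password):
    """Alphabet implied by the character classes present: 26, 52, 62 or 94
    for lowercase, +uppercase, +digits, +keyboard symbols, as in the post."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)  # 26, 26, 10, 32 characters
    return sum(len(cls) for cls in classes if any(c in cls for c in password))


def keyspace(password):
    """Number of candidates a blind brute force of this length and alphabet covers."""
    return alphabet_size(password) ** len(password)


def bits(password):
    """Same quantity on a log2 scale, which makes lengths easy to compare."""
    if alphabet_size(password) == 0:
        raise ValueError("password has no characters from the counted classes")
    return len(password) * math.log2(alphabet_size(password))


def lowercase_length_to_match(password):
    """Shortest all-lowercase length whose keyspace is at least as large."""
    target, n = keyspace(password), 1
    while 26 ** n < target:
        n += 1
    return n


def word_passphrase_bits(n_words, wordlist_size):
    """Strength of words picked at random from a list. Use this, not bits(),
    for passphrases: an attacker guesses whole words, not single letters, so
    the per-character figure overstates a phrase made of dictionary words."""
    return n_words * math.log2(wordlist_size)


if __name__ == "__main__":
    short = "1Xk#3_hH"  # the 8-character example quoted in the post
    print(f"6 lowercase chars : {keyspace('abcdef'):,}")
    print(f"6 mixed chars     : {keyspace('aB3#xY'):,}")
    print(f"{short!r}: {bits(short):.1f} bits, matched by "
          f"{lowercase_length_to_match(short)} random lowercase letters")
    print(f"4 random words from 2048: {word_passphrase_bits(4, 2048):.0f} bits")
```

These figures only hold for randomly chosen characters or words; a password that appears in a leaked list falls to the first guesses regardless of its computed keyspace.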

Posted by: bigmonto.4215

For a while I was thinking of buying some gold in one of the sites thinking they were legitimately earned, and that their prices were way cheaper. Upon hearing this I am glad that I didn’t do it. I am glad the OP decided to share this story, and I hope more potential gold buyers are reading this post.

Posted by: Just a flesh wound.3589

Just a captain obvious moment, but you CAN store your passwords… just not on a computer. Keepass and Lastpass sound good, but pen and paper are still the safest way to remember passwords.

Write them down in a notebook and keep them in a drawer away from your computer.

Also, taking a word and spelling it in “leetspeak” is not necessarily a good tactic. “PASSWORD” and “P455W0RD” are easily guessed. Better to pick random words and string them together such as “PickleUmbrellaFortyMango123???” is very much harder to guess.

I do have an observation about the gold laundering issue.

I noticed a low-level blue staff for sale today for 7K gold while looking at prices for precursors. I would not have had to buy (insert number) of things at a lower price in order to buy that item, so if I were a gold launderer, all I would have to do is email my client once I had the payment and tell him to list something for exorbitant amounts so I could “buy” it and not raise a flag.

Just sayin….

What blue staff was that? Can you post a link?

Edit: Was it this one? https://www.gw2tp.com/item/37629-staff

I don’t remember exactly, it might have been, or it may have been another. I just remember thinking it was odd that a plain low-level blue staff was for sale at that price point.

It’s probably not the exact same one. It’s level 80 and 9,999!!!! gold. It’s been listed since January. My theory is, it was used to transfer gold between accounts and the account(s) got banned and that it’s left unbought as buying it now would send almost 10k to a banned account.

For a while I was thinking of buying some gold in one of the sites thinking they were legitimately earned, and that their prices were way cheaper. Upon hearing this I am glad that I didn’t do it. I am glad the OP decided to share this story, and I hope more potential gold buyers are reading this post.

I know some people are going to roll their eyes at your story, but back when I first started playing (it was Guild Wars 1) I knew absolutely nothing about gold sellers.

So I got to Kamadan and this guy was advertising gold in chat. Since I already knew that Guild Wars 1 sold in their store skill unlocks (both PvE and PvP), access to ranger pets, upgrade unlocks to gear in PvP, and an NPC to fight beside you in PvE it didn’t strike me as odd that you could also buy gold. I went to the site to check it out but decided not to buy as I didn’t need gold. So I dodged a bullet then without even knowing it was there.

Be careful what you ask for
ANet may give it to you.

(edited by Just a flesh wound.3589)

Posted by: Day Trooper.3605

I’m mostly interested in HOW you got hacked in the first place OP.

This is my question as well. And as I asked earlier, do you have two-step verification enabled on your account?