Last night a hacker socially engineered one of our CS agents to gain control of Gaile’s account, and accessed GW1 using it. Gaile of course has two-factor auth on her account, and despite the social engineering, the two-factor auth worked and protected her, so the hacker had no access to her forum or GW2 accounts. Only GW1 pre-dates our 2FA/SMS system.
To socially engineer the CS agent, the hacker provided a variety of personal details about Gaile. But we don’t accept personal details as primary proof of account ownership. We require things like verifying billing info, two-factor auth, access to the account’s primary phone number, or access to its primary IP address in cases where IP address ownership is clearly established. When we can’t verify, we decline access, knowing that incorrectly declining is an unfortunate but better outcome than incorrectly granting access. These are all established and documented policies. We have a great team of customer support agents who follow these policies, and the hacker tried a bunch of times and found one agent who didn’t.
We want to protect all accounts as much as we want to protect our own. Some of you were particularly concerned about the impact to the game of hacking a GM account. You should know that we don’t give GM accounts or any accounts the ability to cheat progress, synthesize items, or manipulate the game’s economy. We play the game the same way you play the game. The hacker was able to use Gaile’s GM access to manipulate guild trims, but mostly he handed out Gaile’s personal items that she had collected from years of playing GW1.
We take your account security seriously and will continue to do everything we can to ensure that our support team consistently applies this security policy and prioritizes protecting you from account hackers.
I was just wondering, considering what happened in Guild Wars 1 last night, if Anet has any plans to secure our accounts. It is quite alarming; many of us have personal information attached to accounts: names, addresses, phone numbers, etc.
It is alarming how easily an account can be compromised and access given to both GW1 and GW2. Word is that all you need is to e-mail support with a character name and the person’s real name and they will allow a password reset for the account.
I was wondering if a post about this subject existed…
And yes I’m worried about the same thing. But alas GW1 is like the unwanted brother Anet sort of wishes it never had (going on what they’re actually doing with it… which is EXACTLY NOTHING!!)
I’ve been reporting RMT spammers in GW1 for over a year, and yet they’re still in Spamadan. But no Anet doesn’t care.
You can lose your account to a social engineering attack.. but no, Anet doesn’t care (or appears not to).
Please Anet for the love of the six gods, do SOMETHING with GW1… recruit some volunteer gm’s or something… ANYTHING!
I couldn’t find one so I created one. Sorry if one exists. I know you don’t care about GW1. But if someone can get access to our accounts and our personal information, that is an issue. :/
Considering Gaile, the owner of the hacked account, works for ANet, the fact that her account was hacked by a player going through support with info is shocking. There should have been a call or email or a quick walk to her office to ask if she requested the password reset. Support staff should be expected to have a much higher threshold for accounts with moderator privileges.
Makes me wonder how secure accounts with just GW2 attached really are.
As you said, I don’t believe in conspiracy. It was just luck (maybe with some info from inside, but still luck). Look at the chats, he didn’t know what to do at the start. Why blame a GM? They give everything for the game; most of the time they are working for the company and in their free time they are playing but still helping where they can. What benefit could they have from giving an account away? Keep in mind most people work there as if it is their hobby, so certainly they won’t risk such a thing. So what you say makes no sense.
@seera, read all posts; there is nothing wrong with GW2 account security.
Those with linked GW1 and GW2 accounts do have to worry. Same login info. And if players can get access to GW1 players’ accounts that easily, it makes me wonder how easily someone besides me can get access to my account.
And it is appalling that the GM’s account was given away to someone else.
Seera? No one has to worry. The account was given away. And that won’t happen again after this. And the wondering thing? Why do you say that? Any proof? Oh, the reddit 50% post, y lol.
Good work on the speedy update to let the community know what happened. Also a good lesson to everyone to understand how important two-factor authentication is.
That’s awful. I’m glad it was limited to what it was, but I really deeply hope that there is some way to restore her items. I’m sure she is feeling terrible
and the hacker tried a bunch of times and found one agent who didn’t.
How is this possible?
How could he try multiple times without the account getting some sort of flag?
So you say you have ZERO protection against multiple attempts that fail to provide the needed information?
Gaile’s account (and every other) should get a really big warning that there are attempts to take control of the account.
Because you wrote it without any comment, it seems you have no doubt about this insecure procedure.
Also it doesn’t explain the reports on reddit weeks and months ago about the same method. Your CS lead was also aware of it!
I agree with Vis above. How can someone try multiple times to get control, be declined by several CS agents, find one that doesn’t follow the policies, and there be no flag that multiple attempts had been made to get into the account? There should have been an email sent to Gaile, or even the account locked, after the failed attempts to gain access.
Mr. O’Brien, I love GW and GW2, but as Vis also pointed out, this same method has been talked about for quite some time about being tried, and successfully. Please, please, consider releasing a GW2 specific authenticator for us to add to our GW2 and even GW1 accounts. There needs to be some visible sign that some added security is being provided.
Jaina Kitten, Level 80 Elementalist, Main
Yak’s Bend – Expletus
“We have a great team of customer support agents who follow these policies, and the hacker tried a bunch of times and found one agent who didn’t.”
This.
This is the part that concerns me. As Vis pointed out, why was there no warning flag after the second attempt by said hacker to gain control of the account?
If your team of CS agents mostly follow the rules, but sometimes don’t… then all of our accounts (GW1 & 2) are at risk unless changes are made.
Just to follow up on my previous post, something else occurs to me. I would assume Gaile’s GW1 account is linked to her GW2 account and if so, then the reset link would allow the PW to be changed inside of the GW2 account page as that controls the linked GW1 account. It would seem as if the two factor authentication for GW2 would be at risk because of the reset allowing them access to change the PW for GW1 inside it.
You really need to allow the use of more than one choice of two factor authentication and once again, a dedicated GW2 authenticator needs to be one of those options.
Jaina Kitten, Level 80 Elementalist, Main
Yak’s Bend – Expletus
Any comment on the multiple reports of CS giving access to GW2 accounts without the information you mentioned?
There is at least one person on reddit who has posted proof of gaining access to over 5 accounts and having them deactivate 2-factor even without the right information.
We take your account security seriously and will continue to do everything we can to ensure that our support team consistently applies this security policy and prioritizes protecting you from account hackers.
Mo
Then you’d best be terminating your contract with Zendesk and finding another potential outsource if you can’t handle CS in-house. If there’s one thing that has been consistent in my time of online gaming it is that Zendesk has been a terrible Customer Service provider in every game I’ve had the misfortune of dealing with them.
Not only have I had tickets go completely unanswered for weeks in other games, but even here in Guild Wars one of their agents was nice enough to hand over my account to someone else after having provided absolutely no proof of ownership. My account has since been secured as this happened last year, but not until after a three week long battle with customer service to have the problem corrected. I can count not only on one hand, but one finger, how many positive experiences I’ve had with Zendesk. That’s right, just one.
I doubt their long-term quality will change as a result of anything that has transpired in the last 24 hours; and I believe that long-term quality needs to be the goal here.
Aratyl ~Gate of Madness
Co-Leader of the Get Fresh Crew
Gaile is one of the most valuable resources Anet has and cannot be replaced. I think of her almost as family considering all she has done to help my wife and I when we got hacked and to hear this pains me greatly.
Anet employees have my information and (use your imagination)(use your imagination again) I would like to offer my support and assistance.
I used to do CS for a large banking company in my area. We would occasionally have somebody call in & attempt to fraudulently gain control of a customer’s account. After the first attempt, notations would be made on the account to give the next CS rep a heads up. After the second attempt, the account would be marked as “Transfer to Fraud Dept Immediately” if the hacker called again and the account would be locked down. The customer would also be notified.
Long story short – At what point was Gaile notified and what, if any, actions were taken by your CS team to secure the account before it was compromised?
If this is how your CS team handles situations like this, then we have a problem.
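As an added example, not code from the original post or from ArenaNet or Zendesk, the following Python combines the ownership-proof policy quoted at the top of the thread (billing info, 2FA, primary phone or primary IP count; personal details never do) with the banking-style escalation described just above: a note after the first failed attempt, lock and owner notification after the second, so a later agent cannot be talked into granting access. Account ids, agent names and evidence values are constructed.

```python
"""Constructed example: account-recovery requests checked against an
ownership-proof policy, with escalation on repeated failed attempts.
Not ArenaNet's or Zendesk's code; names and values are made up."""
from dataclasses import dataclass, field
from enum import Enum

# Proofs the quoted policy accepts as primary evidence of ownership.
ACCEPTED_PROOFS = {"billing_info", "two_factor", "primary_phone", "primary_ip"}


class Status(Enum):
    OPEN = "open"      # no suspicious activity on record
    NOTED = "noted"    # one failed attempt; note visible to the next agent
    LOCKED = "locked"  # repeated failures; fraud team only, owner notified


@dataclass
class AccountRecord:
    account_id: str
    status: Status = Status.OPEN
    failed_attempts: int = 0
    notes: list = field(default_factory=list)          # what the next agent sees
    notifications: list = field(default_factory=list)  # messages sent to the owner


@dataclass
class RecoveryRequest:
    agent: str
    evidence: dict  # claim -> verified?  e.g. {"billing_info": True, "real_name": True}


def verify_ownership(evidence: dict) -> bool:
    """True only if at least one accepted proof was actually verified.
    Personal details (real name, address, character name...) never count."""
    return any(evidence.get(proof, False) for proof in ACCEPTED_PROOFS)


def handle_request(record: AccountRecord, req: RecoveryRequest) -> str:
    """Process one recovery request, update the account record, return the outcome."""
    if record.status is Status.LOCKED:
        # Once locked, even a valid-looking proof cannot reopen the account via normal CS.
        record.notes.append(f"{req.agent}: refused, account locked pending fraud review")
        return "refused_locked"
    if verify_ownership(req.evidence):
        record.notes.append(f"{req.agent}: accepted proof verified, access granted")
        return "granted"
    record.failed_attempts += 1
    offered = sorted(k for k, v in req.evidence.items() if v)
    if record.failed_attempts == 1:
        record.status = Status.NOTED
        record.notes.append(
            f"{req.agent}: declined; only {offered} offered. Heads-up for next agent.")
    else:
        record.status = Status.LOCKED
        record.notes.append(
            f"{req.agent}: declined; repeat attempt. Transfer to fraud dept, account locked.")
        record.notifications.append(
            f"to owner of {record.account_id}: repeated recovery attempts, account locked")
    return "declined"


def run_scenario(account_id: str, requests: list) -> tuple:
    """Replay a sequence of requests against a fresh record; returns (outcomes, record)."""
    record = AccountRecord(account_id)
    return [handle_request(record, r) for r in requests], record


# Constructed scenario: three agents offered personal details only, then a real proof.
SAMPLE_REQUESTS = [
    RecoveryRequest("agent_a", {"real_name": True, "character_name": True}),
    RecoveryRequest("agent_b", {"real_name": True, "address": True}),
    RecoveryRequest("agent_c", {"real_name": True, "character_name": True}),
    RecoveryRequest("agent_d", {"billing_info": True}),
]

if __name__ == "__main__":
    outcomes, rec = run_scenario("acct-example", SAMPLE_REQUESTS)
    print(outcomes)  # ['declined', 'declined', 'refused_locked', 'refused_locked']
    print(*rec.notes, sep="\n")
```

The third request is refused even though the agent might have been willing to accept personal details, because the lock set on the second failure takes the decision out of any single agent's hands.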
Poor Gaile, I’m really sorry to hear this happened to you. You’ve dedicated so many years of your life to being a friendly face towards a community that, while often is friendly, can often be very, very ugly in return. I hope you’re able to get all your items back.
I think the saddest part of this whole incident (and others) is just the fact that security like this is needed.
We live in a world where some people will try everything they can to ruin your day; where some people with no regard for others will spend their time brooding negativity.
I dream of a world where cars and houses — and digital accounts — don’t need locks…but I know this is just a fairytale.
Last night a hacker socially engineered one of our CS agents to gain control of Gaile’s account, and accessed GW1 using it. Gaile of course has two-factor auth on her account, and despite the social engineering, the two-factor auth worked and protected her, so the hacker had no access to her forum or GW2 accounts. Only GW1 pre-dates our 2FA/SMS system.
To socially engineer the CS agent, the hacker provided a variety of personal details about Gaile. But we don’t accept personal details as primary proof of account ownership. We require things like verifying billing info, two-factor auth, access to the account’s primary phone number, or access to its primary IP address in cases where IP address ownership is clearly established. When we can’t verify, we decline access, knowing that incorrectly declining is an unfortunate but better outcome than incorrectly granting access. These are all established and documented policies. We have a great team of customer support agents who follow these policies, and the hacker tried a bunch of times and found one agent who didn’t.
We take your account security seriously and will continue to do everything we can to ensure that our support team consistently applies this security policy and prioritizes protecting you from account hackers.
Mo
MO – then explain how exactly they obtained access into the GM’s account if you do not accept personal details as proof of account ownership.
So much contradiction in your statement there, it’s not even funny.
You say you take account security seriously, but with statements like that I cannot see how. If you have processes involved then singling out one CSR shouldn’t have been possible. With a weak link like that, there is no account security. PERIOD.
We have a great team of customer support agents who follow these policies, and the hacker tried a bunch of times and found one agent who didn’t.
Sadly, this is not uncommon in the customer support world, established policies or otherwise. Could be the person was new, could be the person didn’t read any notes on the account from previous CS members (assuming they have some sort of ticketing / note system that is reliably searchable and/or tied to user accounts). Could be any number of things, including simple negligence.
I am saddened to hear this happened to Gaile.
Don’t look at me like that. Whatever you’ve heard, it’s probably not true.
I used to do CS for a large banking company in my area. We would occasionally have somebody call in & attempt to fraudulently gain control of a customer’s account. After the first attempt, notations would be made on the account to give the next CS rep a heads up. After the second attempt, the account would be marked as “Transfer to Fraud Dept Immediately” if the hacker called again and the account would be locked down. The customer would also be notified.
Long story short – At what point was Gaile notified and what, if any, actions were taken by your CS team to secure the account before it was compromised?
If this is how your CS team handles situations like this, then we have a problem.
Probably a few thousand problems.
Game companies are not banks. There isn’t the same amount of risk involved. But the world is changing as is the nature of online gaming and your suggestion is a good one for them to consider.
Chaba Tangnu
Founding member of [NERF] Fort Engineer and driver for [TLC] The Legion of Charrs
RIP [SIC] Strident Iconoclast
I used to do CS for a large banking company in my area. We would occasionally have somebody call in & attempt to fraudulently gain control of a customer’s account. After the first attempt, notations would be made on the account to give the next CS rep a heads up. After the second attempt, the account would be marked as “Transfer to Fraud Dept Immediately” if the hacker called again and the account would be locked down. The customer would also be notified.
Long story short – At what point was Gaile notified and what, if any, actions were taken by your CS team to secure the account before it was compromised?
If this is how your CS team handles situations like this, then we have a problem.
Probably a few thousand problems.
Game companies are not banks. There isn’t the same amount of risk involved. But the world is changing as is the nature of online gaming and your suggestion is a good one for them to consider.
I’m well aware that they aren’t the same thing nor same amount of risk. But thanks for being condescending.
My point was, as others have said, the security measures in place aren’t working if all it takes is one CS rep not following the rules to compromise an account.
Game companies are not banks. There isn’t the same amount of risk involved. But the world is changing as is the nature of online gaming and your suggestion is a good one for them to consider.
Nope, that they are not. But game companies often do store info such as PayPal account info, CC info, home address, real names, birth dates… enough information for someone to steal your identity if they wanted to.
But keep on thinking that game companies don’t need a similar level of security to what you find at banks in today’s era of technology.
I only hope that they will improve security in Guild Wars now. For the last few years it has been too easy to get your old banned account back if you only said that you want to play the game after you took a long break.
This mass influx of “new” accounts has led to lots of syncing and shameless botting in PvP and I would guess in PvE as well. There isn’t any support from Anet trying to prevent this, while there are many sites selling bots, accounts and Guild Wars money for real money, making those hackers profit on the loyal community.
I hope this hack was a huge red flag for Anet that they know they can’t leave the game without any support at all. That’s why I see this hack mostly as a cry for help and attention (and some giggles) towards Anet.
Great to hear you sorted it and Gaile’s account is secure.
I am not sure that advertising that a hacker gained access after trying multiple times until they found a CS agent not following procedure is perhaps the wisest thing to be putting out there, though.
What a disgusting thing to happen to a lovely person. What sort of low life takes advantage of Gaile of all people? She is always so kind and helpful. You people blaming Anet security and the poor dupe who probably lost his/her job, consider the real culprit was one of us – a vile, nasty little player. Yuck.
What a disgusting thing to happen to a lovely person. What sort of low life takes advantage of Gaile of all people? She is always so kind and helpful. You people blaming Anet security and the poor dupe who probably lost his/her job, consider the real culprit was one of us – a vile, nasty little player. Yuck.
Does not really matter who hacked the account, what matters is how they were able to get away with it. And yes that solely falls on Anets lack of security and the CSR that let it happen for not following policy.
What a disgusting thing to happen to a lovely person. What sort of low life takes advantage of Gaile of all people? She is always so kind and helpful. You people blaming Anet security and the poor dupe who probably lost his/her job, consider the real culprit was one of us – a vile, nasty little player. Yuck.
We’re placing the blame on Anet security because that’s exactly where it belongs.
What a disgusting thing to happen to a lovely person. What sort of low life takes advantage of Gaile of all people? She is always so kind and helpful. You people blaming Anet security and the poor dupe who probably lost his/her job, consider the real culprit was one of us – a vile, nasty little player. Yuck.
Who else are you going to blame!? I’m not blaming the hacker because there should be measures to stop this. Anet has credit card information stored on file; God forbid he stole that sort of information. So go ahead and feel bad, I don’t; I want to know what’s going to be done to keep my information safe. I’m sure Gaile Gray is a good person but consider the consequences if this continues to happen. I do appreciate Mike at least acknowledging it, but what is going to be done to prevent this, whether it be GW1 or GW2?
We have a great team of customer support agents who follow these policies, and the hacker tried a bunch of times and found one agent who didn’t.
Sadly, this is not uncommon in the customer support world, established policies or otherwise. Could be the person was new, could be the person didn’t read any notes on the account from previous CS members (assuming they have some sort of ticketing / note system that is reliably searchable and/or tied to user accounts). Could be any number of things, including simple negligence.
I am saddened to hear this happened to Gaile.
Or maybe they know who Gaile is and thought “Oh wow, this person is important, I’d better get her back into her account ASAP!” Sounds crazy but it sometimes works.
In my old job we used to have at least 1 call a day from someone saying something like “Can I speak to [Chief Executive’s Name] please? I was speaking to her last week about your new internet contract.” In marketing it’s called ‘getting past the gate keeper’ – name drop someone important and hope the person answering the phone wouldn’t dare question or delay a call to such an important person. (And that the person you get through to won’t have a clue about whatever you’re selling them and will agree to whatever to get you off the phone.)
People are often the weak link in security. You can put the best lock in the world on a door but if the last person out is in a hurry and forgets to lock it you may as well have not bothered.
Just to follow up on my previous post, something else occurs to me. I would assume Gaile’s GW1 account is linked to her GW2 account and if so, then the reset link would allow the PW to be changed inside of the GW2 account page as that controls the linked GW1 account. It would seem as if the two factor authentication for GW2 would be at risk because of the reset allowing them access to change the PW for GW1 inside it.
You really need to allow the use of more than one choice of two factor authentication and once again, a dedicated GW2 authenticator needs to be one of those options.
I just checked – GW1’s ‘change password’ option redirects you to the GW2 website, and you need to use two-factor authentication to log into that.
Danielle Aurorel, Dear Dragon We Got Your Cookies [Nom], Desolation (EU).
“To socially engineer the CS agent, the hacker provided a variety of personal details about Gaile. But we don’t accept personal details as primary proof of account ownership. We require things like verifying billing info, two-factor auth, access to the account’s primary phone number, or access to its primary IP address in cases where IP address ownership is clearly established. When we can’t verify, we decline access, knowing that incorrectly declining is an unfortunate but better outcome than incorrectly granting access. These are all established and documented policies. We have a great team of customer support agents who follow these policies, and the hacker tried a bunch of times and found one agent who didn’t.”
I’m sorry but in my experience this simply isn’t true. I tried to recover one of my own accounts that I used to use for storage on Guild Wars 1 about 2 months back. I hadn’t used the account for a number of years, but needed somewhere for storage again for all my armor! I couldn’t remember my password or account name. All I had was my character name and my real name. I got the account back.
Now this was my own account so no big deal but if it was that easy, anyone could have done it. And my IP address wasn’t used for verification either because I live in a different country now to when I last logged into that account.
I’m sorry I’m really not trying to be awkward, but I am actually concerned about the security of my account and my personal information linked including credit cards and home addresses.
I just checked – GW1’s ‘change password’ option redirects you to the GW2 website, and you need to use two-factor authentication to log into that.
Yeah, and the link the CS agent would have sent would also have gone to the GW2 website, as linked GW1 and GW2 accounts share the same username and PW. Unless you do it EXACTLY as the hacker did it, neither you nor anyone else has any way of knowing if there is a way to bypass two-factor. We know the change-password page on the reset link the CS agent sent does not have two-factor linked to it, or they never would have been able to change the PW in the first place.
Or maybe they know who Gaile is and thought “Oh wow, this person is important, I’d better get her back into her account ASAP!” Sounds crazy but it sometimes works.
In my old job we used to have at least 1 call a day from someone saying something like “Can I speak to [Chief Executive’s Name] please? I was speaking to her last week about your new internet contract.” In marketing it’s called ‘getting past the gate keeper’ – name drop someone important and hope the person answering the phone wouldn’t dare question or delay a call to such an important person.
And if they did know who Gaile is that should only have made them MORE wary and cautious, not less. Not to mention that is one of the first things taught by (proper) security is to not fall for that trap. No matter what the excuse, this incident is reason enough to drop Zendesk for multiple failures. I would hope NC Soft and Anet would take security in house, but at the very least they need to change to a more responsible security company.
Jaina Kitten, Level 80 Elementalist, Main
Yak’s Bend – Expletus
What a disgusting thing to happen to a lovely person. What sort of low life takes advantage of Gaile of all people? She is always so kind and helpful. You people blaming Anet security and the poor dupe who probably lost his/her job, consider the real culprit was one of us – a vile, nasty little player. Yuck.
No one is saying the hacker shouldn’t face consequences, but there is no way to make hackers stop trying to hack, so yes, security personnel are employed and need to be held accountable if they fail to follow policy or else there really is no security at all.
And no, the culprit wasn’t “one of us”. If you’re a vile, nasty little player, which you seem to be indicating as you are including yourself in your grouping, then thank you for the warning, but the majority of us are not nasty nor vile.
Jaina Kitten, Level 80 Elementalist, Main
Yak’s Bend – Expletus