Guild Wars 2

We’re just going in circles with these “blame the hacker, no blame the CS reps, no blame Gaile” arguments.

The real question is – What, if anything, is Anet going to do to improve account security?

I get that GW1 is an old game & not actively supported, but this incident speaks to a larger issue that’s been here since GW2’s launch.

oshilator.4681:

We’re just going in circles with these “blame the hacker, no blame the CS reps, no blame Gaile” arguments.

The real question is – What, if anything, is Anet going to do to improve account security?

I get that GW1 is an old game & not actively supported, but this incident speaks to a larger issue that’s been here since GW2’s launch.

Again,why you think they didn’t adapt?

Luckily Gaile had pretty much nothing of value in guild wars, except for the 3 miniature frogs that have an unique binary code.
So in other words, this means that if Anets programmers could be bothered they could track those 3 items down and either get them back to her or delete them from the database and remake the3 frogs for Gaile. (cuz these are very special items that only belong to her).
Anything of the other stuff lost I’m pretty sure we can get her back in a few minutes as it were pretty much cheap things as far I can remember. (unless there was prenerf stuff/old dyes that on your armor)

For anyone claiming it can’t be done: https://wiki.guildwars.com/wiki/The_Rockmolder
This item used to be 20% and all versions, new and old got changed to 10%.

Sorry for your loss Gaile, I know how it feels, you did so much for me!
If anyone didn’t deserve this then it was absolutely you.

And Dwayna, also sorry to see you got hacked, you had a decent collection even if most of it was gained with questionable methods which you rightfully got permabanned for and then got unbanned through terrible customer support as of 2015 where lot’s of rightfully banned accounts all got unbanned.
No hard feelings, just stating some facts.

@mike o’brian, sad to see that some of the cs agents don’t do their work in line with the security polices.
But I’m sure you fixed the problem/made them aware this can’t happen again or there will be consequences.
Anyways, keep up the good work and thanks for creating the best game ever (guild wars1) and keeping it running.
HD remake? gogo

Silicato.4603:

I personally dislike how from anet, both MO and Gaile try to put the hacker as the only one “bad”.

How do you read MO’s post as saying the CS rep who failed wasn’t bad? ‘We have rules in place. One of our CS people didn’t follow the rules, and this bad thing happened." That in no way says anything to exonerate the failed CS person!

RedZebra.2345:

People asking more security why? Security is in place, but support can always circumvent that if they want, even with 2 auth.

It’s more asking for enforcement of their policies by support staff and having more safeguards on their end, than having upfront security features on the login process. The most important thing that seems to be lacking here are warnings between CS reps that indicate previous attempts at gaining access to an account. If such a flagging system was in place and used, this rep’s actions were just appallingly incompetent.

mrstealth.6701:

RedZebra.2345:

People asking more security why? Security is in place, but support can always circumvent that if they want, even with 2 auth.

It’s more asking for enforcement of their policies by support staff and having more safeguards on their end, than having upfront security features on the login process. The most important thing that seems to be lacking here are warnings between CS reps that indicate previous attempts at gaining access to an account. If such a flagging system was in place and used, this rep’s actions were just appallingly incompetent.

I can only agree what you said, this was a flaw in their support system. But they won’t be telling me or you what they did to prevent it from happening again. I’m just afraid they are going the hard way, thx to that noob hacker, honest people will suffer.

Laurie.1698:

This happens in all industries everywhere. Years ago, when the internet and all this was new and this began to happen, it irritated me so much that I took it upon myself to enter the server security field and dedicate my career to beating those at their own game. I’ve seen every “excuse” in the book, I’ve seen just about every way of doing this..nothing changes the fact that wrong is wrong….socially inept vigilantism is the most cringe worthy excuse I’ve seen for those examples. Odd, you could have just applied a simple principle everyone learned in Kindergarten…“if its not yours don’t touch it”

Bottom line is, this is something that will continue to happen in small percentages, this is a constant vigilance that needs to be maintain and is, accessing accounts for any reason is wrong, damaging, and the consequences should be severe for each and every person that not only did the account compromise but those who participated in knowing it was being done and doing nothing about it. They are the future ones who have obviously made their viewpoint on account compromise known as acceptable so are a danger as well.

Last thing….and most important. People are people, not computers, they are not perfect, that is exactly why procedures and protections are put into place in the first place. Mistakes will be made…its the nature of the business, the people business that make it so unpredictable. Every angle, every step, one step ahead at all times is an unacceptable expectation, its not possible. 20 years experience says its not physically possible. Do not blame the victim, blame the “kitten” who took it upon themselves to do this.

Not to worry though, they will be found, the hole they crawled in on will be not only closed but vigilantly watched from this point forward. Each time, the holes close tighter and tighter. People like me, and others, laugh in your face when we close your spider holes, another pest eliminated, crying and denouncing us and our procedures all the way. “If its not yours, don’t touch it.”

A key point here is the intent and action taken. In this case, the person went to far when they started messing with items on Gaile’s account. People that access accounts (in a game or anything else) to show the companies’ responsible for their security that there is a weakness are a vital part of keeping information/data/accounts secured. The fact is that there will always be those with malicious intent that have no desire to abide by the “if it’s not your, don’t touch it” principle. It’s those that “touch it” without malicious intent that allow those security holes to be closed before criminals discover them. Simply reacting to malicious breaches after the fact is letting the criminals get a laugh at those in charge of security.

RedZebra.2345:

mrstealth.6701:

It’s more asking for enforcement of their policies by support staff and having more safeguards on their end, than having upfront security features on the login process. The most important thing that seems to be lacking here are warnings between CS reps that indicate previous attempts at gaining access to an account. If such a flagging system was in place and used, this rep’s actions were just appallingly incompetent.

I can only agree what you said, this was a flaw in their system. But they won’t be telling me or you what they did to prevent it from happening again. I’m just afraid they are going the hard way, thx to that noob hacker, honest people will suffer.

That’s a concern we should all have right now. It’s quite possible that we’ll find out about Anet’s inaction through a crime spree of account thefts. If the information in this reddit post is accurate, Anet has already known about and chosen to ignore this problem for some time now. The most frightening aspect is that details on how it was done have already been publicly posted.

mrstealth.6701:

RedZebra.2345:

mrstealth.6701:

It’s more asking for enforcement of their policies by support staff and having more safeguards on their end, than having upfront security features on the login process. The most important thing that seems to be lacking here are warnings between CS reps that indicate previous attempts at gaining access to an account. If such a flagging system was in place and used, this rep’s actions were just appallingly incompetent.

I can only agree what you said, this was a flaw in their system. But they won’t be telling me or you what they did to prevent it from happening again. I’m just afraid they are going the hard way, thx to that noob hacker, honest people will suffer.

That’s a concern we should all have right now. It’s quite possible that we’ll find out about Anet’s inaction through a crime spree of account thefts. If the information in this reddit post is accurate, Anet has already known about and chosen to ignore this problem for some time now. The most frightening aspect is that details on how it was done have already been publicly posted.

i did nothing say about inaction.

RedZebra.2345:

mrstealth.6701:

RedZebra.2345:

mrstealth.6701:

It’s more asking for enforcement of their policies by support staff and having more safeguards on their end, than having upfront security features on the login process. The most important thing that seems to be lacking here are warnings between CS reps that indicate previous attempts at gaining access to an account. If such a flagging system was in place and used, this rep’s actions were just appallingly incompetent.

I can only agree what you said, this was a flaw in their system. But they won’t be telling me or you what they did to prevent it from happening again. I’m just afraid they are going the hard way, thx to that noob hacker, honest people will suffer.

That’s a concern we should all have right now. It’s quite possible that we’ll find out about Anet’s inaction through a crime spree of account thefts. If the information in this reddit post is accurate, Anet has already known about and chosen to ignore this problem for some time now. The most frightening aspect is that details on how it was done have already been publicly posted.

i did nothing say about inaction.

I assumed that’s what you meant by going(learning?) the hard way. Doing nothing or not enough to actually help insure this doesn’t happen again or on a larger scale. I take it that you were referring to Anet cracking down and making it harder to recover an account?

I’d actually prefer it to be difficult. For a change of email address they should require, without exception, that you be able to either show that you have access to the existing email, confirm via SMS, have the game key, or can provide the last 4 digits of the credit card used to purchase. In almost all cases, the owner should have access to at least one of those things.

Email would be the weakest link, as the email account itself could be compromised. If an account is taken via a compromised email account, that email itself can be recovered, and in turn used to recover the game account. Anet would just have to retain the original address on file for future recovery. Any further dispute between the two email addresses should require another of the verification forms, or result in the account being kept with the original email address.

To be short and blunt, I don’t want my account to be at risk because some irresponsible fool couldn’t keep track of their own information. If someone manages to lose access to all of those forms of verification and their account info, that’s on them.

Mike O Brien.4613:

Last night a hacker socially engineered one of our CS agents to gain control of Gaile’s account, and accessed GW1 using it. Gaile of course has two-factor auth on her account, and despite the social engineering, the two-factor auth worked and protected her, so the hacker had no access to her forum or GW2 accounts. Only GW1 pre-dates our 2FA/SMS system.

To socially engineer the CS agent, the hacker provided a variety of personal details about Gaile. But we don’t accept personal details as primary proof of account ownership. We require things like verifying billing info, two-factor auth, access to the account’s primary phone number, or access to its primary IP address in cases where IP address ownership is clearly established. When we can’t verify, we decline access, knowing that incorrectly declining is an unfortunate but better outcome than incorrectly granting access. These are all established and documented policies. We have a great team of customer support agents who follow these policies, and the hacker tried a bunch of times and found one agent who didn’t.

We want to protect all accounts as much as we want to protect our own. Some of you were particularly concerned about the impact to the game of hacking a GM account. You should know that we don’t give GM accounts or any accounts the ability to cheat progress, synthesize items, or manipulate the game’s economy. We play the game the same way you play the game. The hacker was able to use Gaile’s GM access to manipulate guild trims, but mostly he handed out Gaile’s personal items that she had collected from years of playing GW1.

We take your account security seriously and will continue to do everything we can to ensure that our support team consistently applies this security policy and prioritizes protecting you from account hackers.

Mo

I think you should log multiple attempts at trying to access one account personally… especially if that person was denied access each time! I’m not saying your system is flawed, or there’s some magic band-aid fix all but things like this shouldn’t happen even if they do contact support multiple times, notes should be placed to be wary of that person… and especially for someone like a CM or GM of the game extra steps should be taken to secure their profile…

@mrstealth in a ideal world i prefer the same they make it more difficult. But for Anet it’s a balance, keeping people secure and helping people if they lost their account info for some reason.What the semi hacker just did is trowing the balance in the wrong direction.

I’m sorry this happened gaile, hopefully the hacker was sucked into a vortex that brought them to a parallel world where the floor is made of tiny Legos that are spread out and the air smells of cat pee

RedZebra.2345:

@mrstealth in a ideal world i prefer the same they make it more difficult. But for Anet it’s a balance, keeping people secure and helping people if they lost their account info for some reason.What the semi hacker just did is trowing the balance in the wrong direction.

Their official policies, as described by Mo’s OP here, are pretty much what I want to see actually be happening. The problem is that some of their reps are being way too liberal in bending those rules, with this case with Gaile’s account being the extreme of that. I can understand some leniency in restoring access to previously compromised and banned accounts when the request are coming from the original email, but you can’t just grant someone access to any account because they asked nicely. And any attempt to to access an account in good standing should be met with the highest degree of scrutiny possible.

Trying to cater to people that are just careless with their own information is simply an unacceptable risk to everyone.

“A key point here is the intent and action taken. In this case, the person went to far when they started messing with items on Gaile’s account. People that access accounts (in a game or anything else) to show the companies’ responsible for their security that there is a weakness are a vital part of keeping information/data/accounts secured. The fact is that there will always be those with malicious intent that have no desire to abide by the “if it’s not your, don’t touch it” principle. It’s those that “touch it” without malicious intent that allow those security holes to be closed before criminals discover them. Simply reacting to malicious breaches after the fact is letting the criminals get a laugh at those in charge of security.”

You miss my point entirely. My work exists because people have no control over themselves and my work also exists because I am one step ahead, and as I stated, no one can be everywhere at once. I can plainly see believe me, that people do not do what is right, but majority do keep their hands off what doesn’t belong to them, and if they don’t, that is where they screwed up, as usual. To blame the person this happened to is not what should be mentioned. People will make mistakes. All companies strive to avoid any malicious nasties before they happen, that is a given. Do they succeed at all times? No they do not. Perfection is not in it, it never will be. But as I stated, they will be caught, lessons learned, holes closed, that IS a given. But your expectations of perfection in preventing every attack is not feasible in any environment in today’s world. “if its not yours don’t touch it” is a principle that means if you do you will get caught. Its not my “principle” but a fact. But I will not come back to argue about this at all, its not worth it. Its under control, I’ve had my say defending Gaile, and I’m done here.

Laurie.1698:

You miss my point entirely. My work exists because people have no control over themselves and my work also exists because I am one step ahead, and as I stated, no one can be everywhere at once. I can plainly see believe me, that people do not do what is right, but majority do keep their hands off what doesn’t belong to them, and if they don’t, that is where they screwed up, as usual. To blame the person this happened to is not what should be mentioned. People will make mistakes. All companies strive to avoid any malicious nasties before they happen, that is a given. Do they succeed at all times? No they do not. Perfection is not in it, it never will be. But as I stated, they will be caught, lessons learned, holes closed, that IS a given. But your expectations of perfection in preventing every attack is not feasible in any environment in today’s world. “if its not yours don’t touch it” is a principle that means if you do you will get caught. Its not my “principle” but a fact. But I will not come back to argue about this at all, its not worth it. Its under control, I’ve had my say defending Gaile, and I’m done here.

I was somewhat unsure of what point you were actually trying to make, and it seems you missed mine entirely as well. Your initial comment seemed more concerned with reacting to breaches after they were maliciously exploited, and denouncing the very idea of ‘white hat’ hacking in the security field. The person that accessed Gaile’s account was clearly malicious, whether or not they thought they were justified in their actions. Had they merely proven they could access the account by logging in and using the special GM chat colors/markers, I would be willing to defend their actions as being in the best interests of the community has a whole. My point is that cyber security as a whole would be much weaker if we did not have people without malicious intent constantly trying new ways to gain access to supposedly secure data.

And you’re right that the blame shouldn’t be placed on the victim, especially in a case like this where the victim had absolutely no role in the compromise. The blame here lies on the person that access the account and the careless CS rep that allowed it to happen by not following procedure. And I’m not calling for perfection. Nothing is 100% secure, and I don’t see a way that it ever will be. But there are certainly some major flaws in the way this case was handled, and there needs to be some action to help prevent it from happening again.

Silicato.4603:

I personally dislike how from anet, both MO and Gaile try to put the hacker as the only one “bad”. He/She is not the only one…

Yes, the hacker is the only “bad” person. If I accidentally leave my door unlocked, I am not “allowing” someone to break into my house. If someone takes advantage of my door being unlocked and steals my stuff, they are not justified. No matter how hard or easy it is, accessing someone else’s stuff without their permission is wrong.

I’m glad you guys caught it.

This is really a giant banner ad for using 2FA, gamers.

Also, Mo, it would be good if we could completely disable the GW1 account. Because there’s another vulnerability here as well: GW1 runs as admin. So, if the account is hacked, the hacker can spend a great deal of time trying to find a way to hack the game itself, and gain control of the user’s computer.

Another giant banner ad: make the game operate as any other application. Upgrades should use the upgrade process the OS provides. That way, it doesn’t need admin rights. Yeah, it’s a pain, but the alternative is really bad.

Daddicus.6128:

I’m glad you guys caught it.

This is really a giant banner ad for using 2FA, gamers.

Also, Mo, it would be good if we could completely disable the GW1 account. Because there’s another vulnerability here as well: GW1 runs as admin. So, if the account is hacked, the hacker can spend a great deal of time trying to find a way to hack the game itself, and gain control of the user’s computer.

Another giant banner ad: make the game operate as any other application. Upgrades should use the upgrade process the OS provides. That way, it doesn’t need admin rights. Yeah, it’s a pain, but the alternative is really bad.

Our GW1 accounts are the same as our GW2 accounts. They share login credentials and link our ingame data betweent the two games. Having the option to break that link would be a serious redesign and would likely break the functionality of carry-over titles and bonus items. It would be nice if GW1 could have 2FA enabled, but I don’t know if that is technically feasible. And it also wouldn’t matter if someone could get a CS rep to remove/reset the 2FA on the account.

And the GW1 client can’t cause any issues with security of someone’s computer if it’s not actually running on that system. Even if someone were to access your GW1 account, they are just logged into your account and its data that exist on Anet’s servers. That provides no connection to your computer for the hacker to even attempt to use.

The only remotely possible scenario for the game client to be an entry point would be if the game servers were compromised. And that would still require that the client be connected to the compromised server and have an exploitable vulnerability itself. It’s a quite unlikely series of events, especially considering that if your account has been hacked you aren’t likely to be logged into the game unless you have multiple accounts.

There is also no need to run GW1 as admin, though you will likely need to have it installed somewhere other than C:\Program Files (or other directories with special permissions) if UAC is enabled in Windows. This applies to a lot of games that have self-updaters, because it’s not really practical to have Window’s own installer service handle these updates. You’d be downloading the entire game with every update, as I don’t think that installer would be capable of updating the individual files used within most games’ proprietary packed files.

Djinn.9245:

Silicato.4603:

I personally dislike how from anet, both MO and Gaile try to put the hacker as the only one “bad”. He/She is not the only one…

Yes, the hacker is the only “bad” person. If I accidentally leave my door unlocked, I am not “allowing” someone to break into my house. If someone takes advantage of my door being unlocked and steals my stuff, they are not justified. No matter how hard or easy it is, accessing someone else’s stuff without their permission is wrong.

In this case not only you left your door unlocked, but you also did it for months if not years. Robber even warned you multiple times that this is a bad idea.

The issue falls strictly on Arena nets CS teams, Due to negligent staff which I’m sure has been very reprimanded. My only concern right now is why Arena Net chooses to neglect the damages in game done by this hacker. It’s been nearly five days and still things are left unfixed.

I’ve been away on holiday to York for a week, so it’s a late reply I guess, but I’m sorry this happened to you Gaile, glad it got sorted though.

mrstealth.6701:

Our GW1 accounts are the same as our GW2 accounts. They share login credentials and link our ingame data betweent the two games.

I’m not talking about nuking it. Just disable logon.

mrstealth.6701:

There is also no need to run GW1 as admin, though you will likely need to have it installed somewhere other than C:\Program Files (or other directories with special permissions) if UAC is enabled in Windows. This applies to a lot of games that have self-updaters, because it’s not really practical to have Window’s own installer service handle these updates. You’d be downloading the entire game with every update, as I don’t think that installer would be capable of updating the individual files used within most games’ proprietary packed files.

Programs can be tailored to install partial updates. However, in-game updates would be impossible. Still, that’s a worthy trade.

Nobody should ever run ANY program with admin rights if there’s no reason to. It’s the first rule of security: never run an unprivileged application from a privileged account. You’ll find a variant of it in every computer security book. I never run any applications as an admin, unless it’s a backup or security program that needs admin rights to do its job. Except GW.

On accounts that don’t have admin rights, tt least GW2 should back out of admin mode after the installation of an update is complete. Would require restarting the game, but would be worth it.

I wouldn’t say that the hacker is “bad” or that the CS person is “bad” either. According to the social engineer hacker on Redditt, it only took ONE time of trying, all the information was fake that he gave, and it was a GM’s account to boot. Not “He kept trying till one of our CS agents wasn’t so strict.” He tried ONE time, and got in. On a GM’s account. Not the multiple times that Anet is claiming it took. He had the ticket up and everything before the mods told him to take it down. If -I- were ANET I would want people to think it took multiple times too, to save face, but, according to the person who did this, who has absolutely nothing to lose by telling the truth, it only took one time.

The CS agent doesn’t need to be fired over this. He/she needs to be trained a bit more, along with all the rest of the CS agents, and ANET needs to pay attention when people tell them “yeah…you might wanna pay attention to this security break you have.”

The giving away of the frogs is not a big deal, she’s a GM and if someone had the code to make those frogs in the first place, they can make them again. She lost very little of value apart from the frogs, which, as I said, someone can just make for her again. There have been people offering to reimburse her the things she lost, which is very kind of them, and if I had anything of value in GW1 I would do the same. Gaile was basically just a high-profile name that would attract attention and that’s why her account was the one that got “hacked.”

Elyssandariel.2679:

I wouldn’t say that the hacker is “bad” or that the CS person is “bad” either. According to the social engineer hacker on Redditt, it only took ONE time of trying, all the information was fake that he gave, and it was a GM’s account to boot. Not “He kept trying till one of our CS agents wasn’t so strict.” He tried ONE time, and got in. On a GM’s account. Not the multiple times that Anet is claiming it took. He had the ticket up and everything before the mods told him to take it down. If -I- were ANET I would want people to think it took multiple times too, to save face, but, according to the person who did this, who has absolutely nothing to lose by telling the truth, it only took one time.

The CS agent doesn’t need to be fired over this. He/she needs to be trained a bit more, along with all the rest of the CS agents, and ANET needs to pay attention when people tell them “yeah…you might wanna pay attention to this security break you have.”

The giving away of the frogs is not a big deal, she’s a GM and if someone had the code to make those frogs in the first place, they can make them again. She lost very little of value apart from the frogs, which, as I said, someone can just make for her again. There have been people offering to reimburse her the things she lost, which is very kind of them, and if I had anything of value in GW1 I would do the same. Gaile was basically just a high-profile name that would attract attention and that’s why her account was the one that got “hacked.”

Taking the word of a thief, one who has already actively demonstrated that they do not consider their own given word to have any value, seems like a bad idea. Someone who says, essentially, “I am a liar, a cheater, a thief, and go back on my given word when I feel like it,” is not someone we should trust.

Elyssandariel.2679:

I wouldn’t say that the hacker is “bad” or that the CS person is “bad” either. According to the social engineer hacker on Redditt, it only took ONE time of trying, all the information was fake that he gave, and it was a GM’s account to boot. Not “He kept trying till one of our CS agents wasn’t so strict.” He tried ONE time, and got in. On a GM’s account. Not the multiple times that Anet is claiming it took. He had the ticket up and everything before the mods told him to take it down. If -I- were ANET I would want people to think it took multiple times too, to save face, but, according to the person who did this, who has absolutely nothing to lose by telling the truth, it only took one time.

The CS agent doesn’t need to be fired over this. He/she needs to be trained a bit more, along with all the rest of the CS agents, and ANET needs to pay attention when people tell them “yeah…you might wanna pay attention to this security break you have.”

The giving away of the frogs is not a big deal, she’s a GM and if someone had the code to make those frogs in the first place, they can make them again. She lost very little of value apart from the frogs, which, as I said, someone can just make for her again. There have been people offering to reimburse her the things she lost, which is very kind of them, and if I had anything of value in GW1 I would do the same. Gaile was basically just a high-profile name that would attract attention and that’s why her account was the one that got “hacked.”

The hacker only posted the successful attempt. ANet has come out and said that the hacker attempted multiple times.

He does have things to lose if he posts every attempt if his goal is to show quick and easy it is. One attempt shows a lot quicker and easier than several attempts.

Personally, given what the hacker did AFTER gaining access makes me give zero credibility to what he says. If there was not any evidence from players affected by what the hacker did and ANet’s statement in response to it, I’d say he made it up.

Personally, I trust ANet with regards to this. ANet had more to lose reputation wise by saying it took multiple tries. Reaching the CS agent who didn’t follow the rules on what’s acceptable as proof of ownership the first attempt is a lot better than not following the rules AND there not being any flags on the account or the CS agent also not noticing the flags on top of not following the rules.

Daddicus.6128:

mrstealth.6701:

Our GW1 accounts are the same as our GW2 accounts. They share login credentials and link our ingame data betweent the two games.

I’m not talking about nuking it. Just disable logon.

I believe that would still have the same effect with how the two games are setup. GW1 servers on contacted each time you login to verify your accomplishments in that game. Players logging in during the brief period where GW1 was taken down in this incident were temporarily stripped of those carry-overs.

Daddicus.6128:

mrstealth.6701:

There is also no need to run GW1 as admin, though you will likely need to have it installed somewhere other than C:\Program Files (or other directories with special permissions) if UAC is enabled in Windows. This applies to a lot of games that have self-updaters, because it’s not really practical to have Window’s own installer service handle these updates. You’d be downloading the entire game with every update, as I don’t think that installer would be capable of updating the individual files used within most games’ proprietary packed files.

Programs can be tailored to install partial updates. However, in-game updates would be impossible. Still, that’s a worthy trade.

Nobody should ever run ANY program with admin rights if there’s no reason to. It’s the first rule of security: never run an unprivileged application from a privileged account. You’ll find a variant of it in every computer security book. I never run any applications as an admin, unless it’s a backup or security program that needs admin rights to do its job. Except GW.

On accounts that don’t have admin rights, tt least GW2 should back out of admin mode after the installation of an update is complete. Would require restarting the game, but would be worth it.

I’m aware that running applications as admin is a generally bad idea and a potential security risk. My comment was pointing out the fact that you do not have to run GW1 as admin if you simply change the directory it’s installed to. You can even just move the current install and edit your game shortcuts, without having to reinstall the game. The game will run and update itself properly on a standard user account in this setup. It requires no admin rights as it has no need to write files to protected areas (like \Program Files).

Even with GW running as admin, the biggest security threat would be from malware that is already on your PC using it to gain privileges. And that would still mean the malware was designed to target GW and have a method to use the game’s admin rights to accomplish its goal.

For someone to exploit GW remotely, there would have to be multiple points of security failure before the game client running on your PC (and it would have to be running on your PC) could even be a potential vector of attack. To even be able to attempt establishing a connection with the game client would most likely require being able to bypass a router and software firewall (ISPs typically issue modem/firewall combo devices now and Windows has had a stock firewall for years). And after that, there still needs to be something remotely exploitable within the game client. It’s a possible, but highly unlikely, scenario.

GW running as admin (and you don’t even have to run it as admin anyway!) isn’t exactly the glaring security hole you’re trying to making it look like. Sure, it’s a good idea to not run it (or anything else you don’t absolutely have to) as admin. But the likelihood of the game actually being a point of attack on your PC is pretty low, and would almost certainly need some previous (and much more severe) security breaches to even be viable. Basically, if you already have a malware infestation or someone has managed to remotely connect to your PC, you have much bigger security problems to worry about than GW’s permissions.

TheRandomGuy.7246:

Djinn.9245:

Silicato.4603:

I personally dislike how from anet, both MO and Gaile try to put the hacker as the only one “bad”. He/She is not the only one…

Yes, the hacker is the only “bad” person. If I accidentally leave my door unlocked, I am not “allowing” someone to break into my house. If someone takes advantage of my door being unlocked and steals my stuff, they are not justified. No matter how hard or easy it is, accessing someone else’s stuff without their permission is wrong.

In this case not only you left your door unlocked, but you also did it for months if not years. Robber even warned you multiple times that this is a bad idea.

Guess what? People used to leave their doors open all the time. People used to leave their keys in their cars because it was easier. The only reason people don’t do that anymore is because of criminals. So the only bad people are the criminals, not anyone who makes a mistake in security. Making a mistake is human – anyone who tells me they have never made a mistake in their job is a liar.

Elyssandariel.2679:

I wouldn’t say that the hacker is “bad” or that the CS person is “bad” either. According to the social engineer hacker on Redditt

You are wrong – anyone who breaks into someone else’s account without their permission, no matter the reason, is a criminal. And why would you believe the words of a criminal?

Uhhh……my opinion can’t be “wrong.” It’s an opinion I could say your opinion is wrong, just the same way, if opinions could be wrong. But they can’t.

Elyssandariel.2679:

Uhhh……my opinion can’t be “wrong.” It’s an opinion I could say your opinion is wrong, just the same way, if opinions could be wrong. But they can’t.

Incorrect. Just because someone has an opinion doesn’t give that opinion special protected status.

If your opinion is something like, “vanilla ice cream is better than chocolate” where it’s subjective then it’s neither correct nor incorrect. However an opinion where part or all of the opinion is based on false facts will mean the opinion is also false.

A hacker is bad because he broke the law. He deliberately hurt another person by handing out items special to her to strangers, which she may never get back. The CS person might have made errors, but that’s not the same as breaking a law. Therefore the hacker is bad and the CS person is not.

Not going to argue about whether or not opinions are right or wrong. This is stupid. What matter is ANET wakes up and gets better security. It’s a shame this had to happen for it to come to light how lax their security is.

Years ago my GW1 account was hacked. It must’ve been 2011. I’d been playing the game for 6-7 years. It was my favourite game in the world but the hacker sold off my 50+ sets of elite armour on my account including some FoW sets and yes I was rather proud of my collection.

I got my account back but it was ransacked and the loss was so great that I haven’t had the heart since then to start over. It was too devastating and you guys were unable and/or unwilling to help me.

I have to wonder now if Gaile will get all her items back like I didn’t.

Honestly, I didn’t like GW2 much when it came out but it’s a lot better now in my view than it was back at the start, but also now that I play this game, I play it more casually because I do not trust your security but mostly, I do not trust you to help me appropriately. That trust was never restored, it wasn’t even attempted from your side.

With all the games I’ve played in the last 20 years or so, this was the only game where I got hacked. That could be just bad luck or coincidence. But it was also a situation where Anet were just not there to help out and that was the worst of the experience.

Even today, it’s still a bad memory that lingers. This occurrence really brings it back again and on the one hand it really makes me feel for Gaile because I’ve been there but at the same time I can’t help but think that you as Anet probably will give her her stuff back where you never wanted to do that for me.

It’s a shame but this really just reminded me on how poorly I was treated as a customer of many years by Anet and how I should remind myself not to get too invested in GW2 because if it goes wrong I still have little faith Anet will really support me as a customer.

Elyssandariel.2679:

Uhhh……my opinion can’t be “wrong.” It’s an opinion I could say your opinion is wrong, just the same way, if opinions could be wrong. But they can’t.

Actually, you can have an “opinion” that someone who steals another person’s car is not a criminal, but that opinion would be wrong. So yes, an opinion can be wrong. Of course you are still entitled to your opinion, even if it is wrong.

Just a flesh wound.3589:

Elyssandariel.2679:

Uhhh……my opinion can’t be “wrong.” It’s an opinion I could say your opinion is wrong, just the same way, if opinions could be wrong. But they can’t.

Incorrect. Just because someone has an opinion doesn’t give that opinion special protected status.

If your opinion is something like, “vanilla ice cream is better than chocolate” where it’s subjective then it’s neither correct nor incorrect. However an opinion where part or all of the opinion is based on false facts will mean the opinion is also false.

A hacker is bad because he broke the law. He deliberately hurt another person by handing out items special to her to strangers, which she may never get back. The CS person might have made errors, but that’s not the same as breaking a law. Therefore the hacker is bad and the CS person is not.

It’s not as clear cut as that. It’s true that we need these security measures because of criminals and hackers who are breaking laws, but that does not exonerate those who enable that crime through their own mistakes or negligence. For instance, in some jurisdictions it is illegal to leave a vehicle unattended with the key in the ignition, or even just having the doors unlocked. Having your car stolen can actually result in you being punished for failing to secure the vehicle, in addition to the charges brought against the thief.

In the case of Gaile’s account, the negligence by the CS rep is fairly astounding. Not only were set policies not followed, but the account owner should have been known by the rep. And even if this rep didn’t recognize her name, Gaile’s email was an @arena.net address. The personal info sent as verification was not the same as the information attached to the account. Yet, despite the multiple obvious warning signs, this rep went ahead and handed over the account without any contact with Gaile or anyone else at Anet to confirm the request was legit.

If I was that rep’s boss, they’d have been fired or put into a position where they had no chance of ever making a decision concerning security/access to a user’s account. The degree of negligence is truly amazing.

Gehenna.3625:

Years ago my GW1 account was hacked. It must’ve been 2011. I’d been playing the game for 6-7 years. It was my favourite game in the world but the hacker sold off my 50+ sets of elite armour on my account including some FoW sets and yes I was rather proud of my collection.

I got my account back but it was ransacked and the loss was so great that I haven’t had the heart since then to start over. It was too devastating and you guys were unable and/or unwilling to help me.

I have to wonder now if Gaile will get all her items back like I didn’t.

Honestly, I didn’t like GW2 much when it came out but it’s a lot better now in my view than it was back at the start, but also now that I play this game, I play it more casually because I do not trust your security but mostly, I do not trust you to help me appropriately. That trust was never restored, it wasn’t even attempted from your side.

With all the games I’ve played in the last 20 years or so, this was the only game where I got hacked. That could be just bad luck or coincidence. But it was also a situation where Anet were just not there to help out and that was the worst of the experience.

Even today, it’s still a bad memory that lingers. This occurrence really brings it back again and on the one hand it really makes me feel for Gaile because I’ve been there but at the same time I can’t help but think that you as Anet probably will give her her stuff back where you never wanted to do that for me.

It’s a shame but this really just reminded me on how poorly I was treated as a customer of many years by Anet and how I should remind myself not to get too invested in GW2 because if it goes wrong I still have little faith Anet will really support me as a customer.

I have heard many storied like this and it does affect my view on playing GW2 also. I have been considering buying more gems but this is one reason why I am having trouble making that decision. Why spend real money on a game when things like this can happen?

One thing I want to know is why Anet refused to replace items when stuff like this happened. I also heard a story of a player that was banned for trying to get his own account back.

Djinn.9245:

Gehenna.3625:

Years ago my GW1 account was hacked. It must’ve been 2011. I’d been playing the game for 6-7 years. It was my favourite game in the world but the hacker sold off my 50+ sets of elite armour on my account including some FoW sets and yes I was rather proud of my collection.

I got my account back but it was ransacked and the loss was so great that I haven’t had the heart since then to start over. It was too devastating and you guys were unable and/or unwilling to help me.

I have to wonder now if Gaile will get all her items back like I didn’t.

Honestly, I didn’t like GW2 much when it came out but it’s a lot better now in my view than it was back at the start, but also now that I play this game, I play it more casually because I do not trust your security but mostly, I do not trust you to help me appropriately. That trust was never restored, it wasn’t even attempted from your side.

With all the games I’ve played in the last 20 years or so, this was the only game where I got hacked. That could be just bad luck or coincidence. But it was also a situation where Anet were just not there to help out and that was the worst of the experience.

Even today, it’s still a bad memory that lingers. This occurrence really brings it back again and on the one hand it really makes me feel for Gaile because I’ve been there but at the same time I can’t help but think that you as Anet probably will give her her stuff back where you never wanted to do that for me.

It’s a shame but this really just reminded me on how poorly I was treated as a customer of many years by Anet and how I should remind myself not to get too invested in GW2 because if it goes wrong I still have little faith Anet will really support me as a customer.

I have heard many storied like this and it does affect my view on playing GW2 also. I have been considering buying more gems but this is one reason why I am having trouble making that decision. Why spend real money on a game when things like this can happen?

One thing I want to know is why Anet refused to replace items when stuff like this happened. I also heard a story of a player that was banned for trying to get his own account back.

Guild Wars had an account recovery/rollback option added in late 2011, which is a feature that carried over to GW2. They can restore your account back to one of its recent snapshotted states. It will likely result in some progress loss, as the rollback will revert to some time shortly before the account was lost. But it’s still much better to lose a few days/weeks, than to lose everything you have earned.

mrstealth.6701:

Djinn.9245:

I have heard many storied like this and it does affect my view on playing GW2 also. I have been considering buying more gems but this is one reason why I am having trouble making that decision. Why spend real money on a game when things like this can happen?

One thing I want to know is why Anet refused to replace items when stuff like this happened. I also heard a story of a player that was banned for trying to get his own account back.

Guild Wars had an account recovery/rollback option added in late 2011, which is a feature that carried over to GW2. They can restore your account back to one of its recent snapshotted states. It will likely result in some progress loss, as the rollback will revert to some time shortly before the account was lost. But it’s still much better to lose a few days/weeks, than to lose everything you have earned.

I wouldn’t want my entire account rolled-back because someone else stole my account. That’s a terrible idea unless they can roll it back to exactly the time the account was stolen (i.e. I don’t lose anything). If they have a snapshot of my account, they should replace anything I lost, not force me to lose EVEN MORE!

Djinn.9245:

mrstealth.6701:

Djinn.9245:

I have heard many storied like this and it does affect my view on playing GW2 also. I have been considering buying more gems but this is one reason why I am having trouble making that decision. Why spend real money on a game when things like this can happen?

One thing I want to know is why Anet refused to replace items when stuff like this happened. I also heard a story of a player that was banned for trying to get his own account back.

Guild Wars had an account recovery/rollback option added in late 2011, which is a feature that carried over to GW2. They can restore your account back to one of its recent snapshotted states. It will likely result in some progress loss, as the rollback will revert to some time shortly before the account was lost. But it’s still much better to lose a few days/weeks, than to lose everything you have earned.

I wouldn’t want my entire account rolled-back because someone else stole my account. That’s a terrible idea unless they can roll it back to exactly the time the account was stolen (i.e. I don’t lose anything). If they have a snapshot of my account, they should replace anything I lost, not force me to lose EVEN MORE!

You’re not losing more, you’re recovering all but the most recent earnings. The rollback is to a point before the account was stolen and items lost. The only loss would be things earned between the time the last snapshot was taken and when the account was lost.

example
I have 1000g
Account snapshot is taken
I get a rare weapon drop and sell it for 200g
I have 1200g now
My account is stolen, with all items/character lost
I recover the account and have it rolled back to the last snapshot
I have all 1000g (and all other characters/items at the time the snapshot was taken)

It’s not the ideal system, but it allows for an almost complete recovery without being an unreasonable technical burden. Maintaining near-live snapshots would be better, but it would also be a massive drain on server resources and data storage space.

Guild Wars 2 has an Account Restoration Tool, as well as a new tool for restoring deleted characters.

Guild Wars has no AR tool, at this time.

mrstealth.6701:

Guild Wars had an account recovery/rollback option added in late 2011, which is a feature that carried over to GW2. They can restore your account back to one of its recent snapshotted states. It will likely result in some progress loss, as the rollback will revert to some time shortly before the account was lost. But it’s still much better to lose a few days/weeks, than to lose everything you have earned.

They did say something about that not long after my account got hacked. I do remember they said they were gonna look into that. Of course it wouldn’t be retroactively applied so I didn’t follow it anymore.

Seems like it was implemented then. I also seem to remember that they would only allow you to get a rollback only once or twice per account. Was that part of the implementation? I would be interested to know how this was implemented.

Also, I hope nobody has had to use it, but if so I would like to know what their experience was with Anet at that moment.

Many players have had account restorations. You can look up (Google) the threads over in the Account Support sub-forum. Most that responded seemed to do so favorably.

Good luck.

mrstealth.6701:

Djinn.9245:

mrstealth.6701:

Djinn.9245:

I have heard many storied like this and it does affect my view on playing GW2 also. I have been considering buying more gems but this is one reason why I am having trouble making that decision. Why spend real money on a game when things like this can happen?

One thing I want to know is why Anet refused to replace items when stuff like this happened. I also heard a story of a player that was banned for trying to get his own account back.

Guild Wars had an account recovery/rollback option added in late 2011, which is a feature that carried over to GW2. They can restore your account back to one of its recent snapshotted states. It will likely result in some progress loss, as the rollback will revert to some time shortly before the account was lost. But it’s still much better to lose a few days/weeks, than to lose everything you have earned.

I wouldn’t want my entire account rolled-back because someone else stole my account. That’s a terrible idea unless they can roll it back to exactly the time the account was stolen (i.e. I don’t lose anything). If they have a snapshot of my account, they should replace anything I lost, not force me to lose EVEN MORE!

You’re not losing more, you’re recovering all but the most recent earnings.

If they have a snapshot of my account, they can look at it and give me back anything that is missing. Or they can rollback my account to some time before my account was hacked which causes me to lose anything between that time and when my account was hacked. The first option returns more. So yes, a rollback would cause me to lose more than just returning what was lost.

Djinn.9245:

mrstealth.6701:

Djinn.9245:

mrstealth.6701:

Djinn.9245:

I have heard many storied like this and it does affect my view on playing GW2 also. I have been considering buying more gems but this is one reason why I am having trouble making that decision. Why spend real money on a game when things like this can happen?

One thing I want to know is why Anet refused to replace items when stuff like this happened. I also heard a story of a player that was banned for trying to get his own account back.

Guild Wars had an account recovery/rollback option added in late 2011, which is a feature that carried over to GW2. They can restore your account back to one of its recent snapshotted states. It will likely result in some progress loss, as the rollback will revert to some time shortly before the account was lost. But it’s still much better to lose a few days/weeks, than to lose everything you have earned.

I wouldn’t want my entire account rolled-back because someone else stole my account. That’s a terrible idea unless they can roll it back to exactly the time the account was stolen (i.e. I don’t lose anything). If they have a snapshot of my account, they should replace anything I lost, not force me to lose EVEN MORE!

You’re not losing more, you’re recovering all but the most recent earnings.

If they have a snapshot of my account, they can look at it and give me back anything that is missing. Or they can rollback my account to some time before my account was hacked which causes me to lose anything between that time and when my account was hacked. The first option returns more. So yes, a rollback would cause me to lose more than just returning what was lost.

They would have no record of what you had gotten after the most recent snapshot. Typically, stolen accounts are fully cleaned out and often have the characters themselves deleted. Without the rollback, you would be left with nothing at all.

In an unusual case, where some recently acquired items were left intact by the hacker, you would be losing some things. That, however, is not what typically happens with compromised accounts. You would have to choose between keeping what the hacker left, or doing a rollback. The option you’re asking for isn’t possible because they (I believe intentionally) have no tools with the ability to give items to you. A rollback is the only option available to recover anything that was lost.

Djinn.9245:

If they have a snapshot of my account, they can look at it and give me back anything that is missing. Or they can rollback my account to some time before my account was hacked which causes me to lose anything between that time and when my account was hacked. The first option returns more. So yes, a rollback would cause me to lose more than just returning what was lost.

You’re talking about the same thing. They can “roll back” the account to the most recent snapshot (not the last time you logged in, it doesn’t work like that) upon request, with specific requirements. They may have changed the policy recently (and appear to have developed new restoration tools) but for most of GW2’s lifetime they refused rollbacks for accidental deletions or if your account was accessed by someone else using your computer (the “my brother did it” defense). If your account was accessed by someone from a different IP address they could offer a rollback to the most recent snapshot.

I don’t know how often they save these snapshots but if your account was hacked today (August 6) the most recent snapshot may be from June 6, meaning you will lose everything you did in the last two months but regain whatever you had in June. That is usually a better option than being left with one toon standing there in his underwear.

Lorenna.2130:

I’m sorry I’m really not trying to be awkward, but I am actually concerned about the security of my account and my personal information linked including credit cards and home addresses.

Never, ever, ever give out your personal information to some game company!

Inculpatus cedo.9234:

Guild Wars 2 has an Account Restoration Tool, as well as a new tool for restoring deleted characters.

Guild Wars has no AR tool, at this time.

Hmm that contradicts what the other guy said about GW1. So if GW1 doesn’t have it, I still do wonder if they’re going to make an exception for Gaile or if she’s just as stuffed as I am in GW1.

Glad to hear that GW2 does have better options. Although I have to admit that collecting armour sets was really a big thing in GW1 and in GW2 not so much. Other than legendary weapons, which I’m not really that interested in, there isn’t much to worry about. Still, it’s better to have an AR tool than not because people still put in hours and hours of effort in a game like this.

Gehenna.3625:

Inculpatus cedo.9234:

Guild Wars 2 has an Account Restoration Tool, as well as a new tool for restoring deleted characters.

Guild Wars has no AR tool, at this time.

Hmm that contradicts what the other guy said about GW1. So if GW1 doesn’t have it, I still do wonder if they’re going to make an exception for Gaile or if she’s just as stuffed as I am in GW1.

GW1 had a rollback option added in 2011, a bit under a year before GW2’s launch. I’ve seen nothing official concerning it either way (I’ve not followed GW1 much at all since GW2), but there’s been a couple mentions in this topic of post-GW2 changes breaking that tool. It makes sense, considering GW1 is no longer running on its original hardware, and has been sharing GW2’s servers since sometime around its launch.

GW2 didn’t even get it’s account restoration tool added until a few months into the game, no second level security either during that time. The accounts that got hacked during that time were SoL, including one of my friends who lost a lot of the first set of halloween skins.

Here’s the information (Unfortunately, the original links have a redirect to GW2 Knowledge Base now):

Restoring a compromised account

Since mid 2012, the Guild Wars Account Restoration Tool is no longer functional, so account restoration is unavailable. “At first we believed that the tool could be repaired, but at this point we know that it would require a programmer to completely rebuild it from the ground up and that it would take many weeks of programmer time. At this point, we do not have plans to rebuild the tool”.

When the Guild Wars Account Restoration Tool was functional, if your account got compromised (i.e. hacked), it could have sometimes been restored by ArenaNet under the following conditions:¹

The hack must have taken place on or after 1 October 2011.
You must have been able to verify ownership.
The hack could not have involved a third-party tool that you used.
Only the account could be restored and only to a specific point in time prior to the hack, e.g. you could not restore only a specific character or item(s).

https://wiki.guildwars.com/wiki/Account#Restoring_a_compromised_account