Account Security - What you need to know!

in Account & Technical Support

Posted by: Chris Cleary
Game Security Lead

How Hackers Steal Accounts

Most of the security advice we’ve all seen through the years has focused on how to choose a strong password. You might therefore think that the primary way hackers break into accounts is by preying on accounts with weak passwords, perhaps scanning every word in the dictionary looking for matches. That’s rarely the case.

The basic truth is this: hackers steal game accounts because they already know the account name and password. They know them because they stole them (via security breaches or spyware) from another game or site where the person used the same account name and password.

So unfortunately, if the lesson you’ve learned from security advice through the years is to pick a single complicated password, memorize it, and then use it everywhere, that’s exactly the wrong lesson for today’s security environment. To keep accounts on different sites secure in today’s environment, you need to use a unique password for each account.

We have some ability at ArenaNet to watch hacking attempts live, and it tells a fascinating story. We watch as hackers use tens of thousands of different IP addresses to scan through millions of attempted account names and passwords, almost all of which are for accounts that don’t even exist in our database, looking for matches. They’re not guessing or brute-forcing passwords; they’re trying a very specific account name and password for each attempt. For example, account name “joe.user@example.com”, password “alligator101”. If they don’t get a match immediately, they may try a variant like “alligator100” or “alligator102”, then they quickly move on to the next entry on their list. And it’s interesting to see that the passwords on these lists are mostly quite good passwords. For every one account on the hackers’ lists with a password like “twilight” (real example), there are dozens of accounts with good strong passwords. So the world at large clearly knows how to pick good passwords; the reason people are still getting hacked is because they use the same passwords on multiple sites.

The security environment has certainly changed. We didn’t see hackers testing these vast lists of stolen account names and passwords when we launched the first Guild Wars. But in recent years, a truly staggering number of game companies and web sites have had their account databases breached. These reports of security breaches — 77 million accounts, 25 million accounts, 24 million accounts, untold millions more — may seem abstract, too big to be real, but they’re obviously not. The information stolen from database breaches is worth a lot of money to hackers, who can take the stolen account credentials and use them to attack each new game that’s released.

So if it ever seemed safe to memorize one strong password and then use it for multiple accounts, it certainly isn’t safe anymore. Today it’s critically important to use a unique password for each account you care about and want to keep.

Professor of Bearbow Math @ Tyria State // @Shazbawt // “The Crippler”

(edited by Chris Cleary.8017)
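The pattern described in the post above, a long list of specific account-name/password pairs tried once or twice each from many IP addresses, mostly against names that are not in the account database, looks quite different in an authentication log from a dictionary attack that hammers one account. The following is an added example, not ArenaNet code: the log layout (timestamp, source IP, account name, whether the account exists, a short fingerprint of the tried password) and the thresholds are assumptions chosen for illustration, and the sample log lines are constructed.

```python
"""Tell credential stuffing from single-account brute force in a login-failure log.

Added example, not ArenaNet code. The log layout (timestamp, source IP, account
name, whether the account exists, a short fingerprint of the tried password)
and the thresholds are assumptions chosen for illustration.
"""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class Attempt:
    ts: str
    ip: str
    account: str
    exists: bool
    pw_fp: str  # fingerprint of the tried password; never log the password itself


def parse(log: str) -> list[Attempt]:
    """Parse whitespace-separated failure records (format is an assumption)."""
    attempts = []
    for line in log.strip().splitlines():
        ts, ip, account, exists, fp = line.split()
        attempts.append(Attempt(ts, ip, account, exists == "yes", fp))
    return attempts


# Constructed sample: a stuffing run, one or two tries per name, many IPs,
# most names unknown to the account database.
STUFFING_LOG = """\
2013-03-01T10:00:01Z 203.0.113.10 joe.user@example.com no 4f1a
2013-03-01T10:00:02Z 203.0.113.10 joe.user@example.com no 9c02
2013-03-01T10:00:03Z 198.51.100.7 ann@example.net no 77e1
2013-03-01T10:00:03Z 198.51.100.8 bob@example.org yes b3d0
2013-03-01T10:00:04Z 192.0.2.44 carol@example.com no 51aa
2013-03-01T10:00:05Z 192.0.2.45 dave@example.com no 0e9f
2013-03-01T10:00:05Z 203.0.113.99 erin@example.net no 8a8a
2013-03-01T10:00:06Z 198.51.100.70 frank@example.org no c1c1
"""

# Constructed sample: a dictionary attack, thirty different passwords against
# one real account from one IP.
BRUTE_LOG = "\n".join(
    f"2013-03-01T11:00:{i:02d}Z 203.0.113.50 bob@example.org yes {i:04x}"
    for i in range(30)
)


def classify(attempts: list[Attempt], *, nonexistent_ratio: float = 0.5,
             max_mean_per_account: float = 3.0, min_ips: int = 3,
             brute_min_tries: int = 20) -> dict:
    """Label a window of failures. Thresholds are illustrative assumptions."""
    per_account = Counter(a.account for a in attempts)
    fps_per_account: dict[str, set[str]] = defaultdict(set)
    for a in attempts:
        fps_per_account[a.account].add(a.pw_fp)

    nonexistent = sum(not a.exists for a in attempts) / len(attempts)
    distinct_ips = len({a.ip for a in attempts})
    mean_per_account = len(attempts) / len(per_account)
    top_account, top_tries = per_account.most_common(1)[0]

    if top_tries >= brute_min_tries and len(fps_per_account[top_account]) >= brute_min_tries:
        label = "brute_force"          # many different passwords, one target
    elif (nonexistent >= nonexistent_ratio and mean_per_account <= max_mean_per_account
          and distinct_ips >= min_ips):
        label = "credential_stuffing"  # one known pair per name, names mostly not ours
    else:
        label = "normal"

    return {
        "label": label,
        "attempts": len(attempts),
        "accounts": len(per_account),
        "distinct_ips": distinct_ips,
        "nonexistent_share": round(nonexistent, 3),
        "mean_tries_per_account": round(mean_per_account, 2),
        "top_account": top_account,
        "top_account_tries": top_tries,
    }


if __name__ == "__main__":
    for name, log in (("stuffing", STUFFING_LOG), ("brute", BRUTE_LOG)):
        print(name, classify(parse(log)))
```

The share of attempts against names that do not exist is the most useful single signal: a legitimate user or a brute-forcer targets an account that is there, while a stolen list from another site is mostly names the game has never seen. Per-IP rate limiting does little against the stuffing case, since each address contributes only a handful of attempts.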

Posted by: Chris Cleary

Email Authentication

We have a feature in place, email authentication, that’s designed to help keep your account secure even if a hacker does know your account name and password.

Here’s how it works. When you first login, we ask you to validate your email address. After that, whenever you attempt to login from a new location, we send email asking you to approve or deny the login attempt.

So keep in mind, if you ever see an unexpected email asking you to validate a login attempt from a location where you’re not playing from, that means a hacker already knows your account name and password! The only thing that’s keeping him from logging in as you is the email authentication system! Change your password immediately.

Unfortunately, even with this system in place, people still get their accounts hacked. Here’s how:

First, about a third of players haven’t verified their email address yet. We can’t require email authentication for players with unverified email addresses.

Second, in many cases hackers have stolen credentials for the player’s email account too, and thus can access the authentication email message and approve their own login attempt. In particular this happens because people use the same password for their email account as they do for their Guild Wars 2 account and other accounts.

So, to be protected, be sure to verify your email address, and be sure to use a different password for your email account than you use for your game account.

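A login gate of the kind the post above describes: a login from an address range the account has not used before is held until a one-time token mailed to the account's address is presented, and whoever can read that mailbox can approve it, which is exactly why the mailbox must not share the game password. This is an added example, not ArenaNet code. It assumes the password has already been verified before the gate runs, that a "location" is the /24 (IPv4) or /48 (IPv6) containing the source address, and that tokens expire after fifteen minutes; all of those are assumptions.

```python
"""New-location login gate with mailed one-time approval tokens.

Added example, not ArenaNet code. Assumptions: the password check has already
passed; a "location" is the /24 (IPv4) or /48 (IPv6) of the source address;
tokens live fifteen minutes. Mail is modelled by an outbox list.
"""
from __future__ import annotations

import ipaddress
import secrets


class EmailAuthGate:
    def __init__(self, token_ttl: int = 15 * 60):
        self.known: dict[str, set[str]] = {}                   # account -> approved locations
        self.pending: dict[str, tuple[str, str, int]] = {}     # token -> (account, location, expiry)
        self.outbox: list[tuple[str, str]] = []                # (address, message); a real gate sends mail
        self.ttl = token_ttl

    @staticmethod
    def location_key(ip: str) -> str:
        """Collapse an address to a network so a DHCP change does not re-challenge."""
        addr = ipaddress.ip_address(ip)
        prefix = 24 if addr.version == 4 else 48
        return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

    def login(self, account: str, ip: str, now: int, email: str) -> str:
        """Called after the password check succeeded. Returns 'ok' or 'pending'."""
        loc = self.location_key(ip)
        if loc in self.known.get(account, set()):
            return "ok"
        token = secrets.token_urlsafe(32)                      # unguessable, single use
        self.pending[token] = (account, loc, now + self.ttl)
        self.outbox.append((email, f"Approve login to {account} from {loc}? token={token}"))
        return "pending"

    def approve(self, token: str, now: int) -> bool:
        """Consume a token. Anyone who can read the mailbox can call this, so a
        mailbox that shares the game password gives the attacker both halves."""
        entry = self.pending.pop(token, None)                  # pop: a token works at most once
        if entry is None:
            return False
        account, loc, expires_at = entry
        if now > expires_at:
            return False
        self.known.setdefault(account, set()).add(loc)
        return True

    def deny(self, token: str) -> bool:
        """Owner rejects the attempt; the location is never approved."""
        return self.pending.pop(token, None) is not None


if __name__ == "__main__":
    gate = EmailAuthGate()
    print(gate.login("joe.user@example.com", "203.0.113.10", 1000, "joe.user@example.com"))
    print(gate.outbox[-1][1])
```

An unexpected message in the outbox is, as the post says, proof that someone holds the password: the gate only challenges once the password has matched.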

Posted by: Chris Cleary

Two-Factor Authentication

With email authentication in place, you can further protect your account by setting up two-factor authentication on your email account. Which, honestly, is a good idea anyway. Using email authentication this way protects your account in a very similar way to typical game implementations of two-factor authentication: the game will challenge any login attempt from a new location in a way that you’ll have to use two-factor authentication to approve.

We know customers also want a native implementation of two-factor authentication, and we want it too. This is an area where we should act faster as a company, and we’re going to. We had our own homegrown implementation of a smartphone two-factor authenticator in testing, but we’re going to pull it back and instead integrate Guild Wars 2 with Google Authenticator, which already has robust authenticator implementations on most major smartphone platforms. This feature is already rolled out and ready to be used.

You can find all these options under My Account > Security or by visiting https://account.guildwars2.com/account/security

Two-factor authentication is a great tool for security-conscious customers to protect their accounts. But we know it will take time to get a significant portion of our customer base to adopt two-factor authentication, and in the meantime people are getting hacked every day by creating accounts with account names and passwords that hackers already know. So we need a solution that can protect everyone, not just the most security-conscious, and do it quickly. Thus we’re rolling out our next initiative, password blacklisting.


Posted by: Chris Cleary

Password Blacklisting

Since we’ve been observing hackers constantly scanning accounts that don’t even exist yet, waiting for someone to create those accounts, we obviously want to make sure that if those new customers do join the game, they don’t use the password that the hackers are waiting for. Thus we’re building a blacklist of all the passwords that hackers are scanning for — it’s already at 20 million passwords and growing — and we’re preventing new customers from choosing any of those passwords. (The blacklist contains passwords only, not account names.)

This system has substantially eliminated hackers’ ability to steal new accounts, as all new accounts now cannot possibly match what the hackers have been scanning for. The rate of account hacking was about 1.5% for accounts created before this blacklist was in place, and is about 0.1% for accounts created after.

Because this has been so successful at protecting new accounts, we want to extend it to protect existing accounts too. But it’s harder for us to know whether passwords of existing accounts are known to hackers: it’s difficult to distinguish between a login attempt by the real customer and a login attempt by a hacker.

When you change your password, the system won’t allow you to pick your previous password, or any password that we’ve seen tested against any existing or non-existent account. Thus, after changing your password, you’ll be confident that your new password is unique within Guild Wars 2. (However, your password only stays unique if you then don’t use it for other games and web sites, so please don’t!)

By the way, if you have trouble thinking of a new unique password, now that millions of possible passwords are blacklisted, we advise you to build a password out of four random words, as shown in this comic strip. Use a password like “correct horse battery staple”. As the comic strip calculates, even if everyone selects their words from the same 2,000 most common words, that’s still 16 trillion possible passwords.

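The two rules the post above describes, rejecting any password that has been tried against any account and rejecting the account's own previous password, together with the four-random-word passphrase it recommends, as an added example that is not ArenaNet code. It assumes the blacklist keeps SHA-256 digests of every password seen in a login attempt rather than the passwords themselves, that the user's stored password is salted PBKDF2, an 8-character minimum, and a constructed fragment of a word list; the 2,000-word figure in the entropy calculation is the comic strip's.

```python
"""Password blacklisting, previous-password rejection and passphrase generation.

Added example, not ArenaNet code. The blacklist holds SHA-256 digests of every
password seen in a login attempt; the stored user password uses salted PBKDF2;
the word list is a constructed fragment; the 8-character minimum is an
assumption.
"""
from __future__ import annotations

import hashlib
import math
import os
import secrets


def _digest(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()


def hash_password(password: str, salt: bytes | None = None) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the stored form is salt || dk."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt + dk


def password_matches(password: str, stored: bytes) -> bool:
    salt, dk = stored[:16], stored[16:]
    return secrets.compare_digest(hash_password(password, salt)[16:], dk)


class PasswordPolicy:
    def __init__(self, observed: list[str] = ()):
        self._blacklist: set[bytes] = {_digest(p) for p in observed}

    def record_attempt(self, password: str) -> None:
        """Every password tried at login, hit or miss, joins the blacklist."""
        self._blacklist.add(_digest(password))

    def check_new(self, new_password: str, current_stored: bytes,
                  min_length: int = 8) -> tuple[bool, str]:
        """Accept a new password only if it is long enough, differs from the
        current one, and has never been seen in a login attempt."""
        if len(new_password) < min_length:
            return False, "too_short"
        if password_matches(new_password, current_stored):
            return False, "same_as_current"
        if _digest(new_password) in self._blacklist:
            return False, "blacklisted"
        return True, "ok"


# Constructed fragment of a common-word list; a real list would hold ~2,000 words.
WORDLIST = ["correct", "horse", "battery", "staple", "river", "candle", "orbit",
            "window", "pepper", "velvet", "marble", "tunnel", "copper", "meadow"]


def generate_passphrase(n_words: int = 4, words: list[str] = WORDLIST) -> str:
    """Pick words with the OS CSPRNG (secrets), never random.choice."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def passphrase_entropy_bits(n_words: int, list_size: int) -> float:
    """log2(list_size ** n_words): four words from 2,000 is about 43.9 bits,
    the 16 trillion possibilities the comic strip counts."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    policy = PasswordPolicy(["twilight", "alligator101", "alligator102"])
    stored = hash_password("oldsecret9")
    print(policy.check_new("twilight", stored))
    print(generate_passphrase(), passphrase_entropy_bits(4, 2000))
```

Blacklist membership is an exact-digest lookup, so the variants the hackers try ("alligator100", "alligator102") only get blocked once they have actually been seen at the login endpoint; that is what `record_attempt` on every failure is for.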

Posted by: Chris Cleary

Database Breaches

We’ve seen some players theorize that hacked accounts were due to a Guild Wars database breach. We have very strict blocks in place to keep network attacks from reaching our customer databases, and a team constantly monitoring for any signs of intrusion, and we’re confident that there has been no such breach.

We take security very seriously. Perhaps you can tell from this blog post. And of all the things we protect at ArenaNet, we protect our customers’ data most of all.

Companies like Blizzard and Valve presumably also had a commitment to security, yet they ultimately suffered breaches of their account databases. One day will we become such a target that a hack attempt will finally overwhelm our defenses?

If that ever were to happen, we’d be up-front with you about it, and we’d take immediate steps to ensure that it didn’t lead to widespread account hacking. And here’s something else to think about. Because we’re requiring all Guild Wars 2 players to use unique passwords for Guild Wars 2, there’s actually nothing a hacker can steal from Guild Wars 2 to help attack other games or web sites. Using unique passwords benefits you both ways. In general, making a commitment to use a unique password for each account you care about is the best way to protect yourself, not only from being hacked today, but also from being hacked as the result of any future security breach of any company you deal with.

Commerce Security

We’ve seen a very few cases where hackers purchased gems on accounts after hacking them. This is an uncommon type of attack because we do have in-game restrictions in place to prevent wealth from being transferred off an account in a case like this.

We’ve deployed new restrictions to prevent hackers from using stored credit cards on stolen accounts in this way, and we also now provide users the option to delete stored credit cards.

Of course, if any customer finds that a hacker has created unauthorized charges against his credit card, that player can contact our support team to get the charges refunded.


Posted by: Chris Cleary

Best Practices

Phishing – If an email links you to a site that asks you to type in your password, don’t type in your password. It could be a fake site. Go to the real account management site by typing “account.guildwars2.com”, or use a bookmark.

Social engineering – If someone claims to work for ArenaNet or NCsoft and asks you for your password, don’t tell them your password. Our customer support team doesn’t need your password.

Trojan horses and Spyware – Don’t download and run software, or open files attached to emails, from a source you aren’t 100% sure about. Malicious software can install a keylogger on your system to record your passwords and transmit them.

Email security – Keep the email address associated with your Guild Wars 2 account secure, just like you keep your Guild Wars 2 account itself secure. Use a strong, unique password there too, which you’ve never used anywhere else.

The Root Cause

Why do hackers work so hard to steal accounts? Because they make money from it.

Real-money trading companies want to sell you gold for cash. To do that, they have to collect the gold, and they have to advertise it. They collect gold by looting it off stolen accounts, and by using stolen accounts for botting. They advertise it by using stolen accounts for spamming.

If people wouldn’t buy gold from these real-money trading companies, the cash incentive to steal accounts would disappear. We’d see almost no account hacking, account looting, organized botting, or spamming ads.

We used to think wistfully about that with the original Guild Wars, and posted challenges to our players to stop supporting the real-money trading companies. But we knew that it was ultimately a lost cause. You can’t stop people from buying something they want to buy.

So with Guild Wars 2, we legitimatized buying gold, but did it in a way that puts the power in the hands of the players, not in the hands of the real-money trading companies. Players who want to buy gold can now do it in the game, in an open market with other players, trading gold for gems, which the receiving players can use to buy any microtransactions they want but can’t convert back to cash. As long as players purchase their gold this way, there isn’t a flow of cash back to the real-money trading companies, and thus there isn’t a profit incentive to hack accounts.

So the roots of our protection go deep into the design of Guild Wars 2, and we’ll leverage that design to keep Guild Wars 2 a safer environment than traditional MMOs.

But nothing is black-or-white. No matter how much we remove profit incentive, the fact remains that Guild Wars 2 is a popular game, and any popular game will attract hackers. So we keep security at the forefront of everything we do. We introduce new features, such as email authentication, two-factor authentication, and password blacklisting, to help keep accounts secure. We maintain an open dialog with our players about what the real threats are, so that players know how to protect themselves. And we have a team of GMs standing by to help those who do get hacked.


Posted by: Gaile Gray
ArenaNet Communications Manager

Although this post may duplicate some information shared above, I want to post it here because it contains vital information related to account compromise incidents and e-mail accounts:

Account and E-mail Compromise Incidents

We are finding that nearly every time a game account is compromised, the e-mail account is also compromised. Many times, hackers are clever enough to mask their access to the e-mail account, rendering that illicit access invisible to the user. That is, the legitimate e-mail account holder is not even aware that the e-mail account is being accessed by a hacker.

But although we often are told “My e-mail is secure” we also frequently note that the account hacker has deleted authentication authorization requests related to the hacking location, or has deleted e-mailed receipts. The hacker hides his access by removing auth e-mails and steals the serial code and/or order number and deletes it so the legitimate owner no longer can find that vital info.

You can see this yourself when you read forum threads and the player says, “I cannot locate my receipt e-mail” or “I must have deleted my receipt.” Actually, in most cases that statement points to the e-mail account having been hacked, with the various “proofs of ownership” now being solely in the hands of the hacker (after being deleted so the owner can’t get to them). And, sadly, you see this when someone states “The only authentication e-mails are my own access points” but one or more additional authorization requests were sent but were deleted by the hacker.

Basically, even if someone believes his/her e-mail is secure, a hacker very often is in the account and is intercepting mails or authorizing access to the stolen account.

Specific questions to ask if your GW2 account has been compromised:

  1. Do you have e-mail or mobile authentication? Great!
  2. Are you using or have you ever used your GW2 password anywhere else? That’s a recipe for disaster.
  3. Are you using a unique e-mail account for GW2 only? That’s a very good idea.
  4. Have you reset your e-mail password recently?
  5. Do you have authentication on your e-mail account, where it verifies access to your e-mail account through a mobile device or an alternate e-mail account?

We will help you with your compromised account but if you were hacked after installing e-mail authentication, the consensus is that someone has access to your GW2 account credentials and your e-mail account.

Gaile Gray
Communications Manager
Guild & Fansite Relations; In-Game Events
ArenaNet

(edited by Gaile Gray.6029)