(edited by wizgamer.7123)
ArenaNet on Bank Watchlist
I had the same response from Lloyds in London. They told me they’d been getting a lot of us cancelling our cards for the same reason as I did within a very short space of time. Had them a bit worried. Not sure if they’ve done anything about it though. Might just have been an observation.
I wonder if any of the reviewing sites have had their accounts compromised. That would look bad, but honestly, HONESTLY, these issues have nothing to do with the game, just the company itself (which appears to be incompetent for a release this large). I have heard the game itself is wonderful so hopefully they can fix this up and overhaul their security systems. I have been playing mmorpgs for 10 years now. Tons of AAA releases from Funcom, to Blizzard, to SOE, and never has my information been compromised like this. It’s frightening.
Has anyone had any luck getting a refund? Maybe if you get a refund, you can just rebuy the game?
I wonder if any of the reviewing sites have had their accounts compromised. That would look bad, but honestly, HONESTLY, these issues have nothing to do with the game, just the company itself (which appears to be incompetent for a release this large). I have heard the game itself is wonderful so hopefully they can fix this up and overhaul their security systems. I have been playing mmorpgs for 10 years now. Tons of AAA releases from Funcom, to Blizzard, to SOE, and never has my information been compromised like this. It’s frightening.
Your 10 years of experience means you probably built up a diverse online persona, which gives hackers different accounts to try.
And Battle.Net was recently hacked and I am willing to bet a lot of players are using their old emails from BNet.
Just because it happened to you this time doesn’t mean it didn’t happen to others when those other games launched either
Wrecking Krew [Krew] – Borlis Pass
I had an interesting conversation with my personal bank assistant. I wanted to flag NCsoft EU and PlayNC EU, because Im unable to unstore my CC details in the gem shop. With whats happening with accounts being stolen, I wanted to make sure I wouldnt get locked out of my account with the cc details still stored. I cant get in contact with Arenanet, because my support account isnt resetting my password, and the wait time would not be tolerable anyway. – When I spoke to him he told me Nordea had already been contacted by other customers, most regarding chargebacks from arenanet for the actual game.
I had to explain the difference between NCsoft and the gemshop and Arenanet, but he put both on watchlist, told me he would flag them to ensure no payment transactions would go through without contacting me first – which is possible because the sale date, and the charge dates are often 2-3 days apart – but if there is not a feature in the gem shop VERY VERY soon that enables me to remove the CC details, Im going to have to get my visa re-issued. Oh and also, we spoke about the fact that the gemshop also stores the CVV2 code, which isnt legal, and Visa actually straight out prohibits it. – He is looking into forwarding the information to higher ups. (because he also happens to be an mmo gamer and was getting more and more annoyed as I told him about the gemshop and how it was holding on to my information LOL)
If for any reason my account was stolen, and someone was able to purchase gems, then NCsoft wont able to get the money from my account, Im sure my account would never be returned to me. I would then make chargeback arrangements with my bank. It would not hurt my standings with them or make it harder for me to be reissued a visa in the future. Im a premium customer in my bank and I read elsewhere that an arenanet employee had discouraged people from doing chargebacks because it might hurt them in that fashion. – Well talk to your bank and see if thats has any bearing. Banks operate very differently in different countries.
Another forum said they get charged 20 dollars per charge back. I guess it’s different for every bank like you said.
No unauthorized purchases on my account, but this “feels” like fraud.
Another forum said they get charged 20 dollars per charge back. I guess it’s different for every bank like you said.
No unauthorized purchases on my account, but this “feels” like fraud.
And the abuse of chargebacks isn’t fraud? You all need to step back and look what you are doing because this is getting ridiculous.
And how many times are we going to hear about someone talking to their bankers and learning of ArenaNet being put on a watchlist.
You cannot scare them into helping you all. It won’t work and it’s just making a lot of you look immature
Wrecking Krew [Krew] – Borlis Pass
Branskins maybe you’re too young to understand how credit cards and chargebacks work. Chargebacks generally don’t have repercussions on the bank-end at all because they are often multiple accidental purchases or fraudulent access to the card. Once I went to the movies and they accidentally charged me twice. I couldn’t call them up for a refund, so I called my bank and got it cleared away. Getting a chargeback for an online purchase is common if the purchase was defective and you couldn’t get it properly refunded. There is nothing fraudulent about chargebacks. Ask your parents or read more about it: http://www.busams.com/guide/chargeback.htm
Also, for you military out there, USAA kicks money butt.
ALSO, more generally http://en.wikipedia.org/wiki/Chargeback
Two accepted reasons for chargebacks:
Quality: Consumer claims to have never received the goods as promised at the time of purchase.
Fraud: Consumer claims they did not authorize the purchase or identity theft.
Read more here: http://corporate.visa.com/about-visa/our-business/operating-regulations.shtml
(edited by wizgamer.7123)
Im unable to unstore my CC details in the gem shop.
… Oh and also, we spoke about the fact that the gemshop also stores the CVV2 code, which isnt legal, and Visa actually straight out prohibits it.
Interesting. Now I am concerned. I’ve already been through issues with someone stealing my CC info and using it (through a game my son had, but did not use). I purchased gems to get my extra three character slots. The gem store is getting errors in my game ATM. I want to check. If I’m ever ASKED if I want to leave my CC info on a site I say no. This never occurred to me.
If you did not click yes to save your card details, then they were not saved. In my case it wouldnt let my purchase go through without clicking yes, but I see other people have been able to click, and then unclick and still make purchases just fine.
The issue is that not only did it store your usual long line of digits, it also stored the 3 digit code on the back of your card. Its called the CVV2 code for visa cards, and visa prohibits merchants in trades where the card is not present, from storing these numbers. To add a little security for you the card holder.
When trying to unclick the card nothing happens, so atm, should a person gain access to my account, they could rack up as much money in gems as they wished – This annoys me ofcourse.
But if you never saved your details to begin with, you dont have to worry about this issue. And the gempshop did present you with an option to tick – save card – So if you dont remember doing this, your card is not saved. Hope this makes you feel more secure.
Branskins maybe you’re too young to understand how credit cards and chargebacks work. Chargebacks generally don’t have repercussions on the bank-end at all because they are often multiple accidental purchases or fraudulent access to the card. Once I went to the movies and they accidentally charged me twice. I couldn’t call them up for a refund, so I called my bank and got it cleared away. Getting a chargeback for an online purchase is common if the purchase was defective and you couldn’t get it properly refunded. There is nothing fraudulent about chargebacks. Ask your parents or read more about it: http://www.busams.com/guide/chargeback.htm
Also, for you military out there, USAA kicks money butt.
ALSO, more generally http://en.wikipedia.org/wiki/Chargeback
Two accepted reasons for chargebacks:
Quality: Consumer claims to have never received the goods as promised at the time of purchase.
Fraud: Consumer claims they did not authorize the purchase or identity theft.Read more here: http://corporate.visa.com/about-visa/our-business/operating-regulations.shtml
Your condescending tone is slightly annoying but I will look passed that. How about you read the EULA where they explain that a hacked account is your fault since it…is. This is unless they are covering up some leak which if true I would join your crusade.
Ok so ANet delivered the service to you, you used an account that was already leaked or easy to hack, and now you want to issue a chargeback because the goods weren’t delivered? They were and due to an error on YOUR end, you have to wait in a queue for help. This is ABUSE of the system. If I buy a car which is then stolen from me, I screw over the dealer who sold it to me assuming they had no involvement?
So tell me, where is this warranted? Being charged twice at a movie theatre makes sense obviously, but here this is YOUR mistake. Read your EULA.
I hope they fight these claims based on the principal
Wrecking Krew [Krew] – Borlis Pass
I think you two are muddling up two different issues.
1 is the account thefts, which Branskins has a point in saying is probably in most cases to do with peoples poor use of re-use of login and password details.
the other is what people can do if their accounts are taken over, and they had already stored their credit card details in the shop. It is reasonable to argue that NCsoft should provide an option to unstore details, just as every other game does, and all other NCsoft titles do – and infact they are working on implementing these changes. Untill they do however, people have to ask support to do this for them.
In the time between your account theft, and your discovery of this theft, real money can be taken through the gemshop from your account. You are entitled to ask for chargebacks in this case if you are a visa card holder. Because Visa prohibits the storing of the cvv2 code in online purchases. Because NCsoft has stored these digits along with the rest of the information,(and because the user is unable to remove that information themselves) they have brought themselves into a situation where someone who wouldnt have a case for a full game refund chargeback, now has a case for chargeback of any purchases made while the account was stolen.
What I have been trying to get amended is this small but detrimental security risk their system adds, and which has become a major risk in light of the recent breach of the database of a popular GW2 website.
I hope this clears it up a bit.
I do not not if other credit cards prohibits the storing of the cvv codes that Visa does, so I cant speculate on those situations.
Branskins maybe you’re too young to understand how credit cards and chargebacks work. Chargebacks generally don’t have repercussions on the bank-end at all because they are often multiple accidental purchases or fraudulent access to the card. Once I went to the movies and they accidentally charged me twice. I couldn’t call them up for a refund, so I called my bank and got it cleared away. Getting a chargeback for an online purchase is common if the purchase was defective and you couldn’t get it properly refunded. There is nothing fraudulent about chargebacks. Ask your parents or read more about it: http://www.busams.com/guide/chargeback.htm
Also, for you military out there, USAA kicks money butt.
ALSO, more generally http://en.wikipedia.org/wiki/Chargeback
Two accepted reasons for chargebacks:
Quality: Consumer claims to have never received the goods as promised at the time of purchase.
Fraud: Consumer claims they did not authorize the purchase or identity theft.Read more here: http://corporate.visa.com/about-visa/our-business/operating-regulations.shtml
Your condescending tone is slightly annoying but I will look passed that. How about you read the EULA where they explain that a hacked account is your fault since it…is. This is unless they are covering up some leak which if true I would join your crusade.
Ok so ANet delivered the service to you, you used an account that was already leaked or easy to hack, and now you want to issue a chargeback because the goods weren’t delivered? They were and due to an error on YOUR end, you have to wait in a queue for help. This is ABUSE of the system. If I buy a car which is then stolen from me, I screw over the dealer who sold it to me assuming they had no involvement?
So tell me, where is this warranted? Being charged twice at a movie theatre makes sense obviously, but here this is YOUR mistake. Read your EULA.
I hope they fight these claims based on the principal
You aren’t understanding the problem. The problem isn’t the hacked accounts. The problem is the credit card information we cannot remove. Our credit card information is liable to hackers. Read the posts where people are getting undesired charges from gem purchases. This is not OUR mistake. You don’t understand the problem at all.
(edited by wizgamer.7123)
There seems to be a lot of anger out and about here. The problems with hijackers are affecting a lot of people, and the forumers start to aggregate hate between each other and blame the easiest target, now we know it’s not easy to blame the real thief here, the ones who stole your accounts because… you don’t know who they are, so you blame the next best, the ones whom you rely on for the service.
Take this into perspective then: You buy an ebook from amazon, you enjoy reading this ebook, but one day your amazon account is compromised, and you are not the only one, suddenly millions of users are experiencing the same thing. Amazon is now dealing with support tickets way over their capacity, you can’t access your account so you can’t delete your cc info, and support takes “years”, so now you want a chargeback for not only the book you bought, but also for the kindle itself.
Now ANet has said they will implement the remove feature as soon as possible, currently you can request the information removed through support. Storing a CSC number is not illegal anywhere. Visa strongly discourages it, but they cannot enforce any law as to how their card is used by merchants. Just like the “verified by visa”-feature, the CSC is a feature. Just that it became a standard, many countries don’t use that feature or has just begun, like Japan. Here you can purchase with or without that code, it is not at all necessary to make a purchase.
Now, it’s not a good idea for a merchant to store the CSC info, but ANet chose to do so to make purchases more streamlined.
It is entirely on the user’s shoulder to take any formal action to stop fraud in the case of a compromised user account. You can read all about that here:
https://www.guildwars2.com/en/legal/guild-wars-2-user-agreement/
Extract from 4. (a)
“…You are responsible for any use and related liabilities with respect to any Account if you make the Account available to a third Party intentionally or negligently. It is Your responsibility to safeguard any access control mechanisms You may have related to an Account such as a password or PIN…”
I believe most of us has already “accepted” this EULA and therefore have to abide by it regarding this game.
So before making any uninformed claims about rights, please consult the EULA and the laws of your own country.
As for chargebacks these only hurt the merchant and is not a nice way of settling things just because the consumer is in a bit of a rage. The merchant will suffer from their bank and the bank from the card vendors, merchant with high chargeback frequency will suffer higher penalties.
Chargebacks were meant to be a last resort if you couldn’t get your money refunded, but has become somewhat a “friendly fraud”-thing for consumers.
If you want to settle this, send a ticket to ANet asking for a refund. I can’t seriously see how someone would want to hurt a merchant over $60. I guess some people like to sit on their high chairs and fight for a principle when the failure of following it hurt them. But hey, we are all easily bu**hurt these days right?!
EDIT: @Wizgamer. You can have your credit card information removed. Contact support, this was never an issue before the hijacks started. And even after you have been hijacked you wouldn’t be able to access your account to remove that information anyway. You better ask them to remove the CSC code from the stored info, as that is much more helpful.
(edited by Chobiko.9182)
At the end of the day Its your responsibility to be in control of your own details.. It clearly gives you the choice of saving your details or not saving them. its not arenanets fault that you have clicked the box that says save details...
I do agree however its nice if you have changed your mind to have the option to remove those details, or to have arenanet send a confirmation email for all purchases.. Ask them and it will come...
Tis not what they can do for you
Tis only what you can do for all
Tis only what you can do for all
You make a lot of good points but you are wrong about your csc data.
I feel I have already written enough so I found this for you http://en.wikipedia.org/wiki/Card_Security_Code#Security_benefits and encourage you to look at it. Specifically the parts about The Payment Card Industry Data Security Standard (PCI DSS) who prohibits the storage of CSC post transaction authorisation.
That bit is important because it is the nature of the one time purchase in a gemshop that distinguishes the gem shop from fx recurrent payment plans such as subscriptions where the authorisation is an ongoing contract. There are systems in place to allow these types of transactions which could otherwise not work as the merchant isnt allowed to store those 3 digits> hence the recurring payment options we have these days in many games.
Everything else you say I agree with, however the Eula does not override the laws concerning credit card security, and when those are not upheld by a merchant they are liable should any abuse occur, nomatter what the Eula says. They are changing the system, I am completely certain it was an overseight from the start, and I do not and have not once thought it was some malicious plot to stealz my datorz.
I would like to point out to anyone else, that it is ok for people to want to protect their credit card information, especially should they feel that circumstances have made them feel less secure aboutt their account safety. It is also ok for them to become upset and frustrated when they find themselves powerless to remove this sensitive data. It is even ok for them to question the process and push for it to be changed (which is will be at some point) – and it does not necessarily have ANYTHING to do with chargebacks – these issues are seperate.
People who have no access to their accounts may threaten with chargebacks of the full game for example but that has nothing to do with the underlaying issue of the csc being stored.
Others, would just like to see procedure changed for the benefit of EVERYONE, including Arenanet. – and because jezath is right in what she/he says in his opening line; it is our responsibility to protect our personal information, therefor it is certainly ok when we try to make sure that we are given the tools to do just that. It could easily read as though perhaps out of courtecy to a great developer of games you would rather we dont take control of our details and try as we might to rectify our mistakes when we identify them.
Ps. I do have a support ticket, mainly to see how long it would actually take for such an issue to be rectified without an automated system in place – and ofcourse because I would like to do what I can to rectify the mistake I made in storing the data in the first place. I will go stand in the corner now.
(edited by Sorry.6741)
Thanks Sorry. I realize I gave them my information, but it’s still important to check your card and see if there were charges made. Also, I said I’d prefer not getting a chargeback. I can’t even get one as I prepurchased the game in May.
@Sorry I see your Wiki reference and throw you this https://www.pcisecuritystandards.org/security_standards/why_comply.php
Please research before making statements. It is not required by law, but encouraged.
To make this issue more clear.
I have no idea whether or not ArenaNet under NCSoft is regarded as compliant with the PCI DSS and approved as such or not. However, when it says compliance requires something, this doesn’t mean it’s applicable by law. As I said, CSC is just a feature meant to heighten security of internet purchases, and is thus definitely not a required feature of any online merchant. The CSC is simply a way of telling that the consumer can see the card information (preferably the card itself) when making the purchase. Thus the compliance of not saving this information.
When ArenaNet asked you if you wanted to save the information, it should state that the CSC value will not be stored if it didn’t store it, and you as a consumer are always responsible of making sure of what you are storing when you store your card information.
So now we have hopefully made all this clear.
(edited by Chobiko.9182)
Thank you Chobiko, I did read that page it is one of the sources I linked earlier; They are the standards all major credit card issuers require merchants to live up to in order to even accept those credit cards in payment. It is not law, but if not followed it does become illegal to use those credit cards in transactions – probably for security reasons. This maybe is a more clear way of explaining it. I didnt mean a bank police was gonna swoop in and steal all arenents bases.
Those are rules and standards are part of what merchants must (!) live up to, in order to process payments through large credit card issuers, fx Visa. If they comply with them they get accredited and become VISA accredited merchants (meaning they may accept visa in their payment methods). If they dont comply, by FX storing the cvv2 data, they are prohibited by VISA from using visa in the payment transactions. (actually no selfrespecting company handling millions of transactions every year does not comply with those standards. Its totally unheard of)
Im saying what they are doing with VISA holders info atm, is not legal because it is in breach of the requirements made by that credit card issuer for any merchant to use them in transactions.
Just making sure I specifically stated I did not know if the other credit card issuers had this restriction with regards to csc, but VISA does, and VISA requires a compliance attestation of the very points you linked to in your post done every year.
What I do know is that it is not a good thing for NCsoft or Arenanet to not be in compliance with these standards.
Maybe you would like to see this from VISA? its on their website here:
http://www.visaeurope.com/en/businesses__retailers/retailers_and_merchants/security/payment_security.aspx
and in more detail as to what they must live up to here:
http://www.visaeurope.com/en/businesses__retailers/payment_security/merchants.aspx
(edited by Sorry.6741)
@Sorry
You are right about visa. However I believe whether or not a merchant utilises the CSC or not does not is up to them. I have never been asked for my CSC when shopping online at .jp sites mind you.
But let’s now assume that ANet is in compliance here, and I believe they are. From where do we know that the CSC is stored?
They might be like iTunes or Amazon using a special agreement that allows for purchase without the CSC.
This would require a bill to be issued of some sort. I believe that if it has been the case that someone has had their cards charged by NCSoft by unauthorised purchase, then they would have gotten such a bill.
Since NCSoft might (instead of saving CSC) be using the same agreement as many other large retailers I imagine that it shouldn’t be hard to flag these charges just like you did.
(edited by Chobiko.9182)
Well I put my cvv2 code down on my first purchase, so they did require it. When the card details were down, I was give the option to store it. And I clicked yes. – When next I made a purchase all I needed was to click amount, stored visa ending in xxxx and OK.
If it didnt store part of the information and excluded the cvv2 – then its a very unfortunate oversight that it does not ask me for the 3 digits on my second purchase.
Your suggestion that they may have a special agreement has precedence but I dont see any way to confirming it.
In fact if they do store the cvv2 I wouldnt even care, if I just could remove the credit card details myself. Its so frustrating, and I do blame myself for being in this situation.
Well I put my cvv2 code down on my first purchase, so they did require it. When the card details were down, I was give the option to store it. And I clicked yes. – When next I made a purchase all I needed was to click amount, stored visa ending in xxxx and OK.
If it didnt store part of the information and excluded the cvv2 – then its a very unfortunate oversight that it does not ask me for the 3 digits on my second purchase.
Your suggestion that they may have a special agreement has precedence but I dont see any way to confirming it.
In fact if they do store the cvv2 I wouldnt even care, if I just could remove the credit card details myself. Its so frustrating, and I do blame myself for being in this situation.
Indeed, I understand your frustration. Here’s the thing, the rumour about them storing the CSC is false. They don’t.
Just like when you register your card on an iTunes account or Paypal account it won’t ask you for your CSC on the subsequent purchases. The card info is stored with a third party, a billing agent, and processed through it. They do a verification check upon purchase through the billing agent, and then process the payment either automatically or manually. This doesn’t require a CSC value as you have already agreed to “store” your card information which in actual terms means letting them charge your card whenever you make a purchase.
With such an agreement you can refund payments made through ArenaNet, just like you can refund through apple, within 30 days of purchase. I suggest anyone who has been victim to fraud not only does this, but reports the fraud to the police.
Removing your stored card information should not be more problematic than shooting them a ticket or an email requesting that they remove it. Due to the unexpected situation with all the account hijacks I suspect it might take some time before they handle it. It is therefore best to handle it like you did flag transactions, and if possible region lock as well.
There are some banks that allow for more security measures like only allowing purchases made with “verified by visa” (the password protected payment feature) or by using PIN. Many banks also offer to send a mail when the card has been charged, with what amount and the possibility to instantly cancel that payment.
It doesn’t require the CVV/CVC code if you enter a monthly or subscription payment plan as that is done on the first payment and is setup to be accepted per month.
On the Black Lion Trading system it isn’t set for systematic purchasing in the same time frame and can be done at any time, thusly it should ask for the CVV/CVC each time, but they have illegally stored that info which is now causing all the problems of people getting money taking out of their accounts/card balances (some cards are not CC but debit cards which is worse as their is no limit per say except for the amount in their bank accounts).
Thats good news know jopefully they will catch some of these hackers
Tis not what they can do for you
Tis only what you can do for all
Tis only what you can do for all
Did they say in the EULA that they were storing our CVVs for the gem purchases? When I pre-purchased I don’t remember reading that.
Speaking of Debit cards not having a limit, not true. As a Debit card user myself I have a set limit that prevents unauthorized persons from emptying my bank account. You the user of a Debit Card must tell the bank to set a limit…
Speaking of ANet, got a email from my bank letting everyone know that since bank gotten lot of complaints and fears of credit/debit cards are being compromised they have put Anet and NCSoft on the watch list and notified US Federal Law Enforcement namely the United States Secret Service and the FBI about the situation.
That seems a little excessive. Are you sure about that?
@Aetheogh – “limit per say” =/= a sure fire limit.