Guild Wars 2

I’m just curious, if someone swaps from E-mail Authentication to Mobile Authentication, would there be an e-mail sent to verify the change from E-mail to Mobile? Or will it be automatic?

Now I know that hackers won’t be able to access the account in the first place since there was e-mail notification, but just what if? What if, for some reason, hackers were able to access an account and wanted to change it from e-mail to mobile. If it was that easy to swap from e-mail to mobile, then I think that should be changed.

Forgive me if this seems like an impossible scenario, but I’d rather go through the hassle of multiple verifications to change security settings and be sure my account is safe.

I dunno, maybe I’m just getting too nervous about my account’s security. Anyways, just my 2 cents.

This happened to a lot of people lately after patch and a little time before the patch.
Hackers might got the accounts from forums and then go into account and change it to mobile authentication.
Hacked accounts are not able to get in because the mobile thing is on and asks for the numbers.
This is probably the worst situation since the start because it happens to account with secure passwords and never visited gold selling sites
One of my friends still waits for a response from A-Net

It wasn’t a very secure password if the ‘hacker’ got into Account Management to enable a Mobile Authenticator. Food for thought.

Actually they do not need your 22 character long game password or access to your computer. All they need is to get access to your web based email. Gaile posted that in nearly every one of the account compromises the thieves also had access to the user’s email . With the (account name) email they then can gain control of your game account AND prevent you from ever knowing they have done so until you try to log in and find your password does not work and there is a mobile authenticator installed on your account.

While it is a good thing that you are using a good strong password on your game account and virus scan your computer, you also need to perhaps check your smartphone, tablet or other places (computers) you access your email from. Just getting one malicious app installed on your phone or tablet will give them access to your email and all the business and personal information you store there.

Please remember, the people that are trying to steal your account these days are not the “noble hackers” or “kid that lives in his parents basement” or “poor gold farmer” any more. These are professional thieves that make a very good living at stealing your information and using it or selling it to people that will use it. So be sure to also secure and double check all the many possible ways you could be giving up your email password.

Gaile Gray.6029:

Very good advice, LyricDawnhagen!

Wulfheart, the fact is, if they have access to the e-mail account — if for example you use the same password for e-mail and game — sending a verification “Do you want to add this mobile authenticator” e-mail wouldn’t help.

However, I do understand the question, so I’ll discuss it with the team to learn if there’s benefit to adding that process to the change. I’ve asked before and basically I’ve been told that sending the e-mail isn’t necessary nor preventative of most hacks. But I’ll ask again.

My suggestion for this issue is this. Account manager will never send e-mail to the customer. E-mail is worst solution for verification. E-mail have same security as postcard have. When it goes thru all operators everybody who can Access those operators databases, can read your e-mail too.

If you really want to secure customer Account manager, and same time provide good custom security, there should be another type of verification in Account manager.

This is my suggestion:
Customer can add in their Account manager page pin-code. When ever there will be done some changes, like password change, e-mail change or mobile authenticator, there will open a panel, where customer need to click with their mouse that pin-code what they have add in the Account manager. Pin-code should be 5 – 8 digit long, and it should not allow more than 3 same digit in the pin-code. Also this pin-code should be added to the game, when player is pressing play button. In this way they have to manually click numbers and not typed in there. So even keyloggers are not a threat anymore. This is only secure way to prevent hacking account and changing passwords without external programs, like e-mail client, mobile phones etc.

LyricDawnhagen.7803:

Actually they do not need your 22 character long game password or access to your computer. All they need is to get access to your web based email. Gaile posted that in nearly every one of the account compromises the thieves also had access to the user’s email . With the (account name) email they then can gain control of your game account AND prevent you from ever knowing they have done so until you try to log in and find your password does not work and there is a mobile authenticator installed on your account.

While it is a good thing that you are using a good strong password on your game account and virus scan your computer, you also need to perhaps check your smartphone, tablet or other places (computers) you access your email from. Just getting one malicious app installed on your phone or tablet will give them access to your email and all the business and personal information you store there.

Please remember, the people that are trying to steal your account these days are not the “noble hackers” or “kid that lives in his parents basement” or “poor gold farmer” any more. These are professional thieves that make a very good living at stealing your information and using it or selling it to people that will use it. So be sure to also secure and double check all the many possible ways you could be giving up your email password.

I think you missed the point of the reply to Incalp.. but no iprobs.

To add though, for info.. I don’t use webmail and don’t use my phone for emails or online social media.. in fact I really should try to get a cheaper package for my phone contracts… I don’t think I have ever downloaded an app on my phone until yesterday when I put got the authenticator and linked it to my account.. and the info that site holds is at least 5 years out of date in regards to personal info and certainly isn’t the same using my GW2 email but aside from all that I am in total agreement with you.. its way to easy for others to get info on us all these days and use it for .. other purposes.

Then again its also nothing new either.. I was in NY 5 years ago and bought something using an online system.. going out for dinner that evening I was suddenly hit with having £1700 less in my account… so now I have completely different banks accounts, all manner of protections in place on the new accounts, killed off all online banking and I limit what online spending I do from an account that has nothing in it until I physically put it in… only thing I did do was change account passwords on that old email account .. so yeah call me nervous but I am pretty distrusting of anything online these days… but like many of us do, I do all I can to try and limit the potential, even though that’s never going to be enough.. hence I was hacked a few days back.

Interesting I read only today the latest security flaw with Microsoft IE…. No matter what we do to protect ourselves, ultimately we rely and trust in others to safeguard that info as well.. and sometimes that trust is left questionable.

Inculpatus cedo.9234:

It wasn’t a very secure password if the ‘hacker’ got into Account Management to enable a Mobile Authenticator. Food for thought.

IF the hacker gets into the associated email account (a bigger security problem than just your GW2 account), they can request a password reset AND that mobile authentication be turned on (and set it up to THEIR phone). This would take a 2 sentence email coming from the email account and Support would perform the actions no questions asked.

Just saying….(it happened to me…not the mobile authentication part, but the password reset).

@Gaile
Thanks for the reply. I know it may be some extra coding for the people who are in charge of account security and e-mail authentication, but I believe every little bit hels.

I had 10 passwords I cycle through every now and then, around 9 to 11 characters with letters, numbers and special characters in the mix.

I’ve checked my e-mail and it has never been accessed outside my IP or IP range the past month prior to my hack.

Nobody knows my passwords, true my close friends who I believe have no interest whatsoever in my GW2 account may have an idea of my past passwords but that was back when I only used letters and numbers, no caps nor special characters.

I don’t really go to sites that have malware and I loathe having to download extra ‘security’ software, but after this incident I’ve asked some people about good security software and have added some which most of them recommended.

Still, if someone with a 22 character password can get hacked then these gold sellers are really getting aggressive. I’m not sure but I’ve been checking the forms and I think it’s really bad these days, though I’m not sure if this is the worst ANet has suffered. I’m not saying that there really has been a breach with ANet and/or NCSoft, but at least it may be a good idea to think around that angle, don’t leave out any possibilities.

It kinda reminds me of this witty/corny line I made: “Where there’s a hack, there’s a way!”
I kinda said this as a joke before, but I’m believing I may have unknowingly hit on something there.

wulfheart.8206:

@Gaile
Thanks for the reply. I know it may be some extra coding for the people who are in charge of account security and e-mail authentication, but I believe every little bit hels.

I had 10 passwords I cycle through every now and then, around 9 to 11 characters with letters, numbers and special characters in the mix.

I’ve checked my e-mail and it has never been accessed outside my IP or IP range the past month prior to my hack.

Nobody knows my passwords, true my close friends who I believe have no interest whatsoever in my GW2 account may have an idea of my past passwords but that was back when I only used letters and numbers, no caps nor special characters.

I don’t really go to sites that have malware and I loathe having to download extra ‘security’ software, but after this incident I’ve asked some people about good security software and have added some which most of them recommended.

Still, if someone with a 22 character password can get hacked then these gold sellers are really getting aggressive. I’m not sure but I’ve been checking the forms and I think it’s really bad these days, though I’m not sure if this is the worst ANet has suffered. I’m not saying that there really has been a breach with ANet and/or NCSoft, but at least it may be a good idea to think around that angle, don’t leave out any possibilities.

It kinda reminds me of this witty/corny line I made: “Where there’s a hack, there’s a way!”
I kinda said this as a joke before, but I’m believing I may have unknowingly hit on something there.

I totally agree with you on the breach in ArenaNet’s/NCSoft’s systems, it’s far fetched but not impossible by any means. Experienced a similar thing in a different game years ago and with all these people being hacked out of the blue and the absurd amount of goldselling spammers in the game it all points in that direction as I see it anyway.

I know someone who absolutely positively did not have his email account compromised, yet got hacked and mobile authentication was set up — no emails confirmations appeared at all.

By the way, if you got hacked and you use a big email service like Gmail and Yahoo mail, you can check email access logs (check on Google — it’s a matter of following a few links once logged in).

The entire purpose of these access logs is for you to know if someone unauthorized has logged into your email, thus they are unalterable by you or anyone else who’s logged in.

What I don’t understand is how these hackers are getting a hold of people’s e-mail accounts. I understand the comment that 99.9% of the time the hacker has access to the e-mail, because obviously, they need to send an e-mail to themselves to change the GW2 password.

The question is, how is the hacker getting access to this private information?

People like myself (and I know I’m not alone) whom have a unique e-mail only used for Gw2 purposes. I keep my personal e-mail and Gw2 e-mail accounts completely separate. There is nothing interchangeable about the 2, nor are the passwords even remotely close together. All my passwords are also completely different from one another.

Remember, in order for the hack to take place, they need access to some information to begin with to compromise the account. In this case, all it seems like they need is an e-mail address.

I consider my e-mail address personal information linked to my account; I’m a bit uneasy as to how hackers got a hold of this information considering the e-mail that is linked to my Gw2 account, is a unique email only used for the account.

I’ve had the e-mail to my GW2 account changed. Just like DeadlySynz, it’s not going to be used for anything else aside for GW2 and I won’t be opening it very often, if I ever have to open it at all. And like some people have suggested, I won’t open it on the computer where I play GW2. So any hacks made to my account would be through a direct attack to ANet or my e-mail provider, or just one truly dedicated hacker.