Guild Wars 2

So my friend was hacked most likely from his email was rolled back email and passwords changed then got hacked again, and was rolled back as it was the same hacker, email and passwords changed again. He did everything that was asked of him then he got hacked again and was told he had been rolled back already and there was nothing else they could do.

ok so here r a couple of problems with this

1. when he was hacked the 1st 2 times he asked if hacker has his key code if they will still b able to get in to his game(this question was NEVER answered from any of the mods who replied to these tickets) and if so could he get another key or not(this was never answered either)

#2-now with the 1st 2 questions unanswered passwords and emails changed 3Xs comp completely scanned ect he asked how they r still getting in and received no answer to that either

1. when on the 3rd time he was hacked he was told he had been rolled already and there was nothing to b done, but they rolled him forward to the time right after he had been hacked the 1st time why would Anet do this? makes no sense.

now his account is suspended again and all these questions r still unanswered im writing this because my friend is fed up understandably so and im worried for my account and those of my guilds, as a guild leader this is very disturbing and disappointing as the response was unhelpful to say the least. GM Khaos was very helpful but still neglected to answer the questions and the other mod seemed not to care that this was the same issue and didn’t answer the questions either but took the time to roll him forward WTF?

these hacking issues need to b dealt with in a better way as it seems to me that they r not getting fixed properly. oh and btw funny how on the day of china release this hack problem happened to him after over a year of no issues.

SO HOW ABOUT SOME ANSWERS TO THE QUESTIONS POSTED ABOVE PLZ thx.

Gigi…

Your best bet is to submit a support ticket the answers you want they wont tell you here.

It sounds like your friend has a key logger on their pc, I would suggest to have your friend format their pc to remove all the nasties on the hard drive. Change all the email/game passwords with stronger passwords.

The hackers are getting into email accounts (hotmail, gmail, yahoo..etc) and for folks that store their key codes in there, that’s a ticket to continue taking that account over and over again…

Best bet is to add an authenticator to your email account, add one to your GW2 account, and don’t store sensitive info in your email if you don’t have an authenticator attached to it (print it out, store it some place safe). Don’t wait for customer service to secure your stuff. Secure your stuff, and tell your friend to secure their stuff with the authenticators and assume someone has the key if you, or they have been hacked…. and ask it be changed.

*edit- fwiw, I’ve had the GW2 authenticator app attached to my account for awhile now. I love it. It’s free, it doesn’t nag me for a code unless my IP changes (some folks don’t like that, but I really don’t mind, I know how to check my computer/email security and do so on a regular basis) and you can and should print out the code and/or barcode image for it if you lose your phone/have to reset it so you don’t have to email Anet support to have it removed.
I have quite a few “free-mail” accounts I use for various things. One, I’ve had for going on 16 years that has never been hacked, but has had 3 log in attempts from China since May 23rd to June 3rd. I slapped an authenticator on it, even though I don’t use the account, I have no emails stored in it, and I keep it mainly for nostalgia purposes and the account name (it’s old and probably something people want, likely why it was targeted).. but I found it humorous that it was even targeted.. but it just goes to show you they’re going for email accounts..much more to be acquired that way.

You state the email was changed…..do you mean just the password or did you change the email account associated with GW2. If the later, did ANY information concerning the new email account ever get associated with the old account (did you set up email forwarding or send any email TO the new account, etc.). If ANY evidence of the new email address was ever sent to or saved at the old address, the hacker likely has the new email address as well. Hopefully, a different password was used…..

Keep in mind that even if you change the password on an web based email account, a hacker can keep the window open and STILL have access to the email account without ever having to log in with the new password (depends on the email provider and how they programmed the web interface pages). In most cases it will eventually time out and force the new log in, but scripts can be used to maintain “activity” on the page so the time out gets extended for a LONG time (potentially much longer than you would think possible).

A keylogger is possible, but those are extremely rare these days and most AV programs would find them very quickly.

It should also be stated that if a hacker has (or had) control of an email account that was used for other sites (potentially financial or retail ones), your GW2 account being hacked might be the least of your worries…..

1) Some questions will never be answered, due to security reasons.

2) Your friend’s PC security is lacking, or is using common as dirt passwords.

3) Players only get 1 Rollback per life of the account. But it may be possible the Customer Support agent made a mistake, and granted an additional Rollback. Regardless, your friend won’t be getting another one.

4) GW2-China has nothing to do with your friend getting hacked. It’s your friend’s fault for having been hacked so many times.

Gigi Thunderheart.3981:

1. when he was hacked the 1st 2 times he asked if hacker has his key code if they will still b able to get in to his game

The serial key trumps ANY protections you have on the account and if the hackers get a hold of it the only way you are ever going to be secure is to ask for a new one.

I had this exact situation happen with my wife’s account and it took weeks to get it fixed. One it was fixed though a new problem came up about 2 weeks later when the stolen credit card that the hackers used to buy gems while on her account got charged back and now she’s been banned for that lol.

Bottom line is that it’s going to be a LONG road back to account stability and knowing what you know now is it worth the time versus just buying another account?

Gaile,

Unless the policy has changed recently, I have to take exception to your comment about taking “lots of means of identifying the person”. Currently (as far as I know), if an email comes into Support from a valid email address that says, “Forgot my password.”, Support initiates a password change with NO information requested.

Correct me if I am wrong, but THAT (I believe) is the source of 90% of hacked accounts right now. A simple policy change could prevent ALL of those account hacks (even tho, it is NOT Anet’s fault to hacks are happening). Simply pointing all password change emails to the link to submit a ticket via the website (where validating information MUST be put in to submit a ticket) would close this (in my opinion) loophole in the system.

Not trying to be combative or contradictory, but just trying to point out that despite what you claim, more COULD be done to prevent MANY of these hacks. I get this would end up being more work on players and Support for legit password changes, but it would HAVE to cut down on Support being required to fix a multitude of hacks that would not happen in the first place.

Again, just my 2 cents.

i had exactly the same, even though i have my computer protected and i use long-kitten passwords i dont use anywhere else. might be a keylogger orso though. check for processes that are unwanted and maybe even the connections going in and out.

i contacted support and they helped me on this subject with fast responses. try it

Brother Grimm.5176:

Gaile,

Unless the policy has changed recently, I have to take exception to your comment about taking “lots of means of identifying the person”. Currently (as far as I know), if an email comes into Support from a valid email address that says, “Forgot my password.”, Support initiates a password change with NO information requested.

Correct me if I am wrong, but THAT (I believe) is the source of 90% of hacked accounts right now. A simple policy change could prevent ALL of those account hacks (even tho, it is NOT Anet’s fault to hacks are happening). Simply pointing all password change emails to the link to submit a ticket via the website (where validating information MUST be put in to submit a ticket) would close this (in my opinion) loophole in the system.

Not trying to be combative or contradictory, but just trying to point out that despite what you claim, more COULD be done to prevent MANY of these hacks. I get this would end up being more work on players and Support for legit password changes, but it would HAVE to cut down on Support being required to fix a multitude of hacks that would not happen in the first place.

Again, just my 2 cents.

So what you’re saying is that you want Anet to take additional measures, beyond a player’s valid e-mail address, to request changes? You seem to have missed the simple fact that if a player’s e-mail is compromised, there’s nothing else Anet can do that the hacker wouldn’t have access to. You could have 10 extra steps involved, and the account would still be stolen. Why? Because if the e-mail account isn’t secure enough to prevent someone from taking it over, nothing is secure.

Each of us is responsible for protecting our personal information. Be it e-mail access, or account access. There’s no point in putting up more barriers, when the key barrier (the e-mail account) is already breached.

Not excepting that as an answer.
It very easy to loose our emails to rogues.
And Anet shouldn’t allow them easy access cos ‘well it’s the customers fault’.

Its true that we must use only one email and unique passsword for gw2.
And its not keyloggers who are doing it. Technology has moved on from that. And so has the system of gathering emails.

Smooth Penguin.5294:

So what you’re saying is that you want Anet to take additional measures, beyond a player’s valid e-mail address, to request changes? You seem to have missed the simple fact that if a player’s e-mail is compromised, there’s nothing else Anet can do that the hacker wouldn’t have access to. You could have 10 extra steps involved, and the account would still be stolen. Why? Because if the e-mail account isn’t secure enough to prevent someone from taking it over, nothing is secure.

Each of us is responsible for protecting our personal information. Be it e-mail access, or account access. There’s no point in putting up more barriers, when the key barrier (the e-mail account) is already breached.

I’ve made this suggestion in the past (and been ignored) and always get this response from some other player. WHY do other players NOT want the system to be improved? I KNOW and have repeatedly acknowledged that this is NOT Anet’s fault, but improving a system does not always have to be about who’s responsibility it is to prevent the failure. I would pay RL money if I could tell ANet to Support to NEVER CHANGE MY PASSWORD WITH A SIMPLE EMAIL. Bottom line THAT would stop a significant number of hacked accounts.

My suggestion is simply that. If Anet REALLY wants to stop the obviously main source of account hacks these days AND reduce their overall Support resource demands, they would consider it. That is all I am saying.

I see NO reason why what I am suggesting would cause ANY additional work for Customer Service. There is ALREADY an automated email sent out from the ticket system and I have personally used Zendesk (what Anet is using for Support) and it has very easy tools to set up automated responses to include a link to the on-line web ticket submission page. The ticket would then be handled like every other ticket submitted via that AND would have info that could be verified rather easily (I’m hoping they have some automated system to throw up red flags if the info is missing or not even close to correct) by Support Agents.

I challenge anyone to prove that if 50% of hacks NEVER happen (I think this change would stop more than that), Anet Support would have MORE work to do. I think this makes sense and is a win-win for both players and the Support team. THAT is why I have been aggressive in making this suggestion when it seems appropriate.

If I am missing an actual down side to this proposed policy change, please enlighten me (and note, “Anet shouldn’t have to change it’s policy because your personal security sucks.”, is NOT an actual downside). Also note that I don’t argue that statement is false….it is certainly true, but what they shouldn’t have to do and what they COULD do to improve the system is my point.

My tip is still that they should simply allow us to use other login-names as our email addresses.
So even if a hacker has our email-address and password, he still don’t knows the login-name.

Or maybe adding a security question. Even ones on the level of Mother’s maiden name would stop hackers armed only with email and password.

Brother Grimm.5176:

Smooth Penguin.5294:

So what you’re saying is that you want Anet to take additional measures, beyond a player’s valid e-mail address, to request changes? You seem to have missed the simple fact that if a player’s e-mail is compromised, there’s nothing else Anet can do that the hacker wouldn’t have access to. You could have 10 extra steps involved, and the account would still be stolen. Why? Because if the e-mail account isn’t secure enough to prevent someone from taking it over, nothing is secure.

Each of us is responsible for protecting our personal information. Be it e-mail access, or account access. There’s no point in putting up more barriers, when the key barrier (the e-mail account) is already breached.

I’ve made this suggestion in the past (and been ignored) and always get this response from some other player. WHY do other players NOT want the system to be improved? I KNOW and have repeatedly acknowledged that this is NOT Anet’s fault, but improving a system does not always have to be about who’s responsibility it is to prevent the failure. I would pay RL money if I could tell ANet to Support to NEVER CHANGE MY PASSWORD WITH A SIMPLE EMAIL. Bottom line THAT would stop a significant number of hacked accounts.

My suggestion is simply that. If Anet REALLY wants to stop the obviously main source of account hacks these days AND reduce their overall Support resource demands, they would consider it. That is all I am saying.

I see NO reason why what I am suggesting would cause ANY additional work for Customer Service. There is ALREADY an automated email sent out from the ticket system and I have personally used Zendesk (what Anet is using for Support) and it has very easy tools to set up automated responses to include a link to the on-line web ticket submission page. The ticket would then be handled like every other ticket submitted via that AND would have info that could be verified rather easily (I’m hoping they have some automated system to throw up red flags if the info is missing or not even close to correct) by Support Agents.

I challenge anyone to prove that if 50% of hacks NEVER happen (I think this change would stop more than that), Anet Support would have MORE work to do. I think this makes sense and is a win-win for both players and the Support team. THAT is why I have been aggressive in making this suggestion when it seems appropriate.

If I am missing an actual down side to this proposed policy change, please enlighten me (and note, “Anet shouldn’t have to change it’s policy because your personal security sucks.”, is NOT an actual downside). Also note that I don’t argue that statement is false….it is certainly true, but what they shouldn’t have to do and what they COULD do to improve the system is my point.

I’m not saying I’m against protections (technically). Protections are always good. But in this case, not so much. I’m advocating that players stop getting their e-mails hacked in the first place. A majority of the time, it’s the player’s fault. Lack of PC security, poor pw choices, going to naughty websites, buying gold from an RMT, etc.

If a player makes poor choices, having their GW2 account get hacked can actually be a blessing in disguise. It would make them be more aware of their lack of security, and then they’ll take steps to protect themselves better. Think of it like a life lesson. It’s better to be sad that your GW2 account was hacked, than to be ruined if your identity was stolen. For this, I say no to additional protections.

Smooth Penguin.5294:

Brother Grimm.5176:

Smooth Penguin.5294:

So what you’re saying is that you want Anet to take additional measures, beyond a player’s valid e-mail address, to request changes? You seem to have missed the simple fact that if a player’s e-mail is compromised, there’s nothing else Anet can do that the hacker wouldn’t have access to. You could have 10 extra steps involved, and the account would still be stolen. Why? Because if the e-mail account isn’t secure enough to prevent someone from taking it over, nothing is secure.

Each of us is responsible for protecting our personal information. Be it e-mail access, or account access. There’s no point in putting up more barriers, when the key barrier (the e-mail account) is already breached.

I’ve made this suggestion in the past (and been ignored) and always get this response from some other player. WHY do other players NOT want the system to be improved? I KNOW and have repeatedly acknowledged that this is NOT Anet’s fault, but improving a system does not always have to be about who’s responsibility it is to prevent the failure. I would pay RL money if I could tell ANet to Support to NEVER CHANGE MY PASSWORD WITH A SIMPLE EMAIL. Bottom line THAT would stop a significant number of hacked accounts.

My suggestion is simply that. If Anet REALLY wants to stop the obviously main source of account hacks these days AND reduce their overall Support resource demands, they would consider it. That is all I am saying.

I see NO reason why what I am suggesting would cause ANY additional work for Customer Service. There is ALREADY an automated email sent out from the ticket system and I have personally used Zendesk (what Anet is using for Support) and it has very easy tools to set up automated responses to include a link to the on-line web ticket submission page. The ticket would then be handled like every other ticket submitted via that AND would have info that could be verified rather easily (I’m hoping they have some automated system to throw up red flags if the info is missing or not even close to correct) by Support Agents.

I challenge anyone to prove that if 50% of hacks NEVER happen (I think this change would stop more than that), Anet Support would have MORE work to do. I think this makes sense and is a win-win for both players and the Support team. THAT is why I have been aggressive in making this suggestion when it seems appropriate.

If I am missing an actual down side to this proposed policy change, please enlighten me (and note, “Anet shouldn’t have to change it’s policy because your personal security sucks.”, is NOT an actual downside). Also note that I don’t argue that statement is false….it is certainly true, but what they shouldn’t have to do and what they COULD do to improve the system is my point.

I’m not saying I’m against protections (technically). Protections are always good. But in this case, not so much. I’m advocating that players stop getting their e-mails hacked in the first place. A majority of the time, it’s the player’s fault. Lack of PC security, poor pw choices, going to naughty websites, buying gold from an RMT, etc.

If a player makes poor choices, having their GW2 account get hacked can actually be a blessing in disguise. It would make them be more aware of their lack of security, and then they’ll take steps to protect themselves better. Think of it like a life lesson. It’s better to be sad that your GW2 account was hacked, than to be ruined if your identity was stolen. For this, I say no to additional protections.

They could do more to reduce the chances. Security question for example. And that doesn’t even have to be mandatory. So that those who do not want it don’t have to have it. But for those of us who do, it’s there.

And I’d want it and I don’t go to shaddy sites, my email is secure, I don’t buy gold from gold sellers, etc. Because even with all of those protections, including a mobile authenticator for the game, I could still one day be hacked.

That’s all Brother Grimm is asking for.

Seera.5916:

They could do more to reduce the chances. Security question for example. And that doesn’t even have to be mandatory. So that those who do not want it don’t have to have it. But for those of us who do, it’s there.

And I’d want it and I don’t go to shaddy sites, my email is secure, I don’t buy gold from gold sellers, etc. Because even with all of those protections, including a mobile authenticator for the game, I could still one day be hacked.

That’s all Brother Grimm is asking for.

You need to actually read my post if you’re going to quote it. Players are sometimes unaware of what they’re doing. Being hacked is a wakeup call. It forces them to be more mindful of their online activities.

Now to be clear, I’m not “for” people getting hacked. Just putting that out there, since others can easily be confused. If everyone took care of their PC security, no one would be hacked in the first place. But there are players who don’t realize what they’re doing, so if a hacker gets through the current system in place, it’s a sign that worst things could happen. Someone might not have been aware that their e-mail was compromised. Having these additional security measures might protect their GW2 accounts, but that doesn’t fix the problem that the hacker still has access to the player’s e-mail.

So this is equivalent to letting a child play with a screwdriver and a light socket? I’ve never been a big advocate of idiot proofing the whole world but if the solution makes LESS work for Anet (which I fully feel it would), I sure would like to think the would at LEAST think about it (if for nothing more than overall cost savings).

Again, beyond the, “They won’t do that again!” argument, give me a valid downside to my proposal and I’ll be the first to agree it’s a bad idea.

I guess my real disappointment from this entire saga is that every time I have mentioned this possible change, no response has EVER come from any Anet rep. That makes my inner baby quagan sob a bit…..

Brother Grimm.5176:

So you are advocating using your GW2 account as a method to teach account security for you email and that’s reasonable, but my advocating a small policy change that would likely prevent a VAST number account hacks in this game is not.

As long as I know where we all stand….my suggestion remains unchanged, however.

That’s fine, as long as you can see why I’m against this. The huge problem that exists here is that a player’s e-mail is compromised. That’s not something you, me, or Anet can fix. And as I said above, a player might not even know a hacker has access to the e-mail account in the first place.

Depending on how additional security questions are implemented, there’s no way a player would know that someone is trying to get into their GW2 account. If a hacker has access to the e-mail already, the following could occur:

1) Anet sends security link to e-mail, which leads to an additional security question to be answered. The hacker follows the link, but can’t answer the question. An automated e-mail is sent to say that access is denied. Since the hacker is already in the e-mail, they simply need to delete the message.

2) Before a pw change is sent to the e-mail account, a security question needs to be answered. If the hacker can’t answer, an automated e-mail is sent, as in example #1. And again, if the hacker is already in the e-mail account, they just delete the message from Anet.

In both examples, the GW2 account is safe. But the player never knows that the e-mail address is compromised. This can go on until the hacker correctly guesses the security question, or the player sees the IP logs on their e-mail. I can tell you that most people don’t even bother to look at the IP logs, or if they even have access to that feature.

Smooth Penguin.5294:

Seera.5916:

They could do more to reduce the chances. Security question for example. And that doesn’t even have to be mandatory. So that those who do not want it don’t have to have it. But for those of us who do, it’s there.

And I’d want it and I don’t go to shaddy sites, my email is secure, I don’t buy gold from gold sellers, etc. Because even with all of those protections, including a mobile authenticator for the game, I could still one day be hacked.

That’s all Brother Grimm is asking for.

You need to actually read my post if you’re going to quote it. Players are sometimes unaware of what they’re doing. Being hacked is a wakeup call. It forces them to be more mindful of their online activities.

Now to be clear, I’m not “for” people getting hacked. Just putting that out there, since others can easily be confused. If everyone took care of their PC security, no one would be hacked in the first place. But there are players who don’t realize what they’re doing, so if a hacker gets through the current system in place, it’s a sign that worst things could happen. Someone might not have been aware that their e-mail was compromised. Having these additional security measures might protect their GW2 accounts, but that doesn’t fix the problem that the hacker still has access to the player’s e-mail.

There is a saying that goes, “the best is the enemy of the good.”

If you’ve never heard it before, it means that the ‘best’ solution is not always the best, because it’s impractical in some way. But because some people want the best solution, they won’t consider a solution that is simply good.

In your case you are suggesting what you think is the “best” solution. Allow people who are going to get hacked get a wake up call by having their account stolen. But this solution tells Anet not to tighten its security. That they should not make password changing as secure as possible to lessen their workload, protect their reputation and to protect people who paid for the game. This is the impracticality of your “best” solution.

It’s not ANet’s job to be part of a wake up call for players that have lax security. They are not their keepers or teachers. Their job is to keep the accounts secure for the good of the game, no more and no less.

Sorry, I edited my original post because I felt I was a bit harsh with you. My bad.

In MY suggestion, there would be NOTHING other than the link in the reply would take the hacker to a page where they would be unable to answer the questions required to even OPEN a ticket…..Support would NEVER be bothered with the issue and granted, the player would likely not know about the email hack (so there would be no “wake up call”). You say it isn’t Anet’s responsibility to ensure player email security so why would it be their responsibility to inform the player their email is hacked?

However, the account would NOT be compromised and Support would NOT be wasting resources (both changing password emails NOR having to deal with another hacked account). Eventually, organized hackers would realize there is no profit in trying to compromise accounts like this (because they can’t) and would move on to some other method (that I’m sure we would soon see evidence of in this forum).

I get what you are saying (that this account hack is a way for users to KNOW their email has been hacked), but you are the one that stated players personal account security is only one persons responsibility.

Part of my reason for my interest in this issue as that my account was hacked like this several months ago. I was lucky and the hacker got into my account for only a few minutes (according to Anet Support) and took nothing. However, MY wake up call wasn’t not being able to log in (I was taking a break from GW2 at the time), but the email from Support asking me to rate my recent support issue. What support issue?

The “change my password” email from the hacker. BTW, the entire issue was an ancient password on that email account I had used for years (that I had quit using, but NEVER updated that email account credentials….I hardly ever use that email address). It all worked out ok for me, but I realized just how hollow it felt that Anet Support themselves had played a crucial role in my account being compromised (granted, NO FAULT of theirs) and that this simple change could prevent LOTS of account hacks if made.

The irony of the situation was that the hacker used 4 words (2 of them misspelled) to get into my GW2 account (after hacking my poorly secured email) and I had to answer a dozen questions to get it back.

Yes it’s true that Anet isn’t in the business to protect players from themselves. But my examples aren’t meant as a way for “Anet to inform players”. Far from it. I’m saying that “the event” of a GW2 compromise helps players to understand that their e-mails aren’t secure. Two different things here.

Most companies rely on their customers having a secure e-mail. Places were it’s extremely importance to have tight security (i.e. banks), you’ll see multiple steps in accessing online accounts. Anet’s security, currently, is pretty good. They have their own security questions that must be answered before players can get assistance. GM Chris will even take time to comment on things in game and in the forums. So at no point should you assume that Anet doesn’t take security seriously.

Your suggestion is, ANet shouldn’t increase the security of its password change site so that people who are hacked will get a wake up call. If you take your suggestion to a logical extreme, then all noncritical online sites should have less than optimal security so that hacked emails can have this wake up call. (Do you see how ridiculous that sounds).

ANet is a company, not a teaching aid. Their job is to have the best possible security for the site. It’s not their job to be part of a warning system for other’s hacked emails. Basically you are telling them not to improve security since they need to be a part of a “wake up call.” This is not an appropriate thing for ANet to be doing.

Astral. Anet’s security measures are good as they currently are. You want Anet to increase security due to the lack of security from the players. Ok fine. But at what point will that be enough? Add 2 additional steps Add 3? Add 4? Put in DNA testing?

This is how I feel about this situation. I think it’s pretty ridiculous to expect Anet to constantly have to add security barriers, when the key cause of the problem isn’t on their end. I’ll use a real life example: US border security (note – I realize the example I’m using has different purposes, but the overall idea is the same)

People are crossing the border illegally, so the US puts up a fence and has check points to legally cross at. People climb the fence because they can’t pass the check point legally, so the US puts up a bigger fence. People still climb the new fence, so now they put up a wall, with an angled top that makes it hard to climb. People give up going over the fence, and now goes under. The US now employs underground radar equipment to find the tunnels. Etc. Etc. Etc.

You basically want Anet to do the same. Increase security measures because someone found a way around the first barrier. So they set up more barriers. But say the hackers can get by those too. So now we ask them to set up even more? And to be clear, these barriers are not weak ones. Once a hacker is able to determine passwords or answer security questions, the strongest barriers can be walked through. Like having the best lock in the world that can’t be broken, but the thief has the key.

I’ll say this again, I agree that it’s not Anet’s job to give “wake up calls” to players. But it’s fairly logical to assume that if a player has their e-mail compromised, losing your video game account is the least of their worries. THAT’S why I say it’s a blessing in disguise. If they lose their GW2 account, that can be rolled back. Your identity on the other hand, is a lot harder to fix.