Master E-Mail (Counter Hacking)
PLEASE PLEASE PLEASE READ THIS, MODS. PLEASE. PLEASE. FOR THE LOVE OF GOD. This man is smarter than your whole company, hire him ><;
This is why I was so happy after my GW1 account email ceased to exist and I registered a new email without having to change the account name. Was rather disappointed that my account name got changed for GW2 since I could not “activate” it at the old address. Really there is nothing stopping us having a login address, a billing address, and a master address. As it stands a hacker on an authenticated account needs to gain access to the login address and the actual login mail account – yet after that they have access to do anything, no block for purchasing items if people want the one stop convenience of saved CC info, change the account email, change names, details, etc.
Of course to make it work you need people to understand that they can’t just have emails MyName001, MyName002, MyName003, or even GWGame, GWBills, GWMaster with passwords just as simple.
@marcusbash.8642
Thank you, hopefully we will receive a response on this.
Problem goes beyond this. Hackers target the user’s email first a lot of times. If they have access to the email account and the user no longer has control of their ‘master email’ then they get screwed on both fronts. They can’t change their master email, and they can’t recover. This creates a new and deeper security concern. Giving users the ability to change the email assigned to the account allows them to avoid this security concern should their original email be compromised.
Yes, I have seen this before and however much I’d like to believe this is a safe measure, it isn’t.
People use easily compromised email addresses as their master address without thinking twice resulting in a very serious security concern.
ArenaNet is already using the games serial as a recovery method, this serial should not be stored in your email address where most of us first got it. It should be copied and stored in a safe vault, and the email containing it should be deleted from the mail server.
That way you should be 100% in control of your account, even if it were to be hijacked.
You can recover your account by using account name, serial and a character name on your account.
Now that last part of the verification process (character name) is a weak leg and should be replaced with either card number, personal secrets, or phone verification (do you hear ArenaNet?).
Hmm, not sure if I agree with that 100%.
My e-mail has a unique password and I got hacked. I'm thinking that the majority of the hackers don't target the e-mail address; they'd be stupid not to change the credentials of the mail account as well, or at least remove the mails sent by Anet stating that the e-mail has been changed, to further delay the recovery. They might be too stupid for this though.
I can admit I used the same password for GW2 that I have used for other games and services (such as Twitter and Dropbox). Lesson learned!
I have never had a compromised account before, and my Microsoft Essentials had not reported anything suspicious. Since this incident I have added multiple layers of security that actually caught some spyware/malware, so I think this is one of their ways in.
The strange thing I find is all the reports of compromised accounts that insist they had unique passwords for both e-mail and GW2, pointing towards a breach at Anet. I'm relatively sure they aren't brute-forcing their way in (in some cases they seem to, but it seems like they already have your info when they try to access your account).
Regarding the statement of having the serial secured, this is very true, but you won't be 100% in control of your account, as when Anet asks for the account name they in fact mean the e-mail. If the e-mail is changed you're 0% in control. I think you are confusing display name and account name?
Anyway I think this solution is still very much valid, as everyone seems to still have access to their e-mail accounts. If this feature was implemented right now I could just reset the e-mail and change passwords for both mail and GW2, solving thousands of tickets of hacked accounts and preventing more tickets with issues of gear and money gone.
If their system is anything like a normal account database this is a very quick fix.
I'm sure one of the seasoned experts at Anet could get this system rolling in a local test environment in a matter of hours. I see no downsides to trying this.
Thanks for the feedback, keep discussing any further ideas to improve the support, it's better than just pressing F5 the whole day.
(edited by Natteferd.5097)
You seem to be slightly more enlightened than the average user. You see, many users on here suffer the same problem as others: they use passwords like "password", "12345", etc.
Most of the hacked accounts are these types of users, and also those who have had their credentials exposed from accounts in other games.
While the master email works nicely with other games I have played, in exactly this situation I am seeing a lot of people having their email accounts hijacked as well (there are a number of threads on the forums, stating that not only the game account was hijacked).
Some users are reporting having had high security, I believe maybe half of them, as with the karma exploit we saw a few days ago, people tend to lie about their situation to put themselves in a better light.
Now to those who actually had a safe unique password: unique alone is not enough. Arenanet should implement some sort of password try limit, as hackers can currently try limitless times to guess your password. That's why a unique password alone is not enough; it should be really safe from guessing as well. And using a unique email will help you get off most of the hackers' lists.
That said, spyware and malware are one thing, connection security is another; people might be listening in on your wifi, for example. Other problems are Windows loopholes (and there are many of them, like Remote Desktop): if someone knows your IP and the username and password on your computer they can easily listen in on your computer as well.
Now for those with compromised accounts.
Try this:
https://account.guildwars2.com/recovery
it should help most of you, as once you notice that your account is compromised you can quickly recover it before characters are deleted or whatever.
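The password try limit suggested above, as an added example that is not code from ArenaNet or from anyone in this thread: a small Python login guard that counts failed attempts per account inside a time window and locks the account for a while once the limit is hit. The fixed salt, the PBKDF2 iteration count and the injectable clock are constructed assumptions so the example runs offline and deterministically.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass, field

MAX_FAILURES = 5       # failed attempts tolerated inside WINDOW before the account locks
WINDOW = 15 * 60       # seconds over which failures are counted
LOCKOUT = 30 * 60      # seconds the account stays locked after MAX_FAILURES

def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 from the standard library; the iteration count is a constructed choice.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

@dataclass
class AccountState:
    salt: bytes
    pw_hash: bytes
    failures: list = field(default_factory=list)  # timestamps of recent failed attempts
    locked_until: float = 0.0

class LoginGuard:
    def __init__(self, clock=time.time):
        self.clock = clock          # injectable clock so lockout expiry can be tested
        self.accounts: dict[str, AccountState] = {}

    def register(self, name: str, password: str) -> None:
        salt = b"constructed-fixed-salt"  # constructed; a real store uses os.urandom per account
        self.accounts[name] = AccountState(salt, _hash(password, salt))

    def login(self, name: str, password: str) -> str:
        """Returns 'ok', 'denied' or 'locked'."""
        now = self.clock()
        acct = self.accounts.get(name)
        if acct is None:
            _hash(password, b"dummy")  # same cost for unknown names, so timing leaks nothing
            return "denied"
        if now < acct.locked_until:
            return "locked"            # locked accounts are refused even with the right password
        acct.failures = [t for t in acct.failures if now - t < WINDOW]
        if hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            acct.failures.clear()
            return "ok"
        acct.failures.append(now)
        if len(acct.failures) >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT
            acct.failures.clear()
            return "locked"
        return "denied"
```

A limit like this caps online guessing at MAX_FAILURES tries per LOCKOUT period; it does nothing against credentials that were already lifted from another site, which is the separate problem the thread goes on to discuss.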
Yes it is true what you say.
I still find it hard to believe they are brute-forcing, as this would take hours upon hours to break just 1 password; last weekend there were about 10 000 new tickets, if I remember correctly, mainly hacked accounts. So most likely they have gathered this info elsewhere.
Regarding https://account.guildwars2.com/recovery
This is only usable if the hacker has not changed your e-mail, which is the first step they seem to take. That's what I want them (Anet) to change: give us the possibility to restore our accounts based on some info other than the e-mail, or give us the ability to restore our account e-mail.
Yes, this is most likely a compromised database on a fansite or in another game, as I have heard (confirmed) rumours of.
And about https://account.guildwars2.com/recovery
I was under the impression that the account name "name.xxxx" was sufficient to reset the password online. I have not tested it as I have not been hijacked. Some clarification on that matter would probably help. Still, if we could use our account name (name.xxxx) and the serial, the character name on the account would either have to be replaced with some other verification method, as hijackers can simply delete characters… or deleted characters would also have to be valid. If that doesn't change, the auto-recovery is somewhat flawed.
At the end of the day the problem for compromised accounts lies solely with the user in most cases. So many people, whether they self-identify as a gamer or not, tend to use the same (often easily accessible web-based) mail system with weak passwords or the same password.
As many are now finding out, all it takes is a forum account to be lifted and they are in hot water. If you were able to educate people to use a master account address with a strong password, which was registered nowhere else on the internet, it wouldn't be the headache I think you are imagining it to be, Chobiko.
You have to remember that most “hackers” trying to compromise MMO accounts are gold selling companies who even if they only have access to your account for a couple of hours have already made money off compromising your account. The first place these businesses are going to look for insecure accounts will be fan sites because they can be fairly sure to capture more than a few accounts that way. Then other MMO databases they have hacked before, and so on.
The only time they'd have to start bothering to compromise the actual email account is in the case of authenticators and other security measures. The reason people lost accounts so easily at GW2 launch was that no approval was needed in any way to change the email. With the authenticator now in place I'm guessing that many using gmail or hotmail addresses are probably being probed for weak/same passwords.
Gold sellers will take the path of least resistance to get at players' accounts, and in most cases the first place they will try to get hold of your game account will be by trying to log in as you – not randomly hacking actual email addresses.
Indeed. And as I was saying, with the authentication system now in place the hijackers are turning to the mail addresses, which is where we must focus now, so that players don’t have their mail address compromised. I know most accounts got compromised before the authentication system came in place, but we still see people being compromised which means they are either clicking the authentication link, or somebody is clicking it for them.
About a master email system I think this: "If you were able to educate people to use a master account address with a strong password…" is where I lost hope in humanity. No matter how much you post/use capital letters/scream, it seems that most people don't want to care. They think: "meh, it won't happen to me, it happens to so many others so they are probably satisfied with that and won't come for me". Or they simply still fail to get the information.
I have this feeling people will never learn proper internet etiquette…
They’re targeting emails. Compromised accounts aren’t just now popping up. They’ve existed since before the game came out, when the associated emails use to be actively used for a World of Warcraft account.
About a master email system I think this; “If you were able to educate people to use a master account address with a strong password…” is where I lost hope in humanity. No matter how much you post/use capital letters/scream. It seems that most people doesn’t want to care. They think; “meh, it won’t happen to me, it happens to so many others so they are probably satisfied with that and won’t come for me”. Or they simply fail to still get the information.
The number of – I used this account on WoW/Rift/ToR for years and never had any problem – I’ve been seeing here more than proves it. I think a lot of people don’t understand that if they were paying a sub based game and quit (hence not paying the sub) then they wouldn’t notice even if their account details had been lifted straight from the game servers.
Particularly WoW players – it’s a large game which has lasted years, the market there is huge for gold sellers therefore the chance of players being compromised from WoW forum sites, or Bnet is huge.
No it's not: authenticators, etc. And you have to authorize a change in your password/username, it doesn't just go straight through. Not to mention my WoW account got hacked once, all my chars and equips and money were gone, they had it all back and I was playing again in less than 30 minutes. So… false.
Just as I was saying. They directly logged into the game with those accounts that had the same credentials. Compromised email accounts has existed for a long time, but the hijackers didn’t start to use them to log into the game before the authentication system went up, was what I wanted to say. Now even though your game password is safe hijackers can access your mail account and use the serial key there along with a character name to reset your password. It’s very very very fragile at this moment. ANet is doing what they can to recover accounts, what players can do is start to protect them, or they should have long time ago, and this wouldn’t have escalated to where it is today.
@marcusbash The problem here is that ANet employs 30 people, Blizzard 200, and an extra 50 in their CS. This problem did not exist at launch for Blizzard since there were no accounts before that game to compromise. Your account being restored in 30 minutes was the result of 1 out of the 50 CS having something to fiddle with for 30 minutes that day.
(edited by Chobiko.9182)