Possible reason why so many Accounts are being 100% lost.


in Account & Technical Support

Posted by: Rhapsody.6173


Here’s a possible reason as to why so many accounts are being hacked.

!http://i3.photobucket.com/albums/y60/ShadowWolf81/GW2AccountProblem.jpg!

While the ‘forgot password’ option sends a confirmation e-mail to the account on file, if a hacker manages to ‘break’ your password and log in to the website, they are then able to IMMEDIATELY change your login credentials (which is basically your e-mail that is on file), and there is NO confirmation e-mail sent to the previous e-mail/login prior to this change taking effect. The change is immediate if done directly from the website.

How can you have a confirmation requirement for a ‘lost password’ but not have one for a ‘major’ account change?

Also, what’s it gonna take for you guys at A-net to purchase a ‘digital’ keygen (such as what you can get for Diablo 3, Aion, Star Wars: The Old Republic… all major AAA title games… except for GW2) for us to get?

Allowing us to get one of these would cause an immediate drop in the # of hacked accounts you guys are receiving. Then after you re-secure and return the ‘thousands’ of hacked accounts to their rightful owners, you’ll not have to worry about those accounts again either.

Posted by: Rhapsody.6173

Just an update on this.. there apparently ‘is’ a confirmation e-mail… though it’s being sent to the NEW e-mail.. not the OLD e-mail. So all the ‘victim’ gets is a cheerful:

“Someone -hopefully you!- has requested to change the email address associated with your Guild Wars account.

Need help or have questions about your Guild Wars account? Visit our support site: http://support.guildwars2.com/.

Thanks!

-The ArenaNet Team”

message, while the ‘hacker/new owner’ of the account gets the ‘confirmation’ e-mail at whatever e-mail they put into the website to steal the account.

Talk about a crappy ‘confirmation’ system?

Posted by: Mouse.1945

This happened to my friend the other day. I’m the biggest GW2 fanboy but Arena.net’s security is the absolute worst I’ve ever seen.

Email authentication was down at release and isn’t helping because of the terrible flaw mentioned in the OP.

Passwords can’t be reset… but the entire account email can be changed. Really? That’s a massive oversight that as far as I’m aware of has not been fixed, even before talking about the confirmation system.

There’s no phone support, even for hacked accounts, so it takes many days of slow back-and-forth messaging between service staff and customers to get anything resolved.

I got a lot of friends excited about this game and a couple have been hacked, though in both cases those hacks probably would have been defeated by more competent security precautions on Arena.net’s part.

Posted by: Wraith.4103

Is this serious? LOLz
I mean, every single “thing” that gives you the option to change your e-mail sends a confirmation mail to your previous mail, not the new one.
Well I’m sure they know this already and will do something about it. (I hope)

There are so many ways to create better security; first of all:

1- Make a confirmation to the previous e-mail when you try to change your e-mail.

2- If you lost your e-mail for some reason and can’t confirm the change, you can use support, giving your key, the name that you used in the creation of the account/registration of the CD key (remember that we used real first and last names with the keys?) plus the name of one character, so you can change your e-mail without confirmation.

3- Use a PC confirmation, not an IP (Hotmail and STOnline have done that); IP changes every time and not so many have a REAL static IP. It can last long but it’s not static.
You can use PC confirmation to enter the game and the website.
They could even use both, IP and PC, for more security.

4- Keygen, like other games have done

5- Cellphone confirmation, like Korean games have and some e-mail providers (Google for example)

Adrian Faust – Human Mesmer
—-—Art Of Invasion [ART]——-
Gate of Madness

Posted by: Teknobug.3782

A confirmation step is what I’ve been complaining about; also adding a security question would help a great deal as well. This is something GW2 needs, since it’s standard in every other online game.

Yak’s Bend WvWvW’er [Mount Phoenix Imperials]
Intel i7 3770K @ 4.5GHz | 8GB G.Skill DDR3 1600 ram | Gigabyte R9 280X 3GB (14.2)
Win 8 Pro 64bit

Posted by: anonymouse.9053

Here’s a possible reason as to why so many accounts are being hacked.

!http://i3.photobucket.com/albums/y60/ShadowWolf81/GW2AccountProblem.jpg!

While the ‘forgot password’ option sends a confirmation e-mail to the account on file, if a hacker manages to ‘break’ your password and log in to the website, they are then able to IMMEDIATELY change your login credentials (which is basically your e-mail that is on file), and there is NO confirmation e-mail sent to the previous e-mail/login prior to this change taking effect. The change is immediate if done directly from the website.

If someone gets your email and password, your account can be compromised regardless of whether the person changes your password. If they sign into your account and take your gold, the damage has already been done even if they don’t change your password (or your email).

People are re-using the same login credentials at multiple locations. This is nothing new and it has been going on for years.

From a few years ago:
http://www.pcworld.com/article/188763/too_many_people_reuse_logins_study_finds.html

and more recently:
http://www.zdnet.com/one-in-five-hacked-logins-match-microsoft-accounts-7000000969/

People are reluctant to change their behavior, and there is not much ArenaNet can do if someone chooses to continue using the same email and password at various places.

Yes it would be nice if there was some kind of secondary authentication, such as a secret question or a hardware authenticator. But unfortunately some people would still have their accounts compromised even if they used two-factor authentication.

Posted by: Wraith.4103

If someone gets your email and password, your account can be compromised regardless of whether the person changes your password. If they sign into your account and take your gold, the damage has already been done even if they don’t change your password (or your email).

But it does not change the fact that the e-mail change does not ask for confirmation. It’s a simple and basic thing Anet just didn’t implement.
He can change my password, but when he changes my e-mail he will take my account.

I mean, who cares if it needs my IP to log in to my account if he’s got my e-mail? He will just allow his IP, done.

For example, a cracker can change my password, ok, but they will hardly get into my e-mail with 2 authentication methods because he will need my cellphone, so I’ll not lose my account. I can even lose items and everything else, but not my account, which I PAID for. Anyway, now he can just change my e-mail without ANY confirmation and get my account. So yes, it’s ArenaNet’s fault in this case.

Adrian Faust – Human Mesmer
—-—Art Of Invasion [ART]——-
Gate of Madness

Posted by: anonymouse.9053

If you lose access to your email account because you change ISPs, or for any other reason, and you want to change your GW2 email, and ArenaNet decides you have to confirm the change at your old email address, you won’t be able to change it. Not every site requires that you have access to your current email address if you want to change that address within the site.

If you are loose with your password, or if you keep using the same login credentials that you have used elsewhere, or if you share your account with others, or if you have malware on your pc, that’s not ArenaNet’s fault.

Posted by: Wraith.4103

If you lose access to your email account because you change ISPs, or for any other reason, and you want to change your GW2 email, and ArenaNet decides you have to confirm the change at your old email address, you won’t be able to change it. Not every site requires that you have access to your current email address if you want to change that address within the site.

If you are loose with your password, or if you keep using the same login credentials that you have used elsewhere, or if you share your account with others, or if you have malware on your pc, that’s not ArenaNet’s fault.

It is, that’s why support exists. If you do not have access to your old e-mail you can open a ticket and ask for help. You can give your key number, the first and last name you used in the registration of the key, the name of a character, your last e-mail, the name of your account (your forum name too) and the new e-mail you want to change to.
Not having a confirmation e-mail when you change your e-mail is one of the worst security practices I have ever seen.

Following your logic I can’t see why they used an “IP” confirmation, since it’s not their fault someone got your password and entered your account. Right? It makes even less sense when they try to block someone from entering your account in game but let that same someone enter your account in the browser to steal the account by changing your e-mail in seconds.

Adrian Faust – Human Mesmer
—-—Art Of Invasion [ART]——-
Gate of Madness

Posted by: anonymouse.9053

It makes even less sense when they try to block someone from entering your account in game but let that same someone enter your account in the browser to steal the account by changing your e-mail in seconds.

I see what you are saying. If I am understanding this correctly, what the account thieves can do is this…

1. Thief gets access to email and password (very easily done if people re-use credentials from site to site).
2. Thief signs into GW2 client when valid credentials are found. Thief can’t get in due to email verification. (They could just skip this step completely.)
3. Thief signs into web site using same valid email and password used in step 1. No verification needed other than email and password.
4. Thief changes email address to an email account he can access.
5. Thief signs into the client again. This time the verification email goes to the account he has access to.

The valid owner then can’t access his account because the thief has likely changed the email and the password.

If this indeed works as described above, it renders the email verification essentially useless.

It is still up to the account owner to ensure proper security of his own GW2 credentials, but if any kinds of safeguards are going to be added then they shouldn’t have holes like what’s described above, assuming those steps are correct.

Oh geez, this is what the op originally stated. This is what I get for skimming through posts and not reading them in their entirety.

(edited by anonymouse.9053)

Posted by: Widowmaker.5812

I thought it was obvious that people knew this is what the hackers were doing. I figured that out after the first time they stole my account. I’m still without an account now for 8 days.

One of the biggest issues I see with the premise that these hackers have a large list of emails and passwords to hack the ArenaNet security is that cycling through a list that large is a brute-force attack against a single URL and would appear as a DNS attack and should be REALLY easy to pick up by security.

Something just doesn’t add up for me that the sole vector of attack is an email/password list combination attacking the login URL/client.

Posted by: anonymouse.9053

I thought it was obvious that people knew this is what the hackers were doing. I figured that out after the first time they stole my account. I’m still without an account now for 8 days.

One of the biggest issues I see with the premise that these hackers have a large list of emails and passwords to hack the ArenaNet security is that cycling through a list that large is a brute-force attack against a single URL and would appear as a DNS attack and should be REALLY easy to pick up by security.

Something just doesn’t add up for me that the sole vector of attack is an email/password list combination attacking the login URL/client.

If there are thousands of legitimate people signing in every minute, or even hundreds, another hundred or two from a subset of IP addresses won’t likely trigger any detection assuming ArenaNet is looking at the total number of attempted logins.

Considering how often people re-use their credentials from site to site, if the ones doing the account hijacking were using a large list of emails and passwords, especially a list obtained from another game, it most likely wouldn’t take many login attempts to find valid GW2 credentials.

I’ve already seen many posts here and elsewhere from people admitting they re-used their email and password in GW2 that they also used elsewhere. And that’s just the ones I read about who were willing to admit it. I’m sure the vast majority don’t fess up.
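The point made above, that the total login count barely moves while a credential-stuffing run hides inside it, is easy to show with detection logic run over a login log. The following is an added example written for this page, not anything from ArenaNet or the thread; the log format (`<epoch> <source-ip> <account> <ok|fail>`), the addresses and the thresholds are all constructed assumptions. It compares the overall attempts-per-minute figure with a per-source check that counts distinct accounts tried from one IP inside a sliding window, which is the signal a reused-credential list produces.

```python
import re
from collections import defaultdict

# Constructed sample log (not real data): "<epoch> <source-ip> <account> <ok|fail>".
# 30 ordinary players from 30 addresses, one login each, interleaved with one source
# that walks a stolen e-mail/password list and gets two hits because of reuse.
LEGIT = "\n".join(
    f"{1000 + i * 2} 198.51.100.{i + 1} player{i:02d}@example.invalid ok" for i in range(30)
)
STUFFING = "\n".join(
    f"{1010 + i * 3} 203.0.113.7 victim{i:02d}@example.invalid {'ok' if i in (2, 6) else 'fail'}"
    for i in range(8)
)
SAMPLE_LOG = LEGIT + "\n" + STUFFING + "\n"

LINE = re.compile(r"^(?P<ts>\d+) (?P<ip>\S+) (?P<account>\S+) (?P<result>ok|fail)$")


def parse(text):
    """Parse log lines into (timestamp, ip, account, succeeded) tuples, sorted by time."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:  # skip malformed lines rather than crash on them
            events.append((int(m["ts"]), m["ip"], m["account"], m["result"] == "ok"))
    return sorted(events)


def total_rate(events, window=60):
    """The 'total number of attempted logins' view: attempts per window over the feed."""
    if not events:
        return 0.0
    span = max(1, events[-1][0] - events[0][0])
    return len(events) / span * window


def stuffing_sources(events, window=60, min_distinct=5):
    """Flag source IPs that try at least min_distinct *different* accounts inside any
    window. Legitimate users rarely exceed a handful; list-driven attacks do at once."""
    by_ip = defaultdict(list)
    for ts, ip, account, ok in events:
        by_ip[ip].append((ts, account, ok))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        lo, peak = 0, 0
        for hi in range(len(attempts)):
            while attempts[hi][0] - attempts[lo][0] > window:  # slide window start
                lo += 1
            peak = max(peak, len({a for _, a, _ in attempts[lo:hi + 1]}))
        if peak >= min_distinct:
            flagged[ip] = {
                "accounts_tried": peak,
                # accounts where the reused credentials worked: these need a forced reset
                "valid_hits": sorted(a for _, a, ok in attempts if ok),
            }
    return flagged


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    print(f"overall rate: {total_rate(evts):.1f} attempts/min over {len(evts)} events")
    for ip, info in stuffing_sources(evts).items():
        print(f"{ip}: {info['accounts_tried']} accounts tried, hits on {info['valid_hits']}")
```

The overall rate stays in the range a normal minute produces, so a volume alarm never fires; the per-source view flags `203.0.113.7` immediately and also lists the accounts whose reused passwords worked, which is the set to lock and reset before the attacker reaches the e-mail-change page.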

Posted by: Dragon Masher.5749

The hackers will just keep breaching accounts the same way after the first round of accounts get banned for gold farming/selling. They just move on to the next list of emails they have.

Posted by: Rhapsody.6173

Here’s a possible reason as to why so many accounts are being hacked.

!http://i3.photobucket.com/albums/y60/ShadowWolf81/GW2AccountProblem.jpg!

While the ‘forgot password’ option sends a confirmation e-mail to the account on file, if a hacker manages to ‘break’ your password and log in to the website, they are then able to IMMEDIATELY change your login credentials (which is basically your e-mail that is on file), and there is NO confirmation e-mail sent to the previous e-mail/login prior to this change taking effect. The change is immediate if done directly from the website.

If someone gets your email and password, your account can be compromised regardless of whether the person changes your password. If they sign into your account and take your gold, the damage has already been done even if they don’t change your password (or your email).

This is true, but ‘normally’ if they manage to get your password, they can only log onto your account and do things; they can’t outright take ‘control’ of the account without also having access to your e-mail account itself in order to get the ‘confirmation e-mails’ required to make any changes permanent.

The problem here is that there is NO confirmation sent when you change the LOGIN information. The only confirmation sent is to the NEW login. The old one gets nothing but the cheerful “hello, someone just changed your login on you, you’re FUBAR now until you spend 10+ days playing e-mail tag with support if it was not you that did this”.

Having an account hacked, and losing a bit of gold, or items, or even a full character is one thing.. you can recover from that and re-secure your account and move on.

100% losing control of the account, on the other hand, is a different matter.

Posted by: Rhapsody.6173

If you lose access to your email account because you change ISPs, or for any other reason, and you want to change your GW2 email, and ArenaNet decides you have to confirm the change at your old email address, you won’t be able to change it. Not every site requires that you have access to your current email address if you want to change that address within the site.

If you are loose with your password, or if you keep using the same login credentials that you have used elsewhere, or if you share your account with others, or if you have malware on your pc, that’s not ArenaNet’s fault.

If you lose access to the old e-mail, then you call support. That’s what they are there for, to help you when you have lost access to an ISP e-mail account, as you can give them the game’s CD key, your old e-mail, billing information, registration information.. and so on.

Allowing an immediate and non-confirmation-required change of this magnitude to be done is just kitten poor security practice.

Posted by: Rhapsody.6173

It makes even less sense when they try to block someone from entering your account in game but let that same someone enter your account in the browser to steal the account by changing your e-mail in seconds.

I see what you are saying. If I am understanding this correctly, what the account thieves can do is this…

1. Thief gets access to email and password (very easily done if people re-use credentials from site to site).
2. Thief signs into GW2 client when valid credentials are found. Thief can’t get in due to email verification. (They could just skip this step completely.)
3. Thief signs into web site using same valid email and password used in step 1. No verification needed other than email and password.
4. Thief changes email address to an email account he can access.
5. Thief signs into the client again. This time the verification email goes to the account he has access to.

The valid owner then can’t access his account because the thief has likely changed the email and the password.

If this indeed works as described above, it renders the email verification essentially useless.

It is still up to the account owner to ensure proper seccurity if his own GW2 credentials, but if any kinds of safeguards are going to be added then they shouldn’t have holes like what’s described above, assuming those steps are correct.

Oh geez, this is what the op originally stated. This is what I get for skimming through posts and not reading them in their entirety.

you’re close =) it’s more along the lines of:

1. Thief uses acquired e-mail/password to log into GW2’s website.
2. Thief clicks on ‘my account’ to bring up the account information.
3. Thief clicks inside the ‘change account login/e-mail’ box and types in a new e-mail.
4a. Thief instantly receives the ‘confirmation’ e-mail in the e-mail they just entered into the website.
4b. Victim gets a ‘hey! someone just changed your account information! you’re screwed if it wasn’t you!’ message.
5. Thief clicks the link and ‘confirms’.
6. Thief now has 100% control of the account without ever launching the client.
7. Thief logs into the patcher and clicks the little grey button to ‘re-confirm’ the new e-mail.
8. Thief logs in and does whatever the gold-farming SOBs do.
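The takeover steps listed above come down to one design decision: which mailbox receives the token that makes the e-mail change take effect. The following is an added example, not ArenaNet's code and not anything posted in the thread; the class and function names, the in-memory outbox standing in for a mail server, the token lifetime and the addresses are all assumptions. It models the reported flow (token to the NEW address, notice to the OLD one) beside a hardened flow (approval token to the OLD address plus a verification token to the NEW one, both required before expiry), then runs the attacker scenario from the list, where the thief has the site password and his own mailbox but not the victim's, against each.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field

VICTIM = "victim@example.invalid"        # constructed addresses, not real accounts
ATTACKER = "attacker@example.invalid"
OWNER_NEW = "owner-new@example.invalid"


@dataclass
class Outbox:
    """Stand-in mail transport: records every message so the simulation can read mailboxes."""
    sent: list = field(default_factory=list)

    def send(self, to, subject, body):
        self.sent.append({"to": to, "subject": subject, "body": body})

    def inbox(self, address):
        return [m["body"] for m in self.sent if m["to"] == address]


class ReportedFlow:
    """The flow the thread describes: the confirmation token goes to the NEW address and
    the OLD address only gets a notice. Whoever controls the new mailbox wins."""

    def __init__(self, email, outbox):
        self.email, self.outbox, self.pending = email, outbox, {}

    def request_change(self, new_email):
        token = secrets.token_urlsafe(16)
        self.pending[token] = new_email
        self.outbox.send(new_email, "Confirm your new e-mail", token)
        self.outbox.send(self.email, "Your e-mail address was changed",
                         "Someone -hopefully you!- has requested to change the email address")

    def confirm(self, tokens):
        for t in tokens:
            if t in self.pending:            # any valid token presented applies the change
                self.email = self.pending.pop(t)
                return True
        return False


class HardenedFlow:
    """Approval token goes to the OLD address, verification token to the NEW one; the change
    applies only when both are presented before they expire. An attacker holding just the
    site password and his own mailbox never sees the approval token."""
    TTL = 3600  # seconds; assumed lifetime

    def __init__(self, email, outbox):
        self.email, self.outbox, self.pending = email, outbox, None

    def request_change(self, new_email):
        self.pending = {"new_email": new_email,
                        "approve": secrets.token_urlsafe(16),
                        "verify": secrets.token_urlsafe(16),
                        "expires": time.time() + self.TTL}
        self.outbox.send(self.email, "Approve e-mail change", self.pending["approve"])
        self.outbox.send(new_email, "Verify your new e-mail", self.pending["verify"])

    def confirm(self, tokens):
        p = self.pending
        if p is None or time.time() > p["expires"]:
            return False

        def held(want):  # constant-time comparison against every presented token
            return any(hmac.compare_digest(t, want) for t in tokens)

        if not (held(p["approve"]) and held(p["verify"])):
            return False                     # one token alone is not enough
        self.email, self.pending = p["new_email"], None
        return True


def change_attempt(flow_cls, new_email, readable_mailboxes):
    """Log in with the (reused) password, request the change, then present every token
    found in the mailboxes this actor can actually read. Returns the final account e-mail."""
    outbox = Outbox()
    account = flow_cls(VICTIM, outbox)
    account.request_change(new_email)
    held = [body for addr in readable_mailboxes for body in outbox.inbox(addr)]
    account.confirm(held)
    return account.email


if __name__ == "__main__":
    print("reported flow, attacker:", change_attempt(ReportedFlow, ATTACKER, {ATTACKER}))
    print("hardened flow, attacker:", change_attempt(HardenedFlow, ATTACKER, {ATTACKER}))
    print("hardened flow, owner:   ", change_attempt(HardenedFlow, OWNER_NEW, {VICTIM, OWNER_NEW}))
```

Under the reported flow the attacker ends up as the account's e-mail without ever touching the victim's mailbox; under the hardened flow the same attacker is stuck, while the real owner, who can read both addresses, still completes the change. The lost-old-mailbox case raised later in the thread is deliberately left to a support path rather than weakened here: a self-service fallback that skips the old-address token is exactly the gap the attack exploits.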

Posted by: DrakeWurrum.6049

Just an update on this.. there apparently ‘is’ a confirmation e-mail… though its being sent to the NEW e-mail.. not the OLD e-mail.

Woah. Talk about a really bad keystroke mistake! :S

Hope they fix that immediately.

I hope you haven’t forgotten my role in this little story. I’m the leading man.
You know what they say about the leading man? He never dies.

Posted by: DrakeWurrum.6049

I would like to add that, when I changed my e-mail credentials to one of my numerous “secondary” e-mails, I did not get a confirmation on either account. However, this may not mean anything, as I’m still accessing my account from an authorized IP address.

Also, oddly enough, when I “changed” the e-mail address, pushed to save it, and then went to change it back, I got a prompt saying “there’s an already an account using this e-mail” and err… well, it looks like my e-mail credentials weren’t actually changed to begin with.

I don’t have any other computer that I can use freely with a different IP. :S

I hope you haven’t forgotten my role in this little story. I’m the leading man.
You know what they say about the leading man? He never dies.

Posted by: Vanadiel.6407

I just changed my own account, and the confirmation e-mail is only sent to the new e-mail address.
The old e-mail address only receives a confirmation the e-mail address was changed, and they hope it was you who changed it.

I have a very simple suggestion to avoid account hijacking and allow people to reset their own account :

- The e-mail address you used to purchase the digital copy of the game, which is linked to your serial code, cannot be changed or used as an account e-mail.
- Should your account be compromised, you can use that e-mail address, the serial code and a character name to recover your account.

It would stop the high volume of support calls and people would not have to wait hours and hours to have their account unlocked.

Posted by: Vanadiel.6407

Another possible reason could be tabbed browsing and a malicious website grabbing your account name when you are logged into the forums.

I mean, is it really necessary to display your account name in plain text in the top right corner of this forum?

Posted by: Wraith.4103

It makes even less sense when they try to block someone from entering your account in game but let that same someone enter your account in the browser to steal the account by changing your e-mail in seconds.

I see what you are saying. If I am understanding this correctly, what the account thieves can do is this…

1. Thief gets access to email and password (very easily done if people re-use credentials from site to site).
2. Thief signs into GW2 client when valid credentials are found. Thief can’t get in due to email verification. (They could just skip this step completely.)
3. Thief signs into web site using same valid email and password used in step 1. No verification needed other than email and password.
4. Thief changes email address to an email account he can access.
5. Thief signs into the client again. This time the verification email goes to the account he has access to.

The valid owner then can’t access his account because the thief has likely changed the email and the password.

If this indeed works as described above, it renders the email verification essentially useless.

It is still up to the account owner to ensure proper seccurity if his own GW2 credentials, but if any kinds of safeguards are going to be added then they shouldn’t have holes like what’s described above, assuming those steps are correct.

Oh geez, this is what the op originally stated. This is what I get for skimming through posts and not reading them in their entirety.

you’re close =) it’s more along the lines of:

1. Thief uses acquired e-mail/password to log into GW2’s website.
2. Thief clicks on ‘my account’ to bring up the account information.
3. Thief clicks inside the ‘change account login/e-mail’ box and types in a new e-mail.
4a. Thief instantly receives the ‘confirmation’ e-mail in the e-mail they just entered into the website.
4b. Victim gets a ‘hey! someone just changed your account information! you’re screwed if it wasn’t you!’ message.
5. Thief clicks the link and ‘confirms’.
6. Thief now has 100% control of the account without ever launching the client.
7. Thief logs into the patcher and clicks the little grey button to ‘re-confirm’ the new e-mail.
8. Thief logs in and does whatever the gold-farming SOBs do.

And just to add, if we got an e-mail confirmation at the previous e-mail, not the new one, assuming the e-mail password is not the same as the game’s, or even better assuming the e-mail has two-way authentication like mine, which requires my cellphone to confirm the login (Gmail), it’s nearly impossible for someone to STEAL an account, because even if the cracker has changed my password I can get another one using my e-mail, which he could never enter no matter what (only if he steals my cellphone too lol).
Then we get a system that actually works. The IP will block the entrance into the game, the two-way authentication will block entry into the e-mail and the confirmation e-mail will block them from stealing someone’s account.

So in this case the only possible ways I know are using remote access to enter the game using someone’s account ON someone’s PC (to use the IP) or invading someone’s Internet (to use the IP), and even that way he could only get into the game to mess up there, but not make you lose your account. lol That way a cracker will lose so much time that it will not be worth it at all.

Adrian Faust – Human Mesmer
—-—Art Of Invasion [ART]——-
Gate of Madness

(edited by Wraith.4103)

Posted by: Vanity.2506

My husband’s account was stolen this morning and the account e-mail was changed. In an effort to prevent the same from happening to mine, I’ve been trying to change my information. I have managed to change the password. However, when I attempt to change the account e-mail nothing happens. I receive no notice that the change was made on the account screen, in fact, the account e-mail field reverts to the original. I have not received any e-mail notification to either address that an attempted change was made (even when I changed the password).

So, if I am unable to change my account e-mail, how is it that just hours ago the thief of my husband’s account was able to complete the process successfully??

Vanity Lionheart
That which yields is not always weak.

Posted by: Wraith.4103

Maybe they have made that change now. There was a guy in another topic with the same problem.
Submit a ticket for your husband and make a topic here with the ticket and the problem to help the solution come faster. At least sometimes someone from Anet comes here to see the problems; support is taking more time than it was supposed to.

Adrian Faust – Human Mesmer
—-—Art Of Invasion [ART]——-
Gate of Madness

Posted by: Lady Lozza.9670

It is, that’s why support exists. If you do not have access to your old e-mail you can open a ticket and ask for help. You can give your key number, the first and last name you used in the registration of the key, the name of a character, your last e-mail, the name of your account (your forum name too) and the new e-mail you want to change to.
Not having a confirmation e-mail when you change your e-mail is one of the worst security practices I have ever seen.

Wraith, let me give you a little insight into a game called RIFT and the support of Trion Worlds staff when I attempted to change my email. The Trion Worlds database was compromised maybe 18ish months ago. They told players and asked them to change passwords – problem was email confirmation. Now I thought exactly the way that you thought, I have the game key, I have all the other information, surely I can get my account back.

The email address that I had been using had ceased to exist while I was away on a business trip some weeks prior to the hacking incident. However since all I needed to access my account was the login and password (and I could provide all the other details like address, key etc) it shouldn’t be a problem. I even logged in to the account to ask support the question asking them to change my email so I could receive the please change password and confirm email. Since I could read support emails on the site it didn’t matter that the email address I used for that account no longer existed. Except that it did. There was no way I could convince Trion Worlds Support that I was me. Not my credit card details, history of account details, not game key, not last receipt number for subscription, nothing. The one and only way I could get my account back was to click the confirmation email for password change in the email account which no longer existed. Now keep in mind all this time I could not play the game – shut out for security reasons sub being paid and I couldn’t cancel the sub payment because that required an email confirmation too.

I ended up having to go back to my old email provider and asking them to temporarily setup an account with my old credentials in order to be able to get my password then my email changed. I had hoped it would only be a matter of days. Password was easily confirmed once the email popped back into existence but changing my email was another nearly 3 month saga – at least though I could cancel my sub during that time.

I was exceptionally lucky my old provider did as I asked without charge and kept it open much longer than I had intended and had been agreed between us. I rather doubt that providers like ComCast or AOL would do this.

Amazon was much the same when I tried to change my email. Not connected to old account, cannot change it. Although Amazon did fix it in a matter of hours when I got access to the old address.