Guild Wars 2

Security Suggestions for GW2 Accounts

Further to a reply from one of the GMs earlier today, he suggested that I post some of the ideas I had, after being hacked for the fourth time recently. I would like all to post any further ideas and any pros or cons to any of the suggestions.

One of the problems of being hacked for the first time is that the original e-mail from Anet with your game code is stolen/copied and then deleted from your e-mails – giving them ‘ownership’ or ‘proof of’. So, when you do send in a ticket to Support, this information is not available to you.

I suggest a more robust multiple layer system, much like Online Banking. The choice of Mother’s Maiden Name, Pets Name, First School, etc should be used. Also a 5 digit number, whereby every time a choice of two of those digits is used. In addition, a memorable name should also be included. All of this is pretty standard for Online Banking. Maybe, Anet could supply (at a price) a calculator authenticator (such as Barclays Bank use).

One of the main attractions to hackers is the ‘high-end’ armours, bags, weapons, mini-pets and other collectables. There should be an option, whereby the player can soul-bound or account-bound these items. This would have a two fold effect, in not only protecting the items, but the economy as well, should the account be hacked. At the very least this option should be available at the Exotic, Ascended and Legendary level. At least the original Guild Wars had the option of account-binding the mini-pets and some armours.

Please do not use this thread as a rant about hacking or that its your fault for having lax security etc etc. This thread needs to be constructive ………………. we maybe able to change things. Thanks.

They should have free choice security questions and answers. That way players can put in questions and answers that they are highly sure only they know.

Of you change your password or communicate with support you have to answer those questions.

Guild banks and vaults should have the option of having a password. One more thing a hacker would have to figure out. Especially since support can’t roll back guild banks.

And remember have unique passwords for anything critical. Emails used for resetting those critical sites’ passwords should also have unique passwoeds

Seera.5916:

They should have free choice security questions and answers. That way players can put in questions and answers that they are highly sure only they know.

One problem with this is that many personal details are shared through social media and a little digging can turn up common answers like pets names and where a person grew up. Others enter nonsense answers like “first pet’s name:” “broccoli,” then forget the answers because they don’t match the questions. So either your just as vulnerable or you end up contacting support to talk your way around not knowing the security answers.

It’s approximately as secure as requiring info like credit card identifiers (Mastercard, exp 2019, -1234) and account authorization numbers, character names etc. but it’s not more secure than anything they do now.

Dana Hawkeye.9724:

One of the problems of being hacked for the first time is that the original e-mail from Anet with your game code is stolen/copied and then deleted from your e-mails – giving them ‘ownership’ or ‘proof of’. So, when you do send in a ticket to Support, this information is not available to you.

The first time I was hacked, the hacker had my product code (though I bought the boxed version of the game, so still had the code available to me). As a one-time courtesy, I was provided with a new product key.

I suggest a more robust multiple layer system, much like Online Banking. The choice of Mother’s Maiden Name, Pets Name, First School, etc should be used. Also a 5 digit number, whereby every time a choice of two of those digits is used. In addition, a memorable name should also be included. All of this is pretty standard for Online Banking. Maybe, Anet could supply (at a price) a calculator authenticator (such as Barclays Bank use).

As tolunart has pointed out, answers to such questions could be readily available – and not all users will put in nonsense answers into those fields. Perhaps simply providing a second (and even third) unique, secure password could be an option? Support would know THIS password, which would (hopefully) not even slightly resemble your log-in password.

I like the idea of a passnumber.

One of the main attractions to hackers is the ‘high-end’ armours, bags, weapons, mini-pets and other collectables. There should be an option, whereby the player can soul-bound or account-bound these items. This would have a two fold effect, in not only protecting the items, but the economy as well, should the account be hacked. At the very least this option should be available at the Exotic, Ascended and Legendary level. .

Most armour is soulbound or account bound on use. If we were somehow able to make these items unsalvagable, they would become much less enticing to hackers.

Gaile Gray.6029:

• Data shows that authentication helps a great deal, especially mobile authentication. It’s not flawless, but it’s extremely effective at reducing account thefts.

Is there any way to make the game’s mobile authentication NOT reset upon a username change? And for those players without smartphones, how unfeasably expensive would it be to offer the call/text verification provided by many email services?

The process of turning ON and OFF mobile authentication needs to be reviewed (IMO). This SHOULD be an iron clad method to prevent account hacks, but the fact that it can be rather easily bypassed (via identity theft) thru Support makes it a simply another step hackers need to take to compromise an account.

Also, in the OPs situation, WHY cannot the account be flagged or otherwise noted that NO changes should be made to the account based on the original purchase information if it is KNOWN that this information is compromised? Those situations would seem to require some special handling if for nothing more than continued protection of the account AND simply wasting both Support and Player’s time.

Another way to secure your Anet account/s is to go to the NC soft site and create a master account. Make sure that you have your game numbers. Also do not use your keyboard to put the numbers or anything in use the on screen keyboard. Those are not able to be keylogged from what I understand.

An NC soft master account lets you change your pass and even your contact email if needed on the NC soft games you have. If you have your GW account bound with your GW2 account then it will show only GW account, but anything you change on that will change on the GW2 account. Even if someone steals your GW/2 accounts through your email they cannot get the NC soft master account to do that if you use a second email for that. Just a suggestion as a back up if someone hacks your account use the NC soft account to change your pass and log back in kicking them back out they won’t know what happened.

Chyanne Waters.8719:

Another way to secure your Anet account/s is to go to the NC soft site and create a master account. Make sure that you have your game numbers. Also do not use your keyboard to put the numbers or anything in use the on screen keyboard. Those are not able to be keylogged from what I understand.

An NC soft master account lets you change your pass and even your contact email if needed on the NC soft games you have. If you have your GW account bound with your GW2 account then it will show only GW account, but anything you change on that will change on the GW2 account. Even if someone steals your GW/2 accounts through your email they cannot get the NC soft master account to do that if you use a second email for that. Just a suggestion as a back up if someone hacks your account use the NC soft account to change your pass and log back in kicking them back out they won’t know what happened.

You can not associate a Guild Wars 2 account with a Master NCSoft account.

Important Note: You cannot link your Guild Wars 2 account to the NCSOFT Account Management (NCMA) system or link the two games through your NCMA. In addition, you do not need access to your existing NCMA to purchase Guild Wars 2 or to link it to your existing Guild Wars account.

https://help.guildwars2.com/entries/28147506-Guild-Wars-Accounts-Their-Effect-on-Guild-Wars-2

How about a password or a pin on your bank and when you try to sell or buy items it worked very well on good old Runescape

Honestly, having never been hacked in any MMO I’ve played in over 13 years, I don’t see what all the fuss is about. I’ve had my account IDs, emails and game keys leaked through database hacks (pretty persistent 2-4 years ago and still on-going but to a lesser degree) yet still never gotten hacked (not through lack of trying, I still get a few emails every month from games I’ve long quit with “forgot your password?”).

Some tips I use though:
1. I keep a separate email I use for games and other secure accounts such as online banking and paypal. Everything else goes to a main email (including game accounts I don’t care much about and have actively shared different account/password info with other people, they haven’t gotten hacked either)
2. Firewalls don’t matter. Don’t go to seedy websites (to download pirated software and such). Hacking technology outpaces security technology by miles and simply visiting those websites will install worm/trojan viruses and keyloggers. Use programs such as “sandboxie” or virtual desktops (google them).
3. Mobile authenticators might help, but I find them a waste of time (experience with blizzard authenticator, I’m starting to hate it ><). Same with in-game PINs. If you take appropriate steps to keep your computer clean, you won’t need them.
4. Keep off “fan” sites. Many of these sites might ask you for your in-game ID and require your email. Add some self-installing malware on the homepage of those sites. Boom – your account may as well be theirs. Stick to large, reputable sites (IGN, Neoseeker, Kotaku, official ANet or ANet endorsed forums etc.)