Guild Wars 2

Email Authentication

We have a feature in place, email authentication, that’s designed to help keep your account secure even if a hacker does know your account name and password.

Here’s how it works. When you first login, we ask you to validate your email address. After that, whenever you attempt to login from a new location, we send email asking you to approve or deny the login attempt.

So keep in mind, if you ever see an unexpected email asking you to validate a login attempt from a location where you’re not playing from, that means a hacker already knows your account name and password! The only thing that’s keeping him from logging in as you is the email authentication system! Change your password immediately.

Unfortunately, even with this system in place, people still get their accounts hacked. Here’s how:

First, about a third of players haven’t verified their email address yet. We can’t require email authentication for players with unverified email addresses.

Second, in many cases hackers have stolen credentials for the player’s email account too, and thus can access the authentication email message and approve their own login attempt. In particular this happens because people use the same password for their email account as they do for their Guild Wars 2 account and other accounts.

So, to be protected, be sure to verify your email address, and be sure to use a different password for your email account than you use for your game account.

Two-Factor Authentication

With email authentication in place, you can further protect your account by setting up two-factor authentication on your email account. Which, honestly, is a good idea anyway. Using email authentication this way protects your account in a very similar way to typical game implementations of two-factor authentication: the game will challenge any login attempt from a new location in a way that you’ll have to use two-factor authentication to approve.

We know customers also want a native implementation of two-factor authentication, and we want it too. This is an area where we should act faster as a company, and we’re going to. We had our own homegrown implementation of smartphone two-factor authenticator in testing, but we’re going to pull it back and instead integrate Guild Wars 2 with Google Authenticator, which already has robust authenticator implementations on most major smartphone platforms. This feature is already rolled out and ready to be used.

You can find all these options under My Account > Security or by visiting https://account.guildwars2.com/account/security

Two-factor authentication is a great tool for security-conscious customers to protect their accounts. But we know it will take time to get a significant portion of our customer base to adopt two-factor authentication, and in the meantime people are getting hacked every day by creating accounts with account names and passwords that hackers already know. So we need a solution that can protect everyone, not just the most security-conscious, and do it quickly. Thus we’ve rolling out our next initiative, password blacklisting.

Password Blacklisting

Since we’ve been observing hackers constantly scanning accounts that don’t even exist yet, waiting for someone to create those accounts, we obviously want to make sure that if those new customers do join the game, they don’t use the password that the hackers are waiting for. Thus we’re building a blacklist of all the passwords that hackers are scanning for — it’s already at 20 million passwords and growing — and we’re preventing new customers from choosing any of those passwords. (The blacklist contains passwords only, not account names.)

This system has substantially eliminated hackers’ ability to steal new accounts, as all new accounts now cannot possibly match what the hackers have been scanning for. The rate of account hacking was about 1.5% for accounts created before this blacklist was in place, and is about 0.1% for accounts created after.

Because this has been so successful at protecting new accounts, we want to extend it to protect existing accounts too. But it’s harder for us to know whether passwords of existing accounts are known to hackers: it’s difficult to distinguish between a login attempt by the real customer and a login attempt by a hacker.

When you change your password, the system won’t allow you to pick your previous password, or any password that we’ve seen tested against any existing or non-existent account. Thus, after changing your password, you’ll be confident that your new password is unique within Guild Wars 2. (However, your password only stays unique if you then don’t use it for other games and web sites, so please don’t!)

By the way, if you have trouble thinking of a new unique password, now that millions of possible passwords are blacklisted, we advise you to build a password out of four random words, as shown in this comic strip . Use a password like “correct horse battery staple”. As the comic strip calculates, even if everyone selects their words from the same 2,000 most common words, that’s still 16 trillion possible passwords.

Best Practices

Phishing – If an email links you to a site that asks you to type in your password, don’t type in your password. It could be a fake site. Go to the real account management site by typing “account.guildwars2.com”, or use a bookmark.

Social engineering – If someone claims to work for ArenaNet or NCsoft and asks you for your password, don’t tell them your password. Our customer support team doesn’t need your password.

Trojan horses and Spyware – Don’t download and run software, or open files attached to emails, from a source you aren’t 100% sure about. Malicious software can install a keylogger on your system to record your passwords and transmit them.

Email security – Keep the email address associated with your Guild Wars 2 account secure, just like you keep your Guild Wars 2 account itself secure. Use a strong, unique password there too, which you’ve never used anywhere else.

The Root Cause

Why do hackers work so hard to steal accounts? Because they make money from it.

Real-money trading companies want to sell you gold for cash. To do that, they have to collect the gold, and they have to advertise it. They collect gold by looting it off stolen accounts, and by using stolen accounts for botting. They advertise it by using stolen accounts for spamming.

If people wouldn’t buy gold from these real-money trading companies, the cash incentive to steal accounts would disappear. We’d see almost no account hacking, account looting, organized botting, or spamming ads.

We used to think wistfully about that with the original Guild Wars, and posted challenges to our players to stop supporting the real-money trading companies. But we knew that it was ultimately a lost cause. You can’t stop people from buying something they want to buy.

So with Guild Wars 2, we legitimatized buying gold, but did it in a way that puts the power in the hands of the players, not in the hands of the real-money trading companies. Players who want to buy gold can now do it in the game, in an open market with other players, trading gold for gems, which the receiving players can use to buy any microtransactions they want but can’t convert back to cash. As long as players purchase their gold this way, there isn’t a flow of cash back to the real-money trading companies, and thus there isn’t a profit incentive to hack accounts.

So the roots of our protection go deep into the design of Guild Wars 2, and we’ll leverage that design to keep Guild Wars 2 a safer environment than traditional MMOs.

But nothing is black-or-white. No matter how much we remove profit incentive, the fact remains that Guild Wars 2 is a popular game, and any popular game will attract hackers. So we keep security at the forefront of everything we do. We introduce new features, such as email authentication, two-factor authentication, and password blacklisting, to help keep accounts secure. We maintain an open dialog with our players about what the real threats are, so that players know how to protect themselves. And we have a team of GMs standing by to help those who do get hacked.

Although this post may duplicate some information shared above, I want to post it here because it contains vital information related to account compromise incidents and e-mail accounts:

Account and E-mail Compromise Incidents

We are finding that nearly every time a game account is compromised, the e-mail account is also compromised. Many times, hackers are clever enough to mask their access to the e-mail account, rendering that illicit access invisible to the user. That is, the legitimate e-mail account holder is not even aware that the e-mail account is being accessed by a hacker.

But although we often are told “My e-mail is secure” we also frequently note that the account hacker has deleted authentication authorization requests related to the hacking location, or has deleted e-mailed receipts. The hacker hides his access by removing auth e-mails and steals the serial code and/or order number and deletes it so the legitimate owner no longer can find that vital info.

You can see this yourself when you read forum threads and the player says, “I cannot locate my receipt e-mail” or “I must have deleted my receipt.” Actually, in most cases that statement points to the e-mail account having been hacked, with the various “proofs of ownership” now being solely in the hands of the hacker (after being deleted so the owner can’t get to them). And, sadly, you see this when someone states “The only authentication e-mails are my own access points” but one or more additional authorization requests were sent but were deleted by the hacker.

Basically, even if someone believes his/her e-mail is secure, a hacker very often is in the account and is intercepting mails or authorizing access to the stolen account.

Specific questions to ask if your GW2 account has been compromised:

1. Do you have e-mail or mobile authentication? Great!
2. Are you using or have you every used your GW2 password anywhere else? That’s a recipe for disaster.
3. Are you using a unique e-mail account for GW2 only? That’s a very good idea.
4. Have you reset your e-mail password recently?
5. Do you have authentication on your e-mail account, where it verifies access to your e-mail account through a mobile device or an alternate e-mail account?

We will help you with your compromised account but if you were hacked after installing e-mail authentication, the consensus is that someone has access to your GW2 account credentials and your e-mail account.