On behalf of my dear friend.

in Account & Technical Support

Posted by: Wootskittles.7438

On behalf of my friend whom I am currently talking to via Skype. Why on this God’s earth has Arena-net not implemented a system that you need to CONFIRM via email a change in email? If I have got this straight, you need only the username and password to permanently steal an account.

I don’t mean to be rude, but the pain and hurt that every single one of the people’s accounts who have been hacked, which is an act of CRIMINAL THEFT, could have been prevented by any system in place that required a security question, an email confirmation, or could at least be reverted through a process via phone line in which they personally confirm their identity.

I absolutely love this game and this company for the product they have put out. But why in the hell have you allowed the weakest system of protection available on the internet to be present for your new blockbuster game? I am calling you out on this Arena-net. You have the power to fix it. Please do!

Edit:

IN SHORT:

Problem:
You do not need to confirm change in password or change in email. If your email gets changed it sends your old email a message to the effect of, ‘Your email has been changed, I hope it was you.’

Question:
I’m sorry this is okay how Arenanet? This allows a thief to obtain COMPLETE control of your account, instead of having a security question or confirmation email to prevent account theft. Account theft (it’s entirely gone) and account hacking (my stuff is gone) are two different things!

(edited by Wootskittles.7438)

Posted by: Poppyseed.4859

Definitely sounds like something they should implement

Posted by: EndOfTheLinePunk.8273

This is fairly ridiculous that something like this has not been done.

Posted by: Wootskittles.7438

I would also like to add, despite the fact I like the confirmation system on logging in from a new location. That REALLY doesn’t help him when they logged into the site first, and changed his email to their own. That part by the way, does NOT require confirmation. I am only asking for a fix Arenanet.

Posted by: Nitro.4732

Two Factor Authentication has been around for a long time now and offers additional security to accounts, and with lots of people now having smart-enabled devices like Android / iOS phones and tablets it’s very easy to implement. Google offers a free Two Factor Authentication service which has all the ground work covered and supports many platforms; having this would fix a lot of Anet’s problems. Blizzard has been using it for ages now, and I must admit their focus on account security is far superior to that of Anet’s.

CoolerMaster Masterbox 5 | H110i | AMD Ryzen R7 1800x 4.0GHz | 32GB DDR4
512GB Samsung 950pro | 2TB SATA-3 | AMD Radeon RX 580 8GB

Posted by: Eddard.2930

At least SW:TOR did that right.

I want to die peacefully in my sleep like my grandfather. Not screaming like the people in his car.

Posted by: webmc.6580

I can’t believe Anet has completely turned its back on account security like this. There are FREE MMOs that HAVE better security. I’m a paying customer and I deserve more protection than this. Had I known this would be an issue before I bought it, I would have taken my hard earned money elsewhere…

Posted by: Wootskittles.7438

Literally, if you knew a friend’s account information and one day decided you hated him, there is nothing they can do. I still don’t understand how you can allow someone to change your email without confirming it via your old email. Or changing your password without answering a security question. I figured that was a universal rule of making websites. I mean 5$ forums that you can buy off cheap websites have that.

Posted by: Pallu.3120

I believe it’s called cutting corners and blaming their customers for not having different emails for everything you do. I do agree we should take steps on securing our private information, but it’s always nice to know the company that you paid for a service has your back.

Posted by: Holmes.9362

I’m not defending Anet here, but shouldn’t people take at least some responsibility for their own account security?

Posted by: Gaile Gray

ArenaNet Communications Manager

If someone has your account name and password, how do you suggest that we protect the account? We have one form of authentication and will soon have another. We’re putting in safeguards for players. But in the end, those being affected by this problem are not using appropriate security measures, most likely are using credentials that were used elsewhere, giving a would-be thief the info s/he needs to steal the GW2 account.

Gaile Gray
Communications Manager
Guild & Fansite Relations; In-Game Events
ArenaNet

Posted by: ares ragnos.8532

I don’t understand how you can say if someone has your account information. My account was hacked yesterday (I’m using my husband’s right now) and the email address, yes I use elsewhere but my GW password is unique to it, the only other place this hacker could have gotten it is from GW1?! Just wondering how that may have happened…

Posted by: Wootskittles.7438

In every website or game I have ever been a part of, there is a security question involved in changing major pieces of information, or there is an email confirmation. In your present system, there is neither and it allows for the hackers to take COMPLETE control of the account without the user being able to do anything about it.

In everything I have ever been familiar with, the most a hacker can do is change your password and steal all of your stuff. Now, they can even seize complete control over the account by changing the email and log in name. I respectfully don’t understand how you do not realize this.

P.S. I would like to add that if either of those systems were implemented, even if hackers could ‘hack’ your account, you would not have tickets and posts from people saying ‘PLEASE GET MY ACCOUNT BACK, I haven’t been able to play for a week’; you would only get ‘where is all my stuff, I was hacked’. If you had systems in place, the users could fix most of the issues themselves.

Posted by: Ritz.6597

I have seen “hacked” messages all over the forum, but I am cherry picking this one because Gaile has asked for suggestions on how to improve.

“…in the end, those being affected by this problem are not using appropriate security measures, most likely are using credentials that were used elsewhere, giving a would-be thief the info s/he needs to steal the GW2 account.”

This is true. Even if you guys required a username like “Ritz” rather than an email address, if I have another account online named Ritz with the same password, I’m just as exposed.

“If someone has your account name and password, how do you suggest that we protect the account?”

Many people call for a confirmation, but as long as the thief uses a real email address, requiring a confirmation isn’t going to help much when the confirmation email is sent to the “new” address.

But I don’t think this is what people mean or expect, even if the following isn’t practiced very often. What if the policy was to require a confirmation from the pre-existing address (or perhaps… both)?

Sure, this would lock out users who no longer have access to their old inbox… but I think that in most cases, users are moving from one valid address to another.

tl;dr: Require a confirmation when changing the email address that must be approved from both the old inbox as well as from the new inbox. This would seriously limit the number of customers who have lost all methods of recovery due to hacking.

Would it not be a lighter burden to deal with occasional lockout due to changing ISPs and losing access to an old inbox, rather than deal with the constant stream of “help, I’ve been hacked” tickets?

“We have one form of authentication and will soon have another. We’re putting in safeguards for players.”

This is good news, please consider everyone’s suggestions, although I am sure you do.

Fall, Goliath, Fall
Fall Goliath
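
The policy proposed in the post above (an email change takes effect only after approval from both the old and the new inbox), as an added example that is not part of the thread and not ArenaNet's code. The class, its field names, the in-memory `outbox` standing in for a mailer, and the 24-hour token lifetime are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 24 * 3600  # assumed validity window for confirmation links


class EmailChangeService:
    """Email change that takes effect only after BOTH inboxes confirm."""

    def __init__(self):
        self.emails = {}    # account id -> current email
        self.pending = {}   # account id -> pending change record
        self.outbox = []    # (recipient, token) pairs; stands in for a mailer

    @staticmethod
    def _digest(token):
        # Store only a hash so a leaked pending table yields no usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def request_change(self, account, new_email, now=None):
        now = time.time() if now is None else now
        old_tok, new_tok = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.pending[account] = {
            "new_email": new_email,
            "expires": now + TOKEN_TTL,
            "need": {"old": self._digest(old_tok), "new": self._digest(new_tok)},
        }
        # The old inbox gets an approval link, not an after-the-fact notice.
        self.outbox.append((self.emails[account], old_tok))
        self.outbox.append((new_email, new_tok))

    def confirm(self, account, token, now=None):
        """Return True only when this confirmation completes the change."""
        now = time.time() if now is None else now
        p = self.pending.get(account)
        if p is None:
            return False
        if now > p["expires"]:
            del self.pending[account]   # stale request: nothing changes
            return False
        d = self._digest(token)
        for side, want in list(p["need"].items()):
            if hmac.compare_digest(d, want):
                del p["need"][side]
        if p["need"]:
            return False                # still waiting on the other inbox
        self.emails[account] = p["new_email"]
        del self.pending[account]
        return True
```

Someone who holds only the password and the new inbox can confirm the "new" side as often as they like; the stored address does not change until the token mailed to the old inbox is presented within the lifetime.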

Posted by: Gaile Gray

ArenaNet Communications Manager

“This is good news, please consider everyone’s suggestions, although I am sure you do.”

Absolutely!

Gaile Gray
Communications Manager
Guild & Fansite Relations; In-Game Events
ArenaNet

Posted by: Wootskittles.7438

“What if the policy was to require a confirmation from the pre-existing address”

This has been what I have been saying! Also, the post ‘Hackers and You’ I (and other people) have said the same thing.

Posted by: Wootskittles.7438

Does anyone know if Anet’s new security measures are active yet?

Posted by: Nitro.4732

No, they are not. The email validation service is running but I wouldn’t call that “security”. To be honest Two Factor Authentication would solve any problems that currently exist. It could be an opt-in service that once enabled by the end user means anything you want to change would require a new one-time auth key from the user as well as their password. It would also prevent accounts being hacked in the first place even if the attacker knows both the email address and the password. Coupled with GEOIP restrictions to log in systems it would be extremely hard for an attacker from France to gain access to someone’s account in Sweden.

@ GaileGray, has Anet even considered this? Why have they not implemented this technology? It’s proven itself over the years, so much so that even bank accounts are now commonly protected by such methods.

CoolerMaster Masterbox 5 | H110i | AMD Ryzen R7 1800x 4.0GHz | 32GB DDR4
512GB Samsung 950pro | 2TB SATA-3 | AMD Radeon RX 580 8GB

Posted by: Saraphim.1230

“If someone has your account name and password, how do you suggest that we protect the account? We have one form of authentication and will soon have another. We’re putting in safeguards for players. But in the end, those being affected by this problem are not using appropriate security measures, most likely are using credentials that were used elsewhere, giving a would-be thief the info s/he needs to steal the GW2 account.”

Simple email authentication would be a start, no? Rather than a patronising ‘oops we hope it was you!’ message?

“most likely are using credentials that were used elsewhere”

Like in Guild Wars 1? Mine and my hubby’s accounts were linked on April 10th to our original game accounts. We even pressed the ‘please use a new email address, and here it is’ buttons to make sure we could use more current details.

But when the beta came, we found the details were still the same.
When the game launched the details were still the same.

I’ve tried to change my email address to a more current one, but when I do it comes up as ‘already in use’ because it’s in the system from April, when we requested our accounts be linked.

I’m sat here, looking at the forum ID and email above this box and the email there is not the email I login with. It’s the email I requested back in April. But when I log into the game, I have to use the email from Guild Wars 1.

I emailed support, 29 August. No reply, ticket closed Sept 10. The reason we didn’t get these email addresses changed was because of the lack of reply from support. And now he’s lost both his GW1 and GW2 account.

Regardless of how his email and PW were gathered… (I suspect LinkedIn or one of the other ‘hacks’ as he does not use Games websites or forums, and neither do I as a rule)

Some form of email reset request alert and authorisation should be in place.

It is very shabby. As others have said, pretty much every online service I use would never reset a password/email without an authorisation request.

The Hand of Omega [WHO]
Ring of Fire

(edited by Saraphim.1230)