Securing an account, for real

in Account & Technical Support

Posted by: TWMagimay.9057

So, I was reading the Mike O’Brian article…and got annoyed by it.

story time A while ago me and my fiancé bought GW2 and started playing (2 accounts). We were both using the same password that we’ve been both using since we met. Then came the blacklist and the “please, change your password”. I, being a good girl, did exactly that. When I told him he should, he looked at me and told me they can go puppy themselves. I had a brand new GW2-approved password, he didn’t. Roughly a month later I received 15 authentication e-mails in 2 days. All Chinese IPs (we live in the Netherlands). Mailed support, got another brand new password. Got banned for RMT 2 days later. Mailed support again, proved it was me, all good. Few months passed, I got bored of GW2 and played a different game for 10 months or so. Upon returning 1 month ago, I found my account banned for botting. Went through the usual support fun, had my account restored, got yet another brand new password.

It was at that point that I noticed how anybody who adds me as friend (which I don’t need to agree to) automatically becomes the owner of 50% of my account (he has the log-in name and a char name). Then I listened to my fiancé talking to people about how long they’ve been playing GW2…anybody in that conversation was 75% account owner of each of those accounts. Disturbing, right? Back to the story…

31.12 I woke up and tried to log in on the forum. Wrong password. I got yet another new password and found yet another Chinese IP authorized to log in my account. There was no trace of the password change or the new IP in my e-mail… I’m still waiting for support to respond in any way end story

So, here’s the problem. My PC undergoes weekly full scans. No threats found. My e-mail holds 2 serial codes (for me and my fiancé). I followed all their security instructions while he ignored them completely. I lose my account on a monthly basis. His is intact, never even attempted to login. What can I do (apart from uninstalling GW2 and never looking back) for this to stop happening? I sincerely regret changing my password last year…because that’s when it all started…should’ve known better, I guess…

Posted by: SandraSolace.7682

Looks like it’s not the game that is the problem but your email account isn’t safe.

As long as that isn’t secured you will keep getting these emails and that is how they get your account info.

Posted by: TWMagimay.9057

Looks like it’s not the game that is the problem but your email account isn’t safe.

As long as that isn’t secured you will keep getting these emails and that is how they get your account info.

But my e-mail has 2 accounts’ infos in it. Why is only mine getting hit?

Also, is there a way to change the e-mail?

Posted by: SandraSolace.7682

I don’t know, I can’t tell you how hackers think and act.

But I would change your log in info for your email just to be sure.

Changing your email is possible, but you will have to talk to support about that.

Posted by: Inculpatus cedo.9234

I’m not sure how anyone adding you as a friend gets 50% of your log-in information. Your display name has nothing to do with logging into your account. One uses the Account name to log in, not the Display name.

It does sound as though your email account has been compromised. Or, you might have a keylogger. There are free programs to check for keyloggers, you might want to find one. CNet has some viable choices. You can speak to CS about securing your computer, and they will be happy to help.

Good luck.

Posted by: TWMagimay.9057

I’m not sure how anyone adding you as a friend gets 50% of your log-in information. Your display name has nothing to do with logging into your account. One uses the Account name to log in, not the Display name.

When you have your account restored, they ask you 4 questions to prove you are the owner.
1. Display name(the blabla.1234)
2. Name of a char on the account
3. Creation time with 3 days error margin
4. Serial code

When you add somebody as friend, you get 1 and 2. That’s half the proof of account ownership.

Posted by: Inculpatus cedo.9234

Well, cool, you were lucky then. They asked me a lot more than 4 questions. Considering all the signatures on the forum that include character names, I guess many accounts have given out some percentage of the information needed. But none of the information needed for logging in, thankfully. =)

Posted by: chris.9142

There’s also the fact that you’re probably using your registered email address; don’t forget this part for many people

Or at least one that you had registered against it if the hacker has changed it

I5-4670k @4.2Ghz – 8Gb 2133mhz Gskill
Msi Z87 Gaming Board AMD R9 270x
-crucial 256 M500 SSD -Samsung 500Gb HDD

Posted by: Rajani Isa.6294

I don’t know, I can’t tell you how hackers think and act.

But I would change your log in info for your email just to be sure.

Changing your email is possible, but you will have to talk to support about that.

If you have a smart phone and your mail provider offers it, I’d also add some form of mobile authentication (such as a texted code, or using something like Google Auth for the constantly changing codes, etc).

A link to an article on the ZoneAlarm page http://www.zonealarm.com/blog/2013/08/how-to-turn-on-two-factor-authentication-for-your-email-accounts/

Also, if you are going to change your email, I’d start by contacting support from the new address, with mention of WHY (namely, the fact that you’ve been made unsecure in some way on your other email account). Don’t mention the new email in any contact with the old email.

Posted by: ShiningSquirrel.3751

This is something I have mentioned before, and it is the biggest mistake Anet has made and the most serious of all security flaws in their system.

Simply, the forums use the same login and password as the game.

If you have the forum remember your password, it is stored in your browser. This information can be extracted by any malicious website. All the website really needs to know is the website they want the login and password to. So if you want to steal logins and passwords to https://forum-en.gw2archive.eu, you create a site that will attract GW2 players. Maybe show hints, maps, or even just armor pictures. The player visits the site, the site owner then has their login and password to the game. It’s really that simple. You can have a “secure” computer, but just visiting one of these sites can expose your info.
From the demo I was given at my employer’s, there were many different factors that could make your computer vulnerable to this, Java version (newest is NOT always best), browser version, browser security settings, etc. To be completely safe, do not allow your browser to remember your login and password, and be VERY selective what GW2 related sites you visit.

Posted by: TWMagimay.9057

The problem is that I don’t actually know what the problem is. My best guess would be a secondary e-mail associated with the account (because if my e-mail was compromised it just doesn’t make sense that they’d arbitrarily choose to take my account and ignore the second account info). And since they are changing my password, they should have my serial code as well, no? I was going to slowly request changes to my account until the issue is resolved, but yesterday saw they offer 1 rollback per account. I like GW2 just enough to consider starting over for the second time, but I definitely don’t like it enough to keep starting over every 3 weeks. Since their solution is “change your password and don’t share it with family” (obviously not working), I guess I’m looking for changes to my account that’ll plug all perceivable leaks. New e-mail, new password (that I’ll probably forget again so I guess the forum will be out of the question…), new…what else?

On an amusing side-note: My fiancé mailed them last night to ask what the puppy is happening and why aren’t they replying to my 6 days old e-mail. He got a response this morning. I’m still waiting with only an automated answer to show for it….

(edited by TWMagimay.9057)

Posted by: ShiningSquirrel.3751

So you are saying you have your fiancé’s login and password in your email account? That is not a good idea. You are making a few incorrect assumptions. Only 1 email address is associated with an account. A serial code is not needed to change a password, all that is needed is the old password.
First, you should make sure your computer is secure. Then contact support and ask them to change the email account associated with your GW2 account. The new email address will then be your new login name. Use a secure password and be sure to set up email authentication at the very least. Also, NEVER use the same password for both your email and GW2 account.

Posted by: TWMagimay.9057

So you are saying you have your fiancé’s login and password in your email account? That is not a good idea.

Well, I don’t have my password in my e-mail either. My e-mail contains the exact same amount of information for my account as it does for his(well, did, I moved to paper copies out of the boredom the last 6 days).

You are making a few incorrect assumptions. Only 1 email address is associated with an account. A serial code is not needed to change a password, all that is needed is the old password.

Oh…I just always use the “forgot password”-option. In that case, how do they get passwords that I’ve never used in my life and don’t even know myself the next week?

First, you should make sure your computer is secure. Then contact support and ask them to change the email account associated with your GW2 account. The new email address will then be your new login name. Use a secure password and be sure to set up email authentication at the very least. Also, NEVER use the same password for both your email and GW2 account.

Weekly scans got that covered. I got e-mail authentication set-up, I just don’t seem to receive mails from it(now that you mention it…could it have been turned off?). I never had a matching password between my GW2 account and my e-mail. The last game to use the mail password closed servers 5 years ago and I haven’t used that password for any accounts in the last 4 years.

Posted by: ShiningSquirrel.3751

It sounds like you have a handle on most of it. From what you are saying, it does sound more and more like they have access to your email account.

As to how they get the passwords, it’s anyone’s guess. I had a VERY secure password when I set up my account. Not 10 minutes after setting it up, I had someone from China try to login. My machine was completely clean (actually a new install less than 24 hours old). Firewalls, high security on routers, etc. I do computer security for a living so I know it was not from my end, especially in 10 minutes time but somehow they got my login and password all the same.

Posted by: TWMagimay.9057

So, new e-mail it is…

You seem fairly familiar with this stuff… Question: I just received a mail to my ticket to rate the support. The only response to my ticket was the automated msg and now this. Does that mean they consider my issue resolved in which case should I mail them back and politely tell them they are idiots? Or is it just a random mail and I should sit tight so I dun get pushed back in the queue(if that even happens in GW2?)?

Posted by: ShiningSquirrel.3751

It’s hard to know, but if you have not heard anything specific back, just the automated response, it’s likely they are still working on it. If it’s been more than 72 hours since the last response, you should post your ticket # in the thread below.

https://forum-en.gw2archive.eu/forum/support/account/Tickets-for-Review-3-days-and-older-merged

Posted by: Rajani Isa.6294

Oh…I just always use the “forgot password”-option. In that case, how do they get passwords that I’ve never used in my life and don’t even know myself the next week?

First, you should make sure your computer is secure. Then contact support and ask them to change the email account associated with your GW2 account. The new email address will then be your new login name. Use a secure password and be sure to set up email authentication at the very least. Also, NEVER use the same password for both your email and GW2 account.

Weekly scans got that covered. I got e-mail authentication set-up, I just don’t seem to receive mails from it(now that you mention it…could it have been turned off?). I never had a matching password between my GW2 account and my e-mail. The last game to use the mail password closed servers 5 years ago and I haven’t used that password for any accounts in the last 4 years.

While they ask for it, the password reset does not require a serial code. If you can supply enough other info, they’ll reset it. (non-automated though).

Also, they do offer Google-auth two-factor – you’d have to use it to sign in every time though.

https://support.google.com/accounts/answer/1066447?hl=en

Posted by: TWMagimay.9057

It’s hard to know, but if you have not heard anything specific back, just the automated response, it’s likely they are still working on it. If it’s been more than 72 hours since the last response, you should post your ticket # in the thread below.

https://forum-en.gw2archive.eu/forum/support/account/Tickets-for-Review-3-days-and-older-merged

I did that…yesterday… I’m usually very patient with support requests, have been known to wait for a month before making any fuss about it… But I was recently in an accident(2 days after the incident) so now I literally have nothing to do. Just sit on a chair and refresh my e-mail… I finally understand why people complain about long support wait times…

On a side-note: If I were to play GW2 and just mail my farmed stuff to my fiancé every day…and then get that account rollback…will we get in trouble?

Posted by: Brother Grimm.5176

Is your account still tied to the “suspect” email account? If it is, there can be no doubt someone else has compromised your email account. Never use it again.

Hackers don’t really care about your Serial #s as Anet can pretty quickly determine account ownership without it (and who is NOT the owner even if they have the SN).

What kind of passwords are you using? If they are guessing it (or you are using one you have used on another website in the past), then by all means make a LONG password of 4 to 6 unrelated words you can easily remember. An 8 character long password (with letters, numbers AND punctuation) can be guessed in less than 24 hours by an i5 computer. A 16 character password of just lower case letters would take hundreds of years to guess.

We go out in the world and take our chances
Fate is just the weight of circumstances
That’s the way that lady luck dances
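An added worked example, not part of the post above: it compares the search space of the password shapes mentioned in this thread and shows how the time to exhaust them depends on the attacker's guess rate. The guess rates and the 7776-word list size (that of a Diceware-style list) are assumptions, and the figures only hold for secrets chosen at random; a reused or leaked password is found by lookup whatever its length.

```python
import math
import secrets
import string

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed attacker speeds in guesses per second (illustrative, not measured).
RATES = {
    "online, throttled login": 10,
    "offline, slow salted hash": 1e4,
    "offline, fast unsalted hash": 1e10,
}

# Letters, digits and punctuation of printable ASCII, without the space.
FULL = len(string.ascii_letters + string.digits + string.punctuation)


def charset_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of `length` characters drawn uniformly at random."""
    return length * math.log2(alphabet_size)


def passphrase_bits(n_words: int, wordlist_size: int) -> float:
    """Entropy in bits of `n_words` drawn uniformly at random from a list."""
    return n_words * math.log2(wordlist_size)


def years_to_search(bits: float, guesses_per_second: float,
                    fraction: float = 0.5) -> float:
    """Years to try `fraction` of the space (0.5 = the average case)."""
    return fraction * 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def random_passphrase(wordlist, n_words: int, sep: str = " ") -> str:
    """Pick words with the OS CSPRNG; humans choosing 'random' words do worse."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


# Password shapes taken from the thread; list size is the assumption above.
CANDIDATES = {
    "8 chars, letters+digits+punctuation": charset_bits(8, FULL),
    "12 chars, letters+digits": charset_bits(12, 62),
    "16 chars, lower-case only": charset_bits(16, 26),
    "4 words from 7776": passphrase_bits(4, 7776),
    "6 words from 7776": passphrase_bits(6, 7776),
}


def compare(candidates=CANDIDATES, rates=RATES) -> dict:
    """Map each candidate to {rate label: average years to find it}."""
    return {
        name: {label: years_to_search(bits, rate)
               for label, rate in rates.items()}
        for name, bits in candidates.items()
    }


if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name:38s} {CANDIDATES[name]:5.1f} bits")
        for label, years in row.items():
            print(f"    {label:30s} {years:.3g} years")
    # Constructed 8-word sample list: far too small for real use (3 bits/word).
    sample = ["otter", "granite", "violin", "maple",
              "harbor", "pixel", "saddle", "comet"]
    print("sample passphrase:", random_passphrase(sample, 4))
```

Length dominates: each added random character or word multiplies the search space, while the guess rate only shifts every row by the same factor.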

Posted by: TWMagimay.9057

What kind of passwords are you using? If they are guessing it (or you are using one you have used on another website in the past), then by all means make a LONG password of 4 to 6 unrelated words you can easily remember. An 8 character long password (with letters, numbers AND punctuation) can be guessed in less than 24 hours by an i5 computer. A 16 character password of just lower case letters would take hundreds of years to guess.

The last password was 12 letters and numbers, I have never-ever used it before. I’m the typical noob who has 1 password for everything and changes it like once every 2-3 years, GW2 is forcing me to come up with new passwords that I can never remember. Funny thing is, my usual password never led to account issues (my fiancé still uses the same password that’s tied to about 5 e-mail accounts, countless forums and games without an issue -.-), it only started after I used my first GW2-specific password…

PS: I finally created a new e-mail and mailed them from it to request a change. That was 3h ago, I didn’t even receive an automated msg…

(edited by TWMagimay.9057)

Posted by: Inculpatus cedo.9234

It’s hard to know, but if you have not heard anything specific back, just the automated response, it’s likely they are still working on it. If it’s been more than 72 hours since the last response, you should post your ticket # in the thread below.

https://forum-en.gw2archive.eu/forum/support/account/Tickets-for-Review-3-days-and-older-merged

I did that…yesterday… I’m usually very patient with support requests, have been known to wait for a month before making any fuss about it… But I was recently in an accident(2 days after the incident) so now I literally have nothing to do. Just sit on a chair and refresh my e-mail… I finally understand why people complain about long support wait times…

On a side-note: If I were to play GW2 and just mail my farmed stuff to my fiancé every day…and then get that account rollback…will we get in trouble?

You already got your once-only account rollback, so farming mats and keeping them (or sending them off) shouldn’t be a problem.

4) That THAT response was also a booboo on support’s part; they can’t roll an account back 6 whole months (I didn’t think that they could!)

Mine was allegedly rolled back 11 months…

Went through the usual support fun, had my account restored, got yet another brand new password.

Posted by: TWMagimay.9057

You already got your once-only account rollback, so farming mats and keeping them (or sending them off) shouldn’t be a problem.

What can I say…I’m an optimist. Until support tells me “No!” I’ll pretend it can all work out.

PS: I think they closed my old ticket just for funzies. Since I got a reply to the mail from this evening. They reset my password. Adorable. facetail

Posted by: Gaile Gray

ArenaNet Communications Manager

So let me be clear — you had not had a single human response (just the “got your ticket” auto-response) and then a survey? I’m thinking that the access to your e-mail account may include someone deleting our responses, but could you give me this ticket number, please?

I don’t like to think we’d say “How’d we do?” until we, you know, did something.

Gaile Gray
Communications Manager
Guild & Fansite Relations; In-Game Events
ArenaNet

Posted by: TWMagimay.9057

So let me be clear — you had not had a single human response (just the “got your ticket” auto-response) and then a survey? I’m thinking that the access to your e-mail account may include someone deleting our responses, but could you give me this ticket number, please?

I don’t like to think we’d say “How’d we do?” until we, you know, did something.

Ticket is 217896. It’s a windows live mail so I get a very loud ding every time I receive a mail(and it’s been open since the whole thing started). I’m more thinking it’s that mails not getting delivered thing since I made a new e-mail last night and the issue got almost resolved in about 3h(I’m still waiting to hear about whether restoration would be possible or not because your guys just sort of ignore it every time I bring it up, that ticket is 235962).

Oh, btw, in that “reminding you what the ticket was about”-part, it has only my writing in it…

Posted by: Firion Corodix.4510

I might have something that can help you to get more secure passwords. I also used to have 1 password for everything, so a friend of mine pointed me towards a free open source program called KeePass.
It’s a program in which you can store passwords, and you use it to generate new random passwords for you. It’s protected by a master password of your choice. I use it in combination with its Firefox plugin, which allows me to easily login on any site without having to enter the username/password myself. When I need to make a new account somewhere I just generate a new password with that program and then save the username and password in that program, with a Title that matches the name of the game/site that the account is for. This way I don’t need to remember my passwords as I can just look them up in that program and copy/paste them when I need them. So if you currently only use 1 password for almost everything or have trouble remembering passwords, then you might want to give it a try.
If you decide to use it then do make sure to make regular backups, as if you lose it then all your passwords are gone too.

Here’s a review if you’re interested: http://www.pcworld.com/article/2026547/review-keepass-makes-strong-passwords-and-keeps-them-safe.html

(edited by Firion Corodix.4510)

Posted by: TWMagimay.9057

Hmmm, isn’t that a bit…dangerous? If somebody gets access to such an account, they literally take over your entire life… Yes, I’ve grown paranoid over the last few days.

On the paranoid note: Support decided to mail my new log in address to the old e-mail. I deleted it roughly 3h after it arrived(I sleep at night), didn’t seem to have been touched… Should I be worried?

Posted by: Gaile Gray

ArenaNet Communications Manager

Hmmm, isn’t that a bit…dangerous? If somebody gets access to such an account, they literally take over your entire life… Yes, I’ve grown paranoid over the last few days.

On the paranoid note: Support decided to mail my new log in address to the old e-mail. I deleted it roughly 3h after it arrived(I sleep at night), didn’t seem to have been touched… Should I be worried?

My advice: Can’t be too careful. Update the ticket through the NEW email address. Tell them what happened and ask that they auto-generate you a NEW password and send it only to that address. Explain that if the system sends to both the old and new addresses, that can put your account at risk. In this situation, the agent may be ahead to manually reset and not send you an auto-generated password. If he/she does that, simply change the password to something of your choosing once you access the account.

Gaile Gray
Communications Manager
Guild & Fansite Relations; In-Game Events
ArenaNet