Guild Wars 2

My friend’s account just got hacked and lost over 750g, lots of tormented and phoenix skins, along with all his ectos. If an account gets hacked there is no last stand of defense for your account.

Having to type in a pin to enter your bank/wallet can potentially save your account and losing your possessions. Any chance of this being implemented?

First things first, your “friend” may have bought gold from a gold seller thus leading to the compromising of the account. Stop buying gold from gold sellers.

Second, use a secure password with at least 12 characters.

Third, make sure your email password and your account password are different.

Fourth, use either the mobile device security code or the email IP notification.

Lastly, in order to implement a pin system, they have to allow for resetting of the pin in case it is forgotten. A patient hacker can just change the account password and reset the pin then wait the time for the pin to reset (IIRC usually 24-48 hours).

Yeah, your friend must not have used even reasonable security for this day and age. Adding one more step is just going to add a layer of frustration for the majority and we’d still have the same issues anyways.

No I’m sorry accusing him of buying from gold sellers and having bad password were all wrong (he used upper, lower case, and symbols for his password and dungeons spammers don’t need gold sellers). All I’m saying is it’s possible for anyone to get hacked, and if it is there is nothing you have to protect yourself as a last resort. Even if they make a pin reset they can have a couple days for the new one to work which by then you can change all your passwords.

Luckily he’s being a good sport about losing his things for the most part because he doesn’t want too many things atm…

Eight Samurai.6840:

My friend’s account just got hacked and lost over 750g, lots of tormented and phoenix skins, along with all his ectos. If an account gets hacked there is no last stand of defense for your account.

Having to type in a pin to enter your bank/wallet can potentially save your account and losing your possessions. Any chance of this being implemented?

Mobile authentication, it;s similar to what real banks use.

Also, this should really be standard practice – do not tick the box that says “remember this network” just because of laziness.

Eight Samurai.6840:

No I’m sorry accusing him of buying from gold sellers and having bad password were all wrong (he used upper, lower case, and symbols for his password and dungeons spammers don’t need gold sellers). All I’m saying is it’s possible for anyone to get hacked, and if it is there is nothing you have to protect yourself as a last resort. Even if they make a pin reset they can have a couple days for the new one to work which by then you can change all your passwords.

Luckily he’s being a good sport about losing his things for the most part because he doesn’t want too many things atm…

The case of characters in a password is often very secondary to other qualities, such as uniqueness and length. And 12 characters is pretty short, I don’t choose passwords that short unless I am willing to give my account away. However, having additional authentication measures is definitely something Anet should add.

Your friend probably visited sites he shouldn’t have (gold sellers), and/or downloaded things he shouldn’t have (hacks/bots).

In 16 years I’ve never had a single account for anything on the internet hacked, and I don’t even care for account security.

“Hacking accounts” for videogames does not exist.
Giving your secure information away does exist.

A PIN code is a waste of development time, and it won’t solve stupidity.

Account bank and wallet should be given back to you.. guild bank.. i’m happy with how it is.. Just don’t store your most vals there. but in your own bank

Your friend should read the articles here: https://help.guildwars2.com/forums/22305053-Account-Security and follow the instructions for an Account Recovery.

Good luck.

Eight Samurai.6840:

My friend’s account just got hacked and lost over 750g, lots of tormented and phoenix skins, along with all his ectos. If an account gets hacked there is no last stand of defense for your account.

Having to type in a pin to enter your bank/wallet can potentially save your account and losing your possessions. Any chance of this being implemented?

Most cases of accounts getting hacked start with hacking the mail account (due to the need to authorize unknown ip login attempt). And if your mail account is compromised, any password protection on your bank/wallet can be reset at will by the hacker anyway.

(Note: Throughout this post ‘you’ is used in a general sense, not referring to any specific person. Technically I should be saying ‘one’ but that sounds insufferably pretentious.)

The idea of a secure password being one that’s a mess of letters, numbers and symbols is very out dated. These days it’s relatively rare for someone to ‘hack’ your password by guessing what it is. It does help a bit by increasing the number of possible passwords, but not much.

Unless you’re using one of the 100 most commonly used passwords (like abc123 qwerty or password) one password is as secure as any other. It’s how you use it that matters.

Here’s some common ways accounts can be hacked:

1. The same email and password combination is used elsewhere.
Particularly relatively unsecure websites like 3rd party forums. Most of these use the same software (phpBB, simple machines etc.) and most of these are open source, which means anyone who wants to can look at (and edit) the code. This makes them very vulnerable to having their databases (including account names and passwords) stolen. This is compounded by the fact that most of them are run by small groups of volunteer admins who need to update the software in their free time (which is a pain in the kitten to do, especially if you’re not that familiar with the process) so they may not even be using the latest security.

If you’re using the same email and password for everything then once they’ve gotten the details for one of your accounts they’ve got them all. And often the type of site can tell them a lot about where you’re likely to have accounts. For example if they got their list of emails and passwords from an MMO forum they’ll sell it to gold sellers to try on MMOs and odds are a lot of them will work.

2. Using virtually identical passwords
If your password for one site/game is ‘mypassword101’ and your password for a 2nd is ‘mypassword102’ then you’re effectively using the same password for both. It’s such an obvious, incredibly common approach that it’s the first thing any hacker will try if your password has a number in it and their first attempt doesn’t work.

3. Key loggers and other phishing software
This is software that’s installed on your computer without you knowing, often because it’s hidden in another download from dodgy websites. It tracks what you do and sends all of it (or if it’s well written the useful bits) to the person who created the program. Useful bits being things like programs and websites you log into and the passwords you used to do so.

You can protect your computer by installing and using up to date anti-virus and anti-spyware programs. (Using in bold because I wish I had £1 for every person I know who installs an antivirus, disables it because it keeps saying there’s updates and then never uses it again, then blames the program when they get a virus.)

You can also protect yourself by being careful about logging in to sites and programs from other peoples computers. My mum uninstalled Spybot because it stopped her free IE tool bars from working. That was the day I stopped using her computer to log into any site where I wanted to keep my account.

4. Using the same password for your email
This should be less of an issue because most email providers are relatively secure (compared to things like 3rd party forums) but it still means you’ve removed a layer of security. If you’re using the same password for your email account and your other accounts they don’t even have to try using the ’I’ve forgotten my password’ option, they’ve got everything in one go.

Realist.5812:

Your friend probably visited sites he shouldn’t have (gold sellers), and/or downloaded things he shouldn’t have (hacks/bots).

In 16 years I’ve never had a single account for anything on the internet hacked, and I don’t even care for account security.

“Hacking accounts” for videogames does not exist.
Giving your secure information away does exist.

A PIN code is a waste of development time, and it won’t solve stupidity.

How incredibly sanctimonious … You of course have total knowledge of this persons browsing and downloading habits etc to make such accusations.. either that or you are completely naïve about the whole issues at hand.
You of course also know that this person was downloading things that he shouldn’t have because that’s the only way “hacks and bots” can bypass one’s protections.. .. please share with us what we should or shouldn’t be downloading.. hmmm I’ll hazard a guess you don’t even know the first thing about what you are talking about and are just copycatting comments from other “expert posters” who make the same assumptions.

For your info -
I have long complex passwords for any account I hold and all are unique without any kind of pattern to them. I had a unique email that was used for GW2 and nothing more and was none of the widely known providers. My email provider assured me that they had not been hacked and have their own protection inbuilt as an added security to my account.
I utilise as much protection that is available to the average everyday person including 3 sets of virus/malware protection all regularly updated and scanned twice daily as well as firewalls and router protections… I have never visited a goldseller (in fact I don’t think I have ever had more than 200gold ingame and have played since BWE1) and don’t frequent “dodgy site”s or download things I shouldn’t and certainly don’t give out my personal info to anyone.. yet somehow my GW2 account got hacked a few months back.. and like you I had never been hacked in 20yrs of using online material… so please share your oooh so wise wisdom .. I am all eyes and ears.

I agree with the OP thatANET needs to implement better Guild Bank / Personal Bank security feature because it only takes one person to be hacked and a whole guild can suffer the consequences… and please don’t play the " guild leaders need to manage better cos if that person gets hacked it makes no difference how they manage guild bank privileges etc.

What your friend should do now

1. Change his GW2 password, and his email account password (just in case). Use two different passwords he’s never used anywhere before.

2. Log in to the GW2 site, go to My Account > Security and disable all authorised networks.

3. Run anti-virus and anti-spyware checks on his computer. It might not find anything, but just in case.

4. Contact support, tell them he was hacked but now has the account back in his control and ask for a roll-back. This is like using System Restore on a PC – it will reset his account to sometime before he was hacked. So he’ll get all his stuff back, but also lose anything he’s got since. (This means it’s not worth farming until the roll-back has happened.) Anything that was stored in a guild bank, even a personal one, is gone however.

Incidentally I realise that having unique passwords for everything can be a right kitten, especially when so many things these days require them. The way I get around that is I have 1 password for relatively unsecure sites (like 3rd party forums) where it’s not really a problem if my account gets stolen. Then I use different, unique, passwords for important things like GW2 and logging into the server at work.

This means the vast majority of sites I log into all use the same password and it’s easy for me to remember, but even if all of them got hacked it’s no big deal because they can’t use that password anywhere it matters. What are they going to do on a forum? Pretend to be me and insult my friends?

Also I’ve never seen it mentioned but I think it also helps that there’s no connection between my email address/account name(s) and my password. I had one friend who went for the xkcd approach of using a string of words as her password. But to help her remember it her email address was the first half of a saying and her password was the second half. And it was a very well known saying. (Not the real one but a bit like her email being Maytheforce@yahoo.com and her password being ‘bewithyou’.) Unsurprisingly she got hacked.

Ravion Hawk.4736:

First things first, your “friend” may have bought gold from a gold seller thus leading to the compromising of the account. Stop buying gold from gold sellers.

Second, use a secure password with at least 12 characters.

Third, make sure your email password and your account password are different.

Fourth, use either the mobile device security code or the email IP notification.

Lastly, in order to implement a pin system, they have to allow for resetting of the pin in case it is forgotten. A patient hacker can just change the account password and reset the pin then wait the time for the pin to reset (IIRC usually 24-48 hours).

In other words… this is a first world problem, stop looking to anet for a solution.

Eight Samurai.6840:

No I’m sorry accusing him of buying from gold sellers and having bad password were all wrong (he used upper, lower case, and symbols for his password and dungeons spammers don’t need gold sellers). All I’m saying is it’s possible for anyone to get hacked, and if it is there is nothing you have to protect yourself as a last resort. Even if they make a pin reset they can have a couple days for the new one to work which by then you can change all your passwords.

Luckily he’s being a good sport about losing his things for the most part because he doesn’t want too many things atm…

Been Playing MMO’s since EverQuest. Played More MMO’s than I can count. I have never had an account hacked. I have also never bought gold. I also use completely random numbers , letters bit caps and small.. and …I’ve never been hacked.

See how that works?

If the hacker is able to steal your data for the GW2 and for the email account then he will easily able to steal your PIN too.

Ah victim blaming is fun!… you know, instead of feeling bad for the guy, saying that sucks, next time use mobile authentication (if you have a phone that can do that) and move on. No, we gotta all assume all the bad things he must have done to bring this upon himself!

Lothirieth.3408:

Ah victim blaming is fun!… you know, instead of feeling bad for the guy, saying that sucks, next time use mobile authentication (if you have a phone that can do that) and move on. No, we gotta all assume all the bad things he must have done to bring this upon himself!

The only way to be hacked is if

A: Anet got hacked and everyone has their account info stolen

or

B: He did something to compromise his account security

There is no C, those are the only ways an account can be hacked.

Don’t use the same passwords on multiple sites. Smaller sites, particularly gaming forum sites use much less security and their sites are frequently compromised. Use a password of at least 10 characters and use symbols numbers and letters. Don’t visit shady sites, and make sure your anti-virus is up to date. Use a secure and unique email and use mobile authentication. If you do all those things you will not be hacked.

Lothirieth.3408:

Ah victim blaming is fun!… you know, instead of feeling bad for the guy, saying that sucks, next time use mobile authentication (if you have a phone that can do that) and move on. No, we gotta all assume all the bad things he must have done to bring this upon himself!

It is not blaming the victim, it is telling the person what he did wrong. The old saying, ‘Stupid is as stupid does’ is so true.

Another thing can happen – there has been quite a few phishing emails are going around. These emails say; “Your GW2 account is going to be suspended for 72 hours for illegal activity unless you log into – give a spoofed link to A.Net.” Hackers and gold sellers then have your email and password.

They had to have the email and password in order to get in. Then the IP authentication of A.Net kicks in – they can say this IP is OK and then take/sell your ‘friends’ stuff.

‘YOUR FRIEND’ did one of several booboo’s – 1. used the same password more than once (very common). 2. Used a common word. 3. Was phished (as above). 4. Keylogger.

There is one other thing – make sure your friend is using an AV program and that he scans his computer often.

A.Net can put all the security in place they want but that security is only as good as the user. If the user has no security, then there is no security in the game.

Bloodstealer.5978:

Realist.5812:

Your friend probably visited sites he shouldn’t have (gold sellers), and/or downloaded things he shouldn’t have (hacks/bots).

In 16 years I’ve never had a single account for anything on the internet hacked, and I don’t even care for account security.

“Hacking accounts” for videogames does not exist.
Giving your secure information away does exist.

A PIN code is a waste of development time, and it won’t solve stupidity.

How incredibly sanctimonious … You of course have total knowledge of this persons browsing and downloading habits etc to make such accusations.. either that or you are completely naïve about the whole issues at hand.
You of course also know that this person was downloading things that he shouldn’t have because that’s the only way “hacks and bots” can bypass one’s protections.. .. please share with us what we should or shouldn’t be downloading.. hmmm I’ll hazard a guess you don’t even know the first thing about what you are talking about and are just copycatting comments from other “expert posters” who make the same assumptions.

For your info -
I have long complex passwords for any account I hold and all are unique without any kind of pattern to them. I had a unique email that was used for GW2 and nothing more and was none of the widely known providers. My email provider assured me that they had not been hacked and have their own protection inbuilt as an added security to my account.
I utilise as much protection that is available to the average everyday person including 3 sets of virus/malware protection all regularly updated and scanned twice daily as well as firewalls and router protections… I have never visited a goldseller (in fact I don’t think I have ever had more than 200gold ingame and have played since BWE1) and don’t frequent “dodgy site”s or download things I shouldn’t and certainly don’t give out my personal info to anyone.. yet somehow my GW2 account got hacked a few months back.. and like you I had never been hacked in 20yrs of using online material… so please share your oooh so wise wisdom .. I am all eyes and ears.

I agree with the OP thatANET needs to implement better Guild Bank / Personal Bank security feature because it only takes one person to be hacked and a whole guild can suffer the consequences… and please don’t play the " guild leaders need to manage better cos if that person gets hacked it makes no difference how they manage guild bank privileges etc.

I’m not entirely sure what you’re trying to do here, but I’ll respond in some kind of way to appease you.

Bear with me.

I could give my account information to a random person in the street, and it is utterly useless to them unless they know where to use it. They might try it in a few random places, but it won’t work, and they’ll throw the info away.

Even if your account information was obtained through whatever random virus/keylogger/malware from some random place on the internet, unless the “hacker” knows where to use it it is useless.

Game accounts get hacked because the person who obtains said account information KNOWS it is for the game, it isn’t a 1 in a billion lucky guess as to where to use the information. They were searching for specific information for a specific program/site. They have an invested interest in this game at some level, and this is why they specifically searched for account information related to the game.

Now tell me, what kind of people are interested in video game accounts?

- Gold sellers
- Hack/Bot scripters
- Random person playing the game who just wants to get ahead, and knows how to trick people into giving out their info.

In what way will the above people try to obtain account information?

- Commonly through phishing emails (pose as staff from the game)
- Commonly through scam sites by entering account information (gold seller, power levelling etc)
- Very very rarely through keyloggers and other viruses/malware. If your site or application is well known to contain viruses, word would spread and no one visits it or downloads it ever again. The above 2 are more subtle, hence more commonly used for game accounts.
_______________________________

What I’m trying to say is:

If your video game account gets “hacked”, it isn’t because some seedy guy who infected your computer from a dodgey porn site thought it would be funny to try the info he obtained in every single video game ever invented until it worked, then delete your stuff.

It is because you literally handed it to a person who has an invested interest in this video game. Viruses are not used to obtain video game account information, getting someone to simply write it down on your site, or in an email, or in your hack/bot program are the methods used.

Google Authenticator. Use it.

You friend didn’t get his GW2 account hacked. It was his e-mail account.
ArenaNet are not responsible for that. Hell, they even give us a way to protect ourselves by linking an authenticator.

Zanshin.5379:

Google Authenticator. Use it.

You friend didn’t get his GW2 account hacked. It was his e-mail account.
ArenaNet are not responsible for that. Hell, they even give us a way to protect us by linking an authenticator.

Actually, his email account might not have been hacked or touched in any way.

Hackers can very easily get a list of passwords/emails/IP address from other game sites that were compromised, even very large game companies that were recently hacked (including EA and Steam). If that password is in anyway similar to the password used for Guild wars 2, then its a matter of changing a password here or there and entering email addresses. Anet actually made a long blog post about that months ago indirectly admitting that a compromised email account might not be the cause despite claiming that a vast majority of hacked accounts was due to a hacked email account.

This raised serious questions about what was actually going on, and it raises further questions about whether their Email/IP address authentication is actually encrypted well enough to do its job properly. Some message boards have suggested that it is as simple as changing bits around from a default authentication email link to include the proper IP address and email address, completely going around any security that this may have offered.

So, yeah. If you don’t have Google Authenticator, you need to get it since all of Anet’s other levels of security concerning your account are quite pathetic.

Also, this thread will probably be closed due to the subject matter….

Eight Samurai.6840:

No I’m sorry accusing him of buying from gold sellers and having bad password were all wrong (he used upper, lower case, and symbols for his password and dungeons spammers don’t need gold sellers). All I’m saying is it’s possible for anyone to get hacked, and if it is there is nothing you have to protect yourself as a last resort. Even if they make a pin reset they can have a couple days for the new one to work which by then you can change all your passwords.

Luckily he’s being a good sport about losing his things for the most part because he doesn’t want too many things atm…

But did he have an authenticator? Just asking since I’ve got one, and I’m always a bit weary, always afraid the authenticator isn’t enough.

Realist.5812:

Bloodstealer.5978:

Realist.5812:

Your friend probably visited sites he shouldn’t have (gold sellers), and/or downloaded things he shouldn’t have (hacks/bots).

In 16 years I’ve never had a single account for anything on the internet hacked, and I don’t even care for account security.

“Hacking accounts” for videogames does not exist.
Giving your secure information away does exist.

A PIN code is a waste of development time, and it won’t solve stupidity.

How incredibly sanctimonious … You of course have total knowledge of this persons browsing and downloading habits etc to make such accusations.. either that or you are completely naïve about the whole issues at hand.
You of course also know that this person was downloading things that he shouldn’t have because that’s the only way “hacks and bots” can bypass one’s protections.. .. please share with us what we should or shouldn’t be downloading.. hmmm I’ll hazard a guess you don’t even know the first thing about what you are talking about and are just copycatting comments from other “expert posters” who make the same assumptions.

For your info -
I have long complex passwords for any account I hold and all are unique without any kind of pattern to them. I had a unique email that was used for GW2 and nothing more and was none of the widely known providers. My email provider assured me that they had not been hacked and have their own protection inbuilt as an added security to my account.
I utilise as much protection that is available to the average everyday person including 3 sets of virus/malware protection all regularly updated and scanned twice daily as well as firewalls and router protections… I have never visited a goldseller (in fact I don’t think I have ever had more than 200gold ingame and have played since BWE1) and don’t frequent “dodgy site”s or download things I shouldn’t and certainly don’t give out my personal info to anyone.. yet somehow my GW2 account got hacked a few months back.. and like you I had never been hacked in 20yrs of using online material… so please share your oooh so wise wisdom .. I am all eyes and ears.

I agree with the OP thatANET needs to implement better Guild Bank / Personal Bank security feature because it only takes one person to be hacked and a whole guild can suffer the consequences… and please don’t play the " guild leaders need to manage better cos if that person gets hacked it makes no difference how they manage guild bank privileges etc.

- – WALL ‘O’ TEXT – -

Spare me your copy & paste internet blurb, but I am more than aware of the why’s, how’s and what for’s.. however you did not answer the questions posed to you , but hey nice wallotext to get around it.
Your natural assumption is to call people out for visiting dodgy sites, download seedy stuff etc.. so I will ask a simpler question.. what does a dodgy site or a seedy download look like, so that we can steer clear of such things across the interweeebs????

Not everyone visits such sites, or downloads such stuff or lacks the few brain cells reqd to consider IT / Data security.. some of us do everything we can with what is available to us as well as using common sense to not click on email links that seem to good to be true.. only to be then accused by the likes of you for “obviously” doing something untoward with our viewing/downloading habits.
Actually lets take it one step further shall we.. lets say person X visits Porn site Y.. .. by your definition all such sites and content are the basis for bad things to happen… I don’t go to those kind of sites, but I am pretty sure those companies might have something to say in counter to your baseless theories that their sites are so obviously dodgy.
So what makes such sites the dodgy deal.. and not say… hmmm Guildwars2.com or WoW or Honda, Sony.com, Ebay, Pentagon etc etc
Any site can be classed as dodgy – if cyberskittens want to get hold of as many details as possible they will attack any given site to get such information out of us..

So maybe take your mind out of the gutter before engaging keystrokes is my advice.. your idea of players being hacked stems solely from baseless assumptions and accusations that those people" obviously" frequented Sallythehotsauce.kitten etc one time too many and used duplicated passwords or worse gave out their details to some random hotsauce kitty in the porn chatroom….