Guild Wars 2

Hi all,

Thanks for the feedback thus far, and please keep it coming. Your experiences are very valuable in calibrating the experiments we’re doing and helping us narrow in on the optimal settings for the latency compensation system.

A quick clarification on ping times and latency compensation
I should have explained this clearer initially, so I apologize for the confusion. Ping time is not affected by the latency compensator and there is no correlation between ping time and the experiments we’re doing.

Traditionally, ping is a measure of how long it takes a message to get from your computer to the servers. In GW2, we actually combine this data with a second statistic, which is a guess at how long it will take the server to actually process and respond to your message. So ping measures two things for us: network health and server responsiveness.

A longer ping time in GW2 terms means either your network/Internet connection is slow or losing message, or the server is busy and can’t respond quickly (or both at once). However, the system that monitors ping is completely outside the system that handles latency compensation, so any adjustments we make to the compensator will have no measurable impact on ping times.

There is one way that ping and latency compensation interact, however. If ping time is steady, the LC experiment should make the connection feel a bit smoother. However, if ping time is unsteady or very high, there will be no noticeable improvement, because the message response time will be higher regardless.

Suppose you start with a ping of 100. Our adjustments to the latency compensator should make that ping “feel” more responsive. If your ping goes up to 200, however, the difference made will sort of be swallowed up by the doubling in ping time. If it spikes to 500, as an example, the half-second delay will be impossible to totally hide from view, and the connection will feel worse.

You can think of it like a teaspoon of sugar. If you add the sugar (latency experiments) to a small glass of water (good pings) you get sweet water. If you add the sugar to a swimming pool (bad pings) you won’t even notice the sugar. Also, drinking a swimming pool is bad for you, don’t try it ;-)

It is in some ways unfortunate that so many players are having ping time spikes during this experiment, because it makes it hard to tell if the fine-tuning is working. However, based on our data, it looks like there is an improvement, it’s just subtle, and again it gets swallowed up by the ping problems.

We’re examining our server responsiveness constantly, and there are separate efforts underway to improve that.

The latency experiments are carefully designed to control for ping time spikes and other complications. Suffice it to say it is tricky to sort out the real effects of these experiments, but they are working and making a positive difference. In the spirit of doing good science, I unfortunately can’t reveal all of our testing methods, without risk of introducing bias into the data we collect. So I thank you all for your responses, whether you’ve been benefiting from the experiments or otherwise.

Please keep it coming!

The Java vulnerability is certainly something worth being aware of, and it’s definitely true that everyone should take precautions against such system-wide security issues.

However, I just wanted to point out that this has no direct relation to GW2. No part of our game or web services is based on Java (not to be confused with JavaScript – Java is to JavaScript as car is to carpet). Any malicious persons or programs which exploit the Java vulnerability are doing so independently of GW2’s technology.

anonymouse is, for better or worse, completely correct; GW2 account compromises are – with only rare exceptions – generally due to poor security practices on the part of the account owners. To be fair, being truly secure (versus just feeling secure) in the modern online universe is extraordinarily difficult :-)

The link you sent looks correct to me; have you noticed any other oddities with browsing HTTPS sites or anything along those lines? Unfortunately the best thing I can suggest at this point is to carefully check your system for any software (including unwanted malware) that might be interfering with your web browsing.

Send me a PM with the full link, I’ll take a look and see if I can sort out what’s going on!

That looks correct… are you able to visit https://account.guildwars2.com/ in your browser?

Can you post the first section of the copied/pasted URL? (i.e. everything up to the .com or whatever)

Hi all,

First and foremost: please be aware that your accounts are still protected by the mobile authenticator at this time.

Here’s what has happened:

- We have been developing a “remember this network” feature for the mobile authenticator in line with the same feature used by email authentication

- This feature became active tonight during the planned maintenance updates

- For any account which has already selected to remember a network, the mobile authenticator will respect your existing settings

- This means that if you are logging in from a location that you permitted via email authentication, the mobile authenticator will not currently prompt you for a secondary code

Your account is still covered by the authenticator for logins from unverified locations.

This is the result of an oversight on my part and I’d like to apologize for any uncertainty and worry. We’ve double checked the systems and authentication is working correctly for unverified logins.

Unlinking the authenticator was temporarily disabled due to a configuration accident; this has been corrected and should work again.

For the moment we do not have a user interface for editing your “remembered” network locations. As a result, please be very cautious when selecting to allow new locations from the emails (or, in the near future, from the mobile authenticator login screen).

Thanks for bearing with us while we get the rest of the mobile authenticator features ready to go.

Account recovery requires us to strike a difficult balance.

We need to ask for information that you know, but only you should know; the easier those questions are to answer, the less secure the recovery process. However, the harder those questions are to answer, the less likely that our players will be able to actually reclaim their own accounts through that mechanism.

Obviously we want to protect accounts as much as possible, but we also have another real concern to manage, which is helping players get back into the game as quickly as possible. Account recovery has been carefully designed to be generally secure (in terms of the questions it asks) while still being effective for as many players as we can help.

The combination of serial code and character name has proven to be a very effective balance for meeting these requirements. Keep in mind that unless you are being very selectively targeted by an attacker, the odds of them knowing your character names and serial code are extremely small. Account recovery is secure in the face of anonymous mass attacks based on stolen password databases and so on.

At some point we have to draw the line. There is no conceivable set of hoops to make you jump through in account recovery that could not be compromised by a suitably dedicated attacker. The fact is that protecting your account is a cooperative effort – we are happy to do everything we can, but there are also steps that individuals need to take to protect themselves.

Securing your email address with a unique password is a good first step. (And I don’t mean just “password123” instead of “password” – something totally unrelated to your other passwords is a good idea.)

We are working on a “remember this connection” type feature so that you don’t need to provide a secondary code for recognized login locations. That should be available soon.

Additionally, we’re always open to feedback and suggestions for the game’s security features; if anyone has any specific ideas, please feel free to post them in the official feedback thread.

Thanks!

Thanks for your reply. For the record, I didn’t lock the other topic, and I’m not actually sure who did; my apologies for the confusion.

There are indeed a lot of bots, and this is something we are actively working on curtailing. In fact we’ve made some great strides in this area and hope to see some really visible results in-game in the next few weeks. Rest assured we take this issue very seriously and are working as hard as we can on getting it taken care of.

We keep close track on the number of compromised accounts and it is certainly not enough to explain the volume of bots in-game. Sadly, there are plenty of other sources for these accounts besides just stolen credentials; I can’t go into much detail beyond that, unfortunately.

I have no reason to believe that your personal security practices were at fault here; what we typically see is that it’s some third party’s security that is compromised, and account information is harvested from other services. If any of your passwords happen to be used in multiple online services, and one of those other services is breached, it is entirely possible for an attacker to obtain that password and try it against a multitude of services (such as GW2). We are aware of other services that have been compromised in the past and their databases of account information have been used to try and break into GW2 accounts. All it takes is one stolen database and everyone is suddenly at risk.

This is why we strongly encourage all of our players to select unique passwords for Guild Wars 2 and not reuse them for any other service. This is a good habit to be in generally, and for someone who is security conscious such as yourself, it’s a great tool to have in the arsenal against attackers.

Klarick.1682:

Hi Brian,

Thanks for the advice. Though, using the forum as a measurement of how many accounts have been hacked is not logical.

Although the number of issues reported via the forums is naturally smaller than the number of issues reported directly to support, the forums actually get a consistent proportion of our reports. It is perfectly logical to expect that if tens of thousands of people were being hacked every day that there would be more reports of it on the forums.

Klarick.1682:

ANet has sent thousands of emails encouraging people to change their password. I know this because ANet says so in this forum. There is a reason these mails were sent. Logic tells me that something has happened, on a very large scale, that prompted ANet to send those mailers out.

This isn’t quite accurate. We are not emailing people asking them to change their password; there is a small reminder that is visible when logging in to the game, but no emails to the best of my knowledge. The logic behind that reminder has been clearly explained here.

Simply put, we have security measures that are proven to help protect your account, and people with old or possibly compromised passwords are not protected by those measures. Changing your password will ensure that you’ve taken advantage of these features.

Klarick.1682:

I still believe they were hacked. All the big games: WoW and Rift to name two have been hacked. The likelyhood of ANet being hacked is high.

The likelihood is more or less irrelevant; the fact is that we have no evidence suggesting that our user data has been breached or compromised at this time. We would be absolutely up front with our players should this ever occur, and would emphatically not sneak around trying to cover it up with mysterious “please change your password” reminders or something similar ;-)

Klarick.1682:

What we need is an authenticator like: SWTOR, Rift, WoW, or pretty much every other MMO.

I believe this one has already been covered :-)

The launcher should open a maximum of two connections when permitted to do its job. What you are seeing is definitely not “by design” behavior, but then again, your “test” is not really testing what the game does under normal circumstances.

BiJay is absolutely correct. By blocking these connections you’re not just exacerbating the issue, but creating it; the game will attempt to connect to multiple different endpoints if one connection fails.

For the record, I see a total of 2 outbound connection attempts when running a similar test myself, without blocking the connections.

Also, the reason for the launcher’s resource usage is well known: it’s rendered at high framerates and the transparency blending effect is not computationally cheap.

Hi Beltaine,

In addition to Entity’s suggestion, can you tell me what type of phone you’re using? We’ve seen intermittent problems with the QR codes and any details we can get that help narrow down the issue would be highly useful.

Thanks!

International legal matters are extraordinarily complicated to begin with; and that’s assuming you’re talking about something that both countries involved consider illegal.

Fantasma Of Doom.2409:

Small update:

I can still log-in from this pc without that authorize log in mail…
My IP-adress has changed since monday. (just checked)

Am I missing something?

Depending on how much your IP changes, we might still consider it to be the same “location.” Chances are that’s what’s happened here.

This is simply a precautionary measure; since, as you stated, you changed your password before the blacklist came into effect, there is a chance that it is already on the blacklist as a known vulnerable password. In this particular case, that sounds exceedingly unlikely, since you used what seems like a strong password selection method.

Here’s the wrinkle: we can’t see your password (which is good for everyone). We have no way to find out how long it is, how complex it is, or anything else about it. All we know is the last date and time at which you changed your password.

This message simply checks that date/time, and compares it to the effective date of the password blacklist. If your last password change was prior to blacklisting coming into effect, you might see this message.

It’s only a suggestion, but if you have any concerns whatsoever about your password, we recommend changing it to be safe. The blacklist will ensure that nobody else knows that password (assuming you don’t use it anywhere else on the internet/etc.).

I just realized I didn’t actually say this in my post: I’ve gathered a list of accounts affected by this bug and reversed the account terminations. Everyone in this group should be good to go.

Hi all,

First of all, please accept my apologies for the turnaround time on this matter. As you are aware, this occurred on a Friday evening for us here at ArenaNet, and for hopefully obvious reasons that complicates the timing of things. However, I’ve managed to identify the origin of this problem and have taken steps to correct for it.

While I’m here, I’d like to address a few concerns that have come up in this thread.

First and foremost: we do not issue automatic bans based solely on player reports. All player reports are investigated and bans are issued where appropriate. There is no reason to worry about other players maliciously and falsely reporting you; our policy is to consider hard evidence, not simply anecdotal reports.

Secondly: identifying and solving this problem is a largely technical issue, and involves many confidential aspects of our systems. Please understand that we cannot detail the process that goes into working on issues like this because of their sensitive nature. I apologize that we cannot provide frequent updates, but the fact of the matter is that we face a difficult choice between spending time updating here and actually solving the problem at hand. I trust we can all agree that solving the problem itself should take priority ;-)

Third: the root issue behind this situation was a technical failure. Obviously I cannot go into detail, but the bottom line is that our entirely human reviewed banning procedure was conducted based on corrupt data. We review all evidence prior to issuing account terminations for tampering with the game; in this situation, our evidence was incorrect. I am actively working on improving our procedures to ensure we are less likely to make incorrect conclusions based on faulty data in the future.

Thank you all for your patience and understanding.

Hi all,

I’m investigating this situation. It’s not clear exactly what happened at the moment, but I will try to keep this thread updated as we learn more.

Thank you for your patience and understanding while we sort this out.

There is no time limit between scanning the QR code (or manually entering the secret) and entering the first numeric code. The server checks to see if your code is correct at the moment you click Submit.

If this is stuck and not accepting your numeric codes, there is a problem with the clock times someplace. It could be on your device itself, or it could be that our server is out of sync. The first thing to try would be to go into the Google Authenticator app, open the Settings menu, and select Time Correction for Codes, as detailed here.

If that doesn’t help, please do let us know, as we might need to adjust our server’s time window a bit to better align with the rest of the world.

Thanks!

I can’t think of any reason why guath4win wouldn’t work; if someone is up for giving it a shot, I’d love to know how it turns out!

The fix for the QR codes and account names is in the process of being deployed as we speak. It should be active well before the end of the day (PDT).

Setting the account name in the QR code to something more readily associated with GW2 is a great idea. I’ll make sure we do that, thanks!

I’m not sure off the top of my head of how using command line arguments would interfere with the use of the mobile authenticator; but that’s likely just because I can’t remember all of the command line options offhand ;-) If you find a combo that doesn’t work, please feel free to report it in the official feedback thread

For those who don’t have access to a smartphone, there are hardware devices you can purchase which support the same standard that we use. Just check for “OATH” or “TOTP” devices which comply with RFC 6238. Naturally, we cannot recommend or endorse any specific products.

This is just a reminder; it shouldn’t be taken as evidence that your account is in danger.

Also, please note that the warning may not disappear until after you close, reopen, and re-login to the launcher.

Any system that supports RFC 6238 should work with our authenticator implementation.

I’m showing that the account has been reinstated as of 10/05/2012 16:32 GMT (so basically, a few minutes ago). Please let us know if you have any more trouble getting back in!

I’ve checked into this incident and discovered that it was actually an oversight on my own part that led to your account being terminated after it was successfully reinstated. We will be taking measures to ensure that this does not happen in the future to other accounts.

My profuse apologies for the inconvenience, and thank you for bringing this to our attention!

We wanted to address some of the concerns around ‘botting’, and let everyone know what we’ve been doing about it, as well as our plans for continuing to tackle this issue.

Our monitoring of ‘bot’ activity has already resulted in over 1600 account terminations world-wide in the last week alone, and we are actively tracking the most common ‘bots’ in use, so that we can continue to eliminate them from the game. As we continue to gather information on these ‘bots’, we will be increasing the rate of account termination to remove them. Please continue to report players that you suspect of ‘botting’ – your support is much appreciated.

We are actively improving our means of detecting ‘bot’ activity in the game automatically. This includes tools for our customer support team to help them verify ‘botting’ reports and efficiently issue account terminations. Recently we have also hired a team of data specialists who will be helping us create more effective tools for analyzing reports of ‘botting.’

As a side effect, these efforts directly impact the operations of third-party gold sellers (and spammers). In conjunction with ‘bot’ removal we also take Real Money Trading very seriously and actively remove hundreds of gold spammers and sellers each day.

In short, we are fully committed to keeping this community free of bots and illicit gold sellers, and we very much appreciate your assistance in identifying and eliminating them.

Thank you for your understanding and patience as we continue to improve our ability to deal with this issue.

We’ll take a look at this and get it squared away.

Thanks for bringing this to our attention!

We of course have such limitations in place. The difficulty with that is that hackers have access to a virtually unlimited supply of new IPs to try from.

Usually it goes something like this:

- Joe Example signs up for SketchyWebsite.com and uses his “standard” password
– SketchyWebsite gets hacked or otherwise leaks their password data
– Hackers take this and recover Joe’s “standard” password
– They then may sell this data to any number of additional parties
– Someone decides to attack GW2, and acquires a large number of stolen account passwords
– They then proceed to use every single one of them to see if any line up with a valid account

The thing to realize is that there is a very active black market for stolen account information. The original leak may have nothing to do with video games at all; but the accounts are valuable, and the data can change hands any number of times before it finds its way to someone who wants to specifically hit GW2 (or any other online service).

Password strength is a complete red herring in most modern account compromises. Keyloggers also are a popular scapegoat but are actually not used as widely as some claim; the fact is that scraping the data from a keylogger to find passwords is actually very manual-labor intensive and not cost-effective for hackers.

The reality is that attackers are not using brute-force methods to obtain credentials. They already know the credentials, because they have them from other leaks and breaches from around the internet.

As the blog post states (better than I could), the problem is that people reuse their passwords/passphrases/magic tokens/etc. and that leaves them vulnerable to precisely this kind of compromise.

I think Crise already did a great job covering the mathematics behind password strength, so I only have this to add: the problem is that it is far easier to remember “correct horse battery staple” than it is to remember “MA4n4%$&7854kkn4q32kl2$(24cb” (which is the same length).

What we would like is for our players to select comparatively strong passwords (versus “twilight” which is weak in about every sense of the word) which they can remember easily. Mnemonic passwords like the 4-word example are much easier to handle as a player than cryptic “strong” passwords.

Our experience shows that if it comes down to choosing a traditional, “strong” password, versus something easy to remember, people will elect for what they can remember virtually every time.

If we can help players increase the security factor of their passwords without compromising the memorability, then everyone wins. That is the motivation behind the blog post.

It wouldn’t surprise me if your new “friends” were used for laundering your money and items. If you still have the contact names, can you PM me the display names of the accounts that you don’t recognize? I’ll investigate along with Customer Support to see if we can identify a pattern. It would be very useful for us to see if the hackers are using common mule accounts to gather money from hacked players.

We can also correlate the names you provide with our own watch-lists to see if they are known RMT agents.

Try running the game one time with the -diag command line option, as described here: http://wiki.guildwars2.com/wiki/Command_line_arguments

After that, run one time with the -log command line option, and grab the file called Gw2.log in My Documents\Guild Wars 2.

Post the contents of both files here and we’ll take a look and see if we can figure out what’s up.

Yes, please PM me your ticket number(s) and I will try and get it taken care of.

Thanks!

If you are specifically seeing a message about “hacking” or “tampering with the game” then this is a different situation from your account being compromised.

Regarding that specific message (i.e. hacking/tampering), there may have been a mistake with our security monitoring systems last night around the time that the nightly update was released. I am investigating the data from that time period to make sure that we aren’t locking out players without good cause. If I discover that this has occurred I will work with Customer Support to get those accounts reinstated as soon as possible.

Thanks for your patience while we get to the bottom of this!

The pause is deliberately short because we don’t want to interfere with people who legitimately need a minute to remember (or correctly type) their password. As I mentioned, we wanted to make sure that it doesn’t inconvenience people. So the rate at which you can “humanly” hit the login page won’t cause issues until you’re doing a substantial number of attempts.

Automated attempts generally have to be done at very high volume to be effective, though, and the rate limiting will hit those attackers much harder than it will ever hit someone who just retypes their password a few times on the login screen.

Obviously I can’t get too specific, but suffice it to say we are monitoring the rate of login attempts from various sources, and we have strong evidence that this system is hampering attackers precisely as we intended.

CAPTCHAs on logins are certainly an option, but creating one that is still human readable while being immune to computer cracking is extremely difficult. Even the best known methods are mostly broken, such as reCAPTCHA (which has an 80% crack rate at this point using a variety of attacks). Since we don’t have any experts to help create a strong CAPTCHA system internally, our general feeling is that we can do other things which have better bang for the buck so to speak.

Hi all,

I’d like to clarify our position on this particular question.

First and foremost – there is a rate limiting mechanism in place, which severely impairs the ability of automated attackers to brute-force account logins. We have carefully balanced this mechanism so as not to inconvenience legitimate users, while still presenting a substantial impediment to unauthorized account access.

Second, it is correct that we do not currently lock out accounts for failed login attempts. The reasoning for this is that if an attacker knows your email address, he can basically deny you access to the forums/game indefinitely by just logging in with bogus passwords every few seconds – something trivial to automate. This form of attack would be much more difficult to stop and create a much larger burden on customer support for resolving “locked account” issues.

Last but not least – we take security very seriously and are making every effort to ensure that our game and associated services are as trustworthy and safe as possible. We appreciate your feedback on these issues and welcome further suggestions regarding how to improve our collective safety.

Thanks!