Showing Posts For Natteferd.5097:

Master E-Mail (Counter Hacking)

in Account & Technical Support

Posted by: Natteferd.5097

Yes it is true what you say.
I still find it hard to believe they are bruteforcing, as this would take hours upon hours to break just 1 password; last weekend there were about 10 000 new tickets if I remember correctly, mainly hacked accounts. So most likely they have gathered this info elsewhere.

Regarding https://account.guildwars2.com/recovery
This is only usable if the hacker has not changed your e-mail, which is the first step they seem to take. That's what I want them (Anet) to change: give us the possibility to restore our accounts based on some other info than the e-mail, or give us the ability to restore our account e-mail.

Master E-Mail (Counter Hacking)

in Account & Technical Support

Posted by: Natteferd.5097

Yes, I have seen this before and however much I’d like to believe this is a safe measure, it isn’t.

People use easily compromised email addresses as their master address without thinking twice, resulting in a very serious security concern.

ArenaNet is already using the game's serial as a recovery method; this serial should not be stored in your email address where most of us first got it. It should be copied and stored in a safe vault, and the email containing it should be deleted from the mail server.

That way you should be 100% in control of your account, even if it were to be hijacked.
You can recover your account by using account name, serial and a character name on your account.

Now that last part of the verification process (character name) is a weak leg and should be replaced with either card number, personal secrets, or phone verification (do you hear, ArenaNet?).

Hmm, not sure if I agree with that 100%.
My e-mail has a unique password and I got hacked. I'm thinking that the majority of the hackers don't target the e-mail address; they'd be stupid not to change the credentials of the mail account as well, or at least remove the mails sent by Anet stating that the e-mail has been changed, to further delay the recovery. They might be too stupid for this though.
I can admit I used the same password for GW2 that I have used for other games and services (such as Twitter and Dropbox). Lesson learned!

I have never had a compromised account before; my Microsoft Essentials had not reported anything suspicious. I have since this incident added multiple layers of security that actually caught some spyware/malware, so I think this is one of their ways in.

The strange thing I find is all the reports of compromised accounts that assert that they have had unique passwords for both e-mail and GW2, pointing towards a breach at Anet. I'm relatively sure they aren't bruteforcing their way in (in some cases they seem to, but it seems like they already have your info when they try to access your account).

Regarding the statement of having the serial secured, this is very true, but you won't be 100% in control of your account, as when Anet asks for account name they in fact mean e-mail. If the e-mail is changed you're 0% in control. I think you are confusing display name and account name?

Anyway I think this solution is still very much valid, as everyone still seems to have access to their e-mail accounts. If this feature were implemented right now I could just reset the e-mail and change passwords for both mail and GW2, solving thousands of tickets of hacked accounts and preventing more tickets with issues of gear and money gone.

If their system is anything like a normal account database this is a very quick fix.
I'm sure one of the seasoned experts at Anet could get this system rolling in a local test environment in a matter of hours. I see no downsides to trying this.

Thanks for the feedback; keep discussing any further ideas to improve the support, it's better than just pressing F5 the whole day.

(edited by Natteferd.5097)

Master E-Mail (Counter Hacking)

in Account & Technical Support

Posted by: Natteferd.5097

@marcusbash.8642
Thank you, hopefully we will receive a response on this.

Master E-Mail (Counter Hacking)

in Account & Technical Support

Posted by: Natteferd.5097

So in all this madness, I as an amateur web developer am wondering why you have not implemented a master e-mail table in your account database.

Example:
1. Make a new table in the database; “gw_mastermail” we will call this table. (Here the original e-mail that we registered the product with will go, and the users can't change this in any way.)

2. Make the users understand that the e-mail they register the account with will become the master e-mail. (This can only be changed via support; however, users can still change their active e-mail address as they do today.)

3. Add this option to the Recovery so we have the ability to choose:
1 Recover Password,
2 Recover E-Mail

When a user requests an e-mail restore, you grab the data in table “gw_mastermail” and write it to the active account e-mail.

If the original e-mail address is completely gone from your database when accounts are hacked, I'm sure you have logs to grab the original e-mail addresses from; just shell script it and add it to this “gw_mastermail”. I'm pretty sure that I myself could have done this in 1 day. Just make a copy of the current database and run local tests.

Also don't forget step 4:

4. Just watch as thousands of tickets automatically get resolved.

Please give us some feedback on your thoughts on this at Anet.

Thank you for your time, hope you are working on something like this or that I maybe gave you an idea to how to solve some problems.
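As an added example (not code from this thread, and not ArenaNet's), here is the design proposed in this post and in the earlier reply about resetting the e-mail, sketched in Python with sqlite3: a gw_mastermail table filled once at registration and protected by a trigger against application-level edits, plus a "Recover E-Mail" step that copies the master address back over the active one and flags the account for a password reset. Table layout and column names other than gw_mastermail are assumptions; the serial/identity checks the thread discusses are assumed to happen before recover_email is called.

```python
import sqlite3

# Constructed schema for the proposal: gw_accounts is what users can edit
# today; gw_mastermail keeps the registration e-mail and is user-immutable.
SCHEMA = """
CREATE TABLE gw_accounts (
    account_id   INTEGER PRIMARY KEY,
    active_email TEXT NOT NULL UNIQUE,   -- changeable by the user (and a hijacker)
    must_reset   INTEGER NOT NULL DEFAULT 0
);
CREATE TABLE gw_mastermail (
    account_id   INTEGER PRIMARY KEY REFERENCES gw_accounts(account_id),
    master_email TEXT NOT NULL            -- e-mail the product was registered with
);
CREATE TRIGGER gw_mastermail_immutable BEFORE UPDATE ON gw_mastermail
BEGIN SELECT RAISE(ABORT, 'master e-mail can only be changed by support'); END;
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def register(conn, email):
    """Registration writes the e-mail to both tables; only gw_accounts stays editable."""
    cur = conn.execute("INSERT INTO gw_accounts(active_email) VALUES (?)", (email,))
    conn.execute("INSERT INTO gw_mastermail VALUES (?, ?)", (cur.lastrowid, email))
    return cur.lastrowid

def change_active_email(conn, account_id, new_email):
    """The normal 'change e-mail' feature: this is what a hijacker uses first."""
    conn.execute("UPDATE gw_accounts SET active_email=? WHERE account_id=?", (new_email, account_id))

def try_change_master_email(conn, account_id, new_email):
    """Returns False: the trigger refuses edits of the master e-mail through the app."""
    try:
        conn.execute("UPDATE gw_mastermail SET master_email=? WHERE account_id=?",
                     (new_email, account_id))
        return True
    except sqlite3.DatabaseError:
        return False

def recover_email(conn, account_id):
    """Option '2 Recover E-Mail': copy the master e-mail over the active one and
    flag the account so the owner must set a new password via the normal reset flow.
    Returns the restored address, or None if no master record exists."""
    row = conn.execute("SELECT master_email FROM gw_mastermail WHERE account_id=?",
                       (account_id,)).fetchone()
    if row is None:
        return None
    conn.execute("UPDATE gw_accounts SET active_email=?, must_reset=1 WHERE account_id=?",
                 (row[0], account_id))
    return row[0]

def account(conn, account_id):
    """(active_email, must_reset) for the account, for inspection."""
    return conn.execute("SELECT active_email, must_reset FROM gw_accounts WHERE account_id=?",
                        (account_id,)).fetchone()
```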