Guild Wars 2

This is a great post, and I’m glad that Arenanet have responded.

I sometimes joke about the odd consistency of the various balance/content updates that we get for GW2, I made a somewhat unartistic comic about it to share with him last week which may be relevant:

http://i.imgur.com/tnbEY6k.jpg

Don’t get me wrong, I love this game and Arenanet but some of the updates are just bizarre in terms of priority, especially how long it takes to fix glaring acknowledged issues!

I agree that there is a problem, I’m just offering a solution for him to reasonably help with the fight without respeccing or buying another set of gear. Unfortunately all of these bosses are essentially zone events consisting of a maximum of 50 random players with random builds, so there’s very little control over whether you succeed or not. Maybe everyone there will by chance be a clerics guardian, maybe not. It’s not good design to make open world bosses require specific builds, which is why hardly anyone bothers killing tequatl and hardly anyone bothers attempting the triple headed wurm.

Unfortunately Arenanet, despite absolutely having statistics on how many people experience these bosses that they added, seem to be happy with it.

I accepted a while back that conditions are just bad in pve, and I think that’s a shame, and that the bleed cap is a big problem, but afaik Arenanet have never explained why it was added. People have talked about it being a bandwidth issue, but it should be fairly easy to use clientside prediction for bleed damage since the client knows how much condition damage you have and how many stacks you have on a boss, so as there is no condition mitigation in the game it shouldn’t need to know every tick damage of every bleed every second, which is what I heard the problem was.

However that could be completely wrong, who knows

However, necros can do decent zerker damage in pve so I just use that instead.

Hi,
I have played necro since day 1 of this game, largely using conditions although I have a set of gear for most builds. I have a full dire ascended set for wvw, and mostly for pve I use zerker dagger/wells.

While I agree that this boss is not especially rewarding to fight, you can easily help by simply equipping an axe and using skills 1-2, putting on signet of spite for the extra power if you don’t want to bother swapping out to a zerker set, and simply un-trait dhuumfire so you don’t burn yourself. Use the flesh wurm and bone fiend, and perhaps lich form for a bit of extra damage. All of these skills will work fine against the boss, you’ll barely damage yourself using the automatic bleed on crit skill even if you’re using full rabid.
Death shroud auto attack is another option you have, and won’t inflict any self damage. Building death shroud is easy using the staff auto-attack, which also won’t do any conditions to you, and you’ll get some life force if your minions die to the boss. If you find yourself taking bleed damage, use the blood fiend instead of consume conditions, which will heal you for around 900 every time it attacks, which is more than enough to make up for any damage you take, and also does a little damage too. You could even trait for minion damage since you have the slot unlocked as you have 30 in spite, which will help significantly as their damage is unrelated to your gear.

This build will work just fine!

Ascended dire gear is still very strong in wvw, so just because it doesn’t work in one boss fight doesn’t mean Arenanet hate you or zerker warriors are evil at heart.

You still do condition damage with zero condition damage, hover over your tooltip.
The ‘source’ only shows one player, presumably the last person to inflict it.

Your bleeds were overriding the bleeds of another player.

Hi,
I’ve posted this in the Tequatl forum, so sorry if this is not allowed, but it does concern the rest of the game too!

I play a Necro, one of the many powerful condition damage classes in the game. As you all know, the bleed stacks on any enemy in the game is capped at 25, which at decent condition damage is around 4000dps. This is a reasonable amount of damage for one player to inflict on a PVE boss, but it is not a reasonable amount of damage for 10 players to inflict on a PVE boss, or, indeed, 100 players. Poison does not stack intensity, nor does burning.
Let’s assume that a reasonable proportion of all the people fighting the boss use condition damage. Perhaps this is how Arenanet have balanced this fight. What if every player there uses condition damage? Most of them will be doing almost zero damage to the boss. Their bleeds won’t actually work, their burning and poison will be useless.
I heard that the reason for the 25 stack limit is because of technical limitations – something about having to tell every client the damage of every tick of every bleed they do. This sounds like an issue, but there has to be a workaround.
Surely all that the client has to know is their current condition damage plus how many stacks of bleed they have on the boss? They don’t have to be told by the server how much each bleed ticks for, because there is no condition damage mitigation in the game. I’m no coder so perhaps this wouldn’t work, but predicting (incredibly accurately) the bleed damage on the client seems to be a good solution to this problem, because this is not fair to condition damage players. You cannot just balance a PVE boss fight in this game around only having a certain number of condition damage users. Most of them are not doing any significant damage to the boss, and yet the boss presumably gains an equal amount of scaled health because of those players doing the event.
This is also the issue of which bleeds overwrite which, what if a warrior’s sword auto-attack is hitting the boss without much condition damage, what happens to the existing bleeds from someone with max CD gear?
Thoughts, anyone else, or with any luck someone from Arenanet?

Hi,

I play a Necro, one of the many powerful condition damage classes in the game. As you all know, the bleed stacks on any enemy in the game is capped at 25, which at decent condition damage is around 4000dps. This is a reasonable amount of damage for one player to inflict on a PVE boss, but it is not a reasonable amount of damage for 10 players to inflict on a PVE boss, or, indeed, 100 players. Poison does not stack intensity, nor does burning.

Let’s assume that a reasonable proportion of all the people fighting the boss use condition damage. Perhaps this is how Arenanet have balanced this fight. What if every player there uses condition damage? Most of them will be doing almost zero damage to the boss. Their bleeds won’t actually work, their burning and poison will be useless.
I heard that the reason for the 25 stack limit is because of technical limitations – something about having to tell every client the damage of every tick of every bleed they do. This sounds like an issue, but there has to be a workaround.

Surely all that the client has to know is their current condition damage plus how many stacks of bleed they have on the boss? They don’t have to be told by the server how much each bleed ticks for, because there is no condition damage mitigation in the game. I’m no coder so perhaps this wouldn’t work, but predicting (incredibly accurately) the bleed damage on the client seems to be a good solution to this problem, because this is not fair to condition damage players. You cannot just balance a PVE boss fight in this game around only having a certain number of condition damage users. Most of them are not doing any significant damage to the boss, and yet the boss presumably gains an equal amount of scaled health because of those players doing the event.

This is also the issue of which bleeds overwrite which, what if a warrior’s sword auto-attack is hitting the boss without much condition damage, what happens to the existing bleeds from someone with max CD gear?

Thoughts, anyone else, or with any luck someone from Arenanet?

I’d just like to add there are various fights which also are “bugged” in that they completely screw players who choose condition damage, including the dredge fractal boss (debuff for massive damage doesn’t affect condition damage).

okay, thank you!

I have a total of +100% condition duration on my necro, and with or without this trait, my <600 distance fear is 3 seconds long, double the 1.5 second base.
Shouldn’t it be more like 3.75 if I have this trait, with +100% condition damage?

I’ve tested what you said and it is completely true, but from what I can tell, this trait is not stacking with something that I’m using to increase fear duration.

Hi,

This trait is supposed to increase fear duration by 50% (of base). As far as I can tell, it has never worked. I’ve tested it several times since release, and it neither increases the tooltip duration of your fear skills, nor the actual duration of the condition itself. Can anyone else please confirm this?

Supposedly a lot of builds posted on forums include this trait, which is baffling if it doesn’t actually work in the first place. Perhaps I’m missing something, I hope so!

I am happy to help you learn the long-lost art of clicking on waypoints in other maps. Truly those of us who do this absolutely consider ourselves fearless.

Blacktide could probably put up more of a fight if their primary alpha super amazing WvW guild actually left their borderlands. However, I do sympathise as there are a lot less friendly guards to snuggle up to in EB and opposing borderlands! I can absolutely respect their devotion towards protecting the right honourable Veteran Sentry, as it is worth far more WxP than actually killing players and taking camps and towers in other maps.

Hyung.6140:

athuria.2751:

It wouldn’t even be that big of a punch of it was something that only hit Phantasm recharges but IC affects so much more (Phase Retreat, iLeap which remember is buggy as kitten, Mirror Blade, etc), so it punches our main mechanic and a lot of our weapon’s utility by stretching them out. Anyone using Decoy (Or Mirror Images, if anyone not a shatter build does that) just got a longer CD on it as well.

Yep, I absolutely agree. It’s more than a straight up damage nerf. 5 points in Illusions was always a complete necessity for mesmers, now 25 points in Illusions is a necessity.

Yay diversity! \o/

athuria.2751:

shimmerless.4560:

It probably wasn’t intended that you’d get fantastic uptime on phants without speccing into Illusions. My real worry is that Celerity is still too integral to the class because almost all of our weapon skills and utils are tied to clones.

If only the Illusions line wasn’t otherwise by and large useless for Phantasms. Even Haste is a give or take since it doesn’t even work properly on a lot of them. \o/

Exactly. There’s a reason most phant builds only go 5 into Illusions. Putting 25 into Illusions basically means it’s not a phant build anymore…

I have a mesmer which I’ve played extensively and I’ve never had to put any points into illusions. I think it’s a trait that is overrated, and the other trait lines have so much potential if you look outside the box.

I haven’t played WvW though, maybe it’s different there?

Hi,
I’ve noticed for a long time now that condition damage is not affected by the various percentage increases you can get, and I’d like to know whether or not this is intentional or if it’s likely to be changed, because to a necromancer and presumably any other class that uses condition damage, it doesn’t make sense.

The various things I am talking about include:

Sigil of Force – 5% damage on weapon
Close to Death – http://wiki.guildwars2.com/wiki/Close_to_Death – 20% damage bonus on targets below 50% health. This trait is in the power and condition duration line, so it’s ridiculous that it doesn’t actually affect most of our damage unless we’re using an axe or a dagger.
Strength of Undeath – http://wiki.guildwars2.com/wiki/Strength_of_Undeath – 5% more damage if above 90% health.
The bonuses that are given by speccing into guard offence for WvW, again, give a percentage damage increase against guards.
Infusions for the ascended gear include WvW influsions, which increase damage to guards by 1%.

It’s also notable that none of these things affect minion damage, which is more likely to be intentional than the previous, but as necros generally either do condition damage, minion damage, or basic damage, having all of these buffs only affect basic damage, which essentially means anything other than an axe or a dagger mainhand is unaffected, is not great.

I’m sure there are many examples in the other classes that use condition damage where many of your traits do not affect what could be the main source of your damage. Is this something that you’ve done by design, Arenanet, or is it simply an oversight that’s never been fixed?

All of these nice % increases that are available via traits or the WvW abilities should be available to any class regardless of how they want to deal damage, shouldn’t they?

I apologise if this has been brought up before, but the search option wasn’t being very helpful and didn’t seem to find things that are on the front page let alone anywhere else!

I don’t wish to cause offence but if you haven’t tried any form of pvp in GW2, how can you compare the tactical depth of it to GW1 pvp? They are completely different games, both in terms of skill and strategy, GW1 was all about your choosing your skills, not necessarily executing them.

In GW2 every player effectively has two seconds of invulnerability while dodging, and this can be used to great effect to avoid certain enemy attacks, which is just as useful in PVP as it is in PVE. If you can dodge the cripple, chill, or knockback of a ranger, they’re gonna have a lot harder time kiting you. Mobs don’t do this, so they are completely trivial.

Malcastus.6240:

I am more upset about the “craft 10 items” part. That is the only one making you use the materials at your disposal against your will, so to speak.

What if people wish to sell the materials, or MF them into higher tiered things? Not everyone has the need to craft and you are FORCING them to do so. That really annoys me. 280-310 items I need crafting in a month, without me needing or wanting to. There are also players out there that sell most of the materials they find.

It has become much more of a nuisance, but of course there are prices at the end to be had. Still, it bugs me they would do such.

Bring back the diverse kills instead of the crafting part.

This includes refining logs into planks or ore into bars, which does nothing to reduce the value of the item if you wish to sell it on the trading post.

Penny.1095:

Toothy.8640:

I sincerely hope that I never end up in a group with anyone here who does not seem to consider dodging attacks as part of their standard gameplay – you are either doing nothing but farming completely trivial mobs all game or one of those players who gets downed by incredibly obvious slow hammer attacks from the archdiviner or gets pulled in by Kholer.

As for reviving teammates, it doesn’t have to be from deaths – just do a few dungeons with randoms or play some WvW. I can understand being annoyed by the combo field one, because that takes a little coordination if your class is not combo laden, but dodging? Seriously? The one remotely skillful element of the game and it’s considered a burden by mmo players.

Just another thing to add – it seems like some of you think it means 15 consecutive dodges? To get this achievement, you have to find 1 mob mob in the entire game world of Guild Wars 2, and dodge it 15 times. You know, if for some reason dodging isn’t part of your normal playstyle…
It does not affect anything you may or may not do with other players, why can’t both of you dodge the same mob? They swap agro all the time!

I sincerely hope I never wind up in a group with someone who doesn’t understand how powerful and potent a truly exceptional ranger can be. As several others have pointed out, good rangers believe a simple mantra – if you’ve been hit or taken aggro, you’ve screwed up. Do better next time.

I find it incredibly unnatural to let anything get me in range; I use my pet, I use my head. I don’t face-roll a bunch of “pound-em” skills and then evade/evade/evade while they swing at me. Your assumption that I farm mobs or play low is not only wrong, it is insulting.

Dodging doesn’t take skill, my friend. It takes the ability to double-tap a key. Setting up a fight with the entire field in mind, with the sense of the motion of the mobs keeping you on your toes, with a strong sense of how to balance your attack against your pet’s attack, and with the stated goal of walking away from a massive, uncontrollable, mob scene without so much as a smudge on your jerkin…. nowTHAT takes skill.

There is no player in the world that can keep a reasonable player out of melee range in pvp indefinitely, considering all melee classes have a guaranteed way to close ground at least once. Similarly, all ranged classes have the ability to fire at you from just as far as you fire at them, presumably if you pvp at all you’d have to avoid some of those attacks?

Keeping mobs out of melee range is admirable, but there is no ‘agro’ system in Guild Wars 2 like in other mmos – no matter how good you are, or how smart you play, you will get targetted by mob or boss attacks sometimes, and some of these attacks will be ranged.

Just a quick example, what if a thief stealths and makes his way towards you, then starts spamming heartseeker (as they generally do). Presumably you roll then? What if you want to skip some mobs in a dungeon, like CoF1?

Comfort zones? Interaction? All of these dailies can be done in no time at all, by yourself. I’d be delighted to hear which one you are having difficulty with!

I sincerely hope that I never end up in a group with anyone here who does not seem to consider dodging attacks as part of their standard gameplay – you are either doing nothing but farming completely trivial mobs all game or one of those players who gets downed by incredibly obvious slow hammer attacks from the archdiviner or gets pulled in by Kholer.

As for reviving teammates, it doesn’t have to be from deaths – just do a few dungeons with randoms or play some WvW. I can understand being annoyed by the combo field one, because that takes a little coordination if your class is not combo laden, but dodging? Seriously? The one remotely skillful element of the game and it’s considered a burden by mmo players.

Just another thing to add – it seems like some of you think it means 15 consecutive dodges? To get this achievement, you have to find 1 mob mob in the entire game world of Guild Wars 2, and dodge it 15 times. You know, if for some reason dodging isn’t part of your normal playstyle…
It does not affect anything you may or may not do with other players, why can’t both of you dodge the same mob? They swap agro all the time!

Xia.3485:

Dunyas.8043:

You actually bring up a good point. But it’s not PC I’d be worried about. Using a compromised machine requires that it be on. I think something else people may be over looking is their router. If your system is compromised, it would take no time at all to set up a VPN on your router. Most people shut down a PC when they are done using it, they wouldn’t unplug their router. Making sure that your routers security is good would be important as well. Don’t use a default password for logging in and such.

Once they have access to your file system, they can grab your game settings (which includes your auto-login) and your email client files and your browser cookies. With those they have access to your login information and your emails. Possibly your serial code for GW2 too (too lazy to check). All they need is to wait for your machine to be on to use it like a proxy to swindle your account.

Anyone who uses auto-login, for the game or anywhere on the web, is begging to be hacked.

You don’t need to be an IT pro to do it either. Just install the game and copy over the other guys settings. Or install the same email client and copy over the other guys details. etc etc.

Seriously A-Net, disable the auto-login option. Make sure the password is never stored on the machine. Make sure the serial number isn’t stored on the machine either (don’t know if it is, but it better not be). There should also be an authenticator service in the form of an iOS and droid app as well as a stand alone device you can sell. IP address detection is a good step, but its far from being enough.

If they have access to your machine they can log your keystrokes anyway?
Please don’t write things as fact when you haven’t thought them through!

Why would they have access to your cdkey? Why would it be stored considering it is only used to create your account?

Poxy Violence.3782:

So here is what happened to me just about 3 hours ago. First, I have an email and password dedicated to GW2 and nothing else. I also have the mobile authenticator enabled. I am 100% sure there are no trojons, or keyloggers on my computer. I logged on this evening and was put into a Lions Arch overflow server. I was standing at the bank when I was asked to ping my Twilight in /say, which I did. About 1 minute later I was disconnected to the character select screen, I jumped back in the game and was disconnected almost instantly. Jumped back on, disconnected again but this time a message popped up saying something along the lines of the account being used from another location. I immediately went to the account management page and tried to access my account but of course my password had been changed. I was able to reset it to a totally never before used password and log back on. In a period of maybe 3 minutes the hacker had got all my gold, t6 mats, and a good bit of my other mats. Of course when I logged back on I imagine the hacker got kicked to the character select screen and so we battled for control back and forth for a few minutes. Here is the strange part tho, once I stopped getting kicked I went to log into account management only to discover my password was changed again! Within maybe 8 minutes of me setting it to a totally unique password the hacker had changed it! This time I was unable to reset it and created a support ticket. Support was able to help me get control of the account again but I’m not at all sure that it will stay that way considering how quickly and easily it was hacked in the first place.

Most of the people who have been hacked in this thread have had it done via support tickets. If they kept changing your password like that, it sounds like your computer has been infected with a keylogger. However, it doesn’t make sense if you’re positive you had the mobile authenticator enabled, unless they used said keylogger as a proxy somehow, which would fit in with one of the posts above who said he had mobile authentication enabled and lived alone and yet his account was hacked without any other IPs accessing it.

Thank you for contacting everyone Gaile, the restoration is definitely a long-awaited thing that I’m sure everyone is very pleased out.

One thing though, even if the accounts are restored, there is still the issue of how they were compromised. If someone does not know why it happened, they cannot be sure it won’t happen again, and a few people in the thread have not had their emails compromised and some even bought the game retail.
If Arenanet can find out how it happened, could you please post the results? People definitely have a right to know if their computer is not secure, and if Arenanet cannot find any problem with the tickets, ie. the cdkeys WERE provided, that means these people could have vulnerable computers or email accounts. However, I still cannot see any way these hackers could have provided the cdkeys of people who bought the game retail, that would indicate their house was broken into or they’ve had a keylogger on their pc since the game was released. Either way, they should be told to what extent they have been compromised.

Cyrus.8261:

Iruwen.3164:

If you have spyware on your PC, it’s probably gonna log the game authentication too. If the forum is using the same authentication backend, which it probably does, this is purely a frontend problem which can be solved for the most part by using TOTP two-factor authentication, which definitely everybody should do. It seems reliable considering it has been available for a longer time now and I haven’t heard of any fundamental issues with it so far.

There is a big issue with the two-factor authentication: You don’t get prompted for a code when you log in from an authorized network. You don’t need the two-factor to authorize a network. That makes it easy to bypass when the hackers manage to change your email address, which appears to have happened in the cases in this thread.

I thought you needed to login to authorise a new network?

People have been hacked who are using mobile authentication. If someone finds out their key, which only Arenanet and their phone have a copy of, it wouldn’t necessarily stop you logging in now, would it.

Gaile Gray.6028:

Irontodge.9524:

Thanks for the quick response Gaile.

I understand and appreciate how the tool may not be backward compatible.

I wont hold high hopes for recovering my deleted characters to save dissapointment, however, if at the time it is possible it would be awesome.

Dawn wasnt cheap and I am going to have a tough time collating the gold for it again!

I admire your good attitude, and thank you for it! Believe me, I love my characters and I truly do sympathize with the loss that you’ve gone through. (I won’t go into the whole "The first time someone PKd my Diablo II character, I cried, but I imagine if I did mention that, at least a few people would understand. )

It’s my dream we can reset qualifying accounts and I’m hoping that is what we find we can do!

Please do forgive me if I’m wrong but wasn’t PKing in D2 more or less consensual? You didn’t have to play it online, whereas if these people have lost their accounts without actually doing something wrong (which only Arenanet will be able to find out) it’s a little different, even if it is the same grade of loss!

It’s definitely awful to lose a character either way but imagine if you’d been pked by someone while playing in singleplayer, somehow :/

If neither of you stored your cdkey, either the GMs changed email without asking for or checking the cdkey given, or someone has found a way to steal your cdkey ingame, which shouldn’t be possible at all since it’d be insane for cdkeys to be transmitted at all once the account is created.

Neither of these options seem likely :/

Perfectxshot there are various emails which allow you to check the login history of the email account. People aren’t just saying ‘oh, they didn’t change my email password so it wasn’t compromised’. Also, at least one person got hacked who bought the game retail, so his cdkey was never stored online.

I don’t know how relevant the French part of this is, but I assume that most of the tickets are being looked into by Arenanet and they are making absolutely sure that the cdkey was provided in the case of these accounts being stolen.

However, a few people have said that they bought the game retail and thus there is no way the cdkey can have been provided unless they have found some way to get it.

Could Arenanet please make a statement that the tickets are being looked into?

Also, asking people for things like character names and codes seems strange because they are both freely available. Why not add a security question someone can choose for customer support to ask them?

Could someone from Arenanet please confirm that changing email via a support ticket does not remove the mobile authenticator, otherwise this is ridiculous.

If they got your account email changed but couldn’t log in to unlink your authenticator, that seems like they did use a support ticket, because it still requires your authenticator to approve the new IP address used to log in.

If they are using support tickets, Arenanet, imo, have a responsibility to tell players what information is being provided by these people to get the account email changed – if it includes the cdkey, then something is seriously wrong, because some of them are saying their email has not been compromised, by IP checking.

The most basic thing to establish is this – are they hackers using a support ticket to change the email?

If they are, and they are providing arenanet with the cdkey WITHOUT the victim’s email being compromised, then something is massively wrong.
If they are stealing an account which is protected by mobile authentication without the victim having their phone stolen, something is also massively wrong.
Please arenanet, look into this asap and tell us. Just tell us so that people are not feeling massively insecure and worried.

If they are changing the email without making a support ticket, and the account is verified, something is also massively wrong.
It should be simple to get an answer from customer support as to WHY they changed email and what information was given to them.

I’m curious to know if anyone has had their account stolen who has mobile authentication on. If they are, this means either there’s an exploit in the system somehow, or they have had their phone stolen?

A fair few people from Surmia have been hacked now, and it seems like a strangely bizarre coincidence – some of them used the surmia forums, some did not, and I think they all had their accounts stolen using a support ticket. This is a bit worrying and I hope they can get some straight answers from support as to how exactly their accounts were taken with the initial ticket.

I’m not an expert on keyloggers but I’d assume if they log keystrokes they can probably also log anything that’s been put in your clipboard. However if the hackers are using support, they would not need your password at all, they’d need various other bits of information, which they shouldn’t be getting without access to your email account. However, if any of the people have not had their email accounts breached (gmail keeps an IP log) then I cannot see any possible way support are changing email addresses based on what should be no more than a character code and a character name, and possibly an email address if some other forum got hacked. This can’t be enough for Arenanet to do it, so what is going on?

I know of a couple of people on our server who were hacked, and none of them have reported suspicious activity on their email accounts (gmail keeps an IP login history). If you cannot change email on the website, they must be doing it using support tickets. It’d be fantastic if Arenanet could look into the original tickets which resulted in the accounts’ email being changed, and try to see if anything is fishy.

Can anyone else confirm that standard email change function is currently not working?

Hi,
I apologise profusely as I realise you are very busy, but I wanted to post a followup question on my thread which you answered an hour ago. I do appreciate the response!

I’m delighted to hear that the GMs do request more than the account key, and I see now why asking for payment information has problems. The thing is, my friend WAS only asked for his cdkey. It is of course possible that the GM would ask for more as a followup, but it doesn’t make sense to not ask for it all initially – why would they ask for a cdkey, then more information later on? When I’ve contacted customer support before, they have asked for as much information as possible, and given a variety of examples like character names.
If there is no email change function on the account website, which there currently is not, then these stolen accounts must be lost via customer support. I completely understand that if their email is compromised then their account is lost either way, so is the explanation that the account is being lost by information being provided such as cdkey, character names, account creation date? If this is the case, then I guess it all works out and it’s something that is unavoidable as long as people allow their email to be compromised. The only thing I’d ask is if players are allowed to ask customer support for details of how their email was changed in the first place, and which information was provided by the hacker – this could help them a great deal with avoiding it from happening again in the future!
I hope this message does not seem rude,
Thanks,
Alasdair.

Hi,
I’ve read a fair bit about a number of people who have had their accounts compromised recently, and it has actually happened to a friend of mine, yesterday. His password was apparently not all that strong, however it’s not something that could reasonably be guessed or brute-forced, and he doesn’t use it for anything else on the internet. He scanned for a keylogger, and his hotmail account does not have an ip login history.

Like a few other people I know of, he received an email from Arenanet saying that his account email had been changed. Now, there is no option to change your account email on the account website. This means that regardless of what he’d lost, be it his password, his email account, which would be required if the hacker wanted to log in and approve a new IP address – none of this matters, because there is NO option to change email address on the account website at this time. It has not been on there for a few days at least, because someone who made a trial account pointed this out to a guild mate.

Basically, this means the only way someone can change the email address for your account is to make a support ticket and provide enough information to convince customer support that you own the account. I don’t know what information this is, and this is where my theory will hopefully be answered.

My friend, who did get his account back (albeit with no items, as they have no tools to do so yet, I hope they add them asap!), was first asked for his cdkey. If you bought the game online, this was emailed to you, and most people probably kept this email in case they ever needed the key again. I HOPE that this is not sufficient for customer support to decide that the account belongs to the person making the ticket, because if a hacker has got access to your email login, which they often do in such cases, that means they also have your cdkey, as it was mailed to you!

I think that in order to request ownership of an account, Arenanet should demand proof of purchase in the form of the payment details. This may already be the case, in which case this thread is pointless, but they DID ask him for the key, and if all a hacker needs is a key, which can be found inside an email, this is a massive security flaw.

I realise that if they had access to a player’s email account they would be able to steal everything anyhow, but as there is no email change option on the account website, this must be how they are doing it. This other other option is that the link to change email was removed but the functionality remains there and the url was used directly.

To summarise, please consider changing your policy so that a player has to provide some form of payment information (address or ccv number) in order to get control over the account back from customer support.

I hope this does not get deleted, and I hope that people can ask customer support how it happened, because although they were excellent and prompt with regard to giving him his account back, he did get a pasted response afterwards when he asked how it happend with general security advice.

I’d also advise players to keep a record of the cdkey elsewhere and delete the email, if this does prove to be the case.

I did look for a way to contact Mike O’Brien about this, as his article on account security was excellent, but I couldn’t find any contact details.