We were able to speak with Sean Neil, Associate Producer of Aion, and Lance Stites, Executive Vice President of Game Operations and Production at NCsoft West, to bring you the scoop on this new system.
Join us past the cut to hear what they had to say.
Lance Stites: The implementation of this system in Korea did result in a very significant decline in hacked accounts. Keep in mind what "hacked" usually means -- phished or compromised by a Trojan horse. Our new PIN system is effective because it is integrated into the game client, whereas other web security systems that prompt players to enter name and password for account management could be recreated by those wishing to dupe players into sharing those credentials. Additionally, our PIN system requires players to enter the PIN via mouse input only, so it is less susceptible to key loggers.
Sean Neil: We're just starting to gather the data from the launch last week, but our Game Surveillance Unit has already seen marked decreases in active account hackings. We specifically timed this release right before the Aion Reactivation 10-day event so that players that had been taking a quick break from the game could log in and set their PINs.
Do you have quantifiable data as to how much this new measure actually increases security percentage wise?
Sean Neil: Like I said, we're only a week into it, but judging by Korea's experiences and what we've seen so far, this secondary Character PIN system is having a marked impact on our compromised accounts.
Why was this particular route chosen rather than something like the Blizzard authenticator?
Lance Stites: An authenticator is still a functional security system, but we wanted something that we could roll out for everyone to ensure a fun and safe gaming experience for all of our players. We have a team that's already working on our next generation authentication platform that'll further enhance our security measures, but that'll come in a future update.
When it comes to implementing additional security, many feel "the sooner, the better"; why the delay between implementing it in the Korean version of the game and the Western version?
Sean Neil: Similar to other aspects of the game, we wanted to localize and test the system to ensure a seamless release – remember, we localize every aspect of the game in the west. We also needed some time to integrate the system into our billing, which is different from Korea's system, so that players would be able to manage their PIN without having to send in tickets and wait for responses from our Customer Service team. With something this sensitive, you can't "kinda" do it. You have to implement it right the first time.
There are instances of gamers who, for whatever reason or disability, cannot use a mouse. Will these gamers be able to access Aion in order to play? For instance, is there a way an individual account holder can request this feature to be turned off, or is there another type of work-around?
Sean Neil: Any type of pointing device will work, as you do have to click on the on-screen number pad with a cursor. This was a specific design integration we implemented to target keyloggers. As an additional preventive measure, the numbers re-arrange themselves every time you log in to the game in order to prevent mouse-tracking software from obtaining a player's PIN. Currently the system is not optional, and players cannot opt out.
Are there other security loopholes [besides keylogging] that have been addressed?
Lance Stites: While this should definitely greatly improve protection against keyloggers, it's also helpful against phishing. There are a few other cases where I could see this being helpful, but I'd rather not give anyone ideas they've not already considered.
Besides not sharing their account information, what other measures can players take to increase security on their end?
Sean Neil: Always use unique passwords that you do not use for your email or logins for forums, websites, etc. Never share information with anyone, in-game or via email, who says they are an NCsoft employee. NCsoft staff will NEVER ASK FOR YOUR LOGIN INFORMATION TO VERIFY YOUR IDENTITY.
Lance Stites: Always be certain of the name in your address bar on your browser. The bad guys will duplicate a website and change a single character, say an "l" to a "1," then ask you to log into "your account" to claim a free gift. Using a level service or using RMT can also create vulnerabilities -- I've seen many sites advertising these services that deliver Trojans. Be careful to change your password frequently, and never use the same user name/password on a fansite as you do your game login -- I know of a few cases where the fansite's database was compromised and the bad guys churn through until they get a successful hit. Players can visit the PlaySmart page on our website (http://us.ncsoft.com/en/playsmart/) for additional preventive measures.
This feature states that anytime the game is launched from desktop, the PIN will be required to log into a character for the first time during that play session. There have been cases where a player was actually kicked offline by someone launching their account on a different computer. This PIN will then be required at the unauthorized attempt to log in, correct? If the player has this happen and contacts NCsoft immediately, is there a way for NCsoft to note where the unauthorized attempt came from to take action against the unauthorized user?
Sean Neil: Yes, any computer that logs in will be required to put the PIN in before allowing that computer to proceed past the character selection screen. Our Game Surveillance Unit is able to investigate many factors in determining whether an account is being accessed by the original owner. But we don't want to tip our hats too much, so I'll leave it at that.
Many players have expressed appreciation for the new feature, even if it delays their entrance into game by a bit. What negative comments have been expressed about this new feature and how do you respond to these concerns?
Sean Neil: We have seen very few negative complaints. I think it's pretty obvious from looking through past experiences that getting an account stripped then waiting for a restoration is the least optimal experience for any player, and I think our players see any extra step to avoid that frustration as a welcomed feature.
Do you think future developers will need to look for new authentication methods other than the traditional username/password to secure accounts?
Lance Stites: Without a doubt. This problem is not limited to Aion, nor NCsoft, nor Gaming. We're continuously working with our payment processors and are involved with the Merchant Risk Council, so we're looking at security and fraud well beyond this new Aion PIN system.
Do you think increased security is a feature likely to spread through other MMOs?
Sean Neil: Obviously, as time goes on, all developers see that having increased security affects their players in only a positive way. Minor inconvenience is always more welcome than major frustration.
Lance Stites: It's a certainty. Players invest a lot of time and energy and expect a reasonable level of security; fortunately, the Aion PIN system provides an effective, yet simple and elegant solution. If you'd like more detailed information on the Aion PIN system, please visit http://powerwiki.na.aiononline.com/aion/Character+PIN+System.
Thank you both for your time!