The Road to Mordor: Hacked!

"My kinship had just finished an instance run about a week-and-a-half ago and was in the process of reloading back into the world when I got the message that I was being disconnected because I had just logged into the Brandywine server. Huh? Suspecting the worst, I immediately hit up the Turbine Account page and changed my password then re-logged back into the game, which would boot the hacker offline just like I had been booted minutes earlier.

"I was lucky and did that before the hacker had time to switch servers to where my active characters are. Other kinmates have not been so lucky."

So goes the frightening tale of Pumping Irony's Scott, who shares this in the hopes that others may avoid a similar scare. Unfortunately, it seems as though stories such as these are becoming more and more common in Lord of the Rings Online, where the worst threat to your quest may not be the eye of Sauron but the malicious intent of hackers gutting your account while you're offline.

Today we're going to step off the path for a temporary side trail into the gloomy undergrowth of account security and an MMO under siege.

F2P: Free-to-play or free-to-plunder?

At the time I write this, the top stickied post in LotRO's general forums is A Word About Account Security. This is no casual public service announcement from a bored customer service rep but rather the response to a noticeable and disturbing increase of account hacks in the past few weeks. The forums are riddled with stories such as this one, in which the author notes that this is becoming a frequent event within his own kin: "Yet another member of our kinship has been hacked, which makes at least three so far."

This is the downside of LotRO's recent success: With more players coming to the game, thus come the hackers. Account theft, gold selling and other black market activities have always been around (as they are in most MMOs), but if you're anything like I am, you probably never figured that anyone was out to pry into your account and leave you high and dry. It's something I associate with the wild and woolly World of Warcraft, not our peaceful LotRO.

Another issue is that Turbine has had you sign up for the new forums using the same user name and password for your game login, which could offer thieves another opportunity to swipe the info without your knowledge -- or take your public user name and use a brute-force attack to get at your password. Sapience has played down such an angle: "Contrary to rumor and speculation there is no credible, verifiable evidence to suggest a tie to forum logins and compromised accounts."

I guess it's time I came to my senses in this regard. Account theft is a lot like someone swiping your wallet -- you're not going to get it all back, and it's going to annoy the snot out of you for a good while to come. We can only hope that good hackers are working on technology to allow you to physically punch someone through a computer screen if they ever try this sort of thing again.

The only one looking out for your account security is you

As much as I like Turbine in many areas, from all my reading on this issue it seems as though the company is not giving us great reason to feel secure about our accounts. Not only do we not know what is being done about the increase of account thefts (other than issuing a warning to the players), but it turns out that the company's customer service either cannot or will not roll your characters back to a previous state if a thief guts them.

Apparently, Turbine's response when a player loses items through hacking is to compensate that player with gold, which obviously cannot repurchase items that are bought without gold (such as quest rewards, LotRO store goods and rep items). A Casual Stroll to Mordor passed along a letter that had this report from a player who witnessed a few hacking events in his kinship:

"Watching someone go through a friend's toons one-by-one knowing that they were cleaning them out was traumatic. That player lost over 100 gold in cash alone as well as who knows how much in gear and other items. Turbine's fixing of the matter was to send him 4 gold. That's all. The second player lost several hundred gold and everything from their vault. On every character. The only thing left was the clothing they had on. God knows what Turbine will offer them as recompense. They were both lucky; some other players have reported having their toons deleted as well."


Codemasters has changed its policy regarding hacked accounts to something a lot more customer-friendly, and there is pressure that Turbine will follow suit. Turbine's position is that its systems are secure, so the onus of account protection falls on the player. Fairly or not, the only one standing between hackers' sticky fingers and your character's hard-earned goods is you.

So what should you do?

Paranoia, paranoia, they're all out to get you!

If thinking about all of this and admitting the possibility that your account could be compromised drives a big ol' wedge of uneasy in your stomach, I'm right there with you. Sure, lots of people will go their entire gaming careers without ever having to deal with this hassle, but then again, those who get hacked never think it'll happen to them. Let go of the unnecessary paranoia by taking a few common-sense steps to strengthening your security and peace of mind.

It first helps to understand how hackers think and approach your computer in general. Cracked.com wrote an excellent article a few days ago called 5 Things We All Do That Make Hackers' Lives Incredibly Easy. Lots of eye-opening (and perhaps personally embarrassing) facts are in there, as well as plenty of tips as to how to develop a strong password.

Speaking of passwords, when's the last time you changed your LotRO password? Like, never? OK, yes, I see the handful of diligent password-changers in the front row -- this is for the rest of the class. People, go change your password today. Come up with a better one that isn't just a word or name, but incorporates a bit of symbol mishmash to make it at least a challenge for someone trying to access your account.

If you don't have the holy trinity of computer protection -- spyware/malware checker, virus scanner and firewall -- then you have your next half hour cut out for you. Get one of each of these, make sure they're updated, and do a regular sweep. Yes, stuff gets through, but it's a much smaller percentage than those folks who eschew protection at all.

Finally, don't be stupid. And by "stupid" I mean "go to questionable websites, download unknown email attachments, install mods from Russian sites, and purchase gold yourself." Karma loves to play with stupid people.

Future imperfect

Some players have voiced support of a Blizzard-style Authenticators or Final Fantasy XIV Tokens to create a deeper layer of defense against unwarranted intrusions. Back when I played WoW, I used the Authenticator app on my iPhone to protect my account, and the security I felt using it made the token extra effort to log in worth it.

I sincerely hope that through the combined efforts of Codemasters, Turbine and players, hackers will be cut off from their dastardly deeds and summarily ejected from the lands of Middle-earth. It's probably too much to hope for, but if this rash of compromised accounts keeps up, it'll have dire effects on the long-term health of the game itself.

When not enjoying second breakfast and a pint of ale, Justin "Syp" Olivetti jaws about hobbits in his Lord of the Rings Online column, The Road to Mordor. You can contact him via email at justin@massively.com or through his gaming blog, Bio Break.

This article was originally published on Massively.