account-security

Latest

  • Guild Wars 2: Now with two-factor authentication

    by Elisabeth
    10.10.2012

    Security has kind of been a hot topic in Guild Wars 2. ArenaNet announced a couple weeks ago that they were working on bringing two-factor authentication into play, and that joyous day has arrived! A new post on the official forums introduces players to mobile two-factor security. ArenaNet is using Google's authenticator, which is available on iOS, Android, and Windows Phone, and players will use this authenticator to verify devices rather than the previous email authentication system. The team is advising people that this is currently a beta feature, and already has two changes planned for the near future. Soon, unlinking the mobile authentication system will require additional codes, and users will have an option to remember current networks rather than having to authenticate every login. Visit the official post for complete details for setting up the authentication system.

  • ArenaNet talks security in Guild Wars 2

    by Elisabeth
    09.20.2012

    Account security has been a hot topic in the world of Guild Wars 2 between the hubbub about the email verification system and the woes of hacked accounts. It's been such a hot topic that ArenaNet President Mike O'Brien wrote up a big ol' post about it. O'Brien began by reiterating one of the golden rules of account security: Use a strong and unique password for any account that you don't wish to have compromised. He pointed out that simply having a strong password does you almost no good if you've got the same password with the same email used for an account elsewhere -- if one such account is compromised, they all are. The same rule of having a unique password applies to the email account you use for authenticating your GW2 login attempts: the email authentication system can only protect you if your email is secure. Fans of two-factor authentication will be pleased to hear that Guild Wars 2 will have a two-step authentication system soon. "We had our own homegrown implementation of smartphone two-factor authenticator in testing, but we're going to pull it back and instead integrate Guild Wars 2 with Google Authenticator, which already has robust authenticator implementations on most major smartphone platforms. We expect to roll this out in the next two weeks." But that's not all! ArenaNet is also building a password blacklist (which is 20 million passwords long and growing) that blocks all passwords for which hackers are already scanning. According to O'Brien, "the rate of account hacking was about 1.5% for accounts created before this blacklist was in place, and is about 0.1% for accounts created after." This announcement comes with the request that existing customers change their password so that the blacklist protects them as well. Read O'Brien's full post on the GW2 news page.

  • GuildOx introduces Alt Detection

    by Olivia Grace
    09.18.2012

    WoW database site GuildOx, which ranks guilds, players and loot from World of Warcraft by reading data via the official WoW API, has introduced a sparkly new service for would-be recruiters. Thanks to the introduction of account-wide achievements, GuildOx, along with any other site that is smart enough to extract this information from the API, can use the cross-account information to tell you exactly which characters are the alts of that new player applying to your guild. So, if someone claims to have amazing gear, or anything else that isn't a linkable achievement, on an alt, you can now check it out on GuildOx. The functionality could allow a guild leader to see if the new person they're picking up is actually the worst trade chat troll on the server, for example. As GuildOx says, this can provide extra insight into applicants when recruiting new guild members. If you think you'd benefit from this, then you can check out GuildOx's new service by viewing one of the site creator's characters, and all their alts. There is, of course, a down side.

  • World of Warcraft hiding information in screenshots

    by Justin Olivetti
    09.11.2012

    Like Transformers, there may be more to a World of Warcraft screenshot than meets the eye. Our sister site WoW Insider is reporting that players have discovered hidden watermarks in every in-game screenshot that contain several pieces of information. The watermark is made up of several strips of custom bar codes, which can be decoded to reveal information from the game. While the revealed information isn't extremely personal, it does contain the server IP, player account numbers, and a time stamp. The account number is publicly accessible through Blizzard's Armory site and cannot be used to hack accounts. WoW Insider says that this information is most likely used by Blizzard to take down private servers, rogue employees, and cheaters.

  • Jagex announces new account security for RuneScape

    by Elisabeth
    09.11.2012

    Account security is a pretty big deal. Because it's a pretty big deal, Jagex has created the Jagex Account Guardian (J.A.G.) to help RuneScape players to better manage and defend their own security. Players can use the J.A.G. to connect specific trusted devices with their accounts for an extra line of defense. After the J.A.G. has been enabled on an account, any attempts to play from an untrusted device will require the user to go through additional steps of verification. Mark Gerhard, CEO of Jagex, says that "Ensuring the integrity and security of our valued community's information has always been a top priority," and adds that Jagex is taking the responsibility of protecting players' investments very seriously. [Source: Jagex press release]

  • Guild Wars 2 email authentication, status updates, sales halt [Updated]

    by Eliot Lefebvre
    08.30.2012

    Guild Wars 2 players have gotten absolutely slammed with phishing attempts following the game's launch. ArenaNet has accordingly beefed up security for the game, starting with the new email authentication system that's being rolled out today. The system is lightweight and works without players needing an extra code to enter at the login screen, instead relying upon the security of your designated email account. And all players need to do to activate the system is verify their email addresses (which can be done right on the login screen). Once the email is verified, every time the associated account tries to log in, the account holder will be sent an email requesting permission. Account holders can deny the logon, allow it for a single instance, or remember the location in question and always log on from there. It's not ironclad, but it should help players affected by these phishing attempts ensure that they'll be safe. [Thanks to Ring Bonefield for the tip!] [Update: ArenaNet has once again taken to Reddit to post updates as to the status of outstanding bugs and issues and bans in the game. The studio has also temporarily halted sales of the game through the ArenaNet website.]

  • Guild Wars 2 account phishing, outstanding issues [Updated]

    by MJ Guthrie
    08.29.2012

    With a game as large as Guild Wars 2, it's inevitable that the unscrupulous would try to compromise accounts. Perhaps the only unexpected part was how quickly the hacking attempts started -- even before launch players were receiving notifications of these attempts. And the problem appears to be escalating as more players are affected. Along with many others, multiple Massively staff received an email (or two) stating that someone had requested a password change, and it definitely wasn't them. In the case of receiving this notification, do as ArenaNet instructs in the email: Nothing. Some folks are also reporting phishing attempts to obtain account information. Never reply to such email, and remember that ArenaNet will never ask for your password. Players can take steps to increase their account security. Since the log-in name is required to be an email address, use an email dedicated to only the GW2 game account and nothing else. Also, make sure you use a unique (and hard to guess) password and never share it. [Update: Reader Ring Bonefield sent us this link to a discussion on Reddit in which ANet employees request that those players using an exclusive email address for GW2 file a support ticket to help the studio investigate the claims. ArenaNet has also published on Reddit a list of outstanding issues relating to security, grouping, forums, trading post, and more.]

  • North American players may now update their security questions

    by Anne Stickney
    08.15.2012

    As an update to the security breach last week, players on North American realms will now be prompted to change their security question and answer when logging in to their Battle.net accounts. The security breach included no financial information; however, answers to personal security questions were compromised, as well as some information related to Mobile Authenticators. In addition to the security question update, players may now also update their Mobile Authenticators. Please note, this is only in regards to North American accounts; players in Europe need to do neither of these things. And remember, if you are a North American player and have not changed the password on your account, doing so is an excellent idea.

    Nethaera: "As a precaution following our recent security update, players on North American servers please take a moment to visit Battle.net account management, where you will be prompted to change your security question as well as update your Mobile Authenticator. There you'll also find helpful tips and an FAQ, as well as instructions on how to add additional layers of security to your account, including the Battle.net Authenticator or the Mobile Authenticator for those that aren't already using one."

  • Blizzard security breach, no evidence that financial data was compromised

    by Chase Hasbrouck
    08.09.2012

    Mike Morhaime, the president of Blizzard Entertainment, reported today in a blog post posted on the official Blizzard website that a list of email addresses for Battle.net users, answers to security questions, and information relating to the Mobile and Dial-in Authenticator program were illegally accessed by outsiders. The security hole has been closed, but Blizzard is officially recommending that all Battle.net users change their passwords immediately. In the coming days, players will be prompted to automatically change their security questions and update their mobile authenticator software. A FAQ is available here. The full post is below.

    Mike Morhaime:

    Players and Friends,

    Even when you are in the business of fun, not every week ends up being fun. This week, our security team found an unauthorized and illegal access into our internal network here at Blizzard. We quickly took steps to close off this access and began working with law enforcement and security experts to investigate what happened.

    At this time, we've found no evidence that financial information such as credit cards, billing addresses, or real names were compromised. Our investigation is ongoing, but so far nothing suggests that these pieces of information have been accessed.

    Some data was illegally accessed, including a list of email addresses for global Battle.net users, outside of China. For players on North American servers (which generally includes players from North America, Latin America, Australia, New Zealand, and Southeast Asia) the answer to the personal security question, and information relating to Mobile and Dial-In Authenticators were also accessed. Based on what we currently know, this information alone is NOT enough for anyone to gain access to Battle.net accounts.

    We also know that cryptographically scrambled versions of Battle.net passwords (not actual passwords) for players on North American servers were taken. We use Secure Remote Password protocol (SRP) to protect these passwords, which is designed to make it extremely difficult to extract the actual password, and also means that each password would have to be deciphered individually. As a precaution, however, we recommend that players on North American servers change their password. Please click this link to change your password. Moreover, if you have used the same or similar passwords for other purposes, you may want to consider changing those passwords as well.

    In the coming days, we'll be prompting players on North American servers to change their secret questions and answers through an automated process. Additionally, we'll prompt mobile authenticator users to update their authenticator software. As a reminder, phishing emails will ask you for password or login information. Blizzard Entertainment emails will never ask for your password.

    We deeply regret the inconvenience to all of you and understand you may have questions. Please find additional information here.

    We take the security of your personal information very seriously, and we are truly sorry that this has happened.

    Sincerely,
    Mike Morhaime

  • Eight million gamigo user accounts compromised

    by Jef Reahard
    07.23.2012

    Last March we told you about an attack on free-to-play publisher gamigo's account services. Today The Verge reports that the security leak has resulted in the credentials of over eight million users being posted on a password-cracking website. Steve Thomas, founder of a hacking alert service called PwnedList, says the gamigo breach is "the largest leak I've ever actually seen." Compromised data include usernames, passwords, and email addresses. Users who held gamigo accounts prior to March 2012 are being encouraged to change their credentials.

  • Microsoft fights back against Xbox Live account threats, begs you to update your security settings

    by Sean Buckley
    07.19.2012

    Redmond's console gaming network may not have suffered a breach of security comparable to last year's PSN fumble, but that doesn't mean it hasn't braced for impact. According to Xbox Live General Manager Alex Garden, Microsoft has made great strides in account security by taking legal action against sites that share phished usernames and passwords, enacting two-step login verification for untrusted devices and pushing fresh security updates to devices. Even so, Garden says that many of Xbox Live's account protection measures rely on member profiles being up to date, and heartily encourages users to make sure their security information is accurate. Get the word directly from the horse's mouth at the source link below.

  • Blizzard issues account security alert after Riot Games breach

    by Matthew Rossi
    06.14.2012

    Not the first time we've seen something like this: Nakatoir of the EU community team posted this account security alert after Riot Games' EU branch warned its users that hackers "gained access to certain personal player data contained in certain EU West and EU Nordic & East databases." This information included email addresses and encrypted account passwords, and more than half of the passwords were considered simple and at risk of being cracked. Blizzard issues its security alert because many players who play various Blizzard games like WoW and Diablo III or StarCraft II also play League of Legends; therefore, if they use the same email address for Battle.net as League of Legends or the same passwords, those Battle.net accounts may also be at risk. This is not an announcement that Blizzard itself has been hacked, mind you. It's simply a precaution based on the habits of players of many games to use the same passwords and login information for multiple accounts. If you're not a League of Legends player in the affected EU regions, there's no way for this to affect you. The full announcement is after the break.

  • You cannot get hacked by playing public games in Diablo 3

    by Michael Sacco
    06.01.2012

    After years of keyloggers and trojans from unsafe browsing, unsecured computers, or just plain bad luck, WoW players should be pretty used to the concept of a compromised account and how said compromises happen. Unfortunately, Diablo III players don't appear to be as familiar with them, which has resulted in some pretty maddening discourse on the official forums and across the internet. Just like WoW accounts, Diablo III accounts are worth real money. Blizzard has had experience dealing with compromised accounts for years. This is why it introduced the Battle.net Authenticator, a second level of security that makes it very, very difficult to get your account compromised. Authenticators don't make it impossible to get your account compromised, but they do make compromising your account much more trouble than it's worth in the face of mass keylogging, which is how accounts are normally stolen. Some people who haven't had a WoW account before but bought Diablo III were undoubtedly surprised when their accounts were compromised, which is understandable. An editor at Eurogamer had his account hacked and responded with an article suggesting that players were getting their sessions hijacked by joining public games and that people were getting compromised with this method even with authenticators attached to their account. Unfortunately, sites all over the internet picked up the story and also reported the session hijacks and bypassed authenticators as fact. The problem is that neither of those things was correct. In fact, Blizzard says it's actually impossible to do with Diablo III due to the way the infrastructure is set up.

  • The Daily Grind: How do you keep track of your passwords?

    by Justin Olivetti
    04.25.2012

    It's a hazard of the job that we accumulate scores of passwords while writing at Massively. It makes sense: Every new MMO tried means a new account, and because I'm not stupid, a new password. Unfortunately, the numbers began to pile up on me and I began to realize that there was no way I was going to remember all of these for when I'd go back to a game months after the fact. My old system used a common theme (say, names of Pokemon) that allowed for different passwords while giving me a chance at guessing them if I forgot. My new system is a $0.99 notebook that I desperately hope my kids don't discover and chew up. It's a slight improvement but not perfect. So I'm curious: How do you keep track of your passwords? Do you memorize them, write them down in a notebook, have a text file on your computer, or use a password manager program? Every morning, the Massively bloggers probe the minds of their readers with deep, thought-provoking questions about that most serious of topics: massively online gaming. We crave your opinions, so grab your caffeinated beverage of choice and chime in on today's Daily Grind!

  • F2P publisher gamigo's account services offline after hack [Updated]

    by Jef Reahard
    03.01.2012

    If you're a fan of gamigo's free-to-play MMO library, you may have run into some trouble accessing your account info as of yesterday. The company "detected an illegal intrusion into [its] gamigo account system," according to an official post on the Jagged Alliance forums. The hack resulted in a temporary cessation of registration, account management, and payment services. The company says that while the game servers are still up and running, "the gAS services might be down for a while." gamigo also says that it encrypts passwords and that "no access to account names and other data is confirmed." [Thanks for the tip, Tim!] [Update: gamigo has now posted a letter to its website discussing the intrusion and recommending steps players should take to reset passwords and secure their accounts.]

  • Nexon bringing Mabinogi back online, compensating affected players

    by Jef Reahard
    01.03.2012

    Nexon has brought Mabinogi back online, and the company tells Massively that "the issues that led us to temporarily disable service have been addressed." The free-to-play sandbox was offline for nearly 40 hours last weekend, and Nexon will be compensating players with 5,000 NX (the company's cash shop currency), a two-day extension of VIP/Premium/Inventory Plus service, and a forthcoming double XP event. Nexon also tells us that players who were directly affected by the recent malicious activity will receive an additional 5,000 NX (10,000 total) and will have their lost items restored. If you think you've been affected by the recent attacks, contact Nexon Support directly, and be sure to provide the following info when submitting your ticket:

      • account name
      • character name
      • character server
      • date of malicious activity
      • items missing/removed
      • name of malicious character (if available)

    Finally, affected players should include the keyword MUGWORTS in their support ticket summary field to assist in filtering and processing. [Source: Nexon press release]

  • Star Wars: The Old Republic launches Android authenticator and upcoming test server

    by Eliot Lefebvre
    12.21.2011

    If analyst predictions hold true, Star Wars: The Old Republic is going to be big. And that means that it's going to be heir to the natural problem of account hackings, the sort of thing that goes hand in hand with every major MMO. Luckily, the game has launched with security authenticators already available, with a physical version and an Apple app available right out of the gate. The mobile authenticator for Android devices is also now available, meaning that you have a multitude of ways to ensure that the only threats to your characters are those of the blaster-wielding variety. Once you've gotten through the authenticator stage, however, perhaps you'd like to see what's coming next for the game? Ask a Jedi reports that it looks like BioWare is in the process of setting up a public test server, giving every subscriber a chance to enjoy the upcoming patches and updates before they go live. While players will not be able to copy characters from the live servers to the test environment at this time, the team behind Star Wars: The Old Republic seems to be polishing up the game on a daily basis even though it's just launched, so that likely won't remain the case for long.

  • MapleStory breached, 13 million accounts exposed

    by Justin Olivetti
    11.26.2011

    The famously hacked Sony has a sympathetic shoulder this week, as Nexon recently discovered a massive breach that's exposed over 13 million MapleStory player accounts to cyber ne'er-do-wells. Discovered this past Thursday, the breach was solely limited to South Korea, as Nexon hosts separate countries on their own servers. This means that any South Korean MapleStory player's information is at risk, including user IDs, names, passwords, and residential registration numbers. This information could potentially be stolen and used for a variety of crimes. While there's been no word whether actual personal information has been stolen, Nexon nevertheless urged these 13+ million subscribers to change their passwords. The company has contacted the police to ask for a formal investigation. This comes at an unfortunate time for the company, as Nexon is poised to present its IPO on the Tokyo Stock Exchange in December.

  • BioWare steps up The Old Republic account security

    by Matt Daniel
    11.07.2011

    As Star Wars: The Old Republic's launch date draws ever nearer, BioWare has announced that it is stepping up account security for the game. Any players whose accounts were created prior to October 21st will be required to change their passwords in order to conform to the new standards. Those standards, for the curious, dictate that the password must be between eight and 15 characters and must contain at least one uppercase letter, one lowercase letter, and one number. For the full details, head on over to The Old Republic's official site.

  • Turbine addresses LotRO forum security concerns

    by Jef Reahard
    10.17.2011

    While it's not quite a conspiracy unmasked, Turbine has officially acknowledged a bit of a security issue with its Lord of the Rings Online-related web applications. Last week we reported on the temporary closure of the game's official forums, and today Turbine has issued a press release that touches on the situation. As you would expect, it's all very hush-hush in terms of details, and the release recommends password changes for all LotRO players. While the game itself remains open for business, there is no timetable for the restoration of forum services. "We are continuing to investigate and the forums will not reopen until this work is complete," Turbine says.