11,000 accounts compromised

[Sylvanie]

The ONLY way to get into an account protected this way is by gagging the machine trying to authenticate and authenticate using the codes it's sending (man in the middle attack). It's VERY hard to pull off and isn't something you can really do in an targeted way.

It's actually not that hard. It's why several countries use more sophisticated authentication these days for internet banking. What happened was that in these countries 2FA did indeed become universal for internet banking, so hackers did start going the extra mile for man-in-the-middle attacks. Which is why, for example, in Germany, Austria, and (to my understanding) South Africa these days it is all but mandatory to authorize each individual transaction via a one time code that is specific to that transaction.

It's not a problem in MMOs, because comparatively few players use authenticators; as a result, there's plenty of poorly protected accounts (low hanging fruit) that can be hacked without investing the extra effort.

[mercutiouk]

Two-step authentication for Gmail uses the exact same kind of system that these VASCO authenticators use. So yes, my account is equally secure as if there was an authenticator on it.

Could I add an extra layer with the authenticator code to my account? Sure, maybe I could, but that gets redundant. If you're going to add multiple layers of security, they shouldn't be redundant layers.

Also: JSYK, Blizzard also doesn't ask for your authenticator code if it's an "authorized" IP address that it recognizes. Blizzard accounts are just as vulnerable to IP spoofing as GW2 accounts.

Ok, if you are using an email account with a similar security setup, deal, it's safe (missed that bit or misunderstood it).

As far as the blizzard setup - it's not based on just IP address. Try updating your graphics drivers and logging in, you'll likely get asked. It tracks quite a few "undocumented" system aspects NOT just the IP. It's not "smart" as such and, again, if someone wanted JUST your details they could likely get a setup that would be able to trick the system into not asking. But targeted threats aren't really where the issue is in online security, it's hackers wanting ANYONE'S details and using a drag net to see how many it can fish out.

[DrakeWurrum]

So an elderly couple in their 80's who forget to lock their garage get burgled one night... They deserved it?

Yes. Stupid mistake. Stupidity has consequences.

A single mother who is trying to get her baby in and out of the car whilst trying to unload shopping forgets to lock her car, has her car stolen... She deserves it?

Yes. Stupid mistake. Stupidity has consequences.

A cyclist locks his bike to railings with a top of the range lock, yet it still gets stolen... He deserves it?

Did he use two top-of-the-line bike locks, one combo and one key, and both made of good solid metal? (Mind you, this is a very common bike theft prevention technique - why would they cut into YOUR bike locks, when the bike over there has only one bike lock, and it's made of plastic?) Where did he lock up his bike? Was it to a railing that would be difficult to cut through with a welding tool? If you've ever lived in Austin, you know that people make a living off stealing bikes, and will have such tools. In such locales, which are publicly known for bike thefts, you'd be smart enough to take your bike into where you live.

People need to get out of this "nice" mentality of trying to save everybody from everything. Even in modern society, it's survival of the fittest. We do need a nicer community where we treat everybody with some respect, but if they make a mistake, they deserve to suffer the consequences of said mistake. There's 6 billion people in the world, nobody is special.

The asura have a very similar attitude, and I don't fault them for it, though I despise the way they treat other people with their big egos.
"You're smart, and you survive...or not."

[mercutiouk]

It's actually not that hard. It's why several countries use more sophisticated authentication these days for internet banking. What happened was that in these countries 2FA did indeed become universal for internet banking, so hackers did start going the extra mile for man-in-the-middle attacks. Which is why, for example, in Germany, Austria, and (to my understanding) South Africa these days it is all but mandatory to authorize each individual transaction via a one time code that is specific to that transaction.

It's not a problem in MMOs, because comparatively few players use authenticators; as a result, there's plenty of poorly protected accounts (low hanging fruit) that can be hacked without investing the extra effort.

My post you quoted I meant to say "It's VERY hard to pull off and is only something you can really do in an targeted way." Man in the middle attacks work, no question. The malware that sits and watches for programs launching that generally have the security tokens associated with them and starts re-directing traffic also work but the first is VERY targetted the second requires a stupid user.

Authenticators/Tokens don't work if you have someone who isn't careful which is why I made the point above about the 80% and 99%. They cover almost all aspects of the last 20% needed once you have an educated user using them.

[Cinnamohn]

I'd have to assume those 11,000 either didn't use the secured login location or did use the same password for their email as they do for their account.

An email from a couple of days ago that I just now saw:

A login attempt from the following location is currently awaiting your authorization.

Address: <snip>
City: Liuzhou
Region: 16
Country: CN

They're definitely finding passwords from somewhere, as I don't visit anything outside of FB/YT/Here/GWWiki.

[Jalfrezi]

Yes. Stupid mistake. Stupidity has consequences.

Yes. Stupid mistake. Stupidity has consequences.

Did he use two top-of-the-line bike locks, one combo and one key, and both made of good solid metal? Where did he lock up his bike? Was it to a railing that would be difficult to cut through with a welding tool? If you've ever lived in Austin, you know that people make a living off stealing bikes, and will have such tools. In such locales, which are publicly known for bike thefts, you'd be smart enough to take your bike into where you live.

People need to get out of this "nice" mentality of trying to save everybody from everything. We do need a nicer community where we treat everybody with some respect, but if they make a mistake, they deserve to suffer the consequences of said mistake. There's 7 billion people in the world, nobody is special.

Fixed that there.

But nah... people don't need to get out of this "nice" mentality. Being nice is good, acting the way you do is bad. Simple. I have no idea why you think acting like a hard man on the internet is cool... it's not. But then again, it's the only place you will get away with it.... for now.

[DrakeWurrum]

Fixed that there.

Fair enough.

But nah... people don't need to get out of this "nice" mentality. Being nice is good, acting the way you do is bad. Simple. I have no idea why you think acting like a hard man on the internet is cool... it's not. But then again, it's the only place you will get away with it.... for now.

I'm not acting like a "hard man on the internet" to be cool. I genuinely believe that stupid people get what they deserve. Doesn't mean I'm not going to help them clean up the mess, or help them attempt to avoid making that mess to begin with. But I do think they very much deserve it, and they would be naive to stubbornly claim that they don't deserve it.

Being a "nice elderly couple" or a "single mother with a baby" does not excuse you from the consequences of your mistakes. (in the latter case, she's already clearly made some mistakes, and is suffering from them, so she should not be foreign to the concept)

That's what life is all about, and you have to learn to deal with it. Everything has consequences.

[reckoner04]

That's what life is all about, and you have to learn to deal with it. Everything has consequences.

Having to live with the consequences of your actions isn't the same as deserving them.

Also, how do you separate "stupid mistakes" from "mistakes"?

I wouldn't expect most PC users to know a lot about PC security (though the standarts are slowly rising). You certainly spent more time reading up on the topic than the average gamer, who probably already does more than the average internet user, so it's clear to you that some things are pretty risky. But it isn't to others, and it's certainly not common.

Getting hacked isn't a stupid mistake, just a mistake, and you should learn from it.

[Vasti]

I very much subscribe to "survival of the fittest" in general. Stupid choices should have repurcussions.

---------- Post added 2012-09-09 at 12:58 PM ----------


How ironic, since GW2's two-factor authentication is e-mail authentication.

What if a stupid choice was made in a forest and there was nothing around to cause repercussions. Does that still count as a stupid choice?

[Deleted]

And then we get posts like 'My brother deleted by level 80 ranger, what do?'. :/

Kill brother

[Deleted]

The fansite in question was MMO-Champion, hurr durr.

[Fencers]

So you guys are like making terrible posts. Like really awful. Please stop.

I am most definitely "not nice" when folks post badly or break our rules.

--Fencers

[DrakeWurrum]

What if a stupid choice was made in a forest and there was nothing around to cause repercussions. Does that still count as a stupid choice?

O_o

There's always something around to cause such repercussions!

---------- Post added 2012-09-09 at 03:29 PM ----------

Having to live with the consequences of your actions isn't the same as deserving them.

I don't see a distinction here.

[reckoner04]

I don't see a distinction here.

The reputable firm I got my computer from pre-installed a keylogger on my computer and I get hacked as a result of it. Do I have to live with the consequences? Yes. Do I deserve it? No.


I go on a hacker forum and post my GW2 account info and get hacked as a result of it. Do I have to live with the consequences? Yes. Do I deserve it? Yes.

[Gray_Matter]

I use the same password for everything, and yet somehow manage to not be hacked (Ever. Not in RIFT, not in WoW, not in SWtOR, Tera, or goddamn UO. Same password for all things since I was twelve) so I kind of take offense to all this 'Internet 101' bullshit. The real answer is stay away from shady websites, not have a small notebook with a list of all twenty-five of your different passwords locked up in your computer desk. If it isn't official don't give them your email address; far easier than having all those passwords.

The problem is that you don't need to visit shady site to get "hacked" using this approach. You are as weak as the weakest link. How many big reliable companies have been hacked lately? You trust them not to store your password and to take adequate precautions. That's a brave thing to do because a lot of them don't do things properly.

[iCandy]

^this

Sounds like 11,000 accounts that very much deserved to be hacked.

Nobody that didn't willingly give their info the a thief deserves their account to be hacked. What a stupid, stupid comment.

OT - As others have said make sure you use an email/pw only for games and another email/pw only for forums/fan sites.

The only real sad part about people getting their stuff taken in GW2 is that Anets customer support wont give anything back. None of the stolen items will be returned and your account will most likely be locked.

[VibrantViolet]

In this case, no, it's not worse. My two-step Gmail authentication sends a code to my cell phone anytime somebody tries to access my e-mail from an unauthorized IP, and only those who access my e-mail can be authorized to log into my GW2 account, and both accounts use unique passwords.

Same here. I use the same Gmail address, but everything has a different password. The password here is different from my email password, my GW2 password, my password on another site, ect.

[DrakeWurrum]

Nobody that didn't willingly give their info the a thief deserves their account to be hacked.

If you have the same password for GW2 as you do for other places, you essentially did give your info to them. Willingly or not, you deserved to be hacked for making a choice that resulted in you being hacked.

Stop being a douche now with the "you deserve to be hacked" shit. Now. -Edge

[iCandy]

If you have the same password for GW2 as you do for other places, you essentially did give your info to them. Willingly or not, you deserved to be hacked for making a choice that resulted in you being hacked.

I can see there is no reasoning with you, since there has been 6 pages of people pointing out how stupid your comment was and you're still sticking to it I can only assume you have a huge ego problem.

Again, nobody deserves their account to be hacked unless they ofc gave the thief their info.

She deserved to be raped because she wasn't carrying mace or a gun.
They deserved to have their house burglarized because they didn't install steel bars on the windows and a $10,000 alarm.
He deserved to get mugged because he didn't have 5 friends with him.

All of these, including yours, are very stupid statements.

I don't know what it's like to have my account hacked and I hope I never do, but I can only assume it sucks and it's a huge invasion of privacy, not to mention a loss of time spent. So how about you act like an adult or just stop posting on this subject?

[Rustedsaint]

can't help but think, oboy more spam bots to report =_=
sure glad I use a different password for every game and site I sign up on.