GW2 - Poorest Account Security ever?

[Deleted]

Okay so being hacked is a pretty terrible thing to have happen, and in many respects you could argue that using the same email and password as you use for WoW (as I did for GW2) is a pretty irresponsible thing to do (although in 7 years of WoW, and having used my email for WoW, banking, MSN, Skype, Facebook et al. I have never once been hacked).

Last night, I got hacked and was like "oh, how did that happen?" Apparently people are able (once logging into your account) to change the email of your GW2 account without your authorisation. To put this simply, if you want to change an email for your battle.net account it'll work like this:

Current email: email1
New email: email2

> log in using email1
> change to email2
> email gets sent to email1 asking for verification

^ the third step does not happen in the GW2 email changing "thing".

So now I'm left with two options:
- email a support ticket to A-Net (I've done this)
- let my account be forever hacked and lost

I sent in a support ticket and this was the response I got after supplying my CD key, RL information, passport photo etc. Giving away pretty much my entire identity - this was the received response:

"Thank you for contacting NCsoft! We have been receiving an overwhelming response to Guild Wars 2 and we are doing our very best to answer questions as quickly as possible. You are receiving this automated message based on information provided in your original submission that indicates that we may be able to answer your question with the information provided below. As a result of this we are no longer accepting new tickets. Thank you for your patience."

NCSoft (rather the automated message) gives you this link and asks for the following information (which I have already supplied by the way):

1. Go to account.guildwars2.com/recovery
2. In the Email / Account Name field, enter the email address used for your Guild Wars 2 account.
3. In the Serial Code field, enter the serial code you registered to the account.
4. In the Character Name field, enter the name of an existing character on your account.
5. Click Verify.
Be sure to set your account password to a strong, unique password that you've never used anywhere else!

So naturally I go to the supplied link and put in all my details and this is the ultimate response I recieve:

"There's been an error. Please contact support."

Thus, the loop begins: contact CS > get automated email > get told to click on link and supply information you've already supplied > get told to contact CS

Surprisingly, I then did a bit of digging and found this thread:
forum-en.guildwars2.com/forum/support/account/Account-Hacked-Permanently-Banned-Post-here-merged-1/first

That's 17 pages of notified complaints. At roughly 45 new posts per page, that's a total of 765 hacked accounts. This of course doesn't include the myriad of people who cannot post because ... they've been hacked and thus they can't log in. Anyway I digress. I'd like to know, ultimately, in an age where so much of our information is available to people - why, when we're paying £50 for a game, the said game doesn't come with any means of protection. The security systems in place are completely non-existent and the systems to fix these issues are non-existent too. I'm completely stumped.

[draykorinee]

I find it weird that on the first page of threads a quarter of the posts are asking for technical help, this is due to the piss poor customer services of Anet, the account security is ludicrous but you'll get Drakwurrm in here telling you its your fault you got hacked and that you deserve it. I got hacked in WoW bought an authenticator never hacked again, in fact I haven't been hacked on my GW2 account yet but the fact is I dont have much defence against them if they tried.
A AAA game with Z quality security on release

Do not call out other users on this forum. Not only is it inappropriate to the conversation here but is also rude. If you have a bone to pick do it elsewhere. Consider this a warning, next time is an infraction.

- Fencers

Was just joking apolgies to drake :P

[mirodin]

Keep being persistent, 60$ is not a small price to pay. For future don't buy game from publisher you don't trust.

[Deleted]

Well, since people are in mood if bashing, ill bite. I have never been "hacked". I use different passwords for all the games i play and also i use different password from any fan sites.

Most poeple that have been "hacked" is because fan sotes have been hacked and people used the same password, but yeah totally arena net fault here.....

[Deleted]

I'm sorry. But sure. Some blame has to be passed on to ArenaNet.

But nowadays, if you manage to get hacked it's more than likely down to the users incompetence.

[Omertocracy]

Their customer service is why I have NCsoft and ArenaNet on boycot. January 2011 I decided to go play GW1 again, found out I had been hacked in my 6 month hiatus, about a week before I came back actually. The first automated email I recieved was the usual how to fix it. The second, after I asked if there was a way to restore it was responded to with an email that said basically that yes, they knew that I had been hacked, they knew I wasn't the one that had done it, they knew who had, what province in China he was in, yes they had the technical ability to restore my stolen items, but they were not going to because of some policy.

So in summary, NCsoft and ArenaNet have no protection at all against being hacked besides passwords, which can be reset by anyone, and they will not restore anything taken while you were hacked.

[Deleted]

I don't accept the premise that I should be *forced* to use 15 billion different emails and passwords just to keep my security. I don't have to lie about where I live to everyone who asks me, and I don't have to rely on 15 billion different mobile phone numbers to stop potential stalkers. ANet simply do not have the proper systems in place to prevent being hacked: from what it looks like, I didn't even receive an email that my account email had been changed. Nor did I receive an email regarding an "intrusion" - simply, the email was changed without my authorisation.

From what it looks like, someone could simply *guess* the details - without needing to hack, just guess because the systems aren't in place to stop intrusions or even warn you.

[Tomac]

That's 17 pages of notified complaints. At roughly 45 new posts per page, that's a total of 765 hacked accounts.

I'm sorry but your logic is a bit flawed here. It would be true if each person could only post once but that's obviously not the case. Only 19 different people posted on the first page.

Also there will most likely be people who haven't had their accounts hacked who will also post in the thread.

And of course however many Arenanet posts.

[shalnath]

I don't accept the premise that I should be *forced* to use 15 billion different emails and passwords just to keep my security. I don't have to lie about where I live to everyone who asks me, and I don't have to rely on 15 billion different mobile phone numbers to stop potential stalkers. ANet simply do not have the proper systems in place to prevent being hacked: from what it looks like, I didn't even receive an email that my account email had been changed. Nor did I receive an email regarding an "intrusion" - simply, the email was changed without my authorisation.

From what it looks like, someone could simply *guess* the details - without needing to hack, just guess because the systems aren't in place to stop intrusions or even warn you.

Better bust out the rolodex and start writing!

[Deleted]

I'm sorry but your logic is a bit flawed here. It would be true if each person could only post once but that's obviously not the case. Only 19 different people posted on the first page.

Also there will most likely be people who haven't had their accounts hacked who will also post in the thread.

And of course however many Arenanet posts.

This is of course true, but it would be silly to deny that A-Net have done a terrible job of supplying the proper account security.

Example:
edge-online.com/news/guild-wars-2-11000-accounts-hacked

Quoting from the article: " developer ArenaNet says they only have themselves to blame for not using unique usernames and passwords."

A-Net are basically shafting 11000 people here because they do have proper account security, or a means to restore their account as both options end in error (for me and others).

[Deleted]

I don't accept the premise that I should be *forced* to use 15 billion different emails and passwords just to keep my security.

Hyperbole apart, it's strongly encouraged, that you may accept it or not.

I knew people with authenticator that got hacked. Seems like it's only harder but not impossible.
Internet security looks like a battle you can't win, just stall.

[Stormgnoef]

it's not arenanet fault people using same password/email for other mmos.

[Deleted]

Hyperbole apart, it's strongly encouraged, that you may accept it or not.

I knew people with authenticator that got hacked. Seems like it's only harder but not impossible.
Internet security looks like a battle you can't win, just stall.

If someone were to hack my hotmail account, or simply know my information and log in from a different country, Hotmail would lock down the email address and stop all incoming/outgoing emails until I had proven it was "my account" - I would do this through a variety of means, providing photo ID, providing answers to some various secret questions etc.

None of these systems are in place for GW2.

Hell, surely one must admit it's pretty damn terrible when someone can change your email without the CURRENT EMAIL receiving notification?

[Deleted]

it's not arenanet fault people using same password/email for other mmos.

Not just MMOs actually. Everything you subscribe on internet may have its databases compromised.
I get your email/pswd from that newsletter about friends of deer hunting, and i try it on GW2...et voila, say goodbye to your account.
The email authorization is already a good thing, but an authenticator would be nice. As i said, it won't give me 100% protection but would be still something.

If someone were to hack my hotmail account, or simply know my information and log in from a different country, Hotmail would lock down the email address and stop all incoming/outgoing emails until I had proven it was "my account" - I would do this through a variety of means, providing photo ID, providing answers to some various secret questions etc.

None of these systems are in place for GW2.

Hell, surely one must admit it's pretty damn terrible when someone can change your email without the CURRENT EMAIL receiving notification?

I admit it's annoying, but what about mail authorization? In order fro the hackers to change your pswd, isn't required a login? In that case, you should receive a mail from Anet (it actually happened that many players got mails from login attempts from a chinese location).
That would be the real flaw.

[mirodin]

If someone were to hack my hotmail account, or simply know my information and log in from a different country, Hotmail would lock down the email address and stop all incoming/outgoing emails until I had proven it was "my account" - I would do this through a variety of means, providing photo ID, providing answers to some various secret questions etc.

None of these systems are in place for GW2.

Hell, surely one must admit it's pretty damn terrible when someone can change your email without the CURRENT EMAIL receiving notification?

Maybe it's the companies policy to employ a Darwinistic method, or maybe because of the no sub they hope the ones that got hacked buy the game again (this is way out there ).

[Deleted]

If someone were to hack my hotmail account, or simply know my information and log in from a different country, Hotmail would lock down the email address and stop all incoming/outgoing emails until I had proven it was "my account" - I would do this through a variety of means, providing photo ID, providing answers to some various secret questions etc.

None of these systems are in place for GW2.

Hell, surely one must admit it's pretty damn terrible when someone can change your email without the CURRENT EMAIL receiving notification?

If you've verified your email, people can't log into your account without you giving permission, which is sent to your email.

[Deleted]

Yes, that is how it should work.

In practice it doesn't, however. It would seem to be not only me having this issue: the system itself is completely broken.

[DrMosh]

I feel the OP's pain. I got hacked myself, and although I didn't lose my account I did lose my 51 necro (deleted) all my gear on my alts, items in my bank and inventory and subsequently my cash as well. When I discovered this I also filled out a ticket began jumping through Anet's hoops hoping to get my characters, gears and alts restored. Instead what I got was I got a canned response saying my access had been restored to my account.

WTF? That wasn't even my initial query, I had specifically stated that I haven't lost access to the account. I replied and asked if they even read the initial query and 6 days after my ticket I receive the following response..

Hello NAME,

I apologize for the delay in our response; we have an unusually high ticket volume which we are working through as quickly as possible.

The Guild Wars 2 Support Team is unable to restore missing characters or items. I understand this may be frustrating, but we simply do not have the capabilities to do this.

Thanks,
Nick


I'll save the rhetoric on the merits of launching a game without certain admin tools and functionality since its debatable that character/item restoration should be a core function of their support services. However, I'm still disappointed that it took almost a week to receive this information. ANet got their $80.00 from me, the best I can do is make sure they never get any more of my money (and time!).

[Deleted]

Yes, that is how it should work.

In practice it doesn't, however. It would seem to be not only me having this issue: the system itself is completely broken.

Did you actually verify your email? like when asked to do so the first time you login in the game/ every time until you actually do it? Because after that the next time you login you will be asked to validate your connection , by clicking a link sent directly to your email adress and that's only to log in the game, and it will show login attempt location , hour and stuff.

If you skipped the "verify" email step each time you logged for the past 2 weeks then you can only blame yourself.

[Tekkommo]

I'm a firm believer that if you get hacked, it's your fault.