Petition to Turbine: Please Revise Hacked Account Policy

[scrumtrelescent]

Please sign below if you agree that Turbine needs a complete overhaul of it's current policy for dealing with hacked accounts.

Turbine, I love your game. LOTRO is great. And though I was a skeptic, you've won me over with the F2P model. I am a happy VIP subscriber since 2007, and am still enjoying your game. But despite the fact that I am happy overall with your product, I have to make one significant complaint:

Your policy on handling hacked accounts is severely lacking.

Currently, Turbine will not restore ANY items lost due to hacking. They simply give you gold to try to replace what you've lost. The problem is that for many people, gold is of little value in replacing liquidated items. You can't buy radiance gear on the AH. The meager amount of gold they reimburse certainly isn't enough to replace a level 70 LI that you've used thousands of skirmish marks to buy scrolls of empowerment to upgrade. Heck, one single scroll of empowerment goes for 17-20 gold onthe Silverlode AH. I used about 10 of them to upgrade my captains sword, and I earned them through skirmishing and quests.

The problem is getting a bit out of hand, Turbine. We had a kin member get hacked this week, and not only did the hacker clean out our friend, he also cleaned out our kinship hall chests. Should we maybe have removed him from kin for inactivity? Perhaps, but he's a good friend of ours that's been a member for about 3 years and has been away for health reasons. We shouldn't have to remove our friends from kin because your policy for reimbursing over hacking is inadequate.

Other games (WoW, for example) have policies that allow for restoral of the account to its pre-hacked condition. Why can't this be done? I'm sure you're running constant backups of your files, so I doubt restoring them is impossible to do. I understand that there is the risk of people abusing the system, but there are ways to address that. Someone gets hacked once? Restore them. Hacked 3 times in 30 days? Maybe they're abusing the system and deal with that situation differently.

But the bottom line is this: a lot of people are getting hacked, and they are getting frustrated. And it will affect your bottom line: some people, upon seeing that hundreds of hours grinding for skirmish marks to get radiance gear, upgrade LIs, etc etc etc now have lost everything and are getting 30 gold in return will simply throw up their hands and walk away. It is in your financial interest to overhaul your hacked account policy.

I like your game a lot Turbine. I've spent money on a sub and money in the LOTRO store. But this policy is making a lot of people very unhappy, and I sincerely hope you will consider revising it.

Again, please /sign below if you agree that Turbine needs to take a long hard look at their hacked account policy.

[Jamesm429]

Being an IT Manager, I full agree and support this..

[Khafar]

If they're going to have to spend significant development to address this, I'd really rather they aimed it at minimizing the amount of "hacking" going on in the first place. If LOTRO were to gain a reputation as a game that offers little reward for time spent for would-be hackers, that alone would help keep hacking rates quite low. These guys aren't motivated by a desire to screw over LOTRO players for profit -- they're motivated by a desire to maximize their profits, period. If it's not easy in LOTRO, they'll hunt elsewhere.

Some ideas:

• Offer much better customer education on how to be as secure as possible.
• Score both account IDs and passwords (whenever they're changed), allowing players to see how strong they are. Refuse to accept ones below a minimal score - ones that are words found in a dictionary or are the same as their forum name, for example.
• Offer a SecurID option for players who want that.
• Offer optional/configurable secondary passwords for gold transactions over a certain amount.
• Improve the granularity of permissions on kinship chests, down to the per-item or per-type basis.
• Allow players to lock items of their choice in a way such that they cannot be traded, sold, or mailed until a 72-hour waiting period expires.
• The current EULA gives Turbine our consent to monitor our computers for cheats, botting software, etc. Well.... use that to monitor for common keyloggers too, and warn players not to log in if it detects one.

That way, we get the tools to keep our own accounts secure instead of driving up customer service costs trying to shut the barn door after the horses have bolted. All of those are technical solutions, and once developed, only the "keylogger monitor" would need much in the way of updates.

Khafar

[BellusDuFenna]

As a general rule, I don't get involved in so-called Petition threads, but I will say I do agree with the ideas presented by the OP. I would very much like to see Turbine develop a means with which they can restore player accounts after they have been recovered from a compromised situation, as well as recovering Kin assets stolen while the account was under control of the thief. As this hasn't bee implemented yet, I assume it would be difficult to code with the current state of the game, but I believe this would be a worthwhile expenditure for Turbine, in the long run.

Codemasters is following this path with LOTRO EU, so I expect it is at least possible to accomplish with the North American version of the game. But only time will tell if Turbine has the will to do this.

[Thalian39]

Codemasters is following this path with LOTRO EU, so I expect it is at least possible to accomplish with the North American version of the game. But only time will tell if Turbine has the will to do this.

That's encouraging at least. You'd think it'd be only a matter of time before they implement it here.

*doesn't hold breath*

Thal

[Asileth]

./signed.

words

[Umbrael]

Signed. Whole-heartedly.

If it were me? I would not want gold. You can keep your gold. I'd just want my stuff back. I could honestly earn my own gold back if I wanted or had to, but gold isn't going to buy the actual things that would be missing in the event someone managed to break into my account. Why there's no system in place - other than what someone at Turbine considers is the amount of gold THEY think MY loss would be worth - is beyond rational comprehension. I'd very much like to see roll-backs instituted. I'd like to see some sort of pin number or seperate passwords for forum and game, et cetera. I further have to agree with Khafar, that there should also be better preliminary measures in place to prevent this from happening in the first place. Some of the ideas are perfectly viable ones. But its the actions taken on the part of the company itself -after the hacking fact - that I'm genuinely unhappy with. And not for myself, but purely on behalf of others who have had to go through such a nightmarish scenario.

My system is secure. I update things and scan things and scrub things, weekly (sometimes bi-weekly). I change my password often enough. I do not need a lesson in how to do that. I simply don't feel the game, itself, is as secure as it quite possibly could be on it's end, as it is on my end. Nor do I feel the policy in dealing with those who have been hacked is a fair one by throwing gold at them. It's most likely the easiest way of dealing with it. By no means is it the best way. The Euro servers are onto something which sounds like a better plan. I hope its swiftly implemented, over here. But I'm not going to hold my breath either, because I know these things take time. Hopefully not too much more time! Gosh.

I've always had a good experience with GM's in-game and Turbine reps over the phone. I'm not trying to utterly trash the service I've been given. I've had a pretty good time in this game, and if I ever had questions or a problem, then they were answered in a quick and timely manner. But if there's a wrong to be righted, here? I think this pretty much qualifies.

Just my two cents. Plink. Plink.

[Nepenthea]

A thread on this forum was started just a few days ago discussing this very thing, specifically EU LOTRO (Codemaster) new policy on hacked accounts. Its definitely worth a read.

http://forums.lotro.com/showthread.p...t-LOTRO-Europe

[Ayrolen]

If they're going to have to spend significant development to address this, I'd really rather they aimed it at minimizing the amount of "hacking" going on in the first place. If LOTRO were to gain a reputation as a game that offers little reward for time spent for would-be hackers, that alone would help keep hacking rates quite low. These guys aren't motivated by a desire to screw over LOTRO players for profit -- they're motivated by a desire to maximize their profits, period. If it's not easy in LOTRO, they'll hunt elsewhere.

Some ideas:

• Offer much better customer education on how to be as secure as possible.
• Score both account IDs and passwords (whenever they're changed), allowing players to see how strong they are. Refuse to accept ones below a minimal score - ones that are words found in a dictionary or are the same as their forum name, for example.
• Offer a SecurID option for players who want that.
• Offer optional/configurable secondary passwords for gold transactions over a certain amount.
• Improve the granularity of permissions on kinship chests, down to the per-item or per-type basis.
• Allow players to lock items of their choice in a way such that they cannot be traded, sold, or mailed until a 72-hour waiting period expires.
• The current EULA gives Turbine our consent to monitor our computers for cheats, botting software, etc. Well.... use that to monitor for common keyloggers too, and warn players not to log in if it detects one.

That way, we get the tools to keep our own accounts secure instead of driving up customer service costs trying to shut the barn door after the horses have bolted. All of those are technical solutions, and once developed, only the "keylogger monitor" would need much in the way of updates.

Khafar

+1 for all of this. I sympathize with those who have been hacked and lost everything. I'd probably throw in the towel if it happened to me. But I don't want it to take up a ton of development time if they choose to change their policy. I still believe that most account hacks happen due to keyloggers that people pick up on shady sites, poor antivirus/malware protection, and weak passwords, none of which are Turbine's fault.

Also, petitions don't work. Never have. Patience said as much over a year ago.

[henry316]

If they're going to have to spend significant development to address this, I'd really rather they aimed it at minimizing the amount of "hacking" going on in the first place. If LOTRO were to gain a reputation as a game that offers little reward for time spent for would-be hackers, that alone would help keep hacking rates quite low. These guys aren't motivated by a desire to screw over LOTRO players for profit -- they're motivated by a desire to maximize their profits, period. If it's not easy in LOTRO, they'll hunt elsewhere.

Some ideas:

• Offer much better customer education on how to be as secure as possible.
• Score both account IDs and passwords (whenever they're changed), allowing players to see how strong they are. Refuse to accept ones below a minimal score - ones that are words found in a dictionary or are the same as their forum name, for example.
• Offer a SecurID option for players who want that.
• Offer optional/configurable secondary passwords for gold transactions over a certain amount.
• Improve the granularity of permissions on kinship chests, down to the per-item or per-type basis.
• Allow players to lock items of their choice in a way such that they cannot be traded, sold, or mailed until a 72-hour waiting period expires.
• The current EULA gives Turbine our consent to monitor our computers for cheats, botting software, etc. Well.... use that to monitor for common keyloggers too, and warn players not to log in if it detects one.

That way, we get the tools to keep our own accounts secure instead of driving up customer service costs trying to shut the barn door after the horses have bolted. All of those are technical solutions, and once developed, only the "keylogger monitor" would need much in the way of updates.

Khafar

All good.

And...

Please stop sending out User IDs and Passwords in email for new accounts! Please quit sending every new account's credentials across the internet on a postcard. You are making the accounts vulnerable to exposure the moment they are created. To whomever came up with this idea recently, it is bad. It was bad ten years ago and it's even worse today. Bad bad bad. This a security 101 no-no. Period.

[Jaliki55]

/signed. I agree that a policy where an account is restored to its pre-hacked state is just good moral business.

I disagree on "The current EULA gives Turbine our consent to monitor our computers for cheats, botting software, etc. Well.... use that to monitor for common keyloggers too, and warn players not to log in if it detects one." This amounts to sanctioned malware and I can imagine the privacy concerns would be far greater.

Alterations must be server side (to the extent a reasonable player has taken reasonable measures on the end-user side). A password rater is excellent and simple. I would also suggest that the account management interface require a different password than the game's login (unless they already are, but afaik they're not). Better in-game permissions is also an excellent idea, as would be requiring a 4 or 5 digit "key" (enterable once when first logging in at least) to be able to sell/trade/etc certain items (like LIs, money, full stacks of an item).

On the other hand, ANY change affecting a user must be made optional. If a user does not want to use a key, they should not have to, but at least making the option available means taking a proactive step towards helping combat unauthorized use or hacks.

Oh, require a password to delete characters (or use that key idea, but not the same as the login pass). I'd hate to be the guy who gets hacked, looted, then erased. I could deal with being looted, but the time spent leveling a toon to 65 is an irreversible loss and honestly, no amount of gold or restoration can fix that (unless the "restore to pre-hacked state" will address this).

tl;dr? - signed, but the last bullet from the OP has privacy issues. Stronger/more/diverse passwords are nice too.

[Elfheart]

Well it seems to me that a lot more people are complaining about getting hacked now that our game logons are the same as our forum logon. I think those need to be separated again because it sure looks to be part of the problem.

I also totally agree with the OP. With all the backups that must be run on Turbines end they must have a way to fully restore an account to a previously unhacked state. If Codemasters can do it and it isn't even their game then Turbine MUST be able to do it. It is really in their best interest to offer this to their customers, not only to retain their current customers but to generate good will for this game and any future offerings to potential customers.

[azurelady]

/signed

In addition, they need to do something to increase the security of accounts and account information where and when possible including the very forums that we are now posting on that require our account passwords to log in.

[Ayrolen]

Well it seems to me that a lot more people are complaining about getting hacked now that our game logons are the same as our forum logon. I think those need to be separated again because it sure looks to be part of the problem.

It just seems that way because more people are playing. More accounts = more hacks. But I'd wager that the overall percentage of hacks is still the same.

[scrumtrelescent]

If they're going to have to spend significant development to address this, I'd really rather they aimed it at minimizing the amount of "hacking" going on in the first place. If LOTRO were to gain a reputation as a game that offers little reward for time spent for would-be hackers, that alone would help keep hacking rates quite low. These guys aren't motivated by a desire to screw over LOTRO players for profit -- they're motivated by a desire to maximize their profits, period. If it's not easy in LOTRO, they'll hunt elsewhere.

Some ideas:

• Offer much better customer education on how to be as secure as possible.
• Score both account IDs and passwords (whenever they're changed), allowing players to see how strong they are. Refuse to accept ones below a minimal score - ones that are words found in a dictionary or are the same as their forum name, for example.
• Offer a SecurID option for players who want that.
• Offer optional/configurable secondary passwords for gold transactions over a certain amount.
• Improve the granularity of permissions on kinship chests, down to the per-item or per-type basis.
• Allow players to lock items of their choice in a way such that they cannot be traded, sold, or mailed until a 72-hour waiting period expires.
• The current EULA gives Turbine our consent to monitor our computers for cheats, botting software, etc. Well.... use that to monitor for common keyloggers too, and warn players not to log in if it detects one.

That way, we get the tools to keep our own accounts secure instead of driving up customer service costs trying to shut the barn door after the horses have bolted. All of those are technical solutions, and once developed, only the "keylogger monitor" would need much in the way of updates.

Khafar

All very good points. To be honest, I don't care how Turbine addresses the problem: if they implement suggestions like you made here, I think the end result would be less hacking and less lost stuff. You are particularly correct on the idea that if Turbine makes it hard enough to hack that it isn't in the hackers' interest to do it in the first place, then that's awesome too.

I will say that I don't think the problem is solely on the player side: our kin member that got hacked recently is a computer engineer. He has very, very thorough security on his PCs and if he can be hacked, then nearly anyone can.

[sarahbarah]

/signed

Even SWG has a policy to restore what's been lost due to hacking, as I recall, and so I see no excuse at all for Turbine.

[probitas]

From my own experience with a hacked account:

#1 - Turbine CSR will not in any way accept that perhaps their policies or software contribute to an account being hacked. Even if it's logically presented to them. It's not their fault, it's YOURS. I suppose their thinking is that since you choose to play the game, you have also chosen to experience anything related to the game as well, even if it's a metagame hack, and therefore it's not their problem if they give you a two part key to the front door, and leave one half of the key lying in plain site for anyone to use....

#2 - They certainly could fix your char back to a previous state, all server farms run backups for the unlikely event of a server meltdown and consequent rollback. It's standard operating procedure as well to hold onto these backups for at least a week. It was at POLYSAR when I worked there in Sarnia. While the byte size in storage might be large, the physical space requirement is minimal, and Gigabytes (or more likely TERA) are cheaper now then back in the day. So why such a lame duck response to a victimized consumer? No money in it. That is pretty much it. With the store being how we play now, with the excepting of VIP lifers and those who still subscribe, the only money they see is from store purchases that require cashy money, not free points the game hands out. And while they claim to be doing even better than before, the overall lack of adequate treatment of a hacked account in the US simply suggests that no one person is spending enough coin to pay for the resolution in any adequate way.

Perhaps if the game was not f2p, they would put effort into treating consumers better, but since it's not, and you can in fact play without paying, they have no reason to do anything to keep you. Does that sound flippant? Well, it's a fact nonetheless. For every paying account that drops the sub fee, they got a bunch more suckers paying for points until they drop out too. At a certain point market saturation will be reached, and those who pay for points will have everything they want, and will stop paying....and then what? I don't know, but I bet I won't like it. (If I was a paranoid person who saw conspiracies everywhere, I might point out that it would be a very ingenious way to shut the game down by making it possible to effectively get a lifetime account without paying the huge bucks for one, and all without making it look like that's what you intended all along, regardless of any spewing about future expansions...)

How do I know this? Consider it like buying a car. Pay cash up front and you get pretty c r a p p y ( that word does not in any way require censoring you philistines) treatment from the dealer, but if you pay for it over time, it's in their interest to keep you happy while they are waiting for the rest of the money to come in. Just like lifers, so too goes Turbine. They got all they are likely going to get, so when a lifer gets hacked, it's a 'so what' response. No money in it for them. They got all they are going to get, so why be nice to a lifer, there is nothing more for them to get. Basic human nature, and not the good parts either.

It would be interesting to see how many accounts that got hacked are from lifers/subs vs f2p people. Seems like every account I hear about getting hacked has been around a long time, I have yet to hear about some account 3 months old getting the hack.

[rededdi]

I totally agree things need to change. Wow went with the authenicator, which most folks have now. I got mine because I was the GL there and lord, hitting our guild bank would have been something to really cry about. However our guild is very small in LOTRO and we do not have alot, but...what happened to one of our guildmates was almost a game breaker for some. His account was hacked, and then banned, and Turbine would not reinstate the account, even though they knew it had been hacked, and he was not even playing at the time, he was still playing WoW. He had to start a completely new account and start over with his characters.

The one thing I do, is I do not type in my password. I copy and paste it in rather than type. Now I have no idea if that is good or not, but I have not been hacked in either WoW or LOTRO. Perhaps just luck.

But I can certainly understand folks frustration at not having their items replaced. It would seem a very easy thing for Turbine to do.

[racabu_beta]

It is easy to handle with hacking.
People hack for what reason? Money.
Why they hack? To sell gold.

So do the following, any person who did a transaction with a gold-seller, just undo the transaction and make the character with negative gold... whatever. Place a marker in his account and the next time it does happen, ban him.
How to find where are the gold sellers? Just track all transactions done by a hacked account. When a hacker sells all the gold, to what character the gold goes to? To who he does sell the gold?
BIG transactions like trades and selling overpriced gods on the AH are very common ways of sending money on the game also.

So get the buyers... they are sloppy. The hackers may not be.

[Malachi108]

Absolutely supported. It would even be good for the business eventually: If someone loses 2 years worth of investment, they might leave out of frustration, not willing to waste that much time again. But if the CS restores their character in 5 days, they wipe the sweat, breathe a sign of relief and continue to play, pay monthly fee and use LOTRO Store. Definitely good for the game in general.

[probitas]

It is easy to handle with hacking.
People hack for what reason? Money.
Why they hack? To sell gold.

So do the following, any person who did a transaction with a gold-seller, just undo the transaction and make the character with negative gold... whatever. Place a marker in his account and the next time it does happen, ban him.
How to find where are the gold sellers? Just track all transactions done by a hacked account. When a hacker sells all the gold, to what character the gold goes to? To who he does sell the gold?
BIG transactions like trades and selling overpriced gods on the AH are very common ways of sending money on the game also.

So get the buyers... they are sloppy. The hackers may not be.

Problem #1 with your suggestion....not everyone who pays for an overpriced item on the AH is involved with gold buying/selling. I myself recently bought a stack of Khazad iron ingots for 1.5 gold. A bit high, but still, I wanted it bad enough to front the game coin. What you're suggesting is to punish anyone who buys something they think is worth the cost in pixel money. That's too arbitrary. It makes more sense to just increase the security of the door rather than attempt to find the fox after it's in the hen house. The first would make the thefts/sales decrease across the board, the 2nd would require endless fixes and resolve nothing, not to mention victimize more people.

[probitas]

If someone really wanted to make a point, they could claim that they want fair value for their pixel items, since with the advent of the store, TURBINE has now placed a real currency value on most in game items. (points per dollar - points per item - final dollar cost). A case could be made now that if you have made purchase in game with either game coin or store coin (including time spent increase an items game worth via the legendary system), and those items are then vendored, you could probably make a case for that item having a real coin value outside the game world, and demand that it be rendored, since TURBINE is making it easier for hackers to get into your account simply by giving them half the code (ID) and a place to start the PW hack...

[Ryssadis]

/signed.
A friend of mine was hacked. Account cleared out, top legendaries gone. Turbine gave him 45 gold after him pestering Turbine for two weeks.
I not only think stronger prevention methods need to be in place, but a faster and more effective response is needed.

[ThePasserby]

Being a new player, and subscriber, I'm surprised that this is Turbine's policy. This tells me that I should reconsider continuing the subscription.

[demby]

/signed

This should be a basic standard policy for any game with virtual currency and items, and especially for ones that allow items to be directly purchased with real money.