Feedback: Compromised Account Reimbursement Policy

[ericpae1]

I would like to thank Turbine and all who processed my acct issue. I logged in to find all gone and then had my acct suspended. I did as I was told and within hours my acct was back up and so far one char has received all items/gold back.

I just wanted to say thanks to all involved. I was actually shocked at how fast a GM responded, as soon as I submitted it they were on it, at least it seems that way.

Great job all and thanks for making a ?????? afternoon turn out ok!

I do have a question tho. I did not get any of the shared storage items back. is there a reason for that? I used that for flakes, shards and what-not so it would be a bummer not to get it back. I can give a list and amounts if needed.

[drunes]

First I am pleased to see they have this policy. However as a owner of four lifetime accounts I am more than a little concerned that I was hacked while on line playing. Kicked off and locked out of the account. level 65 charcaters from back in Jan of 08 deleted, these were my raid ready chracters who I had set up for the release of Isengard. Needless to say I am more than just a little concerned.

I will reserve judgement until after I have seen what gets replaced or recovered. While everyone may lay this claim there was really no way to know my account our my password as they were unique to me and I do not belong to a kin nor do I typically write ont he forumn including this official one. So the question that still baffles me is how and why. In my case they deleted the level 65 charcates and left the low level characters.

As I said I will reserve judgement but consider the number of store points I used to modify items and stats will those be replaced. Will the charcaters come back at thier prior glory. considering the time taken to complete all the quest gain kinship status with all the various factions and hours of slaving for no other reason than to know I had maxed out all virtues.

Perhaps all the time I have spent over the past four years has been a waste of time I hope not but we will see.

[cliebo]

I just wanted to say thank you Turbine, you really do care for your players. My story is I came home from a family vacation to find out that my account was hacked. Not even 24hours after I opened a ticket I had all my gold and items returned to all 9 of my toons, thank you.

[Brastil]

To the above poster, you seem to have lucked out. Same thing happened to me. All gold (150+), consumables, crafting items were stolen because of a compromised account. Know what I got back? 20 gold and 100 skirmish marks.

Seems hardly caring in their response to me.

[DrPipper]

checkcheckcheck

[Milogson]

Please move this post to an appropriate thread if necessary; I couldn't find another on short notice.

First off: thanks Turbine that you actually have such an acct reimbursement policy. some other companies don't.

With that being said I am sorry to say that such a policy is only a treatment of the symptoms not of the origins of the problem.

Where do these origins lie?
1. Well first and most obviously they lie with the account hackers themselves. If nobody hacked we and Turbine wouldn't need such a policy nor would we players have to worry about loosing a long time investment in the game. But as this case is (sadly) only wishful thinking some steps should be taken to prevent such hacking. But as legal prosecution of such individuals is very difficult, or in many cases even impossible, they get away with a slap on the wrist and continue their work with another account soon afterwards.

2./3. Password security both on the players' and Turbine's side of the fence
If players' choose a password (pw) such as Test1234 oder password1234 and assume that such is a safe password they should have their heads examined.
But if players intend to use passwords like "X2o§4$5%öß! as their security measure then let them. The problem is that Turbine does NOT allow non-standard alphanumerical characters except for a very limited choice. That is substandard security from a period of security (actually from the late 1980's) when memory and storage space were at a premium. Today such concerns should be only of very limited concern when viewing security measures. And please don't go into the difficulties of programming such an interface expansion; it is virtually nil. Unicode was formulated and standardized long before the programming for LOTRO began.

4. Account security measures
Here I am again sorry to say that Turbine has woefully outdated security measures. Let's just list a few topics which could and can be implemented at very short notice and which do not require a long phase of testing nor programming
- IP-range logging of account logins
- different pws for account management, forum, and game logins
- scrambled account data (especially email and credit card info) in account management interface without verification
- security lockout after a limited number of login attempts into either the account management interface as well as the game interface
- vacation lockout of accounts by account owner (an owner of an acct can lockout his/her account by setting up a time/date stamp until which his/her acct cannot be used at all)
- in-game anti-exploitation measures by locking out sales/auctioning/postal sending/trading/item destruction if non-authenticated IPs are logged; characters from such locked out accounts can also not be deleted or changed in appearance; such lockout can be released after email/iphone/ hotline authentication of the original owner
- in-game safety net for trusted players (Trusted Players List could be an extention of the friends-list or even kinship lists, which can be setup by the account owner. If any persons in the safety net list notice a hacking attempt on the owner's account they may trigger the safety net (button in their friends list/saftey net interface) which will result in _immediate_ lockout of the account's item/character deletion/swapping/trading capabilities as well as all kinship privileges being in hiatus in addition to immediately scrambling ALL account info in the Turbine account management interface. In such cases both the triggering account for the saftey net as well as the account for the which the safety net option has been triggered will be both IP-logged as well as under observation by GMs as soon as possible.
- seperate login data for forum/account management/game logins (nuff said on this, sorry, I just HAD to repeat that here)
- a secure database as well as all external connections by the provider of the game as well as the server farm which can not be easily hacked (cough-cough: forum account database compromised).

As you can see many of the features I have listed have not even been contemplated by Turbine yet (or none of the official Turbine representatives have voiced their official opinion of these measures in the forums).
That is why I consider the player-game-provider-relationship to be seriously and woefully misrepresented both in the forums and in reality.

Why am I so vociferous about this?
Well, in the last one-and-a-half years I had to accept that three accounts of my kinship had been hacked; the last case occured yesterday, Oct 26, 2011. While five (5) others of my kinship including myself had to helplessly watch this account being burglarised despite all of our combined efforts at sending tickets and screaming for GM help on all open channels. A character was completed robbed, our kinship hall storage plundered, this character then deleted, another character logged on, probably cleaned out as well.

All our attempts at getting help were replied to with the same non-commital automated reply: While this problem is being looked into it can take some time until we can reply to it. If we need more information we will contact you within the next days (!!!!) via email.
All of these replies came from exactly one (1) GM.
This is a liberal translation from German and I was not able to glean any more information at all about our compromised kinship hall at all.
After a few hours all (!) of our tickets were closed and we could not even reply to any of these tickets.

While I am not our kinship leader I was given the responsibility of looking after it for the duraion of our kinship leaders 3 week vacation. Unluckily this account hack happened during the 12th day of his absence. As such he won't be able to contact any of his Turbine accounts within the 10 day reimbursement period. This was stated in several of my tickets when I asked for help; the same answer I always recieved was (in short): "We cannot discuss reimbursement with anyone outside the account owner. Bye. Don't bother us again."

This is neither fair nor does it help us, the compromised, in any way. On the contrary it raises grievances against Turbine and their incredibly lax security measures.
ANY of the above listed measures would have reduced if not prevented the outcome of this account hack.
NONE of them are implemented.

We as players suffer; the criminals get away with a slap on the wrist, even if what they do truely is a criminal act. Prosecution of such persons is virtually nil.
I am not talking about some minor violation of netiquette here; several years of leasure time have in many cases been sunk into these accounts by their original owners. Any loss of these resources thus consitutes a loss of many hours worth of 'work' which could be summed up as lots of real life money being stolen here.

Does anyone consider this to be a fair treatment of those who have been compromised?
Even when they implemented all of a very limited set of security measures supplied by Turbine?
IMHO not (!)

[Vardiel]

Does anyone consider this to be a fair treatment of those who have been compromised?
Even when they implemented all of a very limited set of security measures supplied by Turbine?
IMHO not (!)

Definitely +rep'd (long read but all good).