  1. #51
    Join Date
    Jan 2008
    Posts
    39

    Re: Gold Spam implications and account security

    Quote Originally Posted by FyreBrand View Post
    Sorry Dark, but I think you're way off base here. Your whole premise for not using authenticators is based on conjecture and hyperbole.

    They do work as a piece of layered security. You're basing denial on an imaginary group of people solely relying on them and casting all other security practices to the wayside in a previously imaginary experience and implying that a future group is destined to do the same. I think we know where that faulty logic lies - on a stick in the cornfield.

    The perception and marketing of authenticators doesn't make their appropriate place in layered security any less effective or relevant.

    Since the implementation of CoinLock and authenticators (provided free via smartphone app) in RIFT true hacking has become virtually non-existent. Even compromise via social engineering has diminished greatly. Trion has implemented and offered good layered security to its customers and the results speak for themselves. In addition it's good marketing and PR. The expense, whatever it was, has paid for itself by engendering confidence and goodwill with the customer base.

    No security measure is going to be 100% effective. Then again they don't have to be. They just need to discourage and frustrate and be effective enough that the target isn't worth the effort. They just need to be effective enough that the fringe cases can be dealt with with minimal effort and expense. By the way you haven't proved they provide a false sense of security or that they reduce effective security due to instilling a lax attitude. That is all hyperbole.

    Is it really so much to ask Turbine to implement better security? Is the added support cost too much for a company that claims to have the number 2 MMO and number 4 game and has their most successful expansion to date?

    If improved security measures reduced compromised accounts and account restoration then it should pay for itself along with providing good press.
    Pretty much sums it up.

    The fact is, MMO accounts aren't being stolen by some genius Kevin Mitnick/Black Hat hackers. They are compromised by some guy in China or Korea working for a gold farming operation. MMO accounts are hacked to steal gold and resell them for real money. Of course authenticators aren't perfect security... but they are an additional layer to use against these bottom feeding gold farmers. The chances of these guys hacking companies like RSA to get the authentication seeds is practically nil. Whoever went after RSA is not concerned with small potatoes like gaming accounts.

    The long term benefit of authenticators is win-win for Turbine and players. Added security, less customer service tickets, and goodwill toward the community. Not to mention it effectively dries up one of the gold farmers' primary methods of "farming" gold: stealing it.
    Last edited by Cial; Sep 20 2011 at 03:54 AM.

  2. #52
    Join Date
    Dec 2007
    Posts
    5,524

    Re: Account Protection - The Curse of Success

    Quote Originally Posted by Targean View Post
    I just posted this but it's worth another shot because you people seem to think that it's only on their end they hack you.

    If you got hacked it's probably your own fault because you visited a malicious website or downloaded something shady.

    1) Get NoScript for Firefox or similar for chrome, or whatever. If you use IE, you're a fool to begin with.
    2) Don't visit goldspammer websites
    3) Only allow scripts you trust, through NoScript or similar
    4) Don't download stuff that seems shady
    5) If something seems too good to be true, it is
    6) ??????
    7) Profit

    Did you get hacked anyway? Turbine will get you your items back. Credit card? No problem, your bank will refund up to a certain limit (about 2000 euro is usually standard, at least in Europe).

    Stop being stupid and visit gold sites or any other #### on the internet. Be clever. As I like to say, it's like sex. Protect yourself to avoid herpes and kids.
    I have never been hacked with LotRO.

    Keep in mind that your forum name IS your account name.... they come here, they've got account names for EVERY poster that posts here. Turbine USED to let us have different forum names than our account names... that went away, and they actually made us less secure because of it.

    I would rather be safe than sorry, you're free to read it how you want to.

  3. #53
    Join Date
    Jun 2011
    Posts
    1,461

    Re: Account Protection - The Curse of Success

    Quote Originally Posted by Almagnus1 View Post
    I have never been hacked with LotRO.

    Keep in mind that your forum name IS your account name.... they come here, they've got account names for EVERY poster that posts here. Turbine USED to let us have different forum names than our account names... that went away, and they actually made us less secure because of it.
    Er, my forum name (the one shown on my posts) isn't my account name.

    If you mean the name we log in with well yes, that was a crass move by Turbine in reducing our security.

  4. #54
    Join Date
    Jun 2011
    Posts
    46

    Re: Account Protection - The Curse of Success

    Quote Originally Posted by Almagnus1 View Post
    Keep in mind that your forum name IS your account name.... they come here, they've got account names for EVERY poster that posts here. Turbine USED to let us have different forum names than our account names... that went away, and they actually made us less secure because of it.
    ??? my account username is different than my forum name. I migrated from Europe 3 months ago and did not receive any email about any change.
    Georgee LoreMaster
    Balrog's Bane - Gilrain - Member of Allies of Light

  5. #55
    Join Date
    Jun 2011
    Posts
    34

    Re: Account Protection - The Curse of Success

    Quote Originally Posted by Almagnus1 View Post
    Keep in mind that your forum name IS your account name.... they come here, they've got account names for EVERY poster that posts here. Turbine USED to let us have different forum names than our account names... that went away, and they actually made us less secure because of it.
    hang on, no it's not? i know for a very certain fact that the forum name this message is posted with is NOT my account name. when i set up my forum ID here, i had to choose a name to be known by on the forums, that wasn't my account name.

    one of the very few - possibly the only - advantage the Turbine forums have over the old Codies forums is that my forum name is NOT my account name.
    "Partial mitigation will no longer add to regular mitigation. Instead it will be multiplicative." - Graalx2

    ouch ><

  6. #56
    Join Date
    Dec 2007
    Posts
    5,524

    Re: Account Protection - The Curse of Success

    I could be remembering it wrong, but I thought they stripped all of the old US accounts of their forum names a while back, so login name = forum name....

    Wouldn't be the first time I remembered something wrong XD

  7. #57
    Join Date
    Jul 2010
    Posts
    568

    Re: Account Protection - The Curse of Success

    Quote Originally Posted by Almagnus1 View Post
    Keep in mind that your forum name IS your account name
    Not in all cases. Mine is the F2P open beta test account and has no characters. My play account hasn't got a forum connection, and never will, both for security and because I choose to opt out of Turbine's "social platform" or whatever they call that nonsense which exposes your characters through your forum account.

  8. #58
    Join Date
    Nov 2010
    Posts
    407

    Re: Gold Spam implications and account security

    "but I do recall that they recently changed the policy to the effect that we have a week or 10 days to notice our account has been compromised"


    That's INCREDIBLY LAZY on their part.

    With increased incidents it will come back to bite them as many players will simply quit rather than do business with a company that has so little regard for their customers for problems that are a result of their negligence and inept security systems.

  9. #59
    Join Date
    Apr 2007
    Posts
    401

    Re: Gold Spam implications and account security

    Quote Originally Posted by Resture View Post
    There's another ugly side to things I overlooked when I made this post last night.

    I also play DDO, and there was some severe store lag last year for awhile in the store. During this laggy period sometimes it would complete a transaction without indicating this to the customer. Lengthy periods of time could go by without your points being added to your account after you purchased them, for example. So people would think the transaction hadn't gone through and try again.

    Some people ended up being charged hundreds of dollars for points and Turbine refused to refund the purchases.

    If someone hacks my account, they can maliciously use my card to purchase a bunch of points which Turbine will then refuse to refund the purchases back to me.

    All the while Turbine refuses to provide additional account security measures and pretends there's no problem.

    But hey ... if that happens they get our money and what's honesty compared to a quick profit right?
    This is why it's best to buy with a credit card for any purchase in MMOs. If this happens and they refuse to refund you dispute with your CC company and let them persuade Turbine to set it right. The CC companies have a lot more pull (and lawyers) than we do and they don't like others messing with their money.
    Chivan - Elf Hunter/Explorer
    Selvitarm - Dwarf Champion/Farmer
    4 Garden St, Crickhallow
    Lifetime VIP

  10. #60
    Join Date
    Aug 2007
    Posts
    2,707

    Re: Gold Spam implications and account security

    Sorry Drk, you're so far off base I don't know if you can find your way back without some help!

    The algorithm for SecurID was NEVER compromised, if the data that was compromised was left unaddressed it MAY have resulted in attacks that MAY have been able to compromise the algorithm. RSA knew what data was compromised and immediately enacted steps to safeguard SecurID. Authenticators were NEVER cracked and accounts were not exposed. Authenticators are an extremely effective layer of security which is why 240 million Smartphone users employ that technology along with another 40 million Authenticators.

    As for Authenticators providing a false sense of security, people are inherently lazy when it comes to online security and will tend to do the easiest thing not necessarily the best. That said, if I could only have one layer of security I would take an Authenticator over a User created password any day.

    There is no good reason not to employ technologies like Authenticators or CoinLock for LOTRO, this conversation comes up regularly over the past 4-5 years and the outcome has always been the same. It's past time for Turbine to catch up with the other games in terms of providing additional layers of security to protect the players...
    Reconadan 90 Hunter/R7 ::: Reconamir 75 Captain/R4 ::: Reconien 75 Champion/R6
    Reconi 75 LoreMaster/R7 ::: Elavyan 75 Minstrel/R4 :::Reconorin 75 Guardian
    Westfold/Kindred::: Tinker/Armourer/Historian/Explorer/Woodsman

  11. #61
    Join Date
    Feb 2008
    Posts
    2,539

    Re: Gold Spam implications and account security

    Without trying to derail the thread, I'm a bit curious why the title is not simply "Account Security".

    I have been playing online games for well over a decade now, as have most of my friends in real life and those I met in game. That's just a small sampling of the huge player base of the games we have enjoyed together, but not one of them has suffered a "hack" that was not somehow related to their own actions.

    • Some shared accounts with friends, room mates, real life partners and the like. One only needs to refer to the multi page thread of several years on this site complaining that they can't split off their shared accounts to see a shining example of sharing (which is against the TOS).
    • Others logged into any computer or device they could get their hands on to post in the forums or conduct (gasp) their financial transactions.
    • I'm fairly certain that some were "hacked" by their own IT departments where they managed to sneak around the forums or even the game while being paid to work or on break/lunch.
    • Some got "hacked" by using the same passwords and login names for every site and game they ever played.
    • Some got "hacked" when they purchased services in this game or another game from some slime third party site.

    The point of the above is that there is no substitution for self secure online practices. Yes, you can indeed create all kinds of hoops for the would be "hacker" to jump through, but most "hackers" are practical in that they look for the greatest return on the least effort. In other words, there are enough people out there practicing the breaches that I noted to feed off of.

    Having been in security for many years in a management capacity, I can assure you that few people will admit that they were lax. No one wants to admit that they left something unlocked, had the keys in the car, wrote sensitive information on a post it or were simply lazy. It had to be some Pink Panther sleuth or international famed hacker that brought them down.

    You can create the most secure locks in the software industry at some expense to the company and inconvenience to customer, however the bulk of those being hacked are being hacked as a result of their own careless actions.
    Grifinor

  12. #62
    Join Date
    Feb 2011
    Posts
    424

    Re: Gold Spam implications and account security

    In regards to the RSA hack: Even in the worst case scenario that there is a hacker out there who can get the seed for any token they would still need to get the serial number off the token. My company has replaced all of ours (at RSA's expense) and reading the serial numbers on some of the ones that have been around for a while is not easy. Admittedly the newer ones are better and have barcodes for easy data-entry.

    From what I've read about it and from the communication my company got from RSA there is some evidence that one of their clients (Lockheed Martin - a major defense contractor) was compromised. This means that someone had physical access to a token to get the Serial Number off from somebody pretty high up. This was a case of top-tier professional corporate espionage (if it did happen). Furthermore it was implied that based on the files accessed some tokens were not at risk, but this isn't clear either.

    So even after having to replace a few hundred tokens in my company I would still much rather have one. They aren't perfect, but considering the primary threat is foreign hackers it's a very potent defense. That bit of stealing accounts without authenticators and putting an authenticator on it would certainly be annoying, but seeing as there is an expense in getting the authenticators I doubt it's something your average gold-farming company is going to do.

    Coin-lock seems to be pretty effective as well and I'd certainly be happy to see it.

    In any case, Turbine really needs to do something to increase our account security.

  13. #63
    Join Date
    Jun 2011
    Posts
    1,461

    Re: Gold Spam implications and account security

    Quote Originally Posted by Mark_J View Post
    The algorithm for SecurID was NEVER compromised
    You're making that up, no one knows, and in any case even if the algorithm itself wasn't 'stolen' the security based on it WAS compromised, even RSA admitted that since they replaced 40m+ security tokens, so obviously SecurID WAS compromised.

    However, don't take my word for it, take that of RSA itself and one of the many well-known security web sites that starts off this article with:

    RSA has finally admitted publicly that the March breach into its systems has resulted in the compromise of their SecurID two-factor authentication tokens.
    http://www.net-security.org/secworld.php?id=11122

  14. #64

    Re: Gold Spam implications and account security

    Quote Originally Posted by vladtheimplementor View Post
    "but I do recall that they recently changed the policy to the effect that we have a week or 10 days to notice our account has been compromised"


    That's INCREDIBLY LAZY on their part.
    I'm sorry?

    In response to people being hacked Turbine implemented systems that allow them to return most of lost items, and restore characters. No such mechanism existed before about the last year or less. They implemented it shortly after Codemasters did the same.

    Prior to that there was ZERO recourse. Your characters and items were gone. End of story.

    So yeah, there's a time limit. There should be - besides probably technical reasons - ie, how long do you keep logs and backups - it's not up to them to hunt through years of old data.



  15. #65
    Join Date
    Oct 2008
    Posts
    246

    Re: Account Protection - The Curse of Success

    Quote Originally Posted by Targean View Post
    I just posted this but it's worth another shot because you people seem to think that it's only on their end they hack you.

    If you got hacked it's probably your own fault because you visited a malicious website or downloaded something shady.

    1) Get NoScript for Firefox or similar for chrome, or whatever. If you use IE, you're a fool to begin with.
    2) Don't visit goldspammer websites
    3) Only allow scripts you trust, through NoScript or similar
    4) Don't download stuff that seems shady
    5) If something seems too good to be true, it is
    6) ??????
    7) Profit

    Did you get hacked anyway? Turbine will get you your items back. Credit card? No problem, your bank will refund up to a certain limit (about 2000 euro is usually standard, at least in Europe).

    Stop being stupid and visit gold sites or any other #### on the internet. Be clever. As I like to say, it's like sex. Protect yourself to avoid herpes and kids.
    Lot of opinions, aren't there? And typically, the user is blamed for getting hacked (I'm not even going into which is the 'best' browser to use, people have their own opinions and justifications, which is fine... but calling people fools for using IE...?)

    And yes, my account was hacked before the policy was changed so that you 'might' get your items back. The bank thing, yeah, but it's the fact that people have to go through that hassle to begin with that is a problem.

    And no, I wasn't 'being stupid'. I don't visit gold sites or any site that is suspect, for that matter. And running Windows 7, 64-bit with the UAC on so I know when something tries to install is another safeguard. Here's another tip... ads on legitimate sites can infect you without clicking on them, as well.

    Oh, and as far as 'protection' goes, nothing is 100%... but then, it must be the user's fault for that, too.
    I refuse to have a battle of wits with an un-armed person...

    My blog with all my writings can be read at http://aschesnuk.wordpress.com/.

  16. #66
    Join Date
    Nov 2010
    Posts
    1,637

    Re: Gold Spam implications and account security

    Hey everyone! Let me just step in here and say that everyone's security is still very much secure on our side of things. While we understand that the gold spam is irritating everyone, it's most certainly not related to the security of your account. We've also put together a post detailing what security measures you can take as well to keep things on your side as secure as possible.
    Seraphina Brennan -- Turbine Community Specialist
    "When in doubt, reach for the stars. That way you'll never come up short."

    Don't forget about our Facebook page! and Twitter page! =^_^= Questions on our policies? Read the community guidelines!
    I try to answer all of my PMs, but I get a lot! Sometimes I may not get back to you, but I have read your mail!

  17. #67
    Join Date
    Jun 2011
    Posts
    79

    Re: Account Protection - The Curse of Success

    I got my account hijacked once on a different game due to forum spoofing. ANY place where you type in your credentials (username/password) is fair game for account hijacks, and unfortunately, the way lotro has set up for the web, it looks like it would be tremendously easy to confuse people by just adding lotro.com to, well, pretty much anything and it's game over.
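
The spoofing described in the last post, turned into a check that a link filter or player-side tool could run before a login link is followed. This is an added example, not part of the original thread or Turbine's code; `classifyLoginUrl`, `auditLinks` and every sample URL are constructed for illustration, and only the `lotro.com` domain comes from the post.

```javascript
// Added example: decide whether a link really belongs to the game's site
// before credentials are typed into it. Only "lotro.com" comes from the
// thread; function names and sample URLs are constructed for illustration.
const TRUSTED_DOMAIN = 'lotro.com';

function classifyLoginUrl(raw, trusted = TRUSTED_DOMAIN) {
  let url;
  try {
    url = new URL(raw); // same parsing rules a browser applies
  } catch (err) {
    return 'invalid';
  }
  // Judge the parsed hostname only: lower-case, trailing root dot removed.
  const host = url.hostname.toLowerCase().replace(/\.$/, '');
  // Exact match or a true subdomain. A bare endsWith(trusted) would also
  // accept "forums-lotro.com", which is a different registered domain.
  const onTrustedSite = host === trusted || host.endsWith('.' + trusted);
  if (onTrustedSite) {
    return url.protocol === 'https:' ? 'trusted' : 'insecure';
  }
  // Not the real site. If the trusted name still shows up in the userinfo,
  // host, path or query, the link is dressed up to look like it.
  const visible = [url.username, host, url.pathname, url.search]
    .join(' ')
    .toLowerCase();
  return visible.includes(trusted) ? 'lookalike' : 'untrusted';
}

// Constructed sample links, one per case the check has to tell apart.
const SAMPLES = [
  'https://www.lotro.com/login',                  // real site over TLS
  'https://WWW.LOTRO.COM./login',                 // same host, odd spelling
  'http://www.lotro.com/login',                   // real host, no TLS
  'https://lotro.com.account-check.example/login', // trusted name as a prefix
  'https://forums-lotro.com/login',               // suffix without the dot
  'https://lotro.com@login.example/',             // trusted name as userinfo
  'https://login.example/lotro.com/signin',       // trusted name in the path
  'https://login.example/signin',                 // unrelated site
  'not a url',
];

// Returns one { link, verdict } record per input link.
function auditLinks(links) {
  return links.map((link) => ({ link, verdict: classifyLoginUrl(link) }));
}

for (const { link, verdict } of auditLinks(SAMPLES)) {
  console.log(verdict.padEnd(10), link);
}
```

Only the `trusted` verdict means the hostname is `lotro.com` or one of its subdomains over HTTPS; `lookalike` covers every case where the name appears somewhere other than the end of the hostname.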

 

 