Petition to Turbine: Please Revise Hacked Account Policy

[Ozthorn]

/signed

Hopefully Turbine will do something in line with CodeMasters.

[probitas]

The Codemaster's policy is fine except for one point I have to disagree with...that you have to file the in game ticket within 7 days of the hacking. I have a kin member that was out of commission for several months as he underwent a very debilitating cancer treatment. Should he not have the ability to report his account being hacked and getting assistance?

Yes, BUT, after such a long absence, it's likely they don't have a recent backup that is pre-hack, since there is no telling how long ago it occurred. While most companies that deal with databases do keep backups, they don't keep them forever, and normally rotate the old ones out as they are replaced with newer backups. I think they may have 4 weeks worth, one each week, for a month of backup data, depending on size of course, though with the advent of Terabyte drives and Blue ray storage, it may not matter anymore. That is likely why the short notice window, thought that IS a bit low, people do go on vacation for longer than that in a single stretch, particularly high school kids in the summer.

[Mindle]

What Codemasters is doing is a good start and we can only hope that Turbine catches up eventually. This is still being reactive to a problem instead of proactive and better prevention steps should be in place.

With the way accounts are setup now, since there is no subscription anymore, our accounts are always active so there is no way to place a hold on your account if you do need to take a break from the game. At least before, if you canceled your account, a hacker would have to pay to activate your account to do any damage which is some form of protection.

Just about everyone is going to take a break from time to time and even with this new policy that Codemasters has it forces people to monitor their accounts when they are on that break. The best and only real solution to this problem is security tokens.

I feel that since my account can be hacked at any point, due to poor security features provided by Turbine, why should I bother advancing any of my characters. My account was hacked once and I have no idea how they managed to get my account info for this game but it was the same as my WOW account and my WOW account was not touched. (No Turbine fanboys Blizzard did not hack my Lotro account)

tldr: Get authenticators for our accounts, that will save everyone time and grief once these are applied to people's accounts. They will almost make this roll back policy, or lack of one, a non-issue.

[Ayrolen]

I think we ought to be able to call up account support and request a player-initiated "ban" of sorts be put on our account if we know for certain that we'd be gone for an extended amount of time and unable to log in.

[Zalexia]

Please sign below if you agree that Turbine needs a complete overhaul of it's current policy for dealing with hacked accounts.

Turbine, I love your game. LOTRO is great. And though I was a skeptic, you've won me over with the F2P model. I am a happy VIP subscriber since 2007, and am still enjoying your game. But despite the fact that I am happy overall with your product, I have to make one significant complaint:

Your policy on handling hacked accounts is severely lacking.

Currently, Turbine will not restore ANY items lost due to hacking. They simply give you gold to try to replace what you've lost. The problem is that for many people, gold is of little value in replacing liquidated items. You can't buy radiance gear on the AH. The meager amount of gold they reimburse certainly isn't enough to replace a level 70 LI that you've used thousands of skirmish marks to buy scrolls of empowerment to upgrade. Heck, one single scroll of empowerment goes for 17-20 gold onthe Silverlode AH. I used about 10 of them to upgrade my captains sword, and I earned them through skirmishing and quests.

The problem is getting a bit out of hand, Turbine. We had a kin member get hacked this week, and not only did the hacker clean out our friend, he also cleaned out our kinship hall chests. Should we maybe have removed him from kin for inactivity? Perhaps, but he's a good friend of ours that's been a member for about 3 years and has been away for health reasons. We shouldn't have to remove our friends from kin because your policy for reimbursing over hacking is inadequate.

Other games (WoW, for example) have policies that allow for restoral of the account to its pre-hacked condition. Why can't this be done? I'm sure you're running constant backups of your files, so I doubt restoring them is impossible to do. I understand that there is the risk of people abusing the system, but there are ways to address that. Someone gets hacked once? Restore them. Hacked 3 times in 30 days? Maybe they're abusing the system and deal with that situation differently.

But the bottom line is this: a lot of people are getting hacked, and they are getting frustrated. And it will affect your bottom line: some people, upon seeing that hundreds of hours grinding for skirmish marks to get radiance gear, upgrade LIs, etc etc etc now have lost everything and are getting 30 gold in return will simply throw up their hands and walk away. It is in your financial interest to overhaul your hacked account policy.

I like your game a lot Turbine. I've spent money on a sub and money in the LOTRO store. But this policy is making a lot of people very unhappy, and I sincerely hope you will consider revising it.

Again, please /sign below if you agree that Turbine needs to take a long hard look at their hacked account policy.

in all honesty they should have a back up system. this would solve that solution. most companies have back up files incase of corruption. yea its a lot of work to go back in them and find what you lost, but how do i know u back up ur system? roll backs. we go back 15 minutes from the server reset. So just take the time to update player files while doing so so that when people are hacked they can get their stuff back they worked hard for.

It is no different then backing up your legal documentation or any tax information etc. stuff u dont want to lose u back up.
just think that u should be able to do this if u did back up they may miss 1 or two items if it was before the back up date but its better than losing your whole thing. not to mention i think they should add in the authenticator system that wow has. not that i like wow, but its a sure fire way to protect your account.

/salute for this post and /sign.

[Ayrolen]

in all honesty they should have a back up system.

As someone already mentioned on this same page, they probably do. but how far back their back-up system goes is the question. they aren't going to keep back-up logs indefinitely, which is why Codemasters has the policy that tickets must be sent no later than 7 days after the loss of items occurred. it would obviously suck a whole lot to come back to the game after a year off to find all of your stuff gone, but I couldn't possibly expect Turbine to go back an entire year and dig through logs to find my stuff.

[Darmokk]

The Codemaster's policy is fine except for one point I have to disagree with...that you have to file the in game ticket within 7 days of the hacking. I have a kin member that was out of commission for several months as he underwent a very debilitating cancer treatment. Should he not have the ability to report his account being hacked and getting assistance?

I noticed that, too.

I don't think that the age of the backup plays a role, even if they do -say- 7 daily copies as backup depth.

Let's say you last played 6 months ago and the account was stripped 5 months ago. In all likelihood it would not change from that stage forward. So if Codemasters saves 7 daily copies all it would take is not save copies that are identical to the least one. That was a pre-hack copy would be there.

[probitas]

I noticed that, too.

I don't think that the age of the backup plays a role, even if they do -say- 7 daily copies as backup depth.

Let's say you last played 6 months ago and the account was stripped 5 months ago. In all likelihood it would not change from that stage forward. So if Codemasters saves 7 daily copies all it would take is not save copies that are identical to the least one. That was a pre-hack copy would be there.

I doubt very much they keep backups of every single account. It is more likely one large database, which is why it takes time to perform maintenance and restart the server. So when the database gets backed up, every single record gets backed up at the same time. If you leave the game for a while, and come back to find you got cleaned out, don't expect to see much, unless you told them ahead of time what you were doing, and then maybe they might make a copy just for you on the off chance that while you were absent someone messed with your data. People tell the phone company to turn off the phone while they are away on extended vacations, people should perhaps mention that to Turbine too.

[Darmokk]

I doubt very much they keep backups of every single account. It is more likely one large database, which is why it takes time to perform maintenance and restart the server. So when the database gets backed up, every single record gets backed up at the same time. If you leave the game for a while, and come back to find you got cleaned out, don't expect to see much, unless you told them ahead of time what you were doing, and then maybe they might make a copy just for you on the off chance that while you were absent someone messed with your data. People tell the phone company to turn off the phone while they are away on extended vacations, people should perhaps mention that to Turbine too.

Hard to tell.

For example, all the base character data is already dumped for my.lotro.com. It wouldn't be rocket science to store that permanently by account, and only overwrite old backups when something changed.

[leojreimroc]

If I would get hacked, and my stuff wouldn't get restored, I would be out, simple as that. Now I've never been hacked and I don't plan on it, but you never know. I've had many friends have their WoW accounts hacked, and they received all their stuff back. They lost a few days of gameplay, but in the end, the customer service was excellent, and they kept playing. It comes down to keeping your customers happy. Some games have good policies on the matter, Turbine does not.

There's absolutely no reason why bound items shouldn't get refunded. You can't abuse a system like that. At the very least, hard to get equipment should get refunded, but idealy, everything should get returned.

[Cadennza]

With more and more of my kinmates being hacked, I feel it's only a matter of time before it's my turn to go through this.

I've read and heard that Turbine's policy seems to try to push more of the blame on us, the users. For example, hate the people who buy gold not us. If they didn't buy it, there wouldn't be a need to hack and steal it. I would expect and appreciate feeling that Turbine is taking hacking a bit more seriously than that and will listen to the really good ideas that are being expressed.

I've never bought gold, Turbine. What little I have has been earned through hours and hours of playing. I have spent almost all that I've made in trying to get good legendary weapons (another tangent, legendary weapons). All many of us are asking for is to restore what we've fought so hard to obtain.

/signed

[Asileth]

There's absolutely no reason why bound items shouldn't get refunded. You can't abuse a system like that. At the very least, hard to get equipment should get refunded, but idealy, everything should get returned.

Agree 110% with this reasoning. I really hope Turbine reconsiders and follows Codemaster's example.

[Darmokk]

There's absolutely no reason why bound items shouldn't get refunded. You can't abuse a system like that. At the very least, hard to get equipment should get refunded, but idealy, everything should get returned.

Quest items are not difficult to get again. They are impossible to get again since you can't repeat the quest.

[Soopervilin2]

/signed

I've been playing off and on pretty much since the beginning and had never had any trouble with account security until I was hacked toward the end of last year. No spyware, no keyloggers, nothing on my system that would cause this kind of security breach. The only anomaly is that I logged into the myLotro site, from within the game client itself, to look at what one of my characters on a different server had equipped, the day before my account was compromised.

When I realized what had happened, I immediately changed my password, opened tickets for each of my characters and followed the instructions I was given by an in-game GM and Account Management over the phone. I even have the specific day and time I was hacked, and after providing this and all relevant information, I was told I should make tickets for the items I want restored, and after a short investigation I should expect to have them restored. I was told this by both Account Management over the phone and the in-game GMs that responded to my tickets. What I got was a measly sum of gold, a "Sorry this happened to you" and nothing else. In fact, when I raised the issue again to get some clarification over what happened, I was threatened with having my account banned.

I have a lifetime account, and that's the only reason I even bother playing this game anymore.

[Mynar]

Quest items are not difficult to get again. They are impossible to get again since you can't repeat the quest.

Maybe this changes depending on which GM handles it, but after I got my compensation sans any items I wanted, I submitted a separate ticket detailing all quest and deed reward items that I could think of that I wanted back. It generally involved things like the Prized Pie and things like that, generally fluff items. I did ask for all five of my Scrolls of the Ages back (gotten from the old Fangs for Nothing chain) and didn't get them back. I'm theorizing (not saying this is how its done) that if you ask for quest rewards that are not consumables (like potions, scrolls, etc.), then it is much easier for them to confirm that you should have it and give it back to you.

I guess what I'm saying is that its not impossible to get these items back. It may just depend on the specific GM's willingness to go through your completed quests and deeds to see if you actually should have that item. If you give them a detailed list of every item you want back, they may not look through the list as they won't be able to give the majority of them back, but if you give a specific list of quest/deed rewards and say that they are quest/deed reward that you can't, then I think they would give them back. It worked for me, so its worth a shot.

[avilla]

/signed

Please Turbine. If Codemasters can do it, so can you. Make it happen. We may lose a highly respected member of our kin who was recently hacked. This will severely weaken us, and if it continues on a wide scale, you will lose many customers--and not just those who were hacked.

[Darej]

/signed

Please Turbine. If Codemasters can do it, so can you. Make it happen. We may lose a highly respected member of our kin who was recently hacked. This will severely weaken us, and if it continues on a wide scale, you will lose many customers--and not just those who were hacked.

you are right...they can and should..but...

just remember...it took CM a looong time to do it...

CM also had more employees and resources to throw at it....

you cant rush these things....dont believe me...

http://maycontaingamers.blogspot.com...-and-i-am.html

thats the CS manager for Codemasters.

[Celebags]

Dear Turbine,
This is a magnificent game with a loyal and devoted fan base. The risk of an account hack creates uncertainty within that fan base. An actual account hack carries with it the very strong risk of losing customers. The community/kinship system means that hacks have ripple effects well beyong the individuals who are the victims of account theft and character deletions. A policy that means that deleted avatars can be recovered offers justice to victims, as well as security to a dedicated fan base. It may be time consuming. It may be difficult. But it's the right thing to do.

[carpleloctrapus]

Wow this thread is still going? Again I vote no and do not sign any thing to do with this thread. Codemasters has a different policy and idea of the game. If Turbine reimbursed and such 'Hacked Accounts' it would be a message to allow every single person who intends to play and has been playing a license to experiment with items and things their younger family members experiment and use constantly and download even before downloading and installing any game. Which means you all think you have a right to break the eula and use not permitted items because you use them in other online mmo's free play or otherwise. 95 percent of account security loss not caused by a person, known or unknown to the player using the computer at the house for that said game which is caused by a visitor being mean and getting back at said person IE: a person who has access to the computer rather you know it or not, are caused by using and going to sites that are a violation of the eula. In other words, you asked for it. Naaaaay no way to this, play fair or don't play at all.

[Celebags]

Unfortunately the thread is still going, because the issue remains.
The point here is that some players are victims of account hacks, whatever the cause may be. The capacity to recover deleted characters is an option that should be supported for bona fide victims of account hacks. It is a flawed assumption that everyone out there is in breach of the EULA, share their details, has others in house that accesses their account, experiments with items, or that players "asked for" someone to access their accounts, steal their gold and items, or malciously delete their characters. The option for avatar recovery would enhance the game - in fact it might make a nice option for the Turbine Store. It would be even better if Turbine was able to trace that kind of conduct back to source, track where the items have been sent to, and liquidate the avatars at point of receipt.

[Gaylen]

My account was violated on Feb 9th. No trojans. No key loggers. I have professional anti-virus and firewall unavailable to general consumers. No viruses or malware found before or after the intrusion. I have to manually approve all network access. My password was strong. My account name is not any of my characters' names. It's not my forum name. It's not the same username of any of my messenger accounts. I don't use it in any other game. I don't visit gaming websites. It's not my Facebook login. I don't answer those 'RE: Your Battle.net Account' emails. Did I miss any of the accusations often hurled at the victims of account hacks?

In other words, Turbine's presumption that each and every account violation is the customer's fault is inaccurate. And insulting. It's also incredibly poor customer service.

I've been waiting nearly a week for a response that isn't a copied and pasted variation of, "Your ticket has been escalated and an investigation is underway." I fully expect an equally pre-written answer of, "Here's some gold. So sorry. Now shut up about it," as I've seen when friends and kinmates went through this in the past.

And when that happens, I'm gone. In fact, I'm working on pulling other people from this game to join me in another. Because as long as people are willing to continue subbing to this game after Turbine first insults them with the insinuation that they are so stupid that they had it coming and then throws a pittance of pixel money in their face, Turbine will keep the policy in place. It would cost them money in man hours to actually investigate and restore accounts. Until the failure to do so costs them even more, they won't bother. When they start losing subs over it, they'll suddenly deeply, truly care about the experience of their players.


ETA: For what it's worth, the hacker didn't bother stripping all 6 L65's of their raid armour to vendor. (Just their 4 unequipped LIs, their entire inventories, and shared storage leaving only the Map Home intact.) So congrats, apparently your policy to flag them as unvendorable in the future is already seeing results!!! Problem solved!

[Overtone]

Wow this thread is still going?

This thread continues because hacking is a serious problem, and it certainly is not always the fault of the customer. Just last Super Bowl Sunday my brother, who has been playing this game without any trouble since Beta, had his account hacked. We had already been playing the game that day. We took a break to enjoy the Super Bowl. When we went to jump back in game that night, my brother's login no longer worked.

He called me to tell me he couldn't log in. Having been wary of this hacking issue and an aware of an increase in hacked account complaints since F2P and the Forums change, I told my brother not to do anything until he called Turbine Support first thing the next morning. I informed him that I was able to login the Forums using his account info, but for some reason could not access the game or myaccount.turbine.

The next morning, he contacted Turbine. The Turbine rep was very helpful. Apparently, the email address on my brother's account had been changed by a "third-party". The rep changed the email address back. My brother is a computer savvy guy that runs a router/firewall and a-v/firewall at all times. He doesn't play another MMO. He doesn't even participate on the forums, mylotro, or any other satellite sites.

Somehow a hacker had back-doored Turbine and changed the email address on his account. I believe this to be the case because none of my brother's other account information or character data was changed. I believe the strategy was to hack the email address, compromise the account, and wait for a user to give the account access information over when attempting to reset the account password. Had my brother not stopped when I told him to stop, had he attempted to reset his password to regain the account, then the hacker would have scored his account info. Thankfully, he did not and I believe a more extensive hacking of his player account was averted.

Clearly, hackers use multifarious methodologies to compromise accounts. Clearly, all of these methods are not the fault of the customer.

[Saelyth]

http://forums.lotro.com/showthread.p...e-Paid-Service!

nothing left to say

[Sardonyx]

This thread continues because hacking is a serious problem, and it certainly is not always the fault of the customer. Just last Super Bowl Sunday my brother, who has been playing this game without any trouble since Beta, had his account hacked. We had already been playing the game that day. We took a break to enjoy the Super Bowl. When we went to jump back in game that night, my brother's login no longer worked.

He called me to tell me he couldn't log in. Having been wary of this hacking issue and an aware of an increase in hacked account complaints since F2P and the Forums change, I told my brother not to do anything until he called Turbine Support first thing the next morning. I informed him that I was able to login the Forums using his account info, but for some reason could not access the game or myaccount.turbine.

The next morning, he contacted Turbine. The Turbine rep was very helpful. Apparently, the email address on my brother's account had been changed by a "third-party". The rep changed the email address back. My brother is a computer savvy guy that runs a router/firewall and a-v/firewall at all times. He doesn't play another MMO. He doesn't even participate on the forums, mylotro, or any other satellite sites.

Somehow a hacker had back-doored Turbine and changed the email address on his account. I believe this to be the case because none of my brother's other account information or character data was changed. I believe the strategy was to hack the email address, compromise the account, and wait for a user to give the account access information over when attempting to reset the account password. Had my brother not stopped when I told him to stop, had he attempted to reset his password to regain the account, then the hacker would have scored his account info. Thankfully, he did not and I believe a more extensive hacking of his player account was averted.

Clearly, hackers use multifarious methodologies to compromise accounts. Clearly, all of these methods are not the fault of the customer.

There is a problem with this story. If your brother was unable to log into his account, then the credentials were already changed. If the hacker was able to change the log-in credentials, then any tweaking of the email address is moot, because the hacker already had the password.

I'd also point out that the story demonstrates that your brother doesn't handle his account information securely, since you had the information to log in as him. (Yes, I know he's your brother. Doesn't matter. Most homicides are committed by people that know the victim, after all.)

You can't make a statement like "Clearly, all of these methods are not the fault of the customer" on evidence like this. This thread has dozens of cases like this, which boil down to the following argument:

1. Person A got hacked.
2. Person A is computer savvy.
therefore:
3. Turbine is at fault.

The problem is that 2 isn't at all sufficient to prove 3. We're asked to take your word for the fact that 2 is true, but "computer savvy" people get hacked (not just in LOTRO) every day. Computer savvy people do stupid things with their security every day because they get lazy. Computer savvy is not a blanked label that allows one to shift the blame for all issues to other parties.

Now Turbine can't exactly prove the opposite, that all hacking is related to customer faults. For one, I find their assertion that no Turbine data has been compromised to be quite naive. All Turbine can say is that to the best of their knowledge, their data has never been compromised. There's no guarantee that some disgruntled ex-employee didn't walk off with a copy of the database. But perhaps Turbine regards that as too obvious to need restating.

[MrsAngelD]

So Now turbine has instituted a Paid undelete character service(http://forums.lotro.com/showthread.p...e-Paid-Service!), but yet somehow they can't restore hacked accounts???? How in the world does that makes any sense to anybody????