Guild Wars Wars: NCSoft’s Security Scandal

By Alec Meer on January 4th, 2010 at 11:00 pm.

Tip-tap-tippy-tap-tap-tap. That’s me treading carefully so I don’t wake the vicious, slumbering Litigation Beast. Not that it’d necessarily wake up anyway, but some people have accused NCSoft’s response to a recent security scandal (related to MMO player accounts) of having a slight whiff of porky-pie about it. As those accusations aren’t proven, I’m wearing my Ballerina Shoes of +4 vs dangerous sweeping statements.

These are the key facts to this story: 1) There’s been a sudden, large spate of apparently hacked Aion, Guild Wars, City of Heroes et al accounts. 2) There’ve been reports of an apparent security hole in the NCsoft master account (an umbrella login for multiple NCsoft games), which has caused some players to find they’d somehow logged in as other players. Could these two things possibly be related? NCsoft says no. Hmm. Where’s Poirot when you need him?

Back on New Year’s Day, one of their community managers popped up with this:

The account hacks are not likely related to the NCsoft Master Account security concerns. Roughly half of the hacked accounts do NOT have an NCsoft Master Account, and very few account thefts involved a password change at all. The hacker(s) knew the account credentials, and they did not access the hacked accounts through NCsoft Master Accounts. The hackers had a list of passwords, which they used to steal accounts.

So what’s the source of these hacks/stolen passwords, if it’s not the rumoured master account loophole? Some players are convinced it’s a matter of yer everyday phishing and keylogging scams/hacks being lumped in with this particular dangerous foul-up. They also point out that it’s a bit odd NCsoft have now stepped in and tightened the security on the master account page if it’s not related to this flood of compromised accounts. Though, frankly, it’s the sensible thing to do regardless.

So who’s right? Who knows? Wherever the blame may lie, it’s an unfortunate thing to happen during the Season Of Holiday – both for players finding their games were all messed up and for the poor NCSoft staffers who had to come sort it out while they were supposed to be doing the mistletoe and wine thing.

Anyway – change yo’ damn password, foo’. That’s the really important thing.


51 Comments »

  1. Jacques says:

    Me voici.

  2. John Walker says:

    I’m not convinced tap dancing is the ideal way to stay quiet.

    • manveruppd says:

      It’s all right, he’s got ballerina slippers on, so it’ll be quiet unless he’s humming along to the music.

      on topic: just logged into GW just to change my password and they seem to have already put some extra security in place:
      [from guildwars.com]
      Q: Why is ArenaNet changing the log-in process?

      A: As an additional security measure to protect your account, you will now have to provide the name of a character on your account in order to log in to Guild Wars.

      I had my GW account hacked a month or so ago (so probably too long to be related to recent hacks) and my NCsoft account had definitely not been compromised.

  3. Matt W says:

    I’d argue that it’s fairly unlikely that a company of any significant size is going to issue a barefaced lie about this sort of thing, doubly unlikely that they’re going to supply the sort of details mentioned in the above quote if they were to attempt such shenanigans, and triply unlikely that if they were going to engage in shenanigans and then fabricate details, they’d supply at least one factoid that players have a decent chance at disproving were it false (namely, the assertion that a large minority/small majority of affected accounts have no Master Account attached).

  4. postmanX3 says:

    Well, I guess I’d better go check up on my Guild Wars account, then.

  5. Sagan says:

    I don’t know what a master account is, but in general when there is a case of stolen passwords, it’s not the company’s fault. Because the company doesn’t have your password. They only have the so-called hash of your password, from which it is pretty much impossible to retrieve the password.

    So if, for example, someone hacked RPS and looked at their user-table, they wouldn’t see our passwords next to our user-names, but a string of seemingly random numbers and letters. So not even the RPS-guys can see which password you use to login. (at least if their website is programmed according to security-standards) And the guys at NCsoft can’t see either which password their customers use, so it should be impossible that they leaked them.

    That being said I don’t know what a master account is, so maybe there is some possibility for a security leak in there. But very very likely it’s not NCsoft’s fault.

    • manveruppd says:

      You can’t log into the game with your master account (in fact they force you to choose a different sign-in name for each individual game account than your ncsoft login name) but you can reset the passwords of individual game accounts and change the email addies associated with them.

    • Funky Badger says:

      That would be assuming they don’t store the passwords as plain text in the database.

      And we know no one would ever do that, right? Right?

      Umm…

    • Chris says:

      Basically the way Hash’d passwords are stolen is very similar to the way normal accounts are stolen. If you know the sort of ‘salt’ (or random jargon that is added to passwords for greater security during login) you can then create a library of normal words and combinations of words + the salt and then brute force away like a happy little puppy.

    • Blather Blob says:

      It would be nice if that were true more often than it really is. Even banks have been known to store plaintext (or encrypted, but that’s the same thing) passwords, and it seems like a major Web 2.0 web site announces a data breach, including plain text passwords, every other month.

      I wouldn’t be surprised to learn that that NCSoft site isn’t storing hashes. I mean, they’ve only just now realized that requiring a user to reauthenticate with the old password as part of changing to a new password is maybe a good idea…

      People who don’t use a unique password for every website/account really should. I use a password manager + password generator, but there are bookmarklets available which generate unique passwords based on the website address + a master password, though I don’t know what you do then if you need to change the password after a data breach.

    • Chris says:

      n.b. converting those words + the salt into whichever hash encryption they use.

      i.e. 112??!dog in MD5 is always..

      cbbfafbc7ef8e6fe681b17058b944909

      so can be reverse engineered if you know the ’1122??!’ salt combined with a dictionary of words all converted to MD5 hash

    • Sagan says:

      Alright maybe I should have read a little bit before commenting. Now having read what the guy on the forum says, I think it’s an entirely different situation.

      If you can accidentally log in to another person’s master account, then there is probably something very wrong. And everything I said about what should and shouldn’t be possible probably doesn’t apply when something that grave can happen. I tend to believe the people on those forums who claim that a hacker changed their password, even though the hacker couldn’t have known the old password. And once you have done that, the account is pretty much yours.

    • Blather Blob says:

      @Chris: Salting is used to prevent attackers from using Rainbow Tables (pre-computed lists of plain-text hashes). The idea is that each user has a different salt, and so any precomputed rainbow table would have to be custom made just for that user, effectively making it no better than a non-pre-computed brute-force attack. And without pre-computation for a brute-force attack not only do you have to run through a large word list, combinations of multiple words from that large word list, variations of numbers and letters resembling words from the large word list, and combinations of numbers and letters resembling words from the large word list, but you have to start over from scratch for each user.

      Obviously with software able to make 350 million guesses per second, MD5 is easy to brute-force. But that’s why everybody’s been told to avoid MD5 for the last decade. When something more suitable is used, the idea is to make it take longer (or require more expensive hardware) to make a guess to the point where it’s no longer worth the time. After all, the attacker isn’t looking for your password, they’re looking for as many passwords as possible.

      But all these concerns go away if you always use a unique 20 random characters password for each site (like my password manager does), or a hash of the domain name and some master password (like the bookmarklets do) which might as well be random characters to any attacker. No brute-force attack is capable of trying every combination of random characters, not in any reasonable time frame.

    • Xugu Madison says:

      Password hashes are painfully hard to get right, alas. You really want to be using SHA-256 for your hashing algorithm, to start with. Not SHA-1 (which isn’t quite broken yet, but it’s considered a mere matter of time), and certainly not MD5 (which is relatively easy to find collisions for now). Then, to avoid the problem of pre-calculated tables you want to add a per-account salt (a few random characters that go on the end of the password before it’s hashed) – a lot of places get that wrong.

    • kromagg says:

      @xugu: you really want to be using bcrypt, which was designed specifically as a password hashing algorithm.

      SHA-256 is okay, but it’s meant to be a fast hash, not a good property for a password hashing algorithm to have.
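The password-storage thread above (an unsalted fast hash broken by one precomputed table, per-user salts forcing the attacker to start over for every user, kromagg's point that a fast hash is the wrong tool, and Blather Blob's point about re-authenticating before a password change) worked through in Python. This is an added example, not code from the original post or from NCsoft/ArenaNet. It uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt so that it runs without extra packages; the usernames, passwords and wordlist are constructed for the demo and the iteration count is kept low for that reason.

```python
import hashlib
import hmac
import os

# Constructed demo data (not real credentials): three users, two sharing a password,
# and a toy wordlist standing in for a cracker's dictionary.
SAMPLE_USERS = {"alice": "dragon123", "bob": "dragon123", "carol": "Tr0ub4dor&3"}
WORDLIST = ["password", "dragon123", "letmein", "qwerty"]
ITERATIONS = 50_000  # deliberately low for the demo; tune upward on real hardware


def naive_md5(password: str) -> str:
    """The scheme the thread warns about: one fast, unsalted hash per password."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted(stored: dict, wordlist) -> dict:
    """Against unsalted hashes one table MD5(word) -> word breaks every user at once,
    and alice and bob sharing a hash leaks that they share a password."""
    table = {naive_md5(word): word for word in wordlist}
    return {user: table[digest] for user, digest in stored.items() if digest in table}


def kdf(password: str, salt: bytes, iterations: int) -> bytes:
    """Slow, salted derivation; PBKDF2-HMAC-SHA256 stands in for bcrypt here."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_record(password: str, iterations: int = ITERATIONS) -> dict:
    """Store a fresh random per-user salt next to the derived key and the cost parameter."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations, "hash": kdf(password, salt, iterations)}


def verify(record: dict, password: str) -> bool:
    """Constant-time comparison so the check does not leak how many bytes matched."""
    candidate = kdf(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def crack_salted(records: dict, wordlist):
    """With per-user salts nothing can be precomputed: every (user, word) pair costs
    a full KDF run. Returns the recovered passwords and the number of KDF calls spent."""
    found, calls = {}, 0
    for user, record in records.items():
        for word in wordlist:
            calls += 1
            if verify(record, word):
                found[user] = word
                break
    return found, calls


def change_password(record: dict, old_password: str, new_password: str) -> dict:
    """Require the current password before accepting a new one, so a hijacked
    session or a leaked reset page alone is not enough to take the account."""
    if not verify(record, old_password):
        raise PermissionError("current password does not match")
    return make_record(new_password)


if __name__ == "__main__":
    unsalted = {user: naive_md5(pw) for user, pw in SAMPLE_USERS.items()}
    print("unsalted MD5 cracked:", crack_unsalted(unsalted, WORDLIST))
    salted = {user: make_record(pw) for user, pw in SAMPLE_USERS.items()}
    print("alice and bob share a hash?", salted["alice"]["hash"] == salted["bob"]["hash"])
    print("salted cracked (passwords, KDF calls):", crack_salted(salted, WORDLIST))
```

The salted cracker still recovers the two dictionary passwords, which is the point Blather Blob makes at the end: a slow KDF buys time per guess, but only an unguessable, per-site password takes the account out of reach. Note also that the stored record carries its own iteration count, so the cost can be raised later without invalidating existing users.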

  6. Theyos says:

    Just use the “Have I Got News For You” patented method of adding ‘allegedly’ to the end of every sentence. Voila! No legal troubles.

    • Rei Onryou says:

      That’s the “Ian Hislop” patented method. He should know. He is the most sued man in English history. Allegedly. ;)

  7. Leelad says:

    <3 My iPhone authenticator for my WoW account.

    A company who runs multiple MMOs hasn't implemented a similar system, why?

    • Psychopomp says:

      Fuck if I know. Despite all the shit that’s wrong with Playonline, even Squeenix has authenticators available now.

    • Gunrun says:

      I like how people think it's crazy that I have an authenticator on my account, because it's just a game. It's like people fail to realise that because of addons and things even if my account were empty that's still like £100 worth of game account there due to time on the account and the addons, plus the amount of time I (and lots of people) have put into the game means the characters have had lots of time put into them. It's like wondering why you'd leave a matchstick model out in a children's playground when it's just matchsticks. Except more so.

    • manveruppd says:

      @Leelad Cause the iPhone didn’t sell in Asia? What exactly does your authenticator do? Do you get a text message whenever someone logs into your WoW account or something?

    • Xugu Madison says:

      I’m actually tempted to make a generic authenticator toolkit for MMOs. There are similar things out there already from RSA but they’re intended for far more security-critical applications; I believe the authentication tokens cost something like $100-200 each, and are designed to be all but impossible to extract data from (the chips will shatter if you try merely forcing the case open, for example)…

    • Primar says:

      @ manveruppd:

      It’s similar to the little keyfob things you often get with banks or corporate VPNs – you press a button, it generates a number that is valid for the next 10 seconds or so. Type this number in when you log in, the server will check that the number’s correct, then it’ll allow/deny access.

      It’s simply two-stage authentication, so that even if someone should get your username/password, they can’t do anything without physical access to the little dongle. Or vice versa, should the dongle get lost or stolen, whoever has it shouldn’t have your username/password, so it can’t be used to log in.

      From what I remember, I don’t think there was/is a single authenticated WoW account that was compromised since they released them. If they’re used properly, the only way to break their security is to sit between the user and the server, steal their login data when they click the Send button (including the authenticator number), then use that to log in yourself.

  8. Vinraith says:

    I fell victim to this spate of attacks, and it most certainly WAS the NCsoft Master Account that allowed it.

    I got an email about a month ago stating that my Guild Wars password had been changed successfully through said account. I was, not having made any such change, somewhat unpleasantly surprised by this. Mind you, while I was once an avid player, I hadn’t touched my Guild Wars or NCsoft accounts in better than a year at this point. I tried to log in to Guild Wars and found the account password had, indeed, been changed. I tried to log in to my NCsoft account, from which password changes are made, and found that its password had been changed and its security questions altered. For the record, both my master account and GW account had strong passwords, and both were different than any password used elsewhere.

    I made an inquiry to support about this password change within half an hour of it happening.

    24 hours later I received a note from support that my ticket was being “escalated.”

    And then I heard nothing for 5 days. Five. Days. I wrote an inquiry as to the status of the ticket during that time, no response. I wrote a more strongly worded inquiry. No response.

    Finally I wrote, well, let’s call it a very strongly worded request for support. This, finally, got a reaction: a request to verify that I owned the account. Fine, whatever, I sent my credentials through (carefully verifying this WAS support, the way they asked for it almost looked like a phishing scam). 24 hours after THAT I finally got access back to my account. Needless to say it had been stripped clean of anything salable, and GW has a “no rollbacks” policy so that’s the end of that.

    The sad reality is that my hacking, and from what I’ve read that of many others, was easily preventable with even rudimentary security measures. Why is it even possible to change an account password from the NCsoft account without any kind of verification? Send an email, check the IP, do SOMETHING. I mean, in my case the issuing IP for the password change was Chinese, how cliche can you get?

    But what really sticks in my craw is NCsoft’s continual denial that the master account has anything to do with this, despite the GW forums being flooded with people whose password has been changed from their NCsoft account without their knowledge or consent. I really don’t see what point there could be in buying GW2 if this issue isn’t addressed, and addressed well. As it is there’s little enough point investing myself in Guild Wars again, as it’s obvious anything I do simply becomes a few more cents for Chinese gold sellers.

    • Wulf says:

      @Vinraith

      I feel for you, it’s horrible to have something like that happen.

      I thankfully made it through this Winter’s Lag with my account intact, but I wouldn’t be surprised in all honesty if what happened to you wasn’t NCsoft’s fault. I have huge amounts of love for ArenaNet, and I know that they’re a fantastic developer, but I can’t help but wish that somehow they could go independent. It’s like wishing for the moon, I know, but still…

      It’s a cruel fate being tied with a company like NCsoft, and I know NCsoft is a horrible company for some of the stunts they pulled with City of Heroes. And they have that annoying Profit > Everything attitude that most large companies do, but when it comes to MMOs that attitude is especially hazardous. It can kill games.

      I’ll be getting Guild Wars 2 because I love everything ArenaNet does, but I seethe that any of that money has to go to NCsoft, which has always been a mess of a company.

    • Kadayi says:

      Given the scale of things it’s abundantly clear that they’ve been compromised in some manner (I’d guess a disgruntled former employee was probably involved as they’d undoubtedly have a good awareness of the security systems if nothing more than to plant the seed in someone else’s head) and that the developers should probably make good with, if not a rollback then at least some form of temporary ingame compensation for players (limited period for claim, X amount of Gold per level of character affected sort of thing) impacted by this situation as a gesture of good faith to their customers. Sure they might not be able to restore your character, but they can at least make the road back to where you were a little easier. I wouldn’t have thought it’s any skin off their nose to instigate such a policy for a temporary period.

    • aldo says:

      I’ve had a similar experience (also not having played for a year+ – I wonder if they’re trawling the player databases for inactive accounts which thus might be taken with less notice), with someone using my account to ask for an account name reminder for Guild Wars.

      It’d be nice if the support person who answered the question “Game Update I forgot the names of characters that did not played for a long time please help me” from liu wei had used their brain – for one thing I have a UK email address (sort of entails basic English understanding), for another my actual name is on the email (and it’s not liu wei).

      I was lucky in the sense that my email address wasn’t changed (although now I have to worry about other usages of that email address, whether just for spam lists or use in brute force attacks on other places), so I got the support request before any password change could be made.

    • Carra says:

      I hadn’t played WoW in half a year but found out my account was hacked a month ago. It sucks.

      But Blizzard has a policy of “our employees will never, ever ask your credentials”. A company asking for your password sounds like amateurism.

    • manveruppd says:

      @Vinraith: I was also a lapsed player when my account was hacked, but I received an email notification that my password was changed immediately! I’m surprised you didn’t! I was able to log into my master account and change the password from what the hackers had changed it to immediately. It took me a couple days more to get access to it back, but that was only because it had been flagged and locked by ANet and I had to go through their support.

      @Aldo Your story is quite scary! It made me log into my NCsoft account and change all its login info! It’s idiotic that they’d reveal information like that! Was this after they introduced the “character name” thing as additional account verification at login?

    • aldo_14 says:

      “Your story is quite scary! It made me log into my NCsoft account and change all its login info! It’s idiotic that they’d reveal information like that! Was this after they introduced the “character name” thing as additional account verification at login?”

      This was before the character name thing was added… fortunately my email address is different to Guild Wars, otherwise whoever hacked my GW account would have thus been able to access my email and completely screw me.

      Incidentally – about 2 weeks after the initial problem – I have now received this seemingly legit reply;

      “Hello,

      Thank you for updating us on this issue. It does appear that someone has set up a support account in your name, using your email address. I am going to transfer your ticket to have the password changed on the support account to secure it.

      Please call in so that we can set you up with a new password for the support account. It is important that you call in for this process so that the individual who set up the support account will not have access to the new information. When you call, you can reference this ticket number (snippity-snip).

      Our phone support is available Monday through Friday from noon to 5 P.M. Central Time (North America) for Billing and Technical issues only. We can be contacted at the following number: (512) 225-6359. Please let me know if you have any further questions.

      Regards,
      GM Roland”

      Interestingly, it fails to mention that they also had my password (otherwise I wouldn’t have already been able to log into said account), almost as if they’d managed to grab it along with my email off of some NCSoft database.

      To be honest, I can’t be arsed calling some US-time phone number for a game which I haven’t played for a year… the damage was done when someone got my password and email address. Phoning in to change it is not only closing the stable door after the horse has bolted, it’s closing the stable door after the horse has bolted, grabbed a tank of gasoline and 3 matches, burned down the house and kidnapped the farmers wife to be sold in Polithuanialovenakialand to seedy American businessmen.

  9. unacomn says:

    Oh man, I hope they don’t hack my Tabula Rasa account.

  10. Tei says:

    Rumours are that AION has become a toxic waste swamp of bots. So if crackers are breaking in to create more bot accounts, there’s only one to blame: NCSoft, for its lack of an anti-bot policy. Implementing a quick way to denounce bots, and having game masters dedicated to banning those accounts, would have helped here.

  11. Matt says:

    I’ve heard from GW forums that the problem really is the NCSoft master accounts. Apparently, I’m lucky for only having a GW account, and never agreeing to integrate my GW account with a master NCSoft account (they want me to do this so that I’ll be eligible to buy stuff in their online store).

    • Wulf says:

      Having done some research myself around the Guru and Incgamer forums, it would appear that you’re right. No one reporting to have only a Guild Wars account got hacked, and the people who did get hacked had tied their Guild Wars account into their NCsoft Master Account.

      So the problem here seems to be the NCsoft site, therefore it has nothing to do with Guild Wars or any of the games themselves, or the accounts of those games, so the name of the article and the screenshot seem to be somewhat disingenuous, and Alec’s ballerina shoes appear to be made of industrial-grade iron.

  12. wcaypahwat says:

    I was thinking of starting to play again… But it’s been so long I dont remember the names of any of my characters.

  13. seras says:

    My guild has gotten a few player’s account hijacked (I think we’re up to 7 Alliance-wide) including our guild leader, whose account was jacked 3 times!! the last happening a mere 2 hours after getting control of her account back with a fresh password.

    luckily they only took items and gold, which points heavily to gold farmers. Had they wanted to be complete douchebags they could’ve disbanded our guild or deleted ppl’s characters. Losing all my items, I wouldn’t care so much…losing 3 years of title and accomplishments would devastate me and probably mean the end of the game for me.

  14. manveruppd says:

    OK, when I went in to change my NCsoft account password after reading Aldo’s story I stumbled on some new information: NCsoft seem to have changed their authentication systems. I don’t know when, but it can’t be coincidental.

    My current NCsoft account password is 15 characters long. When I tried to change it, it asked that the new password be 8-13 characters long. Obviously, when I set up that NCsoft account they must’ve been using a different authentication system, or it wouldn’t have allowed me to put that password in. I’m not sure when the system changed over, and I don’t know enough about online security to understand how it can be possible for me to still be using a 15-letter long password to log in if their authentication servers can only handle 13-character long passwords.

    When I changed my GW account password yesterday in response to this story, it also asked me for 8-13 letters long. The password I changed it from was already in the new system, however, since my account had been hacked a month back and I had to pick a new one then.

    Somebody should ask them when exactly they changed over their login systems, and whether whatever snafu might have occurred could be related to that.

    I haven’t changed my NCsoft password, and I’m reluctant to do so until someone is able to tell us whether the problem is likely to be with the new system or with the old one.

  15. Red Avatar says:

    I just sent NC Soft a very angry email. I just tried to log in on Guild Wars – first time in over a year – and I was expected to enter the name of one of my characters! Oh fun, I made that character FIVE BLOODY YEARS AGO and they expect me to remember! On top of that, all my usual handles were taken at the time so I ended with something vaguely similar to one of my common names but god knows what it actually was. I got locked out trying different variations I may have used since it’s been FIVE BLOODY YEARS. Good going NCSoft! Lock out people from rightfully using their own account, you pin heads!

    • seras says:

      @Red Avatar: that’s an impressive feat considering the game was released 4 years ago :P

    • CJohnson03 says:

      check your screenshots folder, maybe you screen captured something with a character name in it?

    • Red Avatar says:

      @seras Try again ;) it was released in April 2005 and we’re 2010 now. I had the game on pre-order so it’s 4 years and 8 months. That’s close enough to 5 years for me, don’t you think?

    • Red Avatar says:

      @CJohnson03 I only played the game until I got to level 20 which took a few weeks. I rarely take screenshots so have none to show for during that short period. Ironically, I’ve bought ALL expansions yet never got around to playing them. Why I bought them? I bought the collector’s editions for £10 each :P.

    • seras says:

      fair enough on the approximation.

      but why are you “very angry” if you barely ever played the game at all? you didn’t lose anything you cared about it seems.

  16. jalf says:

    Why do companies insist on storing user account info themselves? Especially when solutions exist that let them outsource all the security headaches to professionals **for free**? They’re just asking for trouble such as this.

    Let me know when they make it possible to log in with OpenID, will you?

  17. Kirrus says:

    @jalf
    1) NCSoft started before OpenID was created / became more popular
    2) It’s a pain in the neck to get working
    3) It’s easier (and therefore cheaper) just to dump your own registration data into your own MySQL database.

    • jalf says:

      1) NCSoft started before OpenID was created / became more popular

      But there’s no reason why they couldn’t switch to it today.

      2) It’s a pain in the neck to get working

      Securely storing users passwords is a pain in the neck to do correctly as well, as NCSoft just found out. But the stakes are a lot higher. Your users can forgive you if they’re just unable to log in because your OpenID integration is wonky. But they get pissed if their accounts get hacked because you failed at security.

      3) It’s easier (and therefore cheaper) just to dump your own registration data into your own MySQL database.

      Is it? Even including debacles such as this?

      Blindly dumping sensitive data into a MySQL db is easy enough.
      Doing it securely, providing support, letting users recover lost passwords, backing up the database, verifying that you’re able to *restore* said backups, handling and recovering from the security issues such as this that occurred because you took the “easy” route all adds up. It’s only “easy” and “cheap” if you ignore all the security. And then it’s only cheap until one day it isn’t. Which is what just happened for them. ;)

      OpenID isn’t rocket science. And it nicely sidesteps these issues by making sure that the company running the game never gets access to customers login information in the first place, so 1) they can’t screw it up, and 2) they can’t be blamed if a user’s OpenID provider screws up.

  18. Janice Gaines says:

    Anyone else here reading “I.T. WARS”? I had to read parts of this book as part of my employee orientation at a new job. The book talks about a whole new culture as being necessary – an eCulture – for a true understanding of security, being that most identity/data breaches are due to simple human errors. It has a great chapter on security. Just Google “IT WARS” – check out a couple links down and read the interview with the author David Scott. (Full title is “I.T. WARS: Managing the Business-Technology Weave in the New Millennium”).

  19. Lafinass says:

    Hey look, I can’t log into my master account and password resets aren’t being mailed to my email of record. Gee, wonder what that means.

  20. Billy says:

    I’m pretty sure it’s a NCSoft glitch since I lost access to my ncSoft account but my WoW and FFXI accounts are fine. If it would have been a keylogger, etc I wouldn’t have access to anything since I don’t use authenticators yet..

  21. Adrie says:

    I’m with Red Avatar. I haven’t touched my Guild Wars account in about a year or two years. So far I’m only able to remember one name from my character and couldn’t remember the last name for it.
    Already sent them an email about it since that’s the only damn way to find out your character’s name, it seems.

    Waiting for their response still.

    For them to do this is really a damn pain for maybe a certain population of Guild Wars’ players. Assuming most of them are kids, they would have to request help for retrieving their character names if they forgot it from the GW support team. This would require them to send personal information about themselves which their parents would probably not like. Causing them to lose a game and might be forced to buy a new one.

    They really took one hell of a step to prevent these hackers from getting in. Too bad it also affects players who ACTUALLY OWN the account. Especially if they can’t remember their character’s names after years of absence.

  22. Ronnie2010 says:

    My main account in Guild Wars got banned a few months ago.
    They say I used a bot but I didn’t do anything.
    And they’re not doing anything about it; it’s closed and final, they say.

    I feel robbed of the 5k hours I spent on it and the money I spent on the game.
    That they can just ban you like that really pisses me off, and don’t expect support
    from NCsoft; they suck.
    I will never touch an NCsoft game again after this. Good job, NCsoft.

    Greetings, Ron