Hacked, Survived: Rift

Here’s a 2011 trend I’d hoped had wound down by now: the hacking of games, game services and game websites. Seems Trion Worlds, makers of Rift, suffered an incursion lately, with hackers finding their way into a database containing “user names, encrypted passwords, dates of birth, email addresses, billing addresses, and the first and last four digits and expiration dates of customer credit cards.” Aieee!

However, Trion have declared that “There is no evidence, and we have no reason to believe, that full credit card information was accessed or compromised in any way.” Phew?

Nasty business, but hopefully not too much ill will come of it. Despite this drama, Trion have kept Rift running rather than shut it down in a panic, and seem confident that they’ve closed off the exploited security hole. However, all users are required to change their passwords and security questions.

As apology for the anxiety and inconvenience, all Rift players are getting three days of free play time and a hoojum called the Moneybags’ Purse, which gives you a 10% bonus of money-looting.

Full statement and advice on how to check no-one’s nicked your identity here.


  1. Chalky says:

    It would be slightly more reassuring if my billing address and credit card details were also encrypted, Triton. Didn’t think that would be a good idea?

    Sure, they’ve not compromised full credit card information, but they still have my address and enough credit card information to pretend to be me over the phone!

    I’m not personally all that upset since I never subscribed to Rift beyond my free 30 days so they never had my credit card details in the first place, but if they had I’d be pretty furious. There really isn’t any excuse for storing stuff like that in plain text in their database.

    Also, I sincerely hope they mean “hashed passwords” rather than encrypted passwords in their email.

    • jrodman says:

It doesn’t do much good to ‘encrypt’ data like billing addresses, emails, and so on, because this database is the system that has to perform the retrieval of that data, and so would be able to transparently decrypt that data for anyone asking in the right way. Encryption of data on a live system is only really useful for people doing end-runs around that system (say.. asking the disk system, or looking at backup tapes).

The reason that passwords are ‘encrypted’, is because they don’t have to be retrieved. They’re actually hashed (not encrypted), so the original password is not known at all to the storing system, it is just that if the password is provided again later, it can be hashed again and subsequently compared without ever storing the original. There’s still some crypto tech involved, since strong hashes are the basis of many crypto techniques, and salts are useful to avoid exposing facts like that 10% of your users actually have the same password too easily.

As for the credit card data, one wonders if they have to retain that data at all. You’d think there would be specialty shops that can handle that sort of retention and use via opaque tokens, but that really just kicks the can down the road a bit to that other company. Really the whole credit card system is out of date for the way we currently use it, but it’s in the financial interest of those in the best position to fix it to not do so…
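The distinction jrodman draws above, hashing passwords with a per-user salt rather than storing anything recoverable, and keeping only a processor token plus the displayable fragment of the card, as an added worked example in Python. This is not Trion’s code or anything from the original post; the account schema, the PBKDF2 work factor and the processor-token format are assumptions, and the in-memory dict stands in for the database table.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

# Constructed stand-in for the accounts table (assumed schema; example code only).
ACCOUNTS = {}

PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune to your hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). The plaintext is never stored. A fresh random salt
    per user means two users who chose the same password get different digests,
    so a table dump does not reveal that they share one."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-hash the offered password with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def mask_pan(pan: str) -> str:
    """Keep only what the account page needs to show ('which card is on file'):
    the first four and last four digits, with everything between replaced."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 12:
        raise ValueError("not a plausible card number")
    return digits[:4] + "*" * (len(digits) - 8) + digits[-4:]


def create_account(username: str, password: str, pan: str, expiry: str) -> dict:
    """Store the salted digest and the masked PAN only. The full PAN would go to
    a payment processor in exchange for an opaque token; here the processor is
    simulated with a random token (hypothetical 'tok_' format)."""
    salt, digest = hash_password(password)
    processor_token = "tok_" + secrets.token_hex(8)
    ACCOUNTS[username] = {
        "salt": salt,
        "pw_digest": digest,
        "card_display": mask_pan(pan),
        "card_expiry": expiry,
        "card_token": processor_token,
    }
    return ACCOUNTS[username]


def login(username: str, password: str) -> bool:
    rec = ACCOUNTS.get(username)
    if rec is None:
        # Spend a hash anyway so an unknown username costs the same as a wrong password.
        hash_password(password, b"\x00" * 16)
        return False
    return verify_password(password, rec["salt"], rec["pw_digest"])


def dump_leaks_plaintext(pan: str, password: str) -> bool:
    """What an attacker who copies the whole table sees: is the full card
    number or the password anywhere in it?"""
    blob = repr(ACCOUNTS)
    return pan in blob or password in blob


if __name__ == "__main__":
    create_account("alice", "hunter2", "4111 1111 1111 1111", "12/14")
    create_account("bob", "hunter2", "5500 0000 0000 0004", "01/15")
    print("alice logs in:", login("alice", "hunter2"))
    print("same password, different digests:",
          ACCOUNTS["alice"]["pw_digest"] != ACCOUNTS["bob"]["pw_digest"])
    print("dump leaks plaintext:", dump_leaks_plaintext("4111111111111111", "hunter2"))
```

The only card fields that survive in the table are the masked number, the expiry and the token, which is roughly the set Trion say was in the compromised database; the difference is that nothing recoverable to a full card number or a password is there, and the processor token is useless outside the processor’s own API.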

    • jrodman says:

      Oh, I guess there is the fair point:
      What about cancelled customers. Can’t we expect companies to drop credit data on cancellation?
      At the very least there should be an explicit “do not retain” setting.

    • KikiJiki says:

      Given that they seem to store the first four digits of the credit card, information they freely disclosed in their email, I wonder whether they’re PCI compliant or not. You have to be PCI compliant to be allowed to process credit card transactions in the UK, and it’s a process designed to make sure you process the transactions securely and hold the bare minimum of data in your databases.

    • James G says:

Well I think the bits of credit card data that were compromised were solely for displaying to the user to let them know which card was currently registered to their account. The actual billing details were presumably stored elsewhere, either on a different internal server, or with an external body.

      You are right though, I don’t know why the whole of internet credit/debit card usage doesn’t work on a tokens basis. Given we already have stuff like ‘verified by Visa’ there wouldn’t even need to be a major change in the experience of the end user.

    • Chalky says:

      @jrodman – there’s no reason the database couldn’t store and return the data as encrypted strings and have the system that lies on top of that do the decryption and encryption.

      It is just as simple to retrieve a string that happens to contain encrypted data as it is to retrieve a plain text string. There is no database issue here, and the performance impact of such rarely accessed information should be negligible. I’ve designed systems like this before and I assure you it is possible! :)

The only time this would be a problem is if you were wanting to perform queries on the data itself, such as returning a list of all accounts whose last 4 digits contain a number 8. This is not something you would ever do with this information. You just need to retrieve the encrypted string for the current account for display when the user visits the appropriate page, decrypt it and stick it in the output.

      Same with the billing address too. You’re not going to query the database for a list of all users from London, you’re just going to retrieve the address for the current user when it is required by the system, so it can be decrypted there.

Although you could still decrypt the data if you had access to the source code of the site, the chances of someone getting access to the database AND the source code of the site is significantly lower than a simple SQL injection flaw giving them run of the data alone.

I presume this hack was, as usual, an SQL injection of some form. If that is the case, encrypted data would be safe.

    • jrodman says:

      Chalky: sure, you could store encrypted bytes in a database, but then you’re defeating the point of using a database to store information, which is to centralize the management issues. And now you have two places where you have to consider control access instead of one.

Maybe it’s defense in depth, but realistically it’s just another thing to go wrong.

      Better defense in depth is:

      – retain less
      – retain less in accessible locations
      – retain data for shorter time periods
      – allow users to clear out their data
      – be vigilant about controlling access to your sensitive data
      – don’t allow too many paths to the data
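Chalky’s design from the exchange above, billing fields stored as ciphertext with the key held by the application rather than the database, written out as an added example in Python against an in-memory SQLite table. It is not code from the page or from Trion, and the table layout and field names are assumed. To stay standard-library only it uses an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag as a stand-in for a real AEAD; in practice you would use AES-GCM from a vetted library.

```python
import hashlib
import hmac
import os
import sqlite3
import struct
from typing import List, Optional

# The key lives with the application (environment, KMS, HSM), never in a table.
# Constructed here for the example; not a real deployment key.
APP_KEY = os.urandom(32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF-based stream cipher. Stand-in for AES
    so the example runs offline; use AES-GCM from a real library in production."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_field(key: bytes, plaintext: str) -> bytes:
    """Blob layout: nonce(16) || ciphertext || tag(32), encrypt-then-MAC."""
    nonce = os.urandom(16)
    pt = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_field(key: bytes, blob: bytes) -> str:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered record")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return pt.decode()


def open_store() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE billing (user TEXT PRIMARY KEY, address BLOB, card_display BLOB)")
    return db


def save_billing(db: sqlite3.Connection, key: bytes, user: str, address: str, card_display: str) -> None:
    # Parameterised statement: values never become SQL text.
    db.execute("INSERT INTO billing VALUES (?, ?, ?)",
               (user, encrypt_field(key, address), encrypt_field(key, card_display)))


def load_billing(db: sqlite3.Connection, key: bytes, user: str) -> Optional[dict]:
    # The database only ever returns ciphertext; decryption happens here, in the app.
    row = db.execute("SELECT address, card_display FROM billing WHERE user = ?", (user,)).fetchone()
    if row is None:
        return None
    return {"address": decrypt_field(key, row[0]), "card_display": decrypt_field(key, row[1])}


def attacker_dump(db: sqlite3.Connection) -> List[tuple]:
    """What a read of the whole table (the SQL injection case) yields without the app key."""
    return db.execute("SELECT user, address, card_display FROM billing").fetchall()


def dump_contains(db: sqlite3.Connection, needle: str) -> bool:
    return any(needle.encode() in col for row in attacker_dump(db) for col in row[1:])


def wrong_key_rejected(db: sqlite3.Connection) -> bool:
    """Decrypting a dumped blob with a guessed key must fail the tag check."""
    try:
        decrypt_field(os.urandom(32), attacker_dump(db)[0][1])
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    store = open_store()
    save_billing(store, APP_KEY, "alice", "1 Example Street, London", "4111********1111")
    print("app view:", load_billing(store, APP_KEY, "alice"))
    print("dump shows 'London':", dump_contains(store, "London"))
    print("wrong key rejected:", wrong_key_rejected(store))
```

An attacker who can only read the table gets nonces, ciphertext and tags, nothing recognisable, and a guessed key fails the tag check rather than producing garbage. jrodman’s caveat still applies: whoever compromises the application host, where the key lives, can call load_billing exactly as the site does, so the key and its access path become a second thing that has to be controlled, on top of the database itself.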

  2. Viserion says:

    I got the email earlier. They have my info from a game I never played. I guess I should know better. Thankfully I never registered a credit card.

  3. jalf says:

    RPS twitter account:

    *Hopefully* the last victim of hacking in 2011: Rift

    Could we please stop calling them “victims”?

    The victims of hacking are the players whose personal information was stolen.

    The game companies who got hacked in 2011 were not victims, they were incompetent. If you want to run a business where you store people’s personal information, passwords and credit card information, then you have to take security seriously. Sadly, the games industry does not understand that.

    They’re not victims. They’re just negligent and irresponsible (which, you could argue, adds up to complicity, if anything. If you collect thousands and thousands of customers’ personal information, and fail to protect it, then you’re doing hackers, not your customers, a service).

    I don’t know about anyone else, but 2011 was the year I got fed up with the games industry’s attitude towards hacking and security, and their obsession with collecting unnecessary information from customers, which they then fail to keep safe.

    • Lobotomist says:

      I fear the truth is much more complicated.

      There is obviously a vulnerability well known to certain hacker groups. And something most companies can do nothing about.

I mean, if they hacked Steam. After there was previous attempt. And there was a warning.
      If they managed to do that. I doubt anything connected to internet is really safe.

Which in fact makes me really really worried about my money, and in fact the future of internet subscriptions in general….

    • jalf says:

      Seriously? Steam has had quite a few known security vulnerabilities from time to time. What makes you think they’re the Fort Knox of the internet?

      For the longest time (I haven’t checked if they still do it) they sent the *same* code to anyone who requested a password reset. In other words, anyone could reset anyone else’s password.

      Please. Steam is a prime example of what I mean.

      If this was some universal problem that no one can do anything about, then please explain to me why hackers would go after something like Rift, when the could go after a bank instead, or at least, a company that dealt with *serious* money.

      No, there is a lot you can do to protect against hacking, and there is a lot you can do to limit the damage if you *do* get hacked (for example by minimizing how much sensitive information you store), and the games industry is really struggling with both of these angles.

    • jrodman says:

      Well if you really want to change this story, you have to introduce liability all the way back to the software vendors, so that THEY will take security seriously as well. And that seems to be a bit of a can of worms at the moment.

    • Lobotomist says:

      Banks have real rigorous ways of connecting and doing online transactions. Often involving multiple passwords that have to be changed every month, coupled with telephone affirmation.

      Obviously online services can not afford to give so much pain to the customer.

      And as for no bank being hacked.

What about the MMF hack 6 months ago?
It’s the bank of all banks.

    • FriendlyFire says:

      I’d say the contrary. Banks have amongst the weakest security schemes I have seen, at least from the banks I’ve seen. Limited-length passwords, not recognizing certain special characters, forcing patterns into passwords and then taking substrings of said passwords as passcodes, using verification questions that can easily be answered by probing Facebook pages, etc.

      If I were to give an example of proper security, I’d point at Google. Two-factor authentication, arbitrary-length password.

    • Grygus says:

      I always find it curious when anyone other than the criminal is blamed for a crime.

      Leaving that aside, there can be no such thing as a computer system that is: (1) usable, and (2) completely secure. This is a fact of the universe in which we live. Claiming that these companies are incompetent is premature at best, and uninformed at worst.

    • jalf says:

      What are you talking about?

      So you’re saying that because you make some unfounded claim that it is impossible to design a secure and usable computer system (you might be right, but it’s certainly not a self-evident “fact”), then there’s no point in even *trying* to improve security, and no point in blaming companies whose security is needlessly lax?

      That makes no sense.

      Have you been living under a rock all year? Just look at the number of game companies that got hacked. Compare this to the number of, well, *anything* else. The games industry is a huge juicy target because they, on the whole, are either careless or incompetent when it comes to security. It may have been premature to say this a year ago, but after a year of goddamn every game getting hacked, you have the balls to call it “premature”? Yeah right, keep living in your little fairy-tale world.

      Out here, the games industry’s approach to security is a joke.

    • jrodman says:

      It’s pretty evident when you consider the phrase “completely secure” as in “unable to be breached via any means.” This of course means that it also cannot be accessed by any means, since the legitimate form of access can always be duplicated, since it can be performed in the first place.

      Thus you can see that you cannot completely secure access to a system that can be used.

      Of course, for the practical purposes of guarding billing tokens, you could really design a system that is plenty good enough….. if you could avoid your system having flaws — ways by which access that you do not intend to be allowed is allowed anyway, due to flaws in workmanship. One need only read the CERT advisories to see how many flaws we have in our software systems.

  4. Bostec says:

Not this shit again. I’m betting half of the hackers in the world know my e-mail address, where I live, half of my card numbers, what I have for breakfast, whenever I take a dump and how much bogroll I use. For these types of games or websites that I don’t play or go on anymore I don’t bother typing in a password I remember, I just hit my head on the keyboard a couple of times, let them try and crack that one.

  5. Scatterbrainpaul says:

    My Debit Card got cloned this week, luckily my bank managed to spot it and refused the £800 transactions that they tried to make on it, and my card is now cancelled.

I don’t have a Rift account, but I’m pretty sure they got my details from maybe when Steam got hacked or another games website. I was stupid enough not to think it would be an issue and didn’t change my card on any websites. I got away with it this time, but I think in the future I might be a bit more careful.

  6. KikiJiki says:

Got the email this morning so I’m off to check whether I need to be worried or not.

    Frankly though I find their idea of compensation pisspoor. 3 free days for a game that I played for about one month, then forgot about and an ingame item for 10% more currency? Really? Never mind that there’s been enough data exposed for identity fraud despite their ‘encrypted’ passwords, here’s ‘compensation’ that costs Trion a grand total of £0 to provide, that doesn’t even apply to a percentage of those affected.

    Other posters are right, the companies aren’t the victims, us folk whose data has been exposed are the victims, and companies need to wake up to what they’ve done that allows this to happen before the general gaming public wakes up to the scale of liabilities the companies are open to.

  7. cafe says:

Honestly, I understand that everybody hates hackers and that hacking some innocent game developer may seem like a bad thing. However, I don’t think the solution to this can be that everybody agrees that hacking game developers is bad and that they don’t need proper protection because there is no reason to hack them in the first place.
Today, companies try to get every piece of information from you. You need to give away an email address for every fart on the net and companies are collecting information about their customers that has no link to the product they sell or the field they work in.
If companies want to continue this “every piece of information will be collected” madness they will have to make sure that no thief can just come and grab your data. If you want my data you better protect it and you better protect it good.
I used to be a member on lifehacker.com and during the last year they got hacked and my personal email address was put on the piratebay. I had to change every single password I have, get a new email address and had to unsubscribe from a couple of sites and I still feel that leaked email address affecting my everyday internet use!
Collecting data is no joke that you do because everyone does it. If you want my credit card info then better take good care of it. And don’t try to blame the hackers, if you give your money to a bank you expect it to be safe and you won’t take a “well we didn’t have a safe in the first place..” from that bank when it gets robbed!

  8. SolanQ says:

Some people may call me paranoid, but this is exactly why I prefer to pay by gametime cards. And when I have to use paypal or credit card to activate my game account for the first 30 days, I cancel the subscription and erase the payment details again as soon as the account is up and running.

    While there is no excuse for what happened, people should realize these things can happen even with the most well-secured systems and adopting a little paranoia when it comes to paying for stuff online and (for the love of god) different login details for every website/service goes a long way…

  9. El_Emmental says:

    I love how people think it’s easy to set up an efficient security system. In reality, it’s a nightmare.

    Too complex, your employees will find an unsecured workaround (because they don’t like complex system, or do not have the skills/time to fix it when it’s broken). Too simple, hackers will rapidly find a way to break in. Now pour some social engineering on top of that, and your system fails.

Speaking of credit cards, YesCards have existed for 10 years now (of course, the latest version of credit cards are now much harder to break, but I bet there are already working prototypes around), while credit card information is sold on a specific black market on a daily basis. The banks have enough mechanisms to make that type of illegal activity pretty invisible to the common consumer (since they need consumers to believe credit card transactions are totally safe), but it’s still there.

Oh, and the recent drama over the SSL certificates hack: who would have thought companies specialized in online transactions security, providing expensive solutions to other companies, could get hacked like that? And who would have thought such security solutions would be hacked that “easily”?

    Maybe security isn’t that easy to do…

Security includes not having incompetent employees at key spots – it’s impossible to have a “pure” team of fully competent people all the time, dream teams don’t grow on trees, what you need is a system tolerating a high rate of incompetent people and several malfunctions at the same time, while still providing a good level of security. Think of the 1961 nuclear bomb accident, where a single switch out of the 6 safety devices worked and prevented the detonation.

Security includes telling your boss “we need an additional budget of _____ dollars to properly protect our users’ data, and an additional budget of _____ dollars to protect our own network”, and him saying “Okay, let me see the details and see if that’s really the right solution” and actually providing the adequate budgets.
Not “Are you nuts?! I don’t pay you to throw such crazy demands! We need that money for marketing the game or we’re not gonna make it!” or “yea yea, put that on my desk, I’ll read that later”.

    Just try setting up a firewall on the computer of one of your relatives: too simple, it’s a plastic colander, too complex they just click “Yes” on everything or uninstall/shutdown it.

    • jalf says:

      I love how people think it’s easy to set up an efficient security system. In reality, it’s a nightmare.

      Ah, hyperbole.

      No one, I believe, said that it was “easy” to set up an efficient security system. But a few of us pointed out that if you want to make a business selling stuff, and collecting personal information, on the internet, then reasonable security, no matter how hard it is, is not an optional extra. I don’t claim that building rockets that can reach orbit is easy either, but that doesn’t mean NASA is blameless when their rockets blow up. They’re trying to do something really really hard, but it’s their business, they’re supposed to succeed at it.

      Likewise, a company who decides that its business is taking money from people in return for access to a game online can whine all they want about security being hard. But they still need to be secure. They chose to make that their business.

And when you fail to provide the security you promised your customers, you fucked up, and deserve every bit of criticism you get.

  10. Bahoxu says:

    I’m using one-shot electronic credit cards for all my online purchases. They can be used once, pay a defined amount of money and then they are disabled forever.