NCsoft’s GSU Team Speaks About Account Security
Today we found this news post aboutAion Onlineconcerning the security of accounts. One of the biggest problems in the gaming industry is the illegal account-hacking, money trading and theft of personal information. Please continue reading below, because it touches upon these very sore subjects, and Scott Jennings (GM Luminary)'s advice.
Greetings, all. I’m Scott Jennings, otherwise known as GM Luminary, working with NCsoft’s Game Surveillance Unit (GSU). I’ve been asked to take some time to speak for a bit on the fallout from the war that we’ve been fighting in our games against real money trading (RMT) companies and others trying to violate your account security, and how you can help in the fight.
Make no mistake—it is a war. One that you, our players, see the effects of whenever you play our games or visit forums related to our games. Many of you have noticed the decrease in bots, farmers, and gold spammers as a result of our efforts.
In the game industry, we have also seen an increase in attacks by third parties in an attempt to steal your account information by any means necessary, including phishing, obtaining passwords from third party sites/systems, and using account information provided by those engaged in power-leveling services and other prohibited activities. Recently, the number of these attacks has risen dramatically.
As a result, our game support queues have drastically increased, with thousands of support tickets from players who have lost access to their game accounts and are suffering extended wait times for help. Our game servers, account databases, and support sites are under constant attack and being probed for any vulnerability. It’s a war that by no means is over.
Our enemies are playing for high stakes—the estimated $2 billion dollars that RMT companies earn off the back of game developers and players like you. And we are playing for high stakes as well—the right that we believe we have as a company, and you as players, to play games that are free from the corruption of in-game currency sales and all that results from that.
It’s a war that we’re committed to winning, but one that we’ll need your help with to achieve a real victory. I’ll describe first our responsibility to you to provide a safe and secure gaming environment, and then what you can do in return to protect yourself.
Our job: Provide a secure environment for your game
With the increase in account compromises that we've been seeing in this past month, I think it’s worth taking a moment to review how seriously we here at NCsoft take your account security.
The news from Google regarding a serious, high-level attack by hackers on the most secure technology companies in the world is sobering. We continue to refine our systems to counter the various attacks that these RMT companies employ. We have a team of security professionals with years of experience in massively multiplayer games and online security in Seoul, Seattle, Austin, and Brighton that is striving to make our servers as secure as they can be. Any vulnerability that is discovered is addressed and fixed.
For example, a thread on a third-party Guild Wars forum this New Year’s attracted a good deal of attention. It detailed a list of security vulnerabilities that supposedly had been discovered on our account website, ending with the alarmist note that “the only responsible thing NCsoft can do is to shut off their website, as soon as possible.”
Despite the fact that this report occurred over the holidays, when the majority of NCsoft employees were home with their families, our security team responded immediately with a point-by-point testing and analysis of the erroneous concerns that were raised. As a result of the point-by-point testing and analysis, our security team concluded no critical vulnerabilities had been demonstrated or identified, but our security team continues to research, to monitor closely, and to implement security improvements to address any potential weaknesses raised.
We’ll continue to audit our systems, and you will see some dramatic changes in the next few months. NCsoft views account security as a very important matter.
Your task: Help protect yourself
So how you can protect yourself from the sort of constant attacks that we’ve been seeing?
Many of you reading this letter are experienced online game players. You’ve heard the “don’t do this” and “don’t click that” and “don’t run that thing” warnings over and again, you’re not dumb, you’d never get your account stolen simply because you know better.
You’re wrong. I know this because I know many people who thought they knew better—people who work in the gaming industry, and have done so for years, and still tried to log in one day and found their password changed and someone else logged into their account cleaning out their inventory.
(If you’re not an experienced online gamer and want the basics in account security, there’s no shame in that. We have a complete guide online.)
The following brief guide in self-protection is going to be a bit different than what you may be used to. It’s going to assume that you know the basic rules of how to protect your account, and it will detail how we’ve seen accounts stolen anyway. Think of it as an advanced class in account security. And don’t think that these guidelines apply to other people who don’t pay attention. If you do any of these, your account is at risk of being stolen.
Don’t share your password with anyone. Don’t let your friends log in to your game account. There are two simple reasons for this. The first, and one you may not want to particularly acknowledge, is that your guildmate or childhood friend or relative may do things on your account that can get you banned, such as using bots. Another is that once you share your account, your security is as vulnerable as theirs—and any mistake that they may make that allows for an account intrusion will compromise your account as well.
Don’t use bots. Ever. If you use “third party applications that control your game play”—which is the literal definition of “bots”—you will lose your account, and nothing you say will get it back. We can detect bots. We have multiple ways of detecting bots. We have banned thousands of accounts and will continue to ban such accounts due to bot usage. Bot usage is one of the key ways that RMT companies use to fund their operations, and removing bots from the game is one of our best attacks against them. The GSU “banhammers” against bot usage will not stop, and if you use a bot, you will be caught. You may not be caught immediately, but it will happen.
Don’t buy in-game money. Aside from the fact that you are funding the very people who are at war with our games—and thus at war with you—many RMT companies use web browser vulnerabilities to attempt to load Trojans onto your system. In some cases, they ask you to create website logins for their system and then check to see if that information is the same user name and password you use to log in to the game with. A few companies simply ask you for your user name and password. In any event, these are not companies that can be trusted. Because your accounts can be compromised as a result of RMT, we specifically prohibit this type of activity in our User Agreements.
Don’t use power-leveling services. Again, these services are run by the same people who are attacking our game, and by using their services, you are funding their attacks (and the money that they earn while power leveling goes to fund in-game currency sales). The same potential attacks that exist with in-game money sellers apply here as well (especially since, obviously, you have to supply your account information for them to log in to your account to level it), but with one important addition: Power-leveling services level your character quickly using bots. We can detect this. It will cause your account to be banned, quickly.
Don’t run programs designed by third parties for use with our games. Aside from the small matter of NCsoft banning you if you use a bot, using third party applications is asking for trouble. You are allowing code someone else wrote to run on your computer. Do you implicitly trust the creator of that program not to add a virus or Trojan horse that is used to steal your account?
Beware of phishing. One of the recent plagues that it is hard to miss of late is that of the “phish” (Wikipedia),or the attempt by RMT companies to get you to simply hand over your account information through crafting a copy of our website and placing it on a web server with an address that is similar, but not identical, to ours. Many of these phishing attempts are laughably obvious because they are created by people who are not fluent in English. However, there are others that are not so obvious. Regardless, NCsoft will never ask you, for any reason, for your password in game, to go to a website to reset your password, to add you to a beta, or to give you a free holiday gift. If we need your password reset, we can do so without asking you to go to a website. If there is a new beta, there will be instructions for how to enter on our official websites and forums. When entering your user name and password, you should always check the address bar of your web browser to ensure you are at https://secure.ncsoft.com/. And if you get an odd error message after logging in to what you think is an official NCsoft site, change your password at the correct NCsoft site immediately. Please carefully check the spelling of the address in your browser. Any misspelling may lead you to a phishing site.
Beware of keylogger links on forums. This is akin to the previous point on phishing. Keylogger links are created as forum spam to get you to go to a website loaded with attacks on your computer through web browser security holes. Some of them are very obvious, such as the recent “Wii sex toy” ads posted everywhere. Some of them appear very innocent, such as links to view a screenshot of someone’s character. Avoid the obvious ones. Protect your browser from the less obvious ones by ensuring that you are using the latest version of your web browser and that it is set to automatically update itself when new security holes are found.
Adobe Flash, a tool used for website animations that comes with every web browser, has historically been an attack vector for loading malware (hostile programs) on your computer. At minimum, be absolutely sure that your version of Flash is up to date by visiting http://www.adobe.com/products/flashplayer/. If you run a browser that supports extensions such as Mozilla Firefox, consider running an add-on such as Flashblock, which only loads Flash movies if you click on them.
Protect your system. There are many viruses and Trojan horses, such as the recent “Aion2010.dll,” that target your account information for our games specifically. Hackers constantly strive to find new ways to load software on your system without your consent or knowledge. It is critical that you run virus protection software and a firewall to protect yourself from these attacks.
Free, effective virus protection software is available. Here are links to some of the more popular solutions. Note that we cannot endorse or recommend any specific program, but we recommend you run something and ensure that it remains updated.
Microsoft: Security Essentials
Having a firewall, or system which protects your computer from unauthorized access, is also important. If you have a router that provides broadband Internet access for your home, it’s likely that a firewall system is included with that. Every version of Windows also ships with a software solution, Windows Firewall. Ensure that one of these is active and protecting your home network.
Don’t use the same password for your game account that you use on Internet forums. There have been instances of forums that have had their security compromised and the user names and passwords from their system were then used to try to gain access to game accounts. To prevent the possibility of this happening, ensure that you use different passwords for each forum that you frequent. This can be managed easily through password managers, such as Lastpass or RoboForm.
This letter has been quite long, and I thank you for your attention, especially during the parts I’m sure you’ve heard many times before. Our fight for the security of the games that you play is neither an easy one, nor a short one. But it is one that we are committed to seeing through, and it is one that we very much appreciate your help with. Your continued patronage as a customer, and the enjoyment of the games that we provide, is what makes this all worthwhile.
Now if you’ll excuse me, I have another gold farmer cartel to ban.