Update on Hacked Accounts

[Otawo]

We're also working on the addition of two-factor authentication at the login level, which will let you use an app or a cell phone as a way to ensure that you're the one logging on. (You may have heard of this in other products as a SecurID or an Authenticator.) We'll be sharing specifics on that as soon as we can as well.

Thank you Abigale! I am glad for the quick response to this issue, and like the coin lock addition as well. The above quoted feature while I think it's rediculous that it has come to that in any game, I am glad that unlike other game companies Trion is adding this security option for us early on. Thank you so much for this update.

[Otawo]

Coin locked.. great idea!

I think you were the first to implement a chat spam filter, too. Kudos.

I hope that e-mail advises people on how to get rid of the keylogger or whatever before resetting their account.

And I hope people don't use the same password for Rift that they do in their e-mail. Not much you can do about that though.

My only concern is that if they got your login/password from a keylogger, they know your IP address and the region of your ISP. If they have access to a nearby proxy server, they're in.

Don't get me wrong, though. This is a HUGE step in the right direction. It will make a big, big difference.

Easy fix for that, coin lock anyone and everyone with a proxy server connection. From my personal experience, the only reason a gamer would be using a proxy server would be if they where doing stuff that they shouldn't be doing. I have played games before where if a proxy connection was detected you would get a temp ban, followed by a perma ban for repeat offense.

[Blackjackrifts]

AMAZING

Simple yet effective solution!

Being in the IT industry I know the importance of security and will be getting the Authenticator when it gets released

Thanks guys!

[hoodse]

Everyone remember to make your Rift accounts password very different to your email password

[Vengeful_Giblets]

Good first step, though I'll echo the concerns that were mentioned about e-mail accounts. If they've obtained your login details then they probably have the deets for your email as well.

If you use GMail then you probably have access to their 2-step authentication. You can enable it here: https://www.google.com/accounts/b/0/SmsAuthConfig.

If you use FastMail then you can use a YubiKey to sign into that service. Info here: http://www.fastmail.fm/help/login_yubikey.html.

I can find no secure way to sign into Yahoo or Hotmail services. That's not to say that they don't have them, I just can't find them. Yahoo does allow signing in via your Google account.

At this point it seems like Gmail or Fastmail would be the best route to go for a secure email account.

[the_real_seebs]

Okay, please...

Make the login name not be the same as the email address on the account.

Obviously, lots of us don't have the same password on the email account as on our Trion account. But why make it easier for the attackers to use one to get information about the other? The email address should be treated the same way billing information is treated; you can't see it while maintaining the account. And of course, it shouldn't be the login name.

Seriously, give us 8-digit numbers, give us random names, anything but using the email address as the login name. I would rather log in as "seebssucks" than be using the account email as the login name.

[MonoLOL]

yeah im suprised no MMO has htought of this

Probably because at release no other "AAA" MMO has had this problem. Atleast none im aware of.

[Horadrim]

Didn't care to read the countless posts from the 9 pages available. I just wanted to put my vote in for an authenticator. I'd be willing to pay the $0.99 fee to download it to my Android phone.

Thank you.

[happycat]

So, how does item and currency restoration work when your account is reacquired from deletion?

[Shaedence]

Probably because at release no other "AAA" MMO has had this problem. Atleast none im aware of.

Uhm I doubt it matter when the hacking starts. WoW has had problems since ~2005 and it took them till ~2009 to get authenticators, and they have no spam filter, no other real security.

I pay 15$ a month for not JUST content, I pay $15 to a game developer who cares. I'm not gonna give my money to a Dev group will little or no consern to it's gamers privacy when most P2P MMOs that are big now (WoW, Aion, FFXwhateveritisnow) just slap on authenticator (hey pay $15 more!) and call it a day.

Now all we need is email gold spam gone and we're cookin' with fire!

[Skybyrd]

What defines a significantly different location?

I start a new job tomorrow, doing over the road truck driving. I will be logging in from different locations pretty much every day. Usually about 500-600 miles different than the previous day.

While i think its a good idea, and I'm glad Trion is working on this issue, being coin locked every day would get... old.

Thanks!

[Dazzz]

it's a pain in the *** for all the not NA players on NA servers.

I might be an exception playing from china with a VPN , but people from OC with VPN/lowerping services will be coinblocked the whole time.

And it won't slow down hackers one bit.
If your account is hacked, they just need to log into your account page, check your location and use a VPN near your location.

My VPN service alone offers dozen of servers at different location in the US and there is no way for them to check where the login originated from.

So coin blocking might stop some lowlevel hacking, but it's not really as safe as it makes you think.

The best protection is still not using the email as log-in and authenticators.


Cheers
Dazzz

[Partyrock]

Well done, yet again Trion.

[Vengeful_Giblets]

Since apparently there's now a time limit on editing our posts I can't update my previous comment. I apologize for the 2nd post.

Anyway, I just checked FastMail's YubiKey support. It's an alternative login for use at public computers. You can still sign into the account with your master password and leave the YubiKey out of the equation, so it's not quite as secure as I had thought. GMail's 2-step authentication is still better for the purpose of protecting game accounts against key loggers.

It is great for signing on while at school or at a cyber cafe, but not quite so good for the purpose of thwarting key loggers on your home PC. You could avoid ever using your master password after creating the account, but this still leaves your account to depend on whatever defense FastMail has against brute forcing.

/nerd
//slashies

[MACerone]

Guys are we all talking about the same issue here?. Is this in reference to the many(including me) that logged in to see 3 of his 6 characters naked and cleaned out of all items except 1.2 gold and a pair of boots?

If this is what we're all talking about, then this whole thread is a sham, yes I said it, it's a sham!!

This is a Trion Database issue, not a hack. I never visit fan sites, I'm not kelogged, I'm not wormed and have no viruses. Now if someone got a hold of Trions account database then that's another story and well, great, maybe some of these new measures will help. But I seriously doubt that is the what the devs are saying here. Either they actually believed the first moron to post "I was Hacked!", in which case, shame on them for not investigating further, or they know they have a big PR problem and are covering their rears with this interim solution till they can figure out what the hell happened in their Server Database.

Lets just use a little logic here. I logged in Saturday morning on 3 characters and all was fine, then there was a patch, then I logged back in a few hours later and those 3 characters were mostly cleaned out. I was left with about 1 gold each, and some random single piece of gear. My other 3 characters were untouched, one of which had just as much equipment and platnum as the 3 that were cleaned out. What's the logic of the hackers here. They hacked several thousand accounts and left many characters alone on each because they were in a hurry?.

I'm not buying it, this is no hack guys, at least not those that had the issue I described.

By the way, devs, when a spell casting character needs a weapon in hand to even cast a spell, don't make the cheapest 2-dps weapon cost 2+gold, it makes it impossible to rebuild your character without becoming a whiny begger in chat. "can someone buy me a dagger please?"

Another thing, it should be pretty easy to show in someone's account info, a timestamp of the last 3 or 4 times they logged in, including the IP logged in from. Then we might not have all these people screaming I've been hacked. I think it would have shown that there was no unauthorized use, and we all instead would be ranting in a different direction.

Just my 2 cents, hasta