Important notification concerning your Trion Worlds account

[ManWitDaPlan]

A ghost from the past emerges...


There are, generally speaking, about a quarter-million account breaches per month worldwide that involve the release of personal information. In the case of breaches involving MMO/gaming companies it's usually millions of accounts being compromised at a time.

And, as was mentioned already by multiple people on this thread, there is no such thing as "secure," unless you're talking about a maximally locked-down, non-networked machine with physical access controls in place to restrict who can sit down in front of the keyboard.

This stuff happens. No matter who you are or how much protection you employ, sooner or later someone will get in and get their mitts on data. The entire ITSEC world is all about trying to minimize the probability of this happening but there's no way to prevent it entirely without taking systems offline, and even then there are "meatworld" based attacks: social engineering.


Trion's response is welcome and should be the norm, but isn't the norm among tech companies generally and gaming companies specifically. Companies with large customer data repositories should always report breaches as soon as they can do so safely without risk of additional compromises. Sadly, most of the bigger names in the MMO world, for example, won't report breaches unless they absolutely have to.

There's also an argument to be made for encrypting the entire customer database, but the practicalities of this are sometimes an issue as decrypting the data takes time and people (especially gamers) are impatient. Personally, I have zero problem with a 15-or-so-second wait to log in if it means that my info is being decrypted, checked against multiple credentials (e.g., known IPs, password, authenticator code), and verified in a secured environment each time, but there are many folks out there that scream at microwaves for taking too long and they might not appreciate an extra delay.


Since security is not an absolute, what we all have to work with are compromises - we all trade privacy for functionality just to do things on a daily basis, and Trion (like all MMO operators) has to trade additional layers of security for ease of use (since tighter security is harder to use and takes longer to work with), decreased systems complexity, and better reliability/uptime. I'm sure Trion is more than willing to leave no stone unturned in its quest to keep everything secured, and we've seen in the past (and I probably more than anyone else) that Trion is an unstoppable juggernaut when it comes to getting things fixed when a problem appears, but are we as users willing to jump through an extra hoop or two to make beefier out-of-game security possible, if it comes to that?

[Packo]

Please visit www.trionworlds.com/AccountNotification for more information

i haven't subscribed to this game for awhile now... quite awhile
you still retain my credit card info
nowhere in your FAQs/KNOWLEDGE DATABASE do you mention that you retain payment information even for non-paying accounts

its hardly convenient that customers and EX-customers are endangered by this

also what is FULL credit card information?

they have:
-first/last 4 digits of cards
-expiry date of card
-billing information (address/card holder)

what? the 3 digit security code?

thanks for the Christmas inconvenience Trion, the moneybag and play time really makes up for it as I don't even play your game

Merry Christmas

[Sneezer]

Trion,

Thanks for the 3 days play time and free money bag.

Especially since I quit playing your game several months ago.

As someone who has been a victim of credit card theft (curiously not long after I had originally purchased Rift) this is a very touchy subject for me. Especially around the holidays.

Not to mention, I can now expect an immediate rise in fishing spam to my email. My email...which is also my login, thanks to your idiotic username policies.

I can tell you, that because of this, I will never be purchasing/subscribing to another Trion game again. Ever. I just cannot trust your company with my personal information.

BTW, for those who hadn't been around since the launch, this isn't the first time that Trion accounts have been compromised en masse.

Happy Holidays.

[Staith]

Without reading through this massive topic. If I have an authenticator and pay through paypal what are the chances anything except my email address linked to my account were compromised?

[Marikhen]

nowhere in your FAQs/KNOWLEDGE DATABASE do you mention that you retain payment information even for non-paying accounts

With all due respect anyone not functioning under the assumption that companies will never delete account information unless absolutely necessary is making a mistake. You just have to talk with Frogster, the people who run Runes of Magic, to figure that out.

Even when I explicitly told them I wanted them to delete all of my account data and any and all other information related to my abortive attempt at playing RoM they informed me that their policy was never to delete that sort of thing "just in case a player wants to return." You'd think that when you can't answer a customer's simple question in three attempts, the third one resulting in you having to lie to the customer, and they inform you they wish for you to delete all their account data that they have no intention of ever returning. However that runs afoul of what appears to be one of the fundamental laws of MMOs where applying logic to them is a recipe for failure.

[Edit]

[Kithias]

I just got back into my Trion/RIFT account after getting the email this morning, checked, and the Credit Card (really a Visa Check Card) that was locked down for Fraudlent Charges Wednesday evening/Thursday morning IS the same CC # I used to play RIFT 4-5 months ago.

Its not a guarantee they are related... but it's something. My card was fine for purchases Wednesday afternoon, not sure I bought anything in the evening, and then Thursday morning (yesterday) I could not buy my morning coffee. Called the Credit Union, they said suspicious activity, I confirmed it, they locked the CC down and are sending me a new one.

Charges were to Dillards and Belks in Charlotte, NC. A state not far from me, but that I've never been to.

Editing to add: I was advised to get credit reports, possibly a freeze (which sucks as I'm up to move to a new apartment complex at the end of January), and file a police report. Money was refunded (was shy of $300 worth of charges), but I have to turn the police report case # and sign an affidavit for it to remain refunded to my account.

[Flynch]

The lack of common sense in this thread, considering it's nearly 2012, is concerning.

Any concerted effort to hack, with enough experience and knowledge, has a chance to penetrate the security system it's focussed on.

Stop the witch-hunt and let them deal with it their end.

[Nnnxia]

Third time's the charm Trion, keep trying.

[Hellrime]

To deny any risk at all is extremely negligent. The fact that all of this could have been solved by creating a stronger DMZ, and providing user input validation on the database. I mean seriously, every 5 seconds I see someone getting the X month veteran award x 3, and TRION can't afford a better Network IPS??? Also, what is completely amazing is the apology is 3 days game time and an equippable trinket for 10% bonus money looted (You would make more money in less time by not equipping it). Final Fantasy Online gave free play until they got the issues fixed.

The fact that this has happened twice, which I didn't know about the first one, only proves that this can happen again. Saying "Oh well they only got the last four digits off the card" doesn't leave me with much faith; until another attack happens and they get the rest of it. In addition how is it they know they only got the last four digits, yet aren't sure who breached the system? A tip might be to not use a bandaid to fix a hole in the roof.

The people who are downplaying what has occured here are simply ignorant of Internet security. Just keep this in mind when you see people not able to resub because they were cleaned out. 3 days and a really awful trinket isn't going to make up for possibly losing your identity. I guess at least TRION won't be affected, because the people with our identity's will still be able to play with our money, so they're okay. In the mean time here is a trinket for more virtual money.

[pavrizel]

I appreciate the quick response from Trion.

1). Is not anyone else concerned that their security allowed this to happen.

2). Why would Trion, who knows they are a huge security target, keep more information than needed. CC info is huge!

3). What I don't see is any communication for those that might get hit by the information breach. Buying your way out of someone else's nightmare does not rise to reasonable conduct.

4). Now we all get bombarded by spam attempts since they have almost everything they need! I am not satisfied by this breach of. We pay them and now I am at risk. Thnaks!

I for one would appreciate a little more information on how they plan to move forward.

[TrailMyx]

I'm unsure why the additional password requirements are necessary. If they are going to leave the database exposed for all to see, then it really doesn't matter what the quality of my password is.

[Hellrime]

[QUOTE=Marikhen;3485814] Then again can we really expect better from someone who thinks that implementing a fully functional database to pander to the shortcomings of players takes as much time or less than making a new record in a database and running an update query, that key customer support staff members should be awake 24/7 to answer questions on demand, and that it's somehow Trion's responsibility to think of everything their players should already know or be capable of figuring out for themselves? Probably not. [QUOTE]

You make a good point that it is the players responsibility to take some action to protect themselves. On the other hand it is TRION's responsibility to offer protections while the information is in their hands. To say that it's the player's fault their information is in jeopardy is simply not entirely true. Encryption, input validation on the database, and a DMZ protecting important company data could have solved most of this, and it just wasn't in use. The fact these people got anything at all proves that either weak encryption, or no encryption at all was in place.

[the_real_seebs]

i haven't subscribed to this game for awhile now... quite awhile
you still retain my credit card info

Do they? It's not obvious to me that they mean "credit card information for all accounts including those where there was no credit card on file".

[Sargonnas_KoA]

While I don't like what happened here, I have been on the receiving end of having thousands of dollars charged to my credit card fraudulently in the past. It scared the crap out of me at the time. I never had to pay for any of it myself, but it was not a pleasant situation. I still think some of you are out of control with your responses to this. Like one of the posters above me said, this is almost 2012, but you wouldn't know it by how some people are acting.

[the_real_seebs]

1). Is not anyone else concerned that their security allowed this to happen.

Lots of people are, but not people who know anything about security. Big targets like this are under constant attack, every so often something happens.

2). Why would Trion, who knows they are a huge security target, keep more information than needed. CC info is huge!

I would guess they kept CC info because without it they couldn't renew subscriptions.

3). What I don't see is any communication for those that might get hit by the information breach. Buying your way out of someone else's nightmare does not rise to reasonable conduct.

I have no idea what you mean by this. Both my affected email addresses got communications from Trion outlining what was taken and what I might need to do.

4). Now we all get bombarded by spam attempts since they have almost everything they need!

That will indeed be interesting. Thinking to change the address on file to a new one so mail to the old ones is known-bad-actor.