MetaMessiah

HUGE breaches in NCsoft account "security"


Devianne   
1 hour ago, Takao said:

Sorry but u are poor guy who just want to sweep this under rug and do nothing about it truth is that 1-3 cases of this maybe that what u talking about but there was sadly much more of them and only in cases with NCsoft involved somehow so is no wonderland that people find mistake on NCsoft side. Why is there no phone code confirmation like in bank. Well answer is ncsoft dont want improve and u can see it in everysingle game their publish they just milk title to dead basically . Sadly Blade and Soul was milked much faster than others for some reason....

oh boy u couldnt be more off the actual truth. what gives u the right to accuse NC over the claims of users for false security? u dont even know wtf ur talking about. can u give me ANY actual info on HOW these hacks could have happened? cuz every other suggestion including drown wouldnt work here. phone code confirmation? why? why would they add phone code confirmations on a game where no sensitive data is stored and ontop costs money? XD makes no sense. i wasnt aware of nc being equal to a financial insitute which stores highly private data. but i tell u what i rlly think. ur just another one of these "oh yea must be nc soft fault" ppl that cant actually back up in what was said. but i can assure i a can. im willing to bet my ass that 99% of hacks happened cuz of users fault AND NOT cuz of NC. mentioning phone pin: there is ip validation inplace too which also sends a  pin to the users email address. BY DEFAULT THAT IS ON. how and what hackers can do once they actually do manage to get on the users account is irrelevant at this point as actually getting there is not an easy task and surely doesnt just happen on its own.  That account control is not safe on its own might be but like i said b4: a hacker doesnt just get access to ur account like that. users fault. and users always QQ when sth bad happens.

Takao   
4 minutes ago, Devianne said:

oh boy u couldnt be more off the actual truth. what gives u the right to accuse NC over the claims of users for false security? u dont even know wtf ur talking about. can u give me ANY actual info on HOW these hacks could have happened? cuz every other suggestion including drown wouldnt work here. phone code confirmation? why? why would they add phone code confirmations on a game where no sensitive data is stored and ontop costs money? XD makes no sense. i wasnt aware of nc being equal to a financial insitute which stores highly private data. but i tell u what i rlly think. ur just another one of these "oh yea must be nc soft fault" ppl that cant actually back up in what was said. but i can assure i a can. im willing to bet my ass that 99% of hacks happened cuz of users fault AND NOT cuz of NC. mentioning phone pin: there is ip validation inplace too which also sends a  pin to the users email address. BY DEFAULT THAT IS ON. how and what hackers can do once they actually do manage to get on the users account is irrelevant at this point as actually getting there is not an easy task and surely doesnt just happen on its own.  That account control is not safe on its own might be but like i said b4: a hacker doesnt just get access to ur account like that. users fault. and users always QQ when sth bad happens.

tooooo long after first sentence stopped reading cause u are on some smarta.. path that u must be the most inteligent person out there then what are you doing on NCsoft forums u got paid for it ? To bore people like suport so they just dont care anymore????  and dont bother with another poor answer that making this thread offtopic cause i will not read your spitefull crap.

PS: if u writing so much for free i will cry for you .

Devianne   
2 minutes ago, Takao said:

tooooo long after first sentence stopped reading cause u are on some smarta.. path that u must be the most inteligent person out there then what are you doing on NCsoft forums u got paid for it ? To bore people like suport so they just dont care anymore????  and dont bother with another poor answer that making this thread offtopic cause i will not read your spitefull crap.

PS: if u writing so much for free i will cry for you .

i know cuz u cant respond properly. thats the real issue here. u dont know what to say. dont mind me ill care for u: awww u poor poor user awwwwww :(

hey i got a suggestion for u. next time u try to claim sth do so when ur aaaaabsolutely sure u know what ur talking about cuz if u dont then the "smarta" ppl that actually work in that line of field will feel offended cuz some "smarta" user spills some bs that he doesnt know jacksh*t about. trust me. it rlly helps.

Dlacik   
4 hours ago, Amkatar said:

You are also making a false assumption, that people will choose a title of something, just to prove a point which is wrong. It should be well known that length > complexity when it comes to passwords. Even if you were right and people chose sentences with a meaning, "I love the lord of the rings" is harder to crack than any 10 ascii character password with completely random symbols.

I've just made the same assumption for the second case as is made for the first case: that the one choosing the password will choose it with the worst possible method.

Length > complexity works only if you know nothing about the way the password was created. In your example for 10 random ASCII chars -> there are 218 printable characters in ASCII, that means circa 2,4E23 combinations.

For "I love the lord of the rings", if you know that there is some basic phrase like "i love", "i like"... (let's say 1 of 20 phrases) and then the name of some movie (there are 3,715,546 titles in IMDb), that is only circa 7,4E7 combinations.

Even if you take the first case in the image: they've counted that its entropy is 2^28, that's circa 2,7E8, so it's still better than "I love the lord of the rings".

Edited by Dlacik

Naekuh   
3 hours ago, Devianne said:

 why? why would they add phone code confirmations on a game where no sensitive data is stored and ontop costs money? XD 

you call having your credit card info stored and saved is not sensitive data...

 

ok..

 

can i have your CC numbers and address too, since u dont consider it sensitive data?  

And i'll show u how much damage can happen when that goes viral.

Edited by Naekuh

6 hours ago, Devianne said:

i find it funny that these sort of topics always get pushed and then blamed on the publisher which in this case is nc. OP how in the world would u know that these linked threads were 100% legit and didnt do anything bad? YOU DONT!. I am almost 100% sure that these ppl used either 3rd party software, visited websites they shouldnt have, bought gold or just simply gave the login details to a "friend". Doing that and then coming here complaining that ncsoft security is a joke is a joke in itself. With that being said im not denying the fact that current security is good. It obviously isnt. However i highly doubt that any of these stolen account owners have any clue about drown or account security in general by getting hacked the way they did. this is just a couple of butthurt ppl that want to get their account back and lie and/or make sth up which in this case is ncsoft false security.

pathetic.

Good job reading none of the links OP posted. You know, the ones where none of them mentioned they were hacked at all. Maybe you got confused because that one guy said he hacked himself and thought that he went to a 3rd party site and gave away his account info. They all show potential threats to account security and highlight how little NCSoft does to protect our accounts. Once someone gets into the account, they just have to change the email and they have all our stuff until our support ticket telling them to get the account back is answered. There's no confirmation for the email change and you can remove the authenticator without even using a code. There's nothing you can do to stop this from happening because the system doesn't warn you until you're already hacked. You can only hope your password doesn't get leaked in some way or another

Edited by MooseWayne

Faline   

Has anybody had any luck after sending a support ticket getting ncsoft to remove the saved cc info from their account when clicking 'buy ncoin' on the website? curious to know if ncsoft can actually do this...or if once you have used a card that info is there for good. Think i'm going to call the bank and get my card blocked and have them send me a new one if this is the case...ive had a ticket open for days now requesting them to remove this info and as yet they havent done it - I stated that I literally just want to use paypal from now on and have the other information removed...how hard can it be?!?!

 

Mistia   
10 hours ago, GreenBunionSoup said:

It's very hurtful, rude, and unpopular to say, but when someone is hacked it is almost always their own fault. A shoddy password, not using 2 step verification, having the same login and password from somewhere else, or even playing in a public place like a computer shop. The second one, having the same password as another account from some other thing, is one that people just don't realize too. An example would be a modding community for some triple A video games recently has said their database was hacked, and it's possible the users login credentials were taken. They could use that info to try and login on BnS, or any other game I could possibly play. 

 

Don't try to prevent being hacked AFTER it's happened. There's no excuse to not do as much as you can to avoid losing your account. 

Errrr, I agree with most of the things you said of taking extra measures to protect yourself. But this part is like telling a child who was molested that he/she should know better... Should really try to better phrase it.

 

HACKING is wrong, not that stopped anyone from doing it. Let's make that clear and not justify it. But steps can be taken to prevent yourself from suffering the fate of losing your account

Reyva   

This stuff does indeed happen, but at the same time if I believed everything someone said without proper research, then I would be a fool.  Take it from someone who has been working with people for too long.  People will say or do the craziest things in order to get what they want.

 

This is also why I won't believe a **** thing someone says about being hacked on here.  True or not.  Two sides to every story anyways.

 

Would elaborate further but I'm posting while at work.  However, cry more will ya?


 

5 minutes ago, Reyva said:

This stuff does indeed happen, but at the same time if I believed everything someone said without proper research, then I would be a fool.  Take it from someone who has been working with people for too long.  People will say or do the craziest things in order to get what they want.

 

This is also why I won't believe a **** thing someone says about being hacked on here.  True or not.  Two sides to every story anyways.

 

Would elaborate further but I'm posting while at work.  However, cry more will ya?

Did you read the first post or did you read the title and assume someone was hacked and complaining about the security? And regardless, the security does deserve to get all the flak it's currently getting. What kind of account security sends the email change alert to the new email address? Why on earth can you then remove the authenticator by having the code emailed to the new one? Why is there no grace period where you can revert the email change back to the one you had? Why can you not manually remove stored credit card info to prevent someone using your card if you do get hacked? 

 

The only thing really protecting your account is the password. If that gets out, then your account is just gone. They can change the email without you knowing it ever got changed(because it sends that email to the new email address), change your password, remove the authenticator because there's an option to have it email you a code and then charge as much Ncoins as they want and steal all your gold and items.

khynnea   
2 hours ago, Faline said:

Has anybody had any luck after sending a support ticket getting ncsoft to remove the saved cc info from their account when clicking 'buy ncoin' on the website? curious to know if ncsoft can actually do this...or if once you have used a card that info is there for good. Think i'm going to call the bank and get my card blocked and have them send me a new one if this is the case...ive had a ticket open for days now requesting them to remove this info and as yet they havent done it - I stated that I literally just want to use paypal from now on and have the other information removed...how hard can it be?!?!

Submitted a ticket (classified as billing) this morning to have my cc info removed referencing the security issues. They responded pretty promptly, within an hour or so, and asked for the last four digits of my cc number while coordinating with their point of sale folks. After providing that, within a few hours it was a done deal; got a note back saying next time I try to buy anything I will have to enter cc info. Did not try to buy anything though I suppose I should to see if it is really gone; but I have a print out of the ticket for future reference in case there *are* any issues.

 

 

edit: yeah they entered garbage in for my cc number, so it's no longer in their system.

Edited by khynnea

Devianne   
3 hours ago, MooseWayne said:

Once someone gets into the account, they just have to change the email

if u would have read what i wrote u would have gotten it. obviously u did not. tell me where the breach is. tell me how some1 can just "get into my account to change my email". tell me how hackers can just bypass ip validation. and while we r at that tell me how they know which ip i used last incase they wanna spoof. tell me how a hacker can just guess my login email address. yea u didnt understand jackshit. ur just another clueless brainwashed kid that tries to justify bs means. 

3 hours ago, Naekuh said:

you call having your credit card info stored and saved is not sensitive data...

 

ok..

 

can i have your CC numbers and address too, since u dont consider it sensitive data?  

And i'll show u how much damage can happen when that goes viral.

ur CC data is not stored. they work with a cc provider where u submit ur data to. ur paypal data is not stored either. address is questionable but no means of implementing phone pin. imo only raises costs of running and is not rlly needed.

4 minutes ago, Devianne said:

if u would have read what i wrote u would have gotten it. obviously u did not. tell me where the breach is. tell me how some1 can just "get into my account to change my email". tell me how hackers can just bypass ip validation. and while we r at that tell me how they know which ip i used last incase they wanna spoof. tell me how a hacker can just guess my login email address. yea u didnt understand jackshit. ur just another clueless brainwashed kid that tries to justify bs means. 

ur CC data is not stored. they work with a cc provider where u submit ur data to. ur paypal data is not stored either. address is questionable but no means of implementing phone pin. imo only raises costs of running and is not rlly needed.

It's almost like you think no site has ever been compromised at any point in the past. And if the IP verification is working so amazingly as you claim it is, how are people managing to get hacked still? Hackers are somehow getting past the IP check. I don't know how and if I did, I'd be telling NCSoft about it instead of posting in a forum. Hackers are managing to get into accounts and somehow avoiding the IP check. There are no other steps to protect your account if they get logged on. They can change your email, password and authenticator without any confirmation being sent to your email about it.

Malign   

They could try what NCSoft Jp has. They randomly generate 32 different pins and each time you log on it has you enter one of them randomly. If you mess up it makes you give a different one. Also it sometimes will randomly make you put 2 different ones in to log in.

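A sketch of the kind of PIN-card login challenge described in the post above, added here as an illustration and not NCSoft Japan's implementation. The class name, the 6-digit PIN length, the one-in-four chance of a two-slot challenge and the lockout after five failures are assumptions.

```python
import hashlib
import hmac
import secrets

MAX_FAILURES = 5  # assumed lockout threshold; not described in the post


class PinCard:
    """Server side of a numbered PIN card; one or two slots are asked per login."""

    def __init__(self, slots=32, digits=6):
        self._rng = secrets.SystemRandom()
        self._key = secrets.token_bytes(32)
        pins = set()
        while len(pins) < slots:  # the post says the PINs are all different
            pins.add(str(self._rng.randrange(10 ** digits)).zfill(digits))
        pins = list(pins)
        self._rng.shuffle(pins)
        # Given to the user once; kept on the object here only for the demo.
        self.card = dict(enumerate(pins, start=1))
        # The server only needs a keyed MAC of each (slot, PIN) pair.
        self._macs = {s: self._mac(s, p) for s, p in self.card.items()}
        self.failures = 0
        self.challenge = None

    def _mac(self, slot, pin):
        return hmac.new(self._key, f"{slot}:{pin}".encode(), hashlib.sha256).digest()

    def new_challenge(self, avoid=()):
        """Pick the slot numbers the user must answer for this login."""
        choices = [s for s in self._macs if s not in avoid]
        count = 2 if self._rng.random() < 0.25 else 1  # assumed frequency
        self.challenge = tuple(self._rng.sample(choices, count))
        return self.challenge

    def verify(self, answers):
        """Check the PINs given for the current challenge, in slot order."""
        if self.challenge is None or self.failures >= MAX_FAILURES:
            return False
        asked = self.challenge
        ok = len(answers) == len(asked)
        for slot, pin in zip(asked, answers):
            ok &= hmac.compare_digest(self._mac(slot, str(pin)), self._macs[slot])
        if ok:
            self.failures, self.challenge = 0, None
            return True
        self.failures += 1
        self.new_challenge(avoid=asked)  # a wrong answer moves on to other slots
        return False
```

A keylogger that records one login captures only the one or two PINs asked for that time, which is the point of asking for a random slot on each login.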
Devianne   
6 minutes ago, MooseWayne said:

It's almost like you think no site has ever been compromised at any point in the past. And if the IP verification is working so amazingly as you claim it is, how are people managing to get hacked still? Hackers are somehow getting past the IP check. I don't know how and if I did, I'd be telling NCSoft about it instead of posting in a forum. Hackers are managing to get into accounts and somehow avoiding the IP check. There are no other steps to protect your account if they get logged on. They can change your email, password and authenticator without any confirmation being sent to your email about it.

ofc sites can get hacked. however doing so is not sth simple as 123 poof. how would u know hackers get past ip verification? because some1 that was hacked said so? never just believe what users say. yes it is possible to bypass ip check but to do it other factors need to be known. and yes it is true. once they can log on ur account they can change almost everything. but that is imo only once they manage to get hold of ur account details.

 

if ncsoft servers would have been hacked there would be a huge load more lost accounts than the ~10 or so threads i can think of now.

3 minutes ago, Devianne said:

ofc sites can get hacked. however doing so is not sth simple as 123 poof. how would u know hackers get past ip verification? because some1 that was hacked said so? never just believe what users say. yes it is possible to bypass ip check but to do it other factors need to be known. and yes it is true. once they can log on ur account they can change almost everything. but that is imo only once they manage to get hold of ur account details.

 

if ncsoft servers would have been hacked there would be a huge load more lost accounts than the ~10 or so threads i can think of now.

I know that hackers are getting past it because people are getting hacked. That or they're magically pulling out the right IP addresses when they go to hack someone. It's one thing to get someone's login because it's a crappy password or it was leaked from a compromised site, it's an entirely different thing to be able to get a hold of someone's IP address and spoof it to get around the verification.

 

And no, at no point did I bring up there being a security leak on NCSoft's part. The point of this post and the others is trying to get NCSoft to realize their 2 step authentication is worthless and that their security is practically zilch if someone manages to login on someone else's account. Imagine if some home security system only worked if someone was trying to break in, and just shut off once they got a door or window opened. No police show up and the guy who is now stealing all your stuff has until you get back home to keep stealing your stuff. That's basically NCSoft. The real kicker is that when your email gets changed, the new email address is the one that gets the usual "Hey your email got changed. If you weren't the one who changed your email, you should probably contact support about your account security." Fat load of good it does sending that email to the hacker

Devianne   
Just now, MooseWayne said:

I know that hackers are getting past it because people are getting hacked. That or they're magically pulling out the right IP addresses when they go to hack someone. It's one thing to get someone's login because it's a crappy password or it was leaked from a compromised site, it's an entirely different thing to be able to get a hold of someone's IP address and spoof it to get around the verification.

 

And no, at no point did I bring up there being a security leak on NCSoft's part. The point of this post and the others is trying to get NCSoft to realize their 2 step authentication is worthless and that their security is practically zilch if someone manages to login on someone else's account. Imagine if some home security system only worked if someone was trying to break in, and just shut off once they got a door or window opened. No police show up and the guy who is now stealing all your stuff has until you get back home to keep stealing your stuff. That's basically NCSoft. The real kicker is that when your email gets changed, the new email address is the one that gets the usual "Hey your email got changed. If you weren't the one who changed your email, you should probably contact support about your account security." Fat load of good it does sending that email to the hacker

yes while that all is true the issue of hacker obtaining users credentials is questionable. who knows?  maybe these hacked accounts were on sites they shouldnt have gone to. downloaded sth they thought would help them play (ex. bots, hacks, etc) but instead downloaded like in 90% of cases a keylogger. this to me seems the only logical conclusion cuz u dont see that many hacked accounts. ontop it helps gold sellers obtain more "accounts" to obtain gold / trade /spam / etc.

 

another possibility is that some hacked accounts used the same email/password combination used on a less secure site which got compromised.

 

in any way i dont think the owners of the hacked accounts r 100% innocent. but still. having said that and just trying it myself too. being able to just change ur email address without validating that ur the owner of that email address should imo not be possible. this is sth very easy to implement but would boost account security tremendously

Just now, Devianne said:

yes while that all is true the issue of hacker obtaining users credentials is questionable. who knows?  maybe these hacked accounts were on sites they shouldnt have gone to. downloaded sth they thought would help them play (ex. bots, hacks, etc) but instead downloaded like in 90% of cases a keylogger. this to me seems the only logical conclusion cuz u dont see that many hacked accounts. ontop it helps gold sellers obtain more "accounts" to obtain gold / trade /spam / etc.

 

another possibility is that some hacked accounts used the same email/password combination used on a less secure site which got compromised.

 

in any way i dont think the owners of the hacked accounts r 100% innocent. but still. having said that and just trying it myself too. being able to just change ur email address without validating that ur the owner of that email address should imo not be possible. this is sth very easy to implement but would boost account security tremendously

At the very least they should make it so you need the authenticator to be able to change your account info. If you can't get the code for the authenticator, you'd have to contact support and answer questions about your account to prove that you made it. 

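The changes several posts in this thread ask for (the alert sent to the old address, a grace period with a way to revert, proof of ownership of the new address, and the authenticator code required for account changes) can be sketched as below. This is an added example, not NCSoft's code and not something posted in the thread; the class and method names, the 72-hour grace period and the `check_code` hook are assumptions.

```python
import hmac
import secrets
import time

GRACE_SECONDS = 72 * 3600  # assumed grace period; the thread names no figure


def _same(a, b):
    return hmac.compare_digest(a.encode(), b.encode())  # constant-time compare


class AccountSettings:
    """Toy account record; check_code stands in for authenticator verification."""

    def __init__(self, email, check_code, now=time.time):
        self.email = email
        self.authenticator_enabled = True
        self.pending = None   # at most one email change in flight
        self.outbox = []      # (recipient, kind, token) tuples instead of real mail
        self._check_code = check_code
        self._now = now

    def request_email_change(self, new_email, code):
        # A logged-in session is not enough: the authenticator code is required.
        if self.authenticator_enabled and not self._check_code(code):
            return False
        p = {"new": new_email, "confirmed": False,
             "confirm": secrets.token_urlsafe(16),
             "revert": secrets.token_urlsafe(16),
             "effective_at": self._now() + GRACE_SECONDS}
        self.pending = p
        # The new address must prove ownership; the OLD address gets the alert
        # and a revert token, so the real owner hears about the change.
        self.outbox.append((new_email, "confirm", p["confirm"]))
        self.outbox.append((self.email, "revert", p["revert"]))
        return True

    def confirm_new_email(self, token):
        if self.pending and _same(token, self.pending["confirm"]):
            self.pending["confirmed"] = True
            return True
        return False

    def revert_email_change(self, token):
        if self.pending and _same(token, self.pending["revert"]):
            self.pending = None
            return True
        return False

    def current_email(self):
        # The switch needs both confirmation and an expired grace period.
        p = self.pending
        if p and p["confirmed"] and self._now() >= p["effective_at"]:
            self.email, self.pending = p["new"], None
        return self.email

    def remove_authenticator(self, code):
        # No emailed-code fallback, and no removal while a change is pending.
        self.current_email()
        if self.pending is not None or not self._check_code(code):
            return False
        self.authenticator_enabled = False
        return True


def demo():
    """Constructed scenario: an intruder holds the password and one valid code."""
    clock = [0.0]
    acct = AccountSettings("owner@example.test", lambda c: c == "492817",
                           now=lambda: clock[0])
    out = {"without_code": acct.request_email_change("intruder@example.test", "000000")}
    acct.request_email_change("intruder@example.test", "492817")
    acct.confirm_new_email(acct.outbox[0][2])
    out["alert_sent_to"] = acct.outbox[1][0]
    out["authenticator_removed"] = acct.remove_authenticator("492817")
    out["owner_reverted"] = acct.revert_email_change(acct.outbox[1][2])
    clock[0] += GRACE_SECONDS + 1
    out["email_after_grace"] = acct.current_email()
    return out
```

In `demo()` the intruder confirms the new address, yet the owner still receives the alert at the old address, the authenticator cannot be removed while the change is pending, and the revert leaves the account email unchanged after the grace period.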
Aviarn   

Better security advice yet; don't click on any strange links or get engaged in "deals" that seem too good to be true.

Edited by Aviarn

Royo May   

so after reading all this i immediately changed my current used e-mail to a new one. also changed the password on my ncsoft and email acc to an absurd long one being a mix of a bullshit sentence paired with illogical symbols in-between. i already had two-step auth for my bns acc and my old e-mail. the new one has also two-step auth.

 

the emails are also exclusively used for the game only. nothing else, just like the passwords are not used for anything else.

 

am i gucci now until i can change my e-mail again? or did i miss something?

Royo May   

alrighty then :D oh i forgot to add, i have my CC card information attached for my 1 year sub, BUT it's a prepaid card and can only be charged through a direct transfer initiated at the terminal of my bank or my online banking ;)

 

so for people using credit card: get a prepaid one. charge it with the exact amount you need when the renewal of the sub occurs.

 

you cannot initiate a payment with an uncharged prepaid CC, the provider will automatically reject it.

orianthi   

I think it is quite funny that this is yet another major issue in the game that NC are doing nothing about, but yet again as with previous issues the playerbase themselves are working together to fix/solve the issue instead, so GG NC for the awesome game tech back up you have lmao
