MetaMessiah

HUGE breaches in NCsoft account "security"


https://www.reddit.com/r/bladeandsoul/comments/4dp48l/i_tried_hacking_my_own_account/

https://www.reddit.com/r/bladeandsoul/comments/4dn59l/2step_verification_will_not_help_solve_your/

https://www.reddit.com/r/bladeandsoul/comments/4djepj/major_flaw_in_ncsofts_account_management_system/

https://www.reddit.com/r/bladeandsoul/comments/4dp3q0/pretty_sure_i_figured_out_why_so_many_people_are/

 

You may have seen frequent posts about accounts being hacked and many of you would accuse them of using 3rd party programs or gold buying etc. However I would just like to point out that it isn't really that hard to access someone's account. First of all, your 2-step verification is useless as according to the links above, if a hacker can access your account, they can change YOUR email to THEIRS without verification from the previous email. Following that, they can also disable your 2-step verification as it now asks for confirmation from your new email. There is also something called a DROWN attack but you should read it yourself as I'm bad at explaining.

 

The only thing stopping hackers is your password and ip verification. Passwords can be brute forced or spoofed. The only thing stopping these hackers is the IP verification. But if hackers do get inside your account they can even disable the ip-verification and see all your details including address and phone numbers.

 

So what did we learn today? Set up a good password and enable IP verification, ordinary hackers cannot bypass the latter. Also don't download 3rd party software or try to buy gold, these are still contributors to accounts being hacked.

 

 

IHARVEY   

I have IP verification on my account. Either they are spoofing every single account they hack, or they have a way to bypass it altogether.


Guess what? I tried to access my account from a location and it doesn't even ask for ip verification unless it's my BnS client. I would like to edit my original topic but changing my email to improve security ALSO forces you to pick a NEW display name since the old one is taken by your old email address. I have no idea why or how it works.

Unicorns   

The IP verification is a joke and can be bypassed just by bypassing the launcher, which I'm not gonna link on how to do, but it's on these very same forums since it was posted as a solution for the launcher not working properly. You log in on the client itself so no IP verification happens.
There's really not much you can do.

Isharin   

It seems like they locked the change email feature (multiple reports on reddit that nothing happens if you try to change email), so you are probably safe if you enable 2 factor authentication on your BNS account and your email account.

This is if the change email feature is locked; if it is not, I suggest changing the email and enabling 2 factor authentication so you are safe for 90 days.

 

However according to ssllabs.com online test feature; account.ncsoft.com ranks F in security

 

 

Nema   

Why even have the option of two factor authentication if they don't enforce it when logging into account management? NCSoft really never learns...

Xellos87   

1. Change your passwords to something long and complicated using a lot of different symbols: big letters / small letters / numbers / #$%@ stuff like this.
2. Don't use public computers to access your sensitive data, or any other than your personal one, even at home if you have more than one.
3. Don't use your phone as a login device; phones are much more vulnerable than computers for sensitive data since there are ads and spam basically everywhere.
4. Do not enter suspicious sites or places which you do not know. Same goes for your inbox in e-mail.
5. Do not save passwords for accounts in your browser/phone/tablets or whatever.
6. Don't use the same passwords for everything; it doesn't matter that it makes things easier.
7. Don't accept files from people you do not trust (not even that is safe sometimes) LOL. Trojans/Worms can be injected into everything, even a simple jpeg.

 

What I wrote may seem obvious, but not many people think about what they are actually doing, and their mentality is like "Meh this will never happen to me", until the moment it does and they are even surprised. It is your own fault 90% of the time. NCSoft has been using this type of system for years and it's not safe, I agree. I still have my Aion account from 6 years ago and not even once has it been breached. Yes, it's sad and very frustrating to lose something like this, but help yourself first. I'm sorry if this sounds rude but it's the truth. Stay safe =)

 

7 minutes ago, Xellos87 said:

1. Change your passwords to something long and complicated using a lot of different symbols: big letters / small letters / numbers / #$%@ stuff like this.
2. Don't use public computers to access your sensitive data, or any other than your personal one, even at home if you have more than one.
3. Don't use your phone as a login device; phones are much more vulnerable than computers for sensitive data since there are ads and spam basically everywhere.
4. Do not enter suspicious sites or places which you do not know. Same goes for your inbox in e-mail.
5. Do not save passwords for accounts in your browser/phone/tablets or whatever.
6. Don't use the same passwords for everything; it doesn't matter that it makes things easier.
7. Don't accept files from people you do not trust (not even that is safe sometimes) LOL. Trojans/Worms can be injected into everything, even a simple jpeg.

 

What I wrote may seem obvious, but not many people think about what they are actually doing, and their mentality is like "Meh this will never happen to me", until the moment it does and they are even surprised. It is your own fault 90% of the time. NCSoft has been using this type of system for years and it's not safe, I agree. I still have my Aion account from 6 years ago and not even once has it been breached. Yes, it's sad and very frustrating to lose something like this, but help yourself first. I'm sorry if this sounds rude but it's the truth. Stay safe =)

 

Don't forget to mention people need to actually ENABLE 2 step verification. Having to put in your pin code with your mouse seems like a hassle, but so is having to get everything back when you lose your entire account. I'd rather spend an extra 5 seconds every time I login than lose my account. From what I know, keyloggers can't detect mouse movement.

 

Passwords should definitely be more complicated, but they should also be as long as you can possibly make them. I recall one of the methods hackers use is to obtain the logins of people, which is easy considering it's your email, and then having a program continuously try every combination of words and numbers it possibly can. The odds of it working are much MUCH smaller the longer your password is, compared to making the password more complicated. This isn't an excuse to make a crappy password, like passwordpassword or 123456789ncsoft. 

 

It's very hurtful, rude, and unpopular to say, but when someone is hacked it is almost always their own fault. A shoddy password, not using 2 step verification, having the same login and password from somewhere else, or even playing in a public place like a computer shop. The second one, having the same password as another account from some other thing, is one that people just don't realize too. An example would be a modding community for some triple A video games that recently said their database was hacked, and it's possible the users' login credentials were taken. They could use that info to try and log in on BnS, or any other game I could possibly play.

 

Don't try to prevent being hacked AFTER it's happened. There's no excuse to not do as much as you can to avoid losing your account. 


Only real protection is what Xellos wrote. Have a strong password that uses special letters or stuff like +-*/*`?=)(/ whatever you name it.

If a hacker gets beyond your unsafe password that you might also have used for your Email then you are pretty much fked.

 

And since the reddit posts mention that 2 step verification is useless anyway (*) don't even bother with it (*which I thought it was from the first day I saw that there is this Google auth. method. FFXIV does it right, giving you a physical authenticator! that only you receive and that basically creates a code every time you push the button and that you actually need to enable and also to disable the 2 step verification)

Nema   

There's nothing wrong with Google two factor authentication if it's used correctly. The only difference between the app and the physical authentication dongle is that malware on your phone could steal the token seed.

 

The problem is in how they use two factor authentication. If the account management on the website was secured by two factor, someone with access to your username and password wouldn't be able to change the email, remove two factor auth and strip you of your stuff. 

 

The way they handle email change is also bad security practice, since they send no confirmation to your previous email.

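Added example (not part of any post in this thread, and not NCsoft's code): a minimal Python model of the account-management behaviour Nema describes above, where changing the e-mail or removing two-factor needs the authenticator code, and an e-mail change only takes effect once confirmed from the previous address. The `Account` class and its method names are hypothetical; `totp` follows RFC 6238.

```python
import hashlib, hmac, secrets, struct, time

def totp(seed: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), the scheme authenticator apps use."""
    mac = hmac.new(seed, struct.pack(">Q", int(at // step)), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class Account:
    """Hypothetical account-management model (names are assumptions)."""
    def __init__(self, email, password, seed):
        self.email, self.password, self.seed = email, password, seed
        self.two_factor = True
        self.pending = None   # (new_email, token mailed to the OLD address)
        self.outbox = []      # (recipient, token) pairs: stand-in for a mail system

    def _second_factor_ok(self, code, now):
        # Accept the current and previous time step to tolerate clock drift.
        return any(hmac.compare_digest(totp(self.seed, now - d), code) for d in (0, 30))

    def request_email_change(self, password, code, new_email, now=None):
        now = time.time() if now is None else now
        if not hmac.compare_digest(password, self.password):
            return "denied: bad password"
        if self.two_factor and not self._second_factor_ok(code, now):
            return "denied: second factor required"
        token = secrets.token_urlsafe(16)
        self.pending = (new_email, token)
        self.outbox.append((self.email, token))   # sent to the current (old) address
        return "pending: confirm from old address"

    def confirm_email_change(self, token):
        if self.pending and hmac.compare_digest(self.pending[1], token):
            self.email, self.pending = self.pending[0], None
            return "changed"
        return "denied: bad token"

    def disable_two_factor(self, password, code, now=None):
        now = time.time() if now is None else now
        # Needs the authenticator code itself, never a mail to the account address.
        if hmac.compare_digest(password, self.password) and self._second_factor_ok(code, now):
            self.two_factor = False
            return "disabled"
        return "denied: second factor required"
```

With this shape, a stolen password alone can neither move the account to a new address nor switch two-factor off, and the original owner is notified at the old address of any attempted change.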
38 minutes ago, MinaTakashi said:

Have a strong password that uses special letters or stuff like +-*/*`?=)(/ whatever you name it.

1 hour ago, Xellos87 said:

complicated using a lot of different symbols big letters / small letters / numbers / #$%@ stuff like this.

password_strength.png

khynnea   

I would also add the following:

 

Don't save financial information with NCSoft. You cannot manually control this through account management, you have to send a support ticket in to get it removed. Doing so now might make it easier in the future to document that you took this action if you ever need to contest charges, also -- especially in light of this gaping security hole.

 

And geez... Don't download workarounds for gameguard from the internet (it's a root kit, people). I know gameguard is the devil, but ... why you would replace it with something that could be any old other root kit with or without keyloggers...

Shadovvv   
3 hours ago, Isharin said:

It seems like they locked the change email feature(multiple reports on reddit that nothing happens if you try to change email), so you are probably safe if you enable 2 factor authentication on your BNS account and your email account.

 

It's probably because their registered account hasn't been active for more than 90 days. On the other hand, my email has "Change" but trying to change it just stays on the same page and does nothing...

Devianne   

I find it funny that these sort of topics always get pushed and then blamed on the publisher, which in this case is NC. OP, how in the world would u know that these linked threads were 100% legit and didn't do anything bad? YOU DON'T! I am almost 100% sure that these ppl used either 3rd party software, visited websites they shouldn't have, bought gold or just simply gave the login details to a "friend". Doing that and then coming here complaining that NCsoft security is a joke is a joke in itself. With that being said, I'm not denying the fact that current security is good. It obviously isn't. However, I highly doubt that any of these stolen account owners have any clue about DROWN or account security in general by getting hacked the way they did. This is just a couple of butthurt ppl that want to get their account back and lie and/or make sth up, which in this case is NCsoft false security.

pathetic.

Takao   
46 minutes ago, Devianne said:

I find it funny that these sort of topics always get pushed and then blamed on the publisher, which in this case is NC. OP, how in the world would u know that these linked threads were 100% legit and didn't do anything bad? YOU DON'T! I am almost 100% sure that these ppl used either 3rd party software, visited websites they shouldn't have, bought gold or just simply gave the login details to a "friend". Doing that and then coming here complaining that NCsoft security is a joke is a joke in itself. With that being said, I'm not denying the fact that current security is good. It obviously isn't. However, I highly doubt that any of these stolen account owners have any clue about DROWN or account security in general by getting hacked the way they did. This is just a couple of butthurt ppl that want to get their account back and lie and/or make sth up, which in this case is NCsoft false security.

pathetic.

Sorry, but u are a poor guy who just wants to sweep this under the rug and do nothing about it. Truth is that 1-3 cases of this may be what u are talking about, but there were sadly many more of them, and only in cases with NCsoft involved somehow, so it is no wonder that people find the mistake on NCsoft's side. Why is there no phone code confirmation like in a bank? Well, the answer is NCsoft doesn't want to improve, and u can see it in every single game they publish: they just milk the title to death basically. Sadly Blade and Soul was milked much faster than others for some reason....

Dlacik   
2 hours ago, Finsternis said:

password_strength.png

It's sad how many ppl actually believe this. The problem with this img is that in the first case it suggests: if you force people to use numbers, caps and special symbols, they will do it the worst possible way.

While in the second case it suggests: if you let them choose a long enough password with words only, they will choose some completely random words (one of the best possible ways).

To make it the same as in the first case, you should expect people to choose some name of a song/book they like or a similar thing. That will reduce the entropy to a level even lower than in the first case.

Faline   

We need better security, simple as that really. Never played a game before where this was as much of a concern. And if it gets too out of control I will quit without hesitation. 

 

 

khynnea   
1 hour ago, Faline said:

We need better security, simple as that really. Never played a game before where this was as much of a concern. And if it gets too out of control I will quit without hesitation. 

 

Better security, and better atmosphere around what we're seeing as a result of security breaches. I realize people do cheat and come to the forums to complain about losing their accounts after they get banned for it, but when you consistently see things in the forums that amount to "I got hacked and didn't get restored at all" it doesn't leave much confidence.

 

Yes, I can do everything I can to ensure my account's security. I can and do use strong passwords and good internet hygiene habits. But even when the company doesn't leave a backdoor this glaring as a means of access, systems still get hacked, and this is why good customer service typically has means in place to get players back on their feet afterwards. Now, maybe they are helping people who are honestly hacked and stolen from -- and we're just not seeing it, but on other games I've played the level of transparency exists where you understand where you stand and you know if you invest hundreds of hours and/or dollars in something it's protected.

Amkatar   
59 minutes ago, Dlacik said:

It's sad how many ppl actually believe this. The problem with this img is that in the first case it suggests: if you force people to use numbers, caps and special symbols, they will do it the worst possible way.

While in the second case it suggests: if you let them choose a long enough password with words only, they will choose some completely random words (one of the best possible ways).

To make it the same as in the first case, you should expect people to choose some name of a song/book they like or a similar thing. That will reduce the entropy to a level even lower than in the first case.

You are also making a false assumption, that people will choose a title of something, just to prove a point which is wrong. It should be well known that length > complexity when it comes to passwords. Even if you were right and people chose sentences with a meaning, "I love the lord of the rings" is harder to crack than any 10 ascii character password with completely random symbols.
