
  Thread: Regarding Reports of Unauthorized Transactions

  1. #1
    Community Manager Scapes's Avatar
    Join Date
    Mar 2014
    Location
    Auroria
    Posts
    4,527

    Regarding Reports of Unauthorized Transactions

    To our Alpha and Beta testers,

    Let us start by saying this very clearly: Trion Worlds' security has not been compromised in any way. There has been absolutely no breach in Trion’s servers.

    What happened in the last few hours is sadly nothing new: every day, bots obtain user credentials from various unprotected sites around the Internet, build lists of logins and passwords, and try them on Trion's servers (along with many other sites). If players consistently use simple or repeated passwords across different online services, these bots may get access to their accounts. Because of the current momentum around ArcheAge, hundreds of millions of such attempts were made from well over a million different IP addresses in the last few weeks, only a fraction of which ended up being successful today.

    The team has already started providing refunds and all players affected by fraudulent charges will be automatically refunded within the next few hours today.

    As previously mentioned, this type of issue is recurrent in the online world and Trion has actually been working on a solution to address this particular problem for a while now. Coincidentally, starting Thursday, we are adding a new security feature to Glyph to help keep player accounts safe: when players log in from a new computer or a place that we haven’t seen them log in from before, they’ll be asked to verify that it really is them logging in, by entering a code emailed to their account’s primary email address.

    Trion Worlds encourages all players to update their existing passwords and to make sure to use different, secure passwords across the Internet. Players can go here to update their account information immediately, including their passwords and login information: https://session.trionworlds.com/login. If you believe that this has happened to your account and have any questions, please contact Trion Customer Support as soon as possible: https://support.trionworlds.com/
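
Added example, not part of Scapes's post and not Trion's code: a minimal sketch of the new-device check the announcement describes, where a correct password from an unseen device yields only an emailed one-time code instead of a session. The class and method names, the `send_email` hook, the opaque device identifier, and the TTL and retry values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 600   # seconds an emailed code stays valid (assumed value)
MAX_TRIES = 5    # wrong guesses allowed before the code is voided (assumed value)


class DeviceGate:
    """Step-up check for logins from a device the account has not used before."""

    def __init__(self, send_email, now=time.time):
        self.send_email = send_email  # callable(address, code); hypothetical mail hook
        self.now = now                # injectable clock so expiry can be tested
        self.known = {}               # account -> set of trusted device ids
        self.pending = {}             # (account, device) -> [code_hash, expires, tries_left]

    @staticmethod
    def _digest(code):
        return hashlib.sha256(code.encode()).digest()

    def after_password_ok(self, account, email, device):
        """Call only after the password check passed; returns 'session' or 'verify'."""
        if device in self.known.get(account, set()):
            return "session"
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG-generated 6-digit code
        # Store only a hash of the code, with its expiry and remaining guesses.
        self.pending[(account, device)] = [self._digest(code), self.now() + CODE_TTL, MAX_TRIES]
        self.send_email(email, code)
        return "verify"

    def submit_code(self, account, device, code):
        """Return True, and trust the device, only for a fresh and correct code."""
        entry = self.pending.get((account, device))
        if entry is None:
            return False
        digest, expires, tries = entry
        if self.now() > expires or tries <= 0:
            del self.pending[(account, device)]  # expired or guessed out: void it
            return False
        if not hmac.compare_digest(digest, self._digest(code)):
            entry[2] -= 1                        # count the wrong guess
            return False
        del self.pending[(account, device)]      # single use: a replay finds nothing
        self.known.setdefault(account, set()).add(device)
        return True
```

With this gate in place, a password taken from another site's list is not enough on its own: the login stalls at "verify" until someone who can read the account's mailbox supplies the code.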

  2. #2
    Senior Member Bedivere's Avatar
    Join Date
    Aug 2014
    Location
    Nuia
    Posts
    318
    Fantastic. Email authorization was something I was hoping for. Works great with games like GW2. Bravo.

    Also, for those wanting an easy way to make good passwords here's a tip I learned on the net: Think of a song you like and remove the first letter of every word in its title. Then, add some numbers on the end. It looks like gibberish and is surprisingly easy to remember.

  3. #3
    Senior Member
    Join Date
    Mar 2014
    Posts
    1,675
    Quote Originally Posted by Bedivere View Post
    Fantastic. Email authorization was something I was hoping for. Works great with games like GW2. Bravo.

    Also, for those wanting an easy way to make good passwords here's a tip I learned on the net: Think of a song you like and remove the first letter of every word in its title. Then, add some numbers on the end. It looks like gibberish and is surprisingly easy to remember.
    I just smash my keyboard and then I write my password down so I don't forget it.

  4. #4
    Senior Member
    Join Date
    Jul 2014
    Posts
    377
    Quote Originally Posted by Scapes View Post
    To our Alpha and Beta testers,

    Let us start by saying this very clearly: Trion Worlds' security has not been compromised in any way. There has been absolutely no breach in Trion’s servers.

    What happened in the last few hours is sadly nothing new: every day, bots obtain user credentials from various unprotected sites around the Internet, build lists of logins and passwords, and try them on Trion's servers (along with many other sites). If players consistently use simple or repeated passwords across different online services, these bots may get access to their accounts. Because of the current momentum around ArcheAge, hundreds of millions of such attempts were made from well over a million different IP addresses in the last few weeks, only a fraction of which ended up being successful today.

    The team has already started providing refunds and all players affected by fraudulent charges will be automatically refunded within the next few hours today.

    As previously mentioned, this type of issue is recurrent in the online world and Trion has actually been working on a solution to address this particular problem for a while now. Coincidentally, starting Thursday, we are adding a new security feature to Glyph to help keep player accounts safe: when players log in from a new computer or a place that we haven’t seen them log in from before, they’ll be asked to verify that it really is them logging in, by entering a code emailed to their account’s primary email address.

    Trion Worlds encourages all players to update their existing passwords and to make sure to use different, secure passwords across the Internet. Players can go here to update their account information immediately, including their passwords and login information: https://session.trionworlds.com/login. If you believe that this has happened to your account and have any questions, please contact Trion Customer Support as soon as possible: https://support.trionworlds.com/
    And this could have been prevented to a certain extent if you didn't take Authorization/control of people's PayPal accounts for transactions. Instead you should let the end user log in once more with PayPal username and password to finalize that transaction. If he used the same username and password on his PayPal account his bank account would still be raided, but you can't really counter stupidity too much.

    But right now, you are also punishing people who use PayPal and did think of using different passwords for different things.
    Right now if I want to use PayPal as payment method, I have to authorize TrionWorlds by logging in once with my PayPal username and password.
    Once that process is done, from then on every purchase I make will be directly billed with PayPal as medium from my own bank account. And I never have to use my PayPal username and password again to finalize a transaction, making my TRION Account a Single Point of Failure.

    As any IT Specialist would know, SPOFs are BAD and you served eventually. Think about that, you are part of the problem just like the players who use same passwords across multiple services are.


    Also, your Security sucks in many ways starting with the fact this forum doesn't even use SSL Certificates.
    (Edit Zephirisz: Though when logging in you are redirected to a secure logon site that is encrypted and secure, so I was wrong earlier about your login credentials being unencrypted and on a non-secure line)

    I do want to say that I still question if you bind multiple dots together but you don't secure each and every dot. I wonder where the weakest link would be.



    Nice job! Crappy PayPal payment solution where you don't always ask for user PayPal login credentials before finalizing a payment.
    No SSL Certificate / encrypted for Archeagegame.com domain.... Why? You use one for the trionworlds.com domain. Why not the forum too?
    I would wonder how vulnerable you are to SQL injections and stuff.... leaves me wondering when from my point of view you didn't invest much in security either.

    Also, doing that IP thing on Glyph is nice, but not impressive. I would much rather see a 2nd verification where you need to enter the code (with mouse clicks only) that people have selected. Like 8 characters long consisting of only numbers. Though, I'll admit you already have something similar with the Authenticator token thing. You should enforce 2nd verification for additional account security.

    I don't particularly like the Authenticator thing, so I rather like how they do it in AION. You need to enter your 8 digit code before you can actually log on to the world with the character you selected. Even if your password was breached, if the hacker doesn't know your 8 digit code too he still can't do anything with your in-game character cuz he can't log in.

    Sorry, I have been ranting a bit but security is your responsibility as a publisher a lot more than it is to the end user. I know the end user is generally stupid. But it's up to you to enforce security upon them. So force a 2nd and/or 3rd layer of security.

    Invest some money in good Security. It is really worth a lot especially in MMOs where account theft means a major hassle for both the end user and customer support. Something that can be prevented or made considerably harder with better enforced security measures.

  5. #5
    Senior Member
    Join Date
    Aug 2014
    Posts
    334
    thanks for the update
    Proud to be an Archeum Founder!
    ArcheAge Wiki

  6. #6
    Senior Member
    Join Date
    Jul 2014
    Location
    New Zealand
    Posts
    904
    Dump all payment info and force everyone to re-add it securely with the 3(4?) step

    stagnant data is a killer
    Quote Originally Posted by Celestrata Bloodsong View Post
    Roadblocks are annoying (I've been on the receiving end of them)
    Quote Originally Posted by Celestrata Bloodsong View Post
    I've actually never been blockaded on any character.
    While I admire your optimism, I feel the need to draw your attention to reality

  7. #7
    Senior Member
    Join Date
    Jul 2014
    Posts
    109
    Quote Originally Posted by Scapes View Post
    To our Alpha and Beta testers,

    Let us start by saying this very clearly: Trion Worlds' security has not been compromised in any way. There has been absolutely no breach in Trion’s servers.
    and of course you banned 16k bots




  8. #8
    Senior Member
    Join Date
    Aug 2014
    Posts
    295
    Thanks for keeping us updated!

  9. #9
    Senior Member
    Join Date
    Mar 2014
    Posts
    1,675
    Trino pls lol

  10. #10
    Quote Originally Posted by Zephirisz View Post
    And this could have been prevented to a certain extent if you didn't take Authorization/control of people's PayPal accounts for transactions. Instead you should let the end user log in once more with PayPal username and password to finalize that transaction. If he used the same username and password on his PayPal account his bank account would still be raided, but you can't really counter stupidity too much.

    But right now, you are also punishing people who use PayPal and did think of using different passwords for different things.
    Right now if I want to use PayPal as payment method, I have to authorize TrionWorlds by logging in once with my PayPal username and password.
    Once that process is done, from then on every purchase I make will be directly billed with PayPal as medium from my own bank account. And I never have to use my PayPal username and password again to finalize a transaction, making my TRION Account a Single Point of Failure.

    As any IT Specialist would know, SPOFs are BAD and you served eventually. Think about that, you are part of the problem just like the players who use same passwords across multiple services are.


    Also, your Security sucks in many ways starting with the fact this forum doesn't even use SSL Certificates so when we log in this data is not encrypted. So a hacker with some skills and ill intentions could sniff out login credentials each time we log in to this forum.



    Nice job! Crappy PayPal payment solution where you don't always ask for user PayPal login credentials before finalizing a payment.
    No SSL Certificate / encrypted for Archeagegame.com domain.... Why? You use one for the trionworlds.com domain. Why not the forum too?
    I would wonder how vulnerable you are to SQL injections and stuff.... leaves me wondering when from my point of view you didn't invest much in security either.

    Also, doing that IP thing on Glyph is nice, but not impressive. I would much rather see a 2nd verification where you need to enter the code (with mouse clicks only) that people have selected. Like 8 characters long consisting of only numbers. Though, I'll admit you already have something similar with the Authenticator token thing. You should enforce 2nd verification for additional account security.

    I don't particularly like the Authenticator thing, so I rather like how they do it in AION. You need to enter your 8 digit code before you can actually log on to the world with the character you selected. Even if your password was breached, if the hacker doesn't know your 8 digit code too he still can't do anything with your in-game character cuz he can't log in.

    Sorry, I have been ranting a bit but security is your responsibility as a publisher a lot more than it is to the end user. I know the end user is generally stupid. But it's up to you to enforce security upon them. So force a 2nd and/or 3rd layer of security.

    Invest some money in good Security. It is really worth a lot especially in MMOs where account theft means a major hassle for both the end user and customer support. Something that can be prevented or made considerably harder with better enforced security measures.
    Holy christ, I had to log in just to reply to how stupid you are. You obviously know *nothing* about security at all, but claim you do.

    For PayPal they *do not have your authentication details at all*, they are using the same standard PayPal preauth as tons of websites out there. You click to add a PayPal account, get sent to PayPal, log in there and PayPal sends back a token to Trion that they can use to initiate payments. Trion does not have your PayPal login, they have billing info and a token for preauthorized payments with PayPal, that's it.

    And login to the forums is encrypted, just browsing around and replies and such aren't. When you log in to the forums you get sent to

    https://session.trionworlds.com/logi...rl%3Dforum.php

    They are using 3rd party auth provided by vBulletin, like many other game forums do, so they can use Glyph accounts instead of requiring separate forum accounts.

    And then the 8 numeric key by mouse clicks is just laughable, if for some reason you think clicking things is more secure than typing you're absolutely foolish. I could very easily make a "mouselogger" that takes a screenshot around the pointer for every click sent. It's just as trivial as a keylogger to write. Hell, there is even off the shelf software that exists already and is used for tracking hours worked by freelance developers etc (e.g. oDesk).


    It isn't Trion's fault if you are an idiot and give your password to everyone. You also aren't "hacked" for using the same password on guild forums etc, you are an idiot.
