NCsoft Master Account Security Issues
Great work, thanks for the heads up.
Unless they change your password they have no way back in after login timeout right?
Support also doesn't seem to acknowledge that it's a security issue on their end. He was given the standard "don't buy from RMT or use third party programs" notice. They hadn't been looking at the account for more than an hour, so there's no way that they could have investigated something like that in the time given. He was told that if it happens again his account will be banned, which is also a standard response. Now, despite it not seeming like something he would do, it's not a comment on whether or not he did do it. I just think it's entirely too easy to change a lot of important information in our Master accounts. Considering how much they control, the security is entirely too light. It kind of makes me wish I'd put my Aion account on a separate Master account, but it's too late for that now.
Edit: Having read through some of the recent stuff on the issue, it appears that NCSoft made some changes to password security this morning that look like a step in the right direction (though there are probably more to be made). I would definitely encourage people to change their Master account passwords ASAP.
For those who have played Guild Wars, there might be some pretty concerning security issues around NCsoft master accounts.
Might be a good time to change your master account password even if you didn't play GW, just in case.
Uhm . . . Unsub . . . Did you read what they are saying the actual problem is?
LOGGING INTO YOUR OWN PLAYNC MASTER ACCOUNT CAN RANDOMLY LOG YOU INTO ANOTHER PLAYER'S ACCOUNT. YOU HAVE FULL CONTROL OVER THEIR ACCOUNT FROM THIS POINT. YOU CAN CHANGE THEIR PASSWORDS, AND EVERYTHING ELSE THAT ONE CAN EDIT FROM THE PLAYNC MASTER ACCOUNT CONTROLS.
Changing your password will not solve the problem. The bug is randomly bypassing your login and password and giving another person access to your account when they enter their login and password.
Changing your password won't solve that part of the problem, no, but that wasn't the only vulnerability that was being exploited, and it looks like NC made some changes this weekend that will make all of the issues harder to exploit while they look into fixing it (having just changed my own password, I can confirm that there's a new popup that looks to be put in place for that reason). That said, changing your password is still a good idea, and isn't going to hurt. If you look through the posts that the article links to, there is mention that some of the hackers are working off a list of account names and passwords.
Now GW players need to type in one of their character names in order to log on. Not being a frequent player I don't have my character names memorized. So I ended up having to find a CoH player that plays Guild Wars contact a friend in my GW guild and have them pass along the name of the character that joined their guild.
GW customer support was insisting I only had a demo/trial account that had no characters on it.
Yeesh, this is terrible. So if you get an account hacked and then recovered too many times the account gets banned? That is TERRIBLE.
Playstation 3 - XBox 360 - Wii - PSP
Remember kids, crack is whack!
Samuel_Tow: Your avatar is... I think I like it
Changing my password actually CAN hurt because I'm liable to forget the new one, and I have to get through all of the security questions, which never really fit my needs, anyway. If players are working off a password list, won't I just update their list?
Samuel_Tow is the only poster that makes me want to punch him in the head more often when I'm agreeing with him than when I'm disagreeing with him.
After reading the list of vulnerabilities, I'm not too sure that changing my account pwd is all that helpful.
I don't actually see any vulnerability that would be affected by changing my pwd more often than usual.
- 1. Wrong Account Bug. Sometimes simply logging into the NCSoft site takes you to someone else's account instead, with FULL CONTROL over that account. An attacker need only use a bot to log into their own account over and over until the bug occurs, then steal the account the bug gives them.
- 2. Advanced Vulnerabilities Reported by Mung on Aion Forums
- "SQL injection is apparently NOT prevented very well. [Mung] was able to send a basic acknowledge request and instead of "page not found" or "incorrect login" [Mung] received an SQL ack!"
- "The ENTIRE web domain is unprotected from file mirroring (process of copying all files housed at the web host)." Chthon's note: HOLY ****! That's very bad....
- "[T]he majority of the process functions for each page under the "secure.ncsoft.com" domain are scripted in PERL but referencing Javascript multiple times for all sorts of verifying processes. This can easily be manipulated to a users intention."
- 3. Brute Force Vulnerabilities
- Login failure gives different error message for real usernames and non-usernames. An attacker can generate a list of valid usernames by systematically running all character strings against the NCSoft site's username field.
- Security questions for password reset have dangerously small search spaces that can be guessed quickly. The birthday question (which is the default!) is particularly easy. So is the car color question.
- Failed attempt at answering security questions that includes one correctly guessed question returns error message that tells user which question is correct. This vastly reduces search time for a brute force attack.
- Password reset attempts are allowed too frequently. 5 attempts every 12 hours is too many given the small search spaces.
- IPs attempting multiple failed logins or password reset attempts are not blocked, blacklisted, or greylisted.
- Attacker can specify new NCSoft password immediately upon correctly guessing password reset questions. The system should create a random password and send it in a confirmation e-mail to the account's associated address.
- The GW username is displayed from the NCSoft site. It should not be. This gives an attacker 1/3 of the GW login credentials.
- Attacker can specify new GW password immediately upon accessing the NCSite. User should be required to enter old password and/or respond to confirmation e-mail to the account's associated address. [Edit: Apparently this was fixed a few hours ago. Old password is now required.]
- No countermeasures at all against brute forcing NCSoft password. (Gaile states that she has been told there are, but forum members making repeated failed login attempts did not encounter lockout, blacklisting, or increasing delay. Suspect Gaile has been misinformed by NCSoft staff.)
- 4. GW character names are present in old support tickets. This renders the new character name security question useless.
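An added example, not code from the thread or from NCsoft, that models two of the brute-force items in the list above: the login form that returns a different message for unknown usernames than for wrong passwords, and the password-reset form that tells the caller which security question was answered correctly. Everything in it (the account table, the birthday and car-colour lists, the victim's answers, and the 5-per-12-hour budget used by `hours_to_exhaust`) is constructed for the demo; the function names are mine, not NCsoft's.

```python
"""Added example, not code from the thread or from NCsoft: models two of the
brute-force weaknesses listed above (username enumeration via distinct error
messages, and password-reset questions that reveal which answer was right)
and counts the attempts an attacker needs in each case. Account data, question
lists and the attempt budget are all constructed for the demo."""
from datetime import date, timedelta

# --- Username enumeration (item 3, "different error message") ---------------
USERS = {"victim": "hunter2", "alice": "correct horse"}  # constructed accounts


def login_leaky(user, password):
    """Distinct messages let an attacker tell a valid username from a bogus one."""
    if user not in USERS:
        return "unknown username"
    if USERS[user] != password:
        return "incorrect password"
    return "ok"


def login_uniform(user, password):
    """One message for both failure causes (response timing should match too)."""
    return "ok" if USERS.get(user) == password else "login failed"


def enumerate_users(login, candidates):
    """Usernames confirmed valid without a single correct password."""
    return [c for c in candidates if login(c, "not-the-password") == "incorrect password"]


# --- Security-question reset (item 3, "tells user which question is correct") -
# Constructed search spaces: every day in a 70-year span, and 14 car colours.
BIRTHDAYS = [date(1940, 1, 1) + timedelta(days=i) for i in range(70 * 365)]
CAR_COLORS = ["black", "white", "silver", "gray", "red", "blue", "green",
              "brown", "gold", "orange", "yellow", "purple", "beige", "tan"]
VICTIM = {"birthday": date(1985, 7, 4), "car_color": "blue"}  # constructed


def reset_leaky(birthday, car_color):
    """Per-question feedback: names the first wrong answer."""
    if birthday != VICTIM["birthday"]:
        return "birthday wrong"
    if car_color != VICTIM["car_color"]:
        return "car color wrong"
    return "ok"


def reset_strict(birthday, car_color):
    """All-or-nothing: the same response for every wrong combination."""
    correct = (birthday, car_color) == (VICTIM["birthday"], VICTIM["car_color"])
    return "ok" if correct else "rejected"


def attack_leaky():
    """Solve the questions one at a time; cost is the SUM of the search spaces."""
    attempts = 0
    for b in BIRTHDAYS:
        attempts += 1
        if reset_leaky(b, CAR_COLORS[0]) != "birthday wrong":
            found_birthday = b
            break
    for c in CAR_COLORS:
        attempts += 1
        if reset_leaky(found_birthday, c) == "ok":
            return attempts
    return None


def attack_strict():
    """No per-question feedback; cost is the PRODUCT of the search spaces."""
    attempts = 0
    for b in BIRTHDAYS:
        for c in CAR_COLORS:
            attempts += 1
            if reset_strict(b, c) == "ok":
                return attempts
    return None


def hours_to_exhaust(attempts, per_window=5, window_hours=12):
    """Wall-clock time for the attempt budget the thread quotes (5 per 12 h)."""
    windows = -(-attempts // per_window)  # ceiling division
    return windows * window_hours


if __name__ == "__main__":
    print(enumerate_users(login_leaky, ["victim", "bob", "alice"]))    # ['victim', 'alice']
    print(enumerate_users(login_uniform, ["victim", "bob", "alice"]))  # []
    leaky, strict = attack_leaky(), attack_strict()
    print(f"leaky reset: {leaky} attempts, ~{hours_to_exhaust(leaky) / 24:.0f} days")
    print(f"strict reset: {strict} attempts, ~{hours_to_exhaust(strict) / 24:.0f} days")
```

Run it and the two points in the list fall out directly: with uniform failure messages `enumerate_users` finds nothing, and with per-question feedback the reset attack costs roughly the number of possible birthdays plus the number of colours rather than their product. The attempt budget only matters if it is enforced per account; a per-IP limit (the list notes even that is missing) is sidestepped by an attacker with many addresses.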
I keep getting this error when I try to login
Quote:
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, you@example.com and inform them of the time the error occurred, and anything you might have done that may have caused the error.
More information about this error may be available in the server error log.
If you get an internal server error try refreshing the page. Each time I got that I refreshed the page and got the proper page of my account. Hope that helps.
I'm not a security expert, but if your login system has a bug this serious, wouldn't a possible course of action be to lock it down while you try to fix it? (i.e., "We've discovered a bug that, if you log into your account, will randomly erase your account. Until we can track this down, we are taking the account system offline to prevent further corruption.") Yes, it would prevent new people from setting up accounts. And that *might* cost them a few new customers. On the other hand, if my account got compromised and all my characters deleted or something, even though I have done *nothing* wrong, I'd have to consider that might also cost NCsoft a customer.
How would you feel if you found out this bug gave someone else access to your account and when you complained you get told by Customer Support that they are banning your account because they assumed you used an RMT site rather than admit there is something wrong on their end.
After just checking the info that *is* included in my Master account, I'm strongly considering removing my card info and deliberately messing up the contact information *until* this is definitively fixed. And as I said, getting told that I'm being punished for not doing anything wrong would quite likely cost NCSoft a customer and two accounts. I really like this game, but not enough to deal with even the *possibility* of ID theft.
Eh, those are just standard responses for the support staff, pretty much a canned response thing. Really, the 'one warning' thing doesn't so much worry me as how long it's taken for the involved community reps to listen. At this point, I'm just glad that they're finally making the necessary changes. This hasn't impacted the CoH community much because RMT just isn't as big here as it is for GW or Aion, but it's been a little frustrating for people with those types of accounts. As long as NC gets this fixed, banning shouldn't become an issue for people who take the proper precautions.
Changing your password will not solve the problem. The bug is randomly bypassing your login and password and giving another person access to your account when they enter their login and password.
The first point was to raise awareness of the issue. The second was that, out of all the things you can do, changing your password is probably as good at it gets. If someone has gotten into your account through whatever way, changing your password provides just a bit more protection than leaving everything the same.
What the heck... after reading this, I went to https://secure.ncsoft.com/cgi-bin/pl...pl?language=en and tried to log in. I got:
We were unable to verify your login. Either your login information was entered incorrectly, or the account system is currently unavailable. Please check the normal downtime schedule and announcements. If you have a Lineage® II account, you may need to change your NCsoft password. Please use the "Forgot your password?" link to do so. Click here for additional help
www.SaveCOH.com: Calls to Action and Events Calendar
This is what 3700 heroes in a single zone looks like.
Thanks to @EnsonsDeath for the GVE code that made me VIP again!
Just tested mine, and apart from page load lag, got in mine just fine.
Michelle
aka
Samuraiko/Dark_Respite
THE COURSE OF SUPERHERO ROMANCE CONTINUES!
Book I: A Tale of Nerd Flirting! ~*~ Book II: Courtship and Crime Fighting - Chap Nine live!
MA Arcs - 3430: Hell Hath No Fury / 3515: Positron Gets Some / 6600: Dyne of the Times / 351572: For All the Wrong Reasons
378944: Too Clever by Half / 459581: Kill or Cure / 551680: Clerical Errors (NEW!)
Try it again. The issue is that logging in is the buggy part. I was trying it earlier, and got three different results in five tries. Three times I logged into my account fine. Once it bounced with an internal server error, and once it gave me the same message.
I *really* hope they fix this. Like, now.
I read it.
The first point was to raise awareness of the issue. The second was that, out of all the things you can do, changing your password is probably as good at it gets. If someone has gotten into your account through whatever way, changing your password provides just a bit more protection than leaving everything the same.
It seems to me that if a person or group of people are trying to take advantage of this bug, the first thing they are going to do once they get access to some random customers account is change the password so only they have access.
That's going to prevent the real account owner from getting access and give them the time they need to steal whatever info they can. Then there's also the question as to how much time do they need to take a screenshot of your account info? One or two minutes at the most? Once they have it they don't need to come back.
Personally the first thing NCSoft should do is terminate access into the master accounts till this is fixed. Granted it will probably be a pain in the butt to some but at least their info will remain intact. Changing the password does nothing since this is a log in bug, although it does make me wonder how long this has been going on.
Paragon Unleashed Forums
Twitter: @Alpha_Ryvius
I thought the first thing they would do is change out the email addy so you can't use recover password to get back in.
But my point is if someone is getting in the backdoor it doesn't matter what I change my password to, he can get all my personal info right then and there. He has no reason to come back unless he wants log into the game itself and mess with my characters.
For those who have played Guild Wars, there might be some pretty concerning security issues around NCsoft master accounts.
Might be a good time to change your master account password even if you didn't play GW, just in case.