Discussion: New Security Update on NCsoft Master Accounts


aleph_EU

 

Posted

We are increasing our security measures again by setting up additional security questions for all accounts. This enhanced system is part of our ongoing effort to ensure a safe and secure gaming environment for you.

Remember that to keep your account secure you should always use unique passwords that you do not use for email, forums, or websites, and make sure you never provide your personal information on phishing websites. For additional information on security updates, contact Support (North America or Europe).

New Security Feature Added

We will be turning on a new security feature that verifies that you are logging in to your NCsoft® Master Account with a computer authorized by you. To help prevent unauthorized access to your NCsoft Master Account, you will need to confirm your identity when you attempt to log in to a different computer. This new security feature is part of our ongoing effort to ensure a safe and secure gaming environment for you.

How Does This Work?

You correctly answer some additional security questions. Verifying this information authorizes a one-time login. Once your identity is confirmed, you can add a computer to an approved list.

You are trying to log in for a computer that has not been approved by this account. For security purposes, please answer these security questions to verify this computer's use.

Password Hint Questions

Your answers must exactly match those on your account, including the capitalization. These questions must be answered correctly to proceed past the authorization stage and reach your NCsoft Master Account.

What was your first pet's name? [text box] (limit 32 characters)
What is your mother's maiden name? [text box]

If you don't remember what information you entered when you registered your account, please contact Support (North America or Europe).


Support Centre for our English European players
Support Centre for our North American players
Plateforme d'assistance pour les francophones
Support-Center f�r deutschsprachige Spieler

 

Posted

BEAUTIFUL!

Thank you so very much for this!!!!

Big love!

/e sarcasm

Get the number generator thingies instead. I'd love to buy one of those.


Ignoring anyone is a mistake. You might miss something viral to your cause.

 

Posted

I'm not filled with much hope on this as I just accessed my NCsoft account without challenge beyond my username/password. Once there, I searched to no avail for the mentioned settings.

Additionally, no where in my account profile does it have either my pet's name or my mother's maiden name to confirm to.

Even going beyond that, given the frequency that I'm logged out of the forums and the forums rejecting my username/password, how the heck am I supposed to trust this new system to actually work?




Triumph: White Succubus: 50 Ill/Emp/PF Snow Globe: 50 Ice/FF/Ice Strobe: 50 PB Shi Otomi: 50 Ninja/Ninjistu/GW Stalker My other characters

 

Posted

Can we only be recognized on one computer at a time? I have a desktop, a laptop and hopefully an android by the end of the month. Am I going to be challenged everytime I use a different computer to log in to the NCsoft site?


 

Posted

Quote:
Originally Posted by Avatea View Post
What was your first pet's name? [text box] (limit 32 characters)
Hope there's more questions than this. Not a pet owner.


 

Posted

Quote:
Originally Posted by NewScrapper View Post
Hope there's more questions than this. Not a pet owner.
Try an imaginary pet. It doesn't have to be a real thing, y'know!

...Or maybe an in-game pet. Hows about that.


Necrobond - 50 BS/Inv Scrapper made in I1
Rickar - 50 Bots/FF Mastermind
Anti-Muon - 42 Warshade
Ivory Sicarius - 45 Crab Spider

Aber ja, nat�rlich Hans nass ist, er steht unter einem Wasserfall.

 

Posted

Quote:
Originally Posted by Necrotron View Post
Try an imaginary pet. It doesn't have to be a real thing, y'know!
Yeah, I just realized I could use my friend's pet. Must...think...outside...box!


 

Posted

use it as a second password


 

Posted

Quote:
Originally Posted by warden_de_dios View Post
Can we only be recognized on one computer at a time? I have a desktop, a laptop and hopefully an android by the end of the month. Am I going to be challenged everytime I use a different computer to log in to the NCsoft site?
Answer to second question:
Quote:
You correctly answer some additional security questions. Verifying this information authorizes a one-time login. Once your identity is confirmed, you can add a computer to an approved list.
Once you put the laptop, the desktop, and the phone on the approved list, it shouldn't ask you anymore. If it works like the one a bank website would use, for example, it only asks you the first time, because you can tell it to recognize the computer you're using from then on.


Loose --> not tight.
Lose --> Did not win, misplace, cannot find, subtract.
One extra 'o' makes a big difference.

 

Posted

Quote:
Originally Posted by Necrotron View Post
Try an imaginary pet. It doesn't have to be a real thing, y'know!

...Or maybe an in-game pet. Hows about that.
This is actually better than answering truthfully. The harder you can make it for identity thieves, the better. Just make sure that whatever you answer you remember, if it's not the truthful answer.

This goes for other questions like maiden names, birthplaces, etc, as well.


Loose --> not tight.
Lose --> Did not win, misplace, cannot find, subtract.
One extra 'o' makes a big difference.

 

Posted

I hope there'll be more questions, as those are typical of most banks and credit cards. Everyone's using the "good" questions, you know?

Regardless, I've always been pleased with the security NCSoft has offered me to date (particularly my NC master account and game account being able to have different log-ins and passwords), so this is fantastic news. Thank you very much - the safer our accounts are, the better for everyone.


 

Posted

Quick thought: while passwords and challenges are good, they won't necessarily help with keyloggers should someone be unfortunate enough to have acquired one. I heard some games have a virtual keypad where you can enter a 4-digit PIN, and the numbers themselves randomly rearrange themselves after each press.

And, of course, there's that whole physical authenticator thingies (how do those work, anyhow?)... some of the guilds I know for one of those other games require members of a certain rank and above to have one of those (be it the doohicky itself or the app for the iPhone or Android). Not that I'd want that, necessarily (unless a WP7 version was made - I <3 my Focus!).


 

Posted

Why do I recall being asked what street I grew up on and what primary school I went to? In fact, this is definitely what I was asked, because I have it in my password management software as such.

Where can we see these questions and answers in account management?

edit: Found them, they are under the "change password" link.


 

Posted

Quote:
Originally Posted by Psyte View Post
And, of course, there's that whole physical authenticator thingies (how do those work, anyhow?)...
Basically its a little keychain with an lcd screen (or a phone app). The keychain you press a button or the phone you wait 30 seconds and it cycles a long number that is only valid for under a minute. You enter that latest number as a secondary password every time you log in.

When you first enable that security in account management it asks for a serial number from the little device (or one generated and recorded in the phone app) to sort out what the seed will be for numbers to expect (its obviously some complex seed+time formula), then asks you for one or two actual results from the device to confirm you actually have it.

Its only a real pain if you misplace the device somewhere. Among other things it significantly enhances security if you play at a non-home or unsecure location since even if you are keylogged they won't know what number to next expect, so only fast working "man-in-the-middle" attacks are likely to break your account.

Some banks even use these sort of things. I wouldn't mind seeing it done here.


Want better looking NPCs Contacts? Check out this NPC Contact/Trainer/Etc Revision Thread and Index
-
Remember: Guns don't kill people; Meerkats kill people.

 

Posted

Quote:
Originally Posted by Serpine View Post
Some banks even use these sort of things. I wouldn't mind seeing it done here.
I think I heard about that on Clark Howard - even if someone could knab your card numbers (either online or taking a picture of the card), they wouldn't be able to use them without the card itself. I would much rather have that built into my card than that stupid "wave over the sensor instead of swiping!" feature I'm seeing more and more of. Of course, he was also saying the US is quite a bit behind when it comes to credit card security compared to other countries (wish he gave examples of how theirs are better/different).


 

Posted

Quote:
Originally Posted by Psyte View Post

And, of course, there's that whole physical authenticator thingies (how do those work, anyhow?).
Had to use these (well, a variant of them, and not for gaming, no) at Lockheed Martin. Hated doing support there... anyway -

The way I remember it, you had a PIN you created and the key. The key's serial was registered with the server. There's a specific - I hesitate to call it "randomization," really - algorithm that runs in the individual keys, generating a new number every X time frame (30 seconds, 60 seconds, whatever.) The server knows what the number should be, and when it changes (and has a small window of error.) You type in your PIN and the number that shows on the key, the server verifies it and matches the info and either verifies or denies you.

Some did, on occasion, need to be resynchronized, too. Not a hard process, just a bit irritating at LM (play 20 questions, make sure you're asking things they can answer in case they're at a secure facility, etc.)


 

Posted

Quote:
Originally Posted by NewScrapper View Post
Yeah, I just realized I could use my friend's pet. Must...think...outside...box!
Think outside the box, but also think in it - use the name of your first ever MM pet


@Golden Girl

City of Heroes comics and artwork

 

Posted

While this is lovely, I am less worried about someone hacking my NCSoft Master Account, than I am some random NCSoft employee making off with my Credit Card info, or someone hacking NCSoft's database. That's because my CC info Was recently misappropriated and it appears to have been right after re-subscribed at NCSoft.

I am irked at how NCSoft won't let me purchase time when I want to, but insists that They should be in control of when my card is charged. I wanted to take advantage of the Holiday subscription time deal, but the only way I could do so was to essentially 'guarantee' that there would be sufficient money in my account 2-3 months later, when my existing subscription ran out of time. So I missed out on that deal, because I could not actually 'buy' at a time when I had the money to spend.

A keylogger could not have captured my Master Account password, since my password-handling software does that. A trojan on My system could not have captured my CC info, since That is 'on file' at NCSoft. So, the issue is not a lack of security from my end, but a lack of security at NCSoft.

That said, I don't really object to improved security on my NCSoft account - except for the inconvenience factor. I just see this as passing the onus for security to the customer, which allows them to pretend that there isn't a risk and responsibility at their end.

Be Well!
Fireheart


 

Posted

I hope one of the questions isn't "What's your favorite food?"

I'll be hacked in no time!



That blue thing running around saying "Cookies are sometimes food" is Praetorian Cookie Monster!
Shoot on sight, please.

 

Posted

Well... i added two questions/answers...

Lets just hope that this wont start a mess..


** Guardian�s Crazy Catgirl **
************* 22 XxX 10 *************

Yes. I can get lost on a straight-line map.

 

Posted

Quote:
Originally Posted by Ullikummis View Post
I hope one of the questions isn't "What's your favorite food?"

I'll be hacked in no time!
Hahaha...


[center][IMG]http://i1111.photobucket.com/albums/h461/cohroguemagazine/Logos/sig.png[/IMG][/center]
[center][size=1][color=#FF99CC][font=Tahoma] GLOBAL: @Antoinette |[/font][/color][color=#FF99CC][font=Tahoma] MAIN: [/font][/color][url=http://www.virtueverse.net/wiki/Pinkrise][color=#FF99CC][font=tahoma]Pinkrise[/font][/color][/url][color=#FF99CC][font=Tahoma] | SG: [/font][/color][url=http://www.wix.com/netherealist/spitfire][color=#FF99CC][font=Tahoma]The Ethereals [/font][/color][/url][font=Tahoma][color=#FF99CC] | PROJECTS: [/font][/color][url=http://cohrm.wordpress.com][color=#FF99CC][font=tahoma]Rogue Magazine [/font][/color][/url][/size][/center]

 

Posted

Quote:
What is your name?
The Electric-Knight!

Quote:
What is your quest?
To play City Of Heroes!

Quote:
What is your favorite color?
Blue-NO-Yel... AAAAAAAAAAAAHHHHHHHHHHHHHHHHHHH!!!!!!!


@Zethustra
"Now at midnight all the agents and the superhuman crew come out
and round up everyone that knows more than they do"
-Dylan

 

Posted

Quote:
Originally Posted by White Hot Flash View Post
Once you put the laptop, the desktop, and the phone on the approved list, it shouldn't ask you anymore. If it works like the one a bank website would use, for example, it only asks you the first time, because you can tell it to recognize the computer you're using from then on.
My bank has this sytem. I have a Username and a Password that I have to enter. If the computer is not a registered computer, I have to go through the security questions. Once I get through all of that, I click the "Add Computer to Safe List" and enter my Username/Password.

As wonderful as this sounds though, It never remembers both of my computers. Anytime I swicth from desktop to laptop and back again, I have to go through Security Hell for 20 minutes. Eventually, I gave up and dedicated just my laptop to do all my banking on.

If this is how the PlayNC System works, then to hell with it. Like Snow Globe said, I hope it works better than the forums here. We all know what a piece of ... they are.


Comic and Hero/Villain Culture
Saturday January 29th, 2005 (12:37 PM) ~ Monday August 9th, 2010
Those Who Lived It Will Remember Long after your Ban Hammer Crumbles and the servers flicker dead.
We Will Remember This One Moment In Time! ~ Shadow Ravenwolf

 

Posted

No, no, no, no... Geez... where to begin?


As Ullikummis so mercifully points out above, security questions are NO EXTRA SECURITY for determined hackers who have a buck to make -- like those who'd hack an account to steal all your goodies to sell for cash. If you can guess or brute-force someone's password, guessing the answer to their security question is VERY LITTLE EXTRA EFFORT. Once they've read your facebook page to figure out your Dog's maiden name or your grandmother's breed or whatever, they can add their own computer to the 'authorized' list with no effort.

Yeah, a lot of banks use this and NO IT IS NOT ANY MORE SECURE. Some security folks call it 'Wish it was two factor'. It is NOT.

REAL Two Factor Authentication requires A) Something you know, and B) Something you have, or C) Something you are, such as quality biometrics like retina or voice scans. This is a password -- something you know-- and a secret challenge/response-- also something you know.

This change offers very little extra protection for vulnerable accounts. If you want to give us REAL two-factor account protection, pony up for a fob system. This gives you the B) something you have, and is recommended in the federal guidelines for bank security.

The RSA system is, relatively speaking, very cheap to implement, and the fobs cost about $7 each in bulk. I'd buy one in a heartbeat.

Seriously, NCSoft, just like the banks who implement this crap, you are doing your customers a severe disservice. Not only are you making them jump through extra hoops for no benefit whatsoever, but you are also ensuring them that your service is more secure than it really is.