Discussion: New Security Update on NCsoft Master Accounts


aleph_EU

 

Posted

Quote:
Originally Posted by Falke View Post
At first I was surprised that this thread isn't longer. But people don't log into their master accounts every day. Half my SG didn't even notice it yet. But they will and this crap will get worse and worse. I can not believe what an amazingly bad move this was. Stop making people send tickets and just fix the stupid login!
Quote:
Originally Posted by Jordan_Yen View Post
I wonder how much this is costing them.
I haven't touched mine yet. I am soon leaving on a 6 month desert vacation and have a sneaking suspicion that when I get back and want to apply (enter new perk pack name here) code that my account will then be locked out for this problem because they haven't fixed it.

I'm making sure I am subscribed to this thread so I can reference it later. Hopefully the forum software doesn't magically eat it.


 

Posted

Well, I was able to squeak by on my tries. I didn't opt for the standard Mother's Maiden Name, or Your first Pet, blah blah. Although, Mom was Maiden America and my first pet was a pig named Vittles. I had problems with the Captcha and the capitalization/punctuations.

I hope for the best for everyone out there having issues.


Comic and Hero/Villain Culture
Saturday January 29th, 2005 (12:37 PM) ~ Monday August 9th, 2010
Those Who Lived It Will Remember Long after your Ban Hammer Crumbles and the servers flicker dead.
We Will Remember This One Moment In Time! ~ Shadow Ravenwolf

 

Posted

Quote:
Originally Posted by Wanted_NA View Post
Plus, I'm on a DSL connection that provides a Dynamic IP address. Which means every time I connect I get a different IP address. Which means...every time I want to log in my master account I have to re-verify myself because I'm using a different IP address. Which makes this whole thing even more ridiculous.
Not...QUITE correct. Not "every" time. While your IP address is still dynamic (randomly assigned), leases tend to be quite long and lease renewals keep you on the same address. You could, conceivably, go for months on the same IP address.


I do, however, agree that the NCSoft site needs some major work on its functionality, as the framework they have in place right now could, at best, be charitably described as "***-tastic".




 

Posted

That non-toll free phone number they provide for billing support is no help either. Who is gonna call long distance just to be put on hold for who knows how long?


 

Posted

Quote:
Originally Posted by Zombie Man View Post
UPDATE:

I was asked to provide these:
-- What first and last name did you use when you created the account?
-- What physical address did you use when you created the account?
-- What date of birth did you use when you created the account?
-- What are the 20-digit serial codes for all games you added to the account?
-- What is the Unique Account ID for all the game accounts you added to the account? (This was sent to you via e-mail on the date your game account was activated with a subject header of 'Game Account Activated'.)
-- Original billing information: If activated using a credit/debit card, please provide the last 4 digits of the credit card used ONLY. If activated using a game time card, please provide the 20-digit game time card code used to activate the account. If activated using PayPal®, please provide the Transaction ID or the Invoice ID associated with the original activation purchase.
The only one I didn't have was the original Unique Account ID because, you know, SEVEN YEAR OLD EMAILS.

I gave them 10 serial codes for my two accounts. There's more, but, I figured that should be enough.

I get the email back:
At this time, we would like to assist you with logging into this account as an exception. For future inquiries, you may be required to provide additional information to verify ownership of this account.
Thanks? As an exception? Is that a veiled threat you won't help me again unless I pony up everything you asked for?

So, they cleared the passphrase question.

I go to my Main Account. The challenge page has just Date of Birth and the Captcha.

And I keep being told I have the wrong information.

I think I know my DoB. I've entered it into my Master Account at least 50 times with all the purchases I've made.

Well, I sent another email back saying I still can't get in. We'll see what happens.


BTW: All the information they asked for to verify who I am could be found in a hacked email account. If they're only going to verify ID based on access to an email account, they could have done what is the industry standard: sent a new password to my email account.

Tell you what, let me use my credit card information to 'buy' access to my account for $0.00. Then you'll know it's me. At least my credit card company can remember what my date of birth is.

Dear Mods: Can you please pass on my feedback to the people who made these changes: "Sheer idiocy and gross incompetence."
UPDATE:

I received by email a link that allowed me to reset my Main Account Password and give the answers to two new challenge questions. I then had access to my account.

Then I tested it: I logged out. Put in my account name and the new password and got this error message:
You cannot login to this account from your current location at this time. If you believe this to be in error, please contact Customer Support.
I tried clearing all NCSoft cookies... nope.

I clicked on 'forgot password' and then correctly answered the two challenge questions and a Captcha to get an email with a new password. I cut and paste that password into the login screen... nope.

I believe that when the system locked my IP out for too many attempts previously, that that lock out still continues. I sent support another email about this. We'll see.

And Mods: My feedback on this remains the same.


Speeding Through New DA Repeatables || Spreadsheet o' Enhancements || Zombie Skins: better skins for these forums || Guide to Guides

 

Posted

You know what is sad? Why is it we get a confirmation email saying that someone tried to login to our master account but could not prove their identity "If this was not you please contact NCsoft" blah blah blah....buuuuut how about giving us an IF THIS WAS YOU OPTION also so our IP address could then be unblocked and we could try again. Oh....WAAAAY too logical?

How the hell are we supposed to remember all the serial codes and access keys (other than retail) when that information was stored.....IN THE FREAKING MASTER ACCOUNT!

Can you tell I'm frustrated....


- Bow to the Reaper of Souls
- 68 Unique Characters / Fifteen Level 50s & Counting! Damn you alt-itis!!!!!!!

 

Posted

So... I am completely locked out of my account because I can't remember my answer to my hint question I made, I don't know how long ago. So, now what do I do... to erase my credit card info so NCSOFT doesn't charge me for a game or games I have no control over?


 

Posted

Quote:
Originally Posted by Wanted_NA View Post
This is pointless, in no way "secure", and simply stupid. It doesn't increase the security, it's simply a huge pain in the rear every time I want to log into my master account. I made this account over 5 years ago, and I've no idea what information is entered in there or what security answers are there. I had to bat with the support back and forth for 5 days to finally get my account unlocked.
Their requests to unlock your account for you are simply ridiculous. They're assuming that in all these years I'm still using the same e-mail and the same credit card. Even if I still am using the same e-mail, I'm not going to be keeping e-mails from all that long ago....Just, lol.

Plus, I'm on a DSL connection that provides a Dynamic IP address. Which means every time I connect I get a different IP address. Which means...every time I want to log in my master account I have to re-verify myself because I'm using a different IP address. Which makes this whole thing even more ridiculous.

No, just no. Take this back, I was happy that way it was. "More security" yeah...right. This is just "more pain in the butt".
Your dynamic address is not so dynamic. Carriers assign "blocks" to each region so they can track better. NCSOFT filters on blocks not specific IP addresses. The security will become valuable when someone hacks your accounts and tries to be you/or the card owner.

I hate to say this but make your challenge questions something you can answer. I put mine in all lower case so I'm not having to be "perfect" 10 years later. I feel bad for people who have someone else paying for their accounts but I don't have a solution....maybe go talk to "Big Papa?" I'd rather this than to have to buy a stupid sync token.


 

Posted

I've spotted a different problem with all of this. In addition to the really bad security change.

It appears that 7 years ago you could enter a Password Hint that I suppose would be sent to you or prompt you for use or something. It wasn't the list of standard questions but just a hint.

I know this because just now when I tried to login the thing gave me a Password hint, my birthdate, and a captcha.

The problem is that the Hint is on the left side and is clearly just that the mnemonic hint to trigger memory of my password. I.E. THERE IS NO CORRECT RESPONSE TO IT BECAUSE THE STUPID THING ISN'T ASKING ME A QUESTION!

Grrrr.

I could probably guess the answer to most things except maybe pet, 7 years ago I can't remember what I might have used, I've changed my standard answer to that question since. What, you answer those questions truthfully? What is wrong with you? I have a standard list of false answers I use for those stupid false security questions.

So anyway if your account is old enough you could be screwed on this.


But it's MY sadistic mechanical monster and I'm here to make sure it knows it. - Girl Genius

List of Invention Guides

 

Posted

Quote:
Originally Posted by TerraDraconis View Post
I've spotted a different problem with all of this. In addition to the really bad security change.

It appears that 7 years ago you could enter a Password Hint that I suppose would be sent to you or prompt you for use or something. It wasn't the list of standard questions but just a hint.

I know this because just now when I tried to login the thing gave me a Password hint, my birthdate, and a captcha.

The problem is that the Hint is on the left side and is clearly just that the mnemonic hint to trigger memory of my password. I.E. THERE IS NO CORRECT RESPONSE TO IT BECAUSE THE STUPID THING ISN'T ASKING ME A QUESTION!

Grrrr.

I could probably guess the answer to most things except maybe pet, 7 years ago I can't remember what I might have used, I've changed my standard answer to that question since. What, you answer those questions truthfully? What is wrong with you? I have a standard list of false answers I use for those stupid false security questions.

So anyway if your account is old enough you could be screwed on this.
Read the question and answer the security question in front of you if you want to play the game, youngling. You're making this way too hard. Select the correct date from the dropdown menus and hit "enter." Can you remember your birthday? If not, go ask the cardholder.


 

Posted

Quote:
Originally Posted by Zombie Man View Post
UPDATE:

I received by email a link that allowed me to reset my Main Account Password and give the answers to two new challenge questions. I then had access to my account.

Then I tested it: I logged out. Put in my account name and the new password and got this error message:
You cannot login to this account from your current location at this time. If you believe this to be in error, please contact Customer Support.
I tried clearing all NCSoft cookies... nope.

I clicked on 'forgot password' and then correctly answered the two challenge questions and a Captcha to get an email with a new password. I cut and paste that password into the login screen... nope.

I believe that when the system locked my IP out for too many attempts previously, that that lock out still continues. I sent support another email about this. We'll see.

And Mods: My feedback on this remains the same.
I was curious and I tried this (I too received the one-time link to reset my account after being locked out) and also on my laptop (diff location) and in both instances it worked without a hitch. Not sure why this is working for some and not others but I've had my indifferences with support but with this (account security) it seems spot on.


www.paragonianknights.com
Prestige Award
My DA page

@Fire Chief

 

Posted

Quote:
Originally Posted by Residentx10 View Post
Read the question and answer the security question in front of you if you want to play the game, youngling. You're making this way too hard. Select the correct date from the dropdown menus and hit "enter." Can you remember your birthday? If not, go ask the cardholder.
You are not understanding me. There is no security question. I am serious about this essentially I have this.


Tree - Box to type answer into. [and no tree isn't the word]
Birthdate - Boxes to answer in.
Captcha.


It isn't asking me a question. The "Tree" question above would be the correct word to be my password hint. The problem is that the only correct response to "Tree" is my password. Not anything else. Thus the part above where I mention that they must have once had it setup to prompt for a real Password Hint and not one of the fake security questions.


But it's MY sadistic mechanical monster and I'm here to make sure it knows it. - Girl Genius

List of Invention Guides

 

Posted

Quote:
Originally Posted by Fire_Chief View Post
I was curious and I tried this (I too received the one-time link to reset my account after being locked out) and also on my laptop (diff location) and in both instances it worked without a hitch. Not sure why this is working for some and not others but I've had my indifferences with support but with this (account security) it seems spot on.
The logic failure is that you didn't authorize before you did the reset. You have to contact NCSOFT now.


 

Posted

Quote:
Originally Posted by TerraDraconis View Post
You are not understanding me. There is no security question. I am serious about this essentially I have this.


Tree - Box to type answer into. [and no tree isn't the word]
Birthdate - Boxes to answer in.
Captcha.


It isn't asking me a question. The "Tree" question above would be the correct word to be my password hint. The problem is that the only correct response to "Tree" is my password. Not anything else. Thus the part above where I mention that they must have once had it setup to prompt for a real Password Hint and not one of the fake security questions.
I did this yesterday and it worked. This is what you got right?

http://jumbofiles.com/1jtkpfe6q73p
http://jumbofiles.com/1jtkpfe6q73p/N...CSOFT.png.html

Hit verify (below) after you key in the answer


 

Posted

Quote:
Originally Posted by Residentx10 View Post
I did this yesterday and it worked. This is what you got right?

http://jumbofiles.com/1jtkpfe6q73p
http://jumbofiles.com/1jtkpfe6q73p/N...CSOFT.png.html

Hit verify (below) after you key in the answer
No as noted I have one more line than you do.

I have the line with A WORD and A BOX above the birthdate line.

The problem is that the word is obviously my password hint. It is not a question. So far leaving the box blank and putting the word in it haven't worked. I wonder if maybe I should just type Password Hint in the box? Anyway it clearly is my password hint and not a security question.

The problem I think is that the hint is stored with my security info and the script they are using to generate the check is grabbing it out of the file and then getting confused by it. I.E. this is a bug with their new system not meshing with something they did 7 years ago.

Note:
Just to be clear when I say it is my hint I mean like this. If the word was Tree, and it isn't, my password might be something like Silmarillion, which is a tree. And for the record my password isn't that simple but the word still works as a mnemonic to determine what it is. And the word isn't tree.


But it's MY sadistic mechanical monster and I'm here to make sure it knows it. - Girl Genius

List of Invention Guides

 

Posted

Quote:
Originally Posted by TerraDraconis View Post
No as noted I have one more line than you do.

I have the line with A WORD and A BOX above the birthdate line.

The problem is that the word is obviously my password hint. It is not a question. So far leaving the box blank and putting the word in it haven't worked. I wonder if maybe I should just type Password Hint in the box? Anyway it clearly is my password hint and not a security question.

The problem I think is that the hint is stored with my security info and the script they are using to generate the check is grabbing it out of the file and then getting confused by it. I.E. this is a bug with their new system not meshing with something they did 7 years ago.

Note:
Just to be clear when I say it is my hint I mean like this. If the word was Tree, and it isn't, my password might be something like Silmarillion, which is a tree. And for the record my password isn't that simple but the word still works as a mnemonic to determine what it is. And the word isn't tree.
I state my prior reply, Answer the question(s) in front of you if you want to play the game, Girl Genius...


 

Posted

Quote:
Originally Posted by Residentx10 View Post
I state my prior reply, Answer the question(s) in front of you if you want to play the game, Girl Genius...
What part of there is no valid question don't you get?

The stupid thing is asking me A WORD. The only valid answer to the thing is my password. What part of it being A SINGLE WORD are you not understanding?


It is not asking me a question. I'm fairly certain this is a bug because what it is displaying as a question is clearly my password hint from 7 years ago.


But it's MY sadistic mechanical monster and I'm here to make sure it knows it. - Girl Genius

List of Invention Guides

 

Posted

Quote:
Originally Posted by TerraDraconis View Post
What part of there is no valid question don't you get?

The stupid thing is asking me A WORD. The only valid answer to the thing is my password. What part of it being A SINGLE WORD are you not understanding?


It is not asking me a question. I'm fairly certain this is a bug because what it is displaying as a question is clearly my password hint from 7 years ago.
I just told you what I did yesterday to successfully be authorized. Key in your birthdate and the captcha and hit verify/enter. Is NCSOFT paying you to be a bug tester? You set up the password challenge answer/box, if you can't remember it...then you don't get authorized.


 

Posted

Quote:
Originally Posted by Residentx10 View Post
I just told you what I did yesterday to successfully be authorized. Key in your birthdate and the captcha and hit verify/enter. Is NCSOFT paying you to be a bug tester? You set up the password challenge answer/box, if you can't remember it...then you don't get authorized.
I tried what you said and it doesn't work. I've left the box blank.

No I didn't setup that as a password/challenge. Why? Because the word is clearly the hint for my password. And the only correct response to the word is my password. I am fairly certain that 7 years ago when I setup my account I did have an option to set a password hint. The problem is that the new system appears to not be handling it correctly. This is I am fairly certain a bug in the way their system is working. Probably because each of the games and game systems used different criteria for setting them up over the years.


But it's MY sadistic mechanical monster and I'm here to make sure it knows it. - Girl Genius

List of Invention Guides

 

Posted

Quote:
Originally Posted by TerraDraconis View Post
I tried what you said and it doesn't work. I've left the box blank.

No I didn't setup that as a password/challenge. Why? Because the word is clearly the hint for my password. And the only correct response to the word is my password. I am fairly certain that 7 years ago when I setup my account I did have an option to set a password hint. The problem is that the new system appears to not be handling it correctly. This is I am fairly certain a bug in the way their system is working. Probably because each of the games and game systems used different criteria for setting them up over the years.
I encourage you to go to a different computer and authorize. You don't need the game client installed to do this. Maybe the questions will be different. Log in here, www.ncsoft.com.
Then go reboot your other computer and try again. Try a different browser if you insist on staying on the same computer. I have to use firefox on cohtitan for things to work correctly.


 

Posted

Quote:
Originally Posted by Tyranny_NA View Post
You know what is sad? Why is it we get a confirmation email saying that someone tried to login to our master account but could not prove their identity "If this was not you please contact NCsoft" blah blah blah....buuuuut how about giving us an IF THIS WAS YOU OPTION also so our IP address could then be unblocked and we could try again. Oh....WAAAAY too logical?
Look at the HBGary Federal attacks. One of the methods they used was social engineering using a trusted e-mail account.

So, if someone breaks into your mail account, browses through your old mail, and decides to take a run at your NCSoft account, you want them to be able to auto-authorize them?


I'm gonna go with a <JRANGER>NO</JRANGER> on that.




 

Posted

Quote:
Originally Posted by Residentx10 View Post
The logic failure is that you didn't authorize before you did the reset. You have to contact NCSOFT now.

huh? lol I said it worked and yes the only reason I got the link from support was because I did get locked out and yes I did contact support first.


www.paragonianknights.com
Prestige Award
My DA page

@Fire Chief

 

Posted

It's not going well for me either. After finally realizing that I had to create a new email account in order to send in a message to support they send me back a very unhelpful reply asking for more information which I made clear I don't have already and wanted to know if I had access to my other email account that their own system doesn't seem to recognize. I think I may be done with NCsoft for good.


 

Posted

Quote:
Originally Posted by Rajani Isa View Post
They want all, but if you send them what you can they can still help.

Also, not sure if it will help, but try including the last four of your current card if you remember when you changed it.
For the record, I sent them all the info (master account name, real name, postal address, birthday, 16/17 serial codes attached to my account, UID, and the last 4 digits of the credit card used to start the account). I got the reset.

I promptly copied the information, as well as screenshots of my serial codes, to a secure thumbdrive with an encrypted hidden partition that I don't keep around my computer.

If anyone else manages to find the thumbdrive, extract the password, and find the appropriate files, then I say they deserve the information as there is nothing I can do to protect myself from them.

Quote:
Originally Posted by GadgetDon View Post
(1) We're not dealing with military secrets here, we're not dealing with social security numbers or bank accounts or credit cards. For some people, the concern about their characters may be as high as their social security numbers or bank accounts or credit cards, and an option to require high security to enter the master account is. For most people, though, it's just an additional senseless hassle. And so the question is, when does the hassle become more than the value of what we're getting?
I'm paranoid about my security, but at this point this has gone beyond "reasonable". This WILL affect my decision when my renewal comes up as to IF I want to renew or find a new game company that wants my money. At this point, I don't feel that NCsoft really does want my money.

Black Pebble, Avatea, and Beastyle, please let the management at NCsoft know that the NCsoft brand is now forever tainted in my eyes due to this incident. Instead of inspiring trust, this fiasco has robbed all trust I had towards NCsoft.

The captcha is likely issuing false negatives. While players might actually be entering correct information, the captcha is likely falsely claiming that incorrect information is being sent. This leads me to think that the web programmers are not doing their jobs in making sure of that.

Quote:
Originally Posted by GadgetDon View Post
(2) It's still simple text. Vulnerable to phishing attempts, vulnerable to keyloggers, potentially vulnerable to traffic watching. Worse, it's presented as "real world information" for which the right answer could be determined through facebook/twitter/other sources. Yes, really security conscious people could provide false answers, but most people AREN'T really security conscious.
Agreed, it is less secure now than it was before.

Quote:
Originally Posted by GadgetDon View Post
(3) You're dealing with humans. Humans really, really, really hate passwords, which is why most passwords are pretty simple and pretty breakable. They have pretty bad memories, and this system is particularly finicky (Was it Boston, Boston Parkway, Boston Pkwy, Boston Pkwy.? Did I use caps or not). Barring the minority of people with superior memories, humans respond by writing down passwords giving a single source of failure. One person had them stored in gmail - which doesn't have this level of security.
Yeah, I recorded my password. I just did it in a secure method. A MORE secure method than NCsoft could ever hope for. Unless the snoop had physical access to the thumbdrive, the access code for the encrypted partition, and desire to go through all that hassle just to get at my game account, I think I'm pretty safe. I don't even have to use a keyboard to copy the responses, so I don't have to worry about a key logger.

Quote:
Originally Posted by GadgetDon View Post
So they're putting paying customers through a lot of hassle that, in the end, will offer little extra security but probably future hassle. There's a term for that. "Bad choice". Particularly since there's always other things people could be doing with their money.
I can't think of anything really to add to this.

Quote:
Originally Posted by GadgetDon View Post
BTW, one thing I want to make clear, and I suspect most people in this thread would say the same thing.

Once I got to a real human, the support person was very helpful, acted quickly and professionally in spite of being, I'm sure, under as much stress and frustration as I was. From all the experiences I have with NC Soft support, the amount of respect I have for them even exceeds my disapproval and disgust at the brain-dead idiots who pushed this system through without apparently either forethought or concern about the results it has had for the customers.
Even though I used the support site (I didn't lock out my IP address), I have to agree. Even if it took a couple days to respond.

Quote:
Originally Posted by Residentx10 View Post
I encourage you to go to a different computer and authorize. You don't need the game client installed to do this. Maybe the questions will be different. Log in here, www.ncsoft.com.
Then go reboot your other computer and try again. Try a different browser if you insist on staying on the same computer. I have to use firefox on cohtitan for things to work correctly.
Resident, you are not actually reading what TerraDraconis is saying.

When he signed up for his account, he put in a password, but didn't put in any security questions. However he did put in a password hint line (not a security question).

It probably looked like this:

Enter a password: [_____________]
Re-enter your password: [_____________]
Enter a password hint: [_____________]

NOT THIS:

Enter a security question: [_____________]
Enter the answer to the security question: [_____________]

And what TerraDraconis is saying has happened is that the site is using the password hint field instead of the security question.




Triumph: White Succubus: 50 Ill/Emp/PF Snow Globe: 50 Ice/FF/Ice Strobe: 50 PB Shi Otomi: 50 Ninja/Ninjistu/GW Stalker My other characters

 

Posted

I wanted this in its own post so it wouldn't get lost:

These security changes have had the opposite effect than intended. I am NOT feeling more secure about my account information, I'm feeling less secure due to the new security.

The reasons are:

  • It was done in such a ham-fisted manner.
  • It is easier for someone to hack my account with a mobile phone than it was for me to gain legitimate access via my computer.
  • It took place during a loyalty drive with little warning.
  • It treats paying customers as criminals.
  • It uses my IP address, which can change.
  • It doesn't give me the choice of security questions.
  • It is in plain text.
  • It didn't show justification for the need.
  • It will lock out LOYAL customers that can't provide the "right" information.
These points need to be addressed in this month's Producer's Letter, or by the head of the security team at NCsoft.




Triumph: White Succubus: 50 Ill/Emp/PF Snow Globe: 50 Ice/FF/Ice Strobe: 50 PB Shi Otomi: 50 Ninja/Ninjistu/GW Stalker My other characters