Discussion: New Security Update on NCsoft Master Accounts

I had apparently created my own security questions... One being a rather cryptic riddle!
Fortunately, being the creator of it, that one I answered correctly on the first go (after a moment's pause of consideration)...
However, the birthday question... I got wrong 3 times... Haha...

Thanks for the advice--I'm always of the opinion that jumping right in and getting something done, vs. waiting, is the better decision to make. Here we go!

Well, I can't access my account. The questions I got were: "What town were you born in?" and "What street did you grow up on?"

So I'm pretty sure that I'm right, and PlayNC is really, really wrong.


EDIT: Oooooooookay. I just typed something in randomly, and my account is now verified. I think I'm scared.

I have come to believe that this all must be some preemptive elaborate April Fool's joke that has gotten out of hand. As many other posters have experienced, once I finally got customer support to believe I wasn't a criminal they sent me that link to change my password and security questions but of of course as soon as I do then log out and back in to test it I get the error messages and no matter how carefully I fill out the CAPTCHA form (I know I had the answers to the security questions right!). Feeling suicidal I went ahead and tried it five times but failed each time and got locked out of my account yet again.

There's no way I can remain a customer if they don't roll this back. It's just too much stress and hassle in order to play a silly game.

Probably shouldn't mention that I never had any limit on the number of attempts I made to guess the passwords and capcha information. Though I will say it was waaaaay more than five. Possible in excess of ten.

Zombie Man I want to thank you for having a clue about what is happening. I've just sent your post link about IP blocks to support.

I spent 20 minutes (8th in the queue) on an INTERNATIONAL phone call to get this mess sorted the day it hit and I was locked out of my second account. I got a reset link, I changed my info and I THOUGHT all was sorted. The chap on the phone was lovely and very helpful.

Except, I'm STILL locked out! Presumably because of this IP block.

I've just tried to ring NCSoft; 28th in the queue. So I've just tried to update the support ticket. Now my worry is without speaking to someone they'll get the wrong account and bork my main account as well.

This entire farce of a 'security update' was:
* predictable
* avoidable
* badly planned
* badly implemented
* deserving of an apology to every customer of yours

I honestly cannot believe that anyone with an IQ above their shoe size could possibly have thought this would be either a good idea or a good way to implement this. I sincerely hope someone is getting sharp words in their ear about it. If not I'd be delighted to do so. I'd even willingly pay for that International phone call.

This is not directed at the messenger, but dear messenger, please do pass this sentiment along to those to whom it pertains:

Today I logged into city of heroes, and in the launcher I saw that there was a new costume pack (I'm a sucker for these item mall things). So I go to my account to take a look at it, and in all likelihood buy it.

I log in like normal, and then... ok, there's a new security screen. God I hate these things, but whatever, it all looks like information that I know. So, I enter in the correct information. And then I eye the CAPTCHA icon with disgust... perhaps I'm an oddball, but I find that thing to be nearly unintelligible (and the audio version is actually worse). So, realizing there may be a lockout, I take my time and make very certain that I have my captcha letters entered correctly. I submit...

Wait, wrong information? Ok, I'll try this captcha thing again here... re-enter all my information, be super careful with the captcha letters... submit

And ...wrong again? So I try yet a 3rd time to get this stupid captcha thing right, on my 3rd try I am absolutely certain I got it right... so I submit...

Wrong again. What? How? Ok, maybe there's something wrong with my secret question info? I look carefully at the question... It's not asking for a mother's maiden name or a pet's name, it's a custom question which I recognize as one of my own. I know what the question is, and what it is asking for, and it's deliberately cryptic, yet surprisingly simple. I *KNOW* the answer, but... it's not working. Is there an extra space in there? A capital letter I'm getting wrong? I don't know. So I try a slight variation on my answer... and fight with the captcha thing again.

Yes, it fails. So, I try another slight variation, fight with the captcha thing...

failed again. and now I'm locked out of my NCsoft master account.

Mind you, I am IN CITY OF HEROES, STANDING AT WENTWORTH's, but I am apparently not me, and cannot access my master account. I know what my secret question is asking for, and I have no idea why it's refusing my answer.

OK, fine... I'll go through the customer support nightmare...

Not being the dullest crayon in the box, I check the stickies and such at the support page before trying to contact support. And I find this:
__
Subject:
I know my NCsoft master account password but cannot answer hint questions in order to authorize my location.

Question:
Here is my account information:
NCsoft master account name: ENTER ACCOUNT NAME HERE
First and last name: ENTER FIRST AND LAST NAME HERE
Physical Address: ENTER POSTAL MAILING ADDRESS (not e-mail address) HERE
Date of birth: ENTER DATE OF BIRTH HERE
Serial codes/access keys: ENTER CODES/KEYS HERE
Unique Account ID(s): ENTER UNIQUE ACCOUNT ID(s) HERE
__

I read it.
Then I read it again.
Then I took a deep breath, went and got myself a glass of water, and read it a third time.

- master account name: no problem

- first and last name: not sure actually, whether it was myself or my spouse who set it up originally, i mean this was like 6 years ago... but hey, i can put both names, right?

- physical address: what on earth? I didn't think that NCsoft even had that on file... well I guess they do in their credit card validating information, but if I never selected the option for NCsoft to save that information, then how would they have it? Again, I have two possible answers, an actual address or a PO box, no idea which, maybe I can just list both?

- date of birth: I'm pretty sure I know this one... however, your date of birth is actually a huge security risk, it can be used with other information to generate your social security number, and it is strongly advised that you do not put that information on the internet. So it's possible that I put in a fictitious date of birth... or maybe not... I did mention this was 6 years ago right? I typically only use one fake date of birth though... so again, can I list 2 answers?

- security codes/access keys: I used to be one of those people who saved all of their boxes, receipts, etc. But I've gotten hip to this whole digital age, and I don't actually have my original box with my 25 digit CD Key... for city of heroes, or aion (got that on steam?), or guild wars (haven't played that in years, don't care), and all of the expansions, content packs, etc? That's a list of codes as long as my arm, many of which I never saw the actual code for (online purchased packs don't show them)... But it's no big deal, I can download the patcher/client from nc soft if I build myself a new computer, and I know the account name & password for both the game and the master account, and all my codes are stored happily in there... right? That's how I've been using NCsoft games for YEARS NOW. So frankly, on the issue of access keys, I have no F'ing idea.


ADD to this experience, the fact that I have a dynamic IP address. And NCsoft has gotten some kind of idiotic notion that an IP address is a real place that never changes. So if this security system stays in place, I will likely have to go through this process over, and over, and over, and over, and over, every time my ISP feels like rolling my IP addy to a new one.

*Deep breath*

I have not called customer support yet, because I don't trust myself to avoid biting the head off of whoever answers the phone right now.

I have played city of heroes for a long time. I love the game, I truly do. I have the 57 month badge, I'm not sure how long exactly I've been playing, but somewhere between 57 and 60 months. I "frequently" brag about the design & interface ideas that went into city of heroes, on other sites, even other game sites, and frequently encourage old CoX players to come back and check the game out again, as it's changed a lot over the years. city of heroes is my favorite mmo, ever. And even when I don't play it regularly, I keep the account open, and funnel $30/month into NCsoft coffers.

I am not speaking as a disgruntled kid who is mad because their character class got nerfed or something. I'm speaking as a very loyal paying customer who feels as though they've had their account hijacked BY NCsoft.

I'm playing the game, right now. I am looking at the automated emails from ncsoft about how I'm not really me, in my email inbox, right now. I know the full 16 digits of that credit card which they only show the last 4 digits of, and the security code on the back. But I can't access my master account because: my secret question is messed up somehow, and my IP address is now banned.

And, all I wanted to do, was purchase the the new beast pack.

ARE YOU F'ING KIDDING ME?

I don't have all of the information they're asking for. Sure I can play the game, but if I can't access my own account, then we're not actually having commerce, they're taking my automated payments, and I have no method of adjusting that, except to call my credit card company and tell them to block payment to NCsoft because they are charging my account fraudulently.

And ultimately, what kind of security are we getting for all of this? A second password, really? That and an exercise in frustration with that stupid CAPTCHA thing, and possibly more calls to customer support, every time my IP changes?

This isn't a 'difficult implementation'.
This isn't a 'rough patch'
This isn't a 'need to iron out some bugs'
This isn't a 'hiccup'

This is completely and totally f'd up from concept to implementation. This security implementation is absolute hogwash. My grandmother could implement a security fix better than this, and she's been dead for 15 years.

At my place of work, a screw-up of this magnitude would result in someone being fired. That's not an exaggeration simply because I'm upset, it's the truth. NCsoft as a corporation has 2 (TWO) simple ultimate goals as a company. To retain customers, and entice new ones, to make money. This security implementation does more to harm those basic goals than if someone deliberately set fire to the ncsoft offices. There will be thousands, perhaps tens of thousands of legitimate players, who will be locked out and not have the information they need to get back in. This is a mistake which will deeply affect NCsoft as a viable game company, affecting profits in the short term as people's only means of adjusting accounts is now to blacklist ncsoft at their bank. And affecting long term customer loyalty in the most horrid ways. As corporate mistakes go, this is not an "Oh, did we make an oopsie?". This is a "dear god, what were you thinking!?? clean out your desk! Now!"

god, do you people (ncsoft) even realize that if enough people have to stop payment through their credit card or bank instead of their game account, that financial institutions will start blacklisting NCsoft as a fraudulent corporation?

So yeah, another line of thought... NCsoft makes it difficult to get into your account management on the exact same day that Rift launches... I want to think that's a coincidence. I really do. I sincerely hope that this isn't what they were thinking when they created this mess. Because trying to handcuff people to their game subscriptions will cause people to call their financial institution and stop payment, and never 'ever' buy from ncsoft again. I'd really like to think that this is JUST the stupidest security implementation I have seen in 25 years of computing, and not something more deliberately calculating..

In theory, the customer support line is open right now. But I'm not going to call for two reasons. One, I simply do not have all of the information they apparently will want to have. And two, even though I'm known for having a calm demeanor and a cool head, I don't think I could speak with customer support right now and remain civil.

Honestly I don't know if I will ever call customer support. This security debacle is a such a complete mess, I am really truly tempted to just bail out on NCsoft entirely. This isn't a "omg i got killed in the pvp zone too much, i are nerf, make me better or i quitz!". This is a loyal, long term, calm, adult, ncsoft-friendly consumer, who has been a practical recruiter for ncsoft games, especially city of heroes. And I'm really really unhappy.

I'm going to go away now, and check back in a few days, or weeks. I have way too much stress in my actual life right now to be dealing with this kind of BS in what is supposed to be my escape from the stresses of real life.

NCsoft you need to fix this. "you"
Or I need to stop paying $30 a month for games, since I'm not me after all..

It keeps getting better. When I did finally break down and call the customer support phone number I got a recorded message saying that they won't deal with people getting locked out of their accounts over the phone. I really have stopped being angry at this point and am just admiring the totality of the clusterfrak. Think there's any chance NCsoft will pay for my long distance charges?

Well I've gone ahead and filed a bug report on the password hint showing up as the challenge portion of the challenge/response for the initial verification. It will be interesting to see what actual response if any I get to that.

Clearly it stored the password hint in line with the challenge response and the new system can't tell the difference between the one and the other. ::sigh::

ie.

Password Hint -
mothers maiden name - a name, number of some answer
your highschool - an answer of some kind.
Your pets name - an answer of some kind.

I could be wrong and the Password hint could be after the Challenge/Response info, but its in there on one side or the other and the delightful "security" software can't tell that it isn't a challenge.

Ah well, I obviously didn't need my account. I mean I've only had it unbroken for 7 years.

Was able to ask for a security reset after missing the first one-time 24hour window one.**

This time I sent all but two of my serial codes (couldn't find the Animal pack code, and I bought an Architect Edition box to increase box sales), as well as my Unique Account ID, because thank gawd I never delete emails and have kept the same email account for 6 years now.

Less than an hour later I got another link to reset my security stuff, and it worked. I logged back out, and was able to get back in.... Then again, I stopped at 4 attempts to access my account the other day, so my IP wasn't blocked.


I'm glad to see NCSoft at least attempting to rectify this *tries to think of an appropriate word to call this and not get censored/banned and comes up with nothing*.... Though to be honest, I see very little they can do about the Vanguard Pack reward fiasco they will be having soon enough, outside of straight up giving it to every account that was active from the start date to the day the new security measures started.

Oh, and my account feels -soooooooo- much safer now!

/endsarcasm

My password needed a number added to it, and my security questions would be known to all family and friends of mine, because I have -certainly- learned my lesson of putting fake/hard to remember answers for them.



And because I -have- to be a silver lining person, it is good to see the community, even after all of this, still retains its civility and general niceness.


**Edit to say that this was done completely by email, not once did I foolishly call support and pay money to fix their own *unable to properly name this due to forum rules*

Wait a minute -- all access keys? You've got to be kidding?

With three accounts (myself, wife, daughter), it's unlikely I'll be able to compile all of the access keys for everything we've added to CoH/V over the years should problems arise.

Since these are stored with the account online, I didn't think it was necessary to maintain a library of keys for each account. We have three boxes; I don't know which box/key goes with which account.

I do maintain email archives to search back through for the other codes (a bunch of them, to say the least) for two accounts. I think my wife has archived her's as well. But, wow...

Please tell me I'm misunderstanding here.

Legal Question here.

Our accounts are auto reaccurring. We have to opt out (cancel the subscription).
But we can't log into our master accounts because of the new security. If I wanted to cancel my account today before it gets reactivated, and you wont allow me to get to my account, then isn't this illegal?

Personally I'm tired of jumping through hoops for CoH on account issues. It seems that CoH stance is that we are the ones committing fraud and must prove over and over that we are who we say. That we bought their game, and so on.

They aren't doing this to stop gold farmers or hacked accounts. They are trying to protect themselves from the already made free servers out there of some of their other NCSoft games.

Okay, I'm trying to log into my account. The "hint question" is meaningless. It's part of a name. That's it. No question, no context.

I tried completing the name, both with capitalization and without and it fails every time.

If you're going to give a hint question, give the whole blasted question. Give me some context to work with to know exactly what information you want. A part of a word doesn't cut it.

I tried three times and stopped so as not to lock my account.

[edit]We've run into the exact same issue with my wife's account now: The "hint question" is not a question at all, but part of a name. We've completed the name and it fails. Can someone please tell me how this blasted thing is supposed to work?

If I'm supposed to be filling in the question for the answer (i.e., Jeopardy style), that's stupid. How am I supposed to remember the exact phrasing of a question from five years ago?

The need for security is fine; I understand that. But this implementation is lacking. Also, I canceled an attempt to log in before submitting because I couldn't read the stupid capcha thing (or whatever it's called). No use getting my account locked because I couldn't type in an indecipherable blob (in most cases, I've been able to read them fine; this one was an anomaly. But in the current circumstances, one anomaly can lead to a lot of frustration).