The saga of RIFT's account security woes continues, as Trion Worlds' Scott Hartsman responded to the hacking attempts, reassuring fans curious about what steps were being taken to secure their accounts.
Citing "constant attacks" since the launch of RIFT that have impacted 1% of accounts, Hartsman said that the team is blocking hackers and botnets as quickly as they are identified, but that this will also be an ongoing process.
"Both the login fix and the Coin Lock addition have been doing their part in significantly reducing overall incidents over the last 18 hours," Hartsman wrote. "Neither one is a silver bullet, but so far it is looking to be a solid one-two punch for the weekend."
According to his post, Trion will be hiring additional staff to tackle the problem, and is working on a "two-factor authentication" process for the future.
Hartsman also praised the efforts of the player who brought a serious log-in vulnerability to the team's attention. ZAM tracked down the player, who himself had his account hacked in early March, for an interview. The player is an "ethical hacker" who owns a security software company and realized that these hacks were not the fault of the player, but the result of an exploit that had been discovered.
Reader Comments (44)
Posted: Mar 19th 2011 11:10PM Apakal said
We call those ethical hackers "white hats" if you want to jazz it up a little more.
Glad to hear they made progress. Now they need to really push those authenticators, and they seriously SERIOUSLY need to consider a hardware option. Solely relying on apps and text services is a bad idea.
Posted: Mar 19th 2011 11:16PM kgptzac said
"Neither one is a silver bullet, but so far it is looking to be a solid one-two punch for the weekend."
While it sounds a bit unclear to me, I hope what he means is there will be no more hacked accounts due to server vulnerability. Anyway this is a happy ending to both Trion and their players. And at the end of the day maybe we all could learn something, such as stop automatically assuming if a player's account is hacked, that player must be at fault of using bots/conduct RMT/running keylogger.
Posted: Mar 20th 2011 2:11PM Rialle said
@drakon
People assume this because 99% of the time, it is the case that the victim HAS been hit with a keylogger, phished, or been loose with their credentials. (It can be very difficult to avoid all the sources of keyloggers, unfortunately. Especially with things like 0-day Flash vulnerabilities running rampant online.)
Fixing this vulnerability was a must, however, and I'm glad that Trion owned up to it and fixed it ASAP. We do not know how many people with compromised accounts were actually impacted by this. I suspect most breached accounts since launch were the result of "traditional" means rather than this attack, however. (We also don't know how difficult this attack really was to pull off since the details were not disclosed.)
I also am glad to see the coin-lock feature and that two-factor authentication is planned.
Ultimately, whatever the cause of the account breach in a specific user, the true fault lies with the RMT sellers and those that buy from them rather than people who just randomly got their accounts broken into.
Posted: Mar 20th 2011 12:42AM (Unverified) said
Another rift article.............shocking.
Posted: Mar 20th 2011 1:09PM lyons said
@(Unverified)
if you don't want to see rift articles then use this link
http://massively.joystiq.com/exclude/rift/
Posted: Mar 20th 2011 1:00AM Rindon said
I don't understand how there has been such an outbreak of security issues for games (newer releases). I have held accounts in Ultima Online and EverQuest for about 10 years now and never once have I had any type of security breach. I also have kept the same passwords in both of those games from the day that I created my account(s).
That being said, I have been hacked in both Aion/WoW. The odd thing is, I used a numerical with upper/lower case password which I would change on a monthly basis. Not sure if they have internal security breaches or what is going on, but it seems to be a big problem with a lot of AAA companies.
Posted: Mar 20th 2011 1:15AM Graill440 said
The numbers may be more than the 1% quoted by Hartsman, the forums are rife with complaints about the customer service or actual nonexistence of it. Which leads many to believe they have more problems than they let on.
When a person gets a trouble ticket back stating they are working on hack attempts as primary problems and if you still need your problem answered.......for the third time, tells me the outsourcing they have..........and they do, is filtering and running interference by stuffing tickets and telling folks to resubmit to buy time. This doesn't go over well and what Trion thinks they are getting away with will simply lead to bad word of mouth.
Posted: Mar 20th 2011 5:06AM socialenemy2007 said
@Graill440 "the numbers may be more than the 1% quoted by Hartsman"
Translation: You have no idea how many accounts have been hacked. Nor do you understand why, how, or care.
"the forums are rife with complaints about the customer service or actual nonexistence of it. Which leads many to believe they have more problems than they let on."
You are simply trolling Rift threads.
There, I fixed it for you.
20 days after the game launched, they release the coin lock system; how is customer service non-existent?
Troll harder please.
Posted: Mar 21st 2011 2:19PM KDolo said
@socialenemy2007
People are throwing around the phrase "Troll" too loosely and especially in response to criticism of RIFT.
Holding and expressing an opinion in a forum that is contrary to the forum dedicated to it is not Trolling. Expressing concerns about or raising issue with problems concerning a thing is not Trolling. Doing so to bait people into an argument is Trolling.
For people who have had to wait two weeks or more for restoration of their characters (I know of one personally who has been waiting and is still waiting this long) in light of a backdoor in Trion's security that was about the size of a truck might consider Trion's response time inexcusable and their customer service non-existent. Rightly so, I would say.
This is an issue Trion had tried to sweep under the rug and only recently admitted to and began to fix when it became apparent that the issue was on their end.
And to all the apologist fanboys; for a company whose ad campaign has repeatedly suggested that their world is better than Blizzard's is even now, why would you give them a pass on not having an authenticator?
Posted: Mar 20th 2011 2:17AM silvertemplar said
I can tell you why this happens so much more now.
1. Account Name = Email Address
2. Email addresses are used to unlock, to change password, to do whatever.
3. Email addresses are to be found in any database on the web, every site, every game, everything will contain your email address.
So once a hacker picks up a database of forum members, it's a matter of time before they are able to use the email address to get into any game that is using it as your account name.
The Coin Lock is only moving the hack "point of entry" from Rift authentication to your email account.
Anyway, I assume everyone is aware of Google's 2-step Authenticator for Gmail? It works via your phone to generate these codes [without going via an email system]. So unless Trion considers "hiding" our email addresses and giving us new account -names-, they will probably have to end up with a full blown authenticator like Blizzard.
...and Blizzard is also making the same mistake with exposing the email address as the "login". Hence why it's so easy to both get hacked and get spammed in your email.
Posted: Mar 20th 2011 2:25PM Rialle said
@silvertemplar
I agree that using the email address is not the wisest choice, and I don't like this trend of everyone wanting to use an email address as a logon. Yes, it makes it easier to remember, but at the same time this means a lot of people use the same login ID for their email, Facebook, Twitter, and all their games. And many likely use the same password because it's hard to remember them all.
This is why I keep a separate logon for each game account I have. I have completely separate email addresses for WoW/Battle.net, RIFT, Steam, PSN, and so forth.
Posted: Mar 20th 2011 6:44AM Ably said
hacker == guy who hacks wildly on his keyboard to produce code, of questionable quality most of the time.
cracker == guy who exploits security holes in software for malicious intent.
there is no such thing as an "ethical hacker" as there is no ethical code.
Posted: Mar 20th 2011 9:51AM Seegrey said
@Ably
Kudos firstly, for being one of the handful who have some idea on the difference, but a small correction is needed.
Hacking is about the problem solving process, but isn't computer related - a model railway club is widely accredited with being the first hackers, after setting up a remote switching system using old phone parts - no code used. In some cultures, one will use "hack something together" in place of "jury rig it". MacGyver is a great example of a hacker, actually.
Every situation has a set of rules that govern it, from games we play, to social interaction (etiquette, social conventions, etc.) to plain walking down the street (physics). A hacker is just someone who finds a problem, and uses every advantage/method they can in overcoming it, but doesn't follow convention.
Most crackers are hackers, in this sense (but not all hackers are crackers). Hackers could also be people developing vaccines, working on new car engines that use lettuce as fuel, or the guys who put a rat brain into a robot (YouTube "robot rat brain"). They're also the guys who make the anti-viruses, firewalls, encryption protocols and so forth we use to defend against crackers (along with most of your computer, servers and software, actually).
Updating the article, especially considering you're praising a hacker, would be a pretty respectful move, tbh. Yes, I know most of the audience is ignorant of the difference but that doesn't mean you shouldn't at least try to educate them, since 99% of them aren't idiots.