LotRO Account Security - Keeping Your Freeps Safe from Hacker Creeps
It needs to be said: Turbine could stand to invest some of
that juicy F2P money into keeping the Lord of the Rings Online
players' accounts safe from
hackers. Over the past few months, several people I know have had their
accounts compromised by thieves - their characters are systematically
logged in and stripped of valuables and, in one case, deleted. Since
the launch of free-to-play, this has become a rather serious problem,
and the more popular the game gets, the more likely it is to
continue... or increase.
WHAT TURBINE COULD DO BETTER
One of the chief weaknesses of the current security is the
fact that every player's account name is shown publicly on the LotRO
forums - indeed, on all of the LotRO Community sites. Your game account
is your forum account. Searching for a particular character shows the
account to which that character is tied. The player profile page - if
the player bothers filling it out, which many forum-users do -
potentially shows the other characters on that account. It also
provides a bit of insight into how much that player's characters might
be worth, money-wise.
Beyond the username/password login, there is really no other
kind of verification or validation to determine whether or not the user
logging in is the owner of the account. All anyone needs to access your
account is your username (which is not hard to get)
and password. You can log into your account from anywhere
without hassle... and so can the hackers.
The way the password system is set up now, you can keep
failing and failing password attempts without getting locked out. This
allows "brute force" hackers to sniff out passwords by a process of
trial-and-error. If the password is, for example, a simple,
all-lower-case word, it can be sniffed out fairly easily.
Say what you will about World of Warcraft
in general, but Blizzard doesn't screw around with account security.
WoW has that nifty little keychain-dongle thing and a
similar-functioning app for smartphones. This kind of externalized
additional security is an aegis against remote access from gold-farmers
who don't have the little account-tied code generator. It's like having
a combination lock plus an actual key: you don't get into the safe
product does not really exist... but it should.
introduced a new security measure in March which locks out the affected
character's money and prevents selling of gear when the account is
accessed from a "significantly different location" than usual. Account
holders will be sent an email when such suspicious activity occurs, and
can enter a code in-game to unlock their bankroll.
Locking out accounts after X number of
failed login attempts would prevent "brute force" hackers from sniffing
out passwords. Banks do this with debit cards - enter the wrong PIN
three times and you have to call the bank and explain yourself.
The traditional method of LotRO account thieves seems to be
either trading or mailing stolen money to other accounts. A server-side
currency transfer or in-game mail tracker would help root out habitual
thieves, but at the cost of some measure of privacy. Nobody really
wants "Big Brother" watching over their shoulder when they are doing
nothing wrong. But then again, no one wants to get robbed, either.
WHAT YOU CAN DO TO STAY SECURE
Right now, the onus of account security is on the player -
you, the player, need to take measures to ensure the integrity of your
account. Here are some steps you can take to make sure your heroic
characters do not become victims:
Be Cynical - The world wide
web is rife with fraud, so educate yourself on how to avoid being
scammed. Don't click on links in emails (even if they appear to be from
Turbine or other legitimate businesses). Learn more about
network security - firewalls, encryption, etc. - and how to keep your
computer hidden from snoops. Assume that everyone is out to get your
money, because pretty much everyone is and some folks are downright
dishonest about it.
Use a Strong Password -
Turbine passwords can consist of lower-case and upper-case letters,
numbers, punctuation and symbols. Using a combination of all of these
makes it much more difficult for "brute-force" password hacks.
All-letter or all-number passwords are weak, even if the number is very
long or the word very obscure. The trick of making a strong password is
to combine letters (upper- and lower-case), numbers, punctuation and
symbols in a way that is meaningful to you but difficult for anyone
else to guess. If all else fails, use "l33t-sp33k" - the name "Trixie,"
for example, could be spelled as:
Something you would remember, but anyone trying random words would fail.
Use Different Passwords for Different Things
- If you use the same username and password for email, Facebook,
Twitter, forums, your blog and game accounts, you're just begging to
have your identity stolen. Use something different for each.
Change Passwords Regularly -
Keeping things fresh is like hitting a "reset" button. Even if you only
change them every couple of months, that's a step in the right
direction. Extra paranoia points for changing them daily.
Don't Keep Password Lists On Your Computer
- If you need something to help keep track of all your different
accounts and passwords, write them down the old-fashioned way with a
pen on paper. If your data gets compromised by hackers or other
dishonest creeps, you don't want to supply them with a map.
Get a Reputable Anti-Virus/Anti-Malware And
Use It - Lots of nasty things are floating around the
intertubes these days. Keyloggers can steal your password as you type
it, rendering all other password-safety methods useless. Keep
definitions up-to-date and run regular scans.
Make Friends - Not only is
this kind of the point of MMOs in general, but it also helps in the
event of a security breach. Joining a kinship or running with regular
groups means that, hopefully, someone will notice suspicious activity
on your account and take steps on your behalf when you are unable to.
This won't necessarily prevent a hack, but it may expedite the
reporting process if you are given an early warning.
Use Alt Accounts and Anonymity
- You want to share your genius with the world on the forums but don't
want to expose sensitive details? Easy. Make an F2P alt account for
forum posts. Go into My Character Settings on your
My.LotRO.com profile page and untick the boxes under Public. Cycle
through all of your characters, open the Social panel and tick the box
that says Anonymous. Be as brash and bold as you like in-game, but keep
the particulars on the down-low.
Don't Buy Gold - This is the
reason the accounts are getting hacked in the first place. It's
terribly naive to think that gold-sellers come by their supply through
sweat of brow and honest work. And the dodgy websites they use to sell
their ill-gotten coin are a security risk all on their own. Buying
in-game currency is only contributing to the problem.
WHAT TO DO IF YOU GET HACKED
Assuming you have any characters remaining on the compromised
account, your first step should be contacting a GM by means of a
support ticket. Open the Help menu, select New Ticket, and from the
drop-down menus select Cheating and then Acct. Compromise, and fill in
the relevant details.
[Image: Submitting a ticket when your account gets hacked]
If you are unable to log into the game or
myaccount.turbine.com because the password has been changed or the
account has been banned for suspicious activity, you will need to
contact Turbine's Account Support department. Follow the steps detailed
on the Official LotRO Forums.
Turbine's reimbursement policy has been much-improved, but it
takes several days and possibly several support tickets to get things
Recently, a friend of mine had his account hacked. The thief cycled
through his high-level toons, cleaning out their vaults and money, and
then deleted the characters when he was done. A few of us saw this
happening and filed support tickets right away, and contacted the real
player via text message. He logged in on a low-level alt and filed a
ticket just minutes
after the thief had left. It took 2 or 3 days and at least 3 support
tickets for him to get all of his characters, money and stuff back.
If you do get hacked, you will want to act fast to get all
your stuff back. According to Turbine's Compromised
Account Reimbursement Policy
(http://support.turbine.com/ics/support/default.asp?deptID=24001&task=knowledge&questionID=2685),
players must submit an in-game
ticket for each affected character within 10 days of the hack. Anything
after 10 days results in a "standard reimbursement package appropriate
to [the character's] level," which means a fistful of gold and/or
In Turbine's defense, they have made hacking slightly less
profitable and less of a demoralizing hassle by making raid armor and
certain other high-end gear non-sellable. The stuff that you work for,
that takes days to earn, cannot be sold to Middle Earth's vendors, so
the quick-buck skeevy cretins who hack high-level characters have no
incentive to touch it. A small comfort when everything else is gone,
perhaps, but at least a step in the right direction.