Updated Tue, May 31, 2011 by gunky
It needs to be said: Turbine could stand to invest some of that juicy F2P money into keeping the Lord of the Rings Online players' accounts safe from hackers. Over the past few months, several people I know have had their accounts compromised by thieves - their characters are systematically logged in and stripped of valuables and, in one case, deleted. Since the launch of free-to-play, this has become a rather serious problem, and the more popular the game gets, the more likely it is to continue... or increase.
One of the chief weaknesses of the current security is the fact that every player's account name is shown publicly on the LotRO forums - indeed, on all of the LotRO Community sites. Your game account is your forum account. Searching for a particular character shows the account to which that character is tied. The player profile page - if the player bothers filling it out, which many forum-users do - potentially shows the other characters on that account. It also provides a bit of insight into how much that player's characters might be worth, money-wise.
Beyond the username/password login, there is really no other kind of verification or validation to determine whether or not the user logging in is the owner of the account. All anyone needs to access your account is your username (which is not hard to get) and password. You can log into your account from anywhere without hassle... and so can the hackers.
The way the password system is set up now, you can keep failing password attempts indefinitely without getting locked out. This allows "brute force" hackers to sniff out passwords by a process of trial-and-error. If the password is, for example, a simple, all-lower-case word, it can be sniffed out fairly easily.
Say what you will about World of Warcraft in general, but Blizzard doesn't screw around with account security. WoW has that nifty little keychain-dongle thing and a similar-functioning app for smartphones. This kind of externalized additional security is an aegis against remote access from gold-farmers who don't have the little account-tied code generator. It's like having a combination lock plus an actual key: you don't get into the safe without both.
This product does not really exist... but it should.
Rift introduced a new security measure in March which locks out the affected character's money and prevents selling of gear when the account is accessed from a "significantly different location" than usual. Account holders will be sent an email when such suspicious activity occurs, and can enter a code in-game to unlock their bankroll.
Locking out accounts after X number of failed login attempts would prevent "brute force" hackers from sniffing out passwords. Banks do this with debit cards - enter the wrong PIN three times and you have to call the bank and explain yourself.
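Here is a minimal illustration of such a lockout, added as an example and not Turbine's code: a hypothetical login service that counts consecutive failures per account and refuses further attempts, even with the right password, for a fixed period after the third miss. The account name, password and lockout window are constructed values.

```python
import hashlib
import hmac
import os
import time

MAX_FAILURES = 3        # the "X" above: lock after this many consecutive failures
LOCKOUT_SECONDS = 900   # constructed value: how long the lock lasts (15 minutes)


class AccountStore:
    """Hypothetical login service (not Turbine's) with per-account lockout.
    Passwords are stored as salted PBKDF2 hashes, never in the clear."""

    def __init__(self):
        self.accounts = {}  # name -> {salt, hash, failures, locked_until}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, name, password):
        salt = os.urandom(16)
        self.accounts[name] = {"salt": salt, "hash": self._hash(password, salt),
                               "failures": 0, "locked_until": 0.0}

    def login(self, name, password, now=None):
        """Return 'ok', 'bad_password' or 'locked'."""
        now = time.time() if now is None else now
        acct = self.accounts.get(name)
        if acct is None:
            return "bad_password"  # same answer as a wrong password: don't confirm names
        if now < acct["locked_until"]:
            return "locked"        # refused even if the password is correct
        if hmac.compare_digest(self._hash(password, acct["salt"]), acct["hash"]):
            acct["failures"] = 0   # a good login clears the counter
            return "ok"
        acct["failures"] += 1
        if acct["failures"] >= MAX_FAILURES:
            acct["failures"] = 0
            acct["locked_until"] = now + LOCKOUT_SECONDS
        return "bad_password"


if __name__ == "__main__":
    store = AccountStore()
    store.register("frodo", "Correct-Horse-7")  # constructed sample account
    for guess in ("hobbit", "shire", "ring", "Correct-Horse-7"):
        print(guess, "->", store.login("frodo", guess))
```

Note the trade-off a real service has to handle: once locked, the legitimate owner is shut out for the window too, which is why the lockout should also trigger a notice to the account's e-mail so the owner knows someone is guessing.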
The traditional method of LotRO account thieves seems to be either trading or mailing stolen money to other accounts. A server-side currency transfer or in-game mail tracker would help root out habitual thieves, but at the cost of some measure of privacy. Nobody really wants "Big Brother" watching over their shoulder when they are doing nothing wrong. But then again, no one wants to get robbed, either.
Right now, the onus of account security is on the player - you, the player, need to take measures to ensure the integrity of your account. Here are some steps you can take to make sure your heroic characters do not become victims:
Assuming you have any characters remaining on the compromised account, your first step should be contacting a GM by means of a support ticket. Open the Help menu, select New Ticket, and from the drop-down menus select Cheating and then Acct. Compromise, and fill in the relevant details.
If you are unable to log into the game or myaccount.turbine.com because the password has been changed or the account has been banned for suspicious activity, you will need to contact Turbine's Account Support department. Follow the steps detailed on The Official LotRO Forums.
Turbine's reimbursement policy has been much-improved, but it still takes several days and possibly several support tickets to get things restored. Recently, a friend of mine had his account hacked. The thief cycled through his high-level toons, cleaning out their vaults and money, and then deleted the characters when he was done. A few of us saw this happening and filed support tickets right away, and contacted the real player via text message. He logged in on a low-level alt and filed a ticket just minutes after the thief had left. It took 2 or 3 days and at least 3 support tickets for him to get all of his characters, money and stuff back.
If you do get hacked, you will want to act fast to get all your stuff back. According to Turbine's Compromised Account Reimbursement Policy, players must submit an in-game ticket for each affected character within 10 days of the hack. Anything after 10 days results in a "standard reimbursement package appropriate to [the character's] level," which means a fistful of gold and/or skirmish marks.
In Turbine's defense, they have made hacking slightly less profitable and less of a demoralizing hassle by making raid armor and certain other high-end gear non-sellable. The stuff that you work for, that takes days to earn, cannot be sold to Middle-earth's vendors, so the quick-buck skeevy cretins who hack high-level characters have no incentive to touch it. A small comfort when everything else is gone, perhaps, but at least a step in the right direction.