LotRO Account Security: Keeping Your Freeps Safe from Hacker Creeps
It needs to be said: Turbine could stand to invest some of that juicy F2P money into keeping the Lord of the Rings Online players' accounts safe from hackers. Over the past few months, several people I know have had their accounts compromised by thieves - their characters are systematically logged in and stripped of valuables and, in one case, deleted. Since the launch of free-to-play, this has become a rather serious problem, and the more popular the game gets, the more likely it is to continue... or increase.
WHAT TURBINE COULD DO BETTER
One of the chief weaknesses of the current security is the fact that every player's account name is shown publicly on the LotRO forums - indeed, on all of the LotRO Community sites. Your game account is your forum account. Searching for a particular character shows the account to which that character is tied. The player profile page - if the player bothers filling it out, which many forum-users do - potentially shows the other characters on that account. It also provides a bit of insight into how much that player's characters might be worth, money-wise.
Beyond the username/password login, there is really no other kind of verification or validation to determine whether or not the user logging in is the owner of the account. All anyone needs to access your account is your username (which is not hard to get) and password. You can log into your account from anywhere without hassle... and so can the hackers.
The way the password system is set up now, you can fail password attempts over and over without ever getting locked out. This allows "brute force" hackers to sniff out passwords by a process of trial and error. If the password is, for example, a simple, all-lower-case word, it can be sniffed out fairly easily.
Say what you will about World of Warcraft in general, but Blizzard doesn't screw around with account security. WoW has that nifty little keychain-dongle thing and a similar-functioning app for smartphones. This kind of externalized additional security is an aegis against remote access from gold-farmers who don't have the little account-tied code generator. It's like having a combination lock plus an actual key: you don't get into the safe without both.
This product does not really exist... but it should.
Rift introduced a new security measure in March which locks out the affected character's money and prevents selling of gear when the account is accessed from a "significantly different location" than usual. Account holders will be sent an email when such suspicious activity occurs, and can enter a code in-game to unlock their bankroll.
Locking out accounts after X number of failed login attempts would prevent "brute force" hackers from sniffing out passwords. Banks do this with debit cards - enter the wrong PIN three times and you have to call the bank and explain yourself.
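As an added example (not Turbine's code), this is what a per-account lockout of the kind proposed above could look like on the login server. The `LoginGuard` name and the thresholds are assumptions; the guard is fed the result of the real password check and decides whether the account is allowed to proceed.

```python
from collections import defaultdict, deque
# Added example (not Turbine's code): the failed-login lockout proposed above.
# Policy values are assumptions chosen for illustration.
MAX_FAILURES = 5          # failures allowed inside the window
WINDOW_SECONDS = 15 * 60  # sliding window over which failures are counted
LOCK_SECONDS = 30 * 60    # how long the account stays locked once tripped


class LoginGuard:
    """Counts failed password attempts per account name and locks the
    account once MAX_FAILURES land inside the sliding window. Counting per
    account rather than per source address is what stops a remote guesser
    who rotates IPs; an expired lock clears itself on the next attempt."""

    def __init__(self, clock):
        self.clock = clock                    # callable returning seconds
        self.failures = defaultdict(deque)    # account -> failure timestamps
        self.locked_until = {}                # account -> unlock time

    def _prune(self, account, now):
        q = self.failures[account]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()                       # forget failures outside window

    def is_locked(self, account):
        until = self.locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            del self.locked_until[account]    # lock has expired
            return False
        return True

    def attempt(self, account, password_ok):
        """Returns 'locked', 'ok' or 'failed'. Pass in the result of the
        real credential check; while locked, even a correct password is
        refused, so the lock gives a guesser no hint about the password."""
        now = self.clock()
        if self.is_locked(account):
            return "locked"
        if password_ok:
            self.failures.pop(account, None)  # success clears the counter
            return "ok"
        self._prune(account, now)
        self.failures[account].append(now)
        if len(self.failures[account]) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCK_SECONDS
            self.failures.pop(account, None)
            return "locked"
        return "failed"
```

The owner of a locked account should be told it is locked (and ideally emailed), since that message is itself the early warning that someone is guessing at their password.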
The traditional method of LotRO account thieves seems to be either trading or mailing stolen money to other accounts. A server-side currency transfer or in-game mail tracker would help root out habitual thieves, but at the cost of some measure of privacy. Nobody really wants "Big Brother" watching over their shoulder when they are doing nothing wrong. But then again, no one wants to get robbed, either.
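An added example, not anything Turbine runs, of the server-side transfer tracker suggested above. It reads a constructed transfer log (the line format and every character and account name in it are made up) and flags recipient accounts that collected currency from several distinct sender accounts within an hour, while leaving a single kin member paying a kin banker alone; it only ever looks at who paid whom and when, never at chat or mail text.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not Turbine's code. The log format is constructed for
# illustration; a real server-side transfer log would look different.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<kind>MAIL|TRADE) "
    r"from=(?P<from_char>\w+)@(?P<from_acct>\w+) "
    r"to=(?P<to_char>\w+)@(?P<to_acct>\w+) silver=(?P<silver>\d+)$"
)

SAMPLE_LOG = """\
2011-04-02T03:14:07 MAIL from=Trixie@acct1001 to=Gldmule@acct9999 silver=48200
2011-04-02T03:15:40 TRADE from=Trixhunt@acct1001 to=Gldmule@acct9999 silver=31750
2011-04-02T03:19:02 MAIL from=Bobwarden@acct2042 to=Gldmule@acct9999 silver=52000
2011-04-02T03:21:13 MAIL from=Sindri@acct3311 to=Gldmule@acct9999 silver=27000
2011-04-02T10:00:00 TRADE from=Aeryn@acct4040 to=Kinbanker@acct4041 silver=5000
2011-04-02T10:05:00 MAIL from=Aeryn@acct4040 to=Kinbanker@acct4041 silver=2000
"""

def parse(log):
    """Return (timestamp, sender_account, recipient_account, silver) tuples sorted by time."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        events.append((datetime.fromisoformat(m["ts"]), m["from_acct"],
                       m["to_acct"], int(m["silver"])))
    return sorted(events)

def suspicious_recipients(log, window=timedelta(hours=1), min_senders=3):
    """Return {recipient_account: senders} for every recipient that took in
    currency from at least `min_senders` distinct accounts within `window`.
    Several victims funnelling coin to one receiver inside an hour is the
    habitual-thief pattern; one kin member feeding a kin banker is not."""
    by_recipient = defaultdict(list)
    for ts, src, dst, _silver in parse(log):
        by_recipient[dst].append((ts, src))
    flagged = {}
    for dst, rows in by_recipient.items():
        for i, (start, _) in enumerate(rows):
            senders = {src for ts, src in rows[i:] if ts - start <= window}
            if len(senders) >= min_senders:
                flagged[dst] = senders
                break
    return flagged
```

A hit is a lead for a GM to look at, not proof: the thresholds need tuning against normal kinship and auction traffic before anyone's coin is frozen on the strength of them.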
WHAT YOU CAN DO TO STAY SECURE
Right now, the onus of account security is on the player - you, the player, need to take measures to ensure the integrity of your account. Here are some steps you can take to make sure your heroic characters do not become victims:
- Be Cynical - The world wide web is rife with fraud, so educate yourself on how to avoid being scammed. Don't click on links in emails (even if they appear to be from Turbine or other legitimate businesses). Learn more about network security - firewalls, encryption, etc. - and how to keep your computer hidden from snoops. Assume that everyone is out to get your money, because pretty much everyone is and some folks are downright dishonest about it.
- Use a Strong Password - Turbine passwords can consist of lower-case and upper-case letters, numbers, punctuation and symbols. Using a combination of all of these makes "brute-force" password hacks much more difficult. All-letter or all-number passwords are weak, even if the number is very long or the word very obscure. The trick of making a strong password is to combine letters (upper- and lower-case), numbers, punctuation and symbols in a way that is meaningful to you but difficult for anyone else to guess. If all else fails, use "l33t-sp33k" - the name "Trixie," for example, could be spelled as:
Something you would remember, but anyone trying random words would fail.
- Use Different Passwords for Different Things - If you use the same username and password for email, Facebook, Twitter, forums, your blog and game accounts, you're just begging to have your identity stolen. Use something different for each.
- Change Passwords Regularly - Keeping things fresh is like hitting a "reset" button. Even if you only change them every couple of months, that's a step in the right direction. Extra paranoia points for changing them daily.
- Don't Keep Password Lists On Your Computer - If you need something to help keep track of all your different accounts and passwords, write them down the old-fashioned way with a pen on paper. If your data gets compromised by hackers or other dishonest creeps, you don't want to supply them with a map.
- Get a Reputable Anti-Virus/Anti-Malware And Use It - Lots of nasty things are floating around the intertubes these days. Keyloggers can steal your password as you type it, rendering all other password-safety methods useless. Keep definitions up-to-date and run regular scans.
- Make Friends - Not only is this kind of the point of MMOs in general, but it also helps in the event of a security breach. Joining a kinship or running with regular groups means that, hopefully, someone will notice suspicious activity on your account and take steps on your behalf when you are unable to. This won't necessarily prevent a hack, but it may expedite the reporting process if you are given an early warning.
- Use Alt Accounts and Anonymity - You want to share your genius with the world on the forums but don't want to expose sensitive details? Easy. Make a F2P alt account for forum posts. Go into My Character Settings on your My.LotRO.com profile page and untick the boxes under Public. Cycle through all of your characters, open the Social panel and tick the box that says Anonymous. Be as brash and bold as you like in-game, but keep the particulars on the down-low.
- Don't Buy Gold - This is the reason the accounts are getting hacked in the first place. It's terribly naive to think that gold-sellers come by their supply through sweat of brow and honest work. And the dodgy websites they use to sell their ill-gotten coin are a security risk all on their own. Buying in-game currency is only contributing to the problem.
WHAT TO DO IF YOU GET HACKED
Assuming you have any characters remaining on the compromised account, your first step should be contacting a GM by means of a support ticket. Open the Help menu, select New Ticket, and from the drop-down menus select Cheating and then Acct. Compromise, and fill in the relevant details.
If you are unable to log into the game or myaccount.turbine.com because the password has been changed or the account has been banned for suspicious activity, you will need to contact Turbine's Account Support department. Follow the steps detailed on The Official LotRO Forums.
Turbine's reimbursement policy has been much-improved, but it still takes several days and possibly several support tickets to get things restored. Recently, a friend of mine had his account hacked. The thief cycled through his high-level toons, cleaning out their vaults and money, and then deleted the characters when he was done. A few of us saw this happening and filed support tickets right away, and contacted the real player via text message. He logged in on a low-level alt and filed a ticket just minutes after the thief had left. It took 2 or 3 days and at least 3 support tickets for him to get all of his characters, money and stuff back.
If you do get hacked, you will want to act fast to get all your stuff back. According to Turbine's Compromised Account Reimbursement Policy, players must submit an in-game ticket for each affected character within 10 days of the hack. Anything after 10 days results in a "standard reimbursement package appropriate to [the character's] level," which means a fistful of gold and/or skirmish marks.
In Turbine's defense, they have made hacking slightly less profitable and less of a demoralizing hassle by making raid armor and certain other high-end gear non-sellable. The stuff that you work for, that takes days to earn, cannot be sold to Middle Earth's vendors, so the quick-buck skeevy cretins who hack high-level characters have no incentive to touch it. A small comfort when everything else is gone, perhaps, but at least a step in the right direction.