


In all the myriad tasks associated with gaming, none can rival launching an MMOG in terms of scope and magnitude. As the genre continues to evolve and grow, the difficulty level increases exponentially. In addition to higher expectation levels and higher populations, new mechanics and systems keep getting added to the mix, which creates a perfect breeding ground for launch day snafus. When Rift experienced a remarkably smooth launch that was marred only by server queues created by higher than expected popularity, it seemed they had dodged the pitfalls that beset most of their brethren.



But early on the reports began pouring in of account compromises: hacked accounts stripped of all their valuables and left like some stolen Honda on the side of the road. Our very first post-launch interview, which took place during our trip to GDC, hinted strongly at just how much of an issue account security would become. Our first inkling of the issue was the overabundance of gold spammers that set up shop within hours of the live launch. We asked Scott Hartsman about this:





Ten Ton Hammer: Were you surprised by the amount of gold spammers that were present at launch?

Scott: We really weren’t. We had a chat filter installed and listening to all that was going on throughout beta, and it was already paying attention to user reports. After about four days of internally logging this information and looking at what users were reporting, we turned it on and began the process of kicking spammers offline and blocking their access. So the first three days were really loud; we didn’t want to jump the gun on auto kicking and auto banning, but once we knew it was working properly it got a hell of a lot quieter as we started banning accounts.




Scott then proceeded to show us some pretty amazing integration he had on his tablet computer that allowed him to remotely access any realm, view spam filters and pull up detailed information. Color us impressed. As we viewed the spam filter you could see how it compiled its own dictionary and flagged words based on how users reacted to them. Using this info it began to cast a net with which to catch the offending users and remove them from the game.



Scott: It’s hilarious to see some of the unique and creative ways the spammers are using to try and get around the filters, but the users aren’t fooled and they report it just as quickly. There were some gold farmers that woke up to a really bad morning this morning.


Image: Rift Hacked. Caption: Please, give me back my armor.

Ten Ton Hammer: It seems like this sort of preparedness is a must these days.

Scott: You have to be; the speed with which these attacks come is truly surprising. It shocked me, and I have been doing this a long time. The day we opened for headstart, the incoming traffic from people trying dictionary attacks on people’s accounts was unreal.




Ten Ton Hammer: Do they try DDoS attacks on you as well?

Scott: We have load balancers and firewalls to deter that, but one of the neat things we are doing for people trying to attack us with bad logins is that if you do it enough times we redirect you to the Chinese Internet Ministry to report yourself. We do that in the hardware so we don’t have to write special software for that. Fortunately internet security hardware has really leveled up in the past few years to stop brute-force style attacks.





Image: Rift hack. Caption: Despite assurances to the contrary, this probably isn't safe and secure.

I found this last bit particularly interesting, as many users on the official Rift forums began to toss about the notion that Trion had no brute-force protection. I couldn’t tell what was worse: the users who pulled this supposed information out of their asses, or the others who jumped on the bandwagon and lashed out in anger that a company could be so careless. It did illustrate just how passionate an issue this was to the playerbase, however, and things were only just heating up.



As the second week gave way to the third, the number of threads on the forums related to account hacks and security exploded. While many users wondered just what the hell was going on, the community seemed to be divided firmly into two camps: those who had been hacked but swore they didn’t do anything to jeopardize their accounts, and those who ridiculed them. When we caught back up with Scott at PAX East, it was once again at the forefront of our discussion.



“I’m primarily concerned with keeping our customers safe. That’s the overriding factor, the fact that there is active fraud and active theft and active breaking the law against our community and it pisses me off.”

Scott Hartsman



Ten Ton Hammer: Do you feel using an e-mail address for logins is a security compromise?

Scott: It really isn’t. The two main ways that people will gain access this way are from either an account that was previously compromised in another game and the same credentials are used, or from phishing websites. So if you used the same credentials in both games it wouldn’t matter if it were a unique user name or an email address; they will still have that information. The newest phishing site we came across was riftgame.net, which the link said riftgame.com, but you know the nature of links and how they work – it took you to the .net site and they phished out a bunch of passwords that way. We have been reminding people “don’t click on links in emails, always copy and paste it – anything that will come from us will allow you to copy and paste.”



Ten Ton Hammer: Do you have a legal department that handles the phishing sites?

Scott: Yep, exactly. Not only that, but then we get them added to the search engines as known malware sites. So we are working with ISPs, search engines and trademark people to combat these things.





Ten Ton Hammer: Are the brute-force protections still in place?

Scott: Yes, if you try and brute force us, and you come from China, you will be redirected to the Chinese Internet Protection website and you will be submitting a report against yourself. That being said, security is still something we are working on day by day, improvement by improvement.





Ten Ton Hammer: What are you working on right now?

Scott: What we are working on right now is economy locking your account, such as if you log on from a new IP address that we don’t recognize from you and you haven’t authenticated yourself by answering the secret question or some other form of verification, your character will not be able to give, sell or destroy anything until you look in your email and get an unlock code. We are also looking at a two-factor, like an iOS or Android app, which we are pushing forward on as much as we can.
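
As an added example (not Trion's code), here is a minimal model of the economy lock Scott describes: a login from an IP the account has never used locks give/sell/destroy until the player enters a code that would be e-mailed to them. The account structure, the 15-minute code lifetime, the single-use code and the action names are assumptions.

```python
"""Economy locking: a login from an unrecognized IP puts the character into a
locked state in which economy actions are refused until an e-mailed unlock
code is verified. Modelled on the interview; field names are assumptions."""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

UNLOCK_TTL = 15 * 60  # seconds an e-mailed unlock code stays valid (assumed)
ECONOMY_ACTIONS = {"give", "sell", "destroy"}  # gated while locked


@dataclass
class Account:
    known_ips: set = field(default_factory=set)
    locked: bool = False
    pending_code: Optional[str] = None
    code_expires: float = 0.0


def login(acct: Account, ip: str, now: Optional[float] = None) -> Optional[str]:
    """Return the unlock code that would be e-mailed, or None if the IP is known.
    A new IP is never trusted until the player proves it is really them."""
    now = time.time() if now is None else now
    if ip in acct.known_ips:
        return None
    acct.locked = True
    acct.pending_code = secrets.token_hex(4)  # 8 hex chars, unguessable, single use
    acct.code_expires = now + UNLOCK_TTL
    return acct.pending_code


def verify_unlock(acct: Account, ip: str, code: str, now: Optional[float] = None) -> bool:
    """Constant-time compare so a wrong guess leaks nothing; the IP is only
    added to the trusted set after a valid, unexpired code is presented."""
    now = time.time() if now is None else now
    if acct.pending_code is None or now > acct.code_expires:
        return False
    if not hmac.compare_digest(acct.pending_code, code):
        return False
    acct.known_ips.add(ip)
    acct.locked = False
    acct.pending_code = None  # burn the code so it cannot be replayed
    return True


def allowed(acct: Account, action: str) -> bool:
    """A locked character can still play; only economy-affecting actions are refused."""
    return not (acct.locked and action in ECONOMY_ACTIONS)
```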



Ten Ton Hammer: One of the major gold selling sites stated that Rift was the most requested game at launch in the history of their business; does this flatter you or frighten you?

Scott: Flattering, since you know there is always going to be gold sellers, which is why we launched with a chat filter. We are currently working on taking the next step with that chat filter and applying it to in-game mail.


Ten Ton Hammer: How many accounts have you banned since launch?

Scott: Off the top of my head, it’s multiple thousands. I don’t have the hard number in front of me, but we get reports every hour of active hackers. The real problem is that a lot of them are registering accounts with stolen credit cards, and a lot of them unfortunately recycle credit cards of people who buy from them. It’s really dangerous to give your credit card to those kinds of places – it’s got to be a hellacious experience to wake up one morning and find that the company you just bought gold from used your credit card to charge 250 copies of the game to. It’s best just to stay away from that whole ecosystem.


Ten Ton Hammer: Is there any way to stop it completely?

Scott: I think that economy locking will be interesting. Economy locking and the cell phone based two factor will be a good place to be. When my cell phone becomes my account key then I’m pretty confident that it’s only me that is getting into that account. I know it isn’t the cutting edge of technology but it is extremely effective and among the least inconvenient ways to help secure an account. I’m less concerned about stopping the gold selling market; it’s always going to exist some way or another, and I’m primarily concerned with keeping our customers safe. That’s the overriding factor, the fact that there is active fraud and active theft and active breaking the law against our community and it pisses me off.


Image: rift coin locked.

While some members of the community questioned Trion’s commitment to
account security and their customers, the reality is that they have
more invested in keeping these accounts secure than anyone. While Mr. Furious-Account-Got-Hacked man may be railing on about his 50
dollars he spent on the game, millions of dollars were at stake for
Trion if the game ultimately failed due to account hacks.



As the epidemic reached its crescendo, the mystery of the pervasive account compromises was finally solved – and it was done by a player who was doing a bit of ethical hacking in an attempt to help fix the problem. Known on the forums as ManWitDaPlan, this user was frustrated by his own experience of loss (http://forums.riftgame.com/showthread.php?125019-Hacking-spree-or-server-side-data-corruption-or-both&highlight=) but noticed some discrepancies with a typical account hack:



With the hacking fiasco
currently raging across the game, I'm seeing enough strangeness to
wonder if Trion isn't facing two simultaneous issues: a wildly
successful large-scale hacking of the game's security and a potentially
catastrophic problem with the game's back-end code. My particular
"hacking" case deviates from the norm for game account hacks - my
inventory is mostly gone, as is my money, but my bank was never
touched.



A number of other posts on the forums include behaviors that are
inconsistent with account theft: partial inventory losses, inventories
left alone but banks are emptied, banks left alone but inventories are
emptied, etc. etc. etc. Also, quite a number of victims that report
unorthodox account damage were hard targets to begin with and tested
clean after-the-fact.



I suspect, and I know this will probably not be confirmed, that the
hacking was a bruteforce attack against Trion's account management
and/or authentication servers, and/or an active exploit against one or
more weaknesses in Trion's systems, and not any form of client-side
malware. This would certainly explain why people that are more than
savvy enough to not get nailed by keyloggers, etc. still got hit. This
particular concern is a major catastrophe for Trion if it's true, for
it calls into question the entire security side of Trion's operation
and throws loads of obstacles between Trion and making money from game
account subscriptions. Needless to say, Trion is likely desperate to
get the hacks under control, whatever the attack vector may be, before
significant numbers of players withdraw their billing data and opt out
of continued play come April.



I also suspect, and this too will probably not be confirmed, that Trion
is also fighting a back-end data-corruption issue that is the cause of
the stranger "hack" cases where someone that had a reasonably
uncrackable password fell prey to, and I suspect this may relate to
either the hotbar-icon hotfix, or the attacks against Trion, or both. A
corruption issue would certainly cause abnormal-for-a-hacked-account
changes to inventory/bank contents, and could also explain cases where
one of a number of characters on one account was hit and not all of
them, random characters were deleted, etc., which is also deviating
from the norm a bit for hacking cases. Distinguishing such an event
from a hackfest would be tough at best and at worst well nigh
impossible, and it'd be easy for an inventory bug to get lost in the
sea of stolen inventory items during the hacking spree.



Trion is stuck in a no-win situation at this point, as each passing
hour waiting for (surprised and subsequently hideously
overloaded) Trion's customer support adds more frustration to players
waiting for support to fix their destroyed characters (I'm on day three
since posting a GM request on my "hack"), and each new report of
unusual circumstances that don't fit the normal modus operandi for a
hacked account serves to only undermine any faith in Trion's account -
and by extension, billing - security. This came on hard and fast and
Trion is obviously scrambling to stop the ongoing hacks, shore up
security, and perform some semblance of damage control. In the
meantime, victims of the security failure that shouldn't have been
victims under normal circumstances are already looking to divest
themselves of this particular Pandora's Box before it evolves into a
bigger problem.



To make matters worse, some folks are reporting being told it may be
several days before their destroyed accounts can be recovered. Many of
them are not going to wait that long, and when they go, the $10-$15 a
month they were planning to spend goes with them. This means even more
pressure for Trion to get a handle on the situation, and fast.






While a post like this may be glossed over by some companies, it seems that the folks at Trion were noticing something similar and made the unusual move of directly contacting this user to find out more and work with his data to craft a solution. The result was a hotfix that was developed and deployed in just over two hours from the time of that conversation. Scott Hartsman publicly thanked ManWitDaPlan for his assistance (http://forums.riftgame.com/showthread.php?131497-Weekend-Security-Update) but also warned that account security was “a multifaceted issue” and one that required constant vigilance on the part of everyone. The total number of compromised accounts was only 1% of all accounts, but with a game as popular as Rift, that can be a significant number indeed.


Image: Rift secured. Caption: One code to unlock them all.

The reaction from the community, when this was brought to light, was overwhelmingly positive. The vast majority of them were impressed that it wasn't covered up or swept under the rug, while many of those affected by the issue felt vindicated. But as Scott's official post to the community stated, one vulnerability fix doesn't end the war on accounts, and those who participate in risky behavior will always be the most susceptible to compromise.



We would like to thank Scott for sitting down with us on both occasions, and we look forward to many more interviews with the entire Rift team in the future.



Last Updated: Mar 29, 2016
