Sealing the Rift: A Look at Account Security Featuring Exclusive Interviews with Scott Hartsman
In all the myriad tasks associated with gaming, none can rival
launching an MMOG in terms of scope and magnitude. As the genre
continues to evolve and grow, the difficulty level increases
exponentially. In addition to higher expectation levels and
higher populations, new mechanics and systems keep getting added to the
mix, which creates a perfect breeding ground for launch day snafus. When
Rift experienced a remarkably smooth launch that was marred only by server
queues created by higher than expected popularity, it seemed they had
dodged the pitfalls that beset most of their brethren.
But early on the reports began pouring in of account compromises:
hacked accounts stripped of all their valuables and left like some
stolen Honda on the side of the road. Our very first post-launch
interview, which took place during our trip to GDC, hinted strongly at
just how much of an issue account security would become.
Our first inklings of the issue were the overabundance of gold spammers
that set up shop within hours of the live launch. We asked Scott
Hartsman about this:
Ten Ton Hammer: Were you surprised by the amount of gold spammers that
were present at launch?
Scott: ...weren't. We had a chat filter installed and listening to all
that was going on throughout beta, and it was already paying attention
to user reports. After about four days of internally logging
this information and looking at what users were reporting, we turned it
on and began the process of kicking spammers offline and blocking their
access. So the first three days were really loud; we didn't
want to jump the gun on auto-kicking and auto-banning, but once we knew
it was working properly it got a hell of a lot quieter as we started
Scott then proceeded to show us some pretty amazing integration he had
on his tablet computer that allowed him to remotely access any realm,
view spam filters and access detailed information. Color us
impressed. As we viewed the spam filter, we could see how it
compiled its own dictionary and flagged words based on how users
reacted to them. Using this info it began to cast a net with which to
catch the offending users and remove them from the game.
Scott: It's hilarious to see some of
the unique and creative ways the spammers are using to try and get
around the filters, but the users aren't fooled and they report it just
as quickly. There were some gold farmers that woke up to a
really bad morning this morning.
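As an added illustration of the report-driven filter described above (my own example code, not Trion's filter; the chat lines and the report list are constructed, and the weighting scheme is an assumption about how such a filter might work), the following builds a word dictionary from player reports, scores new messages against it, and flags a sender who was never reported himself because his message reuses the learned vocabulary:

```python
import re
from collections import Counter

# Constructed sample data (not taken from the article): chat lines keyed by
# sender, plus the list of senders that players clicked "report" on.
MESSAGES = [
    ("seller1", "cheap gold visit example-gold-site now fast delivery"),
    ("seller2", "cheap gold fast delivery best price"),
    ("player1", "anyone want to run the dungeon tonight?"),
    ("seller3", "gold cheap delivery 5 min"),
]
REPORTS = ["seller1", "seller1", "seller2", "seller1", "seller2"]

# Split on anything that is not a letter or digit, so a spelling such as
# "example-gold-site" is still seen as the words it is made of.
TOKEN_RE = re.compile(r"[a-z0-9]+")


def tokenize(text):
    """Distinct lower-cased words of one message."""
    return set(TOKEN_RE.findall(text.lower()))


def build_dictionary(messages, reports, min_reports=2):
    """Learn a spam vocabulary from player reports.

    A word's weight is the number of reports that landed on messages
    containing it. A word that shows up in more unreported messages than
    reported ones is dropped, so ordinary chat vocabulary is not learned.
    """
    reports_per_sender = Counter(reports)
    weights = Counter()
    in_reported = Counter()
    in_unreported = Counter()
    for sender, text in messages:
        words = tokenize(text)
        n = reports_per_sender[sender]
        if n >= min_reports:
            for w in words:
                weights[w] += n
                in_reported[w] += 1
        else:
            for w in words:
                in_unreported[w] += 1
    for w in list(weights):
        if in_unreported[w] > in_reported[w]:
            del weights[w]
    return weights


def score_message(text, dictionary):
    """Sum of learned weights over the distinct words in one message."""
    return sum(dictionary.get(w, 0) for w in tokenize(text))


def flag_senders(messages, dictionary, threshold):
    """Senders whose message scores at or above the threshold, sorted."""
    flagged = {s for s, t in messages if score_message(t, dictionary) >= threshold}
    return sorted(flagged)


DICTIONARY = build_dictionary(MESSAGES, REPORTS)

if __name__ == "__main__":
    for sender, text in MESSAGES:
        print(sender, score_message(text, DICTIONARY))
    print("flagged:", flag_senders(MESSAGES, DICTIONARY, threshold=10))
```

With this data "seller3" is never reported, but his message is built from the same words the reports taught the filter, so he is caught by the net anyway; the normal dungeon-group message scores zero. The threshold and the "more unreported than reported" rule are the two knobs that decide how aggressive the filter is.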
Ten Ton Hammer: It seems like this sort of preparedness is a must.
Scott: You have to
be; the speed with which these attacks come is truly surprising. It
shocked me and I have been doing this a long time. The day we opened
for headstart, the incoming traffic from people trying dictionary
attacks on people's accounts was unreal.
Ten Ton Hammer: Do they try DDoS attacks on you as well?
Scott: We have load balancers and
firewalls to deter that, but one of the neat things we are doing for
people trying to attack us with bad logins is that if you do it enough
times we redirect you to the Chinese Internet Ministry to report
yourself. We do that in the hardware so we don't have to write special
software for that. Fortunately internet security hardware has really
leveled up in the past few years to stop brute-force style attacks.
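The brute-force protection Scott describes lives in the network hardware. As an added software-side illustration of the same idea (my example, not Trion's implementation; the limits, the addresses and the two scenarios are constructed), this is a sliding-window throttle that counts failed logins per source address and per account, so both a single account hammered with guesses and one source trying one guess against many accounts run into a limit before the password check is ever reached:

```python
import time
from collections import defaultdict, deque


class FakeClock:
    """Controllable clock so the scenarios below are deterministic."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class LoginThrottle:
    """Sliding-window failed-login throttle keyed by source address and by
    account name. The limits are constructed for this example."""

    def __init__(self, window_s=300, max_per_source=20, max_per_account=5,
                 clock=time.monotonic):
        self.window_s = window_s
        self.max_per_source = max_per_source
        self.max_per_account = max_per_account
        self.clock = clock
        self._by_source = defaultdict(deque)   # timestamps of failures
        self._by_account = defaultdict(deque)

    def _recent(self, dq, now):
        """Drop timestamps older than the window and return what is left."""
        while dq and now - dq[0] > self.window_s:
            dq.popleft()
        return len(dq)

    def is_blocked(self, source, account):
        """True when either counter has reached its limit inside the window."""
        now = self.clock()
        return (self._recent(self._by_source[source], now) >= self.max_per_source
                or self._recent(self._by_account[account], now) >= self.max_per_account)

    def record_failure(self, source, account):
        now = self.clock()
        self._by_source[source].append(now)
        self._by_account[account].append(now)

    def record_success(self, account):
        """A real login clears the account counter; the source counter stays."""
        self._by_account.pop(account, None)


def run_scenario(attempts, window_s=300):
    """Replay (source, account) attempts one second apart, all with wrong
    passwords, and return (verified, refused): how many reached the password
    check and how many the throttle turned away before checking."""
    clock = FakeClock()
    throttle = LoginThrottle(window_s=window_s, clock=clock)
    verified = refused = 0
    for source, account in attempts:
        if throttle.is_blocked(source, account):
            refused += 1
        else:
            verified += 1
            throttle.record_failure(source, account)
        clock.advance(1)
    return verified, refused


# Constructed scenarios; 203.0.113.0/24 is a documentation address range.
ONE_ACCOUNT_MANY_GUESSES = [("203.0.113.9", "victim")] * 8
ONE_SOURCE_MANY_ACCOUNTS = [("203.0.113.9", f"user{i}") for i in range(30)]

if __name__ == "__main__":
    print("one account:", run_scenario(ONE_ACCOUNT_MANY_GUESSES))
    print("many accounts:", run_scenario(ONE_SOURCE_MANY_ACCOUNTS))
```

The per-account limit stops a dictionary attack on one login after five checks; the per-source limit is what catches a source that spreads single guesses across many accounts, where no individual account counter ever fills up. Both counters age out, so a legitimate user who mistypes a password is only delayed, not locked out forever.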
[Image caption: "...assurances to the contrary, this probably isn't safe and secure."]
I found this last bit particularly interesting, as many users on the
forums began to toss about this notion that Trion had no brute-force
protection. I couldn't understand what was worse though, the users who
pulled this supposed information out of their asses or the others who
jumped on the bandwagon and lashed out in anger that a company could be
so careless. It did illustrate just how passionate of an issue this was
to the playerbase however, and things were only just heating up.
As the second week gave way to the third, the number of threads
on the forums related to account hacks and security exploded. While
many users wondered just what the hell was going on, the community
seemed to be divided firmly into two camps: those who had been hacked
but swore they didn't do anything to jeopardize their accounts, and
those that ridiculed them. When we caught back up with Scott at PAX
East, it was once again at the forefront of our discussion.
"I'm primarily concerned with keeping our customers safe. That's the
overriding factor, the fact that there is active fraud and active theft
and active breaking the law against our community and it pisses me off."
Ten Ton Hammer: Do you feel using e-mail addresses for logins is a security
Scott: It really isn't. The two main
ways that people will gain access this way is from either an account
that was previously compromised in another game and the same
credentials are used, or from phishing websites. So if you
used the same credentials in both games it wouldn't matter if it were a
unique user name or an email address; they will still have that
information. The newest phishing site we came across was riftgame.net,
which the link said riftgame.com, but you know the nature of links and
how they work: it took you to the .net site and they phished out a
bunch of passwords that way. We have been reminding people: don't click
on links in emails, always copy and paste it; anything that will come
from us will allow you to copy and paste.
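The riftgame.com / riftgame.net case Scott describes is a mismatch between the hostname a link shows and the hostname it goes to. As an added example (mine, not Trion's; the e-mail body is constructed, and the registrable-domain helper is a naive two-label approximation rather than a public suffix list), this checks the links in an HTML message two ways: does the hostname the reader sees match the hostname the link actually targets, and does the target fall outside an allowlist of the sender's own domains:

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real e-mail); the .com/.net pair is the
# lookalike case mentioned in the interview.
SAMPLE_EMAIL = """
<p>Your account needs verification. Log in at
<a href="http://riftgame.net/login">http://riftgame.com/login</a> today.</p>
<p>Support: <a href="https://support.riftgame.com/help">support.riftgame.com</a></p>
<p><a href="http://riftgame.net/promo">Click here</a> for a free mount.</p>
"""

# Something that looks like a hostname inside visible link text.
HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_anchors(html):
    parser = _AnchorCollector()
    parser.feed(html)
    parser.close()
    return parser.anchors


def registrable(host):
    """Naive 'last two labels' approximation of the registrable domain.
    Assumption for this example; real code should consult a public suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def displayed_host(text):
    """Hostname a reader would see in the link text, if any."""
    m = HOST_IN_TEXT.search(text)
    return m.group(1).lower() if m else None


def find_mismatched_links(html):
    """Links whose visible hostname and real target differ in registrable domain."""
    out = []
    for href, text in extract_anchors(html):
        shown = displayed_host(text)
        target = (urlparse(href).hostname or "").lower()
        if shown and target and registrable(shown) != registrable(target):
            out.append((text, target))
    return out


def links_off_allowlist(html, allowed_domains):
    """Link targets whose registrable domain is not one the sender owns."""
    allowed = {registrable(d) for d in allowed_domains}
    return [href for href, _ in extract_anchors(html)
            if registrable(urlparse(href).hostname or "") not in allowed]


if __name__ == "__main__":
    print("text/target mismatches:", find_mismatched_links(SAMPLE_EMAIL))
    print("off-allowlist targets:", links_off_allowlist(SAMPLE_EMAIL, {"riftgame.com"}))
```

The first check is exactly the trick in the interview: the text reads riftgame.com, the target is riftgame.net. The second check is the one that also catches "Click here" links, which show no hostname at all, and it is the mechanical form of Scott's advice to copy and paste rather than click: what matters is where the link goes, not what it says.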
Ten Ton Hammer: Do you have a legal department that handles the phishing
Scott: Yep, exactly.
Not only that, but then we get them added to the search engines as known
malware sites. So we are working with ISPs, search engines and
trademark people to combat these things.
Ten Ton Hammer: Are the brute-force protections still in place?
Scott: Yes, if you try and brute force
us, and you come from China, you will be redirected to the Chinese Internet
Protection website and you will be submitting a report against
yourself. That being said, security is still something we are
working on day by day, improvement by improvement.
Ten Ton Hammer: What are you working on right now?
Scott: What we are working on right
now is economy locking your account, such as if you log on from a new
IP address that we don't recognize from you and you haven't
authenticated yourself by answering the secret question or some other
form of verification, your character will not be able to give, sell or
destroy anything until you look in your email and get an unlock code.
We are also looking at a two-factor, like an iOS or Android app, which
we are pushing forward on as much as we can.
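An added worked example of the economy lock just described (my own code, not Trion's; the code format, the expiry, the attempt limit and the addresses are assumptions): a login from an address the account has not been seen on before puts it into a locked state in which give, sell and destroy are refused, and only a fresh unlock code, delivered out of band by the caller and compared in constant time, clears the lock and records the address as known:

```python
import hashlib
import hmac
import secrets
import time


class AccountGuard:
    """Economy-lock state for one account (assumed design, not Trion's code).

    A login from an unknown address locks give/sell/destroy and returns an
    unlock code that the caller is expected to e-mail to the account owner.
    """

    CODE_TTL_S = 15 * 60   # assumed: a code expires after 15 minutes
    MAX_CODE_TRIES = 5     # assumed: guessing the code is limited too

    def __init__(self, known_ips, clock=time.time):
        self.known_ips = set(known_ips)
        self.clock = clock
        self.economy_locked = False
        # [sha256(code), expiry time, address being verified, tries left]
        self._pending = None

    def login(self, source_ip):
        """Return None for a known address, else the one-time unlock code."""
        if source_ip in self.known_ips:
            return None
        self.economy_locked = True
        code = secrets.token_hex(4).upper()   # 8 hex characters, assumed format
        digest = hashlib.sha256(code.encode()).digest()
        self._pending = [digest, self.clock() + self.CODE_TTL_S,
                         source_ip, self.MAX_CODE_TRIES]
        return code

    def unlock(self, code):
        """Verify a submitted code; on success clear the lock and trust the address."""
        if self._pending is None:
            return False
        digest, expires, source_ip, tries_left = self._pending
        if self.clock() > expires or tries_left <= 0:
            self._pending = None           # stale or exhausted: log in again
            return False
        submitted = hashlib.sha256(code.encode()).digest()
        if not hmac.compare_digest(submitted, digest):
            self._pending[3] = tries_left - 1
            return False
        self.economy_locked = False
        self.known_ips.add(source_ip)
        self._pending = None
        return True

    def economy_action(self, action):
        """Server-side gate for give/sell/destroy; returns (allowed, reason)."""
        if action in ("give", "sell", "destroy") and self.economy_locked:
            return False, "economy-locked until the e-mailed unlock code is entered"
        return True, "ok"


if __name__ == "__main__":
    guard = AccountGuard(known_ips=["198.51.100.7"])   # constructed address
    code = guard.login("203.0.113.50")                 # constructed new address
    print("locked:", guard.economy_action("sell"))
    print("unlock with e-mailed code:", guard.unlock(code))
    print("after unlock:", guard.economy_action("sell"))
```

The point of the design is that whoever logs in with a stolen password but without access to the owner's mailbox can still play, but cannot move anything of value off the character. Only the code's hash is kept server-side, the comparison is constant-time, and a code that has expired or been guessed at too many times forces a new login rather than staying valid indefinitely.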
Ten Ton Hammer: One of the major gold selling sites stated that Rift was
the most requested game at launch in the history of their business;
does this flatter you or frighten you?
Scott: Flattering, since
you know there is always going to be gold sellers, which is why we
launched with a chat filter. We are currently working on taking the
next step with that chat filter and applying it to in-game mail.
Ten Ton Hammer: How many accounts have you banned since launch?
Scott: Off the top
of my head, it's multiple thousands. I don't have the hard number in
front of me, but we get reports every hour of active hackers. The real
problem is that a lot of them are registering accounts with stolen
credit cards, and a lot of them unfortunately recycle credit cards of
people who buy from them. It's really dangerous to give your credit
card to those kinds of places; it's got to be a hellacious experience
to wake up one morning and find that the company you just bought gold
from used your credit card to charge 250 copies of the game to. It's
best just to stay away from that whole ecosystem.
Ten Ton Hammer: Is there any way to stop it completely?
Scott: I think that economy
locking will be interesting. Economy locking and the cell phone based
two-factor will be a good place to be. When my cell phone becomes my
account key then I'm pretty confident that it's only me that is getting
into that account. I know it isn't the cutting edge of technology, but
it is extremely effective and among the least inconvenient ways to help
secure an account. I'm less concerned about stopping the gold selling
market; it's always going to exist some way or another, and I'm
primarily concerned with keeping our customers safe. That's
the overriding factor, the fact that there is active fraud and active
theft and active breaking the law against our community and it pisses
me off.
While some members of the community questioned Trion's commitment to
account security and their customers, the reality is that they have
more invested in keeping these accounts secure than anyone. While Mr.
Furious-Account-Got-Hacked man may be railing on about his 50
dollars he spent on the game, millions of dollars were at stake for
Trion if the game ultimately failed due to account hacks.
As the epidemic reached its crescendo, the mystery of the pervasive
account compromises was finally solved, and it was done by a player
who was doing a bit of ethical hacking in an attempt to help fix the
problem. Known on the forums as ManWitDaPlan, this user was
frustrated by his own experience of loss
(http://forums.riftgame.com/showthread.php?125019-Hacking-spree-or-server-side-data-corruption-or-both&highlight=)
but noticed some discrepancies with a typical account hack:
With the hacking fiasco
currently raging across the game, I'm seeing enough strangeness to
wonder if Trion isn't facing two simultaneous issues: a wildly
successful large-scale hacking of the game's security and a potentially
catastrophic problem with the game's back-end code. My particular
"hacking" case deviates from the norm for game account hacks - my
inventory is mostly gone, as is my money, but my bank was never
A number of other posts on the forums include behaviors that are
inconsistent with account theft: partial inventory losses, inventories
left alone but banks are emptied, banks left alone but inventories are
emptied, etc. etc. etc. Also, quite a number of victims that report
unorthodox account damage were hard targets to begin with and tested
I suspect, and I know this will probably not be confirmed, that the
hacking was a brute-force attack against Trion's account management
and/or authentication servers, and/or an active exploit against one or
more weaknesses in Trion's systems, and not any form of client-side
malware. This would certainly explain why people that are more than
savvy enough to not get nailed by keyloggers, etc. still got hit. This
particular concern is a major catastrophe for Trion if it's true, for
it calls into question the entire security side of Trion's operation
and throws loads of obstacles between Trion and making money from game
account subscriptions. Needless to say, Trion is likely desperate to
get the hacks under control, whatever the attack vector may be, before
significant numbers of players withdraw their billing data and opt out
of continued play come April.
I also suspect, and this too will probably not be confirmed, that Trion
is also fighting a back-end data-corruption issue that is the cause of
the stranger "hack" cases where someone that had a reasonably
uncrackable password fell prey to, and I suspect this may relate to
either the hotbar-icon hotfix, or the attacks against Trion, or both. A
corruption issue would certainly cause abnormal-for-a-hacked-account
changes to inventory/bank contents, and could also explain cases where
one of a number of characters on one account was hit and not all of
them, random characters were deleted, etc., which is also deviating
from the norm a bit for hacking cases. Distinguishing such an event
from a hackfest would be tough at best and at worst well nigh
impossible, and it'd be easy for an inventory bug to get lost in the
sea of stolen inventory items during the hacking spree.
Trion is stuck in a no-win situation at this point, as each passing
hour waiting for (surprised and subsequently hideously
overloaded) Trion's customer support adds more frustration to players
waiting for support to fix their destroyed characters (I'm on day three
since posting a GM request on my "hack"), and each new report of
unusual circumstances that don't fit the normal modus operandi for a
hacked account serves to only undermine any faith in Trion's account -
and by extension, billing - security. This came on hard and fast and
Trion is obviously scrambling to stop the ongoing hacks, shore up
security, and perform some semblance of damage control. In the
meantime, victims of the security failure that shouldn't have been
victims under normal circumstances are already looking to divest
themselves of this particular Pandora's Box before it evolves into a
To make matters worse, some folks are reporting being told it may be
several days before their destroyed accounts can be recovered. Many of
them are not going to wait that long, and when they go, the $10-$15 a
month they were planning to spend goes with them. This means even more
pressure for Trion to get a handle on the situation, and fast.
While a post like this may be glossed over by some companies, it seems
that the folks at Trion were noticing something similar and made the
unusual move of directly contacting this user to find out
more and work with his data to craft a solution. The result was a
hotfix that was developed and deployed in just over two hours from the
time of that conversation. Scott Hartsman publicly thanked ManWitDaPlan
for his assistance
(http://forums.riftgame.com/showthread.php?131497-Weekend-Security-Update)
but also warned that account security was a multifaceted issue and one
that required constant vigilance on the part of everyone. The total
number of compromised accounts was only 1% of all accounts, but with a
game as popular as Rift, that can be a significant number indeed.
The reaction from the community, when this was brought to light, was
overwhelmingly positive. The vast majority of them were impressed that
it wasn't covered up or swept under the rug, while many of those
affected by the issue felt vindicated. But as Scott's official post to
the community stated, one vulnerability fix doesn't stop the war on
accounts, and those who do participate in risky behavior will always be
the most susceptible to compromises.
We would like to thank Scott for sitting down with us on both occasions
and we look forward to many more interviews with the entire Rift team in the