
Sealing the Rift: A Look at Account Security Featuring Exclusive Interviews with Scott Hartsman

Updated Tue, Mar 22, 2011 by Medawky



In all the myriad tasks associated with gaming, none can rival launching an MMOG in terms of scope and magnitude. As the genre continues to evolve and grow, the difficulty level increases exponentially. In addition to higher expectation levels and higher populations, new mechanics and systems keep getting added to the mix, which creates a perfect breeding ground for launch day snafus. When Rift experienced a remarkably smooth launch that was marred only by server queues created by higher than expected popularity, it seemed they had dodged the pitfalls that beset most of their brethren.

But early on the reports began pouring in of account compromises, hacked accounts stripped of all their valuables and left like some stolen Honda on the side of the road. Our very first post-launch interview, which took place during our trip to GDC, hinted strongly at just how much of an issue account security would become. Our first inkling of the issue was the overabundance of gold spammers that set up shop within hours of the live launch. We asked Scott Hartsman about this:


Ten Ton Hammer: Were you surprised by the amount of gold spammers that were present at launch?

Scott: We really weren’t.  We had a chat filter installed and listening to all that was going on throughout beta and it was already paying attention to user reports.  After about four days of internally logging this information and looking at what users were reporting, we turned it on and began the process of kicking spammers offline and blocking their access.  So the first three days were really loud, we didn’t want to jump the gun on auto kicking and auto banning, but once we knew it was working properly it got a hell of a lot quieter as we started banning accounts.

Scott then proceeded to show us some pretty amazing integration he had on his tablet computer that allowed him to remotely access any realm, view spam filters and access detailed information. Color us impressed. As we viewed the spam filter you could see how it compiled its own dictionary and flagged words based on how users reacted to them. Using this info it began to cast a net with which to catch the offending users and remove them from the game.

Scott: It’s hilarious to see some of the unique and creative ways the spammers are using to try and get around the filters, but the users aren’t fooled and they report it just as quickly.  There were some gold farmers that woke up to a really bad morning this morning.

[Image: Rift Hacked. Caption: Please, give me back my armor.]

Ten Ton Hammer: It seems like this sort of preparedness is a must these days.

Scott: You have to be, the speed with which these attacks come is truly surprising. It shocked me and I have been doing this a long time. The day we opened for headstart, the incoming traffic from people trying dictionary attacks on people’s accounts was unreal.

Ten Ton Hammer: Do they try DDoS attacks on you as well?

Scott: We have load balancers and firewalls to deter that, but one of the neat things we are doing for people trying to attack us with bad logins is that if you do it enough times we redirect you to the Chinese Internet Ministry to report yourself. We do that in the hardware so we don’t have to write special software for that. Fortunately internet security hardware has really leveled up in the past few years to stop brute-force style attacks.



[Image: Rift hack. Caption: Despite assurances to the contrary, this probably isn't safe and secure.]

I found this last bit particularly interesting, as many users on the official Rift forums began to toss about this notion that Trion had no brute-force protection. I couldn’t understand what was worse, though: the users who pulled this supposed information out of their asses or the others who jumped on the bandwagon and lashed out in anger that a company could be so careless. It did illustrate just how passionate an issue this was to the playerbase, however, and things were only just heating up.

As the second week gave way to the third, the number of threads on the forums related to account hacks and security exploded. While many users wondered just what the hell was going on, the community seemed to be divided firmly into two camps: those who had been hacked but swore they didn’t do anything to jeopardize their accounts, and those that ridiculed them. When we caught back up with Scott at PAX East, it was once again at the forefront of our discussion.

"I’m primarily concerned with keeping our customers safe. That’s the overriding factor, the fact that there is active fraud and active theft and active breaking the law against our community and it pisses me off. "

Scott Hartsman

Ten Ton Hammer: Do you feel using e-mail addresses for logins is a security compromise?

Scott: It really isn’t. The two main ways that people will gain access this way is from either an account that was previously compromised in another game and the same credentials are used, or from phishing websites. So if you used the same credentials in both games it wouldn’t matter if it were a unique user name or an email address, they will still have that information. The newest phishing site we came across was riftgame.net, which the link said riftgame.com, but you know the nature of links and how they work – it took you to the .net site and they phished out a bunch of passwords that way. We have been reminding people “don’t click on links in emails, always copy and paste it – anything that will come from us will allow you to copy and paste.”

Ten Ton Hammer: Do you have a legal department that handles the phishing sites?

Scott: Yep, exactly. Not only that but then we get them added to the search engines as known malware sites. So we are working with ISPs, search engines and trademark people to combat these things. 


Ten Ton Hammer: Are the brute-force protections still in place?

Scott: Yes, if you try and brute force us, and you come from China, you will be redirected to Chinese Internet Protection website and you will be submitting a report against yourself.  That being said security is still something we are working on day by day, improvement by improvement.
