In all the myriad tasks associated with gaming, none can rival
launching an MMOG in terms of scope and magnitude. As the genre
continues to evolve and grow, the difficulty level increases
exponentially. In addition to higher expectation levels and
higher populations, new mechanics and systems keep getting added to the
mix, which creates a perfect breeding ground for launch day snafus. When
the launch proved remarkably smooth, marred only by server
queues created by higher than expected popularity, it seemed they had
dodged the pitfalls that beset most of their brethren.
But early on the reports began pouring in of account compromises,
hacked accounts stripped of all their valuables and left like some
stolen Honda on the side of the road. Our very first post-launch
interview, which took place during our trip to GDC, hinted strongly at
just how much of an issue account security would become.
Our first inklings of the issue were the overabundance of gold spammers
that set up shop within hours of the live launch. We asked Scott
Hartsman about this:
Ton Hammer: Were you surprised by the amount of gold spammers that were
present at launch?
weren’t. We had a chat filter installed and listening to all
that was going on throughout beta and it was already paying attention
to user reports. After about four days of internally logging
this information and looking at what users were reporting, we turned it
on and began the process of kicking spammers offline and blocking their
access. So the first three days were really loud, we didn’t
want to jump the gun on auto kicking and auto banning, but once we knew
it was working properly it got a hell of a lot quieter as we started
Scott then proceeded to show us some pretty amazing integration he had
on his tablet computer that allowed him to remote access any realm,
view spam filters and access detailed information. Color us
impressed. As we viewed the spam filter you could see how it
compiled its own dictionary and flagged words based on how users
reacted to them. Using this info it began to cast a net with which to
catch the offending users and remove them from the game.
Scott: It’s hilarious to see some of
the unique and creative ways the spammers are using to try and get
around the filters, but the users aren’t fooled and they report it just
as quickly. There were some gold farmers that woke up to a
really bad morning this morning.
Ton Hammer: It seems like this sort of preparedness is a must
You have to
be, the speed with which these attacks come is truly surprising. It
shocked me and I have been doing this a long time. The day we opened
for headstart, the incoming traffic from people trying dictionary
attacks on people’s accounts was unreal.
Ton Hammer: Do they try DDoS attacks on you as well?
Scott: We have load balancers and
firewalls to deter that, but one of the neat things we are doing for
people trying to attack us with bad logins is that if you do it enough
times we redirect you to the Chinese Internet Ministry to report
yourself. We do that in the hardware so we don’t have to write special
software for that. Fortunately internet security hardware has really
leveled up in the past few years to stop brute-force style attacks.
[Image captions: "Please, give me back my armor." and "...assurances to the contrary, this probably isn't safe and secure."]
I found this last bit particularly interesting as many users on the
forums began to toss about this notion that Trion had no brute-force
protection. I couldn’t understand what was worse though, the users who
pulled this supposed information out of their asses or the others who
jumped on the bandwagon and lashed out in anger that a company could be
so careless. It did illustrate just how passionate an issue this was
to the playerbase, however, and things were only just heating up.
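The kind of repeated-bad-login check Scott describes, as an added example that is not code from the article or from Trion's systems: a sliding-window count of failed logins per source over constructed log lines. The log format, field names and the five-failures-in-ten-minutes threshold are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample auth log (not from the article or from any real system).
SAMPLE_LOG = """\
2011-03-01T10:00:00Z login_fail account=alice src=203.0.113.5
2011-03-01T10:00:01Z login_fail account=alice src=203.0.113.5
2011-03-01T10:00:02Z login_fail account=alice src=203.0.113.5
2011-03-01T10:00:03Z login_fail account=alice src=203.0.113.5
2011-03-01T10:00:04Z login_fail account=alice src=203.0.113.5
2011-03-01T10:00:05Z login_fail account=alice src=203.0.113.5
2011-03-01T10:00:10Z login_ok account=bob src=198.51.100.7
2011-03-01T10:05:00Z login_fail account=carol src=198.51.100.7
2011-03-01T10:30:00Z login_fail account=carol src=198.51.100.7
"""

# Assumed log format; the field names are made up for this example.
LINE_RE = re.compile(r"^(\S+) (login_fail|login_ok) account=(\S+) src=(\S+)$")

def parse_line(line):
    """Return (timestamp, outcome, account, src), or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m.group(2), m.group(3), m.group(4)

def detect_bursts(lines, threshold=5, window=timedelta(minutes=10)):
    """Flag each source whose failed logins inside a sliding `window` reach `threshold`.
    Returns {src: {"failures": n, "accounts": [...]}} as counted at the moment the
    source first crossed the threshold; successes and unparseable lines are ignored."""
    recent = defaultdict(deque)   # src -> (timestamp, account) of failures inside the window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[1] != "login_fail":
            continue
        ts, _, account, src = parsed
        q = recent[src]
        q.append((ts, account))
        while q and ts - q[0][0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and src not in flagged:
            flagged[src] = {"failures": len(q),
                            "accounts": sorted({a for _, a in q})}
    return flagged
```

A source that trips the check is the point at which a real deployment would throttle or redirect, as Scott describes; the distinct-account list separates a dictionary attack on one account from a spray across many.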
As the second week gave way to the third, the number of threads
on the forums related to account hacks and security exploded. While
many users wondered just what the hell was going on, the community
seemed to be divided firmly into two camps: those who had been hacked
but swore they didn’t do anything to jeopardize their accounts and
those that ridiculed them. When we caught back up with Scott at PAX
East, it was once again at the forefront of our discussion.
Ton Hammer: Do you feel using e-mail addresses for logins is a security
Scott: It really isn’t. The two main
ways that people will gain access this way is from either an account
that was previously compromised in another game and the same
credentials are used, or from phishing websites. So if you
used the same credentials in both games it wouldn’t matter if it were a
unique user name or an email address, they will still have that
information. The newest phishing site we came across was riftgame.net,
which the link said riftgame.com, but you know the nature of links and
how they work – it took you to the .net site and they phished out a
bunch of passwords that way. We have been reminding people “don’t click
on links in emails, always copy and paste it – anything that will come
from us will allow you to copy and paste.”
Ton Hammer: Do you have a legal department that handles the phishing
Scott: Yep, exactly.
Not only that but then we get them added to the search engines as known
malware sites. So we are working with ISPs, search engines and
trademark people to combat these things.
Ton Hammer: Are the brute-force protections still in place?
Scott: Yes, if you try and brute force
us, and you come from China, you will be redirected to Chinese Internet
Protection website and you will be submitting a report against
yourself. That being said security is still something we are
working on day by day, improvement by improvement.
"I’m primarily concerned with
keeping our customers safe. That’s the overriding factor, the fact
that there is active fraud and active theft and active breaking the law against
our community and it pisses me off."
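The link-text versus destination mismatch Scott describes (a link that reads riftgame.com but lands on riftgame.net), as an added example that is not code from the article or from Trion: a check that walks the anchors in a constructed e-mail body and flags any whose visible text names a different domain than the href. Comparing the last two labels is a simplification assumed here; suffixes like co.uk need the public suffix list.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed e-mail body modelled on the article's description (not a real message).
SAMPLE_EMAIL = """
<p>Verify your account at <a href="http://riftgame.net/login">riftgame.com</a> today.</p>
<p>Account tools: <a href="https://www.riftgame.com/account">https://riftgame.com</a></p>
<p>Need help? <a href="https://example.org/help">Read the help page</a>.</p>
"""

def registrable_domain(host):
    """Last two labels of a hostname (assumed simplification of eTLD+1)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def host_in_text(text):
    """Hostname a reader would take the link text to mean, or None if the text is not URL-like."""
    t = text.strip()
    if not t or " " in t:
        return None
    host = urlparse(t if "://" in t else "http://" + t).hostname
    return host if host and "." in host.rstrip(".") else None

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []   # links: (href, visible text)
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None

def find_mismatched_links(html):
    """Return [(shown text, real host)] for links whose text names a domain the href does not go to."""
    parser = LinkCollector()
    parser.feed(html)
    mismatches = []
    for href, text in parser.links:
        shown = host_in_text(text)
        actual = urlparse(href).hostname or ""
        if shown and registrable_domain(shown) != registrable_domain(actual):
            mismatches.append((text.strip(), actual))
    return mismatches
```

The www.riftgame.com link is not flagged because a subdomain of the named domain is the legitimate case; only the cross-domain redirect is reported.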