by Nicole163 on May 30, 2011
LotRO Account Security - Keeping Your Freeps Safe from Hacker Creeps
It needs to be said: Turbine could stand to invest some of
that juicy F2P money into keeping the Lord of the Rings Online
players' accounts safe from
hackers. Over the past few months, several people I know have had their
accounts compromised by thieves - their characters are systematically
logged in and stripped of valuables and, in one case, deleted. Since
the launch of free-to-play, this has become a rather serious problem,
and the more popular the game gets, the more likely it is to
continue... or increase.
One of the chief weaknesses of the current security is the
fact that every player's account name is shown publicly on the LotRO
forums - indeed, on all of the LotRO Community sites. Your game account
is your forum account. Searching for a particular character shows the
account to which that character is tied. The player profile page - if
the player bothers filling it out, which many forum-users do -
potentially shows the other characters on that account. It also
provides a bit of insight into how much that player's characters might
be worth, money-wise.
Beyond the username/password login, there is really no other
kind of verification or validation to determine whether or not the user
logging in is the owner of the account. All anyone needs to access your
account is your username (which is not hard to get)
and password. You can log into your account from anywhere
without hassle... and so can the hackers.
The way the password system is set up now, you can keep
failing and failing password attempts without getting locked out. This
allows "brute force" hackers to sniff out passwords by a process of
trial-and-error. If the password is, for example, a simple,
all-lower-case word, it can be sniffed out fairly easily.
Say what you will about World of Warcraft
in general, but Blizzard doesn't screw around with account security.
WoW has that nifty little keychain-dongle thing and a
similar-functioning app for smartphones. This kind of externalized
additional security is an aegis against remote access from gold-farmers
who don't have the little account-tied code generator. It's like having
a combination lock plus an actual key: you don't get into the safe
without both.
[Image: LotRO Authenticator] This product does not really exist... but it should.
Rift introduced a new security measure in March which locks out the affected
character's money and prevents selling of gear when the account is
accessed from a "significantly different location" than usual. Account
holders will be sent an email when such suspicious activity occurs, and
can enter a code in-game to unlock their bankroll.
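The flow described for Rift, sketched as an added example (this is not Rift's or Turbine's code; the class, method names and the cap on wrong codes are hypothetical). It assumes "significantly different location" is decided by comparing a coarse region label against the regions the owner has already confirmed.

```python
import hmac
import secrets


class CoinLock:
    """Freeze on currency and vendor sales for one account (hypothetical names)."""

    MAX_TRIES = 5  # assumption: wrong codes allowed before the code is burned

    def __init__(self, usual_regions):
        self.known = set(usual_regions)  # regions the owner has confirmed
        self.pending = None              # unfamiliar region awaiting confirmation
        self._code = None                # one-time code e-mailed to the owner
        self._tries = 0

    def login(self, region):
        """Return a code to e-mail if this login triggers or renews the freeze."""
        if region in self.known:
            return None                  # familiar place; an existing freeze stays
        self.pending, self._tries = region, 0
        self._code = secrets.token_hex(4)
        return self._code

    def may_spend_or_sell(self):
        """Playing is still allowed while frozen; moving wealth is not."""
        return self.pending is None

    def unlock(self, submitted):
        """Owner types the e-mailed code in-game to release the freeze."""
        if self._code is None:
            return False                 # no freeze, or the code was burned
        if hmac.compare_digest(submitted.encode(), self._code.encode()):
            self.known.add(self.pending)
            self.pending = self._code = None
            return True
        self._tries += 1
        if self._tries >= self.MAX_TRIES:
            self._code = None            # burned: freeze holds until a new code
        return False
```

The freeze protects only as well as the e-mail account that receives the code, so that mailbox needs its own strong, separate password.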
Locking out accounts after X number of
failed login attempts would prevent "brute force" hackers from sniffing
out passwords. Banks do this with debit cards - enter the wrong PIN
three times and you have to call the bank and explain yourself.
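A sketch of the lockout proposed above, as an added example (not Turbine's code; class and function names are hypothetical). It assumes a timed lock that doubles on each repeat rather than a permanent one: account names are public on the forums, so a permanent lock could be tripped by anyone who knows the name.

```python
import hashlib
import hmac
import os


class LoginGuard:
    """Password check with a temporary, doubling lockout (hypothetical names)."""

    def __init__(self, max_failures=3, base_lock_seconds=60):
        self.max_failures = max_failures
        self.base_lock = base_lock_seconds
        self.users = {}   # account name -> (salt, password hash)
        self.state = {}   # account name -> [failures, lockouts, locked_until]

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, name, password):
        salt = os.urandom(16)
        self.users[name] = (salt, self._hash(password, salt))

    def attempt(self, name, password, now):
        """Return 'ok', 'denied' or 'locked'; `now` is a timestamp in seconds."""
        st = self.state.setdefault(name, [0, 0, 0.0])
        if now < st[2]:
            return "locked"              # the guess is not even checked
        salt, stored = self.users.get(name, (b"\0" * 16, b""))
        if hmac.compare_digest(self._hash(password, salt), stored):
            st[0] = st[1] = 0            # owner is in: clear the counters
            return "ok"
        st[0] += 1
        if st[0] >= self.max_failures:   # X failures reached: lock, then double
            st[2] = now + self.base_lock * 2 ** st[1]
            st[0], st[1] = 0, st[1] + 1
        return "denied"


def checked_guesses(guard, name, seconds):
    """Count guesses actually tested when one wrong guess arrives every second."""
    return sum(guard.attempt(name, f"guess{t}", now=t) == "denied"
               for t in range(seconds))
```

With the defaults, an hour of one wrong guess per second gets 18 guesses tested instead of 3,600.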
The traditional method of LotRO account thieves seems to be
either trading or mailing stolen money to other accounts. A server-side
currency transfer or in-game mail tracker would help root out habitual
thieves, but at the cost of some measure of privacy. Nobody really
wants "Big Brother" watching over their shoulder when they are doing
nothing wrong. But then again, no one wants to get robbed, either.
Right now, the onus of account security is on the player -
you, the player, need to take measures to ensure the integrity of your
account. Here are some steps you can take to make sure your heroic
characters do not become victims:
Assuming you have any characters remaining on the compromised
account, your first step should be contacting a GM by means of a
support ticket. Open the Help menu, select New Ticket, and from the
drop-down menus select Cheating and then Acct. Compromise, and fill in
the relevant details.
If you are unable to log into the game or
myaccount.turbine.com because the password has been changed or the
account has been banned for suspicious activity, you will need to
contact Turbine's Account Support department. Follow the steps detailed
on The Official LotRO Forums:
http://forums.lotro.com/showthread.php?285435-Account-Hacked-Stolen-Info-to-Keep-it-From-Happening-amp-What-to-do-if-it-is-Stolen.
Turbine's reimbursement policy has been much improved, but it
still takes several days and possibly several support tickets to get things
restored.
Recently, a friend of mine had his account hacked. The thief cycled
through his high-level toons, cleaning out their vaults and money, and
then deleted the characters when he was done. A few of us saw this
happening and filed support tickets right away, and contacted the real
player via text message. He logged in on a low-level alt and filed a
ticket just minutes
after the thief had left. It took 2 or 3 days and at least 3 support
tickets for him to get all of his characters, money and stuff back.
If you do get hacked, you will want to act fast to get all
your stuff back. According to Turbine's Compromised Account
Reimbursement Policy
(http://support.turbine.com/ics/support/default.asp?deptID=24001&task=knowledge&questionID=2685),
players must submit an in-game
ticket for each affected character within 10 days of the hack. Anything
after 10 days results in a "standard reimbursement package appropriate
to [the character's] level," which means a fistful of gold and/or
skirmish marks.
In Turbine's defense, they have made hacking slightly less
profitable and less of a demoralizing hassle by making raid armor and
certain other high-end gear non-sellable. The stuff that you work for,
that takes days to earn, cannot be sold to Middle Earth's vendors, so
the quick-buck skeevy cretins who hack high-level characters have no
incentive to touch it. A small comfort when everything else is gone,
perhaps, but at least a step in the right direction.