
View Full Version : A Word About Account Security



TurbineCS
01-18-2011, 01:42 PM
Hello everyone,

Given the recent news about a number of popular gaming websites and online games suffering security breaches which left their account details exposed, Turbine would like to discuss account security and some steps you can take to secure your account. Account theft is an ever-present issue in the game industry. It’s also a top priority at Turbine - one that we spend significant time and resources to address every day.

On a continual basis, the Turbine fraud team monitors all player reports, network activity, in-game behavior, and other information that may indicate fraudulent activity or account theft. We then investigate and respond in accordance with our policies. To date, all indications are that most compromised accounts have been the result of account information stolen from other gaming websites and online games.

This is possible because many people use the same credentials to log into multiple sites and games. Additionally, other players share their usernames and passwords with people such as roommates, guild members, etc. A smaller percentage of users appear to have fallen victim to keylogging, phishing, or other technology-based attacks. While it is difficult to get to the root cause of every reported incident, there is no data to suggest that account information stored with Turbine is in any way at risk.

Even though we are satisfied that our account system remains secure, we will continue our ongoing efforts to defend our services against known and emerging security threats. In the meantime there are several steps players can take to help protect their accounts against the most common types of account theft:

Change your password regularly to a new, unique password that you have never used for any other product or website.
Never share your username and password with anyone else or allow them to log into your account.
Use a home network firewall at all times and check the exception list regularly for new entries.
Run antivirus and malware scanning tools on a regular basis with the latest definition files.
Beware of phishing or spoofing scams that you receive in your mailbox, either in-game or out-of-game. In general, you should avoid clicking links in e-mail you have not requested. If you have any questions about an e-mail or chat you’ve received that claimed to come from Turbine, please contact our Customer Service team at support.turbine.com.
Lastly, do not purchase in-game currency from gold sellers. Never encourage your friends to purchase gold. The cash market for in-game gold is the driving force behind most account theft. If players did not buy gold, sellers would not need to steal and strip accounts. We investigate and take action on all players that receive gold from gold sellers, up to and including a permanent account suspension.

Your security is important to all of us at Turbine, and we hope this information will help address concerns and misinformation about why account compromises occur. If you have any questions or suggestions, you may contact our Customer Service team at support.turbine.com.

Sincerely,
Turbine’s Anti-Fraud Supervisor

Cam_Neely
01-18-2011, 01:48 PM
Good info. I spent some time looking for the area to reset my game password, and could not find it, and honestly don't trust googling it. Anyone wanna help me out?

TurbineCS
01-18-2011, 01:50 PM
Good info. I spent some time looking for the area to reset my game password, and could not find it, and honestly don't trust googling it. Anyone wanna help me out?

To change your password, visit our account login website at http://myaccount.turbine.com. Log in with the Username and Password you use to log into the game. Once logged in, you will be able to change your password.

mws2970
01-18-2011, 01:53 PM
Excellent information. Thank you for sharing!

bigolbear
01-18-2011, 01:53 PM
So... When you gonna put a separate password check on credit card purchases of DDO points? That would be a good measure towards our security that is totally in your hands.

Memnir
01-18-2011, 01:53 PM
Always a good thing to be reminded of. Not changed my password in a while, and I'm going to remedy that as soon as I hit Submit Reply here.


+Rep to ya, TurbineCS... since you've still got it turned on. :cool:

Flavilandile
01-18-2011, 02:01 PM
All good points, but you forgot one important one regarding passwords :

Don't use a bland password, don't use a name, a noun, a location, a date as your password.

Use at least 1 ( one ) numerical character in your password
Use at least 8 ( eight ) characters in your password
Use at least 1 ( one ) capital character in your password
use at least 1 ( one ) non numerical, non alphabetic character in your password
Try to find a mnemotechnical way to remember your password

For example my password could be ( don't worry it's not, it's something else ) something like that ( with the mnemotechnical phrase ) :

ZeP4s5w0rd2Flav
( The password to Flavilandile )

Now you can call me paranoïd... it's true... I used to play Paranoïa.... The Computer is your Friend. *grins*

Phoenix-daBard
01-18-2011, 02:02 PM
I would like to add some things to the above advice:

1. NEVER use a word in the dictionary. Even if you 1337 it, it is still in a dictionary and is the easiest kind of password to crack.
2. Always include numbers and at least one math symbol as it makes the password that much harder to crack. (Don't just put a 1 at the end. That is just dumb.)
3. Longer is better. Using a phrase that means something to you means that you can remember it better and the length makes it harder it is to crack.

edit: Cross posted Flavilandile's excellent advice.

A former password that I used elsewhere was: K1a5z-kl0on

TurbineCS
01-18-2011, 02:05 PM
So... When you gonna put a separate password check on credit card purchases of DDO points? That would be a good measure towards our security that is totally in your hands.

We take the ability to purchase points with payments methods very seriously, and your store purchases have additional layers of anti-fraud security to prevent abuse.

Celestialbeast
01-18-2011, 02:06 PM
Does this mean Mr. Wizards issues with the store are going to finally be addressed?

Link --> http://forums.ddo.com/showthread.php?t=274134

ArkoHighStar
01-18-2011, 02:08 PM
We take the ability to purchase points with payments methods very seriously, and your store purchases have additional layers of anti-fraud security to prevent abuse.

It's not fraud, it's the teenager buying 5000 point bundles on his dad's credit card that is attached to the account to pay the monthly VIP fees :eek:

Gratch
01-18-2011, 02:08 PM
I've never seen this TurbineCS person.

Is this a phishing attempt to get me to change my password while they have the account IP redirecting some connections??? 3 posts all in this thread eh?

But really Tolero/Cordovan/etc.... if you're gonna tell us about security... do it with a well known identity or at least an introduction from a trusted source. That's security basics.


Ed: Neg repped for this? Srsly? I mean... I realize there's no possible way myDdo or dev account access could ever be hacked...I mean never. But wouldn't someone post exactly this with a new name if say this forum technology did get hacked? Though they'd probably add a misdirecting URL along with it.

Freeman
01-18-2011, 02:10 PM
I read a good tip for making long passwords easy to remember. Just put it in email format, such as "goodpassword@youwillneverguess.xxx". We are already trained to remember that format, and you can easily customize it for different sites. Here, use [password]@[favorite character].com or something along those lines.

Hafeal
01-18-2011, 02:12 PM
We take the ability to purchase points with payments methods very seriously, and your store purchases have additional layers of anti-fraud security to prevent abuse.

Except perhaps, from Turbine itself, who has yet to deliver a regular statement of TP activity of both using and acquiring said points ... :(

delicious.crab
01-18-2011, 02:15 PM
I've always been a fan of the initial letter mnemonic.
We the People of the United States of America = wtpotusoa
when in the course of human events it becomes necessary = witcoheibn
add punctuation where it occurs.
song lyrics work pretty well too.

fairly random, yet easy enough to remember.
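A worked version of two pieces of advice from this thread, delicious.crab's initial-letter mnemonic above and Phoenix-daBard's earlier point that a dictionary word stays a dictionary word even after "1337" substitutions, as an added example that is not code from the forum or from Turbine. The word list, the leet substitution table and the sample phrases are constructed for the demonstration; a real validator would load a full dictionary.

```python
"""Passphrase mnemonic plus a dictionary / leet-speak password check.

Added example for this thread, not code from the forum or from Turbine.
TOY_DICTIONARY and LEET_MAP are constructed stand-ins for a real word list.
"""
import re
import string

# Constructed toy word list; a real check would load a full dictionary.
TOY_DICTIONARY = {"password", "dragon", "turbine", "wizard", "letmein", "summer"}

# Substitutions that "1337" spelling uses; a validator reverses them before the
# dictionary lookup, which is why the substitutions buy no strength.
LEET_MAP = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}


def initial_letter_mnemonic(phrase: str) -> str:
    """delicious.crab's scheme: first letter of each word, lower-cased,
    with punctuation kept where it occurs in the phrase."""
    out = []
    for token in re.findall(r"[A-Za-z0-9']+|[^\sA-Za-z0-9']", phrase):
        word = token.lstrip("'")
        out.append(word[0].lower() if word and word[0].isalnum() else token)
    return "".join(out)


def de_leet(candidate: str) -> str:
    """Undo common letter-to-digit/symbol substitutions."""
    return "".join(LEET_MAP.get(ch, ch) for ch in candidate.lower())


def is_dictionary_word(candidate: str, dictionary=TOY_DICTIONARY) -> bool:
    """True if the candidate is a word from the list, with or without leet
    substitutions and a trailing run of digits or punctuation ("Dragon1!")."""
    core = candidate.rstrip(string.digits + string.punctuation)
    variants = {candidate.lower(), de_leet(candidate), de_leet(core)}
    return any(v in dictionary for v in variants)


def check_password(candidate: str) -> list[str]:
    """Apply the rules posters give in this thread and return the failures
    (an empty list means the candidate passes)."""
    problems = []
    if len(candidate) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if not any(c.isupper() for c in candidate):
        problems.append("no upper-case letter")
    if not any(not c.isalnum() for c in candidate):
        problems.append("no symbol")
    if is_dictionary_word(candidate):
        problems.append("dictionary word once leet substitutions are undone")
    return problems


if __name__ == "__main__":
    for phrase in ("We the People of the United States of America",
                   "when in the course of human events it becomes necessary"):
        print(phrase, "->", initial_letter_mnemonic(phrase))
    for pw in ("P4ssw0rd!", "Dr4g0n1", "wtpotusoa"):
        print(pw, check_password(pw) or "ok")
```

The mnemonic output passes the length rule but, as written, none of the character-class rules; in practice the two ideas are combined by keeping the phrase's own capitals and punctuation rather than by bolting digits onto a dictionary word.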

English_Warrior
01-18-2011, 02:16 PM
I would like to add some things to the above advice:

1. NEVER use a word in the dictionary. Even if you 1337 it, it is still in a dictionary and is the easiest kind of password to crack.
2. Always include numbers and at least one math symbol as it makes the password that much harder to crack. (Don't just put a 1 at the end. That is just dumb.)
3. Longer is better. Using a phrase that means something to you means that you can remember it better and the length makes it harder it is to crack.

edit: Cross posted Flavilandile's excellent advice.

A former password that I used elsewhere was: K1a5z-kl0on

The whole weak/strong password thing is a total red herring. The only person who will break into your PC accounts because you have a weak password is your 15 year old nephew messing around on your PC while your back is turned.
In 99% of cases the bad guys get into your accounts because they already HAVE your password, it doesn't matter how obscure the password is if you get keylogged / give your info to the wrong person / get scammed / get phished / somebody hacks a website with your info on.

Just keep your password unique to each account and change them often.

agent00skid
01-18-2011, 02:22 PM
Just a note, the "My Account" link on ddo.com, MyDDO and The Compendium refers to the standard http site, while the forum one refers to the https site. Think that the ones not referring to the https site should be made to do so.

Just now that we're talking security.

Missing_Minds
01-18-2011, 02:27 PM
Now you can call me paranoïd... it's true... I used to play Paranoïa.... The Computer is your Friend. *grins*

You commie mutant traitor! (I had to. ;) )

Also, when you make changes to your account, review ALL account data. Make sure your email IS the correct one. My wife's got changed once and she did NOT change it.

KraahgDaAxe
01-18-2011, 02:29 PM
The whole weak/strong password thing is a total red herring. The only person who will break into your PC accounts because you have a weak password is your 15 year old nephew messing around on your PC while your back is turned.
In 99% of cases the bad guys get into your accounts because they already HAVE your password, it doesn't matter how obscure the password is if you get keylogged / give your info to the wrong person / get scammed / get phished / somebody hacks a website with your info on.

Just keep your password unique to each account and change them often.

Actually most security experts now state that changing passwords frequently isn't as beneficial as you are led to believe. It's more of a "It's changing therefore it must be secure" feeling for the users. In all reality, strong passwords that change less frequently are better than weak passwords you change weekly. A lot of companies are moving to passphrases instead of passwords because of this.

Kraahg

Vordax
01-18-2011, 02:32 PM
Any thought of adding a SecurID type authentication option?

http://en.wikipedia.org/wiki/File:SecureID_token_new.JPG

Vordax

(one of your competitors offers it, would be nice to have)

Solmage
01-18-2011, 02:34 PM
So... When you gonna put a separate password check on credit card purchases of DDO points? That would be a good measure towards our security that is totally in your hands.

I recommend not putting a credit card on file and using a paypal verified account to pay for your point purchases. (You can even use paypal to pay with a credit card if you so desire)

English_Warrior
01-18-2011, 02:43 PM
Actually most security experts now state that changing passwords frequently isn't as beneficial as you are led to believe. It's more of a "It's changing therefore it must be secure" feeling for the users. In all reality, strong passwords that change less frequently are better than weak passwords you change weekly. A lot of companies are moving to passphrases instead of passwords because of this.

Kraahg

Sure, keeping a compromised password active for longer is better than changing it asap ;)

The only people that strong passwords protect you from are your friends/family/co-workers. If you can't trust your friends and family then you have bigger problems...and if you are logging into a secure personal account on a work PC you are asking for trouble.

The reason businesses require strong passwords is because they don't want their employees hacking into restricted accounts and into each other's accounts... in that case strong passwords are exactly what you need to protect info from curious people who know each other and have a lot of "sitting in front of PC time" to guess a buddy's/the boss's password.

When you are talking about criminal identity fraud the VAST majority of the time the crooks already have your password....it doesn't matter how strong/weak it is.

Phoenix-daBard
01-18-2011, 03:02 PM
The whole weak/strong password thing is a total red herring.

You should see the number of dictionary attacks I have seen against my servers. We have intrusion detection systems in place to catch this but not everyone does. So yes a dictionary password is a bad idea.
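As an added example (not code from the thread or from any poster's servers), this is the kind of check an intrusion detection rule performs against an SSH authentication log to spot the dictionary attacks described above: it counts failed logins per source address inside a sliding window and reports addresses that cycle through many usernames. The log lines use OpenSSH's auth.log wording but are constructed, with documentation-range IP addresses.

```python
"""Detect password-guessing (dictionary) attacks in an SSH auth log.

Added example for this thread, not code from any poster's systems.
SAMPLE_LOG is constructed in OpenSSH auth.log format with documentation-range
IP addresses (RFC 5737); the hostname and PIDs are invented.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
Jan 18 14:02:01 host sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 50112 ssh2
Jan 18 14:02:03 host sshd[2101]: Failed password for invalid user oracle from 203.0.113.5 port 50114 ssh2
Jan 18 14:02:04 host sshd[2101]: Failed password for root from 203.0.113.5 port 50116 ssh2
Jan 18 14:02:06 host sshd[2101]: Failed password for invalid user test from 203.0.113.5 port 50118 ssh2
Jan 18 14:02:09 host sshd[2101]: Failed password for invalid user guest from 203.0.113.5 port 50120 ssh2
Jan 18 14:05:30 host sshd[2140]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Jan 18 14:05:41 host sshd[2140]: Accepted password for alice from 198.51.100.7 port 40022 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+(?:\.\d+){3})"
)


def parse_failures(log_text: str, year: int = 2011):
    """Return (timestamp, source_ip, username) for every failed-login line.
    syslog lines carry no year, so the caller supplies it."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m is None:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def detect_dictionary_attacks(events, threshold=5, window=timedelta(minutes=10)):
    """Flag each source IP that produced at least `threshold` failures inside
    any span of length `window`. The usernames tried are returned because a
    long, varied list of names is the signature of a dictionary sweep rather
    than one forgetful user."""
    by_ip = defaultdict(list)
    for ts, ip, user in events:
        by_ip[ip].append((ts, user))

    alerts = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # slide the window start forward until the span fits in `window`
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = {
                    "failures": len(attempts),
                    "usernames": sorted({u for _, u in attempts}),
                }
                break
    return alerts


def run_sample():
    """Run the detector over the constructed log."""
    return detect_dictionary_attacks(parse_failures(SAMPLE_LOG))


if __name__ == "__main__":
    for ip, info in run_sample().items():
        print(f"ALERT {ip}: {info['failures']} failures, "
              f"users tried: {', '.join(info['usernames'])}")
```

The single failure from 198.51.100.7 followed by an accepted login is the normal typo pattern and is not reported; the threshold and window are the two knobs that decide how noisy the rule is.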

KraahgDaAxe
01-18-2011, 03:04 PM
Sure, keeping a compromised password active for longer is better than changing it asap ;)

This is obviously a trollish statement or a bad attempt at a joke. You are probably attempting to joke, but in reality you are deflecting from a very serious problem.


The only people that strong passwords protect you from are your friends/family/co-workers. If you can't trust your friends and family then you have bigger problems...and if you are logging into a secure personal account on a work PC you are asking for trouble.

The reason businesses require strong passwords is because they don't want their employees hacking into restricted accounts and into each other's accounts... in that case strong passwords are exactly what you need to protect info from curious people who know each other and have a lot of "sitting in front of PC time" to guess a buddy's/the boss's password.

When you are talking about criminal identity fraud the VAST majority of the time the crooks already have your password....it doesn't matter how strong/weak it is.

I don't know where you work but where I work and have worked in the past, social engineering is a serious threat. I have been on the IT side of numerous calls where somebody was attempting to garner a password that wasn't theirs. They didn't already have the password. This is mainly because password security was way behind software/operating system security. This has been changing in the past 5 years or so, but it's still behind. The main reason it's still behind? Because normal computer users don't want complicated passwords because complicated is complicated.

From my 10+ years in IT, social engineering has, BY FAR, been the most prevalent "hack" for getting passwords for corporate workplaces. Personal computers are different, as the onus is on the user themselves to keep their virus/malware software up to date, but this is drastically changing as a lot of ISPs are now providing free virus software with their service in an effort to lower tech support calls, lower the user's cost and therefore making it far more likely they have up to date virus/malware software.

Kraahg

English_Warrior
01-18-2011, 03:27 PM
I don't know where you work but where I work and have worked in the past, social engineering is a serious threat. I have been on the IT side of numerous calls where somebody was attempting to garner a password that wasn't theirs. They didn't already have the password. This is mainly because password security was way behind software/operating system security. This has been changing in the past 5 years or so, but it's still behind. The main reason it's still behind? Because normal computer users don't want complicated passwords because complicated is complicated.

From my 10+ years in IT, social engineering has, BY FAR, been the most prevalent "hack" for getting passwords for corporate workplaces. Personal computers are different, as the onus is on the user themselves to keep their virus/malware software up to date, but this is drastically changing as a lot of ISPs are now providing free virus software with their service in an effort to lower tech support calls, lower the user's cost and therefore making it far more likely they have up to date virus/malware software.

Kraahg

Oh boy...don't you even realise you are agreeing with me? I agree social engineering is by far the most prevalent way to hack accounts (that is what I said in my first post)....and that's exactly why a strong password makes no difference.

For the third time (hopefully it will sink in this time) it makes no difference how strong your password is if it ends up in the hands of the wrong person....and in the vast majority of cases it ends up in the wrong person's hands, not because they guessed a weak password, but because you or somebody else gave it to them (or had it taken).

Mister_Peace
01-18-2011, 03:27 PM
Except perhaps, from Turbine itself, who has yet to deliver a regular statement of TP activity of both using and acquiring said points ... :(

Hear hear!

darksol23
01-18-2011, 03:32 PM
Any thought of adding a SecurID type authentication option?

http://en.wikipedia.org/wiki/File:SecureID_token_new.JPG

Vordax

(one of your competitors offers it, would be nice to have)

+1, I'd personally have no problem paying $10 or whatnot for peace of mind.

English_Warrior
01-18-2011, 03:34 PM
You should see the number of dictionary attacks I have seen against my servers. We have intrusion detection systems in place to catch this but not everyone does. So yes a dictionary password is a bad idea.

Now that part I agree with...but you would be hard pressed to find a legit website on planet earth that doesn't block dictionary attacks against its account passwords. It's so easy to do it would be criminally negligent not to do so.

Interesting fact though....most "unique" passwords actually contain proper nouns that do not occur in a standard dictionary :)

Lorien_the_First_One
01-18-2011, 03:48 PM
So... When you gonna put a separate password check on credit card purchases of DDO points? That would be a good measure towards our security that is totally in your hands.

+1

This is a HUGE failure of security on Turbine's part. It's even a violation of the security standards for visa/mc banks in some countries.

NeutronStar
01-18-2011, 05:31 PM
Hello everyone,

Given the recent news about a number of popular gaming websites and online games suffering security breaches which left their account details exposed, Turbine would like to discuss account security and some steps you can take to secure your account. Account theft is an ever-present issue in the game industry. It’s also a top priority at Turbine - one that we spend significant time and resources to address every day.

On a continual basis, the Turbine fraud team monitors all player reports, network activity, in-game behavior, and other information that may indicate fraudulent activity or account theft. We then investigate and respond in accordance with our policies. To date, all indications are that most compromised accounts have been the result of account information stolen from other gaming websites and online games.

This is possible because many people use the same credentials to log into multiple sites and games. Additionally, other players share their usernames and passwords with people such as roommates, guild members, etc. A smaller percentage of users appear to have fallen victim to keylogging, phishing, or other technology-based attacks. While it is difficult to get to the root cause of every reported incident, there is no data to suggest that account information stored with Turbine is in any way at risk.

Even though we are satisfied that our account system remains secure, we will continue our ongoing efforts to defend our services against known and emerging security threats. In the meantime there are several steps players can take to help protect their accounts against the most common types of account theft:

Change your password regularly to a new, unique password that you have never used for any other product or website.
Never share your username and password with anyone else or allow them to log into your account.
Use a home network firewall at all times and check the exception list regularly for new entries.
Run antivirus and malware scanning tools on a regular basis with the latest definition files.
Beware of phishing or spoofing scams that you receive in your mailbox, either in-game or out-of-game. In general, you should avoid clicking links in e-mail you have not requested. If you have any questions about an e-mail or chat you’ve received that claimed to come from Turbine, please contact our Customer Service team at support.turbine.com.
Lastly, do not purchase in-game currency from gold sellers. Never encourage your friends to purchase gold. The cash market for in-game gold is the driving force behind most account theft. If players did not buy gold, sellers would not need to steal and strip accounts. We investigate and take action on all players that receive gold from gold sellers, up to and including a permanent account suspension.

Your security is important to all of us at Turbine, and we hope this information will help address concerns and misinformation about why account compromises occur. If you have any questions or suggestions, you may contact our Customer Service team at support.turbine.com.

Sincerely,
Turbine’s Anti-Fraud Supervisor

tl;dr - don't go to porn sites and don't tell anyone your username and password.

Lorz
01-18-2011, 05:52 PM
+1

This is a HUGE failure of security on Turbine's part. It's even a violation of the security standards for visa/mc banks in some countries.

But not the USA where ALL the transactions occur. So your point is not applicable.

Thank you and if they passed the PCI DSS compliance then they are good.

TigrisMorte
01-18-2011, 06:21 PM
...no problem paying $10 or whatnot for peace of mind.
Give it to me. I promise to tell you everything is fine.:D
Like almost all security, it is 90% theater to give you peace of mind.

rest
01-18-2011, 06:27 PM
Technically, thats 509 words.

Rumbaar
01-18-2011, 06:27 PM
Interesting, even Tolero doesn't like being the face of these posts anymore. Thought the CUBE could be the generic face of Turbine?

Anyways, good tips for those that don't already follow them.


We take the ability to purchase points with payments methods very seriously, and your store purchases have additional layers of anti-fraud security to prevent abuse.

But at the very least you should be able to remove the credit card details once they are placed there.

It's a shame the only method is to cancel the card and leave the incorrect details there.

TigrisMorte
01-18-2011, 06:29 PM
tl;dr - don't go to porn sites and don't tell anyone your username and password.
There is nothing any more dangerous about porn than anything else.
Can't tell you how many times, while explaining how to or removing a virus, I hear, "But I don't go to porn sites!"
99.99% of viruses are from clicking email links, not updated plug-ins, or servers that are compromised or serving ads that are.

Church lady may wish to claim "porn" as the source for all sins but it is just an attractive avenue, nothing special.

sirgog
01-18-2011, 08:08 PM
There is nothing any more dangerous about porn than anything else.
Can't tell you how many times, while explaining how to or removing a virus, I hear, "But I don't go to porn sites!"
99.99% of viruses are from clicking email links, not updated plug-ins, or servers that are compromised or serving ads that are.

Church lady may wish to claim "porn" as the source for all sins but it is just an attractive avenue, nothing special.

Download 'something' free sites are some of the worst malware sites (particularly for keyloggers).

The number 2 source of WoW hacked accounts? Malware installed on sites purporting to offer free downloads of WoW-related software. (#1 is former customers of gold-sellers that shared their passwords for power levelling purposes; the gold seller waits three months or more, then clears the account out).

Porn sites, however, are more likely to be looking for credit card information in their keyloggers than game passwords.

Lorien_the_First_One
01-18-2011, 09:59 PM
But not the USA where ALL the transactions occur. So your point is not applicable.

Thank you and if they passed the PCI DSS compliance then they are good. You should really learn more about such things because it makes you look foolish.

First off what makes you think they passed? (I know it's shocking...but not all merchants comply, and some lie on the self eval to pass)

I do not believe they would pass PCI DSS. For example, you may wish to check PCI DSS SAQ D 2.0, section 3.1. They retain untruncated credit card data without due cause.

I have certified online credit card systems, I do know a bit about how they work.

The personal insult was uncalled for and reported.

bigolbear
01-18-2011, 10:41 PM
First off what makes you think they passed? (I know it's shocking...but not all merchants comply, and some lie on the self eval to pass)

I do not believe they would pass PCI DSS. For example, you may wish to check PCI DSS SAQ D 2.0, section 3.1. They retain untruncated credit card data without due cause.

I have certified online credit card systems, I do know a bit about how they work.

The personal insult was uncalled for and reported.

On the subject of them not passing these regs, when I first purchased Turbine points my credit card company (Barclaycard) rang me to confirm the purchase and warned me that the company involved, i.e. Turbine, had been a source for investigations with other customers; they felt it was necessary to contact me due to this fact and the fact it registered as an overseas purchase. At that point I substantially lowered the limit on my card that I use to make internet transactions; I would encourage others to do the same.

I can't stress this point enough - if Barclaycard think Turbine's security and transaction handling are a problem then it's a problem.

Bogenbroom
01-19-2011, 12:37 AM
Some feedback... I've been working in IT Security for the past ten+ years in a place where usability is frequently overshadowing security (an edu.) From that perspective I would like to share...

- password suggestions are nearly useless. They *need* to be enforced via the software. We've been yelling into the wind at our constituents for years. It wasn't until we were able to enforce that any traction was seen. We had been able to see many users with 10-15 year old passwords before we made them change them. Reasonably strong passwords with somewhat frequent enforced changes are a good middle ground between security and ease of use.
- there are numerous ways to enable ip based or attaching computer based restrictions that could heavily dent unauthorized access. Not perfect, but extremely useful for the type of targeting involved here.
- turbine really needs a good go-to contact for security related issues. I, myself, reported a PII issue last month and never even received a response.
- automated and self-remediate-able lockouts can provide some useful coverage for anomalous behavior, and are generally visible enough to send a positive message to the community... If they are not overdone.

I won't speak to the store, as my background isn't ecommerce.

Lorien_the_First_One
01-19-2011, 12:45 AM
- automated and self-remediate-able lockouts can provide some useful coverage for anomalous behavior, and are generally visible enough to send a positive message to the community... If they are not overdone.

At one point I was trying to help my gf reopen her account after things went F2P. We weren't sure about what email address was used, and we didn't know the password. We must have guessed 20+ times before we got it right. Shocking that there wasn't an auto-lockout.
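An added example, not Turbine's code, of the automated, self-remediating lockout Bogenbroom describes and that the 20+ guesses in the post above would have tripped: after a set number of failed attempts inside a window the account is locked, and the lock expires on its own with no support call. The credential store, salt, account and clock values are constructed for the demonstration.

```python
"""Automated, self-expiring account lockout after repeated failed logins.

Added example for this thread, not Turbine's code. USERS, the salt and the
timestamps are constructed for the demonstration; a real store would use a
random per-user salt and a current password hash such as scrypt or Argon2.
"""
import hashlib
import hmac
from datetime import datetime, timedelta

DEMO_SALT = b"constructed-demo-salt"  # constructed; production uses a random salt per user


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), DEMO_SALT, 100_000)


# Constructed demo account.
USERS = {"alice": _hash_password("correct horse battery")}


def verify_password(user: str, password: str) -> bool:
    stored = USERS.get(user)
    if stored is None:
        _hash_password(password)  # same cost for unknown names, so timing leaks nothing
        return False
    return hmac.compare_digest(stored, _hash_password(password))


class LockoutPolicy:
    """Lock an account after `max_failures` failures within `window`; the lock
    releases itself after `lock_duration` (self-remediating, as Bogenbroom puts it)."""

    def __init__(self, max_failures=5, window=timedelta(minutes=10),
                 lock_duration=timedelta(minutes=15)):
        self.max_failures = max_failures
        self.window = window
        self.lock_duration = lock_duration
        self._failures = {}      # user -> list of failure timestamps
        self._locked_until = {}  # user -> datetime the lock expires

    def is_locked(self, user, now):
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            # the lock has expired: clear the state without any manual step
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def attempt(self, user, password, now):
        """Return 'locked', 'ok' or 'failed'. While locked the password is not
        checked at all, so a lucky guess during the lock gives no signal."""
        if self.is_locked(user, now):
            return "locked"
        if verify_password(user, password):
            self._failures.pop(user, None)
            return "ok"
        recent = [t for t in self._failures.get(user, []) if now - t <= self.window]
        recent.append(now)
        self._failures[user] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[user] = now + self.lock_duration
            return "locked"
        return "failed"


def simulate():
    """Five wrong guesses, a correct one during the lock, a correct one after."""
    policy = LockoutPolicy()
    t0 = datetime(2011, 1, 18, 14, 0, 0)  # constructed clock
    results = []
    for i in range(5):
        results.append(policy.attempt("alice", f"guess{i}", t0 + timedelta(seconds=10 * i)))
    results.append(policy.attempt("alice", "correct horse battery", t0 + timedelta(minutes=1)))
    results.append(policy.attempt("alice", "correct horse battery", t0 + timedelta(minutes=17)))
    return results


if __name__ == "__main__":
    print(simulate())
```

The short, self-expiring lock is also the mitigation for the "not overdone" caveat: a lock keyed on the username alone lets anyone who knows a name keep its owner out, so a lock that clears itself in minutes costs the legitimate user little while still capping the guess rate.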

sirgog
01-19-2011, 12:49 AM
One thing I strongly suggest to Turbine to prevent keyloggers:

Have the client require, in addition to a username and password, that you select your date of birth (or a 3-4 digit passnumber) from drop-down menus.

That way, someone that installs a keylogger on your system won't be able to steal your password unless they are also screenwatching you. Screenwatching is *very* resource intensive on the computer being observed, and is thus very easy to detect (the computer that is playing DDO while screenwatched will be slowed noticeably). Plus, it's just not worth the effort for hackers.

Vordax
01-19-2011, 12:59 AM
- password suggestions are nearly useless. They *need* to be enforced via the software. We've been yelling into the wind at our constituents for years. It wasn't until we were able to enforce that any traction was seen. We could had been able to see many users with 10-15 year old passwords before we made them change them. Reasonably strong passwords with somewhat frequent enforced changes are a good middle ground between security and ease of use.


Forcing password changes I think is counter productive. At my work IT has a 90 day password change policy. The other developers and I were talking about this and everyone did one of 2 things. They either wrote the password down and kept it under their keyboard, or like me kept the same password and alternated which letter in the password was capitalized. Neither of these 2 options make anything any more secure.

Vordax

Bogenbroom
01-19-2011, 09:43 AM
Forcing password changes I think is counter productive. At my work IT has a 90 day password change policy. The other developers and I were talking about this and everyone did one of 2 things. They either wrote the password down and kept it under their keyboard, or like me kept the same password and alternated which letter in the password was capitalized. Neither of these 2 options make anything any more secure.

Vordax

I would agree that overly aggressive change schedules are counter productive. And, believe me, that is a conversation we had here in our IT SecCom meetings. Our needs here are different since we have users handling other people's PII, including things covered by FERPA and HIPAA, but for a system like this... being a game giving access to CC access (even if the CC info isn't retrievable, just usable) a yearly basis should be more than adequate.

While that won't do a whole lot to lock out an already compromised account it does achieve at least 2 important goals.

1) It will tend to make your DDO account password not sync up with every other password you use, or at least help toward that goal, and
2) It will allow for changes to password policy. Without it you have an issue getting changes into old passwords... since those passwords never have to be changed. We had that problem here for a long time.

Anthorin
01-19-2011, 09:47 AM
I've always been a fan of the initial letter mnemonic.
We the People of the United States of America = wtpotusoa
when in the course of human events it becomes necessary = witcoheibn
add punctuation where it occurs.
song lyrics work pretty well too.

fairly random, yet easy enough to remember.


So "delicious.crab" would be DC. I think I know you from online ;-P

MrkGrismer
01-19-2011, 11:48 AM
For those wanting an extra password:

https://usa.visa.com/personal/security/vbv/index.jsp?ep=v_sym_verified&symlinkref=http://www.google.com/search?q=visa+secure&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a


Get an extra layer of security when you shop online

In addition to our other ways of preventing, detecting, and resolving fraud, we offer Verified by Visa, a free, simple-to-use service that confirms your identity with an extra password when you make an online transaction.

How it works

1. Activate the Verified by Visa feature
Enroll your credit or debit card in the Verified by Visa program now, on your participating card issuer's website or while shopping online.

2. Shop at participating online merchants
Visit online merchants that display the Verified by Visa symbol for an added layer of protection.

3. Enjoy enhanced security
Enjoy added peace of mind. Activate Verified by Visa on your Visa credit and debit cards.

(4. ???? and 5. Profit) :D

Only thing is, turbine is not a #2 :(

KraahgDaAxe
01-19-2011, 11:52 AM
This is obviously a trollish statement or a bad attempt at a joke. You are probably attempting to joke, but in reality you are deflecting from a very serious problem.



I don't know where you work but where I work and have worked in the past, social engineering is a serious threat. I have been on the IT side of numerous calls where somebody was attempting to garner a password that wasn't theirs. They didn't already have the password. This is mainly because password security was way behind software/operating system security. This has been changing in the past 5 years or so, but it's still behind. The main reason it's still behind? Because normal computer users don't want complicated passwords because complicated is complicated.

From my 10+ years in IT, social engineering has, BY FAR, been the most prevalent "hack" for getting passwords for corporate workplaces. Personal computers are different, as the onus is on the user themselves to keep their virus/malware software up to date, but this is drastically changing as a lot of ISPs are now providing free virus software with their service in an effort to lower tech support calls, lower the user's cost and therefore make it far more likely they have up-to-date virus/malware software.

Kraahg

I guess I grossly misunderstood what you were saying then. To me, stating "They already have your password" =/= "They social engineered your password" as there are a ton of ways to get your password. Guess I need to learn to read your mind instead of what you write.

Kraahg

Dex
01-19-2011, 02:15 PM
Agreed, and formally seconded.

Really Turbine, there is no reasonable excuse for not implementing this, and it is a proven method.

Like I need another RSA key to hang off my already crowded key chain, but it's a great idea.

+1 rep for the op.


Any thought of adding a SecurID type authentication option?

http://en.wikipedia.org/wiki/File:SecureID_token_new.JPG

Vordax

(one of your competitors offers it, would be nice to have)

Vordax
01-19-2011, 02:51 PM
Agreed, and formally seconded.

Really Turbine, there is no reasonable excuse for not implementing this, and it is a proven method.

Like I need another RSA key to hang off my already crowded key chain, but it's a great idea.

+1 rep for the op.

The competitor charges like $8 for the key but they give a new pet to all characters. Since DDO doesn't have pets, they could give TPs instead or maybe a special cosmetic item like the bunny hat.

Vordax

stainer
01-20-2011, 10:33 AM
Be careful on open wifi networks too. This works. Umm, someone told me.

http://en.wikipedia.org/wiki/Firesheep

Firesheep is an extension developed by Eric Butler for the Firefox web browser. The extension uses a packet sniffer to intercept unencrypted cookies from certain websites (such as Facebook and Twitter) as the cookies are transmitted over networks, exploiting session hijacking vulnerabilities. It shows the discovered identities on a sidebar displayed in the browser, and allows the user to instantly take on the log-in credentials of the user by double-clicking on the victim's name.
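The Firesheep description above turns on one server-side mistake: session cookies sent without the Secure attribute travel in clear text over an open network. As an added example (not from the thread or from the Firesheep project), the Python below audits Set-Cookie headers for exactly that. The headers are constructed samples, and the name-based heuristic for "looks like a session cookie" is an assumption for the demo.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample Set-Cookie headers; not captured from any real site.
SAMPLE_SET_COOKIE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",                        # no Secure: readable on open wifi
    "csrftoken=xyz789; Path=/; Secure; HttpOnly; SameSite=Lax",  # hardened
    "PHPSESSID=def456; Path=/",                                  # neither Secure nor HttpOnly
    "theme=dark; Path=/; Max-Age=31536000",                      # preference cookie, not a session
]

# Assumed heuristic: substrings that suggest a cookie carries a session or auth token.
SESSION_COOKIE_HINTS = ("sess", "sid", "auth", "token", "login")


@dataclass
class CookieFinding:
    name: str
    missing: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr_lower: val})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name.strip(), value, attrs


def looks_like_session_cookie(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_COOKIE_HINTS)


def audit_set_cookie_headers(headers: List[str]) -> List[CookieFinding]:
    """Report session-like cookies missing Secure, HttpOnly, or a restrictive SameSite.
    Secure is the attribute that stops the clear-text exposure Firesheep relied on;
    HttpOnly limits script access; SameSite limits cross-site sending."""
    findings: List[CookieFinding] = []
    for header in headers:
        name, _value, attrs = parse_set_cookie(header)
        if not looks_like_session_cookie(name):
            continue
        missing: List[str] = []
        if "secure" not in attrs:
            missing.append("Secure")
        if "httponly" not in attrs:
            missing.append("HttpOnly")
        if attrs.get("samesite", "").lower() not in ("lax", "strict"):
            missing.append("SameSite=Lax/Strict")
        if missing:
            findings.append(CookieFinding(name, missing))
    return findings


if __name__ == "__main__":
    for f in audit_set_cookie_headers(SAMPLE_SET_COOKIE_HEADERS):
        print(f"{f.name}: missing {', '.join(f.missing)}")
```

Setting Secure only helps if the site also serves every page over HTTPS (otherwise the browser simply never sends the cookie and the login breaks), so in practice the fix is site-wide TLS plus Secure on the session cookie. On the user side, the only real protection on an open network is to avoid sites that do not do this, or to tunnel all traffic through a VPN.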

Lorien_the_First_One
01-20-2011, 10:47 AM
Be careful on open wifi networks too. This works. Umm, someone told me.

http://en.wikipedia.org/wiki/Firesheep

Firesheep is an extension developed by Eric Butler for the Firefox web browser. The extension uses a packet sniffer to intercept unencrypted cookies from certain websites (such as Facebook and Twitter) as the cookies are transmitted over networks, exploiting session hijacking vulnerabilities. It shows the discovered identities on a sidebar displayed in the browser, and allows the user to instantly take on the log-in credentials of the user by double-clicking on the victim's name.

Nice

suitepotato
01-22-2011, 04:34 AM
One thing I strongly suggest to Turbine to prevent keyloggers:

Have the client require, in addition to a username and password, that you select your date of birth (or a 3-4 digit passnumber) from drop-down menus.

That way, someone who installs a keylogger on your system won't be able to steal your password unless they are also screenwatching you. Screenwatching is *very* resource intensive on the computer being observed, and is thus very easy to detect (the computer that is playing DDO while screenwatched will be slowed noticeably). Plus, it's just not worth the effort for hackers.

Visuals are best. Customers should upload their own image or select from one of hundreds. At verification, a group of images including the proper pre-selected one is displayed. It is in a random place in the display order every time. You click the one that you and you alone know is correct.

Ziindarax
01-24-2011, 08:59 AM
Sure, keeping a compromised password active for longer is better than changing it asap ;)

The only people that strong passwords protect you from are your friends/family/co-workers. If you can't trust your friends and family then you have bigger problems... and if you are logging into a secure personal account on a work PC you are asking for trouble.

The reason businesses require strong passwords is because they don't want their employees hacking into restricted accounts and into each other's accounts... in that case strong passwords are exactly what you need to protect info from curious people who know each other and have a lot of "sitting in front of PC time" to guess a buddy's/the boss's password.

When you are talking about criminal identity fraud, the VAST majority of the time the crooks already have your password... it doesn't matter how strong/weak it is.

I'd like to know where you are getting your findings about the crooks already having your password. However, I do concur with the point you are making in your last paragraph.

Since Turbine wants to talk security, they would be wise to get rid of those ads that appear on the top of the screen of every page on this forum since Ads can be corrupted by hackers (surely, Turbine can't be THAT hard up to need ads to pay for a simple forum).

Ziindarax
01-24-2011, 09:03 AM
This is obviously a trollish statement or a bad attempt at a joke. You are probably attempting to joke, but in reality you are deflecting from a very serious problem.



I don't know where you work but where I work and have worked in the past, social engineering is a serious threat. I have been on the IT side of numerous calls where somebody was attempting to garner a password that wasn't theirs. They didn't already have the password. This is mainly because password security was way behind software/operating system security. This has been changing in the past 5 years or so, but it's still behind. The main reason it's still behind? Because normal computer users don't want complicated passwords because complicated is complicated.

From my 10+ years in IT, social engineering has, BY FAR, been the most prevalent "hack" for getting passwords for corporate workplaces. Personal computers are different, as the onus is on the user themselves to keep their virus/malware software up to date, but this is drastically changing as alot of ISPs are now providing free virus software with their service in an effort to lower tech support calls, lower the user's cost and therefore making it far more likely they have up to date virus/malware software.

Kraahg


I strongly agree with you about social engineering.

Prior to my break from DDO to play other games, I've been noticing supposed "kids" going around on Orien (and most likely other servers) asking if they could play other people's characters. Don't let them, as these are social engineers trying to steal your account, the money and items on your character, as well as any personal information tied to the account they are seeking to compromise. If someone asks if they could play your character, discreetly send a ticket reporting them (you can do this by going to "Help" and then "New Ticket". Once there, you can report the attempted social engineering under the "cheating" category, and file it under "Other" [Account Compromise does not let you name any individual who tries to utilize social engineering to get into your account]. Be sure to remember the name of the person attempting the social engineering).

picaisfun
01-24-2011, 09:12 AM
I tried to change the credit card billed for vip service. I changed all the required fields in change billing options and entered new credit card to system and the old card and new one were charged. True story. Gonna call customer service today. Free to play here I come or just done :(

altrocks
09-28-2011, 01:29 PM
http://imgs.xkcd.com/comics/password_strength.png

GypsasLT
12-16-2011, 05:53 AM
Date: 15/12/2011

Today I became a VIP for 1 year and bought 6200 Turbine points.... had a problem with connection to play because I use a wi-fi connection and now trying to fix this problem.... I need to do these 4 steps and I can't find where to send them....
-the last 4 digits of the credit card on file
-the name of the card holder
-the billing address on file
-the email address you want to have on file.

Did a ticket and did forgotten password recovery but no one is sending me anything.... I think they changed the email address too ;/

PLEASE HELP ME !!!
4 hours passed: I click on Forgotten your username? in myaccount.turbine.com and they send me not my main user name... only 1 of 2... I click on Forgotten your password? and they send me nothing.... *** is going on ?

1 hour 30 minutes passed: I just remembered that I have a bad email on my main account, my first email was hacked a long time ago in 2009 and my main account was with this email.... well I hope I get back the hacked email, waiting for an answer from msn.net and Turbine support

7 hours passed: Got an email from hacked email recovery that I can't recover my old email.... of course because I used it so long ago.... nothing new from Turbine support ;/

1 hour 30 minutes passed: Sent again a ticket with -the last 4 digits of the credit card on file
-the name of the card holder
-the billing address on file
-the email address you want to have on file. Correct 100% now. And checked my bank account in the multibank: -45.99 euro for 6200 Turbine points and -89.99 euro for 1 year VIP membership. Nothing new.....

10 minutes passed: omg I was about to laugh, I clicked on Edit Your Details in these forums and there is the old email that I don't have a password for but can't change it, it says this > The password you have entered does not match your current one. Please press the back button, enter the correct details and try again. Don't forget that the password is case sensitive. Forgotten your password? Click here!
< (((((((((((((((((( can't change email... but can login into forums with this account OMG !! what do I do ! can't wait ! I wanna play !!

Vordax
12-16-2011, 10:37 AM
......

CALL THEM!! The number can be found here. (http://forums.ddo.com/member.php?u=212425)

Vordax

Xynot2
01-28-2012, 08:47 AM
So... When are you gonna put a separate password check on credit card purchases of DDO points? That would be a good measure towards our security that is totally in your hands.

How about you taking responsibility for your own financial security. There is only so much Turbine or anyone you purchase something from online can do to secure your credit card. A fine example is the banking industry hacks, Sony games and Xbox gaming. If you use a full-blown CC to purchase anything online, you absorb that risk.

I use a prepaid credit card. I only put on the card what I intend to spend plus $5 to cover any fees for using a prepaid. That way, if it gets hacked, the thief gets squat. Turbine upholds its end of the security and now you need to uphold yours. If a bank can get hacked, anyone can get hacked. Hell, there was a credit card industry hack where the hackers inserted a program into the card processing computers.

I'm not saying Turbine doesn't have to provide security. They do have to and they fulfill that on a continual basis. But you need to shoulder some of the responsibility as well.

Rog
12-26-2012, 10:51 AM
I tred and was running misery peak out in Korthos island and got a tell from a web site trying to sell my plat and items for hundreds of dollars. I sent in a spam report but you never know if any action was taken. It was about 0230 east coast time zone.
mojo

bigolbear
12-26-2012, 11:11 AM
How about you taking responsibility for your own financial security. There is only so much Turbine or anyone you purchase something from online can do to secure your credit card. A fine example is the banking industry hacks, Sony games and Xbox gaming. If you use a full-blown CC to purchase anything online, you absorb that risk.

I use a prepaid credit card. I only put on the card what I intend to spend plus $5 to cover any fees for using a prepaid. That way, if it gets hacked, the thief gets squat. Turbine upholds its end of the security and now you need to uphold yours. If a bank can get hacked, anyone can get hacked. Hell, there was a credit card industry hack where the hackers inserted a program into the card processing computers.

I'm not saying Turbine doesn't have to provide security. They do have to and they fulfill that on a continual basis. But you need to shoulder some of the responsibility as well.

I do, I use a card with an (artificially low) max limit of £150 for online purchases. I still think Turbine should be using Verified by Visa, or something similar.

Stoner81
12-26-2012, 12:03 PM
Try using a password manager like LastPass which integrates directly into your browser and has its own password generator. Been using it for years and never had any issues.


lastpass.com

Stoner81.

angelgurl61877
12-26-2012, 10:24 PM
Hello all! If there is any way that someone can update me today on the Khyber server ordeal as to why it is down I would greatly appreciate it, I have had that issue all day today. If anyone knows anything at all like this similar situation. I have been dealing with Holiday Family Friend issues the past couple of days and have not been on to see what is going on with the situation. Please let me know as to why there is something there regarding this situation. Thank you for all of your help! :D


Serenthiaa, Ciada, Argathiaa, Cyradii

(Khyber Server)

pasy007
02-27-2013, 04:13 PM
Hello,

For a few days I have wanted to buy Turbine points to spend on the Otto's Irresistible Box, but I am unable to; it says an error occurred and to try again later.

Seeing this, I called the financial institution for my credit card and they told me everything was fine on their side, that it was coming from the website.

When do you expect a return to normal, and I hope you will extend the purchase date for the Otto box given that it ends on February 28.

Thank you

gphysalis
03-29-2013, 07:37 AM
I would feel that my account was much more secure if you were not planning on implementing the new website changes using our game login with the website.

~Pwesiela1
04-29-2013, 03:23 PM
Hello everyone,
To date, all indications are that most compromised accounts have been the result of account information stolen from other gaming websites and online games.

This is possible because many people use the same credentials to log into multiple sites and games.


Sincerely,
Turbine’s Anti-Fraud Supervisor

So much for keeping forums and game names/logins separate.

~popejubal
04-29-2013, 10:10 PM
Lastly, do not purchase in-game currency from gold sellers. Never encourage your friends to purchase gold. The cash market for in-game gold is the driving force behind most account theft. If players did not buy gold, sellers would not need to steal and strip accounts. We investigate and take action on all players that receive gold from gold sellers, up to and including a permanent account suspension.

It's against the Terms of Service to trade gold and other in-game currencies as well as in-game items to other players for cash.

Do/will you also investigate and take action on players that receive or offer gold/other in-game currencies/in-game items for Turbine Point codes available from the Turbine marketplace?

Antheal
05-23-2013, 12:26 AM
Hello everyone,

Given the recent news about a number of popular gaming websites and online games suffering security breaches which left their account details exposed, Turbine would like to discuss account security and some steps you can take to secure your account. Account theft is an ever-present issue in the game industry. It’s also a top priority at Turbine - one that we spend significant time and resources to address every day.

On a continual basis, the Turbine fraud team monitors all player reports, network activity, in-game behavior, and other information that may indicate fraudulent activity or account theft. We then investigate and respond in accordance with our policies. To date, all indications are that most compromised accounts have been the result of account information stolen from other gaming websites and online games.

This is possible because many people use the same credentials to log into multiple sites and games.

... ... ...

Your security is important to all of us at Turbine, and we hope this information will help address concerns and misinformation about why account compromises occur. If you have any questions or suggestions, you may contact our Customer Service team at support.turbine.com.

Sincerely,
Turbine’s Anti-Fraud Supervisor

Please, tell us more about this using "the same credentials to log into multiple sites and games".

Erik_Loki
01-15-2014, 09:13 AM
Steal the idea from Cryptic and add IP confirmation please... and the possibility to add more than 1 IP. If an account is stolen from another country you can refund unlucky players...

Thanks

DeliaKelodin
01-08-2022, 09:47 AM
I can't log in right now. My password isn't working. It is Upper and Lower and Numbered and all the jazz. I tried it about 10 times and found this thread. Is the game down right now? If someone could give me a heads up on what is going on, that would be great. Thanks!

dredre9987
01-08-2022, 09:51 AM
I can't log in right now. My password isn't working. It is Upper and Lower and Numbered and all the jazz. I tried it about 10 times and found this thread. Is the game down right now? If someone could give me a heads up on what is going on, that would be great. Thanks!

Login servers are down. Just a waiting game atm. Great 8 year necro btw, especially since there are at least three newer posts started today about it.

relmon
02-28-2022, 01:19 PM
Hello everyone,

Given the recent news about a number of popular gaming websites and online games suffering security breaches which left their account details exposed, Turbine would like to discuss account security and some steps you can take to secure your account. Account theft is an ever-present issue in the game industry. It’s also a top priority at Turbine - one that we spend significant time and resources to address every day.

On a continual basis, the Turbine fraud team monitors all player reports, network activity, in-game behavior, and other information that may indicate fraudulent activity or account theft. We then investigate and respond in accordance with our policies. To date, all indications are that most compromised accounts have been the result of account information stolen from other gaming websites and online games.

This is possible because many people use the same credentials to log into multiple sites and games. Additionally, other players share their usernames and passwords with people such as roommates, guild members, etc. A smaller percentage of users appear to have fallen victim to keylogging, phishing, or other technology-based attacks. While it is difficult to get to the root cause of every reported incident, there is no data to suggest that account information stored with Turbine is in any way at risk.

Even though we are satisfied that our account system remains secure, we will continue our ongoing efforts to defend our services against known and emerging security threats. In the meantime there are several steps players can take to help protect their accounts against the most common types of account theft:

Change your password regularly to a new, unique password that you have never used for any other product or website.
Never share your username and password with anyone else or allow them to log into your account.
Use a home network firewall at all times and check the exception list regularly for new entries.
Run antivirus and malware scanning tools on a regular basis with the latest definition files.
Beware of phishing or spoofing scams that you receive in your mailbox, either in-game or out-of-game. In general, you should avoid clicking links in e-mail you have not requested. If you have any questions about an e-mail or chat you’ve received that claimed to come from Turbine, please contact our Customer Service team at support.turbine.com.
Lastly, do not purchase in-game currency from gold sellers. Never encourage your friends to purchase gold. The cash market for in-game gold is the driving force behind most account theft. If players did not buy gold, sellers would not need to steal and strip accounts. We investigate and take action on all players that receive gold from gold sellers, up to and including a permanent account suspension.

Your security is important to all of us at Turbine, and we hope this information will help address concerns and misinformation about why account compromises occur. If you have any questions or suggestions, you may contact our Customer Service team at support.turbine.com.

Sincerely,
Turbine’s Anti-Fraud Supervisor

This would be good information if we hadn't been waiting 11.5 months for account recovery.

crzzytrn
03-08-2022, 05:37 PM
Could use a 3-step log-in for added security. I have several accounts that use this and it's simply sending a code by either email or text. This would also prevent hackers from gaining access from data obtained by key loggers or other means of information gathering. Something to consider for added security.

MyStiK-GaMeR
03-09-2022, 12:02 PM
This would be good information if we hadn't been waiting 11.5 months for account recovery.

Ouch. That's horrendous. Someone posted on Reddit yesterday about finally getting a response to missing all tomes after 3 months, no resolution, just a response. I thought my annoyance of waiting two months and counting for a guild name change was bad.