As many of you are probably aware, Turbine plans to use our game accounts as our Forum logins (http://forums.ddo.com/showthread.php?t=413296)


This april we will be making several big changes and updates to the DDO community websites ahead of the Expansion. In preparation for the changes, please review the following important details regarding each of the website components:

Forums

The forums are going to be upgraded to a newer version of vBulletin. After the upgrade, you will use your DDO game login credentials to log into the forums, and your current forum name will become your display nickname. .

Due to the obvious security implications of having the same account information for both game and forum logins, I have contacted Customer Support, and asked them to remove my credit card information from my account.

If this enormous security hole concerns you as well, I would encourage you to also ask to have your card information removed from your account, and to post a reply here so that Turbine might realise how against this move their players are, and reverse their decision.

You can find the form to contact Customer Support here (http://support.turbine.com/ics/support/ticketnewwizard.asp?style=classic&deptID=24001&)

Wow, this is a terrible idea.
/signed

/signed

/signed
this is a very bad idea.

As many of you are probably aware, Turbine plans to use our game accounts as our Forum logins (http://forums.ddo.com/showthread.php?t=413296)



Due to the obvious security implications of having the same account information for both game and forum logins, I have contacted Customer Support, and asked them to remove my credit card information from my account.

If this enormous security hole concerns you as well, I would encourage you to also ask to have your card information removed from your account, and to post a reply here so that Turbine might realise how against this move their players are, and reverse their decision.

You can find the form to contact Customer Support here (http://support.turbine.com/ics/support/ticketnewwizard.asp?style=classic&deptID=24001&)

I suspect a change in policy if large numbers of customers remove their credit cards from their account. As others have stated, this simply folly on their part. They learned nothing from LOTRO

I will simply make another account and post with that. Don't care about post history and I'll just copy/paste my trade thread.

But yeah, bad decision.

Hi,

Yes, I agree. This is a very bad idea.

Sometimes it seems like the players are being dared to abandon the game.

Thanks.

I will simply make another account and post with that. Don't care about post history and I'll just copy/paste my trade thread.

But yeah, bad decision.

This part from Tolero "You will retain all of your existing posting history, reputation, etc."

Makes me worry the account info would be vulnerable without even logging into the new forum.

I will simply make another account and post with that. Don't care about post history and I'll just copy/paste my trade thread.

But yeah, bad decision.

Yup, I think I'll do the same.

This new idea of Turbine is terribly bad.

So you think someone is going to hack the DDO forums and steal our credit card info? Then use it and your bank is going to say "Sorry, I dont believe you were not in Pakistan last week to make that charge".

:rolleyes:

Seems to me Turbine has done this before with bad results. And they fixed it after a major outcry. Deja vu all over again.

So you think someone is going to hack the DDO forums and steal our credit card info? Then use it and your bank is going to say "Sorry, I dont believe you were not in Pakistan last week to make that charge".

:rolleyes:

Do I believe someone is going to steal my cc info and use it outside of the game, no.

Do I believe someone could steal my login and wreck havoc in game, including store purchases? Yes

You'd be a fool to believe otherwise, Turbine's history of this is quite clear. Regardless, this is a very poor security policy. You can eyeroll at that, but I know you agree

It certainly seems like a step in the wrong direction.

/signed with the absolute most extreme prejudice.

Is Turbine ASKING to become the next industry security punchline? It's not about people stealing CC info for nefarious ends, it's about bored hackers pantsing Turbine and Warner Brothers for the lulz.

I absolutely do not want my forum log in linked to my account log in.

it wasn't that long ago that turbines forums were hacked. At that time turbine said something along the lines of

" please make sure that your game log in and passwords are not the same as your forum log ins"

now they are going to force this very weak security on us.

have Turbine given any reason for this incredibly poor decision ?

Some of the ideas coming out from Turbine HQ beggar belief .

I absolutely do not want my forum log in linked to my account log in.

it wasn't that long ago that turbines forums were hacked. At that time turbine said something along the lines of

" please make sure that your game log in and passwords are not the same as your forum log ins"

now they are going to force this very weak security on us.

have Turbine given any reason for this incredibly poor decision ?

Some of the ideas coming out from Turbine HQ beggar belief .

Some marketing type probably thought it would "enhance the end user experience" and "increase our footprint in social media", and now the IT guys have to implement it.

I agree with the points raised in this thread. Turbine does not have a good track record for security with the forums, and this is a very bad idea. I urge them to reconsider.

So you think someone is going to hack the DDO forums and steal our credit card info? Then use it and your bank is going to say "Sorry, I dont believe you were not in Pakistan last week to make that charge".

:rolleyes:

Yeah, because hackers somehow dont know what IP masking is, and have no social engineering skills whatsoever? Sorry, dont buy it.

This is a terribad idea, from multiple angles. Not to mention the whole LOTRO fiasco should have been a learning tool for this kind of thing.

/signed

/singed

very bad idea indeed, lets not make a hackers paradise out of ddo......... please?

even for the best possible security, someone, somewhere, somehow will find a way though............... it will be ugly when that happens.

So you think someone is going to hack the DDO forums and steal our credit card info? Then use it and your bank is going to say "Sorry, I dont believe you were not in Pakistan last week to make that charge".

:rolleyes:

While I don't know about the Pakistan part, it did happen to LOTRO.

And for me it is not so much the issue of getting a charge reversed, it is the hassle of having to get a whole new card and number. THAT is what ticks me off.

/signed

This would explain why the create forum profile option is gone in our myaccount.turbine.

soo a bad idea i dont think the interns can keep forum passwords safe, now no one wants our forum password but after the password change. someone might want to get our eggos i mean AS (another bad idea interns)

Now we can finally find out who Chai is :p

/signed

I suspect a change in policy if large numbers of customers remove their credit cards from their account. As others have stated, this simply folly on their part. They learned nothing from LOTRO

On the contrary, I think they learned that there is a initial gnashing of teeth and blow back from making this kind of move, but 3 months later, it was if nothing had happened and despite the doom and gloom, game populations didn't change much.

I will simply make another account and post with that. Don't care about post history and I'll just copy/paste my trade thread.

But yeah, bad decision.

Thanks goodness I'm doing that since day one.

/signed nonetheless.

This part from Tolero "You will retain all of your existing posting history, reputation, etc."

Makes me worry the account info would be vulnerable without even logging into the new forum.

Odds are they will in fact just autoconvert/autolink everyone's accounts and your account will be exposed even if you never use the forums again. Frankly it would make no sense to do it "on login" to the forums, that is the kind of things you do behind the scene in a batch.

/signed

Bad idea.

As many of you are probably aware, Turbine plans to use our game accounts as our Forum logins (http://forums.ddo.com/showthread.php?t=413296)



Due to the obvious security implications of having the same account information for both game and forum logins, I have contacted Customer Support, and asked them to remove my credit card information from my account.

If this enormous security hole concerns you as well, I would encourage you to also ask to have your card information removed from your account, and to post a reply here so that Turbine might realise how against this move their players are, and reverse their decision.

You can find the form to contact Customer Support here (http://support.turbine.com/ics/support/ticketnewwizard.asp?style=classic&deptID=24001&)

Thank you for catching this and pointing it out. I don't usually read release notes in advance, this would have left me scrambling at the last minute trying to get my info changed or canceling my debit card. Already got my request to have the info removed from my account submitted.

I seriously doubt my request to have my info removed will convince anyone at turbine that this is a bad idea, or that they will care about the loss of income from the removal. More than likely i will use a prepaid card for future purchases, if any, with turbine. Have to admit this is the first time i ever felt a company was so untrustworthy that i had to remove my card info from them.

I don't see what the problem is. I'm sure that this reduction in security won't be a problem. It's not like Turbine had any security problems in LotRO and LotRO is the first of Turbine's games to do the forum name = account name. Also, they're a big company. That means their security protocols are going to be good. It's not like they would transmit excessive account information in plain text to advertisers in exchange for a small profit. Or forget to even register their own domain name. Their crack team of IT professionals would never let anything bad happen to us.



(Tolero, I can't get the sarcasm font to work. Could you please look into this?)

/signed

Look I may not have any rep (-49) and my join date is wrong but I still think that Ill not be on the forum when it happens nor have or will I give ddo my card number. I still feel for WoW when some one hacked them and killed every one one all the servers that included even the DM's and 2 devs from what was stated. DDO UPPER PEOPLE DON'T DO IT!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!

Also, I only ever find out about the exploits after they're gone. This would give me the chance to be involved in a potential exploit from the beginning. The fact that I would be the target of someone else trying to hack my account doesn't take away from the fact that it would be my first real opportunity to be involved in an exploit.


VOTE FORUM NAME = ACCOUNT NAME YES!

I agree that this is a VERY BAD idea. I just called Customer Support and had them remove my credit card. This will make any "impulse" purchase less likely which is probably a good thing.

/signed

Also add a mobile authenticator to the account.

/signed

Also add a mobile authenticator to the account.

co-signed

I'm beginning to think that guy they hired away from Zynga is still working for Zynga. Why yes, I am wearing my tinfoil fedora today, why do you ask?

So you think someone is going to hack the DDO forums and steal our credit card info? Then use it and your bank is going to say "Sorry, I dont believe you were not in Pakistan last week to make that charge".

:rolleyes:

When I was 15 I wrote my first phreaking program after learning what 2600hz meant and that quickly connected me with some not so nice people.

Even way back then, when connections of criminals across the world was much tougher, there were a dozen credit card number exchange BBSes that I knew about alone. You could enter a credit card number you had obtained (or a string of them) and then have the right to draw a creditcard number(s) from a location of your choice. You could also receive goods using dead drops.

If we figured out how to do it in the 80s, I'm sure they can figure it out today.

Besides, the real risk is not that they put a charge through your credit card, its that they use the name, address, and credit card number on file at Turbine to steal your identity. With that combination, they can do all sorts of fun things like taking out loans in your name, even mortgaging your house out from under you.

Now we can finally find out who Chai is :p

Not any easier than it would be to do so now gamewise.

I seriously doubt my request to have my info removed will convince anyone at turbine that this is a bad idea, or that they will care about the loss of income from the removal.

The removal causes them a workload issue if it is done in large numbers and consistently by people after every purchase. That's a directly and noticeable increase in overhead costs and that gets noticed. If nothing else, it may at least encourage them to let us remove our own card numbers, as we always should have been able to.

/signed

I also submitted a ticket requesting my card info and billing address to be removed from my account. Better safe than sorry.

The removal causes them a workload issue if it is done in large numbers and consistently by people after every purchase. That's a directly and noticeable increase in overhead costs and that gets noticed. If nothing else, it may at least encourage them to let us remove our own card numbers, as we always should have been able to.

Or stop allowing people to do so, then what are people going to do, log onto the forums to complain using the same log on they use for in game?

Or stop allowing people to do so, then what are people going to do, log onto the forums to complain using the same log on they use for in game?

They can't stop allowing people to ask to have their information removed. :rolleyes:

As for the forum log on, I hate to do it but I can create a new forum account from a new free game account (that has nothing to steal).

I will simply make another account and post with that. Don't care about post history and I'll just copy/paste my trade thread.

But yeah, bad decision.

this. only rational choice really. hope turbine doesn't mind the overhead increase of having to deal with multiple accounts per person just because they did something boneheaded. i seem to recall a few years back their forum login server got hacked, guess they don't learn...

to op, /signed.

Signed and submitted ticket to remove my info. It definitively will help me not make any impulse buys..just in time to save some money before summer.

I can see in the near future they start selling a Authenticator keychain and android app. Kinda like how blizzard does it for Battlenet. Ease up on security to sell keychains with kobolds on em for 10 bucks a pop.. all in the name of "Security for its loyal fanbase"

1. Loosen security.
2. Get players paranoid.
3 Release real money AH
4. Release authenticators.
5. profit!

There has to be some valid reason for doing this and big T does not seem to do anything lately unless there is Cash involved. That is my tinfoil hat theory. :D

So you think someone is going to hack the DDO forums and steal our credit card info? Then use it and your bank is going to say "Sorry, I dont believe you were not in Pakistan last week to make that charge".

:rolleyes:

And then have to go through weeks of hassle and a potential lack of funds because of an unnecessary risk? I'd just as soon not take the chance.

Or stop allowing people to do so, then what are people going to do, log onto the forums to complain using the same log on they use for in game?

I doubt they are that stupid. That would put them in violation of PCI Data Security Standards. Under SAQ-D, part 3 requirements, after the credit card transaction is completed, storage of complete credit card numbers must be kept to a minimum and must be purged at customer request unless there is a legal or statutory requirement for maintaining it.

While you don't break any laws if you don't follow this standard, your credit card merchant account is subject to suspension at the discretion of the processor. In addition, by failing to maintain the industry standards of care, processors will almost certainly will lawsuits making Turbine/WB responsible for all credit card losses due to the fraud that Turbine enabled by failing to follow the minimum industry standards.

In addition, that same negligence tort claim could be used by credit card holders who incurred expenses caused by identity theft due to Turbine's negligence. In the US, this could also include punitive damages which sometimes greatly exceed the loss.

In some jurisdictions (not sure about Turbine's home), maintaining credit card info on file without consent may also violate civil or criminal privacy and customer protection laws. (Which is why many companies just ASK if they can keep it on file, which most people answer yes to)

Overall, I would certainly hope Turbine is not so stupid as to not remove credit card info on request.

/signed

What a terrible idea.

Seems to me Turbine has done this before with bad results. And they fixed it after a major outcry. Deja vu all over again.

This.

Offer Wall, anyone?

Horrible Idea.

Please do not implement this.

/signed

I doubt they are that stupid. That would put them in violation of PCI Data Security Standards. Under SAQ-D, part 3 requirements, after the credit card transaction is completed, storage of complete credit card numbers must be kept to a minimum and must be purged at customer request unless there is a legal or statutory requirement for maintaining it.

While you don't break any laws if you don't follow this standard, your credit card merchant account is subject to suspension at the discretion of the processor. In addition, by failing to maintain the industry standards of care, processors will almost certainly will lawsuits making Turbine/WB responsible for all credit card losses due to the fraud that Turbine enabled by failing to follow the minimum industry standards.

In addition, that same negligence tort claim could be used by credit card holders who incurred expenses caused by identity theft due to Turbine's negligence. In the US, this could also include punitive damages which sometimes greatly exceed the loss.

In some jurisdictions (not sure about Turbine's home), maintaining credit card info on file without consent may also violate civil or criminal privacy and customer protection laws. (Which is why many companies just ASK if they can keep it on file, which most people answer yes to)

Overall, I would certainly hope Turbine is not so stupid as to not remove credit card info on request.

Not talking about saying no to people, Im talking about punitively not allowing it, aka: just have an office with a skelliton crew of CS reps thats open from 10 until 4 monday through thursday EST, and during any attractive sale or expansion time, anyone who calls in will have a 90 min wait time due to the insane logjam of other users calling in to have their info removed. This is what you were talking before, by saying that the demand would be ramped up to the point where it would create a higher demand than they have the employees to service reasonably.

Credit card holders are the ones who put their card on file, while clicking through agreements and such the entire time and thus providing consent - proving they did not want it on file after they have been hacked with nothing else like a written request or an email trail in the system would be difficult. This will also be part of the issue of the user has a history of providing the same CC info, only to take it off file again a short time later, repeatedly.

Personally I agree what they are doing is a terribad idea, but its not as easy as just snapping ones fingers and the weight of the courts just comes crashing down on them.

/signed

and submitted ticket for removal. not sure if it has any weight but... did it anyway.

This is a very bad and scary idea.

It make no sens what so ever.
All our account info, games and stuff will be in danger because of this lack of vision move.
Will they ever learn?

I already signed one of these, but /signed here too.

Devs, if one were to be permanently banned from the forums, what will happen when the accounts are merged? Will they be allowed back in the forums, will they be suddenly banned from the game? Or some other option I hadn't considered.

/signed

/signed.

I intend to create a second game account with characters of no importance and ask that my forum name be associated with that account instead.

Or just use PayPal so that you're not sharing your credit card with a dozen sites/merchants. This is super easy if you're playing DDO through Steam.

Either way, at this point I've played dozens of MMO's at this point and I could count the number that have had additional log in information for their forums on one hand. While it maybe poor security to some, it is what the majority of the industry has done.

I can see in the near future they start selling a Authenticator keychain and android app. Kinda like how blizzard does it for Battlenet.

Of course Blizzard's are free - only pay shipping on the physical one. :rolleyes:

Or just use PayPal so that you're not sharing your credit card with a dozen sites/merchants. This is super easy if you're playing DDO through Steam.

Either way, at this point I've played dozens of MMO's at this point and I could count the number that have had additional log in information for their forums on one hand. While it maybe poor security to some, it is what the majority of the industry has done.

It wasnt that long ago when Turbine put out a PSA about a security compromise and specifically requested for people to make sure their forum log on and their game log on was different. Now they are forcing the issue for them to be the same, with no option to differentiate the two.

Not talking about saying no to people, Im talking about punitively not allowing it, aka: just have an office with a skelliton crew of CS reps thats open from 10 until 4 monday through thursday EST, and during any attractive sale or expansion time, anyone who calls in will have a 90 min wait time due to the insane logjam of other users calling in to have their info removed. This is what you were talking before, by saying that the demand would be ramped up to the point where it would create a higher demand than they have the employees to service reasonably.

Right, that would require them to put on more staff, or lose money because people with other problems that make Turbine money (like putting foreign cards on accounts, manual purchases, etc) will not be able to make their purchases.


Credit card holders are the ones who put their card on file, while clicking through agreements and such the entire time and thus providing consent - proving they did not want it on file after they have been hacked with nothing else like a written request or an email trail in the system would be difficult. This will also be part of the issue of the user has a history of providing the same CC info, only to take it off file again a short time later, repeatedly.

Personally I agree what they are doing is a terribad idea, but its not as easy as just snapping ones fingers and the weight of the courts just comes crashing down on them.

It wouldn't be difficult at all to show Turbine practice. Don't forget, its not John Smith they have to fear, it is the Bank which holds his credit card and the Insurance Company that paid out for costs related to identity theft. Those types of companies are just filled to the brim with lawyers looking to move risk off to others. Also if you fight back sufficiently against the banks you lose your credit card merchant account, and that shuts the game (and possibly others) down.

Even if they successfully defend against such a case, the legal cost would quickly grow into the 6 figure range, and of course as a WB sub, WB might well draw bad publicity, which is also rather expensive to deal with.

No, the Bunny will be very unhappy with them if they are the source of a negligence case.


It wasnt that long ago when Turbine put out a PSA about a security compromise and specifically requested for people to make sure their forum log on and their game log on was different. Now they are forcing the issue for them to be the same, with no option to differentiate the two.

Yup, that won't help their case either since they have already told US that having a unified password/userid was a bad idea.

It is a very bad idea.
One of the "lawsuits are going to follow" kind of bad idea.

Did this already happen? The link to change your forum password in the MyAccount page is gone....

/Signed...this is a very bad idea...

I wish people would cry about stuff that matters before f2p there was just one account and guess what there was no issues so go cry your river where it matters

I wish people would cry about stuff that matters before f2p there was just one account and guess what there was no issues so go cry your river where it matters

Nope. I remember having a separate password for forum and game log on well before f2p, which was 2009.

I wish people would cry about stuff that matters before f2p there was just one account and guess what there was no issues so go cry your river where it matters

Nope from the moment I joined in 2007, it's always been separate for me as well.

It seems like Turbine is working even harder than usual to get people to sign up for extra accounts.

...in this case, it's just to make a forum login ID that's different than your account ID. A few months ago, it was to get a shiny Cube pet (or was it a wolf pet? - I forget).

Is having extra accounts that aren't used for play *that* important to Turbine?

offerwall

There's an interview with someone talking about gold farmers and how they hack accounts. The video is a few years old, but nothing has changed that makes me think this isn't still relevant.

http://www.youtube.com/watch?v=PWvHcoqru7I

Run this forward to 31:39 and watch for a few minutes.

If the guy who deals with the gold farmers think having the same game login and forum login is moronic, then why would we consider going in that direction?

Or will the forums be unhackable? ..... yeah ..... sure .....

ok well when I started they were the same I was forced to change my game password when F2P came out b4 that it was SAME user/pass

After the upgrade, you will use your DDO game login credentials to log into the forums, and your current forum name will become your display nickname. You will retain all of your existing posting history, reputation, etc. If you're new to the forums, you'll be able to select a display nickname the first time you log into the forums with your game credentials.What I see here, it looks like I log on to the forums using your DDO login, but the username that everyone else sees (if this is "display nickname" like I am taking it to be) will be the same. Everyone else will still see me as ZeebaNeighba, but I just log on using my DDO login. I can see how, if my DDO login username is revealed to everyone on the forums, it's easier to get in the game, since a hacker only has to figure out the password. But if the displayed names on the forums don't change, just the way I log in, I don't see the problem.

But judging by the freaking out in this thread, I'm assuming I'm misunderstanding something.

What I see here, it looks like I log on to the forums using your DDO login, but the username that everyone else sees (if this is "display nickname" like I am taking it to be) will be the same. Everyone else will still see me as ZeebaNeighba, but I just log on using my DDO login. I can see how, if my DDO login username is revealed to everyone on the forums, it's easier to get in the game, since a hacker only has to figure out the password. But if the displayed names on the forums don't change, just the way I log in, I don't see the problem.

But judging by the freaking out in this thread, I'm assuming I'm misunderstanding something.

The issue is that unlike the game servers, which are likely to be unique, forum software is a very common target for hackers. People spend a lot of time and effort trying to find cracks in forum security, because it allows them to spread more spam and steal more information.

If anyone exploits a security issue in these forums and gets access to the usernames and passwords, they can do all sorts of nasty stuff with your in-game account and credit cards.

/signed.

/signed.

A relief really given that I have had ongoing grief with my account and using a foreign C/C (happens really when you reside in the far far south of the Nth hemisphere :)

Oh hell - just realised now Im gona have to stop paying to win!! :eek:

/signed

Too many games make this error. Please reconsider this terrible move.

The issue is that unlike the game servers, which are likely to be unique, forum software is a very common target for hackers. People spend a lot of time and effort trying to find cracks in forum security, because it allows them to spread more spam and steal more information.

If anyone exploits a security issue in these forums and gets access to the usernames and passwords, they can do all sorts of nasty stuff with your in-game account and credit cards.Thanks for explaining that, it makes sense. I'll sign.

/signed

This move is beyond stupid, and some boggart at Turbine's should be fired just for thinking about it, let alone implementing.

/signed

Asinine idea.

/signed.

It's an over-confident move, by a company who should have every reason to be cautious about it's ability to deliver.

Just make your password really really long xD (I dont want to, turbine needs to not do this.)


BTW /Signed

Now we can finally find out who Chai is :p

Michelle Obama.

Really Turbine?

I remember you telling us that in the interest of security, we should not make our forum & game logins identical, it wasn't even all that long ago.**

Now you are saying they will be identical.

/signed

** my search-foo is week.
Would anyone who's skills are stronger mind finding & linking/quoting that? Seems like it aught to be included in the thread on the off chance someone who matters (has actual authority) reads it.

b4 that it was SAME user/passMaybe you foolishly used the same, but it wasn't a requirement (and I've been here since way before f2p too).



This is a terrible idea. Time to contact them.

Really Turbine?

I remember you telling us that in the interest of security, we should not make our forum & game logins identical, it wasn't even all that long ago.**

Now you are saying they will be identical.

/signed

** my search-foo is week.
Would anyone who's skills are stronger mind finding & linking/quoting that? Seems like it aught to be included in the thread on the off chance someone who matters (has actual authority) reads it.

Of course it's a bad idea from a security stand point.

What's that got to do with marketing?

The reason for the change is obvious when you think about it.

Turbine wants to have more ads on the Forums (hence the change) and can place things like "Buy Now" buttons on said ads. Being linked to your account means that you can easily impulse buy as opposed to the current method where if you browse the forums while not in game you must wait to log in. That time between can be long enough for you to change your mind and decide not to make the purchase. Turbine doesn't want that.

It's all about money, so it ain't going to change no matter how much we protest.

Fortunately I have two F2P accounts I use for mules, so I'm just going to switch to one of those to use the Forums. It gets hacked, it gets hacked. Won't bother me because I haven't spent any money on those accounts, so there's nothing to hack.

um, my forum account is already linked to my game account..

And well, so is everyone elses. Last I tried you can't get a forum account without a game account.

So I don't see the issue.

I mean your log in changes, but you display name doesn't, so theres no easier way for someone to hack your account.. They still have to figure out your log in name and password.

Far as security goes, personally I'd trust a recent version of vbulletin a lot more then turbines ancient websites and dotnet1.1 launcher.