Over the past couple of days we’ve started hearing about a lot of account hacks, phishing scams, and attempted password resets coming from Guild Wars 2 players. This kind of thing isn’t new – any time a new major (and sometimes not-so-major) MMO comes out, you’ll see the gold-sellers start trying to get into accounts to claim their piece of the pie. Of course, some MMOs like WoW and Rift have implemented authentication systems, (and that’s a very good thing!) but at the same time I think we’ve gotten a bit spoiled by the authenticators. You don’t want to be in a position where your only defense against a hacker is an authenticator.
How do gold sellers try to hack your account? Easy: they scrape fansites, guild websites, forums, social media, and in some cases have databases full of known MMO account emails and passwords. Fansites, guild websites, and forums don’t always have the best security – they’re not your bank or your workplace, so the likelihood that your email address and password is encrypted is usually fairly low. I’m not accusing those websites of being corrupted, but they can be easy targets. So if you’re using the same email and password for your game account as you use on game-related websites, Twitter, or Facebook, you’re setting yourself up to be compromised – in fact, you very possibly already are compromised.
Say your email address is firstname.lastname@example.org and your password is 123456. You use that email account for your regular email, but you also have used it to sign up for your guild website and accounts on a few popular gaming sites. You also use this email for your WoW account, your Rift account, and your GW2 account.
It’s not difficult for a hacker to get your email address from one of the gaming websites, or a compromised game database, or from your blog. Then, all they have to do is start sending official-looking emails to your email account telling you that somebody is trying to change your password – and you need to click this link to verify your correct password! Needless to say, all this will do is give or verify your password to the hacker and they are in.
Don’t despair though! There are a few things you can do to strengthen the security on your accounts, courtesy of Mr. Moxie, a cyber-security engineer and ethical hacker:
1. Have a unique, fresh email address for every major game. Do not use these accounts anywhere else.
Quick anecdote: I have one email address I use for regular email, one email address I use for all gaming forums, guild websites, and other website junk, and then a unique email address for each major MMO that I’ve played. The passwords are all different (though I have a system so that I can easily remember them). I have never received a phishing email on the actual game email addresses. I have received plenty of phishing emails on the email address that I use for gaming sites and forums. Sneaky little bastards!
I can’t emphasize this enough – use different emails. Don’t use your game emails for anything else – ever.
2. Pick better passwords.
Some folks will tell you to pick a phrase like “Charlie Went To The Grocery Store For Pickled Herring 2 Go” and then use “CWTTGSFPH2G” for your password. That’s always confusing to me. The absolute best password you can have is at least 14 characters long, the longer the better. You can even use a combination of 4 or more words, such as “sunshinehairslowbrain”, which would take 4 trillion years for a desktop PC to crack. Adding numbers and symbols would be even better. If you want to test your password to see how secure it is, take a look at http://howsecureismypassword.net.
It’s a great resource that Mr. Moxie passed along to me a while back. Just make sure that you don’t pick words that would be easily guessed, like your kid’s names or your pet’s names!
3. If you get emails about your account status, never assume they are real.
Never click a link from an email to sign in to your game account. Always go straight to the game’s website and sign in that way. If you get emails saying that somebody is trying to change your password, don’t panic. Change the email address on the account.
4. Be careful about what gaming websites you visit and sign up for.
There’s a lot of sketchy gaming websites out there. Use Adblock Plus or other adblocking software in your browser. Don’t click advertisements, even if they seem innocuous. Don’t download mods or add-ons unless they come from a trusted and verified source.
5. Get an authenticator.
In the case of Guild Wars 2, we’re still waiting for the authenticator. While you can use the steps above to greatly minimize your chances of being hacked, authenticators ultimately are the best protection you can have. As soon as they are released, get one ASAP.