A New Way to Protect Your Account

by Mike O'Brien on 28th July, 2015

As some of you will remember, I wrote to you about account security just after the launch of Guild Wars 2. At that time, I explained how hackers were stealing accounts because of passwords reused on different sites. I asked you to use a unique password for your Guild Wars 2 account and to help spread the word to your friends and guildmates.

The stakes get higher as Guild Wars 2 continues to grow. With Guild Wars 2: Heart of Thorns™ on the horizon, more players are joining the game every day, and we need to remain vigilant to protect every player in our community.

Today I’ll review security advice, tell you about a new tool we’re providing to help keep your account secure, and ask you again to be our advocate and spread the word about account security.

A Quick Security Background

Game accounts are worth money to hackers. If they can steal one, they’ll strip it of gold and items, sell those, and then use the stripped account for botting or spamming. You don’t want that to happen to you, and neither do we.

How do they steal the accounts? They start by buying lists of hundreds of millions of possible e‑mail address and password combinations, mostly gathered through the many security breaches of websites and game platforms you may have read about in the news, and also collected from malware. Armed with these lists, and with access to many computers and Internet addresses to test from, they make constant log-in attempts to see whether anyone has created a Guild Wars 2 account using an e‑mail address and password that’s already on one of the lists.

Just finding a matching e-mail address and password generally isn’t good enough though. When the hacker tries to log in to the account, Guild Wars 2 recognizes that they’re logging in from a new location, and it sends an e-mail to the account holder to verify. But if the hacker can get someone’s Guild Wars 2 password from a list of known passwords, he can usually also get their e-mail account password from that list. Then he can just log in to the e-mail account and click through the verification email.

Using Unique Passwords

The simplest thing you can do to keep your Guild Wars 2 account secure—and all your other accounts too—is to pick a unique password for each account. Choose a password for Guild Wars 2 that you’ve never used anywhere else. And once you’ve started using it for Guild Wars 2, don’t subsequently use it elsewhere.

Over the past few years, we’ve tried to ensure that players pick unique passwords for Guild Wars 2 by building our own list of the hundreds of millions of passwords that hackers know and then not allowing new accounts to use any of those passwords. It has worked well, and Guild Wars 2 has had a pretty low incidence of account hacking since we started that.

It’s not a perfect system. One problem with forcing everyone to pick a new password for Guild Wars 2 is that a lot of people later forget those passwords. This year, hundreds of thousands of you will contact our customer-support team to ask for help recovering a password. We know it’s difficult and frustrating for you to have to contact customer support just to get back into your own account, and frankly it’s hard on us too. We do have an automated account-recovery system, but we set a high standard of proof for automated recovery, which many players returning to the game after a long absence can’t satisfy. And we can’t lower that standard of proof, because then hackers would steal accounts through automated account recovery. There has to be a better way.

Introducing SMS

There is a better way. You’re probably already used to it from other sites like Google and Yahoo!

Starting in the next couple weeks, we’re going to ask you to associate a phone number with your account. Don’t worry, we won’t spam you; we’ll use your phone number solely for the purpose of keeping your account secure.

Once you associate a phone number with your account, if someone tries to log in to your account from a new location, we’ll send an SMS to your cell phone or call your landline to verify that it’s you. And if you ever forget your password or lose access to your account, you’ll be able to ask us to send an SMS to your cell phone or call your landline to provide a code that you can use to reset your password. With one system, we can substantially improve both account security and account recovery.

SMS versus Authenticators

Some of you have already secured your accounts using traditional two-factor authentication, connecting an app like Google Authenticator to your account. In that case, you can keep using two-factor authentication and we won’t ask for your phone number.

We think SMS will be a better solution than authenticators for most people. The two solutions are almost identical for security: we challenge you whenever you log in from a new location, and you respond to the challenge either by typing a code you got from an SMS message or by typing a code you got from Google Authenticator. For account recovery, though, SMS is the clear winner. When you return to the game after not playing for a while, you’re pretty likely to still have your same phone number, but not as likely to still have Google Authenticator configured for your account.

There’s one other thing we like about SMS versus authenticators. When a hacker steals an unsecured account, it’s easy for the hacker to add an authenticator to the account, which makes it difficult for the original owner to later recover the account (we may someday have to restrict how authenticators are added to new accounts to prevent them from being abused this way). Conversely, it’s not as easy for a hacker to add a phone number to the account. We require a legitimate cell phone or landline phone number, not something like Google Voice, and we verify the phone number. Hackers don’t have an unlimited supply of cell phones and landlines they can use.

While we’re happy to be introducing SMS, and we think it offers some clear advantages over authenticators, both systems are great for account security. Choose whichever one you’re most comfortable with.

Protection from Looting

We strongly recommend that you use one of these two systems to protect your account. But for you, our long-term Guild Wars 2 players, we won’t force the issue. You’ve had your account for a while and it hasn’t been stolen. Your existing account security has stood the test of time.

The accounts that are at high risk of being stolen are newly created accounts. And in particular, the accounts at the highest risk of being stolen are newly created accounts from players who don’t know about blog posts like this and haven’t ever been given good security advice. Yet it’s our responsibility to protect them, whether they know a lot about account security or not.

As a player, the worst thing about having your account stolen is losing your gold and items. And to a hacker, that’s the primary motivation to steal an account. So, while we can’t prevent everything, at least we can try to prevent that looting.

So sometime in the coming months we’ll add a restriction to newly created accounts, preventing gold and items from being mailed off the account (thus being potentially looted off the account) until the account is first secured with either a phone number or an authenticator. We’ll let you know when we’re ready to start that, and again, this will apply only to new accounts created after that date.

Rollout

Having talked about the importance of this new phone-based security option, let’s talk about how we’ll roll it out.

We’ll start immediately, but with a staged rollout. Today we’ll offer the new option to a small number of accounts chosen at random, to help test the system. Then we’ll keep adding new accounts in waves, with the goal of completing the rollout in about two weeks. You’ll know when the option is available to you because you’ll get a prompt after login asking you to associate a phone number with your account.

To thank our players for keeping their accounts secure, we’re offering a Mini Mystical Dragon to everyone who applies either a phone number or an authenticator to their account. If you want the mini dragon today, you can of course sign up for two-factor authentication immediately. If you prefer to use phone-based security, you should have no more than two weeks to wait until it’s available for your account.

Thank you for reading this far. You’re obviously someone who takes account security seriously, and you’re more informed on the subject than most players. Please be our ambassador. Get the word out to your friends and fellow players. Help them keep their accounts secure.

Mike O’Brien