Mike O’Brien on Account Security

by Mike O'Brien on September 21, 2012

I’d like to take some time to talk about account security: how you can help keep your account secure, and what we’re doing to help keep your account secure.

If you take one thing from this blog post, it should be this: in today’s security environment, you must use a unique password for any account you care about. If you currently use the same password for Guild Wars 2 that you use anywhere else, immediately change your Guild Wars 2 password to a new, unique password.

How Hackers Steal Accounts

Most of the security advice we’ve all seen through the years has focused on how to choose a strong password. You might therefore think that the primary way hackers break into accounts is by preying on accounts with weak passwords, perhaps scanning every word in the dictionary looking for matches. That’s rarely the case.

The basic truth is this: hackers steal game accounts because they already know the account name and password. They know them because they stole them (via security breaches or spyware) from another game or site where the person used the same account name and password.

So unfortunately, if the lesson you’ve learned from security advice through the years is to pick a single complicated password, memorize it, and then use it everywhere, that’s exactly the wrong lesson for today’s security environment. To keep accounts on different sites secure in today’s environment, you need to use a unique password for each account.

We have some ability at ArenaNet to watch hacking attempts live, and it tells a fascinating story. We watch as hackers use tens of thousands of different IP addresses to scan through millions of attempted account names and passwords, almost all of which are for accounts that don’t even exist in our database, looking for matches. They’re not guessing or brute-forcing passwords; they’re trying a very specific account name and password for each attempt. For example, account name “joe.user@example.com”, password “alligator101″. If they don’t get a match immediately, they may try a variant like “alligator100″ or “alligator102″, then they quickly move on to the next entry on their list. And it’s interesting to see that the passwords on these lists are mostly quite good passwords. For every one account on the hackers’ lists with a password like “twilight” (real example, ಠ_ಠ), there are dozens of accounts with good strong passwords. So the world at large clearly knows how to pick good passwords; the reason people are still getting hacked is because they use the same passwords on multiple sites.

The security environment has certainly changed. We didn’t see hackers testing these vast lists of stolen account names and passwords when we launched the first Guild Wars. But in recent years, a truly staggering number of game companies and web sites have had their account databases breached. These reports of security breaches — 77 million accounts, 25 million accounts, 24 million accounts, untold millions more — may seem abstract, too big to be real, but they’re obviously not. The information stolen from database breaches is worth a lot of money to hackers, who can take the stolen account credentials and use them to attack each new game that’s released.

So if it ever seemed safe to memorize one strong password and then use it for multiple accounts, it certainly isn’t safe anymore. Today it’s critically important to use a unique password for each account you care about and want to keep.

Email Authentication

We have a feature in place, email authentication, that’s designed to help keep your account secure even if a hacker does know your account name and password.

Here’s how it works. When you first login, we ask you to validate your email address. After that, whenever you attempt to login from a new location, we send email asking you to approve or deny the login attempt.

So keep in mind, if you ever see an unexpected email asking you to validate a login attempt from a location where you’re not playing from, that means a hacker already knows your account name and password! The only thing that’s keeping him from logging in as you is the email authentication system! Change your password immediately.

Unfortunately, even with this system in place, people still get their accounts hacked. Here’s how. First, about a third of players haven’t verified their email address yet. We can’t require email authentication for players with unverified email addresses. Second, in many cases hackers have stolen credentials for the player’s email account too, and thus can access the authentication email message and approve their own login attempt. In particular this happens because people use the same password for their email account as they do for their Guild Wars 2 account and other accounts.

So, to be protected, be sure to verify your email address, and be sure to use a different password for your email account than you use for your game account.

Two-Factor Authentication

With email authentication in place, you can further protect your account by setting up two-factor authentication on your email account. Which, honestly, is a good idea anyway. Using email authentication this way protects your account in a very similar way to typical game implementations of two-factor authentication: the game will challenge any login attempt from a new location in a way that you’ll have to use two-factor authentication to approve.

We know customers also want a native implementation of two-factor authentication, and we want it too. This is an area where we should act faster as a company, and we’re going to. We had our own homegrown implementation of smartphone two-factor authenticator in testing, but we’re going to pull it back and instead integrate Guild Wars 2 with Google Authenticator, which already has robust authenticator implementations on most major smartphone platforms. We expect to roll this out in the next two weeks.

Two-factor authentication is a great tool for security-conscious customers to protect their accounts. But we know it will take time to get a significant portion of our customer base to adopt two-factor authentication, and in the meantime people are getting hacked every day by creating accounts with account names and passwords that hackers already know. So we need a solution that can protect everyone, not just the most security-conscious, and do it quickly. Thus we’re rolling out our next initiative, password blacklisting.

Password Blacklisting

Since we’ve been observing hackers constantly scanning accounts that don’t even exist yet, waiting for someone to create those accounts, we obviously want to make sure that if those new customers do join the game, they don’t use the password that the hackers are waiting for. Thus we’re building a blacklist of all the passwords that hackers are scanning for — it’s already at 20 million passwords and growing — and we’re preventing new customers from choosing any of those passwords. (The blacklist contains passwords only, not account names.)

This system has substantially eliminated hackers’ ability to steal new accounts, as all new accounts now cannot possibly match what the hackers have been scanning for. The rate of account hacking was about 1.5% for accounts created before this blacklist was in place, and is about 0.1% for accounts created after.

Because this has been so successful at protecting new accounts, we want to extend it to protect existing accounts too. But it’s harder for us to know whether passwords of existing accounts are known to hackers: it’s difficult to distinguish between a login attempt by the real customer and a login attempt by a hacker. So we’ll take the safe approach and ask all existing customers to change their passwords, and blacklist everyone’s old password in the process.

This all leads to the following request. All existing customers, please change your password. When you change it, the system won’t allow you to pick your previous password, or any password that we’ve seen tested against any existing or non-existent account. Thus, after changing your password, you’ll be confident that your new password is unique within Guild Wars 2. (However, your password only stays unique if you then don’t use it for other games and web sites, so please don’t!)

In the coming weeks we’ll ramp up this call for players to change their passwords, and may require a password change for those users who haven’t already voluntarily changed their passwords.

By the way, if you have trouble thinking of a new unique password, now that millions of possible passwords are blacklisted, we advise you to build a password out of four random words, as shown in this comic strip. Use a password like “correct horse battery staple”. As the comic strip calculates, even if everyone selects their words from the same 2,000 most common words, that’s still 16 trillion possible passwords. We’ll soon introduce a random password generator to suggest passwords like that.

Database Breaches

We’ve seen some players theorize that hacked accounts were due to a Guild Wars database breach. We have very strict blocks in place to keep network attacks from reaching our customer databases, and a team constantly monitoring for any signs of intrusion, and we’re confident that there has been no such breach.

We take security very seriously. Perhaps you can tell from this blog post. And of all the things we protect at ArenaNet, we protect our customers’ data most of all.

Companies like Blizzard and Valve presumably also had a commitment to security, yet they ultimately suffered breaches of their account databases. One day will we become such a target that a hack attempt will finally overwhelm our defenses?

If that ever were to happen, we’d be up-front with you about it, and we’d take immediate steps to ensure that it didn’t lead to widespread account hacking. And here’s something else to think about. Because we’re requiring all Guild Wars 2 players to use unique passwords for Guild Wars 2, there’s actually nothing a hacker can steal from Guild Wars 2 to help attack other games or web sites. Using unique passwords benefits you both ways. In general, making a commitment to use a unique password for each account you care about is the best way to protect yourself, not only from being hacked today, but also from being hacked as the result of any future security breach of any company you deal with.

Commerce Security

We’ve seen a very few cases where hackers purchased gems on accounts after hacking them. This is an uncommon type of attack because we do have in-game restrictions in place to prevent wealth from being transferred off an account in a case like this.

We’ve deployed new restrictions to prevent hackers from using stored credit cards on stolen accounts in this way, and we also now provide users the option to delete stored credit cards.

Of course, if any customer finds that a hacker has created unauthorized charges against his credit card, that player can contact our support team to get the charges refunded.

Best Practices

This blog post has focused on hackers using stolen credentials to compromise new accounts, because that’s primarily what we’re seeing today. But the more we solve that problem, the more hackers will turn to other tricks, so it’s important for everyone to remain vigilant in other forms of account security.

  • Phishing – If an email links you to a site that asks you to type in your password, don’t type in your password. It could be a fake site. Go to the real account management site by typing “account.guildwars2.com”, or use a bookmark.
  • Social engineering – If someone claims to work for ArenaNet or NCsoft and asks you for your password, don’t tell them your password. Our customer support team doesn’t need your password.
  • Trojan horses and spyware – Don’t download and run software, or open files attached to emails, from a source you aren’t 100% sure about. Malicious software can install a keylogger on your system to record your passwords and transmit them.
  • Email security – Keep the email address associated with your Guild Wars 2 account secure, just like you keep your Guild Wars 2 account itself secure. Use a strong, unique password there too, which you’ve never used anywhere else.

The Root Cause

Why do hackers work so hard to steal accounts? Because they make money from it.

Real-money trading companies want to sell you gold for cash. To do that, they have to collect the gold, and they have to advertise it. They collect gold by looting it off stolen accounts, and by using stolen accounts for botting. They advertise it by using stolen accounts for spamming.

If people wouldn’t buy gold from these real-money trading companies, the cash incentive to steal accounts would disappear. We’d see almost no account hacking, account looting, organized botting, or spamming ads.

We used to think wistfully about that with the original Guild Wars, and posted challenges to our players to stop supporting the real-money trading companies. But we knew that it was ultimately a lost cause. You can’t stop people from buying something they want to buy.

So with Guild Wars 2, we legitimatized buying gold, but did it in a way that puts the power in the hands of the players, not in the hands of the real-money trading companies. Players who want to buy gold can now do it in the game, in an open market with other players, trading gold for gems, which the receiving players can use to buy any microtransactions they want but can’t convert back to cash. As long as players purchase their gold this way, there isn’t a flow of cash back to the real-money trading companies, and thus there isn’t a profit incentive to hack accounts.

So the roots of our protection go deep into the design of Guild Wars 2, and we’ll leverage that design to keep Guild Wars 2 a safer environment than traditional MMOs.

But nothing is black-or-white. No matter how much we remove profit incentive, the fact remains that Guild Wars 2 is a popular game, and any popular game will attract hackers. So we keep security at the forefront of everything we do. We introduce new features, such as email authentication, two-factor authentication, and password blacklisting, to help keep accounts secure. We maintain an open dialog with our players about what the real threats are, so that players know how to protect themselves. And we have a team of GMs standing by to help those who do get hacked.

Security is all about details, so thank you for reading this far. Please change your password and use the other tips in this post to protect your account. And we’ll maintain our focus on account security, and work tirelessly to protect our customers.

-Mike O’Brien