Veteran MMO players the whole world over can recount at least a second-hand tale of some poor soul opening his or her favourite MMO one day only to find that the account password has changed. It’s at that moment when the “have-I-been-hacked?” cold sweats commence as the panicky player goes through whatever account recovery process is available. These particularly unfortunate MMO enthusiasts have unknowingly lost everything by this stage, and account recovery leads them to find their characters are now naked paupers instead of the rich, well-geared heroes they were before. It’s the stuff of nightmares, dear reader, and I’m happy to say that the security boffins at ArenaNet are now bringing us yet another way to keep our Guild Wars 2 accounts secure in order to safeguard against false account access.
We already had the option to incorporate authenticator-based additional security in our GW2 login process, and now players can opt in for SMS authentication. In this edition of Flameseeker Chronicles, I’m going to explore account security and hopefully convince you all to take a fresh look at your own account, ensuring that our characters continue to rock on in Tyria for a long time to come.
Account hacking is big business
Account security is taken very seriously at ArenaNet: GW2 had plenty of MMO predecessors to use as evidence that hostile account takeovers were not by any means a new thing during its development, so it’s not surprising that ANet’s president Mike O’Brien has been warning us about robust online security since the game’s launch. The ArenaNet website still refers players back to the general security advice given: O’Brien’s post was made as a direct response to over 11,000 stolen accounts being reported during the game’s first week or two on the market, and account security has been a hot topic ever since. Account recovery isn’t a walk in the park either, and the automated system requires the complainant to input in his or her game’s serial code and a name of a character within that account to prevent abuse of the system.
O’Brien is quick to point out the faulty logic in old internet security teachings: I know that Northern Ireland wasn’t exactly a hotbed for IT teaching quality in the late nineties and early naughties, but all I was offered in school was a darling old typist who had been thrown in front of our IT class with no more clue about how a computer worked than we had about how she knew anything without Google. I’m not alone in that boat, and if I had not learned about internet security through a mix of the aforementioned Google use and a heavy dose of trial and error, I would be using one “super-strong” password for absolutely everything I have ever had an online account for, just as my doting IT teacher had taught. Scary thought!
Stealing game accounts means money to hackers, so hundreds of millions of email address and password pairings have been leaked into the inky depths of the internet throughout the years due to the exploitation of the average internet user and various security breaches along the way. ArenaNet has a basic system in place that sends an email to a user who attempts to log in from a new location to reduce the risk of unauthorised account access, but if your details have been exposed, then chances are the very same hacker can grab your email password as well as your GW2 password. Even a strong, unique password for each account can sometimes fall short if you don’t regularly change your passwords and keep up with the overwhelming number of leaks and hacks that happen in both our industry and in general.
Two-factor login authentication
Two-factor login authentication has become much more affordable in terms of implementation, and its use for securing MMO accounts has become increasingly widespread as a result. ArenaNet has a good base layer of passive protection and also offers more hands-on security for those who wish to use it. We have been able to use the Google Authenticator application with our GW2 account for a couple of years now, which no doubt improves the security of the accounts that choose to adopt it. Authenticator apps can be clunky, though, and many people don’t like the thought of tying their accounts to them because of the hassle they’ll face if things go wrong.
Even for those who have opted out, though, the risk of owning a compromised account was reduced significantly by ANet’s decision to blacklist the high-risk passwords hackers frequently scanned for: O’Brien noted a fall from a hacking rate of 1.5% before blacklisting to 0.1% after in his 2012 account security post. Our security options have just been enhanced yet again, and from now on we’ll have the option to add SMS authentication to our accounts. If you dislike app-based authentication or don’t own a smartphone, a handy SMS or call to your cell or landline respectively will keep you apprised of any login attempts from unauthorised locations. Furthermore, the heavy account recovery system can be skipped too: A code can be sent straight to users’ phones to allow a new password to be created. Nifty, eh?
ArenaNet respects that not everyone is a fan of these two-factor login authentication methods, particularly if you play on many different machines or travel frequently. Existing players were not forced to adopt the Google app, and they won’t have to adopt SMS authentication either. This isn’t a grab for your phone number, and if you do opt in, your number won’t be used for any other purpose than to protect your account. Receiving a Mini Mystical Dragon for your time isn’t going to twist the arm of those who dislike authentication, but it is a really nice bonus for those of us who adopt the new system. Nothing is 100% hackproof on the internet, but I definitely rest a little easier knowing that my MMOs have some form of authentication in place to protect my in-game assets.
The announcement also states that newly created accounts will face new restrictions to prevent theft within the next few months: Newbies will not be able to mail items or gold until either the authenticator app or SMS authentication is turned on for that account. I imagine that this will prove to be a hindrance to gold sellers too, since now they’ll no longer be able to create a new account for distributing stolen gold without tying it to some sort of authentication process.
Over to you!
I’m not an internet security expert by any means (remember the granny typist IT teacher and subsequent Google education, people!), but I think two-factor login authentication is a wise decision for the majority of MMO players. If a game offers you a way to make your account more secure with only a little extra effort and inconvenience, I’d say that’s a fair trade. After all, any of us would be devastated to see the results of our hours upon hours of playtime stripped away by someone who doesn’t even care about the game they’re attacking, and recovering the losses can be a complicated and needlessly stressful scenario with even the best customer support help available.
What do you think? Will you be activating SMS authentication, if only for the Mini Mystical Dragon? Do you use the existing authenticator? Do you have any further password advice that could help us keep ahead of the hackers? Share your words of wisdom in the comments below. The announcement urged us all to be account security ambassadors, so go forth and spread the word!