
Mary fromGameloft

Veteran

Posts

2130

Security issues

Tue Oct 25, 2011 3:45 am
Hello!

We are aware of the latest security problems... Happening for the last... Well, let's call it O&C Forum-Debate-Era. (I think it's the 4th? or 5th?) Never mind that.

Anyway. I was asked by Writeratlarge a few questions in regards to this subject.

Here they are:


Q: What is the process to have my data back?
A: The first step is to send your GameloftLive login, characters’ names and the approximate date when you have lost your data to our Customer Care. You can reach them at: OnlineGames.support@gameloft.com
Don’t hesitate to give as many details as possible on what you have lost:
- GLL account name
- Character names
- Server names (for your characters)
- if you have lost gold/rune, and if you remember +/- how much you had
- If you have lost a character (race, class, gender, name)
- If you have correct characters but have lost items on them (the main lost items)


Any other additional details will accelerate the process of account restoration. Please note that it will take us a couple of days to restore Gold & Runes once we have received all necessary customer details.


Q: How much does GL know about the security breach (i.e. methods, etc.)
A: Well, so far we do know some of the accounts are hacked due to phishing sites and other similar methods, but other than that we can only trust the customer to report the method used to reach that point.
[update] Thanks to our players, we could accelerate the fix that will be live soon. We of course regret to have to deal with people spreading the "how to", it can spoil the game experience for some of our regular customers & it delays the team work to bring new content updates. With time, as for any MMO, the game gets more & more solid, and we can give more tools to the CC to track (phishing) hackers & gold sellers/buyers. We'll be even more severe with them now, to ensure a good experience for our regular users.


Q: What steps has GL already taken to prevent the security breach?
A: As we already stated, with Update #4 we will add SSL to encrypt the packets during login.
Next step, maybe we'll add a Secondary Password, or more encryption methods. At the moment, it's still under discussion.
[update] It's been confirmed that the new update, already submitted to Apple, fixes the known security problem. And security reinforcement will remain a constant priority for the dev team.


Q: What fixes are in the pipeline, and how soon will they actually be in place?
A: As soon as we get U#4 by Apple reviews. That might take a day, that might take a month. (Hopefully closer to the first, than to the latter.)


Q: Are there any plans to change the uncoded packet issue, specifically, that appears to be at the heart of this problem?
A: Yes. So far we're adding SSL encryption. We'll see if we'll add more down the road.
[update] Also, it's confirmed that the packet issue is now fixed. We're currently waiting for the update to come live.


Q: A GL rep made statements to CNET recently about the security breach that many forum members take issue with -- to wit, that the problem was only with the GL Live website; that closing the website solved the problem; and that all accounts had been restored. Would GL like to clarify or correct those statements?
A: That's pretty accurate.
[update] The information presented was correct. An additional vulnerability was found and was also corrected with the new update.


Q: Is there an ETA on fixing/restoring the hacked accounts?
A: We can't be sure we'll recover all the data. Most of it, yes. But in those cases that we cannot recover everything, gold and runes will be used to compensate the losses. We can't promise anything in terms of deadlines, we cannot even estimate on how fast it will go, but we're hoping that by the end of this week, all accounts should be fixed. (Again, underlining hoping, meaning that we're not sure.)
[update] Restoring the data that has been lost is our priority #1. Please contact our CC service with all the details you can provide so that we can speed the process up. For now, fortunately, the affected accounts aren't numerous compared to the total number of players; and we're able to recover data if we have enough details provided.


Q: Are you concerned that this is hurting the long term viability of the game?
A: The security issue is a major concern for the Development Team, and a critical issue for O&C, but with the new security mechanism in the new update, we're looking forward to a smoother experience for our users.
[update] Also, thanks to your support, we'll keep on bringing new content updates to enrich the game experience of our players!

Yeah, so that's it. :)

Hope this will clear some of the issues raised by the security problems. Hope this also proves we are working on fixing it as soon as possible, and keep in mind, I support the idea of talking about it, but please don't curse, slander or troll this thread. I'll delete any replies that are not within the lines of the ToA.

We want to keep this thread informative and decent. Right guys?

Enjoy!

Cheers,
Yours truly, Mary.
Find the answers to most of our known issues using the support website:

http://support.gameloft.com
User

Chaix

Re: Hacking issues

Tue Oct 25, 2011 3:52 am
Mary I can't thank you enough for your response. I'm glad we are finally being properly informed!!

Mary fromGameloft

Veteran

Posts

2130

Re: Hacking issues

Tue Oct 25, 2011 3:56 am
You're welcome. :P

Teaweasel

Veteran

Posts

571

Re: Hacking issues

Tue Oct 25, 2011 4:03 am
I don't understand why it took so long to get a proper response like this on the boards.

But that said, I'm thankful that something is up.

The CNET interview is shameless however. And saying it's "pretty accurate", is just as. The issue was the lack of information. The idea that GameLoft obviously knew about the packet issue and didn't mention it at all on the CNET statement. Thus fooling people into thinking that things were safe, and inadvertently helping them get hacked.

I can't stand for that, or the playful response that "it's pretty accurate."

Despite our history Mary, & you know I do respect you tremendously: I just expect better from both GameLoft and you yourself in the non-address of that issue.

Thanks again for giving players something to refer to, and thanks Massively Portable, and Writeratlarge its host for asking such questions.

OxfordDon

Senior Member

Posts

375

Re: Hacking issues

Tue Oct 25, 2011 4:06 am
Thank you Mary for keeping the community posted.

Mary fromGameloft wrote:
Q: Are there any plans to change the uncoded packet issue, specifically, that appears to be at the heart of this problem?
A: Yes. So far we're adding SSL encryption. We'll see if we'll add more down the road.


AFAIK this is the essential problem. Using SSL on login is a sensible policy but if account data for *other* users is still being passed unencrypted then securing login will make little difference.

Can you please confirm with the dev team whether SSL will be used for *all* game - server communication?

Mary fromGameloft wrote:
Q: Is there an ETA on fixing/restoring the hacked accounts?
A: We can't be sure we'll recover all the data. Most of it, yes. But in those cases that we cannot recover everything, gold and runes will be used to compensate the losses. We can't promise anything in terms of deadlines, we cannot even estimate on how fast it will go, but we're hoping that by the end of this week, all accounts should be fixed. (Again, underlining hoping, meaning that we're not sure.)


Even this rough ETA must be good news to those affected.

May I suggest that considerable effort go into an account management tool that enables CC to recover / fix accounts with relative ease. If such a facility existed then this current meltdown would not nearly be so bad. The need has been painfully obvious since the beginning of the game. I realize that the process, as it stands, is somewhat complex. That is exactly the reason GL needed to spend the (hidden) effort building proper management tools. You'll need them in the future.

p.s. you should also prod the dev team to fix the Venus Flytrap in AF ;)

igloo

Senior Member

Posts

293

Re: Hacking issues

Tue Oct 25, 2011 4:19 am
Q: How much does GL know about the hacking (i.e. methods, etc.)
A: Well, so far we do know some of the accounts are hacked due to phishing sites and other similar methods, but other than that we can only trust the customer to report the method used to reach that point.



Need a tester for the new security issues? I was the one who discovered the vulnerabilities in the first place :) and had the decency to report them. My friend got repeatedly hacked and hacked :( . I hope his account is recovered soon.

Mary fromGameloft

Veteran

Posts

2130

Re: Hacking issues

Tue Oct 25, 2011 4:23 am
OK, so, let's chat. :P

@Teaweasel (I started laughing again when I remembered I called you TeaMweasel for a month or so) :D

Ok, so, first, I know how much you respect and value me, and I thank you for that, and you know that the feeling is mutual. :D Due to me looking you up on FB to ask you why you erased your forum account. :P

It took a lot since I was really worked up with a lot of other stuff. (Unfortunately I don't work with O&C exclusively. And had my hands full with other issues with the launch of the new GL Live and some leaks about MC3 and Rio.) So, yeah, sorry for that, I feel bad that it had to blow up like this before I got involved. BUT, nevertheless, later is better than never, so here I am. :D

eXeon stated something about numbers on a different thread. Yeah, the issue is major. BUT, it is restricted to a handful of users. Most users don't have a problem hacking-wise. Most of them will never have. Now, don't read that as an excuse to say that we're ditching anyone, since we're not. BUT, nevertheless, if you look at it from a broad point of view, the accounts are rather safe. We are still increasing the security, though.

Back on what you said. You might find it shameless, for a forum user. But if you crunch the numbers, you'll see that a small number of users were affected by it. (It wouldn't amaze me if we would find out that the said users live in close proximity of each other.)

@OxfordDon

First, you're welcome. :P

Well, I'll confirm it with an e-mail to the devs. We'll have to wait on an answer though.

About tools. We are working on the tools we have and on more tools that will help us track logs for chat, transactions, character history and much more so we can recover lost items and stuff and, of course, use the mighty Hammer of Awesome Ban for the ones that break the in-game laws. :P

About ETA. Don't take it too literally. It's not even an estimation. :( What I can assure you of is that WE ARE working as fast and as hard as we can.

And on the P.S. :P Not now. :) ) After this issue, maybe. :D But, let's try to keep it on-topic. :D

@igloo

Haha, dunno. Can I get back to you on that? :P

J0ker

Senior Member

Posts

111

Re: Hacking issues

Tue Oct 25, 2011 4:34 am
tnx mary for clearing things up after our mighty debate with deviladvocate (fun debates)
I think after update i will be back to game and my guild :)
Matin
LVL 120
Warrior

igloo

Senior Member

Posts

293

Re: Hacking issues

Tue Oct 25, 2011 4:41 am

... we can only trust the customer to report the method used ...

Haha, dunno. Can I get back to you on that? :P




I'm going after three new leads on the last hackings and I got some idea it was done. I can't and won't say how it was done since it will cause another scare on the forum. But I will post prevention techniques (for end-users) how to prevent their accounts getting hacked.

igloo

Senior Member

Posts

293

Re: Hacking issues

Tue Oct 25, 2011 5:16 am
I'll explain the first exploit. This is an interesting exploit.


1a) The last 30 or so people who got hacked. They got your Gameloft user id from your email addresses. Which email address? From the forum itself. So,


[x] Hide email address from public. <--- check this box.


1b) If you have registered the same email address to a 3rd party forum, such as a guild forum, you might want to consider a wholly different email address and password from your gameloft login/password. This is because one guild fell (approx 200 people) because someone hosted a forum but did not apply encryption to the login/passwords. So the guy who did this, was slowly picking the players one by one by reading the database for the user/passwords.


If you have this unchecked or use the same login/password on a forum, it is advised to:
a) Setup a wholly new email address (not linked to your work's email address or to your current email addresses).
b) Change the email address that you use to play O&C to the new one, if it is the same as on the forum or guild-forums.
c) Change the password.


Hope that helps someone.
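
An added example, not part of igloo's post and not Gameloft or guild-forum code: the exposure in 1b) comes from a forum table that holds passwords in readable form. This sketch shows the operator-side fix, storing a salted scrypt hash (hashing, not the "encryption" the post mentions), so that reading the table no longer yields reusable passwords. The table contents, e-mail addresses, cost parameters and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample rows: the kind of readable table described in 1b).
PLAINTEXT_USERS = {
    "alice@example.com": "hunter2-guild",
    "bob@example.com": "hunter2-guild",  # same password as alice
}

# scrypt cost parameters (assumed values for this example).
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32, maxmem=64 * 1024 * 1024)

def hash_password(password: str) -> str:
    """Return 'scrypt$<salt hex>$<key hex>' using a fresh random salt."""
    salt = os.urandom(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT)
    return f"scrypt${salt.hex()}${key.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute the key with the stored salt and compare in constant time."""
    try:
        scheme, salt_hex, key_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(key_hex)
    except ValueError:
        return False  # malformed or legacy plaintext value: never accept it
    if scheme != "scrypt":
        return False
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT)
    return hmac.compare_digest(key, expected)

def migrate(plaintext_table: dict) -> dict:
    """Replace every stored password with its salted hash record."""
    return {email: hash_password(pw) for email, pw in plaintext_table.items()}

def readable_passwords(table: dict) -> list:
    """Accounts whose stored value is still a readable password, not a hash."""
    return [email for email, value in table.items()
            if not value.startswith("scrypt$")]

if __name__ == "__main__":
    hashed = migrate(PLAINTEXT_USERS)
    print("readable before:", readable_passwords(PLAINTEXT_USERS))
    print("readable after: ", readable_passwords(hashed))
    print("login still works:",
          verify_password("hunter2-guild", hashed["alice@example.com"]))
```

Hashing limits what a database reader learns; it does not replace the advice above to use a separate e-mail address and password for third-party forums.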