Hello recently I got my account hijacked, I have never shared my account with anyone, not even with the girlfriend I lived with for years. But somehow someone managed to login into my account and steal everything that was valuable in it such as epic gems, gold and even dungeon badges. With that being said is only natural that I feel kind of surprised at the lack of defences this server has. I have been playing here since 2013 and this comes as something hard to believe, one of these times you would say: "I can't believe this has happened to me." But it did. Since the Staff doesn't offer ANY type of compensation to the players that suffer this, I'd like to suggest a few ideas to increase the security of our accounts:
1-Only allow IP to log into an account based on the country where the first log was made, with the possibility of changing your residence country in case is needed. Obviously if you log from Sweden at 4pm, is absolutely impossible that someone can log in the same account from let's say australia at 4:30pm.
2- 1 or 2 hours ban after 3 failed password attempts.
After thinking about it, I can only come to the conclusion that the pieces of **** that sneaked into my account were deliberately trying different pass combinations until they managed to get in, otherwise there's no way they could have made it. This means they could have used up to 8 million different combinations since my account password was 8 digit, and that is not exactly something you do in 10 seconds without any failed attempt.
3- Compensation for the players that got their accounts stolen, yes I know is a lot of work, yes I know it sucks. But atleast I think it would be good if you offer some kind of reparation for the users being affected, the cases are not low, it happens quite often and it's a pain in the *** to start over again and some even quit after it happens, I personally if it wasn't because I'm a guild master I would have quit. I'm not a teenager with free time, therefore I can't find the time to dedicate myself to farm gold, and don't come up with the "hurr durr, donate gold." It wont happen and im telling you 90% of the people think like me in this one.
4- Hide emails from everywhere, fully or partially like: [email protected] make it into NubDistroier69**********@tardmail.com to prevent hackers to use the retrieve account password system to get our account passwords "legitimately" very quote on quote here.
These are all the suggestions I could come with atm, but in case I get more in the future I will post them here.
I would like to remark that if someone wants to come with toxic comments or ****ty remarks im going to say that I feel happy that you never got hijacked and robbed, and if someday it happens think if you would spend 10 minutes of your life writting this message or if you would just quit this server once and forever, so understand that I think im REALLY making a lot more than what I should, since the easy mode would be rant or just quit the server or become one of the eternal haters with the only goal in life of ruin Warmane.
-
Member
More security measures
-
Forum Veteran
The solution you are looking for already exists. It's called Two Factor Authentication and you can find it in Security tab on website.
About your points:
1. It would cause inconvenience to people who travel often and those who choose to share their accounts. Sharing accounts is not forbidden.
2. It should not be possible to make 8 million guesses. They obtain your password in other ways. Probably from other sites that have been hacked if you use the same password on multiple sites. There might be other ways but simply guessing should not be an option.
4. Your email is only visible after you log on your account. It's not available to someone who is trying to log on your account.
-
Member
Seems to be a little of your fault, like it was said the "TFA" send you a pass on your mail to allow you access the game (to allow this ip to connect) and sometimes I even have a password that stop being active in less than 30 seconds so another one is send, also I don't really see how your account can get hijacked from warmane website, except if they got a lot of security issues, but they seems to be aware that security matter
-
Member
About your points:
1. A fallacy.
2.I have specified above the way they make it since they don't have anything to prevent multiple attempts to input passwords, and don't assume things trying to make others believe that im stupid enough to have the same account and password everywhere, is 2018. Is not "guessing" is a password breaker that tries different codes until it matches the right one, and the account name can be taken from in example the forum user name.
4. If they managed to break in using the method I said above, they can login on the web and get my email aswell, and I don't think anyone wants to see his email hacked.
How come is a "little" my fault? Did you read anything of what I've just said? Yes they are aware that they have a huge security issue that's why im trying to bring solutions, could you people stop taking every ****ing post to attack the user that states something instead of bringing solutions? Do you know what the ad hominem fallacy is? If you don't look for it and you'll find out your argument is invalid.
Please, solutions stop the fallacies, stop the crying, stop the bull**** we want SOLUTIONS.
-
Forum Veteran
I know that there is an issue. I have been getting a few login attempts on my accounts, which were all stopped by two factor authentication. And there was one even after I changed the password. I don't know how they do it but sending millions of requests to logon server doesn't seem like a realistic way of guessing passwords. There might also be some protection against it. And it should not be possible to guess passwords on website because it uses google captcha.
All login attempts to my accounts were done on website not in game. I know it because the emails from two factor authentication are different. If someone tried to guess my password in game, I would be getting lots of emails because of that. So they don't just guess the password.
What's wrong with the solution I mentioned?
-
Moderator
To complement what others said, #3: not going to happen. We provide multiple security measures, enough for accounts to be safe if they are used and the owner is responsible. If an account is still lost it's fully because the user let it happen. In your specific case, you have been playing here since 2013 and never activated 2-step authentication? You'll have a tough time claiming you just didn't know about it.
-
Member
So even they try to do it from the webpage. Well in my case I know they didn't because Im sure they would have stolen my whole account since is premium and has coins in it. And besides the google captcha there's no protection, that's why im saying a temporary ban that increases with time would be a good solution, like after 3 failed attempts just ban the IP for 1 hour, 3 more failed attempts ban it for 2 hours then 4 then 8 and until the legitimate user logs in, if this is the method used with phone and credit card pins I don't see why we should be softer in an online game.
What's wrong with your solutions is that you haven't mentioned any besides the TFA, you just dismissed all the ones I brought up.
-
Member
Lol, well it's entirely your fault if you used everywhere the same password and if it's like "chicken123", also like we said there is TFA so if the guy have no access to your mail you can't get hacked -_- it's not "a little your fault" like I say, tried to be polite, it's entirely your fault
-
Member
No one said 3 wont happen in this thread besides you. If you provide multiple security measures how come TFA is something optional, shouldn't it be mandatory?
And yes I have been playing here since 2013 when this was molten, I experienced the wipe just as everybody else and I took a hiatus until recently. So yes I claim that I had no idea that the security measures were so weak to the point that we have to use more than a regular password to protect our accounts. Please, stop the passive-agressive messages, the affected users want solutions or answers to the suggestions; I also speak for the ones with poor english that just get instantly dismissed or mocked for their poor english skills, when they just want to find solutions to the problem.Edited: April 24, 2018 Reason: typpo
-
Moderator
Which is why I said I was complementing on what others said. I assumed you knew what the word meant.
Why should it be mandatory? We offer it, we state that we don't offer support if it isn't used. People are able to make their own choices and take their own risks, as some do out of considering 2-step a "hassle."
Funny how that has nothing to do with what I said - on top of being false.
Solutions? Use the provided security measures.
Answers to the suggestions? Use the provided security measures and nothing suggested is necessary in the first place.
