Friday, July 11, 2014

Wildstar's Bot War: A New Incentive

Wildstar has had a bit of a problem with botting and hacked accounts since launch.  In a strange twist I'd never heard of in any other game, Wildstar's Executive Producer Jeremy Gaffney told players on 1 July that between 50% and 70% of all accounts Carbine had banned for botting were hacked.[1]  Apparently, because Carbine has players use their email addresses as their login, hackers can purchase lists of passwords and try those, hoping that users have reused their passwords from other games or websites.

Carbine has pushed 2-factor authentication pretty hard since early access.  Wildstar displays Google Authenticator as the default choice, although I understand the use of WinAuth is also supported.  Personally, unless you make a fresh email account for playing Wildstar, I'd choose to use an authenticator.
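As an added illustration (not Carbine's code and not part of the original post), this sketch shows why a password reused from another site stops being enough once an authenticator is enrolled: the server also checks the RFC 6238 time-based code that Google Authenticator displays. The account records, password, salt and the `login` and `hash_password` helpers are constructed for the example.

```python
import base64, hashlib, hmac, struct

STEP = 30  # seconds per code, the Google Authenticator default

def totp(secret_b32, unix_time, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1): the code an authenticator app displays."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(max(0, unix_time)) // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_totp(secret_b32, code, unix_time, window=1):
    """Accept the current step and `window` steps either side (clock drift)."""
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, unix_time + drift * STEP)
        ok |= hmac.compare_digest(expected.encode(), str(code).encode())
    return ok

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def login(account, password, code, unix_time):
    """Return 'ok', 'bad password', or 'second factor failed'."""
    candidate = hash_password(password, account["salt"])
    if not hmac.compare_digest(candidate, account["pw_hash"]):
        return "bad password"
    secret = account.get("totp_secret")
    if secret is None:
        return "ok"                              # password alone is enough
    if code is None or not verify_totp(secret, code, unix_time):
        return "second factor failed"
    return "ok"

# Constructed sample data: one reused password, two accounts.
REUSED = "hunter2-from-another-site"
SECRET = base64.b32encode(b"12345678901234567890").decode()  # RFC 6238 test key
SALT = b"constructed-salt"
unprotected = {"salt": SALT, "pw_hash": hash_password(REUSED, SALT)}
protected = dict(unprotected, totp_secret=SECRET)

if __name__ == "__main__":
    now = 1111111109
    print(login(unprotected, REUSED, None, now))             # reused password works
    print(login(protected, REUSED, None, now))               # stopped at 2FA
    print(login(protected, REUSED, totp(SECRET, now), now))  # account owner
```

The `window=1` tolerance accepts a code from the neighbouring 30-second step, which is what lets a phone with a slightly wrong clock still log in.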

Carbine offers an incentive package for players to sign up for 2-factor authentication.  At launch, the package included:
  • A 2% experience boost to Experience, Renown, and Prestige that allows you to out-level those people whose accounts remain hacker bait.
  • A Cybernetic Eyepatch costume item to commemorate your victory over the bad guys. It also improves depth perception.
  • The title Certifiably Certified so you can provide official proof to your guild mates that you have earned access to the bank.
Notice the subtle hint to players to make sure all of your guildmates are using an authenticator?  Almost EVE-like in its attempt to reduce corp guild theft.

On Wednesday, Carbine sweetened the pot by offering a free mount for using an authenticator.

The Retroblade Mount For Using 2-Factor Authentication

I don't have stats on the mount because my main is only level 12 and players cannot use mounts until level 15.  I also don't know how much a mount is.  I heard 10 gold, but I don't know if that is just for the mount or to purchase the skill as well.  But if that reduces the cost of getting a mount, then Carbine with this gift will also remove an incentive for purchasing gold on the secondary RMT market as well as getting players to secure their accounts.  Nicely played, Carbine!

Notes:

1.  I'm not saying Wildstar is the first game this has happened in.  Just that Carbine is the first company I've read state this.  The usual culprit is credit card fraud.

10 comments:

  1. Blizzard did something similar with WoW a while back, offering a pet for people who attached an authenticator to their account. This happened not too long after they switched everybody's login to be their email address. Think there is a lesson to be learned there?

  2. I don't like having to have my cell phone (with the authenticator app on it) to play. I do like, after buying 1 mount already, saving 50g for use in buying talents, or something else. My level 15 character had to rob all his alt brethren, and sell all his crafting mats, and (horrors) quest, in order to raise 10g. It was worth it though. I'd rather not have to go to such extremes to buy everyone else a mount. UNFORTUNATELY he bought a Uniblade mount. :(

    Replies
    1. I heard you can install WinAuth on your computer. And I sympathize with the cell phone thing. I left mine at work on a Friday and wasn't able to play all weekend.

  3. You'd think game companies would have learned not to use email addresses as login identification by now. It's one of the stupidest, least secure things they could do as Blizzard proved with WoW years ago (hacked account problems went way up in WoW when it switched to email login).

    Then they expect us to fix their stupidity by purchasing authenticators or alternatively expensive smartphones to run some silly app.

    Replies
    1. Heh, just had a thought... Authenticator might as well be a dongle, maybe that's what they really are, stealth dongles they want us to think are a good thing.

    2. The funny thing is, I remember Blizzard telling people that switching to using e-mail addresses to log in was going to be safer than using user names. As a result I was very confused when Bioware switched from using e-mail addresses to user names, while citing the exact same reason.

    3. There's upsides and downsides to both. With usernames the hacker has an obvious list to start with because people use their account name in forums or on their main. Only the password is hidden so that's 50% less difficulty for brute force attacks.

      These days using email as login has an enormous problem with reverse-hashed passwords stolen from insecure sites. Any user who reused a password from some other site that gets hacked is very likely a compromised account. The strength of GPU attacks even against "properly hashed" is a complete end-around to what people used to think about password security.

      http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

  4. "Notice the subtle hint to players to make sure all of your guildmates are using an authenticator?"

    Maybe I misremember, but doesn't WoW do a similar thing? I think guild masters can configure bank access to require an attached authenticator?

    Replies
    1. Yup you could designate guild ranks that required the authenticator to have those ranks.

  5. This is far from a new problem. Exactly the same thing hit GW2 immediately after launch and was widely reported at the time. There's a very full breakdown of the issues that might interest you here

    https://forum-en.guildwars2.com/forum/support/account/Account-Security-What-you-need-to-know

    I was already using Google Authenticator on my "serious" email addresses well before that and I use it for GW2. I also start new, unique email addresses for most MMOs I plan on sticking with and never use them for anything else (or indeed ever log into them again!).

    Couple of things you might have missed about Google Authenticator:

    You can flag any PC as "trusted" and then you don't need to use the code when you log in on that machine.

    You can generate 10 pre-made log-in codes for use if you don't have your phone for any reason. I use those when I'm traveling. You can produce more of these codes as often as you need them. Solves any problems with leaving your phone at work!
