
21

Thursday, January 27th 2011, 5:21am

I think approximately 0% of the hacked accounts were due to keylogging. They were hacked.
Like mine was.

The logic in the secondary password measure though, is what I think ought to be addressed. Rushing back into siege and clicking away your password then secondary, that can be annoying.

5 wrong attempts = block, that's fine by me. Secondary at login is just an annoyance that IMO can do more harm than good overall.
Odeii - Oblivion (Artemis)
62/60 S/K
Alts 58/58 War/Wrd, 61/51 P/S

22

Thursday, January 27th 2011, 11:59am

Quoted from "icishoot;381427"

Which is why I don't buy the key logger theory. There are too many hacked accounts.

Now, I did do some research on key loggers - and they are nasty little things. One claims to be able to install itself via a screen shot. I have never played around with one, so I don't know if the claims are true. If so, that means every screen shot posted on here by the non-familiar posters is suspect.

But that doesn't answer for those who are hacked who never get on the forums.


The other thought I have is how many of the "hacked" accounts have tried those programs out there that "claim" to be able to give you free diamonds - there are tons of you tube videos on them....

Guess what, I have "tried" one of those - using false information, but I wanted to test something out - using a network analyzer, I found out those programs send your info to a third party server.


In order for a key logger to work it has to get on your system somehow. Is it embedded in rom itself? Curse's client? - I'm pretty sure addons don't have access to the data (have looked through every single lua file, but that doesn't mean I didn't miss something).


Everyone is quick to yell keylogger, but until we see the common denominator among those who are hacked, it's a suspicious claim, or at least to claim it for every case of accounts being hacked.


You actually said that better than I could have. In any case of an update like this, no matter the changes, there will surely always be some pros and cons as well as those who are for and against.

That being said, I am reluctant to agree that the login process was already lengthy but I am also a person who (despite being well-adversed in computer technology, malware cases, etc.) never takes it lightly about having sufficient security on my system - or anyone which I use...there are just too great of risks nowadays and things can slip in when you think you've had it all prepared and figured out. I say take everything into account...from both sides of the argument. To Frogster, I give a thumbs up for them wanting to improve security. That alone could be given some credit...even if it could have been better implemented or done entirely differently.

Now that they've improved on security, which is a requirement for us to be able to safely play the game, I think it should be declared as a next step to correct the bug issues which are arguments by claim that this whole idea for a security update is bad for business.

23

Thursday, January 27th 2011, 5:37pm

why not just have them auto set the secondary password to the year you were born, then have u actually set one once u verify that instead of having to go thru customer support. seems stupid to say you're setting it then have thousands of people sending in tickets to get it because they never ask for one when u create an account. just plain stupidity on their part.

Posts: 108

Location: California

Occupation: Guild Leader of <Impenetrable>


24

Thursday, January 27th 2011, 6:57pm

So wait... everyone is upset because if they have a key logger they can get your ROM secondary password?

REALLY?

You aren't worried about your bank statements, or emails... just your freaking ROM PASSWORD.

Please think this through...
WhiteGoddess

GM of <IMPENETRABLE>
67 Priest - 63 Mage - 56 Knight
Grimdal (PvP)

25

Thursday, January 27th 2011, 7:19pm

Quoted from "Temptress4d;381619"

So wait... everyone is upset because if they have a key logger they can get your ROM secondary password?

REALLY?

You aren't worried about your bank statements, or emails... just your freaking ROM PASSWORD.

Please think this through...


unfortunately, unless you're talking politics, change in what people are used to is not always accepted with open arms, whether or not it's good for them.

having to use secondary password though? big deal. so much QQ and exaggeration over a trivial thing...
67/60/50 Priest/Knight/Scout
62/61/40 Druid/Scout/Rogue
62/43/30 Scout/Priest/Mage

-GRIMDAL-

26

Thursday, January 27th 2011, 9:10pm

This Only Makes It Worse

OK so let me get this straight, Now that we are forced to use the on screen keyboard.. myself and all the other security conscious players out there have to....

A. Suffer because we have good long passwords with mixed cases and numbers

B. Sacrifice our own security for convenience, by choosing a less secure and easier to input password

C. take lots of mind altering substances become stupid and choose our birthdays, dogs names, or the word "password" as our passwords



In the end the user base as a whole is now LESS SECURE than before from everyone "Dumbing down" their passwords....

This is more than just a security patch, it is a sign of laziness on the part of the programmers, and anyone worth their salt knows that security on the BACKEND is the answer not this "Fake" show of force on the front end.

If you can't handle convenience and security, hire someone who can. (Outsource it) Do you really think making someone use your onscreen keypad is going to make it all go away????



If you want to work on security how about fixing the exploit that allows guilds to register for siege... or better yet no-one would need it if you just added more Slots....

So what I'm really saying is,

"plugging a hole only stops the water, it doesn't fix the leak."

Think about it~

27

Friday, January 28th 2011, 4:13am

I've visited just about every free to play game out there and I've seen all the different security features they all use. Some worked, some, ehhh, not so much. The only practical log in option would be if you have to enter your username and password and at the character select screen or creation screen enter a randomly generated 4 or 5 digit pin number consisting of both upper and lower case letters and numbers, shown in one of those security boxes where the letters are all weird shaped. Like most every forum has whenever you sign up or want to use the search function. That would eliminate the spam boxes that are always in the game lagging up the servers. As far as protection from key loggers, Players could use the on screen keyboard and stop going to gold and diamond selling web sites and mod download web sites so they won't be infected by the key loggers in the first place.

28

Friday, January 28th 2011, 8:20am

The secondary password, as a concept, is a good idea. It exists as a second layer of security so that, even if your in-game items get compromised, your cash equivalents are not automatically available. The change may have been intended to push in-game things behind the same wall as cash things, but the reverse is true. Instead of having a two step authentication, you just have a one-step where you enter one half 30 seconds after the other. The net effect is not to enhance the security of accounts, but instead to strip cash items of their extra layer of protection.

The secondary password's main protection was that it was relatively rarely used (that is, strictly less often than the account password), and so someone who is logging may not have immediate access to it even if they get the password to the account. The fact that its time of use was variable is more helpful, but, as was pointed out already, it could still be fished for, given patience (waiting for clicks in the item shop area, or the '/' keystroke).

What would really help is this: Move the on-screen keyboard around the screen each time it gets a click. The initial random positioning of the keyboard allows a player to successfully hide a single character from a keylogger, but as more and more of the characters are clicked, the cluster of clicks tends to define the place where the keyboard must reside, making the password more guessable, not less. On the other hand, if the keyboard moves with each click, then nothing short of a video of the clicking will suffice to extract the password from the stream of clicks. With a one-minute lockout after, say, 3 tries, a brute force attack against a 7-click password using a 36-character space (i.e. letters and numbers only with no case) would take about 74,000 years (36^7 minutes, translated to years, and then chopped in half, since a random sampling will on average, get the hit after crawling half the space). This seems an adequate span for an MMO.
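Added example, not part of the original post above: a small Python model of the argument in post 28, counting how many passwords stay consistent with a recorded list of click coordinates when the on-screen keyboard keeps one position versus when it moves on every click. The 6x6 layout of 40 px keys, the screen size, the sample password and the keyboard origins are all constructed assumptions; `expected_years` repeats the post's arithmetic at one guess per minute.

```python
from math import prod

KEYS = "abcdefghijklmnopqrstuvwxyz0123456789"  # 36-character space from the post
COLS, KEY = 6, 40               # assumed layout: 6x6 grid of 40 px square keys
BOARD = COLS * KEY              # keyboard is 240 px on each side
SCREEN_W, SCREEN_H = 1024, 768  # assumed screen size

def click_for(ch, origin):
    """Screen coordinate of a click on the centre of key `ch`."""
    row, col = divmod(KEYS.index(ch), COLS)
    return (origin[0] + col * KEY + KEY // 2, origin[1] + row * KEY + KEY // 2)

def axis_tuples(coords, screen_len):
    """Column (or row) index tuples consistent with ONE shared keyboard origin."""
    # Every click must land on the board, and the board must fit on screen.
    lo = max(max(0, c - BOARD + 1) for c in coords)
    hi = min(min(c, screen_len - BOARD) for c in coords)
    return {tuple((c - o) // KEY for c in coords) for o in range(lo, hi + 1)}

def fixed_candidates(clicks):
    """Passwords consistent with the clicks if the keyboard never moved."""
    xs, ys = zip(*clicks)
    return {"".join(KEYS[r * COLS + c] for c, r in zip(ct, rt))
            for ct in axis_tuples(xs, SCREEN_W)
            for rt in axis_tuples(ys, SCREEN_H)}

def moving_candidate_count(clicks):
    """Number of consistent passwords if the keyboard moved before each click."""
    # Each click has its own unknown origin, so the constraints do not combine.
    return prod(len(axis_tuples([x], SCREEN_W)) * len(axis_tuples([y], SCREEN_H))
                for x, y in clicks)

def expected_years(space, minutes_per_guess=1.0):
    """Average search time: half the space, one guess per lockout interval."""
    return space * minutes_per_guess / 2 / (60 * 24 * 365)

# Constructed sample data (not from the thread).
PASSWORD = "hunter7"
FIXED_ORIGIN = (400, 260)
MOVING_ORIGINS = [(230, 230), (560, 300), (400, 250), (300, 305),
                  (520, 225), (250, 280), (450, 240)]

fixed_clicks = [click_for(ch, FIXED_ORIGIN) for ch in PASSWORD]
moving_clicks = [click_for(ch, o) for ch, o in zip(PASSWORD, MOVING_ORIGINS)]

if __name__ == "__main__":
    fixed = fixed_candidates(fixed_clicks)
    moving = moving_candidate_count(moving_clicks)
    print("fixed keyboard :", len(fixed), "candidates", sorted(fixed))
    print("moving keyboard:", moving, "candidates")
    print("years at 1 guess/min, fixed :", expected_years(len(fixed)))
    print("years at 1 guess/min, moving:", round(expected_years(moving)))
```

In this model the fixed-position log narrows seven clicks to two possible passwords, while the per-click repositioning leaves the full 36^7 space, which is where the post's figure of about 74,000 years comes from.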

29

Friday, January 28th 2011, 10:23pm

I absolutely 100% agree

Now I am thinking, what's the point of the secondary password? Since the only way honest people get hacked is with keyloggers, now EVERY time I log in I have to put in my pass that gives access to my diamonds!? Who came up with this? :(

Sincerely, Frogster, *please* rethink this. Furthermore, please let us use more complex passwords... This is a huge step backward.

Edit: So after reading this thread I just realized the horror of having to get back in during siege. Can we at least get a separate diamond password instead....and as far as keyloggers - I guess people don't realize that some families share a computer. And not all keyloggers come from people visiting places that are dishonest, or trying to get "free diamonds". A keylogger is a keylogger - it can be installed through any means, game related or not. Whether that keylogger is programmed to capture *all* data or just some, you will never know; and to whom it's sending info, credit card or game thieves, who knows as well. The point is why make the secondary pass go out every single time you login? Now, if someone does get your info, they can not only get into your account, but use it fully. It's not just what one player does that matters on a computer if you share it, it's his or her children, brothers, sisters, parents....and for the person who said that about online banking, I don't do online banking - my main concern is my gaming on my computer and protecting my accounts.

wolfowl77

Trainee

Posts: 158

Location: Kentucky

Occupation: Hotel Desk Clerk


30

Friday, January 28th 2011, 10:46pm

Quoted from "Temptress4d;381619"

So wait... everyone is upset because if they have a key logger they can get your ROM secondary password?

REALLY?

You aren't worried about your bank statements, or emails... just your freaking ROM PASSWORD.

Please think this through...


I think everyone should be legitimately concerned about keyloggers in general, but most of the emphasis here is regarding the recent surge of players being hacked, it's no surprise that players are focused on ROM above other concerns, at least in relation to this topic.


Quoted from "Styki;381684"

A. Suffer because we have good long passwords with mixed cases and numbers


It's a minor inconvenience when logging in, it's only exasperated by the client's habit of crashing. It's not the end of the world. As for your other suggestions that RW is "making" you do, that's your own lookout.

Quoted from "sandipandi;382109"

Since the only way honest people get hacked is with keyloggers, now EVERY time I log in I have to put in my pass that gives access to my diamonds!?


I was hacked, and I'm an honest player. I don't visit gold seller sites, use their services, or even associate with players who have if I'm aware of their activities. The only things that I use that aren't directly related to the client are addons that I get through curse.

If you've been keylogged, chances are they're gonna get your secondary password anyway (presuming the intent of the keylogger is to get at your characters assets and not some other asset), having to use your secondary password to log in as well only makes that task easier, it wasn't impossible before.

svrStewey

Beginner

Posts: 26

Location: Wis

Occupation: College for Automated Technologies


31

Saturday, January 29th 2011, 4:39am

If you have a key-logger on your system, and it wasn't detected, then I suggest you go and buy a good AV or buy a good AV and dump that free AVP crap. A key-logger needs to install on your system for it to work correctly. Also I would like to point out to those of you that do not have a good AV, that this game when installing fresh or installing a large update that my AV comes up yellow warning me that a part of this program 'Acts like a key-logger'. That is what my AV says and I run Kaspersky Internet Security Full which has been the best AV that I have found during my stint during my p2p fun. Running a port block works well too and you can grab the ip of anyone who speaks in chat and block them with ease. There are other various programs out there to tell you who and how people are accessing your system outside of the game. Do some research and learn but I warn it is a medium grade of a learning curve but well worth it if you really want to be protected.

mrmisterwaa

Professional

Posts: 670

Location: Kuwait


32

Saturday, January 29th 2011, 8:34am

This has been gone over many players in another thread.

Please understand the difference between hacking and getting key logged.

A majority of the time, it is the player's fault.

Bruteforcing is the only possible method of them "hacking" an account and most likely it was only on accounts that were so old nobody even noticed anything about them (since they haven't logged into the game for a year).

Keylogging is currently the most common way to get your account compromised. Don't give me a crap about "Omgididn'tdownloadanything", at one point, I am sure many of us have downloaded programs for the wrong reasons and as earlier said, some people even tried to download a program that gives you diamonds. (which doesn't work)

People are always greedy enough to download those kind of programs and will get keylogged.

If you want to avoid getting keylogged, ignore Step 2 and read Step 1.

DO NOT DOWNLOAD ANYTHING STUPID.

Don't forget there is a virtual keyboard in-game, take the necessary steps to protect yourself.

Toorimakun

Beginner

Posts: 12

Location: USA

Occupation: working on hopfully starting a game company


33

Thursday, February 3rd 2011, 3:15am

when is this going to get fixed... i have logged in like 3 maybe 4 times since the update... less of a hassle to dl a different game and play it.

34

Thursday, February 3rd 2011, 2:43pm

Password Troubles



I find that most of the time, not all, it's the Hackers that are doing most of the crying about this being a problem... :p

Well if you're the Hacker and you can't get the passwords, then more power to the game, GO TEAM GO... :D

Now if you're one of the true few that see this as a problem, pray they never change it, or you will be starting over and over again because of a Hacker... :eek:

Mages
We are the true power of one...

Toorimakun

Beginner

Posts: 12

Location: USA

Occupation: working on hopfully starting a game company


35

Thursday, February 3rd 2011, 4:08pm

Quoted from "Tron74;384210"


I find that most of the time, not all, it's the Hackers that are doing most of the crying about this being a problem... :p
Well if you're the Hacker and you can't get the passwords, then more power to the game, GO TEAM GO... :D


if they can get one password what is stopping them from getting 2?
the only difference with the second one is that you have to click on the "confirm" button... you can use the "onscreen" keyboard with the first password too.... so all this is is a pain in the butt that makes it EASIER to get the second password that is MORE important cuz it unlocks deleting chars and using dias.
not to mention it makes it more of a pain to login to the game.... im not even going to login this week since my guild isn't doing siege any more cuz we went from about 24 active members to like 4-5 active members since this crap fake security junk patch.

hackers have no reason to complain... if they can get 1 PW they can get 2... use your damn brain.

36

Friday, February 4th 2011, 6:35am

I just wish there was an easier way to reset the thing. It's insane that I have to submit a support ticket to have it reset, just because I haven't been able to play in a while and can't remember it. Don't the CS people have more important tickets to deal with?

37

Friday, February 4th 2011, 4:26pm

Sigh

I applaud the fact that an effort is being made to protect our accounts from hacks, but I so loathe the solution. I have a fit every time I crash in Dalanas (which is EVERY TIME I enter Dalanas) and have to go through this new log in shyte.

Princess Peach 1/1

ghostwolf82

Professional

Posts: 859

Location: Kalvans Trunk

Occupation: It's dark in here


38

Friday, February 4th 2011, 5:17pm

I have only been having to enter the secondary password about once every three times I enter the game.

39

Friday, February 4th 2011, 11:59pm

Feedback

Hmm, I've been thinking about this a bit and even though it's only a minute annoyance for me I have to admit I don't see how it makes things more secure for us... but that could just be my ignorance.
"For God so loved the world that He gave His only begotten Son, that whoever believes in Him should not perish but have everlasting life." -John 3:16

40

Monday, February 7th 2011, 10:34pm

Quoted from "wolfowl77;382120"


I was hacked, and I'm an honest player. I don't visit gold seller sites, use their services, or even associate with players who have if I'm aware of their activities. The only things that I use that aren't directly related to the client are addons that I get through curse.

If you've been keylogged, chances are they're gonna get your secondary password anyway (presuming the intent of the keylogger is to get at your characters assets and not some other asset), having to use your secondary password to log in as well only makes that task easier, it wasn't impossible before.


Like others have noted, the frequency of this happening is every single logon - I rarely ever bought or used diamonds....a login 8 times a day (okay, more with crashes) vs. a login once every 3 months is less secure for me by far.

The bigger problem, regardless of actually being hacked, is this: I have not heard a lot of positive accounts of people getting their characters/accounts back after being hacked. If it was as easy as them going "oh, look, your IP was this, and obviously someone hacked you from a different IP, took all your stuff...here, let's get you your things back...." like some other game I know, then I would not be paranoid. I don't think that is how it works on this game. I *may* be wrong. But it seems that a F2P game where people spend money should have a recovery team for when things like this happen, instead of having to start all over again - after all, how many people spend hundreds a year on Runes, not even thinking about it....

If I could ultimately feel safe knowing that if my account was ever stolen, I would have people working on recovering it (hell, even for a fee!!!), I would rest a lot easier.

Quoted from "svrStewey;382224"

There are other various programs out there to tell you who and how people are accessing your system outside of the game. Do some research and learn but I warn it is a medium grade of a learning curve but well worth it if you really want to be protected.


Again, if you have *anyone* sharing your system (kids, wife, husband)...all it takes is 2 seconds of them clicking an allow alert, or installing something when you're not there. Not all of us can afford to have computers for everyone, and ultimately, the weakness of the best AV out there lies with the user and what they allow as far as program alerts asking for permission.

Quoted from "Theomach;384543"

I just wish there was an easier way to reset the thing. It's insane that I have to submit a support ticket to have it reset, just because I haven't been able to play in a while and can't remember it. Don't the CS people have more important tickets to deal with?


^^^ this....we need to have this password be able to reset securely - why not through email verification with the email registered to the account? This works for most other games I've played. They'd have to hijack your email accounts too to get your account.