Tobold's Blog
Saturday, December 24, 2011
Rift hacked

As I was in the Rift beta, my name is in Trion's database. So I got a mail from them this week saying: "We recently discovered that unauthorized intruders gained access to a Trion Worlds account database. The database in question contained information including user names, encrypted passwords, dates of birth, email addresses, billing addresses, and the first and last four digits and expiration dates of customer credit cards." Fortunately I never bought Rift, so my credit card data aren't on file with them. And I use different passwords for different games.

This is just the latest of a string of similar database hacks. Pretty much every MMORPG company except Blizzard has sent me similar e-mails in the last year or two. And I don't suppose this is going to get better in the future. MMORPGs are increasingly monetized, virtual goods increasingly have real money value, and trends like the Diablo III real money auction house are only going to increase that real money value. And apparently databases of game companies are a lot less protected than those of banks. If hacking the accounts of individual players makes sense, hacking the whole database makes even more sense. Be very careful with your data out there!
Yeah, crazy! Nowadays even the banks get hacked. If you have a social security number and a bank account, you're at risk. So yeah, everyone is vulnerable these days.

It's important to know how to cancel cards, change all your passwords, and use really secretive questions for password retrieval.
"Be very careful with your data out there!"

Easier said than done. At least ten companies must have my credit card info by now. Gamestop, impulse, direct2drive, steam, gamersgate and for starters.

And then the mmorpgs that I've played for at least a month: Age of Conan, war, wow, swtor, rift.

They're all reputable firms but if one of them screws up I've got a problem. The alternative is putting all your trust in one company like Paypal but not everyone accepts it.
I got this email too as I was subscribed to RIFT for a while...I am SO going to create an "online only CC" in 2012!!!
I got the email too. It's worrying and it's hard to know what the hackers will be able to do with that information. Users getting phished is one thing, but it's more than careless to leave unencrypted information in an accessible database.
Hypothetical: Blizzard are one of the few big game companies not to have sent such an email because they're not admitting they've been hacked.

Purely hypothetical, of course, because they're required by Federal legislation to report a security breach to all their potentially affected customers.
The safest credit card to use in a world of hacking is someone else's. It's a bit of a vicious cycle.
I now have a positively ridiculous number of email addresses, passwords and even online identities. It's getting out of hand. I can protect myself to some degree against losing my game accounts by keeping every game discrete from every other in this way but there's a limit to how many payment sources I can use and I'm not happy about the increasing number of security breaches.

I discovered somewhere recently where I can buy over-the-counter prepaid Visa cards that apparently can be used anywhere that Visa is accepted. In future I am probably going to focus on F2P MMOs, since there are now so many good ones available, and fund any necessary purchases through these non-recurring, paid cards.
Can we start doing retina scans please?

I think we need more Blade Runner all the way around actually.
Depending on how much you value your risk / how much creating and maintaining another CC might cost you, you might be interested in e.g.:

Create one or more virtual Visa cards to pay for stuff. The fee is 5% of whatever you spend.

This is for the cases when PayPal is not accepted -- and surprisingly enough SWTOR DOES accept PayPal!
Let's be clear about what's actually compromised, here.

Assuming they're telling the truth, and that's all that was released, credit card numbers are not compromised. The last four digits of your credit card number, as you may have noticed, get displayed a bunch of places (the final digit, incidentally, is also used as a check digit to prevent errors, not for security, anyway). The first four digits are not private information, but part of the Issuer Identification Number, which identifies what institution issued the card. Access to only those digits will not substantially compromise the card, which is why those digits (rather than the whole number) are stored.

Encrypted (presumably hashed) passwords are partially compromised. The hackers don't have direct access to the passwords. But they CAN bypass other security features like the multiple attempt lockouts. So, unless you have a highly secure password, you should probably change it. But it will at least take time and effort, for moderately secure passwords anyway (people using "asdfg" are out of luck). Which, again, is why the passwords are stored encrypted.

The rest of it, well, compromised. You may get a bit more spam for a while. Access to your address and date of birth, while nominally public information, isn't something you want spread indiscriminately. But that's the sort of thing that can happen with any company; personal but non-private information of that sort was stolen from dozens of companies, including banks, in April with the Epsilon hack.
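An added illustration of the point in the comment above about hashed passwords and lockouts (not part of the original post or comments): the lockout counter lives only in the login service, so a copy of the stored records can be checked against a common-password list without it. The PBKDF2 settings, lockout threshold, account names and passwords are assumptions constructed for the example; the page does not say how Trion stored passwords.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000   # assumed work factor; the page does not say how Trion hashed passwords
MAX_ATTEMPTS = 3       # assumed lockout threshold for the online login path

def store_password(password, iterations=ITERATIONS):
    """Return a salted, iterated PBKDF2-HMAC-SHA256 record for one account."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}

def matches(record, guess):
    """Recompute the hash for a guess and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", guess.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])

class LoginService:
    """Online path: the server counts failures and locks the account."""
    def __init__(self, records):
        self.records = records
        self.failures = {}

    def login(self, user, guess):
        if self.failures.get(user, 0) >= MAX_ATTEMPTS:
            return "locked"
        if matches(self.records[user], guess):
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        return "denied"

def audit_weak_passwords(records, common_passwords):
    """Offline path: check a copy of the records against a common-password list.
    No failure counter exists here; only the per-guess hashing cost slows it."""
    return sorted(user for user, rec in records.items()
                  if any(matches(rec, guess) for guess in common_passwords))

def demo(iterations=ITERATIONS):
    # Constructed sample accounts and guess list, not data from the breach.
    records = {"alice": store_password("asdfg", iterations),
               "bob": store_password("correct-horse-battery-staple-42", iterations)}
    common = ["123456", "password", "qwerty", "asdfg", "letmein"]
    service = LoginService(records)
    online = [service.login("alice", guess) for guess in common]
    return online, audit_weak_passwords(records, common)

if __name__ == "__main__":
    print(demo())
```

Through the login service the weak account locks before the matching guess is reached, while the audit over the copied records flags it; the long passphrase is not on the list and is not flagged.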