That’s how long its taken for Trion to impress me. Like any major MMO release, where there is popularity, there are those who would seek to profit from RMT. Alongside this comes account hacking – after all, why bot for coin when you can just steal the work of others?
Last week Trion released a security patch with a feature they call CoinLock. If the system detects that your account is being accessed from an ip address significantly different to your own, it will activate the coin locked mode. Whilst coin locked, nothing can be deleted or destroyed on your account – you can’t trade, sell or destroy anything on the account. CoinLock can only be removed through a numerical code that’s emailed to you. Such a simple idea, but so good. Or so we thought.
Except it wasn’t stopping people getting hacked. A previously hacked player, ManWitDaPlan, who works as a white hat for a security firm set about determining how his account got accessed. In the process he discovered the exploit, by which accounts could be accessed without any fault of the users themselves. Within an hour of submitting technical details of the exploit, Trion were on the phone to him discussing their security hole. Within 3 hours, a patch was applied to the entire game that fixed the exploit. It forced everyone who played to get coin locked to verify themselves in the process. On a Friday night. It was a brave move for any MMO (let alone one less than 3 weeks out of release) but just goes to show how seriously Trion take account security.
Compare that to NCSoft’s response to the rash of account compromises in December/January 2009. After several weeks of denying there was a problem relating to the security of the NCSoft Master Account over the holidays, eventually ArenaNet decided to protect its players by forcing users to provide a character name when logging into the game. The result? The rate of compromised accounts dropped to nearly 0. NCSoft added a small fix to their system some time later, but this was silently removed within 6 months. A few weeks ago, they finally beefed up their security through the use of IESnare – 14 months after possible insecurities were highlighted, underscored and pointed to with huge neon arrows.
And still, there is nothing to protect Guild Wars players once their account is compromised.