I’ve read a fair bit about a number of people who have had their accounts compromised recently, and it has actually happened to a friend of mine, yesterday. His password was apparently not all that strong, however it’s not something that could reasonably be guessed or brute-forced, and he doesn’t use it for anything else on the internet. He scanned for a keylogger, and his hotmail account does not have an ip login history.
Like a few other people I know of, he received an email from Arenanet saying that his account email had been changed. Now, there is no option to change your account email on the account website. This means that regardless of what he’d lost, be it his password, his email account, which would be required if the hacker wanted to log in and approve a new IP address – none of this matters, because there is NO option to change email address on the account website at this time. It has not been on there for a few days at least, because someone who made a trial account pointed this out to a guild mate.
Basically, this means the only way someone can change the email address for your account is to make a support ticket and provide enough information to convince customer support that you own the account. I don’t know what information this is, and this is where my theory will hopefully be answered.
My friend, who did get his account back (albeit with no items, as they have no tools to do so yet, I hope they add them asap!), was first asked for his cdkey. If you bought the game online, this was emailed to you, and most people probably kept this email in case they ever needed the key again. I HOPE that this is not sufficient for customer support to decide that the account belongs to the person making the ticket, because if a hacker has got access to your email login, which they often do in such cases, that means they also have your cdkey, as it was mailed to you!
I think that in order to request ownership of an account, Arenanet should demand proof of purchase in the form of the payment details. This may already be the case, in which case this thread is pointless, but they DID ask him for the key, and if all a hacker needs is a key, which can be found inside an email, this is a massive security flaw.
I realise that if they had access to a player’s email account they would be able to steal everything anyhow, but as there is no email change option on the account website, this must be how they are doing it. This other other option is that the link to change email was removed but the functionality remains there and the url was used directly.
To summarise, please consider changing your policy so that a player has to provide some form of payment information (address or ccv number) in order to get control over the account back from customer support.
I hope this does not get deleted, and I hope that people can ask customer support how it happened, because although they were excellent and prompt with regard to giving him his account back, he did get a pasted response afterwards when he asked how it happend with general security advice.
I’d also advise players to keep a record of the cdkey elsewhere and delete the email, if this does prove to be the case.
I did look for a way to contact Mike O’Brien about this, as his article on account security was excellent, but I couldn’t find any contact details.