Unauthorised Access to ingame accounts

[Clarkey]

Well, as the majority of you will know there have been some recent incidents where people have made unauthorised access to other people's ingame accounts, and stripped them of their resources. The most recent incidents involved Marshall and Celestial Being where both received unauthorised access on their accounts, trades made between both accounts and then accounts ascended. Admin's stance on this seems to be that if game accounts have been hacked that no resources will be returned, but they will give out details of where resources were sent to. viewtopic.php?f=8&t=119588&p=1438135#p1438135

Now I'm sure there will be plenty of you that completely disagree with Admin's desicion, there will be some that agree and some that sit on the fence. Even though I feel people that cheat in this game are complete scum, I do kind of agree with Admin but only under certain circumstances.

You'll notice I titled this thread "Unauthorised Access to ingame accounts" as opposed to "Hacked ingame accounts". The reason for this is because I personally feel that the term "hacked" is used way too often on this forum, and in 99% of the cases it is likely that accounts were NOT hacked. Some people I feel do not understand the concept of being hacked. If SGW were to be hacked, then this means that there is a security flaw within the game that has been breached. If this is the case then it is of no fault of the user that has lost resources and I personally feel in these occasions that resources should be returned.

However, I do understand that it would be very difficult to track resources if they have been sent on to numerous accounts or sold to other account for ingame resources as it becomes too difficult to decide what resources to take away from people, and sometimes would probably require the game to be temporarily shutdown while it is sorted out to prevent those resources moving any further. If that happens then you get people complaining that they can’t access the game and it’s a lose lose situation for Admin.

However, on 99% of these situations where accounts have had unauthorised access, I believe it is of NO fault by the admin because there is no security flaw that has become vulnerable. In majority of cases it is most likely that the victims have fallen victim to a virus or trojan attack on their PC and their login details for SGW have been obtained via that method.

The number of times I have received a message on MSN with a very obvious link that is not genuine, and will either direct me to a website that will automatically attempt to download a virus/Trojan to my PC if I click on the link, or will send me to a website of familiarity such as ebay, my bank or Facebook where it will bring up the login screen is crazy. It happens constantly, and in fact I received a similar only a few days ago. This sort of method would quite clearly be an attempt to get you to login to the relevant accounts and login details would be phished by someone. The person trying to obtain those details could attempt to use them in SGW and try and access your account. Or a Trojan could be installed on your PC with a key logger and obtain your SGW login details that way.

If this is the case then it is of NO fault by Admin because there has been no security flaw identified and abused on the game. Therefore in this type of case the personal responsibility falls down to the individuals playing the game. Even if a user is not aware they have a virus or Trojan on their PC and their SGW login details have been obtained then they are still (in my eyes) not entitled to receiving any lost resources because it is not a fault of the game. However if the person making the unauthorized access happens to delete the account then I feel it is only right for admin to get it back and access given back to the rightful owner.

It is not only virus and trojan attacks on users PCs that could be a cause of Unauthorised Access to ingame accounts. Many of you will be members of various forums. Some of you may use the same login details (which is down right stupid) and some will use different login details. However, these forums are also at risk of “back-door” attacks. I have my own forum, and quite often there are patch updates that need to be installed due to security flaws etc being identified by the company behind the forums etc. If someone gets illegal access to a database of a forum you are on and obtains login details and tries them in SGW and gets access, then again that is of no fault by Admin and no resources lost should be returned.

Admin would quite clearly be able to see whether someone has obtained illegal access to the game database by hacking methods. Therefore in any cases where Admin do not provide lose resources then it is likely that the Account in question was NOT hacked.

As I said earlier, the term “hacked” is used way too often and most of the time it is used incorrectly.

So I personally feel that any loss of resources or accounts due to an abuse of a security flaw INGAME should be returned to the rightful owner. Any loss of resources or accounts due to non-ingame related abuse (i.e. login details obtained elsewhere) should not be returned to their rightful owner.

I’d like to know other thoughts on this?

I'm not using this thread as a platform to launch an attack against the Admin about their decision. Please can you not use this as an attack either, but more to just put views forward. If I see any posts that personally attack any of the Admins on their decision I will be asking for this thread to be closed immediately.

[pianomutt20000]

I myself have gotten these msn msg's.


But i think it far more likely that their passwords and login info are stolen via forums. Not this one, but 3rd party game related ones.

[TacticalCommander]

very well thought out. Though I am interested in what happens to the account the resources ended up in as they have violated

Rule
4) No logging into other people's accounts.


in one way or another depending on if you strictly interpret or loosely.

[Pele]

Yeah if the account(s) involved in the Unauthorised Access aren't deleted then I think we as a community should make a list and make sure these accounts are never played again.

[Thade]

Just because resources were sent to an account doesn't necessarily implicate it as being the wrong doer. Sending resources to another enemy would be a very easy way to take out two enemies at once if that were the case. Just something to think about.

[Azarak]

I agree with Clarkey hacked is not the correct word to be using in this context.

Phishing sites are likely the most logical explanation for this. For those who dont know what that is - a user is directed to a page that is set up identical to a login page of whatever site targeted, but is hosted elsewhere and used to record that users login details which can then be used by the person/s behind the phishing site.

Some of you may consider this hacking but it is very far from it is this is simply obtaining login details due to someone’s misfortune of not checking exactly what they are logging into. There is no specific manipulation of software code to gain access to details either to steal information or make detrimental changes to it. This is most commonly used on social networking sites (myspace, facebook etc), forums/emails and less often banks and other financial institutions.

Another possibility is through the use of keyloggers like Clarkey mentioned but I see this are very unlikely as for it to have been installed on other users computers through transfers of data is unlikely. Writing a keylogger is very simple and requires limited programming knowledge but actually implementing them to be used is somewhat more difficult without direct access to the PC unless people are foolish enough to not have security measures in place to stop the transfer of unauthorised files to their PC.

---

For this to of been “hacking” a security flaw in the software or a programmer with excellent skills who has breached the encryption of the site to gain direct access to the server would have had to occur. Security flaw = possible but unlikely as if this was the case the person/s responsible would not of just done it to a couple of accounts, breaking through the encryption very unlikely in this case as no1 with those skills would bother doing it to an online text based game.

[KnowLedge]

I am NOT reading that
any1 wnat to summerize what the clark is talkinb about?

[GeneralChaos]

A real simple fix would be to make it that your login name is not the same as your ingame name, then it wouldnt matter if they knew your ingame name,

Also just add a simple line when you login saying your last login was at xx time on xx date your IP was this and you are currently logged in from xx IP.

I see some people saying someone might have innocently bought the cheated resources etc etc, hard luck, there stolen goods, if you bought a car that was stolen do you think ud get to keep it, i think not, any resources taken from anyones account without there permission should be tracked and deleted, if you spent $$ on them resources take it up with PayPal or whoever you used, stating the person sold stolen goods, * its still a criminal offense *

Admins approach to this no matter what way you want to justify it, is a we dont care about our players, we have your money from the SS thats all we want, it truly does show very very very poor admin/management of a business ( and thats what this is for admin its a business ), sure there going to come back with but we update the game we put alot of time into it, very good, alot of games get updates and alot of time put into it, they also have a support team that actually supports not just turn there back on there users when it hits the fan.

I am very disappointed in the admin team over this decision....

If i ever wanted a reason not to come back, this was it, and i know there has to be several hundred others who feel the same.

[Iƒrit]

I agree with Clarkey hacked is not the correct word to be using in this context.

Phishing sites are likely the most logical explanation for this. For those who dont know what that is - a user is directed to a page that is set up identical to a login page of whatever site targeted, but is hosted elsewhere and used to record that users login details which can then be used by the person/s behind the phishing site.

Some of you may consider this hacking but it is very far from it is this is simply obtaining login details due to someone’s misfortune of not checking exactly what they are logging into. There is no specific manipulation of software code to gain access to details either to steal information or make detrimental changes to it. This is most commonly used on social networking sites (myspace, facebook etc), forums/emails and less often banks and other financial institutions.

Another possibility is through the use of keyloggers like Clarkey mentioned but I see this are very unlikely as for it to have been installed on other users computers through transfers of data is unlikely. Writing a keylogger is very simple and requires limited programming knowledge but actually implementing them to be used is somewhat more difficult without direct access to the PC unless people are foolish enough to not have security measures in place to stop the transfer of unauthorised files to their PC.

---

For this to of been “hacking” a security flaw in the software or a programmer with excellent skills who has breached the encryption of the site to gain direct access to the server would have had to occur. Security flaw = possible but unlikely as if this was the case the person/s responsible would not of just done it to a couple of accounts, breaking through the encryption very unlikely in this case as no1 with those skills would bother doing it to an online text based game.

acually have a key logger self install is a very easy task, its exactly like any other spyware or adware your computer self-installs from visting sites, or clicking on advertisements, some sites also give you a pop up that says you must instal certain software to view their contents these are 99% of the time spyware of some kind and spyware can have many different ratings of severity a key logger depending on the programer can be very fustrating to remove or very easy. If seen some instances where a key logger was installed into a DLL files that run windows. And you do not need direct access to a PC since you can program the key logger to send log details via email.

These types of breaches are most commonly used by people phishing for login details and it is acually considered hacking since you illegaled obtained information through the access of a program, Its what is known as 'Theft by Deception'.

Hacking is breaking into computer systems, frequently with intentions to alter or modify existing settings. Sometimes malicious in nature, these break-ins may cause damage or disruption to computer systems or networks. People with malevolent intent are often referred to as "crackers"--as in "cracking" into computers.

The above quote is taken from a site about Computer Law.

Definition of: cracker

person who breaks into a computer system without authorization, whose purpose is to do damage (destroy files, steal credit card numbers, plant viruses, etc.). Because a cracker uses low-level hacker skills to do cracking, the terms "cracker" and "hacker" have become synonymous, with the latter becoming the most widely used term.

If a keylogger, virus, spyware, ect. of some form was used to obtain information that was not meant for that person then by defention the tresspasser has 'hacked' that data and has broken several game rules, as well as Laws.

[Lu Bu]

I think Clarkey hit the nail on the head. If it is in fact any way the players fault (such as clicking a link) then it is their loss. I can think of one possible situation that cheaters could take advantage of this:

1. There isnt an efficient way to "track" direct sends
2. If number 1 is true, what is stopping multi's from claiming they were "hacked" and doubling their resources by sending it away to another account by using some sort of proxy. (since admin would restore resources, which is adding more resources into the game)

this new policy stopped this, if in fact any cheaters abused it.
But definitely if it was an in game flaw, like the broker hack that was used, definitely restore it

[Iƒrit]

what many of you are failing to see is Marshal is a victim of cyber theft, goods where stolen from him and the person responsable has broken the law. Typically when someone has something stolen from him it is returned when the perpatraitor is caught, in this case it would be easy enough for the admin team to conduct a investigation and find out who is guilty of this hack and return the goods that were stolen from Marshal, and band the IP(s) and/or ISP involved as well as persue legal actions.

What I do see happening, is the admininstration using a loop-hole to escape their responsiblity to promote a secure and just system for its users. Something of this degree is going to ruin the game we have today, and no doubt in my mind shut it down permentaly.

[weilandsmith]

Hacking:

Any activity related to theft, alteration and destruction of information is called hacking. I can be in your house and watch you type in your password. If I use it to get into your account, then that's hacking.

I could watch you withdraw money from your ATM and use what I know, and that will be hacking.

If you keep your password written in a key book, and I look for it, find it and use it, that is hacking.

If I use any funky adware or software to get your password. That is hacking.

Basically: Any activity related to theft, alteration and destruction of information is called hacking.

[Clarkey]

Basically: Any activity related to theft, alteration and destruction of information is called hacking.

If I ran down the street, grabbed a bag off an elderly person and ran off...... that is theft, but it is not hacking.

[weilandsmith]

Basically: Any activity related to theft, alteration and destruction of information is called hacking.

If I ran down the street, grabbed a bag off an elderly person and ran off...... that is theft, but it is not hacking.

i should have included computers in the related thingy.

[Azarak]

Hacking:

I could watch you withdraw money from your ATM and use what I know, and that will be hacking.

That would require the persons debit/credit card which could only be gained from stealing it from their person. That is not hacking it is theft and fraud.

If you keep your password written in a key book, and I look for it, find it and use it, that is hacking.



Assuming you mean an electronic one hacking only applies if you have gained access to the computer through manipulation of the code or breaking through encryption. If you have just stumbled upon the computer and gone looking it is not as there is no manipulation of code to gain access but merely and invasion of another’s privacy.

Even if you use manipulated a weak spot in the code or broke through encryption which is hacking, hacking of files does not occur till you steal, destroy or alter files in some way – merely looking through files is not its just unauthorised access.

Assuming you mean a hard copy looking through a book without permission is invasion of privacy and if you take anything or copy anything out of it then it is theft not hacking.



If I use any funky adware or software to get your password. That is hacking.

Technically yes but also not entirely.

Basically: Any activity related to theft, alteration and destruction of information is called hacking.

Technically yes but not all the methods you described are hacking. Theft and hacking are 2 different things and do not compliment each other and are not the same. You really need to understand what you are speaking about for you say it.

By your definition of theft of information is hacking. Taking a document off someone’s desk/briefcase or whatever without permission is theft of information however it is not hacking. Hacking can and does exist in other forms other than electronically but it is rare and the majority of the time it is classed as something else because it simply fits the standard of the law better for other crimes than it does with hacking.

Destruction also: if you burn/shed etc documents taken from someone else its theft and destruction of property not hacking.

Basically: Any activity related to theft, alteration and destruction of information is called hacking.

If I ran down the street, grabbed a bag off an elderly person and ran off...... that is theft, but it is not hacking.

i should have included computers in the related thingy.

Maybe but even still, most of what you said will still be wrong. Perhaps go and read a little more about hacking before you make more vague generalisations about what you think hacking is.