No, you can’t have my Username and Password!
Published on 19. Nov, 2008 ... written by Jacob Mei, Tags: Articles, Columns
by Jacob Mei … I will be doing a special pair of articles detailing the scourge of the MMO genre, virtual criminals, for the next few weeks. Not those of us who scam others via legal in-game means, but actual criminals who seek to gain your username and password to rob you blind. These articles will explain the hows, the whys, and the ways you can protect yourself.
This happens once every couple of months in Eve and likely almost weekly in World of Warcraft (I feel so dirty after saying that name now). Someone gets the brilliant idea of emailing people whose addresses are posted in public locations. The messages claim to be from CCP or the game developer and state that, due to an internal error, recipients should log into their accounts through the link provided to see if their accounts were affected. Usually the story involves only the website and not the individual’s ability to log into the game itself. To avoid raising any red flags with the actual company, they will even say not to send in any messages for the next 48 hours.
Welcome to the world of phishing attempts
A phishing attempt is where an individual makes themselves appear to be from the company behind the game, for example CCP, whether in person, by email or by other means, for the purpose of obtaining your private information. Now, if you are the noob or the 13 year old reading this, you may ask what the big deal is: all they have is my username and password, right, not my CC info or anything of grave importance.
The How
For those types, do me a favor. Go to EVE-Online.com, click My Account, enter your user name and password and look at the options you have. Account details, subscription details, account services, update sub interval, change password, new CC, cancel Sub, etc. Again, you may be going “Yeah, so?”. Let me direct your attention to the following: Account Services and Change Password.
Account Services: This button has 3 options in it: Transfer Character, Swap Character Portrait and Securely Sell EVE time codes. The one a phisher would want is Transfer Character. This is a 20 dollar charge per character, but the kicker is that it’s on your dime. The phisher gets your username and password, jumps on right before downtime, transfers the character, puts a 20-60 dollar charge on your CC, and before you know what has happened the character is moved over to a new account, drained of its value, and the materials moved around, making it difficult for CCP to track it down.
Change Password: Why move the character when they can just change your password, leaving you out in the cold until you can get a hold of someone at CCP to correct the issue? By the time you have gotten back into your account your ISK and goods are long gone.
Alternatively, they may just jump in and hope you don’t: Finally, we have the case where the thief just jumps on, hoping you won’t do the same, and steals as much as they can as fast as they can.
As you can see, there is a lot of damage someone can do to you by getting your username and password, both in game and financially, and all they need you to do is sign into their site.
The Why
Now that we have established the how, let’s look at the why. Quite simply, it boils down to the money and in an ironic twist the MMO Community has only itself to blame, or at least a portion of its players to blame. The thing about MMOs is that their premise is that you build your character and to do that you need to make in game money. This of course takes time, with some items in such high demand that the numbers of zeros in your wallet can represent months of work. Naturally this creates a supply and demand situation with certain suppliers willing to go the less than honest route in obtaining their goods to sell. On the flip side of that coin you have the buyers who are willing to look the other way as to where the suppliers came across those goods.
For example, if I happened to have a T2 BPO of a Hulk, I would have an item that is highly sought after. There are players willing to pay hundreds of dollars for that BPO no matter what, and because of this you have sellers willing to do things that are not legal to get that buyer’s money. The irony, of course, is that there are reports of ISK-selling sites that then implant a keystroke logger in their customers’ computers, go in, and take the ISK back after the real money has been transferred to their accounts. So long as there are individuals willing to use real-world currency to get goods and in-game currency so they don’t have to spend the time themselves, the darker side of capitalism will rear its ugly head in MMOs.
Now that we have covered the hows and whys, let’s look at how to protect oneself.
First, it has been said before and should be said again, CCP, or any other MMO company, will never ask you to do anything regarding your username or password. It just won’t happen. They have that information already so why would they ask you to provide it? This should be the single biggest red flag to be raised for you. If you receive a message asking for your username and password, don’t do it, report it to CCP and inform the community ASAP.
On top of this, you should never use the email address you signed up to the game with on a public site, such as forums (community, faction, they are all the same). Why? Well, CCP knows what email you used, right? If you get an email from someone claiming to be from CCP at an address you didn’t use to sign up for the game, you will know right off the bat it’s a phisher.
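The red flags described above, written as a mail check (an added example, not part of the original column). The sign-up address, the phrase patterns and the sample message are constructed assumptions; `eve-online.com` is the site the article names.

```python
import re
from email import message_from_string
from email.utils import getaddresses
from urllib.parse import urlparse

# Assumptions, not from the article: the address you registered with.
SIGNUP_ADDRESS = "pilot-signup@example.org"   # hypothetical
TRUSTED_DOMAIN = "eve-online.com"             # site named in the article

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
CRED_RE = re.compile(r"\b(log ?in|sign ?in|user ?name|password)\b", re.I)
SILENCE_RE = re.compile(r"\b(do not|don't)\s+(contact|send|reply|e-?mail)\b", re.I)

def host_is_trusted(url, domain=TRUSTED_DOMAIN):
    """True only for the domain itself or a real subdomain of it."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def phishing_flags(raw_message):
    """Return the red flags from the article that this mail trips."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    flags = []
    recipients = {a.lower() for _, a in getaddresses(msg.get_all("To", []))}
    if SIGNUP_ADDRESS.lower() not in recipients:
        flags.append("sent to an address not used for sign-up")
    bad = [u for u in URL_RE.findall(body) if not host_is_trusted(u)]
    if bad:
        flags.append("link leaves " + TRUSTED_DOMAIN + ": " + bad[0])
    if CRED_RE.search(body):
        flags.append("asks you to log in or give credentials")
    if SILENCE_RE.search(body):
        flags.append("tells you not to contact the company")
    return flags

# Constructed sample message, modelled on the scam described above.
SAMPLE = """From: "CCP Support" <support@eve-online.com.accounts-check.example>
To: forum-handle@example.net
Subject: Account verification required

Due to an internal error, please log in at
http://www.eve-online.com.accounts-check.example/login to verify your account.
Do not send any messages to support for the next 48 hours.
"""

if __name__ == "__main__":
    for flag in phishing_flags(SAMPLE):
        print("RED FLAG:", flag)
```

The host check compares the whole hostname, so a lookalike that merely starts with or contains the real domain still counts as leaving the site.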
What if I made a mistake?
Well we are all human so I will cover this. There are 6 things you need to do to try and save yourself.
1. Change your password the moment you realize you were duped. Doing this will buy you time.
2. Run a deep virus scan for any virus or keyloggers. Many phishing sites also install keyloggers just in case they can only get you to the front door. These programs record every keystroke and periodically send the information back to the phisher. These are in many ways worse than just giving them your username and password, because if you have done other things, such as checking your bank account online or typing something deeply personal, they will now have that information as well.
3. Re-change your password the moment you remove any virus or keyloggers. Changing it the first time bought you time in case the phisher attempted to get into your account while you were scanning for his keylogger. If the keylogger fired off a data burst before you could find it, and you had used a username and password, then the phisher will have the new info. As soon as the keylogger is removed, go back to the real site and change the info yet again.
4. Contact CCP and inform them of the situation. Let them know you were the victim of phishing and that any strange activity that might occur on your account despite your best efforts should be viewed as if you were not the one doing it. This may not actually help recover anything lost, but it will at least establish for CCP that anything you report happened in the context of a phishing attack.
5. Contact your bank or CC company and inform them someone may have gotten your information. This should not mean that they need to change your info (though they may insist on it, depending on the bank or CC), but it will alert them to monitor your spending habits for the next few weeks. If they see anything strange, such as a 60 dollar drain all going to CCP as a result of a character transfer, they will block it and inform you, at which point you will need to change your info.
6. Hope that steps 1-5 were a waste of time. If you’re lucky, you nipped any keyloggers in the bud before they could get your username and password. Just keep your fingers crossed and remember not to be so gullible next time.
Let’s wrap this up
Due to a combination of MMO popularity and players not willing to play legitimately, the dark underbelly of capitalism has shown itself in our game. It’s sad, but it’s a reality that you need to live with. Remember, CCP will never ask for your info, and anyone who does, report them. Next week I will talk about Gold/Item Farmers.


Leumas K
19. Nov, 2008
I am not familiar with the term “plishing.” Did you perhaps mean “phishing”?
Jaggins
19. Nov, 2008
Hopefully the new PLEX market will put a dent in the dark underbelly!
Jacob Mei
19. Nov, 2008
Yes unfortunately I made a typo that I thought was the correct spelling but thanks to the English language turned out it wasn’t.
Somebody
23. Nov, 2008
If I use a Mac, can I be safe from keyloggers?
Jacob Mei
23. Nov, 2008
Somebody, your best defence is to not go to those sorts of sites to begin with. Macs are not free of viral attacks, they are simply less likely to get a virus, trojan, or keylogger simply because in the grand scheme of things most people and businesses still use PCs and so hackers focus on that group.
So a short answer to your question is you are less likely to be hit with a keylogger but why risk it?