You know, Cryptic is an American based company. You can take their ToS and other Terms of Use to a lawyer. Tell the lawyer your story, then have him read through the ToS and ToU, and whatever else you think is important, then watch as the lawyer laughs in your face and demands you pay him $50,000 for wasting his time.
Sue Cryptic if you are so bent out of shape over it. It seems you can't let it go, and went ahead anyway and made the boneheaded move to use the unsecure site anyway. Matter of fact, I changed my password 6 times and my email 4 times all on the secure site, received every notification that they send. Why you didn't, is because you are obviously blocking something from coming in. In every single instance, I got a notification, I had to verify, all that.
So sue them, waste all your money, get in debt so much that you will never repay it, and your children's children will never be able to repay it; watch as Cryptic simply doesn't care about you. As a company, they do not care what some basement dwelling neckbeard has to complain about.
With all the reports in these forums of accounts being TRIBBLE, I decided it would be a good time to change my account password. There are some major problems here - and it is no wonder accounts are being TRIBBLE. Here is what I had to do....
This is a secure login page - https. Once logged in, the link to change the password is prominently displayed. Clicking that, I could enter my old password and a new password. I was then informed a verification email was sent to my address. I waited and waited and waited... I never got an email. I tried over the course of several days and multiple attempts and never got a verification email (and yes - the right email address was labeled). So this password change attempt failed.
So trying something different, starting again at the STO forum main page, I pressed the "Support" link at the top. This took me to the page:
Upon logging in, I went through the same process to change my password as before ... and it worked the first time.
So great right? No! Notice that last login link - it is "http". This means that any information sent to the login page is unencrypted. This means that in order for me to successfully change my password, I had to broadcast my login name and password in plaintext to the internet.
No wonder accounts are being TRIBBLE..... Bad Bad Cryptic :mad:
Sorry OP but you did not exhaust every option available to you. You tried ONCE online and failed because the e-mails sent to you were blocked. You then tried once more online and noticed it was unsecure and proceeded anyway.
What I suggested you should have done is NOT proceeded on the unsecured site and instead used e-mail, phone calls or even a letter if needed as they are most likely more secure. Though having said that you may not get a response from e-mail if you've blocked PWE. You were not forced to use the online unsecured page as you didn't even try to phone or e-mail PWE support and they did not say you must use this unsecured website.
Though I would suggest you do still contact support and notify them that the second website is unsecured and express your concerns
Being limited to only 14 characters is annoying enough. PWE is the only company so far that does.
Well, that I have had dealings with anyways....
Even 7 characters is plenty if it does not contain "dictionary" words and has a mix of case, numbers and symbols, at least for an Online attack scenario.
It's not possible to truly know, but generally when passwords are limited in length, it usually means they are not being hashed where they are stored, because hashing requires a very long byte length to be worthwhile.
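To make the hashing point concrete, here is a minimal hashed password store written for this thread as an added example; it is not PWE's or Cryptic's code, and the parameters (PBKDF2-HMAC-SHA256, a 16-byte random salt, 100,000 iterations) are assumptions chosen for illustration. It shows that the stored record has the same size whether the password is 7, 14 or 64 characters long, so a hashed store has no reason to cap the password length, and it uses a constant-time comparison so verification does not leak timing.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example (not taken from any real site).
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-size 32-byte digest from a password of any length."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class PasswordStore:
    """In-memory store of (salt, digest) per user; nothing is kept in the clear."""

    def __init__(self):
        self._records = {}  # username -> (salt, digest)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(SALT_BYTES)
        self._records[username] = (salt, hash_password(password, salt))

    def verify(self, username: str, password: str) -> bool:
        record = self._records.get(username)
        if record is None:
            # Hash anyway so an unknown user takes as long as a wrong password.
            hash_password(password, b"\x00" * SALT_BYTES)
            return False
        salt, digest = record
        return hmac.compare_digest(digest, hash_password(password, salt))

    def record_size(self, username: str) -> int:
        salt, digest = self._records[username]
        return len(salt) + len(digest)


def stored_sizes(passwords):
    """Map each password length to the size of its stored record."""
    store = PasswordStore()
    sizes = {}
    for i, pw in enumerate(passwords):
        store.register(f"user{i}", pw)
        sizes[len(pw)] = store.record_size(f"user{i}")
    return sizes


if __name__ == "__main__":
    # Constructed sample passwords of 7, 14 and 64 characters.
    print(stored_sizes(["Xk9$pLq", "Xk9$pLq!mN2@vB", "Z" * 64]))
```

Every record is 48 bytes (16-byte salt plus 32-byte digest) regardless of input length, which is the property a length cap cannot be explained by.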
You know, Cryptic is an American based company. You can take their ToS and other Terms of Use to a lawyer. Tell the lawyer your story, then have him read through the ToS and ToU, and whatever else you think is important, then watch as the lawyer laughs in your face and demands you pay him $50,000 for wasting his time.
For the record, tos and eula agreements aren't worth the paper they're figuratively written on. Any lawyer will tell you that.
but that aside, wtf are you even talking about? who said anything about suing anyone?
watch as Cryptic simply doesn't care about you. As a company, they do not care what some basement dwelling neckbeard has to complain about.
security is of paramount importance to their business, you can be sure they care if people are in fact getting TRIBBLE. especially if there is a problem on their end allowing it. stop insulting people
What I suggested you should have done is NOT proceeded on the unsecured site and instead used e-mail, phone calls or even a letter if needed as they are most likely more secure.
In the process of quoting, I hope you didn't press the quote button to log in. Every quote button on this forum also takes you to the unsecured login page. But just to be safe, you can use email, phone calls, or even a letter to have them quote for you :P
It's not possible to truly know, but generally when passwords are limited in length, it usually means they are not being hashed where they are stored, because hashing requires a very long byte length to be worthwhile.
You are completely right. I suspect, but have no proof or way to know, that this is at the root of the account hacks that others are reporting. An unsecure login page just compounds the problem.
Couldn't log in this morning. Tried to reset my password, and I couldn't; email invalid. Logged in with my facebook connect. My account email has been changed. So I had my password and email changed sometime between 2-9 am. Checked my gmail last account activity page. last time accessed was 2 days ago, all my IP address. I received no notification that my email was changed. This is definitely on cryptics back end. I just went gold yesterday. I sent perfect worlds customer service an email but I'm worried about it taking forever to get a response. I did a search of the forum and couldn't find anywhere else to report this issue. Anyone have any advice?
I'm really bummed out. I even got up early to play the game today. Loving the Romulan content.
And for the record, I have separate passwords for everything.
Couldn't log in this morning. Tried to reset my password, and I couldn't; email invalid. Logged in with my facebook connect. My account email has been changed. So I had my password and email changed sometime between 2-9 am. Checked my gmail last account activity page. last time accessed was 2 days ago, all my IP address. I received no notification that my email was changed. This is definitely on cryptics back end. I just went gold yesterday. I sent perfect worlds customer service an email but I'm worried about it taking forever to get a response. I did a search of the forum and couldn't find anywhere else to report this issue. Anyone have any advice?
I'm really bummed out. I even got up early to play the game today. Loving the Romulan content.
If you followed BranFlakes' advice, above, there's nothing else you can do for now but wait.
First, it's possible for only PART of a page to be sent via SSL: In such a case the page shows up as unencrypted in most browsers for security reasons. I'm pretty sure that both IE and Firefox have a warning for that...with a 'don't show me again' checkbox.
Second, the chances of someone hacking your account in this manner are pretty remote even if it is actually sent unencrypted(which would still be dumb). The chances that someone will be monitoring your packet stream at the point when you login are fairly small, unless someone's set up to monitor you specifically.
And frankly, calling compromised accounts 'TRIBBLE' is a big time misnomer anyway: It's an attempt by the victim to absolve themselves of blame by insisting that their account was mysteriously 'TRIBBLE' by some obscure technical means with no fault or interaction on their part.
In reality, the most likely possibilities are: Someone they gave the account info to stole their stuff (a RL friend, a third party program, a website, something that they really shouldn't've put their account info in)... or that they picked up a keylogger somewhere that was monitoring everything they typed and sending it back to whoever.
Social engineering is the key point: Getting the user to do something they shouldn't, or go somewhere they shouldn't, or install something they shouldn't. None of which will HTTPS protect you from.
Most likely, the 'surge' is because of people going to shady 'buy EC!' sites that are installing keyloggers while they're there.
Edit:
I've been peering at the source for the non-SSL Login page you found.
So far I've found that the page is not, in fact, partially encrypted... and not much else.
My instinct from looking it is that it's calling a Javascript to handle the actual login functions, but mostly I've just been reminded of the fact that HTML and Javascript coding are not areas I'm all that knowledgeable in, and I frankly don't have a clue what they're doing with it.
The fact that the page isn't sent to YOU encrypted is not really all that big of a deal. The question is, is what you send BACK encrypted...and I can't tell if it is or not. Not my area of expertise, unfortunately.
First, it's possible for only PART of a page to be sent via SSL: In such a case the page shows up as unencrypted in most browsers for security reasons. I'm pretty sure that both IE and Firefox have a warning for that...with a 'don't show me again' checkbox.
Second, the chances of someone hacking your account in this manner are pretty remote even if it is actually sent unencrypted(which would still be dumb). The chances that someone will be monitoring your packet stream at the point when you login are fairly small, unless someone's set up to monitor you specifically.
And frankly, calling compromised accounts 'TRIBBLE' is a big time misnomer anyway: It's an attempt by the victim to absolve themselves of blame by insisting that their account was mysteriously 'TRIBBLE' by some obscure technical means with no fault or interaction on their part.
In reality, the most likely possibilities are: Someone they gave the account info to stole their stuff (a RL friend, a third party program, a website, something that they really shouldn't've put their account info in)... or that they picked up a keylogger somewhere that was monitoring everything they typed and sending it back to whoever.
Social engineering is the key point: Getting the user to do something they shouldn't, or go somewhere they shouldn't, or install something they shouldn't. None of which will HTTPS protect you from.
Most likely, the 'surge' is because of people going to shady 'buy EC!' sites that are installing keyloggers while they're there.
While I could say any number of things to convince you I have done no such thing above. Like, I have no need of buying EC, I have over a 100 million in ec, ~3000 zen, plus much more in value in the bank. Or, that I most certainly have never shared an account in any game with anyone ever.
What I can tell you is this: The above attitude is very naive of internet security that is all too common.
People that hack try to throw the widest net possible. Anyone can get caught up in it. That being said, I just went gold on the 21st. That's the first time I've been to the member page in a long time. This thread indicates and my second virus scan corroborates, Perfect World itself is compromised in some way, not my computer or actions.
While I could say any number of things to convince you I have done no such thing above. Like, I have no need of buying EC, I have over a 100 million in ec, ~3000 zen, plus much more in value in the bank. Or, that I most certainly have never shared an account in any game with anyone ever.
What I can tell you is this: The above attitude is very naive of internet security that is all too common.
People that hack try to throw the widest net possible. Anyone can get caught up in it. That being said, I just went gold on the 21st. That's the first time I've been to the member page in a long time. This thread indicates and my second virus scan corroborates, Perfect World itself is compromised in some way, not my computer or actions.
Because the VAST majority of the time, it's caused by a keylogger on the person's client. The VAST majority of the remainder of the time, it's someone the person gave their account info to.
Why? Because these methods are cheaper and easier to implement than some mysterious 'hacking'. And extremely effective.
As for keyloggers, they can potentially even be installed via an advertisement on potentially ANY page. 'Adult Entertainment' sites have an exponentially higher chance of this, but I've seen it happen on Myspace Music before.
And a virusscanner may or may not pick it up, either. They mostly pick up major, known viruses. They DO have heuristics scanners, but that only goes so far and frequently causes more false positives than actual detections. Not to mention that the various scanners vary widely in quality. Also not to mention the first thing most trojans will do these days is try to knock out your virusscanner.
The other thing being, you'd need to check every single computer you'd logged in to your account from anytime since you last changed your password.
And if you'd logged in at work or school, or on a public system? For all you know it's got desktop monitoring software installed, and whoever's computer it was pulled your account info while you were doing it. I know the college I went to, their 'IT Department' consisted almost entirely of student workers...
Edit:
Oh and if PWE itself were compromised, it'd probably have been your credit card that got ripped off, not your account.
Granted, there's a REASON I only buy zen through steam...
Upon logging in, I went through the same process to change my password as before ... and it worked the first time.
So great right? No! Notice that last login link - it is "http". This means that any information sent to the login page is unencrypted. This means that in order for me to successfully change my password, I had to broadcast my login name and password in plaintext to the internet.
Actually, while the login page itself isn't SSL encrypted, the submission of the login information is. If you use some type of web diagnostic tool, like the developer tools in IE10 or Firebug for Firefox, you can watch what's being sent and retrieved by a page and see that the submission of the login information does indeed go to an SSL URL.
It's not necessary for a form to be on an SSL page in order to submit it via SSL (it's all a matter of the action URL of the submission), but it is generally considered to be a best practice as it makes it apparent to the user.
Although there is really no excuse for ALL websites to not be using SSL/TLS by default for ALL content since one certificate can cover all the systems and turning-on SSL on the webservers is little more than making sure hrefs include either HTTPS or relative links in their URLs and then clicking a check box.
Actually, there is a perfectly good reason: processing. By placing everything on a web site under SSL, you are creating unnecessary processor load on both the web server and the web client, as all data for the page -- the page itself, stylesheets, scripts, images, everything so as not to generate warnings, or just have it not loaded -- must be encrypted and decrypted. This creates an unneeded load on both sides and also delays page rendering by the time that it takes to process all of the assets.
It is considered to be a best practice to only place under SSL those pages that are necessary to be under SSL. The only times where SSL is generally necessary is when you need to either a) verify the identity of the server or b) submit or retrieve sensitive data that should be encrypted.
As I mentioned above, you don't necessarily need to place a form itself under SSL, as it's the submission URL that matters, but it's generally considered a best practice to put a dedicated form page (like an ecommerce checkout page) under SSL to provide a reassurance to the user.
Because the VAST majority of the time, it's caused by a keylogger on the person's client. The VAST majority of the remainder of the time, it's someone the person gave their account info to.
Why? Because these methods are cheaper and easier to implement than some mysterious 'hacking'. And extremely effective.
When many, many, many people are getting TRIBBLE at the same time across multiple games all run by the same company through the same website, around the time of the launch of a new game and the launch of an expansion, odds are much better that the Perfect World servers are under attack or just vulnerable in some way. This isn't Fort Knox, and even then even the government gets compromised sometimes too. There is no such thing as a secure system. That being said, I was reading on the Neverwinter forum, which Google led me to, apparently you can just brute force the PWE website. So they haven't taken even basic precautions. Heck, Rift and Diablo 3 were compromised at launch despite the insane measures Blizzard now takes.
As for keyloggers, they can potentially even be installed via an advertisement on potentially ANY page. 'Adult Entertainment' sites have an exponentially higher chance of this, but I've seen it happen on Myspace Music before.
While not impossible, mostly unlikely.
And a virusscanner may or may not pick it up, either. They mostly pick up major, known viruses. They DO have heuristics scanners, but that only goes so far and frequently causes more false positives than actual detections. Not to mention that the various scanners vary widely in quality. Not to mention the first thing most trojans will do these days is try to knock out your virusscanner.
Again just unlikely.
The other thing being, you'd need to check every single computer you'd logged in to your account from anytime since you last changed your password.
And if you'd logged in at work or school, or on a public system? For all you know it's got desktop monitoring software installed, and whoever's computer it was pulled your account info while you were doing it. I know the college I went to, their 'IT Department' consisted almost entirely of student workers...
This is the only computer I game on. It's a desktop that sits in my living room.
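The "7 characters is plenty for an online attack" remark earlier in the thread and the "you can just brute force the website" claim above both turn on the same control: whether the login endpoint throttles repeated failures. The following is an added example, not code from PWE, Cryptic or any poster, of a per-account lockout gate with an audit log of lockout events. The limits (5 failures in a 10-minute window, 15-minute lockout) and the source addresses are constructed for illustration; timestamps are passed in explicitly so the behaviour is deterministic.

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Per-account failed-attempt limiter.

    After MAX_FAILURES failures within WINDOW seconds the account is locked
    for LOCKOUT seconds; while locked, even a correct password is refused so
    a guesser cannot tell a hit from a miss. Limits are assumed values.
    """

    MAX_FAILURES = 5
    WINDOW = 600.0
    LOCKOUT = 900.0

    def __init__(self):
        self._failures = defaultdict(deque)  # account -> timestamps of failures
        self._locked_until = {}              # account -> time the lock expires
        self.events = []                     # audit log lines for detection

    def _prune(self, account, now):
        q = self._failures[account]
        while q and now - q[0] > self.WINDOW:
            q.popleft()

    def is_locked(self, account, now):
        return self._locked_until.get(account, 0.0) > now

    def attempt(self, account, password_ok, now, source_ip):
        """Record one login attempt; return 'locked', 'success' or 'failure'."""
        if self.is_locked(account, now):
            return "locked"
        if password_ok:
            self._failures.pop(account, None)
            return "success"
        self._prune(account, now)
        self._failures[account].append(now)
        if len(self._failures[account]) >= self.MAX_FAILURES:
            self._locked_until[account] = now + self.LOCKOUT
            self.events.append(
                f"t={now:.0f} lockout account={account} last_source={source_ip}"
            )
        return "failure"


def simulate(throttle, attempts):
    """Run a sequence of (time, account, password_ok, source_ip) through the gate."""
    return [throttle.attempt(acc, ok, t, ip) for (t, acc, ok, ip) in attempts]


if __name__ == "__main__":
    # Constructed sequence: six wrong guesses one second apart, then the real
    # owner logs in during the lockout, then again after it has expired.
    attempts = [(float(t), "alice", False, "203.0.113.5") for t in range(6)]
    attempts += [(6.0, "alice", True, "198.51.100.7"),
                 (1000.0, "alice", True, "198.51.100.7")]
    th = LoginThrottle()
    print(simulate(th, attempts))
    print(th.events)
```

A production gate would add a per-source limit so one address cannot cycle through many accounts, and the audit lines would be what a SOC alerts on; the per-account lock alone is what turns a 7-character password from a minutes-long online guess into an impractical one.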
Cid, feel free to PM me a hijackthis! scan log which I can go over, and I'd be able to say with pretty high confidence if you had something or not (not 100%, there's ways around that too, but it's harder because it's so generic).
Just for the love of god don't 'Fix this' on anything if you do, because the way it works is by listing EVERYTHING using several common methods of doing TRIBBLE to your system. Including stuff windows needs to work properly.
That *is* in my area of expertise, so that I can actually help with. Unlike monitoring the login page with firefox's dev tools (which I know about, but not really how to use as I'm a hardware/OS tech not a web developer) to find out it's actually using SSL to send back your password as the guy a couple posts up did (thus determining that there's no risk of your password being compromised this way).
Because yes, most of the time when some junk trojan gets installed the first thing it tries to do is cripple any present virusscanners. The second is normally to download a bunch more junk. I've had to clean up systems that had that happen probably close to a half dozen times, and that's just friends and family(and in one case, friend of family). Manually cleaning up a system is no fun, but it's a lot more effective if you do it well.
Also, the third most common method of account compromise, which I forgot to mention, is reused passwords.
When many, many, many people are getting TRIBBLE at the same time across multiple games all run by the same company through the same website, around the time of the launch of a new game and the launch of an expansion, odds are much better that the Perfect World servers are under attack or just vulnerable in some way. This isn't Fort Knox, and even then even the government gets compromised sometimes too. There is no such thing as a secure system. That being said, I was reading on the Neverwinter forum, which Google led me to, apparently you can just brute force the PWE website. So they haven't taken even basic precautions. Heck, Rift and Diablo 3 were compromised at launch despite the insane measures Blizzard now takes.
Usually new releases and launches are met with a wave of "Goldseller" advertisements so it's just as likely to be one method or the other.
Strange...I also tried to change my password and had to revert back the changes since the email verification confirmation DOES NOT work. I did check my email for correction, spam and my trash, and if you don't agree try it for yourself....looks like there might be a systematic error and I also filed a ticket to GM as well.
Strange...I also tried to change my password and had to revert back the changes since the email verification confirmation DOES NOT work. I did check my email for correction, spam and my trash, and if you don't agree try it for yourself....looks like there might be a systematic error and I also filed a ticket to GM as well.
Hopefully your ISP doesn't do like mine does and just delete stuff their spam filter catches... They used to have a spam folder, but after awhile realized that the 'false positive' rate was really low, so they just stopped storing them.
Cid, feel free to PM me a hijackthis! scan log which I can go over, and I'd be able to say with pretty high confidence if you had something or not (not 100%, there's ways around that too, but it's harder because it's so generic).
Just for the love of god don't 'Fix this' on anything if you do, because the way it works is by listing EVERYTHING using several common methods of doing TRIBBLE to your system. Including stuff windows needs to work properly.
That *is* in my area of expertise, so that I can actually help with. Unlike monitoring the login page with firefox's dev tools (which I know about, but not really how to use as I'm a hardware/OS tech not a web developer) to find out it's actually using SSL to send back your password as the guy a couple posts up did (thus determining that there's no risk of your password being compromised this way).
Because yes, most of the time when some junk trojan gets installed the first thing it tries to do is cripple any present virusscanners. The second is normally to download a bunch more junk. I've had to clean up systems that had that happen probably close to a half dozen times, and that's just friends and family(and in one case, friend of family). Manually cleaning up a system is no fun, but it's a lot more effective if you do it well.
Also, the third most common method of account compromise, which I forgot to mention, is reused passwords.
Thank you, pm sent, I'm not going to turn down a free look. I appreciate that you are trying to help. I'm just concerned. I am a savvy user, I take more precautions than most. I just feel it's strange that I just went gold. I've lied about nothing. I have used this password elsewhere. That being said I rotate through seven or so passwords, and no other game/website aside from Neverwinter has used it in years. So while not impossible to rule out I think it to be an unlikely culprit as well.
The fact that the Account guard has popped up a couple times when doing routine stuff, like when I re-subbed to gold two days ago or when I started using the Gateway, and I got no notification that my email or password were changed last night leads me to think there is a flaw somewhere that's not on my end.
Thank you, pm sent, I'm not going to turn down a free look. I appreciate that you are trying to help. I'm just concerned. I am a savvy user, I take more precautions than most. I just feel it's strange that I just went gold. I've lied about nothing. I have used this password elsewhere. That being said I rotate through seven or so passwords, and no other game/website aside from Neverwinter has used it in years. So while not impossible to rule out I think it to be an unlikely culprit as well.
The fact that the Account guard has popped up a couple times when doing routine stuff, like when I re-subbed to gold two days ago or when I started using the Gateway, and I got no notification that my email or password were changed last night leads me to think there is a flaw somewhere that's not on my end.
If you've got account guard enabled, it shouldn't've been possible to change your info from another system without going through your e-mail first...
Probably irrelevant anyway. Intercepted communication accounts for a very miniscule fraction of all security breaches.
Couldn't log in this morning. Tried to reset my password, and I couldn't; email invalid.
This reminds me of the same issue my brother had a couple days back when trying to log in.
He goes to the launcher and can't get in, he tried multiple times but I think he could log on the website. I suggested he use the 'Forgot Password' function but he didn't. He restarted the computer and he was able to log in on the launcher without having to change anything or request something. I don't know anything else, I just find it really strange from what I've been reading here.
Upon logging in, I went through the same process to change my password as before ... and it worked the first time.
So great right? No! Notice that last login link - it is "http". This means that any information sent to the login page is unencrypted. This means that in order for me to successfully change my password, I had to broadcast my login name and password in plaintext to the internet.
No wonder accounts are being TRIBBLE..... Bad Bad Cryptic :mad:
No. Your information is wrong.
The http://... on the login web page does not mean that you are sending information in the clear. What matters is how the Submit button is setup on the login form. In HTML speak, a form submit button defines a URL the browser goes in order to process the login in form. That Submit URL determines how the form is sent.
*dons his web developer hat*
In PWE's case the submit URL is https://... That means the form is submitted using encryption. Nothing is sent in the clear when you log in. The URL showing at the top of the displayed page has NOTHING to do with how forms on the page are submitted in a browser.
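Both this post and the earlier one about the developer tools make the same point: what matters is the form's action URL, not the URL in the address bar. The script below is an added example, not code from any poster or from PWE, that performs that check offline: it parses a page, resolves each form's action against the page URL, and classifies where the submission goes. The page URL and HTML are constructed for illustration. One caveat the check cannot remove: a page served over plain HTTP can be altered in transit before the browser ever reads the action attribute, so only the fully HTTPS case earns an unqualified "ok".

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormFinder(HTMLParser):
    """Collect the action attribute of every <form> on the page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            # A missing or empty action means "submit back to the page URL".
            self.actions.append(dict(attrs).get("action") or "")


def classify_forms(page_url, html):
    """Return (resolved action URL, verdict) for each form in the page."""
    finder = FormFinder()
    finder.feed(html)
    page_scheme = urlsplit(page_url).scheme
    results = []
    for action in finder.actions:
        target = urljoin(page_url, action)
        scheme = urlsplit(target).scheme
        if scheme == "https" and page_scheme == "https":
            verdict = "ok"
        elif scheme == "https":
            # Credentials are encrypted, but the HTTP-served page itself is
            # not integrity-protected, so the action could be changed in transit.
            verdict = "submits-encrypted-but-page-unprotected"
        else:
            verdict = "submits-in-clear"
        results.append((target, verdict))
    return results


# Constructed sample: an HTTP page whose login form posts to an HTTPS URL,
# plus a search form that posts back over plain HTTP.
PAGE_URL = "http://www.example.com/account/login"
SAMPLE_HTML = """
<html><body>
<form id="login" method="post" action="https://www.example.com/account/login">
  <input name="user"><input name="pass" type="password">
</form>
<form id="search" action="/search"><input name="q"></form>
</body></html>
"""

if __name__ == "__main__":
    for target, verdict in classify_forms(PAGE_URL, SAMPLE_HTML):
        print(f"{verdict:45s} {target}")
```

Run against the sample, the login form is reported as encrypted-on-submit with an unprotected page, which is exactly the situation the thread is arguing over, while the search form is reported as submitting in the clear.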
An update on my account recovery process in case anyone stumbles upon this thread in a search for answers:
Thu, May 23, 2013 at 12:47 AM Received this email:
Hello,
We have received a request from you to change your account's registered email address. A confirmation email has been sent to your new email address for verification.
If you did not request your email address to be changed, please contact our customer support department immediately.
I was playing the game at this time. This ended up in my gmail spam box. I had no idea I had received this email until much later in the week. I think you can already spot a major flaw with this process. Hint: it's in bold.
The next day I had at first only thought my password had been reset so I sent an email to customerservice@perfectworld.com. Later I realized my account had been TRIBBLE only because I was still able to log into the website through facebook connect. Later in the day I could no longer do that because my account was banned. I sent another email explaining what had happened as honestly as possible to customerservice@perfectworld.com. Automated responses came back instantly to both emails.
These response emails have a mailback address of: pwe1@mailmw.custhelp.com I have yet to get a response to any email I've sent to that address. My advice, don't use that email. Keep emailing customerservice@perfectworld.com instead.
It took them one day to reset my password, May 24th. I was still banned however. It took them 3 days to unban me, May 27th. To be fair this was over the long holiday weekend. Logging in, of course, I discovered all of my Zen and EC gone. Mailed them back immediately asking for an account rollback. Aside from automated responses I have not heard from PWE or Cryptic. It is now the 31st, 5 days later and I haven't played the game in over a week.
Throughout all of this I am also experiencing a problem with the support web page going into an infinite redirect loop. BranFlakes' response: email customerservice@perfectworld.com
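The email quoted above confirms the change with the new address and only notifies the old one, so whoever holds the session can move the account to an address they control before the owner reads anything. As an added example, not code from PWE, Cryptic or the poster, the flow below inverts that: the change stays pending until a token sent to the current address is presented, and the new address receives only a notice. Mail is recorded in an outbox rather than sent, and the token length is an assumption.

```python
import secrets
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Account:
    username: str
    email: str
    pending_email: Optional[str] = None
    pending_token: Optional[str] = None


class EmailChangeFlow:
    """Email-change process that cannot complete without the holder of the
    current address confirming it. Outbound mail is recorded, not sent."""

    def __init__(self):
        self.outbox: List[Tuple[str, str, Optional[str]]] = []  # (to, subject, token)

    def request_change(self, account: Account, new_email: str) -> str:
        token = secrets.token_urlsafe(24)  # assumed size, single-use
        account.pending_email = new_email
        account.pending_token = token
        # Confirmation goes to the CURRENT address; the new address gets a notice only.
        self.outbox.append((account.email, "Confirm your email change", token))
        self.outbox.append((new_email, "An email change was requested (no action needed yet)", None))
        return token

    def confirm(self, account: Account, token: str) -> bool:
        """Apply the pending change only if the token from the old address matches."""
        if account.pending_token is None or account.pending_email is None:
            return False
        if not secrets.compare_digest(token, account.pending_token):
            return False
        old = account.email
        account.email = account.pending_email
        account.pending_email = None
        account.pending_token = None
        # Tell the old address the change went through, in case it was not them.
        self.outbox.append((old, "Your email address was changed", None))
        return True

    def cancel(self, account: Account) -> None:
        """Let the old-address holder abort a change they did not request."""
        account.pending_email = None
        account.pending_token = None


if __name__ == "__main__":
    # Constructed sample: a request made from a possibly hijacked session.
    acct = Account("cid", "owner@example.com")
    flow = EmailChangeFlow()
    tok = flow.request_change(acct, "attacker@example.net")
    print("first mail goes to:", flow.outbox[0][0])
    print("wrong token accepted?", flow.confirm(acct, "not-the-token"))
    print("email after bad confirm:", acct.email)
    print("right token accepted?", flow.confirm(acct, tok))
    print("email after good confirm:", acct.email)
```

With this ordering a stolen session alone cannot rotate the address; the attacker also needs the victim's mailbox, which is the property the quoted notice lacks.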
Comments
Sue Cryptic if you are so bent out of shape over it. It seems you can't let it go, and went ahead anyway and made the boneheaded move to use the unsecure site anyway. Matter of fact, I changed my password 6 times and my email 4 times all on the secure site, received every notification that they send. Why you didn't, is because you are obviously blocking something from coming in. In every single instance, I got a notification, I had to verify, all that.
So sue them, waste all your money, get in debt so much that you will never repay it, and your children's children will never be able to repay it; watch as Cryptic simply doesn't care about you. As a company, they do not care what some basement dwelling neckbeard has to complain about.
Well, that I have had dealings with anyways....
Sorry OP but you did not exhaust every option available to you. You tried ONCE online and failed because the e-mails sent to you were blocked. You then tried once more online and noticed it was unsecure and proceeded anyway.
What I suggested you should have done is NOT proceeded on the unsecured site and instead used e-mail, phone calls or even a letter if needed as they are most likely more secure. Though having said that you may not get a response from e-mail if you've blocked PWE. You were not forced to use the online unsecured page as you didn't even try to phone or e-mail PWE support and they did not say you must use this unsecured website.
Though I would suggest you do still contact support and notify them that the second website is unsecured and express your concerns
It is through repetition that we learn our weakness.
A master with a stone is better than a novice with a sword.
Has damage got out of control?
This is the last thing I will post.
Even 7 characters is plenty if it does not contain "dictionary" words and has a mix of case, numbers and symbols, at least for an Online attack scenario.
It's not possible to truly know, but generally when passwords are limited in length, it usually means the it is not being hashed where they are being stored because hashing requires a very long byte length to be worth while.
SCE ADVISORY NOTICE: Improper Impulse Engine maintenance can result in REAR THRUSTER LEAKAGE. ALWAYS have your work inspected by another qualified officer.
For the record, tos and eula agreements aren't worth the paper they're figuratively written on. Any lawyer will tell you that.
but that aside, wtf are you even talking about? who said anything about suing anyone?
Security is of paramount importance to their business; you can be sure they care if people are in fact getting TRIBBLE, especially if there is a problem on their end allowing it. Stop insulting people.
What part was unclear?
In the process of quoting, I hope you didn't press the quote button to log in. Every quote button on this forum also takes you to the unsecured login page. But just to be safe, you can use email, phone calls, or even a letter to have them quote for you :P
You are completely right. I suspect, but have no proof or way to know, that this is at the root of the account hacks that others are reporting. An unsecure login page just compounds the problem.
I'm really bummed out. I even got up early to play the game today. Loving the Romulan content.
And for the record, I have separate passwords for everything.
First, it's possible for only PART of a page to be sent via SSL: in such a case the page shows up as unencrypted in most browsers for security reasons. I'm pretty sure that both IE and Firefox have a warning for that... with a 'don't show me again' checkbox.
Second, the chances of someone hacking your account in this manner are pretty remote even if it is actually sent unencrypted(which would still be dumb). The chances that someone will be monitoring your packet stream at the point when you login are fairly small, unless someone's set up to monitor you specifically.
And frankly, calling compromised accounts 'TRIBBLE' is a big-time misnomer anyway: it's an attempt by the victim to absolve themselves of blame by insisting that their account was mysteriously 'TRIBBLE' by some obscure technical means with no fault or interaction on their part.
In reality, the most likely possibilities are: someone they gave the account info to stole their stuff (a RL friend, a third-party program, a website, something that they really shouldn't've put their account info in)... or that they picked up a keylogger somewhere that was monitoring everything they typed and sending it back to whoever.
Social engineering is the key point: Getting the user to do something they shouldn't, or go somewhere they shouldn't, or install something they shouldn't. None of which will HTTPS protect you from.
Most likely, the 'surge' is because of people going to shady 'buy EC!' sites that are installing keyloggers while they're there.
Edit:
I've been peering at the source for the non-SSL Login page you found.
So far I've found that the page is not, in fact, partially encrypted... and not much else.
My instinct from looking it is that it's calling a Javascript to handle the actual login functions, but mostly I've just been reminded of the fact that HTML and Javascript coding are not areas I'm all that knowledgeable in, and I frankly don't have a clue what they're doing with it.
The fact that the page isn't sent to YOU encrypted is not really all that big of a deal. The question is, is what you send BACK encrypted...and I can't tell if it is or not. Not my area of expertise, unfortunately.
While I could say any number of things to convince you I have done no such thing above. Like, I have no need of buying EC; I have over 100 million EC, ~3000 Zen, plus much more in value in the bank. Or, that I most certainly have never shared an account in any game with anyone ever.
What I can tell you is this: The above attitude is very naive of internet security that is all too common.
People that hack try to throw the widest net possible. Anyone can get caught up in it. That being said, I just went gold on the 21st. That's the first time I've been to the member page in a long time. This thread indicates, and my second virus scan corroborates, that Perfect World itself is compromised in some way, not my computer or actions.
Because the VAST majority of the time, it's caused by a keylogger on the person's client. The VAST majority of the remainder of the time, it's someone the person gave their account info to.
Why? Because these methods are cheaper and easier to implement than some mysterious 'hacking'. And extremely effective.
As for keyloggers, they can potentially even be installed via an advertisement on potentially ANY page. 'Adult Entertainment' sites have an exponentially higher chance of this, but I've seen it happen on Myspace Music before.
And a virus scanner may or may not pick it up, either. They mostly pick up major, known viruses. They DO have heuristic scanners, but that only goes so far and frequently causes more false positives than actual detections. Not to mention that the various scanners vary widely in quality. Also not to mention the first thing most trojans will do these days is try to knock out your virus scanner.
The other thing being, you'd need to check every single computer you'd logged in to your account from anytime since you last changed your password.
And if you'd logged in at work or school, or on a public system? For all you know it's got desktop monitoring software installed, and whoever's computer it was pulled your account info while you were doing it. I know the college I went to, their 'IT Department' consisted almost entirely of student workers...
Edit:
Oh and if PWE itself were compromised, it'd probably have been your credit card that got ripped off, not your account.
Granted, there's a REASON I only buy zen through steam...
Actually, while the login page itself isn't SSL encrypted, the submission of the login information is. If you use some type of web diagnostic tool, like the developer tools in IE10 or Firebug for Firefox, you can watch what's being sent and retrieved by a page and see that the submission of the login information does indeed go to an SSL URL.
It's not necessary for a form to be on an SSL page in order to submit it via SSL (it's all a matter of the action URL of the submission), but it is generally considered to be a best practice as it makes it apparent to the user.
Actually, there is a perfectly good reason: processing. By placing everything on a web site under SSL, you are creating unnecessary processor load on both the web server and the web client, as all data for the page -- the page itself, stylesheets, scripts, images, everything, so as not to generate warnings or just have it not loaded -- must be encrypted and decrypted. This creates an unneeded load on both sides and also delays page rendering by the time that it takes to process all of the assets.
It is considered to be a best practice to only place under SSL those pages that are necessary to be under SSL. The only times where SSL is generally necessary is when you need to either a) verify the identity of the server or b) submit or retrieve sensitive data that should be encrypted.
As I mentioned above, you don't necessarily need to place a form itself under SSL, as it's the submission URL that matters, but it's generally considered a best practice to put a dedicated form page (like an ecommerce checkout page) under SSL to provide a reassurance to the user.
While not impossible, mostly unlikely. Again just unlikely.
This is the only computer I game on. It's a desktop that sits in my living room.
Just for the love of god don't 'Fix this' on anything if you do, because the way it works is by listing EVERYTHING using several common methods of doing TRIBBLE to your system. Including stuff windows needs to work properly.
That *is* in my area of expertise, so that I can actually help with. Unlike monitoring the login page with firefox's dev tools (which I know about, but not really how to use as I'm a hardware/OS tech not a web developer) to find out it's actually using SSL to send back your password as the guy a couple posts up did (thus determining that there's no risk of your password being compromised this way).
Because yes, most of the time when some junk trojan gets installed the first thing it tries to do is cripple any present virusscanners. The second is normally to download a bunch more junk. I've had to clean up systems that had that happen probably close to a half dozen times, and that's just friends and family(and in one case, friend of family). Manually cleaning up a system is no fun, but it's a lot more effective if you do it well.
Also, the third most common method of account compromise, which I forgot to mention, is reused passwords.
Usually new releases and launches are met with a wave of "Goldseller" advertisements so it's just as likely to be one method or the other.
I tried changing it from:
https://my.perfectworld.com/sto/?going_to=/account/sto
Hopefully your ISP doesn't do like mine does and just delete stuff their spam filter catches... They used to have a spam folder, but after awhile realized that the 'false positive' rate was really low, so they just stopped storing them.
Ugh.
Thank you, pm sent, I'm not going to turn down a free look. I appreciate that you are trying to help. I'm just concerned. I am a savvy user, I take more precautions than most. I just feel it's strange that I just went gold. I've lied about nothing. I have used this password elsewhere. That being said I rotate through seven or so passwords, and no other game/website aside from Neverwinter has used it in years. So while not impossible to rule out I think it to be an unlikely culprit as well.
The fact that the Account guard has popped up a couple times when doing routine stuff, like when I re-subbed to gold two days ago or when I started using the Gateway, and I got no notification that my email or password were changed last night leads me to think there is a flaw somewhere that's not on my end.
It's actually not.
toanstation determined the login submission is, in fact, secured, using dev tools built into firefox.
It's just normal for the page itself to be encrypted, but purely as a confidence-boosting measure:
You can trivially see if the page was sent to you encrypted, it's very difficult to determine if what you're sending back is ALSO encrypted.
If you've got account guard enabled, it shouldn't've been possible to change your info from another system without going through your e-mail first...
Pulling up the message now, btw.
That's what happened. GMail tracks IPs too and it's mine all the way down. Other people are reporting the same thing here:
Edit 2: I have Account Guard active. It was harassing me when I re-subbed. Copy and pasting a 6? digit code to confirm the changes.
http://nw-forum.perfectworld.com/showthread.php?256032-All-the-quot-TRIBBLE-quot-account-people
Edit: Oh wow that thread degenerates near the end.
I tried Neverwinter for about a day. Kind of regretting it now. Again, I appreciate what you're doing.
This reminds me of the same issue my brother had a couple days back when trying to log in.
He goes to the launcher and can't get in; he tried multiple times but I think he could log on the website. I suggested he use the 'Forgot Password' function but he didn't. He restarted the computer and he was able to log in on the launcher without having to change anything or request something. I don't know anything else, I just find it really strange from what I've been reading here.
It turns out they just don't have the login page set up on SSL, the login info you send back is, so it's not interceptable anyway as it turns out.
No. Your information is wrong.
The http://... on the login web page does not mean that you are sending information in the clear. What matters is how the Submit button is set up on the login form. In HTML speak, a form's submit button defines a URL the browser goes to in order to process the login form. That submit URL determines how the form is sent.
*dons his web developer hat*
In PWE's case the submit URL is https://... That means the form is submitted using encryption. Nothing is sent in the clear when you log in. The URL showing at the top of the displayed page has NOTHING to do with how forms on the page are submitted in a browser.
Thu, May 23, 2013 at 12:47 AM Received this email:
I was currently playing the game at this time. This ended up in my gmail spam box. I had no idea I had received this email until much later in the week. I think you can already spot a major flaw with this process. Hint: it's in bold.
The next day I had at first only thought my password had been reset, so I sent an email to customerservice@perfectworld.com. Later I realized my account had been TRIBBLE only because I was still able to log into the website through Facebook Connect. Later in the day I could no longer do that because my account was banned. I sent another email explaining what had happened as honestly as possible to customerservice@perfectworld.com. Automated responses came back instantly to both emails.
These response emails have a mailback address of: pwe1@mailmw.custhelp.com I have yet to get a response to any email I've sent to that address. My advice, don't use that email. Keep emailing customerservice@perfectworld.com instead.
It took them one day to reset my password, May 24th. I was still banned however. It took them 3 days to unban me, May 27th. To be fair this was over the long holiday weekend. Logging in, of course, I discovered all of my Zen and EC gone. Mailed them back immediately asking for an account rollback. Aside from automated responses I have not heard from PWE or Cryptic. It is now the 31st, 5 days later and I haven't played the game in over a week.
Throughout all of this I am also experiencing a problem with the support web page going into an infinite redirect loop. Branflakes response: email customerservice@perfectworld.com