I really didn't want to have to talk about this, but every attempt to contact people who could actually do anything about it has basically been ignored. I tried posting it on the reddit, but you can't say bad things about PWE there, so the thread got nuked within a flat minute. This isn't a subject that's very fun to bring up, but it is one that's very game relevant.
A few weeks ago, a player in my fleet dropped off the grid. It happens all the time- people get burned out, and stop playing. People have real world commitments, or concerns that supersede the game. That's not something I blame anyone for, it's just how the cookie crumbles.
Except, as it turns out, that's not what happened with this player. You see, his account got accessed illicitly. Someone co-opted his email account, used that to reset his password and gain access to his account. That whole two-step verification thing doesn't work so well if a hacker gets into your email.
The hacker proceeded to offload everything of value from his account, and I assume- delete the rest. This has happened to a number of users before- and it's probably where the gold sellers get most of their resources.
But if that were the end of it, then this story would end with the player in question reclaiming their email, contacting Customer Support, having their account rolled back and returned to them.
That isn't, unfortunately, how this story ends.
Remember how every month or so we see a post about someone who bought some stuff through steam using a new payment method? How the items are bound to account unless they wait a couple weeks for the zen to turn 'free range'?
We've all hated on it, and yet- if the player in question had their account associated with steam, it might have saved them.
Because the hacker stole a credit card. Not the player's credit card. We actually don't know who it belonged to- it was just 'a credit card'. They logged onto the PWE site using the account's credentials, and bought FIVE HUNDRED DOLLARS worth of zen. Then they logged back into the account, turned that into keys, and mailed them off to themselves.
Customer Support can't track item trades or mail.
Oops.
The owner of the card noticed the fraudulent charge, and canceled the credit card or issued a chargeback. That money vanished from PWE's account, and the player's account was banned as a matter of automatic policy.
Double oops.
Well, who should we blame for this? Obviously there was a hacker involved, someone who logged in from a totally new IP location after gaining control over the email and confirming the fraudulent access. Someone who used new payment information to purchase an ungodly amount of zen, and someone who stripped the account of everything it owned and nuked the rest.
To a rational mind, that seems like the person we should blame.
*Puts on PWE Support Hat*
What you have to remember is that our goal here isn't player satisfaction. Our goal here is to make money. And someone just stole five hundred dollars from us and got away. We lack any means to track where those items went, the technology just doesn't exist. So we need to figure out how to get that money back.
Oh. I know! The player in question was a lifetime subscriber. He's been playing since the non-F2P Beta way back in season 1. He's got a lot of rare and expensive stuff in his account data, I can see it right here on the backup copy. You know, I bet you *he* could afford to pay this cost.
Here's what we'll do. He's contacted us and requested that we roll back his account and return access of it to him. Both things are well within our power. But if he wants us to do that, first- and this is the best idea we've ever had- first he needs to pay us the five hundred dollars the hacker stole from us!
Brilliant! There can be no flaw in this plan! Aren't we awesome!
What do you mean he told us to bugger off and isn't going to pay? Isn't his account worth that much to him? It certainly has more than that much invested in it- I've watched some police procedurals, isn't ransom supposed to work?
*Takes off PWE Support Hat*
Look. I get it. Someone took advantage of PWE's system and ran off with a bunch of virtual items purchased with fraudulent money. Those items are now in the system, but they don't have the money any more. That's pretty crummy, especially when they can't track items.
But the solution to this? Expecting a player who has given this game nothing but love and support since its launch to front five hundred dollars as a ransom fee to get his account back?
It's unconscionable. I have never, in my history of gaming, seen worse behavior by a customer support team. There have been games in which customer support doesn't exist, or they just ignore you. There have been games where they're bad at their jobs, or claim they can't help you because they really want to go home early today and can't be arsed to put in the request to have your account rolled back. There have been games in which customer support have actively insulted players for game breaking bugs.
But I have never seen a game in which Customer Support has... ransomed an account that was hijacked in the hopes to recoup money lost from a fraudulent purchase. I mean... what the heck, PWE?
I really just don't know what else I can do, besides posting this experience so that others can be aware of what's going on. The player in question is a great guy, but he doesn't seem to have the most patience for this issue- well gee, I wonder why- or the computer savvy to spend fifteen hours dicking around with PWE's internal case resolution system trying to find a solution that doesn't involve extortion.
Me? When I found out about this, I put together a missive and contacted those I thought might be in a position to actually help. That was four days ago- yeah, I sent a mail out on Sunday. But maybe those individuals don't get reddit mail, even if they're active on it. I figured I'd give them extra time to respond, to indicate even that they'd received the messages- but I have nothing.
And I'm nothing- I'm a nobody. I can't do anything to help. I don't have any money, I don't wield any real internet prestige. The people I know that I've tried to contact have been silent, so what am I supposed to do? Just let this travesty happen? Just let it fade from memory and forget that Customer Support is capable of this kind of action?
If it can happen to any of us, it can happen to all of us. If Company Policy is for PWE to extort all fraudulent charges from the players whose stolen accounts were used to make them, ignoring all relevant context in an attempt to recoup a quick buck... then even though most players won't stop playing the game, the least we can do is try to support those royally buggered over by this- in spirit, if through nothing else.
Because asking PWE to fix their busted system? Expecting them to develop a means to track items through trades, or any of the other hundred and fifty sensible solutions?
Those things cost money. And obviously PWE must be so incredibly starved for the green that they have to pull something like this.
I respect the developers for this game, and the community representatives who have put so much work into giving us a better community, encouraging the developers to reach out and interact with the players, and moved this game forward to be better in every way. I don't believe that this is in any way the fault of Cryptic or those who work directly with them, or if it is, that only those involved in perpetrating it actually know about it.
I don't want people to read this post and think 'we should tar and feather Cryptic and put it in our signatures and complain endlessly on the forums about it' because you shouldn't. A thousand excrement flinging monkeys won't make someone take a second look to figure out what's wrong with the- it'll make them want to kill all the monkeys.
The only thing that works is attention, care, and concern. Quite frankly I don't want any attention on me- but I would like attention on this issue. I'd love to see discussion, to see the post sit on the front page for a week, and to maybe see certain individuals post here in an official capacity and explain just what the heck is going on with Customer Support.
Maybe that's too optimistic to expect. Maybe people will just read this, go 'huh.' and quietly file away that they need better security on their email.
And the thing to understand is that if that's all that happens- then that's fine too. As much as I'd like the player who lost his account to get his stuff back, if that's not something we as a community can instigate- then I'd be reasonably happy if we can ensure this sort of thing never happens again. Sure, the forums don't reach the entire game, but it reaches a lot of people, and word of mouth is a powerful thing. If you take nothing else from this post, take that you need better email security, because stuff like this can happen.
And if it happens to you, then you might see your account held hostage to the tune of an exorbitant amount of money.
And that's not okay.
Incoming forum ban in 3...2...
Comments
I hope you get it sorted out soon; but I give you little chance.
Incoming thread lock in 3...2...
Yeah, that's what's going on.
If my account were banned under similar circumstances, I can tell you I'd never come back, ever. I can sort of understand why they'd do it... THEY have no way to investigate the veracity of the hacking and all they know is that they lost $500. Not chump change, especially if other people got the idea they could get away with fraud.
But on the other hand, the victim has no choice but to dispute the charges and the credit card company won't eat the cost of it when they can simply recover the money from the merchant. It's a no-win for everybody but the original crook.
HOWEVER. If PWE doesn't have the ability to audit to find out where that $500 in keys went, they'd better figure it out for future incidents, fast. They're essentially stolen assets, not to mention evidence of a crime, and they need to discourage this kind of abuse rather decisively unless they'd like the bottom to fall out of the lockbox market.
It could mean that they will need to go back and make keys bound to account on pickup. No more emailing them and no more putting them up on the exchange. Wouldn't break my heart.
Well, the third party whose credit card was stolen won't have lost anything after the chargeback- the card didn't belong to the guy whose account it was, it was a card belonging to someone else that was fraudulently used to make the purchase. The hijacker just added the card's information on the arc website or whatever, and made a purchase.
Who is to say your friend didn't offload the keys to another account?
Is PWE able to produce IP#'s on account activity?
Example, if I log on at work in the morning, and then log in later that night at home, is PWE able to produce data that shows what IP # I logged in with in the morning and then in the evening?
If they can produce this info it should be fairly simple for them to make a judgement in the plaintiff's favor.
Now, if your amigo is really the innocent victim you claim him to be, then that is pretty awful treatment by customer service. I'd even go so far as to file a complaint with the BBB in his/her situation.
If this happened to me, I'd charge it back, game be damned! I do not enjoy this game enough to tolerate any financial attack against me on the part of the account thief or that of Craptic.
I guarantee you they can do all of that. The refusal to do so is purely a matter of cost vs benefit.
Agreed.
surprised this lasted more than 5min before lock and ban
Again, all the more reason to have some way of auditing or limiting in-game transfers that have a real-world value. Lockbox ships are an uncertain commodity, but lockbox keys are an entirely different matter. This has to affect their other games, too. The lockbox mechanic is used throughout all of their MMO titles, afaik.
Any server worth even half its salt routinely logs in users and their IP addresses. It's just standard on a UNIX server ('last -i username' anyone?). Cryptic/PWE shouldn't even try and pretend they don't have that basic info.
But nobody here can do anything about it. The mods have no powers over accounting. The devs are a different department and the players can do nothing.
They might not track key transfers by in-game mail either. Logging like that doesn't happen for free, it chews up storage space and server time.
Perhaps they do both. If not, it's true that they could do the work to do both if they chose to.
Ignoring all that, holding the hijacked account hostage is poor service.
One question though: how long did it take this person to report the hijacked accounts? If someone took over my email and Arc account I'd have reported it within hours not days or weeks.
They absolutely do track users' IP addresses in Arc to some extent, and I can prove it by looking at the email that gets sent when I request access from a new computer:
The 'bad guy' had to have done that in order to hijack the account.
Granted. I'm just saying that it would be a good idea to improve their fraud prevention. Keys aren't the only commodity that can be abused, but they're the most susceptible because they can be reliably acquired with credit, are easily transferred across accounts, and have real-world value if they can turn them into lockbox ships that can be sold offline. Keys can also be used to reliably generate Lobi, which can also be used to generate transferable reward packs.
I wouldn't be terribly surprised if a "gold-spammer" was behind it.
Perhaps I'll sound too much like a "white knight" here, but I don't see where the support team has a great deal of choice. They have no good way to investigate whether the customer is a victim of fraud or a perpetrator of it... that requires a special kind of skill set and tools that an online gaming company probably isn't going to have. And since the credit card that was used to make the purchases doesn't belong to the same person as the game account, the player was not defrauded and has no standing to file a criminal complaint.
Probably all they can do is file a BBB complaint as was suggested and see if it gets any results.
People in this day and age place entirely too much trust and emphasis on the whole "sue them" litigation option. Which for most people is no option at all.
The lawyer and court fees would cost more than anyone would hope to recover, and in the end they'd lose. They'd get off cheaper just paying PWE the $500.
It's not extortion, either. Not in the legal sense. They are withholding service due to non-payment, which is entirely legal even if it may not be entirely ethical in this case.
Try filing a complaint like this at your local PD. They will not appreciate the paperwork and would in any case do absolutely nothing because there's not enough money involved and no crime was committed other than the hacking of an email account that they're not equipped to deal with.
They may count themselves fortunate that they are not the target of the credit company's loss prevention unit and wrongfully accused of credit card fraud. Losing their PWE account would be the least of their worries.
I will agree that it sucks and that it shouldn't happen, but the reality is that this is one of those no-win situations where a lesson is learned and life goes on. It is also reason to wonder if investing heavily in Zen is a very good idea when being the target of cybercrime that costs you everything you ever bought from PWE is a real possibility.
Will it stop me from buying Zen? Probably not, but it makes me nervous about how PWE processes payments through Arc.
The admins over there at Reddit are crazy. Had one account perma banned and one banned for a week. The perma ban was because I called out one of their fleet members who was using an exploit and then reported it when it became a bit too expensive for him to use it. Hope they kicked him to the curb. The one week ban, well, never ever harshly criticize Cryptic or devs over there.
As for the OP, it sucks that a player that stuck with this game for so long and is a lifetime subscriber got treated that badly. Hope someone with power can intervene on their behalf and fix things.
Unfortunately, PWE security practices are very questionable to say the least. I present to you, one of many of their questionable security practices....
Under no circumstances should your financial information be saved. Ever.
My character Tsin'xing
E'Mc2 : Science Reman torp T'Varo, deadly annoyance :P
Kunmal: Tactical fed Klingon, ground specialist, USS Kanewaga
Ka -tet Tier 5 fleet fully completed Starbase and fleet property
If Tredy gets this sorted out, please advise your friend on secure passwords and some basic internet security.