[Suggestion] Account Security

Dear Riot,

This is concerning account security.

So my friend's account got hacked a while ago. The hacker had gained access to my friend's computer through a trojan and had spoofed his LoL login credentials (username and password). After he gained access to my friend's account he proceeded to change the login email and the password. Thankfully my friend got this unfortunate situation resolved with an email to player support and nothing much has happened to his account.

But why was it so easy for him to change the login data? As soon as I heard his story, I checked on my own account and was quite surprised that changing my login credentials required nothing more than typing in the desired new ones! I must confess I was a little shocked about this and wrote a rather lengthy paragraph to player support. Player support then referred me to the forums. AND I promptly forgot about it.

So why bring it up again? The answer is the new gifting mechanic Riot implemented for the holidays.

One part of why I neglected to follow up with a forum post was that the damage that could then have been caused by the hacker was minimal. Sure, the hacker could have gone for an elo dive or a raging fit, he could have purchased stuff for the hacked account. But player support could have cleared that up or it would have been kind of beneficial to my friend.

With gifting, the whole game changes.

Let's be cynical for a little while: If my friend's account possessed rare skins a hacker could sell them for a hefty amount, he could empty the account of skins/champions and sell pre-stocked LoL accounts. He even could attempt to get access to whichever payment method for RP my friend uses and put a dent in my friend's finances and then sell the RP. That is all I can imagine right now, but there are quite probably more methods to abuse the gifting system on hacked accounts.

As you can see: there suddenly is a reason to hack LoL accounts.

Back to our hacker: Why was he able to reset the password and the email address without any confirmation of his identity? Account security is getting more and more important on the internet and there actually are some systems that would be able to enhance security for our LoL accounts. In the first few weeks of its existence, Guild Wars 2 saw many hacked accounts, and the policy ArenaNet adopted and the promise of email/phone authentication if the login is happening from a different computer is exemplary.

Yes, yes even the best security measures can be hacked, but increased security measures would make LoL less attractive to hackers.

So what do I propose Riot should consider with account security?

First: If Riot wants to make gifting more permanent (and I fully believe Riot does want to), Riot needs to up account security, else an increase in hacking will happen.

Second: Parallel to this Riot should raise awareness on online security. This can be as easy as compiling a little guide on how to set up a secure password for your account. For a lot of people LoL is one of the first contacts they have with major online gaming (except maybe for Farmville on Facebook). Getting hacked can be a case of insufficient security measures that extend to other areas of their online lives.

I hope Riot (as a company I really admire) will try to enhance account security in the near future. I believe people are reading what Riot says on their webpages and in their forums, because Riot has cultivated a climate where the players believe their concerns are heard, acknowledged and most importantly not forgotten but addressed. It may take some time, but when the improvement/adjustment happens it is always amazing. And the players take notice and believe that Riot cares for them. If Riot raised awareness on account security I believe the players would listen.

Love Ava

Dear Riot,

This is again concerning account security.

This post is a quick follow up on the post I did a while ago concerning account security. Sadly it did not garner the reception I was hoping for. Frankly it got no reception at all.

Just yesterday a friend of mine was quite cross that Guild Wars 2 required a mandatory password change from him. A quote from him was: "Why do they make me do that? What if I run out of passwords?" Now this friend is by far neither dumb nor uneducated. He has a degree in psychology and is a passionate gamer. He is simply doing what a lot of people are doing on the internet. He is reusing his passwords. The other news from yesterday was that around 200,000 accounts on Twitter got hacked. Odds are that some of those accounts have LoL accounts with the same login credentials.

Riot please tighten your security. Millions of players play your game passionately and they deserve their accounts to be secure.

Love Ava

Hello Riot,

My name is Sic. A couple of days ago I got robbed of my account, but thanks to my friend I got it back. I hate how easy it was for the "hacker" (as we named him) to be able to change the email address to his own in a matter of typings and clicks. I agree with Ava about needing email confirmations to show up at our emails and/or phones. It'll be helpful to lots of fellow Summoners to know they are about to be robbed of their account.

Riot, you have lots of innocent and good people playing your game and I just want them to be safe.

Also, I'd like to bring up the fact that some players are getting scammed or illegally using RP generators and stuff related to such. I think it would be nice to have a little board or video appear on the League main page telling the fellow summoners what things are legal or not legal.

OH! Also I think a little PIN number tab could be helpful to protect accounts.

Thank you very much for reading this, and keep up the good work Riot! x3

Dear Riot,

Having had no response to this thread makes me quite sad.

Just a week after my last post the account of a brief acquaintance seemed to have been hacked. I only suspect this, because I deleted him right after I confirmed that the suspicious behaviour I encountered was not a singular occurrence.

So what happened? Surely you all remember the notice in the chatbox to NEVER give out your password to anyone? No, he didn't ask for my password and login in chat. He linked me to a website. It was a detailed rebuild of the Riot login screen. Someone must have downloaded the whole leagueoflegends.com page and rebuilt it.
I didn't log in, because the address of the page seemed a little fishy. Some people did, as I found out soon after. What tipped me off? First of all, a link to leagueoflegends.com generally doesn't send you to the login page. Secondly, ALL leagueoflegends.com pages follow the same address pattern, which is *region*.leagueoflegends.com, i.e. na.leagueoflegends.com. This link was a little different.
The way internet addresses work is that the site before the last full stops is a "parent" of all previous sites, so if you encounter na.leagueoflegends.zzzz.com the site is hosted at zzzz.com; na.leagueoflegends is only a subsite. So you can easily check if the site you were linked to is legit. Does it say *.leagueoflegends.com with the * being a region? Then yes, the site is most probably genuine.

This is an example of something called phishing. Phishing is when the hackers lull you into a false sense of security and fish for your credentials. This not only happens through the player chat, though generally it is more successful if the person to be phished trusts the person the phisher uses to distribute his attempts.
I have seen phishing through emails, in forums and in open chat rooms. Most of these phishing emails appear to be from a legit source (the "prince from a Saudi kingdom" also counts as phishing) and they want you to type in your account credentials somewhere.
Many people have been scammed out of their bank accounts that way.

So what to do?
Do not log in to a site you were sent a link to. Especially if those sites house important information, like your bank account or email.
ALWAYS surf to the site yourself.
Use different passwords for the important stuff. NEVER use the same password on an online game that you use on your email or your bank account.
Report attempts of phishing to the sites that got their pages copied.
Change your password immediately after such an attempt.
Also, please don't keep your passwords in your browser, where they lie in plain text (not encrypted).
Someone who can phish can also have the site install a cookie that gets your password without you doing anything.
Delete your cookies from time to time.
If you want to become a little password security geek, inform yourself about TrueCrypt or LastPass.

Love Ava,

bringing you your monthly security post.
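The "parent domain" check Ava describes in her phishing post, written out in Python as an added example (not part of the thread and not Riot's code): it parses a link the way a browser would and reports why a look-alike address fails. Only the *region*.leagueoflegends.com pattern comes from the post; the function names and the sample links are constructed for illustration.

```python
from urllib.parse import urlsplit

# The trusted parent domain named in the post. Everything else in this file
# (function names, constructed sample links) is illustrative.
TRUSTED_PARENT = "leagueoflegends.com"


def registrable_parent(host: str) -> str:
    """Return the last two labels of a hostname, e.g. 'zzzz.com' for
    'na.leagueoflegends.zzzz.com'. This is the 'parent' the post talks about."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_login_link(url: str) -> str:
    """Return 'genuine' for <region>.leagueoflegends.com, else the reason
    the link looks like a phishing address."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return "unparseable URL"
    # .hostname is lower-cased and has any user@ prefix and :port stripped,
    # so 'na.leagueoflegends.com@evil.example' resolves to evil.example.
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return "no http(s) hostname"
    # A genuine Riot hostname is plain ASCII; look-alike letters from other
    # scripts (homoglyphs) fail here before any string comparison.
    if not host.isascii():
        return "non-ASCII hostname (possible look-alike characters)"
    parent = registrable_parent(host)
    if parent != TRUSTED_PARENT:
        return f"hosted at {parent}, not {TRUSTED_PARENT}"
    # The post's pattern is exactly region + leagueoflegends + com.
    if len(host.rstrip(".").split(".")) != 3:
        return "unexpected number of labels (expected <region>.leagueoflegends.com)"
    return "genuine"


if __name__ == "__main__":
    # Constructed sample links, including the zzzz.com shape from the post.
    for link in (
        "https://na.leagueoflegends.com/login",
        "http://na.leagueoflegends.zzzz.com/login",
        "http://na.leagueoflegends.com.zzzz.com/",
        "http://na.leagueoflegends.com@evil.example/",
        "http://evil.example/na.leagueoflegends.com/",
    ):
        print(f"{link:50} -> {check_login_link(link)}")
```

Because the verdict is computed from the parsed hostname rather than from the visible text of the link, the same check catches the domain hidden in a path, after a user@ prefix, or padded with extra labels.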