Dev blog: Security Update - Q1 2018

Check out this dev blog for the latest installment of regular information on security action from Team Security!

11 Likes

Interesting blog and explanation about the advancement of restrictions for botting accounts.

Regarding CCP communications: why not just have CCP communications ticketed, so that, versus someone posting information regarding a dev/CCP communication that gets taken out of context, they could (like an API) simply be linked or referenced? The section 18 change of the EULA I can't help but see as "shady", as, if I recall, it was implemented shortly after the "T20/BoB" T2 cheating / lotto-rigging fiasco. Why not allow referenceable sources of official communication to be publicly referenceable "in context" via a link? Then people could misquote CCP all they wanted; with said link it wouldn't be taken out of context. It's not like people don't post it anyway; they usually just censor names/times anyhow, which, if convincing (like a bad headline), still reflects poorly on CCP (in my opinion). Transparency is key.

2 Likes

http://www.escapistmagazine.com/articles/view/video-games/editorials/op-ed/847-Jumpgate-EVE-s-Devs-and-the-Friends-They-Keep for example… misquoted or original replies in this link? Who knows? CCP still comes off looking poorly.

Wait, so this whole time until now, when people were getting bans, they could transfer characters to another account? :psyccp:

No. That was banned years ago. The new penalty is that they can’t use skill extractors.

1 Like

What is the definition of “bans related to account hijacking” ?

"Hijacking" could only mean account hack / takeover.
Edit: And I'm stunned by the number… it implies an even larger number of affected accounts. When an email takeover is involved in a hijack, a bunch of EVE accounts could be compromised at once. (Go 2FA!)

1 Like

Fact of the matter is CCP still shows an affinity toward certain groups in game, and no matter how you spin it they have no internal security overseeing what their employees do or to whom they feed intel on future development or company plans.

1 Like

Uh. There is literally a division of CCP called Internal Affairs. You can email them if you believe a CCP employee is showing bias.

4 Likes

Really appreciate you taking that feedback on the skill injectors and putting it into practice. I remember when I saw it being brought up, and CCP (I forget who) said it was a great idea and that they would try to get it done. That's a sure way they would avoid the account strikes and bans that you are trying to stop the botting with.

As a normal player from China, I just know lots of players use bots and other methods against the EULA, but in the end nothing happened…

1 Like

The expanded clarification to section 18 is appreciated. I've bumped into a couple of R00kies who are so scared of it that they were afraid to link CCP employees' Twitter handles in chat, thinking that would get them a ban-hammer smack.

While hitting bots, RMTers and account thieves is great, and 2FA would help accounts stay in the hands of their proper owners, I'm still holding out for an authorization-code fob like the Blizzard/Battle.net ones. I'd be willing to plunk down $10-20 for one so my 2FA isn't 100% tied to an email account to work. Half my accounts are on Yahoo emails; those are admitted to have been compromised in the billion range now. A method outside repeated email checking for the 2FA blurb would be something I'd want!

Mikkhi

1 Like

I welcome the banning and other severe restrictions against bots. Not sure how somebody would let their account get hijacked; just don't trust anybody enough to hand out your account credentials. You might as well give them your credit card details, too…

You can get 2FA in a number of ways on a smartphone. RSA, SafeNet and Google Authenticator are just a few.

I’m glad you guys are taking action against botters. They’re a plague in practically every well-known MMO. Coming from Runescape, I’m accustomed to harsh action being taken against bots and those who run them. But, Jagex’s Botwatch program isn’t perfect and it has permanently banned innocent people in the past.

Do you guys investigate every report of botting or do you have a system in place to monitor this sort of activity? What steps do you guys take to ensure no innocent person is accidentally banned for botting?

2 Likes

Delayed local will stop botting!!!

1 Like

That's not a bad idea. We'll think about these things and maybe we'll end up making some changes down the line. There are a lot of factors to consider to make such a system safe, even just from accidents, as oftentimes tickets contain personal information that people divulge about themselves or others.

Complete lack of transparency isn't great for anyone involved. If the information firewall has no holes in it, it also means that anyone can make all kinds of wild claims about how they were treated by us and hide behind the fact that they're not allowed to share the communication. We reserve the right to call those people out, and if anyone feels slighted by us, it's fair that they get to call us out as well. Any general rules surrounding this just need to be sensible and protect against unintended consequences.

An active conversation about these things is a good start :slight_smile:

1 Like

In almost all cases the "hacked account" is just accessed with valid credentials because someone lost access to their email address in a big data leak somewhere. And yes, there are easy steps to protect those email accounts, like 2FA and general diligence.

1 Like

We have automatic detection methods in place but we manually confirm the ruling before banning someone. False positives are so rare for bot bans that we’ve almost never had actual false positives. We like to be very sure and we won’t allow the machines to make the final decision until we trust them completely. They’re very accurate today but we don’t really accept collateral damage.