Being an avid traveler of the Character Bazaar, I have bought/sold many a toon. In doing so I always feel a bit eerie giving someone my account name to initiate a transfer for a character that I am purchasing. Feels strange giving out 1/2 of the puzzle to someone who now could start to guess passwords using my account name.
I thought it would be a decent idea to allow you to generate a hash of sorts inside your Account Management area that you can give to people for the purpose of buying/selling. This hash is essentially a link to your account name whose only purpose is for character transfers. Now you no longer have to divulge your account names to strangers.
Yes there are arguments against my concern:
enable 2 factor auth
update your passwords regularly
make them very unique passwords and use a password manager to store them
Aside from the three “solutions” you’ve already admitted exist, the only other reason I don’t see CCP doing anything of the sort is that they shouldn’t try to Fix Stupid. On either side. If someone’s dumb enough to try brute-forcing into an account someone transferred a character from, those access attempts ARE logged. It’s easy enough for CCP to go “hrm… these access attempts look just like the sources of the account who just bought a character from this guy. DOOMHEIMED.” And if someone’s dumb enough to not have their account secured in the first place…
For those who do not follow the bazaar, there has been a GIANT uptick of hacked accounts being posted for sale on the Bazaar during the last week. I have my own assumptions of why it was done during FF, but I digress.
With this uptick, people who fall for the bait and attempt to purchase these scammed characters are now handing over their account name to hackers.
I’ve just made it 1 step easier for the hacker to try and get into my account by giving them my username.
These are just a few of the many scammed sales in the bazaar in the last ~7 days where players have now handed over their account name to a hacker in thoughts of them making a sale.
We need account name hashes that we can generate for this purpose.
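An added illustration of the transfer-alias idea raised in this thread (not part of any post and not CCP's implementation): the alias is a random, single-use, expiring token mapped to the account on the server side rather than a literal hash of the account name, so it cannot be matched against a list of candidate names. The class and method names are hypothetical.

```python
import hashlib
import secrets
import time


class TransferAliasRegistry:
    """Server-side map from opaque transfer aliases to account names (hypothetical design)."""

    def __init__(self, ttl_seconds=7 * 24 * 3600):
        self.ttl = ttl_seconds
        self._by_digest = {}  # sha256(alias) -> (account_name, expires_at)

    @staticmethod
    def _digest(alias):
        # Store only a digest so a leaked table does not expose usable aliases.
        return hashlib.sha256(alias.encode()).hexdigest()

    def issue(self, account_name, now=None):
        """Create a random alias that is not derived from the account name."""
        now = time.time() if now is None else now
        alias = "xfer-" + secrets.token_urlsafe(16)
        self._by_digest[self._digest(alias)] = (account_name, now + self.ttl)
        return alias

    def resolve_for_transfer(self, alias, now=None):
        """Return the destination account and consume the alias.
        Unknown, expired or already used aliases return None."""
        now = time.time() if now is None else now
        entry = self._by_digest.pop(self._digest(alias), None)
        if entry is None:
            return None
        account_name, expires_at = entry
        return account_name if now <= expires_at else None

    def revoke_all(self, account_name):
        """Let the account owner invalidate every outstanding alias."""
        stale = [d for d, (acct, _) in self._by_digest.items() if acct == account_name]
        for d in stale:
            del self._by_digest[d]
        return len(stale)


if __name__ == "__main__":
    registry = TransferAliasRegistry()
    alias = registry.issue("buyer_account_01")  # constructed sample account name
    print("give this to the seller:", alias)
    print("transfer target:", registry.resolve_for_transfer(alias))
    print("second use:", registry.resolve_for_transfer(alias))
```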
I think you are right with that … giving someone your username is not a good idea at all … you can’t change your username so you give out the only thing you can’t change …
you can change your mail address, your password and your 2 factor authentication changes every time you use it so …
that system has to change I guess
thanks for your thoughts about that security thread
Went through the bazaar and got the complete list of current scams. We’re up to 12. Now 12 may not seem like that many, but most of these characters are going for 50-100b which I assume (never looked) RMT’d to a very nice profit. On top of the isk, they drain the SP and sell the injectors which doubles the isk they can RMT.
In the 7 years I’ve been character trading (with breaks), I’ve never seen more than maybe 1 in a 6 month period if you’re lucky. We’ve seen 12 in ~8 days.
The topic naming convention is all very predictable if you look closely. The description of the sale post is also very similar if not exactly the same format across the majority of them.
Unfortunately our efforts are Reactive not Proactive. We can report these posts and all these things but ISD does not have access to check anything on the backend of these accounts (to my knowledge). So we’re left waiting for someone to take the bait and fail to receive the character, which then means a ticket and waiting days to weeks, by which time all the assets are in the wind.
You’d have to ask them if they enjoy giving their account name to hackers. I know that one of the major Character Traders who is on the bazaar daily hates the fact that he has given accounts to these scams.