Changes to account logon information is becoming common for MMOs
With a new year comes new changes, and several MMO gaming companies have felt the need to make changes to logon information for their major games. I for one am not too happy about this change, and there are many other vocal consumers sounding off on game forums. The change is simple - instead of having a separate log on for the forums and the game itself, they are combining these usernames into one master account. While it sounds like just a bit of streamlining, many fear the threat of hackers gaining access to game accounts. Considering many of us were used to and liked the idea of having a separate way to access the official game boards along with our unique log on for the games we play, this change does not make much sense.
When explaining why this change was necessary, forum moderators gave various reasons. Phillip_BW, a moderator for the Star Wars: The Old Republic boards stated:
“Lots of companies do use email address as the username. Lots don't. Both approaches have risks as well as rewards. One of the key risks for using email address is that an attacker who gets a valid email address and password will then know for certain that the account is associated with the website (or game!). For SWTOR this does not mean that the attacker could then take over an account, but it would give them the knowledge of who to craft a phishing attack against and have a higher rate of success in gaining access to information such as Answers to Security Questions. Without the link to email address, they also won't know the needed information in order to target the email account itself for a take-over in order to gain access to SWTOR and anything else linked to that email account.
This change will remove the ability to link (based on knowledge of the correct password) to your SWTOR account.
Even today if an attacker gets the right password they will not be able to gain access to your account, and with this change they will not be able to figure out which email address to send a phishing attack at, or which email account to try and take over. This allows us to place more trust in the ownership of the email account as being validation that we are (electronically) talking to the owner of the account.”
So from this perspective, it seems they believe that not having a person’s email (which was the required log on for SWTOR) will actually help prevent security risks. However, as many frustrated posters in the official form topic stated, this change seems rather suspicious given that they sell security keys..
While some companies have at least a halfway decent explanation some do not
In a similar move, Dungeons and Dragons Online has recently announced plans to change the forum access to your game logon ID. Unlike SWTOR, DDO allowed its player base to create an unique forum ID, with a separate unique user ID to log into the game. While it is understandable to want to avoid revealing a player’s email address, Turbine has not given any official reasoning as to why this logon change will be put into place. Sources say it has something to do with the new account management system that they put in last month, and some of the multitude of issues that has stemmed from the new application. Their other popular MMO, Lord of the Rings Online, has already converted to this system, though unfortunately they experienced a hacking incident as a result of the change. As a drect result of this, many players of Dungeons and Dragons Online are not too happy about this change in events.
How I feel about these sudden log on changes
I for one feel that when it comes to security, the fewer ways a potential hacker has to know how to access my account the better. It's troubling to know that potential hackers already know half of our logon information. We look to our game providers to provide a secure environment for our personal information, and after going through account hacks before, many gamers may become wary of these new changes, especially when it comes to linking information such as Paypal, or credit card information, to our game accounts. While it is too late to change the minds of Bioware or Turbine WB Games, I can only hope that those of us worrying about our account safety truly have nothing to fear. Because I fear the fallout if hacking does occur.
Are we just being paranoid?
Well some may say yes, but many more, especially those who have been the victims of account hacking, say it does not take much to have a hack occur. Sony recently had troubles with hackers gaining access to past accounts, and as I previously stated, Turbine had to deal with their own issues with account hacking after switching the logon protocols for Lord of the Rings Online. Often people’s fears are justified, hackers gaining access to personal and financial information is a real threat that can truly send a person down a spiralling path into debt, or other issues such as identity theft. I have spoken of the dangers of phishing and the importance of avoiding “official emails” from games in the past, but what can be done when hackers now have half of your logon information? What if you are not one of those who can afford to buy security keys to keep your information safe? It seems to me that consumer safety should come before profits, but that is just my take on this.
Sometimes I wonder if the people who brainstorm these account ideas are better off working on other parts of the game. I feel for the ones who will lose out if this new security feature backfires and accounts are compromised. Just saying.