Thursday, November 03, 2011

Hacked Cabal PH accounts: an inside job?

I cannot recommend any of their (e-Games') online games to any online gamer who values security and the integrity of their accounts.

Last November 1, around 4:00 PM, I was logged in on Cabal Online PH, a Korean MMORPG published locally by E-Games, using my PC at home. With my character just idly standing in the vicinity of Bloody Ice (one of the first three towns of the game) and while I was tending to other things, all of a sudden the account logged off. Thinking it was only a network problem, I tried logging on again, only to be given the message that my account was already active. I logged on, only to be disconnected again, with the message that someone else was logging in to my account. I tried logging on again, got disconnected, and tried logging on again several times in succession. After several minutes I finally got my account logged on. When I selected the character I was online with only a few moments ago, it was stripped naked. Checking the inventory and personal storage, my worst fears were confirmed. My account had been hacked, and the valuable items were stolen.

As a matter of course I filed a help ticket with Cabal Online PH's support desk, then I called up my girlfriend who's also into playing Cabal Online. Her account was also hacked...only within a half hour or so of my account being hacked. Like mine, her character lost its armor and a number of valuable items. All in all, the lost items represent quite a huge fortune if expressed in in-game currency, and possibly a small one if we're talking real money.

I guess if you've been playing Cabal Online PH yourself, no doubt you've heard of horror stories of other accounts being hacked. Maybe your account has been hacked before. Me? My account has never been hacked before. My girlfriend's account as well. I've been playing Cabal Online PH for more than three years on and off, and the same account and character of mine that was hacked was the same one I've been using during Cabal Online PH's open beta testing three years ago. My girlfriend has been playing it for slightly more than a year.

The clincher is, I don't think either of us falls within the norm for your standard hacking case.

Both of us are in our 30s, degree holders, gainfully employed, and play Cabal Online as a diversion from our daily routines. We play only on our own PCs and own internet connections. I play on my home PC or on my laptop, connecting either through PLDT DSL or through Sun's wireless broadband service. My girlfriend only plays on her laptop, also through Sun Wireless Broadband. We have never played in an internet café, on a public computer, or on any other computers other than the ones we own.

Both of us have IT backgrounds, so we know the importance of regularly scanning our PCs for viruses and malware. Before and after the hacking incident, we have scanned our computers with reputable and up-to-date anti-malware and anti-virus utilities and determined them to be free from any such malicious software.

We have never used any third-party programs, cheats, or hacks. We play the game as it was meant to be played, and enjoy the game that way.

We've never let anyone else use our accounts. Other than ourselves, no one knows our login names, much less our passwords. And our passwords aren't easy to guess for that matter.

We are aware of phishing and scam sites and have never logged on any of them, and we have never entered our login names and passwords on any other site except the official e-Games portal.

We also as a matter of course keep our inventories and storage areas locked and secured.

Yet, despite all these precautions, our accounts were compromised, and our characters' expensive items stolen.

Perhaps worth noting is that our accounts only got hacked a couple of weeks after our characters started donning Mithril armor (the most expensive armor in the game), and the fact that our characters belong to the same guild...information which, it isn't farfetched to surmise, can easily be gleaned from a character database using an appropriate search query.

To be honest, I've been racking my brain if there was something else I could have done differently...something I could have done to further secure my account. I can't think of anything else.

Based on this, we've arrived at the hypothesis that our accounts could have only been hacked by those with inside access, meaning either an e-Games employee, or someone with access to login information obtained through an e-Games employee.

There is simply no other explanation.

Check the audit trails...check the backup data...check the logins of your personnel, and the IP addresses for consistency. It is so easy for an authorized employee to get the relevant login information from its database, forward it to an outside accomplice who can then log in to the account and steal the valuable items, only to sell them later for real money.

While e-Games maintains the policy, and this we agree with, that it is the player's responsibility to secure the confidentiality of his/her account password, we strongly disagree with the premise that e-Games itself is entirely free from any liability, given that the security of its internal account database and system is its responsibility and not the responsibility of the players themselves. There are only two possible avenues to a security breach: one is through the client side, and the other through the server side. e-Games cannot claim absence of responsibility on its part for maintaining the security and integrity of its server-side data.

In fact, the Game Policies of e-Games itself bear out this inconsistency:

xxx...E-Games does not guarantee that its portal and corresponding game websites are free of any harmful software, and that the same is hack-proof. Account Security is therefore the sole responsibility of the account holder. As such, you are earnestly enjoined to take all security measures reasonably available to safeguard the operating system and accounts when accessing the Games and the websites...xxx

e-Games admits that it cannot guarantee that its portal and websites are free from any harmful software and the same is [sic] hack proof...and yet in the same paragraph it maintains that account security is the sole responsibility of the account holder.

Honestly, I believe this is a lot of bull. Admitting that one cannot guarantee the security of its system, then passing the sole responsibility of account security to the player, who is merely a client/user. And this from a company who profits by selling privileges to players to use on its system.

I can go on a legalistic tirade on why these policies are bull, but that is not the point of this blog post. The point of this blog post is the fact that e-Games itself, by our own experience and by its own admission, cannot guarantee the security of its own system. This is simply unacceptable for a company which operates that system for profit.

Admittedly, the concept of MMORPGs has very little legislation going for it in terms of client/user protection, but there are tons of general laws which can be invoked in order to protect the rights of the client/user. It cannot be helped I suppose, online gaming being a niche market in itself, that it is for the most part unregulated. Nonetheless, that is not an excuse for not securing the personal information and login passwords of registered users.

From a practical point of view...if you are aware of and diligently follow all of the rules when it comes to account security, who else is there to blame for hacked accounts? To my mind, the blame falls squarely on e-Games' shoulders, and they cannot shirk away from this responsibility on the basis of its game policies and license agreements.

Don't get me wrong, I am not advocating, nor am I planning to take this issue to court. That's a bit extreme for something which is as trivial as an MMORPG. Nor am I or my girlfriend clamoring for the return of the lost in-game items, which may or may not be possible. Thankfully, the items were procured through honest-to-goodness in-game farming and selling and not bought using real money. But still, the effort exerted shouldn't just go to waste...or trashed because of e-Games' inability to provide adequate data security.

For me, e-Games should just do right to those who have been availing of its services, the very players it gets its profits from. Fortunately or unfortunately, I am not one of those pimple-faced teenagers whose (admittedly sometimes exaggerated) claims or allegations e-Games may easily dismiss.

The requisite help tickets have been filed, though there is still no official response at this point. Personally, I am looking at all the possible angles and remedies for this situation, which may include government involvement, media, and possibly, if the circumstances warrant, court intervention, though only as a last resort, if only just to establish a point, never mind if the case is actually lost or won.

Frankly, the loss represents more to me than just the loss of in-game items. The hacking incident has eroded my trust in e-Games' ability to secure its system, and for that reason I cannot recommend any of their online games to any online gamer who values security and the integrity of their accounts. Go to some other online game publisher, one with a better track record when it comes to security, or stick with local network multiplayer gaming or single-player games.

And consequentially, the lack of trust with e-Games has now deprived me of an activity that I once enjoyed and shared with my significant other and even my son before. It's a good thing though, that there are other things to do. But still...

The reason that hacking is so prevalent...and yes, it IS prevalent...just Google up "Cabal PH hacking"...is because it can potentially be a very lucrative endeavor. It is not unheard of for people to spend up to thousands, even tens of thousands of pesos, just to get the most powerful virtual weapons and armor, or the highest level characters. And somehow, in this gray market, hardly any regulation exists, at the expense of those honest players who don't deal in real-money trading and only wish to enjoy a pleasant and secure gaming experience, willing to pay the nominal and legal costs incidental to it and its local publication, but somehow find themselves victimized by unscrupulous hackers. e-Games' indifference to hacking doesn't help either.

This is not the end though. We may no longer be playing Cabal Online with the enthusiasm and zeal we had before...hell, we may even quit entirely given our distrust with e-Games...but personally, I don't want this loss on our part to be in vain. Sooner or later more people will realize the one-sidedness of this entire episode, e-Games' indifference to the plight of its hacked players, the massive hacking that has remained largely unchecked, and local online game publishers, especially e-Games, will be forced to put a higher priority on data security, on data confidentiality, on employee selection. We expect the highest level of data security when it comes to credit cards, bank accounts, ATMs, money transfers and remittances, social services like SSS and PhilHealth, prepaid loads, internet accounts, email accounts, social networking sites, etc. Online games should be no different. And if a company cannot guarantee the security of its data, it has no business holding our personal account information only for them to lose it or allow it to be divulged and misused.
