Assembly Hall

Our alliance suffered two keylogger attacks this week. While we expected CCP to fix the damage, they told our guys that CCP's policy is to only give players back the isk for which the items were sold, not the items themselves and not their fair market value. CCP's reasoning is that to make proper reparations would negatively affect the server economy.

In reality, CCP's standing policy is a big handout to isk-sellers. All they need to do to take advantage is to place really low buy orders in a handful of places, hack the targeted accounts, and sell off their T2 ships, minerals, and POS fuels to make their billions. The offending account will get banned, but the buyers' accounts will rake in the profit without ever falling under scrutiny. The current policy therefore aids isk-sellers while harming honest, paying customers.

I would like CCP to release data on how many keylogged former customers have quit EVE in disgust over this policy, and I would like to see CCP revise the policy so it no longer benefits people committing felonies in the real world and disrupting our game community. After all, you try telling a police officer who arrests you for grand larceny "I can't help get back the Mercedes I stole because it would negatively affect the black market." Try it, I dare you.In the civilised world, stolen property is confiscated and returned to its owner while those found in possession of stolen property have criminal charges filed against them. Why should CCP policy not reflect thousands of years of law enforcement wisdom?

As far as I can tell, the only reason is that CCP does not want to do the work of fixing these problems. But there are a number of simple steps that CCP could take to make the game more secure from keyloggers. First, we could have the option to anchor our email, that way when a keylogger tries to change an account's email address, he gets blocked and his IP gets banned. Second, in both of our alliance's instances, the keyloggers logged into the account while it was being played actively, this knocking it offline from another IP address. Considering this is a blatant violation of the EULA, CCP could write simple code to auto-ban the account in these instances, and then un-ban it once the customer's computer is secure.

Revising the policy need not drain time and money from CCP, but the current policy is offensive to your dedicated customer base. It's high time the policy was revisited.
-JM

I was about to post the exact same thing but the forum ate my post. Stop buying ISK and visiting illegit sites and you won't get keylogged.

All I did was downloaded the update to Adobe Flash Player. It installed a 3rd-party toolbar without my knowledge. The toolbar then installed the Trojan.

But this is not about me wanting isk back. The policy CCP has for dealing with it encourages isk selling and benefits isk sellers while hurting those of us who play the game honestly. I have bought 2 PLEXs in my entire 5 years, as CCP can confirm.

The policy needs to change so isk sellers are not compensated for committing criminal acts.
-JM

LOL? And from whre did You get a Flash update that instals 3rd party toolbars? Not from Adobe site for sure :P


On a more serious note. I kind off partially agree that more account security should be in place, but You resoning is little off. For example e-mail adress, why should i not be able to change e-mail adress? A legitimate player wantig to change his OWN acc mail get banned?

Or Auto banning for loging from different IP. You know we have those IP changing internet providers right? mine resets connection every 24 hours and gets me new IP in process. Imagine this happening on a laggy cluster where server will not notice me loosing connection before I log back from different IP.

soooo YES for more security in place - things like banks have, or whatever. But not What You are proposing.

And for market orders. Right now I can tell You ow a creative player can make huge billions if CCP will act the way You propose with stollen stuff and money, but I hope You can figure out for Yourself.

Auto-install was hacked.



That's not what I said. I said you should have the "option" to anchor your email. If you don't want, you don't have to.

Nevertheless, there are many solutions CCP could and should look at. Currently they are focusing on game content while a new wave of keylogging attacks is spreading across the game.

CCP can't do anything about keyloggers that YOU let get installed on your system. No matter what, there is nothing they can do about it. A keylogger with sufficient information can also take over your E-Mail account too, so E-Mail verification won't fix the issue either. Nothing beyond a hardware solution, like yubikey, can prevent keyloggers from gaining access to your account.

Keyloggers aren't CCP's fault and they can't do anything about it. Maybe their reimbursement policies aren't all they could be, but there wouldn't be an issue in the first place if you just kept your computer secure.

Why, might I ask?


You mean some kind of verification like Facebook's "someone logged in from this location" system? Not a bad idea, but probably a pain to implement. Remember, you are speaking about a company that won't even build a kill board for it's own game.

Not that I'm bashing CCP, but I'd hazard a guess that the number of people effected by keyloggers is relatively low. I'd also guess the number of people unsatisfied after having been attacked, and who blame CCP, is even lower. The question is, would the resources required to create such a system be better served elsewhere?

I also happen to agree with their current stance on protecting the Eve economy, your computer security is your own concern, unless the attack was server side you are at fault, no matter how unlucky you may have been.

It is not CCP's responsibility to completely reimburse you with in game assets for a security flaw on your own system, especially not at the expense of endangering the game economy.


It sucks that you somehow got a keylogger onto your machine, however it happened, but personally I'd prefer to not see items duplicated on the eve server because of other people's issues with account security.

As for your claim that it benefits ISK sellers, it would strike me as dumb and overly complicated to sell the items to their own accounts and try to spider web the money back to some clean source. A more likely scenario is that they just sold your stuff for as much ISK as they could, as quickly as they could. Then purchased a small number of very expensive items and tried to drop them in space, or otherwise move them to other characters, without any transactions being logged.

Anyway, all of that's blind speculation, at the end of the day your computer was compromised. CCP helped to the best of their ability without completely destroying the Eve economy, and I'm sure they try pretty damn hard to find the people behind this kind of thing too. That seems like enough to me.

No, for all the reasons above.

I'd like to know this too.

Well, I (and most people I guess) am still trying to figure out how you get to ISK sellers and scammers from a keylogger.

If you are correct, why am I posting a proposal that CCP examine its policy and security procedures? If I was wanting my stuff back, that's what this post would be about, and you wouldn't find it here in the CSM forums. The fact is, this is not about me. It's about the game and asking for the same fairness in game that we get under our common law.

I have already accepted what I've lost. Now I'm trying to push for change in CCP so what happened to me doesn't happen to others. I'm not saying "force this on everyone" but rather "give us the option to choose". What is wrong with your head that you are so vehemently against a request for a few simple security options?



According to the EULA Section 2A paragraph 3, "You may not share your Account with anyone, or allow anyone other than you personally (or your minor child, if you have registered an Account on behalf of your minor child) to access or use your Account. Joint or shared ownership or use of an Account by more than one user is prohibited." Logging in from multiple IPs would indicate a violation of the EULA, no?

The concept of flagging accounts that log in from unrelated IPs several times in succession is one OPTION not "the solution". There are many other security options CCP could investigate if the company really wants to stop isk scammers.

Don't you think it's bullcrap that CCP will write complex code to prevent me from choosing whatever password I want and additional code forcing me to type the name of a character on the account; however, they think it's too much work to write code to enable me the option of preventing others from changing the password or changing my email address without further security information?

Please, stop defending CCP's poor customer service record and lackluster security.
-JM