Account Security

How to Not Get Hacked
OtherBill, Ph.D.
12 Feb 2016

Abstract

In this thread, the author explains how to prevent unauthorized access to your RotMG game account, and what steps you can take to further protect your account.

Introduction

To access your RotMG game account, a third party needs two pieces of information:

  1. The email address associated with your game account, and
  2. Your game account’s password.

Given those, a third party can merrily log right in to your account and wreak all sorts of havoc: delete (or even kill) your characters, release your pets, steal your items, drop your UTs, etc. If you’re an officer/leader/etc. in your guild, they can remove everyone from the guild, vandalize the message board in the Guild Hall, and so on. Support can repair some of these, but Support cannot help for most of this. As a result, it is important to remember that account security is your own responsibility, and any steps you can take now to prevent unauthorized access might save your account later.

Do keep in mind that the following precautions protect from threats of varying degrees. If you want to forgo a precaution, you should think about what doors can open (however small they might be) if you do. You will need to fairly and honestly assess that risk and decide if the benefits outweigh the risk.

Step Zero: Protect Your Computer

There are a number of basic computer security measures that everyone should always do, even if you don’t play RotMG. The risks here are in fact the highest, as there’s probably a ton of stuff on your computers that’s a lot more valuable than access to your RotMG account–stuff with real monetary value (web banking, etc.) or stuff that could be milked for identity theft purposes (school/work, social media, etc.).

So, here’s a list of stuff that we should all be doing anyway:

  • Keep your virus definitions up to date. Don’t have an antivirus package? There are a number of free antivirus/antispyware/etc. packages out there–both Avast! and AVG are good, and there are others as well. Remember to scan often.

  • Keep your firewall up. Most of these free security packages come with a matching firewall to protect against unwanted scans and intrusions by third parties.

  • Watch for suspicious downloads. If you need to download something, verify that you’re getting it from an official site, and not from whatever site the popup ad directed you to.

  • Don’t get phished. Did you receive a suspicious email? Verify all links before following them. Better yet, don’t follow them at all, and look up official sites through your bookmarks or your favorite search engine. (Did you trust those URLs I listed in the first bullet? Gotcha!)

  • Don’t share files. If someone on Skype or IRC says they can’t get some feature to work and wants you to send them a file, think long and hard about what they’re asking for, what it does, and what they can do with it.

Follow these steps, and you might save more than just your RotMG account.

Step One: Protect Your Email Account

If nobody else knows the email address associated with your game account, then nobody else can find your game account. In general, it really is that simple. It’d be like trying to dig for buried treasure without a map–if they don’t know where to dig, they’ll never find anything.

If you’ve already broken some of the guidelines below, or would simply like to secure your account further, feel free to create a new email account and file a Support Ticket to change your account’s email address to this new account. Be ready to provide proof of ownership.

  • Create a new email address that is only used for your RotMG game account. If someone can just look on your forum profile or Skype profile and find an email address, you can bet that’s the first email address they’ll use when they try to access your account. Don’t use the same email address you use on social media, or on Skype, or on the forums.

  • ESPECIALLY don’t use the same email address you use for your school, your banking, or anything more important.

  • Don’t share your RotMG game account email address with anybody. Again, if nobody knows what email address to try, they won’t know where to begin looking. Protect it like a second password.

  • If you post screenshots or videos, be sure to edit out your email address. When you post a big juicy brag video of a vault full of UTs, you’re making yourself an attractive target. ESPECIALLY don’t post your game account’s email address in the reddit, any forums, of the wiki.

  • Don’t use temporary/disposable webmail services. If you registered your game account with a mailinator email address, anybody who knows what email address to use can use RotMG’s “forgot password?” utility, send a password reset email back to that account, and check it–there’s no verification! Other “disposable” email services are only marginally better, but you’re completely out of luck if Support needs to send something to that email address (since it no longer exists, after all).

  • Secure your email account. If someone knows what email address to use, the logical next step is not to brute-force your password. The logical next step is to attempt to get access to your email account, then use the “forgot password?” utility and use the incoming email to reset your password (this attack method is getting more and more common, presumably due to the use of the same password on multiple sites). A few important steps here:

    • Use a hard-to-guess password. “123456” is not a password, it’s a luggage combination. Norton has a very good free online password generator –12 characters is good, 16 characters is better. (Alternately, you could go the “correct horse battery staple” route, if you can type well.) ESPECIALLY don’t use the same password on every site everywhere–that’s a recipe for disaster.

    • If you write your password down, don’t store it anywhere anyone can find it. The use of some sort of password manager would be the best approach here, as they further encrypt your passwords so nobody else can see them. Lastpass (cloud-based) and KeePass (stored locally) are both highly recommended.

    • Don’t leave yourself logged in to your email account on shared computers. If you do, anyone who can access your computer can reset your game account password, since they’ll be able to read the password reset email.

    • Use two-factor authentication. If a third party knows what email address to use but can’t guess either password, their next step is to try to reset the email account’s password–whenever you see a post where someone has lost access to their email account, this is generally what happened. In this social-media era, it’s easy to look up the answers to most common security questions. (Mother’s maiden name? Simple. Birthplace? Puh-leez.) Two-factor authentication will associate a second access method (another email address, text/SMS, etc.) with your email account, and a third party won’t be able to reset your email address blindly.

    All in all, there are a lot of good email security tips here

Step Two: Protect Your Game Account

There are a few ways that a third party can get access to your account in one fell swoop:

  • Don’t use hacked clients. I would suspect that the vast majority of these “hacking” cases are caused by usage of third-party clients. Think about it–if someone is smart enough to add extra functionality to the game client, then they’re smart enough to add code to snoop your email address and password and send those back to them. On top of that, the third-party clients often come with keyloggers or other threats. Always use the official game clients at realmofthemadgod.com or the Steam or Kong clients.

  • If you use the Flash Player, don’t use AGC redirects. By using an AGC redirect, you are putting your faith in the redirect’s author that they’ll direct you to an official client, and not some third-party client that could steal your account data (yes, this has been done). These are not officially hosted or vetted, so it’s a risk. Building the URL to the AGCLoader by hand isn’t that hard–check the version.txt file, copy the number, paste it in to the AssembleeGameClient.swf URL, done. If you must use an AGC redirector, only use redirectors that allow you to inspect the code…then actually inspect the code. Don’t assume that anybody else is going to do that last step for you.

  • Never type your email address and password into any window other than the official game client. Keyloggers do exist. The fewer opportunities you allow for them to succeed, the better.

  • Don’t share accounts. Remember when some players let other people use their accounts to farm fame for them? Remember when all those people got “hacked” a week later? They weren’t hacked, they left their front door wide open and invited the thieves in.

  • If you play on a shared computer, be sure to log off after every play session. If you leave yourself logged in, anyone who uses the computer can access your account without having to log in. This is particularly important if your annoying li’l brother plays, or shows off your account to his snot-nosed friend.

  • If you play on a shared computer, don’t use Muledump. (Caveat: Muledump is a third-party app that is not endorsed, so understand that any risks you take here are yours and yours alone.) The Muledump accounts.js file is little more than an unencrypted list of email addresses and passwords. Simply by searching your hard drive for files named “accounts.js”, anyone who can access your computer can access your game account.

  • Don’t get phished, again. A bot in the nexus is advertising some cool new website? It asks for your account information? WERE YOU BORN YESTERDAY?!?

  • Think long and hard before playing on Kongregate. Kongregate’s account security measures are considerably more lax. In addition, Kongregate’s customer support is considerably worse –their typical response is “Hacked? Your own fault, deal with it.” Kong account linkages are inherently insecure, and numerous players were hacked through these linkages. If your account is on realmofthemadgod.com but linked to your Kongregate account, file a Support Ticket and ask them to remove the linkage . If your account is on kongregate.com, file a Support Ticket, provide an email address, and ask them to migrate your account to the realmofthemadgod.com player database (I am not sure they can do this, but I think they can).

  • Don’t buy gold from third-party vendors. Yes, this actually exists. Yes, it’s a huge ToS violation. Yes, it also leaves your account open to third-party access, and the sellers generally use stolen credit card numbers for the actual purchases (that’s how they offer such ridiculous discounts, after all)…meaning that your account could be hacked almost immediately, then will be BANNED when those charges get disputed.

Step Three: Protect Your Password

Even if someone finds out the email address associated with your game account…and they’ve found that they can’t crack your email password or reset your password to steal your account…then they still have options. Most of the rules for protecting your email account password (above) continue to apply here.

  • Don’t reuse passwords. Other sites/forums get hacked as well. Some other sites/forums are run by disreputable people to begin with. If your game account email address and password are available there because you reuse them, then you’re effectively giving those people access to your game account.

  • Use a hard-to-guess password. Just like your email password (above), “oryxslayer” is not a secure password. Passwords can be brute-forced. Again, Norton’s online password generator (above) is a great tool here as well.

  • If you write your password down, don’t store it anywhere anyone can find it. Again, the use of a password manager (above) is recommended.

  • Think long and hard before using Muledump. I’ll admit, Muledump is an awesome account management tool…but again, Muledump’s accounts.js file is just an unencrypted list of email addresses and passwords. Don’t use Muledump on a shared computer, and restrict access to your Muledump folder if you must use it on a networked computer.