
Prevent Account Hacking

Many hackers make their living by hacking game accounts (needless to say, this makes them very good at what they do and how they do it). They make money by converting everything you own into the game's virtual currency and then selling that currency to companies, who re-sell it to players who would rather pay cash for in-game money than farm it themselves.

Follow these rules and you will significantly reduce, if not completely eliminate, the chances of your account being hacked.

  • NEVER use any information on a website that correlates to your game account information (that includes the email, username or password).
  • Get a virus scanner and use it (Avira, MS SE, Avast, Panda, AVG).
  • Never install any program from a website related to a game you play; this includes calculators, DPS meters, or custom game patches.
  • Never enter account information on a suspicious screen or popup; if you ever question where it came from, it's probably an XSS attack.
  • Use different passwords for everything and change your game passwords regularly (it's not that hard if you develop a habit/method for storing the info for easy access).

If you have never had your game account hacked, consider yourself lucky (or smart). Account hacking is a very real problem that players and game manufacturers deal with on a daily basis. As an internet developer I deal with hackers daily, and I would like to share with you some of the methods black-hat hackers use to get your account information, how you can prevent them from getting it, and some of what we do to prevent hackers from accessing our site.

 


First of all, most people hear the term key logger and assume it is one of the main methods used to get your information; surprisingly, it's not as prominent a problem as you'd think (you'll understand why at the end of this explanation).

A keylogger is simply a program that runs on your computer and records everything you type, along with what you were doing at the time. These loggers either store a file on the computer with the logged information or send it over the internet to someone who monitors it.

There are many keyloggers commercially available (try searching for "keylogger" in Google), as they can be used for more than just stealing account information. Detectives use them to get information on cheating spouses, schools use them to monitor student activity and employers use them to monitor employees, just to name a few uses.

 


The problem with keyloggers is that most A-grade virus detectors and spyware scanners will detect and deactivate them as well as notify the user of their presence, so when detectives and employers use keyloggers they often have to either disable the virus scanner or go into its settings and tell it not to notify about or disable the keylogger. This usually requires someone to physically make these adjustments on the computer (which, if you are the primary user of your computer, probably won't happen).

Because a keylogger is a program, it also has to be installed, which is not easy to do remotely unless you fall for a well-played trick (such as installing a DPS meter or game calculator).

To prevent keyloggers from being installed on your computer, get a good antivirus program running and make sure to keep it up to date. Once you have a good scanner in place, learn how to use it; most of them stay active in memory, scanning all running programs as well as everything you download.

 

Some scanners also give you an option on your right mouse click to scan programs individually, in case you are ever suspicious of something. To do that, go into the folder where files you download from the internet show up (you should always know where your browser puts downloaded files; this is usually a setting which can be easily changed or set), right-click on a newly downloaded program and click the "scan with AVG" or "scan with avast" option. The scanner will then look at the program for known or suspicious code and let you know whether it's clean or not.

Never open or run a program from the internet unless you know for sure what it is. If you must use a tool for your game that needs to be installed on a computer, try installing it on a separate computer, such as a laptop where you won't ever play the game. Just because you weren't hacked immediately in the past when you installed your fancy crafting calculator doesn't mean you won't be in the future; it's possible your account isn't worth cleaning out yet. Typically, once hacked, users get savvy about it, making them hard to hack a second time.

 

It's a safe bet that if any website related to your game wants you to download and install something, it's a keylogger; in fact, you should assume that it is and never download it to your gaming machine.


A lot of hackers are also programmers, so it's not beyond reason to assume that a DPS meter which runs on your computer could contain a keylogger; if it was written recently, some scanners may be slow to catch it. A good rule of thumb is not to install any game-related tools on your computer until they've been around for a while and other savvy programmers have looked at their code and verified that they are safe to use.

 

More often than not, this is not the primary method hackers use to get your game account information; loggers are too easy to detect and block to be worth the time and effort of making a kick-ass tool and embedding a logger in it. There are much easier methods of getting your account information than using a keylogger.

 

RIFT social utilizes a Web Application Firewall (WAF) which exceeds OWASP standards. Our firewall knows whether a visitor has an A-grade virus scanner installed, whether it's updated and when it last scanned the computer. This allows us to assign a threat level to every single person who visits our site; those who pose a higher threat are challenged and monitored by our firewall for suspicious activity. If you ever get a captcha screen from our site stating your computer is unsafe, it's likely your computer has been compromised.

 

You may have heard the term phishing before; this is when someone tries to trick you into giving them sensitive information. If you follow the 5 basic rules above, you will limit the impact phishing has on you. The best offense is a good defense: good internet habits will help keep you safe, so use different passwords, store them safely where only you can access them and change the "highly prized" passwords often.

A highly prized password is one whose loss would cause you the most harm: email passwords and account passwords. Personally, I never use any related passwords or emails when signing up at websites. If I don't care to get information such as newsletters or notifications from a website, I'll use a mailinator.com email, and if I do need notifications, like you'd expect from riftsocial.com when someone sends you a group invite or private message, then I use a junk email from gmail which simply forwards all mail to my actual email. This gives me a buffer and means I never have to give out my actual email to anyone.

Iframe hacking is a term not often heard, but it poses a very real threat to people who do not run any type of antivirus software. An iframe attack is a form of XSS hacking where malicious code is executed in your browser, which may compromise your computer's security. The iframe hacking threat often originates with website administrators who use weak and common passwords on their servers; hackers will farm the information needed to access a website's server in order to plug that information into a network of bots which routinely install iframes that compromise the security of the visitor's computer.

 

Website administrators can easily prevent this with strong passwords which change often, and visitors can defend against it by having a virus scanner installed, as most A-grade scanners will detect iframe attacks. I think it's also important to note that websites using iframes to wrap other websites into their own pose a threat as well. With so many web-based fansite tools, this happens quite often. In fact, here at RIFTsocial we have wrapped the forum watcher tool into one of our pages; along with that, we've posted a warning at the top of the page with advice on the security and suspicious behavior to be aware of when using the tool.


Another way (probably the most common way) black hat hackers will try to get your account information is by hacking the database of a website (usually guild, community or fan sites). Too often, amateur web developers throw up a site for their guilds without doing the groundwork needed to secure the information it will gather.

Hacking a website is not as hard as you'd think; a little research will tell you everything you need to know in order to take advantage of a security flaw. Many of the easy-to-set-up website frameworks have security teams which publish the vulnerabilities of old versions when they fix them, so all a hacker has to do is identify your website framework, look up its vulnerabilities and retrace the steps needed to compromise it. It can be as simple as adding " or '1'='1 " to the username field at login.

Hacking fansites usually affects people who use the same usernames and passwords for everything (which is a lot of people). I worked for an alarm company a while back and was surprised to learn that more than 50% of its customers used the alarm code 1234 to arm and disarm their systems.

The information from a database is only a real problem if the website does not encrypt what it stores. If a website encrypts your password, then even if its database is compromised the information is virtually useless. A good lesson is to never use the same email or password that is associated with your game account; simply having your email gives a hacker 50% of what they need to hack your account. If you don't have an extra email account (and don't want to sign up for a free gmail or ymail account), try using the mailinator.com email service; it's very handy for signing up at sites where your information could be hacked.

 

RIFT social encrypts your passwords with a very difficult-to-crack algorithm; it would take days (with an ultra high-end computer) to crack each password, which would not be worth any black hat hacker's time when there are other websites which store passwords in plain text.
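The protection the two paragraphs above describe is salted password hashing with a deliberately slow algorithm (the page calls it encryption). The block below is an added example, not RIFTsocial's own code: it assumes PBKDF2-HMAC-SHA256 with an iteration count chosen here, stores one self-describing record per user, and shows that two users with the same password get different records, so a leaked table cannot be read off row by row.

```python
import hashlib
import hmac
import os

# Work factor chosen for this example (an assumption, not RIFTsocial's setting);
# raise it until one hash takes a noticeable fraction of a second on your server.
ITERATIONS = 200_000


def hash_password(password, salt=None):
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.
    A fresh 16-byte random salt is drawn unless one is supplied (for tests)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, record):
    """Recompute the digest with the stored salt and iteration count, then compare
    in constant time so response timing does not leak how many bytes matched."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:          # malformed or plain-text record: never accept it
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def demo():
    """Constructed users who both chose the same weak password."""
    table = {"alice": hash_password("1234"), "bob": hash_password("1234")}
    return {
        "rows_differ": table["alice"] != table["bob"],   # per-user salts
        "login_ok": verify_password("1234", table["alice"]),
        "login_bad": verify_password("12345", table["alice"]),
        "plain_record_rejected": verify_password("1234", "plain$1234"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```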

 

Getting to a website's database is not the only method of getting information from you. If the connection between you and a website is not encrypted, someone can intercept form information which could contain non-encrypted passwords, or they can fake a page which resembles the site, asking you to verify your account information.

 

RIFT social can encrypt all pages between you and us with an SSL 3.0 256-bit encrypted connection, preventing any third party from accessing your information while en route from our servers to you; check out our SSL for yourself. Be sure to pay attention to the little lock above our Live Search in the top right corner; this lock indicates whether your connection is secured or not.

 

One of the methods used to hack a website is called SQL injection (mentioned above when referring to the simple code you could enter into a username input box). Our firewall detects SQL injection, as does other software on our site. Our code has also been tested and is actively reviewed for potential SQL injection vulnerabilities; everything which goes into our database is verified in several ways to make sure it's not going to backfire and leak anything.
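To show what the string quoted earlier does to a login query, and the parameterized form that the input verification described in the paragraph above depends on, here is an added example (not RIFTsocial's code) using Python's sqlite3 module and a constructed in-memory user table. For that exact string to defeat the check it is submitted in both login fields; the placeholder version binds it as data and simply finds no such user.

```python
import sqlite3


def make_db():
    """Constructed sample table. The password is kept in plain text here only so
    the effect of the injected query is visible; real sites store a hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return conn


def login_concat(conn, username, password):
    """Vulnerable form: user input is pasted straight into the SQL text."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_param(conn, username, password):
    """Hardened form: '?' placeholders make the driver bind input as data,
    so quotes inside the input never change the shape of the query."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


# The string the article quotes. Submitted in both fields it turns the WHERE
# clause into "... OR '1'='1'", which is true for every row.
PAYLOAD = "' or '1'='1"


def demo():
    conn = make_db()
    return {
        "concat_with_payload": login_concat(conn, PAYLOAD, PAYLOAD),  # 'alice'
        "param_with_payload": login_param(conn, PAYLOAD, PAYLOAD),    # None
        "param_legit": login_param(conn, "alice", "correct-horse"),   # 'alice'
        "param_wrong": login_param(conn, "alice", "wrong"),           # None
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%s: %r" % (name, result))
```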

Another (and probably the most common) method of stealing information is XSS, Cross Site Scripting. This is when someone injects client-side code (like JavaScript, a programming language which is processed and run in your browser) which will ask for account information. RIFT social's firewall scans for and prevents XSS. Also, the framework which powers RIFT social is tested by massive groups of very smart people looking for ways someone could inject code, and it fixes them. Most of our software is custom, but the parts which are based on other frameworks are updated regularly.

I'm sure there are other methods used by hackers to get your information, but these are really the main ones. We've done a lot of work to prevent hackers from getting information from our site, but no one can ever really guarantee a site is 100% hacker safe, as a new vulnerability could be found at any time; we have done more than a lot of other websites do in order to protect your information. If you follow the 5 steps we listed above, you will remove your account from the queue of hackers waiting to clean it out and sell it for their profit.

Hopefully you now understand a little more about how to keep your information safer than others who just don't know. If you find this information useful, please tweet it and share it with others who may not know.


Free Antivirus Recommendation List:

Avira AntiVir Personal Edition

Top pick for best free antivirus program, outstanding detection of malware
License: Private Freeware (not free for commercial use)
Size: ~56mb
OS: Windows 2000 - Windows 7 - Hybrid 32/64 Bit version available

Microsoft Security Essentials

Very low rate of false positives, easy to use
Detection rates slightly lower than AntiVir, slow scanning
License: Unrestricted Freeware
Size: ~9mb
OS: Windows XP - Windows 7

Avast! Free Antivirus

Full real-time capabilities, low rate of false positives, boot-time scanning
Detection rates slightly lower than AntiVir
License: Private Freeware (not free for commercial use)
Size: ~56mb
OS: Windows 2000 - Windows 7 - Hybrid 32/64 Bit version available

Panda Cloud Antivirus

High detection rate of malware, web protection, some behavioural blocker features
Detection rates of real-world malware are slightly lower
License: Private Freeware (not free for commercial use)
Size: ~32mb
OS: Windows XP - Windows 7

AVG Anti-Virus Free

Behavioural blocker
Slightly lower signature detection rates
License: Private Freeware (not free for commercial use)
Size: ~142mb
OS: Windows 2000 - Windows 7 - 32/64 Bit version available