CCP’s Team Security posted a devblog yesterday, providing key insight into the challenges CCP faces, and the continued work against botting. The blog post focused primarily on two things: botting, and player account security.
On the topic of botting, CCP continues to work on enforcing the prohibition on botting and player account automation. In January, over 1800 player accounts were banned for botting, mostly mining or ratting. This kind of botting is largely frowned upon by both developers and players alike, and so the numbers are encouraging. Nevertheless, alpha accounts continue to be made for the purpose of botting every day.
To help with enforcement, players have been encouraged to report botters directly to CCP using the “report bot” selection from the action menu. This generates a report that automatically informs CCP of a suspected bot. Abuse of the report feature may result in action against one’s own account, however, so players should be careful about who they report. This is especially true as CCP does not detail (for obvious reasons) how a report is investigated prior to taking action against the account. While botting and automation are something we should frown on, it would be unfortunate for long-time, actual players to be banned because of an errant report.
The policy regarding those bans has also been updated, with players suspected of using macros or a modified client facing a three-day ban on the first offense, followed by a permanent ban. Previously, players faced a 30-day ban on the first report of botting. This has been changed to “streamline the process,” indicating some of the difficulties that may come from long bans resulting from false reports, and the appeals process for players wrongly accused.
Finally, CCP spent a significant amount of time stressing the importance of basic account security. Team Security writes that the majority of real-money transactions actually occur using legitimate accounts which have been compromised. Most of these account compromises come from compromised email addresses associated with the account. Once an email address associated with an account is compromised, it is trivial for the thieves to sell items on the account as quickly as possible. Team Security emphasizes that players should have different usernames and passwords for their email addresses and game accounts, should never share those passwords, and should use strong passwords on their primary email accounts.
CCP also suggested that players should use websites like Have I Been Pwned? to check if their account details may have been compromised by third parties. In addition, primary email accounts associated with the game should use two-factor authentication when possible, and strong passwords which are not reused elsewhere.
It can be frightening to know that stolen accounts comprise the majority of this illicit market, but by revealing the methods used and the vectors of attack, CCP has made it easier for you to keep your account secure.
The blog post provides reassurance that CCP continues to work on ensuring safe and exciting gameplay for capsuleers. Botters cause problems for all players not only by having an unfair advantage in personal productivity but also by causing economic disturbances, harming the value of in-game assets that actual players expend effort to produce. CCP’s continued focus on preventing these problems is admirable, though it is hoped that in the future new methods can be found that don’t rely on players making decisions or passing judgments on the play-behaviors of others. When well-meaning players cause other well-meaning players to get banned, nobody wins.
“Team Security emphasizes that players should have different usernames and passwords for their email addresses and game accounts”
February 13, 2018 at 4:56 PM
This. A thousand times this.
With even Gmail offering strong 2FA (TOTP) as well as CCP offering 2FA (TOTP) there is really no intelligent reason to get compromised. It’s trivial to use and back up and provides tons more security than just a password (it is not perfect security so some care must be taken irrespective of 2FA).
February 15, 2018 at 11:09 AM