Sunday, October 13, 2013

Final Fantasy XIV ARR Account Hacked

Just over a month ago I went out and purchased Final Fantasy XIV - A Realm Reborn. I encountered some very concerning security issues and poor customer service along the way and recommend you think twice before playing this game.  

Let me fill you in on my unfortunate journey with Final Fantasy and their creators, Square Enix.

To start with, there were major issues with servers overloaded for the first week after game launch, resulting in the inability to log into the game. Square Enix obviously had very poor capacity planning and in hindsight, the warning bells should have been ringing for me at this stage.

In any case, after about a week the server overload problem subsided.  I proceeded to play the game for almost two weeks and the stopped playing since it was not the game for me.

About 1 week later, I received a curious, automated email from them:
We are writing to inform you that we have suspended the FINAL FANTASY XIV service account registered to this e-mail because on 9/24/2013 you breached the FINAL FANTASY XIV User Agreement.  
They went on to say that that I had violated two clauses of their agreement - 1. that I was not truthful with my registration information and 2. that I had participated in real money trading, farming or power-leveling.

Being the security guy and strongly expecting this to be a bogus phishing email, I decided not to click on any links in this email.  I went to my game login and tried to login.  To my surprise, my account had indeed been disabled.

So how did I breach their user agreement? I did not play on 9/24/2013 (or any day either side of this), nor was I in anyway dishonest with my registration info.

I could only conclude that my account had been compromised.

To have had my account compromised, the attacker would have had to either got hold of my login and then done a dictionary attack on the password or they would have needed to compromise the Square Enix user database.  You might be surprised to know that MMO's allow multiple password attempts so that you can't purposely deny another player access by locking out their account with failed password attempts. Consequently, a dictionary attack on the password is quite feasible.

If someone had compromised the Square Enix user database then it is very difficult to confirm this unless the company discloses it.

If their systems have a problem then it is likely that more people would have been affected. A google search for "Final Fantasy XIV ARR account suspension" came up with a lot hits.  One great example quotes "it looks like there have been waves of people getting hacked since launch":

http://www.codeweavers.com/compatibility/browse/name/?app_id=7892;forum=1;msg=152733

So it appeared that I was not the only one suffering here.

I then discovered a recent news post from Square Enix warning users that they are seeing accounts compromised:
Currently, we have confirmed that a third party is using account names and passwords, thought to be obtained from security breaches of other companys' online services, in attempts to gain unauthorized access to Square Enix accounts.
If you are using the same account name or password as your Square Enix account on other online services, there is a much greater chance that a security breach at any of the other online services could potentially lead to your Square Enix account being compromised. source
I decided to try and follow the instructions in my breach notification email in the hope that their tech support team may see the error in their ways and provide great customer service and sort this out painlessly for me. How wrong I was.

I started by resetting my Square Enix account password - this was a fairly seamless process.  I then raised a support case.  I received any automated reply to my support case.

Seven days later, I finally received a response from a support person offering to open an investigation for me if I were to send them my date of birth, my email address and a copy of my passport or driver's license. I asked them to re-instate my account without me having to send private information to them just so they can investigate.  I was not comfortable sending my passport info to a company that clearly had issues with their security systems.

I get a reply another four days later saying they cannot help unless I identify myself. Meanwhile my one month of included subscription time has just expired and I was definitely not prepared to invest any more time and money with this organization.  While I understand their need to identify legitimate users, they clearly need to get their support and security systems sorted first.

For the record, my biggest issue here is with the slowness of their customer service team.  My second biggest issue is the fact that I paid money, had my account compromised and then had to wait long periods of time to get any help at all.  MMO accounts get compromised, especially those without a security token - but all I wanted to do was play the game for my first month to decide if I would continue with it - at which point I would have certainly attached a token to it.

I highly recommend you re-consider participating in any online products from Square Enix until they can prove that they have the skills to run a MMO.  Their lack of capacity planning, poor customer service and apparent security issues are the reasons I won't be going back to them in a hurry.  If you must play their games, be sure to add a security token to your account!

PS - Square Enix have been invited to comment