The WA Manager
25 February 1999
There have been an increasing number of hacks and alleged hacks to customer accounts. We receive reports of accounts being logged in by other than the rightful owner. Therefore it is important that the FSBA position on this issue be reinterated.
There are two sets of issues involved in these alleged hacks. Those involving a breach of the security of your personal computer, and an entirely different set of issues pertaining to a hack into the system in which you operate your computer.
As to a breach of security of your personal computer, which could involve someone stealing your WA password, logging in with or sharing your password with others, or using your WA account for other purposes than you intend. This is a violation of several laws depending upon where you live. FSBA cannot and will not participate in any legal action you might take (or not take) regarding this event. Please be clear that the security breach involves your computer and not the server or system of FSBA. Further, be aware that not only has your WA account been breached but also other files on your computer may be at risk.
According to the Terms of Membership: “You are responsible for maintaining the confidentiality of your password and are solely liable for any harm resulting from disclosing or allowing disclosure of any password or from its resulting use.”
We simply are unable to resolve all of the issues involved in these accounts hacks. Consider this scenario.
We receive an email from a customer telling us that their account has been hacked and someone else has logged in their avatar and:
-used their account;
-stolen their tokens and/or possessions;
-disturbed an event;
-ruined their good name.
I think you can see that we have absolutely no way to verify any of this. Most users of WorldsAway are aware that some of our users try in “highly inventive” ways to scam the system, create rumors, and fake disasters. We are all used to this behavior but such attempts cloud any reasonable way to sort out these reports. The event is over, the connection and all traces of it are gone and we are left with allegations only.
In addition, the Terms of Membership states: “You are entirely liable for all activities conducted in WorldsAway through your Avatar Identity. In cases where you have authorized another individual, including a minor, to use your Avatar Identity you recognize that you are fully responsiblefor the online conduct of such user.”
We have suspended accounts for TOM violations only to receive allegations of hacked accounts. Again we have no way to verify the truth of these events.FSBA does not have an investigative division to police the WA products on a moment to moment basis. We must rely on the Terms of Membership and therefore we must reiterate that everyone must protect the security of their own computers. We try to post prevalent hacks (like the ICQ security issue) on our website, however, we only discover these when customers with already compromised systems report them to us.
To be safe, the simpliest rule is to not download files from sites or individuals you do not know. In addition, when using internet products like ICQ always install the safeguards vailable from these sources to protect your system.
There is more at stake here than simply your WA account, particularly if you bank or do E-commerce from your computer.
As to the second matter: the individual who hacks into the WorldsAway system, server, entry pages, or other code which operates the worlds, or misrepresents themselves in order to gain access to someone else’s account. This is a violation of several laws depending upon where you live. FSBA requires that their affiliates who provide entry into the worlds from their sites must use secure pages to protect members’ information. When this process is compromised, proof is most difficult. However, in at least two cases we have seen undeniable proof of such violations and have suspended these accounts. We will look into all reports of such incidents but please understand that accusations are not proof.
Complaints to FSBA customer service are only for the purpose of informing FSBA of a potential breach of security on your account. Notice to FSBA should not be considered legal recourse if your personal computer system has been compromised.
Finally, when this happens we often receive requests for password changes on the hacked account. There are several issues here. First, we must confirm the request is coming from the actual owner of the account. One way to do this is to verify your email address and in over 50% of such cases the complaint comes from an email address other than the one used to establish the account. If you are making a complaint, please provide all pertinent information on your account and be patient, we must verify that you are in fact the owner of the account. Understand that the cautious position we must take is one that may appear to a customer as suspicious and distrustful of your claims.
One more item. We must at some point reestablish the ability of users to change their password on the account management page. This will mean that if an account is compromised the password can also be changed by the hacker. The final recourse as always is to cancel your compromised account and open a new one. We realize that this involves the lost of valued inworld possessions but as we emphasize: You have been robbed! This is a real world crime and should be treated as such. The security of your computer system has been violated and this has ramifications beyond your WA account.
Please protect your system at all times. Do not accept downloads from avatars and other internet members you do not trust completely. Finally, please fully report all incidents to: (email address removed)