Incident: 140410-022225 - is response legit?

Mal_Nourished
After logging a bug report for missing head-slot items, I've received a canned support response asking me for enough personal information to hack my account and/or steal my identity.

The support response is asking for:

- First and Last Name associated with the account:
- E-mail address associated with the account:
- Mailing address:
- Date of Birth:
- User ID:
- Secret Question and Answer:
- Last 4 digits of the method of payment used:
It was generated by (or spoofed from) ESO_Help@helpmail.elderscrollsonline.com.

Please tell me that this is not a legit request from a Zenimax employee.

Why do you need this information?

Please provide me a better medium to provide this information than an email address presumably accessed by many staff so that I can have some confidence that the information within won't be intercepted.

Lastly why is this not dealt with in game where there should be no requirement for this information?

Given you should be able to pull my personal email from the incident or my credentials on the forums, I'm happy for this conversation to occur offline - just don't ask me for excessive or unnecessary personal information.

Thanks
  • Squishy
    If you reply, without sending the reply, what's the mail address in the TO field? That should tell you if it is legit or not, but I seriously doubt anyone from Zeni/Beth will ask you those :)
    "In 2014, a possible bot was sent to Coldharbour by a military GM for a crime she didn't commit. This Argonian promptly escaped from a maximum security stockade to the Ebonheart underground. Today, still wanted by the developers, she survives as a soldier of fortune. If you have a bot problem, if no one else can bite you, and if you can find her... maybe you can hire The SQUISHY."
  • uglibuggaeb17_ESO
    That email address looks dodgy as hell imo. Screams out scam so loudly.

    Especially with the amount of detailed information requested.
    Edited by uglibuggaeb17_ESO on April 15, 2014 5:57AM
  • ZOS_MichelleA
    Hello, @Mal_Nourished. We will be pinging you privately about this ticket.

    Everyone, rest assured that ESO_Help@helpmail.elderscrollsonline.com is the legitimate email address from which our ticket responses are sent.
    The Elder Scrolls Online: Tamriel Unlimited - ZeniMax Online Studios
    Facebook | Twitter | Google+ | Tumblr | Pinterest | YouTube | ESO Knowledge Base
    Staff Post
  • Mal_Nourished
    Hey Michelle. Thanks for the quick response.
  • Nigredo
    best of luck bud
    Account - Canceled
    Reason: Access code email never shows up, customer service seems to think restarting my computer is going to fix it, general ignorance, lack of proper customer service. Writing the $80 off on my tax return as charity, since I should have just handed my money to a street walker; at least she would have finished me off.
  • chipz88b14_ESO
    As an experienced web dev, I would like to go on record saying: Zenimax, sign your emails! I mean cryptographically, with DKIM. This is the best way to authenticate email. Any joker can spoof a From header (and any email provider worth its salt would send that mail to spam if the SPF record didn't match up), but a good DKIM signature is all but foolproof.
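    The point above is what a receiving mail server actually checks: it verifies the DKIM signature and the SPF record itself and records the verdict in an Authentication-Results header (RFC 8601). The script below is an added example, not code from the post or from ZeniMax: it reads that header from a received message, accepts only verdicts stamped by the reader's own mail server (an attacker can insert a fake Authentication-Results header before the mail arrives), and checks that a passing DKIM or SPF result covers the same organisational domain as the visible From address. The three messages are constructed for the example, the receiving server name mx.example.net and the DKIM selector are assumptions, and the organisational-domain helper is a simplification that ignores the public suffix list.

```python
"""Added example: decide whether a received mail's From domain is backed by
a DKIM or SPF pass stamped by OUR mail server (assumed authserv-id:
mx.example.net).  All messages below are constructed for the example."""
import re
from email import message_from_string
from email.utils import parseaddr

LEGIT_MESSAGE = """\
From: ESO Support <ESO_Help@helpmail.elderscrollsonline.com>
To: player@example.org
Subject: Re: Incident 140410-022225
Authentication-Results: mx.example.net;
 dkim=pass header.d=helpmail.elderscrollsonline.com header.s=sel2014;
 spf=pass smtp.mailfrom=bounces@helpmail.elderscrollsonline.com

Constructed ticket response body.
"""

# Same visible From address, but our MX found no signature and SPF failed.
SPOOFED_MESSAGE = """\
From: ESO Support <ESO_Help@helpmail.elderscrollsonline.com>
To: player@example.org
Subject: Account verification required
Authentication-Results: mx.example.net;
 dkim=none (message not signed);
 spf=fail smtp.mailfrom=noreply@mail-relay.example

Constructed body asking for account details.
"""

# A pre-inserted Authentication-Results header naming some other server must
# be ignored; only the verdict our own MX added (the second header) counts.
FORGED_HEADER_MESSAGE = """\
From: ESO Support <ESO_Help@helpmail.elderscrollsonline.com>
To: player@example.org
Subject: Account verification required
Authentication-Results: mx.other.example; dkim=pass header.d=helpmail.elderscrollsonline.com
Authentication-Results: mx.example.net; dkim=none; spf=softfail smtp.mailfrom=noreply@mail-relay.example

Constructed body.
"""


def parse_auth_results(header_value):
    """Split 'authserv-id; method=result key=val ...' into (authserv, [(method, result, props)])."""
    clauses = [c.strip() for c in header_value.split(";")]
    authserv = clauses[0].split()[0]          # drop an optional version number
    results = []
    for clause in clauses[1:]:
        clause = re.sub(r"\([^)]*\)", "", clause).strip()   # remove RFC 5322 comments
        if not clause:
            continue
        tokens = clause.split()
        method, _, result = tokens[0].partition("=")
        props = dict(tok.partition("=")[::2] for tok in tokens[1:])
        results.append((method.lower(), result.lower(), props))
    return authserv, results


def org_domain(domain):
    """Simplified organisational domain: last two labels (real code uses the public suffix list)."""
    return ".".join(domain.lower().strip().split(".")[-2:])


def assess(raw_message, trusted_authserv):
    """Return which aligned checks passed according to the trusted server's stamp."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg["From"] or "")[1].rpartition("@")[2].lower()
    verdict = {"from_domain": from_domain, "dkim_aligned_pass": False, "spf_aligned_pass": False}
    for header in msg.get_all("Authentication-Results", []):
        authserv, results = parse_auth_results(header)
        if authserv != trusted_authserv:
            continue                          # not our server's verdict: untrusted
        for method, result, props in results:
            if method == "dkim" and result == "pass":
                if org_domain(props.get("header.d", "")) == org_domain(from_domain):
                    verdict["dkim_aligned_pass"] = True
            elif method == "spf" and result == "pass":
                mail_from_domain = props.get("smtp.mailfrom", "").rpartition("@")[2]
                if org_domain(mail_from_domain) == org_domain(from_domain):
                    verdict["spf_aligned_pass"] = True
    verdict["authenticated"] = verdict["dkim_aligned_pass"] or verdict["spf_aligned_pass"]
    return verdict


if __name__ == "__main__":
    for name, raw in [("legit", LEGIT_MESSAGE), ("spoofed", SPOOFED_MESSAGE), ("forged header", FORGED_HEADER_MESSAGE)]:
        print(name, assess(raw, "mx.example.net"))
```

    Squishy's suggestion of looking at the reply-to address only shows where a reply would go; the Authentication-Results stamp from your own provider is the evidence that the claimed sending domain actually signed the mail.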
  • niocwy
    Hey wait, I didn't know they asked for this kind of information? So allow me to ask you something too, @ZOS_Michelle: why do you need all this info? Secret question AND answer? Last 4 digits of the credit card?

    I hope it's a joke right now because, you know, I, and of course the majority of us, would expect this information NOT to be disclosed to anyone.


    Edited by niocwy on April 15, 2014 6:18AM
    Look at my profile picture. Visualize that muffin...smelling it...taking a bite...
    Are you hungry now ?
    Good.
  • chipz88b14_ESO
    niocwy wrote: »
    Hey wait, I didn't know they asked for this kind of information? So allow me to ask you something too, @ZOS_Michelle: why do you need all this info? Secret question AND answer? Last 4 digits of the credit card?

    I hope it's a joke right now because, you know, I, and of course the majority of us, would expect this information NOT to be disclosed to anyone.

    This is also a very reasonable response, and would be mine if I didn't know Zenimax was legitimately asking for it. There is simply no good reason to be asking for it. That secret question/answer could be the same as one on someone's bank account. Asking for this at all (especially via email, a protocol that was never designed to be, nor ever will be, secure) is really bad form and shows a problem with what appears to be standard procedure.

    I don't mean to be a hard-ass, but I work with clients in the financial industry and I wouldn't be caught dead asking for this kind of information. Maybe the last four of an account number if absolutely necessary (and even then only over a secure medium), but NEVER a secret question/answer.
  • Valethar
    ZOS_MichelleA wrote: »
    Hello, @Mal_Nourished. We will be pinging you privately about this ticket.

    Everyone, rest assured that ESO_Help@helpmail.elderscrollsonline.com is the legitimate email address from which our ticket responses are sent.

    Someone should probably revamp your help system. There's no legitimate reason to ask for both the secret question and the answer in an email.

    In fact, you're requiring far more information than is needed in an email reply.

    - First and Last Name associated with the account: - Acceptable
    - E-mail address associated with the account: - Acceptable
    - Mailing address: - Not acceptable
    - Date of Birth: - Not acceptable
    - User ID: - Acceptable
    - Secret Question and Answer: - Not acceptable
    - Last 4 digits of the method of payment used: - Not acceptable

    The whole point of a secret question and answer is so that the CSR can verify identity with a challenge/response system. The CSR asks the question, the customer provides the correct response, which is then screened by the CSR to verify that what the customer provided matches what is on the CSR's screen. In no case is it acceptable to require the customer to provide both items, especially in an email.

    Mailing address, date of birth and payment information are also not something you should require via email. All of this information is generally not encrypted or otherwise secure and is easily intercepted via malware or other means. Once obtained in this fashion, it can be used for more than just hacking a game account. If you require verification of this information, it's something you should be handling via a phone conversation or other secure means, not via email.
    Resistance is not futile! Say no to the Greed Collective™. Boycott Crown Crates.
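    The challenge/response flow Valethar describes, written out as an added example (not code from the post or from ZeniMax's support system): the support side keeps the question in clear and the answer only as a salted hash, sends the customer nothing but the question, and compares the reply in constant time. The answer never has to be stored or emailed in the clear, which is exactly what asking for "question and answer" in a ticket reply throws away. The PBKDF2 iteration count, the three-attempt lockout and the sample question are assumptions for the example.

```python
"""Added example: a support-side secret-question verifier that holds the
answer only as a salted PBKDF2 hash and never sends the answer anywhere.
Iteration count, lockout threshold and sample data are assumptions."""
import hashlib
import hmac
import os

ITERATIONS = 200_000      # PBKDF2-HMAC-SHA256 work factor (assumed policy)
MAX_ATTEMPTS = 3          # after this many wrong replies, escalate off-channel (assumed policy)


def normalize(answer):
    """Tolerate case and stray whitespace so ' Ebonheart ' matches 'ebonheart'."""
    return " ".join(answer.strip().lower().split())


def _digest(answer, salt):
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"), salt, ITERATIONS)


def enroll(question, answer):
    """What the support system stores at signup: the question, a per-record salt,
    and the hash of the normalized answer.  The plaintext answer is not kept."""
    salt = os.urandom(16)
    return {"question": question, "salt": salt, "digest": _digest(answer, salt), "failures": 0}


def challenge(record):
    """What the CSR sends to the customer: the question only."""
    return record["question"]


def verify(record, response):
    """What the CSR system does with the customer's reply.  Returns True only if the
    reply matches the stored hash and the record is not locked out."""
    if record["failures"] >= MAX_ATTEMPTS:
        return False                                  # locked: verify by another channel
    ok = hmac.compare_digest(_digest(response, record["salt"]), record["digest"])
    if not ok:
        record["failures"] += 1
    return ok


def support_exchange(record, customer_reply):
    """The exchange as a list of (party, text) lines: CSR asks, customer answers,
    the system checks.  Note that the answer itself is never in a CSR message."""
    return [
        ("CSR", challenge(record)),
        ("Customer", customer_reply),
        ("System", "verified" if verify(record, customer_reply) else "not verified"),
    ]


if __name__ == "__main__":
    rec = enroll("Which city did your first character start in?", "Ebonheart")   # constructed
    for party, text in support_exchange(rec, " ebonheart "):
        print(f"{party}: {text}")
```

    The lockout exists because an answer to a question like this is low-entropy compared with a password; a verifier that lets a caller guess indefinitely is only marginally better than one that emails the answer out.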
  • thegamekittenub17_ESO
    Valethar wrote: »
    ZOS_MichelleA wrote: »
    Hello, @Mal_Nourished. We will be pinging you privately about this ticket.

    Everyone, rest assured that ESO_Help@helpmail.elderscrollsonline.com is the legitimate email address from which our ticket responses are sent.

    Someone should probably revamp your help system. There's no legitimate reason to ask for both the secret question and the answer in an email.

    In fact, you're requiring far more information than is needed in an email reply.

    - First and Last Name associated with the account: - Acceptable
    - E-mail address associated with the account: - Acceptable
    - Mailing address: - Not acceptable
    - Date of Birth: - Not acceptable
    - User ID: - Acceptable
    - Secret Question and Answer: - Not acceptable
    - Last 4 digits of the method of payment used: - Not acceptable

    The whole point of a secret question and answer is so that the CSR can verify identity with a challenge/response system. The CSR asks the question, the customer provides the correct response, which is then screened by the CSR to verify that what the customer provided matches what is on the CSR's screen. In no case is it acceptable to require the customer to provide both items, especially in an email.

    Mailing address, date of birth and payment information are also not something you should require via email. All of this information is generally not encrypted or otherwise secure and is easily intercepted via malware or other means. Once obtained in this fashion, it can be used for more than just hacking a game account. If you require verification of this information, it's something you should be handling via a phone conversation or other secure means, not via email.

    Name, secret question answer, ID, and email address are okay. Any other delicate information should not be asked for in email form. They should only be asked for if the customer calls Zenimax customer service directly and the number is verified as their number.

    These questions being asked in email can lead to many problems: hacked accounts, stolen identity, stolen cards, etc. Name, address, email, and the last 4 digits of a card make it easy to steal identity and cards (Visa, MasterCard, etc.).

    This should really be looked into for the sake of your customers.
  • Mehdizh
    So you are saying you are sending all your details, when you have an issue, to an EMAIL pool that anyone can read, and if you get hacked, which sorry will happen at some point in time, you can say goodbye to all this data...
    Come on, does the word security, and not putting all your information in one communication, mean anything to you!

    Use an interactive panel with your helpdesk, and you can give the answers there; plus you only need to give set information, not every bit of data you have in your database!!!

    Your helpdesk needs to understand the difference between "my account has an issue and needs to be fixed" and "please reset my password and email"!
    Maybe you need to find someone who speaks their language, as English may not be their strong point lol ;)


    The support response is asking for:

    - First and Last Name associated with the account:
    NOT NEEDED. Only if account changes need to be done, or anything where the account could be stolen, then yes, agreed, but not for a support problem!

    - E-mail address associated with the account:
    NOT NEEDED. Only if account changes need to be done, or anything where the account could be stolen, then yes, agreed, but not for a support problem!


    - Mailing address:
    Should be changed to "please give the email address for the account if it is different from the one you are sending the email with"!


    - Date of Birth:
    NOT NEEDED. Only if account changes need to be done, or anything where the account could be stolen, then yes, agreed, but not for a support problem!


    - User ID: / YES to know which Account has the issue!
    - Character: / YES to know which character has the issue!

    - Secret Question and Answer:
    NOT NEEDED. Only if account changes need to be done, or anything where the account could be stolen, then yes, agreed, but not for a support problem!


    - Last 4 digits of the method of payment used:
    NOT NEEDED. Only if account changes need to be done, or anything where the account could be stolen, then yes, agreed, but not for a support problem!

    It's sad reading stuff like this...
