We anticipate that even with this update, third parties will continue

[IkaraGreydancer]

You are wrong.
It IS a mistake
You spoke about the 'easiest ti implement solution.
But they took down the shop while working on this solution. Which means they paused the issue to give themselves time.
Hell, In my response to Ikara Greydancer below I will repeat a solution I mentioned earlier in this thread. A solution other game companies have used, and that had better results.
So, other, just as easy to implement, solutions exist, that woulds have had a better impact. They chose a poor one.



A better solution?
Here is one of my earlier posts.


That solution requires less coding ti implement, and would provide superior protections to SE against hacked accounts being used for RMT

Maybe I'm understanding you wrong but how does that put a stop to exciting longstanding accounts from doing this?

[KremlinKOA]

Maybe I'm understanding you wrong but how does that put a stop to exciting longstanding accounts from doing this?

Okay, fair question, as I didn't make that part explicit.

It works in 2 parts.

1: Those RMTers who acquire their dodgy codes through hacked accounts will be stopped immediately, as OTP/2FA accounts don't get hacked readily enough for it to be practical.
2: As for those using stolen Credit Cards on their own account. Being able to track where the gifts went, means as soon as a chargeback occurs, the account gets banned. Which means to get a new account going, they need to
--A: Buy a new copy of FF14.
--B: Buy a new phone SIM card (Yeah we can link phone numbers to accounts, after all)
--C: C buy a month of Subscription time
--D: Wait 30 days before being able to send out new gifts.
These costs, and delays, are designed to move the setup from 'profitable' to 'unprofitable' and encourage the RMT CC faudsters to use another game as their laundry.

In the end, it's all about making friction to discourage people from using FF!$ as their method to clean their stolen money.

But best solutions will putr more friction on the fraudsters than on honest players.

[IkaraGreydancer]

Okay, fair question, as I didn't make that part explicit.

It works in 2 parts.

1: Those RMTers who acquire their dodgy codes through hacked accounts will be stopped immediately, as OTP/2FA accounts don't get hacked readily enough for it to be practical.
2: As for those using stolen Credit Cards on their own account. Being able to track where the gifts went, means as soon as a chargeback occurs, the account gets banned. Which means to get a new account going, they need to
--A: Buy a new copy of FF14.
--B: Buy a new phone SIM card (Yeah we can link phone numbers to accounts, after all)
--C: C buy a month of Subscription time
--D: Wait 30 days before being able to send out new gifts.
These costs, and delays, are designed to move the setup from 'profitable' to 'unprofitable' and encourage the RMT CC faudsters to use another game as their laundry.

In the end, it's all about making friction to discourage people from using FF!$ as their method to clean their stolen money.

But best solutions will putr more friction on the fraudsters than on honest players.

Huh I see. That does sound like a solid choice to make. Ofc we wouldn't know 100% that it'd do the trick but I'd say it's worth a shot. The current move feels more like a placeholder decision til they have a more solid plan. Can't say I'd like to be getting hit with chargebacks like that lol

Also I meant to say existing not exciting xD

[KremlinKOA]

Huh I see. That does sound like a solid choice to make. Ofc we wouldn't know 100% that it'd do the trick but I'd say it's worth a shot. The current move feels more like a placeholder decision til they have a more solid plan. Can't say I'd like to be getting hit with chargebacks like that lol

Also I meant to say existing not exciting xD

Not 100%, but this wasn't me being insightful or original.
I cribbed this idea from things other game companies did that was effective.
So it should be effective here.

[Jojoya]

Okay, fair question, as I didn't make that part explicit.

It works in 2 parts.

1: Those RMTers who acquire their dodgy codes through hacked accounts will be stopped immediately, as OTP/2FA accounts don't get hacked readily enough for it to be practical.
2: As for those using stolen Credit Cards on their own account. Being able to track where the gifts went, means as soon as a chargeback occurs, the account gets banned. Which means to get a new account going, they need to
--A: Buy a new copy of FF14.
--B: Buy a new phone SIM card (Yeah we can link phone numbers to accounts, after all)
--C: C buy a month of Subscription time
--D: Wait 30 days before being able to send out new gifts.
These costs, and delays, are designed to move the setup from 'profitable' to 'unprofitable' and encourage the RMT CC faudsters to use another game as their laundry.

In the end, it's all about making friction to discourage people from using FF!$ as their method to clean their stolen money.

But best solutions will putr more friction on the fraudsters than on honest players.

The phishing scams exist precisely to have a way to get into accounts protected by OTP/2FA. We see players fall victim to those frequently.

I don't know if it's still required but at one time the cash shop was requiring account verification to get entered twice - once to select items to be purchased then again to make the purchase. As annoying as it is to players trying to make a purchase, it does prevent fraudulent purchases from being made on a compromised account with OTP. The thief might get in the first time but the OTP would no longer be valid by the second time it has to be entered.

Without a second verification needed, it's easy for the thief for load up a cart, move to the account verification page and wait for the dumb player to enter their information into the phsihing website to capture and enter into the purchase website.

The credit card and retail industries together need to step back and see what can be done to get compromised payment methods under control. So much gets done online today that it's hard to say if any of them are properly identifying anyone. Should all payment methods themselves now requires OTP/2FA for all online transactions? The 3 digit CVN they tend to rely on for credit card transactions is not truly a form of identification. It's merely confirmation that someone knows the number for that particular credit card number and not that they have possession of the card or are the card's actual account holder.

That brings up the question of how all these fraudulent credit card transactions are occurring in the first place (assuming it's credit card and not other payment types at the root of the problem). While databases are storing the payment information, they should not be storing the CVN. How are payments getting initially approved for online transactions if the correct CVN isn't being submitted?

[KremlinKOA]

The phishing scams exist precisely to have a way to get into accounts protected by OTP/2FA. We see players fall victim to those frequently.

I don't know if it's still required but at one time the cash shop was requiring account verification to get entered twice - once to select items to be purchased then again to make the purchase. As annoying as it is to players trying to make a purchase, it does prevent fraudulent purchases from being made on a compromised account with OTP. The thief might get in the first time but the OTP would no longer be valid by the second time it has to be entered.

Without a second verification needed, it's easy for the thief for load up a cart, move to the account verification page and wait for the dumb player to enter their information into the phsihing website to capture and enter into the purchase website.

The credit card and retail industries together need to step back and see what can be done to get compromised payment methods under control. So much gets done online today that it's hard to say if any of them are properly identifying anyone. Should all payment methods themselves now requires OTP/2FA for all online transactions? The 3 digit CVN they tend to rely on for credit card transactions is not truly a form of identification. It's merely confirmation that someone knows the number for that particular credit card number and not that they have possession of the card or are the card's actual account holder.

That brings up the question of how all these fraudulent credit card transactions are occurring in the first place (assuming it's credit card and not other payment types at the root of the problem). While databases are storing the payment information, they should not be storing the CVN. How are payments getting initially approved for online transactions if the correct CVN isn't being submitted?

Those Phishing sites you mentioned? They can be designed to get CVNs

The scams are usually around falsely claiming debts and guiding the victim to the phishing site to 'pay what you owe' by credit card.
Since such transactions would expect the CVN they can put a request for it in the website. BTW am Providing this level of detail about the scams to help readers defend against them but hopefully not enough detail to let someone run one.

Interestingly, my suggestion provides a defense against that, because it gives the card owner 30 days to realize they were scammed, and report their card stolen.

[Shibi]

I'm curious how gift cards work? I've use time cards and sent the code to a friend and have done that quite a bit but with gift cards it seems they want the persons email to send it directly to them. Are there gift cards where you simply get a code like a time card that you can dm in game or on discord etc. I prefer not to be asking for personal emails and so on.

Paysafecard maybe. You can paste a 16 digit code to someone, and they can redeem the code and get the cash.

I say maybe, as I have to try it and see if the unregistered account can buy on the store.

I don't know if it's still required but at one time the cash shop was requiring account verification to get entered twice - once to select items to be purchased then again to make the purchase. As annoying as it is to players trying to make a purchase, it does prevent fraudulent purchases from being made on a compromised account with OTP. The thief might get in the first time but the OTP would no longer be valid by the second time it has to be entered.

Yes, you are asked for the password again, but it's more...

Unless it's different for NA players, there is no option in the cash shop to save a card number. Every single buy you need to manually enter your credit card, name, expiry date and cvv. This is verified by the payment processor in an Interstitial screen - In my case, I see my own bank's falcon site appear after I enter the details and press continue

[DPZ2]

Unless it's different for NA players, there is no option in the cash shop to save a card number

NA mog store is the same.

[Shibi]

NA mog store is the same.

ty

So, it seems the suggestion "using phished FF accounts to buy codes" and "there was a hack on ff accounts using common passwords" are moot for code buying. (although valid for gil stealing)

Leaves it as stolen credit cards from Gramps Jones in Tennessee who believed the nice man from microsoft was going to fix his computer online - or companies like AT&T being hacked and their payment databases being stolen.

[Jojoya]

ty

So, it seems the suggestion "using phished FF accounts to buy codes" and "there was a hack on ff accounts using common passwords" are moot for code buying. (although valid for gil stealing)

Leaves it as stolen credit cards from Gramps Jones in Tennessee who believed the nice man from microsoft was going to fix his computer online - or companies like AT&T being hacked and their payment databases being stolen.

Not always if those compromising the account have also compromised credit card information from whatever source.

What information is being asked as a form of verification? Name on card. CVN. Just about any piece of information used to verify identity would likely be in that compromised database. All the scammers need to do is find a compromised card with the same name/very similar name and they're good to go. We don't know how close a name match is being required to make a purchase. Those with less common names would be safer than those with common names.