MMO Account Security

Blizzard Authenticators. You know you are hooked on WoW when you worry more about losing one than your wallet or house keys


There’s been a lot of concern over account security in MMOs recently, more so in WoW than in any other game, and, frankly, it’s always baffled me. I can understand why accounts get hacked, and I can understand how accounts get hacked, but what still surprises me is how slack security is in most MMOs. For something that causes so much ruckus and, apparently, uses up a huge amount of resources and customer support time, there are some pretty obvious (to me) steps that have never been taken to improve basic security.

Yeah, I know, Blizzard Authenticators. Unfortunately, as much as I commend Blizzard’s efforts, they are far from ideal. Aside from the fact that they’ve still proven to be hackable and have actually been used by hackers to lock off broken accounts so they can pilfer your wares undisturbed, they are not an effective solution for MMO companies that lack Blizzard’s vast resources. Plus they are annoying and mean you end up having to carry around a special piece of hardware all the time just to log in. Petty qualm, I know, but I’m just scared I’d get one, lose it and then have to go through the embarrassing and time-consuming pain of getting it all reset through Customer Services. Nah, I’ll stick to the old-fashioned concept of passwords, thank you very much.

Still, the whole thing got me thinking. I mean, I use online banking, and yet I don’t have an Authenticator for that. Surely my bank takes security a lot more seriously than Blizzard does (or so I’d hope). The information held in my online account is certainly a lot more sensitive and important than a few virtual character items, yet I can access it from any computer in the world without needing to carry a plastic key fob around with me.

So, taking a lesson from my bank and other online services, it seems there are a few basic tricks that any MMO company could implement to increase account security without having to produce Authenticator keys. For instance, why not just ask a random security question like “what’s your mother’s maiden name” or “what was the name of your first pet” as a second step every time you log in? That’s very difficult information for a keylogger to gather and associate if it can’t match the answer to the question. And how about locking the account after, say, 3 or 5 unsuccessful login attempts? And what about sending the account owner an email if the account is accessed from outside a 50 mile radius of the previous login? At least that way someone could respond more quickly to any legitimate breach of security.

A few alterations to the account registration process and the game login functionality and bish, bash, bosh, Bob’s your uncle, account security has been increased dramatically. Is it going to prevent all account breaches? Probably not, as I’m sure there’s some Chinese supervillain out there who will find cunning ways to still extract the information from us, but, regardless, it would definitely help fight back against hackers and wouldn’t be incredibly difficult to implement at all.

-Gordon




29 Comments

  1. Vinnyj says:

    Although I applaud your effort in trying to increase security matters, the solutions you bring are hardly sufficient. There are a few reasons for this:
    1) The extra security questions are even easier to break than an actual password
    2) Extra security should not be too much of an inconvenience to the average user (else Blizzard will lose more customers due to the annoyance factor than the turnover they lose from having to deal with hacked clients)
    3) Breaking passwords through brute force is a very inefficient way to gain access to an account. Most accounts are compromised due to viruses / keyloggers
    4) Repressive security (when the account is already hacked) does not help Blizzard at all, since most restore work will have to be done anyways (and the one character that the hacker did not get to in time does not matter much for Blizzard once they are restoring the account anyways)

    Online banking security relies on a unique code that has to be entered every time you log in. Whether this comes from a dedicated authenticator, a ‘random reader’ type device that gives you a unique code you have to enter or a plain list of unique codes does not matter much, they all require you to, as you say, lug stuff around with you.

    I for one applaud the authenticator. It’s a bit of a hassle, but your account will not get hacked if you use one. The only alternative I would consider is a text message to your cellphone format, where Blizzard will send you a code you have to enter once you try logging in. Although that would not require me to carry extra stuff around, it’s still not an ideal solution for Blizzard due to two reasons:

    1) Part of the player base does not have a cellphone (kids, poor Asians)
    2) Sending millions of text messages every day (the data itself and the infrastructure to do this internationally) might be more costly than restoring hacked accounts.

    Just my two cents ;-)

    • Gordon says:

      I was thinking that the randomness of an extra security question would help prevent key logging because it’s harder for them to know what answer you gave to what question. Combine that with lock out after 3 failed attempts and it should hopefully prevent misuse.

  2. Carson says:

    One thing Atlantica does is have a secondary PIN as well as your password: but you only get prompted to enter it if you log in from a different IP address to your previous login.

    So, in normal play, you won’t get prompted for it, and thus won’t give any malware an opportunity to keylog it. But if an account stealer tries to log in with your stolen password, they WILL need it.

    • Gordon says:

      I like that idea A LOT. I’ve never seen anything like it in the UK but it sounds like a very sensible idea and it would definitely screw up any keyloggers that found their way onto your machine.

  3. rowan says:

    This is something I have touched on before on my own blog, having gotten hacked not long after I started the blog despite a thorough knowledge of internet security precautions (because of my profession).

    I think Blizzard’s initial mistake was to tie the battle.net login to an email address, which then made millions of customers vulnerable to spam and phishing attempts. This may have been an attempt by Blizzard to make it easier to remember one’s login, but it backfired because it gave the hackers an easy opening. I personally rarely got WoW related spam, and then only in a general way, before November 2009. Since that time, it has been a daily occurrence.

    I did get an authenticator, and it is a bit of a nuisance, especially when I misplaced it recently. But it is better than the alternative, given the current state of security in the game. The corehound pup is pretty cool, though. :)

  4. Wasdstomp says:

    I am not sure if the picture I saw was real or not, but I found it pretty funny that someone posted a pic of their authenticator, and it’s Made in China. Hmmmm I wonder if they know how to break the code since they make it?

    I also have to agree that making an email address your login was the biggest mistake.

    My bank recently enhanced their security. You enter your login on one page, the next page posts a pic of your choice to show up on your security question page so you know if you are being keylogged, or on a phishing site, and then another page for your password.

    I think locking an account after failed attempts will just piss you off if someone every day just enters your email, and a fake password 5 times just so you have to spend 5 hours a day on the phone with Blizzard.

  5. I follow all the internet security precautions to decrease my chances of compromising my account, but as someone has already mentioned, sometimes you can do all that and still get hacked. Having an authenticator does make me feel safer.

    With regards to having to carry a special extra piece of hardware around all the time, have you ever considered using the mobile authenticator (I seem to recall you have an iPhone, right?) I’ve been thinking about it myself, but the authenticator is simple and straightforward, whereas despite its convenience I’ve heard about problems people have had with the mobile one: if your device or app crashes, it locks you out etc., so I haven’t gone forward with it yet.

    • Gordon says:

      I have thought about getting the iPhone app but I don’t like the idea of needing my phone around just to play WoW. For instance, I screwed up its OS upgrade a few months ago and my phone was out of action for a few days. If I had been using an iPhone authenticator then I wouldn’t have been able to play WoW!

  6. Anonymouse says:

    Just to point out, an authenticator does NOT guarantee your account will not get hacked.

    There was a recent exploit on WoW where the user with an authenticator would try to log in, the authenticator code was intercepted by a program on the player’s PC and forwarded to another user who logged in with the authenticator code, then the user’s own login failed. Account compromised.

    http://tobolds.blogspot.com/2010/03/world-of-warcraft-authenticator-hacked.html

  7. Rhii says:

    Nonstandard security questions (not your mother’s maiden name for god’s sakes) that aren’t the same every time can’t be any harder to break than passwords can they? If it’s rotated, then a keylogger’s going to have a hard time picking up whether “Browne” was my favorite teacher or the name of my high school hometown or my first pet or whether Ford is my favorite fictional character or the make of my first car.

    As long as security questions aren’t something that’s commonly googleable about me, I like them. I had a site ask me recently for my favorite fruit… I knew the answer instantly, but I can’t imagine even my closest friends make a study of my fruit preferences.

    • Gordon says:

      It seems to be that the issues with the security aren’t really from brute force hacks but rather from keyloggers and phishing scams. Any sort of extra security question should help with that.

  8. Jeff says:

    PC security is what I do for a living. I have contracted for local and state law enforcement and the Department of Homeland Security. The mobile authenticators are not perfect but they are the best protection for your WoW account; quite frankly I foresee a universal token key being used for user privacy beyond the hardware keys that we can obtain today.

    Yes, an authenticator can be compromised (at least the current versions can; the upcoming version two will have a spoken number option as well as a much shorter verification window) via a man in the middle attack, however those attacks are very hard to pull off successfully. You basically have the same odds of being hit by a bus while dressed up as Elvis. MitM attacks are a compromise of the SSL layers and are not easy to set up or maintain… it just isn’t worth it for most account hackers, especially considering there is so much low hanging fruit (unprotected accounts) available.

    As far as inconvenience goes, with the free mobile ones it’s as inconvenient as your cell phone. I have the hardware version because I wanted the core hound pup. It’s a cheap-to-free way to give your account an extra layer of protection and should never be viewed as an impenetrable fortress because… nothing is.

    • Bootleg says:

      ^^ This.

      There is no perfect security system. Each implementation is a compromise between usability/viability/accessibility and security. The only way to make something entirely secure is to make it entirely unusable.

      The authenticator, which is used in a lot of places outside of WoW, is a fantastic low-cost solution that handles the vast majority of authentication concerns. My bank offers an authenticator and I really should get one. I wish every service that required authentication offered SecureId (authenticator) as an option.

      Authentication security is referred to in factors. 1 factor authentication, 2 factor, 3 factor, etc.

      1 factor authentication: 1 style of security hurdle, most often it’s something you know (like a password, or your mother’s maiden name etc.)

      2 factor authentication: 2 styles of security hurdles – something you have AND something you know. (authenticator AND password)

      Biometrics is a third factor (fingerprints, retina scans, voice etc)

      Banks asking multiple random questions does not increase security, it increases obscurity. A “hacker” could simply track all of your question and answer pairs. It may take a bit longer, but it certainly won’t prevent a compromise.

      1 factor authentication is terribly insecure, don’t fool yourself into thinking it’s not because the bank and other services let you get away with it.

      As a side, the WoW automated systems have not been hacked (at least I haven’t heard of a single report). It’s the customer (and their computer) who has. If you place a key to your flat under the welcome mat, you don’t blame the lock for failing to keep out intruders.

    • Gordon says:

      Is the hardware authenticator compatible with the iPhone one? i.e. can you use both together on the same account?

      • Jeff says:

        No, you can only attach one authenticator to an account, because each authenticator has its own unique serial number that syncs to the random number it generates.
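Bootleg describes the authenticator as the “something you have” factor, Jeff mentions a shorter verification window as a hardening step, and Anonymouse describes a code being intercepted and used by someone else before the owner’s own login. The following Python is an added example, not Blizzard’s or the authenticator vendor’s code, and the page does not say which algorithm the Blizzard token uses; it shows the standard time-based one-time password scheme (HOTP from RFC 4226 driven by a time counter as in RFC 6238) with a server-side verifier that refuses to accept the same code twice. The secret is the RFC 6238 Appendix B test secret; `STEP_SECONDS` and `skew_steps` are the assumed knobs behind Jeff’s “verification window”, and the `replayed` outcome is what a defender would log and alert on, since a genuine owner whose code was already consumed is exactly the situation Anonymouse describes.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # code lifetime; a shorter step narrows the window an intercepted code is valid for
DIGITS = 6

# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"); a real token would use a per-device secret.
SAMPLE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation, DIGITS digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** DIGITS:0{DIGITS}d}"


def totp(secret: bytes, now: float) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current time step."""
    return hotp(secret, int(now // STEP_SECONDS))


class TotpVerifier:
    """Server-side check for one account: accepts a code at most once and only within the skew window."""

    def __init__(self, secret: bytes, skew_steps: int = 1):
        self.secret = secret
        self.skew_steps = skew_steps      # how many neighbouring steps to tolerate (clock drift)
        self.used_counters = set()        # counters whose code has already been accepted

    def verify(self, code: str, now: float) -> str:
        counter = int(now // STEP_SECONDS)
        # Forget counters that can no longer fall inside the window.
        self.used_counters = {c for c in self.used_counters if c >= counter - self.skew_steps}
        for c in range(counter - self.skew_steps, counter + self.skew_steps + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                if c in self.used_counters:
                    return "replayed"     # valid code, but already consumed: worth alerting on
                self.used_counters.add(c)
                return "ok"
        return "rejected"                 # wrong code or outside the window


if __name__ == "__main__":
    verifier = TotpVerifier(SAMPLE_SECRET)
    t = 1111111109                        # one of the RFC 6238 reference timestamps
    code = totp(SAMPLE_SECRET, t)
    print(code, verifier.verify(code, t))          # 081804 ok
    print(code, verifier.verify(code, t + 1))      # 081804 replayed
```

The single-use rule does not stop someone who submits the stolen code first; it makes that event visible, because the legitimate owner’s subsequent attempt comes back as `replayed` rather than as an ordinary wrong code.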

  9. Michal (Mic) says:

    I signed up for the authenticator last week and found these to be the simple (and shallow) pros & cons

    Pros:
    -Battle.net sends you a cute little vanity pet called Corehound Pup
    -Peace of mind (although I’m a fairly new player and still leveling my main to 80 so there’s not much to steal)
    -Less of a chance you’ll have to deal with being placed on hold or deal with automated Customer Service for hours on end to try and get your account back (which I hear doesn’t successfully happen too often)

    Cons:
    -Gotta have your smart phone handy when you log in if you use the mobile authenticator (and I misplace mine a lot)
    -Sometimes the number code regenerates before I have time to punch all the numbers in correctly (I’m mildly dyslexic- heh)
    -You can’t rename the Corehound Pup (I really wanted to name him Frank)

    So there you go. It doesn’t hurt to have a less-hackable account but c’mon Blizzard, let me rename the vanity pet!!!

  10. Bronte says:

    I actually use my own script in AutoIt.

    Double-clicking the script does the following:

    It launches WoW. Then it copies each letter of my password divided up into four separate chunks and enters them in the edit box, but not in sequence, backward, forward, then backward and backward again. Then it logs me in. And after login it logs in my bank character.

    I use another similar script for the Battle.Net.

    I have been using said script for 3+ years. The ONLY time I got hacked was when I shared my account details with a close friend. :D

  11. Numtini says:

    I find the authenticator to be extremely convenient to use. Our household online banking does not require an authenticator either, but the commercial online banking where I work certainly does. I wish more games would use them. I suspect that any hacking of an authenticator has more to do with propaganda to convince people not to get them than it does with any common use of the item. While theoretically possible, you need to have “operators standing by” to loot the account quickly. And the exploit outlined could easily be fixed by simply putting a timer on logins from different ip addresses.

    While the use of an email as a battlenet login was stupid, I get so many phishing emails about WoW on emails unrelated to my account that I don’t really think that’s the source of them.

    • Gordon says:

      One problem with authenticators though is that they aren’t cost effective for smaller MMO companies to produce. If someone would develop a generic one for use with any game then I could see it taking off more.

  12. Epiny says:

    I’ve played MMOs since EQ launched and never been hacked. I’ve shared account info before but don’t anymore.

    Know what you click on when surfing the internet, copy/paste passwords, and use the authenticator if you play WoW. I have ZERO sympathy for people that get hacked. 99.9999% of the time it’s your fault. People don’t forcibly hack anymore; as Jeff said, there are easier people to get than you.

    It’s the old saying. I don’t have to outrun the bear, just the guy next to you. :) You just have to have better security than most to deter people from hacking you.

  13. Amuntoth says:

    I don’t like the idea of personal questions to log in. I can’t remember that stuff for important things like the bank. I didn’t have a first dog, so what did I tell it for that question? Mother’s maiden name? Laughelette, Lafallette, Lauphalette? Damnit, where is my phone?

  14. Spitt says:

    Gods, all the stupid and misinformed people! I swear so many idiots who think that an authenticator will keep them safe, and that they can’t be hacked. YOU CAN BE HACKED WITH AN AUTHENTICATOR!!!

    Authenticators can be emulated. The safest bet is to use Avast, and not to give your information away. I have been playing online games for 11 years, and I am a powerleveler! My company handles hundreds of accounts a year, none of them get hacked while on our watch. We don’t get hacked, because we know how not to be hacked. It’s not a science, but it does mean you have to have a good AV (Avast), and you need to watch where you put your information in. Above all, change your password every month, but every couple of weeks is better! Never use the same password on your account as on any other site. And never ever use email links leading to your account. Go to the game site directly to log in.

