
Blizzard Introduces One-Time Password Devices For WoW

timothy posted more than 6 years ago | from the status-symbols dept.

PC Games (Games) 271

An anonymous reader writes "Two days ago Blizzard announced that they will be selling keychain tokens to add one-time password support (FAQ) to World of Warcraft. Have compromised World of Warcraft accounts become such a serious problem that OTPs are already necessary for games?"


Not a problem... an opportunity (5, Insightful)

gbulmash (688770) | more than 6 years ago | (#23988799)

Have compromised World of Warcraft accounts become such a serious problem that OTPs are already necessary for games?


Probably more like Blizzard has decided that people paranoid about having their accounts compromised have become such a serious market segment that it can eke out a few more pennies selling these dongles for 6 euros a pop.

If it was a huge problem, Blizzard would begin requiring them. The fact that they're optional means they're probably just a new way to sap a few more bucks from players who have invested so much of their time and being into this game that six euros seems a very reasonable security blanket.

It's both (4, Informative)

dreamchaser (49529) | more than 6 years ago | (#23988837)

It's both. Password stealing via phishing and other means has hit quite a few MMO's. It boils down to dumb users mainly, and Blizzard surely sees a profit opportunity in their stupidity.

Re:It's both (3, Insightful)

Opportunist (166417) | more than 6 years ago | (#23988981)

That's actually not exaggerated. The average phishing server yields a quite interesting harvest of various passwords for various online games.

It would already kill a lot of those "opportunities" for phishers if online game makers required different PWs for account and board. But apparently selling one time pads is more profitable.

Re:It's both (3, Informative)

me at werk (836328) | more than 6 years ago | (#23989035)

PayPal sells these keyfobs as well, and I bought one. It broke, started showing 42424242 and 88888888, as well as some diagnostic info (like 25% batt, etc). I contacted PayPal and they weren't very helpful (as expected), and it was basically, buy another one. I just disabled the requirement for it on the account.

I think that the paypal security issue is similar, just phishing. But hey, if my account got fucked while I had a keyfob activated, I'd be at an advantage wouldn't I?

Re:It's both (3, Interesting)

Splab (574204) | more than 6 years ago | (#23989209)

So err, how do you go about getting into your account and disabling the feature if the thing is broken?

Re:It's both (1)

weetabeex (1065032) | more than 6 years ago | (#23989253)

would you?

Re:Not a problem... an opportunity (2, Insightful)

Morlark (814687) | more than 6 years ago | (#23988875)

"Eke out a few more pennies"? These things cost way more than $6 to make, and that's not even counting the cost of the training all their customer support staff will need. Players whose accounts have been compromised do cost Blizzard a lot in terms of support, and Blizzard are introducing these things under cost in an attempt to lower their expenditures elsewhere.

Re:Not a problem... an opportunity (0)

Anonymous Coward | more than 6 years ago | (#23988923)

Er, No - they don't. Especially if you talk about thousands of pieces. More like $1.99 per piece, including IP-licenses.

If Blizzard really plans to have every subscriber own such a piece, the total price to market per unit would probably drop to half a dollar.
Especially if they are made in China.

Re:Not a problem... an opportunity (5, Informative)

Tridus (79566) | more than 6 years ago | (#23989001)

Depends on who is making them.

http://www.entrust.com/strong-authentication/identityguard/calculator.cfm [entrust.com]

Entrust here likes to advertise they're 1/7th as expensive as the ones RSA sells, and those are still $4/year.

So at $6 until the token dies, Blizzard isn't exactly making a mint on these things. The profit for them comes in reduced account restorations.

Unless you'd care to source me someone who sells them so cheap that Blizzard is making a fortune at these prices, since there's probably also costs for the server end of the setup?

Re:Not a problem... an opportunity (0)

Anonymous Coward | more than 6 years ago | (#23989193)

it was 6 euro a year, considerably more than $6.

Re:Not a problem... an opportunity (5, Funny)

pipatron (966506) | more than 6 years ago | (#23988931)

These things cost way more than $6 to make

Yes, maybe if you handcraft them in Norway from reindeer horns and freshly clubbed seal, but in the rest of the world you can buy a USB memory for less than this.

Re:Not a problem... an opportunity (2, Insightful)

jamesh (87723) | more than 6 years ago | (#23989115)

Yes, maybe if you handcraft them in Norway from reindeer horns and freshly clubbed seal, but in the rest of the world you can buy a USB memory for less than this.


Silliness aside, I think the person you responded to probably meant Blizzard's purchase price. For each device you build you have to compute and program the private key, then you have to record this key on a CD or in some other form to deliver to the customer (Blizzard in this case, not the end user), and additionally Blizzard then have to license the software to run it all and set it all up. It's possible Blizzard may have been able to negotiate a decent price for the token, but I think they would be selling them at a loss on the assumption that at a loss of (say) $20 per token, they'll save that much in sorting out the mess that becomes of 'stolen' accounts.
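The per-device key and the server-side setup mentioned in the comment above are two halves of one check: the server keeps a copy of each token's secret and recomputes the code. An added example, not part of the thread and not Blizzard's or any vendor's code; it assumes the token uses counter-based HOTP from RFC 4226, which the page does not state, and `TokenRecord` and `verify` are hypothetical names.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


@dataclass
class TokenRecord:
    """Server-side copy of what was programmed into one token (hypothetical schema)."""
    secret: bytes      # per-device key delivered alongside the hardware
    counter: int = 0   # next counter value the server expects from this token


def verify(record: TokenRecord, submitted: str, look_ahead: int = 5) -> bool:
    """Check a submitted code against a small look-ahead window.

    The window tolerates button presses that never reached the server.
    On success the stored counter moves past the matched value, so the
    accepted code and every earlier one stop working (no replay).
    """
    for step in range(look_ahead + 1):
        candidate = hotp(record.secret, record.counter + step)
        if hmac.compare_digest(candidate.encode(), submitted.encode()):
            record.counter += step + 1
            return True
    return False


if __name__ == "__main__":
    # Constructed demo using the RFC 4226 test secret, not a real token key.
    rec = TokenRecord(secret=b"12345678901234567890")
    print(verify(rec, hotp(rec.secret, 2)), rec.counter)   # accepted, counter resynced
    print(verify(rec, hotp(rec.secret, 2)))                # same code again: rejected
```

A code captured by a keylogger is useless once the owner's login has consumed it, which is the property the thread is weighing against the cost of the token.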

Re:Not a problem... an opportunity (0)

WK2 (1072560) | more than 6 years ago | (#23989217)

I'm a North Pole Elf you insensitive clod!

Market price for securid fobs (2, Informative)

Colin Smith (2679) | more than 6 years ago | (#23989413)

About $50 each at the moment. They obviously cost $0.10 to make, but you won't be able to buy them for that.

Re:Not a problem... an opportunity (0)

Anonymous Coward | more than 6 years ago | (#23989077)

training all their customer support staff will need.

Training?

Have you ever phoned/emailed tech support? Not just Blizzard's, anywhere at all.

When was the last time you got somebody who could tell their ass from their elbow? When was the last time you got something other than generic canned responses that had nothing whatsoever to do with your problem? Isn't it great fun when you can call up tech support and then have to correct them about a technical issue?

Training for their staff will consist of adding a few more canned responses on how to configure the device, yea that cost them lots.

Re:Not a problem... an opportunity (2, Insightful)

mwilli (725214) | more than 6 years ago | (#23988893)

Blizzard is in a unique position. Due to the success of WoW, they are probably the top company for online gameplay at the moment. Because of this, it gives them the opportunity to be the industry leader in new technologies to protect the integrity of the online gameplay, which they have always marketed as being a great concern of theirs.

Re:Not a problem... an opportunity (4, Funny)

jamesh (87723) | more than 6 years ago | (#23988925)

Hey were you the subject of a Dilbert comic a while back?

Re:Not a problem... an opportunity (1)

plasmacutter (901737) | more than 6 years ago | (#23988955)

This is in no way new. My mother has been a telecommuter for almost a decade and has been using something like this for VPN connections for years.

Re:Not a problem... an opportunity (0)

Anonymous Coward | more than 6 years ago | (#23988897)

Yep. There's no real reason to get it. Whenever an account is hacked, Blizzard will restore all your items and gold to your character in a few days. Unlike with scams that gain access to your bank account, there is no real irreversible damage here. If Blizzard would not restore your items, I could see the appeal of this device, but from what I've read they're pretty good at helping those with hacked accounts. Nonetheless, I think this will sell well. Anyone who frequents the WoW forums knows that "keylogger" is a popular fad, often jokingly posted after a user links to a website. Whenever accounts are hacked, the account will often post spam on the forums linking to keyloggers, used to hack more accounts. While playing in-game, I've met people who have large misconceptions about how hacks are done. I wouldn't call it a "fear", but the threat of being hacked or keylogged is something that many players are concerned about.

Re:Not a problem... an opportunity (4, Insightful)

ZorbaTHut (126196) | more than 6 years ago | (#23988913)

A cancelled account of mine got hacked somehow, and I only discovered it months later when I went to reactivate it. Blizzard basically said "sucks to be you, we won't do anything". My first level 60 character is gone forever, which makes me kind of sad.

Blizzard will, apparently, not fix all problems.

Re:Not a problem... an opportunity (0)

Anonymous Coward | more than 6 years ago | (#23988943)

That's weird, happened to me too. I hadn't been using the account and the game was no longer installed on my machine, I'm not sure what happened. I only found out when I was notified my account had been disabled for cheating.

Re:Not a problem... an opportunity (4, Informative)

ShadowDrgn (114114) | more than 6 years ago | (#23989003)

My account got compromised a year after I quit, and I only discovered it because I got an IM from someone who saw my character log in and wanted to know if I was playing again. My password was good enough that no one was going to randomly guess it, and I certainly never gave it out.

My best theory on how it happened is that I used the same account and password on lots of web forums, many of which have terrible security. Someone probably hacked into one of them and tried all the user/pass combos to see if they were also WoW accounts. I took a look at my old characters on armory and noticed that my lowbie alts had been stripped and my main moved to another server. I figure whoever got access probably sold the account to a clueless buyer because I can't imagine someone paying for a character transfer otherwise. I also wouldn't be surprised if people made a lot of money doing this. Lesson learned: use unique passwords (or usernames) on any accounts you actually care about.

Blizzard reset my password, but refused to transfer my character back to his original server because I "willingly gave out my password." I didn't intend to ever play again anyway, but service like that certainly sealed it. They didn't care one bit about catching the person who did it either, despite having IP addresses and even credit card numbers.

Re:Not a problem... an opportunity (1)

roguetrick (1147853) | more than 6 years ago | (#23989161)

Or the admin of said web forums used the user/pass combo or sold it. That's why, if you really want a generic password for forums you may never visit again, you always have that SEPARATE from anything else. Very easy security that nobody pays attention to, as they never think that when they sign up for a random website, they are trusting the password to the admin of that website.

Re:Not a problem... an opportunity (1)

Splab (574204) | more than 6 years ago | (#23989235)

I used to be an avid Gnome user, and I still find KDE to have some major annoyances, but one thing that I really love is Kwallet (yes you can use that on gnome as well, but it's greatly integrated into KDE).

When you visit a new forum use mkpasswd or anything like it, drop it into kwallet and you don't have to worry about such problems (do remember to keep a backup of kwallet files though :-) )

Re:Not a problem... an opportunity (2, Informative)

leenks (906881) | more than 6 years ago | (#23989363)

Or you could just use Gnome Keyring
http://en.wikipedia.org/wiki/GNOME_Keyring [wikipedia.org]

Re:Not a problem... an opportunity (1)

mrmeval (662166) | more than 6 years ago | (#23989619)

Or just use Firefox which works seamlessly with most websites.

Re:Not a problem... an opportunity (1)

Splab (574204) | more than 6 years ago | (#23989663)

Firefox doesn't per default encrypt your passwords, and you are storing the passwords somewhere else than where everything else is stored compared to kwallet or the gnome thing.

Re:Not a problem... an opportunity (4, Insightful)

vertinox (846076) | more than 6 years ago | (#23989631)

My best theory on how it happened is that I used the same account and password on lots of web forums, many of which have terrible security.

There is your problem.

I know we are all lazy when it comes to passwords, but you really need to keep different passwords for different things. It doesn't mean you have to keep completely different passwords for everyone forums so my personal rule is to have levels on how much I care about it being breached.

Level 1: Random forums I don't trust or places I don't care if hacked.
Level 2: Places I frequent that I trust and have a reputation, but it's not going to kill me if my account is breached.
Level 3: Stuff I pay money for. Like Online Games, Steam, utility bills, and cell phone plans.
Level 4: Money. Banks. Credit cards. And/or anything that is serious business. This also includes email accounts attached to them which I keep completely separate passwords between accounts since it would be dumb to have the same password for your bank as your email. Also I tend to keep different passwords between financial institutions because I don't trust competency of employees and their laptops.

The goal is to never use the same password between the levels so if one is breached the others are not.

So if it is that important to you, then don't use the same passwords on untrusted sites or forums that use unpatched vBulletin or phpBB. I mean... I don't even trust Slashdot.

And it never hurts to be paranoid and change your passwords every 6 months or if you just suspect something. It's not going to cost you anything other than mental exercise if you're wrong, but it saves you a whole lot of grief if you are right.

Re:Not a problem... an opportunity (1)

Krneki (1192201) | more than 6 years ago | (#23989633)

Hacking into poorly protected web sites / forums is one of the best ways to get your passwords. Never use the same password for random sites and for stuff you really care about.

Re:Not a problem... an opportunity (1)

NightRain (144349) | more than 6 years ago | (#23989299)

I too had my inactive account hacked and re-activated. I found out because I got an email telling me my account had been banned days before I was planning on reactivating it. After many back and forths between me and Blizzard support, I got them to unban the account, but I could not get them to tell me what state my character was in or if they would be willing to restore my stuff if it was gone. They told me to raise an ingame ticket with a GM. I wasn't going to sink money in to re-activating an account that /may/ have been levelled against my will (I was only level 48) and /may/ be able to get my gear back. They wouldn't even look in to it, so I just never bothered re-subscribing.

Re:Not a problem... an opportunity (2, Informative)

Mascot (120795) | more than 6 years ago | (#23989087)

Blizzard will restore all your items and gold to your character in a few days. Unlike with scams that gain access to your bank account, there is no real irreversible damage here

Unless Blizzard has changed policies, they will refund your items, they will not refund your gold.

And even so, it can take Blizzard several weeks to find time to sort you out. A tiny one-time cost of 6 euros is extremely cheap investment. Most make that much while taking a crap at work. Small price to pay to protect hundreds and hundreds of hours worth of in-game effort.

One might argue that with the amount of cash Blizzard makes off of WoW, they should just hire a small country to be able to fix hacked accounts in hours instead of weeks. But, honestly... It's optional. It's 6 euros. My computer is nearly a fortress compared to the average WoW player's security, and I'm still considering getting one of those things.

Re:Not a problem... an opportunity (2, Insightful)

The Snowman (116231) | more than 6 years ago | (#23989587)

Unless Blizzard has changed policies, they will refund your items, they will not refund your gold.

Technically they are not obligated to restore anything, neither legally nor by their own policies. They often do because it is good customer service and keeps the addicts feeding at the trough, which helps their bottom line in the long run. While they have by far the largest market segment in the MMO genre they know the reasons why that is the case and what will hurt that. Not helping customers is shooting themselves in the foot. I know several people who were shit out of luck after being hacked, while most did receive an account restoration. Often they received some, but not all, of their gold back. One guy had unrestricted access to our guild bank, and Blizzard restored the items in the bank the gold farmer took, too. They actually restored duplicates of some of the items, and let us keep the duplicates. That was really cool of them.

And even so, it can take Blizzard several weeks to find time to sort you out. A tiny one-time cost of 6 euros is extremely cheap investment. Most make that much while taking a crap at work. Small price to pay to protect hundreds and hundreds of hours worth of in-game effort.

Yeah, $6 is not a lot of money. With current gas prices this dongle costs 75% of my daily round-trip to work, or just about the same amount as lunch does if I buy a $5 sub at Subway with a drink. Given this is a one-time expense, it is trivial in the grand scheme of things.

One might argue that with the amount of cash Blizzard makes off of WoW, they should just hire a small country to be able to fix hacked accounts in hours instead of weeks. But, honestly... It's optional. It's 6 euros. My computer is nearly a fortress compared to the average WoW player's security, and I'm still considering getting one of those things.

Maybe the dongle costs more than $6 to manufacture, key inject, support on the back-end (authentication systems need some retooling). Maybe it costs less. However, the big picture here is that there are other hidden costs to Blizzard the scope of which we can only speculate. Regardless, it will probably mitigate some of the costs of investigating account issues, the headaches involved, etc. allowing their employees to focus their efforts on more pressing issues such as the gold spammers that stand between the bank and auction house in places like Ironforge or Orgrimmar and constantly peddle their wares (stolen video game gold).

I am considering this product as well. I used to play the game constantly because of marital problems. I needed a place to hide from my wife that did not involve huge bar tabs. So I played WoW. A lot. I have multiple 70s, thousands of gold, epics, blah blah blah. Now that I am divorced I play a fraction of the time. However, whether I keep playing (even if a small amount of time) or cancel my subscription, the thought of someone gaining access and destroying all that hard work would hurt. I spent a lot of time building up the account, made a lot of friends (some of my guild mates live close and we have actually socialized in real life), and anyone hurting those social connections or anything else would really piss me off. I think $6 may be worth it to mitigate that risk.

Re:Not a problem... an opportunity (5, Informative)

Manip (656104) | more than 6 years ago | (#23989047)

Thank you Mr. Conspiracy theory. But the truth is that:
- There is a serious problem in WoW
- It is extremely common for accounts to get compromised
- Sometimes people quit the game after a breakin (-$13/month)
- A 30 second google search found similar devices for between $17 and $23 a go

If I had to guess I would imagine Blizzard breaks even roughly on these devices. I can't imagine there being a huge profit margin on $6 and that they justify it by keeping people playing.

Re:Not a problem... an opportunity (0)

Anonymous Coward | more than 6 years ago | (#23989661)

As a player I'd have to agree completely. I've witnessed a hacker take over my friend's account...we "chatted" let's say. My friend was completely distraught. As to the root of the issue I have to say it's a Windows security problem...or lack of security. I'll agree most people aren't that security conscious, but Windows allows for programs to be installed on its platform without administrative level consent or knowledge and that is just plain weird to me. The real issue is the OS not the game which resides in the OS.

Re:Not a problem... an opportunity (1)

rthomanek (889915) | more than 6 years ago | (#23989205)

Probably more like Blizzard has decided [...] it can eke out a few more pennies selling these dongles for 6 euros a pop.

Are you serious? If Blizzard wanted to make money on it, they'd sell it for 60 EUR, not 6 EUR -- you know what the prices are in Europe, you know they could, if they wanted to.

I guess we will see.. as the FAQ page says, the price is subject to change...

Only 1 time? (0)

Anonymous Coward | more than 6 years ago | (#23988823)

crap.. I hope I don't forget it.

one time passwords are a good idea (0, Offtopic)

Colin Smith (2679) | more than 6 years ago | (#23988829)

Anyway...

 

Bilzzard? (1)

helpfulcorn (668048) | more than 6 years ago | (#23988835)

Bilzzard, huh? Well, they're much better than that company "Blizzard"

Re:Bilzzard? (5, Funny)

plasmacutter (901737) | more than 6 years ago | (#23988879)

I believe they wanted to spell it "Bill-zard"

base client: 25 bucks
bc client: 25 bucks
name changes: 10 bucks
realm changes: 25 bucks (per character, that's 250 bucks if you are transferring off a realm on which you were established)
wrath of the lich king: (unknown, but be prepared to chop up your first born son)

Re:Bilzzard? (4, Funny)

Opportunist (166417) | more than 6 years ago | (#23988993)

wrath of the lich king: (unknown, but be prepared to chop up your first born son)

I'm sure there are a few WoW addicts who wouldn't consider that an unfair deal to be in the WotLK beta...

Re:Bilzzard? (1)

I cant believe its n (1103137) | more than 6 years ago | (#23989239)

wrath of the lich king: (unknown, but be prepared to chop up your first born son)

I'm sure there are a few WoW addicts who wouldn't consider that an unfair deal to be in the WotLK beta...

True WoW addicts won't have the time to produce a first born, which is why only n00bs will ever get to be in the beta.

(I don't play WoW, not even on TV)

Re:Bilzzard? (0)

Anonymous Coward | more than 6 years ago | (#23989629)

Oblig response:
      I'm sure the intersection of the set of WoW addicts mentioned above and the set of WoW addicts with children to chop up is damn near the null set.

can't beat stupidity (5, Insightful)

rewben (202225) | more than 6 years ago | (#23988839)

It's not the system that has a flaw, it's the stupidity of people for giving away their usernames/passwords for powerlvling etc.

Re:can't beat stupidity (1, Insightful)

plasmacutter (901737) | more than 6 years ago | (#23988865)

The incidents of hacking on my realm indicate the hacking is happening to their servers, and they, being Blizzard, refuse to admit they're at fault.

(The same way every couple months their patches or maintenance cause massive lag spikes and random disconnects, and they blame the routers because Blizzard is apparently too special to conform to TCP/IP standards)

Maybe when enough people with this authenticator get screwed, they'll actually be forced to admit and fix it.

Re:can't beat stupidity (1)

Saicho (744644) | more than 6 years ago | (#23989213)

do you think you will ever reach your blue island of perfect connectivity ?

Re:can't beat stupidity (1, Interesting)

Anonymous Coward | more than 6 years ago | (#23988963)

There have been several trojans designed to snag WoW usernames and passwords since WoW began, feel free to Google. Of course in many cases a dose of stupidity or more like just ignorance is required, such as running your browser so it can "properly" render websites such as WoW's homepage or even Slashdot now that it's had the abrasive AJAX added. Not everyone is a user of Firefox with noscript and with the requirements on so many "necessary" websites to allow Javascript and Flash even those that do find at least temporarily enabling some websites necessary, but no website can be guaranteed safe to do this on. Of course the odds would make you a bit safer if you dipped your Wow in WINE before consuming and kept your browsing restricted to *nix.

Security Theatre (1, Insightful)

Anonymous Coward | more than 6 years ago | (#23988855)

This just seems like another money grab by another corporation. In the four years I've had my WoW account I have not had a single problem with a breach in security. I am definitely not security unconscious though, although I do find it hard to imagine that people have problems at all. Users just prove time and again that most people are stupid or ignorant or a mix of the two. Of course corporations want to cash in on that, and who can blame them. "Let's sell them something that they don't really need, but we'll tell them that they really do need it!" Like shooting fish in the barrel.

Re:Security Theatre (2, Insightful)

Tirhakah (1223100) | more than 6 years ago | (#23988867)

I'm not security unconscious either, but my account was compromised. When you have no control over what other uses the computer you play on is put, that's when you run into problems

Re:Security Theatre (3, Insightful)

pipatron (966506) | more than 6 years ago | (#23988957)

I'm not security unconscious either [...] no control over what other uses the computer you play on is put

One might argue that a security-conscious person would not let any random people share his computer, unless it had a very safe multi-user system.

There are those who could learn from this... (5, Funny)

bonhomme_de_neige (711691) | more than 6 years ago | (#23988885)

Wowzers, now I can have more security for my account on some computer game than my online banking (I'm looking at you, Citibank).

Re:There are those who could learn from this... (4, Funny)

Opportunist (166417) | more than 6 years ago | (#23989005)

Hmm... let's see... The average WoW addict is playing 30 hours a day, has most likely no job...

What do you think is worth more, the account of such a person or his bank account?

Re:There are those who could learn from this... (4, Funny)

amRadioHed (463061) | more than 6 years ago | (#23989039)

They both probably are about equally low in worth.

Re:There are those who could learn from this... (1)

Opportunist (166417) | more than 6 years ago | (#23989099)

Well, I didn't check eBay lately. Mostly because I prefer playing a game instead of paying someone to do it for me. But I'd be surprised if there aren't some high level chars for sale.

Re:There are those who could learn from this... (1)

jeffasselin (566598) | more than 6 years ago | (#23989659)

Hmm... let's see... The average WoW addict is playing 30 hours a day, has most likely no job...

What do you think is worth more, the account of such a person or his bank account?

What? Almost everyone I know who plays hardcore (30hrs/wk and +) have a job. Some have a family life. It's not different than watching TV for the same amount of time. I've known one guy who didn't work and played really hardcore, and he was "financially independent".

The first thing that comes to my mind is... (5, Insightful)

Null Nihils (965047) | more than 6 years ago | (#23988901)

Why can I get this feature for a MMORPG account, but not from my bank, or any other banks I know of?

I value my real money far more than imaginary swords, shields and armor that exist as bits in an entertainment company's database.

Maybe some people's priorities are different...

Re:The first thing that comes to my mind is... (0)

Anonymous Coward | more than 6 years ago | (#23988917)

Oh I am sure your bank would love to charge you for that feature, and I am sure it would be at a MUCH higher price for what Blizzard is offering. Perhaps it is not cost effective for them to do it yet. Praise be to ROI.

Re:The first thing that comes to my mind is... (4, Informative)

Nuskrad (740518) | more than 6 years ago | (#23988929)

A lot of banks in the UK now require card reading devices for use with online banking. It's been rolled out across the last couple of years, not sure what the situation is elsewhere in the world though

Re:The first thing that comes to my mind is... (0)

Anonymous Coward | more than 6 years ago | (#23989221)


Really? Which banks do you know? As I have accounts with three of the largest banks in the UK (Lloyds, NatWest, Barclays) and none of them offer (or have offered) SecurID, hence I don't do my banking online.

Re:The first thing that comes to my mind is... (1)

IBBoard (1128019) | more than 6 years ago | (#23989305)

Really? Which banks do you know?


I agree, I've got accounts with Halifax and Lloyds and neither have given me a token. I've never even seen any banks mention anything about one-time passwords for added security (which I'd have thought they'd trumpet as "look, come to us, you're less likely to have your details stolen").

Who are these mysterious "lot" of British banks?

Re:The first thing that comes to my mind is... (4, Informative)

Allicorn (175921) | more than 6 years ago | (#23989307)

Barclays have been providing a device they call PIN Sentry since early 2007:

http://www.barclays.co.uk/pinsentry/ [barclays.co.uk]

NatWest introduced their offering summer 2007:

http://www.natwest.com/microsites/general/card-reader-user-guide/index.asp?cmp=reader [natwest.com]

I believe you're right about Lloyds not having followed suit just yet.

Re:The first thing that comes to my mind is... (1)

Nuskrad (740518) | more than 6 years ago | (#23989323)

Natwest [natwest.com] do, because that's who I bank with. So do Lloyds [channelregister.co.uk] and Barclays [barclays.co.uk] . The rollout of these devices is still in progress, they're trying to do it gradually from what I see - but they'll probably give you one if you ask for it.

Re:The first thing that comes to my mind is... (2, Interesting)

Kidbro (80868) | more than 6 years ago | (#23989231)

I'm using a similar device, seeded (I assume) by my combined Credit/ATM card (issued by my bank) for online banking. I got the device this year "free of charge". Before this, I used scratch cards with one time codes, and I believe that mine was the last major bank in the country to switch from that system.

I live in Sweden.

NL here... cards / codes / cellphone (2, Interesting)

Animaether (411575) | more than 6 years ago | (#23989409)

I'll state up front that I absolutely -hate- the "something you have" part of security when that 'something you have' ends up being a fat card reader that won't fit anywhere convenient, not even in your notebook carrying bag, and you can't just use anywhere as it has to be plugged into a USB port which is not always available/accessible, and/or is prone to mechanical failure (e.g. the non-USB 'calculator' type which might fit in a pocket but if something bangs into your bag, the thing is dead.)

So anyway.. in NL we have both of the above types from some banks.

Then there's the Postbank (largest bank, used to be gov't run, along with postal services, etc.), which works with codes.

Their website requires you to log in via SSL, username/password and then - when making a transaction - provides you with a code. You look that code up in a list and return another code that's associated with that code. The code they choose is random, the code you send back has no correlation to the input code other than what's on their end, done.
Prone to phishing? Perhaps, although all attempts so far have failed miserably. But just in case, they added an additional service - you can enter your cell phone number in your profile and have the code you should be sending back sent to you via text message, along with the amount of money involved in the transaction, etc.

I don't know the exact technical details of how the latter works - I'm sticking to just a list and due diligence when banking as I'd hate to have to rely on my phone working / having signal / not being out of credits (when abroad - besides, I usually get a pay-as-you-go card when I am, as it's cheaper to make and receive calls then) / etc. when I -have- to make some payment.

Re:The first thing that comes to my mind is... (2, Interesting)

ivansanchez (565775) | more than 6 years ago | (#23988939)

I value my real money far more than imaginary swords, shields and armor that exist as bits in an entertainment company's database.

You mean that you value dollars that exist as bits in company A's DB, more than gold coins that exist as bits in company B's DB, don't you?

Re:The first thing that comes to my mind is... (4, Insightful)

maxume (22995) | more than 6 years ago | (#23989133)

The trick is that companies C, D, E, F, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y and Z also all value the dollars that exist as bits in company A's DB.

Re:The first thing that comes to my mind is... (0)

Anonymous Coward | more than 6 years ago | (#23989259)

And when you think about it, society in general values those bits in your bank's database more than your own life.

Re:The first thing that comes to my mind is... (1, Interesting)

Anonymous Coward | more than 6 years ago | (#23989053)

A fully levelled character in WoW can easily fetch $4000 or more. Whether you like it or not..

Re:The first thing that comes to my mind is... (0)

Anonymous Coward | more than 6 years ago | (#23989121)

I know Bendigo Bank in Australia does for around $40. I think the National Bank in Australia does too

Re:The first thing that comes to my mind is... (0, Flamebait)

Mascot (120795) | more than 6 years ago | (#23989147)

Sounds like an issue where you live. I don't know a single bank that allows online access without token authentication.

I would seriously question the judgement of a bank that would.

Re:The first thing that comes to my mind is... (1)

Nathonix (843449) | more than 6 years ago | (#23989233)

Nearly all American banks, sadly, do not require any sort of hardware authentication for online banking.

Re:The first thing that comes to my mind is... (1)

mattb112885 (1122739) | more than 6 years ago | (#23989153)

If every person in the world needed a unique key every time they logged in, they would need at least 14 digits. It brings back some bad memories from Legacy of the Wizard.

Re:The first thing that comes to my mind is... (1)

Steemers (1031312) | more than 6 years ago | (#23989223)

My bank (ING bank, I know it is Dutch but I don't know if it operates internationally) has used a (as far as I can tell from the Blizzard press release) similar but more advanced device from almost the beginning of its online banking service. I don't know why other banks don't since it is such a simple yet very useful thing.

Re:The first thing that comes to my mind is... (1)

26199 (577806) | more than 6 years ago | (#23989247)

In Switzerland it seems to be standard. To access my UBS account online I need: my online account card, a card reader, my "agreement number" (which is unrelated to any of my account numbers) and a six digit PIN.

Re:The first thing that comes to my mind is... (1)

Splab (574204) | more than 6 years ago | (#23989249)

Some banks around here (Denmark) support it - you do however have to specifically ask for the feature. Even the national digital signature is going to get upgraded to one time passes.

Try asking around, they might have the feature, but for a fee.

Re:The first thing that comes to my mind is... (1)

iamdrscience (541136) | more than 6 years ago | (#23989353)

Why can I get this feature for a MMORPG account, but not from my bank, or any other banks I know of?

Many banks don't offer them because it costs money to implement a system which uses them and they're really only cost-effective for customers who keep a lot of money in their accounts, so their attitude towards those customers is "if you want it, go to another bank who can offer it". Likewise, the banks that do offer them only do so for their larger customers. For example, another poster mentioned Citibank not offering security tokens, but they do, but only to their "Citibusiness" customers whose accounts surely have relatively high minimum balances and/or fees.

One of the easier banks to get a security token from is ETrade. For investment accounts you can get one for a one-time charge of $25 or for free if you have >$50,000 in assets with them or do more than 10 stocks/options trades per month. If you want one for your checking account, they have checking now too and the same rules apply, but you have to keep a minimum average balance of $5,000 to avoid fees (or have $50K in assets with them). So if you can afford to keep $5K in your checking account or you have $50K to invest with them (maybe your IRA or 401k) then getting one is no problem -- not for everybody obviously, but pretty workable if you care a lot about keeping your online banking secure.

Re:The first thing that comes to my mind is... (0)

Anonymous Coward | more than 6 years ago | (#23989475)

My bank (in Australia) provides its clients with a credit card sized digital one time pad.

Pain in the arse if you get it out of sync, but the service is there none the less.

Will surely only delay the h4x0rz? (1)

Leperous (773048) | more than 6 years ago | (#23988921)

At the moment, passwords being typed in are obviously being intercepted by a number of means (surely not just keyloggers). How long before someone works out how to intercept the one-time password from the keychain? Surely it's transmitted in much the same way as the current password, only its source is a USB device.

Re:Will surely only delay the h4x0rz? (1)

Vapula (14703) | more than 6 years ago | (#23988979)

No, it'll be an OTP token, once the password has been used, it can't be anymore...

and there will be no physical connexion with the computer, only a small LCD display which will show a 6-digit number...

Re:Will surely only delay the h4x0rz? (1)

Opportunist (166417) | more than 6 years ago | (#23989021)

Most accounts that get "hacked" today are a by-product of password sniffers that are targeting webpages (to get bank account information, CC numbers and so on). Since Blizzard, like most online game makers, use the user account information for both, the game and their boards, anyone who logs into the game's board gives away his credentials.

Re:Will surely only delay the h4x0rz? (2, Informative)

pandrijeczko (588093) | more than 6 years ago | (#23989033)

I don't know what mechanism Blizzard are planning to use for WoW but generally the authentication works by generating a random "seed" number which will only accept a single valid number as a response - the ones I see commonly at work (using a proprietary mechanism) give a 7-digit seed that require a 7-digit response.

Essentially the keychain allows you to generate the response (as a one-time password) based on being given a specific seed number.

Incidentally, the problem I have with this system isn't so much the mechanics of it but the fact that if everyone starts using them, it becomes unmanageable for the poor user.

I'm already seeing this over here in the UK where I have online banking with two banks here. Both have now sent me a small calculator-like device that I put my card into, enter my pin number and the seed number in order to get a response number to allow me to authenticate in order to do online transfers.

Although I can view my accounts without needing the "calculator", if I want the facility to transfer money no matter where I go, then I have to take these things with me. (Although, in reality, I've not yet tried to see if I can use both cards in one of them on the basis that although they look slightly different physically, they may have the same circuitry inside.)

Re:Will surely only delay the h4x0rz? (1)

Tony Hoyle (11698) | more than 6 years ago | (#23989085)

Surely all the would-be hacker has to do is buy one of these devices for himself... then it's no more secure than a password.

Re:Will surely only delay the h4x0rz? (3, Informative)

maxume (22995) | more than 6 years ago | (#23989145)

The devices each have a unique key. If I have #1, you can't use #2 to get into my account.
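The seed/response scheme and the per-device keys described in the comments above, sketched as an added example that is not part of the thread and not Blizzard's or any bank's mechanism. HMAC-SHA256 with HOTP-style truncation is an assumption, as are the names `AuthServer` and `response_for` and the sample accounts.

```python
import hashlib
import hmac
import secrets

DIGITS = 7  # the thread mentions 7-digit seeds and 7-digit responses


def response_for(device_key: bytes, challenge: str) -> str:
    """What the token computes: a keyed digest of the seed, cut to DIGITS."""
    mac = hmac.new(device_key, challenge.encode(), hashlib.sha256).digest()
    # Dynamic truncation in the style of RFC 4226: the last nibble picks 4 bytes.
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10**DIGITS:0{DIGITS}d}"


class AuthServer:
    def __init__(self):
        self.device_keys = {}  # account -> secret shared with that account's token
        self.pending = {}      # account -> outstanding seed (single use)

    def enroll(self, account: str) -> bytes:
        key = secrets.token_bytes(20)  # unique per device
        self.device_keys[account] = key
        return key

    def issue_challenge(self, account: str) -> str:
        challenge = f"{secrets.randbelow(10**DIGITS):0{DIGITS}d}"
        self.pending[account] = challenge  # replaces any earlier seed
        return challenge

    def verify(self, account: str, response: str) -> bool:
        # pop(): the seed is consumed whether the answer is right or wrong,
        # so a guess cannot be retried against the same seed.
        challenge = self.pending.pop(account, None)
        key = self.device_keys.get(account)
        if challenge is None or key is None:
            return False
        expected = response_for(key, challenge)
        return hmac.compare_digest(expected, response)  # constant-time compare


def demo() -> dict:
    server = AuthServer()
    owner_token = server.enroll("owner")        # constructed sample accounts
    other_token = server.enroll("someone_else")

    seed = server.issue_challenge("owner")
    logged = response_for(owner_token, seed)    # what a keylogger would capture
    results = {"owner": server.verify("owner", logged)}

    # The captured response is useless later: the server asks a fresh seed.
    server.issue_challenge("owner")
    results["replay"] = server.verify("owner", logged)

    # A second device holds a different key, so its answers do not match.
    seed = server.issue_challenge("owner")
    results["other_device"] = server.verify("owner", response_for(other_token, seed))
    return results


if __name__ == "__main__":
    print(demo())
```

With 7 digits, a replayed or wrong-device response still matches a fresh seed by chance about once in ten million attempts, which is why real deployments also limit the number of failed tries.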

Re:Will surely only delay the h4x0rz? (2, Informative)

Zironic (1112127) | more than 6 years ago | (#23989167)

They're meant to be account specific and brick themselves if you type in the wrong pin 3 times.

Cheap (4, Insightful)

Anonymous Coward | more than 6 years ago | (#23988959)

6 euro protecting 1000s of hours of time spent, it's a no brainer.

Re:Cheap (2, Interesting)

dtml-try MyNick (453562) | more than 6 years ago | (#23989051)

Exactly,
A while ago I read an article that a compromised WoW account is worth more on the market than a stolen cc number. Thus WoW accounts make an excellent target for trojans and keyloggers.
Even if you're a casual player you most likely have invested 100's of hours in your character/account.
The threat of losing this because you have a stupid 8 year old nephew or you just weren't paying attention with a download is very real. So 6 bucks for some extra protection is well spent money imo

Re:Cheap (1)

FurtiveGlancer (1274746) | more than 6 years ago | (#23989543)

1000s of hours of time spent

Some might claim to have "invested" their time in WoW. Your use of the term "spent" seems more accurate. Wiktionary: Adjective spent 1. Consumed, used up, exhausted, depleted. ~

Other Authentication (4, Interesting)

Anonymous Coward | more than 6 years ago | (#23988969)

I was listening to The Instance, which is a WoW podcast and one of their topics concerned Taiwanese WoW players. They had the option to sign up for a different type of secondary authentication which required them to register 3 different phone numbers. You couldn't completely log in unless Blizzard received a call from one of said phone numbers.

Considering the amount of time people have devoted into these accounts, I don't see this being that big of a deal. As a player, I'm not too sure I'd get one, as I try to avoid random websites, certain browsers and suspicious addons. The current belief now, however, is that people cracking into wow accounts are using more brute force methods instead of trojan/spyware etc etc (but it's not like those have completely disappeared.)

There's nothing wrong with a little extra security, especially when you've played for 3 years.

Man, I'm glad I never got into WoW! (0)

Anonymous Coward | more than 6 years ago | (#23988999)

I was addicted to Warcraft I and II back in the day, but the magic faded with III and I never even bothered with WoW. Looks like that was a good thing: Either I'd be horribly disappointed with the money-grubbing focus of every aspect of WoW, or I'd be willingly and blindly burning a whole lot more cash on an old addiction.

Also (5, Interesting)

Konster (252488) | more than 6 years ago | (#23989059)

I can imagine that the problem of hacked accounts is *huge* and primarily a problem on the user's end. I'd wager a guess that Blizzard's largest demographic sometimes also engages in P2P/Warez in conjunction with poor security habits. Trojan-laden warez, account sharing, piss-poor passwords and wide-open PC's; users leave themselves wide open to getting their virtual goodies ransacked and run off with.

I played WoW for 4 months a few years ago and was surprised at the number of trojans packed in the executable installers of some popular UI mods. It wasn't a very clever (but it was effective) way of farming usernames and passwords. Considering the global reach and sheer numbers of people playing WoW, and the virtual goods for real life cash trade, I wouldn't be surprised to learn about WoW-specific trojans running around in the wild. Some people make it easy for the bad guys; using the same login details on WoW related forums as their actual wow account, to purchasing gold and other items from shady websites (good way of farming cc numbers, shady websites also use cc info to pay for their own account time, leading to charge backs and other hassles) to just flat out sharing their details willy-nilly with anyone half trusting.

And there's no evil in Blizzard charging two cups of coffee for an extra layer of protection. I'm sure they've spent oodles and oodles of cash in the past dealing with these issues, so there's nothing wrong with recouping past costs and helping to avoid a portion of future expenditures.

I would appreciate separate user names and passwords for account management and character login, too.

Re:Also (5, Insightful)

jamesh (87723) | more than 6 years ago | (#23989269)

And there's no evil in Blizzard charging two cups of coffee for an extra layer of protection. I'm sure they've spent oodles and oodles of cash in the past dealing with these issues, so there's nothing wrong with recouping past costs and helping to avoid a portion of future expenditures.


I don't even think they are trying to recoup costs, it's just a token amount so that every single user doesn't click the 'give me a free token' button. People love getting free stuff, even if they don't need it (or is it just my wife that does that? Hi wife, if you are reading this :)

Obviously these keys are VERY powerful. (0)

Anonymous Coward | more than 6 years ago | (#23989069)

I demand that they be nerfed immediately.

Re:Obviously these keys are VERY powerful. (1)

Nathonix (843449) | more than 6 years ago | (#23989257)

never gonna happen, it's druidic. now if a rogue keyfob were to become an issue, you can damn well bet it'd get nerfed faster than you can say dual-wield

Long Term evolution... (5, Insightful)

Vapula (14703) | more than 6 years ago | (#23989113)

Phase 1 : OTP is a plus that you may buy
Phase 2 : A free OTP token with each WoLK extension sold
Phase 3 : A collector edition with WoW+BC+WoLK+token
Phase 4 : Mandatory token for all accounts

That way, they cut the grass under the feet of the Chinese farmers who sell ready to play accounts and to the reselling of accounts on eBay and such...

Re:Long Term evolution... (1, Insightful)

Anonymous Coward | more than 6 years ago | (#23989229)

Quite the opposite, I'd think... an account is tied to a physical token this way. You actually make it easier to sell accounts. All that is being increased are postage costs. The whole process is safer for buyer and seller too...

Entropia Universe already does this for long time (1, Insightful)

Anonymous Coward | more than 6 years ago | (#23989163)

Entropia Universe already provides a "smart card" + reader for OTP authentication.

It used to be you needed to pay about 15 USD for it, but as of about 4 months ago, they're giving it free to anyone who has spent about 500 USD minimum in the game.

Everyone else can still pay the small amount to get the device.

Gameshow (2, Informative)

Anonymous Coward | more than 6 years ago | (#23989435)

For the record get hacked on any MMO other than WoW and know what they tell you? Tough titties. This isn't about fleecing its customer base, it's noticing a growing problem and leading the field in security nipping it in the bud. And name changes and realm changes were only introduced at the crying, demanding and pleading of its customer base. The financial aspect is a hurdle to prevent abuse imho.

Do you pay for customer service? (1)

javajeff (73413) | more than 6 years ago | (#23989503)

Blizzard has people paying for customer service. I did not like the server I was on with my son, so we were required to pay $25 per character to move. We had three characters to move, so that would have been $75. Each of my accounts has spent over $300 up to that point, and we were committed to staying with the game. We have been off of WOW for about a year now, and that would have been $360 of revenue for the past year that they could have received from me. However, I refused to pay for what I consider to be customer support. It is their game design that puts people on servers without knowing how good the connection will be or what the people will be like. Name changing should also be free as well. They find ways to charge people for what should be considered customer service. The game is a service and people do not have to buy it.

Re:Do you pay for customer service? (0)

Anonymous Coward | more than 6 years ago | (#23989539)

Blizzard has people paying for customer service. I did not like the server I was on with my son, so we were required to pay $25 per character to move. We had three characters to move, so that would have been $75. Each of my accounts has spent over $300 up to that point, and we were committed to staying with the game. We have been off of WOW for about a year now, and that would have been $360 of revenue for the past year that they could have received from me. However, I refused to pay for what I consider to be customer support. It is their game design that puts people on servers without knowing how good the connection will be or what the people will be like. Name changing should also be free as well. They find ways to charge people for what should be considered customer service. The game is a service and people do not have to buy it.

You can "consider" customer support to include a hand job ... don't mean squat. Take these expectations to any MMO ...go ahead ...on Age of Conan my petition was answered over a day later. You pay 15 bucks a month bub (that's new content, bug fixes, and basic server maintenance), now think about how much time you deserve from someone getting paid by the hour.

About time.. (0)

Anonymous Coward | more than 6 years ago | (#23989505)

Every time I saw yet another blog about how someone's account got hacked and Blizzard did nothing to stop it, I'd always drop a comment about OTP and a hardware device/USB token or tying your login/password to your system's hardware in some way.

Nice to see they finally got serious about it. Account stealing is big business. It's by far the easiest way for "Gold Farmers" to farm gold.

What does a recently hacked person do who has no items or money? Yeah they buy gold. So they hack your account, steal your gold and then sell it back to you. Brilliant!

Ever think about other markets? (0)

Anonymous Coward | more than 6 years ago | (#23989529)

Ever think about other markets such as the Korean market where most people use an internet cafe to access the game instead of their own computer? Having an authentication like this could be extremely valuable to those who are not playing on their own computers. And remember these areas have been known to beat and kill each other over this kinda stuff.
