Blizzard Authenticators May Become Mandatory

Soulskill posted more than 4 years ago | from the gotta-take-off-your-shoes-too dept.

Security 248

An anonymous reader writes "WoW.com is reporting that a trusted source has informed them that Blizzard is giving serious consideration to making authenticators mandatory on all World of Warcraft accounts. The authenticators function the same as ones provided by most banks — in order to log in, you must generate a number on the external device. Blizzard already provides a free iPhone app that functions as an authenticator. The source stated, 'it is a virtually foregone conclusion that it will happen.' This comes after large spates of compromised accounts left Blizzard game masters severely backlogged by restoration requests."


No thanks (0, Troll)

sopssa (1498795) | more than 4 years ago | (#30705692)

Sure it might work with just one game, but what about if this starts a trend and all online games start to require such? No thank you.

We do not use such USB devices with banks here btw, instead everyone has an account number and running list of one-time codes, with a second list of confirm codes. It's a little pain but incredibly secure. However, it's not something to use with games.

Instead of mandatory, please at most make it only the default option so those who want to can turn it off.

Re:No thanks (2, Informative)

Anonymous Coward | more than 4 years ago | (#30705712)

Most of them are not USB devices. Just simple fobs with a push button and cheapo LCD display.

Re:No thanks (1, Troll)

bertoelcon (1557907) | more than 4 years ago | (#30705732)

Agreed. Also, do they plan on putting them out other ways for free if they try this. When I looked into one you had to buy the thing from Blizzard for like $25 or something. I know there is a free iPhone app but what if you don't have an iPhone? Anyone know if they have other authenticator apps for other platforms?

Re:No thanks (3, Informative)

compro01 (777531) | more than 4 years ago | (#30705802)

Re:No thanks (0)

Anonymous Coward | more than 4 years ago | (#30706004)

The downloadable authenticator app for the iPhone is free.

Re:No thanks (1)

flimflammer (956759) | more than 4 years ago | (#30706562)

It's not limited to the iPhone either. They have apps for many many phones.

Re:No thanks (4, Informative)

MajroMax (112652) | more than 4 years ago | (#30705826)

Also, do they plan on putting them out other ways for free if they try this. When I looked into one you had to buy the thing from Blizzard for like $25 or something.

The authenticator is hardly $25. In the US [blizzard.com] , it's $6.50 with free shipping, and in the EU [blizzard.com] it's EUR6.99 also with free shipping. The price covers the cost of the physical unit and (obviously) the shipping. Blizzard's hardly making a killing on these.

For mobile authenticators, the Blizzard Website [blizzard.com] has more detail. The short version is that the Mobile Authenticator is available on a wide range of phones, depending on provider. Support isn't universal, though.

That said, the only time Blizzard could make Authenticators mandatory would be at a game-changing event, like the release of the next expansion. If they go ahead and do that, they'd probably throw Authenticators in the box, to automatically have near-total distribution. Their biggest concern is probably whether they can source a few million of them.

The long and short of it is that account theft is a big problem, both for Blizzard and for people who play WoW. Not everyone has a locked-down system, and phishers are using tactics formerly reserved for actual banks to try to get account info. Players have to deal with having their account possibly stolen, Blizzard has to deal with perpetual requests (some possibly fraudulent!) to restore characters/items, and the game as a whole suffers from the RMT that goes on.

I, for one, welcome our Keyfob and Mobile-Authenticating Overlords.

Re:No thanks (1)

Narpak (961733) | more than 4 years ago | (#30706324)

Personally when I have to log into my bank account I have to use a generated code from my security token, my personal number (provided by the state at birth), and my BankID [bankid.no] code (site in Norwegian only). And so far I have yet to have my bank account hacked. That being said neither have I had my WoW account hacked, though having used computers since getting my very own 486 back in the day; I have learned (sometimes from very bad experiences) to take my computer security seriously. Over the last three years (or more) with the exception of tracking cookies my computers have been clean for viruses and spyware at every scan (much like many other Slashdotters I reckon).

Though as the poster above mentioned if Blizzard does introduce security tokens, and I reckon they will especially since accounts are Battle.net now and not WoW specific, it will probably be packed with the next expansion. Personally I think it might be a good thing all in all, especially if it helps lower account theft. Though it would also help if people in general got some more instruction into how to keep their stuff secret and safe beaten into their skulls. I have family members (don't we all) that use their computers for online banking, among other things, yet fail to update spyware/virus scanners, firewall software, browsers and etc. And no amount of additional layers of login security will ever fully compensate for user ignorance.

Re:No thanks (1)

Opportunist (166417) | more than 4 years ago | (#30706340)

It would already be a huge leap ahead if Blizzard didn't use the same logon credentials for their user forum that is used to log into the game. That alone is certainly the source of many stolen accounts, given how easy it is to sniff passwords out of a browser.

Re:No thanks (0)

Anonymous Coward | more than 4 years ago | (#30706378)

The biggest problem I have with the Authenticator is that it prevents sharing accounts. I know you're not "supposed to" but me and a friend have been sharing our WoW accounts with each other since we started, and we shared our Final Fantasy 11 accounts before that. Because my friend lives on the other side of America it will be next to impossible to log him on real quick to cut a few gems for me if Authenticators become mandatory.

Re:No thanks (1)

Rakarra (112805) | more than 4 years ago | (#30706414)

Do you use Ventrilo or some other voice server? Or even a phone call? The authentication codes the authenticators give are good for 10-15 seconds, so if you still wanted to do it that way..

Re:No thanks (1)

PhilHibbs (4537) | more than 4 years ago | (#30706536)

They are valid for a 30 second window, and at that point the new code is generated and the old code expires. So over the phone you would probably want to wait for a new code to be generated and then read it out so you have the full 30 seconds to get it understood and entered accurately.

Re:No thanks (1)

MBGMorden (803437) | more than 4 years ago | (#30706958)

I'm guessing that it's probably good for up to a 1 minute window. Think about it - if you press the button 2 seconds before the current window closes you're going to get 1 code and the active one will be different by the time you finish typing it.

Though I have no hard evidence, my guess is that Blizzard will accept either the active code or the one immediately preceding it in the sequence.

Either way, the GP answered his own question: you're not supposed to share accounts. Blizzard doesn't care if they make that a bigger headache than it's worth.

Re:No thanks (1)

thesandtiger (819476) | more than 4 years ago | (#30706588)

His complaint doesn't even make sense - it isn't like cutting gems requires anything other than clicking a button, so if his friend has access to his account to do that, he'd have access to do that too, not needing his friend at all.

And even if it did require his friend to log in, IM would be more than sufficient for this purpose.

Re:No thanks (2, Insightful)

insufflate10mg (1711356) | more than 4 years ago | (#30706866)

Right, right, but his complaint does make sense. I believe in WoW one may have multiple characters per account; one of his characters has the ability to "cut gems" and the others have different abilities. As of now, both he and his friend know the account password; when his friend isn't around, he logs in to the account using the shared password and uses the gem-cutting character. If WoW was to implement the fobs/mobile authenticators as a default and mandatory security measure, he would no longer be able to share the account with his friend and it would become far more difficult to use his friend's abilities on a whim. It's an understandable concern (whether WoW account sharing is encouraged or discouraged) because it is very popular for friends to share accounts.

Re:No thanks (1)

thesandtiger (819476) | more than 4 years ago | (#30706928)

Ah, yes, it makes sense, I see - I thought they were talking about sharing 1 account, not 2 - so the gem cutting character would be on a different account.

I suspect that a lot of the hacked accounts are caused by people sharing, though.

Re:No thanks (0)

Anonymous Coward | more than 4 years ago | (#30705790)

Not sure about the WoW tags (which presumably will go for all of Blizzard's upcoming games, Diablo 3 and Starcraft 2 included), but S-E's FFXI/FFXIV/Front Mission Online/assorted minigames all rely on a single RSA-style tag that hashes a unique salt and the current time and displays a 6-digit key to be checked on the server. This makes it more than convenient enough for game use.
I'd say that having a whole keychain full of these could be inconvenient and overkill, but it's not like you need to carry them in public, and I really doubt even most hardcore gamers would need more than three or four at one time (Steam, Blizzard, Live, PSN?) Likewise, the cost could get annoying, but a one-time $10 charge (including delivery) with an in-game kickback isn't too bad at all.

Re:No thanks (4, Insightful)

grumbel (592662) | more than 4 years ago | (#30705824)

but what about if this starts a trend and all online games start to require such?

Maybe secure login will then become a common practice and devices will be standardized and we will live in a bright shiny future where login is no longer done by the most primitive system imaginable.

I mean seriously, passwords are among the weakest chain when it comes to security today and not something that can be fixed by 'educating the user' (last time I counted I had around 100 passwords), it wouldn't hurt to replace them with something that is more secure and more comfortable to use, even if it might be a bit painful at first.

Re:No thanks (1)

Xugumad (39311) | more than 4 years ago | (#30706294)

I would love to see password authentication replaced with using PGP-style signing. Never actually send the private key to the remote system, but instead when you signup you say "This is me" by giving them your public key and they then know the person with the matching private key is you.

Of course, somehow the private key would need to be kept somewhere viruses can't extract it outright, which means a USB dongle or similar that does the signing on request, which is more stuff...

Re:No thanks (1)

Opportunist (166417) | more than 4 years ago | (#30706362)

Explain please how you want to keep a virus (trojan, actually) from accessing a USB key that is plugged into the computer. You don't think people would ever remove it and only plug it in when they want to log in, do you?

Not to mention that reading from the USB dongle and transferring the private key elsewhere should be trivial even if they're only plugged in for a rather short amount of time. If certain software installed in the computer can read it, any malware installed in the computer can.

Re:No thanks (1)

grumbel (592662) | more than 4 years ago | (#30706438)

The USB stick wouldn't just store the key, it would also handle all the encryption and authentication too, so the private key would never leave the USB stick and there would be no way to access it.

The stick could additionally verify that you are really talking to the server you mean to and not to a man-in-the-middle and on top of that the encryption could be protected by a pin, entered on the USB stick itself, to secure against theft and keyloggers.

Such an encryption scheme could be made pretty much rock solid.

Re:No thanks (4, Interesting)

fm6 (162816) | more than 4 years ago | (#30705856)

what about if this starts a trend and all online games start to require such?

This business of every application requiring its own password is a problem in itself. (I've got 400 passwords in my Roboform archive!) That's why so many sites are adopting OpenId [openid.net] .

Re:No thanks (1)

Mr. Freeman (933986) | more than 4 years ago | (#30705910)

400 passwords that you use, or 400 that you've used at one time or another in the past 10 years? There's a little bit of a difference.

I'm going to call bullshit and say that you don't use more than 20 passwords or codes on a weekly basis.

Re:No thanks (1)

sopssa (1498795) | more than 4 years ago | (#30705932)

What? I also interestingly have about 400 passwords in my keepass. No, I do not frequent ALL of them so often. The point is that every site or service has a different password. It's just stupid to use the same one in several.

Re:No thanks (1)

Zencyde (850968) | more than 4 years ago | (#30706546)

I'd like to see what you do should you lose your data. :) I keep tiers of passwords depending on how much security I need. I only need 3 or 4 passwords offhand. Decent enough and the passwords increase in strength as security becomes more important.

Re:No thanks (1)

fm6 (162816) | more than 4 years ago | (#30706002)

Twenty is about right. So what? All the passwords represent logins that I had to use at least once. And even 20 is too many for good security.

Re:No thanks (1, Interesting)

Anonymous Coward | more than 4 years ago | (#30706032)

First, every heavy web user has a huge number of logins. Sure, some people use the same passwords for all the web sites they use but that doesn't make them the same logins...

Second, are you implying the passwords we use only bi-weekly (or even once a year) are not important, that remembering them is not required? I use my login at the domain name registry every three years but I consider it fairly important.

Re:No thanks (1)

Opportunist (166417) | more than 4 years ago | (#30706380)

Considering that some people have troubles remembering their ATM pin, 20 different passwords is quite a feat.

I remember passwords easily. Even arbitrary ones. I even know my credit card number including all relevant details. But I also know that it's hard for some people to remember just 4 digits that ain't part of their birthday.

Re:No thanks (1)

Mr. Freeman (933986) | more than 4 years ago | (#30705928)

Where is "here"? Your list of codes seems like a large pain in the ass. These are not USB devices we're talking about, they're things about the size of a pack of gum (the ones with 5 sticks (that's five, not the brand 5)) with an LCD on them. They display a random number and a little bar that decreases over the course of a minute or so. Every minute, new code.

Re:No thanks (1)

sopssa (1498795) | more than 4 years ago | (#30705954)

It's the list of codes in Scandinavia and probably other European countries too. It's not actually so pain in the ass, you keep your list near your computer in drawer or so. My bank account with my money is something I can do with little inconvenience, because a running two-tier list of codes is unbreakable* with keyloggers or such. But I'm not gonna put up with tens of games requiring the same kind of inconvenience.

* in theory it would still be possible for a trojan to modify your web session in real-time, but this security model still is the best one available and I cannot understand why US doesn't use it instead of just plain username/password.

Re:No thanks (1)

beelsebob (529313) | more than 4 years ago | (#30706118)

I don't get it... Here, we have little card readers. The bank sends a challenge, you put your card in the reader, type in the challenge and your pin, it gives a response which you type back into the web page. Simple.

Re:No thanks (4, Informative)

Jthon (595383) | more than 4 years ago | (#30705958)

You seem to have totally misunderstood how the authenticators work. They are decidedly NOT USB dongles.

An authenticator is a changing key generator, which shows you a one time key when you hit a display button. You then type this key in after entering your username and password to log onto the game. This is very similar to the RSA SecurID token my work requires I use to log onto our VPN.

Basically the keyfob contains a pseudo-random number generator which generates a new key every few seconds. The authenticating server knows the original seed, and can figure out the currently "valid" number shown on the key. Since each code is only valid for about 30 seconds, this makes it significantly harder to hack the account.

In fact this system is more secure than any system my bank uses, as very few banks in the US even give you the option of using a system like this.
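The scheme described in the comment above, together with the acceptance-window question raised earlier in the thread (whether the server also takes the immediately preceding code), shown as an added example that is not part of any poster's comment and is not Blizzard's code. It assumes the standard RFC 6238 TOTP construction (HMAC-SHA1, 30-second step, 6 digits), since the authenticator's actual algorithm is not given on this page; `WindowedVerifier` and the sample secret are illustrative names and values.

```python
import hashlib
import hmac
import struct

STEP = 30      # seconds per code, the window the thread describes
DIGITS = 6

# Constructed sample seed: the published RFC 6238 test key, not a real token seed.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """One-time code for a given counter (RFC 4226 dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, digits: int = DIGITS) -> str:
    """What the token displays at Unix time `now`."""
    return hotp(secret, int(now) // STEP, digits)


class WindowedVerifier:
    """Server side: shares the seed, recomputes the code, tolerates typing delay.

    back_steps=1 accepts the current code or the one immediately before it,
    so a code read two seconds before rollover still works. Each time step
    is accepted at most once, so a code captured by a keylogger cannot be
    replayed inside its validity window.
    """

    def __init__(self, secret: bytes, back_steps: int = 1):
        self.secret = secret
        self.back_steps = back_steps
        self.last_used = -1   # highest time step already consumed

    def verify(self, code: str, now: float) -> bool:
        current = int(now) // STEP
        matched = None
        # Check every step in the window without exiting early.
        for counter in range(max(0, current - self.back_steps), current + 1):
            expected = hotp(self.secret, counter)
            if hmac.compare_digest(expected.encode(), code.encode()):
                matched = counter
        if matched is None or matched <= self.last_used:
            return False      # wrong, expired, or already used
        self.last_used = matched
        return True


if __name__ == "__main__":
    server = WindowedVerifier(SECRET)
    code = totp(SECRET, 58)                  # button pressed at t=58
    print("typed at t=62:", server.verify(code, 62))   # one step late
    print("replayed at t=63:", server.verify(code, 63))
    print("strict server at t=62:",
          WindowedVerifier(SECRET, back_steps=0).verify(code, 62))
```

Widening `back_steps` trades convenience for a longer period in which a phished code stays usable, which is why the single-use check matters as much as the window size.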

Re:No thanks (1)

sopssa (1498795) | more than 4 years ago | (#30705986)

Yeah, I noticed that afterwards, wonder where the USB dongle thingie came from. But the point is still quite same - if all online games start to require such, it's really inconvenient. It would be even more inconvenient if my PS3/360/Wii would require it after I have sat down on the sofa to play something. Security is good, you should have the option for people to use it to max, but you shouldn't force it down to people. Make it default option, sure. But have an option to turn off the extra security if user wants to.

Re:No thanks (1)

Jthon (595383) | more than 4 years ago | (#30706060)

I agree it would become inconvenient, but in general 99% of games probably will never require it. The big problem is that WoW items have real world value. People sell game items and gold on the black market, and there's real money to be made by hacking unsuspecting people and taking their stuff. Basically criminals are hacking into people's accounts, stealing their virtual items and liquidating it all for gold, then stealing their in game gold and selling it to other players via black market sales.

Blizzard currently attempts to restore items from accounts which have been ransacked, but it takes a large number of man hours to go through all their logs and investigate all these hacking occurrences. They're looking to add this extra security as a way to significantly reduce the number of hacked accounts, and reduce their costs with investigating these issues.

So until other games on the PS3 and XBOX become big targets for hackers who are trying to make real world money, I don't think we'll see these authentication schemes on your console. There's really no value in stealing my PS3 trophies. The problem here is that criminals have found an easy and fairly lucrative target in trading WoW gold.

Re:No thanks (1)

K-Mile (906254) | more than 4 years ago | (#30706068)

I assume if consoles start using this technology, they would integrate the keyfob into your controller. Most consoles have a way of placing an extension into a controller, so if you register your controller or keyfob serial when you buy the game, the system can figure out it's you, unless someone physically steals or uses your controller. It's actually easier for consoles, since there the security system can be provided by Nintendo / Microsoft / Sony, instead of each publisher individually.

Re:No thanks (1)

MBGMorden (803437) | more than 4 years ago | (#30706996)

The controller is not a good place for it, because the console has access to the controller. The great thing about the Blizzard authenticator is that it's completely disconnected from the computer. You don't plug it in and the computer doesn't read anything off of it. You have to manually press the button and type in the code it shows. That sounds annoying, but keeping it that way ensures that a virus or other malware CANNOT access the information on it.

Re:No thanks (1)

K-Mile (906254) | more than 4 years ago | (#30707046)

That's true, although I think (no hard data though) a large portion of account theft happens through social engineering.

Malware on consoles is a lot less common, so this could at least rule out a significant portion of abuse without bothering users too much. To abuse a gamers account, malware would need to be installed on the console, and be able to login to the game and abuse your account data there, all from the console that the (activated) controller is paired with, while it is turned on, possibly without the player noticing. I never heard of such sophisticated malware for consoles, but it could happen, obviously.

Not as secure as the Blizzard Authenticator (which I use and works great!), but perhaps good enough to prevent password theft.

Re:No thanks (1)

lbbros (900904) | more than 4 years ago | (#30706252)

if all online games start to require such, it's really inconvenient.

FWIW, other MMOs have started to use this as well. Final Fantasy XI users can use a token like this (I do, in fact), and the same token will also be used for the upcoming Final Fantasy XIV. It's not mandatory, though.

Re:No thanks (1)

Narpak (961733) | more than 4 years ago | (#30706350)

There are quite a few variations among security tokens [wikipedia.org] . The one I have requires me to type in a 4 digit pin code before it gives me a random number that I have to use in combination with a password and birth code.

Re:No thanks (1)

AlXtreme (223728) | more than 4 years ago | (#30706674)

Basically the keyfob contains a pseudo-random number generator which generates a new key every few seconds. The authenticating server knows the original seed, and can figure out the currently "valid" number shown on the key.

Wouldn't reverse-engineering the keyfob (or even computing an X number of keys and some background on the algorithm used) reveal the original seed and make the whole process useless?

One of the banks I use provides a card reader where you have to enter your PIN to generate a key for every login / transfer. Even though I've been using it for many years I've always wondered if it really is more secure than a username / password + one-time SMS codes or the like.

Re:No thanks (1)

Graff (532189) | more than 4 years ago | (#30707206)

Wouldn't reverse-engineering the keyfob (or even computing an X number of keys and some background on the algorithm used) reveal the original seed and make the whole process useless?

Each authenticator has a unique seed and so you'd need to do this for each account you want to hack. The scope of such an activity makes it so tough to do that it's not economical even if it is possible.

Re:No thanks (1)

Azzmodan (96691) | more than 4 years ago | (#30706096)

My bank uses a text message that sends you a code, but you can choose for the old fashioned list of codes.

You can even request a couple codes in advance for when you'll be going somewhere and you know you don't have access to your cellphone.

I quite like the text message system over the physical device that some other devices/blizzard's authenticator use because I'll have my cell phone with me everywhere, but the physical device is unlikely to travel with me.

Re:No thanks (0)

Anonymous Coward | more than 4 years ago | (#30706158)

As an aside, the Blizzard authenticator will (does?) function for all battle.net games, not just World of Warcraft.

Re:No thanks (1)

Opportunist (166417) | more than 4 years ago | (#30706336)

Just to inform you, our banks dumped the one-time code lists when it became obvious that they are anything but secure. We're now at mobile TANs (basically you get a one time code via text message to a predefined phone). Which is secure as long as your phone doesn't get stolen along with your account credentials.

Re:No thanks (2, Insightful)

MORB (793798) | more than 4 years ago | (#30706358)

I would hate for it to become mandatory. I just don't need it because (and I don't think I'm alone with these reasons):

1. I'm not an idiot and am careful enough that someone stealing my account is unlikely
2. Losing my wow account wouldn't even be a big deal to me, it's not like leveling a character and gearing it up takes ages
3. I don't want to rely on a physical object that I can lose or misplace to log in into a game.

Re:No thanks (2, Insightful)

Kjella (173770) | more than 4 years ago | (#30706722)

1. Most people who have their account stolen probably think the same
2. That probably works both ways, if you don't care much then maybe you won't
3. It's hardly worse than a CD check (a physical object needed to play)

In general, I disagree about the "no big deal" - at least not to Blizzard. I have lost lots of savegames on occasions, particularly one nasty hdd crash, and the result is that I look at it and go "Meh, I'd have to do all that over again" and end up never getting started. You don't need to be an epic-spec'd god to think it's extremely frustrating going back to fighting lvl 1 creatures with your puny sword of dullness. For a single-player game then who cares, they got their money already and I'll probably find a new one and everyone will tell me I should have taken backups. Lose your WoW account? Straight hit to their revenue, plus other players fear it'll happen to them and there's no easy way to make sure their machine never will be compromised and their login stolen.

Basically, you're not worried because you're not the one taking most of the hurt. Like I don't fear that much that someone will abuse my visa card, unless I've been careless my exposure is quite limited. But visa definitely cares, which is why I got a free new card with chip in addition to the magnet stripe. To be honest, they're probably more worried about losing customers like you that just don't care that much. The wowholics would be back at grinding pretty soon no matter what.

Re:No thanks (1)

MORB (793798) | more than 4 years ago | (#30706760)

1. Most people who have their account stolen probably think the same
Which doesn't really matter.

3. It's hardly worse than a CD check (a physical object needed to play)
And indeed CD checks ARE annoying as hell. The first thing I do when I purchase a game that has a CD check is to grab a cracked binary from the web.

Re:No thanks (2, Interesting)

thesandtiger (819476) | more than 4 years ago | (#30706758)

1) It isn't a matter of idiocy on the end-user's part when you have major companies releasing extremely exploitable software and patches that introduce even more security flaws. I sure hope you don't run any software that you personally haven't looked at the source, compiled yourself, and know is 100% secure, because otherwise you're an idiot, by your own lights.

And, I have to say, does it make me an idiot that I'd rather spend 5 seconds each time I log in (maybe 10 seconds a day) using something like this, instead of spending 5 minutes (or hours, when patches are completely broken) every day keeping my computer secure? Hm... 10 seconds and I get extremely good (as in, it works to protect banking it'll damn sure be enough to protect my ability to slay Internet Dragons) security vs. 5 minutes (or more) and MAYBE my security is good, but maybe whoever distributed the patch screwed it up... Yeah, I guess only idiots would need or want to use this!

2) Is your time really worth so little that having to re-do something to get back to where you were if your account got hacked isn't a bother? Or maybe you just really like redoing stuff? I liked getting my characters to 80 and getting them geared up, too, but now that they are I'd really rather not have to redo it because someone slipped an ad with malware attached through to a site (slashdot) that I'm trying to support by not blocking ads...

3) Double sided tape. I have mine attached to my monitor because that's the only place I'd use it. I've lost my glasses when I was wearing them atop my head; I've not lost this thing yet because it's stuck to my monitor. I even didn't have a hard time reattaching it to the new monitor I just bought.

Re:No thanks (1)

MORB (793798) | more than 4 years ago | (#30706832)

1) It isn't a matter of idiocy on the end-user's part when you have major companies releasing extremely exploitable software and patches that introduce even more security flaws. I sure hope you don't run any software that you personally haven't looked at the source, compiled yourself, and know is 100% secure, because otherwise you're an idiot, by your own lights.

How do you explain that people seemingly get their wow accounts stolen more often than, say their credit card numbers? Do you really think that hackers target WoW more or that those people just tend to be careless with their accounts?
I don't install much of anything on windows anyway, I use it only for gaming. I do everything else in linux.

2) Is your time really worth so little that having to re-do something to get back to where you were if your account got hacked isn't a bother? Or maybe you just really like redoing stuff? I liked getting my characters to 80 and getting them geared up, too, but now that they are I'd really rather not have to redo it because someone slipped an ad with malware attached through to a site (slashdot) that I'm trying to support by not blocking ads...

I guess that I'm not a very typical wow player. The endgame bores me. I used to have fun at endgame by ganking people, but now the game's all about grinding instances for gear and the only difficult part is winning the loot roll when something drops. Leveling is actually more fun than that because you can still have to play hide and seek with people of the opposite faction from time to time. But indeed, I seldom play wow at all nowadays.

3) Double sided tape. I have mine attached to my monitor because that's the only place I'd use it. I've lost my glasses when I was wearing them atop my head; I've not lost this thing yet because it's stuck to my monitor. I even didn't have a hard time reattaching it to the new monitor I just bought.

I'm not going to tape all kind of crap to my monitor. And what if I want to play from somewhere else than home? I often play wow during lunch breaks with some coworkers, for instance.

Essentially, it should be a matter of personal choice. I should be the one deciding how secure I want my account to be. But of course, as usual wow has to cater to the lowest common denominator and people too stupid to keep their account secure.

Re:No thanks (2, Insightful)

thesandtiger (819476) | more than 4 years ago | (#30706910)

You misunderstand - I'm saying that it is possible (easy, in fact) to get your WoW information stolen without you, personally, being an idiot, not that many people who play WoW are not idiots. I do suspect that a large portion of the accounts that have been compromised belong to people who take less precautions giving that information out than they do with their credit cards - but that's not the only way it can happen.

I was objecting to your seeming "all or nothing" categorization of people as idiots or that people who are not idiots cannot get their accounts hacked.

As to the tape - you can get it with velcro, which will let you remove the thing to bring with you. Or get the version for your phone. It isn't like there's "all kinds of crap" taped to my monitor, either. Certainly if your desk is so messy you would be prone to misplace your fob, a thing taped to your monitor will not mess up the space even further!

Re:No thanks (1)

MORB (793798) | more than 4 years ago | (#30707074)

I'm not saying that your account can't get hacked if you're not an idiot, but that I'd much rather risk that than have to use an authenticator.

get used to it. this is going to be common (2, Insightful)

timmarhy (659436) | more than 4 years ago | (#30705728)

it's ironic that 10 years ago many professional applications used dongles for licensing and access. now it's basically coming back in.

i think it's a good thing though, if it wasn't for lax security there wouldn't be so many thieving pricks in the world. now we just need to convince credit companies to use the same level of security that a bloody computer game uses and we might all be better off.

Re:get used to it. this is going to be common (1)

munrom (853142) | more than 4 years ago | (#30705846)

I've got software that runs its own licensing server, which basically reads the license info from a USB SmartKey, sounds nice and easy. How the smeg am I supposed to cluster THAT! You seen how many USB ports a rack mount server has? Not many is the answer. That's all I need, a fragile USB hub hanging out the back of the server!

Re:get used to it. this is going to be common (1)

omglolbah (731566) | more than 4 years ago | (#30707216)

1. Get a rack mounted box.
2. Install usb hub in box
3. ????
4. profit?

Or nag the vendor to allow some other form of licensing... that system sounds horribly old school.

ps, I know how hard it can be to get the crud running.. I battle with such problems at work all the time

Re:get used to it. this is going to be common (0)

Anonymous Coward | more than 4 years ago | (#30705970)

i don't see the point here, blizzard authenticator is not a USB dongle, it's more like an RSA SecurID card.
(yes the blizzard packaging looks like a usb dongle...)

Re:get used to it. this is going to be common (1)

thenextstevejobs (1586847) | more than 4 years ago | (#30706098)

Hope it's not flamebait but: You must have some huge balls on you, using 'ironic' on Slashdot and thinking that you're not going to get a firm talking to for your use of the word.

Re:get used to it. this is going to be common (4, Informative)

Bill_the_Engineer (772575) | more than 4 years ago | (#30707134)

Dongles were used to curb piracy. Blizzard doesn't have that concern because of the subscription model.

However a large portion of Blizzard's customers access their WoW account from internet cafés and gaming bars. Since some of these public machines have key logging software installed, Blizzard is experiencing a large number of customer service requests complaining about "hacked" accounts. One way to counter the key logger is by requiring an Authenticator.

Currently use of the Authenticator is optional. Blizzard has learned a lesson that if it's optional it won't work because people don't see the need to spend the extra money or download a free app.

iphone app? (0)

Anonymous Coward | more than 4 years ago | (#30705744)

why not just make it a PC app and get it over with?

Better idea... why not just enforce good password practices and educate your users?

Re:iphone app? (3, Insightful)

Microlith (54737) | more than 4 years ago | (#30705788)

Why not a PC app? Potential for compromise. A keyfob removes all question.

And why not educate users? Because Blizzard doesn't have the time or money to deal with angry children who refuse to remember a random 8 character password. Never mind people who do have a good password and log on via their friend's compromised system.

Re:iphone app? (1)

BikeHelmet (1437881) | more than 4 years ago | (#30706454)

I like this second layer of defense. Even under a worst-possible-situation where your password gets sniffed, account hijacked, and password changed... (which would itself take extreme dedication, because of the sub-30s window) nobody can log in again without your keyfob.

This should utterly eliminate casual account theft.

Click here for gold! (1, Funny)

Anonymous Coward | more than 4 years ago | (#30706814)

Click here for gold!

World of Warcraft is running a special promotion! Click here to see if you've won! Note: You will have to log in, in order to see if you are a winner. Please type in the following information:

Username:
Password:
Six-Digit Lottery Code:

Thanks and good luck!

Re:iphone app? (1)

Opportunist (166417) | more than 4 years ago | (#30706406)

1) A PC application would just be hijacked along with the rest of the PC. You either need a second channel to increase the security or, as it is done in this case, two tools at both ends that generate identical tokens for which the generation is not known outside the authorized parties. If that tool would reside on the compromised machine, the generation seed would be compromised as well, rendering the whole system useless.

2) Good passwords mean jack if the attacker knows the password. Those passwords are not guessed, they are phished. You can have a 20 byte random alphanumeric password and it is not worth anything if the attacker knows it.
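An added example, not part of the comment above and not Blizzard's code: the shared-seed scheme that comment describes, sketched with the public RFC 6238 TOTP algorithm as a stand-in, since the thread does not say which algorithm the Blizzard Authenticator uses. The 30-second step, the drift allowance and the `Verifier` class are assumptions; the seed is the RFC test key, not a real one.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per code (assumption; the thread only mentions a "sub-30s window")
DIGITS = 6   # the thread describes a six-digit code


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int) -> str:
    """What the fob or phone app shows: HOTP keyed on the current time step."""
    return hotp(seed, unix_time // STEP)


class Verifier:
    """Server side (hypothetical class): holds the same seed as the device.

    Two defensive details matter here:
      * only a small clock-drift window is accepted, so a captured code goes stale;
      * each time step is accepted at most once, so a code that was keylogged or
        phished and then replayed inside its window is still refused.
    """

    def __init__(self, seed: bytes, drift_steps: int = 1):
        self.seed = seed
        self.drift = drift_steps
        self.last_counter = -1  # highest time step already consumed

    def verify(self, code: str, unix_time: int) -> bool:
        now = unix_time // STEP
        for counter in range(now - self.drift, now + self.drift + 1):
            if counter <= self.last_counter:
                continue  # already used, or older than a used step: replay
            if hmac.compare_digest(hotp(self.seed, counter), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    seed = b"12345678901234567890"        # RFC 6238 test key (constructed input)
    server = Verifier(seed)
    code = totp(seed, 59)                 # device and server never exchange the seed
    print(code, server.verify(code, 59))  # first use is accepted
    print(server.verify(code, 60))        # same code one second later is refused
    print(server.verify(code, 200))       # and it is useless once the window passes
```

Everything rests on the seed staying off the machine that types the password: anyone holding a copy of `seed` can call `totp()` for any future time, which is the reason the comment gives for keeping the generator on a separate device.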

Awesome security (1)

aldld (1663705) | more than 4 years ago | (#30705792)

Sounds secure. Why don't they use it for our credit cards instead? (or both)

Umm why? (0)

Anonymous Coward | more than 4 years ago | (#30705796)

Does someone really care about their WoW crap that much? Really?

Re:Umm why? (2, Insightful)

neokushan (932374) | more than 4 years ago | (#30705934)

Because hijacking accounts and stealing gold and items from players to be sold on is actually quite a lucrative market. If you can't farm gold because the bots are detectable or because that little Chinese kid costs too much money to pay, why not just steal it?

Re:Umm why? (0, Interesting)

Anonymous Coward | more than 4 years ago | (#30706016)

So, this is not for the players, but because making the game work is too hard for Blizzard. Thanks for the heads up.

Re:Umm why? (3, Insightful)

thesandtiger (819476) | more than 4 years ago | (#30706650)

Is your time worth $0?

Many people playing these games have hundreds or thousands of hours spent playing - a $7 device and 5 seconds each time you log in is a pretty fair price for protecting that time spent.

Even if this were entirely a benefit to Blizzard and completely neutral for the player, it still actually would benefit players: less support staff time spent on "I got my account hacked!" means that players with other problems can get tickets answered more quickly.

Re:Umm why? (0)

Anonymous Coward | more than 4 years ago | (#30706154)

I've seen bots run in circles killing the same mobs for weeks at a time. The only way I know of that they get "detected" is if someone reports them. Maybe they do have some automated system for catching them, but it can't be that effective.

I talked to a GM about the bots (lots of them hang out in caves in stormpeaks) and he said it would be investigated by their "bot team." He also said that many of the bots you see are in fact from compromised accounts and that they like the caves because of the high re-spawn rate.

So yeah it's a double return, you get a farming toon and you get all the crap in their bank.

Re:Umm why? (1)

Opportunist (166417) | more than 4 years ago | (#30706434)

Because people buy gold for real, hard cash (despite breaking the policy of the game, but ... who cares?). And those accounts can be valuable not only because of the gold they contain (and the items that can be sold for gold). They can be useful to launder that gold (so Blizzard has a harder time finding out who actually finally got the gold and who sold it), they can be used to send spam messages (because only paying accounts can send out mail afaik), they have a lot of value to a gold seller who doesn't have to spend 10 bucks (or whatever a WoW account costs today) to spam and sell his "service".

Yes, 1000 gold cost like 10 bucks (if that). But it's 10 bucks you didn't have to work for, 10 bucks you didn't have to share with the Chinese farmer that usually makes them for you, it's basically 10 free bucks. Would you take 'em?

Waste o'money (1)

CptChipJew (301983) | more than 4 years ago | (#30705810)

Many US banks will text or email you a one-time authentication code. It's certainly a lot cheaper than buying a piece of hardware.

They aren't doing it this way...why?

Re:Waste o'money (2, Insightful)

compro01 (777531) | more than 4 years ago | (#30705842)

You want to have to go through email/text every single time you log in vs. pushing a button on a key fob and typing in 6 numbers?

The hardware in question costs $6.50. This is a game you're already spending $15/month on.

Re:Waste o'money (2, Interesting)

neokushan (932374) | more than 4 years ago | (#30705948)

No doubt if Blizzard made this mandatory, they'd cover the cost of the devices themselves. It's probably not going to go down well if they suddenly prevent players logging in unless they pay an additional, one-off fee. Many people would see it as a bad precedent.
Furthermore, they'll probably either supply them with new copies of the game, or only "enable" it (and send it out) to accounts that are more than say 3 months old (as they're arguably not going to have much worth stealing and by then the cost of the device will have been covered in the monthly fees).

Re:Waste o'money (2, Informative)

slyn (1111419) | more than 4 years ago | (#30705892)

If you have an iPhone you can get the authenticator for free as an app, and they have said they would like to bring it to more platforms in the future (presumably android, blackberry, minmo and the other major smartphone os's).

Re:Waste o'money (1)

NormalVisual (565491) | more than 4 years ago | (#30706204)

They already offer it on a number of platforms, but unfortunately the BlackBerry offerings are for rather ancient devices, and they do charge for them.

This uses the standard Ace / RSA system right? (1)

AbRASiON (589899) | more than 4 years ago | (#30705894)

I wonder if they could give you a soft token, which works for the iphone app.
http://images.google.com/images?q=rsa%20app%20iphone&hl=en [google.com]
A mate showed me this, pretty damn cool. I'm not an encryption guru so I couldn't tell you how or why it's just as good as the real physical dongle but I'm sure it would be or they wouldn't release it. (Someone here will no doubt reply with more info on this)
Shame my crappy Government remote authentication software is a couple of versions out of date for me to make use of this on my iphone :/

Re:This uses the standard Ace / RSA system right? (2, Insightful)

Jthon (595383) | more than 4 years ago | (#30705984)

Blizzard does have several soft token schemes which don't require that you purchase a physical authenticator. There's an iPhone app you can get for free and use to generate an access code. They also have apps for a few other phones available.

The only thing they don't offer is a PC application and this is intentional. Using a PC app means some virus/trojan could run your pc authenticator and capture the code which makes it decidedly less useful.

Shoes (0)

Anonymous Coward | more than 4 years ago | (#30705902)

Of course you have to remove your shoes. What are you, some sort of barbarian?

Anyone with good security practices hacked? (0)

Anonymous Coward | more than 4 years ago | (#30705952)

i may not have the BEST security practices (duplication on more than 1 site), but i have a pretty strong password (8 random alpha-numeric) that i HIGHLY doubt was brute forced. all my systems check clean (except for some demoscene intros), however my account was compromised.

i wasn't bad off at all. just main's bags emptied, but alts untouched and guild bank unmolested. of course forums and blizzard think i had a virus or spyware.

anyone else have even BETTER security practices and STILL get compromised?

The Authenticator is a good idea (2, Informative)

Oxide (92607) | more than 4 years ago | (#30706034)

I have been using Blizzard's Authenticator on my iPhone for quite a while now and I'm very pleased with it. I can't imagine the devastation I would be in if my wow account got hijacked. I've spent days and nights developing my characters and it would be a huge loss if I lost them to some script kiddie.

The iPhone Authenticator is like you holding a physical key to your account. Good idea.

Re:The Authenticator is a good idea (0)

upuv (1201447) | more than 4 years ago | (#30706424)

So you loose your phone and you are screwed?

Re:The Authenticator is a good idea (2, Informative)

Mascot (120795) | more than 4 years ago | (#30706478)

For a while. You can jump through a number of hoops with Blizzard support to get the account unlinked from the authenticator.

I think it took about 48 hours when I had to do it back when my authenticator decided it no longer wanted to turn itself on.

A word of caution to any in a similar boat: CALL Blizzard. They can take a week or two to get to the email, you probably don't want to wait that long.

Re:The Authenticator is a good idea (4, Informative)

cyber-vandal (148830) | more than 4 years ago | (#30706738)

The word is lose.

Re:The Authenticator is a good idea (2, Informative)

Dachannien (617929) | more than 4 years ago | (#30706652)

It's not really script kiddies who are doing this anymore. It's all tied to the RMT "industry" - essentially, organized crime.

Possible application to internet anonymity? (0)

Anonymous Coward | more than 4 years ago | (#30706082)

I hope other Slashdotters agree in that it would be truly great to be able to browse the Internet with some sort of guarantee-able anonymity. At the same time, sometimes you want to be able to more firmly identify yourself before performing an action online. It seems this sort of authentication could provide much greater, though still penetrable security than the standard password model. I hardly think it will be too long until you're logging into online stores through this sort of system than using a password.

That said, how much incentive do online stores have to counter fraud? The more it benefits them, the more likely we'll see it.

A little off-topic on the anonymity side but perhaps is still something appropriate to discuss here. Is there any way that you can browse for information on the Internet from home in which the traffic couldn't be personally identified to you? It would also seem if that could be offered that it would be very popular. I understand that the Tor network is a step forward, but still not making it easy to browse and interact with the Internet in an anonymous manner.

There are just too many crimes that are too easy to commit these days on the Internet. I don't think we should have to be looking over our shoulders all the time. Also, anonymity just seems like it'd be liberating.

MORE money? (-1, Flamebait)

Calydor (739835) | more than 4 years ago | (#30706114)

Okay, let me get this straight.

I buy the game at retail price, the same price I'd pay for any other game I'd want to play.

Then I have to buy the expansion packs at retail price, the same price I'd pay for an expansion to most other games.

Then I have to pay a monthly fee to actually PLAY the game I paid for.

And NOW I have to spend even MORE money to buy some device to keep my account secure because Blizzard has no clue how to keep accounts secure from hackers.

Excuse me, but NO. There is absolutely no reason I should pay for a company's inability to keep out people with no life. No pun intended about WoW players.

Re:MORE money? (0)

Anonymous Coward | more than 4 years ago | (#30706152)

And NOW I have to spend even MORE money to buy some device to keep my account secure because Blizzard has no clue how to keep accounts secure from hackers.

It's not like Blizzard are having the user/pass stolen from their systems, the people who get "hacked" got hacked because they fell for phishing scams or they downloaded something dodgy of their own accord.

Re:MORE money? (0)

Anonymous Coward | more than 4 years ago | (#30706256)

And NOW I have to spend even MORE money to buy some device to keep my account secure because Blizzard has no clue how to keep accounts secure from hackers.

It's not like Blizzard are having the user/pass stolen from their systems, the people who get "hacked" got hacked because they fell for phishing scams or they downloaded something dodgy of their own accord.

^^^^ This. You're not paying because of Blizzard's failing.

You're paying because:
-user stupidity (user fail)
-poor application security (coding error fail*)
-poor library security (coding error fail*)
-Microsoft OS (coding error fail*)

user fail -> haxx0rd
coding error fail -> haxx0rd
haxx0rd -> pwnd account
pwnd account -> PITA for Blizzard

*These refer to the situation where you click a link in your browser and BAM you're the proud new owner of a keylogger because you simply followed a link that led you to some sort of exploit where you don't even have to download and run anything.

Re:MORE money? (1)

jo_ham (604554) | more than 4 years ago | (#30706172)

Blizzard knows exactly how to keep people out of the game, and tells you how to do it. It has extensive FAQs on account security and how to prevent it happening. What they cannot do is control whether users read and follow these tips, or keep spyware off their machines.

The simple fact is that all you need to log in the account is the user name and password, which are trivial to acquire from dumb people either by technical or social engineering methods.

The authenticator prevents this, and is free for many mobile phones or costs €6.99 from the store if you don't have a compatible phone. Alternatively you can just use the current system and be smart. I had a WoW account since the original release of the game and have never been compromised: I don't share my account details, I keep my machine up to date, I have no virus/keylogger/spyware issues and I don't go to gold selling websites. I have never needed the authenticator.

I have known people in game who have had their accounts taken - some more than once.

If you think Blizzard "has no clue how to keep accounts secure from hackers" then you are sorely mistaken. The introduction of the optional authenticator immediately dismisses that assertion right off the bat. The fact that people still choose not to use it and then wail about long GM response times for restoration of their stolen accounts is hardly Blizzard's fault.

Re:MORE money? (1)

Calydor (739835) | more than 4 years ago | (#30706188)

The fact that accounts could be linked to a battle.net account without providing anything other than the username and password was stupid.

The fact that after making battle.net mandatory, battle.net accounts could be linked to an authenticator in exactly the same way is completely moronic.

You need a TON more info to get back control of your account (CD keys etc.) than to steal one in the first place. Why not require the CD key to add to battle.net/authenticator in the first place? People who willingly give that out anywhere else but to Blizzard themselves deserve what they get.

Send confirmation emails to add to battle.net/authenticator. Send confirmation emails to change your registered email address. Force a call to the CS call center if you have no access to your email. Keep logs of the IPs that have connected to an account, use those to get a rough idea of where in the world people are connecting from, then use that to confirm if it's the actual account owner who's on right now. Etc., etc.

THIS is forcing the people who actually KNOW how not to get hacked to pay for the stupidity of little children who go "OMG, Blzzrx is giving me a free mount for no reason whatsoever!!1!!!1!" I'm sorry, but that's just as stupid as any previous attempt at security.

Re:MORE money? (4, Informative)

thesandtiger (819476) | more than 4 years ago | (#30706708)

Lest anyone think you're insightful or interesting or informative (because your post indicates you are none of these things):

Blizzard is eating the cost of shipping on these inside the US and Europe. They are charging less than $7 for them, which, in addition to the shipping, has got to be pretty near break even. I sourced tokens a couple of years back and we were quoted $10-25 each depending on the supplier.

They are also offering a free version over the iPhone/iPod and for a variety of other devices like Blackberries.

The end result is about 4-5 seconds added to your time to log in, you don't get your account (that you've spent hundreds/thousands of hours on) stolen, and when you do have a legitimate issue in game that requires support there's a better chance someone will be able to help you sooner rather than 3 days from now.

Of course, I suspect based on your post that you don't actually play this game, and probably came in here just to be smug. Is "I won't pay MORE money to play a game I ALREADY paid for" the new "I don't own/watch tv"?

very wrong (2, Insightful)

ccozan (754085) | more than 4 years ago | (#30706732)

  • I think you have never played WoW. So you don't know how much work is put into building a char and keep up with the challenges. Losing this because your Windows allows malicious code to run equals to a cataclysm ;).
  • Blizzard has _nothing_ to do with incompetence of users which allow keyloggers and stuff on their computers. The fact that Blizz allows the recovery of your items/gold on _their_ costs, is a fact that you will never find anywhere else.
  • 3. the authenticator is 7 euro. This is two beers. I find it acceptable if i can keep my account thus protected.

Not going to solve your problems (2, Insightful)

selven (1556643) | more than 4 years ago | (#30706458)

2008: Oh no, I forgot my password! I need to call Blizzard for help!

2011: Oh no, I lost my authenticator! I need to call Blizzard for help!

So... (0, Troll)

stonedcat (80201) | more than 4 years ago | (#30706622)

How will this affect Linux WoW players? Don't let Blizzard tell you there aren't any, there are thousands of us.
They better make sure they have their shit together first before fucking people over or they'll lose customers.

Re:So... (0, Offtopic)

oberondarksoul (723118) | more than 4 years ago | (#30706680)

At present, they don't support playing WoW on Linux. Afterwards, they won't support playing WoW on Linux. If you play, good for you, but they're really not under any obligation to make it work.

Re:So... (0)

Anonymous Coward | more than 4 years ago | (#30706992)

Which part of losing paying customers did you not understand?

Re:So... (0)

Anonymous Coward | more than 4 years ago | (#30707144)

Every linux user quitting over this would be a drop in the bucket, frankly. Blizzard doesn't support Linux; playing WoW on Linux means you accept that they don't support your OS and are willing to deal with it.

By all means, though, stop paying for the game and observe the reaction from Blizzard.

Blizzfail! (3, Interesting)

Naaythann (1416151) | more than 4 years ago | (#30706790)

I have to admit this is quite funny, in the last few days i had my battlenet/WOW account banned for gold farming. Not played it in about a year, so i went through the process of trying to establish what happened. Got passwords and so on reset but the git attached the said "Blizzard Activator" to my account and i'm back at square one and locked out of battlenet/WOW.

crap (0)

Anonymous Coward | more than 4 years ago | (#30706886)

I'll cancel my account before I pay for an authenticator. It's only $6.50, but it's an expense I wouldn't pay if I had an iphone. I don't have that luxury.

There's other financial motivation for the authenticator as well. With the authenticator, pretty much nobody else can use the account. No more borrowing accounts, no more selling accounts.

I see this as more the incentive for the authenticator than peoples' accounts getting "hacked". If you log into a website with your account uid and pwd, have a keylogger installed via your addons, or use your main's name and your uid and pwd, you deserve what you get.

Re:crap (1)

omglolbah (731566) | more than 4 years ago | (#30707238)

Meh, you can still sell an account. You just have to sell the dongle too :-p

And um... borrowing and selling accounts is already against the TOS and could get the account closed so... why are you upset? :-p
