Forum post of the day: Rage against the authenticator
Alright, so the splash screen mystery is dramatic. Whatever the important announcement is, I don't think they could come up with one that makes me happier than the new authenticator. I will be first in line to buy mine once it comes out. It seems that most of us are with me. We've been clamoring for better authentication, and we're going to get it.
A one-time charge of six and a half bucks for an extra layer of security seems like a smoking deal to me. It hasn't occurred to me to be bothered by the price. Tuhrell of Malrone believes that the authenticators should be distributed by Blizzard for free. Vallana of Thaurissan is on a short list of responders in the thread that agreed with the original poster. She believes that her $15/month is enough to spend on WoW and is "not retarded enough to get hacked so I really don't need it."
Some posters fear a "shame on you" attitude on the part of Blizzard toward users who do not purchase the device but still get hacked. Zarlhym attempted to quell those fears:
We currently have only the intention of releasing the authenticator to provide an extra layer of end-user security for those interested in purchasing it. The idea is not to punish players who do not purchase this; but rather, to provide additional account protection for those who do.
As I understand it, I will be able to link both of my accounts to the same token. If I had to, I would gladly buy two. Shopping around for VPN authenticators suggests that Blizzard is making very little mark-up on the devices. Even if they made nothing off the sales, Blizzard will most likely profit from introducing the authenticators: they may save money in the long run on the manpower they theoretically won't be spending researching compromised accounts. Perhaps that fact alone would encourage them to simply donate them to subscribers.
Internet and account security is serious business. Do you think Blizzard is charging a fair price for their authenticators?
Filed under: Blizzard, Forums, Hardware, Account Security, Forum Post of the Day
Reader Comments (Page 1 of 3)
Flarglargin Jun 28th 2008 4:04AM
Seems fair in my opinion. I mean, if you can afford $15 a month, you can afford $6 ONCE.
Jason Jun 28th 2008 12:51PM
I disagree. A few reasons.
1. Only available at the online store (and probably Blizzcon). Means people without credit cards can't get it.
2. Seems like there are too many "problems" that will lock you out of the account until you contact billing and account services. (Don't know if you ever tried to contact blizzard...not easy...lines closed most of the time and slow for emails.)
3. The account verification process is one that takes a long time. (3 weeks when I got hacked)
4. Even if they quicken it, it will be too late to get in that 9 PM raid when you log in at 8:45.
5. Lich is coming out soon...slap them in as a bonus feature to buying.
6. I am a big believer that they will have the "shame on you" attitude if you are hacked.
jrb Jun 28th 2008 2:48PM
Well, I kind of agree, and kind of don't.
Forcing key-fob two factor authentication would, in the short term at least, cause way more support problems for Blizzard than it would solve, and long term, with keyfobs going out of sync with authentication servers, and batteries dying, you get an ongoing support burden. So I'm kind of for an opt-in solution, but I agree that asking the end-user to pay for the opt-in is a bit cheeky, considering how much we're paying already to play this game.
But two factor authentication is definitely needed in some form or another. Currently I think there are two issues that are causing accounts to be hacked.
1) keyloggers - fix this with secondary logon authentication, by asking for a click response. e.g. a random set of pictures, placed in a random order which have to be clicked on via mouse for authentication. Or fix this with a phone line that the user has to call, or an SMS message that the user has to send in to open up the account for logging in to (apparently in use for Taiwan WoW users). Do something clever with the authentication process. Ask Microsoft, or IBM, or Google, they all have clever off the shelf solutions already.
2) brute force password hacks - my account was hacked this way, or rather, I'm 100% sure my PC is 100% clean, and there's no other explanation, especially considering that over a space of hours I was forced offline again and again, for no other reason than by hackers tripping some mediocre brute force prevention mechanism at Blizzard, that obviously didn't work. They guessed my password because a) it was too simple (fix this by adding password complexity rules (currently there are none), or password expiry / renewals), and b) the authentication process in place doesn't stop people brute force hacking accounts; there's no lock out, there's no slowing of authentication attempts, there's nothing... and there really really needs to be.
Hackers have monetised WoW. On a daily basis it's tarnishing the reputation of Blizzard's ability to provide a secure environment. I got some of my characters back, but I lost a heap load of gold, items, and other characters that Blizzard couldn't be bothered to, or simply couldn't, restore.
For me the price of the authentication fob is small, so I will probably end up buying in to it, simply because I don't want to go through the hassle of spending days getting my toons back.
SaintStryfe Jun 28th 2008 4:04AM
I'll absolutely be picking one up. I am honestly fearful of being hacked, despite being a Mac-only player. My Wifi is secure, but if I plug in at a cafe or school, I can't be sure. This would add that extra layer to make it more comfortable for me. This would be an incredible security layer and I would be pleased to front a measly $6.50 one time.
Foxlit Jul 3rd 2008 8:06AM
How you connect to the internet does not affect the security of the WoW client's authentication: your password is not sent to the server, so logging your internet communication is not a viable attack vector. The only real factor is the security of your own computer: is it going to send your password to third parties without your knowledge, or are you sure it's secured?
Versai Jun 28th 2008 4:06AM
/agree #1
ermansup Jun 28th 2008 4:09AM
I fear it's only a matter of time before that will be cracked and keyloggers start to log the dongle code as well. Then it will be only a matter of sending that same code along with the login and voila, epix sharded.
Flarglargin Jun 28th 2008 4:15AM
Well, considering many small-frame companies use these security features (my father's company for example), and they have yet to be hacked by anyone, especially competitors, I doubt that such a quality company like Blizzard would use some "cheap-o" brand of code that can be easily cracked.
kieran Jun 28th 2008 6:41AM
Keyloggers won't defeat these little keyfobs. They give a different code every time you press the button, based on an initial "key" known to Blizzard and the breakdown of an isotope. Without knowing the initial key and the time the sequence started, there's currently no way around them.
These dongles are used in high-security applications including secure network access and internet banking, it's quite surprising to see them rolled out for a computer game.
ermansup Jun 28th 2008 4:24AM
These people are software engineers making their living by stealing accounts. The motivation and skill for cracking these things is something completely different than on small businesses having a look at their competition. The only truly secure login would be a limited amount of codes on a piece of paper that only work once.
popeguilty Jun 28th 2008 4:34AM
Due to the nature of One-Time Pad encryption, even a keylogger would only work if the person running the logger logged in within the couple of minutes before the password expired... and really, if that happened, you'd be able to notice (since you'd get kicked off) and could log in repeatedly until the password changed, thereby preventing the thief from making use of your password.
Grant Jun 28th 2008 4:37AM
This type of security device can't exactly be keylogged. Sure your username and password can be, but as long as you have it and activated within your account, it would be extremely hard to break. Basically every 60 seconds the key dongle will generate a random number. The server will generate the same random number at the same time. So say they keylog your security code, in 60 seconds time, it will no longer be valid. Basically, unless they can come up with a way to brute force out all the possibilities of a 6 digit number in 60 seconds, then they are screwed. And even that can be limited by Blizzard. They can put a login attempt limit on the account. So if more than 5 attempts happen within any 60 second period it freezes the account for an hour.
scrantinax Jun 28th 2008 4:38AM
Errr the whole point of these things is they do generate 1 time only keys, that, even with knowing all the previous keys, you cannot find out the next one. That's the way they work: key gets generated, lasts 1 minute, can only be used once, once 1 min is gone, key is void, never created again. And knowing all the keys that have come before, you can't know what key is coming up next.
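The token-and-server scheme that kieran, Grant and scrantinax describe (a six-digit code per 60-second window derived from a secret shared with the server, usable once, plus Grant's five-failures-per-minute freeze, which is also the lockout jrb asks for) as an added Python model; this is not Blizzard's code and the page does not name the device's actual algorithm. It assumes the standard HMAC-SHA1 time-step construction (RFC 4226/6238 style); the secret, the epoch time and the 60-second step are constructed values.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # code lifetime as the commenters describe it (assumed value)
DIGITS = 6          # six-digit code, as Grant describes

def totp_code(secret: bytes, unix_time: int) -> str:
    """Token side: the code for the 60-second window containing unix_time.
    HMAC-SHA1 over the window counter with dynamic truncation (RFC 4226/6238 style)."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

class Verifier:
    """Server side: holds the same secret, accepts a window's code only once,
    and freezes the account for an hour after 5 failures in any 60 seconds."""

    def __init__(self, secret: bytes, max_attempts: int = 5, window: int = 60, freeze: int = 3600):
        self.secret = secret
        self.max_attempts, self.window, self.freeze = max_attempts, window, freeze
        self.used_counters = set()   # windows whose code has already been accepted
        self.failures = []           # timestamps of recent failed attempts
        self.frozen_until = 0

    def verify(self, code: str, now: int) -> str:
        if now < self.frozen_until:
            return "frozen"
        counter = now // STEP_SECONDS
        if hmac.compare_digest(code, totp_code(self.secret, now)):
            if counter in self.used_counters:
                return "replay"      # a captured code reused inside its window
            self.used_counters.add(counter)
            return "ok"
        # wrong code: count it, and freeze once 5 failures land inside one window
        self.failures = [t for t in self.failures if now - t < self.window] + [now]
        if len(self.failures) >= self.max_attempts:
            self.frozen_until = now + self.freeze
            self.failures.clear()
        return "bad"

if __name__ == "__main__":
    secret = b"constructed-demo-seed"   # constructed; real seeds are provisioned per token
    server, t0 = Verifier(secret), 1_214_600_000   # constructed epoch time
    code = totp_code(secret, t0)
    print(code, server.verify(code, t0), server.verify(code, t0 + 10), server.verify(code, t0 + 60))
```

A code derived near the end of a window expires almost immediately, so real verifiers usually also accept the adjacent window; this model does not, to keep the single-use check simple.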
ermansup Jun 28th 2008 4:47AM
Thank you. It's a better system than I thought then. It seems then the only way to break it would be to solve the way the numbers are generated. Will definitely be getting me one! :)
Nick S Jun 28th 2008 5:23AM
I don't know if these will be 100% secure... I've worked with encryption a bit and know that most successful attacks aren't against the encryption.
That said, I'll probably buy one... but trust it without reservation? Nope.
Feldur Jun 28th 2008 8:51PM
Similar devices have been defeated. One of the attacks is called man in the middle - it amounts to getting into the network flow between user and server, and letting you compromise things for yourself. It can be done, such as by a successful hack of the DNS servers.
Likely? I don't know. Possible? Yes, and without compromising your computer itself. Don't ever think there's going to be uncrackable security.
Pzychotix Jun 29th 2008 10:53AM
You honestly have no idea what you're talking about Feldur. A man in the middle attack would do about the same as a keylogger: You log in to the fake server, pass them your info, and then they would use this info to log into your account.
The problem with this is that they still can't generate your one-time code, which changes every 60 seconds. Unless they were sitting there, logging in THE MOMENT you gave them the info, they'd be SOL.
XilDarkz Jun 28th 2008 4:20AM
I'm shocked that all people weren't happy; I mean, why not?
midir Jun 28th 2008 4:16AM
Looking at the amount of money they make on the game, they should give an authenticator to everyone who asks for it for free as the poster states: "They may save money in the long run on the manpower that they theoretically won't be using to research compromised accounts."
Rassia Jun 28th 2008 7:36PM
Here's the problem, midir. The $6 fee does two things for Blizzard, in my opinion. One plainly visible, one less so.
The first thing is it covers their investment in the hardware. It took them time to research, design, and produce it. Like the article says, this probably covers the bare bones cost of the item. It is not Blizzard's responsibility to make sure that their users are not doing things that get their computers compromised. So to have us cover the physical cost of the device, I think, is a fair trade.
Second, it provides a barrier to entry. If it was free, a larger number of people would go through steps to obtain said device, because it was free and it 'helps security'. You have to understand, if you link this device to your account and you lose it or break it or throw it in the washing machine or whatever? You have to call Blizzard and it's going to take time out of their payroll to fix the situation. They don't WANT everyone to have one because that brings a wider swathe of people who get it without understanding it and the responsibilities it dictates.
This is also, I daresay, the reason they're not 'including it' with the expansion. Aside from the cost issues that would present.
Just my take on it anyway.