WoW Insider Interview: Blizzard speaks about Authenticator security

About a month and a half ago, we reported on the story of a player who had apparently gotten their account hacked while they were using the new Blizzard Authenticator key, and it raised a lot of questions in players' minds about the only hardware Blizzard's ever made: just what does the Authenticator do to protect players' accounts? Have Authenticators actually prevented accounts from being hacked? And what would it take to, through social engineering or other methods, actually remove an Authenticator from an account?
At the time we published that first story (which was later disputed by a customer support representative), Blizzard contacted us here at WoW Insider, offering to clear up players' concerns about the new keys. We quickly submitted to them a few questions pulled from our own writers and a few submitted by readers, and they've now returned the answers to us -- you can find Blizzard's answers to our questions about the Authenticator after the break. Thanks to Blizzard for answering our questions about how these keys work, and clarifying some of the issues around their security.
WoW Insider: Can you, without going into details that would compromise the Authenticators, walk us through exactly how they work? Is the code usable only once, or is it available for a certain period of time after login? And what are the chances that someone could keylog the authenticator code and/or use it without the key?
Blizzard: We've partnered with Vasco, which uses the same security technology as many major banks use to protect transactions that run through their systems and supplies some of the toughest security currently available. The Blizzard Authenticator can be tied to an individual account or multiple accounts. It supplies a random digital code that must be entered at login, providing an additional layer of security to help prevent unauthorized account access. Each code is valid for a limited time and can only be used once, so the Blizzard Authenticator must be in the possession of the account holder to log in to the account.
When we first heard about the person who got their account hacked while using the Authenticator, it appeared that whoever hacked the account had gotten the Authenticator removed from the account (though since then, Belfaire has told us on the forums that's not the case). What exactly is necessary to remove the Authenticator from an account? How easy or hard would it be for a hacker to do that through social engineering?
In the particular case you mention, the Authenticator was indeed never removed from the account, as our customer support representative Belfaire indicated in early August. I can also confirm that we have no verified occurrences of an account being compromised that has a Blizzard Authenticator attached to it.
As for removing the Authenticator from an account, if you have the Authenticator handy, you can log into Account Management with it and disassociate it from your account directly. If the Authenticator is lost or missing, the account holder would be required to contact our support staff and we would assist on a case-by-case basis. Given the security concerns involved, information on the specific steps we follow is not something we publicize. However, our support team is dedicated to helping genuine cases without risking players' accounts.
Since releasing the Authenticator, have you seen a drop in the number of accounts reported hacked? Can you give us any numbers or percentages, either before or after the Authenticator's release, of how many hacked accounts you're seeing reported? Obviously there's no way to tell how many accounts are actually hacked, but from the reports we've seen (and from the fact that you've released the Authenticator in the first place), it seems like it's a widespread problem -- is that the case, according to your data?
We do not reveal compromised account data as a matter of policy, but from the first run of Blizzard Authenticators, we have zero verified cases of an account being compromised while a Blizzard Authenticator was attached to it.
The units are very hard to find -- what's the reason behind the supply problem? [Note: Obviously, at the time these questions were written, Authenticators were not in stock on Blizzard's website.] And is there a way that we could buy non-Blizzard authenticator keys from that same company and have them work?
As mentioned earlier, we've partnered with Vasco to provide the Blizzard Authenticator. The original release of the Blizzard Authenticator was limited, and it was extremely well received. We recently replenished our stock and are making the new batch available through the online Blizzard Store now. In regards to using other authenticators, due to the proprietary nature of the interaction between Blizzard's player accounts and the Authenticator, non-Blizzard Authenticators will not work.
Thank you very much.
Note: We also asked a question of Blizzard about why some GMs are able to restore all the items on hacked accounts and some are not (including what players can do to make sure that, if hacked, they can get their items recovered quickly), but Blizzard declined to answer, apparently because the question was not directly about the Authenticator.
Filed under: Blizzard, Interviews, Hardware, Account Security

Reader Comments (Page 1 of 5)
potasio Sep 18th 2008 9:11AM
woot first i was thinking try the authenticator but i dont have idea where to i thinking the site but if any have would like read the comments
Stephen.Lecheler Sep 18th 2008 9:20AM
I've had the Authenticator for a couple of months now and, using what I know about the token, it is fairly decent in its security level.
+ Ensuring that a keylogger/cracker has another step to guess when hacking your account
+ Having a small window of time where a keylogger could use the same info that was just legitimately entered
- Plastic film designed to protect the authenticator from scratches peels off after a few months
- Needing to have the authenticator in your possession whenever you want to do /anything/ related to your account on the website (Including PTRs)
dafire Sep 18th 2008 9:35AM
>+ Having a small window of time where a keylogger
>could use the same info that was just legitimately
>entered
The "hacker" usually has no time, since every generated number can only be used once to log in .. the authentication server will never grant access with the same number twice.
>- Plastic film designed to protect the authenticator
>from scratches peels off after a few months
That plastic film was only for transport and was never meant to be left on the device.
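As an added example (not Blizzard's or Vasco's code; the token's real algorithm is proprietary and not described on this page), here is how a login server can enforce the two properties Blizzard's answer and dafire's comment both describe: a code is valid only for a limited time window and is accepted only once, so a keylogged code cannot be replayed. It assumes an HMAC-based time-step code as a stand-in for the token's output; the secret, step length and drift window are constructed values.

```python
import hashlib
import hmac
import struct

# Assumption, not Blizzard's or Vasco's actual algorithm: an HMAC-based
# time-step code (TOTP-style) stands in for the token's "random digital code".
STEP_SECONDS = 30   # constructed: each code is tied to one 30-second step
DRIFT_STEPS = 1     # constructed: accept one step either side for clock drift
DIGITS = 6


def generate_code(secret: bytes, counter: int) -> str:
    """HMAC-SHA1 over the time-step counter, truncated to DIGITS decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** DIGITS)).zfill(DIGITS)


class AuthServer:
    """Login verifier enforcing the two properties described on the page:
    a code is valid only for a limited window, and accepted only once."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.used = set()   # (counter, code) pairs already accepted

    def verify(self, code: str, now: float) -> bool:
        current = int(now // STEP_SECONDS)
        for counter in range(current - DRIFT_STEPS, current + DRIFT_STEPS + 1):
            if hmac.compare_digest(generate_code(self.secret, counter), code):
                if (counter, code) in self.used:
                    return False    # replay: a keylogged code cannot be reused
                self.used.add((counter, code))
                # Forget entries that can no longer match any accepted counter.
                self.used = {k for k in self.used if k[0] >= current - DRIFT_STEPS}
                return True
        return False    # wrong code, or outside the validity window


def demo(secret: bytes = b"constructed-demo-secret", t0: float = 1_000_000.0):
    """Constructed scenario: genuine login, keylogger replay, and later reuse."""
    server = AuthServer(secret)
    code = generate_code(secret, int(t0 // STEP_SECONDS))
    first = server.verify(code, t0)                       # accepted
    replay = server.verify(code, t0 + 5)                  # same code, seconds later
    later = server.verify(code, t0 + 10 * STEP_SECONDS)   # window has passed
    return first, replay, later
```

The replay check keys on the matching time-step counter rather than the wall clock, so a code accepted late in its drift window is still refused when it is presented again.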
yazah Sep 18th 2008 9:25AM
The authenticators are very cool, but it seems like an even easier fix would be to have separate passwords for logging into the forum and the game. Most WoW "sexleggers" (i.e. keyloggers) tend to be cleverly (or not so cleverly) designed links that generally would not be able to keylog you logging into the game - only into the forums.
Or do they already have this, and I'm the only one foolish enough to not have it set up yet?
Dan Sep 18th 2008 11:02AM
The problem is that once the keylogger is installed, it will grab all text you input. That's why it's called a keylogger. It doesn't matter if your forum and game password are different. All it needs to do is register that WoW was started, and grab the next few keypresses and a screenshot or two.
lbizzle Sep 18th 2008 9:34AM
Whatever Blizz rep answered that interview could succeed in politics with question avoidance skill like that. It's a shame that they didn't answer your question about GM restoration, because it's a very valid one which would be useful to the entire community.
npm Sep 18th 2008 2:31PM
Man, I was thinking the same thing.
I don't think there was a single "real" answer for any single question asked. It all sounded like massive evasion.
Oh well, I'm actually pretty well satisfied in my mind that authenticators work quite well.
Andrew Welch Sep 19th 2008 4:10AM
You have to remember though that this is a very sensitive area of Blizzard's Policies and Account Mechanics. They didn't have to say anything.
Tumnus Sep 18th 2008 9:33AM
Now if they could explain why it costs over $50 for someone in Canada to get one. I would love to buy one, but I won't until I can pay what people in the US are paying.
Harmun Sep 18th 2008 10:02AM
50$?? Wow, epic fail...
CallMeIrd Sep 18th 2008 1:03PM
I'm guessing that you're talking about shipping and handling costs? It was the same for me, having it shipped to Iceland was ridiculously expensive. Instead I had it shipped to my sister in London so she could send it to me, but the p+p was STILL more expensive than the authenticator itself. I guess that's how they're making money off of it.
Noobies Sep 18th 2008 1:38PM
You need to ask UPS why they charge 45$ customs brokerage fees on 5$ items.
Sean Riley Sep 18th 2008 3:07PM
It's absolutely true. A whopping $77 dollars to Australia.
Geeze.
Milktub Sep 18th 2008 9:38AM
I prefer a social fix to a tech fix.
Choices:
1. Buy a doohicky that provides a bit more passive security, but may over time lull me into being lax about actively ensuring my own security.
2. Actively secure my account by not being an idiot when it comes to Internet use.
Candina@WH Sep 18th 2008 10:44AM
Fix Behavior first, I agree.
However, safe behavior can be compromised. I like two token authentication as a backstop to sound behavior.
But easy steps can be taken to reduce the likelihood of getting key logged.
1.) Don't post on the forums. If you don't log in, you can't be key logged.
2.) Don't use ANY auto updater for any UI mods. The UI mods are 'sandboxed', but any code that scans the internet and executes commands on your PC is a threat.
3.) Don't use the same password on guild sites as you use on your WoW account. Do not use the same password for Vent/Team Speak as you use for your WoW account.
4.) Don't download ANY UI mod that is in an executable format.
5.) Always use protection. A virus scanner is a must. Spyware removal software from a respected vendor is also a must.
6.) Run a software firewall on your PC. This is especially important if you use wireless in coffee shops or have a PC on a University campus. And the Windows firewall doesn't count.
7.) Stay away from warez, haxx, game cheat code, etc. sites. If you don't want to get mugged, you don't go to the bad part of town, at night, waving $100 bills.
Just my $0.02 worth.
Signed, Long time Security Wonk
Blake Sep 18th 2008 10:48AM
We all would prefer a social fix, but there's always going to be people out there who click anything sent to them and will get hacked. I never got hacked before having the authenticator because I know what I'm doing. Now that I have the authenticator, I haven't changed my habits and have an extra layer of security. For the peace of mind it offers, it's well worth the nominal fee (except if you're in Canada apparently - $50? jeez).
Birdfall Sep 18th 2008 1:34PM
Candina@WH - Your #7 made me grin.
Those are very good tips, thank you!
jbodar Sep 18th 2008 7:42PM
FYI, I would assume at least a few people got hacked due to the recently-fixed Flash vulnerability, and no AV software is 100% effective, so being careful only gets you so far.
http://www.purdue.edu/securepurdue/steam/newsDetail.cfm?NewsID=191
jbodar Sep 18th 2008 7:44PM
P.S. - Multifactor authentication > "I'll just be careful"
matt Sep 24th 2008 2:17PM
Is it just me, or did they not answer a single question in a meaningful way? Considering they sought out this interview and have had "no verified occurrences of an account being compromised", I would expect more directness. Heck, we don't even get the name of the person WoWinsider talked to. I mean, they did just ignore that this problem even existed for the better part of 4 years; they could be more forthcoming.