Account security mythbusting, part 2
At this moment, the absolute best way of keeping your account secure is by using a Blizzard Authenticator, which happens to be the subject of our next myth.

MYTH: Blizzard Authenticators can be hacked, removed, or bypassed by a third party.
This is another pretty straightforward myth. If you have an Authenticator or you've done the research on them, you know that they're small tokens about the size of a keychain. Their single button generates a six-digit security code that you must enter when you log into the game or the Account Management section of the website. There's also a serial number printed on the back of the token, which must be entered when you attach the authenticator to your account.
The encryption on the token is 128-bit, which is a ridiculously hard-to-crack level of security. But don't take my word for it.
To put this into perspective, the level of encryption on an Authenticator is the same level as on a bank website's account database. If someone can brute-force your Authenticator algorithm, they can hack a national bank.
Which would you pick?
Truth be told, the only real threat to your account security is much closer to home: not keeping the physical Authenticator safe. The Authenticator can only be removed from your account by providing an Authenticator-generated code, or by calling Blizzard Billing and giving them the serial number off of the back of the token. In the absence of those two, the caller must be able to provide a large amount of very personal information. There's no reason why anyone should have this kind of information besides you, unless you (for example) replied to a phishing email that asked for that kind of information. Blizzard will never ask for your password.
As usual, your account's security is in your hands. There's not a single case of an Authenticated account being compromised, so just get an Authenticator when you can. You don't even pay shipping if you're in the US.
Myth Status: BUSTED
Reader Comments (Page 1 of 1)
Shefki Dec 31st 2008 1:38PM
"The Authenticator can only be removed from your account by providing an Authenticator-generated code, or by calling Blizzard Billing and giving them the serial number off of the back of the token"
This simply is not true. Nor does it make any sense. If you lose your authenticator or it fails you're obviously going to need to remove it from your account. Since I have actually had to remove one from my account (got a new one at Blizzcon that I switched to) I can say that at no point was I ever asked for either of these pieces of information to remove it.
Instead you fill out the form at this URL and fax or mail it to Blizzard:
http://us.blizzard.com/support/article.xml?articleId=21469
They are picky about the ID. I had to fax it a 2nd time because my drivers license was too dark the first time.
So while I agree that it is difficult to remove an authenticator from the account for some random person with limited account access, them gaining access to your authenticator, even just to look at it and gain the serial number, doesn't help.
If you're going to Mythbust please actually make sure what you're saying is 100% accurate. Posting mostly true stuff doesn't help.
Cy Dec 31st 2008 1:56PM
Did you just stop reading at that sentence? Because the very next one proves your point: "In the absence of those two, the caller must be able to provide a large amount of very personal information." That form sure looks like a lot of personal information to me.
Also, the author of this article used to work for Blizzard and handled a rather well-known case involving account hacking and the authenticator. So he can probably myth-bust with much more accuracy than you can.
Shefki Dec 31st 2008 4:49PM
Again, you can only remove the authenticator with that form. The statement I quoted is still incorrect. If you can remove it any other way then even the Blizzard reps don't know about it.
HappyMurloc Dec 31st 2008 2:52PM
With Authenticator I found a very nasty thing that has been overlooked by Blizzard: you can log in to the official forums without entering your authenticator number.
So a password-guesser bot can theoretically abuse that.
It was very sad to learn that, since all other places where you enter your account/password seem to be protected...
So I don't log in to forums anymore!
Daniel Dec 31st 2008 3:10PM
"The encryption on the token is 128-bit, which is a ridiculously hard-to-crack level of security. But don't take my word for it."
This is true but leaves the impression (especially when you click on the link) that 128 bit is uncrackable. The information at that link is outdated. Its key sentence is "would take significantly longer than the age of the universe using conventional technology." But technology has progressed rapidly in recent years and 128 bit is no longer uncrackable.
It's fair and honest to say that 128 bit is uncrackable right now for anyone not directly affiliated with western national security agencies; perhaps a dozen people with the administrative and computer power to do it in the entire world. And these people have better things to do than to mess with your WOW account for fake gold. But most cryptologists expect that within three to five years 128 bit will be crackable by most hackers using a home PC due to increases in computational power and storage media.
So I agree with your general point, and I am quite certain that a Blizzard product secured by 128-bit has not YET been hacked by gold thieves. But complacency is not in order on this topic; it will happen and it will happen within a few years.
Chrysoula Dec 31st 2008 4:48PM
You know, I haven't used IE for years. And I've written software that managed hashed-password-protected accounts. So none of this is really news to me (except the expensive idea that account details are kept in the same secure db as billing information-- the LOLz!).
But I still think there could be a little less of this blame-the-victim attitude. I understand how frustrating ignorance can be, but your MythBusters style to remedying it is just as frustrating because the people who most need to know this information are going to be put on the defensive by your approach. As a result, they won't read or retain the information.
Try presenting the bad guys as bad guys, rather than as a divine force of nature punishing idiots, and you might see a more positive and productive response.
Pzychotix Jan 1st 2009 12:40AM
http://wow.underealm.com/2008/11/06/blizzard-authenticator-flaw/
Authenticators themselves can't be hacked, but that doesn't mean your account is safe.
Todd Jan 1st 2009 5:56PM
Well maybe 1/2 the morons out there should get a life and have only one account ... ya think