Account security mythbusting
So, you might have noticed the increased number of warnings and advice from Blizzard regarding account security lately. They've even popped up in the game itself, as a server message when you first log in. Needless to say, this has caused no dearth of consternation in the WoW community (read: people be trippin'). So, why the sudden notices? Has something changed? Has Blizzard lost their footing in the war against hackers and gold farmers? Is Blizzard in cahoots with them? What's this itchy pentagram-shaped rash I've developed?
Now, there's a lot I can't talk about regarding this stuff, and certainly not for any sinister reason. It's a selfish reason, though, that being that I really like not getting sued. I can, however, use my experience and knowledge to bust or confirm some common account security myths. Ready?
I'm a trained professional. Don't try this at home!
MYTH: Blizzard's internal security has been compromised, which is why these notices have gone up.
Let me be straight with you here, dear reader. I need to stress this for posterity.
Blizzard's internal security has never been compromised. If your account is compromised, it is your fault.
This isn't an idea that a lot of people are comfortable with. After all, Blizzard has all of our login information. Your computer is secure, right? You've never been to any questionable sites. You have an anti-virus program running all the time. This must mean that Blizzard's internal security has been compromised, since there's no other way it could have happened to you. A hacker must have accessed Blizzard's internal account information database.
You'd think that.
I'll pose a question along these lines. If you, as an unscrupulous individual, had access to Blizzard's internal account database -- containing account names, passwords, billing information, and credit card numbers -- would you even bother compromising accounts to farm gold to sell? Or would you do what any reasonable unscrupulous person would do and just take the credit card numbers?
You're right. You'd take the easiest route to the money. Hacking into Blizzard just to get login information is a completely backward and inefficient way of draining money from you, the player. Why sell gold when you can print money?
Straight up, if you're compromised, it happened in one of a few ways.
- You had a keylogger placed on your machine because of a security hole on said machine.
- You gave your login information to a third party, such as a power-leveling service.
- You shared your account with someone else, whose actions led to one of the above.
Your computer's security can never be perfect, but it can be drastically improved where WoW is concerned by being vigilant about the sites you visit and the links you click on and, most importantly, by not sharing your account information with anyone.
Take it from the dude who worked there--it's not Blizzard's fault that your account was compromised.
Myth Status: BUSTED
Reader Comments (Page 1 of 3)
Martin Dec 31st 2008 1:07PM
"Hacking into Blizzard just to get login information is a completely backward and inefficient way of draining money from you the player. Why sell gold when you can print money?"
How exactly would that allow you to print money?
Cysgodi Dec 31st 2008 1:14PM
It was a figure of speech. He mentioned in the same paragraph that if a person could hack into Blizzard's databases containing account information, then they would have access to credit card numbers, which gives them access to a virtually unlimited amount of money.
Ed (Sindarin, Hydraxis US) Dec 31st 2008 1:20PM
While I believe the chances of Blizzard's internal security being compromised are extremely low, I suppose it could be possible that the credit card details are held in a different, more secure database, making getting the account information the only way of getting anything.
Again, I agree, practically zero chance, but if we're going to consider all situations.
Have a happy new year everyone!
MoustacheRide Dec 31st 2008 1:24PM
To make things a little easier on your poor little brain, he was basically saying that it wouldn't make sense for someone to steal an account from Blizzard when said person could just steal credit card info. Trying to take an account with the intent of selling epics and stealing gold is much more time consuming and less rewarding than getting a hold of someone's credit card.
Cleaved Dec 31st 2008 1:28PM
Simple solution... Make a text file, put your password in there... and COPY it by highlighting and pressing Ctrl + C.
Now, open WoW... type in your USERNAME... then go to the password field and hit Ctrl + V to PASTE the password into the field. You've just thwarted any Keylogger you might have, since they just got a big log of Ctrl + V
If you play at multiple locations... just email your password... to yourself. When you go somewhere else, bring up your email... and do the same things listed above.
I got hacked ONCE... since then I've used this method and never had any issues. Norton, McAfee, all the AntiVirus software is crap when it comes to WoW-related keyloggers. They just don't find them reliably enough or you need to scan while the WoW client is running to have a hope of finding them running. My computer had every security hole plugged 2 years ago that could be plugged without making me unable to connect to the interweb ;) I still got hacked, and now I use the method listed above... no problems whatsoever.
Waldengel Jan 2nd 2009 1:03PM
The issues came from Internet Explorer having that vulnerability that allowed attackers to compromise a machine.
http://www.microsoft.com/technet/security/bulletin/ms08-078.mspx
While 'game passwords' were also targeted, the issue was much bigger than just getting access to your WoW account. People were able to access your entire machine and all the data on it.
The issue was fixed; make sure to patch your Internet Explorer (or use Firefox). Since IE is widely used, a lot of WoW players were affected by it, ergo Blizzard started recommending their way of dealing with the issue.
This is not related to Blizzard being hacked, this is related to users navigating to compromised websites and getting exploited. End of Story.
Envi Dec 31st 2008 2:01PM
Problem with e-mailing it to yourself is what if your e-mail is compromised too? Key logging allows all kinds of information to pass between clients. Speaking from experience, chances are good if you have been key logged, they have more information than just your WoW account. My particular nightmare included having my e-mail compromised, and the transfer requests deleted as I tried everything to get control of my account.
Naraki Jan 7th 2009 6:47AM
@ Cleaved
That is a myth.
Keyloggers read the memory and/or packet stream for user input. Saying that copy/pasting your account creds thwarts keyloggers creates a false sense of security and is therefore more harmful than helpful...
A Sys Admin.
AlmtyBob Dec 31st 2008 5:27PM
Seconded. The copy/paste method simply DOES NOT work. Emailing your password to yourself is an awesome way to get hacked though.
Rhode Dec 31st 2008 1:08PM
I have to say, I love this Mythbusting segment.
Liel Dec 31st 2008 1:09PM
Yes, and working in the security field and getting many upon many alerts from CERT, no, and I mean no, companies get their security compromised. It's just fantasy that every week a major company has to send out email notifications and financial institutions offer free credit check services for 1 year because account information was illegally accessed.
komamura Dec 31st 2008 1:24PM
I don't think he's saying it can't happen; it's more of a why would you do all that work and only use that info to farm gold and hack accounts when you could just take the credit card info and make off with real money.
Vhaine Dec 31st 2008 1:18PM
It's good to know that Blizzard is the one place in the world safe from all types of security flaws. My question is this:
If Blizz is so adept as to have NEVER had a security breach...then why don't they stop making video games and become network security experts? I can think of a few people that'd be really interested in that sort of certainty.
Meanwhile...back in the real world...I call BS for what it is. To make a statement like that is pretty much akin to saying "politicians NEVER lie" in my mind. So if you believe this...I've got an ocean front condo in Arizona to sell you. Dirt cheap.
Worcester Dec 31st 2008 2:22PM
Now for a lesson in reading comprehension.
The article clearly does not say Blizzard CANNOT be hacked, just that it NEVER has. Many, many, many... in fact MOST companies can say the same thing. You've heard of the ones that have been compromised, they are the top story on the nightly news.
If someone did hack Blizzard, they would not bother logging into individual accounts just to shard epics and farm gold. Why? Because they would have access to probably MILLIONS of credit card numbers! That is much more valuable than your epics.
No, really. Millions of credit card numbers is VASTLY more valuable than your epics.
No, I don't care what you have equipped. The credit card stuff is still more valuable.
So the point of the article is, if YOUR account has been compromised, it's YOUR fault for being careless. Someone did not hack Blizzard to get your information. They hacked YOU!
kageneko Dec 31st 2008 1:20PM
Another way to get hacked: have a weak password on the email account attached to the WoW account. :(
Liel Dec 31st 2008 1:29PM
One thing I am amazed about is Blizzard does not support case sensitive passwords. One day I was typing mine in and I got in and I swear I did a typo; come to find out it only supports special characters, not upper and lower case.
Matt Dec 31st 2008 6:36PM
That is really surprising -- I was convinced you were wrong till I went and tried it. No case sensitivity in the passwords....crazy!
Paul Dec 31st 2008 1:34PM
So my friend's account was hacked and he has canceled his WoW account. This happened right after WoW Insider warned against an exploit in IE being used to hack gamer accounts!
Ok. So his fault was trusting MS.
So the kicker is that Blizzard allowed his main to be transferred with all his alts' gold to a new server without a verification email sent to him before the transfer! Salt in the wound. WoW charging him $25 for the transfer. Sorry, that's just lame! A verification of the transfer request through his email would have alerted him! Simple yet effective. Blizzard does have a responsibility here too.
Also, authenticator should be standard issue with the purchase of the game or expansions. At the very least a purchase option to be accepted or declined. Sort of a regular option without or the special edition with the authenticator.
Just my 2 cents.
Envi Dec 31st 2008 2:14PM
I have a couple problems with this story. Blizzard allowed it because they don't assume every transfer is a hack. His credit card was "stolen" as well; they do not allow you to charge the same credit card the billing is on. You need to manually enter the card number and information again. People change servers all the time, taking all the gold with them from alts. The e-mail is also not a fault of Blizzard "not sending one". The e-mail was breached too. E-mail was deleted to cover the transfer. Only takes 30 min or so to transfer a character.
How do I know? Same story happened to me. All of it. I still play. Blizzard worked it out. I have a BlizzCon authenticator I was not using until this mess. Use it now I do. Say what you will about Blizzard, they are not boosting sales here for Authenticators.
ArtDecoAutomaton Dec 31st 2008 7:55PM
Dude, part of stealing an account is changing the email.