Account security mythbusting
So, you might have noticed the increased number of warnings and advice from Blizzard regarding account security lately. They've even popped up in the game itself, as a server message when you first log in. Needless to say, this has caused no dearth of consternation in the WoW community (read: people be trippin'). So, why the sudden notices? Has something changed? Has Blizzard lost their footing in the war against hackers and gold farmers? Is Blizzard in cahoots with them? What's this itchy pentagram-shaped rash I've developed?
Now, there's a lot I can't talk about regarding this stuff, and certainly not for any sinister reason. It's a selfish reason, though, that being that I really like not getting sued. I can, however, use my experience and knowledge to bust or confirm some common account security myths. Ready?
I'm a trained professional. Don't try this at home!
MYTH: Blizzard's internal security has been compromised, which is why these notices have gone up.
Let me be straight with you here, dear reader. I need to stress this for posterity.
Blizzard's internal security has never been compromised. If your account is compromised, it is your fault.
This isn't an idea that a lot of people are comfortable with. After all, Blizzard has all of our login information. Your computer is secure, right? You've never been to any questionable sites. You have an anti-virus program running all the time. This must mean that Blizzard's internal security has been compromised, since there's no other way it could have happened to you. A hacker must have accessed Blizzard's internal account information database.
You'd think that.
I'll pose a question along these lines. If you, as an unscrupulous individual, had access to Blizzard's internal account database -- containing account names, passwords, billing information, and credit card numbers -- would you even bother compromising accounts to farm gold to sell? Or would you do what any reasonable unscrupulous person would do and just take the credit card numbers?
You're right. You'd take the easiest route to the money. Hacking into Blizzard just to get login information is a completely backward and inefficient way of draining money from you the player. Why sell gold when you can print money?
Straight up, if you're compromised, it happened in one of a few ways.
- You had a keylogger placed on your machine because of a security hole on said machine.
- You gave your login information to a third party, such as a power-leveling service.
- You shared your account with someone else, whose actions led to one of the above.
Your computer's security can never be perfect, but it can be drastically improved where WoW is concerned by being vigilant about the sites you visit and the links you click on and, most importantly, by not sharing your account information with anyone.
Take it from the dude who worked there--it's not Blizzard's fault that your account was compromised.
Myth Status: BUSTED
Filed under: Analysis / Opinion, Account Security
Reader Comments (Page 2 of 3)
Iuvo Dec 31st 2008 1:33PM
I've been thinking of getting an authenticator for a while now and this article convinced me to get one but they are sold out. They seem to have been sold out for a while now looking at previous articles. Does anyone know when or if they plan on making more available?
Stephen Dec 31st 2008 1:34PM
I deal with credit card transactions and card processors daily. Credit card companies and transaction processors have added many layers of security in the past few years. They can pick up on patterns of unusual transactions and shut them down pretty quickly. They are also pretty quick at tracing cards with common merchant charges to see if a company's database has been hacked, and then watch all cards with transactions from that common merchant.
One of the reasons that WOW keyloggers are so widespread is that accounts and gold are easier to sell than card numbers. The feds look for credit card hacking rings, they don't care as much about WoW hackers.
I also doubt Blizzard's billing database with its credit card numbers is housed on the authentication server.
I can easily imagine a server where you have to log-in, like the Blizzard forums, getting hacked.
I don't think the "Myth" is busted.
Bigfish Dec 31st 2008 1:38PM
The reason someone who had access to both a WoW account and the corresponding CC information would strip the WoW account and not the credit card is fairly simple: You get arrested and tossed into prison for credit card fraud, while the police will laugh at anyone who files a report on their compromised WoW account. You'd think, if people are stupid enough to get keyloggers that get their WoW passwords, we'd see more instances of credit card fraud from those who have been compromised, but for some inexplicable reason we don't?
Consider also that no one needs to HACK in to Blizzard to get account info. They have plenty of staff who have access to that information and the opportunity to mentally jot down account "joebobjim" with password "notapassword". Does Blizzard monitor internet access and bank account information of all their employees even when they are at home/at an internet cafe/the public library/etc?
This isn't a mythbusting, it's drivel without any testing. It relies solely on the author's perspective as to what THEY think is possible.
Cy Dec 31st 2008 2:38PM
"They have plenty of staff who have access to that information"
Virtually none of the Blizzard staff has any need to ever have direct access to your account information. Stop spreading misinformation.
Edd Morgan Dec 31st 2008 1:39PM
Very good article, but you missed one important thing:
Let's assume someone DID get into Blizzard's computers, peeked at the database and completely overlooked the more important information such as card information and just went straight for your account's password. They still can't do it.
Let's imagine your password is "kittens". You think if a "hacker" looked at the database they'd see "kittens" next to your username? No, they'd most likely see a hashed version of "kittens", which looks like this:
"84169a8d5b3289e8ece00d7735081b53"
No sane database administrator would EVER store plain-text passwords. They are encrypted using a certain algorithm (the above is an example of "kittens" being run through the MD5 algorithm), which turns human-readable stuff into non-human-readable stuff. It's very likely that Blizzard never sees your password. If you tried to log in with that hash you see above, you'd actually be trying to log in with the hash of that hash, and thus you wouldn't get anywhere.
To reinforce the point that I am very glad the author made: If someone breaks into your account, IT'S YOUR FAULT - nobody else's. At the very least, it's happening on your end, not Blizzard's.
Edd Morgan Dec 31st 2008 1:50PM
Although, to counter my post, at that point the "hacker" could just replace your hashed password with another and log in that way if they happened to have write access.
3drage Dec 31st 2008 1:59PM
"No sane database administrator would EVER store plain-text passwords."
You'd be surprised on this one.
Also, with the invention of rainbow tables it wouldn't take long to decrypt a password. Hacker gets in, rars up the files and then starts attacking the data from the comfort of their own home, or another remote compromised computer. Its simplicity is frightening, and the scope of the problem is downplayed when it comes to announcements to the general public. No one is going to freely disclose a compromise unless required by law, and even then it's not always disclosed.
syberghost Jan 1st 2009 11:58PM
And lest anyone be tempted to point out that there is no complete rainbow table for all possible MD5 hashes, let alone SHA etc., consider that a rather large percentage of people, when presented with the requirement to choose a password, pick a single dictionary word. If required to add a number, they put "1" at the end. Generating rainbow tables for the dictionary is child's play.
This is true even in Fortune 500 IT departments, but it's even more true in random collections of unwashed masses, such as, say, 11.5 million WoW players.
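As an added example (not from the article or any of the commenters), the following Python puts Edd Morgan's hashing point and syberghost's dictionary point side by side: a hash-to-password table built once from a small constructed wordlist (each word plus the "word1" variant) recovers an unsalted MD5 on sight, while a random per-user salt and a deliberately slow KDF (PBKDF2-HMAC-SHA256, assumed here as the defensive fix) do not fall to the same shared table.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a real dictionary: plain words plus the "word1" variant.
WORDLIST = ["kittens", "puppies", "password", "dragon"]
CANDIDATES = [w + suffix for w in WORDLIST for suffix in ("", "1")]


def store_unsalted(password: str) -> str:
    """What the comment above describes: the bare MD5 hex digest of the password."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(candidates) -> dict:
    """Precompute hash -> password once. Because there is no salt, one table
    serves every user of every site that stores passwords this way."""
    return {store_unsalted(c): c for c in candidates}


def recover(stored_hash: str, table: dict):
    """Dictionary lookup: returns the password, or None if it is not in the table."""
    return table.get(stored_hash)


def store_salted_md5(password: str, salt=None):
    """A random per-user salt defeats the shared table (a fresh table would be
    needed for each salt), but MD5 is still fast enough to brute-force one user."""
    salt = salt or os.urandom(16)
    return salt, hashlib.md5(salt + password.encode()).hexdigest()


def store_slow(password: str, salt=None, iterations: int = 200_000):
    """Salted and deliberately slow: every guess against this user costs
    `iterations` hash computations instead of one."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_slow(password: str, salt: bytes, digest: bytes, iterations: int = 200_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)
```

The table lookup succeeds for "kittens1" only because the hash is unsalted; the same table returns nothing for the salted variants, and the slow KDF additionally makes per-user guessing expensive.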
Elara Dec 31st 2008 3:15PM
You forgot one big one: brute force hacks. I never gave my account info to anyone, I didn't have any keyloggers, and I still got hacked, with what I thought was a strong password. I caught it within an hour, but it was still a giant pain in my butt. Now my password is not only one I can barely remember, but I've got an authenticator just in case.
syberghost Jan 2nd 2009 12:03AM
I assure you, you weren't hacked by somebody brute-force trying millions of combinations to log into your account until one worked. Blizzard would have locked the account long before they got there.
mensrea Dec 31st 2008 1:54PM
(For reference, I worked in the computer/internet security division for a huge auto insurance company for several years.) The main conclusion is probably right, but this "myth busting" is full of fail for a number of reasons:
1. Odds of Blizzard telling some random CSR that their security had been breached? Zero, unless they absolutely had to.
2. Your example doesn't really work. Even if we assume that Blizzard is storing the credit card numbers (it's more likely that a vendor or bank that Blizzard uses to process the billing is doing the storage), in order to do that, they have to comply with PCI DSS for the systems that do that. This is an expensive and time-consuming thing to do, and it would be unbelievably stupid for them to put ANY data aside from the billing data into this system. For one thing, it provides more attack vectors to the truly valuable information, for another it means weapons-grade security and auditing for data that really doesn't need it. In point of fact: it's entirely likely that the "unscrupulous person" in your example would be unable to get the CC numbers EVEN IF he was able to get to the account database.
3. "Your computer's security can never be perfect." True. Now take that axiom and apply it to Blizzard's computers. Equally true there.
sephirah Dec 31st 2008 1:56PM
I find it amusing that when logging in, Blizz invites you to go to the forums, which lately are plagued with keylogger links...
Paul Dec 31st 2008 2:09PM
"To reinforce the point that I am very glad the author made: If someone breaks into your account, IT'S YOUR FAULT - nobody else's. At the very least, it's happening on your end, not Blizzard's."
@Edd Morgan
Thank god you don't run any banking or store sites. You'd be out of business. Bliz needs to stop taking its members as a guaranteed money flow regardless of their policies.
Branwyn Dec 31st 2008 2:09PM
"Blizzard's internal security has never been compromised. If your account is compromised, it is your fault."
Bull. Not always is it your fault. I know several people, myself included, who took all precautions, and still managed to get hacked. And in all these cases they were accounts that had become inactive within a month of the hacking. Nothing found on the computers that could have compromised them, passwords used only for the wow account and nowhere else, and that were changed regularly.
Uh uh. Not ALWAYS is it the hackee's fault. Often, because a lot of people aren't careful, but not always.
Chad Dec 31st 2008 2:37PM
Um, it's always the player's fault. If someone gets access to your info, either you gave it away or your passwords sucked. It's time to take responsibility for your own actions.
hold up Dec 31st 2008 2:15PM
@"Blizzard's internal security has never been compromised"
Sounds like someone just issued a challenge to the hackers of the world. While I agree that the reason for an individual's account being hacked has possibly never been Blizzard's fault, I think it would be inaccurate to say security has 'never' been compromised.
Between possible disgruntled employees, developers with a god complex and the immense popularity of the game it is very likely that the internal security of Blizzard has been compromised at some point.
And as far as the "there's no way a hacker can get that information" argument - there is always a way. I will leave it at that. If you want the information bad enough, it can be achieved.
chad Dec 31st 2008 2:39PM
While it's certainly possible to play trouble-free on a Windows computer, it's inherently safer to play on a Macintosh. There are zero keyloggers that affect OS X. You still aren't guaranteed complete safety due to user error (giving out account info, poor password, etc), however, knowing that keyloggers don't currently affect Mac users is quite nice.
kraar Dec 31st 2008 4:18PM
There are keyloggers for *nix. Never tried, but I'm pretty sure they could be run on a Mac.
kraar Dec 31st 2008 4:22PM
Just googled "osx keylogger". There are a ton of Mac keyloggers.
Lrdx Dec 31st 2008 2:46PM
"If you, as an unscrupulous individual, had access to Blizzard's internal account database -- containing account names, passwords, billing information, and credit card numbers -- would you even bother compromising accounts to farm gold to sell?"
Sorry Michael, you are thinking wrong.
A Blizzard account is worth MORE on the black market than a credit card number.
Also, there are a lot of people out there who pay for their account (a) with game cards (no credit card..) or (b) with a virtual card where the owner just sends the amount of money (s)he needs for the next transaction, and which is empty apart from that. So I guess it's quite an inefficient way of stealing credit card numbers..