The scammer said he could get around the Authenticator.

Yes, he did. He said he could get around it once by obtaining a code through his phishing site and then he would have to use it to change the password or as a one time login to get your valuables and leave. He also said that he hadn't tested this as of yet, because after hacking into 50 accounts, none of them had Authenticators. His theory is that people have stopped using them because the hacking rate has gone down.

But you don't need Captain Obvious to tell you that the scammer wasn't being completely forthcoming here. First of all, he would have to know whether or not you have an Authenticator on your account before sending you the link. When you log into Blizzard Account Management, you have to enter an authenticator code only if you have one attached to your account. So the standard phishing link doesn't ask for one. But let's say he did know and sent you the appropriate code-stealing phishing link and he got a code from you. If he spent that one code on changing your password, he wouldn't be able to use it to login to the game. Also, he would need two consecutive codes to remove the Authenticator from your account for a total of 3 codes, since he would need to spend one code on logging into Account Management. Therefore, one code would allow him one game login only and he'd have to get his "business" done quickly before you tried to log in again, kicking him off.

Update: Some commenters have said things that made me do further testing on the one use claim by Blizzard. Here are the results:

• It is one use per account, so if you have the same authenticator on multiple accounts, you can use the same code on each account before it expires.
• It is one use per kind of login, so if you use the same code before it expires when you try to login to WoW, it will not work the second time.
• It is not one use per account per different type of login. This will allow the scammer to use the password to login to your account management and your account at the same time, if he does it quick enough. Once there, however, he will still not be able to remove the authenticator from your account for the reasons stated above.

Why would someone stop using an Authenticator?

I really, really don't want to discourage anyone from getting an Authenticator, but I must admit, they are a pain to use. You have to have it with you when you login. If you forget it at home, then your laptop is useless for playing WoW while you are traveling. If you keep it on your keychain or it's a phone app, then you have to have those nearby before you get comfy for your gaming session. I am also constantly entering in my code as my password and then having to start all over again with the login. But I still won't stop using it. It really is a minor inconvenience compared to the hassle involved with getting my account hacked. Yes, I practice safe computing, but I also make mistakes. We all do. Most of us have to use multiple keys to get into our homes and this is really similar. The added ickiness is well worth the peace of mind.

OK, I'm sold. Where can I get one?

Well, I have bad news if you are in the U.S. and don't have an iPhone or iPod Touch: they are currently sold out... again. And when they are in stock, they go quickly. But they are working on getting apps for other cellphones and they do get more Authenticators in periodically. Here are the appropriate links:

• U.S. Authenticator
• Canada, Australia, New Zealand and Latin America
• Europe
• iTunes App Store (this link launches iTunes)

Regardless of whether you have an Authenticator or not, you should always get to Account Management through trusted links only. But, again, we all make mistakes and having an Authenticator is a nice safety net.

Be careful out there!

Tags: authenticator, hack, hacker, scammer, security, world-of-warcraft-security, wow-authenticator, wow-hack, wow-security

Filed under: Analysis / Opinion, Account Security