The Queue: Nuts and bolts
Oh boy. Most of us are the walking dead after BlizzCon, but let's get back to something resembling normalcy with a Queue. We're going to start off today with an important matter concerning authenticators and account security, then move on to a bit of WoW.com business and Onyxia. I'd also like to direct attention to two really good comments from the last column re: technical issues, Shadow's and Logarth's.
Zerounit asks...
I recently got an Authenticator in the mail and I noticed something while I was inspecting it: there appears to be no way to open it short of cracking it open with large objects. Is there a battery life on these? If it stops giving me my magic codes, will I have to get a new one?
I got an authenticator for my own use recently and have to admit I hadn't thought to look into the battery life, which is a very good question indeed. A dead authenticator means you have no way of getting into the game (or even into your online account) without official help from Blizzard.
Turns out the little security doodads are manufactured by a company named Vasco, and after poking around their website, I'm reasonably certain that Blizzard authenticators are a variant of Vasco's DIGIPASS GO 6 model. What makes me so sure? The GO 6 model page is the only one accompanied by an article on fraud and hacking in online gaming. They don't come right out and say that Blizzard is a customer, but unless Hello Kitty Online is a bigger hive of scum and villainy than even we gave it credit for, you don't have to be a genius to figure out that World of Warcraft figures prominently in MMORPG account theft.
Vasco says that the GO 6 model, like most of their mobile authentication devices, is supposed to have a minimum battery life of 7 years. Manufacturers' assurances aside, you can find reports from players who have observed malfunctions or unusually early battery deaths, but honestly, this doesn't appear to be a common problem. As you might expect, authenticators are designed to be user-friendly for the purpose of getting your codes quickly and safely, but they're not designed to be so friendly to someone trying to tamper with them. One player who did manage to crack one open reported that it's doable with a jeweler's screwdriver, but the battery case (at least on a 2008 model) was very resistant to player meddling, even if all you wanted to do is replace the battery.
This may sound like a needless annoyance (and frankly it kind of is, if the only thing the authenticator needs is a new battery), but having to get in touch with Blizzard to replace an authenticator is good design. As a player in another authenticator-related thread observed, authenticators aren't there to help Blizzard security, because Blizzard's never been hacked. They're there to deal with the gaping security hole that so frequently exists between the computer and one's desk chair. If removing an authenticator from your account were easy, then it'd be just as easy for a hacker to remove it as well, which rather defeats the purpose of having one in the first place.
If your authenticator goes on the fritz or the battery dies, call Blizzard's Billing and Account Services department, and they'll remove it from your account after verifying that you are the true owner. This involves providing account details and the serial number of the dead authenticator or, as Sacco writes, a "large amount of very personal information." I'd provide numbers here, but they're different for each region; visit your regional World of Warcraft website and go to the options located under the Support bar. If you clicked through the last forum thread linked in the paragraph above, you'll have seen a player who had to replace an authenticator noting that the process took only 2 hours from start to finish (and that was on a patch day). Authenticators are still in stock at the Blizzard Store (go to the More Products tab up at the top right), and unless you are 100% sure of your account's security and your ability never to get keylogged or hacked, you're probably best off getting one.
Tyranas scolds...
Get off the (New Jersey) Turnpike sometime, and stay away from Camden and the whole Newark area, and you'll see we do actually deserve the name "Garden State."
There are parts of New Jersey that aren't the Turnpike? State your sources!
Tatsumasa asks...
Why is the Queue posted so infrequently?
Adam and Alex are the two usual authors, but they have the bad luck to be two of our editors (ha ha! Sucks to be them!). If something else has come up on the site (and not infrequently it's business that never actually appears on the site), the Queue is the inevitable casualty of their having to be elsewhere. Now, if a column author (someone who has a weekly commitment to write a particular feature) can't be here in a given week, it's easy for them to reschedule it or ask someone else to cover it. By contrast, as the Queue is a daily feature, if something comes up it's a lot harder to give it to another writer because there's never much notice.
We've had particular trouble lately due to the release of patch 3.2 and the run-up to BlizzCon, all of which took a lot of time behind the scenes here. Eagle-eyed readers have already noticed that Cataclysm, Goblin, and Worgen categories went up on the site suspiciously fast... which I guess, in a roundabout way, is an oblique answer to Valaro's question.
Nevertheless, the Queue and its predecessor, Ask A Beta Tester (which you'll see reappear on the site when Cataclysm hits beta) are easily among our favorite things to write. Things should settle down in the near future, and it'll resume a normal schedule. We do apologize for the disruption along the way.
RothKeahi asks...
Inquiring Mages want to know! Is the new and improved Ony still resistant to fire?
The reports I've seen from players on the PTR all say that she no longer has any immunity to Fire spells or effects. Wowwiki is reporting the same thing.
Filed under: Analysis / Opinion, Features, Account Security, The Queue
Reader Comments (Page 2 of 8)
dude Aug 24th 2009 9:18AM
Even Authenticators aren't enough anymore, it sounds like.
http://bits.blogs.nytimes.com/2009/08/20/how-hackers-snatch-real-time-security-id-numbers/
BobTGnome Aug 24th 2009 9:32AM
That is worrying but I wouldn't lose sleep over it. The authenticator's RNG is tied up with an authentication server and the numbers are in simple terms time stamped. Basically if the number entered doesn't match the number currently on the authentication server then you won't get in. Write a generated number down 10 minutes before you log in and try logging in with that, pretty sure it won't work as the number is no longer in the correct "valid time frame".
If your authenticator number could be plucked out of cyber space then the thief would need to log in at that moment to use it. You'd experience a "You've been disconnected from the server" error and the second you log back in you'd kick them. One way to test this, try logging into the same account from two separate launches of the game, you'll get a nice game of disconnected ping pong going.
Being hacked is for the most part due to lapse in concentration of the user downloading a bad file, not having AV software, giving out secure information. The authenticator is simply a buffer between these lapses and the bad guys out there. They are not the golden cure to being hacked but they really do help.
BobTGnome Aug 24th 2009 9:35AM
Sorry.... RNG random number generator for those of you not speaking acronym.
Another way to show how secure these little things are, enter the number from the photo 778645... ain't gonna work :)
Castellan Aug 24th 2009 10:03AM
Actually PRNG for Pseudo Random Number Generator; a true RNG wouldn't work.
Hurgan Aug 24th 2009 10:05AM
To be pedantic, the authenticators probably don't use an RNG, otherwise it would be difficult to check the security code with the server. Instead, the mechanism likely involves a strong password + clock + strong one-way hash.
The man-in-the-middle attack described by the NYT is a bit disturbing, as it relies on automating the process to take advantage of that short time window that the one-time password is viable.
BobTGnome Aug 24th 2009 10:18AM
Fair point, was trying not to slip into geek speak :)
Mathir Aug 24th 2009 11:32AM
The authenticators are more secure for game use than some others. The reason is only one person can be logged in at a time. If a current authenticator code is captured and used to gain access to an account, it will boot the person who is using the account off. The natural instinct of anyone who gets disconnected is to reconnect. So, inside of a minute, the hacker is booted off, and will need to capture another code to regain access.
As a precaution though, if you're an authenticator user and you get disconnected, don't call it a night. Log back in immediately.
It seems like WoW account hacking is a bulk business. They need a lot of accounts to waste them advertising gold sites on every server around the clock. They're going to go for the easy catch... phishing schemes, forum hacks, keyloggers and the like. I doubt they have the time to waste trying to break into an account with an authenticator.
Beli Aug 24th 2009 11:30AM
Like most of these authenticators, they simply contain a passcode (usually an 8+ digit prime number) and a clock designed within certain drift tolerances (in other words, one that is accurate to the second for the next 10 years or so). They then apply some super-secret hash function using those two pieces of information to create the 6-10 digit pass you type in.
The problem with changing the batteries on these things: You lose your clock information. As soon as you disconnect the battery, the clock either stops until it's plugged in again or (more likely) resets to 0 (January 1, 1970). Either way, when you put a new battery in, the token is no longer synched with the server, and thus won't work anymore.
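The mechanism the commenters above describe (a shared secret, a clock, a one-way hash and a short validity window), sketched as an added example that is not part of the original post or its comments. It uses the public HMAC-based scheme from RFC 4226/6238 as a stand-in, since the page does not document the algorithm inside the Vasco device; the secret, timestamp, 30-second step and one-step drift tolerance are assumptions.

```python
import hashlib
import hmac
import struct

STEP = 30      # seconds per code; assumed, the page gives no figure
DIGITS = 6     # the code quoted from the article's photo has six digits


def code_at(secret: bytes, unix_time: int) -> str:
    """Derive the one-time code for the time step containing unix_time."""
    counter = struct.pack(">Q", unix_time // STEP)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # RFC 4226 dynamic truncation
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret: bytes, submitted: str, server_time: int, drift_steps: int = 1) -> bool:
    """Accept a code only if it matches a step within +/- drift_steps of the server clock."""
    for delta in range(-drift_steps, drift_steps + 1):
        expected = code_at(secret, server_time + delta * STEP)
        if hmac.compare_digest(expected, submitted):   # constant-time comparison
            return True
    return False


def demo() -> dict:
    """Run the cases raised in the thread against a constructed secret and clock."""
    secret = b"constructed-demo-secret"   # constructed sample value, not a real seed
    now = 1251105480                       # constructed server time (24 Aug 2009 UTC)
    return {
        # Token and server agree on the time: the code is accepted.
        "current": verify(secret, code_at(secret, now), now),
        # A code written down ten minutes earlier is outside the window.
        "ten_minutes_old": verify(secret, code_at(secret, now - 600), now),
        # Token clock restarted from the epoch after a battery swap: out of sync.
        "token_clock_reset_to_1970": verify(secret, code_at(secret, 0), now),
        # Token clock 20 seconds slow: absorbed by the drift tolerance.
        "token_20s_slow": verify(secret, code_at(secret, now - 20), now),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The check only compares the submitted digits against the server's own derivation, so a code is good for whoever presents it first inside the window, which is the property the relay attack in the linked NYT piece depends on.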
edgesumaria Aug 24th 2009 9:18AM
As someone who lives in NJ and actually has to drive a good 15-30 minutes to even get on the Turnpike. If you had stated the Garden State Parkway on the other hand, that would be much more believable.
Also, I have a question for you - how do you think Blizzard is going to retcon Worgen and Goblin DKs into the fold? And also do you think they will add new NPCs into the DK starting area representing the new races?
snowleopard233 Aug 24th 2009 9:32AM
Third generation New Jerseyan here! My town isn’t exactly a garden but it sure doesn’t look like the land of Mordor that the meadowlands is. If anything, it looks like it’s straight out of Leave it to Beaver. Go by Princeton or Watchung sometime and be blown away at the revelation that New Jersey actually has trees and deer lol. They’re asshole deer, that’s for sure, and they follow the power lines to get from forest to forest, but they’re still deer.
Besides, you’re all just jealous of our jagger bombs and ample supply of nearby malls :P Have fun shopping next time you need to drive an hour to the nearest walmart
Cyanea Aug 24th 2009 3:50PM
PAers and *shudder* New Yorkers may talk shit about our state, but where do they go when they want to go to the shore or gamble and get out of the shitholes they live in?
Thought so.
mattarang Aug 24th 2009 10:51PM
We go to Jones Beach. And the casino boats are a lot more fun than AC.
Now where do you New Jerseyans go when you want to stop staring at mini-malls? Or be able to drive on roads where you can actually make lefts? You leave the armpit of America and come to NYC.
Evelinda Aug 25th 2009 8:57AM
I don't know anything about Jersey... I live in Australia, everything is beautiful here ;)
I really don't think that Blizzard needs to retcon in order to bring worgen and goblins into the DK fold. Basically anybody that's died recently at the hands of the Scourge has the capacity to be a death knight, which certainly leaves the door open to the new races as far as I can see.
And if you don't buy that, I can at least explain the goblins away... after all, while they didn't take sides in the Third War, they were certainly still active in it, if only as shredder and zeppelin pilots. So it's certainly possible that they encountered the Scourge during the war, same as everyone else, and got all death knightly then.
Worgen on the other hand... well... they can't really be explained the same way. The Scourge and the worgen outside Gilneas do seem to go hand in hand to some extent, however. Arugal is working for the Lich King these days, making worgen to serve him. I suppose they could become death knights from there... I dunno. They're a bit of a stretch :)
Kyle Aug 24th 2009 9:19AM
So this is aside from the topic here, and I was looking for a place to submit questions to the Queue, but all I've seen is to post them here. Obviously the instances not being launched is a frustration and a problem, and I'm not really asking if they plan to fix this. What I'm asking is have they announced when they plan to? This seems to have been going on for months, and I didn't see any coverage on Blizzcon about it, except that in 3.3 cross server instances will be available, but how far away is 3.3? Too long. To be honest what were they thinking? It was bad enough to get into a heroic even before they made conquest badges the drop. Now it's just a joke trying to get into anything that isn't the daily or ToC. Anyway I just want to know if anyone has an idea at a time frame for when this gets fixed. It's actually making the game very frustrating and not fun, which is why I started leveling another Death Knight (on a new server now) strictly for pvp, and might even just twink him at 79 for pure boredom. In almost 5 years of playing this game I was never this frustrated at the game.
zweitblom Aug 24th 2009 9:59AM
http://www.wow.com/2009/08/22/blizzcon-2009-blizzard-announces-cross-server-instances/
zweitblom Aug 24th 2009 10:01AM
Eh, scratch that, sorry. Reading comprehension is not my forte.
Haji Aug 24th 2009 10:05AM
The "unable to launch additional instances" question was asked at Blizzcon and apparently they already have a fix in place on a small subset of servers. I don't remember exactly who answered the question, it was either Ghostcrawler or Cory, but they indicated that the fix is actively being rolled out to all of the realms.
To address your frustration regarding getting into heroics in general... in response to the same question they announced that they will be implementing cross-realm LFG as early as patch 3.3 which should make getting PUG groups together much easier as there will be a much larger pool of players to pull from. Incidentally the technology patch that will allow cross-realm LFG is the same one that supposedly fixes the instance server issue.
Haji Aug 24th 2009 10:10AM
@zweitblom nice link, I wish I had looked for that before I started my little write up. :(
Mark Aug 24th 2009 9:21AM
Just an FYI, those Authenticators are built to "self-destruct" if you tamper with them. So don't go looking for a way to open it. If you begin to remove the back from the front, the device will immediately stop working. Forever.
revan Aug 24th 2009 9:30AM
How does the queue system for Locked realms work? I mean, if the realm is full, how can people enter it?