Blizzard policy changes in reaction to account security concerns

WoW.com has learned through sources close to the situation that after our series of posts describing some questionable internal policies at Blizzard concerning account administration and security, as well as the likely introduction of mandatory authenticators, a few of these policies have been changed this evening.
First, the abilities of billing representatives to directly roll back characters to previous states has been more or less removed, preventing the onioning exploit we spoke about earlier. Account administrators still have the ability, of course, but it should prevent people from being able to game the system over the phone. We do not know if this ability will be returned when billing representatives obtain the proper training and tools.
Second, the care package deal has been sweetened. We're not exactly sure how, only that it's been improved from what it was this morning. World of Raids was tracking the response to these stories on the Customer Service Forums and found a post by CSF blue Syndri detailing some specifics of the care package as it stood earlier today. We cannot be sure whether Syndri's post applies to the package now or not (given its changes); however, it's probably safe to assume that it does. We have also learned that managers are being directed to ensure everyone is presented this care package as an optional alternative to full restoration, something we understand was not consistently happening before.
Syndri's enumerations after the break.
From Syndri:
- The "care package" you're referencing is simply an offer, and its goal is to provide those affected by compromise the opportunity to get back into the game more quickly. For many players, depending on their play style and how greatly their characters were affected, this offer is ideal. For others, it's not. We understand this and so have ensured that this offer is not a mandate; it's simply another option.
- The offer itself can be declined. Should you decline such an offer, your account will be placed back into the restoration queue in its original place, and you will be provided a full restoration afforded to you by our departments. It may take a bit more time before your restoration is complete, however, as a more in-depth investigation will be required.
- If you opt to decline this offer, please be sure to reply to the email within 24 hours, as instructed. In addition, do not claim any of the offered gold or Emblems from your in-game mail. We'll recoup those ourselves whenever we process your full restoration.
- This offer is not character-specific. If you accept the offer on one or a few characters, you are effectively accepting the offer in-full and additional restoration may not be provided. Consider this a "deal or no deal" sort of situation.
Filed under: Blizzard, News items, Account Security

Reader Comments (Page 1 of 7)
skyydyver03 Jan 8th 2010 8:34PM
I gotta say, I do like it when they make things more secure. I've known too many people who got hacked; that's why I love my authenticator.
Cthulu Jan 8th 2010 8:39PM
I hate that people who get hacked are going to have to wait longer, but the straw is about to break the camel's back. Something has to give, and even though I have never been hacked I ordered an authenticator today too.
Sadly the QQ posts about IQUIT if I have to buy an authenticator...they make me laugh and cry at the same time...someone spends 150-180 dollars a year plus the cost of the internet connection (as I think most broadband connections aren't free except maybe school ones, but you pay for those indirectly through tuition, taxes, etc.) and the electricity is even paid for by someone..yet they won't pay 6.50 for an authenticator...I call BS and we are probably better off if they do quit..
Go QQ somewhere else where they don't have restores..try aion..or warhammer..or wizards101 I think would suit them...
RedGuard Jan 8th 2010 8:58PM
Gahh! It's Cthulu! Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn!
Mr. Tastix Jan 8th 2010 9:16PM
What's $6.50 US for you is $26.50 for me. That's shipping costs. Now times that price by two and you get what I've got to pay to keep my account "secure". A state my account has already been in for my entire WoW lifetime.
I'd happily get it, I just don't want to pay shipping for it. I do think it'd be a nice idea to include them in the Cataclysm box and add the authenticators price to the game.
Pyromelter Jan 8th 2010 9:22PM
Here is the big question I have:
Why are WoW accounts so easily hackable? I've been using the internet for over 15 years, and when my own account got hacked, it was the first time I had ever had a compromise like that. I once had my credit card cloned, but that was from a gas station. I have over 20 different accounts on different websites, more email addresses than fingers and toes - and never been hacked, not once. Banks never get hacked this much.
Frankly I put a lot of the blame for this on Blizzard. In my entire life I've never seen a login-based application ever be so easily broken as WoW. And also, we now see these long queues for account restoration... after battle.net was made mandatory? Did battle.net make logging onto WoW even less secure?
Yes, I have an authenticator, I bought one directly after I was hacked. Incidentally: No spyware, no malware, no viruses, nothing on hijackthis, nothing that I can detect while putting dummy code into my login screen. I can only deduce that there is some extremely fatal flaw with how the login system works that allows hackers to easily access accounts. The authenticator has made my account safe - for now. And I would suggest to everyone who plays wow, if you have a standard password or two for your email/im/banking services, make a very unique one for wow and wow only.
Joel Jan 8th 2010 9:51PM
@Pyromelter
It's not that WoW accounts (without an authenticator) are more or less easily hackable than any other account you may have. It's that there are on the order of 11-15 million WoW accounts and there are financial reasons to hack them. I cannot think of a proven, surefire financial benefit I would gain from compromising your email.
Banks do get hacked. But instead of hearing about specific accounts being compromised you hear about phishing attacks or worse, get a letter informing you that your credit card information was compromised (along with 4.5 million other accounts) due to a breach in a retailer or the bank or whatnot. Frankly it's a testament to how careful Blizzard is with your account information that we have never had to read a story about how the entire username and password database was compromised.
It is not Blizzard's login method that is being compromised. It is the user's computer. The blame lies with the hackers that choose to benefit financially through reselling a user's stolen gold.
The long queues for restoration are most likely tied to the number of people playing increasing over the holidays. Battle.net wouldn't significantly change the method of compromising an account. It might make dictionary and brute force attacks easier by using your email address, but a keylogger doesn't care.
I am sorry that you have been hacked. It sucks.
If you are concerned that an authenticator can be compromised, I would suggest you go to Wikipedia and read the articles on Two-Factor Authentication (your password plus the authenticator code) and One-time password (what the authenticator code actually is).
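Joel's pointer to one-time passwords is the heart of the authenticator argument in this thread: the code a keylogger captures is only good for one short time step and cannot be reused. As an added illustration that is not from the article or from any commenter (and not a description of Blizzard's own authenticator), here is a standard time-based OTP (RFC 6238, HMAC-SHA1, 30-second steps) with the server-side replay guard; the seed is the RFC's published test key, and the scenario timestamps are constructed.

```python
import hashlib
import hmac
import struct

# Constructed demo seed (the RFC 6238 reference test key); a real token's seed is
# provisioned by the issuer and lives only on the device and the server.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30   # how long one code stays current
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int) -> str:
    """RFC 6238: the counter is the number of 30-second steps since the Unix epoch,
    so token and server derive the same code from a shared seed and a clock."""
    return hotp(secret, now // STEP_SECONDS)


class OtpVerifier:
    """Server-side check of a submitted code.

    Accepts the current step plus/minus `skew_steps` to tolerate clock drift, compares
    in constant time, and remembers the highest step already consumed so a code that a
    keylogger captured cannot be replayed even inside the acceptance window."""

    def __init__(self, secret: bytes, skew_steps: int = 1):
        self.secret = secret
        self.skew_steps = skew_steps
        self.last_counter = -1

    def verify(self, submitted: str, now: int) -> bool:
        base = now // STEP_SECONDS
        for offset in range(-self.skew_steps, self.skew_steps + 1):
            counter = base + offset
            if counter <= self.last_counter:
                continue  # that step (or an older one) was already used: replay
            if hmac.compare_digest(hotp(self.secret, counter), submitted):
                self.last_counter = counter
                return True
        return False


def keylogged_code_replay() -> tuple:
    """Scenario from the thread: a keylogger captures password and code at t=59.
    Returns (legitimate login accepted, replay seconds later, replay two minutes later)."""
    server = OtpVerifier(DEMO_SECRET)
    captured = totp(DEMO_SECRET, 59)          # what the keylogger saw the user type
    first = server.verify(captured, 59)       # the legitimate login
    replay_now = server.verify(captured, 61)  # same code resubmitted moments later
    # Fresh server state, so only the time window decides: the step has passed.
    replay_later = OtpVerifier(DEMO_SECRET).verify(captured, 59 + 120)
    return first, replay_now, replay_later
```

The password is still exposed to the keylogger; the example shows only why the second factor is not, which is the limit of what the thread claims for it.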
Ronin Jan 8th 2010 10:03PM
Mr. Tastix
Since they enforced the Battle.net merge, you'll only need one authenticator to cover all your accounts, assuming they're all covered by the same login email address.
Tristan Jan 8th 2010 10:47PM
@Pyromelter
How many other logins have you played with? And do they have 11 million people using it? 9 times out of ten I would put money on PEBKAC error. Using IE, downloading music/movies/software with Kazaa (or whatever is out there now), not using anti-virus, not having a secure wireless network (although that one is the least likely in this scenario) & phishing.
Depending on if a hacker gets access to your email account, he may as well try it in WoW. He's bound to get one eventually.
K Jan 8th 2010 11:07PM
I think it's BS that they send the thing to your ingame mail first.
What about those who are using, say, the Postal addon with its auto-collect feature? Open your mailbox and bang, say goodbye to a full restore?
Butts Jan 8th 2010 11:20PM
@Pyromelter & everyone else who got "hacked".
First off, hacking refers to someone modifying a piece of software and effectively changing it to his advantage. It can range from increasing his gold to letting him teleport around, something that cannot be done on the WoW servers. This has nothing to do with a stolen account.
Second, I'd say 99% of the time, people who get "hacked" just got keylogged or entered their information on an unsafe site (phishing websites). I remember back in the BC days, there was a fake WOTLK beta invitation page that faked the official WoW login page; tens of thousands of people got their account stolen due to ONE website. People even blamed "hackers" for this, some even went as far as REGISTERING AGAIN on the fake WOTLK beta invitation because they had changed their password.
Just using Internet explorer or not scanning files that you download (and I mean every file, it takes 5 seconds, it ensures you don't get a virus), and in the very extreme cases, using a firewall in case someone attempts to directly crack into your computer to attempt to retrieve your password from memory, will make you immune to account theft.
I've known someone who got "hacked" _5_ times! It's not even in Blizzard's procedure to force the user to scan his computer! I am not even sure if they ask them to change their password.
IMHO, if someone wants his account restored, they need to show some will. Blizzard needs to add some security setup that MUST be run by the user, that will scan the computer for viruses/rootkits/keyloggers, try to remove them if it can, and give a general report of the situation of the computer back to Blizzard. If the person still has viruses, they should be told to either format or get someone to clean the computer for them, because they pose a risk of losing their account again (lost time for both employee and user) and of enriching the gold seller further.
I am tired of people blaming the mysterious "hacker" that can do magical things such as extracting a password from thin air; start getting some basic security knowledge.
TIPS: Get avira antivirus, Comodo firewall, use firefox and do a clean install if you suspect that you are infected by a virus.
uncaringbear Jan 9th 2010 12:14AM
@ Mr. Tastix
Yeh, it sucks for us Aussies having to pay a high shipping fee. However, it is still a very, very small price to pay to reduce the chances of unauthorized access to your account.
Ask yourself this: Is saving $26.95 worth waiting 2 weeks to get your account and toons restored?
tutti Jan 9th 2010 1:15AM
K: I assume all you have to do is explain that in the e-mail you send to decline the care package. It's no harder for Blizzard to recuperate the gold and emblems after you've taken them out of the mailbox than before, assuming you haven't spent them. If you've gone that far, though, I'd assume you could wave goodbye to the full restoration.
Nik Jan 9th 2010 1:37AM
@Mr. Tastix
The shipping cost for the Authenticator is free if it is being sent somewhere in the US, so the cost is really only $6.50.
It doesn't say if the shipping is free for other regions as it does not say on their store page.
slartibart Jan 9th 2010 3:13AM
@ pyro
Placing the blame on Blizzard is a little incorrect.
It's not a failure of their security. 99% of the hacked accounts (made up, but most of the compromised accounts I know of fall under this) are simple human engineering attacks.
It's not like Blizzard's character data servers are being hacked, and that's causing the problems.
It seems like in almost every case a user has placed his/her account & password at risk, either by falling for social engineering, or using lax security procedures.
....Also Butts is right, it's not hacking, it's simply keylogging or compromising your own password. Almost always done by the user.
slartibart Jan 9th 2010 3:18AM
@ Tristan
Don't bring up PEBKAC! I still use that at work. "So what's wrong with this program?"
"Oh it's a PEBKAC issue, I'll fix it"
"Thanks"
Don't let the secret get out to those not in the know! ;)
Tseran Jan 9th 2010 4:12AM
How do most accounts get hacked? Let's look at the common methods:
Social Engineering: You get an email that states your account is under suspicion of being used to sell gold. Please go to the Blizz page and respond. But it's not the Blizz page, it's the scam page, and they just got your info.
User Stupidity: Two things fall under this category, account sharing or leveling services. Congrats, your account is now forfeit, and you deserve it.
Honest-to-goodness hacking: Rare, but someone hacks your computer and gets the information. Not to be confused with...
Keylogging: Your account information is obtained by some trojan horse keylogger you got off a random WoW site, or while downloading music off LimeWire or Kazaa or some other illegal place. Again, this one is your own fault for not having measures against this or going places you shouldn't, but not as much as it is for User Stupidity.
99% of all account hacks are what we refer to as ID ten T errors......ID10T errors. Everyone can make them, but it's the idiots that repeat them.
As to the anti-authenticator stuff....yes, it is expensive, but Blizz does have a MOBILE authenticator (one for your phone, even if it's NOT an iPhone) and that costs only $0.99. No shipping on that. Also, I agree, Blizz needs to make Cataclysm include an authenticator in the box. If you already have an authenticator, then you should be given the option of online purchase of Cataclysm, saving you a little money. This will cut the shipping cost down, and ensure security.
pot Jan 9th 2010 6:53AM
@Tseran
Just a little correction.
Getting an email asking for your password and account info or fake links in game are phishing attempts, not social engineering. Social engineering is generally taking small bits of info, combining them and using them to steal an account.
For instance, someone could scour social network pages to find someone's birthdate, pet names, best friends' names or some other piece of info that could be used to answer a "secret question" for a password reset. Or they could call customer service a few times and get one bit of info about an account each time until they have enough info to convince the CSR they own the account and then can hijack it. Most companies are privy to this and should have already trained their CSRs against social engineering, but as we all know, some CSRs aren't very bright.
So to anyone who may read this, always be careful with the little tidbits of info you put out there. Nowadays the bad guys can find specific stuff like your pet's name, a picture of your car or some other simple thing like that and use it against you. Your pet's name, best friend's name, color of your car are common secret answer questions. Someone could find that info on a social network page, for instance. So be extra careful these days, because as I have demonstrated with social engineering, a couple of seemingly harmless slivers of info can be used against you.
Pyromelter Jan 9th 2010 9:34AM
For everyone blaming me and referring to the myriad of people who got hacked as noobs/idiots/morons:
I don't know how many times I have to say it. No virus. No spyware. Absolutely never been phished. No malware detectable of any kind. I still got hacked.
And to the person saying about financial benefits of hacking wow... I would argue there are far better financial benefits to people hacking bank, credit card, and financial institution type accounts. You want to say I'm placing the blame on WoW as wrong? Well that's just fine. But there are SO MANY account hacks that happened just like my own, that all of your responses completely fail to enlighten the situation. Ever heard of a bank that requires an authenticator? Me either!
"Almost always done by the user."
"99% of all account hacks are what we refer to as ID ten T errors......ID10T errors. Everyone can make them, but it's the idiots that repeat them."
Go read the customer service forum at the myriad of people who never got phished, never found one piece of malware... and still got hacked. And my other question also did not get answered, which is in regard to battle.net - queues for account restoration were never this long, and many people were concerned about the ease of battle.net in terms of its own security. You want me to not put any blame on Blizzard? Fine. Just go ahead and reassure me they are using state of the art protection on their servers... oh wait, you can't. Because did you know someone can just brute force their way onto your account? With no password lockout with repeated attempts, there is no reason for a hacker to not try to hack in.
Butts Jan 9th 2010 9:48AM
@Pyromelter
Again, as I've stated, things don't magically happen. If Blizzard's servers were compromised, you can be sure as hell they'd tell everyone and they'd be shut down for an extended period of time while they secure everything.
Just so you know, cracking a server over the internet is EXTREMELY difficult and nearly impossible. Most secured banks/websites that get cracked are generally done close by, by tapping into their routers or their connection directly, tapping into their internet service (jacking in, to redirect packet traffic to let themselves in). This is too much effort to steal your account, and too much risk of getting traced back.
Something happened and you don't remember it; that doesn't mean it's not your fault. Rootkits can go undetected once they have corrupted your anti-virus, or can just be undetectable. Certain viruses will delete themselves after extracting the passwords, to confuse the victim into thinking it wasn't a virus, and this is a behavior that is becoming more frequent. If you can't know it was a virus, you can't try to guess where you got it from, and this increases the chance you'll repeat the mistake and get the same virus again, and get your account stolen again.
Joel Jan 9th 2010 10:34AM
@Pyromelter
I believe you when you say that you did not detect any malware on your computer. As an IT professional I can assure you that I have scanned many a computer with one tool and had it come up clean, even when it was observable that the computer in question was still trying to send out a stream of spam (proven by looking at the transaction logs in my firewall). Second and third anti-malware tools were employed before finding the offending piece of software.
This is the most likely cause of your account compromise. I would strongly suggest you try a couple other, well known tools. MalwareBytes Anti-Malware is usually the first tool I use (on Windows) if my Anti-Virus did not find a problem.
I do not know for fact, but it is in the realm of possibility that even if your computer was clean the miscreants that compromised your account either directly attacked your password (scripted auto-logons with a dictionary) or poisoned your DNS server.
In a DNS poisoning attack, a miscreant manages to convince the DNS server that you use to accept non-authoritative data about the actual address of a host. Let's say that www.blizzard.com lives at the IP 12.129.242.31. But let's say that your ISP uses a DNS server running bind 9.1.0 which is vulnerable to cache poisoning. The miscreant can inject some other IP into your DNS server's cache so that when you look up www.blizzard.com you instead go to some IP that they control. You log in, they capture your UID and PWD. I find this an unlikely scenario due to the work involved. It relies on what is essentially an active attack against a DNS server rather than a passive "toss out a bunch of keyloggers and wait for UIDs and PWDs to be sent to us".
My bank requires Multi-Factor authentication. Not to the level of an authenticator, but I wish it was. Instead the process is: Enter my account number and a CAPTCHA. Answer one of 15 random questions that I had to set up to even use my account online. Confirm that a generated image of a word matches the one I selected (to ensure I am on my bank's site rather than someplace else - see DNS poisoning). Enter my password. Takes about 3 times longer than entering my WoW authenticator code and is less secure.
The customer service forum is a collection of anecdotes. While I feel bad for everyone whose account has been compromised, there is no actual evidence in the forum postings that none of those users have keyloggers or other malware that they simply have been unable to detect because it's not known to the tool that they are using.
The long queues for account restoration are most likely a result of either:
a) more people coming back to the game over the holidays - the rate of account compromises remains the same but the number increases
b) better social engineering leading users to be phished - the rate of compromises increases
Either of those two combined with the fact that more people take time off in December (including I am sure Blizzard employees) can result in longer restoration queues.
I find it unlikely that the battle.net transition has resulted in more users being compromised, as the only observable difference is that you can bind multiple accounts to the same login. If your login is compromised, the miscreants can now clean out 2 or 3 accounts if you have them rather than one. The ability to try logon attempts to brute force a password existed before the battle.net transition.
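Both Pyromelter's complaint about repeated attempts with no lockout and Joel's remark that scripted logon attempts predate the Battle.net transition come down to the same control on the service side: counting failures per account and refusing further attempts for a while. As an added illustration that is not from the article or from any commenter (and not Blizzard's actual policy), here is a sliding-window lockout with a per-source failure tally a defender can alert on; the thresholds, account names, IPs and attempt log are all constructed.

```python
from collections import Counter, defaultdict, deque

MAX_FAILURES = 5   # failed attempts tolerated per account inside WINDOW
WINDOW = 300       # seconds over which failures are counted
LOCKOUT = 900      # seconds an account stays locked once the limit is hit


class LoginGuard:
    """Per-account sliding-window failure counter with temporary lockout, plus a
    per-source failure tally for detection (constructed policy, not a real service's)."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW, lockout=LOCKOUT):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)   # account -> recent failure timestamps
        self.locked_until = {}               # account -> unix time the lock expires
        self.source_failures = Counter()     # source ip -> total failures seen

    def attempt(self, account: str, source: str, now: int, password_ok: bool) -> str:
        """Returns 'ok', 'bad_password' or 'locked'. While the lock holds even the
        correct password is refused, which is what makes a guessing loop futile."""
        if self.locked_until.get(account, 0) > now:
            return "locked"
        if password_ok:
            self.failures[account].clear()
            return "ok"
        self.source_failures[source] += 1
        recent = self.failures[account]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                 # drop failures older than the window
        if len(recent) >= self.max_failures:
            self.locked_until[account] = now + self.lockout
            recent.clear()
        return "bad_password"

    def noisy_sources(self, threshold: int) -> list:
        """Sources with at least `threshold` failures: the signal for a scripted run
        spread thinly across many accounts, which per-account lockout alone never trips."""
        return sorted(ip for ip, n in self.source_failures.items() if n >= threshold)


# Constructed attempt log: (time, account, source ip, password correct?).
# One source hammers "alice" with scripted guesses; the 8th happens to be right,
# but by then the account is locked and the correct guess is refused too.
SCRIPTED_RUN = [(t, "alice", "203.0.113.9", t == 7) for t in range(10)]


def replay_log(guard: LoginGuard, log) -> list:
    """Feed an attempt log through the guard and return the per-attempt outcomes."""
    return [guard.attempt(acct, src, t, ok) for t, acct, src, ok in log]
```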