How flaws in Blizzard's billing department are being exploited

Please see the update to this original post.
In our continuing series on account security issues present within Blizzard's offices, we bring you news that lax training in Blizzard's billing department is being exploited by those attempting to game the system and illegitimately acquire more gold and high value in-game items.
The critical flaw in Blizzard's system is that billing support personnel are currently given the ability to "roll back" characters to previous versions more or less on the spot, with the customer on the phone. This places a high degree of flexibility, and of personal accountability, on the billing representative. That flexibility is vitally important to customer service; however, the training that comes with it is, according to multiple sources, inadequate, and the gap is being exploited by a growing number of individuals.
The exploit relies on human interaction (social engineering), the notoriously weak point of any security system. It is often referred to internally as "onioning," and involves the player repeatedly claiming to Blizzard billing support representatives that the account has been compromised. There are obviously more details to doing this, but we don't want to provide a how-to. Blizzard is aware of how this is done, and is currently not implementing checks to combat it.
More alarming is the fact that this vulnerability exists, to a large extent, only in Blizzard's billing department. The training to combat this exploit is available, and is indeed given to account administrators and game masters; yet Blizzard for some reason sees fit not to train the customer contacts in its billing department, while allowing them much of the same powers (in this case) that an account administrator has. Some of these concerns may be alleviated when the department rolls out its all-in-one customer service tool to replace the wide variety of separate tools currently in use.
This becomes a larger issue when looked at from the perspective of the time and effort spent correcting such exploitative action. Blizzard has a limited number of support personnel, and the time it takes to undo the actions of exploitative players detracts from the time Blizzard has to shorten long restoration queues and help customers elsewhere. The prevalence of these exploits directly affects the well-being of the game, and leads to things like requiring mandatory authenticators.
Finally, we want to make it clear that we are publishing this article not to encourage exploitation, but to report policies and practices which allow these exploits to happen.
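The control the article describes as missing, a gate that escalates repeated compromise claims on one account to trained staff instead of letting a front-line rep grant the rollback on the spot, as an added illustration that is not Blizzard's code or the original post's. The role names, the threshold, the 90-day window and the ticket log are all assumptions constructed for the example.

```python
"""Gate for character-restoration ("rollback") requests handled by support.
Added illustration, not Blizzard code: repeated compromise claims on one
account are escalated to trained roles rather than granted by billing staff.
Role names, thresholds and the ticket records below are assumptions."""
from datetime import datetime, timedelta

# Roles the article says receive the anti-"onioning" training (assumed names).
TRAINED_ROLES = {"account_admin", "game_master"}
MAX_UNESCALATED_CLAIMS = 2        # compromise rollbacks a billing rep may grant per window
CLAIM_WINDOW = timedelta(days=90)

# Constructed ticket log: (account, ISO time, reason, role of the handling rep).
TICKETS = [
    ("acct-001", "2010-01-04T10:12:00", "compromise", "billing"),
    ("acct-001", "2010-01-11T15:40:00", "compromise", "billing"),
    ("acct-002", "2010-01-12T09:05:00", "compromise", "billing"),
    ("acct-001", "2010-01-18T11:30:00", "compromise", "billing"),        # third claim
    ("acct-001", "2010-01-20T16:00:00", "compromise", "account_admin"),  # trained role
    ("acct-002", "2010-01-25T12:00:00", "deleted_item", "billing"),      # not a compromise claim
    ("acct-001", "2010-06-01T08:00:00", "compromise", "billing"),        # window has expired
]


def decide(history, ticket):
    """Decide one ticket given the tickets handled before it: "grant" or "escalate"."""
    account, when, reason, role = ticket
    if reason != "compromise" or role in TRAINED_ROLES:
        return "grant"  # not the onioning pattern, or a rep trained to handle it
    now = datetime.fromisoformat(when)
    prior = sum(1 for a, t, r, _ in history
                if a == account and r == "compromise"
                and now - CLAIM_WINDOW <= datetime.fromisoformat(t) < now)
    return "escalate" if prior >= MAX_UNESCALATED_CLAIMS else "grant"


def review(tickets):
    """Replay a ticket log in time order; returns {(account, time): decision}."""
    decisions, seen = {}, []
    for ticket in sorted(tickets, key=lambda t: t[1]):
        decisions[(ticket[0], ticket[1])] = decide(seen, ticket)
        seen.append(ticket)
    return decisions


if __name__ == "__main__":
    for (acct, when), verdict in review(TICKETS).items():
        print(f"{when} {acct}: {verdict}")
```

Only the third billing-handled claim on acct-001 inside the window is escalated; the same account's claim five months later starts a fresh window, which is the trade-off any windowed threshold makes.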
Filed under: Blizzard, News items, Account Security
Reader Comments (Page 1 of 5)
Chad Jan 8th 2010 3:05PM
Wow, you guys are really taking the anti-fanboi stance today. Who pissed in your grape-nuts?
(cutaia) Jan 8th 2010 3:16PM
Haha...when wow.com defends an action by Blizzard someone always has something to say about that, too.
You can't please all the people, all the time...but you can sure as hell always piss off at least one of 'em. :)
Chad Jan 8th 2010 3:23PM
You are correct, sir. Just seems like today they really have it out for Blizzard. I'm not a die-hard fanboi, so I don't really have an issue with it. Just WoW.com *usually* defends every one of Blizzard's decisions, right or wrong.
(cutaia) Jan 8th 2010 3:29PM
The only issue I see with that theory is that every time wow.com defends a Blizzard action, people come along to accuse them of being too chummy or butt-kissy with Ghostcrawler and friends. In those instances wow.com never fails to say, "Look...we're obviously not biased. We report on negative things, too."
Why then is it taken as Adam Holisky just having a bad day when they DO post about a Blizzard problem?
It is funny that several posts like this went up all at once, but I assume it has more to do with receiving a lot of on-record information from their sources today. The blog format just lends itself more to splitting the whole interview up into smaller topics like this.
Eamara Jan 8th 2010 3:33PM
They'll defend Blizzard's actions most of the time because most of the time, Blizzard take the right course of action. Nobody is infallible however, not even such a hugely successful games company. Sometimes they make mistakes, and it's the job of WoW.com and other such websites to report on them.
I am a little worried about these recent developments, but I'm still 100% certain Blizzard will sort them out promptly. Just a matter of time.
Adam Holisky Jan 8th 2010 3:37PM
There's really nothing special about today. Today was just the day we decided to publish this material. It all fits together nicely, and makes a good series of posts. We could have published it on Smarch 30th (damn that Smarch weather, for reals).
As far as everyone liking me... well, whatever I post is going to get 50% negative reaction and 50% positive reaction. Two years of writing here and I've learned that's one of the few truths.
Eudeyrn Jan 8th 2010 3:41PM
"Two years of writing hear..."
Come on, Adam - that one's just too easy.
Adam Holisky Jan 8th 2010 3:45PM
/facepalm @ myself. It's been a long day...
Zanathos Jan 8th 2010 3:53PM
Almost as if they agree with most of Blizzard's actions but not these ones about account security. What a strange concept.
Zachery Egan Jan 8th 2010 4:25PM
Based on the number of articles that seem to be jumping to hostile conclusions about minor issues, I'm making my own wild assumptions about wow.com.
One - They recently hired a former Blizzard employee who is giving them all the spicy gossip about Blizzard HQ. Because former employees who have a gripe about their former employer are always very reliable and unbiased.
Two - This employee also informed them that not only has Cata been in closed Alpha, but that it is actually currently in a VERY secretive closed Beta at this point, and that Blizzard INTENTIONALLY did not invite people from the blogging community because of their track record of releasing spoiler info about patches and information from data-mining that they know Blizzard wanted to keep as secret as possible.
LASTLY - They really do think that Ghostcrawler promised them a pony, and don't realize that it is just a joke that wasn't very funny in the first place and has lost ALL of the relatively minor humour it had by them running it into the ground.
talkingmike Jan 8th 2010 4:29PM
So it looks like YOU have an edit button; when do we get ours!??
SithLlenniuq Jan 8th 2010 5:40PM
@Adam Holisky
Marge: [voice over] It all started on the thirteenth hour, of the
thirteenth day, of the thirteenth month. We were there to
discuss the misprinted calendars the school had purchased.
Homer: [shivering, looking at the calendar] Oh, lousy Smarch weather.
[spies the thermostat with a note from Willy over it]
[reads] "Do not touch Willy." Good advice! [cranks it]
-- Punctuation and you, for Homer Simpson, "Treehouse of Horror VI"
Stephen Jan 8th 2010 5:42PM
Ghostcrawler nerfs rogues. -> Wow.com slams Blizzard.
Obviously all the Wow.com writers play rogues.
Kevin Jan 8th 2010 9:35PM
+5 for The Simpsons quote, Adam!
Mike Jan 8th 2010 3:08PM
Quote: Finally, we want to make it clear that we are publishing this article not to encourage exploitation, but to report policies and practices which allow these exploits to happen.
Sadly, it may have the opposite effect. And may increase the use of this exploit.
tatsumasa Jan 8th 2010 3:16PM
And by making it more widely known, Blizzard would be a lot quicker to remedy the situation. How long had hunters been getting the worgen pet from HF before wow.com posted an article about it? How long after they posted the article did it take for the hotfix to be implemented? Case in point.
Mike Jan 8th 2010 3:25PM
That was a hotfix. You're talking about retraining all their billing reps not to just give out rollbacks. That will take time.
Kylenne Jan 8th 2010 3:48PM
You must not work in the corporate world if you think Blizzard management doesn't know this article exists and is not, as we speak, scrambling to have meetings on the subject. There will be a memo by the end of the day, mark my words. Especially considering how large a site wow.com is, and given that this is the third article in 24 hours about account security policy at Blizzard.
I used to work for an extremely large and well-known bank's credit card division, and any time there was so much as a minor news article about the bank's practices, there were meetings and memos. Even when I worked for a much smaller company (a for-profit technical school), there was a minor incident involving some disgruntled students falsely accusing the school of various nefarious acts on a feedback site (similar to Yelp!), and we were issued memos from management as to how to address the situation on the off chance a concerned parent found out and brought it up. This is just standard CYA.
Also, a lot of fair-sized companies even employ people whose job it is to scour the internet for things like this. When you have people at Blizzard like Ghostcrawler whose job it is to communicate directly with the community, you can't tell me *someone* at the company isn't monitoring things like this as part of their job description. How quickly this info will trickle down to the front-line people on the phones is another story, but don't doubt for a second that it won't.
Glaras Jan 8th 2010 3:52PM
It doesn't take much time to say "Effective immediately, no character rollbacks are to be done by billing personnel."
And for good measure, remove the system permission from their accounts, to guarantee compliance. Then start phasing in a decent training program (it doesn't need to be extensive to be thorough) to teach personnel the correct and safe procedure, before you slowly start to re-grant the permissions.
Happens alla time in corporate America. Of course, it doesn't happen enough, as we can see here.
Andrew R. Jan 8th 2010 3:08PM
I don't think it's so much that as it is they have all the information to back up what they have to say. Why go into a gun fight without a loaded gun?