In defense of care packages and mandatory authenticators

First, how many of you have had your accounts stolen, or know someone that had theirs stolen? Chances are good every single person that reads this post will raise their hand to that question. The problem is not a small one. I'm in a rather large guild, and every few weeks someone has their account stolen and the little bits of our guild bank they have access to go with them. My large guild is also just one guild in a larger guild alliance which suffers the same problems. Every two weeks or so, someone I see online on a regular basis gets their account stolen.
This is only a small set of guilds on one server, and the problem is not unique to us. It's a problem you will find anywhere you go in WoW, so you can guarantee that every single day, hundreds of accounts are stolen. Each of these stolen accounts needs to be investigated, retrieved, and if everything turns out right, restored. Much like anything else in the world, this takes time. When you rush these things, you end up with the Martin Fury situation. As hilarious and intriguing as that was, it's not healthy for the game.
Plus, if that person you just restored is especially lacking in computer know-how, there is no guarantee they won't get their account stolen again the very next day after their restoration. Score one for the bad guys. Two stolen accounts for the price of one.
The Care Package
In many cases, after the care package policy was first implemented, Game Masters were offering players the care package and only informing them of the ability to do a full restore after they turned the original offer down. Since we've reported on this situation, the policy has been reiterated and it's been made clear that the intent is to offer both simultaneously, and let the player make their choice. With that clarified and reinforced, the policy is surprising, but not a wretched sleazy thing.
Remember that not all WoW players are people decked out in phat epic loot. WoW has a significant number of players still running around in greens, or even just leveling up for the very first time. Do these people really need full gear restores for their character(s)? This care package, for those players, could potentially be above and beyond what they had to begin with. For a player leveling for the first time, 2500g could easily purchase them a new set of gear on the auction house, pay their various mount/flight costs pre-epic flying, and then some. Not a bad deal for a couple days' worth of inconvenience, is it?
A full restoration for those characters with very little of value likely takes just as long as restoring an Icecrown Citadel geared raid tank that was nearing the gold cap. If those players in greens will accept the care package, that's a smaller number of characters in the restoration queue. With fewer players in the restoration queue, your raid's main tank will be restored faster and you can get back to grinding your face against Professor Putricide.
This care package policy is, overall, a good thing for the game. The problem only came in when it was being pitched incorrectly, making players believe they had to settle for a few badges and some gold instead of getting back the character that they (or their raid/guild) worked so hard on. How your message is communicated is everything.
Mandatory Authenticators
I admit, I am baffled at how divided the community is over this issue. Authenticators are wonderful things, and if Blizzard can get one into the hands of every single player of the game, a lot of the most frequently mentioned problems with WoW's customer service would be repaired. I would be most pleased if every copy of Cataclysm shipped with an authenticator.
It is difficult (if not totally impossible) for Blizzard to completely protect a player from being hacked, phished or scammed. There is very little that they can do with the client itself to protect someone from their own mistakes, and that is the root of almost all hacked accounts. Blizzard keeps things secure on their end, and the players need to do the same on theirs. Most do not. In fact, I cannot even count the number of times I've heard someone say, "I don't need an authenticator, I think I know how to keep my computer secure" and then they get hacked not even weeks after. There are a lot of ways to get nailed with a keylogger, and they can be as simple as missing out on a Flash update by a matter of hours.
Accounts are rarely, if ever, hacked via brute force. Any limit Blizzard places on login attempts or any password blacklists they introduce would make people feel more safe, but it wouldn't actually make them safe. The authenticator, being a third party item that does not actually communicate with your computer, is the best possible way to keep your account secure. There's no threat of getting a keylogger in Vasco's authenticator.
I know that many people are concerned about losing their authenticator, and here is my tip to you: If you only use your authenticator in your own home, find a small strip of double sided tape and stick it to the outside edge of your monitor. It will be there forever. If you do use it in multiple places, use a strip of velcro instead of tape. You can put it there when you're at home, and when you're taking it to a friend's house or wherever you might be going, put it on your keychain or a necklace.
As soon as Blizzard can stop worrying about hacked accounts, they can focus on the myriad of other issues players face every day.
Final Thoughts
It's no secret that Blizzard's support department is worked to the bone, and the solution to that problem is not to hire dozens of people and throw more manpower at it. No matter how many game masters they hire to fix players' hacked accounts, those people cannot stop the accounts from being hacked. The game experience won't improve, players will just be inconvenienced for a slightly smaller amount of time. When one problem is dominating your entire staff, you don't simply hire more staff. You find a way to solve the problem.
The care package offer is a band-aid on a gushing wound when what you actually need is stitches. Yes, the band-aid will help a little, but it's not going to make the problem go away. You're still bleeding out. The path to healing is through shaking things up, and getting those authenticators in player hands. If incentives like the Corehound Pup aren't working, a more drastic decision needs to be made. I sincerely hope that the day I open my Cataclysm box, there is an authenticator inside waiting for me. I don't need it personally, being one of the earliest adopters, but it will be good to know Blizzard's support department will be on the road to healing and players won't need to worry about their guild bank disappearing like clockwork.
Reader Comments (Page 1 of 17)
Firinfae Jan 11th 2010 11:04AM
Granted I don't know how Blizz handles the entire process, but through some chain of what was sold, who money was sent to, and then where it was sent to after that, shouldn't they be able to pinpoint the "hackers" major accounts?
Hoggersbud Jan 11th 2010 11:14AM
They have no major accounts, they churn through ours.
Ulurjah Jan 11th 2010 12:50PM
That's the whole point. They've made such a great living out of stealing new accounts, they do all their business on stolen accounts. It wouldn't surprise me if they have some accounts they've got access to that they don't mess with, just so they can do their gold deliveries or whatever.
An authenticator on every account will put a screeching halt to account theft. It would still be slightly possible to hijack an account, since the authenticator token is good for one hour. If you could get somebody to go to a site and enter their login/pass, and then take them to a 2nd screen for their authenticator code ... and if the thief was watching the moment they hit enter, it's possible they could get to the account site and remove the authenticator within the time that token was active.
But that even has an easy fix. Once a token is used for a successful login, it's no longer any good. For my wife and I, who share an authenticator, we wouldn't be able to use the same key like we usually do. It would inconvenience us by 60 seconds every login. That's a small price to pay for a world where nobody gets their account hacked.
And finally ... for those whose lame excuse for not wanting an authenticator is the possible hassle if they lose it ... come on, that's a terribad argument. It's a far greater inconvenience on you (and people who depend on you) if your account gets hacked, than the 30 minutes it would cost you on the phone to get your authenticator removed.
Even if losing your authenticator means two or three days without WoW while Blizzard sends you a new one ... that's less inconvenience than an empty guild bank (if you're an officer, for example) and weeks waiting on a restoration.
Bring on the required authenticators. The sooner we put the scammers out of business, the better for all of us. Imagine what will happen to the auction house once the gold sellers are killed off and they stop jacking with the economies? The benefits are endless.
Ulurjah Jan 11th 2010 12:52PM
The token is good for one minute ... not hour. My bad ;p
Eternauta Jan 11th 2010 12:57PM
I will agree with mandatory authenticators, when they're free. The cost of buying an authenticator in Argentina (and I'm sure other parts of Latin America too) is way more than $7 dollars (counting shipping, FedEx and all that crap).
Rapskallion Jan 11th 2010 1:30PM
Speaking on the length of time the token is "good"... I'm not sure it's even one minute. This may be different depending on if you have the physical keychain or the iPhone app.
I have the iPhone app for the authenticator. It produces a new code every ten seconds. If I enter the code currently visible, wait for a new one to generate, then hit enter on the old code, I'm denied access. So that code is seemingly good for about ten seconds, not one minute.
Is it different on the physical Authenticators?
Ulurjah Jan 11th 2010 1:52PM
Physical authenticator seems to be about 60 seconds. At least, the version I have (Blue Blizzard logo on the face)
wow Jan 11th 2010 1:55PM
@ulurjah - what you described is the one weakness token-based two-factor authentication has: the man-in-the-middle attack. It's theoretically possible, but for all practical purposes can't be executed on any sort of scale to make it worthwhile for the hackers.
I.e., trojans/keyloggers/phishing net them thousands of accounts a day. Attempting to MITM an authenticator would get them about 3 accounts per day, and require MUCH more effort on their part. It's just not worth it to them.
Which is why token-based two-factor authentication is generally seen as one of the most secure methods in use today.
Andy Jan 11th 2010 2:14PM
If you don't want an authenticator you should not be forced to have one. If you get hacked you should have a choice of the care package or paying a fee to have your account fully restored. Guild Bank Restorations should remain free.
Robert Jan 11th 2010 2:48PM
In order to remove the authenticator from an account, you have to enter two codes from the authenticator. At least that's what it had me do when I removed my iPod Authenticator in order to update it last time an update was available. This would make it impossible for a hacker to be able to remove the authenticator from the account unless they got the user to enter multiple codes, and even then they would probably still run out of time (the codes expiring) before they could get the authenticator removed. Anyone know if it's different for the removal of the physical authenticators?
jason.reagan Jan 11th 2010 2:51PM
The code is good for 15 seconds. Not one minute or 1 hour, and all it takes to kick the hacker off your account is for you to log back into it.
You cannot log into an account, sell off all the gear, go through the player's bank, sell off those items, and meet up with another compromised account within the time it takes the real owner of the account to log back into the account. Remember only one person can be logged into the account at a time. If I log in, and get disconnected, I log back in, that will then disconnect the "man in the middle". Unlike in banking logins, the login is a controlled environment. You're not at a compromised site that will give you false info to keep you from trying to log back in to kick the "man in the middle" out. For this to work with WoW, the hackers would need to corrupt the wow.exe or replace it with a fake version that would give you fake error msgs when you try to log in, keeping you from ever actually connecting to Blizzard servers.
Rapskallion Jan 11th 2010 2:55PM
I disagree with some of what you said, Andy. While I do agree that Blizz should not force a customer to use an Authenticator, they should not be liable for any loss on your part by having an unsecure system/login.
If Blizzard shipped an Authenticator with every Cataclysm retail box (or mailed one to you if purchased for digital download) and a customer chooses to not use it, it's not Blizz's responsibility to restore anything if you get compromised.
If a user takes the risk of not running an authenticator, they have to deal with the loss. If a guild chooses to take the risk of having members with unsecured accounts, they will have to deal with the loss. Your computer's security is not Blizz's responsibility and, in my humble opinion, they have gone above and beyond to help users that are compromised by the user's own actions.
nclay Jan 11th 2010 3:37PM
Ulurjah, second paragraph in your post. If I'm not mistaken, in order to remove an authenticator from an account it is tied to, the person trying to remove it has to enter the long serial code on the back of the authenticator, no?
If I'm correct, the phisher could log in based on your scenario but they couldn't unauthenticate the account they were logged in to. The damage they could do would merely be limited to that one log in session which would only last until the owner noticed he had been logged out and attempted to log back in.
Joel Jan 11th 2010 3:46PM
@nclay
To remove an authenticator from your account you have to enter two, sequential authenticator codes, not the authenticator serial number.
The only way to remove an authenticator from an account without physical access to the working authenticator would be through account recovery.
Blizzard does recommend that you remove the Mobile Authenticator from your account before upgrading it or replacing your mobile phone, because the seed key (serial number) may change when the software app is installed (it WILL change in the case of a new phone).
Aykwa Jan 11th 2010 4:20PM
I would like to see the option of IP address or MAC address restricting. I do all my playing from the same machine, on the same static IP address. Why not just build in a little software tool to the client that can check MAC address (or use other computer hardware identifiers) and give people the option of turning on and specifying one of those or even both of those instead of an authenticator. If a guy can't log into the account without doing so on YOUR laptop, for example, the chances of getting hacked go down to almost 0. You could add several computers and/or IP addresses to the list if you play at several.
It is very similar to some of the security features on routers, and is something that can be self-administered.
Quentin Jan 11th 2010 5:34PM
Aykwa - the problem with that is that not everyone has a static IP address. Most cable internet services use a dynamic IP system which resets the IP of your house/residence internet every 4-6 hours. Your IP will remain the same on your local network, but your IP according to Blizzard and according to the cable company will not always remain the same. This system keeps them from having slowdowns... kinda like a soft reset to your internet (ever notice big lag spikes? that's them resetting your DNS).
If they had a way to verify other things, like the serial code of your Windows OS, the serial code of your motherboard or even some other random piece of hardware, you could do this. But you would need to, first, have the permission of the user (easy - update the ToS) and second, get the rights to use that information for security purposes. Some companies don't want other companies using their serial numbers for their own purposes. This can and would be a bigger hassle than just giving everyone an Authenticator (it's free already if you have the world's most popular smartphone or mp3 player).
P.S. The Authenticator is the same concept most large businesses use for their own employees for logging into their servers. If they trust it for secure files that actually mean something... I can trust it for a game.
Butts Jan 11th 2010 5:58PM
@Aykwa Interesting idea, but there is something called IP spoofing. Basically it corrupts your outgoing packets to fake an IP while keeping the "Return IP address" intact. If the password was obtained through keylogging/phishing, they'd obviously have logs of the IP address that was used.
If anything, it would slow down gold sellers for a couple of weeks until they set up their IP spoofing system and things would just resume as usual.
DarkWalker Jan 12th 2010 9:35AM
A few things about authenticators, and more specifically the mobile authenticator:
- It generates one code each 30 seconds, and each code seems to be valid for about 45 seconds.
- You can effectively clone the mobile authenticator if your phone allows you to mess with the java storage (like my cheap Chinese phone). I do find this useful, since I was able to backup my authenticator :)
- The mobile authenticator can be downloaded to/used on unsupported phones, or even used on the computer (using a J2ME stack, such as KEmulator, MicroEmulator, or even the official J2ME from Sun). Instructions for getting the .jar archive you bought, and making it work with Android or Windows Mobile, can be found at http://deathcoil.net/authguide.html .
- There are attack vectors for cracking an authenticator-protected account; don't go lax on your security just because you have an authenticator.
- While it's true you can potentially kick whoever logged into your account by logging yourself, keep in mind that the cracker might put something into his keylogger to make you unable to log; he could corrupt your game data files, add the game to your firewall, or even mess with your boot sector. If he could make you believe that you mistyped one code when the code is about to change (and he knows when the code will change, since all authenticators need to be in sync) he could even remove the authenticator from your account.
Hoggersbud Jan 11th 2010 9:10PM
MAC addresses are so easily fakeable, and even duplicable that they're not worth using as any part of a real security plan.
tutti Jan 12th 2010 2:06AM
"But that even has an easy fix. Once a token is used for a successful login, it's no longer any good. For my wife and I, who share an authenticator, we wouldn't be able to use the same key like we usually do. It would inconvenience us by 60 seconds every login. That's a small price to pay for a world where nobody gets their account hacked."
This is how it works already, though most likely on a per-account basis if you and your wife can use the same code - so each code works only once per account.
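Added example, not part of the original post or of any reader comment: a sketch of the server-side checks the thread describes, namely a short validity window, each code burned per account after one use, and two consecutive codes required to detach the authenticator. It assumes standard RFC 6238 TOTP as a stand-in (the page does not say which algorithm Blizzard's token uses); `Verifier`, `STEP`, `DRIFT`, the account names and the seed are hypothetical.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per code (assumed; commenters report 10 to 60 s)
DRIFT = 1    # also accept the neighbouring steps, for clock skew (assumed)

def totp(secret: bytes, step: int, digits: int = 8) -> str:
    """RFC 6238 code for one time step (HMAC-SHA1 with dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    val = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(val % 10 ** digits).zfill(digits)

class Verifier:
    """Hypothetical server side: a shared secret and replay marker per account."""
    def __init__(self, secrets: dict):
        self.secrets = dict(secrets)                  # account -> token secret
        self.last_used = {a: -1 for a in secrets}     # account -> newest burned step

    def _consume(self, account: str, code: str, now: float):
        """Burn and return the step matching `code`; None if stale or replayed."""
        secret = self.secrets.get(account)
        if secret is None:
            return None
        current = int(now) // STEP
        for step in range(current - DRIFT, current + DRIFT + 1):
            fresh = step > self.last_used[account]
            if fresh and hmac.compare_digest(totp(secret, step), code):
                self.last_used[account] = step   # this code and older ones are dead
                return step
        return None

    def login(self, account: str, code: str, now: float) -> bool:
        return self._consume(account, code, now) is not None

    def remove_authenticator(self, account, code1, code2, now) -> bool:
        """Detaching the token needs two codes from consecutive time steps."""
        first = self._consume(account, code1, now)
        second = self._consume(account, code2, now)
        if first is None or second != first + 1:
            return False
        del self.secrets[account], self.last_used[account]
        return True

def demo() -> dict:
    secret, now = b"constructed-demo-seed", 1_263_200_000   # constructed values
    step = now // STEP
    v = Verifier({a: secret for a in ("husband", "wife", "alt")})  # one shared token
    code, nxt, after = (totp(secret, step + i) for i in range(3))
    return {
        "owner_login": v.login("husband", code, now),
        "replay_same_account": v.login("husband", code, now + 5),
        "same_code_other_account": v.login("wife", code, now + 5),
        "stale_code": v.login("wife", totp(secret, step - 3), now + 5),
        "remove_with_one_code_twice": v.remove_authenticator("alt", code, code, now),
        "remove_with_two_codes": v.remove_authenticator("alt", nxt, after, now + 30),
    }
```

A code captured by a phishing page is rejected on the same account once the owner's login has consumed it, and a single captured code is never enough to detach the token.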