In defense of care packages and mandatory authenticators

First, how many of you have had your accounts stolen, or know someone that had theirs stolen? Chances are good every single person that reads this post will raise their hand to that question. The problem is not a small one. I'm in a rather large guild, and every few weeks someone has their account stolen and the little bits of our guild bank they have access to go with them. My large guild is also just one guild in a larger guild alliance which suffers the same problems. Every two weeks or so, someone I see online on a regular basis gets their account stolen.
This is only a small set of guilds on one server, and the problem is not unique to us. It's a problem you will find anywhere you go in WoW, so you can guarantee that every single day, hundreds of accounts are stolen. Each of these stolen accounts needs to be investigated, retrieved, and if everything turns out right, restored. Much like anything else in the world, this takes time. When you rush these things, you end up with the Martin Fury situation. As hilarious and intriguing as that was, it's not healthy for the game.
Plus, if that person you just restored is especially lacking in computer know-how, there is no guarantee they won't get their account stolen again the very next day after their restoration. Score one for the bad guys. Two stolen accounts for the price of one.
The Care Package
In many cases, after the care package policy was first implemented, Game Masters were offering players the care package and only informing them of the ability to do a full restore after they turned the original offer down. Since we've reported on this situation, the policy has been reiterated and it's been made clear that the intent is to offer both simultaneously, and let the player make their choice. With that clarified and reinforced, the policy is surprising, but not a wretched sleazy thing.
Remember that not all WoW players are people decked out in phat epic loot. WoW has a significant number of players still running around in greens, or even just leveling up for the very first time. Do these people really need full gear restores for their character(s)? This care package, for those players, could potentially be above and beyond what they had to begin with. For a player leveling for the first time, 2500g could easily purchase them a new set of gear on the auction house, pay their various mount/flight costs pre-epic flying, and then some. Not a bad deal for a couple days' worth of inconvenience, is it?
A full restoration for those characters with very little of value likely takes just as long as restoring an Icecrown Citadel geared raid tank that was nearing the gold cap. If those players in greens will accept the care package, that's a smaller number of characters in the restoration queue. With fewer players in the restoration queue, your raid's main tank will be restored faster and you can get back to grinding your face against Professor Putricide.
This care package policy is, overall, a good thing for the game. The problem only came in when it was being pitched incorrectly, making players believe they had to settle for a few badges and some gold instead of getting back the character that they (or their raid/guild) worked so hard on. How your message is communicated is everything.
Mandatory Authenticators
I admit, I am baffled at how divided the community is over this issue. Authenticators are wonderful things, and if Blizzard can get one into the hands of every single player of the game, a lot of the most frequently mentioned problems with WoW's customer service would be repaired. I would be most pleased if every copy of Cataclysm shipped with an authenticator.
It is difficult (if not totally impossible) for Blizzard to completely protect a player from being hacked, phished or scammed. There is very little that they can do with the client itself to protect someone from their own mistakes, and that is the root of almost all hacked accounts. Blizzard keeps things secure on their end, and the players need to do the same on theirs. Most do not. In fact, I cannot even count the number of times I've heard someone say, "I don't need an authenticator, I think I know how to keep my computer secure" and then they get hacked not even weeks after. There are a lot of ways to get nailed with a keylogger, and they can be as simple as missing out on a Flash update by a matter of hours.
Accounts are rarely, if ever, hacked via brute force. Any limit Blizzard places on login attempts or any password blacklists they introduce would make people feel more safe, but it wouldn't actually make them safe. The authenticator, being a third party item that does not actually communicate with your computer, is the best possible way to keep your account secure. There's no threat of getting a keylogger in Vasco's authenticator.
I know that many people are concerned about losing their authenticator, and here is my tip to you: If you only use your authenticator in your own home, find a small strip of double sided tape and stick it to the outside edge of your monitor. It will be there forever. If you do use it in multiple places, use a strip of velcro instead of tape. You can put it there when you're at home, and when you're taking it to a friend's house or wherever you might be going, put it on your keychain or a necklace.
As soon as Blizzard can stop worrying about hacked accounts, they can focus on the myriad of other issues players face every day.
Final Thoughts
It's no secret that Blizzard's support department is worked to the bone, and the solution to that problem is not to hire dozens of people and throw more manpower at it. No matter how many game masters they hire to fix players' hacked accounts, those people cannot stop the accounts from being hacked. The game experience won't improve, players will just be inconvenienced for a slightly smaller amount of time. When one problem is dominating your entire staff, you don't simply hire more staff. You find a way to solve the problem.
The care package offer is a band-aid on a gushing wound when what you actually need is stitches. Yes, the band-aid will help a little, but it's not going to make the problem go away. You're still bleeding out. The path to healing is through shaking things up, and getting those authenticators in player hands. If incentives like the Corehound Pup aren't working, a more drastic decision needs to be made. I sincerely hope that the day I open my Cataclysm box, there is an authenticator inside waiting for me. I don't need it personally, being one of the earliest adopters, but it will be good to know Blizzard's support department will be on the road to healing and players won't need to worry about their guild bank disappearing like clockwork.
Filed under: Analysis / Opinion, Blizzard, Account Security





Reader Comments (Page 16 of 17)
Alms Jan 12th 2010 5:35AM
They're both under the age of 4. So simply saying "no don't touch this little pretty thing that has a button on it" doesn't work. And yes, I have lost a few sets of keys due to evil behaviour.
My point is, many people have restricted time to play, and when they do get time, I'm guessing they'd like to actually be able to do that, not have to wait for another authenticator in the mail. Living in Australia, that would be a bloody long wait too.
Plus, as I'm sure is the case with many other people, paying $40ish Aussie dollars, or buying a whole new phone for something I spend maybe 10 hours a week playing, it's just absurd.
With the care package changes, I'm sure a lot of more hardcore people will be buying authenticators, but making them compulsory too for the casuals is just greedy and potentially pushing them off to a different game.
Nina Jan 11th 2010 4:51PM
I love the idea of authenticators as they are relatively inexpensive on their own- however living in New Zealand shipping is 20$ US which turns this small purchase into something around 50 bucks for me or more ($NZ)
Hopefully Blizzard can maybe make an authenticator only shipping cost as I can't quite justify myself spending that much on this, or even including them in the Cataclysm boxes would be awesome.
Kiliani Jan 11th 2010 5:22PM
My late husband was an IT professional as well, and we were both diligent about keeping Windows system patches, Norton AntiVirus with a LiveUpdate subscription, Java/Flash updates, using Firefox with NoScript and AdBlock, not giving out our account info, smart enough to avoid phishing scams, etc.
I had my account compromised once, pre-BC when my main was a fairly new level 60 and still gearing up to apply to a raiding guild. Subsequent scans showed that there were no keyloggers or other viruses on my system, but I was pretty sure I knew how it happened, and sure enough, I've not been compromised since.
It was during the time when Ten Ton Hammer was making a big deal of the fact that Thottbot and Allakhazam were owned by gold sellers and trying to build a quest/npc/item database of their own. It seemed like a worthy cause so I downloaded their app, and ran it for a few days. I wasn't playing a lot back then, but one Saturday I'd quested and run dungeons most of the day, so there was quite a lot of information to upload to their db after I logged off for the day. Halfway through the upload, the program errored out and brought up an option to e-mail a text file with the collected data to TTH instead. Not wanting to lose the opportunity to get so much data to them, I accepted without really paying much attention.
The next day when I went to log in, my password had been changed, my high level characters were stripped of gear and gold, and all my characters had had their bags emptied. I immediately deleted the Ten Ton Hammer program, ran my virus/spyware scans that came up clean, changed my password, et al, and have had no problems since. I've also refused to download any further applications that collect game data and send them to database sites, although there are some sites I do trust (TTH is no longer one of them).
I'm one of those people who haven't bought an authenticator yet - although if Blizzard makes them mandatory, even if they don't give them out for free I wouldn't balk at using one. I've considered buying one even if they're not made mandatory, just because stuff occasionally DOES happen due to minor judgment lapses and bad luck, but haven't felt any sort of urgency.
I've had two friends have their accounts compromised on the same day when they went to download an addon that our class leader was requiring, and Curse.com had the name of it misspelled so they couldn't find it on a trusted site and got an infected version elsewhere. I've had another friend who was a guild master pick up a virus (although he wasn't sure where it came from, probably an infected banner ad), have his account stripped, the guild bank emptied, and the guild disbanded. He and all his officers promptly bought authenticators after that one.
OK, so you're smart and computer savvy and never give out your account info or do anything with any sort of risk, and you don't think you need one, and you don't want the hassle of having to take an extra few seconds to log in. Quit the game if they're made mandatory, nobody's really going to care.
I'd be fine with them being made mandatory, although there are concerns with the player base in other countries, and I do think it would be *most* fair to provide them for free to everyone who is going to be required to use it (i.e. packaged with Cataclysm and required only for Cataclysm users). I'd also be fine with them not being made mandatory, but a policy change of refusing restoration to those who don't have an authenticator.
What's not fine IMO is leaving things as they are, with GM ticket times for even simple issues dragging on for days on end because of the massive number of compromised accounts that have to be investigated and restored. The care package option is a fine idea. If there had been such an option when my account was compromised I'd have taken it, because I was not a raider at the time - by the time I received my restored gear and gold, I had actually gotten *better* or equivalent items than I had when I was "hacked" - so long as it's made clear that a full restoration is (for now) still an option, which it seems was previously not the case.
Eturyu Jan 11th 2010 6:05PM
My main issue is this: I live in Australia
To be blunt I can't bring myself to pay 30$ AUD (27.50 USD) to buy an authenticator, when in recent sales I could buy the Vanilla/TBC pack at the store for 32$ AUD ..... it's just not right when the authenticator costs the same as the 1st two expansions combined...
I would prefer to get hacked, and play Assassin's Creed 2 / Wii / Empire: Total War for a week while waiting for a restoration
When they
a) have them in actual stores
b) drop shipping costs for internationals
c) put one in the Cataclysm box
I will happily use one.
Primeval Jan 11th 2010 6:20PM
Very nice write-up and thank you for keeping us updated on the processes and procedures of the WoW staff.. I think the authenticators are a wonderful security tool that augments current security features already established.. It's just one additional 3 second step that will help protect your account for a long time.. But it's not the only thing that can help protect your account.. Everyone has to be smart on what they do in or out of game.. Even out of game there are sites completely unrelated to WoW or MMORPGs that will have unsavory programs running in the background.. Just watch where you visit and by all means do not purchase ingame gold or use advertised 'Power Leveling' gimmicks (but this should all be COMMON SENSE).. I was an 8 year veteran of EverQuest, who does or did not have any security feature like this (as of Dec 2007), and not once did my account get hacked.. Just be smart.. (and RAID NEKKED!)
Sathias Jan 11th 2010 6:22PM
Another good reason to get an authenticator... a friend of mine was telling me that several members of his guild have been hacked, and the HACKER has added an authenticator to their account.
Alex Jan 11th 2010 6:21PM
How does the code from the authenticator transmit to your account? If it has no connection to the computer at all, how does it get sent to your account?
Sathias Jan 11th 2010 6:26PM
The authenticator has a serial number, which is associated with the account. Then the authenticator has an encryption algorithm which makes up an 8 digit code based on this serial number and the current time. The WoW software has the same algorithm, so it can tell if the 8 digit code entered is the right code for that particular time, and serial number.
Well, that's how I believe it works anyway.
Joel Jan 11th 2010 6:38PM
@Sathias
Mostly correct.
The authenticator code is verified not by your WoW client/WoW server but by the Battle.net server.
And the length of your code is dependent on the type of authenticator you have. 6 digits for the physical authenticators and 8 digits for the phone application authenticators.
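The scheme Sathias and Joel describe above, sketched as an added example (not part of the original comments, and not Blizzard's or Vasco's actual algorithm): it assumes the standard RFC 6238 time-based one-time password construction with a 30-second step, and a hypothetical `Verifier` class standing in for the login server. It shows why the token never needs to talk to the computer, and why a code captured by a keylogger stops working once it has been used or its time window has passed.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # assumed time step (RFC 6238 default), not a confirmed vendor value


def totp(secret: bytes, unix_time: int, digits: int) -> str:
    """RFC 6238 code for the 30-second window that contains unix_time."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Verifier:
    """Hypothetical login server. It knows each token's secret, so it can
    compute the expected code on its own; nothing is sent by the token."""

    def __init__(self, drift_steps: int = 1):
        self.tokens = {}     # account -> (serial, secret, digits)
        self.last_step = {}  # account -> last time step already accepted
        self.drift_steps = drift_steps

    def enroll(self, account: str, serial: str, secret: bytes, digits: int):
        # The serial only identifies the token; the secret generates the codes.
        self.tokens[account] = (serial, secret, digits)

    def verify(self, account: str, code: str, now: int) -> bool:
        if account not in self.tokens:
            return False
        _serial, secret, digits = self.tokens[account]
        current = now // STEP_SECONDS
        first = max(0, current - self.drift_steps)  # tolerate small clock drift
        for step in range(first, current + self.drift_steps + 1):
            if step <= self.last_step.get(account, -1):
                continue  # this window was already used: reject replays
            expected = totp(secret, step * STEP_SECONDS, digits)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_step[account] = step
                return True
        return False


def demo() -> dict:
    """Constructed scenario using the published RFC 6238 test secret."""
    secret = b"12345678901234567890"
    code = totp(secret, 59, 8)  # what the token displays at t = 59 s

    server = Verifier()
    server.enroll("player", "SERIAL-0001", secret, 8)  # constructed serial
    fresh = server.verify("player", code, 59)     # legitimate login
    replayed = server.verify("player", code, 65)  # same code typed again

    late = Verifier()
    late.enroll("player", "SERIAL-0001", secret, 8)
    stale = late.verify("player", code, 200)      # captured code, used minutes later

    slow = Verifier()
    slow.enroll("player", "SERIAL-0001", secret, 8)
    drift = slow.verify("player", code, 61)       # token clock slightly behind

    return {"code": code, "fresh": fresh, "replayed": replayed,
            "stale": stale, "drift": drift}


if __name__ == "__main__":
    print(demo())
```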
refresh_daemon Jan 11th 2010 6:31PM
I have very safe practices in terms of avoiding viruses and malware, and in terms of keeping my information safe. I still got hacked and for the life of me, I have no idea how a keylogger got on my computer. But it did and some Chinese gold seller (which I know because of the qq.com address redirect they stuck on my email account and all the Chinese secret question text) got into my account. In one day, they deleted my alt (or transferred off my account) and transferred my main after stripping it. They also opened up two trial accounts under my Battle.net from which I'm guessing they did some gold spamming. Blizz caught the transfer of my main and gave me enough warning to get control of my account.
While it annoys me that my progress in WoW is now halted until I can get a restoration (if possible), it was even worse that the hacker got into my email account and could have done a whole lot worse to my various other internet accounts, including online banking and such by asking for password resets.
Fortunately, when it comes to criminal behavior, this gold seller was only interested in selling gold on WoW and stealing stuff in-game. The degree of identity theft possible could have made the situation a whole lot worse.
I bought an authenticator. Blizz has failed in their first attempt to restore my characters and they're giving it a second shot. Hopefully, they'll be able to do it, but if not, I'll gladly take a care package and level up from scratch again. Between the gold and the new LFG system, it shouldn't be too hard.
Quentin Jan 11th 2010 6:26PM
Here's how they do it:
Package it with Cata - raise the price of Cata to $50 to offset the cost of the Authenticator and give 1 free month of WoW (we haven't had 1 free month of gameplay since buying the original WoW). Really, this is $6 for the Authenticator and $4 for a month of gameplay. Oh, and you only get the one month of gameplay when you activate the Authenticator and you lose the gameplay when you take it off the account.
To make it easy for those who buy online, offer Cata for $40 with no Authenticator and no free gameplay. They can also offer free international shipping if you forgo the free gameplay.
Finally, give 1 additional month of free gameplay to anyone who already had an Authenticator before activating Cata. This would encourage people who don't have it to get it early and you can buy Cata online for the cheaper price if you so choose.
All-in-all, this could give you 2 months of gameplay, a new expansion and a second authenticator for anyone already owning one.
For those that really don't want an Authenticator, we can go 1 of 3 ways. Option 1, you quit WoW (in Blizzard's least interest, but the money they save by not having to fix your problems may be more than the money they make by keeping you). Option 2, you agree to a second, non-authenticator ToS which says you must accept the Care Package (no account restoration) if you get hacked. Option 3, you agree to a second, non-authenticator ToS and pay a higher monthly fee (maybe $1-2 more). If you really feel that strongly about it, maybe your wallet will back you up.
Sleutel Jan 11th 2010 6:46PM
"I know that many people are concerned about losing their authenticator, and here is my tip to you: If you only use your authenticator in your own home, find a small strip of double sided tape and stick it to the outside edge of your monitor. It will be there forever. If you do use it in multiple places, use a strip of velcro instead of tape. You can put it there when you're at home, and when you're taking it to a friend's house or wherever you might be going, put it on your keychain or a necklace."
That still doesn't solve the problem of a broken or lost Authenticator: people won't be getting hacked, but now they'll have to call in and verify their identity any time there's an Auth problem.
I reiterate yet again my suggestion and request: MAKE IT POSSIBLE TO TIE MORE THAN ONE AUTHENTICATOR TO A GIVEN ACCOUNT.
If that were possible, there would be very few remaining legitimate objections to requiring Authenticators.
Markluzz Jan 11th 2010 7:00PM
I've seen this happen to about three guild members which ruined our guildbank, one of my RL friends 3-4 times, and one of my best friends in WoW who I didn't know in real life twice, and after the second time he ended up quitting because he had 2 eighties the first time, couldn't get them back, and so got a new account, made a paladin, once it got to about 77 he was hacked again and he basically stopped. Also it was one of our officers in our guild who was hacked. I have an authenticator and actually got one as soon as I could, have never had my WoW account be hacked, even though my old computer got a major virus. I thank my authenticator for keeping me from getting it stolen. Also so you don't lose an authenticator, mine is tied to my keyboard with velcro, and if I want to move it while I'm going somewhere, I simply un-tie it and take it where I need to go.
dodgeballer2005 Jan 11th 2010 7:15PM
Again, as said before, if they become mandatory, they should be free, as a gift.
We lost a valued guild member around Christmas. He could tank, for sure, as well as DPS. Luckily he got his characters restored which was a relief, because we had our own "care package" of about 1,000 gold should Blizzard be stingy and not give his gold and gear back.
IvanP91 Jan 11th 2010 7:25PM
Sorry about the random-ish offtopic-ish question.
Does anyone know how much shipping is for 2 Authenticators (I'm in Canada, Ontario - Toronto if anyone cares :) )
I wanna get a dedicated one for myself and my brother. I have the mobile one but I reset the software often and have to re-setup & re-sync every time.
Thanks.
jfofla Jan 11th 2010 7:45PM
I hope all the stubborn people who refuse to get an Authenticator are reading, and I mean really reading these posts. There are some excellent ones here, and some tragic stories of savvy computer people who were very careful, and still got hacked.
To all of you who say, "I don't need it because I am careful", it seems to me the careful ones would be the first people to use an Authenticator.
Redundancy is the best security, and the Authenticator is another layer on top of all the good things you are doing.
langiszero Jan 12th 2010 2:10AM
Wrong on every level.
Redundancy is not the best security; knowledge is, something soooooooo many computer users lack. In my years and years of fixing people's computers, I have never, post-Blaster, found anyone infected with anything they could not have prevented or stopped beforehand. Never. And it isn't just me.
It's the people arguing against mandatory authenticators that have provided solid evidence backing the argument, and the people arguing for them that have resorted to insults, attacks, and bogus claims to further theirs. You talk of "really reading" but your side has done little of it, hoping that a dark gray background will make a point you're lacking.
Simerguesa Jan 11th 2010 9:13PM
I myself have NEVER had my account hacked or guild hacked at all and I DO NOT own an authenticator (Although obtaining one has been on my mind for a few weeks.) I haven't had to put much effort into my account security at all, and yet I hear about people getting hacked everyday. It's NOT HARD to keep your account secure as a standalone process. Of course, an authenticator will add an extra layer of security.
Blizzard should start charging for ANY restoration of data due to hacks. Maybe that will get people to stop being stupid with their account information. There's a reason that account security is such a big issue and why Blizzard themselves have a whole page DEDICATED to how you can keep your account safe.
If, in order to charge players to restore their characters/banks, Blizzard feels they need to make authenticators mandatory, they should do it.
Wulftracker Jan 11th 2010 11:47PM
Two thumbs up to mandatory authenticators. When I first started my account was stolen 2 weeks into the game thanks to a keylogger. Bought the authenticator. Never a problem since.
But if they become mandatory for more than a trial account Blizz should take the loss and upon your first renewal or addition of game card time automatically send you one for free if you don't already have one.
I'm not gonna qq if they do just because mine was paid for, because I consider my cost to be for the benefit of all as the whole experiment of going to the authenticators proved a long term solution for all.
I won't have to see guilds stripped bare by a gm whose account was hacked, and I won't have to see as many gold spammers either.
neminem Jan 12th 2010 1:38AM
I also have never had my account hacked, have never had anyone I've personally known have theirs hacked, and for that reason, would also only be in favor of mandatory authentication when it's free. Not even really then, as it would be an inconvenience and a hassle for no clear gain (other than, perhaps, the gain of less wait for talking to a GM, when something totally unrelated goes buggy. So I suppose that's not a bad reason.) But at least, if it were free, it would no longer seem vaguely like an extra money-grab on Blizzard's part.