In defense of care packages and mandatory authenticators

First, how many of you have had your accounts stolen, or know someone that had theirs stolen? Chances are good every single person that reads this post will raise their hand to that question. The problem is not a small one. I'm in a rather large guild, and every few weeks someone has their account stolen and the little bits of our guild bank they have access to go with them. My large guild is also just one guild in a larger guild alliance which suffers the same problems. Every two weeks or so, someone I see online on a regular basis gets their account stolen.
This is only a small set of guilds on one server, and the problem is not unique to us. It's a problem you will find anywhere you go in WoW, so you can guarantee that every single day, hundreds of accounts are stolen. Each of these stolen accounts needs to be investigated, retrieved, and if everything turns out right, restored. Much like anything else in the world, this takes time. When you rush these things, you end up with the Martin Fury situation. As hilarious and intriguing as that was, it's not healthy for the game.
Plus, if that person you just restored is especially lacking in computer know-how, there is no guarantee they won't get their account stolen again the very next day after their restoration. Score one for the bad guys. Two stolen accounts for the price of one.
The Care Package
In many cases, after the care package policy was first implemented, Game Masters were offering players the care package and only informing them of the ability to do a full restore after they turned the original offer down. Since we've reported on this situation, the policy has been reiterated and it's been made clear that the intent is to offer both simultaneously, and let the player make their choice. With that clarified and reinforced, the policy is surprising, but not a wretched sleazy thing.
Remember that not all WoW players are people decked out in phat epic loot. WoW has a significant number of players still running around in greens, or even just leveling up for the very first time. Do these people really need full gear restores for their character(s)? This care package, for those players, could potentially be above and beyond what they had to begin with. For a player leveling for the first time, 2500g could easily purchase them a new set of gear on the auction house, pay their various mount/flight costs pre-epic flying, and then some. Not a bad deal for a couple days' worth of inconvenience, is it?
A full restoration for those characters with very little of value likely takes just as long as restoring an Icecrown Citadel geared raid tank that was nearing the gold cap. If those players in greens will accept the care package, that's a smaller number of characters in the restoration queue. With fewer players in the restoration queue, your raid's main tank will be restored faster and you can get back to grinding your face against Professor Putricide.
This care package policy is, overall, a good thing for the game. The problem only came in when it was being pitched incorrectly, making players believe they had to settle for a few badges and some gold instead of getting back the character that they (or their raid/guild) worked so hard on. How your message is communicated is everything.
Mandatory Authenticators
I admit, I am baffled at how divided the community is over this issue. Authenticators are wonderful things, and if Blizzard can get one into the hands of every single player of the game, a lot of the most frequently mentioned problems with WoW's customer service would be repaired. I would be most pleased if every copy of Cataclysm shipped with an authenticator.
It is difficult (if not totally impossible) for Blizzard to completely protect a player from being hacked, phished or scammed. There is very little that they can do with the client itself to protect someone from their own mistakes, and that is the root of almost all hacked accounts. Blizzard keeps things secure on their end, and the players need to do the same on theirs. Most do not. In fact, I cannot even count the number of times I've heard someone say, "I don't need an authenticator, I think I know how to keep my computer secure" and then they get hacked not even weeks after. There are a lot of ways to get nailed with a keylogger, and they can be as simple as missing out on a Flash update by a matter of hours.
Accounts are rarely, if ever, hacked via brute force. Any limit Blizzard places on login attempts or any password blacklists they introduce would make people feel more safe, but it wouldn't actually make them safe. The authenticator, being a third party item that does not actually communicate with your computer, is the best possible way to keep your account secure. There's no threat of getting a keylogger in Vasco's authenticator.
I know that many people are concerned about losing their authenticator, and here is my tip to you: If you only use your authenticator in your own home, find a small strip of double sided tape and stick it to the outside edge of your monitor. It will be there forever. If you do use it in multiple places, use a strip of velcro instead of tape. You can put it there when you're at home, and when you're taking it to a friend's house or wherever you might be going, put it on your keychain or a necklace.
As soon as Blizzard can stop worrying about hacked accounts, they can focus on the myriad of other issues players face every day.
Final Thoughts
It's no secret that Blizzard's support department is worked to the bone, and the solution to that problem is not to hire dozens of people and throw more manpower at it. No matter how many game masters they hire to fix players' hacked accounts, those people cannot stop the accounts from being hacked. The game experience won't improve, players will just be inconvenienced for a slightly smaller amount of time. When one problem is dominating your entire staff, you don't simply hire more staff. You find a way to solve the problem.
The care package offer is a band-aid on a gushing wound when what you actually need is stitches. Yes, the band-aid will help a little, but it's not going to make the problem go away. You're still bleeding out. The path to healing is through shaking things up, and getting those authenticators in player hands. If incentives like the Corehound Pup aren't working, a more drastic decision needs to be made. I sincerely hope that the day I open my Cataclysm box, there is an authenticator inside waiting for me. I don't need it personally, being one of the earliest adopters, but it will be good to know Blizzard's support department will be on the road to healing and players won't need to worry about their guild bank disappearing like clockwork.
Filed under: Analysis / Opinion, Blizzard, Account Security

Reader Comments (Page 17 of 17)
langiszero Jan 12th 2010 2:14AM
Exercises for people with brains:
1. Count how many times the pro-mandatory crowd has resorted to vicious verbal attacks against posts arguing against the supposed benefits and necessity of mandatory authenticators.
2. Same as #1, but only include comments that also claim that the other side "isn't listening."
3. Count how many people honestly believe that hackers are wizards that can do the impossible. Compare to how many people honestly believe in ghosts. The results should amuse you.
Fun times.
I posted a challenge around page 6/7-ish, challenging people to get my account hacked. I provided three character names and the server they're on. Here they are again: Arlia, Homard, and Makubex on Fenris. If it's as easy to get hacked as so many are claiming, that should be MORE than enough.
I'm an honest guy: if I get hacked, I'll not only return and admit it, I'll get a freaking authenticator. As I said before: BRING IT ON.
Joel Jan 12th 2010 9:22AM
I don't believe anyone has said that specific accounts are targeted and "hacked". So your challenge is moot. And a very attractive strawman.
Accounts are compromised through relatively low effort activities such as the spread of keyloggers and phishing. There are other possible attack vectors, but I think they are all relatively low probability.
Why should a miscreant go to the effort of trying to compromise your account when he can instead spread a keylogging trojan via BitTorrent and get other people's account information sent to him?
langiszero Jan 12th 2010 11:06AM
EXACTLY.
And why do you think those activities work?
No amount of authenticators are going to stop people from falling for web scams. Wow, their WoW account is safe; too bad nothing else on their machine is anymore, thanks to downloading and opening that attachment from their friend's email address in that email that said friend would never write.
Joel Jan 12th 2010 12:31PM
Those activities (phishing, keylogging) work because, like it or not, there are enough people using the internet who are not "computer people". Would you trust your parents to secure their computer? Your neighbor? The clerk at the grocery store? Any one of these people could be playing WoW, and susceptible to account compromise.
In a perfect world, we would all be technically savvy enough to protect our computers and data. However, it's not a perfect world. And we all have to deal with the consequences of that. Blizzard has no way of determining who is and who is not capable of securing their computer.
As this discussion is about Blizzard's authenticators and the security of your WoW account, I am going to choose to ignore your irrelevant conclusion regarding total system security.
I am neither opposed to, nor in favor of mandatory authenticators. On a voluntary basis, I am of the opinion that you are not doing all that you can to protect your data and WoW account if you do not have an authenticator. Even though I was at low risk of compromise I chose to get an authenticator. Prior to getting the authenticator I was already:
1) Running a Juniper Netscreen SSG-5 appliance at the edge of my home network. It has the Anti-Virus, Deep Inspection and Web Filtering features enabled. They are all configured and active. My screening and policy rules are restrictive.
2) My OS and all applications are patched and up to date. My OS choice is irrelevant to this discussion, but I do run Mac OS X. Just because there are presently no known WoW keyloggers for it today does not mean there won't be tomorrow.
3) I run AV on my system daily and against any downloaded file.
4) I do not use BitTorrent/Limewire/the current P2P client du jour for acquiring music/warez/whatever. I do use BitTorrent for downloading LINUX ISO's related to work, but they are AV scanned and I confirm the MD5 and SHA1 checksums before use.
Even with all of that, I chose to get an authenticator.
Ultimately, as things stand today, it's your choice to get an authenticator or not. You pay your $15/month to Blizzard and you accept their TOS. If they change the TOS to require an authenticator, you will get to choose to accept the new terms, or to cancel your account.
langiszero Jan 12th 2010 1:13PM
Thank you, Sherlock, for pointing out the pathetically obvious. "And a bird goes tweet" and whatnot.
Irony: my commenting on total system security is irrelevant... yet you chose to go into wildly explicit detail into the nature of your home network. Pot, kettle, black? I think so.
And yeah, I'm not doing everything I possibly can to secure my WoW account. I could go and actually buy network security appliances (you could have said "router" btw, and yeah that particular comment isn't relevant, so please don't take 5 paragraphs to point that out) and Battle.Net Authenticators.
Similarly I could buy a boot for my car. Without one, I'm not doing everything I possibly can to protect that car.
Joel Jan 12th 2010 2:48PM
The details of my home network were intended to illustrate that even for those who are careful, the addition of an authenticator is not a bad idea. Total system security as it applies to protecting your WoW account is not irrelevant.
"No amount of authenticators are going to stop people from falling for web scams. Wow, their WoW account is safe; too bad nothing else on their machine is anymore, thanks to downloading and opening that attachment from their friend's email address in that email that said friend would never write."
The irrelevancy is in your implied argument that a user should not bother protecting their WoW account by any means available, simply because other things on their computer are compromised. Yes, people will continue to fall victim to web scams. However, an authenticator will help prevent the compromise of their WoW account.
I would never call a Juniper SSG appliance a router. It's a unified threat management appliance which has routing functions. I would never ask a Cisco router (2600, 3600, etc), Juniper J-series or any other dedicated routing platform to handle security functions. IOS and JUNOS are not firewall releases. PIX OS and ScreenOS are.
dan Jan 12th 2010 3:02AM
Alex said:
"I admit, I am baffled at how divided the community is over this issue. Authenticators are wonderful things, and if Blizzard can get one into the hands of every single player of the game, a lot of the most frequently mentioned problems with WoW's customer service would be repaired. I would be most pleased if every copy of Cataclysm shipped with an authenticator."
I'm not baffled in the slightest. Given all the frequent and hyperbolic vitriol Schramm had in his posts on the topic I think it's safe to say that wow insider is a big reason for "how divided the community is."
tortured Jan 12th 2010 3:12AM
Over the few years that I've been playing only a handful of players I know have been hacked.
I don't use an authenticator and if it is not made mandatory I probably never will. Why?
Some of you say never say never, that there is always a chance of being hacked. Well that is a chance I will take. Unlike most people I can honestly say I've not had a virus, keylogger etc in years.
Don't force this authenticator onto everyone cause of a few thousand people who can't keep their accounts safe. Have you ever noticed how most of the time it's the same people who get hacked over and over again? It's hilarious to be honest.
You must be an idiot to run unknown files on your pc anyway, seriously use SANDBOXIE.
Oh thx to the noobs who keep down voting constructive posts. Seriously do you get some kind of rush out of it?
langiszero Jan 12th 2010 11:08AM
Gray comments are the ones usually worth reading on WoW.com, I find. They tend to contain real argument, so naturally the pawns that comprise most of humanity will hate on them.
Tezz Jan 12th 2010 7:37AM
never had my account stolen, never had anyone i know had their account stolen, i must be special
kebosangar Jan 12th 2010 7:59AM
I agree that the authenticator is a really good way to minimize account hacking. But I do not live in the states so if anything happened to the authenticator (Un-Synchronized authenticator, lost, dead battery, broken, etc) can mean, not a few days wait, but could mean 2-4 weeks of wait for a new authenticator to be delivered.
Lazerbyte Jan 12th 2010 10:29AM
I got my account hacked recently and was able to get it back but then a few days later I got an email indicating my account was closed due to a cheat program being used.
I have a record that my account was hacked and Blizzard doesn't care. They are not doing anything to stop the hacks that are occurring!
They need to figure out a way to resolve this problem so it is not on such a large scale and give people who were hacked a way to figure out if there was a cheat program used on their account and have it flagged or something!
I feel like a victim now and I am not sure if I will get my account back and it really frustrates me and I will NOT buy in to Blizzard's hype anymore meaning I will not be buying anymore of their games including Diablo III the next WoW expansion etc!
Mendin Jan 12th 2010 11:15AM
There is a problem I never saw anyone discussing.
Example, put more zeros if you feel like it.
Let's say server economy has 100 gold running around. Each day 5 ppl get hacked, hacker gets 1 gold from each, sells these 5 gold to someone else. Server economy still has 100 gold running around. But then, Blizz restores the gold from those 5 hacked ppl. Now, server economy has 105 gold. That leads to inflation. AH prices get higher. PPL who don't buy gold suffer from it.
So, don't say your account getting stolen is just your problem, cause it isn't.
With all the hacking that has happened during Christmas, the demand for money the new patch brought and all the jack**ses who bought gold I wonder if primordial saronite and battered hilt prices, just to name 2 examples, would be so high.
Joel Jan 12th 2010 12:36PM
The server economy is false anyway. The flow of gold into the economy through dailies and randoms is significantly greater than the flow of gold out through gold sinks. The increase in the gold supply via the restoration of gold for hacked accounts is likely small relative to the increase in gold supply through questing.
langiszero Jan 12th 2010 1:42PM
Also, I was concise in defining who my challenge targeted. Straw man indeed.
Dif Jan 13th 2010 3:25AM
I have the physical authenticator and I have to admit that it would not be so bad to use (even for one like me who never got a virus/keylogger/etc. in 15 years) if not for a big annoyance (as it is an annoyance and not a problem): it lacks the retro-illumination.
I usually keep my room light off (and the computer is not near the light switch) and it is a pain to stand up and go turn the light on/off every time I log the game (especially those evenings where my ISP is "not very cooperative" in terms of connection stability resulting in frequent d/c from the game).
Star Jan 15th 2010 4:55AM
Authenticators are nice but they are not the end all solution to hack prevention.
A bit of background on my experience for those who wish to read it.
I'm a 57 year old WoW player. I've played for 4 years. I live with my wife in a rural area, no children in the home (no other wow players). I share my account with NO ONE, and never have!
I do not visit gold sites, have never gone to any site requiring that I put in a username/password relating to my wow account, and have never received a phishing email, i.e. Your account has been cancelled, compromised go to a site and reauthenticate.
I purchased an authenticator last May, and converted to a battlenet account early June. I have used the authenticator that entire time.
A week ago I was on late friday night pvp'n. In order to do a quick character change I used alt f4 to exit the game quickly. I was not in a city at the time and did not want to wait for the countdown exit. I immediately logged back in as I have done 100s of times prior. The login looked just like every other time, I entered my password, authenticator generated number and saw "Success" on the bottom of my screen briefly. Next thing I knew I was at my desktop. I tried logging in several more times and got a popup that I had entered a bad password or usercode. After those tries I logged into vent because I had recently left there and knew there were guildies still on Vent. I asked if my toon was STILL logged in because I thought I might be experiencing a 'wait for timeout' kind of event like we saw in times past.
My guildies said no your toon (druid) just logged out, however your rogue just logged in. I knew at that point I had been hacked. I had one of them contact our Guild leader who was in ICC on a 10 man and kick my toons. Several guildies also put in tickets at that time. I changed my password, through the account management etc.
My druid was/is in fact an officer in our guild and had a good deal of access to 'items' and limited access to any gold in the guild bank. About that quickly, the hackers ripped our raid tab in the guild bank including all raid epics that were boe, shards, orbs, etc as well as 200 flasks. I was able to log in the following day, due to my password change I assume and submit my own ticket. I received a canned response from a GM that it was being forwarded to a specialist. I await restoration at this point, and have heard nothing yet from Blizzard beyond the forward to specialist response.
My point for this post is simply this. I know of nothing I ever did in game or out of game that would have compromised my account security. Thought I did EVERYTHING right in fact, including 'assuming' my password was secure because in fact the authenticator in essence changes my password like every 30 seconds, or if you would ADDS a changing password. You CAN be hacked in spite of an authenticator as my experience shows. And you can be hacked, believing you're doing it all the right way.
I have like I said not received any care package offer from Blizzard and would not accept it if it were offered. I am looking for a full restoration so my guild will also be restored.