In defense of care packages and mandatory authenticators

First, how many of you have had your accounts stolen, or know someone that had theirs stolen? Chances are good every single person that reads this post will raise their hand to that question. The problem is not a small one. I'm in a rather large guild, and every few weeks someone has their account stolen and the little bits of our guild bank they have access to go with them. My large guild is also just one guild in a larger guild alliance which suffers the same problems. Every two weeks or so, someone I see online on a regular basis gets their account stolen.
This is only a small set of guilds on one server, and the problem is not unique to us. It's a problem you will find anywhere you go in WoW, so you can guarantee that every single day, hundreds of accounts are stolen. Each of these stolen accounts needs to be investigated, retrieved, and if everything turns out right, restored. Much like anything else in the world, this takes time. When you rush these things, you end up with the Martin Fury situation. As hilarious and intriguing as that was, it's not healthy for the game.
Plus, if that person you just restored is especially lacking in computer know-how, there is no guarantee they won't get their account stolen again the very next day after their restoration. Score one for the bad guys. Two stolen accounts for the price of one.
The Care Package
In many cases, after the care package policy was first implemented, Game Masters were offering players the care package and only informing them of the ability to do a full restore after they turned the original offer down. Since we've reported on this situation, the policy has been reiterated and it's been made clear that the intent is to offer both simultaneously, and let the player make their choice. With that clarified and reinforced, the policy is surprising, but not a wretched sleazy thing.
Remember that not all WoW players are people decked out in phat epic loot. WoW has a significant number of players still running around in greens, or even just leveling up for the very first time. Do these people really need full gear restores for their character(s)? This care package, for those players, could potentially be above and beyond what they had to begin with. For a player leveling for the first time, 2500g could easily purchase them a new set of gear on the auction house, pay their various mount/flight costs pre-epic flying, and then some. Not a bad deal for a couple days' worth of inconvenience, is it?
A full restoration for those characters with very little of value likely takes just as long as restoring an Icecrown Citadel geared raid tank that was nearing the gold cap. If those players in greens will accept the care package, that's a smaller number of characters in the restoration queue. With fewer players in the restoration queue, your raid's main tank will be restored faster and you can get back to grinding your face against Professor Putricide.
This care package policy is, overall, a good thing for the game. The problem only came in when it was being pitched incorrectly, making players believe they had to settle for a few badges and some gold instead of getting back the character that they (or their raid/guild) worked so hard on. How your message is communicated is everything.
Mandatory Authenticators
I admit, I am baffled at how divided the community is over this issue. Authenticators are wonderful things, and if Blizzard can get one into the hands of every single player of the game, a lot of the most frequently mentioned problems with WoW's customer service would be repaired. I would be most pleased if every copy of Cataclysm shipped with an authenticator.
It is difficult (if not totally impossible) for Blizzard to completely protect a player from being hacked, phished or scammed. There is very little that they can do with the client itself to protect someone from their own mistakes, and that is the root of almost all hacked accounts. Blizzard keeps things secure on their end, and the players need to do the same on theirs. Most do not. In fact, I cannot even count the number of times I've heard someone say, "I don't need an authenticator, I think I know how to keep my computer secure" and then they get hacked not even weeks after. There are a lot of ways to get nailed with a keylogger, and they can be as simple as missing out on a Flash update by a matter of hours.
Accounts are rarely, if ever, hacked via brute force. Any limit Blizzard places on login attempts or any password blacklists they introduce would make people feel safer, but it wouldn't actually make them safe. The authenticator, being a third-party item that does not actually communicate with your computer, is the best possible way to keep your account secure. There's no threat of getting a keylogger in Vasco's authenticator.
I know that many people are concerned about losing their authenticator, and here is my tip to you: If you only use your authenticator in your own home, find a small strip of double sided tape and stick it to the outside edge of your monitor. It will be there forever. If you do use it in multiple places, use a strip of velcro instead of tape. You can put it there when you're at home, and when you're taking it to a friend's house or wherever you might be going, put it on your keychain or a necklace.
As soon as Blizzard can stop worrying about hacked accounts, they can focus on the myriad of other issues players face every day.
Final Thoughts
It's no secret that Blizzard's support department is worked to the bone, and the solution to that problem is not to hire dozens of people and throw more manpower at it. No matter how many game masters they hire to fix players' hacked accounts, those people cannot stop the accounts from being hacked. The game experience won't improve, players will just be inconvenienced for a slightly smaller amount of time. When one problem is dominating your entire staff, you don't simply hire more staff. You find a way to solve the problem.
The care package offer is a band-aid on a gushing wound when what you actually need is stitches. Yes, the band-aid will help a little, but it's not going to make the problem go away. You're still bleeding out. The path to healing is through shaking things up, and getting those authenticators in player hands. If incentives like the Corehound Pup aren't working, a more drastic decision needs to be made. I sincerely hope that the day I open my Cataclysm box, there is an authenticator inside waiting for me. I don't need it personally, being one of the earliest adopters, but it will be good to know Blizzard's support department will be on the road to healing and players won't need to worry about their guild bank disappearing like clockwork.

Reader Comments (Page 2 of 17)
Kurdaj Jan 12th 2010 4:45PM
The problem isn't that the accounts are being hacked. Surprise, but thefts occur everywhere, everyday. That there are hackers and thieves in the world is not the fault of the Police or Blizzard Restoration guys - that's why we have them in the first place.
The problem is when Blizzard can't restore all the accounts, timely. If the Police can't handle all the crime, you don't throw your hands in the air, you hire more Police. If Blizzard can't handle all the account restorations, THEN MANPOWER IS THE SOLUTION.
Of course Blizzard can do little to control the actions of hackers - no one implied they could. But what they can control is how fast they process account restorations. That means more people. That means throwing more manpower into the system - more account restoration admins, etc.
"It's no secret that Blizzard's support department is worked to the bone, and the solution to that problem is not to hire dozens of people and throw more manpower at it. No matter how many game masters they hire to fix players' hacked accounts, those people cannot stop the accounts from being hacked. The game experience won't improve, players will just be inconvenienced for a slightly smaller amount of time. When one problem is dominating your entire staff, you don't simply hire more staff. You find a way to solve the problem."
So your solution is to make WoW hack-proof with digital keychains? Wow, alert Microsoft, because they've been trying to combat hacking for YEARS. Your solution is new, original, and perfectly viable.
For fanboys who say, "There's never been a case of an authenticator being hacked!" there never will be; Blizzard doesn't talk about confidential account information - they wouldn't talk about it anyway. And the authenticators are Blizzard's own product - they're not about to compromise their own integrity by admitting to possible faults in their own security.
Melithine Jan 13th 2010 12:51PM
MAC addresses are only seen by the local network, they aren't seen by remote servers.
Babaloo Jan 11th 2010 11:09AM
Strangely enough, I've never got my account hacked or know someone who has. And no, this isn't some stupid troll post either. Am I alone here?
N-train Jan 11th 2010 11:13AM
I've actually only seen it happen once, and that was to someone in my old large guild who I didn't really know.
Despite that, however, this is a problem that trickles its way down to everyone, regardless if you actually get hacked or not, so I'm in favor of some authenticators with Cata, and considering buying one myself fairly soon.
Kilseker Jan 11th 2010 11:38AM
You're not alone. I fall into the same category. I don't have an authenticator yet either but the sooner the better it seems.
Josh Jan 11th 2010 11:43AM
I've never seen it happen either. I still have an authenticator.
Joshua Ochs Jan 11th 2010 11:52AM
I've seen it happen to one person in nearly four years of playing, and only in the last month. During the month a keylogger was on there, he was hacked four times. He was never able to remove the keylogger no matter how many utilities he ran, so he ended up having to blow away the machine and rebuild it. Problem solved.
Oh, and where did the keylogger come from? Downloading pirated software from a torrent. You can be sure he knows not to run random EXE's now.
I have ZERO sympathy for people who get hacked. I've yet to hear of a case where people didn't later admit to doing something monumentally STUPID to get hacked in the first place. Go ahead - show me an example of "drive by" hacking. These aren't the pre-XPSP2 days, where worms and network attacks were prevalent. It's all social engineering, and getting people to click things they shouldn't. Which boils down to stupid end users.
Screw authenticators, and screw restoration. Let them just blow away the account and give you a new password. Get hacked again because you didn't clean up your mess? Three strikes and you're out. That will get you to clean up your computer, and Blizz and the rest of us don't have to subsidize your stupidity.
Thundrcrackr Jan 11th 2010 12:02PM
I've never been hacked either in the few years that I've played, nor have any of my RL friends that I know of.
Still, the more and more time I get invested into my toons the more I worry about it...
Regarding the pet for getting an authenticator - can you use it on all of your toons like the anniversary pets, or is it like the recruit-a-friend zebra where you can only choose one toon to use it on?
AndremedaSC Jan 11th 2010 12:10PM
I'm an officer in a very very large guild (3000+ members) and we have someone getting hacked every couple of weeks. We talk about authenticators to the members constantly, but there are still people who just don't seem to get the message. I must confess I get rather tired of hearing "I didn't think I really needed one!" or "I'm too smart and savvy to get hacked."
There have been cases of people picking up a keylogger that was embedded in an ad on a legitimate, mainstream website, even without clicking on the ad. You can do everything right in terms of browsing practices, and still get hacked. Not everyone who gets hacked is an internet noob, folks. Two-factor authentication is your friend!
inexodus Jan 11th 2010 12:35PM
@Joshua Ochs "Go ahead - show me an example of "drive by" hacking. These aren't the pre-XPSP2 days, where worms and network attacks were prevalent. It's all social engineering, and getting people to click things they shouldn't. Which boils down to stupid end users."
Quite possibly the most pointless and uninformed post about PC security I've seen yet. You really think XP SP2, Vista and Win 7 are immune to flash hacks and browser vulnerabilities? Get a clue. Most keyloggers didn't come in from worms or network attacks either, they were and still are mostly spread through browser exploits. You also can't forget that family PCs are shared, so even with Win 7's enhanced security all it takes is a young sibling or uninformed parent to click "OK" and you've lost your account.
I got hacked during the process of installing Windows XP on my computer (FYI - all those XP CDs didn't magically get updated to SP2). While waiting for drivers, updates and everything else to download and install I figured I'd go to my usual, trusted addon sites and get the latest copies of the few addons I needed. I can tell you the sites - curse, wowwiki, worldofwar.net. None of these are hacker sites, and I don't ever click on banners. But one of them must have been targeted with a flash exploit, so before I could get the PC patched up I was infected. My account was taken that weekend. It was absolutely my fault, and I knew the risk at the time, but most PC users wouldn't even think about the security risk. Are they stupid? Certainly not, but they're not security engineers either. It's unfortunate that people like yourself think they need to be in order to use a PC. Instead of treating people like idiots, why not just hand them a $5 authenticator and solve the problem for them?
Bronwyn Jan 11th 2010 12:37PM
Gotta say I agree with AndremedaSC. You can bring your chance of getting hacked close to zero with smart internet browsing practices but when a legit website gets hacked, infected, whatever, or an ad ends up carrying the bad stuff.. you can't control that. You can just hope your anti-virus and whatever other things you have on your computer to protect you catch it.
So, Authenticator = Good Idea. Though I do understand why people are reluctant (especially if they have to buy one separately) so I think that packaging it with a game would be the best bet.
Azradesh Jan 11th 2010 12:40PM
I haven't heard about anyone in my whole server that has been hacked, though I'm sure a few must have.
Joshua Ochs Jan 11th 2010 12:51PM
@inexodus
"You also can't forget that family PCs are shared, so even with Win 7's enhanced security all it takes is a young sibling or uninformed parent to click "OK" and you've lost your account."
And... we're back to dumb users for $200.
"While waiting for drivers, updates and everything else to download and install I figured I'd go to my usual, trusted addon sites and get the latest copies of the few addons I needed."
And... we're back to dumb users for $200. You clearly know enough about Windows and security to know that you DON'T DO THAT until you've updated and gotten your anti-malware of choice set up. Otherwise you're a... dumb user.
"Are they stupid? Certainly not"
I'm on the fence on that one, although the lion's share of this is to be laid at Microsoft's feet. Thankfully with Windows 7 being a reasonable upgrade from XP, we'll slowly see this fade away, much as IE6 will slowly (too slowly!) fade away.
Doma Jan 11th 2010 12:58PM
I've seen it happen to three people in my time playing.
One was an idiot and went to wowdupe.
Second claimed he "didn't know what happened", but had shared his account info with his brothers and subsequently, a friend of those brothers. He was also known for being the type of person who cannot admit they're at fault.
Third was a botter. After Glider was taken out, he went on a mad search for replacements. His account was compromised a week later, and our guild lost tons of enchanting mats.
So I've seen the whole spectrum of accounts being compromised. There were a few others who used hacking as an excuse for trying to ninja our bank. I'm pretty sure they were not actually hacked. I know some others who bought gold, but I think they got away with it.
I agree it's a problem, even more so after the battle.net merger. But I think the best way to attack the problem is mandating the authenticators WITHOUT charging the customers. If we have to wait until cataclysm, so be it. But even at that point, authenticators should be shipped for free to each account.
If you mandate the authenticators and ship them with the expansion that's good, but that still effectively locks out everyone else who doesn't buy the expansion. Don't treat your customers poorly Blizzard! Ship them for free, take the financial hit, and ship them with each copy sold from here on out! Everyone wins.
inexodus Jan 11th 2010 3:03PM
@Joshua Ochs
You're really asking a lot. "Average PC users" includes a wide range of people, most of whom have had little or no security training. When Windows 7 asks "Can this program do something to your PC?", only a small fraction of them actually understand what's going on. To label them all "stupid" only shows that you don't understand who's playing this game or buying PCs. Feel free to point me to the mandatory security class that comes bundled with every Windows PC purchase though, maybe I just clicked "OK" and skipped it.
Just to provide some perspective, I'm not your average PC user. I've worked in security for almost 10 years, I have multiple certifications and I'm finishing a masters degree in the field. Despite that, I made one mistake by trusting a few websites and was compromised. I've already said it was my own fault, so no need to point that out. But knowing what I do, there's no way I expect an average user to understand every way their PC might be compromised. The only truly guaranteed protection is to not use the computer at all. So I'm absolutely behind anything that gets authenticators into more players' hands, because they provide security that the user doesn't need to understand. It just works.
Now, should it be mandatory? Well that's ultimately up to Blizzard. My suggestion would be to bundle an authenticator with Cataclysm and refuse restoration to any account without one. That would shorten restoration times for players who are actually protecting their accounts, and allow the rest of you who still think you're secure to opt out. Just don't expect much sympathy from your guild when they lose their ICC geared main tank because he thought he was safe.
Draelan Jan 11th 2010 3:10PM
@ Joshua Ochs
So... I flew across country to visit my family for the holidays. I used my old PC there to play WoW, though during the year I was gone it was used mainly by my young niece. If I had gotten hacked because of something my niece had clicked on, that would make me an idiot? Despite the fact that I had no way of knowing or monitoring her actions online? And despite the fact that she's just a child and not some tech-savvy security expert? I would be an idiot if she (or anyone) got the computer infected by a keylogger that the anti-virus software failed to catch? Or are you insinuating that anti-malware software is infallible?
Face it. While there are certainly plenty of people who get hacked for foolish reasons, there are also people who take every precaution and are merely unfortunate enough to get infected either because they are targeted by a new hack that hasn't been caught/anticipated yet, or a brief lapse in judgement. (And, no, a brief lapse in judgement does NOT an idiot make. If that were the case, then there would not be a single person in the world who is not an idiot. We are all prone to mistakes.)
I'm sorry we can not all live up to your obvious perfection.
trendecide Jan 11th 2010 11:09AM
I've had two accounts since the game started over five years ago and have NEVER changed my username or password (other than what was required for the battle.net switch) and have NEVER had my account hacked. So-called "hacked" accounts are the direct result of people sharing their information and that information being leaked through other means or stupid people not screening their e-mail closely enough and failing to recognize phishing. Mandatory authenticators is an absolutely ridiculous measure. It's bad enough people are rewarded with an ingame pet for getting one.
Hoggersbud Jan 11th 2010 11:15AM
Ah, the old "It's never happened to me" excuse which was used for airbags, seatbelts and grounded outlets.
trendecide Jan 11th 2010 11:20AM
How about the new it'd never happen to you either if you didn't share your information or fall for phishing scams. I know it's tough, but it's called using common sense.
vesty12 Jan 11th 2010 11:32AM
That's simply not true. I have had my WoW account since vanilla WoW and I was hacked over Christmas.
I have never shared my account information with anyone, I run NoScript with Firefox and regularly do rootkit and antivirus scans. It is possible just to be unlucky.