1-11-2010 @ 11:04AM
Granted I don't know how Blizz handles the entire process, but through some chain of what was sold, who money was sent to, and then where it was sent to after that, shouldn't they be able to pinpoint the "hackers" major accounts?
1-11-2010 @ 11:14AM
They have no major accounts, they churn through ours.
1-11-2010 @ 12:50PM
That's the whole point. They've made such a great living out of stealing new accounts, they do all their business on stolen accounts. It wouldn't surprise me if they have some accounts they've got access to that they don't mess with, just so they can do their gold deliveries or whatever.
An authenticator on every account will put a screeching halt to account theft. It would still be slightly possible to hijack an account, since the authenticator token is good for one hour. If you could get somebody to go to a site and enter their login/pass, and then take them to a 2nd screen for their authenticator code ... and if the thief was watching the moment they hit enter, it's possible they could get to the account site and remove the authenticator within the time that token was active.
But that even has an easy fix. Once a token is used for a successful login, it's no longer any good. For my wife and me, who share an authenticator, we wouldn't be able to use the same key like we usually do. It would inconvenience us by 60 seconds every login. That's a small price to pay for a world where nobody gets their account hacked.
And finally ... for those whose lame excuse for not wanting an authenticator is the possible hassle if they lose it ... come on, that's a terribad argument. It's a far greater inconvenience on you (and people who depend on you) if your account gets hacked than the 30 minutes it would cost you on the phone to get your authenticator removed. Even if losing your authenticator means two or three days without WoW while Blizzard sends you a new one ... that's less inconvenience than an empty guild bank (if you're an officer, for example) and weeks waiting on a restoration.
Bring on the required authenticators. The sooner we put the scammers out of business, the better for all of us. Imagine what will happen to the auction house once the gold sellers are killed off and they stop jacking with the economies? The benefits are endless.
1-11-2010 @ 12:52PM
The token is good for one minute ... not hour. My bad ;p
1-11-2010 @ 12:57PM
I will agree with mandatory authenticators when they're free. The cost of buying an authenticator in Argentina (and I'm sure other parts of Latin America too) is way more than $7 (counting shipping, FedEx and all that crap).
1-11-2010 @ 1:30PM
Speaking on the length of time the token is "good"... I'm not sure it's even one minute. This may be different depending on if you have the physical keychain or the iPhone app.
I have the iPhone app for the authenticator. It produces a new code every ten seconds. If I enter the code currently visible, wait for a new one to generate, then hit enter on the old code, I'm denied access. So that code is seemingly good for about ten seconds, not one minute.
Is it different on the physical Authenticators?
1-11-2010 @ 1:52PM
Physical authenticator seems to be about 60 seconds. At least, the version I have (blue Blizzard logo on the face).
1-11-2010 @ 1:55PM
@ulurjah - what you described is the one weakness token-based two-factor authentication has: the man-in-the-middle attack. It's theoretically possible, but for all practical purposes can't be executed on any sort of scale to make it worthwhile for the hackers.
I.e., trojans/keyloggers/phishing net them thousands of accounts a day. Attempting to MITM an authenticator would get them about 3 accounts per day, and require MUCH more effort on their part. It's just not worth it to them.
Which is why token-based two-factor authentication is generally seen as one of the most secure methods in use today.
1-11-2010 @ 2:14PM
If you don't want an authenticator you should not be forced to have one. If you get hacked you should have a choice of the care package or paying a fee to have your account fully restored. Guild Bank Restorations should remain free.
1-11-2010 @ 2:48PM
In order to remove the authenticator from an account, you have to enter two codes from the authenticator. At least that's what it had me do when I removed my iPod Authenticator in order to update it last time an update was available. This would make it impossible for a hacker to be able to remove the authenticator from the account unless they got the user to enter multiple codes, and even then they would probably still run out of time (the codes expiring) before they could get the authenticator removed. Anyone know if it's different for the removal of the physical authenticators?
1-11-2010 @ 2:51PM
The code is good for 15 seconds. Not one minute or 1 hour, and all it takes to kick the hacker off your account is for you to log back into it. You cannot log into an account, sell off all the gear, go through the player's bank, sell off those items, and meet up with another compromised account within the time it takes the real owner of the account to log back into the account. Remember only one person can be logged into the account at a time. If I log in and get disconnected, I log back in, and that will then disconnect the "man in the middle". Unlike in banking logins, the login is a controlled environment. You're not at a compromised site that will give you false info to keep you from trying to log back in to kick the "man in the middle" out. For this to work with WoW, the hackers would need to corrupt the wow.exe or replace it with a fake version that would give you fake error msgs when you try to login, keeping you from ever actually connecting to Blizzard servers.
1-11-2010 @ 2:55PM
I disagree with some of what you said, Andy. While I do agree that Blizz should not force a customer to use an Authenticator, they should not be liable for any loss on your part by having an unsecure system/login.
If Blizzard shipped an Authenticator with every Cataclysm retail box (or mailed one to you if purchased for digital download) and a customer chooses to not use it, it's not Blizz's responsibility to restore anything if you get compromised. If a user takes the risk of not running an authenticator, they have to deal with the loss. If a guild chooses to take the risk of having members with unsecured accounts, they will have to deal with the loss. Your computer's security is not Blizz's responsibility and, in my humble opinion, they have gone above and beyond to help users that are compromised by the user's own actions.
1-11-2010 @ 3:37PM
Ulurjah, second paragraph in your post. If I'm not mistaken, in order to remove an authenticator from an account it is tied to, the person trying to remove it has to enter the long serial code on the back of the authenticator, no?
If I'm correct, the phisher could log in based on your scenario, but they couldn't unauthenticate the account they were logged in to. The damage they could do would merely be limited to that one login session, which would only last until the owner noticed he had been logged out and attempted to log back in.
1-11-2010 @ 3:46PM
@nclay
To remove an authenticator from your account you have to enter two sequential authenticator codes, not the authenticator serial number.
The only way to remove an authenticator from an account without physical access to the working authenticator would be through account recovery.
Blizzard does recommend that you remove the Mobile Authenticator from your account before upgrading it or replacing your mobile phone, because the seed key (serial number) may change when the software app is installed (it WILL change in the case of a new phone).
1-11-2010 @ 4:20PM
I would like to see the option of IP address or MAC address restricting. I do all my playing from the same machine, on the same static IP address. Why not just build a little software tool into the client that can check the MAC address (or use other computer hardware identifiers) and give people the option of turning on and specifying one of those, or even both of those, instead of an authenticator. If a guy can't log into the account without doing so on YOUR laptop, for example, the chances of getting hacked go down to almost 0. You could add several computers and/or IP addresses to the list if you play at several.
It is very similar to some of the security features on routers, and is something that can be self-administered.
1-11-2010 @ 5:34PM
Aykwa - the problem with that is that not everyone has a static IP address. Most cable internet services use a dynamic IP system which resets the IP of your house/residence internet every 4-6 hours. Your IP will remain the same on your local network, but your IP according to Blizzard and according to the cable company will not always remain the same. This system keeps them from having slowdowns... kinda like a soft reset to your internet (ever notice big lag spikes? that's them resetting your DNS). If they had a way to verify other things, like the serial code of your Windows OS, the serial code of your motherboard or even some other random piece of hardware, you could do this. But you would need to, first, have the permission of the user (easy - update the ToS) and second, get the rights to use that information for security purposes. Some companies don't want other companies using their serial numbers for their own purposes. This can and would be a bigger hassle than just giving everyone an Authenticator (it's free already if you have the world's most popular smartphone or mp3 player).
P.S. The Authenticator is the same concept most large businesses use for their own employees for logging into their servers. If they trust it for secure files that actually mean something... I can trust it for a game.
1-11-2010 @ 5:58PM
@Aykwa Interesting idea, but there is something called IP spoofing. Basically it corrupts your outgoing packets to fake an IP while keeping the "return IP address" intact. If the password was obtained through keylogging/phishing, they'd obviously have logs of the IP address that was used.
If anything, it would slow down gold sellers for a couple of weeks until they set up their IP spoofing system, and things would just resume as usual.
1-12-2010 @ 9:35AM
A few things about authenticators, and more specifically the mobile authenticator:
- It generates one code each 30 seconds, and each code seems to be valid for about 45 seconds.
- You can effectively clone the mobile authenticator if your phone allows you to mess with the Java storage (like my cheap Chinese phone). I do find this useful, since I was able to back up my authenticator :)
- The mobile authenticator can be downloaded to/used on unsupported phones, or even used on the computer (using a J2ME stack, such as KEmulator, MicroEmulator, or even the official J2ME from Sun). Instructions for getting the .jar archive you bought, and making it work with Android or Windows Mobile, can be found at http://deathcoil.net/authguide.html .
- There are attack vectors for cracking an authenticator-protected account; don't go lax on your security just because you have an authenticator.
- While it's true you can potentially kick whoever logged into your account by logging in yourself, keep in mind that the cracker might put something into his keylogger to make you unable to log in; he could corrupt your game data files, add the game to your firewall, or even mess with your boot sector. If he could make you believe that you mistyped one code when the code is about to change (and he knows when the code will change, since all authenticators need to be in sync), he could even remove the authenticator from your account.
1-11-2010 @ 9:10PM
MAC addresses are so easily fakeable, and even duplicable, that they're not worth using as any part of a real security plan.
1-12-2010 @ 2:06AM
"But that even has an easy fix. Once a token is used for a successful login, it's no longer any good. For my wife and I, who share an authenticator, we wouldn't be able to use the same key like we usually do. It would inconvenience us by 60 seconds every login. That's a small price to pay for a world where nobody gets their account hacked."
This is how it works already, though most likely on a per-account basis if you and your wife can use the same code - so each code works only once per account.