1-21-2010 @ 7:05PM
Authenticators are handy and all.. but I wish people would just learn a bit about basic internet security.
1-21-2010 @ 7:10PM
And I wish people wouldn't drive like assholes, but some things just never change. Better to at least try and teach them how to reduce the fallout.
1-21-2010 @ 7:16PM
To clarify, I'm not saying only stupid people get hacked - the correct term is that only people who aren't willing to be a little security conscious do. Basically think of it like this: taking basic security precautions on your computer is akin to being a good driver - you know the road rules and you follow them, thus greatly reducing the risk of being in an accident. The authenticator is like putting on your seatbelt and having airbags - you still should be following all the rules but if something bad does happen, or if someone runs into you, your chances of getting through it OK are much higher. What annoys me are the people who think they can skip the first step, learning some stuff that EVERYONE should know if you do anything at all online. Ask any security professional, the most important factor of computer security is the user themselves, regardless of any technology. So yes, get yourself an authenticator if you want one... but please, take the time to learn a little as well.
1-21-2010 @ 7:21PM
Like Robin says at the bottom of this post, you can know all there is to know about internet security and still get hacked. All it takes is one mistake, one click on an evil link and they can have you. And it's getting worse and worse. Authenticators are more than just handy, they are becoming pretty much essential.
1-21-2010 @ 7:25PM
Sparcrypt, I'm on the fence about deleting your comments. Here is my issue: "the correct term is that only people who aren't willing to be a little security conscious do" You are skating dangerously close to sounding superior when you say "a little security conscious". Besides, being "a little" security conscious won't protect you from being hacked. Fully security conscious, say by getting the safety net of an Authenticator, will.
See this is exactly what I mean - I in no way said anything bad about authenticators in my original post, just that I thought people should educate themselves AS WELL - and it's being steadily rated down. The single most annoying thing about the release of authenticators is the creation of this annoying attitude where you have to love them completely - anyone who tries to suggest that they might only be a part of an overall security solution is written off as elitist and ignored.
1-21-2010 @ 7:30PM
@ Robin I can see your issue with what I've said.. but I do disagree with the following: "Fully security conscious, say by getting the safety net of an Authenticator, will." That is NOT being fully security conscious - to be fully security conscious you need to educate yourself AS WELL. Surely you must realise this. As for sounding superior.. that is not my intention. My knowledge of computer security is higher than the average reader of this site, because IT is what I do. What I'm trying to do is convey that people need to look further than just putting an authenticator on their account then assuming that's all there is to do.
1-21-2010 @ 7:35PM
You are right that we should do more to keep our accounts safe -- all of our accounts. That's why the lovely swipe at the bottom links to http://www.wow.com/2009/05/06/wow-rookie-keeping-your-account-safe-and-sound/ for a comprehensive list of how to do just that.
1-21-2010 @ 7:37PM
I feel like I shouldn't have to be saying this, but there are and will be zero-day vulnerabilities in browsers, operating systems, etc that allow remote code execution. The current IE issue is severe enough that Microsoft released an out of cycle patch (See Microsoft MS10-002 http://www.microsoft.com/technet/security/bulletin/MS10-002.mspx) And yes, I know you can improve your odds by using a different browser, but then you have to look at the zero-day exploits in Flash player, the cross-site scripting bugs that have popped up in pretty much every browser, etc. The only secure computer on the internet is one that is not connected to the internet. Mac users (including myself) are lower priority targets only because there are fewer of us; not because the OS is inherently more secure. As soon as it becomes financially viable, OS X will be targeted too. Same for the other *NIX users. Basic account security should include getting an authenticator. Blizzard cannot start shipping them in game boxes soon enough.
1-21-2010 @ 7:52PM
I agree with you. While having an authenticator means that your WoW account is (currently) bullet proof it doesn't mean you can't rubbish up your system. Learning to protect yourself online doesn't just mean your account, what about your card details etc are you protecting those fully? Oh and while they can't currently crack open authenticators I wouldn't be surprised if they find a way sooner or later, either through social engineering ("sorry, we think you got a bad authenticator") or coming up with something else. One of the main reasons that authenticators provide protection is that they represent another layer to circumvent, to a scammer there are easier pickings but as more people start using authenticators the scammers will work harder to get round them. The best security is still knowing what you're doing: keep your stuff up to date, be careful what you click in emails or on websites and listen to advice carefully (ie listen and check it).
1-21-2010 @ 7:50PM
I'm going to have to agree with Sparcrypt here. Putting all your eggs into one basket is never a good idea. Robin, I approve of what you're trying to do with your post, but threatening to delete comments from people who question you is not doing anything for your credibility. Neither is your lack of research. I linked it below, but I will link it again: http://www.wow.com/2008/07/24/authenticator-fails-removed-from-account-without-users-permiss/ A link, on your own site, detailing how a hacker used social engineering to bypass an authenticator. Learn how to protect yourself online, chances are your bank doesn't have an authenticator option.
@joel The current IE bug with zero day fix, just like 99.99% of all browser faults, relies on you going to a compromised website on the computer that you use for wow. Suggestion: Do not go to compromised websites, this includes thottbot and alakahzam as both are very liberal in what they let advertisers post as ads. Also if you feel you must venture to the wretched underbelly of the internet, do so on a "safe" computer, get a netbook, never put any information you wouldn't want the entire world to know on it. Personally I do not want to have to put in two passwords every time I log into wow because everyone else's account has been hacked.
1-21-2010 @ 7:57PM
ctrl, in no way did I ever suggest or put in practice deleting comments that question me. But every time I post about account security, someone says "only stupid people get hacked" which is... well... stupid. And I just warned that those stupid, inflammatory, incorrect comments would be deleted. About that one case 2 years ago, it was soon after proven to be not accurate: http://www.wow.com/2008/08/05/authenticator-failure-revisited-blizzard-responds/
1-21-2010 @ 8:07PM
@ Robin True, but the only thing you list in your article here is 'get an authenticator' - I would gather very few people read the cut after the actual article, but that's irrelevant I suppose as it's there. I did take the time to look through that article though and I would classify what is covered as very basic. Some personal recommendations for a secure (by average user standards) computer are:
1. Password your root/admin accounts properly and run as a restricted user. OS's are doing this more for you as they progress, but many people turn this off or use an OS that doesn't do it for you.
2. Keep your OS fully up to date.
3. Get decent anti-virus/spyware/malware software. Keep them up to date and run them regularly.
4. Run a browser that supports plugins, such as firefox, and download a plugin that lets you selectively load flash elements of a page, or blocks them completely - flash exploits are where a lot of attacks originate because they can be run via ads even on trusted sites.
5. Bookmark sites such as wow.com and worldofwarcraft.com - use these links to visit the pages always - never ever click on a browser link to them.
6. Run a firewall.
There are of course more and more things you can do, but that will get most people started and reduce the risk of their wow account being stolen to near nothing - basically you'd have to give your account away to lose it. I again feel I need to clarify my position: I'm NOT AGAINST authenticators. As long as some people find them useful, there isn't anything wrong with them. However they are not and never will be a complete solution and those who preach they are annoy me greatly. You personally aren't doing that as you do include links to other resources, but a very large amount of the wow player base do. Tell me.. if you ignore all security precautions minus your authenticator and I have fully compromised your machine and am staring at your screen.. what can you do to stop me? Nothing. Once I get your authenticator code I can just log in within 30 seconds then shut your computer down remotely. By the time you reboot and get back on I've already stolen all your gold. Maybe I'll be really sneaky and instead of shutting you down, I'll jump into your router and change all your ISP settings - far as you can tell all that's happened is your internet has dropped out.. how long will THAT take for you to figure out? As long as I don't log out your account I can do as I please until you're back online. Now that's an extreme example, but technology wise it's certainly possible. Anyway, I think I have my point of view across.
1-21-2010 @ 8:09PM
You're wrong, sparcrypt. I do know a LOT about internet security. I had not even accessed the account for a few months. Suddenly, I get two emails, one that the wrath of the lich king trial had been activated, and one from blizzard saying the account had been locked for improper usage. I have a full version of McAfee Internet Security. I keep it updated, and the computer scanned. I don't enter my information anywhere, without checking the web address carefully. If I DO get phished, I immediately change the password. (Has happened to me twice, once on Myspace, I forget the other.) As far as Authenticators, I still believe that if 90 percent of WoW users got an Authenticator, then the Authenticator would itself become a target.
1-21-2010 @ 8:11PM
Sparcrypt, I link to a post in the first paragraph about how to avoid scams and to an extensive guide about account security in the final swipe. The scope of this post was to give steps about what to do if you get hacked.
1-21-2010 @ 8:23PM
The funny thing about this whole thread of Sparcrypt's is that it fails to acknowledge the most obvious: Authenticators are a form of security based on public key identification. Anyone who is serious about security will never suggest that you can safely play WoW without fear of compromise unless you use one. Every single post that suggests otherwise is doing a disservice to the author of this article as she is clearly concerned with the reality of compromises and how it can affect anyone.
1-21-2010 @ 8:32PM
I feel that this post + replies are too long already, but I feel there's something I need to say. Pretty much everything you list in your last post is found at http://www.wow.com/2009/05/06/wow-rookie-keeping-your-account-safe-and-sound/ On another note... I don't see why so many people are against authenticators. I have mine on my phone (so I guess I'm "lucky" I don't have to spend $6.50). I timed how long it takes to enter my 8 digit code: 8 seconds!!!!! Let's say you log in once a day, EVERY DAY for a year. That's a total loss of 48.6 minutes per YEAR. Here are the other options:
1) Download/update countless programs to help you protect your actions on the interwebz (I have a feeling that is more like 15 minutes a WEEK, and for you mathematically impaired people, that's 13 hours per year)
2) Get your account hacked. Spend the first hour pulling your hair out trying to get your account back only realizing you have to call Billing and it's 10:00 PM and Blizz is closed. Then spend a few hours over the next few days talking with blizz, and getting your account. THEN waiting a few days for gear/items to come back to your mailbox.
Long story short: I really don't see the big picture with authenticators. They will prob be mandatory soon anyways, and I don't blame Blizz. If your online bank records get hacked online, is that your bank's fault that you let your personal information out? No. You're lucky that blizz has probably spent a LOT of money on setting up countless systems to 1, protect your account, and 2, get it back if it gets hacked. "Long story short" short: GET AN AUTHENTICATOR AND DON'T QQ WHEN THEY EITHER BECOME MANDATORY OR BLIZZ STOPS RESTORING ACCOUNTS. -Thank you for your time... and stop picking on Robin ;)
1-21-2010 @ 8:34PM
** "Pretty much everything you list in your last post is found at" ** @ Sparcrypt
1-21-2010 @ 8:37PM
Some of these comments have kinda lost their sense of scope I think. Realistically, if someone is dedicated to breaking into your computer, there's not much you can do to stop them. You can certainly slow them down, though. People going after your WoW info are trying to make as much money in as little time as possible. I very much doubt that it is worth it to them to hack their way around your authenticator. Now, if you were the GM of a 300 person guild, had a gbank full of nothing but Primordial Saronite, and the hackers were aware of this, they might expend the extra effort to break into your account, but your average joe gold farmer isn't going to be doing that.