@ Mike

You are a classic example of my point: your are putting out a blanket statement claiming that 'it can happen to anyone' based off your own personal knowledge and then claiming that the authenticator is the only way to counter this. You. Are. Wrong.

Again. Authenticators can help but they are not the be all and end all of account security - the attitude from many that they are is incredibly annoying.

@ Robin

As I tend to do I've gotten somewhat away from my original point while responding to peoples comments - there was nothing wrong with your article as you did address what people should do IF they have an account compromise and did indeed link to useful resources.

My comment was merely a statement that I wished people would look at these resources instead of only relying on an authenticator. My responses where I discussed that additional knowledge were not intended to say that wow.com didn't cover such resources, thats just me providing examples to back my own statement up, something I prefer instead of linking to someone elses examples.

I've been playing for about 3.5 years now and I have never been hacked. Don't get me wrong, I've surfed the underbelly of the internet, I just like to think I know what I am doing.
Authenticators are a great idea, but I live in Canada and have been holding out on the authenticator for two reasons;
1. I've never been hacked in 3.5 years.
2. They want to charge $10.56 USD for shipping. Nearly double the cost of the authenticator!

About 10 minutes ago after I read this post I went to the Blizzard store and shelled out. $17.06 USD for one if you live in Canada, which is only $17.94 in CAD, but still. People in the US are getting them for almost half off what I have to pay.

Anyway, I'm glad it's on the way.
I've never been in a car accident in nearly 8 years driving my own vehicle, but I still wear my seat belt all the time. Time I take precautions with my WoW account too.
I, for one, support mandatory authenticators for all, even if it does cost 18 bucks up here in Canada.

I work for a major software company (not related to WoW) and help security conscious customers design networks every day. Prior to that I was a consultant who among other things handled antivirus cleanups and prevention for companies. I know a thing or two on how to keep safe but that still didn't stop my account from being hacked.

I fell victim to an Adobe Flash vulnerability about a year ago. I knew the about the vulnerability and I meant to install the patch but it really wasn't on the top of my mind. After all I always have up to date antivirus software, firewall software, some security on my network and know what to click on and what not to click on when web browsing.

Luckily a friend of mine noticed the strange behavior and lack of responses when I was logged in at a time I'm generally at work. I was able to get in and change my password before the damage got to far. Of course now I had inconvenienced my guild (I was an officer and much of the bank needed to be restored) along with myself (I had to wait about 4 days before all my items were restored).

But in addition to that I had to scan through my computer to ensure there was nothing left (I ended up rebuilding it to be safe). I had to change my other passwords reinstall and patch WoW along with all my other programs. All of this because I was too lazy to download and install a less than 1MB Adobe Flash patch that I knew existed.

Had I had an Authenticator than all of that could have been avoided. Is it really that hard to type a short code in along with your password?

I got hacked, and I play WoW on Linux. You know, that operating system that won't run all that nice spyware and stuff?

Oh, and I'm a sysadmin, and put the same security measures in place on my own systems that I would at work. What's that about security conscious again?

TL:DR; Get an authenticator. I don't care who you are or what you know.

@thain

Yes, the current IE exploit required you to go to a compromised website. However, there are several ways to wind up viewing malicious webpages. A bad frame tag (deprecated but still valid) that silently loads a page from elsewhere while your address bar says you are at www.trustedsite.com, a compromised apache or IIS server at a site you should be able to trust, poisoned DNS servers and bogus BGP routing come readily to mind. Thus my comment about the only secure computer on the internet being not on the internet.

I have an authenticator, and entering the 6 (8 for mobile authenticators) digit key takes an extra 3 seconds. Perfectly happy to do it.

@Robin

Though I agree with you that an authenticator is an excellent choice for defending your account, it is not foolproof. As mentioned in the article: http://www.wow.com/2009/06/06/an-interview-with-a-scammer/#continued. The scammer in question can still hack your account once if you enter your info and authenticator ID. Granted you have to be a dult to do this, it is still possible. So as the OP says it is still important to have basic internet security knowledge in addition to the authenticator.

No, seriously, it only takes a little bit of common sense.

A guildie of mine got hacked, he illegally downloaded a program, KNEW there were viruses on his computer, and STILL played wow without removing them!

When he got hacked, it was NOT a surprise.

What everybody keeps forgetting is that loosing your equipment/gold is by far not the worst thing that can happen if you get a keylogger on your PC. The owner of the keylogger gets access to your email accounts your credit card information and many more things. With an authenticator you can get your Wow-Account more secure, but you should still take every precaution to keep your PC secure anyways. And most important if you get a trojan or keylogger you need to take the same precautions you would take if you had no authenticator at all.

"1. Password your root/admin accounts properly and run as a restricted user. OS's are doing this more for you as they progress, but many people turn this off or use an OS that doesn't do it for you.
2. Keep your OS fully up to date
3. Get decent anti-virus/spyware/malware software. Keep them up to date and run them regularly.
4. Run a browser that supports plugins, such as firefox, and download a plugin that lets you selectively load flash elements of a page, or blocks them completely - flash exploits are where a lot of attacks originate because they can be run via adds even on trusted sites.
5. Bookmark sites such as wow.com and worldofwarcraft.com - use these links to visit the pages always - never ever click on a browser link to them.
6. Run a firewall."

Myself and all my real life friends that play WoW, 8 of us in all, do all of this. Two of us still got hacked. Now all of us use authinticators. Doing all of those tips just delays the inevitable if you don't have an authinticator backing you up.

Heres the issue for me, I was just recently hacked however:

I had not visited any new sites in the last two weeks, and the new sites I had visited were reputable and well known (gizmodo etc that I hadn't read for a LONG while)

I have since the hack run anti-virus and anti-spyware programs of 4 different kinds and no hits or threats found at all.

I do not use the same email or password as my wow logins.

I only login from one system.

I have not used my login ANYWHERE except the actual game login on my computer.

Noone else knew my password or the email I used for the account (i always gave out a separate email, I had created the wow account's email separately)

Yet somehow I was hacked also, and whats sadder is I had ordered an authenticator 3 days before it happened (still waiting on it to arrive)

I run my windows updates, I have nightly spyware/AV scans go, I run a software firewall as well.


So please tell me how I did not take the normal basic security precautions? My password was a mix of capital letters and numbers as well and was effectivly a made up word.

"only people who aren't willing to be a little security conscious do."

BS - it is absolutely confirmed that the keyloggers these guys use can be delivered through flash on major websites such as Amazon or CNN and such. Even if you have everything, every little thing on your system up to date to the second, you can still be compromised.

The only way to be absolutely sure you don't get compromised is by not using the internet.

@Sparcrypt

While you missed my original intent, you did actually misstate something.

Authenticators are actually close to the be-all end-all to securing your WoW account (I would go so far as to say 95%). If you have an authenticator fob or authenticator software for your phone, then you have effectively introduced the two-pass authentication system on to your account using both the privately held password and the public/private key system of the authenticator device. This is typically considered the best form of user security for establishing communications between two parties.

The final step to being 100% secure is to only divulge your authentication code on Blizzard controlled sites protected with SSL certificates. Most modern browsers show prominent certificate information in the title bar or address bar.

Everything you recommend is great for general computer security, but the message is simple: You can go from being 100% vulnerable to partially vulnerable by implementing the author and your recommended security steps. You can go from partially vulnerable to 100% secure by introducing the authenticator to your account's security features and following the recommended security steps of only entering your auth code on a verified Blizzard owned site.