One of our readers, Bill, sent us a tip about a WoW account issue on The Consumerist. It seems that the ownership of Anonymous's friend's account is under dispute and Blizzard won't let him use it in the meantime. The ownership became disputed after the account was allegedly hacked, even though there was allegedly a mobile authenticator on the account. His friend has given up on the account, complete with Val'anyr, and has created a new one.

We can't confirm any of the facts in this case. I am willing to believe that Anonymous is truly upset and believes the story he tells to be true, even though he is posting anonymously. There are some serious red flags, however, that seem to point to Anonymous not having all of the facts:

There are no confirmed cases of an Authenticator being removed from an account by a hacker.

The code from the Authenticator is based off of the serial number of the device or app and a date/time stamp. Because of this, a code is only good for about 30 seconds for a short time and can only be used once. (After a few comments I tested the duration and the codes definitely last longer than 30 seconds. But they don't last hours, nor can they be used in a jumble. For the results of more testing, please see the link on the word Authenticator above.) In order to remove an Authenticator from an account, without actually having the authenticator in-hand, Blizzard requires that you fax or snail-mail documentation proving that you are the owner of the account. Otherwise, following are the steps to remove an Authenticator online:

1. Enter username and password at the account management login screen.
2. Enter the current Authenticator code before it expires.
3. Navigate to the Authenticator removal screen.
4. Enter the new current Authenticator code.
5. Enter the next Authenticator code, approximately 30 seconds later.
6. Press the remove button.

The timing and number of codes required for the above procedure make it impossible to remove an authenticator online without real-time, extended social engineering. It would require slightly less effort to just log on to WoW with account info and an authenticator code acquired within the last minute for a quick cleaning out of the account, but no authenticator removal, password changes or another login would be possible.

Account thieves steal accounts for gold because it is time-efficient.

Goldsellers used to just roll hunters and farm their gold. But stealing accounts, stripping them bare and then using them to steal other accounts is much, much faster. Getting around an Authenticator is far too time consuming to be efficient and there are so many players without them. Rather than spend time that could be spent cleaning out another account, thieves will just skip over any accounts that have the extra protection.

Buying gold and/or accounts and getting hacked is embarrassing.

The other hacked authenticator story in this link ended up being debunked later by Blizzard. The victim in question had removed the authenticator in order to share his or her account. Sharing accounts is not only a big no-no according to the TOS, but also makes your account vulnerable to the practices of the people with whom the account is shared. It just isn't smart, unless you have complete control of the environment of your fellow account holder, such as within a family household. It also isn't smart to open up your account info to power-levelers and account sellers. Falling for scams does nothing to make you feel intelligent either and really, no one likes to be thought dumb. So people you normally would trust may be hiding a not-so-bright move solely due to embarrassment.

Blizzard restores accounts to account owners.

They may offer care packages to make the process easier for them; but if you are the account owner, and haven't done anything to get banned, you will get your account back. Now, you may get banned because you have a trojan, which isn't entirely your fault. (Tips for keeping your account safe are at this link.) But Blizzard will either ban you and tell you the reason or refuse to give you your account back because it wasn't originally your account. If Anonymous's friend purchased his account from someone else or was found to have bought gold, then Blizzard will not restore the account. If the friend is banned due to a program that is against the TOS, Blizzard may restore it after it is removed, but not before. And if the friend is banned for some other reason he would rather not divulge, Blizzard will not restore the account. It is not in their best interests to prevent paying account owners from continuing to pay and play.

You don't own anything on your character.

Amy Schley will be delving into this kind of thing in her new column, The Lawbringer, but the TOS clearly states that we don't actually own anything we have on our character. Even though we spend hours and hours acquiring really cool stuff, we don't have the same rights to it as something we go into a physical store and buy.

I am all for consumer advocacy and calling businesses out when they don't treat their customers as they should. But it would seem more on the side of consumers to encourage Authenticator use rather than post unsubstantiated stories such as this one. I invite Anonymous and his friend to contact me directly at Robin at WoW dot com with more details so that I can investigate further.

---

Tags: account-management, account-security, authenticator, blizzard, debunk, hackers, hacking, law, scams, the-consumerist, TOS, valanyr

Filed under: Analysis / Opinion, Account Security