Email confirmation added to authenticator setup to foil hackers

Note: Changing the email address on the account requires not only your password (which the account thieves already have at this point) but also the answer to your security question. So make sure the answer to your security question cannot be guessed, looked up in public information, or extracted from you by phishing. As I have suggested before, if you use a password for your security answer rather than an actual answer, you are adding a substantial extra layer of security. Make it a separate password that you use only for security questions, something like p45sw0rd (don't use that one), and keep it in a password manager rather than relying on memory: unlike a real answer, it never has to be something you would naturally remember.
Of course, the best way to prevent someone from stealing your account and then adding an authenticator to it is to put an authenticator on it yourself. There are keyfob and mobile versions available.
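As an added illustration (this is not code from the article or from Blizzard's systems), the Python below treats a proposed security answer the way the note above argues it should be treated: as a second password. It generates a random answer from the operating system's CSPRNG and flags answers that are short, very common, identical to the login password, or derivable from public profile data. The common-answer list and the profile fields are constructed for the example.

```python
"""Added example: treat a security-question answer as a second password.

Not from the original article. COMMON_ANSWERS and the profile dict passed to
weak_answer_reasons() are constructed for illustration only.
"""
import math
import secrets
import string

# Constructed list of answers that appear constantly for "favourite X" style
# questions. A real check would use a much larger wordlist.
COMMON_ANSWERS = {"red", "blue", "green", "pizza", "dog", "cat", "football", "none"}

ALPHABET = string.ascii_letters + string.digits  # 62 symbols


def generate_answer(length: int = 20) -> str:
    """Random answer drawn with the secrets module (OS CSPRNG), not random.random()."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def answer_entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random answer of the given length."""
    return length * math.log2(alphabet_size)


def weak_answer_reasons(answer: str, password: str, profile: dict) -> list:
    """Return the reasons an answer is unsafe; an empty list means it passes.

    profile: constructed public data about the user, i.e. what a thief could
    find on Facebook, a guild roster or the Armory (e.g. mother's maiden name,
    birth city). Matching is case-insensitive in both directions so that a
    profile value hidden inside the answer, or vice versa, is caught.
    """
    reasons = []
    a = answer.strip().lower()
    if len(a) < 12:
        reasons.append("too short to resist guessing")
    if a in COMMON_ANSWERS:
        reasons.append("is a very common answer")
    if a == password.strip().lower():
        reasons.append("same as the login password")
    for field, value in profile.items():
        v = str(value).strip().lower()
        if v and (v in a or a in v):
            reasons.append(f"derivable from public profile field '{field}'")
    return reasons


if __name__ == "__main__":
    # Constructed profile: the kind of data a "real answer" usually leaks.
    profile = {"mother_maiden_name": "Smith", "birth_city": "Oslo"}
    for candidate in ("red", "Smith", "hunter2", generate_answer()):
        print(candidate, "->", weak_answer_reasons(candidate, "hunter2", profile) or "ok")
    print("entropy of a 20-char random answer:", round(answer_entropy_bits(20), 1), "bits")
```

The generated answer is only as safe as where you keep it; the point of the check is that a memorable "real" answer fails the same tests that a password policy applies, so the answer belongs in a password manager alongside the password, not on a sticky note.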
[Thanks for the tip, Joel!]
Filed under: Blizzard, News items, Account Security
Reader Comments (Page 3 of 4)
Iirdan Jul 28th 2010 1:54PM
"Make it a separate password you use just for security questions, like p45sw0rd (don't use that one)."
Minutes later...
Blizzard: Are you sure you want to change your security question?
Robin: Yes.
Angus Jul 28th 2010 1:58PM
Heh.
You know what is scary? Looking on Wow.com and seeing your comment password there in plain text...
(I changed it, btw)
Haimdall Jul 28th 2010 7:14PM
How does one send a tip in to the WoW.com staff? I received a very well done e-mail this morning telling me about the Cataclysm beta, and I'd like to let them know so they can spread word.
Maulkon Jul 28th 2010 2:05PM
Sad state of affairs.
GDkitty Jul 28th 2010 2:12PM
Here is the blue post about it.
http://forums.worldofwarcraft.com/thread.html?topicId=26262797475&sid=1
Was originally on the 22nd I believe, but Dath edited his post, so it changed to the 27th. Was the same day as the authenticator-needed-for-forum change.
tearsofblood317 Jul 28th 2010 2:13PM
uh oh.
eeeeuhm.... now I wish I had written my secret question answer down >.>
(cutaia) Jul 28th 2010 2:13PM
I never understood why there wasn't more involved in adding an authenticator anyway.
Always seemed like there was an element of "authentication" missing from the process.
MisterRik Jul 28th 2010 2:33PM
Remembering the answers to secret questions: The easy solution here, since they allow you to choose the question, is to make sure you choose a question that only has one *unchanging* answer. That means a question like, "What is your mother's maiden name?", "What city were you born in?", etc., and avoid the questions that ask, "What is your favorite...?", because favorites can change over time.
Zhiva Jul 28th 2010 5:58PM
Except that answers to "What is your mother's maiden name?", "What city were you born in?" are NOT so secret.
Kittens Jul 28th 2010 8:53PM
What Zhiva says. Those kinds of questions are really not safe at all.
Don't condemn me too hard on this next part lol, but a looooong time ago I used to have some fun with 'hacking' random Hotmail accounts. They were really insecure back then, and everyone could just have access to the secret question, and if you knew the answer you were in. You'd be surprised how many people had selected questions like that, with easily Google-able answers or easy-to-guess answers. Questions like 'what is my favorite color' can not only have changeable answers like you say, but are also extra unsafe because the pool of answers is kind of small for these.. people are usually not very imaginative, and 9 times out of 10 they were answered by just typing in 'red'. An astonishing number of people had also made their own one-worded secret question which turned out to be.. the same as their password.
And in these days of Facebook, it's even easier for anyone to find out what your mother's maiden name is, or your birthday.
My own tip: select questions totally at random, but just use the same answer for all, something you will remember. Mine is just some nonsensical fantasy word combined with a random number, but it's just one thing of which I know 'THIS is the answer to all my secret question thingies'.
Kittens Jul 28th 2010 9:01PM
Gah... I was reading the comments on this quite some time after I'd read the article, and now realised my tip was ofc exactly the same as in the article above.. Oh well.. it's late here, you know!! Zzz
But yeah, it's a very good tip! ^_*
dasho.o Jul 28th 2010 2:36PM
The real question is, why the hell did this take so long? The whole authenticator thing has been a HUGE issue since early this year..
Supereuropa Jul 28th 2010 2:41PM
The e-mail confirmation was launched when the new battle.net was launched. I can confirm that.
quasarsglow Jul 28th 2010 2:43PM
You know, I had no idea that the mobile authenticator was free.
I now have an authenticator. I know they are cheap for the fob, but it was enough of a hurdle to keep me from getting one.
Naphtali Jul 28th 2010 3:42PM
I will say I like the extra steps they're taking, but e-mail confirmation wasn't helpful at all in my case. Let me explain....
About a year ago, I had my account canceled (near wedding time and wanted to take a break). A friend called me one afternoon asking why I wasn't responding to him and saying he didn't think I would be playing for awhile. I was surprised and told him I hadn't had an active account in a month or so. I ran to log on, only to find my password changed. "No problem! I'll log onto my account and change it back!" My e-mail wasn't being accepted as a valid e-mail for the account. Confused, I checked my e-mail wondering if they had sent me a confirmation of the account being taken off my e-mail. What did I find? My e-mail password was also changed. Whether it was by a keylogger or a really dedicated hacker, they had hacked both my e-mail and my wow account at the same time. Switched the account to a different e-mail, confirmed it through my e-mail and then deleted all trace of what they had done.
Happened 2-3 times. I finally asked Blizzard if they would just lock my account for a few days until my authenticator would show up. They were nice enough to restore all my lost gold, as well.
My point? E-mail authentication only works if you don't have a keylogger or a hacker who feels like hacking both at the same time. Any time my WoW account was hacked, my gmail would also be hacked.
PistolPeet Jul 28th 2010 3:13PM
Slightly off-topic I know, but I wish they'd let me use the same authenticator serial on both keyfob AND mobile authenticator.
It'd mean I had a backup for if my phone broke/got stolen/crashed and it'd also mean I wouldn't have to take the physical authenticator to work so I can log in and check auctions at lunch.
tigglet Jul 28th 2010 4:02PM
Now all they need to do is make an on-screen, mouse-only number pad for the authenticator typing so that keyloggers won't be able to see what you are doing when you log in!
Shadowwind Jul 28th 2010 5:37PM
Sorry, that won't help. Most keyloggers are sophisticated enough that they can and do take screenshots of just such 'onscreen keyboards' or simply register what the clicks map to. That piece of security was outdated years ago.
Drakkenfyre Jul 28th 2010 8:18PM
Years after people thought that would work, and it still doesn't.
Stop getting hung up on the name "keylogger."
SumDuud Jul 28th 2010 4:04PM
Little sympathy for people that get hacked. Most should know better and all should have an authenticator by now. The password or phrase for answering secret questions is good advice.