Email confirmation added to authenticator setup to foil hackers

Note: Changing the email address on the account requires not only your password (which the account thieves already have at this point) but also the answer to your security question. So make sure the answer to your security question cannot be guessed or obtained through phishing. As I have suggested before, if you use a password for your security answer rather than an actual answer, you are adding a very thick layer of security. Make it a separate password you use just for security questions, like p45sw0rd (don't use that one).
Of course, the best way to prevent someone from stealing your account and then adding an authenticator to it is to put an authenticator on it yourself. There are keyfob and mobile versions available.
[Thanks for the tip, Joel!]

Reader Comments (Page 4 of 4)
Mindy Jul 28th 2010 5:37PM
Uh not really sure this is a totally good idea. What's to deter them from going after a person's email?
I've already been getting random realid requests on a new email I made only for my battlenet account. :( *paranoid*
TTFK Jul 28th 2010 5:55PM
What this article doesn't mention is that Authenticator entry is now required to post on the Blizzard Forums as well.....
So what happens when a hacker illicitly adds an Authenticator to someone's account, and that person comes to the forums for assistance only to find this support option, which Blizzard routinely refers people to, is no longer available?
This will not slow down the rate of people without Authenticators being hacked.
This will not speed up the service time for account recovery.
This WILL force any and all of those recovery requests out of the forums, and therefore, OUT OF PUBLIC VIEW.
Out of sight, out of mind, eh? Nice try. Very Kotickish.
haloxinreverse Jul 28th 2010 7:08PM
I was worried about that when I was hacked but the technical support forum lets you log in and post only there. So even if an authenticator is attached to your account without your consent, you can still post and get Blizzard to help you out.
atmb82 Jul 28th 2010 6:44PM
The best way to screw the scammers?
The SNR. signal:noise ratio.
If everyone ANSWERS to the scammers on the server, follow their link PROVIDING FALSE information, made up ones, random stuff, the scammers themselves will lose most of their day finding which information is right and which one is fake, that is the NOISE will go up, a lot higher than the signal itself.
This way, the scammer will lose interest because the time he'll be losing verifying all the data he's gotten will lower his dollars-for-hour income, to a point where it will become unprofitable completely.
Then, he'll leave the scam because he wouldn't earn anything.
This is how real world works, and it will work in WoW too.
TTFK Jul 28th 2010 7:06PM
You do realize that even going to the sites opens you up to drive-by downloads....
Telling people to even click on the links is a HORRIBLE thing to offer.
Sarsella Jul 28th 2010 7:07PM
Why oh why doesn't Blizzard just give an authenticator to every new account (at least) for free, by default? At this point, it should just be as required as the password.
Philster043 Jul 28th 2010 9:16PM
I'm expecting Blizzard to be more considerate of this in future products. Let's see what comes with the Cataclysm box-set.
Axolotl Jul 29th 2010 4:56AM
I've added an authenticator to both my accounts for the pet only.
And the answer to my security question is in no way related to the chosen security question.
If you're using hotmail (or similar free online mailthingy that isn't from your provider) then use a different password on that mailaccount, make it so that each password is unique.
Say you use "Lasagna" to play that Hello Garfield Island Adventure game, then use "HughHeffner" as password for the mailaddress associated with the gaming account, not Lasagna and not something associated with Garfield in the first place.
Shinhan Jul 29th 2010 5:30AM
Blizzard refuses to ship keyfob authenticators to Serbia, and the mobile authenticator is incompatible with my mobile. Yes I tried.
bui Jul 29th 2010 9:11AM
Buy an authenticator and get a vanity pet to boot, I don't really see a downside. Also it's true that longer passwords are better and would take a long time to crack even if it is simple things like dogfrogdogfrog... but complex long passwords are better for the person who is super paranoid as the dogfrog will take months, the d()gFr(o)g will take years. But again authenticator solves all these problems. And also not being an idiot and falling for scams helps. Educate yourself on popular scams by reading websites that will keep you abreast of such topics, for example wow.com, just as a for instance. And never give your p45 sword to anyone. As the proc may be awesome having been designed by gnomes when it backfires all it produces is epic fail.
Clbull Jul 29th 2010 12:10PM
That's gonna reduce all the spam threads on the wow forums about hot teachers with "sex leg"
Andy Jul 29th 2010 1:34PM
It's been active at least since 23rd July: http://pastebin.com/rZKmGvP4
Quigley Jul 29th 2010 8:22PM
Had my account hacked and locked out earlier this year, and a confirmation email for the Authenticator which was placed upon it did not arrive. I had searched expecting such a simple 'Confirmation' practice. Nope, nada, zip, zero.
I am glad to see this implemented, it was a glaring gap in the application of unauthorised Authenticators.
Blizzard GMs were a complete 180, their support service was great.
I am still surprised such a device didn't come with the software originally, I work with professional studio packages and a majority use inbox on use product licensed security dongles, or cards.
Kaza Jul 30th 2010 12:43PM
So I just have to post here because I find my situation all too weird. And the timing of this article and the dates provided make my situation even more weird.
I've been playing without an authenticator for 2+ years now without ever being hacked. Last night I was hacked around 3am or so (according to some of my guildmates who were whispered being told I was hacked, which in itself is kind of weird).
I keep my password to myself almost always. However, last night we were doing the last achievement for our 25 man drakes in ICC and I couldn't make it, so a friend and officer in our guild said he would play my character for me so I could get the achievement. I gave my password to him so he could play it for one night assuming I'd just change my password the next day because I'm so paranoid about giving it out. I've known my friend for years, worked with him, and know him in RL so I know he is trustworthy.
Anyway, like I said last night I was hacked and an authenticator was added to my account.
#1 I received no confirmation email about an authenticator being added to my account.
#2 I tried to login to Battle.Net this morning and my password had been changed. I received no confirmation email about my password being changed.
#3 I received an email from Blizzard this morning that there was suspicious activity on my account.
#4 After hearing from guildmates about the possible hackers whispering everyone in my guild that I was being hacked, I changed my password and lo and behold I was sent a confirmation email.
Why is this weird? Well, since my password was obviously changed by the "hacker", how come I was never sent a confirmation email about my password changing? And also, an authenticator was added to my account, but I was never sent an email confirmation about that either? I was under the assumption that this change had been put in before early morning July 30, 2010 (the article says July 27th, a whole 3 days before my incident).
I'm very skeptical about all this because I work as an ecommerce programmer so I know a thing or two about account security. The fact I was sent no confirmation email about either my password changing the first time (by the hacker) and an authenticator being added to my account (by the hacker) makes me question where in fact these hackers are coming from. In my experience in the ecommerce industry, the only way to reset or change a password without a confirmation email being sent is "internally" by changing the database.
These are not accusations, merely observations. Though I am incredibly skeptical about all of this.
Grimm Aug 3rd 2010 10:25AM
Bluntly -
Your friend hacked you, or your friend had a keylogger or equivalent that allowed the hack.
Additionally, there isn't an email confirmation sent to the old email account on changing your email account. A sophisticated hacker for WoW is trying to get into your account and have it for the longest possible time. So! They:
1) Add an authenticator to require you to call in.
2) Change your email address, change your password, then change your email address BACK.
Why?
Well, that way there's no interruption in normal communications. Your renewal notices, blizzard pushes, or whatever - they all come to you normally.
With any luck, you won't notice for some time.
What's suspicious to me is that this hacker was telling your friends you were being hacked; that's not normal, and implies to me rather than a professional job, this is a 'script kiddie' grab. It called attention to the hack.
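The sequence described in the comment above (authenticator added, email changed, password changed, email changed back) leaves a recognizable trail in an account audit log. The following is an added example, not part of the original comments and not Blizzard's code; the event names, the log format and the one-hour correlation window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed audit events (timestamp, account, action, detail); not real data.
EVENTS = [
    ("2010-07-30 03:01", "acct-1", "authenticator_added", ""),
    ("2010-07-30 03:02", "acct-1", "email_changed", "owner@example.com->x@example.net"),
    ("2010-07-30 03:03", "acct-1", "password_changed", ""),
    ("2010-07-30 03:04", "acct-1", "email_changed", "x@example.net->owner@example.com"),
    ("2010-07-30 09:00", "acct-2", "password_changed", ""),
    ("2010-07-31 10:00", "acct-2", "email_changed", "a@example.com->b@example.com"),
]

SENSITIVE = {"password_changed", "authenticator_added"}
WINDOW = timedelta(hours=1)  # assumed correlation window


def parse(events):
    """Group events per account as (datetime, action, detail), time-ordered."""
    grouped = {}
    for ts, acct, action, detail in events:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        grouped.setdefault(acct, []).append((when, action, detail))
    for evs in grouped.values():
        evs.sort()
    return grouped


def find_email_roundtrips(events, window=WINDOW):
    """Flag an email change that is reverted within `window` while a password
    change or authenticator add happens around it."""
    findings = []
    for acct, evs in parse(events).items():
        changes = [(t, *d.split("->")) for t, a, d in evs if a == "email_changed"]
        for i, (t1, old, new) in enumerate(changes):
            for t2, old2, new2 in changes[i + 1:]:
                if t2 - t1 <= window and (old2, new2) == (new, old):
                    acts = sorted({a for t, a, _ in evs
                                   if a in SENSITIVE and t1 - window <= t <= t2})
                    if acts:
                        findings.append({"account": acct, "reverted_at": t2,
                                         "actions": acts})
    return findings


if __name__ == "__main__":
    for finding in find_email_roundtrips(EVENTS):
        print(finding)
```

Sending a notice to the previous address whenever the email is changed removes the blind spot this pattern relies on.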
Tarinae Jul 31st 2010 4:08PM
I just wanted to note that this article says the email is active on July 27 but the blue post quote:
"Since Thursday, 7/22/2010, we now require that you have access to your actual email account in order to add an authenticator."