The Lawbringer: Account security and you

New players will soon be streaming into World of Warcraft come Cataclysm time, as well as old friends and enemies returning from prolonged sojourns. With these new or old accounts becoming active again, and demand for grey market services increasing with a growing player base, account security is going to be on the tip of everyone's tongue again. For good reason, too. World of Warcraft has had one of the most daunting burdens of any MMO to date in dealing with account security, account hacking and a legal nightmare overseas.
Today's Lawbringer deviates into account security, which I personally believe is vital to discuss. This week, I figured it would behoove us to revisit account security and why the grey market is such a nightmare for Blizzard. We'll talk about a few ways you can keep yourself safe, especially with hacking predictably on the rise. Account security begins with the player's habits, and the more you are informed, the easier it is to knock out one more account from the clutches of thieves.
Your relationship with Blizzard, for the most part, is governed by the terms of use and the EULA, two documents you agree to before playing the game. You're paying for the privilege of using a service and, as far as those documents are concerned, nothing more. Your account security is a combined effort between you and Blizzard, and it helps to be prepared.
Account security issues
Blizzard has its hands full dealing with security issues that crop up in and around World of Warcraft. Just as the aims and goals of computer hacking have changed in the past 20 years, so too have the reasons for hacking online game accounts. With so many hackers in many different nations attempting to steal account information, it is a daunting task to find and stop the attacks. Defense against these malicious attacks, therefore, is the only option.
A lot of people write in to me to ask about account security and hacking, but there is an interesting twist to the question. People want to know the "why" of it all, rather than the "how." Hackers like account information because it is an easy source of gold, items, and sellable items. The old days of hacking for hacking's sake and stealing for the sake of stealing are gone, and a new, profitable motive for account theft is in place. And it's been like this for years.
I enjoy talking about account security because every time my remarks hit new ears, I have potentially saved someone a great deal of heartache and trouble. So that's the aim of all this jazz -- let's save you some time, save Blizzard some phone calls, and make everyone feel a little safer.

It isn't personal, really. Getting hacked can feel like an incredibly personal and invasive thing -- kind of like your house getting robbed. Behind the password is your stuff, your things, and your characters.
So ... why you? You might not have done anything terribly wrong, to be honest. Just visiting a website with executables or Flash content that can run programs through your browser can make you vulnerable. You might have downloaded an executable file that an addon updater ran without knowing it was malicious. You might have picked up a keylogger from somewhere you visited that was compromised.
Whatever the avenue, you got bitten. The best defense, sadly, is to not get bitten in the first place. Other than that, getting those bugs off of your system and out of your life is a pain in the butt.
How to secure yourself
The best defense, in the case of all these malicious attacks, isn't a good offense. Really, the best way to protect yourself is through knowledge and behavioral changes to the way you experience online content. First, you figure out the way hackers can get your information. Second, you do your best to keep away from those potentially dangerous behaviors. Third, you use the Blizzard-approved and provided account security measures.
We've already discussed some of the ways hackers can make off with your personal information -- malicious Flash content, addons with executables from an unknown source, and spyware keyloggers. The problem arises when you consider most of these issues are sometimes beyond your control. That's where behavior comes in.
Your behavior matters
Two behaviors you can change right now that will reduce your amount of exposure to hackers and thieves are very basic. I have a lot to say about auto updaters, but we'll leave that for a lengthier discussion. For now, I recommend installing and updating addons by hand.
Put down the pitchforks -- I know that most of the time auto-updaters work perfectly fine and are innocuous. However, they have been compromised before and occasionally still have files that sneak into their distributions. Usually, these files are removed after one or two complaints, but these types of auto-update exploits do exist.
Installing addons manually is more time-consuming but has fewer potential risks. You won't be running any programs to update your addons, so no executables will be going off without you knowing. Plus, you can run them through a virus scanner. I wrote about installing addons manually in Addons 101.
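One way to check a downloaded addon archive before unpacking it by hand, as an added example that is not part of the original column. The function names, the extension list and the sample archive are assumptions constructed here; the check flags files with executable extensions, files that start with a Windows executable header even when renamed, and paths that would land outside the addon folder.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumption (not from the article): file types that can run code when opened.
# An addon is normally only .toc/.lua/.xml text plus media files.
RISKY_EXTENSIONS = {".exe", ".dll", ".scr", ".bat", ".cmd", ".com", ".msi",
                    ".vbs", ".jar", ".ps1", ".lnk", ".pif"}

def audit_addon_zip(source):
    """Return sorted (member, reason) findings for an addon zip, without extracting it."""
    findings = []
    with zipfile.ZipFile(source) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            path = PurePosixPath(info.filename.replace("\\", "/"))
            # A member that climbs out of the target folder is never legitimate.
            if path.is_absolute() or ".." in path.parts:
                findings.append((info.filename, "path escapes the AddOns folder"))
            if path.suffix.lower() in RISKY_EXTENSIONS:
                findings.append((info.filename, "executable extension " + path.suffix.lower()))
            # Catch a renamed Windows binary: PE files start with the bytes "MZ".
            with archive.open(info) as member:
                if member.read(2) == b"MZ":
                    findings.append((info.filename, "Windows executable header (MZ)"))
    return sorted(findings)

def build_sample_zip():
    """Constructed sample: a clean addon plus two planted problems."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("MyAddon/MyAddon.toc", "## Title: MyAddon\nMyAddon.lua\n")
        z.writestr("MyAddon/MyAddon.lua", "print('loaded')\n")
        z.writestr("MyAddon/Updater.exe", b"MZ\x90\x00constructed")
        z.writestr("MyAddon/icon.tga", b"MZ\x90\x00constructed")  # disguised binary
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for name, reason in audit_addon_zip(build_sample_zip()):
        print(f"SUSPICIOUS {name}: {reason}")
```

An empty result only means none of these three checks fired; the archive should still go through a virus scanner before it is copied into the AddOns folder.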
Second, don't surf to gold selling or gold farming websites. These sites are notoriously full of potentially harmful Flash content and popups that are there to steal your account information, potentially for the very company that you are looking at. That gold you're looking to buy could have been stolen from someone who just didn't have the knowledge that you do.
In fact, don't buy gold. That's a pretty safe way not to get hacked by going to gold sites and giving people your information.

As a community, we can do a lot to help World of Warcraft deal with the hacking problem. It's not all on our shoulders, though. Blizzard's involvement and responsibility is to assist you with information and means to protect your accounts. It is absolutely recommended to get some type of authenticator -- either the key fob from the online store or the authenticator program for the iPhone and Android operating systems.
Blizzard also recently announced an authenticator by phone service, allowing for a different type of account security for those inconvenienced by authenticators. It's not as secure, but it's something, and something is a whole lot better than nothing.
If you're a new WoW player coming in with Cataclysm or an old-timer continuing your epic journey, account security is still a big deal. Don't be scared or feel like protecting your account is a daunting experience; taking a few precautions will allow you to play fearlessly and save you a lot of time on the phone with great customer service people who have heard the same stories far too many times. You're playing an insanely popular MMO -- sadly, this is one of the things we have to deal with.
Read all about Blizzard's account security options here.
Reader Comments (Page 1 of 6)
netokituco Dec 3rd 2010 11:11AM
Don't ever buy anything with real money, gold, items, equipment, ever... If you do it you are taking the game one step closer to its end, no game resists this situation if it spreads, no one.
Fierna Dec 3rd 2010 11:49AM
Except adorable Moonkins!
Rob Dec 3rd 2010 1:54PM
So...buying from Blizzard is okay, but not anyone else.
I have a real issue with this double-standard that Blizzard creates. It's okay for them to sell me non-combat pets (6 of them to date) and mounts (Sparkle Pony), and even to entice with items for referring people (2 mounts), but if I work and struggle and create or get items in-game, I'm not allowed to sell them.
I'm not saying Blizzard shouldn't find other ways to monetize their property, they should, and their shareholders demand it with flattening subscriber numbers, but they shouldn't then punish us for doing the exact same thing and trying to monetize our investment in the game (both time and money).
alteffour Dec 3rd 2010 2:37PM
@ Rob
The flaw in your logic is that you think that because you worked hard to create something in game, you own it. Blizz owns EVERYTHING associated with WoW, they are just letting you use it. Therefore, since it belongs to them, you have no right to sell it for anything out of game.
No matter if you don't like it, you agreed to the terms.
Tinwhisker Dec 3rd 2010 3:03PM
There's a clear difference between Blizzard selling Moonkins which they own and are free to "sell" (although you never actually own them) and gold-selling companies which sell something that is not theirs to begin with and was likely stolen.
"Why is it OK for Walmart to sell me a stereo but I can't buy one from T-Bone out of the back of his van? That doesn't seem right at all!"
*rolls eyes*
Dok Dec 3rd 2010 3:15PM
A few comments...
Buying Gold and items is basically stealing it from the people who got hacked. That's why Blizzard is right about it being against the ToS. The other odd thing is that if it were not against the ToS to sell gold for cash then the IRS might be interested in how much Gold you have and tax it. Read quite a few stories about the future of taxing "virtual currency" in real life if they could be exchanged for real money. I think it would be great fun to deduct repair bills from your taxes and get welfare epics for real.
I really dislike the fact that Blizzard says they own my account. More and more of consumer rights are slipping away to scrolling down and clicking accept twice after each patch. I don't like the way this has extended itself into SC2. I should not need to login to battle.net for a single player mode. I beta-ed SC2 but won't buy it until this is changed (the SC2 part). EULAs you can't even see until you open what you bought and account banning without 3rd party arbitration are examples of the sad state things are coming to.
As for the concern that your bank info/CC info is at risk in the same way a Warcraft account is - I believe this is false. It's an almost no risk situation to hack a WoW account. It does violate computer tampering laws but that's about it. I have never heard of any real "bust" of WoW account hacking rings. But start messing with bank accounts and Credit Cards and you may find yourself in jail (in the US at least).
Saisen Dec 3rd 2010 6:33PM
@rob
what? you completely missed his point about not buying gold
LTR
and in all honesty if you need to buy gold it's time you stop playing mmos, blizzard showers players in gold, if you're too lazy to get it yourself you deserve to get hacked.
virwtkn Dec 3rd 2010 11:27AM
One of the security features I've found a lot of people overlook is the parental control. Even if your parents aren't limiting your play time you can use it to make sure your account is only playable when you want to play.
If you have a pretty set schedule to play it works really nice. You set it up and don't have to touch it again, plus no new passwords or stuff to remember. If you just play whenever you can, however, you'll have to go to a website and change your hours before you can log in.
One final word of caution: it logs you out without warning when your time frame is up, so make sure to add a little padding to the end of any ranges you set up.
Narayana Dec 3rd 2010 12:42PM
I used this feature when I got hacked right before the start of BC- it was very helpful. The key is to ensure that you never log into parental controls from the same PC that you use to log into the game.
It was a headache, but I had it set up so that my account was literally unplayable unless I was home and everything was great.
Of course, having an authenticator and installing No Script for Firefox has eliminated the need for this step.
SINisterWyvern Dec 3rd 2010 12:46PM
That does nothing. If they have your info they can just go change your parental settings and then log you in. 2 more minutes of work won't stop them.
Rabidlemming Dec 3rd 2010 1:40PM
You can set up the parental email as different than your login. And like it was mentioned, only login to that email from a different computer from where you play. You no longer enter a parental email and password; you put in the parental email, and an email gets sent with a link that you click on to access.
The only way they are getting into your parental controls is if they have enough information to correlate your account info to your parental email and if they have access to log into the parental email. Is it possible? Sure, anything is, but it's not as easy as you make it out to be.
Baba Dec 3rd 2010 11:22AM
If you ever receive an email from Blizzard warning of your account being under investigation or you being entered for a special mount contest or ANYTHING, DO NOT READ/BELIEVE THE EMAIL. Whatever it's titled, mark it as Phishing Scam and go to your Battle.net page, if something truly is up with your account it'll be visible there.
Mutak Dec 3rd 2010 11:53AM
And for dog's sake, don't use a link in the email in question to go to your account page! Bookmark it now and always only use that bookmark!
Julien Dec 3rd 2010 11:22AM
Moving to a PC is making me feel like I'll definitely need an authenticator now...
bob Dec 3rd 2010 11:38AM
I've always played on a Mac. I got an authenticator as soon as they were available. Everyone should have an authenticator, regardless of what system they have.
The authenticator is the first and best line of defense against having your account stolen. An authenticator provides a level of security that even my bank account can't reach.
There is no reason not to have an authenticator.
Get an authenticator!
Black08Mustang Dec 3rd 2010 11:59AM
As soon as they write one for WP7, I'm there.
Rob Dec 3rd 2010 1:59PM
I've always played on Macintosh.
I've always had an authenticator (since they went mobile for the iPhone).
I know multiple people who were hacked with a Macintosh. Why? Because nothing can protect you from doing something stupid.
They got a phishing email, clicked a link in the email, didn't pay attention, put in their credentials and they were toast.
Get an authenticator, but also realize that an authenticator cannot prevent you from doing something stupid. They hack authenticated accounts all of the time as well, just by asking for the authenticator while you're at their phishing site. Having a Macintosh won't help.
Cambro Dec 3rd 2010 4:22PM
Macs are not immune to malware, they're just not as likely to be targeted because the market share is very small and not worth the time spent developing a Mac keylogger AND a Windows keylogger, for example. But a keylogger or other malware written to run on a Mac is certainly possible.
It's also easier to write malware for Windows than Mac (for various reasons) and easier to infect Windows. Macs require you to enter your computer password before installing an application (you're foolish if you didn't set up a password), Windows does not....maybe? I haven't played with Vista or 7, but up through XP you never have to enter a password, meaning an installer can run without your knowledge or consent.
Do not take all that to mean that you're safe if you're on a Mac. You're just not an obvious target. The market share for Mac is growing and the day is coming. The day may even be here. Flash is written once and runs on both computers without a rewrite, which means it's a step easier to trick you into entering personal data (or finding a loophole that allows them access to your hard drive).
It's best to practice common sense and cautious behavior now BEFORE you get hacked rather than afterward. You don't wait to put a dead bolt on your house until after someone breaks in, do you?
Xano Dec 5th 2010 12:15PM
It's a bit ignorant to think that Mac stops you from getting a key logger. Here is a quick Google search that shows just how easy it is to obtain a Mac virus, which you can then distribute however you please. Go to google, type "Mac keylogger". Done.
What makes me laugh is that those of us on Linux don't ever think we are 100% secure, and neither do those of us on Windows....it's always the Mac users that unreasonably feel 100% secure.
Every system in the world is hackable, it's just a matter of who wants it and how much time they have.
Cyclolink Dec 3rd 2010 11:24AM
I have noticed a new security feature that Blizzard has silently put into place as well. Lately I have been traveling for work, and without fail when I attempt to log into WoW on the road, I get a notification that something has changed with how I am attempting to log in. I then have to change my password and authenticate my account through email. It is kind of a pain, but nice to know that there are additional security features in place.