  • GrapeNewport
  • Member Since Mar 18th, 2010



Recent Comments:

Win more maintenance day loot {WoW}

Mar 23rd 2010 2:15PM Oh why not.

Man in the middle attacks circumventing authenticators {WoW}

Mar 18th 2010 5:22PM gotemike said: "that won't work. I and a lot of people I know play at LAN centers. how would that work, when you could be playing on 1 of the over 30 computers. you could have it so you need to enter the code 3 times but that would not stop an attack like this as all 3 codes would be sent as the user types them in."

Competitive gaming leagues require(d) Authorized LAN centers to register the unique identifiers of their gaming accounts (steamid/wonid/PB ID), to prevent ringers from playing in place of registered players. I ran a CAL Approved LAN Center in Jacksonville, Florida, and provided the Steam IDs for all machines so the league players could play their matches from my venue.

A similar thing could be done with MAC addresses for authorization purposes. These MAC addresses would be set up in the system as "wildcard," not being bound to a specific account.

The real question is how to acquire this information, restrict access based on this policy, as well as allow users to update their information quickly, securely, and relatively hassle-free.

One solution could be:

Use the Blizzard autoupdater to pull "non-personal system data," similar to when a program sends an error report. Using any combination of this unique hardware information, a system ID is generated and added to a list of allowed IDs on your account.

Once a new ID is generated, it must be confirmed via an off-network system such as a low-TTL confirmation email or text message sent to the user's account email or mobile device. Having a low TTL (or "time to live") would prevent excessive database use for unused SystemIDs, as well as providing the user an opportunity to confirm the action of adding this SystemID to his list of authorized Systems.

This would not prevent 100% of account hijacks, as users using non-unique passwords across WOW and their Account email will still be open to the same type of attacks we are currently seeing.

(Protip: If you use the same email address/password for your wow account as other low security systems, these systems become wide open if your wow account is compromised.)
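
The scheme proposed in the comment above, as an added sketch that is not part of the original comment or any Blizzard code: a system ID hashed from hardware attributes, a per-account allowlist, "wildcard" venue IDs, and a single-use confirmation token with a short TTL. The names `DeviceRegistry`, `system_id` and `CONFIRM_TTL`, the 15-minute value and the sample hardware fields are assumptions.

```python
import hashlib
import secrets
import time

CONFIRM_TTL = 900  # seconds; assumed value, the comment only says "low TTL"

def system_id(hw):
    """Hash hardware attributes into a stable ID, independent of key order."""
    canon = "\n".join(f"{k}={hw[k]}" for k in sorted(hw))
    return hashlib.sha256(canon.encode()).hexdigest()

def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

class DeviceRegistry:
    def __init__(self, now=time.time):
        self.now = now
        self.allowed = {}       # account -> confirmed system IDs
        self.wildcards = set()  # venue IDs (LAN centers), not bound to an account
        self.pending = {}       # token digest -> (account, system ID, expiry)

    def request_enrollment(self, account, sid):
        """Record a pending ID; the returned token goes out by email or SMS."""
        token = secrets.token_urlsafe(16)
        self.pending[_digest(token)] = (account, sid, self.now() + CONFIRM_TTL)
        return token

    def confirm(self, account, token):
        """Promote a pending ID. Tokens are single use and fail closed."""
        entry = self.pending.pop(_digest(token), None)
        if entry is None:
            return False
        owner, sid, expires = entry
        if owner != account or self.now() > expires:
            return False
        self.allowed.setdefault(account, set()).add(sid)
        return True

    def purge_expired(self):
        """Drop unconfirmed IDs past their TTL; returns how many were removed."""
        stale = [k for k, v in self.pending.items() if self.now() > v[2]]
        for k in stale:
            del self.pending[k]
        return len(stale)

    def is_authorized(self, account, sid):
        return sid in self.wildcards or sid in self.allowed.get(account, set())
```

Only the token digest is stored, so a read of the pending table does not yield usable confirmation tokens.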