
Blizzard Introduces One-Time Password Devices For WoW

An anonymous reader writes "Two days ago Blizzard announced that they will be selling keychain tokens to add one-time password support (FAQ) to World of Warcraft. Have compromised World of Warcraft accounts become such a serious problem, that OTPs are already necessary for games?"
  • Have compromised World of Warcraft accounts become such a serious problem, that OTPs are already necessary for games?


    Probably more like Blizzard has decided that people paranoid about having their accounts compromised have become such a serious market segment that it can eke out a few more pennies selling these dongles for 6 euros a pop.

    If it was a huge problem, Blizzard would begin requiring them. The fact that they're optional means they're probably just a new way to sap a few more bucks from players who have invested so much of their time and being into this game that six euros seems a very reasonable security blanket.

  • by rewben ( 202225 ) on Sunday June 29, 2008 @06:09AM (#23988839) Homepage

    It's not the system that has a flaw, it's the stupidity of people for giving away their usernames/passwords for powerlvling etc.

  • Security Theatre (Score:1, Insightful)

    by Anonymous Coward on Sunday June 29, 2008 @06:10AM (#23988855)
    This just seems like another money grab by another corporation. In the four years I've had my WoW account I have not had a single problem with a breach in security. I am definitely not security unconscious though, although I do find it hard to imagine that people have problems at all. Users just prove time and again that most people are stupid or ignorant or a mix of the two. Of course corporations want to cash in on that, and who can blame them. "Let's sell them something that they don't really need, but we'll tell them that they really do need it!" Like shooting fish in the barrel.
  • by plasmacutter ( 901737 ) on Sunday June 29, 2008 @06:14AM (#23988865)

    The incidents of hacking on my realm indicate the hacking is happening to their servers, and they, being blizzard, refuse to admit they're at fault.

    (The same way every couple months their patches or maintenance cause massive lag spikes and random disconnects, and they blame the routers because blizzard is apparently too special to conform to tcp-ip standards)

    Maybe when enough people with this authenticator get screwed, they'll actually be forced to admit and fix it.

  • by Tirhakah ( 1223100 ) on Sunday June 29, 2008 @06:14AM (#23988867)
    I'm not security unconscious either, but my account was compromised. When you have no control over what other uses the computer you play on is put, that's when you run into problems.
  • by Morlark ( 814687 ) on Sunday June 29, 2008 @06:16AM (#23988875) Homepage

    "Eke out a few more pennies"? These things cost way more than $6 to make, and that's not even counting the cost of the training all their customer support staff will need. Players whose accounts have been compromised do cost Blizzard a lot in terms of support, and Blizzard are introducing these things under cost in an attempt to lower their expenditures elsewhere.

  • by mwilli ( 725214 ) on Sunday June 29, 2008 @06:20AM (#23988893)
    Blizzard is in a unique position. Due to the success of WoW, they are probably the top company for online gameplay at the moment. Because of this, it gives them the opportunity to be the industry leader in new technologies to protect the integrity of the online gameplay, which they have always marketed as being a great concern of theirs.
  • by Null Nihils ( 965047 ) on Sunday June 29, 2008 @06:22AM (#23988901) Journal

    Why can I get this feature for a MMORPG account, but not from my bank, or any other banks I know of?

    I value my real money far more than imaginary swords, shields and armor that exist as bits in an entertainment company's database.

    Maybe some people's priorities are different...

  • by ZorbaTHut ( 126196 ) on Sunday June 29, 2008 @06:24AM (#23988913) Homepage

    A cancelled account of mine got hacked somehow, and I only discovered it months later when I went to reactivate it. Blizzard basically said "sucks to be you, we won't do anything". My first level 60 character is gone forever, which makes me kind of sad.

    Blizzard will, apparently, not fix all problems.

  • by pipatron ( 966506 ) <pipatron@gmail.com> on Sunday June 29, 2008 @06:35AM (#23988957) Homepage

    I'm not security unconscious either [...] no control over what other uses the computer you play on is put

    One might argue that a security-conscious person would not let any random people share his computer, unless it had a very safe multi-user system.

  • Cheap (Score:4, Insightful)

    by Anonymous Coward on Sunday June 29, 2008 @06:36AM (#23988959)

    6 euro protecting 1000s of hours of time spent, it's a no brainer.

  • Re:It's both (Score:4, Insightful)

    by Opportunist ( 166417 ) on Sunday June 29, 2008 @06:40AM (#23988981)

    That's actually not exaggerated. The average phishing server yields a quite interesting harvest of various passwords for various online games.

    It would already kill a lot of those "opportunities" for phishers if online game makers required different PWs for account and board. But apparently selling one time pads is more profitable.

  • by Vapula ( 14703 ) on Sunday June 29, 2008 @07:05AM (#23989113)

    Phase 1 : OTP is a plus that you may buy
    Phase 2 : A free OTP token with each WoLK extension sold
    Phase 3 : A collector edition with WoW+BC+WoLK+token
    Phase 4 : Mandatory token for all accounts

    That way, they cut the grass under the feet of the Chinese farmers who sell ready to play accounts and to the reselling of accounts on E-Bay and such...

  • by jamesh ( 87723 ) on Sunday June 29, 2008 @07:06AM (#23989115)

    Yes, maybe if you handcraft them in Norway from reindeer horns and freshly clubbed seal, but in the rest of the world you can buy a USB memory for less than this.


    Silliness aside, I think the person you responded to probably meant Blizzard's purchase price. For each device you build you have to compute and program the private key, then you have to record this key on a CD or in some other form to deliver to the customer (Blizzard in this case, not the end user), and additionally Blizzard then have to license the software to run it all and set it all up. It's possible Blizzard may have been able to negotiate a decent price for the token, but I think they would be selling them at a loss on the assumption that at a loss of (say) $20 per token, they'll save that much in sorting out the mess that becomes of 'stolen' accounts.
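
The per-device provisioning described in the comment above (a secret programmed into each token, with a copy delivered to the operator) can be sketched as follows. This is an added example, not part of the thread and not Blizzard's or the token vendor's code; it assumes the token is counter-based HOTP (RFC 4226), which the page does not state, and `TokenServer`, the serial `SN-0001` and the look-ahead window are hypothetical.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class TokenServer:
    """Hypothetical operator-side store: token serial -> [seed, next counter]."""

    def __init__(self, look_ahead: int = 3):
        self.records = {}
        self.look_ahead = look_ahead  # tolerated unused button presses

    def provision(self, serial: str, seed: bytes = None) -> bytes:
        # The vendor generates one random seed per device, programs it into
        # the token, and ships the same seed to the operator.
        seed = seed or secrets.token_bytes(20)
        self.records[serial] = [seed, 0]
        return seed

    def verify(self, serial: str, code: str) -> bool:
        record = self.records.get(serial)
        if record is None:
            return False
        seed, counter = record
        for candidate in range(counter, counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(seed, candidate), code):
                record[1] = candidate + 1  # burn this and all earlier codes
                return True
        return False


if __name__ == "__main__":
    server = TokenServer()
    # Constructed sample: the RFC 4226 test seed, not a real device secret.
    server.provision("SN-0001", b"12345678901234567890")
    print(server.verify("SN-0001", hotp(b"12345678901234567890", 0)))  # first use
    print(server.verify("SN-0001", hotp(b"12345678901234567890", 0)))  # replay
```

Because the server advances its counter past every accepted code, a keylogged code is useless once the legitimate login has consumed it.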

  • by maxume ( 22995 ) on Sunday June 29, 2008 @07:10AM (#23989133)

    The trick is that companies C, D, E, F, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y and Z also all value the dollars that exist as bits in company A's DB.

  • by Anonymous Coward on Sunday June 29, 2008 @07:18AM (#23989163)

    Entropia Universe already provides a "smart card" + reader for OTP authentication.

    It used to be you needed to pay about 15 USD for it, but as of about 4 months ago, they are giving it free to anyone who has spent about 500 USD minimum in the game.

    Everyone else can still pay the small amount to get the device.

  • by Anonymous Coward on Sunday June 29, 2008 @07:33AM (#23989229)

    Quite the opposite, I'd think... an account is tied to a physical token this way. You actually make it easier to sell accounts. All that is being increased are postage costs. The whole process is safer for buyer and seller too...

  • Re:Also (Score:5, Insightful)

    by jamesh ( 87723 ) on Sunday June 29, 2008 @07:41AM (#23989269)

    And there's no evil in Blizzard charging two cups of coffee for an extra layer of protection. I'm sure they've spent oodles and oodles of cash in the past dealing with these issues, so there's nothing wrong with recouping past costs and helping to avoid a portion of future expenditures.


    I don't even think they are trying to recoup costs, it's just a token amount so that every single user doesn't click the 'give me a free token' button. People love getting free stuff, even if they don't need it (or is it just my wife that does that? Hi wife, if you are reading this :)

  • by The Snowman ( 116231 ) * on Sunday June 29, 2008 @08:59AM (#23989587)

    Unless Blizzard has changed policies, they will refund your items, they will not refund your gold.

    Technically they are not obligated to restore anything, neither legally nor by their own policies. They often do because it is good customer service and keeps the addicts feeding at the trough, which helps their bottom line in the long run. While they have by far the largest market segment in the MMO genre they know the reasons why that is the case and what will hurt that. Not helping customers is shooting themselves in the foot. I know several people who were shit out of luck after being hacked, while most did receive an account restoration. Often they received some, but not all, of their gold back. One guy had unrestricted access to our guild bank, and Blizzard restored the items in the bank the gold farmer took, too. They actually restored duplicates of some of the items, and let us keep the duplicates. That was really cool of them.

    And even so, it can take Blizzard several weeks to find time to sort you out. A tiny one-time cost of 6 euros is extremely cheap investment. Most make that much while taking a crap at work. Small price to pay to protect hundreds and hundreds of hours worth of in-game effort.

    Yeah, $6 is not a lot of money. With current gas prices this dongle costs 75% of my daily round-trip to work, or just about the same amount as lunch does if I buy a $5 sub at Subway with a drink. Given this is a one-time expense, it is trivial in the grand scheme of things.

    One might argue that with the amount of cash Blizzard makes off of WoW, they should just hire a small country to be able to fix hacked accounts in hours instead of weeks. But, honestly... It's optional. It's 6 euros. My computer is nearly a fortress compared to the average WoW player's security, and I'm still considering getting one of those things.

    Maybe the dongle costs more than $6 to manufacture, key inject, support on the back-end (authentication systems need some retooling). Maybe it costs less. However, the big picture here is that there are other hidden costs to Blizzard the scope of which we can only speculate. Regardless, it will probably mitigate some of the costs of investigating account issues, the headaches involved, etc. allowing their employees to focus their efforts on more pressing issues such as the gold spammers that stand between the bank and auction house in places like Ironforge or Orgrimmar and constantly peddle their wares (stolen video game gold).

    I am considering this product as well. I used to play the game constantly because of marital problems. I needed a place to hide from my wife that did not involve huge bar tabs. So I played WoW. A lot. I have multiple 70s, thousands of gold, epics, blah blah blah. Now that I am divorced I play a fraction of the time. However, whether I keep playing (even if a small amount of time) or cancel my subscription, the thought of someone gaining access and destroying all that hard work would hurt. I spent a lot of time building up the account, made a lot of friends (some of my guild mates live close and we have actually socialized in real life), and anyone hurting those social connections or anything else would really piss me off. I think $6 may be worth it to mitigate that risk.

  • by vertinox ( 846076 ) on Sunday June 29, 2008 @09:07AM (#23989631)

    My best theory on how it happened is that I used the same account and password on lots of web forums, many of which have terrible security.

    There is your problem.

    I know we are all lazy when it comes to passwords, but you really need to keep different passwords for different things. It doesn't mean you have to keep completely different passwords for every forum, so my personal rule is to have levels on how much I care about it being breached.

    Level 1: Random forums I don't trust or places I don't care if hacked.
    Level 2: Places I frequent that I trust and have a reputation, but it's not going to kill me if my account is breached.
    Level 3: Stuff I pay money for. Like Online Games, Steam, utility bills, and cell phone plans.
    Level 4: Money. Banks. Credit cards. And/or anything that is serious business. This also includes email accounts attached to them which I keep completely separate passwords between accounts since it would be dumb to have the same password for your bank as your email. Also I tend to keep different passwords between financial institutions because I don't trust competency of employees and their laptops.

    The goal is to never use the same password between the levels so if one is breached the others are not.

    So if it is that important to you, then don't use the same passwords on untrusted sites or forums that use unpatched vBulletin or PHPbb. I mean... I don't even trust Slashdot.

    And it never hurts to be paranoid and change your passwords every 6 months or if you just suspect something. It's not going to cost you anything other than mental exercise if you're wrong, but it saves you a whole lot of grief if you are right.

  • by Akaihiryuu ( 786040 ) on Sunday June 29, 2008 @10:35AM (#23990195)
    Wrong. The WOW servers have never once been compromised. It's not WOW that's being compromised, it's the *player's computers* that are getting trojan'd/keylogged. And the "lag spikes" and "random disconnects" are usually happening to people with wireless-N, which is *not a standard*...it's basically beta and has a ton of problems. And blaming Blizzard for WOW "causing" people's routers to reset? I don't care what kind of data you're sending out, if it causes your modem or router to reset, then the problem is in the device, not the game.
  • by cduffy ( 652 ) <charles+slashdot@dyfis.net> on Sunday June 29, 2008 @10:36AM (#23990203)

    I googled around earlier to try to determine whether these are VeriSign VIP [verisign.com] devices. If so, that'd be great -- they'd interoperate with PayPal and eBay and VeriSign's OpenID provider [verisignlabs.com] and anyone else who either supports OpenID or signs up for VeriSign's program.

    Making tech-happy people carry around more than one OTP device would be a real shame, so I'll be disappointed if more word on these comes out and it turns out that they don't interoperate.

  • Account is tied permanently to region(IP) and cannot be logged in from any other region.

    People who travel internationally with a notebook computer will likely vote with their dollars/euros against such a measure.

  • by Blakey Rat ( 99501 ) on Sunday June 29, 2008 @04:17PM (#23993041)

    Security is a failure if it doesn't take human behavior into effect. The simple fact is that the password system is broken, fundamentally, because *everybody* shares passwords between different services, simply because they don't have the memory for anything else. (And I know, any second now the Slashdot wag who actually does use a different password will chime in.)

    Unless the system works for the random man-on-the-street without requiring months of training, or a nasty failure before they learn, it's a failure.

  • by Anonymous Coward on Sunday June 29, 2008 @06:03PM (#23993757)

    Um, let's see. More likely: uneducated users using weak passwords that are easily guessed, the same password on shady or weakly secured forums, buying gold (signing up on the gold buying site to bid and GIVING THEM THEIR CREDIT CARD INFO all probably with the same password and login), buying power leveling (GIVING THEM THEIR PASSWORD AND ACCOUNT INFO), download cracks and cheat programs because they suck at the game which happen to have trojan horses, don't patch their machines, don't run virus or anti-spyware software, and finally share their password and account info to friends who also practice all of the above.

    OR

    a systemic break in to blizzard's servers that affects some but not all of their customers? If blizzard's servers were really hacked, and blizzard knows about it (as you directly imply), why wouldn't the hackers just break in to EVERYONE's account?

    Damn, you're right, clearly it's blizzard hiding the fact that their security is totally non-existent!

  • Re:Uhm... (Score:1, Insightful)

    by Anonymous Coward on Monday June 30, 2008 @02:20AM (#23997085)

    I see, so you don't sell the drugs, you just sell the glass pipes, vaporizers, freebase kits, and syringes.
