Blizzard Introduces One-Time Password Devices For WoW
An anonymous reader writes "Two days ago Blizzard announced that they will be selling keychain tokens to add one-time password support (FAQ) to World of Warcraft. Have compromised World of Warcraft accounts become such a serious problem that OTPs are already necessary for games?"
Not a problem... an opportunity (Score:5, Insightful)
Probably more like Blizzard has decided that people paranoid about having their accounts compromised have become such a serious market segment that it can eke out a few more pennies selling these dongles for 6 euros a pop.
If it was a huge problem, Blizzard would begin requiring them. The fact that they're optional means they're probably just a new way to sap a few more bucks from players who have invested so much of their time and being into this game that six euros seems a very reasonable security blanket.
can't beat stupidity (Score:5, Insightful)
It's not the system that has a flaw, it's the stupidity of people for giving away their usernames/passwords for powerlvling etc.
Security Theatre (Score:1, Insightful)
Re:can't beat stupidity (Score:1, Insightful)
The incidents of hacking on my realm indicate the hacking is happening to their servers, and they, being Blizzard, refuse to admit they're at fault.
(The same way every couple months their patches or maintenance cause massive lag spikes and random disconnects, and they blame the routers because Blizzard is apparently too special to conform to TCP/IP standards)
Maybe when enough people with this authenticator get screwed, they'll actually be forced to admit and fix it.
Re:Security Theatre (Score:2, Insightful)
Re:Not a problem... an opportunity (Score:2, Insightful)
"Eke out a few more pennies"? These things cost way more than $6 to make, and that's not even counting the cost of the training all their customer support staff will need. Players whose accounts have been compromised do cost Blizzard a lot in terms of support, and Blizzard are introducing these things under cost in an attempt to lower their expenditures elsewhere.
Re:Not a problem... an opportunity (Score:2, Insightful)
The first thing that comes to my mind is... (Score:5, Insightful)
Why can I get this feature for a MMORPG account, but not from my bank, or any other banks I know of?
I value my real money far more than imaginary swords, shields and armor that exist as bits in an entertainment company's database.
Maybe some people's priorities are different...
Re:Not a problem... an opportunity (Score:5, Insightful)
A cancelled account of mine got hacked somehow, and I only discovered it months later when I went to reactivate it. Blizzard basically said "sucks to be you, we won't do anything". My first level 60 character is gone forever, which makes me kind of sad.
Blizzard will, apparently, not fix all problems.
Re:Security Theatre (Score:4, Insightful)
I'm not security unconscious either [...] no control over what other uses the computer you play on is put
One might argue that a security-conscious person would not let any random people share his computer, unless it had a very safe multi-user system.
Cheap (Score:4, Insightful)
6 euro protecting 1000s of hours of time spent, it's a no-brainer.
Re:It's both (Score:4, Insightful)
That's actually not exaggerated. The average phishing server yields a quite interesting harvest of various passwords for various online games.
It would already kill a lot of those "opportunities" for phishers if online game makers required different PWs for account and board. But apparently selling one time pads is more profitable.
Long Term evolution... (Score:5, Insightful)
Phase 1 : OTP is a plus that you may buy
Phase 2 : A free OTP token with each WoLK extension sold
Phase 3 : A collector edition with WoW+BC+WoLK+token
Phase 4 : Mandatory token for all accounts
That way, they cut the grass under the feet of the Chinese farmers who sell ready to play accounts and to the reselling of accounts on eBay and such...
Re:Not a problem... an opportunity (Score:3, Insightful)
Silliness aside, I think the person you responded to probably meant Blizzard's purchase price. For each device you build you have to compute and program the private key, then you have to record this key on a CD or in some other form to deliver to the customer (Blizzard in this case, not the end user), and additionally Blizzard then have to license the software to run it all and set it all up. It's possible Blizzard may have been able to negotiate a decent price for the token, but I think they would be selling them at a loss on the assumption that at a loss of (say) $20 per token, they'll save that much in sorting out the mess that becomes of 'stolen' accounts.
Re:The first thing that comes to my mind is... (Score:4, Insightful)
The trick is that companies C, D, E, F, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y and Z also all value the dollars that exists as bits in company A's DB.
Entropia Universe already does this for a long time (Score:1, Insightful)
Entropia Universe already provides a "smart card" + reader for OTP authentication.
It used to be you needed to pay about 15 USD for it, but as of about 4 months ago, they are giving it free to anyone who has spent about 500 USD minimum in the game.
Everyone else can still pay the small amount to get the device.
Re:Long Term evolution... (Score:1, Insightful)
Quite the opposite, I'd think... an account is tied to a physical token this way. You actually make it easier to sell accounts. All that is being increased are postage costs. The whole process is safer for buyer and seller too...
Re:Also (Score:5, Insightful)
I don't even think they are trying to recoup costs, it's just a token amount so that every single user doesn't click the 'give me a free token' button. People love getting free stuff, even if they don't need it (or is it just my wife that does that? Hi wife, if you are reading this
Re:Not a problem... an opportunity (Score:3, Insightful)
Technically they are not obligated to restore anything, neither legally nor by their own policies. They often do because it is good customer service and keeps the addicts feeding at the trough, which helps their bottom line in the long run. While they have by far the largest market segment in the MMO genre they know the reasons why that is the case and what will hurt that. Not helping customers is shooting themselves in the foot. I know several people who were shit out of luck after being hacked, while most did receive an account restoration. Often they received some, but not all, of their gold back. One guy had unrestricted access to our guild bank, and Blizzard restored the items in the bank the gold farmer took, too. They actually restored duplicates of some of the items, and let us keep the duplicates. That was really cool of them.
Yeah, $6 is not a lot of money. With current gas prices this dongle costs 75% of my daily round-trip to work, or just about the same amount as lunch does if I buy a $5 sub at Subway with a drink. Given this is a one-time expense, it is trivial in the grand scheme of things.
Maybe the dongle costs more than $6 to manufacture, key inject, support on the back-end (authentication systems need some retooling). Maybe it costs less. However, the big picture here is that there are other hidden costs to Blizzard the scope of which we can only speculate. Regardless, it will probably mitigate some of the costs of investigating account issues, the headaches involved, etc. allowing their employees to focus their efforts on more pressing issues such as the gold spammers that stand between the bank and auction house in places like Ironforge or Orgrimmar and constantly peddle their wares (stolen video game gold).
I am considering this product as well. I used to play the game constantly because of marital problems. I needed a place to hide from my wife that did not involve huge bar tabs. So I played WoW. A lot. I have multiple 70s, thousands of gold, epics, blah blah blah. Now that I am divorced I play a fraction of the time. However, whether I keep playing (even if a small amount of time) or cancel my subscription, the thought of someone gaining access and destroying all that hard work would hurt. I spent a lot of time building up the account, made a lot of friends (some of my guild mates live close and we have actually socialized in real life), and anyone hurting those social connections or anything else would really piss me off. I think $6 may be worth it to mitigate that risk.
Re:Not a problem... an opportunity (Score:5, Insightful)
My best theory on how it happened is that I used the same account and password on lots of web forums, many of which have terrible security.
There is your problem.
I know we are all lazy when it comes to passwords, but you really need to keep different passwords for different things. It doesn't mean you have to keep completely different passwords for every forum, so my personal rule is to have levels on how much I care about it being breached.
Level 1: Random forums I don't trust or places I don't care if hacked.
Level 2: Places I frequent that I trust and have a reputation, but it's not going to kill me if my account is breached.
Level 3: Stuff I pay money for. Like Online Games, Steam, utility bills, and cell phone plans.
Level 4: Money. Banks. Credit cards. And/or anything that is serious business. This also includes email accounts attached to them which I keep completely separate passwords between accounts since it would be dumb to have the same password for your bank as your email. Also I tend to keep different passwords between financial institutions because I don't trust competency of employees and their laptops.
The goal is to never use the same password between the levels so if one is breached the others are not.
So if it is that important to you, then don't use the same passwords on untrusted sites or forums that use unpatched vBulletin or phpBB. I mean... I don't even trust Slashdot.
And it never hurts to be paranoid and change your passwords every 6 months or if you just suspect something. It's not going to cost you anything other than mental exercise if you're wrong, but it saves you a whole lot of grief if you are right.
Re:can't beat stupidity (Score:5, Insightful)
...but what *are* they? (Score:2, Insightful)
I googled around earlier to try to determine whether these are VeriSign VIP [verisign.com] devices. If so, that'd be great -- they'd interoperate with PayPal and eBay and VeriSign's OpenID provider [verisignlabs.com] and anyone else who either supports OpenID or signs up for VeriSign's program.
Making tech-happy people carry around more than one OTP device would be a real shame, so I'll be disappointed if more word on these comes out and it turns out that they don't interoperate.
WoW region coding == no WoW for the jet set (Score:2, Insightful)
Account is tied permanently to region (IP) and cannot be logged in from any other region.
People who travel internationally with a notebook computer will likely vote with their dollars/euros against such a measure.
Re:Not a problem... an opportunity (Score:3, Insightful)
Security is a failure if it doesn't take human behavior into effect. The simple fact is that the password system is broken, fundamentally, because *everybody* shares passwords between different services, simply because they don't have the memory for anything else. (And I know, any second now the Slashdot wag who actually does use a different password will chime in.)
Unless the system works for the random man-on-the-street without requiring months of training, or a nasty failure before they learn, it's a failure.
Re:can't beat stupidity (Score:1, Insightful)
Um, let's see. More likely: uneducated users using weak passwords that are easily guessed, the same password on shady or weakly secured forums, buying gold (signing up on the gold buying site to bid and GIVING THEM THEIR CREDIT CARD INFO, all probably with the same password and login), buying power leveling (GIVING THEM THEIR PASSWORD AND ACCOUNT INFO), download cracks and cheat programs because they suck at the game which happen to have trojan horses, don't patch their machines, don't run virus or anti-spyware software, and finally share their password and account info to friends who also practice all of the above.
OR
a systemic break-in to Blizzard's servers that affects some but not all of their customers? If Blizzard's servers were really hacked, and Blizzard knows about it (as you directly imply), why wouldn't the hackers just break in to EVERYONE's account?
Damn, you're right, clearly it's Blizzard hiding the fact that their security is totally non-existent!
Re:Uhm... (Score:1, Insightful)
I see, so you don't sell the drugs, you just sell the glass pipes, vaporizers, freebase kits, and syringes.