Blizzard Introduces One-Time Password Devices For WoW 271
An anonymous reader writes "Two days ago Blizzard announced that they will be selling keychain tokens to add one-time password support (FAQ) to World of Warcraft. Have compromised World of Warcraft accounts become such a serious problem, that OTPs are already neccesary for games?"
Re:The first thing that comes to my mind is... (Score:2, Interesting)
You mean that you value dollars that exist as bits in company A's DB, more than gold coins that exist as bits in company B's DB, don't you?
Re:can't beat stupidity (Score:1, Interesting)
There have been several trojans designed to snag WoW usernames and passwords since WoW began, feel free to Google. Of course in many cases a dose of stupidity or more like just ignorance is required, such as running your browser so it can "properly" render websites such as WoW's homepage or even Slashdot now that it's had the abrasive AJAX added. Not everyone is a user of Firefox with noscript and with the requirements on so many "necessary" websites to allow Javascript and Flash even those that do find at least temporarily enabling some websites necessary, but no website can be guaranteed safe to do this on. Of course the odds would make you a bit safer if you dipped your Wow in WINE before consuming and kept your browsing restricted to *nix.
Other Authentication (Score:4, Interesting)
I was listening to The Instance, which is a WoW podcast and one of their topics concerned Taiwanese WoW players. They had the option to sign up for a different type of secondary authentication which required them to register 3 different phone numbers. You couldn't completely log in unless Blizzard received a call from one of said phone numbers.
Considering the amount of time people have devoted into these accounts, I don't see this being that big of a deal. As a player, I'm not too sure I'd get one, as I try to avoid random websites, certain browsers and suspiscious addons. The current belief now, however, is that people cracking into wow accounts are using more brute force methods instead of trojan/spyware etc etc (but it's not like those have completely disappeared.)
There's nothing wrong with a little extra security, especially when you've played for 3 years.
Re:Cheap (Score:2, Interesting)
A While ago I read an article that a compromised WoW account is worth more on the market then a stolen cc number. Thus WoW accounts make a excellent target for trojans and keyloggers.
Even if you're a casual player you most likely have invested 100's of hours in your character/account.
The treat of losing this because you have a stupid 8 year old nephew or you just weren't' paying attention with a download is very real. So 6 bucks for some extra protection is well spent money imo
Re:The first thing that comes to my mind is... (Score:1, Interesting)
A fully levelled character in WoW can easily fetch $4000 or more. Whether you like it or not..
Also (Score:5, Interesting)
I can imagine that the problem of hacked accounts is *huge* and primarily a problem on the user's end. I'd wager a guess that Blizzard's largest demographic sometimes also engages in P2P/Warez in conjunction with poor security habits. Trojan-laden warez, account sharing, piss-poor passwords and wide-open PC's; users leave themselves wide open to getting their virtual goodies ransacked and run off with.
I played WoW for 4 months a few years ago and was surprised at the number of trojans packed in the executable installers of some popular UI mods.It wasn't a very clever(but it was effective)way of farming usernames and passwords. Considering the global reach and sheer numbers of people playing WoW, and the virtual goods for real life cash trade, I wouldn't be surprised to learn about WoW-specific trojans running around in the wild. Some people make it easy for the bad guys; using the same login details on WoW related forums as their actual wow account, to purchasing gold and other items from shady websites (good way of farming cc numbers, shady websites also use cc info to pay for their own account time, leading to charge backs and other hassles)to just flat out sharing their details willy-nilly with anyone half trusting.
And there's no evil in Blizzard charging two cups of coffee for an extra layer of protection. I'm sure they've spent oodles and oodles of cash in the past dealing with these issues, so there's nothing wrong with recouping past costs and helping to avoid a portion of future expenditures.
I would appreciate separate user names and passwords for account management and character login, too.
Re:It's both (Score:4, Interesting)
So err, how do you go about getting into your account and disabling the feature if the thing is broken?
Re:The first thing that comes to my mind is... (Score:3, Interesting)
I'm using a similar device, seeded (I assume) by my combined Credit/ATM card (issued by my bank) for online banking. I got the device this year "free of charge". Before this, I used scratch cards with one time codes, and I believe that mine was the last major bank in the country to switch from that system.
I live in Sweden.
NL here... cards / codes / cellphone (Score:3, Interesting)
I'll state up front that I absolutely -hate- the "something you have" part of security when that 'something you have' ends up being a fat card reader that won't fit anywhere convenient, not even in your notebook carrying bag, and you can't just use anywhere as it has to be plugged into a USB port which is not always available/accessible, and/or is prone to mechanical failure (e.g. the non-USB 'calculator' type which might fit in a pocket but if something bangs into your bag, the thing is dead.)
So anyway.. in NL we have both of the above types from some banks.
Then there's the Postbank (largest bank, used to be gov't run, along with postal services, etc.), which works with codes.
Their website requires you to log in via SSL, username/password and then - when making a transaction - provides you with a code. You look that code up in a list and return another code that's associated with that code. The code they choose is random, the code you send back has no correlation to the input code other than what's on their end, done.
Prone to phishing? Perhaps, although all attempts so far have failed miserably. But just in case, they added an additional service - you can enter your cell phone number in your profile and have the code you should be sending back sent to you via text message, along with the amount of money involved in the transaction, etc.
I don't know the exact technical details of how the latter works - I'm sticking to just a list and due diligence when banking as I'd hate to have to rely on my phone working / having signal / not being out of credits (when abroad - besides, I usually get a pay-as-you-go card when I am, as it's cheaper to make and receive calls then) / etc. when I -have- to make some payment.
Re:Not a problem... an opportunity (Score:3, Interesting)
From the years playing MMOs the majority of hacks on accounts relate to the following.
- A ex-SO or friend upset with you.
- Sharing your password with your clan.
- Overly obvious passwords.
After that the two common ones are.
- Installing third party programs.
- Clan phishing.
Clan phishing by works be joining a clan, getting friendly with them then posting a joke/quiz where the people answer with questions like "Mothers last maiden name, "Date of birth", etc. They use that to hack mail accounts.
Re:Not a problem... an opportunity (Score:3, Interesting)
http://passwordsafe.sourceforge.net/ [sourceforge.net]
It can autogenerate relatively strong passwords for you, and has an "autotype" feature where you can just press Ctrl+T on any login screen and it'll automatically log you in (assuming it follows the usual format of: username <tab> password <enter>).
Easier solution (Score:2, Interesting)