
Blizzard Introduces One-Time Password Devices For WoW

An anonymous reader writes "Two days ago Blizzard announced that they will be selling keychain tokens to add one-time password support (FAQ) to World of Warcraft. Have compromised World of Warcraft accounts become such a serious problem, that OTPs are already necessary for games?"
  • by gbulmash ( 688770 ) * <semi_famousNO@SPAMyahoo.com> on Sunday June 29, 2008 @04:58AM (#23988799) Homepage Journal

    Have compromised World of Warcraft accounts become such a serious problem, that OTPs are already necessary for games?


    Probably more like Blizzard has decided that people paranoid about having their accounts compromised have become such a serious market segment that it can eke out a few more pennies selling these dongles for 6 euros a pop.

    If it was a huge problem, Blizzard would begin requiring them. The fact that they're optional means they're probably just a new way to sap a few more bucks from players who have invested so much of their time and being into this game that six euros seems a very reasonable security blanket.

    • It's both (Score:5, Informative)

      by dreamchaser ( 49529 ) on Sunday June 29, 2008 @05:09AM (#23988837) Homepage Journal

      It's both. Password stealing via phishing and other means has hit quite a few MMOs. It boils down to dumb users mainly, and Blizzard surely sees a profit opportunity in their stupidity.

      • Re:It's both (Score:4, Insightful)

        by Opportunist ( 166417 ) on Sunday June 29, 2008 @05:40AM (#23988981)

        That's actually not exaggerated. The average phishing server yields a quite interesting harvest of various passwords for various online games.

        It would already kill a lot of those "opportunities" for phishers if online game makers required different PWs for account and board. But apparently selling one time pads is more profitable.

      • Re:It's both (Score:4, Informative)

        by me at werk ( 836328 ) on Sunday June 29, 2008 @05:50AM (#23989035) Homepage Journal

        PayPal sells these keyfobs as well, and I bought one. It broke, started showing 42424242 and 88888888, as well as some diagnostic info (like 25% batt, etc). I contacted PayPal and they weren't very helpful (as expected), and it was basically, buy another one. I just disabled the requirement for it on the account.

        I think that the paypal security issue is similar, just phishing. But hey, if my account got fucked while I had a keyfob activated, I'd be at an advantage wouldn't I?

      • Re:It's both (Score:4, Informative)

        by Macgrrl ( 762836 ) on Sunday June 29, 2008 @06:48PM (#23994423)

        My account got hacked last year after I downloaded a UI mod from a reputable mod site (worldofwar.ui) that had been hacked.

        I had changed my password after I thought I had cleared all remnants of the hack from my machine, but unfortunately I must have missed something. After I regained control of my account again, I changed the password on a different machine and did a low level format and a complete reinstall on my Windows box. I only ever logged in by pasting in my password from a text file from then until I replaced the Windows box with a new Mac.

        I wouldn't characterise myself as a dumb user, have been a tech support monkey and server admin. Even being careful you get caught out sometimes.

    • Re: (Score:2, Insightful)

      by Morlark ( 814687 )

      "Eke out a few more pennies"? These things cost way more than $6 to make, and that's not even counting the cost of the training all their customer support staff will need. Players whose accounts have been compromised do cost Blizzard a lot in terms of support, and Blizzard are introducing these things under cost in an attempt to lower their expenditures elsewhere.

    • Re: (Score:2, Insightful)

      by mwilli ( 725214 )
      Blizzard is in a unique position. Due to the success of WoW, they are probably the top company for online gameplay at the moment. Because of this, it gives them the opportunity to be the industry leader in new technologies to protect the integrity of the online gameplay, which they have always marketed as being a great concern of theirs.
    • by Manip ( 656104 ) on Sunday June 29, 2008 @05:52AM (#23989047)

      Thank you Mr. Conspiracy theory. But the truth is that:
      - There is a serious problem in WoW
      - It is extremely common for accounts to get compromised
      - Sometimes people quit the game after a breakin (-$13/month)
      - A 30 second google search found similar devices for between $17 and $23 a go

      If I had to guess I would imagine Blizzard breaks even roughly on these devices. I can't imagine there being a huge profit margin on $6 and that they justify it by keeping people playing.

      • Re: (Score:3, Interesting)

        From the years playing MMOs the majority of hacks on accounts relate to the following.
        - An ex-SO or friend upset with you.
        - Sharing your password with your clan.
        - Overly obvious passwords.

        After that the two common ones are.
        - Installing third party programs.
        - Clan phishing.

        Clan phishing works by joining a clan, getting friendly with them then posting a joke/quiz where the people answer with questions like "Mother's last maiden name", "Date of birth", etc. They use that to hack mail accounts.

      • Sorry, I am in a very large guild and not one of the members has been hacked in months. The only two "hacks" that occurred before that were from account sharing to farm BGs.

        In other words, the majority of so called hacks can be limited to.

        1. Sharing accounts (this is big, I don't understand how you can trust someone you never met in the flesh with your account info)
        2. Buying accounts (and subsequent original owner recalling it)
        3. Stupid use of the same userid for either in game names or non-blizzard forums

    • by Snaller ( 147050 )

      For one thing it's not a dongle (my submission was better) - for the other apparently hundreds get hacked each their, their character stripped bare and sold, and their accounts used to spam gold commercials in the game and on the web boards.

      As for requiring it, no - they couldn't do that.

  • by rewben ( 202225 ) on Sunday June 29, 2008 @05:09AM (#23988839) Homepage

    It's not the system that has a flaw, it's the stupidity of people for giving away their usernames/passwords for powerlvling etc.

    • When I played, quite a few of my guildies got hacked, and none of them were powerlevelers or engaged in any sort of prohibited activity like gold buying. It took them a couple of weeks to get their stuff back, and was a real nuisance to them and to the guild.

      Interestingly, not one Mac using member of the guild ever got hacked, so I guess malware was responsible.

      I don't know how it is now, but before BC the powerlevelers used to be easy to spot. Just look for the Night Elf Hunter in the PvP reward armour who

  • Wowzers, now I can have more security for my account on some computer game than my online banking (I'm looking at you, Citibank).

    • by Opportunist ( 166417 ) on Sunday June 29, 2008 @05:44AM (#23989005)

      Hmm... let's see... The average WoW addict is playing 30 hours a day, has most likely no job...

      What do you think is worth more, the account of such a person or his bank account?

      • by amRadioHed ( 463061 ) on Sunday June 29, 2008 @05:51AM (#23989039)

        They both probably are about equally low in worth.

        • Well, I didn't check eBay lately. Mostly because I prefer playing a game instead of paying someone to do it for me. But I'd be surprised if there aren't some high level chars for sale.

      • Hmm... let's see... The average WoW addict is playing 30 hours a day, has most likely no job...

        What do you think is worth more, the account of such a person or his bank account?

        What? Almost everyone I know who plays hardcore (30hrs/wk and +) has a job. Some have a family life. It's not different than watching TV for the same amount of time. I've known one guy who didn't work and played really hardcore, and he was "financially independent".

  • by Null Nihils ( 965047 ) on Sunday June 29, 2008 @05:22AM (#23988901) Journal

    Why can I get this feature for a MMORPG account, but not from my bank, or any other banks I know of?

    I value my real money far more than imaginary swords, shields and armor that exist as bits in an entertainment company's database.

    Maybe some people's priorities are different...

    • by Nuskrad ( 740518 ) on Sunday June 29, 2008 @05:31AM (#23988929)
      A lot of banks in the UK now require card reading devices for use with online banking. It's been rolled out across the last couple of years, not sure what the situation is elsewhere in the world though
      • Re: (Score:3, Interesting)

        by Kidbro ( 80868 )

        I'm using a similar device, seeded (I assume) by my combined Credit/ATM card (issued by my bank) for online banking. I got the device this year "free of charge". Before this, I used scratch cards with one time codes, and I believe that mine was the last major bank in the country to switch from that system.

        I live in Sweden.

      • I'll state up front that I absolutely -hate- the "something you have" part of security when that 'something you have' ends up being a fat card reader that won't fit anywhere convenient, not even in your notebook carrying bag, and you can't just use anywhere as it has to be plugged into a USB port which is not always available/accessible, and/or is prone to mechanical failure (e.g. the non-USB 'calculator' type which might fit in a pocket but if something bangs into your bag, the thing is dead.)

        So anyway.. i

    • Re: (Score:2, Interesting)

      by ivansanchez ( 565775 )

      I value my real money far more than imaginary swords, shields and armor that exist as bits in an entertainment company's database.

      You mean that you value dollars that exist as bits in company A's DB, more than gold coins that exist as bits in company B's DB, don't you?

    • by 26199 ( 577806 ) *

      In Switzerland it seems to be standard. To access my UBS account online I need: my online account card, a card reader, my "agreement number" (which is unrelated to any of my account numbers) and a six digit PIN.

    • by Splab ( 574204 )

      Some banks around here (Denmark) support it - you do however have to specifically ask for the feature. Even the national digital signature is going to get upgraded to one time passes.

      Try asking around, they might have the feature, but for a fee.

    • Why can I get this feature for a MMORPG account, but not from my bank, or any other banks I know of?

      Many banks don't offer them because it costs money to implement a system which uses them and they're really only cost-effective for customers who keep a lot of money in their accounts, so their attitude towards those customers is "if you want it, go to another bank who can offer it". Likewise, of the banks that do offer them only do so for their larger customers. For example, another poster mentioned Citibank

  • Cheap (Score:4, Insightful)

    by Anonymous Coward on Sunday June 29, 2008 @05:36AM (#23988959)

    6 euro protecting 1000s of hours of time spent, it's a no brainer.

    • Re: (Score:2, Interesting)

      Exactly,
      A while ago I read an article that a compromised WoW account is worth more on the market than a stolen cc number. Thus WoW accounts make an excellent target for trojans and keyloggers.
      Even if you're a casual player you most likely have invested 100's of hours in your character/account.
      The threat of losing this because you have a stupid 8 year old nephew or you just weren't paying attention with a download is very real. So 6 bucks for some extra protection is well spent money imo
    • 1000s of hours of time spent

      Some might claim to have "invested" their time in WoW. Your use of the term "spent" seems more accurate. Wiktionary: Adjective spent 1. Consumed, used up, exhausted, depleted. ~

    • Re: (Score:3, Informative)

      by rob1980 ( 941751 )
      Not giving your password to your guildmates and not downloading keyloggers is also a no brainer too. I lost count how many "OMG I GOT HACKED" stories resulted from somebody clicking on sshot001.jpg.pif on the WOW forum or from somebody giving their account info to a guildmember they barely knew.
  • Other Authentication (Score:4, Interesting)

    by Anonymous Coward on Sunday June 29, 2008 @05:36AM (#23988969)

    I was listening to The Instance, which is a WoW podcast and one of their topics concerned Taiwanese WoW players. They had the option to sign up for a different type of secondary authentication which required them to register 3 different phone numbers. You couldn't completely log in unless Blizzard received a call from one of said phone numbers.

    Considering the amount of time people have devoted into these accounts, I don't see this being that big of a deal. As a player, I'm not too sure I'd get one, as I try to avoid random websites, certain browsers and suspicious addons. The current belief now, however, is that people cracking into wow accounts are using more brute force methods instead of trojan/spyware etc etc (but it's not like those have completely disappeared.)

    There's nothing wrong with a little extra security, especially when you've played for 3 years.

  • Also (Score:5, Interesting)

    by Konster ( 252488 ) on Sunday June 29, 2008 @05:56AM (#23989059)

    I can imagine that the problem of hacked accounts is *huge* and primarily a problem on the user's end. I'd wager a guess that Blizzard's largest demographic sometimes also engages in P2P/Warez in conjunction with poor security habits. Trojan-laden warez, account sharing, piss-poor passwords and wide-open PCs; users leave themselves wide open to getting their virtual goodies ransacked and run off with.

    I played WoW for 4 months a few years ago and was surprised at the number of trojans packed in the executable installers of some popular UI mods. It wasn't a very clever (but it was effective) way of farming usernames and passwords. Considering the global reach and sheer numbers of people playing WoW, and the virtual goods for real life cash trade, I wouldn't be surprised to learn about WoW-specific trojans running around in the wild. Some people make it easy for the bad guys; using the same login details on WoW related forums as their actual wow account, to purchasing gold and other items from shady websites (good way of farming cc numbers, shady websites also use cc info to pay for their own account time, leading to charge backs and other hassles) to just flat out sharing their details willy-nilly with anyone half trusting.

    And there's no evil in Blizzard charging two cups of coffee for an extra layer of protection. I'm sure they've spent oodles and oodles of cash in the past dealing with these issues, so there's nothing wrong with recouping past costs and helping to avoid a portion of future expenditures.

    I would appreciate separate user names and passwords for account management and character login, too.

    • Re:Also (Score:5, Insightful)

      by jamesh ( 87723 ) on Sunday June 29, 2008 @06:41AM (#23989269)

      And there's no evil in Blizzard charging two cups of coffee for an extra layer of protection. I'm sure they've spent oodles and oodles of cash in the past dealing with these issues, so there's nothing wrong with recouping past costs and helping to avoid a portion of future expenditures.


      I don't even think they are trying to recoup costs, it's just a token amount so that every single user doesn't click the 'give me a free token' button. People love getting free stuff, even if they don't need it (or is it just my wife that does that? Hi wife, if you are reading this :)

    • by Graff ( 532189 )

      I played WoW for 4 months a few years ago and was surprised at the number of trojans packed in the executable installers of some popular UI mods.

      That has to be the height of laziness, it takes almost no effort to unpack and move a mod into place.

      The only executable that I use is the Ace Updater which is a package manager that will note updated mods and install them for you. The ONLY reason I use that is because it is open source and I've downloaded the source, inspected it, and built it myself. Based on my inspection there's next to no chance that it contains a trojan.

      I agree that you should have the ability to use a different username and passwor

  • by Vapula ( 14703 ) on Sunday June 29, 2008 @06:05AM (#23989113)

    Phase 1 : OTP is a plus that you may buy
    Phase 2 : A free OTP token with each WoLK extension sold
    Phase 3 : A collector edition with WoW+BC+WoLK+token
    Phase 4 : Mandatory token for all accounts

    That way, they cut the grass under the feet of the Chinese farmers who sell ready to play accounts and to the reselling of accounts on E-Bay and such...

    • Phase 4a: Account is tied permanently to region(IP) and cannot be logged in from any other region. Proxy checking is implemented to ensure compliance.

      Further, tokens are distributed in such a way that auction sites will not accept.

  • Gameshow (Score:2, Informative)

    by Anonymous Coward

    For the record get hacked on any MMO other than WoW and know what they tell you? Tough titties. This isn't about fleecing its customer base, it's noticing a growing problem and leading the field in security nipping it in the bud. And name changes and realm changes were only introduced at the crying, demanding and pleading of its customer base. The financial aspect is a hurdle to prevent abuse imho.

  • by cduffy ( 652 )

    I googled around earlier to try to determine whether these are VeriSign VIP [verisign.com] devices. If so, that'd be great -- they'd interoperate with PayPal and eBay and VeriSign's OpenID provider [verisignlabs.com] and anyone else who either supports OpenID or signs up for VeriSign's program.

    Making tech-happy people carry around more than one OTP device would be a real shame, so I'll be disappointed if more word on these comes out and it turns out that they don't interoperate.

  • Square-Enix has been taking some rather draconian steps to protect Final Fantasy XI accounts as well, where the main culprit is apparently passwords getting stolen through Flash vulnerabilities, usually through websites of questionable character.

    The thing is, you know this isn't happening through news aggregator sites or pr0n sites or whatever, these attacks are aimed at players through websites that focus on the game. It seems to me that the easiest way to solve the problem of these attacks is for the gam

  • OTPs are great, I would love to see something like this rolled into OpenID or some other 3rd party service that provides authentication.

  • by lewp ( 95638 ) on Sunday June 29, 2008 @11:26AM (#23991227) Journal

    Have compromised World of Warcraft accounts become such a serious problem, that OTPs are already necessary for games?


    Absolutely. Accounts are constantly getting hacked in the game to the point where the GMs can't keep up with the restores (such that it sometimes takes two weeks or more to get some of the items you lost back).

    Compared to credit card numbers and bank accounts, WoW accounts are quite valuable. A high end account can be worth several hundred dollars in gold and materials (or you can just sell the account altogether if you can hold onto it long enough), and there's little to no risk in dealing with them. AFAIK, police aren't actively pursuing people hacking WoW accounts, and since Blizzard restores the virtual items and money anyway (eventually... for the most part), there's little reason to.

    It's probably a lucrative business, and people are certainly treating it that way.
