Blizzard Authenticators May Become Mandatory
An anonymous reader writes "WoW.com is reporting that a trusted source has informed them that Blizzard is giving serious consideration to making authenticators mandatory on all World of Warcraft accounts. The authenticators function the same as ones provided by most banks — in order to log in, you must generate a number on the external device. Blizzard already provides a free iPhone app that functions as an authenticator. The source stated, 'it is a virtually foregone conclusion that it will happen.' This comes after large spates of compromised accounts left Blizzard game masters severely backlogged by restoration requests."
get used to it. this is going to be common (Score:3, Insightful)
I think it's a good thing though, if it wasn't for lax security there wouldn't be so many thieving pricks in the world. Now we just need to convince credit companies to use the same level of security that a bloody computer game uses and we might all be better off.
Re: (Score:2)
Hope it's not flamebait but: You must have some huge balls on you, using 'ironic' on Slashdot and thinking that you're not going to get a firm talking to for your use of the word.
Re:get used to it. this is going to be common (Score:5, Informative)
Dongles were used to curb piracy. Blizzard doesn't have that concern because of the subscription model.
However a large portion of Blizzard's customers access their WoW account from internet cafés and gaming bars. Since some of these public machines have key logging software installed, Blizzard is experiencing a large number of customer service requests complaining about "hacked" accounts. One way to counter the key logger is by requiring an Authenticator.
Currently use of the Authenticator is optional. Blizzard has learned a lesson that if it's optional it won't work because people don't see the need to spend the extra money or download a free app.
Re: (Score:2)
Yeah, and where are those apps now? People hated dongles for a reason; they were inconvenient as hell. The same is true of all these ridiculous authenticator fobs; I'd ditch my bank in a second if they required one, and I certainly wouldn't have any qualms about ditching any game that requires one. But, of course, it's not like a large company like Blizzard cares about a few lost customers...
Re: (Score:2)
No, the world is full of thieving pricks still - they'll just have to find other means of doing it - or attack someone else.
Re: (Score:2)
1. Get a rack mounted box.
2. Install usb hub in box
3. ????
4. profit?
Or nag the vendor to allow some other form of licensing... that system sounds horribly old school.
ps, I know how hard it can be to get the crud running.. I battle with such problems at work all the time
Re:get used to it. this is going to be common (Score:4, Informative)
I also worked for companies that had this problem. What I did was buy a USB card that had an internal slot, and not just all external ports. I then plugged the dongle into that. This way, if someone wanted to take the licensing controller, they would have to take the machine off the rack (decently secure datacenter, locked rack enclosure, security screws [1],) and crack it open (padlocked and sealed [2] case, intrusion sensors) which would certainly be noticed. [3]
[1]: They are not secure against a determined attacker who would slot the screw with a Dremel tool, but it will slow someone down, and be obvious to the cameras present.
[2]: http://www.americancasting.com/info-padlock-seals-xpc-2.asp [americancasting.com] is what I use on the back of cases. I could use the plastic seals, but with these, there is no excuse of "accidentally" snapping one off. Disclaimer: I am not affiliated in any way with either of these products, but these do the job for the security needs.
[3]: Musicians have a similar issue. People know that certain music products have license key dongles and that if it gets stolen, the software vendor will not replace them, so thieves will prowl nightclubs to look for the dongles and yank them out of laptops. My solution to this with musicians who have rackmount equipment is a 2-3U locking drawer that has a USB hub in the back and the cable threaded in such a way that a strong pull only will detach the cable, and not bring along any goodies with it.
Waste o'money (Score:2)
Many US banks will text or email you a one-time authentication code. It's certainly a lot cheaper than buying a piece of hardware.
They aren't doing it this way...why?
Re: (Score:3, Insightful)
You want to have to go through email/text every single time you log in vs. pushing a button on a key fob and typing in 6 numbers?
The hardware in question costs $6.50. This is a game you're already spending $15/month on.
Re: (Score:3, Interesting)
No doubt if Blizzard made this mandatory, they'd cover the cost of the devices themselves. It's probably not going to go down well if they suddenly prevent players logging in unless they pay an additional, one-off fee. Many people would see it as a bad precedent.
Furthermore, they'll probably either supply them with new copies of the game, or only "enable" it (and send it out) to accounts that are more than say 3 months old (as they're arguably not going to have much worth stealing and by then the cost of the
Re: (Score:3, Informative)
If you have an iPhone you can get the authenticator for free as an app, and they have said they would like to bring it to more platforms in the future (presumably android, blackberry, minmo and the other major smartphone os's).
Re: (Score:2)
This uses the standard Ace / RSA system right? (Score:2)
I wonder if they could give you a soft token, which works for the iphone app.
http://images.google.com/images?q=rsa%20app%20iphone&hl=en [google.com]
A mate showed me this, pretty damn cool. I'm not an encryption guru so I couldn't tell you how or why it's just as good as the real physical dongle but I'm sure it would be or they wouldn't release it. (Someone here will no doubt reply with more info on this)
Shame my crappy Government remote authentication software is a couple of versions out of date for me to make use
Re: (Score:3, Insightful)
Blizzard does have several soft token schemes which don't require that you purchase a physical authenticator. There's an iPhone app you can get for free and use to generate an access code. They also have apps for a few other phones available.
The only thing they don't offer is a PC application and this is intentional. Using a PC app means some virus/trojan could run your pc authenticator and capture the code which makes it decidedly less useful.
The Authenticator is a good idea (Score:2, Informative)
I have been using Blizzard's Authenticator on my iPhone for quite a while now and I'm very pleased with it. I can't imagine the devastation I would be in if my wow account got hijacked. I've spent days and nights developing my characters and it would be a huge loss if I lost them to some script kiddie.
The iPhone Authenticator is like you holding a physical key to your account. Good idea.
Re: (Score:3, Informative)
It's not really script kiddies who are doing this anymore. It's all tied to the RMT "industry" - essentially, organized crime.
Re: (Score:3, Informative)
For a while. You can jump through a number of hoops with Blizzard support to get the account unlinked from the authenticator.
I think it took about 48 hours when I had to do it back when my authenticator decided it no longer wanted to turn itself on.
A word of caution to any in a similar boat: CALL Blizzard. They can take a week or two to get to the email, you probably don't want to wait that long.
Re:The Authenticator is a good idea (Score:5, Informative)
The word is lose.
Not going to solve your problems (Score:3, Insightful)
2008: Oh no, I forgot my password! I need to call Blizzard for help!
2011: Oh no, I lost my authenticator! I need to call Blizzard for help!
Re: (Score:3, Informative)
Blizzfail! (Score:3, Interesting)
The bigger view.... (Score:2)
The real REASON for authenticators (Score:5, Insightful)
Let's not forget the real reason authenticators are becoming mandatory. It's because accounts are getting hacked, sure, but why are accounts getting hacked?
Because there are idiots paying real life $$ for in-game money, which they get by hacking accounts and selling off their stuff. The customers of these websites are paying these hackers to take over people's accounts, effectively.
Do away with the monetary incentive, and accounts wouldn't be getting hacked.
When can I put TWO on the SAME account? (Score:3, Funny)
I want two or more authenticators, and I want them both to be recognized as valid. For instance, if I were to buy an authenticator and then try to log in, it would look at my username, my password, and then do the calculation based on the key- if it matches, it lets me in. If not, it does not. I would like to check my username, my password, and then calculate all the keys I have tied to the account (perhaps there would be a max of five, or ten). If the input matches ANY of them, it lets me in.
Currently, I don't have an authenticator because I travel all the time and normally, wherever I go, I at least remember to include my brain. Currently I could:
1- Lose an authenticator.
2- Bash it into a wall while tripping over anything.
3- Fall into a fountain- probably it wouldn't get too wet in that time, but hey!
4- Have it stolen- it wouldn't be useful to a thief, but they wouldn't know that.
5- Have the battery be bad or rot.
I've gone through a few cellphones, and a few days with no cellphone can really be bad. I would definitely not want to be on travel for two weeks and be unable to use my fancy laptop to play WoW! Especially given that with a cellphone I can go to any mall and be chatting again in a few hours if it becomes important, but for WoW you have to call up some hotline and identify yourself using whatever secret question I thought would be a great idea 4.5 years ago. The few times I've tested this hotline (granted, not in the last year), I eventually hang up because I'm bored and I can't talk to a human. I would sure hate to be doing that dance for real.
I also don't like the loss of user freedom- currently I can call any of four RL friends up and give said friend my login info if there's something that needs to happen in game, and a few guildies would also probably work. A single authenticator would shut that down unless I was on the phone with them. Blizzard might see this as a feature: according to their extensive ToS, not even your *spouse* is allowed to log into your account.
Re: (Score:2, Informative)
Most of them are not USB devices. Just simple fobs with a push button and cheapo LCD display.
Re: (Score:2, Troll)
Re:No thanks (Score:4, Informative)
They're $6.50.
http://us.blizzard.com/store/details.xml?id=1100000822 [blizzard.com]
Re:No thanks (Score:5, Informative)
The authenticator is hardly $25. In the US [blizzard.com], it's $6.50 with free shipping, and in the EU [blizzard.com] it's EUR6.99 also with free shipping. The price covers the cost of the physical unit and (obviously) the shipping. Blizzard's hardly making a killing on these.
For mobile authenticators, the Blizzard Website [blizzard.com] has more detail. The short version is that the Mobile Authenticator is available on a wide range of phones, depending on provider. Support isn't universal, though.
That said, the only time Blizzard could make Authenticators mandatory would be at a game-changing event, like the release of the next expansion. If they go ahead and do that, they'd probably throw Authenticators in the box, to automatically have near-total distribution. Their biggest concern is probably whether they can source a few million of them.
The long and short of it is that account theft is a big problem, both for Blizzard and for people who play WoW. Not everyone has a locked-down system, and phishers are using tactics formerly reserved for actual banks to try to get account info. Players have to deal with having their account possibly stolen, Blizzard has to deal with perpetual requests (some possibly fraudulent!) to restore characters/items, and the game as a whole suffers from the RMT that goes on.
I, for one, welcome our Keyfob and Mobile-Authenticating Overlords.
Re: (Score:2)
Re: (Score:2)
It would already be a huge leap ahead if Blizzard didn't use the same logon credentials for their user forum that is used to log into the game. That alone is certainly the source of many stolen accounts, given how easy it is to sniff passwords out of a browser.
Re: (Score:2)
It would already be a huge leap ahead if Blizzard didn't use the same logon credentials for their user forum that is used to log into the game. That alone is certainly the source of many stolen accounts, given how easy it is to sniff passwords out of a browser.
https://us.battle.net/login/login.xml ...
Notice the 'https' in front of that url? This 'sniffing' of passwords is not possible over https, if it were, no e-commerce/banking site would be safe.
However, idiot WoW players who go on WoW sites like Thottbot, Wowhead and other less reputable sites for information and they click on random ad banners flashing boobs and whatnot get infected with keyboard sniffers tailored for WoW players. Guess what? They'll lose control of their accounts. There is also a number of
Yeah but they were over $80 at one point... (Score:2)
They were ~$80($6.50+shipping and taxes on top) in Canada at one point. That left a very sour and bitter taste in my mouth, I have no want, need or desire to get one when they cost that much. I don't care that they're $6.50 now, if they want me to use one then they can give it to me with the next expansion. My cousin says they're still up over $20(somewhere around $25, aka $6.50+shipping+taxes), still don't care.
And if you live outside of any of those normal shipping zones you can still get them through
Re: (Score:2)
The long and short of it is that account theft is a big problem, both for Blizzard and for people who play WoW. Not everyone has a locked-down system, and phishers are using tactics formerly reserved for actual banks to try to get account info. Players have to deal with having their account possibly stolen, Blizzard has to deal with perpetual requests (some possibly fraudulent!) to restore characters/items, and the game as a whole suffers from the RMT that goes on.
I have never had a WOW account, but some nefarious character registered one of my e-mail addresses as owning one - not much of a problem for me, but interesting that they managed to link my address to the account without an authentication reply from me... (and, yes, I have since changed my password.)
Re: (Score:2)
Do you use Ventrilo or some other voice server? Or even a phone call? The authentication codes the authenticators give are good for 10-15 seconds, so if you still wanted to do it that way..
Re: (Score:2)
His complaint doesn't even make sense - it isn't like cutting gems requires anything other than clicking a button, so if his friend has access to his account to do that, he'd have access to do that too, not needing his friend at all.
And even if it did require his friend to log in, IM would be more than sufficient for this purpose.
Re: (Score:2, Insightful)
Re: (Score:2)
Ah, yes, it makes sense, I see - I thought they were talking about sharing 1 account, not 2 - so the gem cutting character would be on a different account.
I suspect that a lot of the hacked accounts are caused by people sharing, though.
Re: (Score:2)
I'm guessing that it's probably good for up to a 1 minute window. Think about it - if you press the button 2 seconds before the current window closes you're going to get 1 code and the active one will be different by the time you finish typing it.
Though I have no hard evidence, my guess is that Blizzard will accept either the active code or the one immediately preceding it in the sequence.
Either way, the GP answered his own question: you're not supposed to share accounts. Blizzard doesn't care if they make
Re: (Score:2)
Re:No thanks (Score:5, Insightful)
but what about if this starts a trend and all online games start to require such?
Maybe secure login will then become a common practice and devices will be standardized and we will live in a bright shiny future where login is no longer done by the most primitive system imaginable.
I mean seriously, passwords are among the weakest chain when it comes to security today and not something that can be fixed by 'educating the user' (last time I counted I had around 100 passwords), it wouldn't hurt to replace them with something that is more secure and more comfortable to use, even if it might be a bit painful at first.
Re: (Score:2)
I would love to see password authentication replaced with using PGP-style signing. Never actually send the private key to the remote system, but instead when you signup you say "This is me" by giving them your public key and they then know the person with the matching private key is you.
Of course, somehow the private key would need to be kept somewhere viruses can't extract it outright, which means a USB dongle or similar that does the signing on request, which is more stuff...
Re: (Score:2)
Explain please how you want to keep a virus (trojan, actually) from accessing a USB key that is plugged into the computer. You don't think people would ever remove it and only plug it in when they want to log in, do you?
Not to mention that reading from the USB dongle and transferring the private key elsewhere should be trivial even if they're only plugged in for a rather short amount of time. If certain software installed in the computer can read it, any malware installed in the computer can.
Re: (Score:2)
The USB stick wouldn't just store the key, it would also handle all the encryption and authentication too, so the private key would never leave the USB stick and there would be no way to access it.
The stick could additionally verify that you are really talking to the server you mean to and not to a man-in-the-middle and on top of that the encryption could be protected by a pin, entered on the USB stick itself, to secure against theft and keyloggers.
Such an encryption scheme could be made pretty much rock so
Arms race (Score:2)
No, it just means the hackers upgrade their ways of attack.
Re:No thanks (Score:5, Interesting)
what about if this starts a trend and all online games start to require such?
This business of every application requiring its own password is a problem in itself. (I've got 400 passwords in my Roboform archive!) That's why so many sites are adopting OpenId [openid.net].
Re: (Score:2)
I'm going to call bullshit and say that you don't use more than 20 passwords or codes on a weekly basis.
Re: (Score:2)
What? I also interestingly have about 400 passwords in my keepass. No, I do not frequent ALL of them so often. The point is that every site or service has a different password. It's just stupid to use the same one in several.
Re: (Score:2)
Aye. I have about 4 passwords depending on how much I care about the thing in question. Frankly, if someone hacks my /. account, I'll be more amused than angry. My bank account, OTOH...
That said, I have had my WoW account hacked, because I made the mistake of logging on my brother's computer once, and he is a nub who downloaded a keylogger off MSN Messenger. That was the last time I do that.
It'd probably be a good thing if they require the authenticators, less grief all around. Even smart people (my brother
Re: (Score:2)
Twenty is about right. So what? All the passwords represent logins that I had to use at least once. And even 20 is too many for good security.
Re: (Score:2)
Considering that some people have troubles remembering their ATM pin, 20 different passwords is quite a feat.
I remember passwords easily. Even arbitrary ones. I even know my credit card number including all relevant details. But I also know that it's hard for some people to remember just 4 digits that ain't part of their birthday.
Re: (Score:3, Insightful)
How about Kerberos or something based on it? Is there a real need to reinvent the wheel?
Re: (Score:3, Insightful)
"This business of every application requiring its own password is a problem in itself. (I've got 400 passwords in my Roboform archive!) That's why so many sites are adopting OpenId."
And the hackers thank you - now they only need one password to hack all your sites.
Re: (Score:3, Insightful)
I'm not sure why people are adopting OpenID. It requires all this extra overhead of going to and from an additional authentication server. It's a complicated protocol and complexity breeds insecurity.
If I use OpenID I've gone from one point of failure (the compromise of my computer) to two points of failure (compromise of the OpenID provider and compromise of my computer). There's actually a third potential point of failure in that the OpenID protocol could b
Re: (Score:2)
Re: (Score:2)
It's the list of codes in Scandinavia and probably other European countries too. It's not actually such a pain in the ass, you keep your list near your computer in a drawer or so. My bank account with my money is something I can do with little inconvenience, because a running two-tier list of codes is unbreakable* with keyloggers or such. But I'm not gonna put up with tens of games requiring the same kind of inconvenience.
* in theory it would still be possible for a trojan to modify your web session in real-time,
Re: (Score:2)
I don't get it... Here, we have little card readers. The bank sends a challenge, you put your card in the reader, type in the challenge and your pin, it gives a response which you type back into the web page. Simple.
Re:No thanks (Score:5, Informative)
You seem to have totally misunderstood how the authenticators work. They are decidedly NOT USB dongles.
An authenticator is a changing key generator, which shows you a one time key when you hit a display button. You then type this key in after entering your username and password to log onto the game. This is very similar to the RSA SecurID token my work requires I use to log onto our VPN.
Basically the keyfob contains a pseudo-random number generator which generates a new key every few seconds. The authenticating server knows the original seed, and can figure out the currently "valid" number shown on the key. Since each code is only valid for about 30 seconds, this makes it significantly harder to hack the account.
In fact this system is more secure than any system my bank uses, as very few banks in the US even give you the option of using a system like this.
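The seed-and-clock scheme this comment describes, together with two points raised elsewhere in the thread (the server accepting the immediately preceding code, and several authenticators enrolled on one account), sketched as an added example that is not part of the thread and is not Blizzard's or the fob vendor's algorithm, which the page does not give. It assumes the open RFC 4226/6238 TOTP construction as a stand-in; the `Account` class, token names and seeds are hypothetical.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds each code stays current ("about 30 seconds" in the comment)
DIGITS = 6   # digits shown on the fob


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 of the counter, dynamically truncated to N digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(seed: bytes, now: float) -> str:
    """RFC 6238: the HOTP counter is the number of STEP-second intervals."""
    return hotp(seed, int(now // STEP))


class Account:
    """Hypothetical server-side record holding several enrolled tokens."""

    def __init__(self, max_tokens: int = 5):
        self.max_tokens = max_tokens
        self.seeds = {}      # token name -> shared seed
        self.last_step = {}  # token name -> newest time step already accepted

    def enroll(self, name: str, seed: bytes) -> None:
        if len(self.seeds) >= self.max_tokens:
            raise ValueError("token limit reached")
        self.seeds[name] = seed
        self.last_step[name] = -1

    def verify(self, code: str, now: float, back_steps: int = 1):
        """Return the name of the token that produced `code`, or None.

        Accepts the current step and `back_steps` earlier ones, so a code
        read just before the window rolled over still works. A step is
        accepted once per token, and never an older step after a newer one,
        so a captured code cannot be replayed.
        """
        if not (code.isascii() and code.isdigit() and len(code) == DIGITS):
            return None
        current = int(now // STEP)
        for name, seed in self.seeds.items():
            for step in range(current, current - back_steps - 1, -1):
                if step <= self.last_step[name]:
                    break  # this step and all older ones are already spent
                if hmac.compare_digest(hotp(seed, step).encode(), code.encode()):
                    self.last_step[name] = step
                    return name
        return None


def demo():
    # Constructed seeds: the first is the RFC 4226 test key, the second is made up.
    acct = Account()
    acct.enroll("fob", b"12345678901234567890")
    acct.enroll("phone", b"constructed-second-seed")
    code = totp(b"12345678901234567890", now=59)   # read at 0:59
    return [
        acct.verify(code, now=61),   # typed at 1:01, one step late: accepted
        acct.verify(code, now=61),   # same code again: rejected as a replay
        acct.verify(totp(b"constructed-second-seed", 61), now=61) is not None,
    ]


if __name__ == "__main__":
    print(demo())
```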
Re: (Score:2)
Yeah, I noticed that afterwards, wonder where the USB dongle thingie came from. But the point is still quite same - if all online games start to require such, it's really inconvenient. It would be even more inconvenient if my PS3/360/Wii would require it after I have sat down on the sofa to play something. Security is good, you should have the option for people to use it to max, but you shouldn't force it down to people. Make it default option, sure. But have an option to turn off the extra security if user wan
Re: (Score:2)
I agree it would become inconvenient, but in general 99% of games probably will never require it. The big problem is that WoW items have real world value. People sell game items and gold on the black market, and there's real money to be made by hacking unsuspecting people and taking their stuff. Basically criminals are hacking into people's accounts, stealing their virtual items and liquidating it all for gold, then stealing their in game gold and selling it to other players via black market sales.
Blizzard c
Re: (Score:2)
FWIW, other MMOs have started to use this as well. Final Fantasy XI users can use a token like this (I do, in fact), and the same token will also be used for the upcoming Final Fantasy XIV. It's not mandatory, though.
Re: (Score:2)
The controller is not a good place for it, because the console has access to the controller. The great thing about the Blizzard authenticator is that it's completely disconnected from the computer. You don't plug it in and the computer doesn't read anything off of it. You have to manually press the button and type in the code it shows. That sounds annoying, but keeping it that way ensures that a virus or other malware CANNOT access the information on it.
Re: (Score:2)
Re: (Score:2)
Wouldn't reverse-engineering the keyfob (or even computing an X number of keys and some background on the algorithm used) reveal the original seed and make the whole process useless?
One of the banks I use provides a cardreader where you have to enter your PIN to generate a key for every l
Re: (Score:2)
Wouldn't reverse-engineering the keyfob (or even computing an X number of keys and some background on the algorithm used) reveal the original seed and make the whole process useless?
Each authenticator has a unique seed and so you'd need to do this for each account you want to hack. The scope of such an activity makes it so tough to do that it's not economical even if it is possible.
Re: (Score:2)
It also makes it hard for adults to read the fucking small numbers. God I hope blizzard isn't doing this shit.
Re: (Score:2, Informative)
I have an authenticator and not the best eyesight and do not have a problem reading the numbers. Of course, I only got the authenticator because they were giving an in-game pet with it and I am such a geek, I had to have it :) I have been playing since launch, and have never been hacked, but when one of the officers of my guild got hacked and the GB cleaned out (and it took weeks to get only 80% restored) I figured that the investment is well worth it.
Re: (Score:2)
Just to inform you, our banks dumped the one-time code lists when it became obvious that they are anything but secure. We're now at mobile TANs (basically you get a one time code via text message to a predefined phone). Which is secure as long as your phone doesn't get stolen along with your account credentials.
Re: (Score:3, Insightful)
I would hate for it to become mandatory. I just don't need it because (and I don't think I'm alone with these reasons):
1. I'm not an idiot and am careful enough that someone stealing my account is unlikely
2. Losing my wow account wouldn't even be a big deal to me, it's not like leveling a character and gearing it up takes ages
3. I don't want to rely on a physical object that I can lose or misplace to log in into a game.
Re: (Score:3, Insightful)
1. Most people who have their account stolen probably think the same
2. That probably works both ways, if you don't care much then maybe you won't
3. It's hardly worse than a CD check (a physical object needed to play)
In general, I disagree about the "no big deal" - at least not to Blizzard. I have lost lots of savegames on occasions, particularly one nasty hdd crash, and the result is that I look at it and go "Meh, I'd have to do all that over again" and end up never getting started. You don't need to be an
Re: (Score:2)
1. Most people who have their account stolen probably think the same
Which doesn't really matter.
3. It's hardly worse than a CD check (a physical object needed to play)
And indeed CD checks ARE annoying as hell. The first thing I do when I purchase a game that have a CD check is to grab a cracked binary from the web.
Re: (Score:3, Interesting)
1) It isn't a matter of idiocy on the end-user's part when you have major companies releasing extremely exploitable software and patches that introduce even more security flaws. I sure hope you don't run any software that you personally haven't looked at the source, compiled yourself, and know is 100% secure, because otherwise you're an idiot, by your own lights.
And, I have to say, does it make me an idiot that I'd rather spend 5 seconds each time I log in (maybe 10 seconds a day) using something like this,
Re: (Score:2)
1) It isn't a matter of idiocy on the end-user's part when you have major companies releasing extremely exploitable software and patches that introduce even more security flaws. I sure hope you don't run any software that you personally haven't looked at the source, compiled yourself, and know is 100% secure, because otherwise you're an idiot, by your own lights.
How do you explain that people seemingly get their wow accounts stolen more often than, say their credit card numbers? Do you really think that hac
Re: (Score:3, Insightful)
You misunderstand - I'm saying that it is possible (easy, in fact) to get your WoW information stolen without you, personally, being an idiot, not that many people who play WoW are not idiots. I do suspect that a large portion of the accounts that have been compromised belong to people who take less precautions giving that information out than they do with their credit cards - but that's not the only way it can happen.
I was objecting to your seeming "all or nothing" categorization of people as idiots or tha
Re: (Score:2)
I'm not saying that your account can't get hacked if you're not an idiot, but that I'd much rather risk that than have to use an authenticator.
and of course (Score:2)
Eyesight can be a problem for some of us. As in not being able to read the small dark letters.
Re: (Score:3, Interesting)
I am not a fan of anything mandatory, but I do like having it as an option for these reasons:
1: An account stolen can mean tens of thousands of dollars to a blackhat organization which can be used to make nastier keyloggers. Usually the account is then botted out with mining hacks until it trips a Blizzard sensor serverside and gets autobanned. Of course, said account has any goods that are on it stripped and the cash bounced from account to account in order to "launder it".
2: My account is an identity.
Re: (Score:2)
You can get a mobile authenticator for most models of phones. I think the key requirement is that it needs to support Java, but I might be wrong on that. There's a whole list on the mobile.blizzard.com site.
Costs a buck unless you have an iPhone.
Re: (Score:3, Interesting)
Square Enix uses Digipass Go 6 devices, same as Blizzard. Annoyingly, the manufacturer was lazy and didn't develop them to be able to be shared across multiple services using the same hardware (so you can't use the Blizzard tag with Square Enix's services)
Re: (Score:3, Insightful)
Why not a PC app? Potential for compromise. A keyfob removes all question.
And why not educate users? Because Blizzard doesn't have the time or money to deal with angry children who refuse to remember a random 8 character password. Never mind people who do have a good password and log on via their friend's compromised system.
Re: (Score:2)
I like this second layer of defense. Even under a worst-possible-situation where your password gets sniffed, account hijacked, and password changed... (which would itself take extreme dedication, because of the sub-30s window) nobody can log in again without your keyfob.
This should utterly eliminate casual account theft.
Re: (Score:2)
Heh, I know several people who share their accounts all the time for services from the other character.
They are adults, and wouldn't abuse it (beyond not being "allowed" via the eula) - but if this comes to pass they are all fucked.
Re: (Score:2)
1) A PC application would just be hijacked along with the rest of the PC. You either need a second channel to increase the security or, as it is done in this case, two tools at both ends that generate identical tokens for which the generation is not known outside the authorized parties. If that tool would reside on the compromised machine, the generation seed would be compromised as well, rendering the whole system useless.
2) Good passwords mean jack if the attacker knows the password. Those passwords are n
Re: (Score:2)
I don't know about you, but some banks in the UK do in fact use a similar system. It's not perfect, though.
http://blog.jezmckean.com/why-i-might-leave-my-bank-the-natwest-card-reader/ [jezmckean.com]
Re: (Score:3, Insightful)
Because hijacking accounts and stealing gold and items from players to be sold on is actually quite a lucrative market. If you can't farm gold because the bots are detectable or because that little Chinese kid costs too much money to pay, why not just steal it?
Re:Umm why? (Score:4, Insightful)
Is your time worth $0?
Many people playing these games have hundreds or thousands of hours spent playing - a $7 device and 5 seconds each time you log in is a pretty fair price for protecting that time spent.
Even if this were entirely a benefit to Blizzard and completely neutral for the player, it still actually would benefit players: less support staff time spent on "I got my account hacked!" means that players with other problems can get tickets answered more quickly.
Re: (Score:3, Insightful)
Afaict in most MMOs you get ahead by spending more time "grinding" at the game than other people. Skill helps too at least to some extent.
The thing is some people want to get ahead without the effort and/or get further than they reasonably could on their merits alone so they bend or break the rules. This phenomenon isn't unique to computer games, look at how many sportsmen over the years have used drugs to get ahead.
Now in MMOs one of the common ways of breaking the rules is to trade real-world money for i
Re: (Score:2)
Because people buy gold for real, hard cash (despite breaking the policy of the game, but ... who cares?). And those accounts can be valuable not only because of the gold they contain (and the items that can be sold for gold). They can be useful to launder that gold (so Blizzard has a harder time finding out who actually finally got the gold and who sold it), they can be used to send spam messages (because only paying accounts can send out mail afaik), they have a lot of value to a gold seller who doesn't h
Re: (Score:2)
Blizzard knows exactly how to keep people out of the game, and tells you how to do it. It has extensive FAQs on account security and how to prevent it happening. What they cannot do is control whether users read and follow these tips, or keep spyware off their machines.
The simple fact is that all you need to log in the account is the user name and password, which are trivial to acquire from dumb people either by technical or social engineering methods.
The authenticator prevents this, and is free for many mo
Re:MORE money? (Score:5, Informative)
Lest anyone think you're insightful or interesting or informative (because your post indicates you are none of these things):
Blizzard is eating the cost of shipping on these inside the US and Europe. They are charging less than $7 for them, which, in addition to the shipping, has got to be pretty near break even. I sourced tokens a couple of years back and we were quoted $10-25 each depending on the supplier.
They are also offering a free version over the iPhone/iPod and for a variety of other devices like Blackberries.
The end result is about 4-5 seconds added to your time to log in, you don't get your account (that you've spent hundreds/thousands of hours on) stolen, and when you do have a legitimate issue in game that requires support there's a better chance someone will be able to help you sooner rather than 3 days from now.
Of course, I suspect based on your post that you don't actually play this game, and probably came in here just to be smug. Is "I won't pay MORE money to play a game I ALREADY paid for" the new "I don't own/watch tv"?
Re: (Score:2)
You must have missed the part where I pointed out the free version that's being offered, eh, grandpa?
Don't let that get in the way of a good rant, though! Tell me about how you used to have to walk uphill both ways in the snow or about how you beat up Japs in the war!
Re: (Score:2)
You don't own the servers the game runs on, and the client's pretty much useless without them.
very wrong (Score:3, Insightful)
Re: (Score:3, Informative)
Blizzard has _nothing_ to do with incompetence of users which allow keyloggers and stuff on their computers. The fact that Blizz allows the recovery of your items/gold on _their_ costs, is a fact that you will never find anywhere else.
That's a bit extreme. Plenty of MMOs handle theft the same way. Customers tend to not resubscribe when their stuff is stolen and never returned.
Re: (Score:2)
Meh, you can still sell an account. You just have to sell the dongle too :-p
And um... borrowing and selling accounts is already against the TOS and could get the account closed so... why are you upset? :-p
What gives Blizzard the right to do that?... Well. (Score:3, Insightful)
So, in essence, if you play the game, you, specifically, gave them the right.
Re: (Score:3, Insightful)
It's their game. You are only leasing it from them at $14.99 a month. Read the EULA.
Re:So... (Score:5, Funny)
So what, a keychain fob is going to suddenly stop working if it gets near a Linux device? Open source is a powerful thing, but if it now has an aura that destroys all non-GPL devices in a ten foot radius, I'm really impressed.
Also, "thousands of you" means there are as many of you as there are level 80 female dwarf subtlety rogues wielding Quel'dalar. You'd be insignificant even if you *did* all quit the game rather than play on another platform... which you won't.
Re: (Score:2)
I think I have seen one female dwarf rogue - not sure if she was Sub. I waved to her from my female dwarf holy engineer/tailoring priest. I kid you not.
I once pugged an UB run back at 70 and was asked in all seriousness why my dwarf was smaller than a normal dwarf - I had to point out she was female.
Re: (Score:2)
The authenticator code is punched in after the L/P as part of launcher.exe or wow.exe (I forget which). If the game works, I don't see why that shouldn't.
Re: (Score:3, Interesting)
So you're going to pay someone to sit there waiting for a 30 second window in which some random compromised account logs in? That just doesn't make sense. Even at Chinese farmer rates.
Why pay somebody to sit in front of a computer? It can all be automated. The receiving program automatically logs in, and then pages, messages, whatever, the person to come clean out the account. Also, there are bots to automatically clear out guild banks, sell things, etc. I don't think that the thieves consider themselves bound by Blizzard's ToS. This just makes their lives a bit more difficult, but nobody said gold selling was easy.
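The shared-seed, 30-second-window scheme that several comments above describe can be sketched with the public TOTP standard (RFC 6238). This is an added example, not Blizzard's or the token vendor's code: the thread does not say which algorithm the fob uses, and the `Verifier` class, account name and seed are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per code (the 30-second window mentioned in the thread)
DIGITS = 8   # assumption: 8 digits, as in the RFC 6238 test vectors

def totp(seed: bytes, now: int) -> str:
    """RFC 6238 code (HMAC-SHA1) for the time step containing `now`."""
    counter = struct.pack(">Q", now // STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

class Verifier:
    """Hypothetical server side: holds each seed and the last accepted step."""
    def __init__(self, seeds, drift=1):
        self.seeds = seeds      # account -> seed shared with the token
        self.drift = drift      # steps of clock skew tolerated either way
        self.last_step = {}     # account -> newest time step already used

    def check(self, account, password_ok, code, now):
        # The code is a second factor: it is only considered after the password.
        if not password_ok or account not in self.seeds:
            return False
        current = now // STEP
        for step in range(max(0, current - self.drift), current + self.drift + 1):
            expected = totp(self.seeds[account], step * STEP)
            if hmac.compare_digest(expected.encode(), code.encode()):
                if step <= self.last_step.get(account, -1):
                    return False  # same or older step already used: replay
                self.last_step[account] = step
                return True
        return False

# Constructed sample seed (the published RFC 6238 SHA-1 test key), not a real secret.
SEED = b"12345678901234567890"

if __name__ == "__main__":
    server = Verifier({"alice": SEED})
    code = totp(SEED, 59)
    print(code, server.check("alice", True, code, 59))   # accepted once
    print(code, server.check("alice", True, code, 65))   # replay rejected
```

Rejecting an already-used time step stops a second login with a captured code. It does not help when the captured code is submitted before the owner's own login, which is the automated case the last comment describes.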