Blizzard Introduces One-Time Password Devices For WoW
An anonymous reader writes "Two days ago Blizzard announced that they will be selling keychain tokens to add one-time password support (FAQ) to World of Warcraft. Have compromised World of Warcraft accounts become such a serious problem that OTPs are already necessary for games?"
Probably more like Blizzard has decided that people paranoid about having their accounts compromised have become such a serious market segment that it can eke out a few more pennies selling these dongles for 6 euros a pop.
If it was a huge problem, Blizzard would begin requiring them. The fact that they're optional means they're probably just a new way to sap a few more bucks from players who have invested so much of their time and being into this game that six euros seems a very reasonable security blanket.
Start a happiness pandemic
crap.. I hope I don't forget it.
Anyway...
Bilzzard, huh? Well, they're much better than that company "Blizzard"
It's both. Password stealing via phishing and other means has hit quite a few MMOs. It boils down to dumb users mainly, and Blizzard surely sees a profit opportunity in their stupidity.
It's not the system that has a flaw, it's the stupidity of people for giving away their usernames/passwords for powerleveling etc.
Old programmers never die.. they just can't C as well.
This just seems like another money grab by another corporation. In the four years I've had my WoW account I have not had a single problem with a breach in security. I am definitely not security unconscious though, although I do find it hard to imagine that people have problems at all. Users just prove time and again that most people are stupid or ignorant or a mix of the two. Of course corporations want to cash in on that, and who can blame them. "Let's sell them something that they don't really need, but we'll tell them that they really do need it!" Like shooting fish in the barrel.
Wowzers, now I can have more security for my account on some computer game than my online banking (I'm looking at you, Citibank).
"Why are you watching the washing machine?"
"I love entertainment, as long as it's clean"
Why can I get this feature for a MMORPG account, but not from my bank, or any other banks I know of?
I value my real money far more than imaginary swords, shields and armor that exist as bits in an entertainment company's database.
Maybe some people's priorities are different...
At the moment, passwords being typed in are obviously being intercepted by a number of means (surely not just keyloggers). How long before someone works out how to intercept the one-time password from the keychain? Surely it's transmitted in much the same way as the current password, only its source is a USB device.
6 euro protecting 1000s of hours of time spent, it's a no brainer.
I was listening to The Instance, which is a WoW podcast and one of their topics concerned Taiwanese WoW players. They had the option to sign up for a different type of secondary authentication which required them to register 3 different phone numbers. You couldn't completely log in unless Blizzard received a call from one of said phone numbers.
Considering the amount of time people have devoted into these accounts, I don't see this being that big of a deal. As a player, I'm not too sure I'd get one, as I try to avoid random websites, certain browsers and suspicious addons. The current belief now, however, is that people cracking into WoW accounts are using more brute force methods instead of trojan/spyware etc etc (but it's not like those have completely disappeared.)
There's nothing wrong with a little extra security, especially when you've played for 3 years.
I was addicted to Warcraft I and II back in the day, but the magic faded with III and I never even bothered with WoW. Looks like that was a good thing: Either I'd be horribly disappointed with the money-grubbing focus of every aspect of WoW, or I'd be willingly and blindly burning a whole lot more cash on an old addiction.
I can imagine that the problem of hacked accounts is *huge* and primarily a problem on the user's end. I'd wager a guess that Blizzard's largest demographic sometimes also engages in P2P/Warez in conjunction with poor security habits. Trojan-laden warez, account sharing, piss-poor passwords and wide-open PCs; users leave themselves wide open to getting their virtual goodies ransacked and run off with.
I played WoW for 4 months a few years ago and was surprised at the number of trojans packed in the executable installers of some popular UI mods. It wasn't a very clever (but it was effective) way of farming usernames and passwords. Considering the global reach and sheer numbers of people playing WoW, and the virtual goods for real life cash trade, I wouldn't be surprised to learn about WoW-specific trojans running around in the wild. Some people make it easy for the bad guys; using the same login details on WoW related forums as their actual WoW account, to purchasing gold and other items from shady websites (good way of farming cc numbers, shady websites also use cc info to pay for their own account time, leading to charge backs and other hassles) to just flat out sharing their details willy-nilly with anyone half trusting.
And there's no evil in Blizzard charging two cups of coffee for an extra layer of protection. I'm sure they've spent oodles and oodles of cash in the past dealing with these issues, so there's nothing wrong with recouping past costs and helping to avoid a portion of future expenditures.
I would appreciate separate user names and passwords for account management and character login, too.
I demand that they be nerfed immediately.
Phase 1 : OTP is a plus that you may buy
Phase 2 : A free OTP token with each WoLK extension sold
Phase 3 : A collector edition with WoW+BC+WoLK+token
Phase 4 : Mandatory token for all accounts
That way, they cut the grass under the feet of the Chinese farmers who sell ready to play accounts and to the reselling of accounts on eBay and such...
Entropia Universe already provides a "smart card" + reader for OTP authentication.
It used to be you needed to pay about 15 USD for it, but as of about 4 months ago, they are giving it free to anyone who has spent about 500 USD minimum in the game.
Everyone else can still pay the small amount to get the device.
I'll state up front that I absolutely -hate- the "something you have" part of security when that 'something you have' ends up being a fat card reader that won't fit anywhere convenient, not even in your notebook carrying bag, and you can't just use anywhere as it has to be plugged into a USB port which is not always available/accessible, and/or is prone to mechanical failure (e.g. the non-USB 'calculator' type which might fit in a pocket but if something bangs into your bag, the thing is dead.)
So anyway.. in NL we have both of the above types from some banks.
Then there's the Postbank (largest bank, used to be gov't run, along with postal services, etc.), which works with codes.
Their website requires you to log in via SSL, username/password and then - when making a transaction - provides you with a code. You look that code up in a list and return another code that's associated with that code. The code they choose is random, the code you send back has no correlation to the input code other than what's on their end, done.
Prone to phishing? Perhaps, although all attempts so far have failed miserably. But just in case, they added an additional service - you can enter your cell phone number in your profile and have the code you should be sending back sent to you via text message, along with the amount of money involved in the transaction, etc.
I don't know the exact technical details of how the latter works - I'm sticking to just a list and due diligence when banking as I'd hate to have to rely on my phone working / having signal / not being out of credits (when abroad - besides, I usually get a pay-as-you-go card when I am, as it's cheaper to make and receive calls then) / etc. when I -have- to make some payment.
About $50 each at the moment. They obviously cost $0.10 to make, but you won't be able to buy them for that.
For the record get hacked on any MMO other than WoW and know what they tell you? Tough titties. This isn't about fleecing its customer base, it's noticing a growing problem and leading the field in security nipping it in the bud. And name changes and realm changes were only introduced at the crying, demanding and pleading of its customer base. The financial aspect is a hurdle to prevent abuse imho.
Blizzard has people paying for customer service. I did not like the server I was on with my son, so we were required to pay $25 per character to move. We had three characters to move, so that would have been $75. Each of my accounts has spent over $300 up to that point, and we were committed to staying with the game. We have been off of WOW for about a year now, and that would have been $360 of revenue for the past year that they could have received from me. However, I refused to pay for what I consider to be customer support. It is their game design that puts people on servers without knowing how good the connection will be or what the people will be like. Name changing should also be free as well. They find ways to charge people for what should be considered customer service. The game is a service and people do not have to buy it.
Every time I saw yet another blog about how someone's account got hacked and Blizzard did nothing to stop it, I'd always drop a comment about OTP and a hardware device/USB token or tying your login/password to your system's hardware in some way.
Nice to see they finally got serious about it. Account stealing is big business. It's by far the easiest way for "Gold Farmers" to farm gold.
What does a recently hacked person do who has no items or money? Yeah they buy gold. So they hack your account, steal your gold and then sell it back to you. Brilliant!
Ever think about other markets such as the Korean market where most people use an internet cafe to access the game instead of their own computer? Having an authentication like this could be extremely valuable to those who are not playing on their own computers. And remember these areas have been known to beat and kill each other over this kinda stuff.
I'd rather get a phone call than have to type in numbers from the pad thing... I think RSA, PhoneFactor, Authentify all do this.
I googled around earlier to try to determine whether these are VeriSign VIP devices. If so, that'd be great -- they'd interoperate with PayPal and eBay and VeriSign's OpenID provider and anyone else who either supports OpenID or signs up for VeriSign's program.
Making tech-happy people carry around more than one OTP device would be a real shame, so I'll be disappointed if more word on these comes out and it turns out that they don't interoperate.
Nowadays we have dual key cryptography, which is a much better way to identify safely.
Why the hell do so many things even still work with passwords?
I work at a cybercafé, and indeed, several WoW accounts have been stolen the last two weeks, via use of keyloggers. Nothing specially advanced, but we noticed a bit too late.
Anyhow, for me, stealing a WoW account is pretty much like stealing a crack addict's pipe, I don't really feel any compassion for the player. That thing is a digital drug.
Square-Enix has been taking some rather draconian steps to protect Final Fantasy XI accounts as well, where the main culprit is apparently passwords getting stolen through Flash vulnerabilities, usually through websites of questionable character.
The thing is, you know this isn't happening through news aggregator sites or pr0n sites or whatever, these attacks are aimed at players through websites that focus on the game. It seems to me that the easiest way to solve the problem of these attacks is for the game publishers to provide this information and these services (which players generally need to get anywhere in these games) themselves. But so far they seem content to let "the community" handle creating and maintaining these sites, and then paying through the nose for the security problems such heavy reliance on third parties brings.
For one thing it's not a dongle (my submission was better) - for the other apparently hundreds get hacked each their, their character stripped bare and sold, and their accounts used to spam gold commercials in the game and on the web boards.
As for requiring it, no - they couldn't do that.
If Google really cared they would fix Android Chrome to reflow text, instead of discriminating
And get a new one.
Nowhere ever have I seen USB keys at such a low price, even the cheapest slowest 512mb one would be 10 dollars more expensive.
I will spend the $6.00 when Blizzard upgrades their password auth system. As it stands now the password system is not case sensitive.
Regardless how you type your password as long as it matches the order you are going to get in.
They are not the police.
I personally know someone who got hacked, she has no idea how it happened (I would guess a virus infection from a hacked third party website).
Blizzard offers this - if the idiots out there can't spare the one time charge of 7 bucks they are free to not do it.
OTPs are great, I would love to see something like this rolled into OpenID or some other 3rd party service that provides authentication.
wow is for fucking faggots.
Absolutely. Accounts are constantly getting hacked in the game to the point where the GMs can't keep up with the restores (such that it sometimes takes two weeks or more to get some of the items you lost back).
Compared to credit card numbers and bank accounts, WoW accounts are quite valuable. A high end account can be worth several hundred dollars in gold and materials (or you can just sell the account altogether if you can hold onto it long enough), and there's little to no risk in dealing with them. AFAIK, police aren't actively pursuing people hacking WoW accounts, and since Blizzard restores the virtual items and money anyway (eventually... for the most part), there's little reason to.
It's probably a lucrative business, and people are certainly treating it that way.
Game... blouses.
Make these things required to play a game and stop messing with the computer and operating system.
I was looking forward to Spore, but with SecuROM on both Windows and Mac OS X, forget it.
And with Starcraft II and Diablo III coming "soon", who needs EA and their anti-consumer practices anyway?
It's Two Factor Authentication. The token is a standard two factor token, which will be required "in addition to your username and password", therefore, it's two factor. 1st factor: username/password. 2nd factor: token, six digit generated password based on time. And yes it's a big problem. Apparently a "good" credit card number is worth about $5 on the black market, but a WoW account is worth $20. Go figure.
Account is tied permanently to region (IP) and cannot be logged in from any other region.
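Added example, not part of the thread and not Blizzard's implementation: a server-side check of the time-based six-digit second factor described in the comment above, assuming the public RFC 6238 TOTP algorithm (the page does not say which algorithm the token uses). `TokenVerifier`, the 30-second step, the drift window and the sample secret are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per code (assumed; the page gives no interval)
DIGITS = 6   # the comment above mentions a six-digit code


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 code (HMAC-SHA1) for the time step containing unix_time."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class TokenVerifier:
    """Hypothetical second-factor check, run after the password check.

    Remembers the last accepted time step per account, so a code captured
    by a keylogger is rejected when it is submitted a second time.
    """

    def __init__(self, drift_steps: int = 1):
        self.drift_steps = drift_steps  # tolerated token clock drift, in steps
        self.last_step = {}             # account -> last accepted time step

    def verify(self, account: str, secret: bytes, code: str, now: int) -> bool:
        current = now // STEP
        first = current - self.drift_steps
        last = current + self.drift_steps
        for step in range(first, last + 1):
            # Skip steps already consumed (and negative steps near time 0).
            if step <= self.last_step.get(account, -1):
                continue
            if hmac.compare_digest(totp(secret, step * STEP), code):
                self.last_step[account] = step
                return True
        return False


if __name__ == "__main__":
    # Constructed sample secret: the RFC 6238 test key, not a real token seed.
    secret = b"12345678901234567890"
    verifier = TokenVerifier()
    code = totp(secret, 59)
    print("first use :", verifier.verify("player1", secret, code, now=59))
    print("replay    :", verifier.verify("player1", secret, code, now=61))
```

Replay tracking only blocks reuse of a code; a code relayed to the server in real time by a phishing page, before the owner submits it, would still be accepted.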
People who travel internationally with a notebook computer will likely vote with their dollars/euros against such a measure.
Yup, contracting these from China sure makes a lot of sense. One Chinese product has already been found with factory embedded software designed specifically to get WoW account info. Of course, that was probably just a proof of concept for a product with a far more malicious payload (corporate espionage as well as just plain vanilla espionage and larceny).
You either believe in rational thought or you don't
Sorry, I am in a very large guild and not one of the members has been hacked in months. The only two "hacks" that occurred before that were from account sharing to farm BGs.
In other words, the majority of so called hacks can be limited to:
1. Sharing accounts (this is big, I don't understand how you can trust someone you never met in the flesh with your account info)
2. Buying accounts (and subsequent original owner recalling it)
3. Stupid use of the same userid for either in game names or non-blizzard forums. Points for those dumb enough to use the same password.
4. Powerleveling services.
5. Rarely, disgruntled SOs
It might be a serious problem but it's not a common one. If it were common every WOW-hater would be shouting it out on competing game forums or wherever such haters gather.
What this does do is give people more assurance that they can't get compromised when they get careless, like not using good virus checkers for windows users and visiting a compromised site or having partaken of any of the items I listed.
* Winners compare their achievements to their goals, losers compare theirs to that of others.
KeePass on a USB stick? Although if the problem is phishing, I guess it wouldn't help much. Anyone smart enough to use KeePass should be smart enough to see a phishing attempt - yes or no?
Evolution is a state-sponsored, state-protected religion.
The article is from Blizzard Europe. Will the US division also be issuing (err, selling) keytokens?
Chip H
better security than Bank of America
"Have compromised World of Warcraft accounts become such a serious problem that OTPs are already necessary for games?"
Oh yes. It really is.
Stolen World of Warcraft accounts are now worth more on the black market than stolen credit card numbers. Bizarre, you might think - but perhaps not. Some people will pay real money for virtual gold (even if it is against the rules to do so); but who ever got arrested for stealing a game account?
A large number of keylogger worms have been commissioned and custom-crafted just for World of Warcraft (and a couple of other MMOs); they're even trying to buy (and succeeding in at least one case) 0day vulnerabilities in Flash to power them. A lot of phishing goes on too, of course.
Blame RMT companies willing to accept shady affiliates, American spammers, and the Chinese spammers working for them. This is a real problem, and organised crime is starting to weigh in on it.
I guess Blizzard are doing the best they can in the circumstances. They're not responsible for the security of the end-user's computer, but this might help.
Why not have the game generate an on-screen keyboard that has letters in a different place every time, and you then have to key in your password using the mouse by clicking on the pictures of the letters? Even if a key logger captured your mouse movements, it still would fail as the keyboard would change.
where can I get six of them?
Are they a boss drop or random?
Blizzard apparently can't export these outside the USA currently, supposedly due to encryption export laws. The Customer service GMs can't get a confirmation from Blizzard's Legal Dept. until sometime this week http://forums.worldofwarcraft.com/thread.html?topicId=7475462573&sid=1
I hope that dongle is not Debian based, otherwise all accounts will belong to the one who first enters 4444
If you're tired of grinding mobs, Chinese gold farmers, twinks, gankers and knowing that the game is stat boxes duking it out... try PlanetSide. It's an MMFPS (the O is redundant).
In PlanetSide, the fight does not always go to the player who has the most spare time to grind. Skill, understanding of the game and organized teams win. The power curve in PS is very shallow in comparison to D&D like games. After two or three hours you'll have access to the same equipment as someone like me who has played for 5 years. You'll have a tank, and I'll have a tank... I'll just have a plane and a troop carrier as well. In WoW, I often played just to make levels, in PS I play to play (to have fun). WoW often felt like a part time job. The day I seriously considered buying gold with real money was the day I quit. In PS there's no need for that, because anything player A can get B can get as well.
You'll get ganked, but you'll be able to fight back and win (if you're the better player). Better yet, you tell your outfit mates the position of the sniper and call in an air strike. PS is rich in tactical and strategic depth. Sure you can be a brainless foot zerg pretending that you're playing Quake, but you'll get much further if you treat it like Counter Strike. You'll get further still if you treat it like an all out planet spanning war.
In PS, I'm the commander of the spec ops division in an outfit (guild) called Ghosts of the Revolution. My team does surgical strikes far behind enemy lines to cut power and benefits to the enemy's front line. Specifically, we target the enemy's ability to spawn large/high tech vehicles and aircraft. When my empire has full size tanks and the enemy has mini-tanks... my empire wins.
If you want to try it out, create a character in the Vanu Sovereignty empire on the Gemini (US) server. Be there on Thursday night at 1930 eastern and look for/send a tell to N1H1L.
gotr.net /no, I don't work for Sony, I just really enjoy this game and think that many others would too if they gave it a chance
Utilizing the synergization of benchmark e-solutions to pre-workaround action items!
Yet another reason I'm glad to be moving toward playing under Linux instead of directly under Windows. I know I'm not 100% immune but many of the mainstream attacks are eliminated.
Good for Blizzard. I've wished for a while that Gmail would implement an optional OTP system - every now and then you need to access your e-mail from a netcafe or otherwise insecure location, and I really wouldn't want anybody to get access to my mail account.
I asked VeriSign about this, and they said that the Blizzard token isn't part of their VIP service.
That really sucks Blizzard -- why won't you let me use my PayPal token for WoW?