Blizzard Introduces One-Time Password Devices For WoW
An anonymous reader writes "Two days ago Blizzard announced that they will be selling keychain tokens to add one-time password support (FAQ) to World of Warcraft. Have compromised World of Warcraft accounts become such a serious problem that OTPs are already necessary for games?"
It's both. Password stealing via phishing and other means has hit quite a few MMOs. It boils down to dumb users mainly, and Blizzard surely sees a profit opportunity in their stupidity.
A lot of banks in the UK now require card reading devices for use with online banking. It's been rolled out across the last couple of years, not sure what the situation is elsewhere in the world though.
Depends on who is making them.
http://www.entrust.com/strong-authentication/identityguard/calculator.cfm
Entrust here likes to advertise they're 1/7th as expensive as the ones RSA sells, and those are still $4/year.
So at $6 until the token dies, Blizzard isn't exactly making a mint on these things. The profit for them comes in reduced account restorations.
Unless you'd care to source me someone who sells them so cheap that Blizzard is making a fortune at these prices, since there's probably also costs for the server end of the setup?
-- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
My account got compromised a year after I quit, and I only discovered it because I got an IM from someone who saw my character log in and wanted to know if I was playing again. My password was good enough that no one was going to randomly guess it, and I certainly never gave it out.
My best theory on how it happened is that I used the same account and password on lots of web forums, many of which have terrible security. Someone probably hacked into one of them and tried all the user/pass combos to see if they were also WoW accounts. I took a look at my old characters on armory and noticed that my lowbie alts had been stripped and my main moved to another server. I figure whoever got access probably sold the account to a clueless buyer because I can't imagine someone paying for a character transfer otherwise. I also wouldn't be surprised if people made a lot of money doing this. Lesson learned: use unique passwords (or usernames) on any accounts you actually care about.
Blizzard reset my password, but refused to transfer my character back to his original server because I "willingly gave out my password." I didn't intend to ever play again anyway, but service like that certainly sealed it. They didn't care one bit about catching the person who did it either, despite having IP addresses and even credit card numbers.
Essentially the keychain allows you to generate the response (as a one-time password) based on being given a specific seed number.
Incidentally, the problem I have with this system isn't so much the mechanics of it but the fact that if everyone starts using them, it becomes unmanageable for the poor user.
I'm already seeing this over here in the UK where I have online banking with two banks here. Both have now sent me a small calculator-like device that I put my card into, enter my pin number and the seed number in order to get a response number to allow me to authenticate in order to do online transfers.
Although I can view my accounts without needing the "calculator", if I want the facility to transfer money no matter where I go, then I have to take these things with me. (Although, in reality, I've not yet tried to see if I can use both cards in one of them on the basis that although they look slightly different physically, they may have the same circuitry inside.)
Gentoo Linux - another day, another USE flag.
Thank you Mr. Conspiracy theory. But the truth is that:
- There is a serious problem in WoW
- It is extremely common for accounts to get compromised
- Sometimes people quit the game after a breakin (-$13/month)
- A 30 second google search found similar devices for between $17 and $23 a go
If I had to guess I would imagine Blizzard breaks even roughly on these devices. I can't imagine there being a huge profit margin on $6 and that they justify it by keeping people playing.
Blizzard will restore all your items and gold to your character in a few days. Unlike with scams that gain access to your bank account, there is no real irreversible damage here.
Unless Blizzard has changed policies, they will refund your items, they will not refund your gold.
And even so, it can take Blizzard several weeks to find time to sort you out. A tiny one-time cost of 6 euros is an extremely cheap investment. Most make that much while taking a crap at work. Small price to pay to protect hundreds and hundreds of hours worth of in-game effort.
One might argue that with the amount of cash Blizzard makes off of WoW, they should just hire a small country to be able to fix hacked accounts in hours instead of weeks. But, honestly... It's optional. It's 6 euros. My computer is nearly a fortress compared to the average WoW player's security, and I'm still considering getting one of those things.
The devices each have a unique key. If I have #1, you can't use #2 to get into my account.
Nerd rage is the funniest rage.
They're meant to be account specific and brick themselves if you type in the wrong pin 3 times.
Barclays have been providing a device they call PIN Sentry since early 2007:
http://www.barclays.co.uk/pinsentry/
NatWest introduced their offering summer 2007:
http://www.natwest.com/microsites/general/card-reader-user-guide/index.asp?cmp=reader
I believe you're right about Lloyds not having followed suit just yet.
OMG!!! Ponies!!!
Or you could just use Gnome Keyring
http://en.wikipedia.org/wiki/GNOME_Keyring
About $50 each at the moment. They obviously cost $0.10 to make, but you won't be able to buy them for that.
For the record, get hacked on any MMO other than WoW and know what they tell you? Tough titties. This isn't about fleecing its customer base, it's noticing a growing problem and leading the field in security, nipping it in the bud. And name changes and realm changes were only introduced at the crying, demanding and pleading of its customer base. The financial aspect is a hurdle to prevent abuse imho.
tokenless see www.telesign.com
Not giving your password to your guildmates and not downloading keyloggers is also a no-brainer. I lost count how many "OMG I GOT HACKED" stories resulted from somebody clicking on sshot001.jpg.pif on the WOW forum or from somebody giving their account info to a guildmember they barely knew.
Ok, maybe I exaggerated a little. $7 for 1GB, shipping included: http://www.dealextreme.com/details.dx/sku.12245
c++;
Absolutely. Accounts are constantly getting hacked in the game to the point where the GMs can't keep up with the restores (such that it sometimes takes two weeks or more to get some of the items you lost back).
Compared to credit card numbers and bank accounts, WoW accounts are quite valuable. A high end account can be worth several hundred dollars in gold and materials (or you can just sell the account altogether if you can hold onto it long enough), and there's little to no risk in dealing with them. AFAIK, police aren't actively pursuing people hacking WoW accounts, and since Blizzard restores the virtual items and money anyway (eventually... for the most part), there's little reason to.
It's probably a lucrative business, and people are certainly treating it that way.
Game... blouses.
It's Two Factor Authentication. The token is a standard two factor token, which will be required "in addition to your username and password", therefore, it's two factor. 1st - factor, username/password. 2nd - factor token six digit generated password based on time. And yes it's a big problem. Apparently a "good" credit card number is worth about $5 on the black market, but a WoW account is worth $20. Go figure.