Blizzard Introduces One-Time Password Devices For WoW
An anonymous reader writes "Two days ago Blizzard announced that they will be selling keychain tokens to add one-time password support (FAQ) to World of Warcraft. Have compromised World of Warcraft accounts become such a serious problem that OTPs are already necessary for games?"
Probably more like Blizzard has decided that people paranoid about having their accounts compromised have become such a serious market segment that it can eke out a few more pennies selling these dongles for 6 euros a pop.
If it was a huge problem, Blizzard would begin requiring them. The fact that they're optional means they're probably just a new way to sap a few more bucks from players who have invested so much of their time and being into this game that six euros seems a very reasonable security blanket.
Start a happiness pandemic
It's both. Password stealing via phishing and other means has hit quite a few MMOs. It boils down to dumb users mainly, and Blizzard surely sees a profit opportunity in their stupidity.
It's not the system that has a flaw, it's the stupidity of people for giving away their usernames/passwords for powerlvling etc.
Old programmers never die.. they just can't C as well.
I'm not security unconscious either, but my account was compromised. When you have no control over what other uses the computer you play on is put, that's when you run into problems.
I believe they wanted to spell it "Bill-zard"
base client: 25 bucks
bc client: 25 bucks
name changes: 10 bucks
realm changes: 25 bucks (per character, that's 250 bucks if you are transferring off a realm on which you were established)
wrath of the lich king: (unknown, but be prepared to chop up your first born son)
VLC FOR MAC IS DYING! IF YOU DEVELOP, PLEASE SAVE IT!!
Wowzers, now I can have more security for my account on some computer game than my online banking (I'm looking at you, Citibank).
"Why are you watching the washing machine?"
"I love entertainment, as long as it's clean"
Why can I get this feature for a MMORPG account, but not from my bank, or any other banks I know of?
I value my real money far more than imaginary swords, shields and armor that exist as bits in an entertainment company's database.
Maybe some people's priorities are different...
I'm not security unconscious either [...] no control over what other uses the computer you play on is put
One might argue that a security-conscious person would not let any random people share his computer, unless it had a very safe multi-user system.
c++;
6 euro protecting 1000s of hours of time spent, it's a no brainer.
I was listening to The Instance, which is a WoW podcast and one of their topics concerned Taiwanese WoW players. They had the option to sign up for a different type of secondary authentication which required them to register 3 different phone numbers. You couldn't completely log in unless Blizzard received a call from one of said phone numbers.
Considering the amount of time people have devoted into these accounts, I don't see this being that big of a deal. As a player, I'm not too sure I'd get one, as I try to avoid random websites, certain browsers and suspicious addons. The current belief now, however, is that people cracking into WoW accounts are using more brute force methods instead of trojan/spyware etc etc (but it's not like those have completely disappeared.)
There's nothing wrong with a little extra security, especially when you've played for 3 years.
wrath of the lich king: (unknown, but be prepared to chop up your first born son)
I'm sure there are a few WoW addicts who wouldn't consider that an unfair deal to be in the WotLK beta...
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Essentially the keychain allows you to generate the response (as a one-time password) based on being given a specific seed number.
Incidentally, the problem I have with this system isn't so much the mechanics of it but the fact that if everyone starts using them, it becomes unmanageable for the poor user.
I'm already seeing this over here in the UK where I have online banking with two banks here. Both have now sent me a small calculator-like device that I put my card into, enter my pin number and the seed number in order to get a response number to allow me to authenticate in order to do online transfers.
Although I can view my accounts without needing the "calculator", if I want the facility to transfer money no matter where I go, then I have to take these things with me. (Although, in reality, I've not yet tried to see if I can use both cards in one of them on the basis that although they look slightly different physically, they may have the same circuitry inside.)
Gentoo Linux - another day, another USE flag.
I can imagine that the problem of hacked accounts is *huge* and primarily a problem on the user's end. I'd wager a guess that Blizzard's largest demographic sometimes also engages in P2P/Warez in conjunction with poor security habits. Trojan-laden warez, account sharing, piss-poor passwords and wide-open PC's; users leave themselves wide open to getting their virtual goodies ransacked and run off with.
I played WoW for 4 months a few years ago and was surprised at the number of trojans packed in the executable installers of some popular UI mods. It wasn't a very clever (but it was effective) way of farming usernames and passwords. Considering the global reach and sheer numbers of people playing WoW, and the virtual goods for real life cash trade, I wouldn't be surprised to learn about WoW-specific trojans running around in the wild. Some people make it easy for the bad guys; using the same login details on WoW related forums as their actual WoW account, to purchasing gold and other items from shady websites (good way of farming cc numbers, shady websites also use cc info to pay for their own account time, leading to charge backs and other hassles) to just flat out sharing their details willy-nilly with anyone half trusting.
And there's no evil in Blizzard charging two cups of coffee for an extra layer of protection. I'm sure they've spent oodles and oodles of cash in the past dealing with these issues, so there's nothing wrong with recouping past costs and helping to avoid a portion of future expenditures.
I would appreciate separate user names and passwords for account management and character login, too.
Phase 1 : OTP is a plus that you may buy
Phase 2 : A free OTP token with each WoLK extension sold
Phase 3 : A collector edition with WoW+BC+WoLK+token
Phase 4 : Mandatory token for all accounts
That way, they cut the grass under the feet of the Chinese farmers who sell ready to play accounts and to the reselling of accounts on eBay and such...
The devices each have a unique key. If I have #1, you can't use #2 to get into my account.
Nerd rage is the funniest rage.
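The challenge-response scheme described in the comments above (a per-device key, a number supplied by the server, a one-time response), as an added example that is not part of the thread and not Blizzard's or any bank's implementation. The HMAC-SHA256 construction, the 6-digit truncation and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

DIGITS = 6  # assumed response length


def token_response(device_key: bytes, challenge: str) -> str:
    """What the keychain computes: a keyed digest of the challenge, cut to digits."""
    mac = hmac.new(device_key, challenge.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10**DIGITS).zfill(DIGITS)


class AuthServer:
    """Hypothetical server side: one secret key per enrolled device."""

    def __init__(self):
        self.device_keys = {}  # account -> key of the device bound to it
        self.pending = {}      # account -> outstanding challenge

    def enroll(self, account: str) -> bytes:
        key = secrets.token_bytes(32)
        self.device_keys[account] = key
        return key  # stands in for the key stored inside the token

    def issue_challenge(self, account: str) -> str:
        challenge = f"{secrets.randbelow(10**8):08d}"
        self.pending[account] = challenge
        return challenge

    def verify(self, account: str, response: str) -> bool:
        challenge = self.pending.pop(account, None)  # each challenge is single use
        key = self.device_keys.get(account)
        if challenge is None or key is None:
            return False
        return hmac.compare_digest(token_response(key, challenge), response)


def demo() -> dict:
    server = AuthServer()
    key1, key2 = server.enroll("alice"), server.enroll("bob")
    code = token_response(key1, server.issue_challenge("alice"))
    results = {"own_token": server.verify("alice", code)}
    results["replay"] = server.verify("alice", code)  # challenge already consumed
    fresh = server.issue_challenge("alice")
    results["other_token"] = server.verify("alice", token_response(key2, fresh))
    server.issue_challenge("alice")
    results["stale_code"] = server.verify("alice", code)  # logged code, new challenge
    return results
```

A keylogger that records `code` gains nothing after the login it was typed for, which is the property a static password lacks.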
They're meant to be account specific and brick themselves if you type in the wrong pin 3 times.
I'll state up front that I absolutely -hate- the "something you have" part of security when that 'something you have' ends up being a fat card reader that won't fit anywhere convenient, not even in your notebook carrying bag, and you can't just use anywhere as it has to be plugged into a USB port which is not always available/accessible, and/or is prone to mechanical failure (e.g. the non-USB 'calculator' type which might fit in a pocket but if something bangs into your bag, the thing is dead.)
So anyway.. in NL we have both of the above types from some banks.
Then there's the Postbank (largest bank, used to be gov't run, along with postal services, etc.), which works with codes.
Their website requires you to log in via SSL, username/password and then - when making a transaction - provides you with a code. You look that code up in a list and return another code that's associated with that code. The code they choose is random, the code you send back has no correlation to the input code other than what's on their end, done.
Prone to phishing? Perhaps, although all attempts so far have failed miserably. But just in case, they added an additional service - you can enter your cell phone number in your profile and have the code you should be sending back sent to you via text message, along with the amount of money involved in the transaction, etc.
I don't know the exact technical details of how the latter works - I'm sticking to just a list and due diligence when banking as I'd hate to have to rely on my phone working / having signal / not being out of credits (when abroad - besides, I usually get a pay-as-you-go card when I am, as it's cheaper to make and receive calls then) / etc. when I -have- to make some payment.
About $50 each at the moment. They obviously cost $0.10 to make, but you won't be able to buy them for that.
For the record get hacked on any MMO other than WoW and know what they tell you? Tough titties. This isn't about fleecing its customer base, it's noticing a growing problem and leading the field in security nipping it in the bud. And name changes and realm changes were only introduced at the crying, demanding and pleading of its customer base. The financial aspect is a hurdle to prevent abuse imho.
Ok, maybe I exaggerated a little. $7 for 1GB, shipping included: http://www.dealextreme.com/details.dx/sku.12245
c++;
Absolutely. Accounts are constantly getting hacked in the game to the point where the GMs can't keep up with the restores (such that it sometimes takes two weeks or more to get some of the items you lost back).
Compared to credit card numbers and bank accounts, WoW accounts are quite valuable. A high end account can be worth several hundred dollars in gold and materials (or you can just sell the account altogether if you can hold onto it long enough), and there's little to no risk in dealing with them. AFAIK, police aren't actively pursuing people hacking WoW accounts, and since Blizzard restores the virtual items and money anyway (eventually... for the most part), there's little reason to.
It's probably a lucrative business, and people are certainly treating it that way.
Game... blouses.
Account is tied permanently to region (IP) and cannot be logged in from any other region.
People who travel internationally with a notebook computer will likely vote with their dollars/euros against such a measure.
Why not have the game generate an on-screen keyboard that has letters in a different place every time, and you then have to key in your password using the mouse by clicking on the pictures of the letters? Even if a key logger captured your mouse movements, it still would fail as the keyboard would change.