Blizzard Introduces One-Time Password Devices For WoW

An anonymous reader writes "Two days ago Blizzard announced that they will be selling keychain tokens to add one-time password support (FAQ) to World of Warcraft. Have compromised World of Warcraft accounts become such a serious problem, that OTPs are already neccesary for games?"

Not a problem... an opportunity

[gbulmash]

Have compromised World of Warcraft accounts become such a serious problem, that OTPs are already neccesary for games?

Probably more like Blizzard has decided that people paranoid about having their accounts compromised have become such a serious market segment that it can eke out a few more pennies selling these dongles for 6 euros a pop.

If it was a huge problem, Blizzard would begin requiring them. The fact that they're optional means they're probably just a new way to sap a few more bucks from players who have invested so much of their time and being into this game that six euros seems a very reasonable security blanket.

Re:Not a problem... an opportunity

[ZorbaTHut]

A cancelled account of mine got hacked somehow, and I only discovered it months later when I went to reactivate it. Blizzard basically said "sucks to be you, we won't do anything". My first level 60 character is gone forever, which makes me kind of sad.

Blizzard will, apparently, not fix all problems.

Re:Not a problem... an opportunity

[jamesh]

Hey were you the subject of a Dilbert comic a while back?

Re:Not a problem... an opportunity

[pipatron]

These things cost way more than $6 to make

Yes, maybe if you handcraft them in Norway from reindeer horns and freshly clubbed seal, but in the rest of the world you can buy a USB memory for less than this.

Re:Not a problem... an opportunity

[Tridus]

Depends on who is making them.

http://www.entrust.com/strong-authentication/identityguard/calculator.cfm

Entrust here likes to advertise they're 1/7th as expensive as the ones RSA sells, and those are still $4/year.

So at $6 until the token dies, Blizzard isn't exactly making a mint on these things. The profit for them comes in reduced account restorations.

Unless you'd care to source me someone who sells them so cheap that Blizzard is making a fortune at these prices, since there's probably also costs for the server end of the setup?

Re:Not a problem... an opportunity

[ShadowDrgn]

My account got compromised a year after I quit, and I only discovered it because I got an IM from someone who saw my character log in and wanted to know if I was playing again. My password was good enough that no one was going to randomly guess it, and I certainly never gave it out.

My best theory on how it happened is that I used the same account and password on lots of web forums, many of which have terrible security. Someone probably hacked into one of them and tried all the user/pass combos to see if they were also WoW accounts. I took a look at my old characters on armory and noticed that my lowbie alts had been stripped and my main moved to another server. I figure whoever got access probably sold the account to a clueless buyer because I can't imagine someone paying for a character transfer otherwise. I also wouldn't be surprised if people made a lot of money doing this. Lesson learned: use unique passwords (or usernames) on any accounts you actually care about.

Blizzard reset my password, but refused to transfer my character back to his original server because I "willingly gave out my password." I didn't intend to ever play again anyway, but service like that certainly sealed it. They didn't care one bit about catching the person who did it either, despite having IP addresses and even credit card numbers.

Re:Not a problem... an opportunity

[Manip]

Thank you Mr. Conspiracy theory. But the truth is that:
- There is a serious problem in WoW
- It is extremely common for accounts to get compromised
- Sometimes people quit the game after a breakin (-$13/month)
- A 30 second google search found similar devices for between $17 and $23 a go

If I had to guess I would imagine Blizzard breaks even roughly on these devices. I can't imagine there being a huge profit margin on $6 and that they justify it by keeping people playing.

Re:Not a problem... an opportunity

[vertinox]

My best theory on how it happened is that I used the same account and password on lots of web forums, many of which have terrible security.

There is your problem.

I know we are all lazy when it comes to passwords, but you really need to keep different passwords for different things. It doesn't mean you have to keep completely different passwords for everyone forums so my personal rule is to have levels on how much I care about it being breached.

Level 1: Random forums I don't trust or places I don't care if hacked.
Level 2: Places I frequent that I trust and have a reputation, but its not going to kill me if my account is breached.
Level 3: Stuff I pay money for. Like Online Games, Steam, utility bills, and cell phone plans.
Level 4: Money. Banks. Credit cards. And/or anything that is serious business. This also includes email accounts attached to them which I keep completely separate passwords between accounts since it would be dumb to have the same password for your bank as your email. Also I tend to keep different passwords between financial institutions because I don't trust competency of employees and their laptops.

The goal is to never use the same password between the levels so if one is breached the others are not.

So if it is that important to you, then don't use the same passwords on untrusted sites or forums that use unpatched vBulletin or PHPbb. I mean... I don't even trust Slashdot.

And it never hurts to paranoid and change your passwords every 6 months or if you just suspect something. Its not going to cost you anything other than mental exercise if your wrong, but it saves you a whole lot of grief if you are right.

It's both

[dreamchaser]

It's both. Password stealing via phishing and other means has hit quite a few MMO's. It boils down to dumb users mainly, and Blizzard surely sees a profit opportunity in their stupidity.

Re:It's both

[Opportunist]

That's actually not exaggerated. The average phishing server yields a quite interesting harvest of various passwords for various online games.

It would already kill a lot of those "opportunities" for phishers if online game makers required different PWs for account and board. But appearantly selling one time pads is more profitable.

Re:It's both

[me+at+werk]

PayPal sells these keyfobs as well, and I bought one. It broke, started showing 42424242 and 88888888, as well as some diagnostic info (like 25% batt, etc). I contacted PayPal and they weren't very helpful (as expected), and it was basically, buy another one. I just disabled the requirement for it on the account.

I think that the paypal security issue is similar, just phishing. But hey, if my account got fucked while I had a keyfob activated, I'd be at an advantage wouldn't I?

Re:It's both

[Splab]

So err, how do you go about getting into your account and disabling the feature if the thing is broken?

Re:It's both

In the FAQ, it states that in the event of losing the OTP dongle, you would have to call billing and support and jump through a few hoops to get the OTP removed.

Re:It's both

[Macgrrl]

My account got hacked last year after I downloaded a UI mod from a reputable mod site (worldofwar.ui) that had been hacked.

I had changed my password after I thought I had cleared all remants of the hack from my machine, but unfortaunetly I must have missed something. After I regained control of my accoutn again, I changed the password on a different machine and did a low level format and a complete reinstall on my windows box. I only ever logged in by pasting in my password from a text file from then until I replaced the windows box with a new Mac.

I wouldn't characterise myself as a dumb user, have been a tech support monkey and server admin. Even being careful you get caught out sometimes.

can't beat stupidity

[rewben]

Its not the system that has a flaw, its the stupidity of people for giving away their usernames/passwords for powerlvling etc.

Re:can't beat stupidity

[Akaihiryuu]

Wrong. The WOW servers have never once been compromised. It's not WOW that's being compromised, it's the *player's computers* that are getting trojan'd/keylogged. And the "lag spikes" and "random disconnects" are usually happening to people with wireless-N, which is *not a standard*...it's basically beta and has a ton of problems. And blaming Blizzard for WOW "causing" people's routers to reset? I don't care what kind of data you're sending out, if it causes your modem or router to reset, then the problem is in the device, not the game.

Re:Bilzzard?

[plasmacutter]

I believe they wanted to spell it "Bill-zard"

base client: 25 bucks
bc client: 25 bucks
name changes: 10 bucks
realm chances: 25 bucks (per character, that's 250 bucks if you are transferring off a realm on which you were established)
wrath of the lich king: (unknown, but be prepared to chop up your first born son)

There are those who could learn from this...

[bonhomme_de_neige]

Wowzers, now I can have more security for my account on some computer game than my online banking (I'm looking at you, Citibank).

Re:There are those who could learn from this...

[Opportunist]

Hmm... let's see... The average WoW addict is playing 30 hours a day, has most likely no job...

What do you think is worth more, the account of such a person or his bank account?

Re:There are those who could learn from this...

[amRadioHed]

They both probably are about equally low in worth.

The first thing that comes to my mind is...

[Null+Nihils]

Why can I get this feature for a MMORPG account, but not from my bank, or any other banks I know of?

I value my real money far more than imaginary swords, shields and armor that exist as bits in an entertainment company's database.

Maybe some people's priorities are different...

Re:The first thing that comes to my mind is...

[Nuskrad]

A lot of banks in the UK now require card reading devices for use with online banking. It's been rolled out across the last couple of years, not sure what the situation is elsewhere in the world though

Re:The first thing that comes to my mind is...

[maxume]

The trick is that companies C, D, E, F, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y and Z also all value the dollars that exists as bits in company A's DB.

Re:The first thing that comes to my mind is...

[Allicorn]

Barclays have been providing a device they call PIN Sentry since early 2007:

http://www.barclays.co.uk/pinsentry/

NatWest introduced their offering summer 2007:

http://www.natwest.com/microsites/general/card-reader-user-guide/index.asp?cmp=reader

I believe you're right about Lloyds not having followed suit just yet.

Re:Security Theatre

[pipatron]

I'm not security unconscious either [...] no control over what other uses the computer you play on is put

One might argue that a security-conscious person would not let any random people share his computer, unless it had a very safe multi-user system.

Cheap

6 euro protecting 1000s of hours of time spent, it's a no brainer.

Other Authentication

I was listening to The Instance, which is a WoW podcast and one of their topics concerned Taiwanese WoW players. They had the option to sign up for a different type of secondary authentication which required them to register 3 different phone numbers. You couldn't completely log in unless Blizzard received a call from one of said phone numbers.

Considering the amount of time people have devoted into these accounts, I don't see this being that big of a deal. As a player, I'm not too sure I'd get one, as I try to avoid random websites, certain browsers and suspiscious addons. The current belief now, however, is that people cracking into wow accounts are using more brute force methods instead of trojan/spyware etc etc (but it's not like those have completely disappeared.)

There's nothing wrong with a little extra security, especially when you've played for 3 years.

Re:Bilzzard?

[Opportunist]

wrath of the lich king: (unknown, but be prepared to chop up your first born son)

I'm sure there are a few WoW addicts who wouldn't consider that an unfair deal to be in the WotLK beta...

Also

[Konster]

I can imagine that the problem of hacked accounts is *huge* and primarily a problem on the user's end. I'd wager a guess that Blizzard's largest demographic sometimes also engages in P2P/Warez in conjunction with poor security habits. Trojan-laden warez, account sharing, piss-poor passwords and wide-open PC's; users leave themselves wide open to getting their virtual goodies ransacked and run off with.

I played WoW for 4 months a few years ago and was surprised at the number of trojans packed in the executable installers of some popular UI mods.It wasn't a very clever(but it was effective)way of farming usernames and passwords. Considering the global reach and sheer numbers of people playing WoW, and the virtual goods for real life cash trade, I wouldn't be surprised to learn about WoW-specific trojans running around in the wild. Some people make it easy for the bad guys; using the same login details on WoW related forums as their actual wow account, to purchasing gold and other items from shady websites (good way of farming cc numbers, shady websites also use cc info to pay for their own account time, leading to charge backs and other hassles)to just flat out sharing their details willy-nilly with anyone half trusting.

And there's no evil in Blizzard charging two cups of coffee for an extra layer of protection. I'm sure they've spent oodles and oodles of cash in the past dealing with these issues, so there's nothing wrong with recouping past costs and helping to avoid a portion of future expenditures.

I would appreciate separate user names and passwords for account management and character login, too.

Re:Also

[jamesh]

And there's no evil in Blizzard charging two cups of coffee for an extra layer of protection. I'm sure they've spent oodles and oodles of cash in the past dealing with these issues, so there's nothing wrong with recouping past costs and helping to avoid a portion of future expenditures.

I don't even think they are trying to recoup costs, it's just a token amount so that every single user doesn't click the 'give me a free token' button. People love getting free stuff, even if they don't need it (or is it just my wife that does that? Hi wife, if you are reading this :)

Long Term evolution...

[Vapula]

Phase 1 : OTP is a plus that you may buy
Phase 2 : A free OTPtoken with each WoLK extension sold
Phase 3 : A collector edition with WoW+BC+WoLK+token
Phase 4 : Mandatory token for all accounts

That way, they cut the grass under the feet of the chinese farmers who sell ready to play accounts and to the reselling of accounts on E-Bay and such...

Re:Will surely only delay the h4x0rz?

[maxume]

The devices each have a unique key. If I have #1, you can't use #2 to get into my account.