Blizzard Authenticators May Become Mandatory
An anonymous reader writes "WoW.com is reporting that a trusted source has informed them that Blizzard is giving serious consideration to making authenticators mandatory on all World of Warcraft accounts. The authenticators function the same as ones provided by most banks — in order to log in, you must generate a number on the external device. Blizzard already provides a free iPhone app that functions as an authenticator. The source stated, 'it is a virtually foregone conclusion that it will happen.' This comes after large spates of compromised accounts left Blizzard game masters severely backlogged by restoration requests."
Sure it might work with just one game, but what about if this starts a trend and all online games start to require such? No thank you.
We do not use such USB devices with banks here btw, instead everyone has an account number and running list of one-time codes, with a second list of confirm codes. It's a little pain but incredibly secure. However, it's not something to use with games.
Instead of mandatory, please at most make it only the default option so those who want to can turn it off.
i think it's a good thing though, if it wasn't for lax security there wouldn't be so many thieving pricks in the world. now we just need to convince credit companies to use the same level of security that a bloody computer game uses and we might all be better off.
If you mod me down, I will become more powerful than you can imagine....
why not just make it a PC app and get it over with?
Better idea... why not just enforce good password practices and educate your users?
Sounds secure. Why don't they use it for our credit cards instead? (or both)
Does someone really care about their WoW crap that much? Really?
Many US banks will text or email you a one-time authentication code. It's certainly a lot cheaper than buying a piece of hardware.
They aren't doing it this way...why?
Vonal Declosion
I wonder if they could give you a soft token, which works for the iphone app. :/
http://images.google.com/images?q=rsa%20app%20iphone&hl=en
A mate showed me this, pretty damn cool. I'm not an encryption guru so I couldn't tell you how or why it's just as good as the real physical dongle but I'm sure it would be or they wouldn't release it. (Someone here will no doubt reply with more info on this)
Shame my crappy Government remote authentication software is a couple of versions out of date for me to make use of this on my iphone
Of course you have to remove your shoes. What are you, some sort of barbarian?
i may not have the BEST security practices (duplication on more than 1 site), but i have a pretty strong password (8 random alpha-numeric) that i HIGHLY doubt was brute forced. all my systems check clean (except for some demoscene intros), however my account was compromised.
i wasn't bad off at all. just main's bags emptied, but alts untouched and guild bank unmolested. of course forums and blizzard think i had a virus or spyware.
anyone else have even BETTER security practices and STILL get compromised?
I have been using Blizzard's Authenticator on my iPhone for quite a while now and I'm very pleased with it. I can't imagine the devastation I would be in if my wow account got hijacked. I've spent days and nights developing my characters and it would be a huge loss if I lost them to some script kiddie.
The iPhone Authenticator is like you holding a physical key to your account. Good idea.
I hope other Slashdotters agree in that it would be truly great to be able to browse the Internet with some sort of guarantee-able anonymity. At the same time, sometimes you want to be able to more firmly identify yourself before performing an action online. It seems this sort of authentication could provide much greater, though still penetrable security than the standard password model. I hardly think it will be too long until you're logging into online stores through this sort of system than using a password.
That said, how much incentive do online stores have to counter fraud? The more it benefits them, the more likely we'll see it.
A little off-topic on the anonymity side but perhaps is still something appropriate to discuss here. Is there any way that you can browse for information on the Internet from home in which the traffic couldn't be personally identified to you? It would also seem if that could be offered that it would be very popular. I understand that the Tor network is a step forward, but still not making it easy to browse and interact with the Internet in an anonymous manner.
There are just too many crimes that are too easy to commit these days on the Internet. I don't think we should have to be looking over our shoulders all the time. Also, anonymity just seems like it'd be liberating.
And NOW I have to spend even MORE money to buy some device to keep my account secure because Blizzard has no clue how to keep accounts secure from hackers.
It's not like Blizzard are having the user/pass stolen from their systems, the people who get "hacked" got hacked because they fell for phishing scams or they downloaded something dodgy of their own accord.
Blizzard knows exactly how to keep people out of the game, and tells you how to do it. It has extensive FAQs on account security and how to prevent it happening. What they cannot do is control whether users read and follow these tips, or keep spyware off their machines.
The simple fact is that all you need to log in the account is the user name and password, which are trivial to acquire from dumb people either by technical or social engineering methods.
The authenticator prevents this, and is free for many mobile phones or costs €6.99 from the store if you don't have a compatible phone. Alternatively you can just use the current system and be smart. I had a WoW account since the original release of the game and have never been compromised: I don't share my account details, I keep my machine up to date, I have no virus/keylogger/spyware issues and I don't go to gold selling websites. I have never needed the authenticator.
I have known people in game who have had their accounts taken - some more than once.
If you think Blizzard "has no clue how to keep accounts secure from hackers" then you are sorely mistaken. The introduction of the optional authenticator immediately dismisses that assertion right off the bat. The fact that people still choose not to use it and then wail about long GM response times for restoration of their stolen accounts is hardly Blizzard's fault.
The fact that accounts could be linked to a battle.net account without providing anything other than the username and password was stupid.
The fact that after making battle.net mandatory, battle.net accounts could be linked to an authenticator in exactly the same way is completely moronic.
You need a TON more info to get back control of your account (CD keys etc.) than to steal one in the first place. Why not require the CD key to add to battle.net/authenticator in the first place? People who willingly give that out anywhere else but to Blizzard themselves deserve what they get.
Send confirmation emails to add to battle.net/authenticator. Send confirmation emails to change your registered email address. Force a call to the CS call center if you have no access to your email. Keep logs of the IPs that have connected to an account, use those to get a rough idea of where in the world people are connecting from, then use that to confirm if it's the actual account owner who's on right now. Etc., etc.
THIS is forcing the people who actually KNOW how not to get hacked to pay for the stupidity of little children who go "OMG, Blzzrx is giving me a free mount for no reason whatsoever!!1!!!1!" I'm sorry, but that's just as stupid as any previous attempt at security.
-=This sig has nothing to do with my comment. Move along now=-
And NOW I have to spend even MORE money to buy some device to keep my account secure because Blizzard has no clue how to keep accounts secure from hackers.
It's not like Blizzard are having the user/pass stolen from their systems, the people who get "hacked" got hacked because they fell for phishing scams or they downloaded something dodgy of their own accord.
^^^^ This. You're not paying because of Blizzard's failing.
You're paying because:
-user stupidity (user fail)
-poor application security (coding error fail*)
-poor library security (coding error fail*)
-Microsoft OS (coding error fail*)
user fail -> haxx0rd
coding error fail -> haxx0rd
haxx0rd -> pwnd account
pwnd account -> PITA for Blizzard
*These refer to the situation where you click a link in your browser and BAM you're the proud new owner of a keylogger because you simply followed a link that led you to some sort of exploit where you don't even have to download and run anything.
2008: Oh no, I forgot my password! I need to call Blizzard for help!
2011: Oh no, I lost my authenticator! I need to call Blizzard for help!
How will this affect Linux WoW players? Don't let Blizzard tell you there aren't any, there are thousands of us.
They better make sure they have their shit together first before fucking people over or they'll lose customers.
You can't take the sky from me.
Lest anyone think you're insightful or interesting or informative (because your post indicates you are none of these things):
Blizzard is eating the cost of shipping on these inside the US and Europe. They are charging less than $7 for them, which, in addition to the shipping, has got to be pretty near break even. I sourced tokens a couple of years back and we were quoted $10-25 each depending on the supplier.
They are also offering a free version over the iPhone/iPod and for a variety of other devices like Blackberries.
The end result is about 4-5 seconds added to your time to log in, you don't get your account (that you've spent hundreds/thousands of hours on) stolen, and when you do have a legitimate issue in game that requires support there's a better chance someone will be able to help you sooner rather than 3 days from now.
Of course, I suspect based on your post that you don't actually play this game, and probably came in here just to be smug. Is "I won't pay MORE money to play a game I ALREADY paid for" the new "I don't own/watch tv"?
Since I can't tell them apart, I treat all ACs as the same person.
I have to admit this is quite funny, in the last few days i had my battlenet/WOW account banned for gold farming. Not played it in about a year, so i went through the process of trying to establish what happened. Got passwords and so on reset but the git attached the said "Blizzard Activator" to my account and i'm back at square one and locked out of battlenet/WOW.
Click here for gold!
World of Warcraft is running a special promotion! Click here to see if you've won! Note: You will have to log in, in order to see if you are a winner. Please type in the following information:
Username:
Password:
Six-Digit Lottery Code:
Thanks and good luck!
I'll cancel my account before I pay for an authenticator. It's only $6.50, but it's an expense I wouldn't pay if I had an iphone. I don't have that luxury.
There's other financial motivation for the authenticator as well. With the authenticator, pretty much nobody else can use the account. No more borrowing accounts, no more selling accounts.
I see this as more the incentive for the authenticator than peoples' accounts getting "hacked". If you log into a website with your account uid and pwd, have a keylogger installed via your addons, or use your main's name and your uid and pwd, you deserve what you get.
Technically no, I don't play. I quit after getting a hunter to level 70. Your assumptions fail.
I still think it's ridiculous to pay more and more and MORE to play a game I, in my mind, own, but I'm probably just an old fogey like that, so get the f*** off my lawn.
And again, us intelligent people have to suffer because of the morons who play wow - now what would be good if we could get rid of the morons instead.
If Google really cared they would fix Android Chrome to reflow text, instead of discriminating
You must have missed the part where I pointed out the free version that's being offered, eh, grandpa?
Don't let that get in the way of a good rant, though! Tell me about how you used to have to walk uphill both ways in the snow or about how you beat up Japs in the war!
No, it just means the hackers upgrade their ways of attack.
I think this idea is great in achieving what it is intended for. Less abuse/hacking of accounts. But what if more games take this up. Is it smart to buy a new cabinet to store all those devices now, or should I wait a bit, see if prices of cabinets drop?
LastPass uses a unique generated grid that one can print on paper. It asks for certain points on that grid identified by column and row as an added security measure. Why the heck Blizz did not think of something like this beats me. Watch this youtube vid to see how it works http://www.youtube.com/watch?v=jcgzf1KvZlg
Eyesight can be a problem for some of us. As in not being able to read the small dark letters.
Let's not forget the real reason authenticators are becoming mandatory. It's because accounts are getting hacked, sure, but why are accounts getting hacked?
Because there are idiots paying real life $$ for in-game money, which they get by hacking accounts and selling off their stuff. The customers of these websites are paying these hackers to take over people's accounts, effectively.
Do away with the monetary incentive, and accounts wouldn't be getting hacked.
There are a lot of ways to do this. For example, the ID cards we have here in Finland (You can get one from a police station) have the public and private keys (one pair for e-mail encryption, other for digital signatures which can be used to sign contracts, etc., though you naturally need a six digit pincode for that in addition to the card). The USB reader for such a smartcard is cheap, the software and drivers you need to install are provided by the government, free and open source. Anyone can design a system to allow authentication with those cards. That or similar system could well be used for WoW authentication, too. No need for additional cards, etc.
Yet, Slashdotters tend to complain about any plans to implement similar systems (or any kind of national databases). Too Orwellian, etc.
They were ~$80($6.50+shipping and taxes on top) in Canada at one point. That left a very sour and bitter taste in my mouth, I have no want, need or desire to get one when they cost that much. I don't care that they're $6.50 now, if they want me to use one then they can give it to me with the next expansion. My cousin says they're still up over $20(somewhere around $25, aka $6.50+shipping+taxes), still don't care.
And if you live outside of any of those normal shipping zones you can still get them through 3rd parties. Or Ebay, at 400-4000% the markup.
Om, nomnomnom...
You don't own the servers the game runs on, and the client's pretty much useless without them.
Actually, a certain mobile phone is making insane value on the used market, because it can sufficiently impersonate another cellphone and apparently grab SMS' off the network... MTAN has been essentially broken from the start...
What gives Blizzard the right to do that? It's not a copyright thing and you're allowed to USE the product.
One of MANY reasons I don't play online games, especially one with levelling up. It's all Bullshit.
For those not familiar with wow.com, previously called wowinsider.com, it's basically like a supermarket tabloid for WoW. I mean seriously, an anonymous source says that "serious consideration" is being given to maybe possibly some time in the distant future making authenticators mandatory?
Anyway, having said that, the easiest way to do this would be to use the Cataclysm expansion purchase to subsidize it. Each purchase would give you a coupon for one free authenticator. Putting an authenticator in the box would just be a waste of money (and wouldn't help the people who purchase it online).
Their real problem right now seems to be manufacturing them fast enough to keep up with demand. I know people who ordered one around or shortly after Christmas who still haven't received theirs (despite the confirmation email stating "2-3 business days").
Until they can solve the inventory problem, making them mandatory is still out of the question.
I'm not sure that adding the authenticator will fix the problem of hacked accounts, it will just put things off until the thieves come up with a new system to break in.
If they can install a keylogger on your computer it should be easy enough for them to install a fake WoW login app. Put up the login screen, pass the username, password, and authenticator value to themselves, and give the hacked user a login error, realm is down error, or some such. Take the information and login to the account in the minute or so before the authenticator value expires.
Once the thief is in, it only takes a few minutes to sell gear and mail the gold. Login and realm servers being down occurs frequently enough that most players wouldn't suspect anything was going on if they're locked out for 30 minutes, which is more than enough time for the thief to wipe out an account.
This is not a new idea, but one that has been floating around for quite some time as a method to access bank accounts, etc. which require some sort of authentication token.
BTW, if you put an authenticator on your WoW account you get a nice in game pet. If you remove the authenticator from your account, Blizzard removes the pet from your characters.
In other words, you have not sunk several hundred dollars into this hobby like so many others. When your investment so far has been that large, an extra $6.50 worth of insurance to save you a potentially big hassle is nothing.
They still cost money - and the users have to pay the money of course, blizzard is not going to eat this.
So we are all being punished by the idiots children who can't figure out how to protect their account
(touch wood!)
So you're going to pay someone to sit there waiting for a 30 second window in which some random compromised account logs in? That just doesn't make sense. Even at Chinese farmer rates.
So you're going to pay someone to sit there waiting for a 30 second window in which some random compromised account logs in? That just doesn't make sense. Even at Chinese farmer rates.
Why pay somebody to sit in front of a computer? It can all be automated. The receiving program automatically logs in, and then pages, messages, whatever, the person to come clean out the account. Also, there are bots to automatically clear out guild banks, sell things, etc. I don't think that the thieves consider themselves bound by Blizzard's ToS. This just makes their lives a bit more difficult, but nobody said gold selling was easy.
The number of people who share account information in many guilds is very high. Sharing account information with internet friends is just stupid.
Throw in my favorite idiocy, people who use the same account information including password on fan or guild sites.
I wish my Credit Union had one of these Authenticators, as it is they have a pattern/challenge type arrangement which seems pretty good.
* Winners compare their achievements to their goals, losers compare theirs to that of others.
By capitulating to morons who play WoW on unsecure public networks, Blizzard is creating a precedent for sinking to a level just under the lowest of common denominators. Yes, that's right, you're no longer required to be responsible in your computer usage when gaming; Blizzard will be responsible for you. And everyone else pays for your incompetence.
Blizzard fails.
Run along and die now.
I want two or more authenticators, and I want them both to be recognized as valid. For instance, if I were to buy an authenticator and then try to log in, it would look at my username, my password, and then do the calculation based on the key- if it matches, it lets me in. If not, it does not. I would like to check my username, my password, and then calculate all the keys I have tied to the account (perhaps there would be a max of five, or ten). If the input matches ANY of them, it lets me in.
Currently, I don't have an authenticator because I travel all the time and normally, wherever I go, I at least remember to include my brain. Currently I could:
1- Lose an authenticator.
2- Bash it into a wall while tripping over anything.
3- Fall into a fountain- probably it wouldn't get too wet in that time, but hey!
4- Have it stolen- it wouldn't be useful to a thief, but they wouldn't know that.
5- Have the battery be bad or rot.
I've gone through a few cellphones, and a few days with no cellphone can really be bad. I would definitely not want to be on travel for two weeks and be unable to use my fancy laptop to play WoW! Especially given that with a cellphone I can go to any mall and be chatting again in a few hours if it becomes important, but for WoW you have to call up some hotline and identify yourself using whatever secret question I thought would be a great idea 4.5 years ago. The few times I've tested this hotline (granted, not in the last year), I eventually hang up because I'm bored and I can't talk to a human. I would sure hate to be doing that dance for real.
I also don't like the loss of user freedom- currently I can call any of four RL friends up and give said friend my login info if there's something that needs to happen in game, and a few guildies would also probably work. A single authenticator would shut that down unless I was on the phone with them. Blizzard might see this as a feature: according to their extensive ToS, not even your *spouse* is allowed to log into your account.
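The "match ANY enrolled authenticator" check requested in the comment above, as an added example that is not part of the original comment and is not Blizzard's code. It assumes the tokens produce standard RFC 6238 TOTP codes (the thread does not say which algorithm Blizzard uses); the class, token names and the phone secret are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30        # seconds per code (assumption; the thread mentions a 30 second window)
DIGITS = 6       # code length (assumption)
MAX_TOKENS = 5   # per-account cap, as the comment suggests


def totp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226/6238 one-time code for a given time-step counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Account:
    """Hypothetical account that may have several authenticators attached."""

    def __init__(self, name: str):
        self.name = name
        self.tokens = {}      # token_id -> shared secret
        self.last_step = {}   # token_id -> highest time step already accepted

    def enroll(self, token_id: str, secret: bytes) -> None:
        if token_id in self.tokens:
            raise ValueError("token already enrolled")
        if len(self.tokens) >= MAX_TOKENS:
            raise ValueError("token limit reached")
        self.tokens[token_id] = secret
        self.last_step[token_id] = -1

    def revoke(self, token_id: str) -> None:
        """Detach a lost or broken token; the remaining ones keep working."""
        self.tokens.pop(token_id, None)
        self.last_step.pop(token_id, None)

    def valid_code_count(self, drift: int = 1) -> int:
        """Codes accepted at any instant. Each extra token widens the
        guessing target, which is why the cap matters."""
        return len(self.tokens) * (2 * drift + 1)

    def verify(self, code: str, now: float, drift: int = 1):
        """Return the id of the token that produced `code`, or None.

        Every enrolled token is tried, allowing `drift` steps of clock skew.
        A step that was already accepted for a token is refused, so a code
        captured after a successful login cannot be replayed. This does not
        stop a code that is relayed before the owner ever submits it.
        """
        current = int(now) // STEP
        match = None
        for token_id, secret in self.tokens.items():
            for counter in range(current - drift, current + drift + 1):
                if counter <= self.last_step[token_id]:
                    continue  # already used or older: treat as replay
                if hmac.compare_digest(totp(secret, counter), code):
                    if match is None:
                        match = (token_id, counter)
        if match is None:
            return None
        token_id, counter = match
        self.last_step[token_id] = counter
        return token_id


def demo():
    """Constructed scenario: a key fob plus a phone app on one account."""
    fob_secret = b"12345678901234567890"        # RFC 6238 test secret
    phone_secret = b"constructed-phone-secret"  # constructed sample value
    acct = Account("traveller")
    acct.enroll("fob", fob_secret)
    acct.enroll("phone", phone_secret)
    results = []
    results.append(acct.verify(totp(fob_secret, 1), now=59))     # fob works
    results.append(acct.verify(totp(fob_secret, 1), now=59))     # replay refused
    results.append(acct.verify(totp(phone_secret, 1), now=59))   # phone works too
    acct.revoke("fob")                                           # fob lost on a trip
    results.append(acct.verify(totp(fob_secret, 10), now=300))   # lost fob rejected
    results.append(acct.verify(totp(phone_secret, 10), now=300)) # phone still valid
    return results


if __name__ == "__main__":
    print(demo())
```

With five tokens and one step of drift either side, 15 of the 1,000,000 possible codes are valid at once, so rate limiting failed attempts matters more as tokens are added.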
In New Zealand for instance.
# Subtotal: $6.50
# Sales Tax: $0.00
# Shipping & Handling: $20.68
# Grand Total: $27.18
Where 27.18 USD = 36.87 NZD
They were already mandatory to anyone with more than 3 brain cells. No matter how careful you are, the chances of you logging in on a compromised machine are just too great. An authenticator removes absolutely any chance of a compromised account.
And for anyone who doesn't want the physical fob, it's quite easy to just load the cell phone based authenticator on a cell phone emulator.
I really don't know why so many have a problem with this. If we can start getting people used to using two-factor authentication in a popular online game, maybe it will be easier to convince them to use it for banking or other personal security reasons. The inconvenience is not that much in comparison to the security you get.
The people worried that it will create a killer culture where people are being assassinated left and right to get their personal authenticators is just total paranoia.
As I posted on the WoW forums;
I will NOT pay for an authenticator because OTHER people cannot keep their shit protected. Use Firefox, use a firewall, don't download suspicious files, don't visit suspicious websites and use a decent anti virus.
If Blizzard decides to make us ALL pay for the mistakes of a FEW, then when they try to charge me $5 or 6 or whatever, they can cancel my account too at that point.
I can afford the $6.50, it's a matter of principle and integrity at this point, we shouldn't be punished for the actions of others.
Aw Frell this
The authenticators function the same as ones provided by most banks
What? What banks? I've _never_ heard of a bank using these things. My bank just uses account number, pin, and password...
It will certainly make it easier to identify WOW players in the wild as they will all inevitably wear these proudly attached to their keychains. Still, since the majority of this cohort rarely venture out into "the place with no ceiling," perhaps it will only have a limited relevance as a wow-marker in daily life.
I manage two guilds on one server, one each faction. One of our members got hacked. His account got cleaned out to the tune of over 4,000 gold. Both guild vaults got hit, several items and some 430ish gold.
We got everything back.
The only bad thing was it came in the form of an in-game mail message, so lots of arranging of items needs to be done.
The sad thing? The guy who got hacked has an authenticator, just hadn't activated it yet. The curious thing? He doesn't know how he was compromised.
When you sympathize with stupidity, you start thinking like an idiot.
I previously was hacked. No keylogger no public use. No gold buying. I don't understand the need to buy gold. Blizzard has done everything short of click here and get 500 gold a day. It takes an hour tops. Plus play the auction house and you're hooked up. Anyways, it was more of using an email address now that Blizzard requires that is used on other sites and a relatively simple password. Brute force took care of the rest.
I feel I was at fault because of the shared email addy and easy password. But I waited over my week for restoration.
My point is too many people assume it's keyloggers or gold buying (which if someone sends gold to your char how do they know your login?). There is still good old-fashioned brute force going on.
Also I work for a company that issues RSA SecurID devices. Granted we don't order the quantity Blizzard does but these cost us around us 75 each. Now Blizzard is not using RSA (as RSA would require their name on them) but they are customized with software option. I now have the authenticator for iPod touch and it's free. I would argue Blizzard makes nothing on them or even takes a loss. It reduces their call center and helps retain customers longer. Easy case to take the loss.
Hardest thing in mandatory is they should waive the fee. To ramp up that kind of production would be difficult but if anyone could do it it is Blizzard.
Lest anyone think you're insightful or interesting or informative (because your post indicates you are none of these things):
Blizzard is eating the cost of shipping on these inside the US and Europe. They are charging less than $7 for them, which, in addition to the shipping, has got to be pretty near break even. I sourced tokens a couple of years back and we were quoted $10-25 each depending on the supplier.
They are also offering a free version over the iPhone/iPod and for a variety of other devices like Blackberries.
The end result is about 4-5 seconds added to your time to log in, you don't get your account (that you've spent hundreds/thousands of hours on) stolen, and when you do have a legitimate issue in game that requires support there's a better chance someone will be able to help you sooner rather than 3 days from now.
Of course, I suspect based on your post that you don't actually play this game, and probably came in here just to be smug. Is "I won't pay MORE money to play a game I ALREADY paid for" the new "I don't own/watch tv"?
While I'm not sure about the iPhone version, the other versions of the Mobile Authenticator aren't free, it's $0.99 here in Canada atm ( http://mobile.blizzard.com/shared/blizzard_download.php?cont=401&id=2183&title=Battle.net%20Mobile%20Authenticator&country=ca&lang=en ). While that isn't much, add it to the what? Maybe 9 million players who will want it, turns into a cool $9 million dollars. Or am I to believe that the dollar charge is to pay for all the bandwidth I'm going to use to download it? If they just want to make sure it's only to be downloaded by users make them log into their account before downloading. Till then I'm more leaning that a mandatory need for these is just another way of bumping up their profits.
I have only ever accessed my WoW account from my gaming PC, which has Firefox and a hardware firewall. I don't share my account info, and I'm a stickler for having strong passwords. My account was hacked back in November, and everything cleaned out. The only person who knows my credentials is my best friend, and I'm the only person who knows his credentials. He uses a Mac and the same stringent security lengths, and he was ALSO hacked just two days ago. I'm assuming there's a security breach somewhere that Blizzard can't patch up, so this would be a way to fix it. Way, way too many accounts are being compromised as of late. Out of our 30 or so constant raiders, well over half have had account security breaches in the last year. Something's going down at Blizzard, and I for one welcome the mandatory Authenticator.
2008: Oh no, someone who's not me knows my password! I need to call Blizzard!
2011: Oh no, someone who's not me stole my crypto widget! I need to call Blizzard!
Malware keyloggers can steal WoW passwords. They can't steal your other computer. Not even if that computer is called an authenticator and is rather special-purpose.
It's not like people are going to forget their World of WarCrack passwords, they type it every day </snarky> ;)
What's wrong with entering a username, the site replying with a challenge token? I then sign the token with my PGP key and access is granted.
If I had it my way, I'd point my browser to ~/.gnupg/pubring.gpg or ~/.ssh/id_rsa.pub or somesuch (or ~/.online-identity/pubkey) and use SSL client certificates. You know, where instead of just the server proving to be who it claims, the client does as well. Then I would have zero-typing logins, securely.
Unfortunately, crypto takes a lot of CPU horsepower. For that reason, most server operators will want to do as little as they can get away with (which is less than what is required for good security), and the uninformed public won't know that it should scream about this. The informed public will scream and cry, but will be derided as lunatics or ignored (as is the case here on /.).
But you're going to need an auxiliary computer (smart card or usb fob or something) to plug into computers that aren't your own (or rather that you shouldn't trust). And you need to be sure that the alien computer can talk to and understand your auxiliary computer.
Will most people want to pay for this? Or will they prefer to use passwords, because they are free, and to hell with the second-order effects, we don't want to think about the consequences of our actions!
If you are a player of WoW, You agree to the terms of service. That means you and Blizzard "agreed" you wouldn't share/sell the account.
So, in essence, if you play the game, you, specifically, gave them the right.
Authenticators are not the problem, Blizzard's password scheme is.
You are limited to 8 characters two of which must be numbers and at least one non alpha numeric character that is limited to !@.
Blizzard could just add a virtual keyboard and make everyone click the letters and characters of their account password.
That with such quantity, there would likely be now, an introduced percentage of support requests regarding faulty / non working devices. Furthermore, the emails will cease to be kindly worded requests for account reclamation aid from Blizzard and take on the air of (in some cases) "addict rage" as the realisation that the account is locked until the authentication device arrives X days after.
I record my sleeptalking
Thank god I quit this game when I did.
Though it is terrifying to see the number of comments here ACTUALLY SUPPORTING this kind of mood. It really shows the level of obsession that your average MMO player experiences.
I can't believe people are willing to pay BLIZZARD because BLIZZARD can't keep their account information secure. They bring in over 150 million MONTHLY on account fees and they can't afford a decent security scheme?
Case insensitive, by the way.
And you're allowed "!" and "@" now? Nice.
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
When I bought the game I didn't hand the cashier a signed contract in addition to swiping my credit card as a form of payment.