Blizzard Sued Over Battle.net Authentication
An anonymous reader writes "A man has initiated a class-action suit against Blizzard over a product used to shore up Battle.net security. Benjamin Bell alleges that Blizzard's sale of Authenticators — devices that enable basic two-tier authentication — represents deceptive and unfair additional costs to their basic games. (Blizzard sells the key fob versions for $6.50, and provides a free mobile app as an alternative. Neither are mandatory.) The complaint accuses Blizzard of making $26 million in Authenticator sales. In response, Blizzard made a statement refuting some of the complaint's claims and voicing their intention to 'vigorously defend' themselves."
Not only does the $6.50 help cover postage and pay for the dongle, it's completely optional and Blizzard makes the app available to as many platforms as they can. You can even install the authenticator on an Android simulator on a computer.
I'm in shock as to how entitled this person is. I honestly just can't fathom how he can claim that Blizzard "makes money" off these authenticators.
Question #1 will be: "Did Blizzard make you buy one in order to play the game, and are there any consequences to not doing so?" ... "No, and no." ... "Case dismissed."
Like TFS says, the mobile version is free. Just another moron trying to make a quick buck.
My concern with blizzard's authenticator is that they seem to have rolled their own implementation rather than adhering to an open, defined spec (HOTP/TOTP). And like so many of these services, there's no good way to move it to a new device without disabling 2FA temporarily. People do upgrade their phones, after all.
How are sites slashdotted when nobody reads TFAs?
If they win this suit, I'm going after Google to pay my phone bills since they give me the option of using SMS based authentication to protect my Gmail account.
He seems to be an idiot to me. The authenticators were created to protect a community that is targeted regularly from their own stupidity. Basically, it's to protect from phishing and keylogging. Blizzard is just offering them an additional method to secure them, for a negligible cost. As for the issue with the hack on their servers, they made sure to alert their users via their registered accounts. Any legal requirements, anything else in regards to their quality of security... I can't speak for.
It's not mandatory, and it's a game. A service provided to you, and a limited version that's free to use. The security problem is inherent to all MMOs -- and Blizzard is providing a way for people concerned with hacking to protect their investment in the game, at a reasonable rate. These authenticator tokens often cost a lot more than the cost of a meal at McDonald's in other industries. The guy doesn't have a leg to stand on. He max-leveled in idiot.
#fuckbeta #iamslashdot #dicemustdie
It is made by Vasco and is sold in large quantity orders for around $6.50, which is the same as what Blizzard charges for it. The idiot in question is basically claiming Blizzard sold 400,000 Authenticators at a 100% profit margin.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
This is good, as if you log in to Battle.net from another computer, you need to reset your password. That's completely stupid and practically forces you to get some form of authenticator, if you don't want to jump through hoops every time you switch computers.
Warcraft should be free, and Blizzard should become a charity.
It's been a while since I logged into battle.net, but I am almost POSITIVE the passwords are case sensitive, as case sensitivity has caused incorrect password entry several times.
They allow passwords to be MUCH more complex than many other websites / services. This case is complete BS.
A friend of mine got hacked three times. Blizzard sent him an authenticator for free. It costs them less to send the free authenticator than to keep fixing his account.
This is just someone trying to make money on a frivolous lawsuit.
'vigorously defend' themselves.
Sounds like a Terran turtle.
https://encrypted.google.com/search?complete=0&hl=en&source=hp&q=battle.net%20password%20case%20sensitive&aq=f&aqi=&aql=&oq=&gs_rfai=
It's pretty well-documented, including blue posts from Blizz staff.
No they aren't. I just checked my copy of Diablo 3 (which was a total waste of money) and my password worked regardless of what I capitalized.
Funnily enough, I only found out that passwords were case insensitive in 2010.
No sig. Move along - nothing to see here.
The end of the article indicates he is suing to not require a battle.net account just to play a game, which seems reasonable to me.
You know, there are plenty of WoW server emulators that had to reverse engineer the client authentication.
Both the username and the password are converted to uppercase before being SHA-160 hashed and fed into the SRP6 authentication algorithm.
Instead of taking personal responsibility for the security of their own account, they instead sue Blizzard. Blizzard CANNOT control the end user's computer (not as much as they wish they could, at least). Therefore, the security of your login credentials is the sole responsibility of the account holder. Blizzard can't keep your computer from getting infected with malware, falling for a phishing scam, or sharing your credentials with your little brother.
Not true, you can run it in an Android development emulator.
2) Include a "Free Authenticator!" in every box, or mail one to people who opt to download the client.
3) Profit.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Suing over $6.50.... even with a complete victory he would probably end up with something like $.50 after the lawyers get their part. This must be somebody with too much time to waste.
How big is that to download (especially on a capped plan), and how much RAM does it use (in addition to the RAM your game uses)?
The key fob is required to use the RMAH in Diablo 3.
No, it does not tell you this on the physical boxed copy. You think you are getting something when in fact an additional purchase is required.
Also one called WinAuth, no emulator needed. http://code.google.com/p/winauth/
... and yet if I change the case on my password, either in game or on the website, I get an authentication failure. Hell, that was true back when Diablo 2 was around.
Fact seems to disagree with you.
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
Actually no, I'm wrong. What the hell?
The stupid, it burns
http://xkcd.com/936/
"When I buy a car the dealer doesn't tell me that I have to buy a car alarm with it at extra cost."
You've not bought a car from a dealer lot recently, have you?
Expect to find LoJack (even in markets where the local police have bought zero units), alarms, windshield VIN etching, clear paint protectors, sealants, rust proofing, teflon upholstery protection and a wide variety of exciting floor mats pre-installed and added on to the price of every actually available car, taking them way above and beyond the "Starting From..." low, low advertised MSRP on the banners around the lot. Listen to the radio commercials where whichever "mile of cars" with "over X thousand vehicles to choose from!" has "three at this price."
The difference between Blizzard and a car lot is, if Blizzard were a car lot, they'd be telling you, "We're sorry, the only copies we've got on hand today already have their accounts hooked to a validator and we can't remove it. We could order you a copy without a validator in 8-12 weeks or you can pay the premium to take a copy home today."
Clearly they are the stupidest person on earth for not knowing off hand the password mechanics of a shit mmo.
No, gross income is not revenue. It is revenue - cost of goods sold.
" (in addition to the RAM your game uses)?"
Who cares? it's not like you have to leave the authenticator running while you are playing
But you still have to have both the game and the Android simulator open while you're running the authenticator to get the code to type into the game. The only way I can see otherwise is if one would start the Android simulator, run the authenticator, close the Android simulator, and then start the game. This is possible only if the authenticator needs no information from the game and the game tolerates a delay of up to a few minutes between running the authenticator and running the game. Is this the case? I can't try it myself because the last Blizzard product I bought was the first StarCraft.
I support it simply for this:
He also seeks to stop Blizzard from requiring players to sign up for a Battle.net account.
And what's more, this article talks about how they don't know the password mechanics of a good MMO either!
2. Periods are standard list delimiters, not parentheses.
3. He isn't 'coming on' as anything other than someone that knows what a syllogism is.
Vasco sells in bulk for 6.50
Blizzard resells for 6.50
Blizzard is reselling at no profit
QED
"Blizzard puts the onus on gamers to buy additional products or tighten security on their devices, rather than making customer accounts more secure, Bell claims."
No vendor will make changes to devices or accounts not part of their service, nor should they be required to. This person is upset that he has to spend $6.50 one time (mind you, the two-factor authentication is optional) for use with all their games (World of Warcraft, Starcraft 2, Diablo 3), and likely future games as well, to add an optional two-factor authentication.
The user is required to provide their own ISP, router equipment, computer, antivirus and related security software, and make sure they are not the source of leaked passwords by reusing weak passwords from other accounts. If this person thinks for one sec that a company, regardless of the service they provide, should secure each user's ISP, router equipment, computer, antivirus and related security software, they've got another thing coming.
With that said, could Blizzard increase the security of the account? I am sure they could, to a point, but it still falls to the user to secure everything else.
Good. Case sensitivity in passwords is stupid.
There, I said it.
Also: if you're going to lock the user out after three bad attempts anyway (and therefore already have a mechanism in place to deal with external dictionary attacks), there's no good reason for that "Oh, you entered it wrong? Here, let me wait for 30 seconds before I tell you" delay that just fucking pisses people off rather than helps. I just thought I'd mention it, it's another pet peeve.
Actually, there's no need to lock after three bad attempts, just make the delay ONE TENTH OF A SECOND. That'll be long enough to foil virtually every dictionary attacker while short enough to not be irritating to end users.
Also, what's the deal with caps lock? Why the hell is that key still on the keyboard? NOBODY uses it and... I've gone waaaaaaaaaaay off-topic haven't I? I'll shut up and let the rest of the post be insightful.
You are not alone. This is not normal. None of this is normal.
Also, what's the deal with caps lock? Why the hell is that key still on the keyboard? NOBODY uses it and... I've gone waaaaaaaaaaay off-topic haven't I? I'll shut up and let the rest of the post be insightful.
I use caps lock every day, you insensitive clod! It's cruise control for cool.
Also, what's the deal with caps lock? Why the hell is that key still on the keyboard? NOBODY uses it
My dad uses it. It's like he's still yelling at me every time he sends me an e-mail. /cry
After having my own account *hacked* twice - both times within 18 months of inactivity, both times with very hardened passwords, even without case sensitivity.
Would get e-mails to an account that is only used for games authentication, indicating that the password was being reset, then e-mails stating that my account was suspended due to nefarious (game world finance manipulation) activities - all within 2 to 3 hours while I slept.
All activity was tracked back to another country, except for the account being unlocked/password reset.
I tried to force Blizzard to investigate, since the e-mail account wasn't hacked, had never been accessed on the same computer that I game with (Virtual Machine on another computer that resets back to initial settings on reboot), so there's no way any kind of key-capture software was installed.
All to no avail.
I know for certain it was a Blizzard associate that sold my account info to get them in both times, but how do you prove it?
Seems like Blizzard is trying to get people from both ends.
I hope the lawsuit goes forward - maximum penalties.
My mind is boggling at this.
Is this new? Or has it always been this way? I swear that as of a few years ago caps-lock could cause your auth to fail.
You are an idiot. Seriously.
There are legitimate business reasons for all caps. Only one I know of is tax returns, but wouldn't be surprised for there to be others.
I can't believe people keep passing that around. It's terrible advice, unless of course you happen to live alone and never have anybody in the same room as you when you type in your passwords. By using real words, you greatly increase the ability of an attacker to fill in the gaps if they miss a few characters or pick it up over your shoulder.
It also completely misses the fact that you probably have more than a couple of passwords, at which point, you're going to want to use a password manager anyways, at which point, you might as well go for the one with the most entropy and the least predictability.
Plus it's a bit of a strawman there as you were never supposed to take a real word and substitute 0s and such in, that's never been an accepted practice for as long as I can remember.
People don't get their accounts stolen through brute force password hacks, so who cares about case sensitivity.
And having said it revealed your stolidity.
It's not stupid at all. People are fucking stupid. If you can't type a password correctly, don't choose that password.
Smart peopel keep the stupid well hiden.
Fakedit: DUOH
Plus it's a bit of a strawman there as you were never supposed to take a real word and substitute 0s and such in, that's never been an accepted practice for as long as I can remember.
Back in the real world: upon password creation, it is always accepted by the system, and therefore generally what people use so that they can remember it.
Actually most people don't bother with substitution; they just capitalise the first letter & add the required characters at the end - which is usually just a number. Whenever they are required to change password by the system they increase the number by one.
Although - if 'correcthorsebatterystaple' were a standard password creation method, a brute force using a decent dictionary would be quite plausible.
i spent five minutes thinking and all i got was this crappy sig
Actually it's likely the exact opposite. Not only do people leave the game after being hacked (or come back from hiatus, see a hacked account and leave for good), but the support costs associated with stolen and hacked accounts constituted a huge amount of support calls and contacts before authenticators. Probably after as well, but as there is not a single account compromise for account with authenticator attached (according to blizzard) their costs must have come crashing down for accounts that have authenticator attached.
Full disclosure: I have two separate accounts on battle.net, one since early 2007 (former WoW currently battle.net account) and one since SC2 release. Neither has authenticator attached, neither has ever been hacked. I've had one guildie actually hacked in WoW during a black temple raid back in TBC for their own stupidity. Literally "sorry guys, I just got hacked right after talking to GM [provides details on being socially engineered in a really silly way]".
So, the company did the right thing in terms of offering two factor authentication (I wish my bank would do that). They made it optional and made free apps available so that people aren't forced to use it. All of that is good.
This lawsuit is frivolous, and the guy should not only lose, but have to pay court and defense costs.
Also, what's the deal with caps lock? Why the hell is that key still on the keyboard? NOBODY uses it and... I've gone waaaaaaaaaaay off-topic haven't I? I'll shut up and let the rest of the post be insightful.
The purpose of the Caps-Lock key is to remap it to Ctrl.
Not knowing is one thing, claiming to know something and being wrong about it is another.
if 'correcthorsebatterystaple' were a standard password creation method, a brute force using a decent dictionary would be quite plausible.
Would it be though? According to a study by Harvard and Google, there are around 1 million words in the English language. 10^24 possible combinations for a four-word password. Not sure that a brute force dictionary attack would be plausible on that search space.
I had a sig once. It was lost in the great storm of '09.
First off, Blizzard has not forced anyone to use an authenticator unless you wish to use the real money auction house on D3.
Second, they have a free alternatives available for your phone, so there is no financial obligation to purchase one of theirs.
Third, even if by chance Blizzard did profit from the authenticators, which I doubt they do... it's their product. They have a right to make money on what they sell; it's the American dream.
Fourth, no need for a 4th because the case is that simple!
You are clueless. I know exactly what I'm talking about, and it's all true.
Blizzard is already being investigated due to thousands of these kinds of events being reported.
Their complete lack of anything close to real security ought to be considered criminal negligence. Worse than Sony being hacked because it's Blizzard employees or trustees doing the work.
Totally unrelated to the topic, but I agree that Diablo 3 was a TOTAL complete waste of 60 dollars. I haven't played it since about a month after it was released.
Then it's a likely net revenue positive. The price of the "game" is less than the cost of production and you were intended to get that use out of it over time (even in monthly pay schemes). So they close the account and don't have to support you at all.
If you buy 10,000 of a widget you get one price. If you're buying 10,000,000 you can demand a lower price AND GET IT.
You also have the proposition like Starbucks paying their Swiss arm to grind beans in the EU. Pay a vastly inflated sum and it goes back to the same parent company but now with a huge tax deduction on profit.
If, as some are saying, that the cost for the hacked account is how they can sell the authenticator for cost and want to, because it reduces the cost of support, then they can give away the device and still save the cost of support of a hacked account AND know that they won't be getting more of the same errors because some aren't buying the authenticator.
And therefore they'd still be better off.
They don't even have case sensitivity on their passwords. Compromised accounts drive additional sales, including the fobs.
Wow (no pun intended). You are absolutely correct. Part of my Battle.Net password was upper-case, I just tried it all upper, all lower, and reversed my core word/suffix case scheme and all signed in. I was fairly sure that in the past it was case-sensitive, so I was either mistaken or something changed in the past.
When you sympathize with stupidity, you start thinking like an idiot.
Almost no one is going to get their battle.net account compromised due to lack of case sensitivity in passwords. It's because they do things like make their password "password1", or (primarily) because their forum account on a completely different gaming related website got compromised and they use the same email and password for WoW that they do for that forum, or their email account got compromised, or they fell for a phishing scam. If someone is lifting your password from another site or from a phishing scam, it literally does not matter what your password is because the attacker is going to have it, mixed case and all.
I would wager almost no one loses their account to brute force attacks. It's almost entirely social engineering or compromised external sites where they use the same passwords or trojans/keyloggers. Guild forums especially often run on very old and/or insecure forum software that's often compromised for years with no one realizing it.
... and claiming you know, and admitting when you discover when you were wrong, is another entirely.
The biggest issue is having the same password for both Forum and Game access.
Many years ago Blizzard should have made it that you have a "Forum Password" field in your account, and that is used to log into the forums. The number of people I see who use really secure passwords, then log into the Blizzard Forums from work using IE 6 is crazy. They are giving their passwords away.
Even when I have something to say, which isn't often, I rarely do because I don't want to log into the forums with the same password as my game.
You know exactly what you're talking about except for the "I know for certain it was a blizzard associate that sold my account info to get them in both times" part.
Well I just found out now, very surprising. And I thought I was uncrackable with PaSsWoRd too :(
Years ago I had my own home phone service and the phone company offered to charge a monthly fee to keep my number private and out of the phone book. I didn't understand this as I considered it cheaper not to have it in the phone book in the first place because it saves space and ink. I declined the extra charge and ended up getting calls on occasion from people looking for a church. Turns out the number they gave me used to belong to a church and the advertisement for it was still in the new phone books.
I see some claiming that the device costs Blizzard more than they actually sell it for. Wouldn't it be cheaper if they just implemented extra security into their websites and game clients? Why should people have to download an app or buy a doohickey to have better account security? I'm sure a lot of their players neither want to buy the device, don't want to use the app because they don't have the proper type of cell phone, just plain don't want it, or don't even know about it. And without that they are left open to their account being hacked. The device/app may not be required but it is needed if you want your account better secured, which is something (in my opinion) that Blizzard should be doing already without forcing the players to risk their accounts.
Maybe the lawsuit is about Blizzard charging people, and profiting (if true), to have better account security when Blizzard should be required to secure your info better in the first place. Isn't there a law about that forcing companies to better secure their user's data?
Imagine the outrage if banks started charging people a fee or asked them to use an app to keep their bank account numbers and credit card info from being made public online.
What. An. Idiot.
The Blizzard forums use the exact same authentication method as the game. I guess you can argue that people don't realize that logging into the forums on a public computer (like at a library or school computer lab) is dangerous, but I think Blizzard's time would be better spent educating users of that danger than making the user's life more difficult by having to manage two separate logins for the forums and for their account access, and setting up all the required software and hardware on their end to handle that change.
Technically English has a lot of words but the vocabulary of the average person is closer to 50,000, and the average working vocabulary is way, way less (5,000 to 10,000 and certainly not evenly distributed). That is, there are a lot of words we recognise but would never think to use. From memory I believe that Shakespeare's works use 60,000 and the King James Bible 11,000. Most passphrases would be chosen from this smaller space.
Crunching the numbers, a 4-word passphrase (lowercase) would have 6.25e14 to 1e16 combinations. An 8-character password (uppercase, lowercase, numbers) would have 2.18e14. So they're in the same realm, at least with this simplistic analysis.