Blizzard Sued Over Battle.net Authentication

An anonymous reader writes "A man has initiated a class-action suit against Blizzard over a product used to shore up Battle.net security. Benjamin Bell alleges that Blizzard's sale of Authenticators — devices that enable basic two-tier authentication — represents deceptive and unfair additional costs to their basic games. (Blizzard sells the key fob versions for $6.50, and provides a free mobile app as an alternative. Neither are mandatory.) The complaint accuses Blizzard of making $26 million in Authenticator sales. In response, Blizzard made a statement refuting some of the complaint's claims and voicing their intention to 'vigorously defend' themselves."

Surprised?

[emkyooess]

They don't even have case sensitivity on their passwords. Compromised accounts drive additional sales, including the fobs.

Re:Surprised?

[LordLimecat]

Its been a while since I logged into battle.net, but I am almost POSITIVE the passwords are case sensitive, as case sensitivity has caused incorrect password entry several times.

They allow passwords to be MUCH more complex than many other websites / services. This case is complete BS.

Re:Surprised?

https://encrypted.google.com/search?complete=0&hl=en&source=hp&q=battle.net%20password%20case%20sensitive&aq=f&aqi=&aql=&oq=&gs_rfai=

It's pretty well-documented, including blue posts from Blizz staff.

Re:Surprised?

[Dyinobal]

No they aren't I just checked my copy of Diablo 3 (which was a total waste of money) and my password worked regardless of what I capitalized.

Re:Surprised?

[Antony+T+Curtis]

Funnily enough, I only found out that passwords were case insensitive in 2010.

Re:Surprised?

[TuringCheck]

You know, there are plenty of WoW server emulators that had to reverse engineer the client authentication.
Both the username and the password are converted to uppercase before being SHA-160 hashed and fed into the SRP6 authentication algorithm.

Re:Surprised?

[X0563511]

... and yet if i change the case on my password, either in game or on the website, I get an authentication failure. Hell, that was true back when Diablo 2 was around

Fact seems to disagree with you.

Re:Surprised?

[X0563511]

Actually no, i'm wrong. What the hell?

Re:Surprised?

The stupid, it burns

Re:Surprised?

[tofubeer]

http://xkcd.com/936/

Re:Surprised?

Clearly they are the stupidest person on earth for not knowing off hand the password mechanics of a shit mmo.

Re:Surprised?

[dohzer]

And what's more, this article talks about how they don't know the password mechanics of a good MMO either!

Re:Surprised?

[squiggleslash]

Good. Case sensitivity in passwords is stupid.

There, I said it.

Also: if you're going to lock the user out after three bad attempts anyway (and therefore already have a mechanism in place to deal with external dictionary attacks), there's no good reason for that "Oh, you entered it wrong? Here, let me wait for 30 seconds before I tell you" delay that just fucking pisses people off rather than helps. I just thought I'd mention it, it's another pet peeve.

Actually, there's no need to lock after three bad attempts, just make the delay ONE TENTH OF A SECOND. That'll be long enough to foil virtually every dictionary attacker while short enough to not be irritating to end users.

Also, what's the deal with caps lock? Why the hell is that key still on the keyboard? NOBODY uses it and... I've gone waaaaaaaaaaay off-topic haven't I? I'll shut up and let the rest of the post be insightful.

Re:Surprised?

[ynp7]

Also, what's the deal with caps lock? Why the hell is that key still on the keyboard? NOBODY uses it and... I've gone waaaaaaaaaaay off-topic haven't I? I'll shut up and let the rest of the post be insightful.

I use caps lock every day, you insensitive clod! It's cruise control for cool.

Re:Surprised?

[Dachannien]

Also, what's the deal with caps lock? Why the hell is that key still on the keyboard? NOBODY uses it

My dad uses it. It's like he's still yelling at me every time he sends me an e-mail. /cry

Re:Surprised?

After having my own account *hacked* twice - both times within 18 months of inactivity, both times with very hardened passwords, even without case sensitivity.
Would get e-mails to an account that is only used for games authentication, indicating that the password was being reset, then e-mails stating that my account was suspended due to nefarious (game world finance manipulation) activities - all within 2 to 3 hours while I slept.
All activity was tracked back to another country, except for the account being unlocked/password reset.
I tried to force Blizzard to investigate, since the e-mail account wasn't hacked, had never been accessed on the same computer that I game with (Virtual Machine on another computer that resets back to initial settings on reboot), so there's no way any kind of key-capture software was installed.
All to no avail.

I know for certain it was a blizzard associate that sold my account info to get them in both times, but how do you prove it?

Seems like Blizzard is trying to get people from both ends.

I hope the lawsuit goes forward - maximum penalties.

Re:Surprised?

[LordLimecat]

My mind is boggling at this.

Is this new? Or has it always been this way? I swear that as of a few years ago caps-lock could cause your auth to fail.

Re:Surprised?

[magamiako1]

You are an idiot. Seriously.

Re:Surprised?

[Xenx]

There are legitimate business reasons for all caps. Only one I know of is tax returns, but wouldn't be surprised for there to be others.

Re:Surprised?

I can't believe people keep passing that around. It's terrible advice, unless of course you happen to live alone and never have anybody in the same room as you when you type in your passwords. By using real words, you greatly increase the ability of an attacker to fill in the gaps if they miss a few characters or pick it up over your shoulder.

It also completely misses the fact that you probably have more than a couple of passwords, at which point, you're going to want to use a password manager anyways, at which point, you might as well go for the one with the most entropy and the least predictability.

Plus it's a bit of a strawman there as you were never supposed to take a real word and substitute 0s and such in, that's never been an accepted practice for as long as I can remember.

Re:Surprised?

[dbet]

People don't get their accounts stolen through brute force password hacks, so who cares about case sensitivity.

Re:Surprised?

Case sensitivity in passwords is stupid.

There, I said it.

And having said it revealed your stolidity.

Re:Surprised?

It's not stupid at all. People are fucking stupid. If you can't type a password correctly, don't choose that password.

Re:Surprised?

[bug1]

Smart peopel keep the stupid well hiden.

Fakedit: DUOH

Re:Surprised?

[psiclops]

Plus it's a bit of a strawman there as you were never supposed to take a real word and substitute 0s and such in, that's never been an accepted practice for as long as I can remember.

back in the real world: upon password creation, it is always accepted by the system, and therefore generally what people use so that they can remember it.

actually most people don't bother with substitution they just capitalise the first letter & add the required characters at the end - which is usually just a number. whenever they are required to change password by the system they increase the number by one.

although - if 'correcthorsebatterystaple' were a standard password creation method, a brute force using a decent dictionary would be quite plausible.

Re:Surprised?

[Luckyo]

Actually it's likely the exact opposite. Not only do people leave the game after being hacked (or come back from hiatus, see a hacked account and leave for good), but the support costs associated with stolen and hacked accounts constituted a huge amount of support calls and contacts before authenticators. Probably after as well, but as there is not a single account compromise for account with authenticator attached (according to blizzard) their costs must have come crashing down for accounts that have authenticator attached.

Full disclosure: I have two separate accounts on battle.net, one since early 2007 (former WoW currently battle.net account) and one since SC2 release. Neither has authenticator attached, neither has ever been hacked. I've had one guildie actually hacked in WoW during a black temple raid back in TBC for their own stupidity. Literally "sorry guys, I just got hacked right after talking to GM [provides details on being socially engineered in a really silly way]".

Re:Surprised?

[cyclohazard]

Also, what's the deal with caps lock? Why the hell is that key still on the keyboard? NOBODY uses it and... I've gone waaaaaaaaaaay off-topic haven't I? I'll shut up and let the rest of the post be insightful.

The purpose of the Caps-Lock key is to remap it to Ctrl.

Re:Surprised?

Not knowing is one thing, claiming to know something and being wrong about it is another.

Re:Surprised?

[aaron552]

if 'correcthorsebatterystaple' were a standard password creation method, a brute force using a decent dictionary would be quite plausible.

Would it be though? According to a study by Harvard and Google, there are around 1 million words in the english language. 10^24 possible combinations for a four-word password. Not sure that a brute force dictionary attack would be plausible on that search space.

Re:Surprised?

You are clueless. I know exactly what I'm talking about, and it's all true.
Blizzard is already being investigated due to thousands of these kinds of events being reported.
Their complete lack of anything close to real security ought to be considered criminal negligence. Worse than Sony being hacked because it's Blizzard employees or trustees doing the work.

Re:Surprised?

Totally unrelated to the topic, but I agree that diablo 3 was a TOTAL complete waste of 60 dollars. I haven't played it since about a month after it was released.

Re:Surprised?

[wwphx]

They don't even have case sensitivity on their passwords. Compromised accounts drive additional sales, including the fobs.

Wow (no pun intended). You are absolutely correct. Part of my Battle.Net password was upper-case, I just tried it all upper, all lower, and reversed my core word/suffix case scheme and all signed in. I was fairly sure that in the past it was case-sensitive, so I was either mistaken or something changed in the past.

Re:Surprised?

[ildon]

Almost no one is going to get their battle.net account compromised due to lack of case sensitivity in passwords. It's because they do things like make their password "password1", or (primarily) because their forum account on a completely different gaming related website got compromised and they use the same email and password for WoW that they do for that forum, or their email account got compromised, or they fell for a phishing scam. If someone is lifting your password from another site or from a phishing scam, it literally does not matter what your password is because the attacker is going to have it, mixed case and all.

I would wager almost no one loses their account to brute force attacks. It's almost entirely social engineering or compromised external sites where they use the same passwords or trojans/keyloggers. Guild forums especially often run on very old and/or insecure forum software that's often compromised for years with no one realizing it.

Re:Surprised?

[X0563511]

... and claiming you know, and admitting when you discover when you were wrong, is another entirely.

Re:Surprised?

[Bremic]

The biggest issue is having the same password for both Forum and Game access.

Many years ago Blizzard should have made it that you have a "Forum Password" field in your account, and that is used to log into the forums. The number of people I see who use really secure passwords, then log into the Blizzard Forums from work using IE 6 is crazy. They are giving their passwords away.

Even when I have something to say, which isn't often, I rarely do because I don't want to log into the forums with the same password as my game.

Re:Surprised?

[Rakarra]

You know exactly what you're talking about except for the "I know for certain it was a blizzard associate that sold my account info to get them in both times" part.

Re:Surprised?

[TranquilVoid]

Well I just found out now, very surprising. And I thought I was uncrackable with PaSsWoRd too :(

Re:Surprised?

[ildon]

The Blizzard forums use the exact same authentication method as the game. I guess you can argue that people don't realize that logging into the forums on a public computer (like at a library or school computer lab) is dangerous, but I think Blizzard's time would be better spent educating users of that danger than making the user's life more difficult by having to manage two separate logins for the forums and for their account access, and setting up all the required software and hardware on their end to handle that change.

Re:Surprised?

[TranquilVoid]

Technically English has a lot of words but the vocabulary of the average person is closer to 50,000, and the average working vocabulary is way, way less (5,000 to 10,000 and certainly not evenly distributed). That is, there are a lot of words we recognise but would never think to use. From memory I believe that Shakespeare's works use 60,000 and the King James Bible 11,000. Most passphrases would be chosen from this smaller space.

Crunching the numbers, a 4-word passphrase (lowercase) would have 6.25e14 to 1e16 combinations. An 8-character password (uppercase, lowercase, numbers) would have 2.18e14. So they're in the same realm, at least with this simplistic analysis.

This is ridiculous

[synthparadox]

Not only does the $6.50 help cover postage and pay for the dongle, its completely optional and Blizzard makes the app available to as many platforms as they can. You can even install the authenticator on a Android simulator on a computer.

I'm in shock as to how entitled this person is. I honestly just can't fathom how he can claim that Blizzard "makes money" off these authenticators.

Re:This is ridiculous

They made $26 mil so far from these.

Re:This is ridiculous

I'm in shock as to how entitled this person is. I honestly just can't fathom how he can claim that Blizzard "makes money" off these authenticators.

And I'm in shock that you think a business would embark on a project like that, at a loss. Use your head.

One way or another, this creates revenue for Blizzard. If that is the (likely) case, then the man, however entitled he may come off, has a point.

Re:This is ridiculous

[synthparadox]

Right, because the keyfobs and shipping are free to Blizzard.
How does this guy know that Blizz made $26 mil from them? Does he have access to the sales reports? Remember, "the complaint accuses Blizzard of making $26 million in Authenticator sales." Accusing someone of making money and them -actually- making that much money is two completely different things.

Re:This is ridiculous

Shouldn't the $60 purchase price and (possible) $15 monthly fee "help cover postage and pay for the dongle"?

It's not "completely" optional, use of Diablo 3 RMAH requires it and/or the mobile app, and if you don't have a phone that can run the mobile app, then the authenticator is the only way to use an advertised feature of the game.

Blizzard does profit, however little, from the authenticators. Do you really think that they take a loss on them? Or that $6.50 is the magical round number that represents exactly their cost? No, of course not, Blizzard is rounding up to cover their cost (assuming there is no intentional profit margin built in) and they make money from it, period. The real issue though is the fact that they are forcing users to pay for the game's security, profit or no profit. It's a hidden cost of being able to enjoy the product you already paid for.

Re:This is ridiculous

[LordLimecat]

Theyre optional, and completely unnecessary if you use a good password. That they offer an ADDITIONAL paid service that competitors do not does not in any way obligate gamers to use the authenticators.

If they want to sell guides for creating strong passwords at $10 a pop, and they end up making $500 mil on it, who cares? Its a service that apparently people want. The man doesnt even seem to allege that the device was ineffective-- simply that it was unnecessary and he for some inexplicable reason bought it anyways.

Re:This is ridiculous

[synthparadox]

Hacked accounts are a loss for Blizzard. Not only do they have to staff GMs to handles these requests, they have to restore items and more often than not they can't remove the stolen items. I firmly believe the $6.50 pays for the keyfob and the postage, and that's it. If they can break even, its a net gain for them since they can reduce the GM ticket queue and free up these expenses and time for other things. Remember how they laid off 600 employees in April? (http://wow.joystiq.com/2012/04/27/the-lawbringer-autonomous-systems-deal-with-customer-service-pr/) That was a reduction in operating costs for supporting these types of requests.

Re:This is ridiculous

[synthparadox]

You don't need a phone to run the mobile app. The fact that you can run android apps on a SDK on the computer has been known for a while now. See: http://www.mmo-champion.com/threads/713865-How-to-get-Battle-net-Mobile-Authenticator-COMPLETELY-free

Re:This is ridiculous

[jklovanc]

Income is not the same as profit. They sold for $6.50 but it cost Blizzard much more to purchase and ship them. From a financial statement point of view making no profit from a sale is bad for the company yet Blizzard is still doing it to support their customers.

Re:This is ridiculous

[meerling]

Blizzard already claims to do this at cost. That would mean no profit. Wonder where he's getting his $26 million profit statement from. It might be a cost instead of profit, but either way, his lawsuit is b.s. as the security fob is an optional and non required item, and the software version is free, that guy is an idiot trying to get a payday from Blizzard settling rather than paying to take it to court. I hope Blizzard takes the high road and fights him all the way.

Re:This is ridiculous

[jklovanc]

There are three way to run authenticator;
$6.50 hardware device
App on a smart phone
App on an android simulator on your computer.
There are three ways to run it; two of which are free. The only reason to buy the dongle is for convenience.

Re:This is ridiculous

[rgbrenner]

Income is exactly the same as profit. I think you are confusing income with revenue in your post.

Re:This is ridiculous

Theyre optional, and completely unnecessary if you use a good password. That they offer an ADDITIONAL paid service that competitors do not does not in any way obligate gamers to use the authenticators.

If they want to sell guides for creating strong passwords at $10 a pop, and they end up making $500 mil on it, who cares? Its a service that apparently people want. The man doesnt even seem to allege that the device was ineffective-- simply that it was unnecessary and he for some inexplicable reason bought it anyways.

Organization purposely creates a primary authentication system that allows extremely weak passwords (sorry, there's no business excuse you can give me for this. None).

Accounts get hacked as a result of this.

Since two-factor authentication remains "optional" as many have repeatedly pointed out, it tends to lay serious question as to whether consumers really wanted this service, or were coerced into buying it due to ridiculous security policies (or lack thereof) on the primary authentication mechanism.

If Blizzard made a profit on that action, I'd certainly question their motives. Are they really trying to help by continuing to allow weak passwords and optional two-factor authentication, or are they merely perpetuating or creating new revenue streams? I'd say the latter rules almost every time in business.

Re:This is ridiculous

Well, that's a "solution" that only a slashdotter would consider valid. The price of the authenticator is not the issue -- for $6.50 it's probably worth it to not have to install and then run an Android emulator every time you want to login. It's the principle of making the customer pay for this after the fact. If the game requires authenticators to use its features, it should come in the box.

Re:This is ridiculous

[synthparadox]

If you really want to be correct, income can be either net or gross. Gross income is revenue. Net income is profit. Because he didn't state what kind of income, he's technically still correct. </pedantic>

Re:This is ridiculous

[arbiter1]

there is a 4th way, its Called WinAuth. A problem you can run on your computer to generate the code. Its FREE as well. http://code.google.com/p/winauth/

Re:This is ridiculous

The term income by itself is vague.
Depends on if it is Gross income (Revenue) or Net Income (Profit).

Re:This is ridiculous

[kurzweilfreak]

Zomg, a company makes money off of sales of something that you don't need to play the game? Travesty! That has to be illegal!

Re:This is ridiculous

Pedantry is only acceptable when it's used to shove something up the ass of other pedants. Well played.

Re:This is ridiculous

[mat.power]

He's technically correct, the best kind of correct!

Re:This is ridiculous

[yndrd1984]

It's the principle of making the customer pay for this after the fact. If the game requires authenticators to use its features, it should come in the box.

I'm billing Ford for my gas, oil changes, and regular maintainance. I'm also suing because the advertisements showed an attractive woman in the car, and mine didn't come with one - I had to buy one separately from some "RussianBride" company. What a rip-off!

Re:This is ridiculous

[synthparadox]

Thanks for the car analogy. I had this long-winded post written up about the "entitlement" of receiving the authenticator with the game, but I think your post responds in a much better manner. :)

Re:This is ridiculous

[jklovanc]

Ever heard of an Income and expense report the balance of which is either profit or loss? In a number of dictionary entries income and revenue are synonymous.

Re:This is ridiculous

[X0563511]

Technically correct is best correct.

Re:This is ridiculous

[jklovanc]

Net Income (Profit).

Close but not quite. Positive net income is profit. Negative net income is loss. Income is the amount of money coming into the company regardless of how much money is going out of the company (expenses) and is synonymous with revenue. When one qualifies it with "net" then it changes meaning. The terms "negative profit" and "negative loss" are useless as there are much matter terms available.

To me using the term income implies gross income. It is like asking someone how much their wages are. We assume they will talk about before tax wages and not after tax wages.

Re:This is ridiculous

[stephanruby]

Not only does the $6.50 help cover postage and pay for the dongle, its completely optional and Blizzard makes the app available to as many platforms as they can.

Their authentication software is available for the two dominant phone os platforms, Android and iOS. That's it.

Just to put things in perspective, the Google authenticator, which is open source (Apache license), uses open authentication standards, and which could be used for free by Blizzard, can also be run from the command-line on Linux, Mac OS, and Windows, in addition to iOS, Android, and Blackberry.

You can even install the authenticator on a Android simulator on a computer.

How convenient.

First of all, Android doesn't really have a simulator, it has an emulator. It's slow. It's heavy-weight. It's not much of a solution for the average joe. Speaking as someone who works with it daily, I don't think the Android emulator is something that should be required for a consumer who wants to play a game he supposedly just purchased.

The only point of contention is whether, or not, this authentication system is really required to play the game. Right now, according to the companys' response, this new authentication is completely optional, but for some reason that consumer believes it was required, or that it will be required even for users that are not on the system right now.

Either the consumer doing the suing is an idiot, or perhaps Blizzard implied that it would indeed become a requirement, and recently backpedaled as the lawsuit emerged. Either way, this issue seems to be moot right now.

The only (non-legal) questions remaining are: Why aren't they using open standards for authentication? And why are their passwords not case-sensitive? Are they converting them to all lower-case before doing the hashing? Or are they storing their passwords all in plain text?

Re:This is ridiculous

When I got my authenticator years back when they first came out, the package it came in had the postage price of $6.50 stamped on it. I would say that yes, Blizzard actually is selling them at a loss.

Re:This is ridiculous

[rgbrenner]

wow... really? you wrote all that and you couldn't be bothered to look up the definition of gross income?

gross income = revenue - cost of goods sold

Re:This is ridiculous

[rgbrenner]

Yes, I have seen an income statement. Here's blizzards:
http://finance.yahoo.com/q/is?s=ATVI

Notice it has separate lines for
Revenue, gross profit, and net income

That is because they are DIFFERENT

"Different" is when two things are not the same.. like how revenue and gross profit are not the same.

Re:This is ridiculous

[flimflammer]

You have to be incredibly dense not to see why they would do this. It costs them less to sell authenticators at cost than it is to constantly have staff fixing hacked accounts and having people quit over hacks.

One time fee; Consistently recurring subscription
--or--
Player hacked, costs CS manhours to fix, player potentially quits.

Which one do you think a smart business is going to choose?

Re:This is ridiculous

[mlts]

A good chunk that (if not almost all) goes for shipping, as well as to Vasco DigiPass GO6 which then is rebranded (adding extra cost).

If Blizzard wanted to make money from these, they could do very easily [1]. However, they don't.

I'm normally a critic of Blizzard, but IMHO, this is one area where they are doing something right, because two-factor authentication is a significant improvement in security.

As far as I know, this lawsuit is pointless. If one doesn't want to give Blizzard cash for an authenticator, the app that does the exact same thing is free on iOS and Android.

[1]: Phase out the apps, then require the physical authentication token to be attached to the account in order for the user to use the AH or trade with other players.

Re:This is ridiculous

[DrgnDancer]

But there's free options for authenticators. You can use a phone app. If you don't have a smart phone, the phone apps work on the iPod Touch, the iPad, or any Android tablet or "smart" MP3 player; they even work in the phone simulators that Apple and Google provide for free with their developer kits. Granted installing a phone simulator to run an authenticator is a pain in the ass, but it is free.

Re:This is ridiculous

> Their authentication software is available for the two dominant phone os platforms, Android and iOS. That's it.

I'm pretty sure I have it installed on my phone which runs windows phone.
There's also that native windows program you can run (or at least there was, back when I installed this POS).

Re:This is ridiculous

[jklovanc]

Fine, I will rephrase;
"Revenue is not the same a profit".

Re:This is ridiculous

It DOESN'T require authenticators -- they are OPTIONAL

Re:This is ridiculous

[realityimpaired]

No, revenue less costs is net income.
https://en.wiktionary.org/wiki/net_income

Gross income is total income before costs are deducted.
https://en.wiktionary.org/wiki/gross_income

Re:This is ridiculous

[Anubis+IV]

His number is extremely bogus.

Even if we ignore manufacturing costs, maintenance costs, shipping costs...hell, ALL of the costs...it still means that they would have sold 4M of these dongles at $6.50 each in order to make $26M. Mind you, Blizzard offers free Android and iOS apps that do the exact same thing, and Blizzard caters to the crowd that tends to get these devices, so that would eat into sales of the dongles. Not to mention that 4M sales would represent 1/3 of the WoW players at its peak, which seems like an unreasonably high number. And the numbers only get more ridiculous from there, since even if we were to grant that Blizzard had a hefty 50% profit margin on each dongle, you'd still need to have found 8M people to have bought them.

Class actions can be useful at times. This is not one of those times. This is lunacy.

Re:This is ridiculous

[twocows]

But that analogy's just wrong. This isn't Ford making you pay for gas, it's Ford making you pay because they sold you a car without a door lock and a very cheap ignition lock.

Re:This is ridiculous

Your analogy is also wrong. Battle.net has some security features. The authenticator is like having an optional alarm system installed in your car, which might I add also costs extra.

Re:This is ridiculous

[rgbrenner]

gross income for a business is not the same as for your personal income:

here is the business definition of gross income
http://www.investopedia.com/terms/g/grossincome.asp

Re:This is ridiculous

[SydShamino]

I don't think wiki world is a good source for that. They aren't even consistent:
"Gross income in United States tax law is receipts and gains from all sources less cost of goods sold."
per http://en.wikipedia.org/wiki/Gross_income

That's the definition most people on this site would rightfully quote.

Re:This is ridiculous

They are pretty damn cheap compared to rsa secureid

Re:This is ridiculous

God damn, fuck you and entitled dumbasses like you. Users are TOO DAMN STUPID to protect their own accounts. It's not the fault of fucking blizzard that users are majorly retarded and can't keep a password safe, constantly getting caught by primary school grade phishing attacks, or getting their shitty Windows computer exploited. Oh noes, the passwords aren't case sensitive, well guess what just type a longer fucking password and stop giving it to every gold farming chinamen you encounter.

Giving away authenticators for free? are you god damn fucking shitting me? What will they want next too? A motherfucking thumb scanner mailed to their doorstep over night after you buy the game?

Here's what you're paying for when you buy the game: the fucking game, an account, some place on their db and the right to login for a month. Take that and shut the fuck up. Seriously, when you check in at an hotel do you whine because they don't give you a key to a separate set of deadbolts in case you're too damn stupid to not drop your card on the floor?

Jesus christ people.

Re:This is ridiculous

[arth1]

How convenient.

First of all, Android doesn't really have a simulator, it has an emulator. It's slow. It's heavy-weight. It's not much of a solution for the average joe. Speaking as someone who works with it daily, I don't think the Android emulator is something that should be required for a consumer who wants to play a game he supposedly just purchased.

It's also neither offered by nor supported by Blizzard.

The availability of an unsupported third party product[*] does in no way lessen any onus on Blizzard to provide customers who fulfil the requirements on the box with what's otherwise needed to play the game in full. Including the auction house.

[*]: An SDK and an emulator, the set-up of which is so user-unfriendly that I'm sure a majority of Blizzard customers would give up during the initial installation, to say nothing about actually getting software to run under it. It's made for experienced programmers, and not mom playing DIII.

Re:This is ridiculous

[Archimonde]

You are right on. Blizzard locked out my account because I was changing geographical zones too much (I'm a seaman, working on a cruise ship). So they said that I had to change my password. And to do that you have to receive a text message with a code on your mobile phone. This part didn't work even though the phone number stored was completely ok. So I couldn't change the account's password.

Then you have to open support tickets which I did, and the same day I've received a mail that they are not going to unlock my account nor delete/change my mobile phone number because they cannot verify that it is the real person contacting them. And I've sent them my national ID card scan. Basically they didn't even read my support ticket. Then I've opened another ticket and a day later some guy unlocked my account because this guy obviously read my e-mail and it probably helped that I've sent them a scan of my ID and passport.

But of course, the SMS text message functionality was still impossible to disable because I couldn't receive a verification code sent by a text to disable that "feature". Then I had to open another ticket and some guy disabled that shit.

Then couple of days after this events I've received a mail from Blizzard that I should purchase and authenticator to avoid problems like this. Fuck them! I've given them like hundreds of dollars and they give me shit like this and locking me out of my own account which has a very secure password.

Re:This is ridiculous

This is lunacy.

Every time balance changes are made, there are rants on forums about how Blizzard's screwed them out of 6 years of their lives by making their class useless and about how they are going to launch a class-action lawsuit. It boggles the mind that someone's actually done this.

Re:This is ridiculous

[Elbart]

Yeah, because running the authenticator on the same machine you're trying to authenticate from is best practice. Right?

Re:This is ridiculous

Or you can just use the winauth binary.

Re:This is ridiculous

[fa2k]

The reason these car analogies fail is that Blizzard isn't selling a product, they're selling a lifetime membership to a service. It's like buying a lifetime bus pass. Then the bus company installs RFID readers on a few bus routes and you have to buy an RFID chip or use a phone with NFC to go on those buses.

Re:This is ridiculous

It's a matter of negligence in this case. Blizzard quite freely admits that their basic login protection is worthless every time their answer to your account getting hacked is "buy an authenticator". There's a case of fraud, as Blizzard attempts to sell you an optional product rather than fixing what they freely acknowledge is a broken system.

And there's a case of douchebaggery as they tell you that it was your fault for trusting their own account protection systems rather than buying an authenticator because banks totally charge $30 for the same service, so you're really getting a great deal! But wait, there's more douchebaggery! When you buy an authenticator and still get hacked, it's still not Blizzard's fault because the Blizzard rep personally checked just about almost every single account and they all had dirty filesharing software and malware and were all buying gold from gold-farmers!

And the users themselves perpetuate the bullshit because they never got hacked and apparently have no fucking clue about how hacking works, or the problem with using a hotel analogy when it comes to comparing secure systems. For example, I would expect a hotel that admits that its basic locks don't provide protection against a particular hacking practice would CHANGE THE FUCKING LOCKS!!

Re:This is ridiculous

These devices are not only intended to compensate for bad passwords. They also compensate for things like key loggers. If you have the authenticator on your account, it isn't possible to log in with a stolen password unless you also have the device.

Re:This is ridiculous

[cratermoon]

completely unnecessary if you use a good password.

That's a dangerously incorrect assertion to make. People's battle.net accounts don't get compromised because a malicious party cracked a password. Keyloggers, phishing, social engineering, and just plain fraud are all far more common avenues for password leakage, both in battle.net and overall.

The days when a hacker could bang on the front door of a service trying username/password combinations until finding one that worked are long gone. The reason Blizzard introduced authenticators was because their own experience indicated that no matter how tightly locked the servers, or how strong the password requirements, with the client software and hardware out of their control, passwords were still getting out. So they went with the next best convenient security practice: something you know, and something you have.

Re:This is ridiculous

Beggars can't be choosers.

Re:This is ridiculous

Ford's lock and ignition work just as long you don't leave your key in lock (trojan), willingly give your key away (phishing), or use same key for everything you in your life (unique password).

Re:This is ridiculous

No, this Ford selling you a car with industry standard locks, and offering reinforced locks as an option. What company are you thinking of that gives you a free 2FA dongle on signup?

Re:This is ridiculous

These things probably cost Blizzard upwards of $30. If they really shipped 4 million authenticators they actually lost like $100 million (which they undoubtedly recouped in reduced customer support tickets).

Re:This is ridiculous

[ildon]

It doesn't create revenue for Blizzard, but it does greatly reduce their support ticket volume (by directly reducing the number of compromised accounts) which allows them to hire less support staff to handle it which reduces their support overhead. There is no doubt in my mind, that despite the fact that they probably LOSE tons of money on authenticators, they "make it back" in spades saving on support costs. But this is a GOOD THING. Players who get their accounts compromised often just use it as an excuse to quit, and for those who don't quit, no matter how helpful customer support is, it's still a really shitty experience and it still takes time out of your game playing.

In the end, it's a net positive for both Blizzard and the consumer.

Re:This is ridiculous

[ildon]

It's more like they have free wifi on the bus, but you have to pay for your own laptop or smart phone to access the free wifi, and they also offer to sell you a laptop that only browses the internet on their bus wifi for $50. But it's still a fucking laptop that cost the bus company like $400 or more.

Re:This is ridiculous

[antdude]

Was that woman from "RussianBride" company (which one?) worth or a rip-off too? [grin]

Re:This is ridiculous

Yes of course, attack the analogy. Except in this case people are getting hacked due to their own stupidity, not because the system itself is broken.

Re:This is ridiculous

[Bremic]

When I bought the Authenticator's for my wife and I several years ago, it was $6.50 for each Authenticator, and then about $30 for shipping. If you don't live in the US, the cost of these things is really quite high.

Installing an Authenticator on your phone is an acceptable compromise, but people lose their phones a lot, and that is yet another issue.

I still don't feel this man should have a case. Blizzard do not force you to use an Authenticator, though I think they should. They also don't charge for the Mobile Authenticator.

Re:This is ridiculous

[coxymla]

Minor quibble: the IOS mobile authenticator app won't run in the simulator because the IOS sim is not an emulator. You need to compile an app specifically for the sim.

The Android sim is actually a full-fledged emulator and so can run any app, but is obviously much less performant because of that.

Re:This is ridiculous

I'm pretty sure I have it installed on my phone which runs windows phone.
There's also that native windows program you can run (or at least there was, back when I installed this POS).

That may be the case. It's just that according to their page, which if you scroll down, they say they support iOS, Android, phones from some Korean carriers, plus the physical dongle. It's not that I don't believe you. It's just that if they do support Windows phones, they don't make it immediately obvious that they do.

Re:This is ridiculous

It's more like Ford sold you a car,
they charge you an additional 6.50$ for the keys. Which you ofcourse assumed would come with the vehicle in the first place.

Re:This is ridiculous

Zomg, a company makes money off of sales of something that you don't need to play the game? Travesty! That has to be illegal!

I can't say I would go so far as to sue them, but I do think this isn't as black and white as you make out. To take it to the extreme, imagine if Battlenet did not allow you to set a password, and every user had the same password. In this case, you'd be understandably enraged at the offer of paying for an Authenticator over and above the price of the (disappointing) game.

Now imagine Blizzard actually provided an industry-standard, best practices, security mechanism. In this instance, you might actually appreciate the offer of an Authenticator as additional protection for the paranoid.

There is a continuum of scenarios between these lines, and at some point in that continuum your opinion would change from indifference to outrage. I believe offering an Authenticator at a price when their fundamental security mechanism is flawed is a slap in the face. Why should I pay extra to get decent security? What next? Paying for patches to fix bugs?

Re:This is ridiculous

If you don't want to pay, use one of the multiple free applications available for it. People are only whining because they want freebies, nothing more, nothing less. If they really had a reason behind their superfluous bitching, they'd realize there are many ways to add the authenticator for free, and that anyway most people getting hacked are getting keylogged or phished.

Re:This is ridiculous

No, it's Ford selling you a car with a regular door lock and key. And then you demanding they give you a keyless entry fob for free.

Re:This is ridiculous

[void*]

Every time Blizzard's response to an account being hacked is "get an authenticator", the only thing they are admitting that the user hasn't sufficiently secured data (the account password) that blizzard has no control over.

Re:This is ridiculous

Well sure, I could imagine any number of ridiculous hypothetical scenarios that would piss people off, but people are pissed off about this particular actual scenario and have (IMO) no good reason to be other than omg I think some company is making money off something that isnt required, how dare them!

It's really not that difficult to create a long secure password.

Re:This is ridiculous

I'm also suing because the advertisements showed an attractive woman in the car, and mine didn't come with one - I had to buy one separately from some "RussianBride" company. What a rip-off!

Wow, that had to cost you a pretty penny.

I just drove down to the mall and picked up a couple of high school girls.

Re:This is ridiculous

[tlhIngan]

No, this Ford selling you a car with industry standard locks, and offering reinforced locks as an option. What company are you thinking of that gives you a free 2FA dongle on signup?

Except to use the radio, you MUST buy the reinforced locks. Otherwise you can use the car just as you bought it, except the radio won't work. Your car works perfectly fine, the sound system is completely optional, but the ad did say it came with one. It didn't mention you have to buy an OPTION to use it.

Basically if it's required to use a feature on the box, it should've been in the box from the get-go.

Re:This is ridiculous

[twocows]

Except they're not. People in Diablo 3, at least, were getting hacked because session data in public games was being hijacked or something, allowing people to authenticate as someone else using that information (I believe there's a /. article about it, in fact). And as for WoW, I came back after 3 years of not playing and my account had been hijacked a year prior (God knows why, I had a single level 30 character). My password was not something easily breakable and was unique to my battle.net account, and I hadn't had any communication with Blizzard in that three year time period. The only explanation I can come up with is that they had a break-in that they failed to notify their users about or some other security flaw. Both of those are problems on their end.

Blizzard's security is absolute crap. Selling a car with a shitty lock and then handing out dongles to fix it is not an acceptable practice. I wouldn't care if they were free; that's simply not how a professional corporation should do business. They need to fix their shit or I won't buy from them; it's that simple. The customer shouldn't have to deal with that crap.

Re:This is ridiculous

[jwalston]

I think this is all bogus also. I think Blizzard makes some mightly claims. However, we will have to follow up with this one. You can read more about that here: http://www.squidoo.com/best-water-softeners

Re:This is ridiculous

Whether Blizzard's security is broken or not is completely irrelevant to this article, and I'm still right anyway. Most compromises are NOT from exploits but from idiots getting phished, and you can see it -all day- in their customer service forum. Buying gold/powerleveling is what gets people compromised most of the time.

And either way, there's nothing forcing you to buy the authenticator. There's a free app on all relevant phone platforms, and you can get a desktop application if you live in the stone age and don't have a phone.

Going nowhere...

Question #1 will be : "Did blizzard make you buy one in order to play the game, and are there any consequences to not doing so?"... "No, and No"...."Case dismissed"

Re:Going nowhere...

not necessarily, he can always say that it wasn't well indicated on the box or website when he bought the game. So this can be applied under "false advertisement" since it doesn't tell him that he must pay additional money.

Re:Going nowhere...

[hawguy]

not necessarily, he can always say that it wasn't well indicated on the box or website when he bought the game. So this can be applied under "false advertisement" since it doesn't tell him that he must pay additional money.

But he doesn't have to buy it -- he can pick a secure password and protect it (and protect his computer against keyloggers and other malware). When I buy a car the dealer doesn't tell me that I have to buy a car alarm with it at extra cost. Because I don't. It might be prudent, depending on where I park the car, but it's not necessary.

Re:Going nowhere...

[LordLimecat]

You have to sign into battle.net to order one, which indicates right away that you do not need one to sign into battle.net. That someone could be confused by this is absurd.

Re:Going nowhere...

[Rockoon]

Question #1 will be : "Did blizzard make you buy one in order to play the game, and are there any consequences to not doing so?"... "No, and No"...."Case dismissed"

No, and Yes. An authenticator is required for some aspects of some of blizzards games, such as the real money auction house in diablo 3. This requirement most certainly was not advertised during initial sales, but the real money auction house feature was advertised during initial sales as a selling point. In fact, you will find slashdot articles about the real money auction house prior to the games release.

Re:Going nowhere...

[steppin_razor_LA]

You can also for free have them set it up so that they do phone authentication when you login from a different IP address.

Re:Going nowhere...

To use the diablo auction house you NEED to buy one. Or... Have a smartphone that can run the app (yet another aditional cost, not everyone has or wants a smartphone). Or they need to run the auth app on an emulator on their pc. Which has plenty of problems itself. Either way at the very least you can say that it is an extra hoop to jump thru to play a pc game that you paid for that was not really told to you upfront. And that hoop has a sliding scale of costs from actual real money to just yet another hassle that puts some of the onus of securing a GAME on the user because the company that sold you the game is lazy and cheap and greedy and this was the best they could do and didn't wanna throw the damm dongle into the already high cost of the $60-$70 game.

I remember when we used to get full color cloth maps and plenty of stuff in a game.... They really can't just throw the fucking fob in anymore? come on now...

I don't know if its enough to sue over.. But it sure is fucking stupid. And if blizzard is doing it AND making a profit doing it... It's really kinda scummy greedyfuck bullshit too.

I don't like it. How about you?

Re:Going nowhere...

[Iceykitsune]

1. No
2. You cannot use the Real Money Auction House.

Re:Going nowhere...

Hey, cool, for $24,000 I will sell you a device that will give you a more attractive personality. Except it doesn't do anything beside sit in your drawer and funnel money my way. I won't tell you that but it will be true, I'm sure the courts will dismiss your and everyone else's class action suit because it caused you no harm and it did not prevent you from being a nicer person.

Re:Going nowhere...

Not if you use paypal. I've used the RMAH and never used an authenticator. Haven't played D3 in months though.

Re:Going nowhere...

not necessarily, he can always say that it wasn't well indicated on the box or website when he bought the game. So this can be applied under "false advertisement" since it doesn't tell him that he must pay additional money.

But he doesn't have to buy it -- he can pick a secure password and protect it (and protect his computer against keyloggers and other malware). When I buy a car the dealer doesn't tell me that I have to buy a car alarm with it at extra cost. Because I don't. It might be prudent, depending on where I park the car, but it's not necessary.

Actually your car analogy doesn't work here. When I bought my car, the dealership installed another car alarm system for higher revenue on the sale.

Re:Going nowhere...

[hawguy]

not necessarily, he can always say that it wasn't well indicated on the box or website when he bought the game. So this can be applied under "false advertisement" since it doesn't tell him that he must pay additional money.

But he doesn't have to buy it -- he can pick a secure password and protect it (and protect his computer against keyloggers and other malware). When I buy a car the dealer doesn't tell me that I have to buy a car alarm with it at extra cost. Because I don't. It might be prudent, depending on where I park the car, but it's not necessary.

Actually your car analogy doesn't work here. When I bought my car, the dealership installed another car alarm system for higher revenue on the sale.

The analogy still applies - the car dealer installed an alarm system that you wanted, and you paid for it. If you didn't want the alarm system, you wouldn't have paid for it. The dealer may have said "Oh, too late, it's already installed, you have to pay for it", and if you don't want it, you just say "No problem, I'll buy the car at another dealer, and suddenly you'll find that the "non-removable" alarm system can suddenly be removed, or that the $499 alarm system is yours for free. They aren't going to let you walk over an alarm that cost them less than $100 to install.

This is like Blizzard saying "Do you want the $6 token to make your account safer? If you want it, you pay the $6, if you don't, you say "No thanks".

Re:Going nowhere...

[stephanruby]

You have to sign into battle.net to order one, which indicates right away that you do not need one to sign into battle.net.

That's not how authentication usually works. As an admin, I also require my users to use to 2-step verification, but 2-factor authentication requirement doesn't kick in until the second time they log-in.

Re:Going nowhere...

[realityimpaired]

It's a flawed analogy to begin with however, because an alarm with an immobilizer is now required, by law, in enough markets that it's part of the standard kit on just about every car on the market. There's a reason that the market for after-market stereos and alarm systems has pretty much dried up in the last few years: it's because most new cars come with stereos that are good enough for most from the factory, and all new cars come with alarms.

Of course, given that I live in one of the markets where the alarm/immobilizer is required, there may be cars I can't get here which don't come with it, but in the North American and European markets, it's pretty much a given that you'll have one.

Re:Going nowhere...

Wait.. wait.... the consequence is.. no in game pet.. :O

Re:Going nowhere...

HEHE no. Nice try though.

Free mobile version is free

[Firehed]

Like TFS says, the mobile version is free. Just another moron trying to make a quick buck.

My concern with blizzard's authenticator is that they seem to have rolled their own implementation rather than adhering to an open, defined spec (HOTP/TOTP). And like so many of these services, there's no good way to move it to a new device without disabling 2FA temporarily. People do upgrade their phones, after all.

Re:Free mobile version is free

[synthparadox]

They introduced a "restore" feature a while back that allows you to migrate devices without removing two-factor authentication. Basically, you enter the restoration code into the new phone/device and both devices will continue to generate the same seeded code. This can also be used to extend the authenticator to multiple devices like having a smartphone and a tablet both generate the same code. This is just an ease-of-use feature, especially when sometimes you can't find one of the devices you installed your authenticator on.

Re:Free mobile version is free

[Roogna]

Not sure about if it's their own implementation or not, but it IS very easy to move to a new device.

They provide a serial number in the app, and a recover code. Simply entering both on the new mobile device and you've got a clone of the original.

Re:Free mobile version is free

[arbiter1]

I forgot site off hand but there is software based one you can run on your computer as well that is free, no need to buy a keyfab or a phone that can run the app. software has optional lock down to 1 computer and password option's

Re:Free mobile version is free

[Cinder6]

I actually had to use the restore code last night--it didn't work. The restore code itself worked, but battle.net still said the authenticator code was wrong. It was fairly trivial to get them to remove the authenticator (enter a code sent via SMS), but by then I had "too many login attempts" and had to wait a few hours. Frustrating.

Re:Free mobile version is free

[magamiako1]

http://www.wowwiki.com/Battle.net_Mobile_Authenticator_Specification

I'll just leave this here. But feel free to continue thinking you know everything. Also check out RFC 4226 and 6238 and compare it with this wiki article. Enjoy!

Re:Free mobile version is free

[Nyder]

Like TFS says, the mobile version is free. Just another moron trying to make a quick buck.

My concern with blizzard's authenticator is that they seem to have rolled their own implementation rather than adhering to an open, defined spec (HOTP/TOTP). And like so many of these services, there's no good way to move it to a new device without disabling 2FA temporarily. People do upgrade their phones, after all.

How is suing someone a quick buck? Unless they cave and decide to pay you off, you still have to pay filing charges, lawyer fees (providing you got one), and wait for the court date. Seems quite a hassle to be considered 'quick'.

Re:Free mobile version is free

My concern with blizzard's authenticator is that they seem to have rolled their own implementation rather than adhering to an open, defined spec (HOTP/TOTP). And like so many of these services, there's no good way to move it to a new device without disabling 2FA temporarily. People do upgrade their phones, after all.

Their's does follow RFC 6238. It's the key generation which is customised.

And they have built a Restore feature that allows you to move it to any other device.

Re:Free mobile version is free

[Macgrrl]

I upgraded my phone last weekend and migrated my authenticator using the restore code, it worked fine. I checked the keys were in sync before wiping the old phone. I didn't need to disable the authenticator form my old account to do so, it just worked.

Great!

[hawguy]

If they win this suit, I'm going after Google to pay my phone bills since they give me the option of using SMS based authentication to protect my Gmail account.

Idiot?

[Xenx]

He seems to be an idiot to me. The authenticators were created to protect a community that is targeted regularly from their own stupidity. Basically, it's to protect from phishing and keylogging. Blizzard is just offering them an additional method to secure them, for a negligible cost. As for the issue with the hack on their servers, they made sure to alert their users via their registered accounts. Any legal requirements, anything else in regards to their quality of security... I can't speak for.

Idiot.

[girlintraining]

It's not mandatory, and it's a game. A service provided to you, and a limited version that's free to use. The security problem is inherent to all MMOs -- and Blizzard is providing a way for people concerned with hacking to protect their investment in the game, at a reasonable rate. These authenticator tokens often cost a lot more than the cost of a meal at mcdonald's in other industries. The guy doesn't have a leg to stand on. He max-leveled in idiot.

Re:Idiot.

I don't even care at this point. Blizzard is such a shitty pro-DRM company that they deserve to be sued into oblivion.

Not that they will be.

Authenticator is not a Blizzard product...

[Kenja]

It is made by Vasco and is sold in large quantity orders for around 6.50$, which is the same as what Blizzard charges for it. The idiot in question is basicly claiming Blizzard sold 400,000 Authenticators at a 100% profit margin.

Re:Authenticator is not a Blizzard product...

[LordLimecat]

at $26 million, that would be 4,000,000 at 100% margin, which stretches the bounds of credulity.

Re:Authenticator is not a Blizzard product...

[drinkypoo]

Authenticator is not a Blizzard product... It is made by Vasco and is sold in large quantity orders for around 6.50$, which is the same as what Blizzard charges for it

1) The subject line is not part of the comment body...

2) Do you personally know what Blizzard is being charged for what they're reselling? And if not, why are you coming on like you do?

Re:Authenticator is not a Blizzard product...

you mean 50% margin.

margin = profit / sell price.

100% would be the markup = profit / cost.

Your point is valid though: the guy is a clown.

Good for people with multiple computers or friends

This is good, as if you log in to Battle.net from another computer, you need to reset your password. That's completely stupid and practically forces you to get some form of authenticator, if you don't want to jump through hoops every time you switch computer.

Let's shut down these greedy bastards

Warcraft should be free, and Blizzard should become a charity.

Sometimes free

[jklovanc]

A friend of mine got hacked three times. Blizzard sent him an authenticator for free. It costs them less to send the free authenticator that keep fixing his account.

This is just someone trying to make money on a frivolous law suit.

Re:Sometimes free

[Rockoon]

A friend of mine got hacked three times. Blizzard sent him an authenticator for free. It costs them less to send the free authenticator that keep fixing his account.

What you are saying is that if they got $6.50 out of him instead of giving him the device for free, that it would have been an additional $6.50 in pure profit?

Think about that for a moment.

Re:Sometimes free

I thought about it for an entire millisecond, and realized that it is virtually impossible for them to sell a physical product for $6.50 and make $6.50 in "pure profit."

Unless, of course, they have a wizard conjuring the things out of the ether. A wizard who works for free and doesn't eat.

Re:Sometimes free

[maxdread]

A wizard who also happens to have a buddy at the USPS willing to hook him up with free shipping as well.

Re:Sometimes free

[realityimpaired]

No... what they were saying was that fixing the account and ensuring a continued revenue stream of $15/mo was favourable to him cancelling the account for want of a $6.50 one-time cost.

While this is true for every account, and is an argument in favour of simply giving the things away, most accounts never get hacked, and they *do* simply give the things away to anybody with a smartphone. When they do get hacked, the labour costs for fixing the account are what makes sending the authenticator an option.

It's not rocket science, people.

Re:Sometimes free

[jklovanc]

No,what I am saying is that Blizzard decided decrease their losses by spending $6.50 + S&H instead of spending much more every time he was hacked.

The only way it would have been pure profit is if the got $6.50 out of him without sending the device. If the device was sent the profit would be $0 ($6.50 income - $6.50 cost of goods sold).

People really need to understand the terms income, expense, cost of goods sold, and profit. It is a simple equation profit = income - (expenses+cost of goods sold).

Re:Sometimes free

[Rockoon]

People really need to understand the terms income, expense, cost of goods sold, and profit

"People" clearly includes you.

You are buying a car for $20000. Just before you sign the agreement I run in and hand you a 10% off coupon. Thats $2000 is pure profit. It doesnt matter that the car still costs you $18000.

If your friend had given blizzard $6.50 for that authenticator instead of simply accepting it gratis, its exactly equal to a $6.50 coupon that blizzard cashes in. Pure profit. A windfall.

Re:Sometimes free

[jklovanc]

Profit is money you didn't have before, What you described is not profit it is less cost. The only person possibly making profit in the transaction you describe is the person selling the car and only if it cost him less that $18000. The definition of profit deal with the seller and not the buyer. It is a simple equation profit = revenue - expenses.

This is irrelevant to the main conversation anyway. The premise of the suit is that Blizzard if profiting from the sale of authenticators and not that the plaintiff is profiting. Is Blizzard profiting directly from giving away authenticators?

Re:Sometimes free

[antdude]

Why did your friend get hacked so many times? Isn't it his/her fault and not Bizzard's? Did Blizzard get hacked or something to send him/her a free authenticator?

Re:Sometimes free

Actually yes. When I pointed the same thing out on their forums, stating that: "Why should we be obliged to pay to reduce Blizzard support cost from having to deal with hacked accounts," I was emailed shortly afterwards claiming that they put me in some sort of a "pilot program" and that I could get a free authenticator... Now this could be mere coincidence, or they could just be trying to silence me. Regardless, I got a free authenticator which I still use.

Starcraft

'vigorously defend' themselves.

Sounds like a Terran turtle.

Re:Free mobile version costs $500

...if you don't already own a smartphone that can run their app.

Battle.net

The end of the article indicates he is suing to not require a battle.net account just to play a game, which seems reasonable to me.

Re:Battle.net

[cob666]

I hope you're being sarcastic. How are you supposed to play an online game without having an account? That would be like wanting to play Mafia Wars on Facebook without having to log into Facebook. I'm not a big fan of Blizzard but this lawsuit is total bullshit.

Re:Battle.net

I hope you're being sarcastic. How are you supposed to play an online game without having an account? That would be like wanting to play Mafia Wars on Facebook without having to log into Facebook. I'm not a big fan of Blizzard but this lawsuit is total bullshit.

You cant play starcraft or diablo 3 single player? I was under the impression that players must log in to play both single and multiplayer.

Re:Battle.net

[flimflammer]

How is it reasonable to play an MMO without an account?

Going back to the old standalone account system isn't any better than Battle.net. You can also have multiple Battle.net accounts, so it's not like you have to link every Blizzard game you buy to a single account.

Re:Battle.net

I don't know about starcraft, but diablo 3 cannot be played in offline mode.
All the character data is stored on their servers as far as I know.
And it's not as if this was some giant revelation when the game was released.
We knew this was happening more than a year before the game was released.

Re:Battle.net

They require battle.net for non-mmo's too

Personal Responsibility

[cigawoot]

Instead of taking personal responsibility for the security of their own account, they instead sue Blizzard. Blizzard CANNOT control the end user's computer (not as much as they wish they could, at least). Therefore, the security of your login credentials are the sole responsibility of the account holder. Blizzard can't keep your computer from getting infected with malware, falling for a phishing scam, or sharing your credentials with your little brother.

Re:Free mobile version costs $500

[eht]

Not true, you can run it in an Android development emulator.

Easy Solution

[Greyfox]

1) Raise the price of the game client by $6.50.

2) Include a "Free Authenticator!" in every box, or mail one to people who opt to download the client.

3) Profit.

Re:Easy Solution

They literally can't do this. Vasco can't manufacture that many authenticators.

Re:Easy Solution

1) Raise the price of the game client by $6.50.

2) Include a "Free Authenticator!" in every box, or mail one to people who opt to download the client.

3) Profit.

Why would I need three authenticators (and that's just for WoW, SC2 and Diablo 3... Much less any future game from Blizzard)? Why would I want to pay an extra $6.50 to get a fob when I can get the app for free?

Suit is seriously BS.

And in return he expects to get...?

[FaxeTheCat]

Suing over $6.50.... even with a complete victory he would probably end up with something like $.50 after the lawyers get their part. This must be somebody with too much time to waste.

Re:And in return he expects to get...?

[arbiter1]

you forget, its a Class Action suit, so he might not even get that much.

Re:And in return he expects to get...?

[flimflammer]

He's the actual plaintiff. If he wins (he won't) he'll probably get some ridiculously high number while everyone else are the people who gets nothing.

Then again, he's not going to win this so it's irrelevant anyway.

Re:And in return he expects to get...?

Gee, I didn't know you were psychic. Can we stop with the certainty? Yes, it seems UNLIKELY that he would have a chance at winning - but UNLIKELY != certainty tat this is the outcome.

Re:And in return he expects to get...?

[flimflammer]

I might as well be psychic regarding this case.

Re:And in return he expects to get...?

Dont forget about the $30 fee to file the small claims case in Calif....

Re:Free mobile version costs $500

[tepples]

How big is that to download (especially on a capped plan), and how much RAM does it use (in addition to the RAM your game uses)?

Required for the RMAH.

The key fob is required to use the RMAH in Diablo 3.

No, it does not tell you this on the physical boxed copy. You think you are getting something when in fact an additional purchase is required.

Re:Required for the RMAH.

[arbiter1]

Its right to require one on real money auction. Since its real money involved gotta take extra security on that. But with that said this guy apperently is to stupid to realize the 2 other FREE options. The Phone app and program called WinAuth that will this stuff for FREE.

Re:Required for the RMAH.

[flimflammer]

Wrong. It is not required to use the RMAH. It's required to link a PayPal account to the RMAH or keep a RMAH balance. Buying things is easily possible without one.

There are also free alternatives to the actual keyfob.

Re:Required for the RMAH.

[Golden_Rider]

You do not need the keyfob. You need an AUTHENTICATOR. And that can be had for free (on your phone) or even as a free application on your PC : http://code.google.com/p/winbma/

So the extra cost to get the needed authenticator is exactly $0.

Re:Free mobile version costs $500

[arbiter1]

Also one called WinAuth, no emulator needed. http://code.google.com/p/winauth/

They May Be Evil... But No One's Car Lot Evil!

[nick_davison]

"When I buy a car the dealer doesn't tell me that I have to buy a car alarm with it at extra cost."

You've not bought a car from a dealer lot recently, have you?

Expect to find LoJack (even in markets where the local police have bought zero units), alarms, windshield VIN etching, clear paint protectors, sealants, rust proofing, teflon upholstery protection and a wide variety of exciting floor mats pre installed and added on to the price of every actually available car, taking them way above and beyond the "Starting From..." low, low advertized MSRP on the banners around the lot. Listen to the radio commercials where whichever "mile of cars" with "over X thousand vehicles to choose from!" has "three at this price."

The difference between Blizzard and a car lot is, if Blizzard were a car lot, they'd be telling you, "We're sorry, the only copies we've got on hand today already have their accounts hooked to a validator and we can't remove it. We could order you a copy without a validator in 8-12 weeks or you can pay the premium to take a copy home today."

Re:They May Be Evil... But No One's Car Lot Evil!

[hawguy]

"When I buy a car the dealer doesn't tell me that I have to buy a car alarm with it at extra cost."

You've not bought a car from a dealer lot recently, have you?

Expect to find LoJack (even in markets where the local police have bought zero units), alarms, windshield VIN etching, clear paint protectors, sealants, rust proofing, teflon upholstery protection and a wide variety of exciting floor mats pre installed and added on to the price of every actually available car, taking them way above and beyond the "Starting From..." low, low advertized MSRP on the banners around the lot. Listen to the radio commercials where whichever "mile of cars" with "over X thousand vehicles to choose from!" has "three at this price."

"

If you fall for this, then you deserve what you get -- trumped up dealer add-ons have always been a part of the car buying game. Unless you're looking for a hard to find car (in which case you're going to just have to pay whatever the dealer asks), if you don't want a dealer add-on, just tell him you'll get the car elsewhere. He'll either remove them or write them off (since the dealer cost is a small fraction of what they are charging).

I just bought a car a few months ago, and that's exactly what I did -- I told the salesman I wasn't going to pay for his "$199 upgraded floor mats", "$299 auto-dimming compass mirror", "$59 first aid kit", and certainly wasn't going to buy a $299 paint protection package. I was clear that if it's not on the manufacturer's window sheet, I'm not paying for it. After the traditional "I need to approve this with my manager", they took the mats (the same OEM mats are available for $59 online) out of the car and threw in the mirror and first aid kit for "free" and stopped trying to upsell the rustproofing and paint protection package. I still got the car under published invoice price (which of course, is not his real cost for the car).

Shop around, look for cars well outside your area, so you can tell the dealer "I saw this exact car at XXX dealer, if you don't want to sell me the car, I'll get it from him". But above all, be prepared to walk if you don't get the deal you want.

gross income is NOT revenue

[rgbrenner]

No, gross income is not revenue. It is revenue - cost of goods sold

Re:Free mobile version costs $500

[Ultra64]

" (in addition to the RAM your game uses)?"

Who cares? it's not like you have to leave the authenticator running while you are playing

How exactly does it work?

[tepples]

But you still have to have both the game and the Android simulator open while you're running the authenticator to get the code to type into the game. The only way I can see otherwise is if one would start the Android simulator, run the authenticator, close the Android simulator, and then start the game. This is possible only if the authenticator needs no information from the game and the game tolerates a delay of up to a few minutes between running the authenticator and running the game. Is this the case? I can't try it myself because the last Blizzard product I bought was the first StarCraft.

Re:How exactly does it work?

[DrgnDancer]

So your computer is so close to minimum spec that you can't run the login screen for a game and the simulator simultaneously? I mean, sure, a lot of these games are somewhat resource intensive during actual play, especially if you have the settings turned way up, but if you can't run the login screen at the same time as an Android emulator, chances are the game will be unplayable anyway.

Re:How exactly does it work?

You can actually generate a bunch of codes write them down and save them for later use. I did that for the account my wife has when she went back home to see her parents incase her cell phone got lost. That way she could still login to battle.net and remove the authenticator if she had to.

I tested this before just randomly guessing it would work and it does.

-- wmbetts

Posting AC, because I have mod points.

Re:How exactly does it work?

I can run 3 instances of WoW on my computer before there's noticeable lag switching between them, and I only have 4 GB of RAM.

the last Blizzard product I bought was the first StarCraft.

This indicates that you really and truly have no idea what you're talking about, and are trying to create a problem from nothing.

*STOP BATTLE.NET REQUIREMENT*

[the_B0fh]

I support it simply for this:

He also seeks to stop Blizzard from requiring players to sign up for a Battle.net account.

Re:*STOP BATTLE.NET REQUIREMENT*

[black3d]

Why? How do you expect to play an online game without an account? Or do you seriously expect them to simply open servers up to the world, and rely on IP banning to deal with hackers?

Re:*STOP BATTLE.NET REQUIREMENT*

[the_B0fh]

Did I say I expect to play online games without an account?

However, I expect to play single player games *WITHOUT* a fucking online account, such as StarCraft 2 or Diablo 3.

Further more, I expect to be able to play without having to RESET MY FUCKING PASSWORD EVERYTIME MY ISP CHANGES MY IP ADDRESS. This requirement is help push people towards authenticators.

And real IDs.

Make no mistake. This isn't really about authenticators, this is about collecting real IDs.

Re:*STOP BATTLE.NET REQUIREMENT*

[psiclops]

D3 is not a single player game. while some people may choose to not interact with others is is not possible* to create a character that is unable to interact with the online world of D3. they will always have access to the auction house, join other games, & get achievements.

the fact that you think the game should have a single player mode, doesn't mean it does.

*if it were, playing any such character would not require a battle.net account.

Re:*STOP BATTLE.NET REQUIREMENT*

Neither of those are single player games.

THEY ARE MULTIPLAYER GAMES THAT YOU CAN OPTIONALLY CREATE PRIVATE GAMES FOR.

Each of those private games optionally allows you to let other people in. Hardly their fault if you don't have any friends.

Know what you're supposed to do when you don't agree with shit like that? Don't buy or even use their product. Seriously. Knock it off.

Re:*STOP BATTLE.NET REQUIREMENT*

[black3d]

However, I expect to play single player games *WITHOUT* a fucking online account, such as StarCraft 2 or Diablo 3.

Then buy offline games? Nobody forced you to buy games which have an online requirement. Unreasonable people like yourself are exactly why they made Diablo 3 require an internet connection. Because they focus-grouped and discovered that entitled brats felt ripped off if they couldn't take their offline character "online" to play with their friends - they don't expect the general populace to understand why thats bad, so they just make it "online only" instead. Also, that funnels more loot drops into the RMAH - I think you'll find this as a key motivator far ahead of "real IDs".

I expect to be able to play without having to RESET MY FUCKING PASSWORD EVERYTIME MY ISP CHANGES MY IP ADDRESS. This requirement is help push people towards authenticators.

The same happens even if you do have an authenticator. It's got nothing whatsoever with trying to "push people towards authenticators". It's got everything to do with trying to help prevent idiots who use the same password everywhere from getting their account hacked. Seriously - I can't tell you where I got this information, but roughly 20% of registered forum accounts on a semi-popular Warcraft *hacking* site, used the same username/password as their Battle.net account. There's not enough bullets to take care of this level of stupid.

Make no mistake. This isn't really about authenticators, this is about collecting real IDs.

They already have your name from your account - they don't need you to sign up for a RealID which simply puts this same information in-game. If you're referring to the possibility of them making money off selling who your RealID "friends" are, then no. You're a paranoid fool. They're not selling, or even giving away, this information to anyone.

Re:*STOP BATTLE.NET REQUIREMENT*

You don't need to reset your password every time you change your IP address. You can opt-in for the SMS text authentication option instead.

Re:*STOP BATTLE.NET REQUIREMENT*

[the_B0fh]

There's a reason why I bought a boxed copy of D3 - so that I don't have to give Blizzard my credit card #, which then pulls in my real information.

So, you can see why I might not be interested in giving them my phone number.

Re:*STOP BATTLE.NET REQUIREMENT*

[the_B0fh]

what makes you think I used my real name when I was forced to sign in to battle.net for SC2?

And really, you are sucking too hard on the koolaid nipple. SC2 and D3 is obviously a single player game with multi player options. Just because they claim it so doesn't make it so. I've never heard of people wanting to take their offline game character online - any idiot can see that these are two different games.

1. It is a standard tradition on slashdot

2. Periods are standard list delimiters, not parentheses.

3. He isn't 'coming on' as anything other than someone that knows what a syllogism is.

Vasco sells in bulk for 6.50
Blizzard resells for 6.50
Blizzard is reselling at no profit
QED

Re:1. It is a standard tradition on slashdot

[drinkypoo]

Vasco sells in bulk for 6.50

As soon as you provide a citation showing that's what Blizzard is paying Vasco, preferably a receipt or contract, then you will have something useful to say. You don't, QED you should STFU. As usual, anonymous coward is anonymous and cowardly because it knows the value of its comment is zero.

Re:1. It is a standard tradition on slashdot

It doesn't matter what Blizzard is paying for them, Blizzard still has to pay for shipping and the bit you're taking issue with isn't really the point. The point is that it's impossible for Blizzard to make a $26m profit on it, unless they get free shipping and sell 4m units.

Demanding information which is clearly irrelevant just makes you look like a butthurt fanbois. As long as the figure is non-zero, which it is, and the shipping is non-zero, the post you're bitching about is correct.

Re:1. It is a standard tradition on slashdot

[drinkypoo]

Demanding information which is clearly irrelevant just makes you look like a butthurt fanbois

Well if it makes "you" feel any better, Blizzard can choke on my cack. I don't pay for online-only games.

As long as the figure is non-zero, which it is, and the shipping is non-zero, the post you're bitching about is correct.

If the assertion is that they're making zero dollars per sale, then it might or might not be correct. I don't think anyone with a clue thinks Blizzard is getting rich from this practice.

Re:1. It is a standard tradition on slashdot

[Bengie]

The value of his comment is more than yours. You seem to have no concept of the idea of "wholesale" and seem to have some idea that Blizzard can magically get prices much lower.

1) Vasco advertises $6.5/unit wholesale for large batches
2) Blizzard buys large batches, then pays to customize them and then pays again to ship them to Blizzard warehouses
3) Blizzard incurs administrative overhead for processing and storage
4) Blizzard sells end-product for $6.5 and covers the cost of shipping 2 day priority mail(I've purchased 5 auths over the many years and all have come within 2 days from across the nation via USPS).

Really, how much money to you think Blizzard is making?

To add to it, when I purchased my original auths, it was buy one get one free, so I was able to get 2 for $6.5 and they were shipped from Cali and made it to the Midwest with in 2 days.

Re:1. It is a standard tradition on slashdot

I don't pay for online-only games.

You just troll slashdot for free.

Re:1. It is a standard tradition on slashdot

[drinkypoo]

You just troll slashdot for free.

Trolling is saying things you don't believe. I might be some kind of idiot, though. I should be checked. I will tell them how much time I spend here, and they will probably confirm such a suspicion.

Player Responsibility

" Blizzard puts the onus on gamers to buy additional products or tighten security on their devices, rather than making customer accounts more secure, Bell claims."

No vendor will make changes to devices or accounts not part of their service, nor should they be required. This person is upset that he has to spend $6.50 one time, mind you the 2 factor authentication is optional, for use with all their games (World of Warcraft, Starcraft 2, Diablo 3), and likely future games as well, to add an optional 2 factor authentication.

The user is required to provide their own ISP, router equipmenet, computer, Antivirus and related security software, and make sure they are not the source of leaked passwords by reusing weak passwords from other accounts. If this person thinks for one sec that a company regardless of the service they provide should secure (each users ISP, router equipmenet, computer, Antivirus and related security software) they got another thing coming.

With that said could Blizzard increase the security of the account, I am sure they could to a point but it still falls to the user to secure everything else.

two factor authentication is a good thing

[kenorland]

So, the company did the right thing in terms of offering two factor authentication (I wish my bank would do that). They made it optional and made free apps available so that people aren't forced to use it. All of that is good.

This lawsuit is frivolous, and the guy should not only lose, but have to pay court and defense costs.

Another baseless suit....

First off, Blizzard has not forced anyone to use an authenticator unless you wish to use the real money auction house on D3.
Second, they have a free alternatives available for your phone, so there is no financial obligation to purchase one of theirs.
Third, even if by chance blizzard did profit from the authenticators, which i doubt they do...... its their product. They have a right to make money on what they sell, its the American dream.

Fourth, no need for a 4th because the case is that simple!

Not when they close the account.

Then it's a likely net revenue positive. The price of the "game" is less than the cost of production and you were intended to get that use out of it over time (even in monthly pay schemes). So they close the account and don't have to support you at all.

Wholesale and per unit price

If you buy 10,000 of a widget you get one price. If you're buying 10,000,000 you can demand a lower price AND GET IT.

You also have the proposition like Starbucks paying their Swiss arm to grind beans in the EU. Pay vastly inflated sum and it goes back to the same parent company but now with a huge tax dedution on profit.

If, as some are saying, that the cost for the hacked account is how they can sell the authenticator for cost and want to, because it reduces the cost of support, then they can give away the device and still save the cost of support of a hacked account AND know that they won't be getting more of the same errors because some aren't buying the authenticator.

And therefore they'd still be better off.

Douchebag files frivolous lawsuit.

[toddmbloom]

Film at 11.

My thoughts

Years ago I had my own home phone service and the phone company offered to charge a monthly fee to keep my number private and out of the phone book. I didn't understand this as I considered it cheaper not to have it in the phone book in the first place because it saves space and ink. I declined the extra charge and ended up getting calls on occasion from people looking for a church. Turns out the number they gave me use to belong to a church and the advertisement for it was still in the new phone books.

I see some claiming that Blizzard loses money on the device than they actually sell it for. Wouldn't it be cheaper if they just implemented extra security into their websites and game clients? Why should people have to download an app or buy a doohickey to have better account security? I'm sure a lot of their players neither want to buy the device , don't want to use the app because they don't have the proper type of cell phone, just plain don't want it, or they don't even know about it. And without that they are left open to their account being hacked. The device/app may not be required but it is needed if you want your account better secured, which is something (in my opinion) that Blizzard should be doing already without forcing the players to risk their accounts.

Maybe the lawsuit is about Blizzard charging people, and profiting (if true), to have better account security when Blizzard should be required to secure your info better in the first place. Isn't there a law about that forcing companies to better secure their user's data?

Imagine the outrage if banks started charging people a fee or or ask them to use an app to keep their bank account numbers and credit card info from being made public online.

Re:My thoughts

Why should people have to download an app or buy a doohickey to have better account security?

I can't think of a way to make this even simpler so you have a chance to understand this.

You are saying "Why do people need a second item for two factor authentication? that's bullshit." If you want two factor authentication, blizzard is kind enough to provide it in a plethora of ways ranging from cheap to free.

My bank doesn't even give me the option of two factor authentication and you're bitching about a gaming company going out of their way to provide it for a fucking video game account?

The existing account security is fine, but like most systems is vulnerable to the same problems of password re-use and insecure machines. TFA address several of these weaknesses in a clean manner. I just can't believe you're losing your shit about the one company providing it, instead of bitching about just about every website in existence that just uses standard passwords and easily guessed security questions.

It boggles my fucking mind.

move along, nothing to see here.

What. An. Idiot.

Cheap LV shoes,sunglasses,handbags sale

[dsangdhw]

Hello!! Fashion,low price,the good shopping places, Cheap wholesale and retail Gucci/Shoes , ( Discount UGG/Boots ) LV Shoes , DG Shoes , BURBERRY Shoes , LACOSTE Shoes , Women Boots , handbags(Coach lv fendi d&g/Gucci) , Sunglasses(Oakey,coach/Gucci,Armaini) , free shipping and quantity discount, Accept credit card and PAYPAL ==== http://www.cbssbase.com/ ==== ==== http://www.cbssbase.com/ ====