Slashdot Mirror


Blizzard Sued Over Battle.net Authentication

An anonymous reader writes "A man has initiated a class-action suit against Blizzard over a product used to shore up Battle.net security. Benjamin Bell alleges that Blizzard's sale of Authenticators — devices that enable basic two-tier authentication — represents deceptive and unfair additional costs to their basic games. (Blizzard sells the key fob versions for $6.50, and provides a free mobile app as an alternative. Neither are mandatory.) The complaint accuses Blizzard of making $26 million in Authenticator sales. In response, Blizzard made a statement refuting some of the complaint's claims and voicing their intention to 'vigorously defend' themselves."

49 of 217 comments

  1. This is ridiculous by synthparadox · · Score: 5, Insightful

    Not only does the $6.50 help cover postage and pay for the dongle, it's completely optional and Blizzard makes the app available to as many platforms as they can. You can even install the authenticator on an Android simulator on a computer.

    I'm in shock as to how entitled this person is. I honestly just can't fathom how he can claim that Blizzard "makes money" off these authenticators.

    1. Re:This is ridiculous by synthparadox · · Score: 5, Insightful

      Right, because the keyfobs and shipping are free to Blizzard.
      How does this guy know that Blizz made $26 mil from them? Does he have access to the sales reports? Remember, "the complaint accuses Blizzard of making $26 million in Authenticator sales." Accusing someone of making money and them -actually- making that much money are two completely different things.

    2. Re:This is ridiculous by Anonymous Coward · · Score: 2, Informative

      Shouldn't the $60 purchase price and (possible) $15 monthly fee "help cover postage and pay for the dongle"?

      It's not "completely" optional, use of Diablo 3 RMAH requires it and/or the mobile app, and if you don't have a phone that can run the mobile app, then the authenticator is the only way to use an advertised feature of the game.

      Blizzard does profit, however little, from the authenticators. Do you really think that they take a loss on them? Or that $6.50 is the magical round number that represents exactly their cost? No, of course not, Blizzard is rounding up to cover their cost (assuming there is no intentional profit margin built in) and they make money from it, period. The real issue though is the fact that they are forcing users to pay for the game's security, profit or no profit. It's a hidden cost of being able to enjoy the product you already paid for.

    3. Re:This is ridiculous by LordLimecat · · Score: 3, Interesting

      They're optional, and completely unnecessary if you use a good password. That they offer an ADDITIONAL paid service that competitors do not does not in any way obligate gamers to use the authenticators.

      If they want to sell guides for creating strong passwords at $10 a pop, and they end up making $500 mil on it, who cares? It's a service that apparently people want. The man doesn't even seem to allege that the device was ineffective-- simply that it was unnecessary and he for some inexplicable reason bought it anyways.

    4. Re:This is ridiculous by synthparadox · · Score: 2

      Hacked accounts are a loss for Blizzard. Not only do they have to staff GMs to handle these requests, they have to restore items and more often than not they can't remove the stolen items. I firmly believe the $6.50 pays for the keyfob and the postage, and that's it. If they can break even, it's a net gain for them since they can reduce the GM ticket queue and free up these expenses and time for other things. Remember how they laid off 600 employees in April? (http://wow.joystiq.com/2012/04/27/the-lawbringer-autonomous-systems-deal-with-customer-service-pr/) That was a reduction in operating costs for supporting these types of requests.

    5. Re:This is ridiculous by synthparadox · · Score: 2

      You don't need a phone to run the mobile app. The fact that you can run Android apps on an SDK on the computer has been known for a while now. See: http://www.mmo-champion.com/threads/713865-How-to-get-Battle-net-Mobile-Authenticator-COMPLETELY-free

    6. Re:This is ridiculous by jklovanc · · Score: 3, Insightful

      Income is not the same as profit. They sold for $6.50 but it cost Blizzard much more to purchase and ship them. From a financial statement point of view making no profit from a sale is bad for the company yet Blizzard is still doing it to support their customers.

    7. Re:This is ridiculous by meerling · · Score: 4, Insightful

      Blizzard already claims to do this at cost. That would mean no profit. Wonder where he's getting his $26 million profit statement from. It might be a cost instead of profit, but either way, his lawsuit is b.s. as the security fob is an optional and non required item, and the software version is free, that guy is an idiot trying to get a payday from Blizzard settling rather than paying to take it to court. I hope Blizzard takes the high road and fights him all the way.

    8. Re:This is ridiculous by jklovanc · · Score: 2

      There are three ways to run the authenticator:
      $6.50 hardware device
      App on a smart phone
      App on an Android simulator on your computer.
      There are three ways to run it; two of which are free. The only reason to buy the dongle is for convenience.

    9. Re:This is ridiculous by synthparadox · · Score: 5, Informative

      If you really want to be correct, income can be either net or gross. Gross income is revenue. Net income is profit. Because he didn't state what kind of income, he's technically still correct. </pedantic>

    10. Re:This is ridiculous by arbiter1 · · Score: 4, Informative

      There is a 4th way, it's called WinAuth. A program you can run on your computer to generate the code. It's FREE as well. http://code.google.com/p/winauth/

    11. Re:This is ridiculous by kurzweilfreak · · Score: 3, Funny

      Zomg, a company makes money off of sales of something that you don't need to play the game? Travesty! That has to be illegal!

      --

      kurzweil_freak

      5th Kyu Genbukan Ninpo/KJJR student

      Be the darkness that allows the light to shine.

    12. Re:This is ridiculous by mat.power · · Score: 5, Funny

      He's technically correct, the best kind of correct!

    13. Re:This is ridiculous by yndrd1984 · · Score: 5, Funny

      It's the principle of making the customer pay for this after the fact. If the game requires authenticators to use its features, it should come in the box.

      I'm billing Ford for my gas, oil changes, and regular maintenance. I'm also suing because the advertisements showed an attractive woman in the car, and mine didn't come with one - I had to buy one separately from some "RussianBride" company. What a rip-off!

    14. Re:This is ridiculous by stephanruby · · Score: 2

      Not only does the $6.50 help cover postage and pay for the dongle, it's completely optional and Blizzard makes the app available to as many platforms as they can.

      Their authentication software is available for the two dominant phone os platforms, Android and iOS. That's it.

      Just to put things in perspective, the Google authenticator, which is open source (Apache license), uses open authentication standards, and which could be used for free by Blizzard, can also be run from the command-line on Linux, Mac OS, and Windows, in addition to iOS, Android, and Blackberry.

      You can even install the authenticator on an Android simulator on a computer.

      How convenient.

      First of all, Android doesn't really have a simulator, it has an emulator. It's slow. It's heavy-weight. It's not much of a solution for the average joe. Speaking as someone who works with it daily, I don't think the Android emulator is something that should be required for a consumer who wants to play a game he supposedly just purchased.

      The only point of contention is whether, or not, this authentication system is really required to play the game. Right now, according to the company's response, this new authentication is completely optional, but for some reason that consumer believes it was required, or that it will be required even for users that are not on the system right now.

      Either the consumer doing the suing is an idiot, or perhaps Blizzard implied that it would indeed become a requirement, and recently backpedaled as the lawsuit emerged. Either way, this issue seems to be moot right now.

      The only (non-legal) questions remaining are: Why aren't they using open standards for authentication? And why are their passwords not case-sensitive? Are they converting them to all lower-case before doing the hashing? Or are they storing their passwords all in plain text?

    15. Re:This is ridiculous by flimflammer · · Score: 2

      You have to be incredibly dense not to see why they would do this. It costs them less to sell authenticators at cost than it is to constantly have staff fixing hacked accounts and having people quit over hacks.

      One time fee; Consistently recurring subscription
      --or--
      Player hacked, costs CS manhours to fix, player potentially quits.

      Which one do you think a smart business is going to choose?

    16. Re:This is ridiculous by mlts · · Score: 3, Insightful

      A good chunk of that (if not almost all) goes for shipping, as well as to Vasco DigiPass GO6 which then is rebranded (adding extra cost).

      If Blizzard wanted to make money from these, they could do very easily [1]. However, they don't.

      I'm normally a critic of Blizzard, but IMHO, this is one area where they are doing something right, because two-factor authentication is a significant improvement in security.

      As far as I know, this lawsuit is pointless. If one doesn't want to give Blizzard cash for an authenticator, the app that does the exact same thing is free on iOS and Android.

      [1]: Phase out the apps, then require the physical authentication token to be attached to the account in order for the user to use the AH or trade with other players.

    17. Re:This is ridiculous by Anubis+IV · · Score: 4, Insightful

      His number is extremely bogus.

      Even if we ignore manufacturing costs, maintenance costs, shipping costs...hell, ALL of the costs...it still means that they would have sold 4M of these dongles at $6.50 each in order to make $26M. Mind you, Blizzard offers free Android and iOS apps that do the exact same thing, and Blizzard caters to the crowd that tends to get these devices, so that would eat into sales of the dongles. Not to mention that 4M sales would represent 1/3 of the WoW players at its peak, which seems like an unreasonably high number. And the numbers only get more ridiculous from there, since even if we were to grant that Blizzard had a hefty 50% profit margin on each dongle, you'd still need to have found 8M people to have bought them.

      Class actions can be useful at times. This is not one of those times. This is lunacy.

    18. Re:This is ridiculous by ildon · · Score: 2

      It doesn't create revenue for Blizzard, but it does greatly reduce their support ticket volume (by directly reducing the number of compromised accounts) which allows them to hire less support staff to handle it which reduces their support overhead. There is no doubt in my mind, that despite the fact that they probably LOSE tons of money on authenticators, they "make it back" in spades saving on support costs. But this is a GOOD THING. Players who get their accounts compromised often just use it as an excuse to quit, and for those who don't quit, no matter how helpful customer support is, it's still a really shitty experience and it still takes time out of your game playing.

      In the end, it's a net positive for both Blizzard and the consumer.

  2. Going nowhere... by Anonymous Coward · · Score: 4, Insightful

    Question #1 will be : "Did blizzard make you buy one in order to play the game, and are there any consequences to not doing so?"... "No, and No"...."Case dismissed"

    1. Re:Going nowhere... by hawguy · · Score: 5, Insightful

      not necessarily, he can always say that it wasn't well indicated on the box or website when he bought the game. So this can be applied under "false advertisement" since it doesn't tell him that he must pay additional money.

      But he doesn't have to buy it -- he can pick a secure password and protect it (and protect his computer against keyloggers and other malware). When I buy a car the dealer doesn't tell me that I have to buy a car alarm with it at extra cost. Because I don't. It might be prudent, depending on where I park the car, but it's not necessary.

    2. Re:Going nowhere... by LordLimecat · · Score: 5, Insightful

      You have to sign into battle.net to order one, which indicates right away that you do not need one to sign into battle.net. That someone could be confused by this is absurd.

    3. Re:Going nowhere... by Rockoon · · Score: 2

      Question #1 will be : "Did blizzard make you buy one in order to play the game, and are there any consequences to not doing so?"... "No, and No"...."Case dismissed"

      No, and Yes. An authenticator is required for some aspects of some of Blizzard's games, such as the real money auction house in Diablo 3. This requirement most certainly was not advertised during initial sales, but the real money auction house feature was advertised during initial sales as a selling point. In fact, you will find Slashdot articles about the real money auction house prior to the game's release.

      --
      "His name was James Damore."

    4. Re:Going nowhere... by steppin_razor_LA · · Score: 2

      You can also for free have them set it up so that they do phone authentication when you login from a different IP address.

      --
      Evolution: love it or leave it

  3. Free mobile version is free by Firehed · · Score: 2

    Like TFS says, the mobile version is free. Just another moron trying to make a quick buck.

    My concern with Blizzard's authenticator is that they seem to have rolled their own implementation rather than adhering to an open, defined spec (HOTP/TOTP). And like so many of these services, there's no good way to move it to a new device without disabling 2FA temporarily. People do upgrade their phones, after all.

    --
    How are sites slashdotted when nobody reads TFAs?

    1. Re:Free mobile version is free by synthparadox · · Score: 4, Informative

      They introduced a "restore" feature a while back that allows you to migrate devices without removing two-factor authentication. Basically, you enter the restoration code into the new phone/device and both devices will continue to generate the same seeded code. This can also be used to extend the authenticator to multiple devices like having a smartphone and a tablet both generate the same code. This is just an ease-of-use feature, especially when sometimes you can't find one of the devices you installed your authenticator on.

  4. Authenticator is not a Blizzard product... by Kenja · · Score: 5, Informative

    It is made by Vasco and is sold in large quantity orders for around $6.50, which is the same as what Blizzard charges for it. The idiot in question is basically claiming Blizzard sold 400,000 Authenticators at a 100% profit margin.

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"

    1. Re:Authenticator is not a Blizzard product... by LordLimecat · · Score: 3, Informative

      At $26 million, that would be 4,000,000 at 100% margin, which stretches the bounds of credulity.

  5. Sometimes free by jklovanc · · Score: 4, Interesting

    A friend of mine got hacked three times. Blizzard sent him an authenticator for free. It costs them less to send the free authenticator than keep fixing his account.

    This is just someone trying to make money on a frivolous lawsuit.

    1. Re:Sometimes free by Rockoon · · Score: 2

      A friend of mine got hacked three times. Blizzard sent him an authenticator for free. It costs them less to send the free authenticator than keep fixing his account.

      What you are saying is that if they got $6.50 out of him instead of giving him the device for free, that it would have been an additional $6.50 in pure profit?

      Think about that for a moment.

      --
      "His name was James Damore."

    2. Re:Sometimes free by realityimpaired · · Score: 2

      No... what they were saying was that fixing the account and ensuring a continued revenue stream of $15/mo was favourable to him cancelling the account for want of a $6.50 one-time cost.

      While this is true for every account, and is an argument in favour of simply giving the things away, most accounts never get hacked, and they *do* simply give the things away to anybody with a smartphone. When they do get hacked, the labour costs for fixing the account are what makes sending the authenticator an option.

      It's not rocket science, people.

  6. Re:Surprised? by Anonymous Coward · · Score: 4, Informative
  7. Re:Surprised? by Dyinobal · · Score: 5, Informative

    No they aren't. I just checked my copy of Diablo 3 (which was a total waste of money) and my password worked regardless of what I capitalized.

  8. Re:Surprised? by TuringCheck · · Score: 4, Informative

    You know, there are plenty of WoW server emulators that had to reverse engineer the client authentication.
    Both the username and the password are converted to uppercase before being SHA-160 hashed and fed into the SRP6 authentication algorithm.
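
Added example (not part of the thread and not Blizzard's or any emulator's code): what upper-casing credentials before hashing means for a password such as `PaSsWoRd`. The `USER:PASS` join, the function names and the sample account name are assumptions; the comment above states only that both values are upper-cased and then SHA-1 hashed before SRP6.

```python
import hashlib
import math
import string


def folded_credential_hash(username: str, password: str) -> str:
    """SHA-1 (160-bit) over upper-cased credentials.

    Assumption: the two values are joined with ':'; the thread does not
    state the exact layout of the hashed material.
    """
    material = f"{username.upper()}:{password.upper()}".encode("utf-8")
    return hashlib.sha1(material).hexdigest()


def case_variants(password: str) -> int:
    """How many differently-cased spellings fold to the same password.

    Each cased letter can be typed two ways; digits and symbols only one.
    """
    cased = sum(1 for ch in password if ch.upper() != ch.lower())
    return 2 ** cased


def bits_lost_to_folding(length: int) -> float:
    """Entropy given up by a random alphanumeric password of `length`
    characters when the 62-symbol alphabet collapses to 36 symbols."""
    mixed = len(string.ascii_letters + string.digits)     # 62
    folded = len(string.ascii_uppercase + string.digits)  # 36
    return length * (math.log2(mixed) - math.log2(folded))


if __name__ == "__main__":
    # Constructed sample account; any casing produces the same hash input.
    for typed in ("PaSsWoRd", "password", "PASSWORD"):
        print(typed, folded_credential_hash("player", typed))

    print("spellings accepted for 'PaSsWoRd':", case_variants("PaSsWoRd"))
    for n in (8, 12, 16):
        print(f"{n} chars: {bits_lost_to_folding(n):.1f} bits lost")
```

The loss is about 0.78 bits per character, so a longer password or an added digit more than makes up for it, while mixed case alone contributes nothing.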

  9. Personal Responsibility by cigawoot · · Score: 2

    Instead of taking personal responsibility for the security of their own account, they instead sue Blizzard. Blizzard CANNOT control the end user's computer (not as much as they wish they could, at least). Therefore, the security of your login credentials is the sole responsibility of the account holder. Blizzard can't keep your computer from getting infected with malware, falling for a phishing scam, or sharing your credentials with your little brother.

  10. Re:Surprised? by X0563511 · · Score: 3, Informative

    Actually no, I'm wrong. What the hell?

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...

  11. Re:Surprised? by Anonymous Coward · · Score: 3, Funny

    The stupid, it burns

  12. Re:Surprised? by tofubeer · · Score: 2
  13. Re:Surprised? by squiggleslash · · Score: 2

    Good. Case sensitivity in passwords is stupid.

    There, I said it.

    Also: if you're going to lock the user out after three bad attempts anyway (and therefore already have a mechanism in place to deal with external dictionary attacks), there's no good reason for that "Oh, you entered it wrong? Here, let me wait for 30 seconds before I tell you" delay that just fucking pisses people off rather than helps. I just thought I'd mention it, it's another pet peeve.

    Actually, there's no need to lock after three bad attempts, just make the delay ONE TENTH OF A SECOND. That'll be long enough to foil virtually every dictionary attacker while short enough to not be irritating to end users.

    Also, what's the deal with caps lock? Why the hell is that key still on the keyboard? NOBODY uses it and... I've gone waaaaaaaaaaay off-topic haven't I? I'll shut up and let the rest of the post be insightful.

    --
    You are not alone. This is not normal. None of this is normal.

  14. Re:Surprised? by ynp7 · · Score: 2, Funny

    Also, what's the deal with caps lock? Why the hell is that key still on the keyboard? NOBODY uses it and... I've gone waaaaaaaaaaay off-topic haven't I? I'll shut up and let the rest of the post be insightful.

    I use caps lock every day, you insensitive clod! It's cruise control for cool.

  15. Re:*STOP BATTLE.NET REQUIREMENT* by black3d · · Score: 2

    Why? How do you expect to play an online game without an account? Or do you seriously expect them to simply open servers up to the world, and rely on IP banning to deal with hackers?

    --
    "The true measure of a person is how they act when they know they won't get caught." - DSRilk

  16. Re:Surprised? by Dachannien · · Score: 2

    Also, what's the deal with caps lock? Why the hell is that key still on the keyboard? NOBODY uses it

    My dad uses it. It's like he's still yelling at me every time he sends me an e-mail. /cry

  17. Re:Surprised? by magamiako1 · · Score: 2

    You are an idiot. Seriously.

  18. Re:Surprised? by Luckyo · · Score: 2

    Actually it's likely the exact opposite. Not only do people leave the game after being hacked (or come back from hiatus, see a hacked account and leave for good), but the support costs associated with stolen and hacked accounts constituted a huge amount of support calls and contacts before authenticators. Probably after as well, but as there is not a single account compromise for account with authenticator attached (according to Blizzard) their costs must have come crashing down for accounts that have authenticator attached.

    Full disclosure: I have two separate accounts on battle.net, one since early 2007 (former WoW currently battle.net account) and one since SC2 release. Neither has authenticator attached, neither has ever been hacked. I've had one guildie actually hacked in WoW during a black temple raid back in TBC for their own stupidity. Literally "sorry guys, I just got hacked right after talking to GM [provides details on being socially engineered in a really silly way]".

  19. two factor authentication is a good thing by kenorland · · Score: 2

    So, the company did the right thing in terms of offering two factor authentication (I wish my bank would do that). They made it optional and made free apps available so that people aren't forced to use it. All of that is good.

    This lawsuit is frivolous, and the guy should not only lose, but have to pay court and defense costs.

  20. Re:Surprised? by cyclohazard · · Score: 2

    Also, what's the deal with caps lock? Why the hell is that key still on the keyboard? NOBODY uses it and... I've gone waaaaaaaaaaay off-topic haven't I? I'll shut up and let the rest of the post be insightful.

    The purpose of the Caps-Lock key is to remap it to Ctrl.

  21. Re:1. It is a standard tradition on slashdot by Bengie · · Score: 2

    The value of his comment is more than yours. You seem to have no concept of the idea of "wholesale" and seem to have some idea that Blizzard can magically get prices much lower.

    1) Vasco advertises $6.5/unit wholesale for large batches
    2) Blizzard buys large batches, then pays to customize them and then pays again to ship them to Blizzard warehouses
    3) Blizzard incurs administrative overhead for processing and storage
    4) Blizzard sells end-product for $6.5 and covers the cost of shipping 2 day priority mail (I've purchased 5 auths over the many years and all have come within 2 days from across the nation via USPS).

    Really, how much money do you think Blizzard is making?

    To add to it, when I purchased my original auths, it was buy one get one free, so I was able to get 2 for $6.5 and they were shipped from Cali and made it to the Midwest within 2 days.

  22. Re:Surprised? by X0563511 · · Score: 2

    ... and claiming you know, and admitting when you discover when you were wrong, is another entirely.

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...

  23. Re:Surprised? by TranquilVoid · · Score: 3, Funny

    Well I just found out now, very surprising. And I thought I was uncrackable with PaSsWoRd too :(