Blizzard authenticator

Posted: Tue Dec 22, 2009 9:15 pm
by Don
Saw this the other day:

http://us.blizzard.com/store/details.xml?id=1100000822

Now this item puzzles me. Ignoring questions like why you'd need a two-factor authentication just to protect your WoW account, how can this even work as a concept? I assume somewhere you get an option like 'make my account have to use a two factor authentication' because if this isn't mandatory, then clearly your account isn't protected from a keylogger at all. Now these things cost $6.50 so I'm guessing they're not supposed to be something you guard with your life. So what if you go to a different computer and forgot your authenticator? I'm guessing you can't just log on without it because otherwise that defeats the protection. What if you lost your authenticator? That means you'd never be able to log in and now you'll have to call Blizzard saying yep it's really me and I lost my authenticator?

Now I don't think two factor authenticator itself is a bad idea, but it seems to be used on something that you'd consider to be pretty valuable to you, like your bank account. I suppose people could consider their WoW account with the same importance, but I've a hard time seeing that.

Posted: Tue Dec 22, 2009 9:34 pm
by Eric
Don wrote:Now I don't think two factor authenticator itself is a bad idea, but it seems to be used on something that you'd consider to be pretty valuable to you, like your bank account. I suppose people could consider their WoW account with the same importance, but I've a hard time seeing that.
You have a hard time seeing people who invest their lives and time into MMOs as people who would take an extra security step so that they aren't set back if some douchebag hacks their account and sells their things? Really?

Posted: Tue Dec 22, 2009 10:29 pm
by Don
Seems like you could buy a security suite and it'd also do other stuff beyond protecting your WoW account.

Posted: Tue Dec 22, 2009 10:36 pm
by SineSwiper
Or not using passwords like 'mohawk'

Posted: Tue Dec 22, 2009 10:45 pm
by Eric
Don wrote:Seems like you could buy a security suite and it'd also do other stuff beyond protecting your WoW account.
Apples/oranges, the 6.50 is mainly for shipping. You can add the authenticator to your cell phone for free.

Posted: Tue Dec 22, 2009 11:38 pm
by M'k'n'zy
Quite simple why it exists. There are a ton of people out there who would like nothing more than to hack your account, sell all your stuff, and use your character as long as they can to farm stuff so they can make more in game money they can sell for real money. Now if this happens to you, it can take you some time to get your account back, not to mention longer to get your gear and items back so that you can raid or whatever you do. Not to mention in a larger guild, the officers tend to have many pulls out of the guild bank, so not only do you get screwed, your whole guild does. I actually require officers in my guild to have one, because we have had too many people get hacked in the past and it usually takes a week or two to get what we lost back. It really sucks.

Re: Blizzard authenticator

Posted: Wed Dec 23, 2009 10:37 am
by Kupek
Don wrote:how can this even work as a concept?
The same way it works for the people who need these to log in to remote systems for work.

Posted: Wed Dec 23, 2009 12:32 pm
by M'k'n'zy
Speak of the devil, one of my officers who hasn't gotten his authenticator yet got hacked yesterday and the guild bank got ravaged. Probably gonna take a week to get everything back.

Posted: Wed Dec 23, 2009 1:34 pm
by SineSwiper
And what was his password?

Posted: Wed Dec 23, 2009 1:39 pm
by Eric
SineSwiper wrote:And what was his password?
People get keylogged mainly. Usually has nothing to do with having an easy to guess password.

Posted: Wed Dec 23, 2009 3:43 pm
by Don
I'd be more worried about other things than your WoW account if you were keylogged...

As for Kupek, I'm not even sure if you had a point. Of course I know how two factor authentication works. The premise is that it is supposed to be pretty hard to lose the thing you 'have' (or at least hard to not notice it) and when you lose it, you generally have to supply some very strong credentials to get it back because otherwise it's not a strong system, since the part you 'know' is generally considered the weakest part of security. When I forget my securebadge I give them my ID and there's a picture of me, and that's how I get a temporary badge because you can be reasonably sure that while the knowledge of my ID isn't anything special, you're probably not going to find too many people that look like me on the file so they can trust that.

If you lose your Blizzard Authenticator and call them up, what will they ask you to prove you're indeed who you are? Social security number? Credit card number? Mother's Maiden Name? Well if I got a keylogger on you, I probably know what those are too so I can just call Blizzard and say yeah I'm really Eric and some guy jumped me in the back alley and took my authenticator, and here's my social security/credit card info that I gathered from my keylogger.

Posted: Wed Dec 23, 2009 3:59 pm
by Kupek
That security measures can be bypassed does not mean they are pointless. All security measures can be bypassed. The processes behind are probably not as secure as, say, the processes one of my lab mates had to go through to access DOE machines while at school. I have no idea what processes they have, but I bet it still provides non-trivial extra security beyond just a password.

For the record, banks use most of what you listed in combination. When I lost my debit card two years ago, I had to provide my account number, address, mother's maiden name, social security number, and I also happened to have the receipt from my last transaction (which had date/time and the amount). When you're looking at someone's file, you will have access to a lot of incidental information that can be used to corroborate their claim. Yes, if someone took the time to research me and tell the right lies at the right places, they could find all of this out. But most of the time, that's not going to happen.

Posted: Wed Dec 23, 2009 11:29 pm
by SineSwiper
I tend to agree with Don. The problem isn't that hackers can get into WoW accounts. The problem is that hackers can get into YOUR account. What did you do to get a keylogger on your PC? What spyware did you download? What virus did you catch? What phishing site did you type your password into? All of this shit is easy to avoid.

If you're worried about just your WoW account, you clearly don't have the right priorities. Think about bank records, credit cards, identity theft, etc.

Posted: Thu Dec 24, 2009 2:34 am
by Kupek
I can see a WoW account as being a juicier target than even someone's bank account.

If someone gets into my bank account, there are both legal and bank policies that protect me. If someone attempts to use my check card in an unusual way, my account will be frozen. The more money they try to spend, the more likely transactions will trigger automatic protections. Credit cards allow item-by-item objections.

As far as I know, Blizzard has no recourse for someone logging into your account and selling off all of your items. There is a ready market for WoW items that could allow someone to turn a WoW account into cash potentially faster and with less risk than someone's bank account.

Posted: Thu Dec 24, 2009 11:20 am
by Tessian
Kupek wrote:I can see a WoW account as being a juicier target than even someone's bank account.

If someone gets into my bank account, there are both legal and bank policies that protect me. If someone attempts to use my check card in an unusual way, my account will be frozen. The more money they try to spend, the more likely transactions will trigger automatic protections. Credit cards allow item-by-item objections.

As far as I know, Blizzard has no recourse for someone logging into your account and selling off all of your items. There is a ready market for WoW items that could allow someone to turn a WoW account into cash potentially faster and with less risk than someone's bank account.
Not to mention stealing someone's bank account / credit cards is horribly against the law and you'll go to jail a long time if caught... but if I steal your WoW gold and items there's really no penalty and it's incredibly hard to prove who did it too. I don't mean to say that it's not illegal to do so, but it's a LOT harder to prove than it is to prove that someone stole your bank account and drained it.

I really don't see any problem with Blizzard offering this... it's not like they can really offer you security beyond their game so they came up with this instead. And yes, no security system is impenetrable, but it makes you a hell of a lot harder to hack than someone who doesn't have it. Kudos to Blizzard, RSA tokens are a nice touch and it doesn't seem like they're doing it for the money either.