f13.net

I just ran into this, apparently the keylogger and account security problem is so bad that Blizzard is going to introduce a hardware authenticator, I assume a usb dongle of some kind (http://www.blizzard.com/us/press/080626-auth.html) for account authentication. It's an interesting idea. I wonder if this type of thing will become more standard. Should be cheap enough to just stick in a box. Given how much CSR time they use, I'm surprised they don't just include it in the next expansion.

Its all fun and games until somebody steals or you lose your dongle and then you are really up the creek.

No it's not a dongle. I used to use one of those things at a previous company to access certain resources. They are a fricking pain in the ass.

http://en.wikipedia.org/wiki/SecurID

I really hate those things, it's going to be a usability nightmare for Blizzard.  I hope this remains optional (and dies a quick death).

I hate those... token's use to always go outta sync with the software just when you needed to use em. Cool thing was the 6 digit token use to be only active for 30 seconds so if you were entering your username/password/token you had to wait for the digits to roll over which was constantly happening on the token without any user input.

From the press release "Designed to attach to a keychain, the lightweight and waterproof Blizzard® Authenticator is an electronic device that generates a six-digit security code at the press of a button."

Newer one's look a bit better and my god for $7 thats pretty freaking smart as you still require your own user chosen password.

They need *something* to combat keyloggers in internet cafes. The problem is huge, and this is as good a solution as any. I know three people who've had their accounts stolen in that way. Of course it will be optional! This is an additional layer of security (2 factor authentication) for people who desire it.

Just like the SecurID token trippy posted, and the that cevik probably uses, and the one that I use (Aladdin), it's used in addition to your game password. The general method is your normal password and then the numbers that the device spits out on the end. Just having the token does not get you in, any more than just knowing the password would. You'd have to both know the user name, password, AND have the device to get into your account.

Ok, that sounds reasonable as long as its an option. Having also had our company use a dongle in the past, I will attest to what an utter nightmare they can be to support.

They have a decent FAQ (http://us.blizzard.com/support/article.xml?articleId=24660&rhtml=true). This is acually quite good, big kudos to Blizzard!

What is the Blizzard Authenticator?

The Blizzard Authenticator is an optional tool that offers World of Warcraft players an additional layer of security to help prevent unauthorized account access. The Authenticator itself is a physical “token” device that fits easily on a keyring.

Where do I enter the digital code when I log in to World of Warcraft or to Account Management?

After you enter the account name and password, you’ll be prompted to provide the digital code from your Blizzard Authenticator. You must press the button on your Authenticator and enter the code it displays to complete your login.


Can I apply my Blizzard Authenticator to more than one account?

Yes! You’re welcome to associate a single Blizzard Authenticator to as many accounts as you like. Please remember that you must have that Authenticator with you to log in to any of these accounts afterwards.

I'm waiting for the first news report of somebody being beaten up/robbed for one of those things. :oh_i_see:

It's sort of like the rise in carjackings because of the use of encoded car keys. It used to be people would break into the cars when nobody was around to steal them. Now they steal them at gunpoint when the driver is still in it.

We've used these internally at AOL for years - never had a problem with them, unless I let it expire (after 2 years).  They also started offering this to consumers a couple years ago, for logging in to the AOL client - mostly to keep kids from logging in I think, as mom has the securID fob in her purse.

I think they are a good idea for people who desire that level of security.  I used to use one for our work VPN and it wasn't a big deal.  Personally I don't know if I'd get one to secure a game account but when PayPal started offer them for $5 I didn't hesitate on that.

To chime in with more the same.  For $7 and optional? this is certainly going to be a big thing for those who play at cafes, work etc and also more $$$ hats for blizzard

edit: i hope to god they make it murloc shaped

Actually they are probably losing (a little) money on those things given the hardware cost to them for the fobs and the costs on their end to license the software/hardware and modify their accounts system to support the keys.

I used these working 3rd party server repairs at a bank about 10yrs ago.  Personally, I found them easy to use. 

If it works out, and it likely will, I could forsee them being used with a bunch of different games.  It could even give incentive for developers to use game portals (like SOE's all access).  They could even have third party portals that smaller developers sign with... dunno... just spouting here.

My bank in AU used these for internet banking.  It seemed to work well, was easy to keep around and didn't really cause any trouble.

I think it's a good thing they are doing this.

Oh come on. You aren't seriously equating carjackings to keyloggers, are you?

I'd just like to say that 'dongle' is an awesome word.   :grin:

Man I'd fucking love it if somehow WOW caused smartcard readers to become standard equipment.

I'd just love it.

Do you think these things will be used to prevent account sellers from reclaiming their account after the sale by calling Blizzard for a password reset?

Sounds as easy to defeat as the new TSA ID requirements; a seller would just tell Blizzard they lost their SecurID dongle and provide their address, phone number and date of birth.

I've dealt with 2 guildies getting their accounts hacked and in both cases, account recovery was far from that easy.

Both had to provide not only the above information but also had to fax their birth certificates, photo ID and 2 other forms of ID to even get the ball rolling. From there it took a couple weeks for them to even regain account access.

This strikes me as a hell of a deal for WoWers. It's affordable, effective (seemingly), and easy to use security.

Don't have much of a problem with mine -- except when it expired. SecureID actually "looks back" and "looks ahead" at the previous and next numbers in the cycle and synchs you forward or back if you're out of synch. It'll only do this a few times before it locks, though.

Since we're now facing the prospect -- different set of folks entirely -- of using a 12 character password on a "can't reuse for 360 days" cycle, with minimum of 1 special character, one number, and at least one uppercase and one lowercase character, as WELL as having a seriously annoying dictionary/common name/common password mangles check...

SecureID is a hell of a lot less of a PITA than that.

No kidding. Military networks require a new password every 90 days, with the rules above. *And* if you don't login for 28 days, you have to setup a new password the next time you login. (Which means every month a reservist gets on base, they have to create a new password.. that's 12 different passwords that don't resemble any previous passwords or any words or anything you'd ever remember - after a couple of those, you just give up and don't bother to log in ever).

SecurID is way way easier than the stupid draconian password policies some IT departments push on you.

The one I use now is great!!!  I especially love how the shitty display makes 5 indistinguishable from S, 8 indistinguishable from B and 0 indistinguishable from O.

Umm, hmm. Do you have picture of it? All of the RSA SecurIDs I've seen are numeric only and are really easy to read.

No pic it has a sticker advertising www.securecomputing.com (http://www.securecomputing.com) on the back and was issued by the Austin Board of Realtors for MLS access.

No you just write it down and put it in your wallet.

If your really wanna defeat the new unique password restrictions just change your password xyz times in a row then change it to your original.

When I worked at :nda: it worked with the AD policies.

Apparently RSA's new initiative is to integrate their software in mobile devices so people won't have to carry multiple things and companies won't have to pony up for the hardware.

My company right now is awesome, they use basic authentication to connect to resources from the internet to the internal network on a server that is trusted on the domain yet serving all external webpages.  They think changing the password complexity and throwing it on an SSL (yes the logins and passes transmit in plaintext) is going to fix it, they don't even know what SecurID cards are.

I do know they used to have a software client so this would be smart and easy. 

My bank has something similar but instead of me having the software they send a text message to my phone with the code when I need to perform certain functions. 

As far as the 90 day password changes, I used to just do Autumn07, Winter07 or some easy variation.  The more onerous the password policy the more likely people are to cheat.

This really does highlight how bad of an issue all this account stealing is.


I guess they think the support required for dongles will cost less then all the support hours required for account recovery.

Is that what I said?

Me too ... some11thing changed to some22thing, etc. Now I'm heading through qwerty ... somewwthing :)

The other good thing about a SecurID tag is you can allow someone else to log in as you in an emergency (read them the number over the phone) and know they can only do it once.

Good point!

My work account is set so we can't change the password for 24 hours once it's been changed successfully, so it would take 12 days to cycle back to a favorite one.  And passwords expire after 30 days.  And the idiots wont allow passwords over 10 (or 12? I'm not sure) characters, so you can't use a phrase or something memorable either.  And they must be mixed case, alpha and numeric, plus at least one special char, and who knows what else since even passwords within those constraints sometimes fail.  And the password checker WILL NOT TELL YOU why the password you entered is not acceptable!   :angryfist:

I finally gave up and started using my favorite password with the month appended and flip the domain admins a bird every time I log in.  Earthlings make me furious.

favpassword+number of the current month

I would use phrases, but as acronyms.  (FmdIdgad = Frankly my dear, I don't give a damn) and append one of several numbers I prefer depending on the system the password is for.

I am selling a level 70 full T6 blood elf mage account I just cracked for 700 dollars.  Armory data is Bzalthek on Destromath.

I just changed jobs, went indpendent, had to get my own laptop which came with a finger print reader.  I already can't remember how I ever lived without it.  I <3 Biometrics!

With SCII, DIII and WOW II (c'mon, you know it's in the works) coming this sort of investment in technology makes absolutely perfect sense.

It might not make that much sense for anyone other than Blizzard though.

Steam.

Which is why I wouldn't be surprised if Bnet The Next Gen has a lot more attention put on account security. There'd be a level of free play, but a lot more unlocked by paying a monthly fee or something. With dongle.

Hah, actually Bzalthek is on Lightbringer and is still a 60 Troll Shaman.  The password above, however, hasn't been used since 97 when I maintained the local High School computer servers.

It's a great idea, and the costs are finally getting low enough that it's financially reasonable to do it.  There are also some subtle benefits to it - while not impossible, it makes giving out your account info (to a friend, or a powerleveling service) difficult, resulting in less of that behavior.  There's also some IPs (such as Stargate, which I'm working on) where you could make it fit in really well (the GDO device (http://www.gateworld.net/omnipedia/technology/links/g.d.o..shtml)). 

My question on this would basically be, why NOT a USB dongle?  If we're going to make a physical device the user has to have in order to log in, why not something they just plug into their computer?  Seems a lot more user-friendly.  Having to mess with reading a number off the thing and typing it in is enough to discourage me from wanting to use something like that, since for a game, I use easily memorized passwords, and anything that delays my login, especially if it requires me to interact further (even an unneeded CLICK is annoying) is something I'll avoid.

Most likely because the dongles are more prone to breakage than RSA keyfobs. Really, the RSA keyfobs are durable little fuckers; I've left mine in the wash more than a couple times and it always comes out good as new.

Ignoring the endless support issues with dongle drivers (heh) they are fine if you only use one computer and never have to move it. If you are in a situation like in China where people play in Internet cafes, it becomes a big big problem putting them in all the time (especially if the case doesn't have front USB ports), leaving them behind, mixing them up with other people's etc.

Edit: They are also potentially hackable in the same way that dongles used as copy protection can be bypassed if you can hack the code that makes the check.

edit: snipping out stuffy trippy covered...

You would also defeat the purpose of the security measure (atleast with blizzard) because someone could still get into your account management page where the device is physically still attached to your computer and turn the device off from your account management.

Another hope is something like OpenID (http://en.wikipedia.org/wiki/OpenID) gaining more traction...

My password advice for users is to pick a mnemonic system that they can remember, fit a theme to the mnemonic system that lets them associate common words to the place they're logging into, then l33t up the words with letter substitution for numbers and symbols and tack an arbitrary number on there for good measure.  Just as an off the cuff example, basing the mnemonic off of the number of characters in the name, and associating that with the name of a month.  F13 has three characters, so M4rch2008.  Paypal has six, so Jun32008.  If you ran across something with more than twelve characters, you'd need to improvise somehow, but otherwise it should be pretty solid.  By keeping a whole suite of passwords in your brain, even if one password gets found out somehow, whoever has that one password doesn't have the key to everything, unless they can guess the pattern you used to make the passwords.

They're neat until you have fingerprints the readers can't decipher.

Knife beats fingerprint reader every time.

Yeah, electrical burns really mess with your fingerprints over time.  The bigwigs at work have fingerprint readers on their laptops, but us peons get the same laptop with the software for the reader removed "as a security measure."

I've used dongles and parallel port readers for years on CAD and FEA software.  I hate using it for them and I'd hate to use it for a game.  An RFID similar to keyless entry in a car would be nifty though.  No more plugging in devices, just have the device within 2 feet of the computer.

There are plenty of reasons.  Apparently I naturally have really thin skin that makes it hard to get a fingerprint or use an electronic reader.  The FBI rejected my card three times for a routine check until I had an officer take thirty minutes to get my prints and write a letter that it was the best they would ever get.

Of course there are =P  I just tend to burn\damage the tips of my fingers regularly which causes them to change a bit as the scar tissue moves around.  Which is why I don't necessarily like cheap finger print readers - which we shouldn't kid ourselves, the ones available for low prices are very cheap readers.

My aunt is a serious Mahjong player. They don't even bother to look at their tiles -- they just use their thumbs to feel the patterns braille-style. Because of that her thumb prints are so worn down they couldn't get a good print of them when she went to get a driver's license.

Tobold reports that the Paris Blizzard show over the weekend sold out of the dongles on first day.

That means absolutely nothing, Pendan. They would've sold out of MOCK id tags for it simply because it's piece to add to the blizzard collection. Analyzing any sort of success from any sort of sales at WWI is a fallacy.

I hear the self-castration kit only sold 3/4 of the units.

 :oh_i_see:

If they slold self-castration kits, they'd already be fetching thousands on ebay.

Aw god, they really do sell those on eBay.

No one watched the Mythbusters show on fingerprint readers?

Hey, not everyone has access to jello and/or a photocopier.

the gummy bear attack FTW!  Actually I dodn't catch that mythbusters episode and am not sure if they even covered the gummy bear attack but it still rocks.

If they sold Diablo 3 self-castration kits that went PING when the 'loot' dropped, schild would already have one.

Key-logging and hacking is a lot easier to get away with than outright theft or mugging. Robbery is a traditional crime that the police understands; the thief takes a lot of risk doing this since its a lot harder to get away with it. Chances are higher getting caught or getting roughed up if things go wrong, compared to white collar computer crimes (different breed of criminals altogether IMO). Once they are committed to stealing physical stuff - there are far better things to take from you - wallet, purse, cash, credit cards, watches etc. etc. than an esoteric dongle.

BYTW, anyone have a picture of the WoW security device? Its got to attach to a USB port. New computers do not come with  parallel or serial ports anymore. I had a world of trouble fixing my old pre-USB HP laser printer to my new computer.

No it does not.

Right angle image:

(http://www.clisham.com-a.googlepages.com/product.jpg)

and an image to the left:

(http://www.clisham.com-a.googlepages.com/Burdizo_Castrator.jpg)

As a side note that button is actually an interesting security feature. The original SecurID device just had an "always on" display with the numbers changing on a regular basis. This had the advantage of allowing for a totally "sealed" enclosure. I'm guessing Blizzard went with a button to prevent people from stealing codes off the devices in a "public" setting. E.g. the user forgets to put the fob back in his pocket/backpack so it's sitting on the table and somebody nearby can steal the latest code off of it and if they know that person's account info they could steal the account still.

And the downside is if you drop it in the toilet or sink by accident, it no longer works.

My Aladdin token has a button, as well. I assume it also helps to save energy, they probably don't go dead after 2-3 years like the securid ones do.

This reminds me, I killed two SecurIDs in a week once. All I did was put them on my keyring (nothing special, just a standard metal keyring).

SecurID #1
Lived on a clip on my laptop bag. Taken off occasionally to read number. Decided one day that I wanted it on my keyring instead. Three days later it blanked out.

SecurID #2
Replacement for #1. Put it on my keyring right away. Three days later it blanked out.

SecurID #3
Lives on a clip on my laptop bag. Never on my keyring. Using it to this day.

My last SecureID dongle lasted 5 years. It auto-shut down when the token expired. (I got missed, somehow, when they were doing the 5 year replacement). Always-on. I left it on my ID badge (uses a lanyard, lives in a backpack when it's not around my neck).

You do want to keep the thing roughly room temperature. Long periods in extreme heat or cold will nudge the internal clock out of synch with the RSA servers.

It REALLY beats a 12 digit, changes every 30 day, password.

If anyone had been wanting one of these, they're back in stock at the Blizzard store, in case you hadn't read it elsewhere. 

Epic lawl.

Shipping to Canada for the six and a half dollar dongle is fifty-three dollars.

Sled dogs cost a lot to upkeep.