f13.net

http://www.wow.com/2010/01/08/blizzard-giving-serious-consideration-to-mandatory-authenticator/

If they do this, it had better just come with the Cataclysm box. I've been playing MMO games for as long as the genre has existed, and with all due respect to everyone in the "I got hacked" thread, I've never ever been fucking hacked because I know how to handle my shit. I'm not going out of my way to buy one of their "Godfuckingdammit we're never gonna get these kids to quit clicking on sex leg forum posts" keychains.

Someone should make a business out of transferring the innards of these into a leg shaped keychain.

I seriously doubt they'd force you to pay for one if it was mandatory. This is just about cost management by Blizzard - the cost of giving out the authenticators to everyone must be less than the CS costs incurred by dealing with account hackings.

Faulty reasoning...  giving authenticators to everyone will not reduce account hackings to 0. 

Heh. I had one of those when I worked at the ibank and had to log in from home or the road or vacation. That was because stealing people's money was srs bizness. Keeping people from hacking your toons and selling your purps? Notsofuckingmuch.

Of course 100% authenticator use won't reduce hackings to 0. But it will greatly reduce them.


What's the point you're trying to make? That account hacking shouldn't concern Blizzard? Wat?

That's probably exactly what will happen. That's pretty much the only way they could do it, outside of just shipping every active account one via UPS.

Amusingly, wouldn't this pretty much murder account sharing instantly?

I think I have one of these in a bag from blizzcon I still haven't used. I'm actually a little shocked nobody yanked my guild vault access last time I randomly logged in after months of inactivity <3

And that would eliminate at least 1/2 of the account "hacks."

I haven't been hacked but a few in the guild and a "friend of a friend" have.  In each of those cases, it was either:

a.)  Used a computer that wasn't their own or accessed WoW from a hotel room, coffee shop, book store, etc. via wireless
b.) Shared an account with a sibling/cousin/friend, etc. who, at one point, did a. above or stole stuff outright.

In either of those cases an Authenticator will help Blizzard lower their CS costs.

There is always the possibility of you getting a key logger on your own computer, but as stated elsehwere the Authenticator may not prevent theft in those cases if the thief is quick enough.  Right now this is the rare kind of thief.  This begs the question, if everyone has authenticators, will it just force the thieves to be more sophisticated and quick or will they just go on to an easier target?

Overall, it has to significantly lower incident rates.

Some more thoughts:

- Why do these thieves typically delete chars when they wipe them clean?  Why even sell off soulbound stuff either?  For their business model, it would seem prudent to keep their sheep productive so they can come back later again and wipe them again.  If it is an inactive account, by the time the player returns, they may not ever even notice anything is amiss.
- Related to that, by making the theft this destructive they force people to get Blizzard inovlved, plus they make Blizzard's job that much harder to reset everything for the victims.  This only leads them closer and closer to making their thieving more difficult (a la Authenticators.)

I guess they just have enough sadistic nature in them to add insult to injury and they can't help themselves.

There's a limit of 50 characters per account across all servers so they could be deleting characters to make room to make new ones on other servers?  Only practical reason I can think of.

I want to say the vast majority of account thefts are from Gold Selling companies, where they'll sit on a account for months until they need to strip it of resources for a gold sale.


While it's certainly possible to still key-log the authenticator number and grab an account if you are purposefully waiting for it, having the window of opportunity go from months to seconds has to be a huge blow against them.

They sell soulbound stuff because it's gold.  Epics can be worth 20+ gold each.  They know Blizzard will reimburse everything, so may as well take it all now and come back in a few months.

I know how you feel and I was pretty pissed when my account got hacked.  Having a teen at home that uses my computer creates all sorts of problems with keyloggers and security issues.  I'm sure that I'm not the only one in that thread that has multiple users on their home system either. 

I'm fine with the game eliminating account sharing and using authenticators.  If it improves customer service by limiting the number of account theft issues, then we all win in the end. 

I know why they are doing it, for gold.  Is this form of stealing really all that much easier and profittable than gold farming?  A full account of 80's can blow that kind of profit away by purely doing dailies 8-12 hours a day.  Pure gold farming has lower risk, less technology required, and lower skill involved.  There has to be more to it than just making money off of virtual gold or I'm just completely underestimating how wide spread this is.  If it is really that bad, I can see why Blizzard would force Authenticators on everyone.

Dren, they obviously aren't just hacking the account for the gold their epics sell for; they're looking for accounts with thousands of gold, which they will then sell. The extra hundred or so from vendoring the epics is just icing on the cake.

They're probably very, very good at stealing by now.  I'm not very good at making money, but a person getting ahold of my account gets 15k and a guild bank.  Plus they get a miner/herbalist they use for exploit farming and a high level character they can spam with until they get caught.

Only way I get hacked is if there's a keylogger on my machine or someone steals my iphone. I really don't want to get hacked. 

The LCD drags it down for everyone else. Price of hueg sucses.

I know you can't log more than one character in at one time, but can you be logged into the game more than once ie, to the character select screen? Because if you can't, that would make it even more ludicrously hard to grab an authenticator code and actually do anything with it.

The big downside I can see is when someone's widget goes bad or they lose it and hang themselves rather than wait for 2 day shipping.

I know if you're logged into a character, and attempt to log into the character select screen on another machine, it kicks the logged in character off. I've never tried logging two copies both to the character select screen.

I hope so, we have some account sharers in the guild and it makes me pretty nervous.

This is why I asked you to limit my toons access to anything.  My account has been hacked in the past (presumably by keyloggers that my daughter downloaded) and I'd hate to cost someone else a headache.   I'm quite hesitant to even join guilds as I don't want to be blamed for something that happens when my account is under the control of someone else. 

I'm not too keen on that account sharing either.  It won't stop families, since they can leave the authenticator on the desk, but it would cut down on people outside the same household.

I ordered an authenticator on Monday when I started playing again on an every day basis.  It's only $6 and change with shipping.  No sweat off my back.

Right, but to make this feasible against pure gold farming, they'd have to have accounts lined up for none stop account hopping all day every day.  Some accounts will be void of much while others will be jackpots.  Just seems like pure gold farming would be the safe bet to me.  I guess it just comes down to something simple.  One way is more like work.  The other is more like a high energy/risk gamble.  Haxxors like Big money, no whammies!

just curious here: those with teenage kids wouldn't removing their admin privileges cut out installs of keyloggers ?

Well I just ordered my authenticator.  If I was hacked I'd probably not even go through with the whole process of getting my shit back, and just quit the game.

The last two account hacks in my guild both had authenticators added to their accounts after the hacking - it slows down CS and creates ambiguity as to the real owner.  They'll also server transfer, faction transfer, account transfer etc. because: hey, it is your credit card anyway! 

Hacking around an authenticator would be the next natural target if authenticators become mandatory, professionals will just work the Blizzard CS Rep angle and talk their way into targeted accounts.  An authenticator will reduce the number of people who can currently hack your account but new paths to exploitation will suddenly become economically viable when the easy sources are tapped out.   


I use account sharing to work around many limitations in the game's design with respect to limited in-game resources (e.g. specialist crafters and gatherers) and limited available of people IRL.  Forced authenticator use provides only slightly increased security for a vastly more annoying game management experience.  Given the cost associated with my preferred mode of playing, perhaps I'm not the kind of customer Blizzard is interested in anymore.  I guess that's fine, but playing their game within the bounds of their terms of service isn't really sufficient for my needs.  I can't see many guild management teams thinking this is a great idea for themselves.  I think it is great for all the normals who get their accounts compromised with surprising regularity.  Of course, we keep very little of real value in the guild bank due to the nature of guild bank security (only 250-350k in gold and assets) so really from my p.o.v. any authenticator push just moves the problem around again instead of addressing it (guild asset security has always been a problem, authenticators don't protect assets on a guild level, game requires strong guilds to experience all content). 

:awesome_for_real:

You're assuming everyone uses a login or even separate logins on their machines.  Power on -> Straight to windows is pretty much the default for home machines of most families and coworkers I've known. The only families I've known with logins had them because it was a work-provided laptop or to control the kids internet access.   Those controlling access only had one login name.

 

250k is very little value?  :uhrr:

Shut up "normal"!  :awesome_for_real:

You can auto-login non-admin accounts.

I removed admin privileges from my parents' machines cause my Dad kept getting his machine infected.

It depends, but generally speaking no.  Once they have code running on your computer (standard vector is Java via your browser) the next step is usually to elevate their permissions.

Figures, one of the guild officers got hacked today.  All his stuff stripped and stuff missing from the guild bank. 

I've played alot of mmo's, but the rate at which this happens in WoW is totally rediculous.

Yeah, I know you can.  However, it's not the Windows default  on XP, which AFAIK is still what most machines are running.   It takes some fiddling, which your average user isn't going to do.  The only fiddling I've heard of folks doing involved  Vista/ 7 to find out how to turn the "Damned annoying popups" that were saving their asses off.

It's not the rate. It's just a percentage of a much larger pool of people playing, and a larger pool even still of people who know them.

I'm in favor of mandatory authenticators for everyone. It's not going to drive the hacks down to zero. But it's going to drive it down a lot to minimize the collateral damage, like your example.

Well I'd say that if this happens it pretty much conclusively guarantees that I won't be coming back to WoW, ever.  I refuse to go through the nonsensical hassle of typing in a damnable code every time I want to log in, this would only ever be acceptable to me if it was a usb dongle that I can just plug in and forget about, and log in from any machine with it plugged in.

But a damnable password is ok?

Yeah man, typing in a six number code every time you log in, I just don't know how you'll manage.  More, I don't think you'll play any blizzard game again if they do this, as I'm sure it'll apply to battle.net 2.0 too.

Uh huh. You are kinda mixing dumb script usage/exploiting with actual hacking.

Little insider joke incoming: I'm pretty sure the guru C programmer who coded strcopy in the '70s knew his shit and never thought about buffer overflows and how the internal representation of program commands on the command stack works when checking for '\0' terminators.  (You might want to cross-reference http://en.wikipedia.org/wiki/Stack_buffer_overflow for some primitive historical examples on how knowing your shit is not protecting you if someone else didn't know theirs).

Hacks do not come from clicking on sex links only or anything you can be fully aware of. Primitive ones can come from an advert server posting manipulated dhtml adverts, as they can come from a html mail you receive unsolicited, as they can come from stuff like spoofing, social engineering, man-in-the-middle attacks or whatnot.

Did you know someone could display a manipulated jpeg or pdf, both looking perfectly legit, allowing for code insertion or remote code execution? Or about various bugs in the way java virtual machines handle security that would allow for a not-even-visible applet on a page you are visiting to do stuff to your machine?

You probably have no idea about what pieces of code run on your computer at the moment, and unless you put 100% faith in the QA of software developers worldwide which, of course, put security as one of their top priorities when building software, and are generally very security interested, you run a way higher probability of getting hacked or being attacked than you imagine.

Firewalls will not help you because these things piggyback on allowed protocols and are not discernable by lower levels ISO/OSI packet inspection techniques. Anti-Malware/AV might or not help you, but given the fact that someone managed to install a custom coded trojan on Gabe Nevell's machine, I doubt most Anti-Malware producers bother with anything that is not mainstream.

And let's not even get into Rootkit technology or OS virtualizing which means you'll never even see what hit you. I haven't even touched some of the more advanced stuff.

A primitive two-factor authentication like WoW, which has at least one weak factor (e-mail, tee hee), is probably also a lot simpler to brute force/dictionary guess. All I would need to start would be some educated guesses at the mail address of a few people, which usually can easily be sped up by looking at stuff like forum profiles or googling their nicks since lots of people use the same e-mail at some point. Then you write some neat and quite primitive (or reuse some of the widely available) scripts simulating login either against the WoW server or the WoW homepage and try the passwords with stuff like common last names, first names, english dictionary words, dictionary words + additional letter/a digit, common substitutions like "1" for "i" and so on. I'm sure you'll get plenty of hits in no time.

The keychain helps against this fundamental system flaw by adding a third, one-time factor to the authentication, which is not "guess-able" - at least not without enterprise-class intelligence - and also expires after a set time window (30 secs) and is only usable once (it used to be able to be utilized more than once in the 30 second weakness which was actually a weakness of the WoW implementation), and will make your WoW account actually a lot more secure than your self-assessment. All that for $6.

The thing is that your computer is not secure, you just didn't get hacked yet because no one really knowing his shit at hacking tried his luck at you yet. Most of us aren't secure, we just aren't worth real hacking.

P.S. Good ole EQ actually had more advanced security feedback than WoW by telling you how many failed login attempts against your account had been performed in your absence. So at least you know when you got away or were under attack. With WoW, ignorance is bliss, until one day it is too late.

A password that I have memorized and can type in about one second with perfect accuracy?  Sure, that's ok.  Having to fiddle with a little gadget, read a code and then type it in?  Nah, don't think so.

I talked to the people that make those authenticators when I was at Blizzcon, and I posed the question of why they couldn't just be a USB device.  They told me they make USB devices, but Blizzard decided to use the manual version.

Oh and the whole 'blizzard account' thing that I haven't actually used since I haven't played WoW since before it was implemented?  Yeah, not happy with having to use my email address as my username there.  Not exactly a good way of improving security, jackasses.

So is every single person who uses "hacked" to describe any account that has been compromised. By which I mean everyone. I'm sorry if the common usage annoys you, but why don't you take this six paragraphs of self-satisfied masturbatory blathering and ram it up your ass.

I use Firefox with Ad-Block and No-Script as a first line of defense, with active protection from two different programs running. Nevertheless, I visit only a bare handful of reputable WoW-related sites. My Battlenet email is gibberish, not related to any username, and not used for anything else. My password is also gibberish not found in any dictionary and not used elsewhere. Both are changed on a regular basis, but only after I finish taking every step available to make sure there's nothing on my PC that doesn't belong first. I don't share my account information, even with people I trust, so that if something happens I will know it's all my own fault.

A real honest-to-god sophisticated hacker wouldn't sweat any of that, but who gives a shit? They're not out trawling for individual WoW accounts. And fuck you for acting like there's anyone here who's not perfectly aware of that.

Alright, If you seriously having that big a problem with looking at a 6 digit number and typing it in, I really guess there is no reasoning with you.

Wait a minute.  I've only been following this thread loosely, but I assumed this gadget was a USB dongle.  It's just a numeric password on a keychain?   :uhrr:

RSA keychain type dealie.

(http://gweedosplace.files.wordpress.com/2008/11/authenticator1.jpg)

Also available on iPhone for free.

I would assume it'll soon be on Android. Eventually. Maybe.

If they make anything mandatory it will be free. If they don't they lose account. It's that simple.

My guess is that if they decide to go with it, they'll package every box of  Cataclysm, Starcraft 2, and Diablo 3 with one inside, and offer to mail a free one to the people who buy digital version of the game.  I think it would be hard to get 100% use, but even if its free well, we've seen even in this thread someone say that they would stop playing period, so they have to wonder if the amount of people lost will be > than the amount of people lost due to the "hacks" they prevent.

The flaw with authenticators is the same flaw with strong passwords - people leave them somewhere convenient where they won't lose them - usually next to the machine they log in from. With most of the account hacking in WoW centred around dimwits at college campuses, I don't see SecurID being a big step forward.

Add the fucked up 'type in your email address in plain view' login now required by WoW and it is fairly clear that the security team at Blizzard are just a bunch of idiots that put hurdles in front of users instead of solutions.

The WoW one requires a button push, though. It's not like the really old school versions that had displays on all the time and you could steal the current code by serendipitously peeking at it.

Yeah, laptop bastard in dorm room presses the button when you're on the toilet, compromises account and pops laptop back in bag. Most people aren't going to use the hardware anyhow - they'll install the app on their phone, and presumably once they do so, any other token will be disassociated from their account (or there's more fun). So because Blizzard are too sloppy to run an efficient account reset service for a few million users, they just increased the chances that my phone gets stolen, because they added a new bunch of criminals on the lookout for smart phones.  :grin:

The desire to implement token authentication is being driven by an inability to handle the volume of account resets. It's not hard to reset an account in software terms, the difficulty comes in having enough staff trained and trusted to handle the procedures. Since we know Blizzard have the software skills to build a 'select date of reset point and press red button' tool for their staff, we must assume it's a trust issue. I hope they can trust the dozens of IT staff with access to the back-end databases if the value of a single WoW account on the black market is worth $10 these days. When it comes to organised crime, when you close one door you invariably open another. This is going to change the profile of how criminals get their hands on valuable WoW accounts. It won't make the account administration team any more trustworthy, clever or efficient.

I don't know where you got this college campus thing.  Several people have posted here, and I know several others who've been hacked. No college involved anywhere.  I haven't even read that anywhere.

Anyway,  wow.com is reporting that Blizzard is getting so far behind in the character restoration queue that they are offering "care packages" of some gold and badges in lieu of restoration to try and keep up with the demand.  We're talking weeks, possibly. Also, they just closed a social engineering exploit by which someone sends all their gold off-account and then gets billing to reinstate their cash.  Apparently billing had all the power but none of the training and were doing it without checking for that sort of thing.

Blizzard should just sell gold at a price that significantly undercuts any competition.  That would seemingly solve a good portion of the problem.

Wow, I haven't seen anyone pull an "I know more than you!  Tremble at my apparent knowledge and vocabulary" post of this scale in a while.

Eh, don't get too worked up. What WUA said. It's pretty much common knowledge. :oh_i_see:

Whatever, guy. I'm really sorry that explaining to some internet nobody why opening their big mouths really, really wide about how "they know their shit" is wrong hurt their (and apparently your) feelings. I have no interest in getting in some personal Vendetta because of that though, so enjoy your safe Interwebs.

Listen chuckles, it's not our fault you're a smug know-it-all fuck who had to open his fat cakehole and tell everyone a bunch of shit everyone knows like you're Mister Fucking Serious Internet giving a clue to the newbies. This is a thread about MMO account security and the threats thereto. Reminding us that actual hackers exist, the kind with better things to do than steal random WoW accounts one at a time, was a huge "Well fucking duh!" moment.

I will now grace you with a simile in regards to the conversation thus far.

WUA: "Man did you see that guy on the news last week who got home invaded? Man that shit isn't going to happen to me. I take fucking precautions."

You: "Well if Al Qaeda decides to blow up your personal house, your little precautions won't matter. Those guys have bombs, trucks they put bombs in, and some of them don't even care if they die. Also, if the Russians decide to launch their nukes then you're totally fucked. Sorry to shake your safe little world, newbie."

WUA: "Huh? I have three dogs, a security guard, and a gun under my pillow. You know, so I don't get home invaded. Like we were talking about. What's all this shit about terrorists and nukes?"

You: "WAAA *BUTTHURT*"

In conclusion, you may feast upon my succulent ballsack. I bid you good day.

Oh, my.

You are entertaining, both with your understanding of knowing your shit since you use Adblock and never get hacked, and with your righteous rage.

Enlighten me please, do you suffer from a compulsive pathological disfunction requiring you to have some sort of internet funny last word ridiculing people, or is there more to your drivel? Did I touch you in bad places by not being instantly intimidated by your attitude of actually not knowing your shit, yet claiminig that you obviously do, again, Adblock and legt and you?

I don't give a shit about you, dude. However, that don't means I enjoy being randomly insulted in public by you either so I might take the couple minutes to respond and try to show you how much of an ass you actually are. Not that it will do me much good, most likely.

Au contraire, Senor Fucknut. I said I know how to handle my shit, the shit in question being an MMO account and the handling being the effort to keep it out of the grubby mitts of the bottom-feeding Chinese gold farmers whom we all know prefer to mass-harvest low-hanging fruit. You know, the ones we're TALKING ABOUT. How to defend against every possible internet security risk that could ever possibly exist wasn't anywhere on the table, except in your ever-so-pedantic "DUR GUYS DID YOU KNOW THEY CAN PUT SCRIPTS IN ADS?" mind.


Yes. Fuck you.


No, you touched me where I poop from with seven paragraphs of stupid shit like "Someone once gave the Valve guy a custom trojan!" as if that were the least bit germaine to the conversation at hand. One of my old UO guildmates wrote his own keylogger and used to get on people's accounts and move all their shit around without taking it just to fuck with their heads. You're not telling us anything.


Boy are you in the wrong place!


Better than you have tried and failed!  :why_so_serious:

 :oh_i_see:

We have a name for what you just did.  Never again.

I'll try to explain this slowly, so bear with me.

I know you enjoy the sound of your own voice. Or the sight of your own typing, or whatever. I am not trying to educate you of anything. I'm trying to tell you that you don't know your shit, and it has nothing to do with your UO buddy writing his own keylogger (man, ain't that a story to tell to your grand-children when you are old!) which wouldn't have hit anyone even half-knowing their shit.

I really tried to follow your original post, and I tried to explain why you knowing your shit is no defense against you not getting "hacked", and also not some sort of general remedy compared to the increase in WoW account security that upgrading two-factor authentication to a three-factor thing with an RSA token would bring, for a mere $6 expediture - or even free by Blizzard, who knows?

The point is not that Al-Qaeda is attacking you in your remote corner of the world while you are salivating to purple pixels. The point is that there is more to computer security, including WoW accounts, than you obviously understand. I won't go into details why your "gibberish" mail adress is probably not gibberish at all and can be found out by scripts harvesting mail domains for valid addresses, so one of your factors probably is already compromised. It might just not be linked to an active bnet account.

You started the thread claiming that not clicking on porn links while playing WoW is what keeps the world safe. And about how computer savvy you are. Or whatever. I tried to point a few things out to you, to help you understand why you obviously aren't. Which does not equal the world's cyber criminal elite being after you, by far not.

All that comes back is random flaming, intermingled with profanity and a few other anecdotical evidences of the quality of you knowing someone who knows how to write a keylogger from a computer game (w00t, chest bump!). Might have taken you a couple minutes more to write some sort of civilized reply, might even have been worth it. Instead, we're getting me being evil for having tried to scare you poor kid when instead you've seen the equivalent of WWII of cyber crime. Woe is me for telling you stuff you already know that good!

Try again, with reduced swearing density, and there might be some discussion. Or not, your choice.

It is a pain in the ass. No chance I'm dragging that thing on my actual keychain. That means I'm never going to be able to play wow on any other computer again unless I remember to bring the thing with me, and every time there's the chance to get it lost.  Also, looking up some random code on a dongle to type in is annoying as fuck when WoW decides to kick me off the server every 3 minutes just for fun.  And I have to do the same thing when switching accounts, because there's no way to switch between WoW accounts in the same Battlenet account without logging all the way out of WoW.  That is a massive pain in the ass when I am swapping shit through alst for tradeskill purposes (i.e. auction mule on A buys blue gem, alchemist on account B transmutes it to an epic, jewelcrafter on A cuts it) or when moving shit between alliance and horde for auction purposes.  That's a lot of fucking with the dongle and typing kljd7e 9s0n32 and jjiwu7.  Or leaving both accounts up all the time and taking the performance hit, until you forget to alt tab to the other for 10 mins and it gets autokicked.

Is it the end of the world? No.  Is it going to make me quit? No.  Is it a pain in the ass? Yes.

Boy, this is a lot of text to summarize what is in effect an economics problem, not a security one.

Is the cost of authenticators, distribution of them, and new authenticator customer support < the cost of customer support on account hacking issues and revenue lost due to frustrated/non-compliant customers?

Apparently. I think (without any evidence whatsover, just my guess) that the sea change we're seeing is the emergence of account hacking into the realm of script kiddies coupled with the blooming awareness that Blizzard has a total-restoration policy. The kiddies see it as a victimless crime and so have no compunction about it, and apparently learning to phish is easier than learning to fish nowadays (couldn't resist).

I suspect you are seeing a higher percentage of compromised accounts than other games because the sheer number of players makes it more economical to work out ways to steal accounts in sophisticated ways.

As to the authenticator itself, I've had one for a long time, it's no trouble at all, and it's a great idea.

I don't get all that college compromise stuff. Someone's going to log into my account while I'm in the bathroom and strip all my characters? That's daft. The token expires very quickly.

Flash is the primary attack vector for MMO keylogger/trojans these days. I got my account compromised a couple years ago. I used Firefox with NoScript and AdBlock. The problem with this is I tend to disable it on sites that I trust that also function much better with NoScript disabled. So what happens is occasionally a compromised flash ad will get through their filters and be served up to hundreds of thousands of visitors. The bigger problem is with Flash itself. There has been multiple occasions of unpatched exploits in the wild in the last few years that went for days or weeks without fixes. More than that, Flash doesn't automatically update and it doesn't tell you when there's a new version or a critical fix. Unless you're constantly checking Flash vulnerability news then you may miss an important update and suddenly find yourself vulnerable, despite taking nearly every precaution available. Unless you refuse to ever enable Flash/Scripts on any site then you are never fully protected and anyone who claims otherwise is talking out their ass. Two factor authentication is the only nearly foolproof security method in this case. I guarantee that if authenticators were required then 95-99% of account compromises would disappear.

I think a viable compromise would be that you can opt out of having an authenticator, but this also requires you opting out of any form of restoration services from Blizzard, or that you be required to pay for restoration. You make your own bed. My assumption is that Blizzard would be eating the cost of authenticators and giving them out for free.

I don't know that you'd even have to go that far.  Make them free, and I'd grab one myself.  Throw in that pet core hound or whatever the incentive is for adding one to your account now, and you'd have people lining up (and people pissed off that they bought one for twenty bucks a week ago, but whatever).

I think they are more like $7.  Also they're free if you have a smartphone (list here (http://mobile.blizzard.com/support-compat.html/) (it says ringtone and wallpaper but I followed the link from the authenticator FAQ so I guess copy/paste error?))

You dipshit, the point of that reference to my UO friend is precisely that it's not special or particularly interesting. I know that being a pedantic wannabe know-it-all fuck who posts mundane bullshit hoping to impress rubes means you think everyone else is the same way, but sadly for you such is not the case.

You blundered in here and saw someone say they knew how to handle shit when it came to protecting a WoW account from keylogging Chinese gold farmers, decided to show off your imaginary geek-cred by imparting a bunch of common knowledge "Did you know they can put scripts in advertisements?" bullshit, then got butthurt when the response was "Of course, dumbass, who are you trying to impress?"

You are not interesting. You have not posted a single piece of information in this thread that was enlightening to anyone in any way. Go fuck yourself.


In my defense, I wasn't trying to splinter a debate into a million hopeless tangents, I was just inserting random one-liners.


Yeah, I picked up something a while back when I disabled NoScript somewhere I really ought not to have. I don't really know it was a WoW keylogger since one of my programs squawked and I set about making sure it was gone before I did anything else, but I can only assume it was. I don't really keep up on Flash vulnerability, I just run Flashblock and only enable a few things. Youtube yes, third-party WoW sites no. I haven't seen a Flash ad in years, which is nice in itself. It was those annoying punch-the-monkey ads that made me start blocking it.

Cut it out you two.

No, dude.  You just perfectly painted yourself as a douchebag.  That's all I was saying.

Incidentally, there's an image kicking about of a "Cataclysm" branded authenticator - buy expansion box & get auth keyring included in the price, perhaps?

My Authenticator has only ever given me numbers, if that helps any.

This is where Lantyssa is supposed to come in and ramble about it being insecure now because it uses a reduced set of characters. :grin:

I figured I had two sitting around from Blizzcons, so I might as well hitch my wagon to it now instead of later. BLIZZCON 2008 VERSION BABY I AM TOTALLY SPECIAL.

I even put it on my keychain so everyone can see I am a dork.  :drillf:

Sounds good, I hope they do it. Putting one as a "bonus" in the cataclysm box will also neatly address the fact that postage to Australia is apparently in the 20$ region. Then they can tie installing the expansion to setting up the authenticator.

And of course it's not perfect security, but it's a lot better than a user selected password on an internet connected windows machine.

Been using the authenticator for as long as they've been around now with zero hassle. It's 6 numbers, you seriously don't even notice pressing the button and typing it in. You can use the same authenticator on multiple accounts. It's not large, it's not heavy, it's really, really, REALLY fucking easy.

Whinging about having to use one is incredibly retarded in my opinion. It's already semi-mandatory in our guild - get an authenticator and you get access to the guild bank. Nobody has complained once. Plus, core-hound pup  :awesome_for_real:

No, it's where I tell you to bugger off.

Killjoy.

I ordered one last Tuesday and it still hasn't shipped yet.  Slow fucks.

Yeah now that I've actually gotten around to activating mine, it is pretty trivial to use. It adds perhaps 15 seconds to the login process. It isn't exactly going to weigh down a keychain, either, it is no bigger than the RSA one I have on there for my corporate VPN.

The iPhone version is pretty slick, visually, and up for free on the AppStore. If you're not afraid of losing it to a system restore, although apparently that would restore the app once backed up, but I'm not sure about the serial number.

It displays a progress bar that shows you how long til the current token expires, which is handy for logging in multiple accounts.

Ordered a couple days before New Year's - same thing.   :headscratch:

Their order fulfillment server got hacked  :awesome_for_real:

Authenticator was sitting in the mailbox today - shows mailed yesterday.  Guess they have a backlog going on or something.

They sometimes run out of the little things completely and it takes a bit for them to get the new supply or whatever goes on.

I have two sitting around from the past two BlizzCons. I suppose I should probably use one.

Then again, I suppose I should probably have a reason to use one.

EDIT: Totally forgot why I was even reading this thread - apparently at one point, a WoW account was worth more than a stolen credit card number, and was less risky. That is scary.

If anybody ever has trouble with their authenticators here's what to do. I had to reinstall my iPhone today, which meant that the authenticator had to be reinstalled and was no longer in sync with my account.

Step 1: Use the Tech Support form to send Blizzard a copy of your Passport or ID
Step 2: Call Tech Support and ask them to remove the Authenticator from your account (They need your ID to verify)

Takes about half an hour tops and you can play again.

Well, gee, there's a good reason not to get one! 

Well on the contrary, there's another reason why you should get one.

Most people I talked to aren't getting one because they don't know what happens when they lose the authenticator, the battery is dead etc. They are afraid that they might not be able to play the game for days or even weeks if this happens.

The tech support guys need to verify your ID because without that the authenticators themselves wouldn't be secure (everybody would be able to remove the authenticator from your account)

Waiting about half an hour before you can game again vs. the possibility of losing your toon you spent years on. I know what I'd choose.

Oh, I've had one for ages.  I'm just saying what people will say.  If typing in six digits is pissing them off, having to call support and wait half an hour will drive them right off the edge of sanity!   :why_so_serious:

If being kept from playing WoW for half an hour is such an issue with those guys they have bigger problems than a broken authenticator  :why_so_serious:

Maybe you haven't seen the forums during maintenance...

I think at this point it's just a ritual that during Tuesday maintenence, somebody has got to post a 'WHY AREN'T THE SERVER'S UP YET??' thread, or it just wouldn't be Tuesday maintenence.

Have they moved past the required "I work in computers, and if _I_ designed this system it wouldn't need downtime!" threads? Those are my favorite. Complete with insisting that WoW really doesn't have that many transactions/second because it's just a game.

I just got an authenticator.  It works fine.  It's easy.

It was not. Doom. DOOM! DOOM!

I got an autheticator and it punched me in the balls. True story.

More like my current precautions are sufficient and aren't going to change just because I get an authenticator, so why bother? Let all those "I use the same password for everything and have actually looked at a Flash ad in the last five years!" people screw with it. If they want to mail me a free one and require me to use it, well okay, whatever.

But you know, a lot of this shit is people who buy gold or powerleveling services getting their shit stolen by said services, and then not wanting to admit it. I know NOT YOU, but someone is clearly buying all that shit (and lots of it) or they wouldn't go to such lengths to spam us.

Honestly, from what I can tell in our guild of very-much non-teenagers, the worst danger is account sharing.

I've played since release and I've busted people in the back alleys of major cities trading with characters named Xjhagoejogjo. Shockingly enough, they were the same people who had hacker issues and wanted to cry on the forums about it.

I trade with shady chinese farmers all the time; they sell the cheapest mats!

People seriously do that?  That's awesome.  I assumed they'd just mail it to them, or something.  This "You are to go to the World's End Tavern in Shattrath.  Your contact will be a man named fhqwhgads.  Offer him a cigarette and he'll reply with the code phrase 'the black wolf howls at dawn'.  Come alone, or the deal is off." kind of stuff is way cooler.

Oh yeah, I work at a library and at one point I had probably disabled half the library cards of the local youth because they'd shared their computer logins (tied to the library card) with just about anyone who asked for it.