Author Topic: Mandatory Authenticators?  (Read 38843 times)
Evildrider
Terracotta Army
Posts: 5521


Reply #35 on: January 08, 2010, 04:21:32 PM

Figures, one of the guild officers got hacked today.  All his stuff stripped and stuff missing from the guild bank. 

I've played a lot of MMOs, but the rate at which this happens in WoW is totally ridiculous.
Merusk
Terracotta Army
Posts: 27449

Badge Whore


Reply #36 on: January 08, 2010, 04:24:29 PM

Just curious here: those with teenage kids, wouldn't removing their admin privileges cut out installs of keyloggers?
You're assuming everyone uses a login or even separate logins on their machines. Power on -> Straight to Windows is pretty much the default for home machines of most families and coworkers I've known. The only families I've known with logins had them because it was a work-provided laptop or to control the kids' internet access. Those controlling access only had one login name.
You can auto-login non-admin accounts.

I removed admin privileges from my parents' machines cause my Dad kept getting his machine infected.


Yeah, I know you can. However, it's not the Windows default on XP, which AFAIK is still what most machines are running. It takes some fiddling, which your average user isn't going to do. The only fiddling I've heard of folks doing involved Vista/7 to find out how to turn the "Damned annoying popups" that were saving their asses off.

The past cannot be changed. The future is yet within your power.
Venkman
Terracotta Army
Posts: 11536


Reply #37 on: January 08, 2010, 05:02:27 PM

Figures, one of the guild officers got hacked today.  All his stuff stripped and stuff missing from the guild bank. 

I've played a lot of MMOs, but the rate at which this happens in WoW is totally ridiculous.

It's not the rate. It's just a percentage of a much larger pool of people playing, and a larger pool even still of people who know them.

I'm in favor of mandatory authenticators for everyone. It's not going to drive the hacks down to zero. But it's going to drive it down a lot to minimize the collateral damage, like your example.
Koyasha
Terracotta Army
Posts: 1363


Reply #38 on: January 08, 2010, 05:04:59 PM

Well I'd say that if this happens it pretty much conclusively guarantees that I won't be coming back to WoW, ever. I refuse to go through the nonsensical hassle of typing in a damnable code every time I want to log in; this would only ever be acceptable to me if it was a USB dongle that I can just plug in and forget about, and log in from any machine with it plugged in.

-Do you honestly think that we believe ourselves evil? My friend, we seek only good. It's just that our definitions don't quite match.-
Ailanreanter, Arcanaloth
Ingmar
Terracotta Army
Posts: 19280

Auto Assault Affectionado


Reply #39 on: January 08, 2010, 05:12:34 PM

But a damnable password is ok?

The Transcendent One: AH... THE ROGUE CONSTRUCT.
Nordom: Sense of closure: imminent.
Malakili
Terracotta Army
Posts: 10596


Reply #40 on: January 08, 2010, 05:32:13 PM

Well I'd say that if this happens it pretty much conclusively guarantees that I won't be coming back to WoW, ever. I refuse to go through the nonsensical hassle of typing in a damnable code every time I want to log in; this would only ever be acceptable to me if it was a USB dongle that I can just plug in and forget about, and log in from any machine with it plugged in.

Yeah man, typing in a six number code every time you log in, I just don't know how you'll manage. More, I don't think you'll play any Blizzard game again if they do this, as I'm sure it'll apply to battle.net 2.0 too.
Kageh
Terracotta Army
Posts: 359


Reply #41 on: January 08, 2010, 05:48:58 PM

I've been playing MMO games for as long as the genre has existed, and with all due respect to everyone in the "I got hacked" thread, I've never ever been fucking hacked because I know how to handle my shit. I'm not going out of my way to buy one of their "Godfuckingdammit we're never gonna get these kids to quit clicking on sex leg forum posts" keychains.

Uh huh. You are kinda mixing dumb script usage/exploiting with actual hacking.

Little insider joke incoming: I'm pretty sure the guru C programmer who coded strcopy in the '70s knew his shit and never thought about buffer overflows and how the internal representation of program commands on the command stack works when checking for '\0' terminators.  (You might want to cross-reference http://en.wikipedia.org/wiki/Stack_buffer_overflow for some primitive historical examples on how knowing your shit is not protecting you if someone else didn't know theirs).

Hacks do not come from clicking on sex links only or anything you can be fully aware of. Primitive ones can come from an advert server posting manipulated DHTML adverts, as they can come from an HTML mail you receive unsolicited, as they can come from stuff like spoofing, social engineering, man-in-the-middle attacks or whatnot.

Did you know someone could display a manipulated JPEG or PDF, both looking perfectly legit, allowing for code insertion or remote code execution? Or about various bugs in the way Java virtual machines handle security that would allow for a not-even-visible applet on a page you are visiting to do stuff to your machine?

You probably have no idea about what pieces of code run on your computer at the moment, and unless you put 100% faith in the QA of software developers worldwide which, of course, put security as one of their top priorities when building software, and are generally very security interested, you run a way higher probability of getting hacked or being attacked than you imagine.

Firewalls will not help you because these things piggyback on allowed protocols and are not discernible by lower-level ISO/OSI packet inspection techniques. Anti-Malware/AV might or might not help you, but given the fact that someone managed to install a custom coded trojan on Gabe Newell's machine, I doubt most Anti-Malware producers bother with anything that is not mainstream.

And let's not even get into Rootkit technology or OS virtualizing which means you'll never even see what hit you. I haven't even touched some of the more advanced stuff.

A primitive two-factor authentication like WoW, which has at least one weak factor (e-mail, tee hee), is probably also a lot simpler to brute force/dictionary guess. All I would need to start would be some educated guesses at the mail address of a few people, which usually can easily be sped up by looking at stuff like forum profiles or googling their nicks since lots of people use the same e-mail at some point. Then you write some neat and quite primitive (or reuse some of the widely available) scripts simulating login either against the WoW server or the WoW homepage and try the passwords with stuff like common last names, first names, English dictionary words, dictionary words + additional letter/a digit, common substitutions like "1" for "i" and so on. I'm sure you'll get plenty of hits in no time.

The keychain helps against this fundamental system flaw by adding a third, one-time factor to the authentication, which is not "guess-able" - at least not without enterprise-class intelligence - and also expires after a set time window (30 secs) and is only usable once (it used to be able to be utilized more than once in the 30 second weakness which was actually a weakness of the WoW implementation), and will make your WoW account actually a lot more secure than your self-assessment. All that for $6.

The thing is that your computer is not secure, you just didn't get hacked yet because no one really knowing his shit at hacking tried his luck at you yet. Most of us aren't secure, we just aren't worth real hacking.

P.S. Good ole EQ actually had more advanced security feedback than WoW by telling you how many failed login attempts against your account had been performed in your absence. So at least you know when you got away or were under attack. With WoW, ignorance is bliss, until one day it is too late.
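
The two properties the post above attributes to the keychain code (it expires with its 30-second window and is accepted only once), together with the failed-attempt feedback from its P.S., sketched as an added example that is not part of the original thread and not Blizzard's implementation. It assumes standard RFC 6238 TOTP as a stand-in for the authenticator's algorithm, which the thread does not describe; `Account`, `make_account` and `login` are hypothetical names and the demo values are constructed.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

STEP = 30    # seconds a code stays valid (the window the post mentions)
DIGITS = 6   # code length mentioned in the thread


def totp(secret: bytes, now: float, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 code (HMAC-SHA1) for the time step that contains `now`."""
    counter = int(now // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:                 # hypothetical server-side record
    salt: bytes
    password_hash: bytes
    token_secret: bytes
    last_used_step: int = -1   # newest time step already spent on a login
    failed_attempts: int = 0   # failures since the last successful login


def make_account(password: str, token_secret: bytes) -> Account:
    salt = os.urandom(16)
    return Account(salt, _hash_password(password, salt), token_secret)


def login(acct: Account, password: str, code: str, now: float,
          drift_steps: int = 1) -> Tuple[bool, Optional[int]]:
    """Return (ok, failed attempts since the previous successful login)."""
    current = int(now // STEP)
    password_ok = hmac.compare_digest(
        _hash_password(password, acct.salt), acct.password_hash)

    matched = None
    # Check the current step first, then neighbours to tolerate clock drift.
    candidates = sorted(range(current - drift_steps, current + drift_steps + 1),
                        key=lambda s: abs(s - current))
    for step in candidates:
        if step <= acct.last_used_step:
            continue           # this window was already spent: reject replays
        expected = totp(acct.token_secret, step * STEP)
        if hmac.compare_digest(expected.encode(), code.encode()):
            matched = step
            break

    if not (password_ok and matched is not None):
        acct.failed_attempts += 1      # counted whichever factor failed
        return False, None

    acct.last_used_step = matched      # burn the code so it cannot be reused
    reported, acct.failed_attempts = acct.failed_attempts, 0
    return True, reported


if __name__ == "__main__":
    secret = b"constructed-demo-secret"          # constructed sample value
    now = 1_263_000_000                          # constructed timestamp
    acct = make_account("constructed passphrase", secret)
    code = totp(secret, now)
    print(login(acct, "guess", code, now))                   # wrong password
    print(login(acct, "constructed passphrase", code, now))  # success, reports 1
    print(login(acct, "constructed passphrase", code, now))  # replay rejected
```

Recording `last_used_step` is what closes the reuse-within-the-window weakness the post mentions; without it, a code captured by a keylogger stays valid for the remainder of its window.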

Koyasha
Terracotta Army
Posts: 1363


Reply #42 on: January 08, 2010, 06:09:12 PM

A password that I have memorized and can type in about one second with perfect accuracy?  Sure, that's ok.  Having to fiddle with a little gadget, read a code and then type it in?  Nah, don't think so.

I talked to the people that make those authenticators when I was at Blizzcon, and I posed the question of why they couldn't just be a USB device.  They told me they make USB devices, but Blizzard decided to use the manual version.

Oh and the whole 'blizzard account' thing that I haven't actually used since I haven't played WoW since before it was implemented?  Yeah, not happy with having to use my email address as my username there.  Not exactly a good way of improving security, jackasses.

-Do you honestly think that we believe ourselves evil? My friend, we seek only good. It's just that our definitions don't quite match.-
Ailanreanter, Arcanaloth
WindupAtheist
Army of One
Posts: 7028

Badicalthon


Reply #43 on: January 08, 2010, 06:36:30 PM

Uh huh. You are kinda mixing dumb script usage/exploiting with actual hacking.

So is every single person who uses "hacked" to describe any account that has been compromised. By which I mean everyone. I'm sorry if the common usage annoys you, but why don't you take this six paragraphs of self-satisfied masturbatory blathering and ram it up your ass.

I use Firefox with Ad-Block and No-Script as a first line of defense, with active protection from two different programs running. Nevertheless, I visit only a bare handful of reputable WoW-related sites. My Battlenet email is gibberish, not related to any username, and not used for anything else. My password is also gibberish not found in any dictionary and not used elsewhere. Both are changed on a regular basis, but only after I finish taking every step available to make sure there's nothing on my PC that doesn't belong first. I don't share my account information, even with people I trust, so that if something happens I will know it's all my own fault.

A real honest-to-god sophisticated hacker wouldn't sweat any of that, but who gives a shit? They're not out trawling for individual WoW accounts. And fuck you for acting like there's anyone here who's not perfectly aware of that.
« Last Edit: January 08, 2010, 06:50:26 PM by WindupAtheist »

"You're just a dick who quotes himself in his sig."  --  Schild
"Yeah, it's pretty awesome."  --  Me
Malakili
Terracotta Army
Posts: 10596


Reply #44 on: January 08, 2010, 07:19:09 PM

A password that I have memorized and can type in about one second with perfect accuracy?  Sure, that's ok.  Having to fiddle with a little gadget, read a code and then type it in?  Nah, don't think so.


Alright, if you're seriously having that big a problem with looking at a 6 digit number and typing it in, I really guess there is no reasoning with you.
Samwise
Moderator
Posts: 19324

sentient yeast infection


Reply #45 on: January 08, 2010, 07:25:22 PM

A password that I have memorized and can type in about one second with perfect accuracy?  Sure, that's ok.  Having to fiddle with a little gadget, read a code and then type it in?  Nah, don't think so.

Wait a minute.  I've only been following this thread loosely, but I assumed this gadget was a USB dongle.  It's just a numeric password on a keychain?   swamp poop
schild
Administrator
Posts: 60350


Reply #46 on: January 08, 2010, 07:32:58 PM

RSA keychain type dealie.



Also available on iPhone for free.

I would assume it'll soon be on Android. Eventually. Maybe.
Paelos
Contributor
Posts: 27075

Error 404: Title not found.


Reply #47 on: January 08, 2010, 07:50:28 PM

If they make anything mandatory it will be free. If they don't they lose account. It's that simple.

CPA, CFO, Sports Fan, Game when I have the time
Malakili
Terracotta Army
Posts: 10596


Reply #48 on: January 08, 2010, 08:23:03 PM

If they make anything mandatory it will be free. If they don't they lose account. It's that simple.

My guess is that if they decide to go with it, they'll package every box of Cataclysm, Starcraft 2, and Diablo 3 with one inside, and offer to mail a free one to the people who buy the digital version of the game. I think it would be hard to get 100% use, but even if it's free, well, we've seen even in this thread someone say that they would stop playing period, so they have to wonder if the amount of people lost will be > than the amount of people lost due to the "hacks" they prevent.
Righ
Terracotta Army
Posts: 6542

Teaching the world Google-fu one broken dream at a time.


Reply #49 on: January 08, 2010, 08:53:06 PM

The flaw with authenticators is the same flaw with strong passwords - people leave them somewhere convenient where they won't lose them - usually next to the machine they log in from. With most of the account hacking in WoW centred around dimwits at college campuses, I don't see SecurID being a big step forward.

Add the fucked up 'type in your email address in plain view' login now required by WoW and it is fairly clear that the security team at Blizzard are just a bunch of idiots that put hurdles in front of users instead of solutions.

The camera adds a thousand barrels. - Steven Colbert
Trippy
Administrator
Posts: 23657


Reply #50 on: January 08, 2010, 09:19:47 PM

The flaw with authenticators is the same flaw with strong passwords - people leave them somewhere convenient where they won't lose them - usually next to the machine they log in from. With most of the account hacking in WoW centred around dimwits at college campuses, I don't see SecurID being a big step forward.

Add the fucked up 'type in your email address in plain view' login now required by WoW and it is fairly clear that the security team at Blizzard are just a bunch of idiots that put hurdles in front of users instead of solutions.
The WoW one requires a button push, though. It's not like the really old school versions that had displays on all the time and you could steal the current code by serendipitously peeking at it.
Righ
Terracotta Army
Posts: 6542

Teaching the world Google-fu one broken dream at a time.


Reply #51 on: January 08, 2010, 10:29:11 PM

Yeah, laptop bastard in dorm room presses the button when you're on the toilet, compromises account and pops laptop back in bag. Most people aren't going to use the hardware anyhow - they'll install the app on their phone, and presumably once they do so, any other token will be disassociated from their account (or there's more fun). So because Blizzard are too sloppy to run an efficient account reset service for a few million users, they just increased the chances that my phone gets stolen, because they added a new bunch of criminals on the lookout for smart phones.  Oh ho ho ho. Reallllly?

The desire to implement token authentication is being driven by an inability to handle the volume of account resets. It's not hard to reset an account in software terms, the difficulty comes in having enough staff trained and trusted to handle the procedures. Since we know Blizzard have the software skills to build a 'select date of reset point and press red button' tool for their staff, we must assume it's a trust issue. I hope they can trust the dozens of IT staff with access to the back-end databases if the value of a single WoW account on the black market is worth $10 these days. When it comes to organised crime, when you close one door you invariably open another. This is going to change the profile of how criminals get their hands on valuable WoW accounts. It won't make the account administration team any more trustworthy, clever or efficient.

The camera adds a thousand barrels. - Steven Colbert
Jayce
Terracotta Army
Posts: 2647

Diluted Fool


Reply #52 on: January 08, 2010, 10:48:22 PM

I don't know where you got this college campus thing.  Several people have posted here, and I know several others who've been hacked. No college involved anywhere.  I haven't even read that anywhere.

Anyway,  wow.com is reporting that Blizzard is getting so far behind in the character restoration queue that they are offering "care packages" of some gold and badges in lieu of restoration to try and keep up with the demand.  We're talking weeks, possibly. Also, they just closed a social engineering exploit by which someone sends all their gold off-account and then gets billing to reinstate their cash.  Apparently billing had all the power but none of the training and were doing it without checking for that sort of thing.

Witty banter not included.
Nebu
Terracotta Army
Posts: 17613


Reply #53 on: January 08, 2010, 11:07:03 PM

Blizzard should just sell gold at a price that significantly undercuts any competition.  That would seemingly solve a good portion of the problem.

"Always do what is right. It will gratify half of mankind and astound the other."

-  Mark Twain
Roentgen
Terracotta Army
Posts: 145


Reply #54 on: January 08, 2010, 11:12:51 PM

I've been playing MMO games for as long as the genre has existed, and with all due respect to everyone in the "I got hacked" thread, I've never ever been fucking hacked because I know how to handle my shit. I'm not going out of my way to buy one of their "Godfuckingdammit we're never gonna get these kids to quit clicking on sex leg forum posts" keychains.

words



Wow, I haven't seen anyone pull an "I know more than you!  Tremble at my apparent knowledge and vocabulary" post of this scale in a while.

The internet is a place where men are men, women are men, and little boys are the FBI.
Tarami
Terracotta Army
Posts: 1980


Reply #55 on: January 09, 2010, 12:40:01 AM

Eh, don't get too worked up. What WUA said. It's pretty much common knowledge. Ohhhhh, I see.

- I'm giving you this one for free.
- Nothing's free in the waterworld.
Kageh
Terracotta Army
Posts: 359


Reply #56 on: January 09, 2010, 01:50:57 AM

I've been playing MMO games for as long as the genre has existed, and with all due respect to everyone in the "I got hacked" thread, I've never ever been fucking hacked because I know how to handle my shit. I'm not going out of my way to buy one of their "Godfuckingdammit we're never gonna get these kids to quit clicking on sex leg forum posts" keychains.

words



Wow, I haven't seen anyone pull an "I know more than you!  Tremble at my apparent knowledge and vocabulary" post of this scale in a while.

Whatever, guy. I'm really sorry that explaining to some internet nobody why opening their big mouths really, really wide about how "they know their shit" is wrong hurt their (and apparently your) feelings. I have no interest in getting in some personal Vendetta because of that though, so enjoy your safe Interwebs.
WindupAtheist
Army of One
Posts: 7028

Badicalthon


Reply #57 on: January 09, 2010, 02:13:45 AM

Listen chuckles, it's not our fault you're a smug know-it-all fuck who had to open his fat cakehole and tell everyone a bunch of shit everyone knows like you're Mister Fucking Serious Internet giving a clue to the newbies. This is a thread about MMO account security and the threats thereto. Reminding us that actual hackers exist, the kind with better things to do than steal random WoW accounts one at a time, was a huge "Well fucking duh!" moment.

I will now grace you with a simile in regards to the conversation thus far.

WUA: "Man did you see that guy on the news last week who got home invaded? Man that shit isn't going to happen to me. I take fucking precautions."

You: "Well if Al Qaeda decides to blow up your personal house, your little precautions won't matter. Those guys have bombs, trucks they put bombs in, and some of them don't even care if they die. Also, if the Russians decide to launch their nukes then you're totally fucked. Sorry to shake your safe little world, newbie."

WUA: "Huh? I have three dogs, a security guard, and a gun under my pillow. You know, so I don't get home invaded. Like we were talking about. What's all this shit about terrorists and nukes?"

You: "WAAA *BUTTHURT*"

In conclusion, you may feast upon my succulent ballsack. I bid you good day.

"You're just a dick who quotes himself in his sig."  --  Schild
"Yeah, it's pretty awesome."  --  Me
Kageh
Terracotta Army
Posts: 359


Reply #58 on: January 09, 2010, 03:13:43 AM

Oh, my.

You are entertaining, both with your understanding of knowing your shit since you use Adblock and never get hacked, and with your righteous rage.

Enlighten me please, do you suffer from a compulsive pathological dysfunction requiring you to have some sort of internet funny last word ridiculing people, or is there more to your drivel? Did I touch you in bad places by not being instantly intimidated by your attitude of actually not knowing your shit, yet claiming that you obviously do, again, Adblock and legt and you?

I don't give a shit about you, dude. However, that doesn't mean I enjoy being randomly insulted in public by you either so I might take the couple minutes to respond and try to show you how much of an ass you actually are. Not that it will do me much good, most likely.
WindupAtheist
Army of One
Posts: 7028

Badicalthon


Reply #59 on: January 09, 2010, 03:42:51 AM

Oh, my.

You are entertaining, both with your understanding of knowing your shit since you use Adblock and never get hacked, and with your righteous rage.

Au contraire, Senor Fucknut. I said I know how to handle my shit, the shit in question being an MMO account and the handling being the effort to keep it out of the grubby mitts of the bottom-feeding Chinese gold farmers whom we all know prefer to mass-harvest low-hanging fruit. You know, the ones we're TALKING ABOUT. How to defend against every possible internet security risk that could ever possibly exist wasn't anywhere on the table, except in your ever-so-pedantic "DUR GUYS DID YOU KNOW THEY CAN PUT SCRIPTS IN ADS?" mind.

Quote
Enlighten me please, do you suffer from a compulsive pathological dysfunction requiring you to have some sort of internet funny last word ridiculing people

Yes. Fuck you.

Quote
, or is there more to your drivel? Did I touch you in bad places by not being instantly intimidated by your attitude of actually not knowing your shit, yet claiming that you obviously do, again, Adblock and legt and you?

No, you touched me where I poop from with seven paragraphs of stupid shit like "Someone once gave the Valve guy a custom trojan!" as if that were the least bit germane to the conversation at hand. One of my old UO guildmates wrote his own keylogger and used to get on people's accounts and move all their shit around without taking it just to fuck with their heads. You're not telling us anything.

Quote
I don't give a shit about you, dude. However, that doesn't mean I enjoy being randomly insulted in public by you either

Boy are you in the wrong place!

Quote
so I might take the couple minutes to respond and try to show you how much of an ass you actually are. Not that it will do me much good, most likely.

Better than you have tried and failed!  why so serious?

"You're just a dick who quotes himself in his sig."  --  Schild
"Yeah, it's pretty awesome."  --  Me
Rasix
Moderator
Posts: 15024

I am the harbinger of your doom!


Reply #60 on: January 09, 2010, 05:32:18 AM

 Ohhhhh, I see.

We have a name for what you just did.  Never again.

-Rasix
Kageh
Terracotta Army
Posts: 359


Reply #61 on: January 09, 2010, 06:15:29 AM


Blah.


I'll try to explain this slowly, so bear with me.

I know you enjoy the sound of your own voice. Or the sight of your own typing, or whatever. I am not trying to educate you of anything. I'm trying to tell you that you don't know your shit, and it has nothing to do with your UO buddy writing his own keylogger (man, ain't that a story to tell to your grand-children when you are old!) which wouldn't have hit anyone even half-knowing their shit.

I really tried to follow your original post, and I tried to explain why you knowing your shit is no defense against you not getting "hacked", and also not some sort of general remedy compared to the increase in WoW account security that upgrading two-factor authentication to a three-factor thing with an RSA token would bring, for a mere $6 expenditure - or even free by Blizzard, who knows?

The point is not that Al-Qaeda is attacking you in your remote corner of the world while you are salivating to purple pixels. The point is that there is more to computer security, including WoW accounts, than you obviously understand. I won't go into details why your "gibberish" mail address is probably not gibberish at all and can be found out by scripts harvesting mail domains for valid addresses, so one of your factors probably is already compromised. It might just not be linked to an active bnet account.

You started the thread claiming that not clicking on porn links while playing WoW is what keeps the world safe. And about how computer savvy you are. Or whatever. I tried to point a few things out to you, to help you understand why you obviously aren't. Which does not equal the world's cyber criminal elite being after you, by far not.

All that comes back is random flaming, intermingled with profanity and a few other anecdotical evidences of the quality of you knowing someone who knows how to write a keylogger from a computer game (w00t, chest bump!). Might have taken you a couple minutes more to write some sort of civilized reply, might even have been worth it. Instead, we're getting me being evil for having tried to scare you poor kid when instead you've seen the equivalent of WWII of cyber crime. Woe is me for telling you stuff you already know that good!

Try again, with reduced swearing density, and there might be some discussion. Or not, your choice.
El Gallo
Terracotta Army
Posts: 2213


Reply #62 on: January 09, 2010, 06:38:46 AM

A password that I have memorized and can type in about one second with perfect accuracy?  Sure, that's ok.  Having to fiddle with a little gadget, read a code and then type it in?  Nah, don't think so.


Alright, if you're seriously having that big a problem with looking at a 6 digit number and typing it in, I really guess there is no reasoning with you.

It is a pain in the ass. No chance I'm dragging that thing on my actual keychain. That means I'm never going to be able to play WoW on any other computer again unless I remember to bring the thing with me, and every time there's the chance to get it lost. Also, looking up some random code on a dongle to type in is annoying as fuck when WoW decides to kick me off the server every 3 minutes just for fun. And I have to do the same thing when switching accounts, because there's no way to switch between WoW accounts in the same Battlenet account without logging all the way out of WoW. That is a massive pain in the ass when I am swapping shit through alts for tradeskill purposes (i.e. auction mule on A buys blue gem, alchemist on account B transmutes it to an epic, jewelcrafter on A cuts it) or when moving shit between alliance and horde for auction purposes. That's a lot of fucking with the dongle and typing kljd7e 9s0n32 and jjiwu7. Or leaving both accounts up all the time and taking the performance hit, until you forget to alt tab to the other for 10 mins and it gets autokicked.

Is it the end of the world? No.  Is it going to make me quit? No.  Is it a pain in the ass? Yes.

This post makes me want to squeeze into my badass red jeans.
bhodi
Moderator
Posts: 6817

No lie.


Reply #63 on: January 09, 2010, 06:52:30 AM

Boy, this is a lot of text to summarize what is in effect an economics problem, not a security one.

Is the cost of authenticators, distribution of them, and new authenticator customer support < the cost of customer support on account hacking issues and revenue lost due to frustrated/non-compliant customers?

Jayce
Terracotta Army
Posts: 2647

Diluted Fool


Reply #64 on: January 09, 2010, 07:49:58 AM

Is the cost of authenticators, distribution of them, and new authenticator customer support < the cost of customer support on account hacking issues and revenue lost due to frustrated/non-compliant customers?

Apparently. I think (without any evidence whatsoever, just my guess) that the sea change we're seeing is the emergence of account hacking into the realm of script kiddies coupled with the blooming awareness that Blizzard has a total-restoration policy. The kiddies see it as a victimless crime and so have no compunction about it, and apparently learning to phish is easier than learning to fish nowadays (couldn't resist).

Witty banter not included.
Numtini
Terracotta Army
Posts: 7675


Reply #65 on: January 09, 2010, 11:34:23 AM

I suspect you are seeing a higher percentage of compromised accounts than other games because the sheer number of players makes it more economical to work out ways to steal accounts in sophisticated ways.

As to the authenticator itself, I've had one for a long time, it's no trouble at all, and it's a great idea.

I don't get all that college compromise stuff. Someone's going to log into my account while I'm in the bathroom and strip all my characters? That's daft. The token expires very quickly.

If you can read this, you're on a board populated by misogynist assholes.
Trouble
Terracotta Army
Posts: 689


Reply #66 on: January 09, 2010, 11:47:28 AM

Flash is the primary attack vector for MMO keylogger/trojans these days. I got my account compromised a couple years ago. I used Firefox with NoScript and AdBlock. The problem with this is I tend to disable it on sites that I trust that also function much better with NoScript disabled. So what happens is occasionally a compromised flash ad will get through their filters and be served up to hundreds of thousands of visitors. The bigger problem is with Flash itself. There have been multiple occasions of unpatched exploits in the wild in the last few years that went for days or weeks without fixes. More than that, Flash doesn't automatically update and it doesn't tell you when there's a new version or a critical fix. Unless you're constantly checking Flash vulnerability news then you may miss an important update and suddenly find yourself vulnerable, despite taking nearly every precaution available. Unless you refuse to ever enable Flash/Scripts on any site then you are never fully protected and anyone who claims otherwise is talking out their ass. Two factor authentication is the only nearly foolproof security method in this case. I guarantee that if authenticators were required then 95-99% of account compromises would disappear.

I think a viable compromise would be that you can opt out of having an authenticator, but this also requires you opting out of any form of restoration services from Blizzard, or that you be required to pay for restoration. You make your own bed. My assumption is that Blizzard would be eating the cost of authenticators and giving them out for free.
« Last Edit: January 09, 2010, 11:52:16 AM by Trouble »
Kail
Terracotta Army
Posts: 2858


Reply #67 on: January 09, 2010, 11:57:41 AM

I think a viable compromise would be that you can opt out of having an authenticator, but this also requires you opting out of any form of restoration services from Blizzard, or that you be required to pay for restoration. You make your own bed. My assumption is that Blizzard would be eating the cost of authenticators and giving them out for free.

I don't know that you'd even have to go that far.  Make them free, and I'd grab one myself.  Throw in that pet core hound or whatever the incentive is for adding one to your account now, and you'd have people lining up (and people pissed off that they bought one for twenty bucks a week ago, but whatever).
Jayce
Terracotta Army
Posts: 2647

Diluted Fool


Reply #68 on: January 09, 2010, 01:08:25 PM

I don't know that you'd even have to go that far.  Make them free, and I'd grab one myself.  Throw in that pet core hound or whatever the incentive is for adding one to your account now, and you'd have people lining up (and people pissed off that they bought one for twenty bucks a week ago, but whatever).

I think they are more like $7.  Also they're free if you have a smartphone (list here (it says ringtone and wallpaper but I followed the link from the authenticator FAQ so I guess copy/paste error?))

Witty banter not included.
WindupAtheist
Army of One
Posts: 7028

Badicalthon


Reply #69 on: January 09, 2010, 04:52:31 PM

All that comes back is random flaming, intermingled with profanity and a few other anecdotical evidences of the quality of you knowing someone who knows how to write a keylogger from a computer game (w00t, chest bump!).

You dipshit, the point of that reference to my UO friend is precisely that it's not special or particularly interesting. I know that being a pedantic wannabe know-it-all fuck who posts mundane bullshit hoping to impress rubes means you think everyone else is the same way, but sadly for you such is not the case.

You blundered in here and saw someone say they knew how to handle shit when it came to protecting a WoW account from keylogging Chinese gold farmers, decided to show off your imaginary geek-cred by imparting a bunch of common knowledge "Did you know they can put scripts in advertisements?" bullshit, then got butthurt when the response was "Of course, dumbass, who are you trying to impress?"

You are not interesting. You have not posted a single piece of information in this thread that was enlightening to anyone in any way. Go fuck yourself.

Ohhhhh, I see.

We have a name for what you just did.  Never again.

In my defense, I wasn't trying to splinter a debate into a million hopeless tangents, I was just inserting random one-liners.

Flash is the primary attack vector for MMO keylogger/trojans these days. I got my account compromised a couple years ago. I used Firefox with NoScript and AdBlock. The problem with this is I tend to disable it on sites that I trust that also function much better with NoScript disabled.

Yeah, I picked up something a while back when I disabled NoScript somewhere I really ought not to have. I don't really know it was a WoW keylogger since one of my programs squawked and I set about making sure it was gone before I did anything else, but I can only assume it was. I don't really keep up on Flash vulnerability, I just run Flashblock and only enable a few things. Youtube yes, third-party WoW sites no. I haven't seen a Flash ad in years, which is nice in itself. It was those annoying punch-the-monkey ads that made me start blocking it.
« Last Edit: January 09, 2010, 04:54:24 PM by WindupAtheist »

"You're just a dick who quotes himself in his sig."  --  Schild
"Yeah, it's pretty awesome."  --  Me