Tobold's Blog
Thursday, June 24, 2010
 
RealID, privacy, and account security

When Blizzard switched World of Warcraft from using freely chosen account names to using Battle.net e-mail addresses, I was worried that this could compromise account security. Before that change, somebody who wanted to hack my account would have had to guess both my account name and my password. But if I had used Tobold@Gmail.com as Battle.net account name, everybody could have easily guessed that part, and would only have to guess my password to hack me. Thus I used a different e-mail address, one I got from my ISP, which I rarely use for anything else. Account security problem solved.

Now Blizzard introduces RealID, and if I wanted to use it, I would have to reveal that non-public e-mail address to friends, from which it would spread to guild mates, their friends, and ultimately to who knows where. And I'd be back with that account security problem: You can't use RealID without revealing your Battle.net account name, which is half of the information needed to hack you.

Of course you can add another layer of protection to your account by adding an authenticator (I did), but those have been reported to not provide 100% security either. And besides the security concerns, there are the obvious privacy concerns, like me not wanting to publish an e-mail address other than Tobold@GMail.com to be linked with games. Even my Facebook account is using that "fake" identity, because Facebook is the prime example of how you can think you are talking to your "friends" and end up publishing too private information to everybody, including potential employers.

I get "Cataclysm beta invite" and "WoW account banning notification" phishing mails in my blog e-mail every day, and know that they aren't real because that blog e-mail is not the one I told Blizzard about. Our guild bank has been hacked in the past several times, so now only a few people have access to it (which renders it a lot less useful). I am not at all confident that if I reveal my RealID even to real friends, that ID isn't going to leak out, for example through a friend of a friend's account getting hacked, and my real e-mail ending up on the list of potential targets of some professional WoW hacker, or at least on their spam mailing list, making their phishing mails look more real because they have better information about me.

So for reasons of both privacy and account security, I'm opting out of Blizzard's RealID system. The very concept of RealID, which is basically to link your real identity to your virtual identity more visibly, is not a good idea in my opinion.
Comments:
Friends of Friends can only see your name. They can't see your email address/battle.net ID. So the only way your email address can spread is if someone you've told it to actually tells it to someone else. And as far as I can tell, you can't even see your friends' battle.net IDs once you've added them, so if you get hacked, malcontents still won't get useful information. Off the top of my head, I can't remember if the friends list in Starcraft II shows email addresses, but I don't think it does.

Sure, don't use RealID with people you don't know and trust, but the system doesn't make it easier for others to hack your account if you do use it.
 
if you don't trust them to give your email to them, you can always ask them to give you their email address and link that way.

WOW doesn't store the email address and it is not displayed after you link.

Before you jump on the "I'm not going to try it" boat - check it out first with a trusted friend.

For me, Real-ID works great for immediate relatives & colleagues. The type of people that I can actually go wack them on the head physically, and won't give away my email to someone else without asking me first.

Now I "un-friend" the 10 alts that my relatives have, and just keep 2 real-id. And it lets me maintain conversation as I switch alts and jump factions and even servers.

Check it out first. Don't "give away" your email to everybody. Then tell us what you think.
 
This comment has been removed by a blog administrator.
 
I definitely thought they were a bit harsh and over analytical towards you in that previous entry AndruX, but come on, that’s just kinda bitchy. I mean, what should we care what you think about his blog that we optionally choose to visit? It’s not like there’s much to talk about now, so he may as well give his opinion about a brand new feature on a blog that is specifically his.

On Real ID, I love it and I think you’re being a little paranoid about the risks, Tobold. As far as I know, you can’t see your Real ID friend’s email or battle.net account name besides when you first become friends. I guess I don’t really understand your point, since your email shouldn’t spread to others after you give it to a friend that you should already trust in the first place.
 
My problem with RealID is that I was hoping it would be a layer I could use with my online friends. I have 4 real friends that play WoW with, and at no point would the RealID help with playing with them. Instead, it would have been nice with guildmates and good pugging buddies, especially since I knew I'd be playing Diablo 3 a lot when it came out and not always be on WoW.

But with the way it is now, I can just keep up with my friends on Facebook. Why would I even bother with it on RealID? If I'm playing and they're playing, we already know. They are the people as johnliu said, that I can just walk up to and smack on the head.

I mean, for the most part, I could just turn to my wife and say, "Hey, come over to Orgrimmar and trade me that." (she is a mage so its okay). No, what I was originally expecting from RealID and what it is, is two different things.

The thing that bothers me the most is the using of e-mail though. It is exactly like giving your log in to someone else. Why not just make a 3rd layer, like it is in Champions online.

They could have your Display name, your login name (or email address etc), and then your character names etc. Because even though I'm @Pangoria in CO, that is not my log in, and so I can easily and safely share the info with online acquaintances.
 
Umm.

Serious misconceptions, you are having.

Read the FAQ, you must.

http://us.battle.net/realid/faq.html
 
This comment has been removed by a blog administrator.
 
yeah because players won't use it in ways that blizzard never intended. Like they did with the armoury.

It won't become the defacto necessary action to make your guildies or at least all the officers your friend so they can ping you anywhere anytime you are online to keep raids going?

This'll be the most abused feature they've introduced yet. Still more evidence that blizzard needs to hire some Psycholists to help them figure out what people will really do with thier "cool" ideas.
 
AndruX is herewith banned from this blog. I don't need a resident bitchy troll on this blog, who contributes absolutely nothing, and only writes one-liners complaining about the content of the blog.
 
Personally, I would NEVER use this. Reason being, I've completely lost any faith in Blizzard handling my personal information, other than what's necessary to register a game.

I'm currently having an issue with my iPhone Authenticator. I've upgraded, and had to re-install the Authenticator program, and long story short, can no longer access the Authenticator previously associated with my account, therefore, I can't access my account.

Blizzards solution? Call a number that for the past 24 hours (at least 10 calls per hour, sometimes up to 30 calls) I've received a recording saying they are overloaded with calls, and therefore can't take my call or put me on hold. I've emailed, and even faxed a sheet to them, but still with no reply.

So I'm following their instructions to a "T" just to be able to access my account at the very basest of levels, yet I can't even find a representative to give me the time of day aside from recordings or standard form-reply emails.

Yeah, I'm not even going to think about giving my RealID out. I have zero faith in these guys to handle my information out in the public.
 
"Your Battle.net account name (your email address) is not displayed to other players through the Real ID friends list."

From the FAQ.

Tobold?
 
"Your Battle.net account name (your email address) is not displayed to other players through the Real ID friends list."

Don't you have to hand out your Battle.net account name to your friends so that they can hook up your RealID with you? And what name DOES the RealID display? Probably not "Tobold" in my case, which is what I would want it to be.
 
From the FAQ, i'm guessing that, yeah, you'll be able to see the real name. I was thinking in something like Windows Messenger where you can adopt a nickname, as you suggest.

But as for the security, it stays the same, i think.
 
@Tobold

Worse:- it displays your Real name thats associated with your account within your Billing/Accounts information.
 
@LS: That information right there is exactly what I don't want it to display. Bad enough I ganked my boss's rogue when he was trying to level in Wetlands for 3 hours.
 
Sigh...

people watch too much TV.

Make sure you dont click on links that are obviously phishing.

Make sure you have a strong password. At least 8 characters, upper lower case and a few special in there.

use the Authenticator and your fine.
 
You are soooo 2000. We have 2010 now ;)

Joking apart, you can make your account very secure by using a very long and secure password.

Other than that it is a philosophical problem. If you just don't want to join your virtual and real identity, real id isn't for you.

I started some 10 years ago to merge my identities. Has been very useful so far and to those future employers who wouldn't employ me due to some private taste I can only say: I wouldn't want to work for you, either.
 
I wouldn't mind trying this out on someone that I can actually reach out and strangle if I have to, problem is I don't have anyone I know well enough in wow to do that.

I wonder why.
 
Count me in the number of people who are unwilling to go along with this.

However it seems to me you don't actually need to friend anyone to play WoW. You have your guild, you have pugs, you can if you want to note down good players write their names on a pad you keep by the computer or alt tab to wordpad.

I'm more concerned about the trend. A generation of gamers trained to give out their real IDs over the net. Get into this lazy and unsafe habit and sooner or later you'll give your details out somewhere you really wish you hadn't.

I'm just glad I'm not female. Also, wonder how many people will cybersquat celebrities. Having a Real ID of Brad Pitt or Megan Fox should get you a lot of attention!
 
The part of RealID that is the hardest to swallow, is the "Friend of a Friend" functionality.

I have a very distinct name, I don't think there are many people out there with similar names.

If I trust somebody, and join them in RealID. Then I have to trust not only that they, but everyone they have connected with, is trustworthy enough and not a complete psycho.

I'm had at least one bad experience with somebody in game who was very threatening. I don't mean he said he was going to spam trade and tell everyone I was terrible. I mean really threaten. Blizzard handles that just fine, but if that person had my real name instead of an avatar... he might have just showed up instead.

I dislike giving real information to people who only know me in a game context. and even if the people I give my RealID to are real life friends, I have no guarantee that they will do the same.

This is a very strange road that blizzard is going down. I can't see why I can't use a pseudonym for my name, and why I need to even use the email address on my account to link. They know what account I am. They know who the other account is. If we want to be connected, just connect us.
 
For the majority, this will just be good to share with real life friends, room-mates, relatives - I only have my wife as a RealID contact. It is very good for that.

I do however dread that upcoming hardcore raid guilds will insist upon RealID friendship to join as a raider - they wouldn't want you off on another server alt, or Starcraft 2 when you're supposed to be raiding! Big brother is watching you...
 
Tobold, just to clarify, you said you're "opting out of Blizzard's RealID system" but you're not. That is to say you're not "opting out" because that's not actually an option available to you.

When you add someone as a Friend in WoW you can choose to add only that character as opposed to adding the Player using their RealID, but you cannot Opt Out of RealID.

You can use RealID, or not use it, that's your prerogative; You cannot Opt Out of it.
 
I won't use it either. My real first and last name, visible to all my friends' friends? That's just not ok for most grown-ups.
If they used a nick, that would be better.

Even then, it would still leave new options for hackers that haven't existed before.

Plus, if you look at the history of facebook data protection violations, that's what we're going to see with the RealID system.
 
@ Eugene, upper & lower case letters are great for normal password, but Blizzard don't care about them so don't waste your time using them in your WoW password.

Seriously. If you have both upper and lower case letters in your BNet/WoW password try logging into WoW using nothing but lower case letters. Or hit Caps Lock before typing in your password. You'll still get in. Unless they changed something in the latest patch I guarantee you'll get in.

I used to use both upper and lower case letters in my WoW password until the day I logged in and greeted my only online Guildy with: hI bOB (not his real name)

That was when I realized I'd just entered my password with Caps Lock ON.
 
@the Capn

lol..who knew? (after i checked the forums for verification)

oh well, my special characters and authenticator will make it more then secure.
 
This was going to be a post titled "Stop complaining, old people"

I get it, the [current youth generation age range] is destroying privacy and society. It's true! But don't pretend it's something special about them. Kids are stupid. It's just a scientific fact.

You were a stupid kid. You talked about stupid stuff. You had stupid friends. The big difference is that you didn't have a thousand stupid ways to spread your stupid and ruin your own privacy.

Also something about how the parents and schools are bad now, which I'm pretty sure is in your hands.
 
My friends will give me crap if they know I'm playing an alliance alt. I don't care if friends know my real name, its the virtual acquaintances in WoW that I don't want them to know.

So, RealID won't be used by me.

If they change it to a nickname and allow me to "Show offline" mode then I'll use it.
 
Isn't it just as easy to play in windowed mode and just have messenger/AIm etc open if you really need to talk to people playing other games or on other servers. My daughter will be playing wow and have multiple converstations going. It's quite amazing to watch.
 
I just opted out of RealID system on WoW. I setup Parental Controls on my account an unchecked the "Use RealID" feature.

RealID is no longer functioning.
 
"AndruX is herewith banned from this blog. I don't need a resident bitchy troll on this blog, who contributes absolutely nothing, and only writes one-liners complaining about the content of the blog."

Because I've made some impolite and supposedly aggressive remarks yesterday? Why haven't you banned me just then? Why wait one day and in another post?
 
I think it's worth trying before you just turn it off. As others said, your email address isn't shared with friends of friends, just the people you give it to. As someone suggested, if you're really paranoid have them send you their emails and add them that way. Privacy on the internet is pretty much a fiction anyway.
 
If I remember correctly on the "invite" list, you can invite someone either by their email address or a character name, though the latter would presumably only work if you had characters on the same server.
 
Because I've made some impolite and supposedly aggressive remarks yesterday? Why haven't you banned me just then? Why wait one day and in another post?

No. Yesterday, while not optimally formulated, you posed an actual question, which was valid, and contributed to the discussion.

Today you just wrote one-liners bitching about my blog, not being about the subject of the post at all, and not contributing anything to the discussion. In short, you were trolling.
 
Wow, lots o paranoid people in this entry. If I hadn’t already known my friends’ emails, I’d have no idea what they were because it didn’t display it when I got an invitation. I don’t see the big deal if a friend of a friend can see my real name, I mean what are they really going to do with it? Nobody’s gonna hack into your SUV because they know your real name.

And I really doubt this system will be abused. Certain mechanics that pertain to player statistics will always be abused, but not a private social function like this. There is a line drawn, your guild officers do know that not everyone wants to get too involved in their private lives. That’s why you’re never forced to join the guild on Steam.

The only legitimate complaint I’ve seen is from Dink. If you do have some aggravating friends they might pester you for playing a certain way, and you’d probably want some time just to yourself. I personally have a couple real life friends on different servers, and while we could use Steam or AIM to talk, using Real ID is just a slightly more convenient form of communication because you don’t have to leave the window.
 
If the name displayed by RealID is as simple as a lookup to the FirstName and LastName fields stored in the accounts database...

...I may have to investigate changing my account information and have some fun with this.

Who wants to play with Mike Littoris?

(Yes, it's juvenile - but makes the point)
 
I hate that real names are used in this new system, my real life friends I'm fine with having my name since they already know it but I'd rather have a display name for people I like from wow but haven't met in real life.
 
Wow, lots o paranoid people in this entry.

Just because you are paranoid doesn't mean that people AREN'T out to get you.

The nut of it is that it's not paranoia to want to have control over what people know about you on the internet.

If your name is even remotely unique, pretty much anything and everything you do pops up in Google.

As I wrote on my blog yesterday, one of the top results on my real name is a reference to a guide I once wrote on creating WC3 maps. (A guide that I never published under my real name).

Likewise, other Google entries show my name associated to a list server for MTG that I used 15+ years ago.
 
The only legitimate complaint I’ve seen is from Dink.

How long do you think before we read about some article where some girl gets stalked? Or some kid gets his ass kicked in REAL LIFE because of something he did in-game?
 
Paranoid? Are you kidding?

If I can see your real name, there's a good chance I can find your address, both real and online.

Do you really want some guy on your friend's friend list to know your real name? I sure the hell wouldn't.

Blizzard would be wise to make it show a nickname by default instead.
 
I said "paranoid" because there seems to be serious overreactions and misunderstandings. I only plan on using Real ID for real life friends, but some people are assuming that they're gonna need it for more than that.

I get that you don’t wanna divulge information to just anyone, but Real ID only shows your real name to friends of friends. Even Facebook does more than that, and everyone uses Facebook (except me, I’m a rebel). Yeah your name can bring up a lot of weird stuff on Google, but what exactly does that have to do with Blizzard’s new cross server/game chatting function for real life friends? Anyone can get your name from somewhere and Google it.

If a crime goes down because a friend of a friend got your real name, there are some issues and irrelevancies with that. This isn’t the wide open internet where everyone is a suspect, I’ve got a total of six friends of friends on WoW, all of them already know my name and I know theirs (at least enough that I could look them up on Facebook) without needing Real ID. Sure, I guess one could get mad at me for doing something AWFUL to them in WoW, but if someone does get beaten up because of WoW then that’s an issue concerning friends, I wouldn’t go blaming Blizzard.

I honestly don’t think we’ll be seeing any articles about crimes being committed because Real ID lets you see a few people’s names. Names that you already knew anyway.
 
@ Dink, thank you. It's good to know we can actually Opt Out, although I find it odd (& offensive) that we have to do that from outside the game using the Parental Controls.

It's almost as if Blizzard are implying that the only reason you may want to Opt Out of using RealID is if you're a younger player, and thus any reason an adult might not want to use it is irrelevant.

Yes, yes, I know we can just choose to not use RealID, but when I go to add someone as a Friend and the new window pops up asking me to select Friend or RealID, frankly, I'd rather not even have to make that choice.

Still, at least it's not like Wizard101 where people could constantly spam you with Friend Requests.

"Adam Thunderpants wants to be your Friend. Accept?
No. Click.
"Adam Thunderpants wants to be your Friend. Accept?
No. Click.
"Adam Thunderpants wants to be your Friend. Accept?
No! Click.
"Adam Thunderpants wants to be your Friend. Accept?
NO!!! Click.
Turn, find Luke. Right-click to Ignore and...too slow.
"Adam Thunderpants wants to be your Friend. Accept?
 
Apparently you deleted posts from my new and improved doppleganger... He made some dumbass comment over on Gevlon's latest blogpost too.

Not that I really think it's a big deal to be banned from your blog, but as common as this has been recently, you might want to check into it a tiny bit before banning "me".

For the record, I wasn't trying to troll on the other thread, my biggest concern was that given the lack of general "discussion" that goes on in these threads, I tried to get all my points out at once, and it was apparently taken all wrong.
 
Back many years when I was playing Star Wars Galaxies I was part of a very large rebel guild that had our own player city. An opposing empire player managed to infiltrate the guild and obtain officer status and subsequently destroyed half the city before he was stopped. Some of our guild members were able to find out his real name, tracking him down (somewhere in northern california) and roughed him up with baseball bats. I was very ashamed that this was done but it goes to show you what people can do once they find out your real name online.

I probably won't be using the realID system in WoW as I quite like people not knowing what I'm doing all of the time while I'm playing. Sometimes I like to log onto an unguilded alt and just solo play, not wanting to be bothered by people that want me to raid or do heroics.
 
An issue will be guilds kicking people because they are hiding on an alt when the raid leader expects them to raid.
 
How about Blizzard add another system called friendID.
What are the features of friendID you ask? Well they are the exact same features as realID but instead of using real names you create a single gamer tag and instead of exchanging emails you simply send a request to one of their characters and then the server takes care of the rest (still connecting their battlenet account but not revealing the info).

I wonder what would get more use, realID or friendID?
 
Thanks for bringing this to my attention and, for the record, you have misnamed RealID in the headline of the entry.
 
Food for thought, alot of female players play as male characters - and vice versa. They may feel pressure to become 'real ID' buddies with in game friends, thus revealing their real name and gender bending ways.

I support anyones rights to keep their real life and in game personas seperate - after all, isn't the point of it fantasy, to get away from the real world a bit?

I like the technology of RealID, but not the implementation :(
 
Apparently you deleted posts from my new and improved doppleganger... He made some dumbass comment over on Gevlon's latest blogpost too.

Not that I really think it's a big deal to be banned from your blog, but as common as this has been recently, you might want to check into it a tiny bit before banning "me".


Identity is relative on the internet. Of course I banned the AndruX who made the dumbass remarks, not "you". If I ban somebody using name "AndruX", how other than as "AndruX" am I supposed to address him? That is independant from all other possible "AndruX" that might exist on the internet. Especially since you can't ban names on blogger, but only delete comments, and you'll notice that yours haven't been deleted.
 
Am I the only one finding it amusing that we're confronted with a real ID problem (fake AndruX) in a discussion about RealID? :)

I agree wholeheartedly with Hobonicus, by the way. It seems that some of you are saying that you won't be using this feature because you'd like another one.

If you'd really like using this feature with guildies and online acquaintances, then why not change your name to To Bold in the "name" field of your Battle.net account and temporarily change your login email to tobold@gmail.com while adding your friends. Subsequently changing it back shouldn't change anything, and your contacts won't have any idea what your "real" login email address is. I fully agree it's far from convenient, but shoehorning your own feature into somebody else's rarely is.

Of course, I don't have any Real Friends™, so for me this won't be much help! I was thinking about adding my wife, but I realised that we're already using the RealVoice™ communication system. That stuff is wicked, even works offline.
 
When you log into to battle.net you'll find that you can't change your real name. It's greyed out. Thus the anger over Blizzard's tactics.

There are also reports of a guild leader revealing a 16 year old girls real name in trade chat. Soon google results of her address and home phone show up in trade chat. Harrasement ensues, death threats, now the father is looking to file suit. Good job Blizzard.
 
Indeed you're right Dink – I just saw the "edit contact info" button and figured it would work (is it possible to have Blizzard change the name?). That makes it even more awkward to circumvent the system – Tobold would have to register a new account with his virtual name instead of his real one. Expensive, too, transferring all those toons!

But surely, though, the whole outing of names stuff is nothing new? It would appear that the whole 16-year-old-girl demographic is particularly susceptible to this, but perhaps its just that those are the stories that garner the most attention.
 
I wouldn't trust Blizzard's security either.

After not having logged into my account for over a year, and never followed any of the links I kept getting in my spam folder, my account still got hacked.

First I found out about it, was when I got a mail from Blizzard, telling me that my inventory had been restored. Huh? It would seem that they had sent me other messages, but that these got eaten by my spamfilter. How is one to tell the difference these days?

Irony is that I'd always figured that people who got their accounts hacked had to have done something more than share their email adress. Now I know better.

Only a handful of people ever knew my email, and those were people I trusted. How it got out, remains a mystery.

So, I'd be paranoid too ...
 
Post a Comment

Links to this post:

Create a Link



<< Home
Newer›  ‹Older

  Powered by Blogger   Free Page Rank Tool