Tobold's Blog
Monday, October 12, 2009
Blizzard sabotages WoW account security

Currently you can't possibly know my World of Warcraft account name (Hint: It is *not* Tobold). The WoW account name is something that doesn't appear anywhere in your public information, and so to hack somebody's account you would need to guess *both* his account name and his password. As this is tedious for hackers, Blizzard decided to help them out: Your WoW account name will become invalid on November 12th. You will be forced to merge your WoW account into a Battle.net account. And that account name, wait for it, will be your e-mail address. I don't know about you, but there are a *lot* of people who have my e-mail address. It is a lot easier to get hold of somebody's e-mail address than to find out his secret WoW account name. Thus in future hackers will only need to guess passwords, a massive decline in account security. I'm pretty sure Blizzard will regret that soon, and then force us all to use authenticators.

If you are worried about account security, I'd recommend creating a new e-mail account on one of the many free webmail services. Don't tell anyone that e-mail address and use it exclusively to create a Battle.net account to merge your World of Warcraft account with. That's what I will do.

Even if Blizzard hands out penguin pets as reward for merging, I don't think the enforced Battle.net account is a good idea. Apart from the danger to account security, there will certainly be hundreds of thousands of players, if not millions, who'll fail to notice that they have to merge their accounts, and who'll find themselves locked out on November 12th. Then they'll all bombard Blizzard customer service with "Waaaaagh! My WoW account isn't working any more!" complaints. And then they'll all try to get a Battle.net account on the same day, which with an 87.3% probability will happen to crash on November 12th.

If you happen to be an employee of Blizzard's customer service, may I recommend taking holiday on the week of November 12th? It'll be hell at work!
And that's what happened to me. I merged with battlenet not realizing my battlenet password was one that I used along with that email to register in other WoW related webpages.

I was promptly hacked in a couple of months and bought an authenticator.

Maybe they'll be able to recoup the PR losses from this move by the rise in interest in authenticators.
I am already over to battlenet authentication as that is needed for the iPhone authenticator client.
Overall I like the added security (and I'm on a Mac that doesn't even have any known trojans for stealing WoW passwords).

There is a problem with this however in that there doesn't seem to be a way to remove the authenticator from your account unless you can enter two consecutive numbers from the authenticator. Not much use then if you've lost your phone so you'll have to revert to phoning in if that ever happens.

Even with that knowledge I still think an authenticator is a very good idea. The truly sad thing is that this makes my WoW account more secure than my online banking.
The problem is that the authenticators are sold out and have been for months. Planning at its finest.
I just spent half an hour reading Blizzard EU's information on this change and I still can't follow it.

WoW is the only Blizzard game I've ever played and I only started it in June. Is my account a "Blizzard" account? I've had no email, which apparently I would have done had it been a "Blizzard" account, so I suppose it's a "WoW" account and I'll have to change it to a "" one.

Surely they will send some information to people who need to change? Either via login screens or through email? They can't just switch off what will undoubtedly be hundreds of thousands of accounts without any prior notification, can they?

I can't believe any MMO company thinks even a majority of its subscribers read forums or visit websites for information. The figure generally banded about for regular forum readers is around 10%.

Oh well, I plan on doing nothing yet. If and when they send me specific instructions I will decide what to do then. If I can't play WoW for a few days while it gets sorted out, well, frankly, big deal.
Yeah, looks like Blizzard is trying to make you all buy an authenticator yes or yes :P
Quite possibly the worst mistake Blizzard has ever made or maybe it's a corporate decision?

Probably some Vivendi stooge flexing their muscles and meddling in things they don't understand.

When I did my merging I used my normal email. Then I went "Hm, I have this email posted all over the place." So I made a new one.
Wow, there is a lot of worry in the air. Blizzard has used the Battlenet system for a while for other games and the move is probably to help them from a standpoint of managing resources. That does not lessen the worry I am sure for many of you.

I have had a battlenet account tied to my two WoW accounts since they allowed you to merge WoW and Battlenet accounts. I have never had one issue with this. My wife on the other hand had all sorts of issues with her account. One account was hacked. She never provided her ID or anything personal, but a keylogger doesn't care what you are not doing, only logging every key stroke. I only mention that because you can be very efficient in not providing any information and still get hacked.

She finally switched to a Battlenet account and has not had any issues with logging in. I also imagine that many folks are not going to be as negatively impacted by this as one would imagine. For instance the Mountain Dew Warbot promotion was geared towards getting folks to switch to Battlenet. I do not know if this was regional to the US or if it was available around the world. At any rate it was a promotion geared to have people switch over to the Battlenet accounts.

In regards to the authenticators, we purchased some for our accounts because no matter how hard you try to protect yourself, hackers are always working on new ways to get your information. I could understand the outcry that this was a moneymaking scheme if Blizzard announced this and then presented a new product, but authenticators have been out for at least a year or longer.

I am also somewhat surprised by the reaction of some regarding the cost when they will gladly pay money to switch factions, race, or whatever else happens to become available.
You sir get a gold star for being network security aware. All I get when I try to explain why this is a bad move is blank faces.
I see two reasons why they would want to make this change:

1) In preparation for the next MMO title, they want people to have themselves associated to a B.Net account that can be used for "multiple" games.

2) A lot of players have multiple WoW subscriptions. They want to all of these tied to a single user.

Now IMO, neither of these things is a good enough reason to hassle and inconvenience your user base AND make their account security less secure. That's just plain stupid.

And what about those of us that don't have active accounts at the moment? But plan to return to WoW for the expansion?
I actually have more than one email address. Imagine that! So I picked one that I rarely use and pointed at it. It is at least as secure as my old account name, which I had used on a couple of other games.
Very poor.

Thanks for the tip about creating a dummy e-mail. I'll use that if and when I go back to WoW.
I'm sorry, but I think you're overblowing this. Your post is sensationalist, and should probably be titled "Blizzard sabotages my WoW account security because I told the internet my email address and I don't want to use an authenticator". Authenticators are in stock in both stores, as of a few minutes ago, so there's really no excuse not to get one.

Also, most accounts are compromised through phishing attacks or malware, so it doesn't even matter what your email address is at all. Those that aren't are usually because of account sharing or other situation where someone known to the accountholder gains access. The effort versus return of brute-forcing a password from a single account is so much greater than the effort to set up a phishing attack or malware site that I seriously doubt anyone that doesn't have a personal grudge against you or something would bother.

To an extent, you're a WoW celebrity, and celebrities need extra protection from the crazies. Please buy an authenticator and accept the consequences of the choice you made to be in the public eye.
I already had an authenticator, otherwise I would not have been willing to merge my accounts, because the email as login concept is ridiculous from a security perspective. Good tip to create a 'dummy' email account for those who don't have an authenticator.
You think it would have been simpler if we could have just made an account name, rather than an email address. I was a little surprised it had to be an email address. Associating an account name with an email address is just as easy.
"Blizzard sabotages my WoW account security because I told the internet my email address and I don't want to use an authenticator".

Lots of people don't want to use the authenticator -- including myself. And it has nothing to do with cost and everything to do with needing to have an extra gadget to play a game.

Kuroshiro -- you are basically admitting that this move is forcing people to use the authenticator to keep the WoW account secure.

And no -- he's not overblowing it. The general population uses the same e-mail/password combination for 80% of their internet usage.

And for many people, they subscribe to third party sites (Curse, Guild website, etc) where they use that same e-mail. So it's not just that it is "out there" but that it's likely to be "out there" AND easy to find.

Contrast that to my current account name: which not even my wife or mother would be able to guess.

In any event, I shouldn't be forced to buy an authenticator because Blizzard made my account less secure.
Sounds like a plot to boost Authenticator sales :p

Really though, with as much trouble as Blizzard has with account hacking already (back when I played my former guild leader got hacked and we lost everything) it's hard to imagine them doing such a bonehead move as this.

Hopefully they'll change their mind and allow people to change their account name after registering the e-mail account.
Security by obscurity is *not* security and having a "secret" username is a false sense of security at best. If you want your account secure buy an authenticator.
OK, so you don't want to use an authenticator. Then do not use it.

Just make sure that you follow basic security advice. i.e. keep your antivirus updated and change your password regularly.

Blizzard's move into looks like an integration issue more than "hacker's help".

I had my account for over 4 years, most of that time I did not use an authenticator nor I did regular changes to my password. I was never hacked. Why? because I am security aware. The moment the authenticator came into play I bought one.

Back to my original sentence, you do not have to have an authenticator, just make sure your system is clean and that you change your password consistently.
Hopefully they'll change their mind and allow people to change their account name after registering the e-mail account.

I tried, and while you can't change your account name to something other than an e-mail address, you *can* change it to a new e-mail address. So even if you already made a account, my tip to make an obscure free mail account and use that one will still work.
While I can see the annoyance, I also see that the Authenticator just completely solves this (any many other) problems.

I was more than happy to spend 7$US to solidify the security of something I spent over 360$US a year on (two accounts).

Even with just one account (since launch) ... you're paying less than 1% of your overall investment to have an authenticator.
The authenticator is great if either you only play at home, or you have an iPhone. As I often take my laptop on business trips, and wouldn't want to risk losing the authenticator, and have no iPhone, that solution is less practical for me.

Recent studies on the most hacked e-mail accounts found that many of them had passwords which were either first names, or easy number sequences like "12345678". The threat by keyloggers is overstated, as they can be stopped easily enough with firewalls and anti-virus software. Having an easy to guess username and password is far more likely to compromise account security.
For people with Gmail, here's an idea: use the "+" symbol to make your username something different from your actual email address.

Gmail lets you append something after the account name-portion of the email with the "+" sign to make another email address. Everything still comes to your inbox, but they are sent to different addresses. For example, if your Gmail account was "LeetHaxor", you could have a account like "". All the emails would still show up in your "" inbox.

I'll probably try this just to see if it works (disclaimer: haven't tried it yet), but it's not a bad idea for Gmail users.
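The plus-addressing trick above, worked through as an added example (this code is not from the comment or from Gmail; the address strings are constructed samples). It shows the Gmail semantics the comment describes, two addresses sharing one inbox, and the caveat a defender should keep in mind: the alias only hides the login name from someone who sees the raw string, because the inbox address is recovered by stripping everything after the "+".

```python
def split_plus_address(address):
    """Return (inbox_address, tag) for an address that may use plus-addressing.

    Under Gmail's rules 'LeetHaxor+wow@gmail.com' is delivered to
    'leethaxor@gmail.com'; the part after '+' is only a tag.
    """
    local, sep, domain = address.partition("@")
    if not sep:
        raise ValueError(f"not an e-mail address: {address!r}")
    base, plus, tag = local.partition("+")
    return f"{base.lower()}@{domain.lower()}", (tag if plus else "")


def same_inbox(a, b):
    """True when two addresses deliver to the same mailbox under plus-addressing."""
    return split_plus_address(a)[0] == split_plus_address(b)[0]


def login_name_is_obscured(login_name, public_address):
    """True when the login name differs from the publicly known address as typed
    while still reaching the same inbox. A service that canonicalises addresses
    (strips the tag) before comparing would see the two as the same identity,
    so the obscurity only holds against a raw-string comparison."""
    return (login_name.lower() != public_address.lower()
            and same_inbox(login_name, public_address))


if __name__ == "__main__":
    # Constructed sample addresses.
    public = "LeetHaxor@gmail.com"
    login = "LeetHaxor+wow@gmail.com"
    print(split_plus_address(login))
    print("same inbox:", same_inbox(login, public))
    print("obscured:", login_name_is_obscured(login, public))
```

Note that the tag is recoverable from the login name itself, so a password-reset notice or any other mail sent to the login address still lands in the everyday inbox; the comment's own suggestion only changes which string an attacker has to know, not where reset messages go.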
I agree wholeheartedly that this is a security nightmare and creating a free email account for WOW only is the way to go. My husband wrote Blizzard when this became public pointing out that it was not a standard business practice and violated security protocols but didn't hear anything back. It is a disaster waiting to happen in my opinion.
It is generally a good computer security practice to protect the SECRET password, and not so much the not-secret user or account name.

Yes it is slightly more secure to have the account name also secret, but not by much.

As a practical matter a keylogger will find your password next time you log in. It won't find your account name (assuming you checked off "remember account name") until you fat finger your password and then have to re-enter your account and password. Or until the next time someone else borrows your computer to play and they put their account name in, then next time you put yours in.

I don't know about you, but I fat finger my password about twice a month. So if someone gets a keylogger onto my system I'm sunk in about two weeks.

(which is why I have an authenticator, they were $6 and in stock. They fit on a keychain, so if you can remember your keys you can remember your authenticator...or if you play on a laptop just attach it to your laptop bag. Or you can take your chances, even if you do get hacked you can probably get blizz to restore most of your stuff and it might not take too many days, it isn't like you are losing your bank balance)

So your advice to get another email address to use for your account isn't that hot. It won't hurt (unless you never check that account and important Blizz mail goes there...or if you use your WoW password for it, and they get hacked and someone has the bright idea to check WoW accounts...). It would be a better idea to use a password for WoW that you use for nothing else, that is fairly long, and hard to guess (throw some numbers and punctuation in).

If you can handle the minor inconvenience get an authenticator, but that has less to do with and more to do with keyloggers.
I have a physical authenticator but will also create a dummy email address for my WoW account.
I still firmly believe that no one is going to try and brute force a password if they know the username. So as long as you are being smart about choosing a password and maintaining it, and keep your machine clean, you're fine, if you're unwilling to get an authenticator.

Bottom line: Unless the user has chosen a bad password that's derivable from the username, or uses the same password on random websites, knowing the username won't help an attacker at all. If knowing the username is such an attack vector, why can we still save our account name at all at the login screen?

Wait, weren't there recently a bunch of articles about how thousands of webmail accounts were compromised? Using a unique, unrelated email address for your account is also false security, because that adds another attack vector. Now, if an attacker breaks into your special email account, which presumably you're not maintaining, since all you made it for was to associate with, then all they need to do is successfully get your account password reset and they're good to go. You'll never know it happened because the first thing they'll do is disable any email forwarding that might exist.

As for maintaining the physical authenticator, the question you have to ask yourself is ,"Do I lose my house keys?" It's designed to be put on a keychain, keep it with your keys! :)

So no, I'm not admitting that Blizzard is forcing people to buy authenticators. I'm saying that it's the most secure option for people that are unwilling to take responsibility for maintaining personal internet security.

Smart password management + Authenticator == best.
Stupid password management + Authenticator == good
Smart password management == good
Stupid password management == bad
Wow, this is all news to me. I'd better make sure I do something about it soon to avoid the inevitable mad rush to their account site come the 12th.

Really sucks that they are forcing people to merge their accounts.
keylogger will find your password next time you log in. It won't find your account name

So that's a naive understanding of keyloggers. The term itself is just a generic name for a trojan that captures password information. There is no reason why the "keylogger" can't capture your account name out of memory instead of from keystrokes.

The simple fact is that if your computer is compromised by a trojan, you are already screwed.

@Kuroshiro: My issue is troll websites and/or a site that I "registered" for with my e-mail address and is later hacked.

I'm often asked for my e-mail address and freely provide it. It's really not something I am trying to hide.

Hell, even Wordpress blogs ask for a bloody e-mail address if you plan to comment.

By contrast, there is NEVER a reason for me to type out my account name on anything other than the Blizzard account management page or my WoW login.

Now while I agree that smart password management is important, countless security studies have shown that people repeatedly use the same password.

The net effect is that many people are going to register for B.Net and half a dozen other sites using the same email/password combination.

That's going to happen. Period.

And while it's easy to say that these stupid people deserve to be hacked -- do YOU deserve to be punished when one of those people turns out to be your guild leader?

Because the reality is that a "hacked" account can create chaos not just for the unfortunate player who got "hacked" but everyone else who is associated to that person. Having your guild bank wiped out and your guild disbanded hurts.
How many people force a password reset and then find out that their email is an old, no longer available one? or get a password change done by blizzard because the account was suspended for any reason?

I bet that is a greater number than those that would be hacked by people that "guess" their password once they know the account name.

Have you ever checked your WTF folder? There is a folder with the name of the account, so any script kiddie can know your account name anyway.

I agree this move lowers the security of the account but only for people who already had poor security habits (you can create a new email just for WoW), but guess what? Those are the ones who get hacked anyway, so forcing those people to have an authenticator is actually a good idea from my point of view.
I personally think having an Authenticator now is a must - either the phone version or the physical keyring version. I've had one for over a year now and would never think of playing WoW without an Authenticator. So many people I know have been hacked and they have all had one thing in common - no Authenticator.
The only failing of the evil plan to make us all get authenticators is that the Blizzard authenticators don't currently work with accounts!
This is a great point Tobold! Thanks for making the WoW community aware of this. I think Blizzard should give all account owners a free authenticator to compensate for the weakness in the Battlenet login scheme.
Sean Sullivan, I can confirm that gmail aliases work. I just used one.

Wolfshead, as I blogged, the authenticators _are_ free, essentially.
Actually, be careful about tying your account to a free webmail service. When my account got hacked, I'm pretty sure that the vector of attack was hacking my "throwaway" webmail account I give as an address to people likely to spam me. Some providers are notorious for having terrible security.

(For what it's worth, I am an MMO programmer professionally and I ran every single security tool I could find on my computer after my account was hacked and found nothing. I'm also not stupid about security.)

As for the "security through obscurity isn't security" parrots here, you're repeating a bit of incorrect lore there. Security through obscurity is security, but you should not rely on obscurity alone. That's why you have an "obscured" password that secures your account, but its still recommended to change your password on a regular basis. Anyway, if an attacker knows your account name, then their chances for success go up dramatically compared to knowing nothing. If nothing else, now they know what email service to attack if they want to use the "password reset" vector. So, yeah, making an account name common knowledge isn't increasing security.

As for the Authenticator, I suspect that's not being sold for a large profit, so this move probably isn't motivated by greed directly. It's probably motivated by having it easy for people to get Blizzard's next MMO, or to sign up for Diablo 3 accounts (you already have a WoW account!), etc.

At any rate, glad I'm not playing WoW anymore, and unlikely to go back now given that I've already had my account hacked once and they are just making it easier to happen again.
The only failing of the evil plan to make us all get authenticators is that the Blizzard authenticators don't currently work with accounts!

Can anyone confirm or disprove that?

I still think most people have completely incorrect ideas about how "hacking" works in reality. The threat from Trojans and keyloggers is played up by companies wanting to sell you software to prevent them. But if you have a hardware firewall built into your router, use the software firewall that comes with Windows, and use a free anti-virus program, you are already completely safe from that front.

Most hacking is based on stupidity. Just look around in World of Warcraft. See that elf hunter who cleverly named his character "Legolass"? What are the chances that he chose something extremely safe and clever as his account password? There is a high probability that if you use a simple list of the 100 most popular passwords, containing classics like "password", "12345678", and a lot of girl's names, you'll be able to "hack" Legolass' account. If only you knew his account name. Which, thanks to, will be a lot easier in the future.
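The "Legolass" scenario above, and Kuroshiro's earlier point that knowing a username only helps when the password is derivable from it or reused, both describe a policy a login service can enforce. As an added example (my code, not Blizzard's or anything from this thread), here is a Python password check that assumes the account name is an e-mail address, as the post says Battle.net's will be, and rejects passwords that appear in a small constructed sample of a "most popular passwords" list or that are built from the public part of the account name.

```python
import re

# Constructed sample of a "most popular passwords" list, for illustration only;
# a real policy would load a full breached-password list.
COMMON_PASSWORDS = {
    "password", "12345678", "123456", "qwerty", "letmein",
    "jennifer", "michelle", "ashley", "jessica", "amanda",
}


def account_tokens(account_name):
    """Split an account name (assumed to be an e-mail address, so the public
    part is the local part before '@') into lowercase word tokens of 3+ chars."""
    local = account_name.split("@", 1)[0].lower()
    return {t for t in re.split(r"[^a-z0-9]+", local) if len(t) >= 3}


def password_problems(account_name, password):
    """Return the rules of this illustrative policy that the password fails.
    An empty list means the password passed every check."""
    problems = []
    pw = password.lower()
    if len(password) < 10:
        problems.append("shorter than 10 characters")
    if pw in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    # Letters-only core so that 'Legolass2009!' is still caught as 'legolass'.
    core = re.sub(r"[^a-z]", "", pw)
    for token in account_tokens(account_name):
        if token in pw or (len(core) >= 4 and core in token):
            problems.append(f"derived from account name token '{token}'")
            break
    classes = sum(
        bool(re.search(pattern, password))
        for pattern in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    )
    if classes < 3:
        problems.append("uses fewer than 3 character classes")
    return problems


def is_acceptable(account_name, password):
    """Convenience wrapper: True when no policy rule is violated."""
    return not password_problems(account_name, password)


if __name__ == "__main__":
    # Constructed sample account and candidate passwords.
    samples = [
        ("legolass@example.com", "password"),
        ("legolass@example.com", "Legolass2009!"),
        ("legolass@example.com", "correct-Horse7battery"),
    ]
    for name, pw in samples:
        print(name, repr(pw), password_problems(name, pw) or "OK")
```

The check is deliberately conservative about the account name: once the login is an e-mail address that is widely known, the local part is the one piece of the credential an attacker can count on, so a password that contains it, or is contained in it, buys nothing. The reuse problem the thread keeps returning to cannot be caught at password-choice time; it is the case the authenticator covers.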
One more thing: a comment on my post about my account being hacked says that the merging of accounts has opened up another avenue for scamming. At least in the past, people were able to merge WoW accounts into their accounts. So, anyone defending Blizzard's decision and saying it's not a security problem can go ahead and feel stupid now.
But if you have a hardware firewall built into your router, use the software firewall that comes with Windows, and use a free anti-virus programm, you are already completely safe from that front.

That's good advice provided the word "completely" is removed... nothing... absolutely NOTHING will make you completely safe.
"The only failing of the evil plan to make us all get authenticators is that the Blizzard authenticators don't currently work with accounts! "

This is not true.

I have a Battle.Net merged account (merged it way back when they announced them) along side an authenticator and haven't had any problems.
Thanks for the info, JD!
I don't think, that tying an account to an arbitrary email address is a bad thing. Addresses are a dime a dozen, which means using a short one (gmail, gmx, whatnot) instead of the one you use every day is at hand's reach. Forward whatever email arrives there to your main email address and you won't even have to check more than one IMAP/Pop/Webserver.

Blizzard introduced the authenticators to combat a common problem - people using the same username/password combination with WoW they used for WoW-related sites. Does no one remember the guildlaunch fiasco?

Now, as to the security of one's account - Unix had it for decades to have a public username and a rather private password. That didn't make Unix less secure, it simply made security less based on the obscurity of usernames and more on the ingenuity of passwords.
Blizzard wants you on so they can advertise to you. It's that simple. Follow the money.
Best to merge it quick, before someone else merges your account.
I was skeptical about your assessment until I logged into WoW about half an hour ago to find out that our GM was hacked. Good thing one of the officers was online and let him know that something was fishy, but not before most of his gear was either disenchanted or vendored, all his personal gold gone (and he was capped on one of his personal bank alts with nice extra reserves on the rest of his characters) and all the gold in the gvault was gone. They didn't have time to auction off the enchanting mats, crusader orbs etc. they got off him, but it's still a pretty hard blow :/

The only difference? He had JUST switched over to a battlenet account :/