Tobold's Blog
Sunday, January 03, 2010
WoW account security

I had a couple of reader e-mails on World of Warcraft account security. One reader reported scam e-mails telling you that your account has been hacked, giving you a link where to log in to fix that, which of course is a phishing website, and thus a self-fulfilling prophecy. Another reader tells of several guilds on his servers being hard hit by hackers emptying the guild bank, and the guild raid leader quitting over the stress involved.

Nevertheless account security at Blizzard appears to be better than at NCSoft, where Kill Ten Rats reports that logging into your master NCSoft account can through a bug log you into somebody elses account, where you are free to change the other player's password.

Nevertheless it has to be said that the top three reasons to get hacked are stupidity, stupidity, and stupidity. Sharing your account password with your little brother or guild mates is likely to get you hacked. Using a password like "password", "12345678", or "Patricia" will get you hacked too, especially if you are using a publicly known e-mail address as your userID. And the third most common source of hacking is phishing sites, where you were tricked into revealing your password.

The famous Chinese hacker installing a keylogger on your computer to steal your WoW password is if not quite a myth then at least very rare. A decent modem will have a hardware firewall, you should turn on the Windows firewall as well, plus have a (preferably free) anti-virus software running. And with that your computer is safe from hacking by anyone except possibly the CIA, who are unlikely to be interested in your WoW password.

The reason so many people believe in this super-powerful keylogger software is simply shame. Nobody likes to admit that they were stupid choosing or handing out their password. I once talked to a guy complaining loudly about account security, and it turned out that his userID, password, and name of his main character had all been the same word. Duh! At one point, many years in the past, SOE got so fed up with people getting hacked by stupidity, that they declared *being* hacked in Everquest a bannable offence. Yeah, that's right, if you told EQ customer service that your account had been hacked, that account was permanently banned, not handed back to you.

Blizzard, being a little wiser and more politically correct, came up with a much better method, the Blizzard Authenticator. The trick is that the authenticator works *both* against keyloggers and stupidity. Thus you can promise your customers that they'll be safe from advanced keylogging technology, while in fact the main effect is protecting you from having used one of the 100 most common passwords, or your little brother wanting to delete your character out of spite. If you still get hacked, well, maybe you shouldn't have told your little brother where the authenticator was and how to use it. :)

Apart from anecdotal evidence, has anyone of you data on how widespread account hacking in World of Warcraft is?
Guildmates have had their accounts hijacked after visting major (legitimate, but non-blizzard) wow-websites with poisoned banner adds.

A guildmate's son has downloaded and installed something that contained a keylogger and got his father's account caught.

A guildmate's brother has fallen for the 'spectral tiger' code scam and put his details into a phishing site.

FREE powerleveling is being advertised in trade chat. Guess what happens there.

All of the above is not me mind you, but not quite anectotal. =]

On a sidenote - mind that all your characters get the Core Hound Pup if the account has an authenticator attached to it and that when the authenticator is removed, so is the Core Hound Pup. That means the pet is a sure way to tell if someone has an authenticator or not and can come in very handy when considering giving someone higher in-game permissions. =]
Three accounts in our guild were hacked in the space of a week in the run up to Christmas. I have downloaded the authenticator for my iphone, but havent actually linked it yet (more from fear of losing my phone and therefore access than anything else).

My username is different from my character names, and the only person who is likely to be able to work out my password is my wife, and she doesnt have any interest in wow at all
A quick Story - I had a not too simple password (wordNumber), with a username different to my Character name, different to my e-mail name - and was fine for 2 years. I then used my laptop on a 'unsecured' wireless network - in a 4 star hotel - when I was on holidays in the USA, and was hacked the next week. (my online banking was fine - but they use a more complication verification process, with a PIN number, and a password where you enter random letters from you password - eg 1st, 4th, and 6th characters)

Personally, I believe Blizzard should look at the world of online banking, and the different systems they use to prevent Identity theft - as they have a turn over / profit large than many banks.

The authenticator is a good step.

But mostly - IMHO - it will be people sharing accounts & passwords, and general stupidity that leads to account theft.
The keylogger is far from a myth.

The prime victims for key loggers use older PCs. These are running windows XP, IE (probably an older version too), and end up visiting a website they normally trust and later finding out it was hacked.

The hacked website then exploits an IE/PluginX/Flash exploit.

They run an expired AV or no AV at all. Why? The computer is old.

"My computer is old and the antivirus slows my pc down"

This is normally the same reason why auto-anything (including updates to IE, Flash) are turned off.

Since WoW runs on old hardware so well. There is a very large pool that are affected by this.
Firewalls and anti-virus software isn't as useful as you'd think against these things - keyloggers, like a lot of other malware, are often installed by the users (thinking it's something else, obviously) and most firewalls don't block the outgoing connections to send the username/password to the "hacker".
Obvious passwords is of course a no-no but really Blizzard should (and most likely do) have methods of observing and preventing brute-force hacks. A complicate password just slows that process down but can't eliminate it entirely.

I'd imagine that the most common way of getting hacked is through phishing scams and keyloggers. I was surprised to find out how common they were and often it happens. To me, seeing an email from Blizzard or a bank or from eBay or saying click here and go log in etc is an immediate alert but some people just don't recognise it. I know several people in RL who have fallen for scams like that.

Keylogging is also surprisingly common too and far more worrying as someone could gain access to *everything* you do online. Best way to prevent it is to be mindful of what you do online, what you download and get decent anti-virus software. I'd recommend *not* a free one though :) Get a good one like Kaspersky or ESET. If you're too cheap to worry about spending the cash then you really have to readjust your priorities. They are probably the most important piece of software you will need.
To be honest, it surprises me how many people are wanting to cry hacking when, as you say, the vast, vast majority of "hackings" are the result of stupidity. In all my time on the internet (12 years or so) I have had an account hacked twice. One was indeed my WoW account at one point, ultimately seeming like it WAS a case of a keylogger, simply because when I recovered it and changed the pass once it was taken once more, while a virus scan and system restore stopped it from happening again.

The thing is though, I would much rather my "hacking" be due to my own boneheadedness in making a password, using a public computer, or telling someone else it. At least then you can fix the problem easily, smile, and look back on it and laugh. I've prided myself at seeing phishing attempts from miles away, along with avoiding downloads that are clearly trouble. I felt cocksure and bold traversing the internet, even with minimal virus protection, simply because I felt that only a REAL idiot could fall for something so silly. In a sense, I can understand an easy to guess password simply because you create so many damned accounts on the internet, that at some point it is essentially inevitable that you make an easy to guess password simply to save your sanity. But damn...downloading a keylogger? Mind as well write gullible on your forehead and help out all Nigerian princes that happen to ask for your help!

I still have no idea how I got that keylogger on my computer, but it is perhaps the single most shameful mistake I have made in my life.
I got hacked one month ago, it's not fun. Probably because I had a "weak password". Mind you, not "12345678" weak, microsoft security has it as "medium".

In my opinion, Blizzard can improve a few things:

1. It's impossible to stop your account. When I loose my cellphone, bank card or visa card I can call a number and my account is disabled that very minute. Why not do the same for WoW? Take up your phone, type in your account name and your cd key and there, it's locked.

2. There are no protections against a brute force attack. On most websites with a login you get a captcha after five attempts. World of Warcraft does not seem to have of these protection measures.

3. They sell an authenticator but it feels like a ripoff. €8 posting costs for a €6 item? I bought a book flown in from the UK *with shipment* for €2.4 two weeks ago. Still, I'll just go ahead and buy one.

4. They put everything back... in my mailbox with a 90 days timeout. It's forcing people to pay a subscription for at least a month.

Especially point 2 is worrying me. A hacker can just go ahead and try out his dictionary of thousands of keywords on your account. Why not add a captcha system like every website does? Fail to enter your password three times and you get a captcha. It's still possible to get around it but a lot more difficult.
In over a decade of online activity and gaming I had virtually never seen a virus alert on my computer. Then I began playing WoW...

I'd not previously had any problems googling for information on many other MMOs, but it seemed like every other website that came up set bells ringing on my virus checker. I learnt very quickly that there were only a handful of useful sites worth visiting and a vast number that had ulterior motives.

Personally, if any online activity ever becomes so interesting to nefarious third parties that I need to buy a physical security device to protect myself, that's a an activity I am going to do without.

Have you got evidence for that SoE story, by the way? I have had a SoE account since late 1999 and I don't recall ever hearing that. Not that I can't imagine it having been the policy back in 2001-2. It would have been in keeping with the rest of their customer service ethos back then...
Tobold, you are doing a disservice by telling people they have a CIA level of security. You are not a computer security expert and, frankly, your statements are ignorant.

The firewall in your "modem" (you really mean router) is not relevant. Keyloggers are not being installed via open incoming ports and routers are not limiting outgoing traffic on standard ports.

Software firewalls like those built into Windows can restrict outgoing access on a program by program basis. This level of security is usually optional and may or may not be enabled by default depending on the program. These warnings are so noisy and often cryptic to the average user that even a cautious person can make a mistake in choosing to allow access to the wrong program. Further, the firewall can be fooled by a malicious program imitating a legitimate one or the malicious program modifying the firewall's settings.

Anti-virus programs are definitely not a fool proof defense. Of course the malware authors are trying to fool these programs and change their signatures as much as possible. There is a delay between the discovery of a new virus and updating the definition database. There are many vendors of varying quality. Scans are run on a nightly or weekly basis by which time the damage may have been done.

I'm not a security expert either. But I do know that that risk to even cautious users is much higher than you present. The best protection for WoW is to get an Authenticator. In general, keep your browsers, Windows and anti-virus definitions up to date by using whatever options are provided for automatic, nightly updates. If you are using an old version of Internet Explorer upgrade immediately. Make sure you have the latest version of Flash.
If Blizzard was a bank I wouldn't have an on-line account with them. IMHO Blizzard security is a joke and only see the authenticator as a money making stream.

I had my account hacked and I know for a fact it had nothing to do with loggers or me giving silly information out. My account had a very strong password too. One evening returning home, checked my email to discover an email with words to this effect - You have requested a password change, please confirm this is the case. to my Battlenet account email address. Now bare in mind that this email had not even been read, opened or viewed. At all.

Logging to my WoW account right away, I discover I can not log in as my password had been changed. I'm hacked.

I ring Blizzard, get top quality customer service from an Australian lass in Paris and get my account back 4 days later.

Now like many other WoW users, I use sites like this and am active on various forums and threads for class discussion and the like.

The downfall is, the email address that you register with is so damn easy to obtain... and as long as you get an address associated with an account you are as good as hacked.

This is because it is all you need - due to the incredibly low security Battlenet has/had (I don't know if this flaw in the system has been fixed).

Now in essence as long as you send an email with the correct data strings a password change will be sent to a 3rd party after doing the initial request of password change. The internet is a wonderful place, there are plenty of pages explaining how to do this out there.

I would hope this scam has been fixed but I am not convinced due to the numbers of people still being hacked.

My password was changed via a request, despite not confirming this via the official Blizzard email I received to ensure it was me requesting this.

Account security should be tight at all levels, not just for those who get authenticators.

- Changing to an email address system WoW now has in place was a move for the worse. It is too easy to get hold of this.
- With a valid username you can brute force crack the password.
- Or use a flaw in the incredibly poor Battlenet secuirty to have a password changed without confirming the validity of this request.
- And this is plain crazy: WoW passwords are NOT even case sensitive! Try logging in and using a few uppercase variants of your password. You shouldn't be able to log in... or should you?

So if I may suggest T, one of the top three reasons to get WoW hacked is in fact an almost open door policy introduced with Battlenet.
I live alone, have never shared my password with a single soul, and I use random combinations of letters and numbers for a password. Every 60 days my dark overlords at work force me to update all my work passwords. That reminds me to do it at home too.

Then one day I wake up and my WoW characters are naked, my bags and banks are empty, and I have about 6 copper to my name.

To this day I have no clue how it happened. I can't imagine anyone "guessing" my password, because I can't even remember them, they are so random. They aren't words at all, and make no sense. I have it all saved to a document on my computer that I refer to every time I log in.

A buddy turned me on to the magic that is "highlight" C, alt - tab, V.... in other words I cut and past my password in now.

It has worked for two years.

but... something to into my account, and it wasn't through me sharing with anyone.

Get an Authenticator guys. Seriously there is no excuse not to have one. They can't even change your Battle.Net password without having to enter the authenticator code if the account has one attached.
I forgot to add my personal experience to my first message. My account was hacked and I still have no idea how. I'm a software engineer and I'm more knowledgeable than your average person about security. I keep all my software up to date and I'm cautious about what I install. I have good and unique password for WoW that I've never shared. But somehow, soon after creating a account, I was hacked. I ran virus scans from several different programs on my home and office machines. I never found anything though I wiped my home machine to be safe and bought an authenticator.

I can't say for sure that being hacked wasn't because of something I did, but I'm skeptical. I'm more knowledgeable and secure than the vast majority of computer users and I've never had any other computer security issues.
Tobold, the given impression that a firewall protects at all against this sort of thing is false. The attack vectors these guys use are built around methods that bypass the firewall completely.

A keylogger generally requires YOU to click on something somewhere to get it to download and install. Once that has happened, the attacker is BEHIND the firewall.

You may have software like ZONEALARM installed. Very well. The keylogger trys to contact its host. A dialog appears: "BLIZZARD DOWNLOADER IS ATTEMPTING TO CONNECT TO AN EXTERNAL SERVER. ALLOW THIS? [YES / NO]. 9 out of 10 people won't think twice - they'll hit YES. They didn't realize that the name in that dialog is completely arbitrary, and thus they just authorized the keylogger to upload your captured password.

All done behind a firewall.

Truth be told, awareness and caution are the only real weapons.

Never follow a link from any email internal or external. Go DIRECTLY to your account page by typing in the known correct URL, then select the appropriate menu item.

If at all suspicious, do not be afraid of opening a GM ticket to confirm an ingame email.

Use common sense. If it looks too good to be true, it probably is. Chances are high that you're not preselected for the Cataclysm beta, for example, or that you won a Spectral Tiger mount without even entering a contest. Too many people fail to use common sense because of this money-for-nothing get-rich-quick culture that has grown over the last couple of decades. It works as well for security as it did for the economy.
I'm quite glad I have the mobile authenticator.

@The Captain
I'm pretty sure most programs for stealing your password are able to pull your clipboard too.
I'm in a fairly large guild (30-60 online at any given time) and we get account hacks pretty much once/month. Sometimes they are through stupidity I will admit. But some of our guild members have been hacked who are computer experts (IT workers).

The two things that all the hacked players had in common was that they weren't using authenticators and they used a lot of addons. Nobody in the guild has been hacked while using an authenticator but we can't make it mandatory because the WoW store is sold out of the authenticator much of the time *sigh*.
I think you're mistaken about Windows security, Tobold. Here's a May 2008 attack on Flash that specifically targeted Warcraft accounts. There have been others. No strong password will help defend against these attacks and virus scanning programs will be at least 24 hours behind.

People's computers get hacked all the time via security exploits in Internet Explorer, Flash, etc. Warcraft accounts are a primary target because they are easy to strip and there's no risk of being prosecuted for the theft. (This, by the way, is why buying gold is wrong. You're buying from thieves.)

Your best line of defense is regularly running Windows Update to patch security holes. Also, for Warcraft, the Authenticator is really worth having. I wonder if Blizzard will stick them in the retail box for Cataclysm just to reduce their support costs?
It's funny because I already see a lot of advice and back and forth in these comments about what's the best security for your WoW account.

Nothing, not even an Authenticator, can be more secure then simply having a wary person behind the keyboard.

In my 4 years of WoW, and longer history of internet use/gaming, I have NEVER had an account hacked or even gotten a virus.

I don't open emails unless I know where they are coming from. I don't just blindly click any link I find. I don't visit "game guides" or any of those types of suspicious websites.

To be blunt, if you get a keylogger or someone guesses your password IT IS YOUR FAULT PERIOD. People can have all the security they want, but having all that doesn't stop the end user from making poor decisions.
One helpful hint is to set up a new email address for use in logging on to WOW. Don't use it for any other purpose whatsoever - use your regular email address for everything else.

You can do this pretty easily via google mail and it adds an extra level of security.
FUD much, GG?
I agree that the lowercasing of passwords is bad for security, but the rest are either baseless speculation (I am not aware of a way to change your password via email, nor did Google point me in any relevant direction. I'll admit, I'm not so up-to-speed with all the new account 'hacking' methods, but I would imagine such an obvious exploit would become quite famous, and quite abused. For example, my account would've definitely been targeted by now...) or simply not inherent problems with's security.
Being able to brute force the password? Hell, 8 characters, even limited to lowercase, with digits/symbols is probably well outside the realm of possibilities for being bruteforced. Nobody cares enough to invest so much time/bandwidth into doing that, and it would most likely trigger alarms at Blizzard anyway.
On another note, having an authenticator does NOT make you impervious to any and all security issues. There are ways to work around it, by using social engineering and the ability to run software on your computer (which is needed for keyloggers, and something that happens way too often nowadays). So using one is not a replacement for decent security practices.
Since switching to Battlenet I'm getting fake emails supposedly from Blizzard almost every other day. I wish I'd thought of creating a fresh email account before switching to Battlenet. What a damn stupid system!

Wouldn't be suprised if Blizzard's next money making scheme involves making the Authenticator mandatory to "save us".
I wish I'd thought of creating a fresh email account before switching to Battlenet.

You can change your Battlenet account to a different e-mail at any time. I'm sure of that, I did it myself, after creating a special e-mail account used exclusively for that.
For anyone thinking about security on their WoW accounts after reading this, the Blizzard authenticator is available for FREE on the iPhone/iPod Touch or for a marginal cost for most other major phone brands/carriers. You can download or purchase the mobile authenticator here: Do yourself a favor, today, and download the app or order a physical authenticator from Blizzard. I've been happily using mine since the day they were released.
@ Ungulant
- FUD much, GG?

Not at all. Want some links I'll happily post them to you. I'm sensible enough to realise T wouldn't want hacking details posted on his blog.

Using Occam's Razor and the available evidence with my account being hacked suggests it was Battlenets weak security that made the attack possible.

If it was a key logger that was my downfall, then why would I receive an email asking me to confirm that I had requested my forgotten password be reset?

Doing so would immediately change the password and invalidate the information the key logger sent to the hacker in first place.

If my data was minded from a logger, he/she would have the details and change it via the control panel at Battlenet.

So it would seem there must be another reason for asking for a password be reset by a hacker. And on doing a little research I came across this hack.

As for non-case-sensitive passwords, bad? Blizzard are not wet behind the ears here, Battlenet was a recent introduction touted for better security amongst other things. This is such a basic and simple error that should have been fixed the moment they realised it was the case. It hasn't been fixed and honestly don't think they will.

Non-case sensitive passwords are a dream for brute force hackers. Say my account password was 'tobold'. There is now only one variation of that password. However upper-casing various letters like: 'toBoLd' makes for infinitely more variations.

Now you are right to an extent, assuming brute force hackers don't use anything other than random words to force a way through. This would be pointless and a waste of time. However, brute force hackers use a pre-written list of passwords, and simple variations of (many of the lists can be downloaded with a quick search and a little know-how). I'm sure you know, as well as me, how stupid people are with their passwords. Daughters name with a year of birth on the end or other equally stupid passwords for example.

I do a lot of PC building and CMS based web design. When asking people to assign passwords for admin functions or logins I can honestly say I have never known anyone to request 'digits/symbols' in a random fashion.

The Battlenet security is very weak (without an authenticator) and I personally still believe this intentional.

I would be very interested to know if anyone else reading this has been hacked and received an email requesting a confirmation that password be reset because you had forgotten it.
Ive gotten the confirm password change email, but I wasn't hacked. That email itself was a phishing attempt. Its likely that your confirm password email was the same, and perhaps unrelated to you being hacked.
Accounts getting hacked is actually pretty commonplace. There ARE Chinese people out there basically doing it professionally as their job. They target MMO accounts much more often than credit cards or bank accounts for a few reasons, not least amongst those being that financial fraud is aggressively investigated and punished, even across different countries. MMO theft is basically not investigated or punished in any manner, so there is no disincentive to do it.

Now as to attack vectors, the primary vector you'll see is Flash. Flash has had numerous vulnerabilities over the years and continues to have new ones found and exploited. Flash also tends to not be patched by users much because there's no notification that it's out of date or that there is an urgent patch. Flash also infects regardless of browser usage and can even infect with NoScript active unless you make sure it also disables all Flash. Using Flash allows attackers to have placement on highly targeted, popular fan sites because they can pay for an advertisement laced with the hidden keylogger installing payload. These sites do their best to filter advertisements, but occasionally one will slip through and infect a whole bunch of people.

I had an Eve account hacked in this manner recently which resulted in me losing about half my net worth after customer service restored my account and found my items and money. They're not as good as Blizzard is at restoring accounts. Blizzard usually restores 95% or more of your stuff, even if you have a huge amount of stuff (my guild had stuff stolen by a Chinese hacker from it last year that was worth upwards of half a million gold and took up the equivalent of 40 guild bank tabs, 99% of it was restored). They told me the account was banned shortly after it was registered as logging on from an IP address in China, though not before everything was taken. I use Google Chrome, I use passwords that aren't dictionary words and contain numbers, I don't share my accounts with anyone (I have no need to), I don't log on my accounts anywhere but home (I have no need to). I've taken every reasonable precaution. The only thing I don't do is use NoScript or disable Flash. Chrome automatically updates itself and has no known javascript attack vectors so there's no point in dealing with the bother of NoScript. I find too many sites rely on Flash these days, and I'd probably enable it on the sites that have infected ads anyway, so it's pointless to block it.

At the end of the day, sometimes there's nothing you can do besides rely on an authenticator (which sadly is not available for Eve and most games aside from WoW). If there's a zero day unpatched Flash vulnerability and you hit the wrong site then you're screwed. The best thing you can do, aside from all the normal precautions, is regularly check to ensure Flash is up to date. It helps to pay attention to any news regarding newly identified Flash attack vectors, as well.
First of all, you said it was a password change confirmation mail, and those do not exist as far as I know (you've corrected yourself in the second post). Secondly, all decent web mails and both POP and IMAP allow you to mark messages as unread after you read them.
Small caps only doesn't mean infinitely less variations, unless you had an infinity of variations to begin with and even then you'd still have an infinity left. Whoop! :-)
The number of combinations for the simplest of passwords is 1.0633824e37. Assuming it takes .01s to try each combination (and that's being quite on the optimistic side), and assuming you get the correct password after trying .1% of the combinations (again, quite optimistic), it would take you about, oh, 3.36972746e24 years. A couple of hundred of thousand billions times more than the age of the Universe.

While true that from a combination point of view requiring a digit and a letter reduces the 'strength' of the password, from a social point of view it increases it, as most people would use only digits or only letters (names, telephone numbers and what have you).

It is true that bruteforcing will not work and using a dictionary is a much better solution, but at the same time, you cannot blame Blizzard for their customers' stupidity. Or at least, I wouldn't, you might have me believe that it's my fault a customer for my lock gets it picked if he picks 0000 as his code.

Now, back to your account being compromised. While it may be true that there could be a bug in's hash matching algorithm (hai, MySQL password authentication), I'm pretty sure this is neither intended, nor would go unfixed for long if such a vulnerability become common knowledge (i.e. outside 0-day exploit circles). If it was so widespread as you said, it would've 'made the news', as I'm sure more than a handful of people involved in computer security do play WoW (and I have a bit of faith in mankind, silly me :-) ).

You mention something about sending an email with 'correct data strings', I can only assume you mean the confirmation link you get from Blizzard when you request a password reset, link which is sent to your email address (I even looked at how Blizzard handles looking up the email address on the second part of the form, and they are using a server stored session, so that's not exploitable either).

Also, you engage in FUD again, "I personally believe this is intentional". There is absolutely no proof of this.
Two sisters in the guild I run were hacked (one got keylogged or somesuch, and the sister used her computer while it was infected) and the hackers grabbed as much as they could (which admittedly wasn't a whole lot)... They have authenticators now, and I've instituted the policy that I need to see a corehound pup before anyone gets access to the bulk of the guild bank. The 6th tab is still public, and everyone understands that they shouldn't attach any importance to anything in there.
That having been said, I got email from blizzard this morning saying the stuff that got stolen was identified and replaced.
Ugh. I had an account stolen once by someone who knew my password. It was not a fun experience.

Most of the people I know from WoW who got hacked were actually from addons. And yeah, it was mainly their stupidity due to not downloading them from safe sites.

I had a computer completely messed up from one of those flash exploits. It was a site I normally frequented, and one of their ads downloaded one of those fake security software programs onto it. One of the most frustrating things I've ever had to deal with. Didn't result in a hacked WoW accounts however. Personally, I back myself up with both: safe practices and a good security program. Doesn't hurt if the software or my brain decides to take the day off.
For those using an authenticator: Do you need to use the authenticator to login/use the account management system, or it it only used to log into the game?

It is hard to believe that lower case passwords are in use on a website owned by the largest MMO maker in gaming. Especially troubling is that there are no lockouts that occur after a preset number of incorrect password entries, so I can see how dictionary list bruteforce style attacks could be relatively successful and very easy to perform in such a system.

I was one of the ones who e-mailed Tobold about my guild being hit by by a hacker, and what is most troubling about our event is that the hacker somehow over rode the daily withdrawal limits that were in place, as well as being able to remove all the gold that was in our gbank. It has been explained to me that there is some kind of glaring vulnerability in the GBank interface that allows hackers to somehow access all tabs and over ride withdrawal limits. If this is indeed the case, then I can see how this would be a driving force behind the hackings themselves if such a vulnerability exists.

I created a new e-mail address that I planned on using solely for the account registraton. But even after just a few weeks I started getting spam mail to this account, and I have never used the e-mail address for -anything- else, ever. Troubling, indeed.
I've had one experience with 'account security'.

My secret question for my original hotmail/msn address was an innocent honest question 'What is your cats name'. The secret answer was my current cats name - and I told somebody over msn once. They were not who they appeared, their secret question had been their favourite football team in the local league (12 options to guess).

But I've never had any issue since, always using complex passwords for anything I feel needs security and not storing them on my computer, etc.

I dont feel the need to worry about an authenticator, as I'm not the sort to fall for phishing scams and the like (at least not any more).
My advice; if WoW is your only game of choice, use a Mac. Also as Tobold said, don't be stupid.
On your question...maybe you could do a survey of authenticator holders for the reason they got the authenticator (or maybe that already exists). I'm guessing many get it because they experienced a previous hack (like me).

I'm wondering if there's info out on how many authenticators have been sold. If you can find that out, you'd have a rough estimate of how many authenticator holders have been hacked and I suppose there's probably some correlation between the two populations.

my own story===
I got hacked a year ago or so. I was an my backup PC and couldn't get the installer to download an update, so I went to the Blizz tech support site and clicked on one of the recommended download sites.

I'm assuming it was a mouseover banner on that site as I didn't click anything except the download, and didn't go to any other sites.

I think the top 2 reasons for security compromise should be "Stupidity, Stupidity"...but the 3rd one should be "Carelessness".

I wasn't stupid about downloading 3rd party software, or going to bogus websites, or having a weak password. It wasn't my main PC (as in, I don't use it often) so my only big fault was not making sure my definitions were updated before I went out to the good ol' www.

The site was a legite site recommended by Blizz. I was just in a hurry to play and got careless.
Beware of dubious addons or hacked game software. Keyloggers are often loaded this way. A friend of mine was hacked 1 day afte installing a cracked racing game.
There was a statistic on the net some month ago that 60% of all trojans (keyloggers) were written now to catch mmo passwords as account hacking was now more valuable than credit card hacking.

Go figure.
Accounts change hands a lot. It is hard to tell how much it's from keyloggers but it doesn't matter.

My WoW account is my most secure account outside of my bank password (maybe)
Blizzard should:

1. require regular password changes.
2. Require a picture selection at account creation and display this when you get log onto a blizzard site (best way to fight phishing)
3. MORE AUTHENTICATORS!!!! (support for more phones and in all new box copies)
heathisrael, there's nothing careless or stupid about clicking on links on the Web. Particularly one linked to by Blizzard. If there's a new unpatched exploit in a banner ad on the site, you're gonna be screwed. Even Wowhead has been hacked; are you going to stop clicking on Wowhead links?

The #1 people responsible for hacking Blizzard accounts are the criminal hackers themselves. (Again, don't buy gold from them please!). The #2 responsible are the companies that produce buggy insecure code. Way down at #3 is the user, and there your primary responsibility is patching your system and running anti-virus. The idea that you can somehow divine whether any random web page (and its banner ads) is unsafe is ridiculous.
Authenticator is god-like, and it's cheap. It costs just over $6 US, and shipping is free. Any grown adult who still has an excuse not to get one totally deserves to get hacked. Not having a Blizzard Authenticator = stupidity, bar none.
A couple of links that would suggest what happened to me is not just me making this up and a one off occurrence.

Link One

Link Two

To reiterate, no FUD all. I am simply reacting to real events that happened to me and my less than satisfied opinion of Blizzards account security.
I've got an interesting story regarding being hacked. I haven't played WoW in a few months now, but my friends still do, and a while ago one of them messaged me asking if I just logged on. Seeing as how as far as I know, my account was disabled since I hadn't been paying for it for several months, I said "No" and went to work finding out what was going on with my account.

Long story short, after a call to customer support it all got taken care of. I'm still not exactly sure how they got into my account in the first place, but it happened right around the time of the big "Attach your WoW account to your account" changeover, which I never bothered to do since I wasn't playing by that point, so perhaps someone found some kind of exploit where they could attach an inactive account to their own ID (Basically all Customer service had to do to fix the problem was reassign the WoW ID to my rather than the hacker's).

The thing that makes this story so strange is that the hacker actually PAID FOR A MONTH with a credit card just to get into my account, as it was frozen from inactivity like I mentioned earlier. I got it taken care of quickly enough and there hasn't been an incident since then even though I didn't bother to get the authenticator (Since I still wasn't planning on playing). I changed all my passwords on everything and ran a big virus scan to be sure, but I'm still kind of mystified as to how they got into my account. I had a pretty strong password so I'm pretty sure they couldn't have just brute forced it (Well, I suppose if Blizzard has no protection against Brute forcing they could have, but the password I was using was rated "Strong" so it would have taken quite a while).

I guess the point of my whole story is that sometimes this kind of thing can happen even if you are very careful, because of factors that you might not even be aware of.
I should add to my last comment that they paid for the month with THEIR credit card, not MY credit card. I would have been a lot more worried if the latter were the case.
This comes up from time to time, and I'm never entirely sure what I believe.

I've never encountered a keylogger in the wild. Ever. I used to work on computers back in college, and while I saw plenty of viruses of varying nature I never saw anything that was clearly a keylogger.

Even if you do have a keylogger installed, is your WoW account really their target? Why would they not steal your credentials for online banking sites? Or your credit card data?

Keyloggers clearly do exist, but my instinct tells me that Tobold is right that *most* incidents due to horribly bad passwords or account sharing.

Of course, I have no data to back up this belief. I just don't know for sure. And at any rate, no matter the real reason, the authenticator tokens solve the problem.
More than once I found that visiting non blizzard website but anyway very famous ones.. oh well, advertising banners aren't as secure as you could think

Already reported a couple of time to website about their banners but I think that even if they changed the source of advertising is only a matter of time

So I find sometime that some banners on those high profile wow specific websites have some hidden cross-site scripting attacks.

So, suggestion is:
1) good antivirus with ability to check and block malware within javascript and such
2) good web browser that prevent such attacks
3) if you login to you wow account (for managment), after doing your stuff... remember do do logout to invalidate session key
4) if possible use authenticator
Jeremy, the reason thieves go after a Warcraft account instead of your banking or credit card data is simplicity and safety. No one's ever gone to jail for stealing Warcraft gold. And laundering gold through IGE or the like is relatively easy compared to arranging bank transfers. Of course the thieves can take both, there is a lively black market trade in financial data, too. But the easiest way to steal credit card info is at merchants, not individuals.

One more example of banner ads being the source of malware: the New York Times, the leading US newspaper. In this case the ads tried to trick users into installing fake anti-virus software. That requires positive action from the user, rather than just being passive victim to an exploit, but it's notable for how high profile the web sites were.
people who attempt to hack your account are smart...or at least in my case they were.

I was hacked about a year ago after I stupidly (yes I admit my own mistake) logged into my yahoo email account on a Mac laptop at a mac store.

This is where the culprit was smart. The email address I used was not the one associated with my wow account, but only the extension (@yahoo) was different. The core username was the same with a different extension (@hotmail), which was associated with my wow account.

Once again, stupidly me, I had the same password for both the yahoo and hotmail accounts. Therefore they could get into either email accounts, but the hotmail one was the desired one as it was the one linked to my wow account.

How they discovered my hotmail account was linked to a wow account I am not sure, but I then saw a "password change request" had been processed. I didn't even know such a service existed (and don't think it should, when all they ask for is the email address to verify identity to get a new password)

And simple as that, the process went through, they had the password to the email account and were issued the new password for my wow account, leading to my account being compromised.

I got everything back now, use different passwords for each account, and avoid logging into public computers, Macs are no exception.
Post a Comment

<< Home
Newer›  ‹Older

  Powered by Blogger   Free Page Rank Tool