
Blizzard introduces new device for WoW gamers

Seemingly tired of having accounts hijacked from customers, Blizzard Entertainment over the weekend introduced a new authenticator token able to generate a six-digit security code that must be entered each time a WoW player logs into their account.


"It's important to us that World of Warcraft offers a safe and enjoyable game environment," Blizzard CEO and cofounder Mike Morhaime said in a press release.  "One aspect of that is helping players avoid account compromise, so we're pleased to make this additional layer of security available to them."

Once activated with Blizzard, the authenticator offers a one-time six-digit code that must be used within 60 seconds on a gamer's WoW account.  It is meant to be used alongside an account name and password.

The added layer of protection will help lower the risk of players having their accounts hacked by an overzealous thief.  Hackers steal gaming accounts so they can pillage them for items that can be sold online to other WoW players.

Several incidents since the game's release highlight security issues that WoW gamers have faced recently.  The first incident involved a Trojan attached to e-mails sent to WoW players who had high-level accounts that could be hijacked.  With a similar goal in mind, hackers sent gamers web site URLs that would download keylogging software onto their computers through a loophole in Microsoft Internet Explorer.  Each time the user entered their WoW password it was recorded, allowing hackers to access accounts and steal items.

PayPal, banks, and other financial institutions use similar keys to help protect data, with PayPal charging customers $5 for the PayPal Security Key.  

Blizzard plans to charge $6.50 for the device and did not announce when it will be available.



Comments

Eh?
By Spivonious on 7/2/2008 4:49:01 PM , Rating: 3
How does this work? How does Blizzard know what key was generated?




RE: Eh?
By masher2 (blog) on 7/2/2008 4:55:15 PM , Rating: 5
It uses a seeded pseudo-random sequence which is likewise generated and compared at the server.

I have one of these in my pocket as I type this, though not for WoW. My own firm has used this technology for remote access for over 15 years...it essentially results in a password for your account that changes every 60 seconds.
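The scheme described in the comment above (a shared seed, with the same code computed on the token and on the server) as an added example that is not part of the original thread. It uses the public HOTP/TOTP construction (RFC 4226 truncation over a time counter) as a stand-in, since the page does not give the token's actual algorithm; the `Verifier` class, its drift window and the seed are assumptions.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # code lifetime given in the article
DIGITS = 6         # code length given in the article


def code_for_counter(seed: bytes, counter: int) -> str:
    """Six-digit code for one time step (RFC 4226 dynamic truncation)."""
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def token_code(seed: bytes, now: float) -> str:
    """What the token would display at Unix time `now`."""
    return code_for_counter(seed, int(now) // STEP_SECONDS)


class Verifier:
    """Server side: keeps each account's seed and recomputes the code."""

    def __init__(self, seeds: dict, drift_steps: int = 1):
        self.seeds = seeds              # account -> seed shared with its token
        self.drift_steps = drift_steps  # tolerated clock drift, in time steps
        self.last_used = {}             # account -> newest step already accepted

    def verify(self, account: str, submitted: str, now: float) -> bool:
        seed = self.seeds.get(account)
        if seed is None:
            return False
        current = int(now) // STEP_SECONDS
        for counter in range(current - self.drift_steps,
                             current + self.drift_steps + 1):
            # Skip steps before time zero and steps already consumed, so a
            # captured code cannot be replayed inside its own window.
            if counter <= self.last_used.get(account, -1):
                continue
            expected = code_for_counter(seed, counter)
            if hmac.compare_digest(expected.encode(), submitted.encode()):
                self.last_used[account] = counter
                return True
        return False


if __name__ == "__main__":
    seed = b"12345678901234567890"  # constructed sample seed (RFC 4226 test key)
    server = Verifier({"player1": seed})
    code = token_code(seed, now=130)
    print("token shows:", code)
    print("first login:", server.verify("player1", code, now=130))
    print("same code replayed:", server.verify("player1", code, now=131))
    print("logged code used 10 min later:", server.verify("player1", code, now=730))
```

A keylogger that records the password and one code gains nothing lasting: the recorded code fails once its step has been consumed or has passed.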


RE: Eh?
By walk2k on 7/2/2008 5:26:13 PM , Rating: 4
Yes this type of device is typically used for VPN access.

Never thought I'd see the day that people needed this level of security for a freekin online game. Sad really.


RE: Eh?
By sweetsauce on 7/2/2008 5:47:17 PM , Rating: 3
... or progress!!! When you invest that much time into something, doesn't hurt to make sure it's secure.


RE: Eh?
By bodar on 7/2/2008 8:43:02 PM , Rating: 2
Well, tell the gorram gold farmers to stop hacking user accounts, selling off all their stuff and shipping off the gold to some mule. Or just get everyone to stop buying gold.

Good luck on that one.


RE: Eh?
By masher2 (blog) on 7/3/2008 12:06:31 AM , Rating: 2
> Or just get everyone to stop buying gold. Good luck on that one.

It doesn't seem to be that difficult, assuming Blizzard actually had the will to do it. A virtual world isn't real, after all...every single transaction has the capacity to be logged and recorded.


RE: Eh?
By Digimonkey on 7/3/2008 8:42:49 AM , Rating: 2
That would cause way too much stress on the servers to make it justifiable.

Plus I don't want big brother watching over my shoulder as I'm purchasing my Helm of Disintegration that does 1d4 damage, while my half elf mage wields his +5 Holy Avenger.


RE: Eh?
By nunya on 7/4/2008 3:09:50 AM , Rating: 3
Paladins can't use the Helm of Disintegration...


RE: Eh?
By Entropy42 on 7/3/2008 10:26:14 AM , Rating: 2
Blizzard records a very large number of the transactions that go on in the game, and have already canceled thousands of accounts for botting and gold-selling.


RE: Eh?
By Mitch101 on 7/3/2008 10:26:55 AM , Rating: 2
I will state I have never bought or sold gold; however, the cost of a mount being so high to get to the next level that is just a bit faster than my existing one makes me think about buying gold for the first time, since it takes my character a very long time to make 500 gold.

It wouldn't be so difficult if nearly every decent item I picked up is bound to me but worthless to my character.

I would also like to see some automated characters that I can get to open a lockbox. Finding a lockpicker is next to impossible most of the time. I now have 10 lockboxes that I cannot find a lockpicker to open for me when I am online.


RE: Eh?
By Reclaimer77 on 7/3/2008 11:19:52 AM , Rating: 1
What level are you ? The new cash cow daily questing makes getting gold a joke. Kudos to Bliz for allowing casual gamers to easily farm gold and NOT patronize the gold sellers.


RE: Eh?
By Jynx980 on 7/6/2008 7:30:00 PM , Rating: 2
I think they take a more active role against these things since it's a subscription based service. Diablo 2 having free online play was, and is, hacked up the ying yang. They have your money and don't expect to get anything more out of you. Since we're talking about millions of users for each game, there will always be things compromised. Paying a monthly fee you expect more. Hopefully Diablo 3 will be much more secure than its predecessors, but I'm not holding my breath.


RE: Eh?
By cane on 7/3/2008 3:16:13 AM , Rating: 2
Secure? I have something a lot safer for my bank account. Just wish it would become more common.
It is a small device that looks like a calculator. This is how it works:

#. Each unit is unique and linked to its specific customer.
1. The user logs in with his/her national identification number.
2. An 8 digit number is generated and you type it in to the device (but first you have to use a PIN number to activate the device).
3. The device generates an 8 digit answer that you type in the browser.
4. If the device generated code was the predicted (remember each unit is unique and generates codes according to a predefined pattern) then you are who you claim to be and you get access.

It may seem cumbersome, but it only takes a few seconds.


RE: Eh?
By cane on 7/3/2008 3:19:43 AM , Rating: 2
Oh, and I forgot... you only have 3 tries both at breaking the PIN for the device and for the 8 digit access code. Then the system locks up and you have to go to the bank in person and identify yourself with your ID/driver's license to get it unlocked.
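The challenge-response login and three-try lockout described in the two comments above, as an added example that is not part of the original thread. The bank's real algorithm is not given on the page, so HMAC-SHA-256 over the challenge stands in for the device's "predefined pattern"; the `Device` and `Bank` classes and all sample values are hypothetical.

```python
import hashlib
import hmac
import secrets

MAX_TRIES = 3  # "you only have 3 tries" for the PIN and for the access code


def response_for(device_key: bytes, challenge: str) -> str:
    """8-digit answer derived from the per-device key and the challenge."""
    digest = hmac.new(device_key, challenge.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(digest[:8], "big") % 10 ** 8).zfill(8)


class Device:
    """The calculator-like unit: unique key inside, unlocked by a PIN."""

    def __init__(self, key: bytes, pin: str):
        self._key, self._pin, self.bad_pins = key, pin, 0

    def answer(self, pin: str, challenge: str):
        if self.bad_pins >= MAX_TRIES:
            return None  # device locked after three wrong PINs
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self.bad_pins += 1
            return None
        self.bad_pins = 0
        return response_for(self._key, challenge)


class Bank:
    """Server side: knows each customer's device key, issues challenges."""

    def __init__(self, device_keys: dict):
        self.device_keys = device_keys  # customer id -> device key
        self.pending = {}               # customer id -> outstanding challenge
        self.failures = {}              # customer id -> consecutive wrong answers

    def start_login(self, user_id: str):
        if user_id not in self.device_keys:
            return None
        if self.failures.get(user_id, 0) >= MAX_TRIES:
            return None  # locked until unlocked in person
        challenge = f"{secrets.randbelow(10 ** 8):08d}"
        self.pending[user_id] = challenge
        return challenge

    def finish_login(self, user_id: str, answer: str) -> bool:
        challenge = self.pending.pop(user_id, None)  # each challenge is single-use
        if challenge is None:
            return False
        expected = response_for(self.device_keys[user_id], challenge)
        if hmac.compare_digest(expected.encode(), answer.encode()):
            self.failures[user_id] = 0
            return True
        self.failures[user_id] = self.failures.get(user_id, 0) + 1
        return False


if __name__ == "__main__":
    key = b"constructed-device-key"  # constructed sample values
    bank, device = Bank({"user-001": key}), Device(key, "4711")
    challenge = bank.start_login("user-001")
    reply = device.answer("4711", challenge)
    print(challenge, "->", reply, bank.finish_login("user-001", reply))
```

Because the answer depends on a fresh random challenge, a recorded answer is useless for the next login, and the two counters bound guessing of both the PIN and the 8-digit code.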


RE: Eh?
By jtesoro on 7/5/2008 10:55:10 PM , Rating: 2
Yup the device you're referring to is more secure but it's only for those who think they are at risk from those who may have physical access to the device, like your spouse, siblings, co-workers or friends who come over to your place. Blizzard is trying to address the problem of hackers/phishers who hijack your account online. For this problem, the much simpler device they are offering is more than adequate (and more economical too).


RE: Eh?
By Reclaimer77 on 7/3/2008 11:17:13 AM , Rating: 3
It's sad that the connection between the WOW Launcher and Blizzard is STILL not encrypted !!

My account was even hacked and I can tell you 100% that there was no keylogger or trojan used on this system to get it. It was either sniffed en-route or gotten from a brute force attack ( highly unlikely ).

Thank god my best friend called me and asked " Why did you log in and off without saying hi " and I had time to change my password. Or the next time I came back I would have been a broke, naked, Dwarf :P

But hey, why take five minutes to code in an encryption module when you can charge 7 bucks for this handy device ? Lets see, 7 bucks multiplied by 7 MILLION subscribers....


RE: Eh?
By eye smite on 7/7/2008 4:12:28 AM , Rating: 2
Hmm, well..........it's a game that generates millions of dollars every month. It's nice to see a company trying to do something logical when addressing its problems........


RE: Eh?
By SexyK on 7/2/2008 7:25:29 PM , Rating: 3
RE: Eh?
By EricMartello on 7/2/08, Rating: -1
RE: Eh?
By ebakke on 7/2/2008 10:24:12 PM , Rating: 3
Your statement clearly shows that you have absolutely no idea how the device works.


RE: Eh?
By EricMartello on 7/2/08, Rating: -1
RE: Eh?
By KentState on 7/2/2008 11:48:02 PM , Rating: 2
Considering that you have to know the user's 4 digit PIN and get it right on the first couple tries before the server makes you wait for the code to reset, I doubt the odds are very high. RSA SecurID fobs have been around for a very long time and are used in many applications. I don't see how all of a sudden you figured out the method to crack them.


RE: Eh?
By pxavierperez on 7/3/2008 12:12:17 AM , Rating: 2
I have one from my Bank for a few years already. One also from work. I'm just amazed that an online game is now utilizing this kind of security level. Better for their users, I suppose.


RE: Eh?
By EricMartello on 7/3/08, Rating: -1
RE: Eh?
By leidegre on 7/3/2008 4:05:57 AM , Rating: 2
I think you should step back and re-think this. The device for once, what does it do? How does it work? Understand that, at the very least.

Then think about it from Blizzard's point of view. They have more than 10 million paying subscribers world wide. That's more paying customers than the entire country of Sweden (where I live). This kind of security peripheral would probably lower the support costs for Blizzard quite a lot, and/or been seen as a way of actually protecting your character. Thinking about how many hours people put in that game I'm quite sure it's worth something for you, if you felt a stronger bond with your digital character, as you and only you have access to that character.

It's a brave new world, like some of us would say and this is just one of those things that makes sense today.

Also, the device itself doesn't seem to require any input; as for how it's tied to a specific account, I do not know. But it would still require physically possessing such a device before being able to log in on anyone else's account.

I think this is a good idea. I won't be needing it, but I have a good understanding of what goes on inside my computer, most people don't.


RE: Eh?
By EricMartello on 7/3/08, Rating: 0
RE: Eh?
By ICE1966 on 7/3/2008 11:13:03 PM , Rating: 3
WOW, they charge you people approximately $14 a month, multiplied by 10 million plus users for this game and now you got to pay $6.95 for this. man talking about getting screwed, and these people are hijacking the people that pay every month. Do the math, they should give this device to everyone who plays world of warcraft. Blizzard is making a killing every month because people are crazy enough to pay to play this boring ass game. Why not suck more money out of ya.


One Ring to Bind Them All
By DaveLessnau on 7/2/2008 5:10:43 PM , Rating: 5
The problem with these kinds of devices is that you can't have just one to use on ALL your sites (financial, usually, but the gaming aspect just adds to the problem). I'd love to use them, but I've got well over a dozen sites that would each require its own. They won't all fit on a keychain, let alone fit in my pocket. Plus, my keys are normally not near my computer (especially while I'm sitting around it in my underwear).




RE: One Ring to Bind Them All
By Arvendor on 7/2/2008 5:17:43 PM , Rating: 2
Dude! We don't want to know what you're doing in your underwear...


RE: One Ring to Bind Them All
By BladeVenom on 7/2/2008 6:03:41 PM , Rating: 5
Brings new meaning to security briefs.


RE: One Ring to Bind Them All
By bodar on 7/2/2008 8:45:49 PM , Rating: 3
Is that 256-bit AES encryption in your pocket or are you just happy to see me?


RE: One Ring to Bind Them All
By MRwizard on 7/3/2008 1:02:32 AM , Rating: 2
that would be terribly small


RE: One Ring to Bind Them All
By xdrol on 7/2/2008 5:36:33 PM , Rating: 2
You don't want one device to be used on all your sites, that would be an act against the basic principle why they are secure.


RE: One Ring to Bind Them All
By Solandri on 7/2/2008 7:33:16 PM , Rating: 2
Only if each company the keyfob works with has to have its own authenticating server. If there's a 3rd party authenticating server, then it'll be secure (to the extent that communications with the 3rd party is secure). None of the individual companies would know how you were being authenticated, they'd only get a "yes" or "no" answer when they asked the 3rd party if you were authentic.


RE: One Ring to Bind Them All
By PeterA on 7/3/2008 5:55:29 PM , Rating: 2
Yeah, you could through VeriSign's VIP service, which is what PayPal uses. Doesn't look like Blizzard is using VeriSign for this, so that sucks for WoW players. If they used VeriSign then you could use your PayPal Security Key for WoW instead of having to buy another token.


Great idea...
By Vim on 7/2/2008 3:21:52 PM , Rating: 2
If I was playing regularly, I'd definitely get this.




RE: Great idea...
By FaceMaster on 7/2/2008 4:01:23 PM , Rating: 5
If I was playing regularly I'd be happy for somebody to hijack my account and do something else in my life.


RE: Great idea...
By bighairycamel on 7/2/2008 4:10:27 PM , Rating: 2
I have been hearing lately that a lot of accounts have been hijacked. Another loophole involved a security issue with the previous version of Flash player.

I would assume that most good anti-virus'd+firewall'd PCs would not have had that problem.


RE: Great idea...
By bhieb on 7/2/2008 5:05:33 PM , Rating: 2
I do play and I have up to date AV and firewall, but my account was hacked (proly thru the Flash exploit). I plan on getting one, but it kinda ticks me off that I have to pay for it (more than shipping). This is basically a tool to save Bliz money; it is frustrating when your account gets hijacked but it is really not that big of a deal. It is Blizzard support that will see less man hours if this was used. I say ship it out free; with an estimated 10 million or so active accounts @ $15/month I think the $1.8 billion you're making off of subscriptions per year should cover it.


RE: Great idea...
By Alexstarfire on 7/2/2008 5:46:51 PM , Rating: 2
True, but since not everyone has a high level account it'd be a waste of money and time to many a people.

I think it should be free, but I don't think they should ship it to everyone. I think they should only ship it to people who request one.


RE: Great idea...
By purefat on 7/3/2008 6:14:01 AM , Rating: 2
It's actually much more since in europe it's 15 euros not 9.4 euros= 15$


Err... why a manual code?
By Fox5 on 7/2/2008 6:21:29 PM , Rating: 2
Why not a USB dongle that can be plugged in the computer and probed by the game for the information? Is it any more secure making a person type in the code themselves?




RE: Err... why a manual code?
By trajan on 7/2/2008 6:46:19 PM , Rating: 2
Well the point is that the code is dynamic. So while you could have a USB port that would auto enter the dynamic code, you'd then:

(1) have to worry about security issues with a compromised computer trying to download the seed/algorithm off the drive. I'm sure there's a way to prevent that, but it's another headache for the designers

(2) USB interface can't be that expensive but is still probably more expensive than a cheap LED screen

(3) You'd have to get access to the USB port on every computer you play on, which isn't a big deal if you're at home, but could be if you're playing on public computers like in a lab or cafe, if people do that with WoW.

It would certainly be convenient though. I hate having to enter my work RSA all the time. And given that the security concerns here are a lot less than in enterprise situations -- the main concern sounds like it's over anonymous internet hackers, not people you'd know in real life, or who get into your apartment -- it would be easier to have a hardware secured USB-interface device that you can just plug in and then forget about.


RE: Err... why a manual code?
By Solandri on 7/2/2008 7:39:36 PM , Rating: 2
Actually, if it had a USB interface, what I'd worry about is some idiot writing a "Use your keyfob remotely!" app. You leave the keyfob plugged in on your home computer. When you want to play on a remote computer, you run his app, which connects to your home computer, queries the keyfob, and provides the current passcode.

Of course this defeats the entire purpose of the keyfob's security. Someone writes a trojan which slips a backdoor into the app, and when they want to access your account they just remotely query your keyfob which is conveniently online now.


RE: Err... why a manual code?
By ebakke on 7/2/2008 10:30:36 PM , Rating: 3
> Actually, if it had a USB interface


Since this is likely a rebadged SecurID 700, if they wanted USB support they could've grabbed the 800:
http://www.rsa.com/node.aspx?id=1311


RSA Token
By ChiefNuts on 7/2/2008 3:46:55 PM , Rating: 3
Isn't this just a glorified RSA Token?




RE: RSA Token
By Cusqueno on 7/2/2008 5:33:16 PM , Rating: 2
I have managed RSA ACE/Servers in the past. Yes, in concept it is the same thing as an RSA Key Fob token. Though it appears they are omitting the PIN feature, perhaps relying on the original password instead.

There are several vendors that offer this type of product. RSA charges $50-$75 for a key fob (plus the backend server license fee). Other vendors are cheaper, but Blizzard is definitely not making money off this. As they described, the benefit is preventing loss.

The battery that powers the device will likely die after 1-2 years or suffer some other fault. So a replacement device will be necessary in the future.

We also had users complain about carrying 3-4 different key fobs for disparate secure systems. It is technically possible to link the authentication servers (cross realm authentication) but getting different companies to agree to share user credentials is unlikely.


RE: RSA Token
By emarston on 7/3/2008 9:07:16 AM , Rating: 2
I've had my office RSA Token for nearly 4 years and haven't had any battery issues. The LED is so basic it takes very little power so batteries last for a very long time. It's basically like the super cheap digital watches that were giveaway prizes back in the day.


Social Considerations...
By EricMartello on 7/2/2008 9:49:19 PM , Rating: 5
[Toggledicks Gnomish Security Keycard]
Binds When Picked Up
+42 Nerd Factor
+26 Account Safety
Equip: Chance to get laid reduced by 90%.

"You may die a virgin, but your Warcraft account will never be violated."

http://www.wowitemcreator.com/view/236008/Toggle!@$&s_Security_Keycard.html




RE: Social Considerations...
By Polynikes on 7/2/2008 11:05:29 PM , Rating: 2
Hahaha! 6!


High Res version of the wolf rider
By totallycool on 7/2/2008 3:26:45 PM , Rating: 2
We demand the high Resolution Wolf rider picture.




By Natfly on 7/2/2008 5:28:31 PM , Rating: 2
Promotion Idea
By kyleb2112 on 7/2/2008 6:04:25 PM , Rating: 2
They should put the Sword of a Thousand Truths on one of these things. Like a Willy Wonka golden ticket.




RE: Promotion Idea
By cparka23 on 7/2/2008 11:49:27 PM , Rating: 2
"We can't trust the sword of a thousand truths to a N00B!"


fitting...
By noxipoo on 7/2/2008 3:48:19 PM , Rating: 3
just like the RSA fob i use for work, people who play WoW like a job can now put "secure VPN technologies" on their resumes.




sold out
By cciesquare on 7/2/2008 3:37:20 PM , Rating: 2
kinda lame that it's sold out.




about time
By GroBemaus on 7/2/2008 3:46:18 PM , Rating: 2
I would love to see this used in steam games also. Basically it is a RSA keygen. Most corporate VPN people have seen them before, they do have a shelf life though.

Someone needs to make a generic one that can be used with any "RSAkey" enabled game. I'd pay $6.50 for that.




Distribution
By Will14 on 7/3/2008 11:01:35 AM , Rating: 2
They should just include one in the retail version of the WotLK expansion. Everyone who plays a ton will probably buy it. Except for those types who will download it, but if I remember correctly the Burning Crusade was not available online until it had been released for a few months.

I think this would allow for a near seamless roll out.
If their authentication servers worked.

If I remember correctly their login servers have always had issues so they better be ready for even more with the token.



