• Naladini

    I like this idea from a security standpoint … the question is: Will this authentication prompt have its own queue system? :)

  • Bert Ulrich

    Hard token? Not a bad idea as it has been proven for a while. I can’t find the actual item, does anyone know who’s making them? RSA?

  • kalain

    Sadly, all they’re doing is replacing the “my account got hacked!” with spam about having to call tech support to turn it off when they break/lose them.

    I hated having RSA-enabled customers. There’s been whining about this on the WoW forums for ages though. I wonder if the new response to account hackings will be “go buy a dongle, dip”

  • n

    It doesn’t actually appear to be available for sale yet. Hmm.

  • http://www.alan.org Ant ButterNut

    It appears to not actually be a dongle (inserted into computer), but an external password generator that creates a number list based on an algorithm. So a key-logging program will still record the current 6-digit number, but not know what the next one in the sequence will be. Downsides are if you lose it, break it, or accidentally push the button and jump the sequence past your next login number.

    I remember two or three games in my youth that used a dongle. Normally it was plugged into a joystick or printer port for the game to boot. This would actually be a cool idea if it used a USB port instead.

  • http://hgamer.blogspot.com Heartless_

    I’ve handled hundreds of RSA customers and clients. After initial training, rarely ever hear a peep from them. Never heard of people pushing the button jumping past their next login number though… but I only have experience with time synchronized security tokens that are disconnected from any system which is what I’m assuming Blizzard is using here.

  • http://www.WorldIV.com/blog Tachevert

    I never would have guessed WoW to be the first game to feature two-factor authentication, but it really is a good way to increase security. (With the side effect of increasing tech support to boot.)

  • http://www.extropica.com Brandon Reinhart

    This is great news. The only drawback is the increasing number of programs requiring RSA-style keys. Eventually you will have a keychain full of fobs.

  • http://www.WorldIV.com/blog Tachevert

    You’re right, proliferation could be annoying. Bank of America offers an interesting parallel, although it wouldn’t be great for every-login… You can enable the system to send a security code via SMS for certain operations, like large balance transfers or online access from a new computer. Two-factor without the fob (or at least, with a fob you already have)!

  • Michael Donnelly

    I don’t like this idea, personally. There have been no real attempts to combat the problem through software at all. Some ideas:

    - Actually have the Launcher and scan.dll able to look for keyloggers. Simply allowing parameterized scans for simple hashing could free up the dev team from code changes (and lengthy QA) cycles, allowing a different team to rapidly check and nix keyloggers, with some effort into building the process.

    - Police the forums aggressively on the keylogger links. The recent change to stop marking up external links is a good step in that direction.

    - Finish development of the security matrix and mouse-based PIN entry. (oops, not many people know about that – wink)

    None of these are lead-pipe wins, but they are good steps and a combination of them is very likely to eliminate way more of the trouble than…

    - Make the customers pay for it. At least the ones who find out. And bother to.

    I think the burden is on them to help defend their customers and this is not the correct answer. Protecting accounts through this method will not put a dent in the flow of keylogged accounts, since the penetration will be so low. Half of the people who buy it will do so after being victimized.

  • Scott Jennings

    > Actually have the Launcher and scan.dll able to look for keyloggers.

    Good idea, though there are of course privacy issues involved similar to the ones already raised by Warden’s scanning. It’s also not trivial since there’s not a simple way to detect a keylogging process.

    > Police the forums aggressively on the keylogger links.

    Contrary to popular belief, Blizzard does not actually control the entire internet. They already police their own forums 24/7 for such.

    > Mouse-based PIN entry.

    Some Korean games already do this; it’s not bulletproof and it’s cumbersome to the consumer.

    > Half of the people who buy it will do so after being victimized.

    A surprising amount of people are victimized multiple times.

  • Michael Donnelly

    Well, scan.dll already opens every possible processid on your system when it starts (it ignores the task list and just uses brute-force). So I don’t think they’re worried about being any *more* invasive. ;) The problem with using it against keyloggers is that they have to rebuild the DLL every time they add new hashes, which must invoke a pretty serious QA cycle.

    My thought was they could build that out to be parameterized, so other teams could add sought hashes. Then police the forums by following the keylog links themselves and updating the definitions quickly. I think with even a fairly small team, they could get the turnaround down to a matter of hours if the process is built right.

    Regardless, my contention is still that this is a bizarre first step. How do you go from the “app is naked and keys are being logged” to “let’s sell RSA keys to fix it” without anything in between? Maybe mouse-based PIN entry is cumbersome and is not bulletproof. But it’s a lot better than counting on people to spend *more* money for security.

    I guess I’d just expect to see some steps between “good luck out there!” and “here’s a shotgun, save yourself!” in response to the streets being unsafe.
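As an added illustration of the “parameterized scans for simple hashing” idea in the comment above: example code written for this page, not Blizzard’s scan.dll or Warden (whose internals the thread does not describe). The definitions file format, the file names and the sample bytes are all constructed assumptions. The point it demonstrates is the separation the comment asks for: the list of sought hashes is data that another team can extend, and the scanner itself is never rebuilt.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Hypothetical scanner; nothing here is Blizzard's code. The definitions
# format ("<sha256-hex> <label>" per line) is an assumption for this demo.


def parse_definitions(text: str) -> Dict[str, str]:
    """Parse hand-maintained definitions: one '<sha256-hex> <label>' per line,
    blank lines and '#' comments ignored. Returns {digest: label}."""
    definitions: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        digest, _, label = line.partition(" ")
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"bad definition line: {raw!r}")
        definitions[digest] = label.strip() or "unlabelled"
    return definitions


def load_definitions(path: Path) -> Dict[str, str]:
    """Read the definitions file from disk (data, not code: no rebuild needed)."""
    return parse_definitions(path.read_text(encoding="utf-8"))


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Stream the file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: Path, definitions: Dict[str, str]) -> List[Tuple[Path, str]]:
    """Hash every regular file under `root`; report those whose digest is listed."""
    hits: List[Tuple[Path, str]] = []
    for file_path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = sha256_file(file_path)
        if digest in definitions:
            hits.append((file_path, definitions[digest]))
    return hits


def demo() -> dict:
    """Constructed end-to-end run in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        target = root / "bin"
        target.mkdir()
        # Constructed sample files: neither is a real program.
        flagged = target / "suspicious.dll"
        flagged.write_bytes(b"constructed sample bytes standing in for a known-bad binary")
        (target / "clean.dll").write_bytes(b"constructed sample bytes for a benign file")

        # Another team appends a line here; the scanner code is untouched.
        definitions_file = root / "definitions.txt"
        definitions_file.write_text(
            "# one digest per line, added as new samples are analysed\n"
            f"{sha256_file(flagged)} demo-keylogger-family-A\n",
            encoding="utf-8",
        )
        definitions = load_definitions(definitions_file)
        hits = scan_tree(target, definitions)
        return {
            "definition_count": len(definitions),
            "hits": [(p.name, label) for p, label in hits],
        }


if __name__ == "__main__":
    print(demo())
```

Exact-hash matching is the cheapest possible definition to ship, which is what makes the fast turnaround plausible; the trade-off, as zabuni notes further down the thread, is that such blacklists are an arms race, since a repacked or slightly modified binary has a different digest.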

  • Paul

    Trust WoW to be the first game so groundbreaking that they are the first to offer two-factor authentication.

  • hsinclair

    I’m looking forward to the part where the players’ girlfriends/parents/significant others hold their fobs hostage so they can’t play anymore.

  • vermifax

    I don’t know about you but most RSA keyfobs don’t have buttons anymore. They just cycle through their codes once a minute.

    The downside is I think they only have a 2 year battery at which point you’ll have to buy another.

    http://rsaguard.com/images/tokens/SID700.gif

    Picture of one.

  • vermifax

    I guess they did mention a button. It probably only shows you that minute’s # anyway.

  • Freakazoid

    To me, this key thingie is just another password. Someone will crack the algorithm and we’ll be back to square one.

  • http://www.thisisnotacommunity.org D-0ne

    So for an additional $6.50 I can not have my account stolen? What a deal.

  • Anticorium

    If someone can crack RSA’s SecurID algorithm, they have many more compelling targets than Xbelfadinx’s primal nethers.

  • Darm

    Mouse based password entry would provide more universal protection, since it would protect every single user. That should be the goal.

    Yes, it would be a tiny inconvenience, but keeping track of this fob requires a minor amount of upkeep too. This is going to be a third fob, which is a worrisome trend.

    It’s great that Blizzard is looking for solutions, but I think a mouse based password entry is cleaner, and far more preferable since it provides protection to every user.

    And now we’ll have to contend with “I lost my fob/it was stolen” problems.

  • Rob

    Moving to a mouse-based entry system doesn’t solve the problem — it just means keyloggers will morph into mouseloggers. Assuming the implementation cost for one is about the same as the other, and that the benefits (taking over an account) are identical, then mouseloggers will be just as widespread as keyloggers within a few weeks.

    Way to go slowing down the hackers by less time than it took to QA the new feature.

  • Baz

    @Michael Donnelly

    I don’t think it’s up to Blizzard to ensure the safety of customer accounts, beyond a reasonable level (i.e. making sure that their servers and networks are secure).

    It’s completely unreasonable to expect Blizzard to be responsible for people’s PCs, which are completely out of their control. The internet is full of stupid people, and stupid people run happy-looking programs that appear, as if by divine luck, in their email.

    Also, there are people who voluntarily give out their account information to others. In some cases, the other parties abuse this and rip the original person off. The original person then goes around saying they were “hacked”.

    Blizzard controls neither of these situations and should therefore not be responsible for them. The fact that they are taking this step is an indication that, despite this, they are trying to offer a higher level of protection at the client level.

    I think the dongle is a decent idea. Anything that increases security is, by its nature, going to have an impact on user convenience at some level. The two concepts have completely opposite goals, so there will always be a trade off. It’s opt-in, so it’s completely up to you whether or not you require such a system.

    Mind you, I’ve never had an account hacked into, stolen, or otherwise misappropriated; I don’t run happy looking programs and I never give my account information out. So while this isn’t particularly useful for people like me, it can be useful for people who want a bit of extra protection (or parents / kids who want to prevent their kids / parents from playing all hours of the day).

  • http://tidehorizon.blogspot.com Tide

    Wow, it really is like work now. Wonder how that will work to/from CN.

  • Darm

    The people at highest risk for having their account compromised are the folks who are least likely to buy this. Kids in particular. These are also the same people who are most likely to lose their keyfob.

    Security-conscious players will probably be very interested, because it’s a cool idea and should work like gangbusters. But the overwhelming majority of these players weren’t really at risk for account compromise anyway.

    It’s not really solving the bulk of the problem.

    Blizzard is by no means obligated to save people from their own negligence, but it might mean more happy customers.

  • Iconic

    I’d buy this for sure. The number of computer savvy people I know who have had their accounts hacked tends to make me dismiss the “you shouldn’t need it unless you’re an idiot” argument. Generally the first time you find out about a security vulnerability on your end is after you’ve been burned.

    Less than $10 dollars to protect a thousand hour investment seems like a pretty good deal to me.

  • http://www.underealm.com Skizo

    I have read a lot of good things about how the average security aware man will never be hacked.

    Now, let me tell you a short story.

    I have been playing for years, never got hacked, once (as it happened to me from time to time) I was in a friend’s office (a sysadmin, not a random porn kiddie) and since my guild needed me I logged with my friend’s personal notebook. And got hacked 5 hours later.

    Now, where can I buy a couple stack of those?

  • http://www.alan.org Ant ButterNut

    The best idea I have seen for preventing MMO account hacks is for the game to send not only the user ID/password, but a ‘snapshot’ of the system, including the operating system license number. (example: windows xp license number)

    If the login server sees more than two accounts attempting to log in from the same license number it locks all logins attempted from that license number. The user then has to go to the support website and create a list of allowed accounts from that license number, with the support computer calling back on the phone to verify the user’s location (automated).

    This would cripple account hacking companies, as a computer would not be able to log in dozens or even hundreds of accounts, making it unprofitable to steal gold and materials from accounts for resale. It would also block a computer from running repeated trial accounts for spamming in game.

    Hackers could try to ‘spoof’ the operating system license number, changing it between logins, but the game could make a hidden encrypted key based on the license number at installation, and refuse to connect if the hidden key didn’t match the current license number.

  • http://www.alan.org Ant ButterNut

    The verification solution above might require an agreement with Microsoft to use the operating system number as part of login verification, but the MMO company and Microsoft could put an advertising spin on it as ‘Microsoft and XCompany band together to prevent Account Hacks’. Microsoft especially would probably love to brag that Windows users have more security against game account hacks.

  • yunk

    This is a really good idea. Just the proliferation of fobs. Though it would be better if it were a USB dongle, then I wouldn’t have to worry about a battery.

    I know a few people whose accounts were hacked that run virus protection and are careful. Even I got a virus last week; I basically did not log in to WoW until I spent about 6 hours trying to get rid of it.

  • Anticorium

    > Hackers could try to ‘spoof’ the operating system license number, changing it between logins, but the game could make a hidden encrypted key based on the license number at installation

    Or the game could produce a one-time password that changes every thirty seconds and requires physical access to a sealed hardware device.
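The one-time-password scheme the thread keeps circling (Ant ButterNut’s “records the current 6-digit number but not the next one”, Heartless_’s time-synchronised tokens, and the device above that “changes every thirty seconds”), as an added Python example that is not from any comment here and not Blizzard’s or RSA’s code. RSA SecurID uses its own proprietary algorithm; the open RFC 4226 (HOTP) and RFC 6238 (TOTP) constructions are used as a stand-in, with the RFC test-vector seed as a constructed secret. The server-side `TokenVerifier` class, its one-step drift allowance and the `keylogger_scenario` walkthrough are assumptions for the demo.

```python
import hashlib
import hmac
import struct

# Constructed demo seed (the RFC 6238 test-vector value). A real token's seed
# is provisioned by the vendor and lives only in the device and on the
# authentication server; this value is an assumption for the demo.
DEMO_SEED = b"12345678901234567890"
STEP_SECONDS = 30   # the "changes every thirty seconds" window from the thread
DIGITS = 6          # the 6-digit display described in the thread


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """Counter/event-based one-time password (RFC 4226): HMAC-SHA1 over the
    8-byte big-endian counter, then dynamic truncation to `digits` decimal digits.
    Each code is a one-way function of the seed, so seeing one code gives no
    way to compute the next without the seed."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed: bytes, now: float, step: int = STEP_SECONDS) -> str:
    """Time-synchronised variant (RFC 6238): the counter is the number of whole
    `step`-second intervals elapsed since the Unix epoch, so the token needs no
    button and no network, just a clock roughly in sync with the server."""
    return hotp(seed, int(now) // step)


class TokenVerifier:
    """Server side of the scheme (hypothetical). Accepts the code for the
    current interval, plus `drift_steps` intervals either way for clock skew,
    and never accepts an interval at or before the last one already consumed.
    A code captured by a keylogger is therefore useless once the legitimate
    login has gone through, and expires with its interval in any case."""

    def __init__(self, seed: bytes, step: int = STEP_SECONDS, drift_steps: int = 1):
        self.seed = seed
        self.step = step
        self.drift = drift_steps
        self.last_accepted_step = -1

    def verify(self, code: str, now: float) -> bool:
        current = int(now) // self.step
        for candidate in range(current - self.drift, current + self.drift + 1):
            if candidate <= self.last_accepted_step:
                continue  # already consumed (replay), or older than a consumed one
            # Constant-time comparison so timing does not leak matching digits.
            if hmac.compare_digest(hotp(self.seed, candidate), code):
                self.last_accepted_step = candidate
                return True
        return False


def keylogger_scenario(now: float = 1234567890.0) -> dict:
    """Constructed walkthrough: the user types the code at `now`, a keylogger
    records it, and the attacker tries to reuse it a few seconds later."""
    verifier = TokenVerifier(DEMO_SEED)
    captured = totp(DEMO_SEED, now)                     # what the keylogger sees
    return {
        "legit_login": verifier.verify(captured, now),  # the user's own login succeeds
        "replay_rejected": not verifier.verify(captured, now + 5),  # attacker, same window
        "next_code_differs": totp(DEMO_SEED, now + STEP_SECONDS) != captured,
    }


if __name__ == "__main__":
    print(keylogger_scenario())
```

Two details carry the security argument. The code is derived from a secret that never crosses the keyboard, so the logged six digits reveal nothing about the next interval; and the verifier records the last interval it accepted, so even within the thirty-second window a captured code cannot be played back after the real login. Ant ButterNut’s worry about pressing the button and skipping ahead applies to the counter-based `hotp` form, which servers handle with the same kind of look-ahead window shown in `verify`.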

  • Drakks

    It’s amazing to me that the only thing complex and ground-breaking in the entire spectrum of WoW is going to be its method of authentication.

  • Anticorium

    You are mistaken, Drakks. There is nothing complex or ground-breaking about this method of authentication. (That is, in fact, one of the reasons it works so well.)

  • Paul

    It is for an MMO.

    Think about how most MMOs treat customer accounts. I can understand not trusting the client, but most MMOs treat customer security with contempt. Horror stories about hacked accounts abound.

    Any company can tell its customers to engage in better security practices. But that is a bullshit measure taken by companies that don’t know or don’t care about actually providing security for customer accounts. The customer doesn’t own the account, so why should the provider feel responsible?

    Actually doing something about keyloggers, even if it’s something that customers have to pay a premium to use, is a step in the right direction.

  • kalain

    WoW’s the first game I’ve seen with horror stories of hacked accounts and keylogging all over.

    Most of the EQ era stories were “I shared my account with guildmates, then <> and all my shit’s gone”

    These people won’t buy the fobs, because then you couldn’t share your account (yes, I know it’s against the ToS anyway).

    WoW is large enough that people actually go about infecting site ad banners to hack accounts. That’s impressive and kind of new.

  • Drakks

    [i]You are mistaken, Drakks. There is nothing complex or ground-breaking about this method of authentication. (That is, in fact, one of the reasons it works so well.)[/i]

    In the context of an MMO providing account security, it is. I didn’t mean as a technology in general.

  • Rob

    > The best idea I have seen for preventing MMO account hacks is for the game to send not only the user ID/password, but a ‘snapshot’ of the system, including the operating system license number. (example: windows xp license number)

    > If the login server sees more than two accounts attempting to log in from the same license number it locks all logins attempted from that license number.

    Think how this would work in practice: if I’m visiting a friend and want to log in from their system, I would have to add their system ID to the account admin system.

    Except to offer any kind of security, I would also have to lock down the admin system to only be usable from allowed snapshot IDs. So I’d have to go home first to activate my friend’s system ID for my account. Not exactly user-friendly.

    And if I upgrade my machine, how do I log in? Using the CD key? So now you have a fixed master password for the account which isn’t locked down to a system ID. How is this a step forward? And what about the users who’ve lost their CD key? (I have no idea where my own is, for example.)

  • Rob

    (Sorry, only the first two paragraphs should be italicised.)

  • Bleaktea

    FFXI had plenty of account hackings and keyloggers – some shipped in ad banners, even. Allakhazam got hit with that one. The devs have this odd habit of releasing notices of how many gilsellers they’ve banned and how much in-game currency they’ve seized in a given period, which read like police reports about big drug busts.

    These tokens are a great idea and I am buying a pair for me and the wife the moment they show up somewhere I can click “Add to Cart”.

  • http://www.lietcam.com Sara Jensen Schubert

    “I never would have guessed WoW to be the first game to feature two-factor authentication, but it really is a good way to increase security. (With the side effect of increasing tech support to boot.)”

    I bet that tech support is a metric fuckton cheaper than what they were spending on customer service. If people are really being hacked at the rate that they complain on the boards, and CS is taking as good of care of them as I hear, it’s not cheap.

  • zabuni

    I would have preferred a PKI CAC card system, for better portability, but this is probably the easiest way to carry around your account information without needing external hardware.

    @Freakazoid: No, they won’t. If they do, they will have done what legions of cryptanalysts have not. This is one of the central tenets of cryptography: do not reinvent the wheel. Governments, militaries and corporations all use the same type of cryptography to protect items like this, and their logins are worth more than World of Warcraft itself.

    I believe Warden already looks for keyloggers and the like, but such blacklists are an arms race. Blizzard already uses some of the same tricks they would use to hide the innards of the keyloggers.

  • Mercilius

    Bravo Blizzard. Hopefully this will catch on and other companies will follow suit.