Blizzard Authenticator passcode token adds anti-theft enchantment to your World of Warcraft account
Nothing's worse than when you log on to raid Onyxia only to find that some loser sold all your elite loot. Fear not, vulnerable World of Warcraft denizens, for Blizzard is here to sell you the $6.50 "Blizzard Authenticator" dongle. Reacting to an upswing in account theft incidents, Blizzard has released a security token that allows hardcore users to add another layer of protection to their high-level (and attractive) characters. The device is basically a SecurID token with a six-digit code that you'll need to keep with you any time you want to get your groove on in Azeroth. By the way, we dare you to put this on your keychain and wear it with pride.

Good idea. I know of some banks that incorporate this idea as well.
Yes, but these banks are... real... involving real money, and aren't in the fantasy land which this game provides....
Oops, I mean......
These depositories are IRL, and not for currency bartering in the WoW.
Why does it matter where it's being used? It's to stop hackers from going into your account regardless of the use being a bank or a game. Nobody wants their account being hacked.
@Bohsocks
With a monthly subscription fee, when you can spend months getting a level 70 with epic gear, it's actually quite an investment of time and actual, real, earnt money.
It's to protect that investment. And I for one think it's a great idea.
ima lootz all ur SOJs n Wirts legses!!
Question: What's to stop someone from buying one of these, lifting the code from the chip, and then emulating the code on a computer? Maybe I don't understand how it works, but it looks like it just spits out some random number (or worse, a static number that could also easily be phished). Sure, it's another layer of security, but it seems just as easily broken (the code isn't even alphanumeric).
@maty
Touche. Excellent point.
John:
The code isn't random, or static. Both the token and Blizzard's server mash up a unique ID on the passcode (which you initially link to your account) along with the current time to give the code, which changes every 30 seconds.
@John:
RSA Key Fobs have 2 seeds for each number that is generated. #1 is the current time (it has an internal clock) #2 is a serial number or some other random key that is associated with that key fob. These keys are 1-time use and are only active for 60 seconds. So you login with your normal Username/Password, at which point WoW will say "Please press the key fob button now", and you do, then you enter the 6-digit code on it.
Blizzard then has the same key generator algorithm on their end, and since they know the time and serial number of your key, they generate the same code on their end and compare it with what you input.
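The scheme described in the two comments above (a per-token secret combined with the current time, recomputed by the server and compared), as an added example that is not part of the original thread and is not Blizzard's or RSA's code. The token's actual algorithm is not given on this page, so the public RFC 6238 TOTP construction stands in for it; the serial, secret and timestamps are constructed.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per code, per the comment above (another comment says 60)
DIGITS = 6   # six-digit code, as on the token


def time_code(secret: bytes, unix_time: int, step: int = STEP) -> str:
    """RFC 6238 TOTP (stand-in algorithm): HMAC the time-step counter."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class Verifier:
    """Server side: holds each token's secret, recomputes the code, compares."""

    def __init__(self, secret_by_serial, drift_steps=1):
        self.secret_by_serial = secret_by_serial
        self.drift_steps = drift_steps  # tolerate a slightly fast/slow token clock
        self.last_step = {}             # serial -> newest time step already accepted

    def check(self, serial: str, code: str, now: int) -> bool:
        secret = self.secret_by_serial.get(serial)
        if secret is None:
            return False
        current = now // STEP
        first = max(0, current - self.drift_steps)
        for step_no in range(first, current + self.drift_steps + 1):
            expected = time_code(secret, step_no * STEP)
            if hmac.compare_digest(expected.encode(), code.encode()):
                if step_no <= self.last_step.get(serial, -1):
                    return False        # code already used: captured code replayed
                self.last_step[serial] = step_no
                return True
        return False


def demo():
    secret = b"12345678901234567890"   # constructed: RFC 6238 test secret
    serial = "SERIAL-0001"             # hypothetical token serial
    server = Verifier({serial: secret})
    t = 1111111109                     # constructed login time (RFC test vector)
    code = time_code(secret, t)
    return {
        "code": code,
        "fresh": server.check(serial, code, t),
        "replayed": server.check(serial, code, t + 5),
        "stale": server.check(serial, code, t + 300),
    }


if __name__ == "__main__":
    print(demo())
```

The replay and drift-window checks are what make a code captured by a keylogger useless once the owner has logged in with it or the window has passed.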
Cool, but it still seems like you could reverse-engineer it rather easily. If enough people with WoW had a keylogging trojan on their computer (it seems like many probably do), then hackers could find patterns in the numbers, given that the keylogger could also log timestamps along with the number it spits out. That's 2 of the three variables right there. The third is the serial number, which, after the algorithm is figured out, would be simple to pop into a software program and spit out a number much like the key chain does.
@ John
Most companies with any sort of information worth keeping locked up have been using this for years. If anyone wanted to reverse engineer it, I doubt the fact that people using them to secure WoW accounts will be what finally inspires someone to break the system.
It's not impossible John, but it's not likely either. Banks have been using this technology for quite some time and if you do some calculations to see what the chances are of finding a pattern it will be really next to impossible to find anything. Remember, a user may only input the key-fob numbers once or twice a day, they don't have to enter it every 30 seconds.
So even if you have 1,000 results finding the seed will be very difficult. If you can invest enough time into discovering a pattern you're probably better off stealing from something that's going to provide better returns.
However, the way banks use it is a different story. You have to physically have the bank card, enter your pin, and it'll then generate a random unique (I assume) code which you put in online. I've got a Natwest one, so I'm not just spouting here.
Presumably they work on the principle that the code will simply take an unreasonable amount of time to break. It could use prime numbers, like the banks do to generate PINs or some other "unbreakable" system.
To be honest, I'd rather see this as a replacement for normal game keys, rather than all this SecuROM bollocks. It's a lot more secure, and provided you get a unique key generator that's linked to your game (say you have to "register" it with the serial with your game) then it would work pretty well.
RSA and the like's keyfobs generate the numbers with an algorithm which uses prime numbers, and that algorithm is not closed source at all. While it is easy to create a prime number, it's really too hard to find the factors of a big prime number. So to reverse engineer it and create a new code you only have 60 seconds, and for now and likely in the near future, you cannot calculate that in 60 seconds even with the fastest supercomputers.
@maty
It's not an investment unless you get a return. Fake items in a virtual world isn't exactly a return on your investment.
@ Murfy
Who says ROI has to be measured in dollar and cents? If you go on vacation you are investing in rest and relaxation; you are essentially investing in your well being. The return on your investment is hardly in dollars and cents, but does that make it non-existent?
Anyone who has taken a basic economics class knows that costs don't always imply a dollar amount.
Ummm
"An error has occurred."
When entering the store. Just wanted to know how this thing works...
If it's a $6.50 one time fee for the dongle then this is pretty reasonable. The users get added security and Blizzard gets to short circuit a large number of calls:
User1: My account got hacked!
Support: Do you have the SecurID Dongle?
User1: Uh...no...but my lewtz!
Support: Sorry, can't help you. Thank you for playing WoW.
yeah but it will go the same way.
User1: My account got hacked!
Support: Do you have the SecurID Dongle?
User1: yes!
Support: Sorry, can't help you. Thank you for playing WoW.
I think you mean EPIC loot. :)
I think this is actually a good thing. Wouldn't it be great if we could integrate an 'open' device like this with OpenID and solve all these theft/fraud situations all together?
Is there going to be one of these for World of World of Warcraft?
I'd hate to log in to find some bastard has deleted WoW off my virtual computer in the game!
Yes, I believe you have to press Ctrl-Shift-Alt-F4 for your World Of World Of Warcraft avatar to cuss when he can't find his keychain.
This sounds like a lesson in capitalism.
Act #1 charge customers for a product that is inherently flawed
Act#2 develop a fix for the flaw and charge customers for it.
That seems to be what some open-source software providers are doing.
Here, we'll give you our product for free, but it's really complex and hard to setup and use and there's no documentation. But if you need help, we will gladly charge you a fortune for our support services.
I'm sure you are using many user/password based programs/websites/etc. In fact, since you are posting to Engadget it's likely you are doing so now. Flawed? I call it human engineering.
Solution: Destroy all humans.
And there is a problem with that?
It isn't done on purpose.
Apple sold a "flawed" phone with no 3g. Waited a year and re-releases a phone with 3g which it knew pretty much everyone wanted to begin with. How many people with non-3g will switch? Woah, Apple made some money.
I don't think Apple did this on purpose. The first iteration of the phone was developed before 3g and to change it at the last minute isn't worth it. And I don't think Blizzard is doing something bad either.
A problem arrived in WoW, and Blizzard developed a solution. It is capitalism working at its best by solving problems that consumers will pay for the solution to.
Well, since WoW is advertised to keep all spyware/adware/keyloggers off of your computer I agree whole-heartedly. I mean, I don't even play MMO's, I just use them to make sure I'm safe from malware. I used to have Firewalls, Anti-Virus, and change my password frequently... I don't have to do any of that thanks to WoW!
Yep, it is totally their fault that you can't keep your computer free of malware... logic FTW!
@I.P.Freely
.......what?
I'd like to be standing behind the guy trying to explain this thing to airport security.
Why is there always someone who has to make a comment about airport security with EVERY frikkin thing posted on engadget, jesus.
I am always amazed at people who make comments like this one. Are you serious that you think that TSA wouldn't be clued in on what an RSA SecureID token looks like?
Life must really be scary for you...
Have you BEEN through airport security lately?
A good portion of those people are absolutely clueless. I carry around a couple of unusual peripherals for my laptop (a 3d mouse and a drawing tablet) and you should see the CROWD of TSA agents I draw if I forget to take them out of my bag.
Don't assume your average airport security worker knows the first thing about any gadget. Period.
Indeed, I heard stories that make you wonder what cave these security people live in that is so far away from any industrialised area or technology, you wonder if they arrive in a horse-drawn carriage.
"Are you serious that you think that TSA wouldn't be clued in on what an RSA SecureID token looks like?"
Uh, I tried to get through security with a survey instrument. You know, the kind that you've seen EVERYWHERE since you were 4 years old? I was told that I couldn't bring it on the plane and that it would have to be checked. There was no way I was gonna check a $7000 piece of equipment.. A senior official viewed it, stuck it in a sniffer, then okayed it. What they did confiscate was a 3-inch long flathead screwdriver that was part of the instrument's tool kit. I kid you not.
So would they be puzzled by something that looks like a keyfob with just numbers on it? Uh yeah.
Also, mention that it's for WoW and that should get you the "full" search.
Yes, airport security are very tech savvy,
http://www.macnn.com/articles/08/03/10/macbook.air.confusing/
I didn't think these things were cheap.
for anyone curious, in the company I worked for it went like this:
1. Enter username
2. Enter password
3. After password enter what it says on the keychain
4. Press enter
5. ???
6. PROFIT!
Wow. You somehow took a stupid joke and made it worse.
I never played WoW, but I knew they did followed other companies approch in China.
The account creation card have a grid with different number / symblo on it, which required to enter a specific number / grid during account login...
I think that's pretty successful and much more cheaper than doing that.
More successful than your grammar I hope! ;)
Since he speaks of China perhaps he's not a native English speaker?
(Not that I didn't think that before and I was dead-wrong)
Ever wonder what it would be like to hit on women with a giant herpes sore? Try the World of WarCraft Authenticator instead! Less annoying and just as effective.
My bank has had this for almost 2 years. I think they work great. If I'm say out of the country, it can SMS my GSM the number, and since my GSM number is set up in advance thru my online acct it stays secure.
It's possibly the greatest enhancement to online security since the SSL.
Easy, quick, painless, actually works = great product.
Back when I had to use SecureIDs, we were told it would cost the company $30 per device if we lost them. $6.50 is a bargain.
agreed...I highly doubt they are developing the SecurID software inhouse...meaning they are going to have to purchase it (considering it is Blizzard, that is no big deal) for...dunno how many servers they have now, but enough to comfortably accommodate millions. but for $6.50 per person, I have to say it seems like a steal. I don't think they are doing this to turn a profit, they are trying to retain die-hards and alleviate customer service issues about phat l3wts getting stolen.
Back when I worked for AOL, they used them and said they were $100 to replace. I lost mine when my lanyard broke and fell off while I was riding my bike to work. Three mile search could have ensued, but a lady found it and brought it by.
I wanted to give her a reward and only had a couple of $100s since I had just cashed my check. Tough situation. I asked the guard up front if he could perchance break a C-note for me or knew someone who could. The lady got impatient and insisted, quite rudely, that I give her $100 reward "because I know how much these things cost and it's cheaper than getting new ones".
She was right, I was told $100 for the ID and $20 for the RF badge.
Long story short, I told her where to stick it and elected to get a new badge and SecureID. I was only charged $20 for replacement of the badge and SecureID (with a good lanyard) after the management saw video of the whole incident.
I was going to give her like $20-$40 if she hadn't been such a bitch. At $35 an hour including bonuses, she was doing me a huge favor just in time saved searching. Sad.
I bought mine. :)
It's a great investment for an extra layer of security. I'm all for it.
Can't the Bruce Willis magazine photo easily circumvent this?
Am I the only person who thinks that their monthly subscription fee should cover security?
Why should I have to pay extra for security?
It just seems......crazy to me. There has to be a software solution to this problem that Blizzard could have implemented, and not have had to charge their customers for.
Don't get me wrong, I like the SecurID dongles. They're nifty and it seems like they do in fact add another layer of security. But.....I'm paying $15 a month, I think I should feel secure.
And you probably assume the insurance for your car is covered by you paying for the fuel? Or the drinks are covered by you paying for the food?
Nope, sorry, doesn't work like that.
It's an EXTRA layer of security, that is actually pretty cheap. The basic security is provided already.
It is $6.50? (That's less than a month's sub. price)
Imagine your account gets hacked -- It'll take you ~1 month to get some (not usually all I don't think) of your stuff back. You can't fault Blizzard for people making keyloggers.
...again, it's $6.50. I made that much typing this response. (almost)
If all you do with your computer, EVER is play WoW, then yeah, you can feel safe. You have no need of this device, and by itself WoW's authentication system is safe enough.
If you do anything else with your computer, though, there is a risk of infection that could lead to your account data being compromised.
There are certain WoW related sites I will not visit for fear of keyloggers, and I am worried that my automatic add-on updater may some day turn into a keylogger. I get sloppy with typing in my password, and if I'm exceptionally sloppy I may have to type it in two or three times - I always get a tiny knot in my stomach that my account may have been compromised.
This would alleviate those fears, and give me a bit more freedom with what I do on my WoW machine. Well worth $6.50 IMO.
And when the battery runs out they charge the elite price for a replacement?
These things have batteries in them that last 10 years or so. Somehow I doubt you'll be still playing WoW then.
That's like saying: "I shouldn't have to pay for an optional auto alarm for my car, because the manufacturers could develop a system to keep my car from being stolen". Even though you park it in unlit locations with the windows rolled down and the keys in the ignition.
You're not paying extra for "security", as WoWs authentication is secure. You're paying extra for EXTRA security which is entirely optional. For average users, this will not be needed/desired because if you're not braindead, keeping your PC keylogger free is pretty easy. However, if you find yourself playing your WoW account on another PC (Work, School, Relatives home) that you cannot easily verify the security of, then this item becomes a much desired second layer of security.
Well, I'm an avid WoW-er. I have an account that, to the right person, is worth ~ $2,000 - $3,000. So, a $6.50 investment is well worth it to ensure greater account security.
Also, mine should arrive next week :)
Hey I got one of those things for my Paypal account. It's good.
Hey I got one of those things for my Paypal account. It's good.
Hey I got one of those things for my Paypal account. It's good.
Hey I got one of those things for my Paypal account. It's good.
That good, huh?
Wow, man. That's the ultimate Quad-comment fail.
Thanks for the low rank guys :)
hehe
Well that's just great. It wouldn't fucking add my comment...had to send it 4 fucking times. Stupid engadget!!
Yeah, right - the machine is stupid...
Perhaps if you'd waited a few minutes instead of hammering the send button you would have noticed it can take a few minutes for your comments to show when there is a lot of traffic...
No, you don't need to send it four times, just don't be ...ehm ... stupid ...
This thing could be free and brush your teeth while walking your dog, and people would still find a way to bitch about it.
Nobody seems to have suggested "better password security" yet as a free alternative.
Seriously, it's not like they're waving a magic hacker wand and breaking your account just like that. If they could do that, they'd just hack GM powerz and servers instead. They're getting the goddamned password from idiots who share their accounts or trade accounts with others (the other person simply reclaims their account claiming it's been hacked).
I wouldn't touch that game with a barge pole, but I know some GMs and it's always the same story. Either stupid passwords like "mom" or passwords given away or account traders.
The cure for stupidity won't be found for $6.50.
Actually, Blizzard is fairly good about ensuring you use a secure password.
Here are their password requirements taken directly from their site:
* Your Account Password must contain at least one numeric character and one alphabetic character.
* It must differ from your Account Name.
* It must be between eight and sixteen characters in length.
* It may only contain alphanumeric characters and punctuation, such as A-Z, 0-9, or !"#$%.
So, it's not a matter of people using extremely poor passwords. More often than not it's a matter of either A) being stupid and signing in on a public computer either onto the forums or onto WoW itself or B) more commonly Malware of some sort. I have a number of friends that aren't stupid enough for the first scenario, and that are computer savvy enough to use a good password. More often than not it's because of a lack of adequate spyware or virus protection software/updates or windows updates that allows the malware to get in and poke around. This extra layer of security will help quite a bit with that.
While there is no cure for stupidity. Stupid people now can pay for easy security without the need to get smart. Isn't that what modern technology is all about?
Yeah, it's not "all about" that, but that's what it's good for for most people ;)
Guys, this is not a SecurID token. SecurID tokens are TIME based (they change every 60 seconds). This token has a button and is EVENT based (meaning you press the button to get a code).
It has nowhere near the security of a SecurID token.
Great point. Which is why it probably only costs $6.50.
The only problem I see in the future is having boat loads of these things to carry around. Got one for work, got one for the bank, got one if you play WoW. Just implant some chip in me and get it over with.
I actually used to have a bank that used something like this for their security years ago, I think they stopped using it though after a while.
It's not event based. It's time based. The display is only turned on when the button is pressed to save power.
Really how could it even be event based. Keep track of how many times it was pressed? Blizzard would have no way to track that.
I am using this device right now and it works flawlessly. The only worry I have: most accounts are hacked by asian hackers and on the back of the device it says "Made in China" :p
Excellent point that, made in china = tricky :)
Who the hell raids Ony anymore anyways? Seriously....
I was thinking the same thing. Shame really - I used to like dropping the big angry dragon.
Great idea, I love having extra security like this, but it sucks that they aren't using VeriSign's VIP service like PayPal. Now I'll need to carry around two tokens, but if they used VeriSign then I could use my PayPal token for WoW too.
Good idea Blizzard, bad execution.
I think some people are missing the point of the key, it is not used to log into wow, it is only used to log into your account management on blizzard. So if someone gets your password your loot and characters can still be jacked but at least they cannot sell your account or change the account information.
I personally think the key is kick ars and I like the added security even if I have to pay for it - it's nowhere near the cost of the time I have invested. Next if a friend uses my account I don't have to worry about them changing my password on me because they can't. Finally I have never had my account get hacked and my user name is all over the place, I just have a good 12 alphanumeric password and I try to change it every 4 months easy secure, and honestly you're not gonna get a key logger on your comp randomly, my suggestion - don't download your porno on the same computer you use for secure stuff or warcraft; I mean seriously you think they are gonna sell you that trash for only 1.99 , lol LMAO,...
A) It is time based. The device has a clock in it used with a seed to generate a new code every 60 seconds. This information is in the device's documentation (available online only).
B) It is for both account management and logging into the game.
I know this because I currently use one, after playing wow for 4 years my account was hacked. I believe my email account was hacked, due to the fact my PC has anti virus, anti spyware, hardware firewall and automatic windows updates, and this pc is the only pc used to login to either wow or the wow forums.
As a side note it took less than a week to have my account restored.
Moral of the story? Use one of the extra email accounts your ISP most likely gives you for wow, and only for wow. I used my main email account for a lot of stuff, and as we know email addresses are often sold, much like personal information.
To those whining about $6.50? Don't get one, it's optional.