Blizzard Authenticator passcode token adds anti-theft enchantment to your World of Warcraft account
Nothing's worse than when you log on to raid Onyxia only to find that some loser sold all your elite loot. Fear not, vulnerable World of Warcraft denizens, for Blizzard is here to sell you the $6.50 "Blizzard Authenticator" dongle. Reacting to an upswing in account theft incidents, Blizzard has released a security token that allows hardcore users to add another layer of protection to their high-level (and attractive) characters. The device is basically a SecurID token with a six-digit code that you'll need to keep with you any time you want to get your groove on in Azeroth. By the way, we dare you to put this on your keychain and wear it with pride.

Reader Comments (Page 1 of 2)
Tom Robertson @ Jul 1st 2008 8:19AM
Good idea. I know of some banks that incorporate this idea as well.
bohsocks @ Jul 1st 2008 8:37AM
Yes, but these banks are... real... involving real money, and aren't in the fantasy land which this game provides....
Oops, I mean......
These depositories are IRL, and not for currency bartering in the WoW.
Tom Robertson @ Jul 1st 2008 8:44AM
Why does it matter where it's being used? It's to stop hackers from going into your account regardless of the use being a bank or a game. Nobody wants their account being hacked.
maty @ Jul 1st 2008 8:45AM
@Bohsocks
With a monthly subscription fee, when you can spend months getting a level 70 with epic gear, it's actually quite an investment of time and actual, real, earnt money.
It's to protect that investment. And I for one think it's a great idea.
John @ Jul 1st 2008 9:12AM
ima lootz all ur SOJs n Wirts legses!!
John @ Jul 1st 2008 9:18AM
Question: What's to stop someone from buying one of these, lifting the code from the chip, and then emulating the code on a computer? Maybe I don't understand how it works, but it looks like it just spits out some random number (or worse, a static number that could also easily be phished). Sure, it's another layer of security, but it seems just as easily broken (the code isn't even alphanumeric).
bohsocks @ Jul 1st 2008 9:26AM
@maty
Touche. Excellent point.
Rhys @ Jul 1st 2008 9:29AM
John:
The code isn't random, or static. Both the token and Blizzard's server mash up a unique ID on the passcode (which you initially link to your account) along with the current time to give the code, which changes every 30 seconds.
Kyrra @ Jul 1st 2008 9:29AM
@John:
RSA Key Fobs have 2 seeds for each number that is generated. #1 is the current time (it has an internal clock) #2 is a serial number or some other random key that is associated with that key fob. These keys are 1-time use and are only active for 60 seconds. So you login with your normal Username/Password, at which point WoW will say "Please press the key fob button now", and you do, then you enter the 6-digit code on it.
Blizzard then has the same key generator algorithm on their end, and since they know the time and serial number of your key, they generate the same code on their end and compare it with what you input.
John @ Jul 1st 2008 9:50AM
Cool, but it still seems like you could reverse-engineer it rather easily. If enough people with WoW had a keylogging trojan on their computer (it seems like many probably do), then hackers could find patterns in the numbers, given that the keylogger could also log timestamps along with the number it spits out. That's 2 of the three variables right there. The third is the serial number, which, after the algorithm is figured out, would be simple to pop into a software program and spit out a number much like the key chain does.
Matt @ Jul 1st 2008 10:07AM
@ John
Most companies with any sort of information worth keeping locked up have been using this for years. If anyone wanted to reverse engineer it, I doubt the fact that people using them to secure WoW accounts will be what finally inspires someone to break the system.
Daza @ Jul 1st 2008 10:11AM
It's not impossible John, but it's not likely either. Banks have been using this technology for quite some time and if you do some calculations to see what the chances are of finding a pattern it will be really next to impossible to find anything. Remember, a user may only input the key-fob numbers once or twice a day, they don't have to enter it every 30 seconds.
So even if you have 1,000 results finding the seed will be very difficult. If you can invest enough time into discovering a pattern you're probably better off stealing from something that's going to provide better returns.
Josh @ Jul 1st 2008 10:43AM
However, the way banks use it is a different story. You have to physically have the bank card, enter your pin, and it'll then generate a random unique (I assume) code which you put in online. I've got a Natwest one, so I'm not just spouting here.
Presumably they work on the principle that the code will simply take an unreasonable amount of time to break. It could use prime numbers, like the banks do to generate PINs or some other "unbreakable" system.
To be honest, I'd rather see this as a replacement for normal game keys, rather than all this SecuROM bollocks. It's a lot more secure, and provided you get a unique key generator that's linked to your game (say you have to "register" it with the serial with your game) then it would work pretty well.
fincan @ Jul 1st 2008 11:07AM
RSA keyfobs and the like generate the numbers with an algorithm which uses prime numbers, and that algorithm is not closed source at all. While it is easy to create a prime number, it's really too hard to find the factors of a big prime number. So to reverse engineer and create a new code you only have 60 seconds, and for now and likely in the near future, you cannot calculate that in 60 seconds even with the fastest supercomputers.
Murfygirl @ Jul 1st 2008 12:50PM
@maty
It's not an investment unless you get a return. Fake items in a virtual world aren't exactly a return on your investment.
Draaaainage! @ Jul 1st 2008 2:40PM
@ Murfy
Who says ROI has to be measured in dollars and cents? If you go on vacation you are investing in rest and relaxation; you are essentially investing in your well being. The return on your investment is hardly in dollars and cents, but does that make it non-existent?
Anyone who has taken a basic economics class knows that costs don't always imply a dollar amount.
Mvtt @ Jul 1st 2008 8:19AM
Ummm
"An error has occurred."
When entering the store. Just wanted to know how this thing works...
JamesR @ Jul 1st 2008 8:20AM
If it's a $6.50 one time fee for the dongle then this is pretty reasonable. The users get added security and Blizzard gets to short circuit a large number of calls:
User1: My account got hacked!
Support: Do you have the SecurID Dongle?
User1: Uh...no...but my lewtz!
Support: Sorry, can't help you. Thank you for playing WoW.
Chris @ Jul 1st 2008 4:14PM
yeah but it will go the same way.
User1: My account got hacked!
Support: Do you have the SecurID Dongle?
User1: yes!
Support: Sorry, can't help you. Thank you for playing WoW.
Michael @ Jul 1st 2008 8:20AM
I think you mean EPIC loot. :)
w00t @ Jul 1st 2008 8:22AM
Is there going to be one of these for World of World of Warcraft?
I'd hate to log in to find some bastard has deleted WoW off my virtual computer in the game!
Dale @ Jul 1st 2008 8:46AM
Yes, I believe you have to press Ctrl-Shift-Alt-F4 for your World Of World Of Warcraft avatar to cuss when he can't find his keychain.
Flashpoint @ Jul 1st 2008 8:22AM
This sounds like a lesson in capitalism.
Act #1 charge customers for a product that is inherently flawed
Act#2 develop a fix for the flaw and charge customers for it.
Peter @ Jul 1st 2008 8:59AM
That seems to be what some open-source software providers are doing.
Here, we'll give you our product for free, but it's really complex and hard to setup and use and there's no documentation. But if you need help, we will gladly charge you a fortune for our support services.
Tony Rayo @ Jul 1st 2008 9:09AM
I'm sure you are using many user/password based programs/websites/etc. In fact, since you are posting to Engadget it's likely you are doing so now. Flawed? I call it human engineering.
John @ Jul 1st 2008 9:13AM
Solution: Destroy all humans.
kjb434 @ Jul 1st 2008 9:16AM
And there is a problem with that?
It isn't done on purpose.
Apple sold a "flawed" phone with no 3g. Waited a year and re-released a phone with 3g which it knew pretty much everyone wanted to begin with. How many people with non-3g will switch? Woah, Apple made some money.
I don't think Apple did this on purpose. The first iteration of the phone was developed before 3g and to change it at the last minute isn't worth it. And I don't think Blizzard is doing something bad either.
A problem arrived in WoW, and Blizzard developed a solution. It is capitalism working at its best by solving problems that consumers will pay for the solution to.
I.P. Freely @ Jul 1st 2008 9:34AM
Well, since WoW is advertised to keep all spyware/adware/keyloggers off of your computer I agree whole-heartedly. I mean, I don't even play MMO's, I just use them to make sure I'm safe from malware. I used to have Firewalls, Anti-Virus, and change my password frequently... I don't have to do any of that thanks to WoW!
Yep, it is totally their fault that you can't keep your computer free of malware... logic FTW!
SweetSauce @ Jul 1st 2008 12:21PM
@I.P.Freely
.......what?
Ariejan @ Jul 1st 2008 8:23AM
I think this is actually a good thing. Wouldn't it be great if we could integrate an 'open' device like this with OpenID and solve all these theft/fraud situations altogether?
NHAnimator @ Jul 1st 2008 8:27AM
I'd like to be standing behind the guy trying to explain this thing to airport security.
Tom @ Jul 1st 2008 8:34AM
Why is there always someone who has to make a comment about airport security with EVERY frikkin thing posted on engadget, jesus.
dlheritage @ Jul 1st 2008 10:32AM
I am always amazed at people who make comments like this one. Are you serious that you think that TSA wouldn't be clued in on what an RSA SecurID token looks like?
Life must really be scary for you...
Forrest @ Jul 1st 2008 11:23AM
Have you BEEN through airport security lately?
A good portion of those people are absolutely clueless. I carry around a couple of unusual peripherals for my laptop (a 3d mouse and a drawing tablet) and you should see the CROWD of TSA agents I draw if I forget to take them out of my bag.
Don't assume your average airport security worker knows the first thing about any gadget. Period.
Wwhat @ Jul 1st 2008 12:38PM
Indeed, I heard stories that make you wonder what cave these security people live in that is so far away from any industrialised area or technology, you wonder if they arrive in a horse-drawn carriage.
NHAnimator @ Jul 1st 2008 1:43PM
"Are you serious that you think that TSA wouldn't be clued in on what an RSA SecurID token looks like?"
Uh, I tried to get through security with a survey instrument. You know, the kind that you've seen EVERYWHERE since you were 4 years old? I was told that I couldn't bring it on the plane and that it would have to be checked. There was no way I was gonna check a $7000 piece of equipment.. A senior official viewed it, stuck it in a sniffer, then okayed it. What they did confiscate was a 3-inch long flathead screwdriver that was part of the instrument's tool kit. I kid you not.
So would they be puzzled by something that looks like a keyfob with just numbers on it? Uh yeah.
Also, mention that it's for WoW and that should get you the "full" search.
Das Gluten @ Jul 2nd 2008 12:31AM
Yes, airport security are very tech savvy,
http://www.macnn.com/articles/08/03/10/macbook.air.confusing/
N30 G30 @ Jul 1st 2008 8:30AM
I didn't think these things were cheap.
for anyone curious, in the company I worked for it went like this:
1. Enter username
2. Enter password
3. After password enter what it says on the keychain
4. Press enter
5. ???
6. PROFIT!
sgt pepper @ Jul 1st 2008 11:15AM
Wow. You somehow took a stupid joke and made it worse.
N30 G30 @ Jul 1st 2008 8:31AM
I didn't think these things were cheap.
for anyone curious, in the company I worked for it went like this:
1. Enter username
2. Enter password
3. After password enter what it says on the keychain
4. Press enter
5. ???
6. PROFIT!
Kit @ Jul 1st 2008 8:43AM
I never played WoW, but I knew they did followed other companies approach in China.
The account creation card have a grid with different number / symbol on it, which required to enter a specific number / grid during account login...
I think that's pretty successful and much more cheaper than doing that.
w00t @ Jul 1st 2008 10:29AM
More successful than your grammar I hope! ;)
Wwhat @ Jul 1st 2008 4:17PM
Since he speaks of China perhaps he's not a native English speaker?
(Not that I didn't think that before and I was dead-wrong)
Pochi @ Jul 1st 2008 8:44AM
Ever wonder what it would be like to hit on women with a giant herpes sore? Try the World of WarCraft Authenticator instead! Less annoying and just as effective.
lance @ Jul 1st 2008 8:46AM
My bank has had this for almost 2 years. I think they work great. If I'm say out of the country, it can SMS my GSM the number, and since my GSM number is set up in advance thru my online acct it stays secure.
It's possibly the greatest enhancement to online security since the SSL.
Easy, quick, painless, actually works = great product.
Dale @ Jul 1st 2008 8:48AM
Back when I had to use SecurIDs, we were told it would cost the company $30 per device if we lost them. $6.50 is a bargain.
sp00ks @ Jul 1st 2008 9:06AM
agreed...I highly doubt they are developing the SecurID software in-house...meaning they are going to have to purchase it (considering it is Blizzard, that is no big deal) for...dunno how many servers they have now, but enough to comfortably accommodate millions. but for $6.50 per person, I have to say it seems like a steal. I don't think they are doing this to turn a profit, they are trying to retain die-hards and alleviate customer service issues about phat l3wts getting stolen.
Derek @ Jul 17th 2008 8:20AM
Back when I worked for AOL, they used them and said they were $100 to replace. I lost mine when my lanyard broke and fell off while I was riding my bike to work. Three mile search could have ensued, but a lady found it and brought it by.
I wanted to give her a reward and only had a couple of $100s since I had just cashed my check. Tough situation. I asked the guard up front if he could perchance break a C-note for me or knew someone who could. The lady got impatient and insisted, quite rudely, that I give her $100 reward "because I know how much these things cost and it's cheaper than getting new ones".
She was right, I was told $100 for the ID and $20 for the RF badge.
Long story short, I told her where to stick it and elected to get a new badge and SecurID. I was only charged $20 for replacement of the badge and SecurID (with a good lanyard) after the management saw video of the whole incident.
I was going to give her like $20-$40 if she hadn't been such a bitch. At $35 an hour including bonuses, she was doing me a huge favor just in time saved searching. Sad.
jason.verges @ Jul 1st 2008 9:05AM
I bought mine. :)
It's a great investment for an extra layer of security. I'm all for it.
Mile @ Jul 1st 2008 9:06AM
Can't the Bruce Willis magazine photo easily circumvent this?