In our continuing series on account security issues present within Blizzard's offices, we bring you news that lax training in Blizzard's billing department is being exploited by those attempting to game the system and illegitimately acquire more gold and high value in-game items.
The critical flaw in Blizzard's system is that billing support personnel are currently given the ability to "roll back" characters to previous versions more or less on the spot, with the customer on the phone. Because of this, there is a high degree of flexibility and personal accountability on the part of the billing representative. The flexibility extended here is vitally important to customer service, however the training that comes with the flexibility, we are told by multiple sources, is inadequate and leads to this exploit being practiced by a growing number of individuals.
The exploit involves human interaction (aka social engineering), which in security systems is the notoriously weak point. The exploit is often referred to internally as "onioning," which involves the player repeatedly claiming the account was compromised to the Blizzard billing support representatives. There are obviously more details to doing this, but we don't want to provide a how-to. Blizzard is aware of how this is done, and they are currently not implementing checks to combat this.
More alarming is the fact that this vulnerability exists, to a large extent, only in Blizzard's billing department. The training to combat this exploit is available and indeed given to account administrators and game masters, however Blizzard for some reason sees fit not to train their customer contacts in the billing department -- yet allows them much of the same powers (in this case) as an account administrator would have. Some of these concerns may be alleviated when the department rolls out its all-in-one customer service tool instead of the wide variety of separate tools that are currently in use.
This becomes a larger issue when looked at from the perspective of time and effort put into correcting such exploitative action. Blizzard has a limited number of support personnel, and the time it takes to correct actions by exploitative players detracts from the time Blizzard has to help lower long restoration queues and help out the customer elsewhere. The prevalence of these exploits is directly affecting the well-being of the game, and leads to things like requiring mandatory authenticators.
Finally, we want to make it clear that we are publishing this article not to encourage exploitation, but to report policies and practices which allow these exploits to happen.