account-security
Latest
SOE releases account authenticators
Sony Online Entertainment has joined the growing list of gaming companies that offer physical authenticators for protection against account hacking and associated fraud. EQ2Wire brings us the details on the new device, which at $9.95, is slightly more expensive than Blizzard's comparable Battle.net fob. SOE's authenticator may be used on multiple Station accounts, and for now at least, is shipping out sans handling charges (even for overseas orders). EQ2Wire also has a handy and detailed guide to the new authenticators from last month's Fan Faire, and the website notes that free iOS and Android security apps will be forthcoming at an as-yet unannounced date.
Ask Massively: Stay inside edition
In sharp contrast to last week's advice, this time around, I'm advising everyone to stay inside. There's all sorts of cool stuff wherever you are right now, and it's kind of hot out today. Besides, look at how much fun Christopher Walken is having inside. Don't you want to be like Christopher Walken? Don't you want the ability to fly when your indoor cavorting requires it? In other news, please enjoy the earbug that's infected the entirety of the Massively staff on the day this was written. In other other news, it's time for this week's installment of Ask Massively, addressing significantly less weighty issues than last week's gold selling question. No, this week we're talking about old livestream videos, the reason for the non-ubiquity of authenticators, and of course, the great outdoors. If you've got a question you'd like to see answered in a future edition of the column, leave it in the comments or send it along to ask@massively.com.
Opt-out option incoming for recent authenticator security change
If you follow WoW account security, then you've probably heard about (or personally encountered) a recent change to the way Battle.net authenticator devices work. Basically, when you log into the game, the client attempts to determine if you're logging in from your "home" computer or at least a computer you use regularly. It uses several factors to make this determination, such as your MAC address and your IP address. If the information doesn't indicate that the login is taking place from a safe machine, it'll prompt you for your authenticator code. If it is a safe computer, then you'll only be asked for your code randomly, once a week or so. The change, aimed to make authenticators less of a hassle for those who log on from the same computer quite a bit, caused an odd uproar on the official forums from players who were worried that this change somehow made their account less secure. Addressing these concerns, Blizzard Community Manager Zarhym announced today that Blizzard is working on providing an opt-out option for this convenience feature. Details were scarce since, as Zarhym noted, Blizzard hasn't quite nailed down specifics yet, but he assured players that it's something Blizzard's been looking into since the authenticator change was first announced. The full announcement post and followups are after the break.
Battle.net Mobile Authenticator now available for Windows 7 Phones
Android and iOS device users have had the luxury of using the Battle.net Mobile Authenticator, a software version of Blizzard's downright necessary keyfob authenticator, on their phones or tablets for a while now. As of today, Windows 7 Phone users can also take advantage of the Mobile Authenticator by downloading it from the Windows Phone Marketplace. At this point, there's pretty much no reason not to have an authenticator -- they're 6 bucks and free to ship for a physical device and no cost at all for a software version available for every major mobile platform. Just get it! Battle.net Mobile Authenticator for Windows® Phone 7 Devices The Battle.net Mobile Authenticator, an application for mobile phones that provides an extra layer of account security, is now available as a free download for Windows® Phone 7 devices on the Windows Phone Marketplace. The Battle.net Mobile Authenticator provides a one-time password that you use in addition to your regular account name and password when you log in to a Battle.net account to play World of Warcraft or StarCraft II. Versions for other mobile devices are also available for download here, or you can purchase a physical Battle.net Authenticator from the online Blizzard Store. Visit the Battle.net Mobile Authenticator FAQ for more information, or head to the setup page to get started after you've downloaded the application. For additional account security advice, check out our Account Security page. source
Battle.net authenticator process updated with smarter log-in detection
A substantial updated to the Battle.net authentication system was announced today. Players will soon notice a change to their authenticator log on -- it just might not appear. Blizzard's login servers and authentication system now intelligently track where your account is logging into the game from and, if you're consistently logging in on your home computer, the authentication servers will let you pass, no code needed. Blizzard wants make the authentication process less intrusive and this is a first step towards that goal. Right now, having to input a code each and every log in is a pain, sure, but it also makes me feel secure. I'm never going to say no to more security, however, and if the system is something that can accurately figure out where I am and let me on, that's great. This doesn't take into consideration the circumstance where you use an authenticator to prevent access to WoW, even from the home PC. I know some parents who use a simple password that their kids can remember but use the authenticator as the gate to prevent unwanted play. Maybe there will be an opt-out feature of some kind to always ask for the code. You can check out the Battle.net account security page or check out the Blizzard mobile site for application information. For more information on this specific change to the authenticator system, follow me after the break.
The Lawbringer: Account management and you
Pop law abounds in The Lawbringer, your weekly dose of WoW, the law, video games and the MMO genre. Running parallel to the games we love and enjoy is a world full of rules, regulations, pitfalls and traps. How about you hang out with us as we discuss some of the more esoteric aspects of the games we love to play? Writing The Lawbringer has taught me a lesson in trends. Over the past few months, specific questions are sent to me in topical batches. Sometimes it is a few emails about selling accounts. Other times, I get four to five emails about account security or compromise. May's email topic of choice was transferring accounts to family members. Blizzard is very restrictive about what you can and cannot change regarding your account information. On the one hand, it is your account, right? Shouldn't you have ultimate control over the information you provide for the facilitation of a service you pay for? On the other hand, there is a certain degree of problem mitigation that comes with restrictive change. If Blizzard can control certain aspects of what you do with your account and the information it is all filed under, problems can get mitigated before they appear. Today's topic is really all about damage mitigation.
First Core Hound Pup adoption campaign winners announced
Blizzard's Core Hound Pup Adoption Campaign is giving players the chance to win an iPad as well as boost their own account security. In an effort to get more authenticators attached to accounts, Blizzard ponied up some iPads to get the job done. Each month, a screenshot entry is chosen to win one of 12 iPads. Just take a screenshot of you and your security pup companion doing something crazy, out of the ordinary, or just plain awesome, hit up the contest rules page, and you've got a shot at winning. The first four winners have just been announced and their screenshots released. %Gallery-122048%
RIFT bringing out a new authentication service today - but not yet
Authenticators are one of the most popular forms of account security around, giving players an extra layer of defense against hackers and keyloggers. RIFT has been dealing steadily with account security issues since launch, so the upcoming authenticator service is no surprise to players. Using a digital authenticator service, players will very soon be able to use their Android mobile devices for authentication services -- but carefully note the "soon," as the service isn't yet ready for prime time. Currently, using the authenticator will prevent players from logging in, as the code for using said authentication isn't yet in place. A new launcher will be put into place for the game later today, allowing players with Android devices use of the authentication service. While the current release is only for the Android platform, code for the iOS is being finalized, meaning that iPhone and iPad users won't be left out in the cold. So if you're playing RIFT and want to have a little more random number to go with your login, you'll soon be able to do just that. (But not quite yet.) [Thanks to Puremallace for the tip!]
"Solid one-two punch": Trion responds to account hacks
The saga of RIFT's account security woes continues, as Trion World's Scott Hartsman responded to the hacker attempts, reassuring fans curious about what steps were being taken to secure their accounts. Citing "constant attacks" since the launch of RIFT that have impacted 1% of accounts, Hartsman said that the team is blocking hackers and botnets as quickly as they are identified, but that this will also be an ongoing process. "Both the login fix and the Coin Lock addition have been doing their part in signficantly reducing overall incidents over the last 18 hours," Hartsman wrote. "Neither one is a silver bullet, but so far it is looking to be a solid one-two punch for the weekend." According to his post, Trion will be hiring additional staff to tackle the problem, and is working on a "two-factor authentication" process for the future. Hartsman also praised the efforts of the player who brought a serious log-in vulnerability to the team's attention. ZAM tracked down the player for an interview, who himself had his account hacked in early March. The player is an "ethical hacker" who owns a security software company and realized that these hacks were not the fault of the player, but an exploit that had been discovered.
Player identifies "huge security hole" in RIFT's authentication system, Trion seals it
Hacking and account hijacking have been severe issues for RIFT ever since launch, even though Trion Worlds anticipated the onslaught from the beginning. Yesterday we saw Trion implement the so-called Coin Lock patch to prevent hackers from selling other players' items in-game, which some see as a novel (partial) solution to the problem. However, this may not be enough to stop the truly malicious invaders from getting into RIFT accounts. One player, identified as "ManWitDaPlan" on the forums, claims to have circumvented the account login completely, leaving a "huge security hole" for hackers to exploit: "I have verified the authentication system can be bypassed by successfully logging into another account without needing its credentials. Worse, all it took was about thirty seconds of time once I got all of the details locked down. I did trigger Coin Lock, but I was fully able to access that handy delete-character button, so this exploit is a griefer's dream. I will not post details on how to do this (so don't ask), but I'm positive that I can reproduce this at will and likely on any account on the system." Later in the thread, a Trion representative added: "We have some things in the works right now and have been passing on your feedback, concerns, and thoughts throughout the day (no matter how radical or unlikely). Sharing sensitive information about our actions (no matter how broad) naturally also informs those carrying out these attacks. This puts us in a tight spot with how much information we can provide, and the questions we can answer." And it looks as though the problem may be fixed, as ManWitDaPlan posted late last night: "Got word back from Steve Chamberlin, the development lead for Rift. This hole is sealed."
RIFT adds Coin Lock to improve security... probably
Getting your account stolen in an MMO is generally accepted to be about as much fun as having your car's engine fuse into a solid block of melted parts or getting bamboo slivers shoved under your fingernails. RIFT's newest patch, 1.02, includes a new feature designed to fight precisely that dreaded eventuality, with the new "Coin Lock" system restricting use of a character if the parent account logs in from a different location. While locked, the characters cannot access the auction or trade functions until the player verifies his or her identity. While the system is a great idea in theory, several players are reporting that the coin lock system is not working as intended, with supposedly "locked" characters remaining accessible and capable of using all features freely. There are also several threads devoted to claims that account hacks are still taking place, although as with any account security issue, culpability is difficult to determine. While RIFT's Coin Lock is an excellent idea, it remains to be seen whether it's actually accomplishing the stated goals. [Thanks to Simon for the tip!]
RSA security hack not affecting Blizzard authenticators
Many people were quick to wonder and worry about whether the recent hacking of the RSA (the security branch of EMC) had the potential of harming Blizzard's authenticators or authentication software. Fear not, as the blues have chimed in with a response: RSA Hack and Blizzard Authenticators Pokzin, The Blizzard Authenticators are based off modified Vasco tokens. I'm sorry to hear about RSA's troubles, but it will not affect the Blizzard Authenticator. source It doesn't look like Blizzard will be harmed by this at all. As a reminder, please keep your account safe by not clicking links in emails that don't appear to be from Blizzard, always check your email headers for incoming email addresses, and if you have any questions about whether an email is legitimate, contact Blizzard first. And do please get an authenticator for your account. Check out some of our own security articles here.
Valve introduces Steam Guard to fight account phishing and hijacking
What's Steam's "number one support issue" according to Valve's Gabe Newell? "Account phishing and hijacking," says the boss. In an effort to combat the theft of digital goods, Valve has announced Steam Guard, a new service that allows users to restrict account management to a specific Intel-powered PC. Using Intel Identity Protection Technology (IPT), a hardware-based feature available in second generation Intel Core processors, Steam Guard users will be notified whenever a different PC attempts to log into or modify their account settings. This should give Steam users "the account security they need as they purchase more and more digital goods," said the filthy rich Newell. Because Steam Guard is hardware-reliant, the service will not be available to all Steam users. Still, Valve's Doug Lombardi expects "to see widespread adoption of hardware-based security like Intel IPT by other service providers" in the future. "If as a customer you are buying movies, music, games, or digital goods, you want to know that they are more secure than your physical goods."
NCsoft adding additional security to master accounts
There's another layer of account security on the way for NCsoft master account users. The Korean gaming giant has posted updates on its City of Heroes, Guild Wars, and Aion websites inforrming users that they'll need to answer some additional security questions to log in to their master accounts. Once the queries are correctly completed, you'll be granted one-time access as well as the ability to add that particular computer to an approved list. Login attempts from other computers will of course trigger the questions again, and users that have forgotten the security info entered at account creation will need to contact NCsoft support for assistance.
APB blog talks beta applications, information security
Welcome back to the weekly APB Reloaded update. This time around, GamersFirst has a followup to last week's beta application deadline announcement. APB's beta application process is a bit different than the norm, and GamersFirst producer Jon "Neume" Merriex has penned a lengthy blog entry that aims to fill in the gaps. In addition to reviewing the game's beta key redemption process, the entry touches on the time-honored tradition of fudging your beta app in the hope of presenting a more appealing tester profile (and thus increasing your selection chances). "In the end, if you do fill out the form accurately and completely, we expect that the vast majority of beta applicants will in fact get closed beta access well before the roll out of the open beta," Merriex writes. Finally, this week's post spends a bit of time on your personal information, and more specifically, the sharing of it with third parties. In a nutshell, GamersFirst pledges to keep your email address, phone number, credit card number, and other valuable bits of data both secret and safe. Information sharing from beta participants "is always aggregated, such as '85% of our players are male between the ages of 18 and 25,'" Merriex says. Head to the official APB Reloaded blog for more specifics.
Blizzard posts new account security guide
Make no mistake: it really sucks when your WoW account gets compromised. Even with the speed with which compromises are handled by the support department nowadays, it's still a pain to have to wait to get your stuff back -- and it's even worse to know that someone was in there mucking around with your dudes, you know? Blizzard's been better about helping people with account security problems recently, like giving out free authenticators to some hacked accounts and offering a free phone-in authenticator service, but in the end, a lot of the responsibility falls on you the player to keep your account secure. To that end, Blizzard has assembled a new account security guide. It's a pretty comprehensive list of the steps you can take to secure your account, from getting an authenticator to learning how to recognize phishing emails to making sure that your computer itself is secured through the use of antivirus software. Learn it, live it, love it. In account security, as in Planeteering, the power is yours.
Breakfast Topic: What made you decide to get an authenticator?
This Breakfast Topic has been brought to you by Seed, the Aol guest writer program that brings your words to WoW Insider's pages. Once again, Blizzard is encouraging its players to use authenticators to protect their Battle.net accounts. In addition to the incentive of a lovable Core Hound Pup pet provided to all World of Warcraft characters on an account that has an authenticator attached, there is now a contest going on to win an iPad for your best Core Hound Pup screenshot, and we've even received reports that free authenticators are being offered to owners of accounts that have previously been compromised. Still, incentives alone aren't enough for some players. Sometimes it takes an incident to drive the point home. For me, it was a hacking scare involving my girlfriend's account. We had just resubbed to WoW in preparation for Cataclysm and were having a blast when she got a notification from Blizzard that her account had been locked due to an unauthorized break-in. Nothing was gone, no items destroyed, no gibberish-named level 1s created, but she did have to change her password and verify to Blizzard that she was still herself. She was playing on a Mac, used Adblock and had disabled Flash on her browser, and she only visited a handful of websites on a daily basis, all very innocuous places like Gmail and WoW Insider. We figured it was an isolated incident, but just to make sure, she wiped her hard drive and reinstalled WoW. Then, a week later, it happened again. I couldn't believe it, and I still don't know how or why she was targeted, but I ordered our authenticators the very next day. We haven't had a problem since. What convinced you to get an authenticator? Was it a contest, a promotion by Blizzard, or a hacking scare? If you don't have an authenticator yet, what's holding you back?
Frogster not giving in to hacker's demands
Free-to-play giant Frogster isn't playing along with Cpt.Z3r0, a hacker who resorted to blackmail and account theft to voice his views about the company's customer service and forum culture. Frogster, which publishes Runes of Magic, was stung by the release of over 2,000 RoM account names and passwords to its public forum last month, and has since been working to repair the damage done to its security systems as well as its reputation. "Our team has to focus and work on making the system more secure, on managing the whole incident. It means that they can't work on their regular goals and targets, like making events for the game, or improving it in other ways," company COO Dirk Weyel told GamesIndustry.biz. A police investigation into the hacking incident is ongoing, and Frogster is tight-lipped regarding any possible changes or improvements to its customer service apparatus, preferring instead to concentrate its PR firepower on the anonymous hacker. "Why is someone so angry? Why do they want to harm Frogster and the user base? Obviously, in any community you have people who complain. Some of them are reasonable, and some complain in a way that is unacceptable," Weyel said. He goes on to acknowledge that Frogster's community management isn't perfect, and that open and transparent communication are the ultimate goals.
Codemasters unveils Lord of the Rings Online hacked account program
With great playerbase numbers comes great security responsibility. Wait, no. That's not the movie metaphor we're looking for. How about keep it secret, keep it safe! That's more like it, but unfortunately for some Lord of the Rings Online fans, the secret (and the safe) parts are being compromised as the free-to-play title sees a rise in hacked accounts to go along with its expanding user numbers. All hope is not lost, however, as Codemasters (LotRO's European publisher) has introduced a new Hacked Account Restart Program designed to assist victims and speed them back onto the road to Mordor. The program has a few prerequisites, among them player support eligibility and GM verification of the actual account owner. Claims must also be filed within seven days of the security breach, and reimbursement methods will vary at Codemasters' discretion. You can read the official announcement on the Codemasters website, and you'll also want to check out Customer Service Manager Sincilbanks' blog entry on the subject.
The Road to Mordor: Hacked!
"My kinship had just finished an instance run about a week-and-a-half ago and was in the process of reloading back into the world when I got the message that I was being disconnected because I had just logged into the Brandywine server. Huh? Suspecting the worst, I immediately hit up the Turbine Account page and changed my password then re-logged back into the game, which would boot the hacker offline just like I had been booted minutes earlier. "I was lucky and did that before the hacker had time to switch servers to where my active characters are. Other kinmates have not been so lucky." So goes the frightening tale of Pumping Irony's Scott, who shares this in the hopes that others may avoid a similar scare. Unfortunately, it seems as though stories such as these are becoming more and more common in Lord of the Rings Online, where the worst threat to your quest may not be the eye of Sauron but the malicious intent of hackers gutting your account while you're offline. Today we're going to step off the path for a temporary side trail into the gloomy undergrowth of account security and an MMO under siege.
