account-security
Latest
January Eye on Community promises more for 2010 in Aion
The latest Eye on Community from Aion team member Andrew "Tamat" Beegle covers two of the biggest issues in player's minds these days: the recent account security breaches, and upcoming new content. This month's player question was, "A lot of players are wondering about the future development of Aion. Since the Aion Vision Trailer we haven't heard anything." Tamat does mention that something as big as the Vision trailer will naturally lead fans to expect something concrete, and promises a "significant amount of content" this year brought to the game through several updates. He also addressed the continuing security concerns, reminding players to take what steps they could to protect themselves on their end. Check out the first Eye on the Community for 2010 here.
You are not invited to the Cataclysm alpha
In the wake of yesterday's rumor that the Cataclysm Friends and Family alpha will be starting this Tuesday, January 12, we should expect an increase in scammers trying to get your account details by offering phony alpha invites. We saw a lot of these for both Burning Crusade and Wrath of the Lich King as well, and some of them were very well crafted. At this phase of Cataclysm's development, though, it will be comparatively easy to keep yourself safe. Since this is a friends and family alpha, if you don't have friends or family that work at Blizzard, you will not get an invite. Therefore, anyone offering you one is trying to pull a scam. Basically, everyone who's going to be getting legitimate access to the alpha should know who they are already. Everyone else, sit tight and stay tuned to WoW.com for the latest on WoW's next chapter. World of Warcraft: Cataclysm will destroy Azeroth as we know it. Nothing will be the same. In WoW.com's Guide to Cataclysm you can find out everything you need to know about WoW's third expansion. From Goblins and Worgens to Mastery and Guild changes, it's all there for your cataclysmic enjoyment.
How flaws in Blizzard's billing department are being exploited
Please see the update to this original post. In our continuing series on account security issues present within Blizzard's offices, we bring you news that lax training in Blizzard's billing department is being exploited by those attempting to game the system and illegitimately acquire more gold and high value in-game items. The critical flaw in Blizzard's system is that billing support personnel are currently given the ability to "roll back" characters to previous versions more or less on the spot, with the customer on the phone. Because of this, there is a high degree of flexibility and personal accountability on the part of the billing representative. The flexibility extended here is vitally important to customer service, however the training that comes with the flexibility, we are told by multiple sources, is inadequate and leads to this exploit being practiced by a growing number of individuals. The exploit involves human interaction (aka social engineering), which in security systems is the notoriously weak point. The exploit is often referred to internally as "onioning," which involves the player repeatedly claiming the account was compromised to the Blizzard billing support representatives. There are obviously more details to doing this, but we don't want to provide a how-to. Blizzard is aware of how this is done, and they are currently not implementing checks to combat this.
Account Administration encouraged not to restore hacked characters
Please see the update to this original post. In a stunning revelation from a veteran account administrator at Blizzard, WoW.com has learned that account administrators are being encouraged by Blizzard managers not to restore people's characters and items after their account has been ransacked by gold sellers and keyloggers. Instead, account administrators are being told to give people a "care package" and get them to accept the package in lieu of total account restoration. If the player does not accept this care package, they are then forced to go into a character restoration queue that is consistently several days to weeks long. According to sources familiar with the situation, this "care package policy" has been implemented in order to lighten the work load of those Blizzard employees who perform account restorations. Similar policies have existed at other times account compromises have been high, such as during the transition from Vanilla WoW to The Burning Crusade. This care package being offered consists of the following:
City of Heroes offers a reminder on account security
NCsoft hasn't been having an easy start to the year, at least not in the eyes of security-minded players. The entire Guild Wars security question recently came to a head with suspicions and accusations that the flaw was something wrong with NCsoft's account management, a black eye if ever there was one. Of course, that raises questions about not just Guild Wars, but any game under the company's aegis, which includes City of Heroes. So it should come as little surprise that a reminder about account security has recently been posted on the official site. The reminder itself is fairly standard boilerplate, reminding everyone to avoid giving out their account information to any other players, only log in from secure locations, and so forth. It also addresses the issue at hand in a roundabout fashion, mentioning that they found no malicious workarounds after investigating "current claims." However, the very next line mentions that they have added more robust logging and security procedures, which can lead to the obvious conspiracy theories. With fewer items to be traded than many other games, City of Heroes has a smidge more built-in security -- but a little extra reminder and caution never hurts.
Potential smoking gun found for Guild Wars security issues
It started as a surprise. Guild Wars players reported suddenly finding themselves hacked, their accounts cleaned out, no indication of what could have caused the problem. NCsoft and ArenaNet offered suggestions, security safeguards, new measures being taken, hints that the problem lay in a popular third-party website with an undisclosed name. But with the recent rash of problems that Aion players have been having regarding security, new facts have begun coming to light, and they paint a picture that isn't pretty. Specifically, some players seem to be finding that it doesn't take any skill to wind up hacking someone's account accidentally. And all it takes is a few log-in attempts to find yourself with access to someone's account name, password, and billing information for all of a player's NCsoft games.
NCsoft taking first visible steps to improve security
Back at the end of November, we talked about the ongoing security issues affecting Guild Wars players. ArenaNet has been assuring players that they are working hard on the problem, and Monday evening the community saw the first fruits of that labor. Players saw a message in their chat windows that most of them have never seen before: "The Guild Wars servers will be taken offline momentarily for required maintenance." It was a quick change, but once it happened, players logging in saw a surprising addition to the login screen. Besides the usual username and password combination, you now have to correctly enter the name of any character on your account before you are able to log in. ArenaNet posted a FAQ on their site along with the update and Community Manager Regina Buenaobra interacted heavily with the community immediately afterward, logging in to Guild Wars to discuss the change with players (and presumably be asked a few hundred questions about Guild Wars 2.) She also spent time on the main fan forum sites, addressing concerns, clarifying the reasoning behind some decisions, and passing some well-deserved thanks from players on to the ANet team. While not everyone is satisfied -- and when are they ever? -- this first step is a very welcome one to most players, and we look forward to seeing more.
Using the Corehound Pup to secure Guildbanks
Authenticator owners received a nice surprise in their mailboxes when Patch 3.3 dropped: the corehound pup pet. It's absolutely adorable and a completely unexpected bonus to having a secure account. But it has also caused much kvetching among those who feel they are too careful to ever need the authenticator. Pet envy caused some to sign up for the free application for their phone or buy the physical gadget in order to obtain the two-headed cutie. But they soon discovered that removing the authenticator from their accounts also removed the pet. Their loss can be your gain, however. One problem that many guilds have is that some of their high ranking members, with full bank access, have account security issues. When a guildbank gets raided by a hacker, it affects the entire guild -- not just the compromised account. One thing guild leaders can do to protect all members is require authenticators for bank access. Previous to patch 3.3, this was hard to prove. Now GLs can just ask to see your corehound pup.
Guild Wars account security issues continue
If you play Guild Wars, you're undoubtedly a little paranoid about your account these days. Back in mid-October, posts on forums and wiki pages began popping up, all with a similar theme: "I've been hacked." These incidents quickly gained attention in the Guild Wars community because of the very similar methods used and rapid succession of the incidents. Before long ArenaNet staff had stepped in to assure players they were aware, concerned, and working on it, and were able to release a bit of information. Support Liaison Gaile Gray revealed that "one of the trading sites associated with Guild Wars may have experienced a security breach and its account database (including user names and passwords) may be in the hands of hackers." The statement predictably invited extensive speculation, but at least told players that ArenaNet was making progress in their search. For the time being, ArenaNet continues to work on the problem and players continue to get their accounts looted. (As of this writing the most recent reported incident was Sunday.) The issue continues to be widespread, with one alliance reporting at least eleven members hacked. It probably goes without saying, but while ANet sorts things out players can lower their risk a bit by changing their passwords and taking another look at the account security suggestions, if they haven't already. Best of luck to ArenaNet in solving the problem soon!
Microsoft warns users of worm that targets MMO players
Remember how we always tell you to remain vigilant against malicious programs that can compromise your MMO account's security? Well, it seems we now have more reason to remain vigilant.Microsoft's latest security intelligence report covers the resurgence of worm type viruses and specifically mentions one that targets MMO players -- Taterf. As a worm, Taterf attempts to divine the user's account name and password through keystroke logging, reading the active memory, and even injecting itself into the game client. Either way, by the end of it, you end up naked and goldless. Hrm, we wonder if Taterf has been masquerading itself as our last girlfriend.
Blizzard warns against buying gold
If it wasn't already obvious, Blizzard put together a page on their official website making clear their stance towards buying in-game gold, and have just recently given it another big push. To put it simply: don't. The page outlines what we at WoW.com have known for quite some time (hence our collective stance against buying gold) -- that gold buying harms other players. The site doesn't go into specifics other than to say that gold selling companies often acquire their gold through unscrupulous means. They sum up their statement by saying that "players who buy gold are supporting spamming, botting, and keylogging." Basically, if you're a gold buyer, you're part of the problem. No, seriously. Gold sellers acquire gold by hacking into other players' accounts, taking their gold, selling all their items, and sometimes maliciously deleting their characters. That gold you think some Asian spent hours farming in Nagrand or something is more likely to be some other player's hard-earned gold and the seller is just as likely to be some dude from Jersey. As tempting as buying gold may seem -- and I've read many arguments towards why people buy them -- the bottom line is that it is harmful to the game and you're not doing yourself any favors in the long run. Blizzard says that it "diminish(es) the gameplay experience," but that's putting it nicely. Gold selling and power leveling are against the EULA, anyway, so anybody who patronizes these services are in danger of getting banned. And if you don't believe in buying gold (go you!), protect yourself by getting an authenticator or reading up on account security.
Anti-Aliased: Hax0red
Today was a beautiful morning. It was a morning filled with sunshine, chirping birds, and a good night's rest. I was up writing late last night, so it was nice to sleep in a little before getting a start on the day. Yet, all cozy naps must come to an end, as I had to get up to man my computer, check my e-mail, and get a start on today's work.As I booted up Mozilla Thunderbird and looked over the e-mails that were floating in my inbox (yesterday's MAG comments, Star Wars Galaxies comments, and some new screenshots for D&D Online) I saw one that kinda stuck out. It was from Blizzard Entertainment Support, and it was a password change notification from Battle.net. At first I chuckled, thinking it was some type of spammer who was trying to get me to give up my password, but on looking through the letter, I noticed it was authentic Blizzard material.That's when my phone rang. It was one of my guildmate's numbers flashing on the screen. Those birds stopped chirping after that booming string of profanities escaped my mouth.
Requiring authenticators for guild bank access
m0rtis has an interesting question over on WoW LJ: should guilds require authenticators on the accounts of everyone in the guild with bank access? Authenticators are relatively cheap, if not free (and still in stock most of the time nowadays), so if you're running a guild and in a position where your bank is important enough to protect, should you be able to require authenticators to keep guildies from getting hacked?There are a few caveats here that m0rtis doesn't mention, but we will: first of all, there's no way to guarantee whether someone is using an authenticator or not, so while you can make guildies promise, there's no real way to check up on them. Second, not all guild banks get emptied out due to hackers -- many guild banks get ninja'd by someone within the guild, and there's no authenticator that can protect against that. So having authenticators on bank members (or at least having them promise they've got them) isn't 100% protection. But it is something.
The Queue: Nuts and bolts
Oh boy. Most of us are the walking dead after BlizzCon, but let's get back to something resembling normalcy with a Queue. We're going to start off today with an important matter concerning authenticators and account security, then move on to a bit of WoW.com business and Onyxia. I'd also like to direct attention to two really good comments from the last column re: technical issues, Shadow's and Logarth's.Zerounit asks... I recently got an Authenticator in the mail and I noticed something while I was inspecting it: there appears to be no way to open it short of cracking it open with large objects. Is there a battery life on these? If it stops giving me my magic codes, will I have to get a new one? I got an authenticator for my own use recently and have to admit I hadn't thought to look into the battery life, which is a very good question indeed. A dead authenticator means you have no way of getting into the game (or even into your online account) without official help from Blizzard. Turns out the little security doodads are manufactured by a company named Vasco, and after poking around their website, I'm reasonably certain that Blizzard authenticators are a variant of Vasco's DIGIPASS GO 6 model. What makes me so sure? The GO 6 model page is the only one accompanied by an article on fraud and hacking in online gaming. They don't come right out and say that Blizzard is a customer, but unless Hello Kitty Online is a bigger hive of scum and villainy than even we gave it credit for, you don't have to be a genius to figure out that World of Warcraft figures prominently in MMORPG account theft.
PSA: Don't get scammed by Cataclysm phishing
No, what you see above is not the logo of the (probably) upcoming World of Warcraft: Cataclysm. It's the graphic being used by a phishing site that's been making the rounds lately and we've received a number of emails about. To make sure everybody is completely clear, if you see the logo above, the website you're visiting is absolutely not legit. There are no Cataclysm Alpha invites going out to the public, and certainly not Beta invites. When Blizzard kicks off a beta, we'll be sure to tell you. And even better, Blizzard will be sure to tell you. Until that happens, please be careful about what you click on. The pre-expansion period is prime time for phishing attempts.Naturally, even if that's not the graphic you see, you should be wary of Cataclysm-related phishing sites. There are quite a few right now, and they will even grow more numerous after BlizzCon. Be mindful of the sites you're linked, be careful where you enter your WoW account information, as well as your personal information. I know we've said it many times before, but we really can't say it enough. Don't do anything silly, and if you want to be absolutely sure that you don't do anything silly, grab yourself an authenticator if you can. If you can't get the physical authenticator, there's always one of the mobile authenticators.
The fight against RMT in EVE Online
It's an unfortunate reality that most any massively multiplayer online game running has to cope with outside influences on an in-game economy because of real money trading (RMT). Game developers tackle the problem in different ways. For instance, Final Fantasy XI has an anti-RMT task force and Warhammer Online has a zero-tolerance name-and-shame approach to RMT. Other companies grab the bull by its horns and base their game around a virtual item trade they can regulate. The problem of RMT has affected EVE Online just as it has other MMO titles, if not moreso given how its player-driven economy and the Interstellar Kredit (ISK) currency is central to the game. Beyond the potential revenue lost to the black market when players pay real cash for their ships and modules or buy huge sums of ISK outright, there are also issues with players getting their accounts cleaned out by the shady companies (ostensibly) selling the ISK. When that cleverly-named player "ajakdsk" links you to his ISK selling site in a chat channel, following that link could infect your computer with a keylogger, resulting in a fire sale on whatever they find in your account. EVE Online's creators CCP Games have taken a two-prong approach to handling these issues.
Dodgy Second Life viewer doing the rounds
We'd like to caution our Second Life readers about a dodgy Second Life viewer that's currently doing the rounds under rather dubious circumstances. The viewer is calling itself Neil Life, and purports to include some content-ripping features over and above those normally available to users. One particular feature of the viewer, apparently related to a permissions exploit, appears to have triggered Linden Lab to perform an emergency update to Second Life to close the exploit last week. The viewer was widely advertised last week with distributed notecard advertisements in-world which purported to have been created by famed resident, Gwyneth Llewelyn. In actual fact, a copy of one of her existing notecards had simply had the text replaced so that it appeared that she had authored it. (This is one of the main reasons we don't generally accept the provenance of notecards in Second Life)
Battle.net authenticator now available for other platforms
The Battle.net mobile authenticator is now available for a wide variety of mobile platforms in several different countries through the Battle.net mobile store. Originally available only for the iPhone through the App Store, the mobile authenticator can now be used on virtually any phone that can run third-party applications. There's only one catch - unlike the original mobile authenticator found in the App Store, these new versions aren't free. The prices vary depending on your country due to PayPal conversion rates, but they amount to roughly $1 (it's €0.50 in parts of Europe).Despite the need to purchase it, we at WoW.com can't recommend it highly enough. Account security is an important thing, particularly with the rampant account hacking and phishing going on these days. Now that it's available to use in a wide variety of platforms, there's little reason not use the Battle.net mobile authenticator. A dollar is a very small price to pay for that additional layer of security.Editor's Note: Apparently now the download is showing as "Coming soon" for US/EU carriers. It was showing as up before, but now is not. We blame the Gnomes. Or Ghostcrawler.Thanks to Medros from All Things Azeroth for the tip!
WoW Rookie: Keeping your account safe and sound
New around here? WoW Rookie points WoW's newest players to the resources they need to get acclimated. Send us a note to suggest a WoW Rookie topic.It doesn't take keyboard gymnastics to prevent your account from getting hacked. As a new player, you're bound to be concerned – and if you do any digging at all, you're also bound to uncover a tangle of acerbic, rather arcane-sounding comments (many of them on posts right here at WoW Insider) about what operating systems, browsers and browser add-ons are most secure.You really don't have to change your entire computer system simply to keep your WoW account safe. This week, WoW Rookie rounds up a selection of WoW Insider posts that show you how (and why) to keep your WoW account from being hacked and prevent your computer from spilling its beans to the world at large.
Authenticators back in stock in European Blizzard Store
We might still be waiting on Battle.net here in Europe and the free iPhone authenicator app, but don't worry. Those of you who are eager for your account to be even more secure are in luck. European Blue Ancilorn has posted on the official forums that the authenticator is finally back in stock in the European Blizzard store -- complete with a new look! So if you want/need one, head to the Blizzard store and get one before they're gone. What is €6.00/£4.80 for a little peace of mind?
