account-security
Latest
Widespread wave of phishing emails reported
Over the past week WoW Insider has received an increasing number of reports of phishing emails. This means that some industrious folks have decided that now is a good time to try to steal accounts from unsuspecting players, and thus we're thinking this is a great time to remind people about the dangers of these evil emails!Most of the current phishing emails have been telling people that their account is under investigation for account trading, and directing them to a website in which they need to fill in their complete account information along with a CD key. Obviously this website is a phishing site, and is illegitimate. There are several things you should look for in a legitimate (or illegitimate) email from Blizzard. After the break we'll take a look at these, as well as provide some places you can go for further information.
Final Fantasy XI borrows page from WoW, offers authenticators
With the rampant MMO account hacks that happen every day - and especially the seemingly high numbers that occur in Final Fantasy XI that we've heard about, we're glad to hear that this change is coming. Square Enix has announced that, like Blizzard, they will be offering an account authenticator security token to players, helping to ensure that their accounts are safer in the future from random hacks. There's no immediate information available on the exact cost or when they'll be offering them through PlayOnline beyond "in the near future", but we're sure that players will snap them up. Also, the FFXI variant will also be coming with a special in-game bonus "which may just prove indispensible during your many adventures in Vana'diel!"Of course, if you're a follower of [GM] Dave, game-master and celebrity Chef de Cuisine to hungry dragons in Final Fantasy XI, you'll likely have heard about this already. He claims to have been the one to think up security tokens years ago, before his supervisor nabbed the idea, and landed a promotion (and [GM]Dave's wrath) out of the deal. (Can you warp supervisors to zones full of dragons without them catching on, we wonder?) Ultimately, whatever the genesis of this decision is, we're sure the FFXI community is glad to see security tokens coming.
Account security is your responsibility, not Blizzard's
PlayNoEvil recently published an article explaining why they think it is that hackers target gamers by stealing their passwords and other account information. While there is some truth in the premises offered, articles like this one only serve to fuel conspiracy rumors and encourage players to think of themselves as victims rather than take responsibility for their own account security. Gaming companies do place some of the blame for a compromised account on the account holder, and for good reason. The hacker certainly didn't gain access to your computer because of their actions, and their computers that store your information are as yet untouchable.The browsers you use, sites you visit, firewall settings, anti-virus software and update practices are just a few of the ways that you contribute to your own hacking experience. Sharing your account information with your lover, best friend and mother may sound safe, but you don't control the security of their computers, or their friends' computers. The majority of people I know who have been hacked signed into their accounts on their sibling's computer or a publically shared machine. In fact, NASA ended up with a keylogger targeted at gamers on the International Space Station. It traveled aboard on the laptop of one of the astronauts. You just can't trust any computer that isn't your own.It may be hard to hear, but a hacked account is because of something you did, whether it was an unfortunate stroke of luck, such as stumbling onto a redirect on a legitimate website in the small window before the site addresses it, or a serious oversight in security on your part.
Japan's online games industry steps up security
The potential for having a hacked game account clearly goes hand in hand with online games, regardless of which country you're in. Japan is taking aim at this particular issue through a rather significant partnership with Visa International, reports Nicholas Aaron Khoo for CNET Asia. The Japan Online Game Association (JOGA) has pushed for the industry-wide adoption of Verified by Visa by year's end. Verified by Visa uses SSL encryption as part of its Three-Domain (3-D) Secure platform, and it's hoped that establishing this industry standard will reduce the frequency of stolen accounts. Khoo writes, "According to JOGA, Verified by Visa has already been implemented by over 60 percent of online gaming companies in Japan -- the highest among any online retail and service provider industry categories." You can check out the full story in Khoo's "Peace of mind for Japanese gamers?" as part of his Geekonomics column at CNET Asia.[Via PlayNoEvil]
Authenticators back in stock
For those of you who have been patiently waiting, trying to catch them in stock - good news! The Blizzard store is currently showing that there are authenticators back in stock for your ordering pleasure. As if that weren't awesome enough, it's not just the United States authenticators that are available and ready for purchase. It seems Blizzard has stocked up across the board as they're showing that the authenticator is available for Canada/Australia/Latin America/New Zealand, Europe and Korea as well. Let's hope this is the beginning of a trend where they're available everywhere more often. That said, your guess is as good as ours as to how long the current stock might last. (Read: probably not long if history is any indication.) So if you forgot to pick up a present for that WoW player in your life and are looking for a way out of the post-holiday doghouse (or just need one for yourself) head on over to the Blizzard store and get your authenticator ordered - quickly.Update: Looks like the Canadian ones are gone as of 7:26 PM. [Via the WoW LJ]
The best of WoW Insider: December 30th, 2008 - January 6th, 2009
2008 was the best year in the World of Warcraft yet -- we got a terrific expansion, a few content patches, tons of class improvements, and lots and lots of great gameplay out of it. The past twelve months have been very good to Azeroth's inhabitants, and we're looking for an even better time in the coming year. To find out about it all, whether you're a level 10 noob or have six level 80s already, hit up Joystiq's WoW Insider for the latest news, views, and insights from the World of Warcraft. News WoW Insider's predictions for 2009It's a new year, and we've got some new expectations for the game. Account security mythbustingA former Blizzard CM lays the truth out on what's up with account security. Teen arrested for making suicide threat to a GMKid didn't want Blizzard to ban him, said WoW was all he had to live for, got the cops called on him. Queue queue moar noobServer queues plague the servers yet again. WoW Moviewatch: The Craft of War: BlindLikely the best machinima movie you will eve see. Features Blood Pact: How the mighty have fallen, or 2008 in reviewWarlocks had a rough time of it in 2008. BigRedKitty: Hunter Loot awards for 2008The best loot in ranged attack land for the last year. Know Your Lore: The Sons of HodirOur lore column takes a close look at one of the newest old players in the reputation game. The Light and How to Swing It: Shine on, a 2008 reviewPaladins prevailed big time last year. Shifting Perspectives: The Druid of 2008
Account security mythbusting
So, you might have noticed the increased number of warnings and advice from Blizzard regarding account security lately. They've even popped up in the game itself, as a server message when you first log in. Needless to say, this has caused no dearth of consternation in the WoW community (read: people be trippin'). So, why the sudden notices? Has something changed? Has Blizzard lost their footing in the war against hackers and gold farmers? Is Blizzard in cahoots with them? What's this itchy pentagram-shaped rash I've developed?Now, there's a lot I can't talk about regarding this stuff, and certainly not for any sinister reason. It's a selfish reason, though, that being that I really like not getting sued. I can, however, use my experience and knowledge to bust or confirm some common account security myths. Ready? I'm a trained professional. Don't try this at home!
Antivirus company claims viruses are out to get you
McAfee Avert Labs, a monitoring and research division of McAfee Inc., claims that malware attacks are on the rise, and the targets are often gamers. According to McAfee, there was a 245% growth in the amount of malware being developed from 2006 to 2007, with roughly 300% more developed from 2007 to 2008. So far this year, development already exceeds 2006 and 2007 combined. Earlier this year, McAfee released a list of some of the most dangerous web domains. Even major, reputable websites are not immune, although the problems are usually addressed almost instantly. Commonly targeted websites include social networking sites like Facebook, as well as gaming sites.The developers harvest the information, and sell it to others who then exploit it, possibly to steal your account information. With so little time until Wrath of the Lich King, I'd like to remind everyone that buying gold or power-leveling services is not only not permitted, it is likely to get you burned. For more information on protecting your computer from keyloggers and other malware, check out the following guides:
WoW Insider Interview: Blizzard speaks about Authenticator security
About a month and a half ago, we reported on the story of a player who had apparently gotten their account hacked while they were using the new Blizzard Authenticator key, and it raised a lot of questions in players' minds about the only hardware Blizzard's ever made: just what does the Authenticator do to protect players' accounts? Have Authenticators actually prevented accounts from being hacked? And what would it take to, through social engineering or other methods, actually remove an Authenticator from an account?At the time we published that first story (which was later disputed by a customer support representative), Blizzard contacted us here at WoW Insider, offering to clear up players' concerns about the new keys. We quickly submitted to them a few questions pulled from our own writers and a few submitted by readers, and they've now returned the answers to us -- you can find Blizzard's answers to our questions about the Authenticator after the break. Thanks to Blizzard for answering our questions about how these keys work, and clarifying some of the issues around their security.
Forum post of the day: Hilarious scam email
Have you ever wondered what one of those fake emails from "Blizzard" look like? The nastier ones are copies of real Blizzard emails, with the links subtly changed. Other scam emails are a bit more transparent, however. While we've identified some red flags for you before, let's add a few more, shall we?If the email refers to the patch you "must" download as "a mod one" then it might not be real. If they have moved said patch to an external website, then you might want to worry.If the reason for the move is because, "recently, Hackers have been trying to crack our folders and steal every future project" then it is time for you to roll on the ground laughing. Just hope that Hackers don't team up with the Boogeyman, or Terrorists!If you are referred to as one of their "lovely members who do not understand" you should get a medal, really. Their repetitiveness is dizzying. Luckily, they will "explain it shortly" for you. I think someone needs a thesaurus (or a brain).
Authenticator failure revisited, Blizzard responds
We created a lot of waves with this post about Blizzard's Authenticator key allegedly failing -- as you know if you've been listening to the podcast, lots of people have emailed us with their own input on the situation, alternately thanking us for making it known that the Authenticator wasn't 100% secure, and lambasting us for being "ignorant" about how Blizzard's security token works. At the base of the story, there are two things we know are true: that someone was using the Authenticator on their account, and then was subsequently hacked. For that reason, we've stood by the "Authenticator fails" story -- while having an Authenticator on your account is a helpful line of defense, it, like all other computer security measures, isn't a 100% guarantee against getting hacked.Most people agree on that. Where opinions differ are in how the account was hacked -- originally, we and a few other sources speculated that the Authenticator had been somehow removed from the account in question. But now Belfaire has responded (we believe to the incident in question, though a link to our story was removed from the original post), and says that as far as he can tell, the Authenticator was not removed from the account. In fact, after the password was changed back, the Authenticator's serial key was asked for and given, so the Authenticator remained attached to the account the whole time.Of course, that just leaves the most important question: how did the account get hacked? We've heard all kinds of various insights as to how the Authenticator works (it only lasts for 60 seconds, supposedly each key can only be used once, so there's no way a keylogger could nab the Authenticator code and reuse it), but the fact remains that the person we're talking about was using the key, and still got hacked. One hack out of all the Authenticators sold so far is a terrific record, and could prove that, statistically, an Authenticator is good as 100% security. But the fact remains that this person got hacked while using the key (however it was done), and if security can be broken once, it will be broken again.
Authenticator fails, removed from account without user's permission
Editor's Note: This entire situation has been debunked. The authenticator was not hacked, compromised, or forcefully removed. The account had been shared, and the authenticator along with it. Authenticators do not offer any security if you give it away. If you're worried about other account security myths, our own Michael Sacco has tackled them in a mythbusting series. Think a Blizzard Authenticator will keep your account from being hacked? Think again -- we've got our first known report of someone who was protecting their account with one of Blizzard's keys, and still got their character hacked down to their undies. Someone in this forum thread apparently logged out one night and logged on the next morning to find her account stripped of everything but PvP gear, and her Authenticator no longer connected to her account. Supposedly, to deactivate an Authenticator from an account, you need to get in touch with Billing services, and reportedly they'll then ask for a notarized statement with a picture, like a driver's license, just to remove the Authenticator. But obviously, this one was removed even without that, and we're being told that all you might need to remove the Authenticator is the answer to the user's secret question and a CD key (or even less). In other words, the fault isn't with the technology, it seems to be with the support reps on Blizzard's side of the phone line -- if they can be convinced to remove the Authenticator, the account can then be hacked. The little keys have been selling like hotcakes since they were released -- almost everyone has figured that $6.50 was cheap for peace of mind. But while an Authenticator still does provide an extra step in security, the sad truth is that it hardly makes an account impermeable. [Via BRK]
Authenticators are going out, via USPS
We had heard that there were problems with the Blizzard Authenticator (a few people who'd ordered them had gotten their money refunded by Blizzard), but apparently there are at least a few going out. Mania got hers -- she says that it works great, that she has already associated it with her accounts, and that she's thrilled with her purchase.Not everybody is so lucky -- reader Tweaky emailed us to say that his order was supposed to go out UPS Next Day Air, but after it didn't show up and he had a tussle with Customer Support, he then found out it was actually going through the USPS and that it would show up late. No word on whether he's seen his yet or not. A few people commented on our last post that they actually had shipping returned to them, so maybe Blizzard originally planned to send some UPS, and then had to switch to a cheaper mailing method.At this point, Blizzard has the keyfob sold out on their website, and there's no indication when we'll see any more (soon, probably). It appears that not only did they vastly underestimate demand for the Authenticator, but that people are seriously concerned about the security of their World of Warcraft account. No other game company has ever offered anything like this before, but given the response, it could soon become a standard.
The Daily Grind: Best news from WWI?
Blizzard's Worldwide Invitational just wrapped up, and aside from the highly anticipated announcement about Diablo III, there were also a huge amount of changes announced for World of Warcraft. From Shamans getting the ability to have their totems cover the entire raid as opposed to just their party, to the confirmation that you will be able to make a Death Knight of every playable race. Many players are buzzing about the upcoming changes. This morning we thought we'd ask you what you thought the most interesting World of Warcraft news was from the Paris Worldwide Invitational? This blogger thinks that her favorite thing (aside from Diablo III, which really isn't WoW news) is the unveiling of the Blizzard authenticator encryption keychain. It will be interesting to see if other MMOG companies follow this step or not.
Avast! update causing issues with WoW
Avast! anti-virus, which is used by millions of people around the world, recently upgraded to version 4.8. Unfortunately, it seems that this upgrade has caused many WoW players to have a drastically lower play experience.The most common symptom is severe keystroke lag while playing the World of Warcraft. Mouse actions also seem to be affected by this. Delays as low as a second and as high as five seconds between keystroke and the game receiving that action have been reported. Supposedly, running WoW in windowed mode fixes this, but your mileage may vary.
WoW Rookie: Account Security Basics
Recently we've had several posts about being hacked, guild banks assaulted, and Blizzard's typical response. The Customer Service Forum is filled with threads started by desperate World of Warcraft players seeking the return of their accounts and belongings as a gesture of goodwill. It is our responsibility to keep our accounts safe from hackers. I speak from experience when I say that being hacked is just dreadful. Although it is usually possible to have your account returned, there is usually significant damage done in the process. In the past, even Blizzard employees have had their accounts compromised. This post is designed to help you do the best you can to protect your World of Warcraft investment.
Bank declines Blizzard charges
It seems that keyloggers and phishers are not the only fraudsters infiltrating World of Warcraft. Halifax, a bank in the United Kingdom has ceased processing most transactions with Blizzard Entertainment. This measure was taken in response to increasing numbers of reports fraudulent transactions for WoW services. I had a similar issue with another bank based in the United States. That institution saw my recurring Blizzard charge as suspicious. Once I contacted them to verify my subscriptions my credit card was quickly returned to an active status. In this case, the only fault on Blizzard's is making an astoundingly popular, subscription-based RPG. Do be on the lookout for unexpected transactions from Blizzard Entertainment and be sure to report them to your bank as soon as possible. Representatives from Blizzard Entertainment declined interviews with the Register, which investigated this phenomenon. Do not be surprised if the transaction for your WoW subscription is refused in the near future. Halifax customers can use their credit cards to pay for their WoW subscriptions by making special arrangements with their account services department. If you would like to continue to use your Halifx Visa or Master card, be sure to contact customer support for authentication.
When it's not nice to share
We're all taught from an early age that it's nice to share. But not when it comes to your WoW account info. And I don't just mean e-mail scammers posing as Blizzard employees asking for your password. What I'm referring to is something that is something much more rampant and just as damaging to your WoW account's continued existence: willingly sharing your account information with a brother/roommate/guild mate/girlfriend, etc.For those of you who don't know what I'm talking about, allow me to spell it out:If you're caught sharing your account, Blizzard will ban that account.You'd think this fact of WoW life would be well known, and I believe it is, but many players are choosing to ignore this rule at their own peril. Why? A few rationalizations seem to be popping up over and over.
Guildportal, keyloggers, and you
In the past week, you may have noticed an increase in complaints about hacked accounts on the forums. Why? Well, the popular guild-hosting website Guildportal was hacked -- hackers added a bit of code exploiting an old Internet Explorer vulnerability (Microsoft had a patch available six months ago) to install a keylogger on visitors' systems. It was a brilliant move by the hackers, who managed to tap into a site visited by a massive number of WoW players -- the perfect place to steal account information. But I can't say it was very good for some of Guildportal's users, who logged on to World of Warcraft to find their characters completely naked next to an unfamiliar mailbox.However, this entire affair was very preventable. First off, Guildportal itself had a vulnerability that allowed hackers to insert the exploit that installed the keylogger. And then in order for the keylogger to be installed, individuals visiting Guildportal had to be running a version of Internet Explorer that was 6 months out of date. Guildportal has taken steps to prevent this from happening again, by patching their systems and banning traffic from China, where the hack attack originated from. (According to Guildportal's response as reported on the forums and a commenter on Madness and Games identifying himself as Aaron Lewis of Guildportal.) But have you taken steps? In Blizzard's post on the subject, they point out Microsoft Security Bulletin MS06-055, released by Microsoft on September 26th, 2006. You can stop many potential keylogger threats by simply visiting Windows Update to download patches regularly -- or, even easier, enabling Windows' Automatic Update feature. Either option would have resulted in your computer being protected from this vulnerability well before now.Think your account has been compromised? GM Kaone offers some good instructions on how to rid your computer of keyloggers (it's a lengthy post but very informative) and then points you to their billing support department for account recovery. (Yes, it is important to get rid of the keylogger before having your account restored -- otherwise you'll end up right back where you started!) But be prepared for a wait -- the account recovery process isn't always fast.See Guildportal's full response to its users after the jump.Other recent security advisories:Beware the cursor hackKeep keyloggers away: New Microsoft hotfix availableMore security warnings from BlizzardBlizzard reminds us to be careful of keyloggers[Via PlayNoEvil, with thanks to robodex for the forums link]
