Authenticator
Latest
Updates to the iPhone mobile authenticator
Normally we don't get too excited over updates to the Battle.net Mobile Authenticator, but reader El Oreo brought the most recent update to our attention. Version 1.1.0 of the iPhone version of the mobile authenticator contains the following updates: A new "Copy" feature lets you copy the currently displayed authentication code into your device's clipboard. You can then paste it into other text entry fields, such as when accessing Battle.net Account Management on Safari. Miscellaneous UI improvements. Obviously that second note isn't all that exciting, but I think the first one is worth mentioning. This is a feature users of the mobile authenticator have wanted for awhile, not just for Safari but also for Blizzard's other upcoming app. To be more specific, the Auction House app that Blizzard has recently announced (which I hope and pray is as good as Fallen Earth's mobile app). You'll need to log in to use it, so you'll most certainly need to use the authenticator that's on the exact same phone. Since the iPhone doesn't let you use two applications at the same time, this copy feature is going to be a welcome addition. Sure, you could just remember what the generated code is, but this is 2010. Who remembers things anymore? I have computers for that.
The Queue: Keeping it classy
Welcome back to The Queue, WoW.com's daily Q&A column where the WoW.com team answers your questions about the World of Warcraft. Alex Ziebart will be your host today. We haven't kicked off The Queue with reading music in awhile, so let's change that. Once upon a time I posted some Rhett and Link for you, an internet-based musical comedy duo, and people seemed to enjoy it. So here's more! Behold, the T-Shirt War. T-Shirt War was actually my second choice behind the far more hilarious Butt Drugs, but perhaps Butt Drugs aren't as safe for work. Still, funny stuff. Butt Drugs. The Queue is actually a bit short today, since a majority of the questions we've been receiving require rolling bones and gazing into a crystal ball to answer. If you have a non-Cataclysm question for us, please ask in the comments below! busuan asked... "Why is there almost no sound effect for a warrior's shouts? In Diablo II, the similar shouts come with awesome sound effects. But in WoW, warrior shouts merely generate a visual cue. If Blizzard though effect were annoying to other people, they could have restricted the effects as self-only."
Update: Keylogger source identified
Just a quick update from from our friends at World of Raids about the current situation regarding circumvented authenticators. It appears there are multiple websites being used for this malware. Be careful of which sites you go to in order to update your addons from; fake website addresses are being used to trick users. For example, one of the fake sources appears as a "Sponsored Link" right at the top of a Google search. Don't actually visit that site and be sure to warn players asking about addons where to go. What happens is the fake site will allow you to download a fake copy (did you see fake?) of the WowMatrix AddOn Manager which installs the emcor.dll. This Trojan (Malware.NSPack) can currently be detected by Malware Bytes. Thanks Kody!
Man in the middle attacks circumventing authenticators
It has been brought to our attention that Blizzard's technical support department is currently handling a security exploit that is, in a limited capacity, circumventing authenticators. Before we get into the details, please do not panic. This does not make authenticators worthless, and it is not yet a widespread problem. Do not remove your authenticator because of this, and do not base your decision on whether or not to buy an authenticator off of this. They are still very useful, and your account is much safer with an authenticator than it is without one. This is not the only report of this that we've seen, but it is the first time that a Blizzard representative has openly acknowledged that there is something afoot. For a full account of what happened, check the thread on the EU Technical Support forums. To sum up: There is a piece of malware (emcor.dll is what is being reported at the moment) that is being used as a hijacking tool to facilitate Man-in-the-Middle attacks on users. Kropaclus After looking into this, it has been escalated, but it is a Man in the Middle attack. http://en.wikipedia.org/wiki/Man-in-the-middle_attack This is still perpetrated by key loggers, and no method is always 100% secure. source To explain in the simplest way possible, instead of data being broadcast directly to Blizzard when trying to log in to your account, that data is being broadcast to a third party via this malware. This includes your authenticator code. Rather than you logging into your account, the hacker on the other end does so. They log into your account, clear out your characters, and move around virtual funds to fulfill orders from players buying gold. This method of circumvention has been theorized since the release of the key fobs, but it has only now started to actually happen.
Mobile Authenticator available for Android
Blizzard appears to be trying to make it easier for everyone to have an Authenticator and to that end, there is now a Mobile Authenticator for Android. The Android version works just like the iPhone/iTouch app and is available at the Android App store (you can view it via a third party site). Once you get it on your phone, you then link it to your account at the official World of Warcraft Account Management page. We have reports of the app working for people. Though we were unable to find this app from Blizzard directly, we believe it to be legitimate. However, we have contacted Blizzard for confirmation. We'll let you know what they have to say when we hear back from them. Update: Here is the link to the official Blizzard support page for the Android app. Looks like it's legit. Update 2: Here is the official announcement. If you don't have an Authenticator yet, we can't recommend it enough. The added protection an authenticator provides to your account is much greater than the slight inconvenience of needing access to your phone whenever you login. This is particularly the case if you game at internet cafes. %Gallery-49197%
Debunking another hacked authenticator story
One of our readers, Bill, sent us a tip about a WoW account issue on The Consumerist. It seems that the ownership of Anonymous's friend's account is under dispute and Blizzard won't let him use it in the meantime. The ownership became disputed after the account was allegedly hacked, even though there was allegedly a mobile authenticator on the account. His friend has given up on the account, complete with Val'anyr, and has created a new one. We can't confirm any of the facts in this case. I am willing to believe that Anonymous is truly upset and believes the story he tells to be true, even though he is posting anonymously. There are some serious red flags, however, that seem to point to Anonymous not having all of the facts:
Blizzard shines the spotlight on account security
At least judging by the number of emails we've been getting about them, WoW scams have never been more popular than they are now. So I'm very happy to see that Blizzard has launched a new Account Security section on their Battle.net site, featuring tips on how to keep your Battle.net account safe. A lot of it is common sense - things like using an authenticator (which also gets you a nifty Corehound pet), not giving your account name/password to anyone (even if they say they're a Blizzard employee), and keeping up-to-date browser software and anti-virus on your computer. It never hurts to reiterate these things, though; many accounts get compromised every day through not observing these rules.
Help! My account has been hacked!
There are so many scams going around like the Catclysm Alpha invite and the WoW Armory phishing site, that people's accounts are getting stolen more than ever. With all of the work that Blizzard has to do to keep up with the problem, it's no wonder they are offering the fast solution of care packages. We've talked about how to avoid scams as well as how to protect yourself. Here is a guide as to what to do if your account gets stolen. Important note: The following guide assumes that you have not put an Authenticator on your account. There are no confirmed cases of accounts being stolen if they are protected by an Authenticator.
Breakfast Topic: What are you doing to protect your account?
While it is certainly nothing new, it seems that you can't spit without hitting someone who has, or has had, a compromised account. These WoW account predators are getting more clever by the day, with using everything from keyloggers, sham contests, betas and security checks, to even grabbing an account and immediately attaching an authenticator to it. Now, any moderately-savvy internet user would just scoff, and say that they take all necessary precautions -- what's there to worry about? Fair enough, but what about those who, well, don't? Blizzard has said time and time again about safe-guarding your account information, yet people still jump onto those fake Cataclysm betas and fancy new mount prizes. Make something idiot-proof, and they'll build a better idiot, eh? That being said, what are you doing to protect your prized polygons? Do you have a good anti-virus installed? A malware scanner? If you don't have an authenticator, how come? It's only about the price of a grande Starbucks drink, and will provide a longer-lasting effect of happiness and joy to your life. Discuss amongst yourselves!
Beware of WoW Armory phishing scams [Updated]
First things first: the correct address for the WoW Armory is wowarmory.com. Bookmark it. Memorize it. But don't ever, ever search for it again. We've talked before about how misspelling searches can get you into trouble. But even if you spell WoW Armory correctly when Googling, the first sponsored site that shows up is a phishing site -- and it's a really good one. Update 1:10pm: Google seems to have removed the site from their sponsored listing in the short time since I wrote this post. Kudos! Nonetheless, there are and will be more sites using the same technique, so the warning remains valid. Do not go to the following site: armory-worldofwarcnaft.com/wowarmory/, it is evil. Notice the n in warcnaft? You may not when you are clicking on it in your search page or when it shows up in your address bar. And that's what they are counting on. Because the rest of the site looks authentic. When you type in what you want to search for, you get asked for your Battle.net info. Then, no matter what you type in, it gives you a password error. (I typed in profanity. It was fun.) They have stolen all of the elements of the actual Blizzard pages, so that if you want your login page in other languages, just a click of the button will get you there. But don't. It's evil.
The Queue: Not quite mutual destruction
Welcome back to The Queue, WoW.com's daily Q&A column where the WoW.com team answers your questions about the World of Warcraft. Alex Ziebart will be your host today. I want to kick off this edition of The Queue by thanking you guys for submitting your armories to the reboot of Pimp My Profile. Our first edition will be hitting this upcoming Wednesday. In an ideal world, we'll have one for you every single Wednesday after that. On to the Q&A! RogueJedi86 asked... "Why were the Dragonflight Aspects created/assigned if they can be killed with no repercussions whatsoever? Killing Malygos didn't do so much as give Mages a nosebleed, despite being the Custodian of Magic. And I doubt killing Deathwing will do anything to the earth either."
The best of WoW.com: January 6-13, 2010
It's been a busy week over at WoW.com and in the WoW world. We've heard from our sources late last week that the internal friends and family alpha will be beginning for the next World of Warcraft expansion, Cataclysm. And while this has lots of people excited, chances are you probably will never get in -- unless you know someone. There were also lots of other interesting stories this past week, from the WoW movie being pushed up thanks to Spider-Man's demise, to security holes and care packages, to papercrafts that prove none of us have any real artistic talent. The best of WoW.com for the week is after the break.
The Queue: Now or later
Welcome back to The Queue, WoW.com's daily Q&A column where the WoW.com team answers your questions about the World of Warcraft. Alex Ziebart will be your host today. It's been awhile since I've done listening music for The Queue. It's a lot of fun to do, but we do it so often here on WoW.com that it's starting to get a little stale. I've started to miss doing it though, so here you go. Today's listening music is some fantastic Rhett and Link, who you probably have never heard on the radio. Which is a shame. YimmyZ asked... "Is there any lore related to Emblems/badges? Something like the people need so many badges to draw magic from to imbue items or some such?"
In defense of care packages and mandatory authenticators
If you read WoW.com with any regularity, you probably saw and read our pieces on Friday discussing some rather curious policies Blizzard has recently instituted. There are two in particular that I'd like to discuss further: The care package for hacked accounts and the possibility of mandatory authenticators. First, how many of you have had your accounts stolen, or know someone that had theirs stolen? Chances are good every single person that reads this post will raise their hand to that question. The problem is not a small one. I'm in a rather large guild, and every few weeks someone has their account stolen and the little bits of our guild bank they have access to go with them. My large guild is also just one guild in a larger guild alliance which suffers the same problems. Every two weeks or so, someone I see online on a regular basis gets their account stolen.
Blizzard giving serious consideration to mandatory authenticators
WoW.com has learned through trusted sources close to the situation that Blizzard is giving serious consideration to making authenticators mandatory on all accounts. According to our sources, while this policy has not been implemented yet and the details are not finalized, it is a virtually forgone conclusion that it will happen. This response is a direct effort to stop the massive number of compromised accounts by gold sellers and keyloggers. The seriousness of the situation with compromised accounts has reached such a level that wait times for item and character restoration are entirely unacceptable, even to Blizzard executives. Blizzard has taken other internal measures to deal with long wait times of people in account restoration queues, and we'll be covering those measures tomorrow. However, with the inclusion of mandatory authenticators, this should solve a major problem for Blizzard's support and account administration teams.
The Twelve Days of Winter Veil: Day nine - BlizzCon goody bags
The last of the three contests today is quite a bundle of goodies. BlizzCon 2009 goodies to be exact. We are giving away two BlizzCon 2009 goodie bags, including all original contents. Winners will recieve, among other things, a code for Grunty The Murloc Marine in-game pet, the Noobz Raynor action figure and an official BlizCon 2009 authenticator. You can view the full contents of the goody bag in the gallery below. The contest is open to legal residents of the 50 United States, the District of Columbia, and Canada (excluding Quebec), and everyone who enters must be 18 or older. To enter, leave a comment on this post before 12pm ET (noon) Saturday, December 26, 2009. Please be sure to use a real email that you check often to enter, so we can contact you should you be one of the winners. You may enter only once and two winners will be selected randomly. Each winner will receive 1 BlizzCon 2009 goody bag with a retail value of US$125. Click here to read the official contest rules. EDIT: Contest closed. Thanks everyone! %Gallery-70612%
Using the Corehound Pup to secure Guildbanks
Authenticator owners received a nice surprise in their mailboxes when Patch 3.3 dropped: the corehound pup pet. It's absolutely adorable and a completely unexpected bonus to having a secure account. But it has also caused much kvetching among those who feel they are too careful to ever need the authenticator. Pet envy caused some to sign up for the free application for their phone or buy the physical gadget in order to obtain the two-headed cutie. But they soon discovered that removing the authenticator from their accounts also removed the pet. Their loss can be your gain, however. One problem that many guilds have is that some of their high ranking members, with full bank access, have account security issues. When a guildbank gets raided by a hacker, it affects the entire guild -- not just the compromised account. One thing guild leaders can do to protect all members is require authenticators for bank access. Previous to patch 3.3, this was hard to prove. Now GLs can just ask to see your corehound pup.
Shipping costs removed from Authenticators
We'd already noticed last week that the Authenticators in the US store had gone free shipping, but now official updates on Blizzard's site say it's true in the EU as well. American authenticators still cost $6.50, but you no longer have to pay anything extra for shipping, and EU authenticators have had their price dropped to €6.99. That's still over $10, but they're at least cheaper than they used to be. There's a drawback, however: apparently they went with cheaper shipping, because you can no longer track shipments of authenticators, and shipping will take a little longer (up to 15 business days in the US). Which makes sense, given that you want these things as cheap as possible. Ancilorn answers some other Authenticator questions as well -- there's no discount for buying multiple units at all; what you see is what you get. And while the only authenticator for purchase at the moment is the Corehound branded unit, there may be more art available in the future, and of course you don't need a Corehound-branded Authenticator to get the Corehound Pup pet. Any Authenticator will do that, including any of the authenticators made for mobile phones, as long as it stays attached to your account. Whew -- that should answer all the questions anyone has. As we said the other day, if you don't have one of these yet, it's probably time to look in to getting one. Not only will your account be more secure, but you'll get that free pet as well.
WoW Insider Show live today at 3:30pm Eastern
Our podcast is live on the virtual air today at 3:30pm Eastern (8:30pm GMT) over on Ustream, and it's an all-star show for sure. We'll have Michael "Belfaire" Sacco, Matthew W. Rossi, and Adam Holisky all on the show with us, so I don't expect to have to say anything. Maybe I'll just shout out something like "patch 3.3" and see what evolves from there. But Turpster and I will still be on, and if we can corral these guys, we'll be talking about how big a change the Dungeon Finder really is, Corehound Pups in the mail for Authenticator users, and this patch in general. Should be quite a show. And we'll be answering your emails -- if you have a question for any of us, feel free to send it along to theshow@wow.com. And of course we'll be doing the usual preshow and aftershow, so if you plan to turn up live after the break (or listen via the Ustream app on the iPhone), make sure to stick around for a little bit afterwards and we'll be chatting with you directly. See you this afternoon!
Time to get that Authenticator
Well, they started giving away pets for having an authenticator, so I guess it's about time I went ahead and put one on my account. I've had the app on my iPhone for a while, actually, but I never really saw the point in attaching it to my account, especially since it seemed like just more hassle, and who knows what kinds of errors could pop up. And honestly, I haven't worried much about hackers -- I use a secure browser, I don't click on unknown links. But I know, I know, it's safer, and with the cute Corehound Pup out, I might as well go ahead and attach it. And you might as well, too. Blizzard's Store was flooded with people looking for authenticators yesterday, but things have slowed down a bit, and they've even got a brand new design with the Corehound Pup right on there. The price, as usual, is $6.50 with free shipping. If you've got an iPhone or an iPod touch, you can get the app free from iTunes, and we're told that it's coming to other platforms at some point in the future (guess when: "soon"). Even if you don't want to apply the Authenticator for whatever reason, just think of it as an almost-half-price pet.
