

  • Blizzard policy changes in reaction to account security concerns

    Adam Holisky

    WoW.com has learned through sources close to the situation that, after our series of posts describing some questionable internal policies at Blizzard concerning account administration and security, as well as the likely introduction of mandatory authenticators, a few of these policies have been changed this evening. First, the ability of billing representatives to directly roll back characters to previous states has been more or less removed, preventing the "onioning" exploit we spoke about earlier. Account administrators still have this ability, of course, but the change should prevent people from gaming the system over the phone. We do not know whether this ability will be returned to billing representatives once they receive the proper training and tools. Second, the care package deal has been sweetened. We're not exactly sure how, only that it has been improved from what it was this morning. World of Raids was tracking the response to these stories on the Customer Service Forums and found a post by CSF blue Syndri detailing some specifics of the care package as it stood earlier today. We cannot be sure whether Syndri's post still applies to the package as it now stands (given the changes), but it is probably safe to assume that it does. We have also learned that managers are being directed to ensure everyone is presented this care package as an optional alternative to full restoration, something we understand was not consistently happening before. Syndri's enumerations after the break.

  • How flaws in Blizzard's billing department are being exploited

    Adam Holisky

    Please see the update to this original post. In our continuing series on account security issues present within Blizzard's offices, we bring you news that lax training in Blizzard's billing department is being exploited by those attempting to game the system and illegitimately acquire more gold and high-value in-game items. The critical flaw in Blizzard's system is that billing support personnel are currently given the ability to "roll back" characters to previous versions more or less on the spot, with the customer on the phone. Because of this, a high degree of flexibility and personal accountability rests with the billing representative. The flexibility extended here is vitally important to customer service; however, the training that should accompany that flexibility is, we are told by multiple sources, inadequate, and this leads to the exploit being practiced by a growing number of individuals. The exploit relies on human interaction (i.e. social engineering), which is notoriously the weakest point in any security system. It is often referred to internally as "onioning," and involves the player repeatedly claiming to Blizzard's billing support representatives that the account was compromised. There are obviously more details to doing this, but we don't want to provide a how-to. Blizzard is aware of how this is done, and they are currently not implementing checks to combat it.