Late Night Rant: Let’s Talk Security

I want to start out by saying that my hacked account story had a happy ending – all my stuff is back and my account has been returned to me. It went fast, and I am extremely happy. I won’t be touching the game again until I can get an authenticator, though; I don’t want to go through this again. I trust my friends will let me know if something dodgy is going on, but the password is changed and I’ve gone through my own security habits and updated them a lot. You won’t get my stuff again!

[Image: pantless gnome] My character ran around like this for hours, farming elementals for the hacker.

But let’s talk security. When your account is hacked, who is really to blame? This is all a thought experiment; this is not actually blaming anyone for what can happen to your account. Don’t get upset. But I can’t help feeling that the usual defense – “it’s all your own fault, Blizzard/NCsoft/Game Company X had nothing to do with it” – can be a bit, well, weak.

Because frankly, we don’t know. We don’t know what is going on on their side. While I am quite sure that this was all my own fault, somehow, it is hard to not hear warning bells ringing when every sweep of my computer turned up nothing at all. Now, no anti-virus or malware-scanner is infallible. Something might have been missed. It might not even be on my computer, perhaps it’s from a forum or WoW-related site that I used the same e-mail and password for (I just love logging into WoW with my e-mail, btw. Absolutely love it. /sarcasm).

There has been a rise in hackings lately; we certainly saw a huge rise in it around Christmas. There might be all kinds of reasons for this, but I won’t rule out that there might have been a security breach at Blizzard. It’s unlikely; a huge company like that can of course afford the best security money can buy. At the same time, the hackers are getting bolder and bolder, and – worst of all – richer.

Do you seriously believe that they would add an official authenticator to your account if they couldn’t afford to buy one just for that particular hack? They get your username and password, add a $6 authenticator to it to buy themselves enough time to grab as much gold as they can before Blizzard can intervene. That’s $6 off the bottom line that they just have to hope will be worth it in the end (I doubt that my account was worth it, I hardly had any gold worth mentioning and not many emblems for gems), for every account. It’s no longer a quick hack and run. It’s a hack and fortify run.

There’s so much money in World of Warcraft now that these schemes are getting more and more complicated. The hackers constantly come up with new plans to circumvent the security measures that are put in place. Even the authenticators, hailed as a way to end hacking, are being used against the poor sods (like me) that don’t have one. And they will keep doing it, until either someone comes up with a security system that is fail-safe, or the market in World of Warcraft gold collapses. And only the players can make that happen.

Because of this, I don’t buy into the whole “it’s always your own fault”-idea. It is probably true, but since we don’t know what actually is going on at Blizzard, I think we should at least be open to the idea. People make mistakes, every security system can potentially be compromised. And the hackers have shown, over and over again, that they are able and willing to do whatever it takes to get hold of your gold. There’s just too much money in it.


6 comments

  1. Moxy says:

    Wait, “perhaps it’s from a forum or WoW-related site that I used the same e-mail and password for” you say? You mean you used the same user/pass combo on 3rd-party sites? Umm, if so, I would have called off the keylogger search from the beginning… There’s your security leak right there.

    People are way too suspicious of malware on their system, in my opinion. Hacking and pulling password lists from other websites is way more common and effective. If the Chinese cyber-terrorists were able to get partway into Google, and hack god knows how many other “large companies from a wide range of businesses”, then how far do you really trust your average WoW-related website that’s probably using well-known, out-of-the-box forum software with no security patching at all?

    There would be way less hacked accounts if people just followed the simple rule: Do not use your WoW password *anywhere* else.

    • Petter says:

      Very true. I am not sure, but in a brief lapse of sanity, I might just have done that. Sad, embarrassing, but probably true. I learned my lesson way too late.

  2. I think it’s pretty terrible that Blizzard switched from a username to your email address. It basically means that if someone knows your email, it’s one less thing to hack.

    Was your account brute force hacked? Do Blizzard have anything in place to prevent or detect it?

    • Petter says:

      Yeah, I think it’s idiotic as well – it’s for Battle.net. My old username had absolutely nothing to do with me and you had to really know me and a few friends to even briefly consider it. I guess I should set up a completely new e-mail just for it, but I didn’t think that far. “It won’t happen to me”, etc etc.

      See above, I believe it was a third-party site somewhere, mixed with me having the same e-mail/password there. Blizzard always put the blame on the customer, of course. Not much else they can do, really, even if they had a security breach themselves. It would be a PR-nightmare if that was true and leaked.

  3. Longasc says:

    I wonder if they would have made Pockie into one of the Un’Goro farmbots – for that, they mostly use Rogues or Fury Warriors.

    I am glad you have your stuff back, but I am also concerned: Even before Christmas, extremely aggressive hacking and new methods (like hacking fan forums and greatly “improved” phishing mails) made me very concerned; a lot of my friends got hacked.

    NCsoft is of course the worst offender in this regard: They don’t restore stuff like Blizzard (Aion, GW etc.) and their webpage had blatant security flaws – i.e. the infamous you could randomly get logged in to someone else’s account. It already happened to me during Aion launch, suddenly I was in the account of someone who had only GW Prophecies and Factions. I logged out – I really did not realize it was not my account, I just noticed this is “wrong”.

    As I just got contacted in the STO -BETA- by a goldseller, I would like to add something more… for those who probably don’t read this anyways.

    By buying gold you do not save yourself time and you also “do not hurt anyone”. You support such account theft and all that. If there were no demand, this industry would not exist. Think about it.

    • Petter says:

      The NCsoft story should make anyone wary of any MMO-company, that there might be problems server side. It was just bizarre.

      And the gold seller in beta is just hilarious. Absolutely mindblowingly hilarious. Wonder how much business they got out of it? I remember back in PotBS, when I played it for a review, it felt like I was all alone together with the gold spammers. Chat window was useless, spam in every channel. It was scary.

Copyright © Don’t Fear the Mutant
Virtual worlds, massive multiplayer games and assorted ramblings
