5 Oct 2010

Authenticators: Busting the Myths

There’s been a lot of talk about the Blizzard Authenticator recently. Some people are firm advocates who feel they are a magic bullet for account security. Others believe they’re a waste of money or a pointless inconvenience. Still more think that an Authenticator is only for those people who don’t practice safe computer hygiene.

All of these opinions are wrong and I’m going to explain why.

A Small Exercise

I want to start off by asking you to think about your Warcraft account. Go in-game on your main and type /played, then make a note of how many hours you’ve clocked up. Do the same for any of your major alts. Multiply this by the hourly rate that you’d normally be paid, or expect to be paid if you were working. You could have spent that time earning money, or learning a new skill. Instead, you and I choose to spend our precious spare time in-game. That time is worth something.

Next, have a look at your subscription. Work out how many months of subscription you’ve paid and how much you forked out for the game and its expansions. Again, this is probably a fairly big number.

So we have a figure for how much you’ve spent on the game, and a rough idea of the value of the time you’ve spent playing. Now you could add them together and come up with a number for the total value of your Warcraft account, based on the time and money you’ve poured into it. I’m not going to ask you to do that. Just keep the figures in mind.

Risk Mitigation

I’ve discussed the gold trade in a previous blog post back in April, and I don’t want to wax lyrical on it. The mechanics behind hacked accounts and gold selling are well known. But what are the risks to your account if you don’t use an authenticator? What methods do hackers use to get access to your account, and how can you protect yourself against them?

  • Network Intrusion & OS Vulnerability – put a computer on the internet and someone will start attacking it. Hackers scan vast swathes of the internet with automated tools, looking for exposed and vulnerable PCs that are easy to exploit. Using a router can shield your computer, as can strong firewall software.
  • Browser Vulnerabilities – it was once possible to visit a web page using Internet Explorer and pick up all kinds of computer viruses. Although browsers these days are more secure, they’re not bulletproof. EpicAdvice recently fell victim to a malware problem that was caused by a compromised advertising provider, so you can’t even rely on trusted sites to remain secure. Most modern anti-virus software will detect Trojans as long as it is regularly updated.
  • Plugin Vulnerabilities – Tools like Flash have been used to inject malware onto computers. As we’ve already established that you can’t rely on trusted sites to remain safe, the only other option is to disable browser plugins completely. It’s either that or remain at risk.
  • Website Vulnerabilities – Do you use Gmail, Yahoo Mail or any other webmail service? Are you registered on a guild forum or a fansite with that address? Do you use the same password for some or all of these? Hackers are known to target these websites for email addresses and passwords. Keep them separate from your Warcraft RealID, or use a different password, or both.
  • Zero-Day Exploits – this is when a new attack is discovered and used by hackers before the antivirus or software companies know about it. Depending on the attack vector (the mechanism used to get it onto your computer) there may be no known way of protecting yourself from it.

So although you can harden your network, use updated security software and practice safe computing, you can’t make yourself completely immune to attacks. That’s the real risk – something you’re unprepared for will sneak onto your computer. If you have a laptop and surf the internet in a public place, you increase that risk.

How It Works

Most malware parcels up your account data and sends it off to be processed later. Your account might be hacked the first time your login data is copied away, or it might be several weeks later. It’s impossible to say. Once they have your username (your RealID) and your password they can log in to your account when you’re least likely to be around. An authenticator protects against this type of attack, as the generated code expires after a few minutes.

In a twist, hackers these days tend to add an Authenticator to accounts that they manage to get the details for. After all, if your details have been picked up by one then chances are that they’ll be picked up by others. They don’t want a different hacker taking their newly-won account from them.

A few attacks these days happen in real-time, alerting the hacker as soon as you launch Warcraft. He then watches your keystrokes as you type them and uses them to log into your account management pages, before changing your details. Importantly, this attack can be used against people with Authenticators, although good computer hygiene makes it much more difficult to pull off.
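The expiry behaviour described above, as an added example (not from the original post and not Blizzard’s own code). It uses the open TOTP algorithm (RFC 6238) as a stand-in, since the post does not describe the Authenticator’s algorithm; the secret, the 30-second step, the drift allowance and the timestamps are assumed values.

```python
import hashlib
import hmac
import struct

STEP = 30          # seconds a code stays current (assumed value)
DRIFT_STEPS = 1    # verifier also accepts one step either side for clock drift


def totp(secret: bytes, now: float, step: int = STEP, digits: int = 6) -> str:
    """RFC 6238 code for the time step containing `now`."""
    counter = int(now // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Verifier:
    """Server side: checks the code and refuses to accept a time step twice."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_used_counter = -1

    def check(self, code: str, now: float) -> bool:
        current = int(now // STEP)
        for counter in range(current - DRIFT_STEPS, current + DRIFT_STEPS + 1):
            expected = totp(self.secret, counter * STEP)
            if hmac.compare_digest(expected, code):
                if counter <= self.last_used_counter:
                    return False                 # same code submitted again
                self.last_used_counter = counter
                return True
        return False                             # code is outside the window


def demo() -> dict:
    secret = b"constructed-demo-secret"          # constructed sample, not a real key
    t0 = 1_286_236_800                           # constructed login time
    code = totp(secret, t0)                      # what the token shows at t0
    reuse = Verifier(secret)
    return {
        "owner_login": Verifier(secret).check(code, t0),
        "copied_code_weeks_later": Verifier(secret).check(code, t0 + 14 * 86400),
        "first_use_in_window": reuse.check(code, t0 + 10),
        "second_use_in_window": reuse.check(code, t0 + 20),
    }
```

A code copied alongside the password is useless weeks later, but inside its window it is good for whoever submits it first; single-use tracking on the server narrows that gap without closing it.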

Exposing Others

Now that we’ve established the ways in which your Warcraft account could be at risk, it’s worth looking at the size of that risk.

If your account gets hacked, what would you do? Would you put in a request to get your account reinstated or items returned? Would your reputation in your guild or server be damaged if your characters were used to spam gold adverts on the forums? Would you just throw away the time you’ve invested in the game and quit entirely?

Widening the picture slightly, do you have guild bank access? Are you an officer or crafter that has the ability to remove valuable stock? Would your guild be able to carry on normally if you withdrew everything you could from the guild bank? Would your guild’s reputation be damaged if you were hacked, harming future recruitment?

It is important to understand that you as an individual might decide that not using an authenticator is worth the risk. But these days being hacked doesn’t just affect you – guild banks, recruitment and so on mean that you’re also exposing others to the consequences of you taking a risk.

Is it worth it?

Authenticators should not be necessary. If operating systems were secure, if browsers worked safely and plugins were locked down we would probably be fine. If the guild website your guildmate made three years ago was hardened and maintained to industry standards you probably wouldn’t need to worry. And if Warcraft was a single-player game that we never went back to, it probably wouldn’t matter anyway.

The problem is we don’t live in that world. Systems are imperfect, used by imperfect people and wrapped in imperfect security. Practicing safe computing only helps so far. An authenticator helps reduce the risk substantially, but doesn’t eliminate it completely.

The decision has to be your own. Part of that decision is how much risk you think there is to your account. Understand the consequences of what happens if your account is hacked, and how those consequences affect others.

Authenticators aren’t a “fix all” or magic bullet, but they do help to dramatically reduce this risk. For anyone who’s invested time in the game or has access to significant resources, I’d encourage you to get one.

