5 Oct 2010

Authenticators: Busting the Myths

There’s been a lot of talk about the Blizzard Authenticator recently. Some people are firm advocates who feel they are a magic bullet for account security. Others believe they’re a waste of money or a pointless inconvenience. Still more think that an Authenticator is only for those people who don’t practice safe computer hygiene.

All of these opinions are wrong and I’m going to explain why.

A Small Exercise

I want to start off by asking you to think about your Warcraft account. Go in-game on your main and type /played, then make a note of how many hours you’ve clocked up. Do the same for any of your major alts. Multiply this by the hourly rate that you’d normally be paid, or expect to be paid if you were working. You could have spent that time earning money, or learning a new skill. Instead, you and I choose to spend our precious spare time in-game. That time is worth something.

Next, have a look at your subscription. Work out how many months of subscription you’ve paid and how much you forked out for the game and its expansions. Again, this is probably a fairly big number.

So we have a figure for how much you’ve spent on the game, and a rough idea of the value of the time you’ve spent playing. Now you could add them together and come up with a number for the total value of your Warcraft account, based on the time and money you’ve poured into it. I’m not going to ask you to do that. Just keep the figures in mind.

Risk Mitigation

I discussed the gold trade in a previous blog post back in April, so I don’t want to wax lyrical on it here. The mechanics behind hacked accounts and gold selling are well known. But what are the risks to your account if you don’t use an authenticator? What methods do hackers use to get access to your account, and how can you protect yourself against them?

  • Network Intrusion & OS Vulnerability – put a computer on the internet and someone will start attacking it. Hackers scan vast swathes of the internet with automated tools, looking for exposed and vulnerable PCs that are easy to exploit. Using a router can shield your computer, as can strong firewall software.
  • Browser Vulnerabilities – it was once possible to visit a web page using Internet Explorer and pick up all kinds of computer viruses. Although browsers these days are more secure they’re not bulletproof. EpicAdvice recently fell victim to a malware problem that was caused by a compromised advertising provider, so you can’t even rely on trusted sites to remain secure. Most modern anti-virus software will detect Trojans as long as they are regularly updated.
  • Plugin Vulnerabilities – Tools like Flash have been used to inject malware onto computers. As we’ve already established that you can’t rely on trusted sites to remain safe, the only other option is to disable browser plugins completely. It’s either that or remain at risk.
  • Website Vulnerabilities – Do you use gmail, Yahoo mail or any other webmail service? Are you registered on a guild forum or a fansite with that address? Do you use the same password for some or all of these? Hackers are known to target these websites for email addresses and passwords. Keep them separate from your Warcraft RealID, or use a different password, or both.
  • Zero-Day Exploits – this is when a new attack is discovered and used by hackers before the antivirus or software companies know about it. Depending on the attack vector (the mechanism used to get it onto your computer) there may be no known way of protecting yourself from it.

So although you can harden your network, use updated security software and practice safe computing, you can’t make yourself completely immune to attacks. That’s the real risk – something you’re unprepared for will sneak onto your computer. If you have a laptop and surf the internet in a public place, you increase that risk.

How It Works

Most malware parcels up your account data and sends it off to be processed later. Your account might be hacked the first time your login data is copied away, or it might be several weeks later. It’s impossible to say. Once they have your username (your RealID) and your password they can log in to your account when you’re least likely to be around. An authenticator protects against this type of attack, as the generated code expires after a few minutes.

In a twist, hackers these days tend to add an Authenticator to accounts that they manage to get the details for. After all, if your details have been picked up by one then chances are that they’ll be picked up by others. They don’t want a different hacker taking their newly-won account from them.

A few attacks these days happen in real-time, alerting the hacker as soon as you launch Warcraft. He then watches your keystrokes as you type them and uses them to log into your account management pages, before changing your details. Importantly, this attack can be used against people with Authenticators, although good computer hygiene makes it much more difficult to pull off.

Exposing Others

Now that we’ve established the ways in which your Warcraft account could be at risk, it’s worth looking at the size of that risk.

If your account gets hacked, what would you do? Would you put in a request to get your account reinstated or items returned? Would your reputation in your guild or server be damaged if your characters were used to spam gold adverts on the forums? Would you just throw away the time you’ve invested in the game and quit entirely?

Widening the picture slightly, do you have guild bank access? Are you an officer or crafter that has the ability to remove valuable stock? Would your guild be able to carry on normally if you withdrew everything you could from the guild bank? Would your guild’s reputation be damaged if you were hacked, harming future recruitment?

It is important to understand that you as an individual might decide that not using an authenticator is worth the risk. But these days being hacked doesn’t just affect you – guild banks, recruitment and so on mean that you’re also exposing others to the consequences of you taking a risk.

Is it worth it?

Authenticators should not be necessary. If operating systems were secure, if browsers worked safely and plugins were locked down we would probably be fine. If the guild website your guildmate made three years ago was hardened and maintained to industry standards you probably wouldn’t need to worry. And if Warcraft was a single-player game that we never went back to, it probably wouldn’t matter anyway.

The problem is we don’t live in that world. Systems are imperfect, used by imperfect people and wrapped in imperfect security. Practicing safe computing only helps so far. An authenticator helps reduce the risk substantially, but doesn’t eliminate it completely.

The decision has to be your own. Part of that decision is how much risk you think there is to your account. Understand the consequences of what happens if your account is hacked, and how those consequences affect others.

Authenticators aren’t a “fix all” or magic bullet, but they do help to dramatically reduce this risk. For anyone who’s invested time in the game or has access to significant resources, I’d encourage you to get one.


17 Responses to Authenticators: Busting the Myths

  1. Keeva says:

    When our bank balance went up over about 50k, I realised it was time to protect it with an authenticator.

    I’ve removed all withdrawal (gold) levels for officers, but that was because of ex officers abusing the bank. Everyone squeals “omg, X got hacked, demote him!” and I tell them to relax. The most that can happen now is that they could withdraw some glyphs out of the first tab.

    I think people are too complacent – they figure they can just put in a ticket and get it replaced. I’ve seen lots of friends go through the pain of having to have their items restored, it’s not always simple and it’s not fast – quite different to what many people think.

    • Gazimoff says:

      I’ve heard reports of a raidguild officer getting hacked hours before raid start time and taking out all the guild’s farmed consumables. They ended up cancelling that night’s hardmode progression.

      I agree though, guild bank access controls are something to consider as part of this.

      Do you think you’ll restrict some bank access or guild levels to require an authenticator when the feature becomes available?

  2. Pingback: Tweets that mention Authenticators: Busting the Myths | Mana Obscura -- Topsy.com

  3. Tillemon says:

    A friend recently brought to my attention an interesting feature of authenticators. You can’t use the same authenticator code twice, even if you log in within the time limit. You can try it yourself – log in with a fresh code, quickly log out and try logging in again with the same code. It won’t let you. Presumably this is to prevent Man in the Middle attacks.

    • Gazimoff says:

      That’s an interesting effect I wasn’t aware of, and you’re probably right about it preventing man in the middle attacks. Thanks for the heads up.

      • Rilgon Arcsinh says:

        The last Man in the Middle attack against authenticator users intercepted the real login attempt and prevented it from reaching Blizzard’s servers, meaning that the code was never used and was still usable to the attackers.

        That said, it takes a very sophisticated and very time-sensitive MitM attack to pull off.

        • Svinder says:

          Read about that as well, that is why every time I get the message that my pw is wrong (which WoW says if either the pw or the auth code is wrong), I always enter the pw anew with the same auth code, and about every time it just works.
          Of course the reason I mess up my pw from time to time is by writing it too fast, having a simple typo. But just to be sure, I always use the same auth code again.
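
The two properties discussed here, a code that expires after a few minutes (the “How It Works” section of the post) and a code that is refused the second time it is submitted (Tillemon’s and Rilgon’s comments above), as an added illustration that is not Blizzard’s code: an RFC 6238-style time-based code with a simplified server-side verifier. Blizzard’s token uses its own algorithm, and the 30-second step, the seed and the timestamp are constructed assumptions.

```python
import hashlib
import hmac
import struct

STEP = 30    # assumption: seconds per code; the real token's period is not on the page
WINDOW = 1   # accept one step of clock drift either side of the server's clock


def otp(secret: bytes, counter: int, digits: int = 8) -> str:
    """RFC 4226 dynamic truncation of HMAC-SHA1 over the step counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float) -> str:
    """What the token displays at wall-clock time `now` (unix seconds)."""
    return otp(secret, int(now // STEP))


class Verifier:
    """Server side: a code is accepted only inside the time window, and only once."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.last_counter = -1  # highest time step already consumed by a login

    def check(self, code: str, now: float) -> str:
        base = int(now // STEP)
        for counter in range(base - WINDOW, base + WINDOW + 1):
            if hmac.compare_digest(otp(self.secret, counter), code):
                if counter <= self.last_counter:
                    return "replay"  # the same (or an older) code submitted again
                self.last_counter = counter
                return "ok"
        return "invalid"  # wrong code, or one captured too long ago to be useful


def demo() -> tuple:
    secret = b"constructed-demo-seed-not-a-real-token"  # constructed sample seed
    t0 = 1_286_236_800.0                                 # constructed timestamp
    server = Verifier(secret)
    code = totp(secret, t0)                   # what the user reads off the token
    first = server.check(code, t0 + 5)        # genuine login: "ok"
    second = server.check(code, t0 + 10)      # same code again, still in window: "replay"
    stale = server.check(code, t0 + 3 * STEP) # logged by malware, used later: "invalid"
    # The MitM case from the comments: if the genuine submission never reaches the
    # server, the attacker's submission becomes `first`, and neither check catches it.
    return first, second, stale
```

The replay check is why the comment thread’s observation holds: the server remembers the last time step it accepted, so the harvested-and-used-later case and the used-twice case fail for different reasons, while a code the server has never seen stays valid until its window closes.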

  4. Bigguss says:

    Frankly, I think it’s absolutely daft to NOT have an authenticator bound to your account. As you quite rightly point out the time invested in the game, for nearly everyone I know who plays the game, is huge. To not do everything possible to protect that investment is madness.

    The relatively small cost to purchase an Authenticator is a tiny cost to pay for an additional layer of security for your account. Plus, you get a cool two headed doggy thrown in for good measure.

  5. Bordy says:

    I forked out for a keyring type authenticator when they first became available. It eventually became out of sync and I was unable to access my account or play WoW until Blizzard fixed it. By ‘fixed’ they suggested I remove it from the account (though there were very sensible security precautions to ensure I had the right to do so).

    I now have the iPhone authenticator app which is free (if you have an iPhone or the iPod Touch). I wouldn’t be without one, and my guild will now not permit ANY guild bank access without one.

    • Gazimoff says:

      No bank access at all? Has that caused any friction/problems?

      • relysh says:

        We did something similar – we gave non-auths access to only our 1st tab (so we can do things like move something down there for them/they can contribute and we can move it if they like) and restricted the rest of the tabs from them. After having 4 accounts hacked and 4 guild bank restores, we had to put the hammer down. It didn’t cause any friction at all, and we actually had many guild members get themselves authenticators after watching other people be unable to raid for 2 weeks while they waited for their gear to be restored.

  6. Bordy says:

    As far as I know there was no problem and all active guild members use authenticators anyway.

  7. Derevka says:

    The new Guild Management tab can restrict access for members/officers with or without an authenticator. I gotta admit when I saw it I went “Oh ho! well played blue….”

  8. Cynra says:

    We, too, implemented a policy some time ago requiring members to have an authenticator in order to have access to the bank. Officers would have to visually confirm the use of an authenticator (typically with use of the Core Hound) before promoting anyone to a rank with guild bank access. This was a decision made after a number of our members were hacked — sometimes repeatedly.

    In general, the decision was fairly well received. All of our members recognized the need to increase security on our guild bank. There was some grumbling, but within the span of perhaps two weeks 95% of our members had an authenticator associated with their accounts. We’ve yet to have an authenticator-carrying member hacked and our guild bank has remained untouched for months.

    One thing to note regarding the authenticators is a substantial change in policy Blizzard has made in their use. The company recently announced that, from this point forward, authenticators can only be associated with a single Battle.net account at a time. While neither Lylirra nor Zarhym provided explanation for the change, most people are assuming that this is to prevent compromised accounts from being linked with a single authenticator (though some crackpots are surmising that this is actually an attempt to bolster authenticator sales).

    You can read more about it in Battle.net Authenticator Change on the official General Discussion Forum.

  9. Pingback: Authenticators; or Why I Wasn’t Guild Leader For A Week « Manalicious