June 30, 2008 3:57 PM PDT

'World of Warcraft' to sell token device for added security

by Elinor Mills

The makers of World of Warcraft are offering players of the online role-playing game an optional layer of security in the form of an electronic token device called Blizzard Authenticator designed to prevent unauthorized access to an account.

The lightweight device, which fits on a keyring, provides a unique, one-time six-digit numeric code that the account holder includes when logging in. It is used in addition to a password and account name.

It was offered to attendees at the 2008 Blizzard Entertainment Worldwide Invitational in Paris over the weekend and will be available for $6.50 through Blizzard's online store soon, according to the company.

"It's important to us that World of Warcraft offers a safe and enjoyable game environment," Mike Morhaime, CEO and co-founder of Blizzard Entertainment, said in a news release distributed last week. "One aspect of that is helping players avoid account compromise, so we're pleased to make this additional layer of security available to them."

World of Warcraft users have had their share of security issues. Last year, hackers were luring players to Web sites and surreptitiously downloading keylogging software onto their Windows computers through vulnerabilities in Internet Explorer. The software allowed the hackers to hijack the victims' WoW accounts and sell off valuable in-game assets.

WoW players also have been targeted by a password-stealing Trojan sent via e-mail and peer-to-peer file-sharing sites.

It's unclear exactly what prompted the company to release Blizzard Authenticator. A company spokesman said on Monday that representatives were still in Paris where it was late at night and could not immediately be reached for comment.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press. E-mail Elinor.
by someguy999 June 30, 2008 5:18 PM PDT
What they really need to do is sell life-tokens which prevent people from being on WOW for more than 3-4 hours at a time and encourage people who spend too much time on WOW to go outside and see what the real world is like.
by The_Decider June 30, 2008 5:31 PM PDT
What a pointless device, other than to use to fleece the ignorant. A strong password is good enough, Blizzard should be enforcing a much stricter password policy. Of course that doesn't bring in more money.
by mementh June 30, 2008 10:17 PM PDT
ummm dude.. if PayPal uses a token of this nature.. it's good.. why should a token device not be used?

I got my password guessed once and the person took 20k (USD) of stuff off my account in RuneScape.
by rucknrun July 1, 2008 4:57 AM PDT
My account got hacked. I think it is a good idea. Somehow I got a key logger on my machine. I stopped playing after that.
by crazynexus July 1, 2008 6:42 AM PDT
Blizzard's account security is a joke. I'm a casual player, and I happened to notice while on vacation with my fiancee an email coming through saying my account password had been changed. I tried logging in via the website, and couldn't. Managed to get the password reset, and when I got home, all my gear was gone. The ONLY way they could access my account was a brute force attack. My computer at home is more secure than the gov't network I use at work, so there were no trojans at all or keyloggers. I don't have any addons loaded, so they HAD to brute force my account and password. Giant freakin' joke, and the GMs treat you like it's your fault that your account got hacked and that they're doing this MAJOR GIANT service for you by giving everything back. Took 3 weeks and a threat to the GM review email to get my gold back. I've barely played since resetting my password, and will probably just quit altogether here soon, especially if they treat all clientele that way.
by bullryder8476 July 1, 2008 6:44 AM PDT
I don't understand how this is any added security. If there is a keylogger program picking up what you key in, wouldn't it pick up the 6-digit security code you are entering?
by Idyot July 1, 2008 7:10 AM PDT
It's probably something like one of these: http://www.rsa.com/node.aspx?id=1158

It generates a numeric key every 5 seconds or so. The key gets synchronized on the server-side during logon. If the server does not validate the numeric key (e.g., you took too long to log on), then you need to log on again using the next key that is generated. I've used 2 kinds of these in the past - 1 that just keeps on generating new keys, and another that had a keypad that required you to enter a 4-digit PIN before it would display a key.
by zero-kill July 1, 2008 7:01 AM PDT
@crazynexus: if it were a browser based keylogger (which is oftentimes the case) then no matter how secure you think your computer is, they can get you. Also it doesn't matter if you use Mozilla vs. IE, they were both compromised by the simple algorithms.

@bullryder8476: Yes and no, the code changes every time you log into the game (or so it should) thus it will give that layer of protection. As for how effective that'd be versus a keylogger has yet to be proven.

I'd say go ahead and try this, although it's probably a waste of resources since the main population of WoW has never been, nor ever will be, "hacked". I'm not too worried about my account being tampered with, nor that of my friends; it's just the cost of surfing the internet in the wrong places and not scanning an inbox or two correctly.
by crazynexus July 1, 2008 7:45 AM PDT
to Zero-kill: It could be, but what's weird is the group of people I usually run around with, about 60% of us got nailed in the stretch of about 2 months. The only websites I'm usually on when I log into WoW are either wowhead, cnn, or espn checking sports scores. I use gmail, so that should be safe. I've never been to a gold farmer website, nor had anyone else use my account. Not to mention I had not been logged in for over a week when I did get hammered.
by bullryder8476 July 1, 2008 7:16 AM PDT
ty zero-kill, I don't worry too much about it either; it's more the people using such websites as the gold sellers and powerleveling that I believe are the ones getting "hacked".
by VerusEx July 1, 2008 10:01 AM PDT
Blizzard seems to have an internal security problem. Accounts on new computers that have never surfed or received Email are being hacked.

Our small guild is made up mostly of adults many in the software development and security community and we are seeing a rapidly increasing number of hacked accounts.

The new device may not be useful but it will placate users while Blizzard works on the real problem.

NB... How will Blizzard explain hacked accounts when users are using their new security device?
by skeeech July 1, 2008 1:20 PM PDT
Well I have been a fan of Blizzard's from the days of the original Warcraft and Diablo games. My WoW account got hacked and I use a Mac and don't go to sites that might infect a machine. I would have to think my account was brute forced as well. I've played for 4 years and did not have any uber stuff really but it was a drag for the few days it took to get everything back. But within 5 days of reporting the theft/compromise Blizzard made me whole. If these tokens work like my token for work it will add a second factor for security which will help at least a little. I was also guilty of having a password that was not very complex. I've fixed that now.
by anonymous123123123 July 7, 2008 10:02 AM PDT
Found out this morning that my old, defunct, World of Warcraft account (had not played since early release in April 2005) apparently was compromised/internally hacked. It couldn't have been a keylogger or trojan on my end because I hadn't played the account since 2005. Thus it must have been an internal job. Someone went in, reset the password, and also activated a subscription with a Discover card I don't own. (I'm guessing Blizzard had purged my old credit information, fortunately).

Have tried to call Blizzard today at their 1-800 support/billing number, but keep getting either a busy signal or a message "We're sorry, all lines are busy" ... so I'm becoming suspicious this is not an isolated incident.
by striike August 11, 2008 8:44 AM PDT
Ok, this is how it works. I know because we use this at work. You have a token on hand that gives you a generated 6-digit number. It is only good for about 30 seconds. You use this code in addition to your password. So even if there is a keylogger, they won't be able to hack your account, since the code is only good for one use. When the hacker tries to use your info, the code has already changed, and it will continue to change every 30 seconds, making it impossible to crack the password.
Even if the hacker was sitting next to you, and logged you off by logging on immediately after you entered your info, you would be able to kick them off by logging in again, and they would no longer have the password.
The only way someone could get in on someone else's account would be to hack Blizzard directly, and their security is a bit better than what average Joe has in their house.
by striike August 11, 2008 8:48 AM PDT
Oh, forgot to mention. The tokens my work uses are from a second party company. So more than likely, Blizzard is using the same thing. So hacking Blizzard wouldn't help, either. The investment to beat this system would be too much for the average hacker to bother with.