Why Blizzard is losing the race for account security (and what free alternatives are doing to win)

April 15th, 2009

Blizzard's Authenticator

Any gamer knows that the biggest fear in an MMO is having your account hacked and all of your gear, gold and potentially characters stolen or deleted.  On a daily basis we hear stories from fellow gamers about having their accounts hacked and their gear sharded and sold off.  Blizzard has made a solid effort with its authenticator, which adds a real second factor of authentication, but there are other (free) games that are seemingly ahead of the game with their login protections, and they don't require you to carry around a big blue key chain (or pay an additional $7).

The threat of account theft spans all MMORPGs, and attacks range from simple brute force to elaborate social engineering and clickjacking setups.  In the past, game developers made few attempts to prevent account theft, and it is only in the recent generation of MMOs that GMs have become more willing to restore "stolen" gear.  I would attribute this to improved logging of the trafficking of goods and gold from character to character and realm to realm, which makes it harder to fake your own account being hacked in hopes of some free lewt.

The most well known example of a game developer providing additional account security is Blizzard's World of Warcraft Authenticator (pictured above), and it does provide a solid two-factor method of authentication that will thwart anyone who has your password but does not have the device (or a current code from it).  However, there has been a strong effort among developers of free MMOs to provide enhanced security without any additional cost.  Below, we will profile three games, WoW and two free MMOs, and their particular methods of account security.

World Of Warcraft (Blizzard Entertainment)

Blizzard's Authenticator prompt

Security Method: Additional Hardware

Blizzard has a lot of weight on their shoulders when it comes to ensuring account security, if for no other reason than the fact that they have a huge subscriber base and every time someone's account is hacked they need to devote resources to researching the attack and restoring anything lost.  It is therefore in Blizzard's best interest to promote account security and keep gold and epics on the players who earned them.  The solution they provide is an additional piece of hardware, a key fob that displays a one-time code when a button is pressed.  The code looks random but is generated in sequence from a secret stored inside the device, and it is entered in addition to your password.

This security model is not particularly new; individuals in the security field may be familiar with RSA SecurID tokens, CryptoCards or YubiKeys, which provide either an on-demand or a time-cycling one-time password (OTP) that is used as an additional authentication step, entered either separately or appended to the end of your normal password.  PayPal has also recently begun producing its "football", which is the same type of device but has some security issues of its own that we don't need to get into here.

The benefit of a separate hardware device that produces an OTP is that it truly provides two-factor authentication.  That is to say, logging in requires both something you KNOW (your password) and something you HAVE (the authenticator), and one will not work without the other.  This is strong against keystroke monitoring, whether it is keylogging software or hardware on the computer you are using or someone staring over your shoulder, because whatever they capture is worthless a moment later: each code is accepted once, and the next time someone attempts to log in to your account WoW will require the next code in the sequence, which the attacker does not have.  The caveat is that this protects against replay, not against real-time relaying.  Someone who tricks you into entering your password and a fresh code into a fake login page and uses them before you do still gets in, and the device does nothing for a session that is already logged in.  It does, however, kill the most common attack, the keylogger that ships your credentials off to be used hours or days later.
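To make the replay property concrete, here is an added example (not Blizzard's implementation, whose internals are not described on this page) of a counter-based one-time password in the style of RFC 4226 HOTP: the fob and the server share a secret, the fob advances a counter on every button press, and the server only ever tries counter values beyond the last one it accepted. The secret, password and look-ahead window size are constructed for the demo.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer, then reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Token:
    """The key fob: a shared secret and a counter that advances on each button press."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class AccountServer:
    """Server side of one account: the password, the same secret as the fob,
    and the highest counter value it has already accepted."""

    def __init__(self, password: str, secret: bytes, window: int = 5):
        self.password = password
        self.secret = secret
        self.last_counter = -1
        self.window = window  # how many skipped button presses are tolerated

    def login(self, password: str, code: str) -> bool:
        if not hmac.compare_digest(password, self.password):
            return False
        # Only counters strictly beyond the last accepted one are candidates.
        # That is the replay protection: a code that was already used (say,
        # captured by a keylogger) maps to a counter that is never tried again.
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                return True
        return False


def demo():
    # Constructed demo secret; real tokens are provisioned with a random per-device key.
    secret = b"constructed-demo-secret-not-real"
    fob = Token(secret)
    server = AccountServer("hunter2", secret)

    first_code = fob.press()
    legit = server.login("hunter2", first_code)       # True
    replay = server.login("hunter2", first_code)      # False: code already consumed
    wrong_pw = server.login("password", fob.press())  # False: second factor alone is not enough
    for _ in range(3):                                # user presses the button idly
        fob.press()
    resync = server.login("hunter2", fob.press())     # True: still inside the look-ahead window
    return legit, replay, wrong_pw, resync


if __name__ == "__main__":
    print(demo())
```

The look-ahead window is the usual trade-off: it lets the server recover when the user presses the button without logging in, but every extra value of `window` is another code an attacker could guess against, so it is kept small and failed attempts are counted.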

The downside to Blizzard's authenticator is twofold: the cost and the fact that it is something else you need to carry around.  The Blizzard Store (when it's available) lists the authenticator for about $7, which seems a reasonable price to ensure the security and longevity of your virtual life, and it is unarguably the most secure method of the three discussed here, but the point still stands that there is an additional cost.  Also, if you lose the token or it breaks, which has been known to happen, you are pretty much unable to log in at all, which could theoretically cause more downtime than actually getting hacked, given how efficient Blizzard generally is at restoring accounts.

Requiem (Gravity Interactive)

Requiem Logon

Security Method: Mouse-entered PIN

Here we have the character login screen for Gravity Interactive's free MMORPG, Requiem.  Requiem chose a different route than Blizzard and added security to the logon process by requiring a separate PIN when logging into a character.  As a free MMO, they would be hard pressed to convince players to invest any money in the game, particularly for account security.

Requiem Key Pad

Requiem's PINs are character specific.  Each time you make a new character on the account, you are required to create a 4-digit PIN, which then has to be entered whenever you attempt to log in to or delete that character.  An interesting side effect of this feature is that multiple people could play on the same account without worrying about one interfering with another's character (not that you couldn't just make a new account for a second player, as the game is free).

What makes the PIN entry resistant to key logging is that it only accepts input from mouse clicks, so a keylogger sees nothing, and every time you click a number the keys all shuffle.  This defeats the next obvious trick, recording your mouse movements and clicks: each time you enter your 4-digit PIN you are clicking different areas of the screen, so a replayed set of clicks lands on different digits.  It does not stop malware that grabs a screenshot on every click, and a 4-digit PIN has only 10,000 possible values, so it relies on the server limiting failed attempts.  Additionally, with a purely software-based logon, you don't have to worry about losing anything and being unable to connect.  Wherever you need to access the game, your PIN will always be available (depending on your state of mind, of course) to authenticate you.

The weakness inherent to any static logon information is that someone could watch, video or otherwise observe you entering your password and PIN (though both are displayed as *'s on screen, so they would have to observe your keystrokes and mouse clicks; a privacy screen would prevent this) and then log into your account and characters.  However, even having one character's PIN found out does not totally compromise the account, as each character should have a unique PIN.

Runes of Magic (Runewaker Entertainment)

Runes of Magic Logon

(RoM actually has decent graphics; this screenshot was taken on a laptop at the lowest settings)

Security Method: On-Screen Keyboard

The final case we will look at is Runes of Magic.  While theirs is what I would consider the least revolutionary of the three, the effort is not to be scoffed at, as it still provides keylogger-proof password entry.  When you log into your account and tab down into the password field, an on-screen keyboard appears and you are encouraged to use a mix of keyboard and mouse clicks to enter your password.  Using only the mouse is the better route: if you mix the two, a keylogger still captures the typed characters, and a password with a few blanked-out characters, "p__swo_d" for example, wouldn't be THAT hard for a potential hacker to fill in.

As with the numbers on Requiem's keypad, RoM's keyboard is not in a static location on the screen, again to prevent recorded mouse movements and clicks from being replayed to spoof a login.  Each time you go into the password field, the keyboard appears in a different location on the screen.  Additionally, RoM requires you to create a second password whenever you create a character on a new server.  However, you will only ever be prompted for this password again when trying to delete a character (which, interestingly, has a 24-hour "undo" option that will immediately restore your character).
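Both of the mouse-entry schemes above, Requiem's reshuffled keypad and RoM's relocated keyboard, rest on the same idea: the client only reports where the user clicked, the server alone knows what was drawn there, and the drawing changes after every click. The following added example (my own illustration, not code from either game) implements that server side for a digit keypad with both a random key order and a random pad origin, then shows a recorded set of click coordinates failing when replayed against a fresh session. Screen size, key size, lockout threshold and the PIN are all constructed values.

```python
import secrets

KEY_SIZE = 40       # each key cell is KEY_SIZE x KEY_SIZE pixels
COLS, ROWS = 5, 2   # ten digit keys laid out in two rows of five


class PinPadSession:
    """Server side of a mouse-entered PIN. The client only ever sends click
    coordinates; the server alone knows which digit each coordinate meant."""

    def __init__(self, pin: str, screen=(800, 600), max_attempts: int = 5):
        self.pin = pin
        self.screen = screen
        self.max_attempts = max_attempts
        self.attempts = 0
        self.entered = ""
        self.rng = secrets.SystemRandom()
        self.layout = {}
        self.shuffle()

    def shuffle(self) -> dict:
        """New random key order (as in Requiem's keypad) and a new random pad
        origin (as in RoM's keyboard). Called after every click, so a recorded
        sequence of click positions means something different next time."""
        digits = list("0123456789")
        self.rng.shuffle(digits)
        ox = self.rng.randrange(0, self.screen[0] - COLS * KEY_SIZE)
        oy = self.rng.randrange(0, self.screen[1] - ROWS * KEY_SIZE)
        self.layout = {}
        for i, d in enumerate(digits):
            row, col = divmod(i, COLS)
            self.layout[d] = (ox + col * KEY_SIZE, oy + row * KEY_SIZE)
        return self.layout  # this is what gets rendered to the client

    def hit_test(self, x: int, y: int):
        for d, (kx, ky) in self.layout.items():
            if kx <= x < kx + KEY_SIZE and ky <= y < ky + KEY_SIZE:
                return d
        return None

    def click(self, x: int, y: int) -> str:
        if self.attempts >= self.max_attempts:
            return "locked"
        digit = self.hit_test(x, y)
        self.shuffle()  # reshuffle regardless of whether the click hit a key
        if digit is None:
            return "miss"
        self.entered += digit
        if len(self.entered) < len(self.pin):
            return "more"
        ok = secrets.compare_digest(self.entered, self.pin)
        self.entered = ""
        if ok:
            return "ok"
        # A 4-digit PIN has only 10,000 values, so lockout is what makes it viable.
        self.attempts += 1
        return "locked" if self.attempts >= self.max_attempts else "fail"


def center(layout: dict, digit: str):
    x, y = layout[digit]
    return x + KEY_SIZE // 2, y + KEY_SIZE // 2


def enter(session: PinPadSession, digits: str):
    """A legitimate user: look at the rendered layout and click each digit's key.
    Returns the final status and the raw coordinates a click-logger would capture."""
    clicks, status = [], None
    for d in digits:
        x, y = center(session.layout, d)
        clicks.append((x, y))
        status = session.click(x, y)
    return status, clicks


def replay_attack(pin: str):
    """Record a real login's clicks, then replay the same coordinates against a fresh session."""
    legit, recorded = enter(PinPadSession(pin), pin)
    victim = PinPadSession(pin)
    status = None
    for x, y in recorded:
        status = victim.click(x, y)
    return legit, status


if __name__ == "__main__":
    print(replay_attack("4826"))
```

The replayed coordinates either miss the pad entirely or land on the wrong digits, so the result is never "ok". What this does not cover is an attacker who captures the screen at each click and reads the digit off the image, or one who simply guesses: with 10,000 possible PINs the `max_attempts` lockout is doing as much work as the shuffling.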

Summary

While it would be hard to argue against Blizzard's authenticator being the most secure of the bunch, requiring an additional investment seems unnecessary.  I'm not opposed to having to pay for the hardware, which is really about all they're charging for, but they should not leave those who don't want to or for whatever reason can't get an authenticator susceptible to key logging or social engineering attacks.  Implementing a simple, free option similar to Requiem's, or even just an on-screen keyboard, would be much appreciated and would go even further to ensure the safety of everyone's accounts.

MG_Chris | MMORPG, entertainment, gaming

  1. April 15th, 2009 at 13:07 | #1

    Digg it: http://digg.com/software/Blizzard_being_shown_up_by_free_MMOs_in_account_security

    (easier than having to use the submit button at the bottom of the post :) )

  2. April 15th, 2009 at 13:16 | #2

    Great article, however don’t forget that Blizzard now offers the authenticator for the iPhone/iTouch with a side note indicating their intentions to develop the same platform for other devices soon.

    This alternative is free of cost and while it obviously won’t be a possible solution for everyone I wouldn’t expect it to take long for more common alternatives to be made available.

    Especially due to the required Battle.NET conversions I expect the authenticators to be usable for all future Blizzard games. Thus driving their desire to get it (the authenticator) out to as many players as possible.

  3. April 15th, 2009 at 15:02 | #3

    Yeah, I’d imagine the authenticator will eventually be tied between all your Blizzard game accounts through battle.net. Would be interesting if they set up a text based service for non-smartphone users. I’ve heard of some other sites that will send you a OTP via text.

  4. May 10th, 2009 at 18:56 | #4

    That was nice. Thank you for sharing this one.