Thoughts on Account Security

This topic has been bugging me for a few weeks now because I was recently hacked. I didn't lose my gear like many players do; luckily, Blizzard caught them in the act and locked down my account for 24 hours. It seems they were satisfied with my 70k gold and were in the process of cleaning out my banks when they got shut down. While the inconvenience to me was minimal, the emotional toll was not. On the plus side, Blizzard did a very good job of handling my situation and getting my gold and items back to me.

But the whole incident got me thinking about how much time they waste fixing hacked accounts. Being married to a web programmer, I spent much of my restoration period discussing security. It became very obvious to me that there's no guaranteed way to secure Internet-connected computers. Hackers can now install their crap on your system through PDF files and even images on web pages. This is a scary prospect to me. Despite practicing web safety, we can still get hit through technologies we generally consider benign. And the hackers are constantly adapting to stay one step ahead of us.

The problem for us as WoW players is that our game is being targeted. As soon as Blizzard comes up with a new security measure, hackers cook up a scheme to break it. My husband shot down every brilliant idea I had by explaining how a hacker would work around the new hurdle. Instead of playing the hackers' game, why not try changing the playing field? Instead of trying to keep hackers out of our account, perhaps we just make it harder for them to take the goodies they find. If they know they can't make off with our stuff, they might stop trying to get at our accounts. I suspect it's an easier task for Blizzard to control how things work inside the game than trying to control Internet security on 11 million user systems.

Five years ago when WoW first came out, it was a different scene than it is today. I recall one of the developers saying that juggling bag/bank space was a sort of mini-game in its own right. With the new threats to our items and our gold, I think it's time to reconsider that philosophy. Real criminals are targeting our virtual stuff and we probably need to do a better job of protecting it. Unfortunately, players don't have a way to do that without developers giving us the tools. Even if hackers get in, maybe we can prevent them from pillaging our hard-earned items. Here are some ideas I have for ways to secure our items in the game:

Make Our Bank Secure
I would like to see our bank become a true vault. It should be a place where we secure items we don't need to carry on our person. We would be able to put our excess cash there and know that it's locked down. To do this, bank access should have its own password. It should also require a second authenticator code. This would thwart keyloggers since they would have no way to grab this second layer of information from us while spoofing us out of the system. Guild banks also need this extra layer of protection from officer accounts that get hacked. Sometimes our guild suffers just as much as the victim if the compromised account had bank access. I'm sure guild leaders would willingly password sections of the guild bank if it protected them from hacked officer accounts.

End the Mailbox Shuffle
Our bank needs to have enough room to store our items so we aren't forced to carry extra stuff around with us or store it on alts. If we had enough space to store the items we collect, there would be less need to swap items back and forth. We'd be able to keep the bulk of our items in the vault, where it would be harder for hackers to take. Plus it would be easier to spot nefarious item swapping if you got rid of the noise of our current inventory juggling games.

Improve Crafting Mechanisms
Another key change that I think would eliminate a lot of problems is to adopt a new person-to-person crafting mechanism. All tradeskills should function more like Enchanting does, where the crafter and the buyer do not exchange goods. The buyer would put all the required ingredients into the crafting window. The crafter would select the proper recipe, hit the "Create" button and the buyer would get a finished item in their bag. Eliminating legitimate reasons to make large trades between characters will make it easier to police black market activities. In addition, this would protect players from small time scammers and save GMs from having to intervene in a trade gone bad.

Put a Cap on Major Transfers
A big change that I would seriously consider adopting is a cap on how much gold (or equivalent goods) can change accounts. I'm sure Blizzard already tracks what items are worth for game balance purposes. This would involve blocking any trades that go over a certain maximum. In other words - I can't just give you 5000 gold. I can sell you something worth 5000 gold and you can pay me for it, but we would be blocked from making grossly imbalanced trades across accounts. This could be a cap of say 1000g. Or it could be a password-protected transaction like bank access. On the very rare occasion that you legitimately want to give your spouse or friend a really nice item (like a crafted epic), you would just have to provide your bank password and a fresh authenticator number to verify the transfer. In fact, this would hamper gold buying as well as gold selling since receiving a large amount of money from another account could become a red flag activity.
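
A sketch of the cap described above, as an added example that is not part of the original post and not Blizzard's code: it prices both sides of a trade, blocks an imbalance over the 1000g example cap unless the bank password and authenticator check has passed, and flags the receiving account. The price table, account names, the `step_up_ok` flag and the rolling 24-hour total (added so a transfer cannot be split into pieces that each stay under the cap) are assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample price table (gold). The post assumes the game already
# tracks item values; these names and numbers are illustrative only.
ITEM_VALUE = {"Crafted Epic Chest": 5000, "Frozen Orb": 40, "Linen Cloth": 1}
CAP_GOLD = 1000                 # the post's example cap
WINDOW_SECONDS = 24 * 3600      # added here: rolling window against split trades

ALLOW, STEP_UP, ALLOW_FLAGGED = "allow", "step_up_required", "allow_and_flag_receiver"


@dataclass
class Side:
    account: str
    gold: int = 0
    items: tuple = ()

    def value(self):
        # Fail closed: an item with no known price is treated as over the cap.
        return self.gold + sum(ITEM_VALUE.get(i, CAP_GOLD + 1) for i in self.items)


@dataclass
class TransferPolicy:
    cap: int = CAP_GOLD
    ledger: dict = field(default_factory=dict)   # account -> [(time, net value given away)]
    flagged: set = field(default_factory=set)    # receivers of verified over-cap transfers

    def recent_outflow(self, account, now):
        # Drop entries older than the window, then total what is left.
        kept = [(t, v) for t, v in self.ledger.get(account, []) if now - t < WINDOW_SECONDS]
        self.ledger[account] = kept
        return sum(v for _, v in kept)

    def evaluate(self, a, b, now, step_up_ok=False):
        """Decide one trade. step_up_ok is the result of an out-of-band check of the
        bank password plus a fresh authenticator code (hypothetical, not shown)."""
        net = a.value() - b.value()
        if a.account == b.account or net == 0:
            return ALLOW                          # nothing changes accounts on balance
        giver, receiver = (a, b) if net > 0 else (b, a)
        net = abs(net)
        over_cap = self.recent_outflow(giver.account, now) + net > self.cap
        if over_cap and not step_up_ok:
            return STEP_UP                        # blocked until verified; nothing recorded
        self.ledger.setdefault(giver.account, []).append((now, net))
        if over_cap:
            self.flagged.add(receiver.account)    # large inbound value is a red flag
            return ALLOW_FLAGGED
        return ALLOW
```

A fair sale (an item worth 5000 for 5000 gold) nets to zero and passes, while a one-way 5000 gold gift, or a fourth 300 gold gift inside one day, comes back as `step_up_required`.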

I'm sure most WoW users would accept these types of limitations if it meant that account hackings were drastically reduced. It's not often that the average player would even be affected by some of these changes. And if hackers were no longer getting easy access to our stuff, it would remove their motivation to keep trying.

Let's face it, we're all affected by hacking even if we're not the target. Our guild bank gets cleaned out on a regular basis. Our friends don't show up for raids because all their gear is gone. Sometimes we have to help them gear back up. It won't be long before we can't even trust our own add-ons because hackers use them as a way to get onto our computer. GMs take longer and longer to handle legitimate requests because so much manpower is devoted to dealing with hacked accounts. Even if you think it doesn't affect you - it does. All those things you wish Blizzard would add to the game to make your experience better? That manpower is sucked away from real issues to handle the constant stream of hackers tapping into our game and bleeding it dry.

22 comments:

  1. I often wonder just what people do to be "hacked". About 12 months ago my powerbook died so I have been playing on an old PC for a while now. Windows update turned on, No anti-virus, using Firefox with no script. So far in 12 months I have had no problems. Now before everyone yells and states that I have been "hacked" and don't know it, I run snort on my home NAT'ed network. I *know* my network is clean. From chatting to guildies who have been "hacked" they all swear they know about security, then you work out they download software via torrents, use IE, run as administrator, use the same username/password for everything and never update their apps for updates.

    As far as I can see the vast number of people getting "hacked" lack very basic IT skills. Yes Blizzard (and Microsoft) could be doing a lot more, but can they really be expected to deal with the vast majority of the WOW players having limited to no IT skills?

    I have given serious thought to getting an authenticator, but again having seen the problems they cause when our main tank's authenticator died on a Friday afternoon I'm not sure they are worth the bother. Now if I could link 2 of them to my account I would be very interested.

  2. A few great ideas, Kaliope - I'm sure that Blizz should think through some of them.
    I liked most concepts about trade skill/crafting window and bank spacing and security. Guild Wars has quite a nice system too, having 1 vault for all chars and materials stacking into huge amounts to solve probs of heart devoted crafters.
    For me personally I need 3 Alt banks all fully equipped in bags and 4 tabs just to sort materials for all professions and on chars I play to store some neat armor sets I collect since vanilla. Here another thought from Guild Wars or Ever Quest -- personal room, place where one gets in solo and can store armor on special racks, items in cache or fun items on walls etc.
    I'm not sure if games I mention use some patented engines or tools - but why not use some checked ideas that are live already within mmorpg communities. (soz if my eng is not the best ;p)

  3. Do you have an authenticator? It's not foolproof but it's tons safer than living without one. Significantly lowers the chance of getting hacked.

  4. Yes, I did have an authenticator at the time. I also had antivirus running on my system, but even after I diagnosed the keylogger, none of the scanners we tried could find it. Sometimes a new hack just isn't on anyone's radar when it gets you. No matter how careful you are, someone is out there trying to get around your precautions. They got to me through an add-on I downloaded. We heard recently that Curse was distributing an infected file, so even if you get your add-ons from a "safe" source, you can still get hit.

    The real problem is that no system is foolproof - hackers are working all the time to get around whatever we set up. That's why I wanted to posit ways to remove the carrot instead of continually erecting higher barricades in front of it.

  5. I maintain two six-slot guild banks for our group (each player has at least one toon on each guild), one bank holds mats and the other holds items. When one of the officers got hacked, both banks were robbed. The hackers got shut down by Blizzard in the middle of a paid realm transfer - they were going to sell his 80's. It took over a week for Blizzard to deal with everything. He had an updated antivirus and uses FireFox to surf with, but got nailed with an evil add-on.
    I use an authenticator and have gone cold-turkey on add-ons. As much as I love them, they're not worth the pain of getting your account hacked.
    I love your suggestions. Blizzard probably won't go for increased bag space judging from their game philosophy (bank space, on the other hand, should be doable). The other ideas just make sense. How many have had a d/c in the middle of crafting an item for someone, or getting one crafted for you? (Raises hand)
    I would definitely go for a 'safety deposit box' with a password on it!

  6. I had an idea for a bit of security that Bliz could set up that would be very hard to bypass. Simply tie the IP of the computer that is mainly used to the account. Yes, I know there are a few people who play on laptops while working, and certain things could be set up for them as well. While that wouldn't be a total fix, it would help a great deal.

  7. There are dynamic IPs, anonymous.

    I have a hard time believing that an account with an authenticator was hacked. It just sounds like a stupid idea to attack the better protected accounts. But if you said that happened, then it happened. That's scary. I don't even have an authenticator for my bank account...

    Blizzard should also increase security.

    - Don't use your e-mail as login. That was a stupid move.
    - Don't use your game login credentials to login to something as insecure as a web forum... Very idiotic from them.


    And, hell yes, give me a storage like in Guild Wars where you store all your stackable materials. And make this accessible from every one of your chars. It'll look like this.

    Frostweave: 673647
    Linen Cloth: 456
    Frozen Orb: 7
    Vision Dust: 4536
    .
    .
    .

  8. I didn't expect to get hacked with an authenticator until it happened. Clearly enough accounts are using them that someone out there decided it was worth the effort to figure out a way around them. In my case they used a real-time keylogger to feed them my login credentials while spamming me with a fake error message so I couldn't use the auth code before they got into my account with it.

    And yes, it is scary to think that a keylogger could be grabbing all your logins, not just the WoW ones. In my case it didn't matter whether my login was an email address or not, they collected the information right from my keyboard as I typed it. Blizzard encourages you to use a separate email address for your Battle.net account that is not used for any other purpose. And yet, if someone is capturing your keystrokes it doesn't matter how secure your login/pwd is, they've got it.

    At this point I'm with Tweel. I went cold turkey on add-ons. I now have a separate Windows system for gaming and a Mac for more sensitive computer tasks. I type in my authenticator code in separate bits so they can't read it just by following the keystrokes. Even with the extra hurdles I've added, I fully expect that hackers could work around my barriers if they really want to get my info. That's why I think it makes more sense to make our game less of a target rather than trying to outrun them.

  9. WoW Add-on?

    It's impossible that a WoW add-on has anything to do with a hacked account. The add-ons are loaded while entering the game world, which is way after the login procedure.

    Add-ons can only be written in Lua and can only access the functions allowed by Blizzard. A huge part of the Lua library is shut down by Blizzard, like file system I/O.

    On the other hand, if someone puts a trojan.exe into the ZIP file which distributes the add-on and gets the users to execute this exe, then he can install a keylogger. But that has nothing to do with Add-ons.

  10. I feel your pain. I also got hacked and other than an authenticator, which I don't want to do, I have done everything that I can think of to prevent it. I have never gone to any wow-type websites. I don't use addons. I have the Blizzard recommended email address that is ONLY for the battle-net account. I run my antivirus and malicious spyware software daily, and yet still got hacked. I too was treated very well by the Blizzard team and received my gear and gold back after a week or so, but yeah, it made me feel very vulnerable, not only to wow, but now to the thought of all transactions such as banking I do online. May be time to go back to the cash hidden under the mattress with the shotgun like the good ole days eh?

  11. Kring: Agreed, it's impossible for a proper add-on to harm the WoW client. But it's not impossible for an add-on to be tied to a hacking if someone hides their malware inside a download posing as an add-on, which is how they got me. I clicked on the file in my browser to unzip and it turned out to be an .EXE that installed itself. That was my error - that I didn't pay close attention to the type of file I had downloaded and trusted my anti-virus software to spot malware for me. This particular hack was new enough that none of the anti-virus/spyware products we ran could locate it. Which is how anti-virus products can let you down, if you get infected with something they don't know about.

    Unfortunately it's quite easy to hijack a legitimate add-on and use the download file to distribute bad code. Mine came from a web site posing as the author, all it takes is $10 to buy a domain name and set up shop under their name. I've never had reason to be suspicious of author-run sites until this incident. That said, even Curse.com acknowledges that no scanning technology is 100% reliable, so counting on them to protect you from bad files isn't a guarantee of protection either. The way I see it, we can't trust author sites because they are actively being faked. Nor can we trust Curse.com because they acknowledge that malware can sneak past their scanners too.

    It saddens me to say this as an add-on author myself, but if your top concern is security you probably have to stop using add-ons. My Blizzard helper pretty much affirmed this when I asked how best to avoid another incident.

    I agree with you Anon, it can be very uncomfortable to realize how vulnerable you are despite your best efforts. My solution was to purchase a Mac Mini, which will serve as my banking computer. Macs aren't perfect either, but hackers don't tend to target them and Windows-based attacks don't work on them. Not a guarantee, but it moves you lower down the malware food chain.

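
The mix-up discussed in the comments above (a download posing as an add-on that was really an .EXE, or a ZIP that carries a trojan.exe next to the Lua files) can be checked before anything is double-clicked. This is an added example, not code from the post or from any commenter: it inspects a downloaded file's leading bytes and its archive members. The allowed-extension list, the file names and the sample archives are constructed assumptions.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumption: file types a Lua-only add-on package normally contains
# (code, manifest, layout, docs, textures, fonts, sounds).
ALLOWED_EXT = {".lua", ".toc", ".xml", ".txt", ".md", ".tga", ".blp", ".ttf", ".ogg", ".mp3"}


def inspect_download(filename, data):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    if data[:2] == b"MZ":
        # Checked first and by content, not by name: a self-extracting archive
        # is an EXE that also passes zipfile.is_zipfile().
        return [f"{filename}: content is a Windows executable (MZ header)"]
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return [f"{filename}: not a ZIP archive"]
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Only the last suffix counts, so "readme.txt.exe" is seen as .exe.
            ext = PurePosixPath(info.filename).suffix.lower()
            if ext not in ALLOWED_EXT:
                findings.append(f"{info.filename}: unexpected file type {ext or '(none)'}")
            with zf.open(info) as member:
                if member.read(2) == b"MZ":
                    findings.append(f"{info.filename}: member has an MZ executable header")
    return findings


def make_zip(members):
    """Build a ZIP in memory from {name: bytes} (used for the constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a clean package, a package with a bundled executable,
# and an executable stub that only carries a .zip name.
CLEAN = make_zip({"MyAddon/MyAddon.toc": b"## Title: MyAddon\nMyAddon.lua\n",
                  "MyAddon/MyAddon.lua": b"print('hello')\n"})
BUNDLED_EXE = make_zip({"MyAddon/MyAddon.toc": b"## Title: MyAddon\n",
                        "MyAddon/install.exe": b"MZ\x90\x00 constructed stub"})
FAKE_ZIP = b"MZ\x90\x00 constructed stub, not a real program"

if __name__ == "__main__":
    for name, blob in [("clean.zip", CLEAN), ("bundled.zip", BUNDLED_EXE), ("fake.zip", FAKE_ZIP)]:
        print(name, inspect_download(name, blob) or "ok")
```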
  12. Kaliope, I love your blog but many things you are saying here seem to show your idea of IT security is far from best practice.

    Is your Windows account an admin account? If it is you should change that. Never double-click a file from a browser download list. The file extension can be hidden. Use Firefox with noscript and adblock. Noflash is also good. Make sure Windows updates are turned on. Do you have Windows configured to show the file extension? If not you should configure that.

  13. While I haven't been hacked myself, I have been online while a friend was. We actually saw her get kicked out of the game and while we were in vent with her, her toon logged in and ransacked her bank and the guild bank.

    Ever since then I have been more careful with my account. I have an anti-virus software that has an on-screen keyboard that you click the keys. That way no keylogger will ever get your pass/login until they figure out how to track the mouse.

    I still use add-ons, but I stopped downloading from Curse when I first heard about the corrupted files. I refuse to go to wow-wiki, or any wikipedia site, and only frequent a few wow related websites, this one and some tanking forums.

    No system is perfect, but by doing your part, you can help curb the GM's workload. However, I know ppl who get hacked about every 2 months, and they get everything back each time. I feel GM should give it back to you at most twice. After that if you are still getting hacked, then you are doing something wrong, and shouldn't be rewarded for failing at basic internet security. Granted there should be exceptions, but if you are hacked that many times and keep getting your stuff back, then how will you ever learn?

    That said, I love the ideas, keep up the good work Kaliope!

  14. Anon, step back and look at the size of your suggestion list. All of them are good suggestions and will help, no doubt, but is it really reasonable to expect your average home computer user to know about and do all of those things to protect themselves? It'll never happen.

    It certainly doesn't help that Windows (at least most versions) defaults to hiding file extensions and creates a single user account with administrator privileges. It also doesn't help that many programs won't function without administrator privs. Noscript and AdBlock are helpful, but can also be crippling to your web experience if you don't know how to manage exception lists. I know a LOT of computer users who couldn't understand, let alone manage, Noscript exceptions.

    Things really need to evolve so that best practices, for most people, is the simple out-of-the-box experience.

  15. Anon: I may not be perfect in following "proper" procedure, but I've only been hit with malware a few times over the last 20 years, so I don't think I'm a moron either. Much as your advice might be spot on, it shouldn't require a degree in IT to operate a computer. Since clearly it does, that constitutes bad design, which I believe is on Microsoft's head. Users are now paying the price for Microsoft's lack of R&D and corporate ineptitude.

    That said, I'm not trying to have a conversation about my personal security protocols. I'm trying to have a conversation about the futility of Blizzard trying to fight Microsoft's fires for them. I'd prefer to discuss the viability of Blizzard bringing the war to their own turf - the part of the computer world that they actually have control over. Blizzard can either continue to throw money at a problem that they have no ability to fix, or they can look for ways to change the game around in their favor. I'd like to see them spend their gobs of money on other things... like new content. That's why I'm advocating that they look for ways to minimize theft inside the game and divorce themselves from the OS security wars.

  16. This is an interesting topic, with several good suggestions being thrown around. However, best one is Kaliope's "no matter what you do, there is always a way to bypass it."

    While your "End the Mailbox Shuffle", "Improve Crafting Mechanisms", and "Put a Cap on Major Transfers" seem to me like adequate steps, because they all address BOTH player mechanics and security flaws, I have to disagree with your "Make Our Bank Secure" idea. While a keylogger can't directly get what you're typing up in WoW (and I'm not wholly sure it can't be done, BTW), if a malicious program gets installed into your system, they can "sniff" the data traffic you send/receive to/from Blizzard, so in short - harder but possible, while adding a whole new user hurdle.

    I don't use the Authenticator because of precisely that: if you make life hard enough for your users, a good number of them are not going to take the hassle, and that means less clients and less profit for Blizzard.

    While we're thinking outside the box, we could also reflect about the "walls" problem. You complain we have to always erect higher walls around our virtual properties. But why do we have to do so? Because they're valuable. Now is that just "too easy" an analysis? I think not. The key quality that makes your ideas valuable, especially the "End the Mailbox Shuffle" and "Put a cap on transactions", is that they:
    * Don't affect the usual user's experience (save for guild mail/bank alts, supposing there are still people using them instead of regular guilds)
    * They can be put into place without disturbing the game flow (no need to authenticate twice)
    * Dramatically (if done right) reduce the amount of profit one can get from a hacked account before one is caught (supposing Blizzard catches evildoers within the day, what they seem to always manage as far as I've read, and that includes my personal experience). In the real world, you can't limit how much profit a burglar can make from stolen jewels, there are too many commerce layers. But in WoW, there are just two ways to commerce: mail, and direct transfer (ok, there is also character transfer, but that is already monitored). If I have a limit of 5k gold a day (and let's say a reduced limit for newly created characters - an account limit won't work, since you can use a new character on a hacked one) I can only be inconvenienced to a certain limit.

    I'll conclude with another suggestion: transactions over a certain amount (or a certain item value, as you wisely suggest) should be checked and approved by a GM. Other MMORPGs use this system and it works OK.

    Thank you for bringing this up

  17. Hi Scar - thanks for jumping into the conversation! I really like your idea regarding new characters, I've seen the same type of "probation" period in other MMOs but mostly for trial accounts. I agree with your thinking on the user experience, it's always a challenge to protect users without crossing the line of willing participation. If limits were put into place for transfers between accounts, you could probably do away with the "vault" security procedure. Either that or make it an option that the user can opt into rather than making it a mandatory process.

    I would also like to see more vendor-based items become BOA and do away with the BOE goodies, but that may infringe too much on users as well. Mostly because they are now accustomed to using badges to purchase BOE stuff, which Blizzard opened the door themselves on that. Still, it's an idea I toyed with including but ultimately left out because of the user experience issues with it. But if Blizzard can completely kill the Path of the Titans, perhaps they can weather the howling over removing BOE stuff from badge vendors.

  18. Wow, I'm sorry to hear that. I can understand to a degree how you might feel about the whole issue. I've had 2 guild mates in the last 3 months who had their accounts hacked and they lost everything. Blizzard later restored everything to their accounts but both people are personal friends of mine so it was a very disturbing issue for me. Neither of my guild mates had an authenticator so from a security standpoint, I've encouraged them to look into it. I have an authenticator on my account and still take extra precautions but there's never a full guarantee. Hopefully issues like these will be sorted out in the very near future. It's become a habit for me to log in, check to see who has been on when in my guild, and run to the guild bank to make sure everything is still in place. Overall, I'd like to see the ideas you listed above in the game just to give us a little more peace of mind.

  19. This comment has been removed by a blog administrator.

  20. I take as many steps as I can to protect hours of crafting/gathering etc - and have an authenticator, run noscript on FF, use an email address that I use nowhere else for logging in, and even do not use my wow-box for anything other than wow.

    So thanks for pointing out just how a trojan can be delivered through the packaging round an addon. I do use them, and cannot play without them.

    Such a shame that you have been spammed on your blog by someone who sells wow accounts :( I guess they will keep commenting day after day even though you try to remove them.

    Korenmolen

  21. Bah, no kidding! I would turn comments off for this post, but I hate doing that for a topic that's reasonably current.

    If my experience helps someone else avoid being hit by a virus via a method they were not already aware of, it's been worth talking about. I fully expected to get barraged with "noob" comments, but luckily we've managed to keep it reasonably sane :)

  22. Kaliope, thanks for the thoughtful ideas on changing a few game mechanics to slow down the hackers after they have access. I've never been hacked, but have really started to be concerned with all of the stories.

    Your approach is dead on about limiting the profit opportunities that hackers can get, rather than solving all of the security opportunities on a web-based game with millions of users.
