This is a long time coming, but that’s the way it goes with a 1-year-old around.
Randy Johnson of The Instance hypothesized that only about 1/5 of the people who have purchased or been given a Blizzard Authenticator are actually using them. Now, I understand that every time security measures are tightened, resistance to adoption grows almost proportionally. But, unlike many security features (e.g. stupidly long, complex passwords that change every 2 weeks and cannot be reused, practically begging people to write them down), I think this one could actually live in the sweet spot between added security and added operator overhead, where people will actually use it and be excited enough to get their friends and relatives to use one as well.
Before I continue, I should lay down some basic terms.
Multi-Factor Authentication: I think the great Steve Gibson would agree with my over-simplistic definition of Multi-Factor Authentication as, “Something you know with something you stow.” What this means is that you combine something like your username and password with something else that generates a unique identifier proving that you are, in fact, in possession of the paired device.
Keylogging/keylogger: Being “keylogged” means a third-party piece of software is reading your keystrokes. That software commonly grabs your username and password keystrokes (or, in the more advanced versions, pasteboard accesses) and reports them to some malicious user, who then uses that information for their own nefarious purposes. For our purposes, we’ll consider gold selling and account selling.
Phishing: When a malicious third party sends you correspondence designed to mislead you into giving out your sensitive information. In my opinion the most common form is an official-looking email that directs you to a site designed to look exactly like the official site, into which you’d enter your authentication credentials.
Clickjacking / UI Redressing: In very basic terms, the page you see is a decoy, and the information you think you’re submitting to it is actually being entered into a hidden layer sitting beneath (or above) what you see. Imagine your web page as a piece of paper between panes of glass, with a transparency sheet laid over your site (or a hole cut in your sheet; it doesn’t matter). Data you entered on what you thought was the web page is intercepted (hijacked) by the layer sandwiched between the other sheets of glass.
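The usual defence against the layered-page trick just described is for a site to tell the browser it may not be loaded inside another site’s frame at all. The checker below is an added example, not code from the original post or from Blizzard; it inspects a response’s headers and reports whether the page can be framed. The sample header sets are constructed for the demo; the header names and directive semantics are real ones (Content-Security-Policy frame-ancestors takes precedence over X-Frame-Options in browsers that support it).

```python
def _csp_directive(csp: str, name: str):
    """Return the source list of a named CSP directive, or None if the directive is absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == name:
            return parts[1:]
    return None


def framing_protection(headers: dict) -> tuple:
    """Inspect response headers and report whether another site could load this page in a frame.

    Returns (protected, reason). frame-ancestors is checked first because supporting browsers
    ignore X-Frame-Options when the CSP directive is present.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    ancestors = _csp_directive(lower.get("content-security-policy", ""), "frame-ancestors")
    if ancestors is not None:
        open_sources = [s for s in ancestors if s in ("*", "http:", "https:")]
        if open_sources:
            return False, "frame-ancestors allows any origin: " + " ".join(open_sources)
        return True, "CSP frame-ancestors " + " ".join(ancestors)
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, "X-Frame-Options " + xfo
    if xfo.startswith("ALLOW-FROM"):
        return False, "X-Frame-Options ALLOW-FROM is obsolete and not honoured by current browsers"
    return False, "no framing restriction; the page can be loaded in a hidden frame"


# Constructed sample responses, as a login page's headers might look (demo data, not captured).
SAMPLES = {
    "unprotected": {"Content-Type": "text/html"},
    "xfo_only": {"X-Frame-Options": "SAMEORIGIN"},
    "csp_none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp_wildcard": {"Content-Security-Policy": "frame-ancestors *", "X-Frame-Options": "DENY"},
}


def audit(samples: dict) -> dict:
    """Run framing_protection over every named header set."""
    return {name: framing_protection(h) for name, h in samples.items()}


if __name__ == "__main__":
    for name, (ok, why) in audit(SAMPLES).items():
        print(f"{name:14s} {'protected' if ok else 'VULNERABLE':10s} {why}")
```

Note the `csp_wildcard` case: a permissive frame-ancestors list undoes an otherwise strict X-Frame-Options header in any browser that honours CSP, so the two headers have to be reviewed together rather than one at a time.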
Okay, enough of that. I think just reading those definitions gives you a little bit of an idea of what we’re looking at. Essentially, I’ll be talking about a small piece of tech that will help WoW players protect their investments. Quick aside for the non-Azerothian: World of Warcraft (WoW) is a Massively Multiplayer Online Role-playing Game (MMORPG, or MMO). What that means in our case is that it’s a persistent gaming environment in which massive numbers of people participate, on the order of thousands in a given realm (server) at the same time. Being a persistent environment means that people spend a good deal of time gathering items, virtual currency and relationships that, while they have no real-world representation, certainly have real-world value. There are hundreds if not thousands of sites dedicated to the conversion between real and virtual currency alone. These “gold selling” sites have to operate under the radar, as what they’re doing is against the terms of service in this, and most other, MMOs. One of the more recent avenues for this clandestine operation is to use keyloggers, phishing and clickjacking to steal players’ account information, log in, liquidate all their equipment and items, and move that cash to some mule they have planted on a given server so they can turn around and sell that gold for real American dollars, at a pretty decent exchange rate too.
This obviously has a negative impact on the players and their friends, as well as their guild if applicable. I’ve heard far too many stories and have had far too many friends lose their characters, equipment and gold. It’s a very humbling feeling, much like being robbed in real life. Recovering these lost goods is a hit-and-miss process, and a very time-intensive one at that. To help us players and, I assume, to cut down on the man-hours spent fighting these issues, Blizzard introduced their Authenticator around June of last year (2008), for a very affordable price of $6.50.
The Authenticator is a small security token that algorithmically produces a 6-digit, one-time-use code, acting as the “something you stow” in the multi-factor authentication scheme. The device is time-synchronised and carries a 10-digit identification code that, I presume, seeds the production of the 6-digit code, which is reproduced on the authentication server. The key bit is that, during a given window of time, only your Authenticator is presumed to produce the code that will continue the authentication sequence.
So, once you’ve ordered one it shows up in the mail not too long afterward in an unassuming package much like this:
You simply follow the given instruction card:
1. Log in to the site mentioned using your standard Blizzard username and password.
2. Enter the 10-digit serial number on the back, which will be associated with your account for future code validation. From then on, when you attempt to log into WoW you’ll be prompted for your 6-digit Authenticator code.
From then on you can take comfort in knowing that you’ve added another layer of security on top of whatever system you had been using. Most people, I’m sure, will have a fairly typical password paired up with their username, but I’ve heard of many who had gone so far as to carry around an encrypted USB drive with a text file of some sort on it, and have stored a long, “untypable” (by this I merely mean extremely difficult to reproduce accurately) password in there that they could copy and paste into the password field. As you may have gleaned from my description of keylogging, modern keyloggers have been able to read from the pasteboard and steal that information anyhow, so the advantages of this type of system aren’t as great as they would seem.
I’m sure the Authenticator isn’t perfect either, but it’s one more thing that will slow down a would-be attacker. I could envision a case where your serial number (which I’m sure links to some other “untypable” key) became compromised, along with the algorithm that produces the 6-digit code, such that reproducing the code your Authenticator would produce becomes possible, albeit unlikely. Other disadvantages of the Authenticator include remembering to bring it with you wherever you think you might want to play, or even log into the account management site (or the Armory). It’s also most assuredly prone to clock drift given enough time. Blizzard has built some tolerance into the setup (for instance, I have come to believe you can use the current code, the previous one or the next one), so chances are very good that by the time most Authenticators drift out of their window we’ll either be on some other game or will be using another, more secure, authentication scheme.
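To make the mechanism concrete, here is an added example, not code from the original post and not Blizzard’s implementation (the post does not describe their actual algorithm). It uses a standard HMAC-SHA1 time-based one-time code (RFC 4226 truncation over a 30-second time step, as in RFC 6238) as a stand-in for whatever the real token computes. It shows the two halves described above: the token deriving a 6-digit code from a shared secret and the current time, and the server recomputing the same code and accepting the previous, current or next window to absorb clock drift. The step length, digit count, hash and demo secret are all assumptions of this example.

```python
import hashlib
import hmac
import struct
import time

# Assumed parameters (not stated on the page): 30-second steps, 6 digits, HMAC-SHA1.
STEP_SECONDS = 30
DIGITS = 6
# Constructed demo secret; a real token's secret is provisioned at manufacture and never typed.
DEMO_SECRET = b"constructed-demo-secret-not-a-real-key"


def code_for_counter(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """Derive a `digits`-long code from the secret and a step counter (RFC 4226 dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte picks the slice
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def token_code(secret: bytes, at_time: float, step: int = STEP_SECONDS) -> str:
    """What the hardware token displays: the code for the time step containing `at_time`."""
    return code_for_counter(secret, int(at_time) // step)


def server_verify(secret: bytes, submitted: str, at_time: float,
                  step: int = STEP_SECONDS, window: int = 1) -> bool:
    """Server side: accept the code for the current step or up to `window` steps either side,
    so a token whose clock has drifted by one step still works (the tolerance the post describes)."""
    counter = int(at_time) // step
    for delta in range(-window, window + 1):
        expected = code_for_counter(secret, counter + delta)
        if hmac.compare_digest(expected, submitted):      # constant-time comparison
            return True
    return False


def drift_demo(secret: bytes, server_time: float, drift_seconds: int) -> bool:
    """Simulate a token whose clock is `drift_seconds` ahead of the server's and see if it is accepted."""
    shown = token_code(secret, server_time + drift_seconds)
    return server_verify(secret, shown, server_time)


if __name__ == "__main__":
    now = time.time()
    live = token_code(DEMO_SECRET, now)
    print("token shows:", live)
    print("server accepts live code:", server_verify(DEMO_SECRET, live, now))
    print("accepts a token 30s fast:", drift_demo(DEMO_SECRET, now, 30))   # one step: accepted
    print("accepts a token 90s fast:", drift_demo(DEMO_SECRET, now, 90))   # three steps: rejected
```

The drift tolerance is a deliberate trade-off: each extra window the server accepts is one more code an attacker could guess at, so real deployments keep the window small and re-synchronise a badly drifted token rather than widening it.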
The biggest downfall to this system, in my view, is this: we’re lazy people. We don’t want to go through the hassle of remembering to use the system. We don’t want to have to enter it every time we start up the game. We’d like to think that this sort of thing only happens to somebody else. Unfortunately, as my good buddy in-game says, there’s a Calvin and Hobbes for every situation.
So, in closing, I’d like to highly encourage those of you reading this for WoW reasons to go out and get an Authenticator. But most importantly, actually use it when you do! Parting security tip: never click on a link in email. Type it out yourself. People do tricky things to try to phish up your information (for instance, URLs like http://www.mitgr81.com (safe demonstration link), or using ‘vv’ in place of a ‘w’).
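The two tricks in that parting tip (link text that doesn’t match where the link goes, and look-alike spellings such as ‘vv’ for ‘w’) are exactly what a mail filter or a cautious reader checks for, and they tie back to the phishing definition earlier in the post. The following is an added example, not code from the original post: it pulls every link out of an email’s HTML, compares the displayed text with the real destination host, and flags hosts that only become a known-good name after undoing common character substitutions or that merely start with a known-good name. The list of legitimate hosts, the substitution table and the sample email are all constructed for the demo.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list for the demo; a real deployment would use the sites you actually log in to.
LEGITIMATE_HOSTS = {"www.worldofwarcraft.com", "us.battle.net"}

# Character swaps commonly used to imitate a legitimate host name (undone before comparing).
SUBSTITUTIONS = [("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l"), ("|", "l"), ("3", "e"), ("5", "s")]

URL_LIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def normalize_host(host: str) -> str:
    """Undo look-alike substitutions so 'vvorldofwarcraft' compares as 'worldofwarcraft'."""
    host = host.lower().strip(".")
    for fake, real in SUBSTITUTIONS:
        host = host.replace(fake, real)
    return host


def classify_host(host: str) -> str:
    """Return 'legitimate', 'lookalike' or 'unknown' for a link's destination host."""
    host = host.lower()
    if host in LEGITIMATE_HOSTS:
        return "legitimate"
    if normalize_host(host) in LEGITIMATE_HOSTS:
        return "lookalike"
    # A known name used as a prefix of some other domain (us.battle.net.<something>.net).
    for real in LEGITIMATE_HOSTS:
        if host.startswith(real + ".") or host.startswith(real + "-"):
            return "lookalike"
    return "unknown"


def displayed_host(text: str):
    """If the visible link text looks like a URL or host name, return that host; else None."""
    m = URL_LIKE.match(text.strip())
    return m.group(1).lower() if m else None


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_email_links(html: str) -> list:
    """Return one finding per link: destination host, its verdict, and whether the shown text lies."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = (urlparse(href).hostname or "").lower()
        shown = displayed_host(text)
        findings.append({
            "href": href,
            "text": text,
            "host": target,
            "verdict": classify_host(target),
            "text_mismatch": shown is not None and shown != target,
        })
    return findings


# Constructed sample message (demo data, not a real phishing email).
SAMPLE_EMAIL = """
<p>Your account will be suspended unless you confirm your details.</p>
<a href="http://www.vvorldofwarcraft.com/login">www.worldofwarcraft.com</a>
<a href="http://us.battle.net.example-phish.net/reset">Click here to verify</a>
<a href="http://www.worldofwarcraft.com/">www.worldofwarcraft.com</a>
"""

if __name__ == "__main__":
    for f in audit_email_links(SAMPLE_EMAIL):
        flag = "MISMATCH" if f["text_mismatch"] else "ok"
        print(f"{f['verdict']:10s} {flag:8s} {f['host']}  (shown as: {f['text']})")
```

The first sample link is the ‘vv’ trick from the post with honest-looking link text; the second hides a known-good name inside a longer, unrelated domain; only the third is genuine. Typing the address yourself, as the post advises, sidesteps all three.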
Thank you for reading. Hope to see you walking, fully clothed, across the plains of Azeroth soon!
Footnote: I’m sorry for the blurriness of the photos. I was incredibly short on time when I snapped them.
Fight this from both sides: don’t buy gold!