Comments on: A New Fob For Your Keychain

By: Mercilius

Mercilius — Tue, 01 Jul 2008 19:09:23 +0000

Bravo Blizzard. Hopefully this will catch on and other companies will follow suit.

By: zabuni

zabuni — Sat, 28 Jun 2008 18:48:12 +0000

I would have preferred a PKI CAC card system, for better portability, but this is probably the easiest way to carry around your account information without needing external hardware.

@Freakazoid: No, they won’t. If they do, they will have done what legions of cryptanalysts have not. This is one of the central tenets of cryptography, do not reinvent the wheel. Governments, military and corporations all use the same type of cryptography to prevent items like this, and their log ins are worth more than World of Warcraft itself.

I believe Warden already looks for keyloggers and the like, but such black lists are arms race. Blizzard already uses some of the same tricks they would use to hide the innards of the keyloggers.

By: Sara Jensen Schubert

Sara Jensen Schubert — Fri, 27 Jun 2008 16:43:21 +0000

“I never would have guessed WoW to be the first game to feature two-factor authentication, but it really is a good way to increase security. (With the side effect of increasing tech support to boot.)”

I bet that tech support is a metric fuckton cheaper than what they were spending on customer service. If people are really being hacked at the rate that they complain on the boards, and CS is taking as good of care of them as I hear, it’s not cheap.

By: Bleaktea

Bleaktea — Fri, 27 Jun 2008 16:34:22 +0000

FFXI had plenty of account hackings and keyloggers – some shipped in ad banners, even. Allakhazam got hit with that one. The devs have this odd habit of releasing notices of how many gilsellers they’ve banned and how much in-game currency they’ve seized in a given period, which read like police reports about big drug busts.

These tokens are a great idea and I am buying a pair for me and the wife the moment they show up somewhere I can click “Add to Cart”.

By: Rob

Rob — Fri, 27 Jun 2008 16:28:53 +0000

(Sorry, only the first two paragraphs should be italicised.)

By: Rob

Rob — Fri, 27 Jun 2008 16:27:44 +0000

The best idea I have seen for preventing MMO account hacks is for the game to send not only the user ID/password, but a ’snapshot’ of the system, including the operating system license number. (example: windows xp license number)

If the login server sees more than two accounts attempting to log in from the same license number it locks all logins attempted from that license number.

Think how this would work in practice: if I’m visiting a friend and want to log in from their system, I would have to add their system ID to the account admin system.

Except to offer any kind of security, I would also have to lock down the admin system to only be usable from allowed snapshot IDs. So I’d have to go home first to activate my friend’s system ID for my account. Not exactly user-friendly.

And if I upgrade my machine, how do I log in? Using the CD key? So now you have a fixed master password for the account which isn’t locked down to a system ID. How is this a step forward? And what about the users who’ve lost their CD key? (I have no idea where my own is, for example.)

By: Drakks

Drakks — Fri, 27 Jun 2008 16:25:34 +0000

[i]You are mistaken, Drakks. There is nothing complex or ground-breaking about this method of authentication. (That is, in fact, one of the reasons it works so well.)[/i]

In the context of an MMO providing account security, it is. I didn’t mean as a technology in general.

By: kalain

kalain — Fri, 27 Jun 2008 16:22:10 +0000

WoW’s the first game I’ve seen with horror stories of hacked accounts and keylogging all over.

Most of the EQ era stories were “I shared my account with guildmates, then <> and all my shit’s gone”

These people won’t buy the FOBs, because then you couldn’t share your account (yes, I know it’s against the tos anyways)

WoW is large enough that people actually go about infecting site ad banners to hack accounts. That’s impressive and kind of new.

By: Paul

Paul — Fri, 27 Jun 2008 15:44:50 +0000

It is for an MMO.

This about how most MMOs treat customer accounts. I can understand not trusting the client, but most MMOs treat customer security with contempt. Horror stories about hacked accounts abound.

Any company can tell its customers to engage in better security practices. But that is a bullshit measure taken by companies that don’t know or don’t care about actually providing security for customer accounts. The customer doesn’t own the account, so why should the provider feel responsible?

Actually doing something about keyloggers, even if its something that customers have to pay a premium to use, is a step in the right direction.

By: Anticorium

Anticorium — Fri, 27 Jun 2008 14:36:53 +0000

You are mistaken, Drakks. There is nothing complex or ground-breaking about this method of authentication. (That is, in fact, one of the reasons it works so well.)