Timex's Journal: Nothing new under the sun

Late last year, the leader of the guild I am part of in WoW experienced a nasty event, where his account was hacked. He (temporarily) lost access to everything he had worked on over the last five years-- he's been playing WoW pretty-much since it launched. Fortunately for him, Wife and I were on at the time that the perpetrator signed on and started doing his damage. We got him (and Blizzard) involved pretty quickly. The damage was minimized and we got back to some semblance of where we were before it all went south. Unfortunately for him, the damage was not limited to his WoW account, but he managed to act quickly enough where nothing else seems to have been affected.

This sort of thing isn't rare-- many MMORPGs have experienced the "gold farmer", someone who has large amounts of the game's currency-of-choice to sell to players that are too impatient to earn it themselves, usually at rates of about $7 or so per 1000 units. Even if there are any gold farmers out there that are honest in how they raise their in-game currency, the nature of the games' economies is such that it's unlikely that most of them are honest, simply because they need to have a substantial amount of it across all the servers that it would cost them more to gather it than they would get to sell it to players. (For the unknowing, most of the games I am aware of treat a server or "realm" as a world unto itself, where one generally cannot easily move money or items from one realm to another.)

One way that Blizzard has come up with (and this is where the title of this JE comes in) is the Blizzard Authenticator. It is a fob (or an app for mobile devices such as the iPhone) that is "connected" to one's Battle.Net account. It has an eight-digit "pin" that changes every 30 seconds. When one logs in, this pin is needed, right along with the usual username (email address) and password.

The idea is not to guarantee security, but to greatly reduce the chances of a person's account getting hacked.

In my opinion, it's a neat idea (despite the fact that even this has its weaknesses). It's certainly not a new idea, as RSA has had something like this, the SecurID, for several years.

I don't know if there are any legal ramifications to the similarities between the two devices, but that is something that Blizzard and RSA have to work out. :D

I have heard a lot of people complain about the push (by Blizzard) to get players to buy the Authenticators, but I honestly don't think that Blizzard is out to make a quick buck through these things. Blizzard is selling them for $6.99 USD / £6.29 GBP / €6.99... If you have a supported mobile device, the app is free.

I think they are a great idea, especially if one puts a lot of time into one's characters.

  • If an "Authenticator" proves you are a fake character, what would you call something that proves your real identity - an "Unathenticator"?

    • by Timex ( 11710 )

      Without the Authenticator, you cannot log in. In that manner, it works exactly like the SecurID fob, which is what I was getting at with the "nothing new" title... :D

      The "plus": without the fob, neither you nor any crackers can log into an account that requires it.

      The "minus": it doesn't prevent someone from rerouting your connection (assuming someone that knows how to do it wants to bother with you) once you log in... ...if you lose the fob (or whatever device you are using), YOU aren't logging in either.

      If it

  • Over in Europe just about every bank requires you to have a fob-like device to log into your computer bank account.

    Very likely Blizzard had worked out a deal with whoever owns the patents on the device to license it.

    It makes sense for them economically to push people to use it, as it reduces the incidence of fraud, and thus they need to spend less worker-time to fix problems.

    • by Timex ( 11710 )

      Over in Europe just about every bank requires you to have a fob-like device to log into your computer bank account.

      I have to say that I think something like this is a great idea for banks to become interested in.

      Let's face it: most of us don't have enough money in the bank to make it worth the time and effort it might take someone with the know-how to do "man in the middle" attacks [wikipedia.org]. This would prevent (or at least make it more difficult for) the average keyboard logger to affect bank accounts, simply because the pin is always changing and once it's used, it's no good, at least until the next time it's chosen.

      It makes sense for them economically to push people to use it, as it reduces the incidence of fraud, and thus they need to spend less worker-time to fix problems.

      This may b

    • That's what I thought of when I was reading this. I had a friend from Zurich in town quite a few years back - I'm thinking 2004 - and we were talking computer security. She showed me a device she carried so she could do on-line banking and it was pretty much exactly what you describe.
