WoW Security (or lack thereof)

#0 - Feb. 3, 2009, 10:21 p.m.

I posted about my account being compromised at this address: http://forums.worldofwarcraft.com/thread.html?topicId=14697305440&postId=148934390108&sid=1#10

Since posting, I have looked into it and it looks like I am far from the only person who this happened to on the same exact day. Other people who have posted about their account being compromised on Feb 1st / 2nd:

<Links removed>

I'm sure there are others as well, but this is just to name a few that I have found.

In a few instances, the victim was up-to-date with their anti-virus and anti-spyware programs, and had nothing that could be considered malicious on their machines. I know that on my machine, there was nothing at all that would have been able to collect my password, not to mention any other viruses, trojans, or keyloggers. I scanned it just to be sure using MacScan, and it was confirmed that my machine was clean. I am a Power User, I have had PCs and Macs and know my stuff with both systems. I don't share my information with ANYONE.

Another person who was hacked (in the link to Teravastl's post) was not even playing after the point that they had been hacked the first time when they were hacked a second time. This means that there was definitely not a keylogger involved.

The point is this: I DO NOT HAVE A VIRUS. I DO NOT HAVE A KEYLOGGER. This was not a security issue on my end AT ALL. Something is going wrong somewhere else.

The thing that I really don't understand is why there is a "Change Email" through the World of Warcraft web site. You don't even need to log into your account to change the email. The only place that you should be able to change your email is within the account management or over the phone with Blizzard.

The email address was changed on my account. At no point did I receive an email telling me that it had been changed. The email had to have been changed before the password was changed because they used the password retrieval page and I never received an email about that either.

On the web site, to change an email, you simply need to enter your account name, current email address, and the last six characters of your WoW key, which can be brute forced. They don't even have to answer the secret question.

I really think that Blizzard needs to step it up a few notches with security. Implementing captchas and other things that might slow down hackers that are trying to brute force the system might help. In the rare instances that someone needs to recover their password, I'm sure they wouldn't mind going through a few more steps to make sure it is secure. And in the VERY rare instance they would need to change their email, they should do it through their account (logged in), or over the phone with Blizzard. It also would probably be nice if Blizzard implemented a few more security questions (like three per account).

Falrinn @ Turalyon talks some more about securities and brute force in his post here: http://forums.worldofwarcraft.com/thread.html?topicId=14697555206&postId=146959637850&sid=1#11

Login attempts should definitely be limited, and players should be able to change their account name at will. As I said in my post, I do not feel comfortable having an account that has been compromised. Since it has the same account name, it can be targeted again, and entry can be gained through brute force.

Yes, there is the Blizzard Authenticator, but why do we need to spend more money to have security, which should be provided with a service we are already investing >$100 initially and $15 per month thereafter. Blizzard could provide these at purchase, or when someone has paid for 6 months of play time. If Blizzard doesn't want to give the Authenticator to everyone, they could at least give them to those whose accounts have already been compromised.

They also need to make strong passwords. I tried to add a symbol to my password but Blizzard did not allow it. They also do not use case-sensitivity, which would help improve the strength of the password and make it more difficult to get in to accounts.

Syndri

#8 - Feb. 3, 2009, 10:40 p.m.

Q u o t e:
This was not a security issue on my end AT ALL. Something is going wrong somewhere else.

As unsettling—and, perhaps, as humbling—as it may be, Eveie, accepting that compromises occur client-side is the first and most important step in bolstering your account's security.

Now, I'm not placing blame or fault upon you. Many compromises occur despite how diligent we may be as end users; mistakes happen, loophopes in our browsing practices exist. Your responsibility is to accept the advent of these mistakes and loopholes, identify them, learn from and correct them, and then work to prevent either from jeopardizing your account again.

Here are some simple and basic tips to practice at home:

Complete operating system updates regularly (preferably as they become available).
Download or purchase one very solid anti-virus program and at least two anti-malware programs to run weekly. It's beneficial to use multiple anti-malware programs, as individual scans alone may not be able to identify all trojans, keyloggers, etc. Overlap here is good.
If you use FireFox, install NoScript and run it consistently while browsing.
Select a secure password and change it periodically.
Monitor the availability of your email address and keep it as isolated as possible.
Avoid willfully sharing your login and password. Even friends, family, and significant others can place your account at risk.
Be aware of "phishing" emails and websites, and do not to respond to any invalid requests.
Consider purchasing an Authenticator and attaching it to your registered accounts.

What I want for you to do right now, Eveie, is to scan your system for trojans, keyloggers, and malware. Again, yes. After these scans have finished, or perhaps while they are running, set up a new email address from a clean a computer—one that you are absolutely certain is devoid of potential keyloggers.

When selecting the username and password for this new email address, ensure that these variables do not overlap with that of your WoW account or any other login type (guild websites, Facebook, MySpace, etc). Register this new address to your account and do not use it for anything else: no additional registrations, no guild websites, no newsletter sign-ups, et al. Keep this email address as isolated as possible. Once your new email address is registered, reset or your retrieve your password via Account Management.

I recommend that you do as this as soon as possible, as I notice that you've not selected a new email address; rather, you're still using an old one. Should those who compromised your account previously still have access to this information (which is absolutely possible), your account will remain at risk until the address is updated. As a side note, one may not change your email address online without possessing your SQ/A or the last 6-digits of your original CD key.

Q u o t e:
What I really believe this comes down to is a breach in security on Blizzard's end. As I type this, I am getting a "404 File Not Found!" error for their password retrieval page, which makes me wonder if it is something on their end that they are trying to remedy. However, I don't appreciate being told that I did something wrong if it is something on their end. I have been playing WoW since it came out and have not had a problem like this before.

The "quicklink" provided on our main page is incorrect. This is a matter of which we are aware and are working to correct at this time. You'll want to use the following URL:

http://www.worldofwarcraft.com/loginsupport/

With that said, I understand that our company and its employees are easy scapegoats. I want to assure you, though, that our systems are secure; no breach has occurred to date. You've thus the opportunity to approach this situation proactively rather than defensively. I hope you take it. :)

Should you have any further questions or concerns, please let know.

Syndri

#9 - Feb. 3, 2009, 10:42 p.m.

Also, I would encourage you to review our ** Account Compromise Info Center ** sticky for information regarding the retrieval, recovery, and restoration processes. :)

http://forums.worldofwarcraft.com/thread.html?topicId=14318909866&sid=1

Syndri

#22 - Feb. 4, 2009, 12:33 a.m.

Q u o t e:
Please note that the account I am posting from on here is not the account that was hacked.

There are two accounts registered to your name, Eveie. Both emails addresses are the same. I would suggest that you update them.

Orlyia

#79 - Feb. 4, 2009, 1:24 p.m.

When we see compromise spikes, it is almost inevitably around announcements of IE vulnerabilities, Flash vulnerability, etc.

We have millions of accounts, what spikes we do occasionally see are a drop in the bucket to what could and WOULD be if the vulnerability was on our side.

Of course there are a plethora of ways, and malware is only one. We try to encourage folks to practice good security habits, update and scan regularly, educate them about what a phish is, etc. - but ultimately it has to fall to them to do so. That's not even getting into the area of physical breeches or confidence games, or dealing with folks whose livelihood revolves around breaking our terms of use and will cheerfully steal back everything they just sold a player - with anything else not nailed down to boot.

Nor is it touching the topic of account sharing. There are EXCELLENT reasons account sharing is expressly forbidden by our terms of use. Once ANYONE else has access to your information, even if they are totally trustworthy, you have lost control over what system or systems they may be using or what may be lurking in those systems. Also, once that control is gone there may simply be no way to ever definitively diagnose exactly where the breech occurred.

This has never....not once....been found to be on or from OUR systems, not once - ever.