Sunday, July 19, 2009

Protecting Your WoW Account: Ten Easy Steps

You invest a lot of time leveling your characters so don't leave yourself exposed to the disappointment and frustration of account compromise.

Let's explore the common hacking methods of the bad guys and introduce some simple and easy steps on how to help prevent character loss and down time.

How do WoW accounts get hacked?

The keylogger

Keyloggers or keystroke loggers are covert pieces of software that sit in memory, logging your keystrokes when you log in to the game or when you log in to the Blizzard account or forum web sites. The keylogger then sends this information out to the bad guys. Many people wrongly believe that keyloggers only look for your password when you enter the game, but more often than not they intercept it when you log in to the Blizzard forums or account pages on the official web site.

Keyloggers are often included in the functionality of malware called "Trojans". Trojans are pieces of software that are designed to look like legitimate software but have backdoors for malicious functions.

Reputable antivirus software will detect keyloggers as soon as they attempt to install themselves and will often identify them as trojans. There are plenty of good, free antivirus products out there, but sometimes you get what you pay for. In fact, there are many scam products out there that appear to be antivirus products but are actually keyloggers themselves. I recommend sticking with the major commercial antivirus vendors such as Symantec, McAfee, Trend Micro, Sophos, AVG and Kaspersky. If you think you might have a keylogger then most of these vendors have a free online scan that you can use to check your system - in fact, it is best to try a couple of these free scans to be sure.

Also note that some newly developed keyloggers may not be detected by antivirus software so don't rely on it 100%.

But how did you get the keylogger in the first place? There are several ways that you can pick one of these up:
  1. You opened an email attachment that launched this software on your machine.
  2. You downloaded and launched the software thinking it was something else. For example, you may have been browsing a web site that prompted you to download a "codec" to watch a video. You excitedly clicked on the download and then the "run" button, only to find that the video still did not play. In the background, you just installed a keylogger.
  3. Your browser or some browser application such as Flash was not patched for a certain vulnerability and you browsed a page that automatically launched and installed the keylogger.
  4. You downloaded what you thought was an addon, which strangely asked you to run some installation package.
The common theme here is that to install a keylogger you generally have to be tricked into running some form of installation process.

Don't think you are perfectly safe if you have a Mac either. While the Microsoft operating systems have traditionally been the target of most malware, Macs are becoming an increasingly popular target for malware writers.

The Blizzard authenticator token is a great way to protect against a keylogger. The authenticator provides two-factor authentication. Two-factor authentication is far more effective because it requires two pieces of information from two different sources - in this case, something that you know (your regular account password) and something that you have (the authenticator, which generates a one-time password). The added security comes from the fact that the authenticator changes its password every 60 seconds - so even if the keylogger captures the authenticator password, it is only valid for a very short time.

If you have an iPhone then you can pick up the free Blizzard Battlenet Authenticator application from the iStore.
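
To make the "only valid for a very short time" point concrete, here is an added example (not Blizzard's actual token algorithm, and not code from this post) of a generic time-based one-time code in the style of RFC 6238, using the 60-second window the post describes. The secret, the captured timestamp and the six-digit code length are assumptions for the demonstration.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the post says the token's code changes every 60 seconds
DIGITS = 6          # assumption: six-digit codes, as is usual for such tokens


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Time-based one-time code in the style of RFC 6238 (HMAC-SHA1 over the time counter).

    Generic illustration only; not Blizzard's token algorithm.
    """
    counter = unix_time // step                       # same value for the whole window
    msg = struct.pack(">Q", counter)                  # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                        # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(secret: bytes, code: str, now: int, step: int = STEP_SECONDS) -> bool:
    """Server-side check: accept only the code for the current window.

    Real servers usually tolerate one window of clock drift; this demo stays strict
    so the expiry behaviour is easy to see.
    """
    return hmac.compare_digest(totp(secret, now, step), code)


def replay_demo(secret: bytes = b"constructed-demo-secret", captured_at: int = 1247961600) -> dict:
    """A keylogger captures the code at captured_at (constructed timestamp, 2009-07-19 00:00 UTC).

    Using the stolen code a few seconds later still works; 90 seconds later the window
    has rolled over and the same code is rejected.
    """
    stolen = totp(secret, captured_at)
    return {
        "valid_immediately": verify(secret, stolen, captured_at + 10),
        "valid_after_expiry": verify(secret, stolen, captured_at + 90),
    }
```

The `totp` function reproduces the published RFC 6238 test vector when called with a 30-second step and eight digits, so the arithmetic can be checked against the standard.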

The phishing site

Phishing is the process of using deceptive methods to acquire sensitive information, in this case your game account details.

For example, you saw a notice in trade chat or received a whisper saying that you have won a spectral tiger mount in a competition. All you have to do is visit a web site and type in a special redemption code. You go to the site, it looks legitimate, you enter the code and it then asks you for your account name and password so that the tiger mount can be mailed to your character. STOP! This is a phishing site with one aim - to get you to type in your username and password so they can log in to your game account.

A similar ploy is the email that reads "Official email from Blizzard. Your account has been suspended. Click here to confirm your details and unlock your account". Again, you click on the link in the email and it looks like a legitimate Blizzard site... but it is nothing but a scam.

It often takes a trained eye to spot a fake web site. Be extra cautious when any site asks you for your account details. I know of only three sites that should ever require your game password - worldofwarcraft.com, blizzard.com and battle.net. If the URL is anything other than these then it is highly likely that the site you are visiting is a phishing site.

Again, the Blizzard authenticator provides great protection here since phished authenticator passwords are only valid for a very, very short time.
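
As an added illustration of the "is this URL really one of the three official sites?" check (not code from this post), the function below matches the whole hostname against the three domains named above, right-anchored, so that a name which merely contains "battle.net" does not pass. The sample links are constructed for the demonstration and are not real sites.

```python
from urllib.parse import urlsplit

# The only domains the post says should ever ask for the game password.
OFFICIAL_DOMAINS = ("worldofwarcraft.com", "blizzard.com", "battle.net")


def official_host(url: str) -> bool:
    """True only if the URL's hostname is one of the official domains or a subdomain of one.

    The check is on the whole hostname, right-anchored: a name that merely contains
    'battle.net' somewhere (e.g. 'battle.net.example') is not under battle.net.
    """
    if "://" not in url:                 # allow bare hostnames as typed into a browser
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return False
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


# Constructed sample links of the kind that turn up in whispers and emails (not real sites).
SAMPLE_LINKS = {
    "https://us.battle.net/account/": True,
    "www.worldofwarcraft.com": True,
    "http://battle.net.example/redeem": False,      # official name used only as a prefix
    "http://worldofwarcraft-com.example/": False,   # lookalike spelling
    "http://battle.net@example.net/login": False,   # 'battle.net' is only the userinfo part
}


def check_all(links=SAMPLE_LINKS) -> dict:
    """Return {link: official?} so each verdict can be compared with the expected value."""
    return {link: official_host(link) for link in links}
```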

The insider

You have shared your account password with a friend or a leveling service. You never changed your password and now your friend is no longer a friend or the leveling service had other intentions. The solution here is - don't share your username/password with anyone. Choose a password that can't be easily guessed by your friends and enemies.

Also, be sure to use a different login/password combination when you subscribe to Blizzard fan sites. There are hundreds of fan sites and not all are reputable. Even reputable fan sites with username/password databases are a gold mine for successful hackers.

The Ten Steps - Don't become a statistic

Here are ten simple steps you can take to reduce the chance of your account being compromised:
  1. Don't share your game password with anyone and pick a password that is not easily guessed
  2. Don't use the same password for subscribing to fan sites
  3. Keep your operating system, browser and other software fully patched - start with Windows Update
  4. Run a reputable antivirus product, preferably a full internet security suite with a firewall and keystroke encryption
  5. Don't click on email attachments, especially when you don't know the sender
  6. Don't download and run executable files from web pages
  7. Don't enter your game password into any web site other than the official game sites
  8. Don't enter your game password to a legitimate Blizzard web site from a PC that may be compromised
  9. Be very suspicious if an addon requires some form of install package to be run
  10. Invest in a Blizzard authenticator or install the Battlenet Authenticator application on your iPhone
Remember, security is never 100% guaranteed and there will always be opportunities for your account to be compromised. I have touched on the more common methods in this post. The important message here is to make it as difficult as possible for the bad guys. Of all the advice, the hardware authenticator is one of the simplest, least expensive and most effective steps you can take to avoid becoming a hack statistic. Pick one up from the Blizzard store today.

Update: You can also purchase this as an application for many mobile phones at mobile.blizzard.com.

12 comments:

  1. I would also highly recommend that if you decide to use the Battle.net mobile authenticator, that you write down the serial number. If your iPod touch crashes like mine did today, and you have to reset it, there is a good chance that you will have a new serial number and your authentication code on your iPod will not link to your account. Having the old serial number written down and ready to provide the Blizzard rep with makes it incredibly easy for them to switch you over to the new authenticator.

    Just a way to make sure your authenticator doesn't become a problem for YOU.

  2. here's one too to scramble up keyloggers:

    type out the first few and last few letters of the password, then with your mouse (not keyboard!) click in the middle of what you already typed and type the rest of the password

  3. Blizzard announced today that you can also purchase an authenticator application for most mobile phones via their mobile store at http://mobile.blizzard.com/

    I have updated the blog to reflect this.

  4. That's not true. There are lots of phones listed but in truth most of them are NOT compatible. For example, none of the HTC phones are and only a few Motorola.

    This confusion stems from the fact that most work with the ringtones and wallpapers. They just don't work with the authenticator.

  5. FYI Blizzard authenticators are back in stock!

  6. This article doesn't mention what I believe is the cause of a significant percentage of account compromises these days, i.e. reusing your WoW password for other things like fan site forum passwords etc. Especially since your login is now your email address. Too many sites get hacked and the user database (usually unencrypted) is stolen, sometimes without the site knowing, and some sites are in the business of harvesting and reselling login names/passwords.

    Blizzard is certainly thinking about requiring authenticators in the future, but if that happens the hackers will just adapt by making the keylogger capture the authenticator code, then log in as you in the background while giving you a "server down please try later" message. Banks and brokerage houses are already having this problem with hardware tokens like the authenticator.

    The best defense is a healthy dose of skepticism and caution in your online activities.

  7. Thanks for your comments - the caution about authenticators still being a risk with sophisticated phishing attacks is a good one.

    However, you mention that the article does not cover using passwords on fansites, when in fact it does:

    "Also, be sure to use a different login/password combination when you subscribe to Blizzard fan sites. There are hundreds of fan sites and not all are reputable. Even reputable fan sites with username/password databases are a gold mine for successful hackers."

  8. The thing that annoys me is that we pay to play WOW each month and now they expect us to pay for an authenticator to protect what we pay for.

    IMO these should be provided free or Blizzard should make the account login process more secure. Banks have different methods to protect against hackers with virtual keyboards etc., so why can't Blizzard adopt these for securing our accounts?

    To me this is just another money grabbing scheme and just plain lazy on Blizzard's behalf.

  9. I agree with the above comment.
    There should be a better method of securing our accounts.

  10. Well if that's the case stop paying for WoW. If you don't want to pay for something that can help increase your security then so be it. No one is stopping you from making your account vulnerable.

  11. At bonehead post "I think Authenticators should be free..etc.." There were 9 other ways listed which are all free to prevent your account from being compromised. The token was the last recommendation. Virtually all instances of accounts being compromised, either your bank, credit card or even WoW were all successful due to YOUR poor security practices. No amount of technological device will overcome human complacency.

  12. I don't think Blizzard are charging for authenticators to make a profit. At only $6.50, I suspect there is very little profit in this at all.

    In my experience, if you give something away for free then people don't value it. If you charge a token amount (excuse the pun) then people tend to take better care of their investment.

    If you are holding back on purchasing an authenticator because they cost $6.50 (plus postage) then consider the time and effort you have put into your characters and how much a delay in restoring them is worth to you. It adds up quickly :)
