Sunday, October 13, 2013

Final Fantasy XIV ARR Account Hacked

Just over a month ago I went out and purchased Final Fantasy XIV - A Realm Reborn. I encountered some very concerning security issues and poor customer service along the way and recommend you think twice before playing this game.  

Let me fill you in on my unfortunate journey with Final Fantasy and their creators, Square Enix.

To start with, there were major issues with servers overloaded for the first week after game launch, resulting in the inability to log into the game. Square Enix obviously had very poor capacity planning and in hindsight, the warning bells should have been ringing for me at this stage.

In any case, after about a week the server overload problem subsided.  I proceeded to play the game for almost two weeks and then stopped playing since it was not the game for me.

About 1 week later, I received a curious, automated email from them:
We are writing to inform you that we have suspended the FINAL FANTASY XIV service account registered to this e-mail because on 9/24/2013 you breached the FINAL FANTASY XIV User Agreement.  
They went on to say that I had violated two clauses of their agreement - 1. that I was not truthful with my registration information and 2. that I had participated in real money trading, farming or power-leveling.

Being the security guy and strongly expecting this to be a bogus phishing email, I decided not to click on any links in this email.  I went to my game login and tried to login.  To my surprise, my account had indeed been disabled.

So how did I breach their user agreement? I did not play on 9/24/2013 (or any day either side of this), nor was I in any way dishonest with my registration info.

I could only conclude that my account had been compromised.

To have had my account compromised, the attacker would have had to either get hold of my login name and then run a dictionary attack on the password, or compromise the Square Enix user database.  You might be surprised to know that MMOs allow multiple password attempts so that you can't purposely deny another player access by locking out their account with failed password attempts. Consequently, a dictionary attack on the password is quite feasible.
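The trade-off described above (lock the account and you hand griefers a denial-of-service button; don't lock it and dictionary guessing becomes feasible) has a middle ground: throttle failed attempts per account and per source address with a growing delay, so the guessing source slows to a crawl while the real owner logging in from their own machine is unaffected. The following is an added illustration, not code from the original post or from Square Enix; the LoginThrottle class, the delay parameters and the sample addresses are assumptions constructed for the example.

```python
import time
from collections import defaultdict


class LoginThrottle:
    """Exponential backoff per (account, source address) instead of a hard lockout.

    Hypothetical helper for illustration: failures from one source against one
    account grow the wait time for that pair only, so piling up bad guesses
    cannot deny the legitimate player access from a different address.
    """

    def __init__(self, base_delay=1.0, max_delay=300.0, reset_after=900.0):
        self.base_delay = base_delay      # seconds to wait after the first failure
        self.max_delay = max_delay        # cap on the wait between attempts
        self.reset_after = reset_after    # quiet period that clears the failure count
        self.failures = defaultdict(int)
        self.next_allowed = defaultdict(float)
        self.last_failure = defaultdict(float)

    @staticmethod
    def _key(account, source):
        return (account.lower(), source)

    def is_allowed(self, account, source, now=None):
        now = time.time() if now is None else now
        key = self._key(account, source)
        if key in self.failures and now - self.last_failure[key] > self.reset_after:
            self.record_success(account, source)   # stale history, forget it
        return now >= self.next_allowed[key]

    def record_failure(self, account, source, now=None):
        """Register a bad password and return the delay before the next try."""
        now = time.time() if now is None else now
        key = self._key(account, source)
        self.failures[key] += 1
        delay = min(self.base_delay * 2 ** (self.failures[key] - 1), self.max_delay)
        self.next_allowed[key] = now + delay
        self.last_failure[key] = now
        return delay

    def record_success(self, account, source):
        key = self._key(account, source)
        self.failures.pop(key, None)
        self.next_allowed.pop(key, None)
        self.last_failure.pop(key, None)


def guesses_possible(throttle, account, source, seconds):
    """Count how many wrong passwords one source can try within `seconds`
    if it retries the instant the throttle allows (worst case for the defender)."""
    now, count = 0.0, 0
    while now <= seconds:
        if throttle.is_allowed(account, source, now):
            count += 1
            now += throttle.record_failure(account, source, now)
        else:
            now = throttle.next_allowed[throttle._key(account, source)]
    return count


if __name__ == "__main__":
    t = LoginThrottle()
    # Constructed sample: one address keeps guessing "player"; the owner
    # logs in from a different address an hour later and is not blocked.
    print("guesses in one hour from one source:",
          guesses_possible(t, "player", "203.0.113.9", 3600))
    print("owner still allowed from own address:",
          t.is_allowed("player", "198.51.100.7", 3600))
```

With these parameters a single source gets 20 tries in an hour instead of thousands, and the account itself is never locked. The obvious caveat is that the key includes the source address, so guessing spread across many addresses needs an additional per-account budget or a second factor; the throttle is a layer, not a substitute for the token the post recommends.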

If someone had compromised the Square Enix user database then it is very difficult to confirm this unless the company discloses it.

If their systems have a problem then it is likely that more people would have been affected. A Google search for "Final Fantasy XIV ARR account suspension" came up with a lot of hits.  One great example quotes "it looks like there have been waves of people getting hacked since launch":

http://www.codeweavers.com/compatibility/browse/name/?app_id=7892;forum=1;msg=152733

So it appeared that I was not the only one suffering here.

I then discovered a recent news post from Square Enix warning users that they are seeing accounts compromised:
Currently, we have confirmed that a third party is using account names and passwords, thought to be obtained from security breaches of other companies' online services, in attempts to gain unauthorized access to Square Enix accounts.
If you are using the same account name or password as your Square Enix account on other online services, there is a much greater chance that a security breach at any of the other online services could potentially lead to your Square Enix account being compromised. (source)
I decided to try and follow the instructions in my breach notification email in the hope that their tech support team may see the error in their ways and provide great customer service and sort this out painlessly for me. How wrong I was.

I started by resetting my Square Enix account password - this was a fairly seamless process.  I then raised a support case.  I received an automated reply to my support case.

Seven days later, I finally received a response from a support person offering to open an investigation for me if I were to send them my date of birth, my email address and a copy of my passport or driver's license. I asked them to re-instate my account without me having to send private information to them just so they can investigate.  I was not comfortable sending my passport info to a company that clearly had issues with their security systems.

I got a reply another four days later saying they could not help unless I identified myself. Meanwhile my one month of included subscription time had just expired and I was definitely not prepared to invest any more time and money with this organization.  While I understand their need to identify legitimate users, they clearly need to get their support and security systems sorted first.

For the record, my biggest issue here is with the slowness of their customer service team.  My second biggest issue is the fact that I paid money, had my account compromised and then had to wait long periods of time to get any help at all.  MMO accounts get compromised, especially those without a security token - but all I wanted to do was play the game for my first month to decide if I would continue with it - at which point I would have certainly attached a token to it.

I highly recommend you re-consider participating in any online products from Square Enix until they can prove that they have the skills to run an MMO.  Their lack of capacity planning, poor customer service and apparent security issues are the reasons I won't be going back to them in a hurry.  If you must play their games, be sure to add a security token to your account!

PS - Square Enix have been invited to comment

Thursday, August 9, 2012

The Great Battle.net Compromise

Blizzard has recently announced that their battle.net database, the database that holds all of their usernames and password for games such as World of Warcraft and Diablo, has been compromised:
Some data was illegally accessed, including a list of email addresses for global Battle.net users, outside of China. For players on North American servers (which generally includes players from North America, Latin America, Australia, New Zealand, and Southeast Asia) the answer to the personal security question, and information relating to Mobile and Dial-In Authenticators were also accessed. Based on what we currently know, this information alone is NOT enough for anyone to gain access to Battle.net accounts. We also know that cryptographically scrambled versions of Battle.net passwords (not actual passwords) for players on North American servers were taken. We use Secure Remote Password protocol (SRP) to protect these passwords, which is designed to make it extremely difficult to extract the actual password, and also means that each password would have to be deciphered individually. As a precaution, however, we recommend that players on North American servers change their password. 

What are the implications of this?


  1. Your battle.net ID/email address are now out there - not only does this put your account at more direct risk from a targeted attack, if the email lists fall into the hands of the bad guys then you are much more likely to receive phishing emails.
  2. Your personal security questions/answers are out there - making a social engineering attack on your account, like the recently published attack on Apple, somewhat easier.  Blizzard have vowed to get us all to enter new security questions and answers shortly - let's hope they also advise their tech support teams to be especially vigilant in the meantime.
  3. It appears that the Mobile Authenticator serial numbers/seeds and account link information have been stolen - if this is the case then it is quite feasible that mobile authenticator codes could be generated and used against users who have a mobile authenticator attached.  Authenticators rely on the account link info and serial numbers being kept secret to be effective - the algorithm for such schemes is often available in the public domain.  While this type of attack would require some level of sophistication, it is not out of the realm of possibility for modern-day hackers.

What should you do?


First and foremost, go and change your battle.net password.  Yes, the stolen passwords were hashed, but there are techniques for comparing the frequency of hashed passwords to work out which passwords are more likely to be one of the more commonly used passwords.  A "salted" password helps protect against this but we don't know exactly what form Blizzard stores their passwords in (other than they are "cryptographically scrambled").
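Why the "salted" question in the paragraph above matters can be shown in a few lines. This is an added example, not code from the original post and not a description of how Blizzard actually stores passwords; the user list is constructed for the demonstration, and the SHA-256 and PBKDF2 choices are assumptions made to keep it short. Without a salt, identical passwords produce identical hashes, so anyone holding a dumped hash column can count repeats and learn which hash represents the most popular password before cracking a single one. With a random per-user salt, that frequency signal disappears.

```python
import hashlib
import os
from collections import Counter


def hash_unsalted(password):
    """One-way hash with no salt: equal passwords give equal hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password, salt):
    """Same hash with a per-user random salt mixed in (the salt is stored beside it)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def hash_pbkdf2(password, salt, iterations=200_000):
    """Salted and deliberately slow: each guess costs the attacker `iterations` rounds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def hash_frequencies(hashes):
    """What can be learned from a dumped hash column alone: how often each value repeats."""
    return Counter(hashes).most_common()


# Constructed sample user base for illustration (not real leaked data).
SAMPLE_PASSWORDS = ["password", "password", "password", "123456", "123456",
                    "raid-leader!", "ilovewow", "Qw3rty", "password", "zxcvbn"]


def largest_cluster_unsalted(passwords=SAMPLE_PASSWORDS):
    """Size of the biggest group of identical hashes when no salt is used."""
    return hash_frequencies([hash_unsalted(p) for p in passwords])[0][1]


def largest_cluster_salted(passwords=SAMPLE_PASSWORDS):
    """Same users, but every row gets its own 16-byte random salt."""
    rows = [(os.urandom(16), p) for p in passwords]
    return hash_frequencies([hash_salted(p, s) for s, p in rows])[0][1]


def largest_cluster_pbkdf2(passwords=SAMPLE_PASSWORDS):
    """Same again with a slow KDF: no cluster, and each guess is expensive."""
    rows = [(os.urandom(16), p) for p in passwords]
    return hash_frequencies([hash_pbkdf2(p, s, 1000) for s, p in rows])[0][1]


if __name__ == "__main__":
    print("unsalted: biggest cluster =", largest_cluster_unsalted())   # 4 users share "password"
    print("salted:   biggest cluster =", largest_cluster_salted())     # every hash unique
    print("pbkdf2:   biggest cluster =", largest_cluster_pbkdf2())
```

Salting only removes the shortcut; a fast unsalted or salted hash can still be brute-forced one user at a time. That is why the third function uses a slow key derivation, which is the defence Blizzard's SRP statement is alluding to when it says each password "would have to be deciphered individually".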

Second, go buy a hardware authenticator.  The hardware authenticator serial numbers were reportedly not stolen and the technology is developed by a security vendor (Vasco) as opposed to the mobile authenticator app which was developed by Blizzard.  This is not to say the mobile authenticator is bad - it is certainly better than not having an authenticator at all, but the hardware authenticator is the best.  I certainly have one on my account!

Third, be particularly wary of phishing emails.  If your email is now in the hands of the bad guys then you will certainly get hammered with more of these. 

Lastly - don't stress too much.  Our good friends at Blizzard will restore accounts that have been compromised and given that raiding is currently in a quiet time, I am sure that your guild will forgive you.


Tuesday, May 22, 2012

Blizzard Confirms a Rise in Diablo 3 Hacks

Diablo 3 account compromises are currently happening and there are a string of accusations kicking around from the victims of these attacks.  Fingers are being pointed at Blizzard and at each other.

The vast majority of these incidents, in fact close to 100%, are occurring where the victim does not have an authenticator attached to their battle.net account.

Blizzard has published a lengthy statement on the issue and have confirmed that they are seeing an increase in account compromises:

LYLIRRA: We'd like to take a moment to address the recent reports that suggested that Battle.net® and Diablo® III may have been compromised. Historically, the release of a new game -- such as a World of Warcraft® expansion -- will result in an increase in reports of individual account compromises, and that's exactly what we're seeing now with Diablo III. 

While they don't explicitly say that they have not had their own systems compromised, they go on to say that their authenticator is the best form of defense against these attacks and that everyone should go and pick up either the hardware token or one of the (free) mobile authenticator apps.

While I can't comment on Blizzard's internal security status, I can certainly comment on the value of the authenticator. For those that may be new to the concept of authenticators, let me take a quick moment to explain how they work.

The authenticator is a device (either a hardware token or a mobile application) that has a built-in clock and algorithm that generates codes every 30 seconds. These codes are in a unique sequence that is tied to a "seed" that is contained in the device/application.  This seed is paired to the serial number of the device.   When you attach it to your battle.net account, you tell battle.net what the device's serial number is and the battle.net server can then derive your unique "seed" and generate its own stream of codes that should match yours.

When you login to battle.net via Diablo 3 or WoW you will need to grab your authenticator/mobile app, generate the code and enter it in. Meanwhile the battle.net server is doing the same code generation on its end to validate your code.

This adds an extra layer of security by requiring you to be in physical possession of the authenticator - in the security world we call this 2 factor authentication and the authenticator becomes "something that you have".  (You are also required to enter your battle.net password - we call this "something that you know")

In asking for a code, the authenticator virtually eliminates the effectiveness of a dictionary attack on your password.  Additionally, with its rolling number sequence, the authenticator also drastically limits the opportunity to brute-force the authenticator code itself. Phishing attacks become useless unless they capture the authenticator code as well - and even if they do - they have a very limited time in which to use it before it expires.
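The mechanism described in the last few paragraphs (shared seed, 30-second windows, the server generating the same code, a code expiring almost immediately) is the standard time-based one-time password scheme. The example below is added here for illustration; it is not Blizzard's code and does not reproduce how a Battle.net seed is derived from a serial number. It implements RFC 4226 HOTP and RFC 6238 TOTP directly, using the RFC's published test secret as a stand-in seed, and adds the two server-side checks a practitioner would expect: tolerance for one step of clock drift, and refusal to accept a code from a window that has already been used.

```python
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # the post's "codes every 30 seconds"
DIGITS = 6

# Constructed demo seed: the RFC 6238 test-vector secret, not a real device seed.
DEMO_SEED = b"12345678901234567890"


def hotp(seed, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(seed, unix_time, step=STEP_SECONDS):
    """Device side: the code for the current 30-second window."""
    return hotp(seed, int(unix_time) // step)


class AuthenticatorVerifier:
    """Server side: holds the same seed, tolerates `window` steps of clock drift,
    and never accepts a window at or before one it has already accepted."""

    def __init__(self, seed, window=1, step=STEP_SECONDS):
        self.seed = seed
        self.window = window
        self.step = step
        self.last_counter = -1   # highest window accepted so far (anti-replay)

    def verify(self, code, unix_time):
        current = int(unix_time) // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue   # replayed, or older than a code already used
            if hmac.compare_digest(hotp(self.seed, counter), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    now = time.time()
    code = totp(DEMO_SEED, now)
    server = AuthenticatorVerifier(DEMO_SEED)
    print("code:", code, "accepted:", server.verify(code, now),
          "replay accepted:", server.verify(code, now))
```

Two properties of the post's argument fall straight out of this code. A phished code is only useful inside its window and only once, because the verifier remembers the last window it accepted. And the seed is the whole secret: anyone holding the seed (which is what the later Battle.net breach post worries about for mobile authenticators) can call totp() exactly as the server does, so seeds have to be protected like passwords.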

I have worked with around 30-40 people that have had their battle.net accounts hacked over the years and all of them had no authenticator.  I am yet to find someone that has been hacked when they have had an authenticator attached to their account.  Now, I am not saying that it can't happen - it can - but I would estimate that having an authenticator will improve your security and reduce your chance of getting hacked by a factor of 50 to 100.  It is not 100% safe - no security mechanism is - but it will add a very solid security layer to your gaming account.

Here are my ten simple steps you can do to reduce the chance of your battle.net account being compromised:

  1. Don't share your game password with anyone and pick a password that is not easily guessed 
  2. Don't use the same password for subscribing to fan sites 
  3. Keep your operating system, browser and other software fully patched - start with Windows Update 
  4. Run a reputable antivirus product, preferably a full internet security suite with a firewall and keystroke encryption 
  5. Don't click on email attachments, especially when you don't know the sender 
  6. Don't download and run executable files from web pages 
  7. Don't enter your game password into any web site other than the official game sites 
  8. Don't enter your game password to a legitimate Blizzard web site from a PC that may be compromised 
  9. Be very suspicious if an addon requires some form of install package to be run 
  10. Invest in a Blizzard authenticator or install the Battlenet authenticator application on your phone
Follow these steps to help protect your most valuable asset - your gaming account.  There are a lot of bad people out there trying to get into your account so make it hard for them and don't become a statistic.

Sunday, September 4, 2011

Diablo 3 Beta Phishing Season Begins

The scammers are out in force with the recent Diablo 3 beta opt-in announcement.  

Phishing scams are very common around any Blizzard beta release announcement so it is time to be especially on your guard.


I received the following in my in-box today:

Greetings from Blizzard Entertainment!
We’re gearing up for the forthcoming launch of Diablo III and would like to extend you an invitation to participate in the beta test. If you are interested in participating, you need to have a Battle.net account, which you can create on our Battle.net website.
We will flag you for access to the Diablo III beta test when we begin admitting press. You do not need to go through the opt-in process.
To secure your place among the first of Sanctuary’s heroes, please use the following template below to verify your account and information via email.
* Name:
* Battle.account name:
* Password:
* Country:
* E-mail Address:
Thanks and see you all in the Burning Hells!

The email claims to give you an express beta invite without having to go through the formal opt-in process. Naturally, this is a phishing attempt aimed at getting hold of your valuable battle.net account details. The reply email address resolves into a d3-blizzard.com domain which, not-so-surprisingly, is registered in China:

Domain Name: D3-BLIZZARD.COM
   Registrar: HICHINA ZHICHENG TECHNOLOGY LTD.
   Whois Server: grs-whois.hichina.com
   Referral URL: http://www.net.cn
   Name Server: DNS27.HICHINA.COM
   Name Server: DNS28.HICHINA.COM
   Status: ok
   Updated Date: 29-aug-2011
   Creation Date: 29-aug-2011
   Expiration Date: 29-aug-2012

Remember, Blizzard will never ask you for your battle.net password - be wary of any communications that request this.
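The WHOIS record quoted above carries two red flags that can be checked mechanically: the domain was created on 29-aug-2011, six days before this email arrived, and it borrows the Blizzard name without being blizzard.com or a subdomain of it. The following is an added example, not part of the original post; it parses the record exactly as printed above (no live WHOIS query is made), and the function names, the 30-day threshold and the choice of blizzard.com as the legitimate domain are assumptions made for the illustration.

```python
import re
from datetime import date, datetime

# WHOIS record as quoted in the post above (copied verbatim, not re-queried).
WHOIS_TEXT = """Domain Name: D3-BLIZZARD.COM
   Registrar: HICHINA ZHICHENG TECHNOLOGY LTD.
   Whois Server: grs-whois.hichina.com
   Referral URL: http://www.net.cn
   Name Server: DNS27.HICHINA.COM
   Name Server: DNS28.HICHINA.COM
   Status: ok
   Updated Date: 29-aug-2011
   Creation Date: 29-aug-2011
   Expiration Date: 29-aug-2012
"""


def whois_field(text, field):
    """Return the value of one 'Field: value' line, or None if absent."""
    pattern = rf"^\s*{re.escape(field)}:\s*(.+?)\s*$"
    m = re.search(pattern, text, re.IGNORECASE | re.MULTILINE)
    return m.group(1) if m else None


def creation_date(text):
    # Date format as printed by this registry: dd-mon-yyyy (assumption for this record).
    return datetime.strptime(whois_field(text, "Creation Date"), "%d-%b-%Y").date()


def domain_age_days(text, as_of):
    """How many days before `as_of` the domain came into existence."""
    return (as_of - creation_date(text)).days


def looks_like_brand(domain, legitimate_domain):
    """True when `domain` contains the brand name but is neither the real
    domain nor one of its subdomains (e.g. d3-blizzard.com vs blizzard.com)."""
    domain = domain.lower().rstrip(".")
    legit = legitimate_domain.lower()
    if domain == legit or domain.endswith("." + legit):
        return False
    return legit.split(".")[0] in domain


def assess(text, legitimate_domain, as_of, max_age_days=30):
    """List the red flags found for the domain in a WHOIS record."""
    domain = whois_field(text, "Domain Name").lower()
    flags = []
    age = domain_age_days(text, as_of)
    if age < max_age_days:
        flags.append(f"{domain} was registered only {age} days before the message")
    if looks_like_brand(domain, legitimate_domain):
        flags.append(f"{domain} borrows the brand name but is not {legitimate_domain}")
    return flags


if __name__ == "__main__":
    # The post is dated 4 September 2011, the day the email arrived.
    for flag in assess(WHOIS_TEXT, "blizzard.com", date(2011, 9, 4)):
        print("flag:", flag)
```

Domain age is one of the cheapest phishing signals there is, because a scam campaign is usually built on throwaway domains registered days before the mail goes out, whereas the real brand's domain is years old. The look-alike check is deliberately simple (substring match on the brand token); a production filter would also compare against a list of the brand's genuine domains such as battle.net.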

Tuesday, April 5, 2011

Top WoW Phishing Scams for March 2011

I have established a WoW phishing honeypot and I see a lot of active phishing scams.  I thought I would take the time to cover off the top two WoW phishing scams for March:

#1 Titled "Too Many Attempts Warning No.x" - 37% of WoW scams

The most common phishing scam for March comes in the form of a straight text email that warns you that your account has been locked due to too many login attempts. It provides a link to restore your account, but naturally points to a fake battle.net site, where your account details are captured.

-----------------------------------------------------------------------------
Dear customer, 
Due to suspicious activity, your Battle.net account has been locked. You tried to login your account too many times (403). We are concerned about whether your account has been stolen. In order to guarantee the legitimacy of your account, we need you follow these steps:

Step 1: Secure Your Computer
In the event that your computer has been infected with malicious software such as a keylogger or trojan, simply changing your password may not deter future attacks without first ensuring that your computer is free from these programs. Please visit our Account Security website to learn how to secure your computer from unauthorized access.

Step 2: Secure Your E-mail Account
After you have secured your computer, check your e-mail filters and rules and look for any e-mail forwarding rules that you did not create. For more information on securing your e-mail account, visit our Support page.

Step 3: Restore access to Your account
We now provide a secure link for you to verify whether you have taken the appropriate steps to secure the account, your computer, and your email address. Please follow this site to restore the access to your account: xxxxxxxxxxxxxxxxxxxxxxxxxxxx

If you still have questions or concerns after following the steps above, feel free to contact Customer Support at xxxxxxxxxxxxxxxxxxx.

Sincerely, 
The Battle.net Account Team 
Online Privacy Policy
-----------------------------------------------------------------------------


#2 Titled "Account Change" - 26% of WoW scams

This scam attempts to scare you into thinking that your contact information has been illegally modified and entices you to log in to a fake site to verify your account information.

-----------------------------------------------------------------------------
Hello,
This is an automated notification regarding your Battle.net account. Some or all of your contact information was recently modified through the Account Management website.

*** If you made recent account changes, please disregard this automatic notification.
*** If you did NOT make any changes to your account, we recommend you log in to xxxxxxxxxxxxxxxxxxxx review your account settings.

If you cannot sign into Account Management using the link above, or if unauthorized changes continue to happen, please contact Blizzard Billing & Account Services for further assistance.

Billing & Account Services can be reached at 1-800-59-BLIZZARD (1-800-592-5499 Mon-Fri, 8AM-8PM Pacific Time) or at billing@blizzard.com.

Account security is solely the responsibility of the accountholder. Please be advised that in the event of a compromised account, Blizzard representatives will typically lock the account. In these cases the Account Administration team will require faxed receipt of ID materials before releasing the account for play.

Regards,
The Battle.net Support Team 
Blizzard Entertainment
Online Privacy Policy
-----------------------------------------------------------------------------

Other active scams include a "7 days free access offer", "investigations on the sale/trade of your game account" and various "compensation" emails.  I have also started to see scams for LOTRO and RIFT.  You know that you have made it as an MMO when you see active phishing scams - sad, but true.

Learn more about the mechanics of these scams.

Sunday, March 27, 2011

Trust Me, I am a Security Pro

Everyone you talk to seems to have their own special advice on how to avoid having your game account hacked. Unfortunately, there is both good and bad advice given. While I normally blog about the good advice, I decided to take some time and dispel some of the common IT security myths out there.



Myth: You can't get hacked by simply visiting a web site

People often claim that you can't be hacked by just visiting a web site and that you need to download and install something by clicking on it.

This is false. You can indeed pick up a trojan/keylogger simply by browsing to a web site that has malicious content which takes advantage of a vulnerability and, depending on the vulnerability, you may not even know that you have been infected.

Vulnerabilities can be found in the operating system, your browser, your flash player, your media player and in any piece of software that runs on your machine. Many of these vulnerabilities, if exploited, allow remote code execution which can be used to automatically download malicious software without your interaction or knowledge.

Myth: Running Firefox/Mozilla means I am safe

Internet Explorer has traditionally been one of the most exploited browsers, mainly because of its historical prevalence. These days, Firefox is the most popular browser amongst WoW users (44%), with IE (22%) and Chrome (21%) coming next... and the hackers have followed. Many vulnerabilities and exploits have been discovered with Firefox.

Other browsers are not perfect either. For example, a competition at a security conference found that most browsers could be easily compromised with Google's Chrome being the last one standing.

Myth: Run 'noscript' and you will be fine

NoScript is an addon for Firefox that allows you to block Flash and JavaScript on web pages. It helps alleviate issues such as the Flash vulnerabilities that are announced so often.

Noscript is a very good idea in concept but it breaks most web sites, especially modern web sites that require flash and javascript (which is nearly all of them).  This is the traditional trade-off you get with security.  Noscript provides some excellent protection but you will not get the full functionality from web sites without extensive whitelisting.

Myth: I run a Mac and Macs don't get malware

Yes they do - just not as much malware as what Windows users can expect.

However, you can still get phished.  Given that many of the account hacks are a result of phishing attacks, Mac users need to remember that they are just as vulnerable to these as any other user.

Myth: Pick up free anti-virus software and you will be right

Honestly, you get what you pay for.  As someone that comes from the anti-virus industry, I know the investment required to produce a top-quality anti-virus solution.  Free AV is good, but paid-for AV is better. It ultimately comes down to your tolerance of risk and whether you are prepared to pay for better protection. You can see a list of AV products and their ratings at avtest.org.

Myth: I have an Authenticator therefore I am protected 100%

No security will provide 100% protection. Whenever you hear someone say that something is 100% secure then don't believe a word of it.

The authenticator recently fell victim to some malware that intercepted the authenticator's code and sent it off to the hacker. But don't despair - the authenticator is still one of the best prevention mechanisms you can buy.

Myth: I don't have an authenticator, I don't run AV, I don't have a firewall and I have never been hacked

You should go and buy yourself a lottery ticket. Seriously, you are very lucky.

As discussed earlier, you can get infected simply by surfing a page that features some malformed objects designed to exploit a vulnerability in some piece of software on your PC.

But you avoid bad sites such as hack sites or porn sites, right? 

Well, even the good sites get hacked to become a source of malware. This is becoming a much more common method of malware propagation.

Visit our 10 Easy WoW Security Steps post to learn more about securing your WoW account.

Thursday, November 11, 2010

Blizzard Adds Dial-in Authenticator

Blizzard has announced a new security service for US players called the Dial-In Authenticator.

"Similar to the Battle.net Authenticator and Mobile Authenticator application, the Battle.net Dial-in Authenticator is an optional tool that provides an additional layer of security against unauthorized account access. The Battle.net Dial-in Authenticator is not a physical token or application run on a mobile device, however. Instead, it is a free opt-in service that will actively monitor an account and request additional authorization from the user when a potentially unauthorized login attempt occurs."

The service asks you to nominate a phone and a PIN.  When your account is accessed from a different IP address it will ask you to authenticate by dialling a US toll-free number from your nominated phone and entering your PIN and a single-use security code.  The service is optional and best of all, it is free.

This is a good addition to the security arsenal, especially for those users that move around a lot and don't have a hardware authenticator. Remember that good security is made up of several layers of protection, and this offers yet another layer.

More information can be found at the official Battle.net Dial-in Authenticator FAQ.