
Having been a World of Warcraft player since the beta was published a few years ago (at least on weekends, when my wife allows me to play a bit), I noticed recently that you can buy a 2-way authentication token for the game.

No, that’s not a joke:
http://www.blizzard.com/store/details.xml?id=1100000182

Every day I saw people complaining that their accounts got hacked and all their gold and items were stolen. Stolen items and gold? That may sound childish, but in the real world it's worth real money. There are always buyers who pay real money to get the in-game currency, "gold", delivered. Players need gold to buy equipment for their characters. 1000 World of Warcraft gold sells for about $39 US. There is always a market for the gold, since some people do not have the time to spend hours collecting it during gameplay.

Password stealers for such online games significantly outnumber the game serial stealers for other games. The reason is that there are so-called gold-seller companies which not only sell gold, but also buy gold for real money from other players so that they can resell it later, in a professional way, for profit. This motivates hobby hackers to create their own keylogging software to earn some extra money. Once someone has access to the playing character, they can send the gold to themselves via the in-game e-mail. In most cases, the hackers create a temporary account. Later, they simply delete the account once the transactions have gone through.

Offering this token as an optional purchase will solve some of the security issues, but not all, because when it is optional not everyone will buy it. And the people who already pay attention to their computer security (by considering or purchasing this item) are most likely informed about antivirus solutions and know that they have to keep them up to date.

The high-risk users will remain as long as this gadget is not bundled with every new game that is sold. However, it is highly honorable of Blizzard to improve their security system, even if it's just for a game. The next step should be to include a time-out blocker in their online account management system, because without one you could brute-force the login data for the first authentication process….

Signing off, Michael St. Neitzel