Recently in Security Category

I have noticed a high occurrence of Flash ads on sites lately. These are not unusual, in their essence. The problem with Flash ads is that either by limitations of code or intentional omission, they often do not display a URL. When these appear on game sites, especially ones which are a haven for WoW players like DeathKnight.info, I grow incredibly concerned about my security. Until I have an Authenticator in my hands, I will remain very cautious of my security.

Right now I surf on my laptop and game on my desktop, still being incredibly careful what I download and where I surf to. You never know if a trojan will know to look for zip files or other known packaging used in the Mod community. I do not know if the URL issue is a coded one or a Flash based flaw, but I refuse to risk myself and my account on the chance of a cool product or game that is marketed to people like me.

Add to this the chance of so far unknown holes in Flash or other multimedia ad methods, the prevalence of gold farming, leveling guide, and power leveling ads on any site that has Warcraft or MMO in its keywords, and you really become concerned about clicking much of any link on the sites you visit online.

I wonder, though, am I paranoid? I know a lot of folks think that all these big security measures that even the less secure take are too much, and I go much further in my own technology. Would you go so far as to refuse to click any Flash based links? Would you take security measures like weekly trojan searches, multi PC use, and other such measures? Or are you one of the many that thinks a decent browser and some addons for it is enough?

Yesterday I posted a thread about the Blizzard Authenticator being sold out on the General forums, and the thread got to 3 pages before Blizzard put their own sticky about the topic, and even addressed the US only concerns I have previously expressed. The thread, though, was dominated by one clear message which I found both foolhardy and completely misinformed. Add to that a healthy dose of 'WTF' factor, and you begin to see a really disturbing picture of the WoW community.

The first bit that really annoyed me was from Celada of Lothar:

It's a false sense of security... Nothing beats knowledge and a little bit of common sense. You can about 100% protect yourself with

Firefox
-addons
--FlashBlock
--Adblock Plus
--Noscript

Celeda, you talk about a false sense of security? Tell me the FCC and many other government agencies from around the world have a false sense of security in this form of multi layer authentication. You have a false sense of security if you think that such measures have any form of security to them. With new bugs and holes being found all the time, all it takes is a single day of being unpatched for your computer to be infected with a keylogger. How many mod sites have found trojans in their code? Almost all of them, and everyone has them as trusted.

Next up we have Celeda's response to my points about a true false sense of security coming from Firefox:

I've been playing this game since beta, never once been keylogged
Cause I'm not stupid enough to click any links I don't know

Blizz can sell false sense of security all day, they can't sell common sense and they cannot cure stupid

Just because you have not, does not mean you will not. Past actions do not dictate future results, especially with the rising value of WoW account info on the black market.

Now to this gem from Kybeorie of Baelgun

Clue:

Someone has a trojan on your computer.
You have the authenticator.
They can't login to your wow account, but they are STILL LOGGING YOUR KEYS. The difference is that now you don't know it, because your wow account is ok. So you go merrily about your business, while your mother is now sending some money "you need to borrow", because you said so in an email, to some address far away

All due respect, Kybeorie, if you are using those Firefox addons as your only protection from trojans and keyloggers, you deserve to be scammed. Also, if your mother can't pick up a phone and check with you to make sure a sudden 'I need money' email is real, well, then your mom needs some lessons in common sense, cause I know my mom is smart enough to actually talk to me when I ask to borrow money.

In the end, this is not the be all and end all of protection, but it is not a false sense of security. This is a very secure additional form of security for your WoW account. If you feel your Firefox plus addons method of security is fine, great. It just means that when Blizzard does start shipping these to Canada, I won't have to wait in line behind you to get mine. I, though, will be very comfortable paying a lowly $7 USD for this increased measure of security.

According to the writer of the isheepthings blog, the Blizzard Authenticator, after about two and a half days on sale, is listed on the Blizzard store as sold out. This all happened with no Canadian being able to order one themselves unless they had a US shipping address. There are those who advise that Canadians go and order from the European store, but to my knowledge the Authenticator was never available from there, only showing Sold Out for the entire duration.

[Update: Blizzard has now posted both about the sell out and the lack of availability to Canadians. Thank you Blizzard for answering the questions I and others had.]

Incoming is a regular part of From the Abbey to Outlands where the author will rant at length about a topic that is frustrating or aggravating in the World of Warcraft. Keep reading for more, we have a Rant Incoming!

You may have heard that the new Blizzard Authenticator is now available for purchase from the Blizzard Store. It's a great little device which will increase account security an enormous amount, and could potentially be the catalyst to the elimination of the account hacking going on by Gold Sellers. That is, of course, if everyone can get it, which they can't. "This product can only be shipped to the United States." is what you will see if you go to the Authenticator item page I linked to before. Now, however, there is an item page on the European Blizzard Store, which does not limit where it can be shipped, though the item is not yet actively for sale.

The following is an email I sent to Blizzard's billing department after getting off the phone with a rep who pretty much had no clue why it wasn't for sale to Canadians, and was guessing distribution issues.

I would like to express my frustration that Blizzard is not shipping the new Authenticator to Canada. This device is a great idea, and should increase the security of accounts substantially, but it cannot do that if we cannot buy it. I fail to see why the USA and Europe are the only areas who are allowed to maintain the highest level of security on their accounts, while other countries must sit back and simply hope their accounts don't get hacked. I guess one has to question if, in addition to contests, Blizzard has a complete lack of respect that extends to not caring about our security. I am sad to see this come to pass.
I look forward to a response from Blizzard, even if it only comes in the form of a change in that policy so that we here in Canada can enjoy the same level of security as others in the US and EU.

[Update: Blizzard has now posted both about the sell out and the lack of availability to Canadians. Thank you Blizzard for answering the questions I and others had.]

Acquiescing to the many criticisms and demands, Blizzard took a page from the books of PayPal when they announced today that they will begin selling a security ID keyfob to increase the security of accounts exponentially. The key chain sized device will, when triggered, generate a 6-digit code that can be entered into the game client once the device is connected to your account.

The good thing about these types of devices (similar ones are in use by such groups as the FCC, the aforementioned PayPal, and many businesses and government departments with sensitive data accessed remotely) is that a keylogger only does half the job. The hacker or trojan can get a hold of my username and password all they want, but once my account has been associated with this, the game will deny access unless the 6-digit code output by the device is present as well.
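The login check described above, as an added example that is not from the original post and is not Blizzard's algorithm: it assumes the token derives its 6-digit code from a shared secret and a 30-second time step using the public HOTP construction (RFC 4226), and shows a keylogged password and code being refused on replay. The `Account` class, the password, the secret and the timestamps are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30  # assumed code lifetime in seconds; the post does not state one


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Account:
    """Hypothetical server-side record: password plus an attached token."""

    def __init__(self, password: str, token_secret: bytes):
        self.password = password      # stored in the clear only for brevity
        self.token_secret = token_secret
        self.last_step = -1           # newest time step already redeemed

    def login(self, password: str, code: str, now: int) -> bool:
        step = now // STEP
        if not hmac.compare_digest(password.encode(), self.password.encode()):
            return False
        # Accept the current and previous step (clock drift), never a used one.
        for s in (step, step - 1):
            expected = hotp(self.token_secret, s)
            if s > self.last_step and hmac.compare_digest(code.encode(), expected.encode()):
                self.last_step = s
                return True
        return False


def demo():
    secret = b"12345678901234567890"          # constructed (RFC 4226 test key)
    acct = Account("hunter2", secret)
    typed = hotp(secret, 95 // STEP)          # owner reads the token at t=95
    owner = acct.login("hunter2", typed, now=95)
    # A keylogger captured both values; it replays them at once and later.
    replay_now = acct.login("hunter2", typed, now=100)
    replay_later = acct.login("hunter2", typed, now=280)
    return typed, owner, replay_now, replay_later


if __name__ == "__main__":
    print(demo())
```

The replay at t=100 fails because that time step was already redeemed by the owner, and the one at t=280 fails because the captured code no longer matches the current step.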

What does this mean to you? This means that your character, be it a level 19 twink, a level 60 non upgraded, or a 70 in full tier 6 and Sunwell, can be safe from the many looming threats on the internet. The even better thing? One device can be used for multiple accounts, so multi boxers only need 1 device for all of their many accounts. I feel that this is a long overdue addition to our gaming world and very good thing for account security in the World of Warcraft.

Some might think that this kind of technology for a measly game is a waste of the technology. I would say that the technology having become cost efficient enough and small enough for this purpose means a great deal for the future of security in our offline and online lives. That, however, is a story for another blog, and another blogger. For us, for now, it just means that for less than the cost of a month of play, we can afford to protect our multi year investment in our characters.