Posts Tagged ‘security’

Seri sez: It’s not paranoia if they really are out to get you.

May 7, 2009

This isn’t exactly breaking news, but the Battle.net Mobile Authenticator is now available for iPhone and iPod Touch. (More coming soon, I hope!) I’ve sung the praises of Blizzard’s authenticators before, so I will try not to be more redundant than usual. You might be surprised to hear that I don’t actually own one of those spiffy little dongles, given how passionately I spoke about account security.

What can I say? I’m cheap/lazy. Do as I say, not as I do.

The mobile authenticator, on the other hand… wow, they really ran me out of excuses this time. It’s free (which appeals to my frugal nature), it’s for iPhone (which is the only phone I have; Mr. Seri and I don’t even have a land line) and… did I mention it’s free?

Laziness did win out for a few weeks, but I finally got around to downloading the app yesterday and syncing it with my Battle.net account. It was very easy to set up; once you have the app installed it gives you a unique serial number that you plug into your Battle.net account (click “Change Security Options” after you log in to the Battle.net site) along with whatever the current security code is on the app. That’s it!

Once you’ve synced the app with your account, you’ll be prompted to enter a security code whenever you log in to your account so be sure you keep your mobile device handy. The code changes every 20 seconds or so, so you’ll need to be quick about typing it in before it expires.

This code is technomagical… it’s tied to your serial number in such a way that you can’t just use any authenticator to log in to an account that requires a code. You have to use your authenticator code, the one that’s tied to your authenticator’s serial number, or it just won’t work. For this reason, you have to be careful about doing anything that might change your serial number (deleting the app, restoring the device to factory defaults, etc.) unless you log in to your account first and turn off the security setting to require an authenticator code. When you go back to turn it on, it will prompt you for a serial number again. Of course, a Blizzard rep can turn this setting off for you after verifying your identity… which I’m sure wouldn’t cost you more than a few vials of blood, a kidney and your firstborn.

Although Blizzard’s documentation indicates that you must have wi-fi access to use the authenticator, it seems to be working just fine for me over 3G.

I know that I’m probably going to have some ‘incidents’ in the future where I get annoyed with the inconvenience of having to dig my phone out just to log in (and I know for a fact there is going to be a problem with me forgetting my phone on my desk at home when I leave for work in the future) but I tell myself that it’s for the best. It gives me peace of mind, and keeps the grubby little paws of uninvited guests out of our guild bank.

Though, the irony hasn’t escaped me that my Battle.net account is now more secure than my online banking. Excuse me, I think I need to go change some passwords.

WoS PSA: Bloggers beware! New phishing e-mail in the wild.

March 30, 2009

Hi all! Just a quick little note here from Snarkcraft HQ about an e-mail we received this morning claiming to be a notification of account suspension. It looked very legit and all the links were valid links to Blizzard pages… except the one encouraging us to log in to Battle.net.

Why did I feel it important to notify you all of a random phishing scam? Because the e-mail address we received it at was NOT associated with a World of Warcraft account. It is an address only used for World of Snarkcraft, which means that it is quite possible some nefarious person(s) is/are harvesting WoW blogger e-mail addresses and targeting them specifically.

As always, we encourage you to be cautious with any e-mail you receive that claims to be from Blizzard (or anyone else you have an online account with). Always inspect links, and be suspicious of any communication that does not address you by name!

Seri sez: Account Security – If you’re not paranoid, you should be.

November 27, 2008

Sorry folks, no pictures this week… just a big wall of text. Really, I’m lucky I got this much done with the NaNoWriMo deadline looming. 12.5k to go!

I’m not sure if there has been a rise in WoW account theft/hacking since the expansion or if it’s just sheer coincidence that two people I know were hacked in the last week. Nonetheless, it is a matter that deserves community attention.

I’m going to go out on a limb and say that pretty much everyone knows someone whose account has been compromised. Horror stories abound, from characters deleted/transferred/liquidated to guild banks emptied and candy stolen from babies. The sad and inescapable truth is that there are a lot of truly despicable human beings (and I use the term loosely) out there who think nothing of preying on others for personal gain.

Just because you’re not paranoid doesn’t mean no one’s out to get you.

While the theft of virtual valuables may not be quite as extreme as busting kneecaps for ‘protection’ money or swindling old ladies out of their retirement fund, it can be a violation on a very personal level… kind of like coming home to find your underwear drawer empty and your cat missing.

To safeguard your account…

Choose a secure password and change it regularly. 8 characters minimum. No dictionary words. No dictionary words done ‘133t’ style. Use a mixture of letters and numbers, upper case and lower. Throw in a symbol or two. Don’t use your birthday! If you have trouble remembering the password… great. It’s a lot less likely to be guessed. Eventually you’ll have it memorized, I promise.

Don’t use the same login/password combination for multiple online services. One of the most common methods of gaining login/password information is for a savvy hacker to trick you into following a link to a fake login page for a bank or other common online service (eBay, PayPal, Amazon, etc.), then try that login/password combination at other common online services to see if it works. Of course, you can’t change your WoW account username, but using a different password than you use for other online stuff will protect you against this sort of attack.

Always be suspicious of links in e-mail and web forums. Speaking of links, you should never click blindly on links you’re given in e-mail/forums (or even blogs, really). A link may not necessarily be what it claims to be. It could send you somewhere entirely different from where you’re expecting, and you might not realize it until it’s too late. This is how keyloggers are commonly spread, and how malicious e-mails trick you into visiting fake web pages as mentioned previously. When in doubt, right click the link and there should be an option to copy it. Paste it manually into your browser address bar and look at it before you hit enter to load the page. Is it supposed to go to eBay? Why does it go to ‘hahahackers.it/ebayspoof’? Check the domain name. If it doesn’t match where you’re supposed to be going, don’t load the page!
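The “check the domain name” step above, as an added illustration that is not from the original post: a small checker that pulls out the host the browser would actually connect to and flags the lookalike tricks a quick glance misses, such as the real site’s name stuffed into a subdomain or placed in front of an @. The sample links, the .example hosts and the expected-domain values are constructed; hahahackers.it/ebayspoof is the post’s own example.

```python
from urllib.parse import urlsplit

def actual_host(url: str):
    """Host the browser would really connect to, or None for a non-web link.
    .hostname drops userinfo ('ebay.com@evil.example'), the port, and upper case."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.rstrip(".")

def host_belongs_to(url: str, expected_domain: str) -> bool:
    """True only if the host is expected_domain itself or a genuine subdomain of it,
    so 'ebay.com.hahahackers.it' and 'notebay.com' both fail."""
    host = actual_host(url)
    expected = expected_domain.lower().rstrip(".")
    return host is not None and (host == expected or host.endswith("." + expected))

# Constructed sample links: (href as copied from the e-mail, site you expect to reach).
# The hahahackers.it entry is the post's own example; .example hosts are placeholders.
SAMPLE_LINKS = [
    ("https://signin.ebay.com/", "ebay.com"),                          # real subdomain
    ("http://hahahackers.it/ebayspoof", "ebay.com"),                   # plain wrong site
    ("http://battle.net.account-verify.example/login", "battle.net"),  # name as a subdomain
    ("http://battle.net@account-verify.example/login", "battle.net"),  # name as userinfo
    ("HTTPS://US.BATTLE.NET/login", "battle.net"),                     # case is irrelevant
    ("mailto:support@battle.net", "battle.net"),                       # not a web link at all
]

def audit(links=SAMPLE_LINKS):
    """For each link: (real host, acceptable?). Anything False: do not load the page."""
    return [(actual_host(href), host_belongs_to(href, domain)) for href, domain in links]
```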

Don’t open attachments from untrusted sources. (And think carefully about who you trust!) Viruses and keyloggers are often spread through attachments. If you don’t know who it’s from, don’t open it. Caution may be warranted even if you do know the person, if they are what you would consider to be technologically challenged.

Don’t share your login/password. When you give someone your login/password, you’re not only trusting them not to give it out, you’re also trusting that their security precautions are as rigorous as yours. All the security in the world won’t help you if you give your buddy your account info and he has a keylogger.

Invest in an authenticator. These little things are a marvelous way to keep your account safe for a small one-time investment. When your account is protected by an authenticator, even if a hacker gets access to your login/password they can’t log in unless they have the code from your authenticator, which changes every minute or so. The downside? If you lose it or don’t have it with you, you’re locked out of your account until you find it (or until you contact Blizzard and jump through whatever hoops they require). Also, if you do share your login/password with someone you’ll have to give them the PIN from your authenticator and they’ll need to enter it in quickly before it expires. Note: For the international audience, authenticators are also available for Canada/Australia/New Zealand/Latin America, Europe and Korea.
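The expiring, device-bound codes described here and in the May 2009 post above work along the lines of a standard time-based one-time password (RFC 6238). What follows is an added illustration, not Blizzard’s code or a description of its real enrolment protocol: the server keeps, for each enrolled serial number, the secret provisioned into that device, and a code only verifies if it was computed from that secret for the current time step. The 30-second step, the one-step skew window, the serial names and the secrets are all constructed assumptions.

```python
import hashlib, hmac, struct

STEP = 30  # seconds per code (assumption: RFC 6238 default; the post observes ~20)

def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = 8) -> str:
    """RFC 6238 code: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** digits).zfill(digits)

class AuthenticatorRegistry:
    """Server side (constructed model): serial number -> secret provisioned into that
    device. The serial is just a lookup key; the secret is what ties a code to one device."""
    def __init__(self):
        self._secrets = {}

    def enroll(self, serial: str, secret: bytes) -> None:
        self._secrets[serial] = secret

    def verify(self, serial: str, code: str, now: int, skew_steps: int = 1) -> bool:
        secret = self._secrets.get(serial)
        if secret is None:
            return False  # serial never enrolled (e.g. app reinstalled, new serial issued)
        # Accept the current step plus a little clock drift either side; anything
        # older has expired, which is why the code must be typed in promptly.
        for drift in range(-skew_steps, skew_steps + 1):
            if hmac.compare_digest(totp(secret, now + drift * STEP), code):
                return True
        return False

# Constructed sample devices; MY_SECRET is the RFC 6238 test-vector key, not a real one.
MY_SECRET = b"12345678901234567890"
OTHER_SECRET = b"some-other-devices-secret"

def demo(now: int = 1111111109) -> dict:
    reg = AuthenticatorRegistry()
    reg.enroll("SERIAL-MINE", MY_SECRET)
    reg.enroll("SERIAL-OTHER", OTHER_SECRET)
    mine = totp(MY_SECRET, now)
    return {
        "own device, right now": reg.verify("SERIAL-MINE", mine, now),
        "someone else's authenticator": reg.verify("SERIAL-MINE", totp(OTHER_SECRET, now), now),
        "own code, two minutes late": reg.verify("SERIAL-MINE", mine, now + 4 * STEP),
        "reinstalled app, new serial": reg.verify("SERIAL-NEW", mine, now),
    }
```

Only the first case verifies; the last one is the “changed serial number” situation the May post warns about, which is why you disable the requirement before reinstalling.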

Run virus/malware scans regularly and update your virus definitions religiously. (Especially if you use Windows.) You can never be too careful. Get yourself a scanner and schedule it to run automatically overnight so you don’t have to remember to run it yourself. No, I don’t really have any to suggest… I’m a blogger not a security consultant. I use ClamXAV on my Mac. YMMV.

To safeguard friends, family and guildies…

Be at least peripherally aware of their habits and/or alert for strange behavior. I once noticed a level 70 guildie had been hanging out in Azshara for hours, so I sent him a whisper just to ask how he was doing. He replied, and I was relieved. I told him that I had been concerned because he hadn’t said a peep in guild chat since logging on and he’d been hanging out in Azshara for hours… something very unusual for him. He was thankful that I’d been looking out for him!

If they ask you to log them in, ask them to change their password first or remind them to change it when you’re finished. It may seem silly, but what is it they say about an ounce of caution? Yeah. If nothing else, it gets them to change their password if they haven’t been.

Submit a ticket if you are suspicious. Although a GM will never boot someone or restore gold/items unless the request comes from the account owner, it’s good to start a paper trail in case they need to build a timeline. You won’t get anything but a canned response, but that’s OK. It’s all about due diligence.

If you are a guildmaster…

Take extra precautions. You are more vulnerable than anyone in your guild if your account is hacked. A GM friend of mine logged in the other day to find out that not only had her main character been stripped bare, others had been deleted and her guild had been disbanded. When I was a guildmaster, this sort of thing was my personal nightmare. I still worry about it, due to the sheer amount of time I have put into growing my characters, though at least now the fate of a guild isn’t in my hands.

Set withdrawal limits. The only person who should have unlimited access is the Guildmaster, who should be rigorously following the aforementioned account security suggestions. Remember: Even with limits, the more characters a player has in the guild the more an intruder can steal from the guild bank.

Review your transaction logs for suspicious activity. You don’t have to keep track of everything everyone takes out, but get in the habit of checking the transaction log every day just to make sure no one is making mass withdrawals. If you are suspicious about someone, bump them down to a rank that has no withdrawal access until you get a chance to talk to them and verify all is well.

Picking up the pieces.

If your security precautions ever fail you, don’t panic. Blizzard can and will restore your items once the account is back in your hands. Here are a couple things to note:

  1. It may take several petitions to get everything restored. I hate to say it but… GMs can be lazy. When one of my officers was hacked earlier this year it took several weeks and numerous petitions to get everything back. They just kept leaving stuff out.
  2. Check your billing info. Someone I know once had his account hacked and didn’t realize that they’d changed his account to bill to a stolen credit card. A couple months later, Blizzard locked his account and it took a lot of jumping through hoops and a cashier’s check to get it turned back on.

You may be thinking to yourself, “Isn’t this overkill?” That’s really for you to decide. Just by reading this and thinking about it you’re already way ahead of the curve. If I’ve said even one thing here that affects (or reinforces) the way you approach account security, then I consider this article a success. We’ve all put in the time and the effort to get where we are, and while stolen items/gold/characters are only temporary losses they are still an interruption of our enjoyment of the game. Don’t let it happen to you!
