Seri sez: Account Security – If you’re not paranoid, you should be.November 27, 2008
Sorry folks, no pictures this week… just a big wall of text. Really, I’m lucky I got this much done with the NaNoWriMo deadline looming. 12.5k to go!
I’m not sure if there has been a rise in WoW account theft/hacking since the expansion or if it’s just sheer coincidence that two people I know were hacked in the last week. Nonetheless, it is a matter that deserves community attention.
I’m going to go out on a limb and say that pretty much everyone knows someone whose account has been compromised. Horror stories abound, from characters deleted/transferred/liquidated to guild banks emptied and candy stolen from babies. The sad and inescapable truth is that there are a lot of truly despicable human beings (and I use the term loosely) out there who think nothing of preying on others for personal gain.
Just because you’re not paranoid doesn’t mean no one’s out to get you.
While the theft of virtual valuables may not be quite as extreme as busting kneecaps for ‘protection’ money or swindling old ladies out of their retirement fund, it can be a violation on a very personal level… kind of like coming home to find your underwear drawer empty and your cat missing.
To safeguard your account…
Choose a secure password and change it regularly. 8 characters minimum. No dictionary words. No dictionary words done ‘133t’ style. Use a mixture of letters and numbers, upper case and lower. Throw in a symbol or two. Don’t use your birthday! If you have trouble remembering the password… great. It’s a lot less likely to be guessed. Eventually you’ll have it memorized, I promise.
Don’t use the same login/password combination for multiple online services. One of the most common methods of gaining login/password information is for a savvy hacker to trick you into following a link to a fake login page for a bank or other common online service (eBay, Paypal, Amazon, etc.) and use that login/password combination at other common online services to see if they work. Of course, you can’t change your WoW account username, but using a different password than you use for other online stuff will protect you against this sort of attack.
Always be suspicious of links in e-mail and web forums. Speaking of links, you should never click blindly on links you’re given in e-mail/forums (or even blogs, really). A link may not be necessarily what it claims to be. It could send you somewhere entirely different from where you’re expecting, and you might not realize it until it’s too late. This is how keyloggers are commonly spread, and how malicious e-mails trick you into visiting fake web pages as mentioned previously. When in doubt, right click the link and there should be an option to copy it. Paste it manually into your browser address bar and look at it before you hit enter to load the page. Is it supposed to go to eBay? Why does it go to ‘hahahackers.it/ebayspoof’? Check the domain name. If it doesn’t match where you’re supposed to be going, don’t load the page!
Don’t open attachments from untrusted sources. (And think carefully about who you trust!) Viruses and keyloggers are often spread through attachments. If you don’t know who it’s from, don’t open it. Caution may be warranted even if you do know the person, if they are what you would consider to be technologically challenged.
Don’t share your login/password. When you give someone your login/password, you’re not only trusting them to not give it out you’re trusting that their security precautions are as rigorous as yours. All the security in the world won’t help you if you give your buddy your account info and he has a keylogger.
Invest in an authenticator. These little things are a marvelous way to keep your account safe for a small one-time investment. When your account is protected by an authenticator, even if a hacker gets access to your login/password they can’t log in unless they have the code from your authenticator, which changes every minute or so. The down side? If you lose it or don’t have it with you, you’re locked out of your account until you find it (or until you contact Blizzard and jump through whatever hoops they require). Also, if you do share your login/password with someone you’ll have to give them the PIN from your authenticator and they’ll need to enter it in quickly before it expires. Note: For the International audience, authenticators are also available for Canada/Australia/New Zealand/Latin America, Europe and Korea.
Run virus/malware scans regularly and update your virus definitions religiously. (Especially if you use Windows.) You can never be too careful. Get yourself a scanner and schedule it to run automatically overnight so you don’t have to remember to run it yourself. No, I don’t really have any to suggest… I’m a blogger not a security consultant. I use ClamXAV on my Mac. YMMV.
To safeguard friends, family and guildies…
Be at least peripherally aware of their habits and/or alert for strange behavior. I once noticed a level 70 guildie had been hanging out in Azshara for hours, so I sent him a whisper just to ask how he was doing. He replied, and I was relieved. I told him that I had been concerned because he hadn’t said a peep in guild chat since logging on and he’d been hanging out in Azshara for hours… something very unusual for him. He was thankful that I’d been looking out for him!
If they ask you to log them in, ask them to change their password first or remind them to change it when you’re finished. It may seem silly, but what is it they say about an ounce of caution? Yeah. If nothing else, it gets them to change their password if they haven’t been.
Submit a ticket if you are suspicious. Although a GM will never boot someone or restore gold/items unless the request comes from the account owner, it’s good to start a paper trail in case they need to build a timeline. You won’t get anything but a canned response, but that’s OK. It’s all about due diligence.
If you are a guildmaster…
Take extra precautions. You are more vulnerable than anyone in your guild if your account is hacked. A GM friend of mine logged in the other day to find out that not only had her main character been stripped bare, others had been deleted and her guild had been disbanded. When I was a guildmaster, this sort of thing was my personal nightmare. I still worry about it, due to the sheer amount of time I have put into growing my characters, though at least now the fate of a guild isn’t in my hands.
Set withdrawl limits. The only person who should have unlimited access is the Guildmaster, who should be rigorously following the aforementioned account security suggestions. Remember: Even with limits, the more characters a player has in the guild the more an intruder can steal from the guild bank.
Review your transaction logs for suspicious activity. You don’t have to keep track of everything everyone takes out, but get in the habit of checking the transaction log every day just to make sure no one is making mass withdrawls. If you are suspicious about someone, bump them down to a rank that has no withdrawl access until you get a chance to talk to them and verify all is well.
Picking up the pieces.
If your security precautions ever fail you, don’t panic. Blizzard can and will restore your items once the account is back in your hands. Here are a couple things to note:
- It may take several petitions to get everything restored. I hate to say it but… GMs can be lazy. When one of my officers was hacked earlier this year it took several weeks and numerous petitions to get everything back. They just kept leaving stuff out.
- Check your billing info. Someone I know once had his account hacked and didn’t realize that they’d changed his account to bill to a stolen credit card. A couple months later, Blizzard locked his account and it took a lot of jumping through hoops and a cashier’s check to get it turned back on.
You may be thinking to yourself, “Isn’t this overkill?” That’s really for you to decide. Just by reading this and thinking about it you’re already way ahead of the curve. If I’ve said even one thing here that affects (or reinforces) the way you approach account security, then I consider this article a success. We’ve all put in the time and the effort to get where we are, and while stolen items/gold/characters are only temporary losses they are still an interruption of our enjoyment of the game. Don’t let it happen to you!