Seri sez: Account Security – If you’re not paranoid, you should be.

November 27, 2008

Sorry folks, no pictures this week… just a big wall of text. Really, I’m lucky I got this much done with the NaNoWriMo deadline looming. 12.5k to go!

I’m not sure if there has been a rise in WoW account theft/hacking since the expansion or if it’s just sheer coincidence that two people I know were hacked in the last week. Nonetheless, it is a matter that deserves community attention.

I’m going to go out on a limb and say that pretty much everyone knows someone whose account has been compromised. Horror stories abound, from characters deleted/transferred/liquidated to guild banks emptied and candy stolen from babies. The sad and inescapable truth is that there are a lot of truly despicable human beings (and I use the term loosely) out there who think nothing of preying on others for personal gain.

Just because you’re not paranoid doesn’t mean no one’s out to get you.

While the theft of virtual valuables may not be quite as extreme as busting kneecaps for ‘protection’ money or swindling old ladies out of their retirement fund, it can be a violation on a very personal level… kind of like coming home to find your underwear drawer empty and your cat missing.

To safeguard your account…

Choose a secure password and change it regularly. 8 characters minimum. No dictionary words. No dictionary words done ‘133t’ style. Use a mixture of letters and numbers, upper case and lower. Throw in a symbol or two. Don’t use your birthday! If you have trouble remembering the password… great. It’s a lot less likely to be guessed. Eventually you’ll have it memorized, I promise.

Don’t use the same login/password combination for multiple online services. One of the most common ways of harvesting login/password information is for a savvy hacker to trick you into following a link to a fake login page for a bank or other common online service (eBay, PayPal, Amazon, etc.), then try that same login/password combination at other common online services to see if it works. Of course, you can’t change your WoW account username, but using a different password than you use for other online stuff will protect you against this sort of attack.

Always be suspicious of links in e-mail and web forums. Speaking of links, you should never click blindly on links you’re given in e-mail/forums (or even blogs, really). A link may not necessarily be what it claims to be. It could send you somewhere entirely different from where you’re expecting, and you might not realize it until it’s too late. This is how keyloggers are commonly spread, and how malicious e-mails trick you into visiting fake web pages as mentioned previously. When in doubt, right-click the link and there should be an option to copy it. Paste it manually into your browser address bar and look at it before you hit enter to load the page. Is it supposed to go to eBay? Why does it go to ‘hahahackers.it/ebayspoof’? Check the domain name. If it doesn’t match where you’re supposed to be going, don’t load the page!
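Here is a small Python script that does the ‘look at the link before you load it’ check mechanically. It’s an added example for this post, not anything Seri or Blizzard published; the link list is constructed (only ‘hahahackers.it/ebayspoof’ comes from the post) and the two-label ‘registrable domain’ rule is a simplification.

```python
from urllib.parse import urlsplit

# Constructed sample links: the text claims one site, the href may go elsewhere.
# (label shown to the user, actual href, domain the user expects to reach)
SAMPLE_LINKS = [
    ("eBay", "http://www.ebay.com/signin", "ebay.com"),
    ("eBay", "http://hahahackers.it/ebayspoof", "ebay.com"),          # from the post
    ("eBay", "http://ebay.com.hahahackers.it/login", "ebay.com"),     # prefix trick
    ("eBay", "http://ebay.com@hahahackers.it/login", "ebay.com"),     # user@host trick
    ("Blizzard", "http://us.blizzard.com/account", "blizzard.com"),
]

def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Simplification: a real check should use
    the Public Suffix List so that names like 'example.co.uk' are handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def link_goes_where_it_claims(href: str, expected_domain: str) -> bool:
    """True only if the host the browser would actually contact belongs to
    expected_domain. urlsplit().hostname drops any 'user@' part, so the
    'ebay.com@hahahackers.it' trick resolves to hahahackers.it as it should."""
    host = urlsplit(href).hostname
    if not host:
        return False
    return registrable_domain(host) == registrable_domain(expected_domain)

def audit(links):
    """Return (label, href, ok) for each link so you can see which ones lie."""
    return [(label, href, link_goes_where_it_claims(href, expected))
            for label, href, expected in links]

if __name__ == "__main__":
    for label, href, ok in audit(SAMPLE_LINKS):
        print("OK  " if ok else "WARN", label, "->", href)
```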

Don’t open attachments from untrusted sources. (And think carefully about who you trust!) Viruses and keyloggers are often spread through attachments. If you don’t know who it’s from, don’t open it. Caution may be warranted even if you do know the person, if they are what you would consider to be technologically challenged.

Don’t share your login/password. When you give someone your login/password, you’re not only trusting them not to give it out, you’re also trusting that their security precautions are as rigorous as yours. All the security in the world won’t help you if you give your buddy your account info and he has a keylogger.

Invest in an authenticator. These little things are a marvelous way to keep your account safe for a small one-time investment. When your account is protected by an authenticator, even if a hacker gets access to your login/password they can’t log in unless they have the code from your authenticator, which changes every minute or so. The downside? If you lose it or don’t have it with you, you’re locked out of your account until you find it (or until you contact Blizzard and jump through whatever hoops they require). Also, if you do share your login/password with someone you’ll have to give them the PIN from your authenticator and they’ll need to enter it in quickly before it expires. Note: For the International audience, authenticators are also available for Canada/Australia/New Zealand/Latin America, Europe and Korea.
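To show why a stolen password alone isn’t enough, here is an added Python example of a time-based one-time code scheme (RFC 4226/6238 style). It is not Blizzard’s actual authenticator algorithm; the demo secret is the RFC test key and the 30-second step is an assumption.

```python
import hmac
import hashlib
import struct
import time

# Constructed demo secret (the RFC 4226/6238 test key). A real authenticator
# keeps its secret inside the device and on the login server only.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30   # assumption: a fresh code every 30 seconds
DIGITS = 6

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, at: float, step: int = STEP_SECONDS) -> str:
    """Time-based code: the counter is the number of steps since the epoch."""
    return hotp(secret, int(at // step))

def verify(secret: bytes, submitted: str, at: float,
           step: int = STEP_SECONDS, drift: int = 1) -> bool:
    """Server-side check. Accepts the current step plus `drift` steps either
    side (clock skew, slow typing); anything older is rejected, so a code a
    keylogger captured a few minutes ago is useless."""
    now_step = int(at // step)
    return any(hmac.compare_digest(hotp(secret, now_step + d), submitted)
               for d in range(-drift, drift + 1))

if __name__ == "__main__":
    now = time.time()
    code = totp(DEMO_SECRET, now)
    print("current code:", code, "valid now:", verify(DEMO_SECRET, code, now))
    print("same code two minutes later:", verify(DEMO_SECRET, code, now + 120))
```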

Run virus/malware scans regularly and update your virus definitions religiously. (Especially if you use Windows.) You can never be too careful. Get yourself a scanner and schedule it to run automatically overnight so you don’t have to remember to run it yourself. No, I don’t really have any to suggest… I’m a blogger not a security consultant. I use ClamXAV on my Mac. YMMV.

To safeguard friends, family and guildies…

Be at least peripherally aware of their habits and/or alert for strange behavior. I once noticed a level 70 guildie had been hanging out in Azshara for hours, so I sent him a whisper just to ask how he was doing. He replied, and I was relieved. I told him that I had been concerned because he hadn’t said a peep in guild chat since logging on and he’d been hanging out in Azshara for hours… something very unusual for him. He was thankful that I’d been looking out for him!

If they ask you to log them in, ask them to change their password first or remind them to change it when you’re finished. It may seem silly, but what is it they say about an ounce of caution? Yeah. If nothing else, it gets them to change their password if they haven’t been.

Submit a ticket if you are suspicious. Although a GM will never boot someone or restore gold/items unless the request comes from the account owner, it’s good to start a paper trail in case they need to build a timeline. You won’t get anything but a canned response, but that’s OK. It’s all about due diligence.

If you are a guildmaster…

Take extra precautions. You are more vulnerable than anyone in your guild if your account is hacked. A GM friend of mine logged in the other day to find out that not only had her main character been stripped bare, others had been deleted and her guild had been disbanded. When I was a guildmaster, this sort of thing was my personal nightmare. I still worry about it, due to the sheer amount of time I have put into growing my characters, though at least now the fate of a guild isn’t in my hands.

Set withdrawal limits. The only person who should have unlimited access is the Guildmaster, who should be rigorously following the aforementioned account security suggestions. Remember: Even with limits, the more characters a player has in the guild the more an intruder can steal from the guild bank.

Review your transaction logs for suspicious activity. You don’t have to keep track of everything everyone takes out, but get in the habit of checking the transaction log every day just to make sure no one is making mass withdrawals. If you are suspicious about someone, bump them down to a rank that has no withdrawal access until you get a chance to talk to them and verify all is well.
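For the two points above (per-character limits don’t add up across a player’s alts, and the daily log check for mass withdrawals), here is an added Python example that reviews a guild bank log automatically. The log lines, the character-to-player mapping and the thresholds are all constructed for this post; WoW doesn’t export its log in this format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a guild bank transaction log (not real data).
SAMPLE_LOG = """\
2008-11-26 02:14 Bobwarrior withdrew 200 gold
2008-11-26 02:15 Bobwarrior withdrew 5 x [Frost Lotus]
2008-11-26 02:16 Bobmage withdrew 200 gold
2008-11-26 02:17 Bobmage withdrew 5 x [Frost Lotus]
2008-11-26 02:18 Bobpriest withdrew 200 gold
2008-11-26 02:19 Bobpriest withdrew 5 x [Frost Lotus]
2008-11-26 19:40 Alice withdrew 50 gold
2008-11-26 20:05 Alice deposited 10 x [Netherweave Cloth]
"""

# Assumed character -> player mapping: limits are per character, but one
# intruder controls every alt the player has in the guild.
ALTS = {"Bobwarrior": "bob", "Bobmage": "bob", "Bobpriest": "bob", "Alice": "alice"}

LINE = re.compile(r"(\S+ \S+) (\S+) withdrew (\d+) (gold|x \[.+\])")

def parse(log: str):
    """Yield (time, character, gold) per withdrawal; item stacks count as 0 gold."""
    for raw in log.splitlines():
        m = LINE.match(raw)
        if m:
            when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
            yield when, m.group(2), int(m.group(3)) if m.group(4) == "gold" else 0

def flag_players(log: str, gold_limit=500, burst=5, window=timedelta(minutes=10)):
    """Return {player: [reasons]} for players whose alts together take more than
    gold_limit in a day, or make `burst` withdrawals of any kind within `window`."""
    gold_per_day = defaultdict(int)
    times = defaultdict(list)
    for when, char, gold in parse(log):
        player = ALTS.get(char, char)          # unknown characters stand alone
        gold_per_day[(player, when.date())] += gold
        times[player].append(when)
    reasons = defaultdict(list)
    for (player, day), gold in gold_per_day.items():
        if gold > gold_limit:
            reasons[player].append(f"{gold} gold on {day} across all alts")
    for player, ts in sorted(times.items()):
        ts.sort()
        if any(ts[i + burst - 1] - ts[i] <= window for i in range(len(ts) - burst + 1)):
            reasons[player].append(f"{burst} withdrawals within {window}")
    return dict(reasons)
```

Each of Bob’s characters stays under a 500-gold limit on its own; only when the alts are added up does the pattern stand out.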

Picking up the pieces.

If your security precautions ever fail you, don’t panic. Blizzard can and will restore your items once the account is back in your hands. Here are a couple things to note:

  1. It may take several petitions to get everything restored. I hate to say it but… GMs can be lazy. When one of my officers was hacked earlier this year it took several weeks and numerous petitions to get everything back. They just kept leaving stuff out.
  2. Check your billing info. Someone I know once had his account hacked and didn’t realize that they’d changed his account to bill to a stolen credit card. A couple months later, Blizzard locked his account and it took a lot of jumping through hoops and a cashier’s check to get it turned back on.

You may be thinking to yourself, “Isn’t this overkill?” That’s really for you to decide. Just by reading this and thinking about it you’re already way ahead of the curve. If I’ve said even one thing here that affects (or reinforces) the way you approach account security, then I consider this article a success. We’ve all put in the time and the effort to get where we are, and while stolen items/gold/characters are only temporary losses they are still an interruption of our enjoyment of the game. Don’t let it happen to you!



  1. I want to add to this list that you should browse the web using Firefox with the NoScript Add-On (http://noscript.net/), or an equivalent.

  2. Speaking as someone whose job duties used to include securing a network (mostly against its users), I can say that this is generally pretty good advice. Although I should note that most of the password tips will only help against brute force attacks or attempts to compromise your account by people who already know you, which constitute a vanishingly small percentage of the types of attacks that are generally used in these circumstances. My passwords rarely meet them and I’ve never had any trouble because I stay away from the more dangerous stuff.

    I would go a bit farther on e-mail links, though: don’t ever click on a link in an e-mail or a site to any place that requires credentials. Always, always, always navigate there yourself. Spoofing domain names isn’t really that hard, especially given some of the conventions companies helpfully use to obfuscate their own entries. And the recent DNS weakness notwithstanding, you’re generally much safer typing in the name of the site yourself, just to be sure.

    I’ll also second the recommendation of NoScript. You should also never type credentials into anything while you have a window with a flash interface open; they’re really, really vulnerable to man-in-the-middles that can intercept keystrokes meant for other windows. NoScript will by default block flash as well, and you should let it do so for any site you don’t completely trust (and even then you should follow the earlier advice to close out of the browser if you have flash windows open, as there’ve been several nasty injection-bugs wherein a trustworthy site has had its own flash turned into a keylogger).

  3. Well, that confirms it. This page has a keylogger built in, I’m sure. And we’re all gonna be hacked after reading Seri’s post.


  4. The authenticator was one of the best purchases I’ve ever made… even if I do get weird looks when people see it on my keychain and ask what it’s for.

    Also, Firefox + NoScript is your best friend.

  5. Your underwear drawer empty and your cat….! Seri, is there something you need to talk about with the nice people? Tell us where the bad hacker touched you.

  6. Hackers don’t touch people. Shadow priests Vampiric Touch them. 😐

  7. I ordered my authenticator. =). After a guildie was suspected of being hacked. He had some really strange online behavior and did not respond to g chat or whispers. He was promptly gkicked and emailed to find out what was up. Luckily, it was his little brother with permission to play, but it was still a bit scary, as we usually don’t keep a lot of gold in the gbank, but at the time we were making a group effort to get epic flying skill and so had quite a bit. Officers without demotion privileges were bumped up to be on watch.

  8. I would like to suggest a simple anti-phishing/malware tool called NoScript. It’s an addon for Firefox (you’re not using IE, are you?) that blocks ALL scripts. This is the best way to surf safely, as no anti-malware software can cover every possible harmful phishing attempt in real time. The only way is to block all javascript and enable the trusted, safe sites when you enter them and see for yourself they’re ok.

  9. […] Authenticator is now available for iPhone and iPod Touch. (More coming soon, I hope!) I’ve sung the praises of Blizzard’s authenticators before, so I will try not to be more redundant than usual. You might be surprised to hear that I […]
