A new trojan has been discovered that hacks into WoW accounts that use authenticators; MMO Champion has the details. I find this amusing after all the goings-on recently with people getting on their authenticator bandwagon and preaching down to the peons who don’t have one. The thing is, you can’t protect people from themselves, and this proves it. Nothing, and I mean nothing, beats good general internet security. This means having a decent bloody anti-virus and actually using it. But more importantly it means practicing sensible internet use. If you download torrents or watch porn or click on dubious outside links on YouTube or click on the link in your spam mail from the dude in Namibia because you think it will be funny, or buy gold, then you are well on your way to being hacked. I find it ridiculous that the general argument is that you have to have an authenticator. It’s like telling people who want to lose weight to drink diet coke instead of regular coke, or to eat ‘low fat’ food. It’s a seemingly easy way out of a problem, but the reality is that unless you change deeper habits then you’ll still be at risk of being hacked, or in this case you probably won’t lose weight.
We always want easy solutions to problems that are often a direct result of our very actions. You go to your doctor and discover that you’re sick, and you take the quick and simple solution, a handy pill. Often medicine serves to mask the symptoms of a disease. So in effect we’re popping pills to hide from the fact that we have a potential problem. We’re paying to stick our own heads in the sand. The authenticator is the same thing. Just use it and all your WoW hacking problems will be solved. And it’s just $6, (plus a huge amount of postage if you live outside the US). I’ve had many people say to me to get it. What’s your problem, they ask me. It’s only $6. And all your problems will be solved …
MMO Champion says that this is just a single virus. That may well be, but it may also be the only one that has been discovered so far. A few days ago it was commonly accepted that using an authenticator was 100% safe. Of course it was, because that was what they told us. Today the authenticator is 99% safe when used together with a decent anti-virus, or so we are told. I wonder what the commonly accepted view will be next week?
February 28, 2010 at 11:58 pm
I’m trying to find a tactful opening to this reply in the way that you would if you were trying to tell someone their baby is ugly.
I agree with you in principle that there is no such thing as absolute security; have a look at a book called “Secrets and Lies” by Bruce Schneier, he’s a real expert.
Where I differ in opinion is that we have to keep on trying. Hacking WoW accounts for in game gold is an industry and WoW isn’t the only victim, more or less all MMOs suffer from the same blight. From stolen accounts through to stolen credit cards to pay subscriptions for nefarious activities is a reality and whilst I don’t subscribe to the post 9/11 fear culture, I acknowledge that the real life money garnered from this activity has some very sinister applications.
Please don’t trivialise the problem, it is real.
Apologies for the slap.
March 1, 2010 at 8:49 am
Chewy,
Perhaps I didn’t convey my message correctly (it was Sunday night after all and I was a bit tired). My beef is not with the authenticator. If people want to use them then that’s great. My beef is with people saying that the authenticator is the only totally secure way to protect your account and trying to get Blizzard to make these mandatory by the next expansion.
March 1, 2010 at 3:00 am
“Build a missile shield, and someone will build a better missile.”
Another common mistake is posting on high-traffic WoW-related blogs like wow.com using the same email as you use to login with. The comments sections are harvested en masse, and it is ABSOLUTELY STUNNING how many people use common easy-to-guess passwords.
Makes you long for the days before battle.net forced (forced!) people to log into the game with an email address instead of a name that forced people to be original (and thus hard to guess).
March 1, 2010 at 8:49 am
Jagger,
That’s a very interesting point, I hadn’t considered that at all.
March 1, 2010 at 4:45 am
It’s not an issue with the authenticator really, but rather a ‘nice’ workaround with a keylogger. Your authenticator codes are good for about a minute before it switches, so, the keylogger logs your code and sends it to a different PC while giving you a fake “wrong code” message. Now, this foreign computer has under a minute to log in using this password, which is already possibly expired by the time they use it. A 1 minute window is small. Even if they succeed in logging into your account, there’s not much they can do unless they decided to start hitting the account site before actually logging in. I’m pretty sure you need the serial number of the authenticator too in order to remove it from an account. You could call a friend w/o the virus and give them your pw, then give them an authenticator code when the code box pops up to kick the person off the account. Once they’re off they have no way of getting back onto your account unless you give them ANOTHER active code for them to use.
Even if the authenticator isn’t foolproof, it’s still a good buffer. Normally, once they have your pw, a ‘hacker’ can log in, change your pw, account settings, etc. You get locked out due to a PW change and they have free rein until you get Blizzard to fix something. Due to how often the authenticator changes, they’re pretty limited in what they can do to your account. They basically log on your chars and try to grab as much as they can before they’re kicked off. Once they’re offline they’re done; they can’t just log back in anytime they please unless you’re actively updating them with new auth codes.
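The time-window and single-use behaviour described in the comment above, as an added example that is not part of the original post or comments and is not Blizzard's code: a minimal server-side verifier using RFC 6238 TOTP as a stand-in. The authenticator's real algorithm, step length and secret are not given on the page, so `STEP`, `SKEW`, the `Verifier` class and all sample values are assumptions.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per code (RFC 6238 default; assumed, not Blizzard's value)
DIGITS = 6
SKEW = 1     # accept one time step either side of "now" for clock drift


def totp(secret: bytes, t: int) -> str:
    """RFC 6238 code for Unix time t (HMAC-SHA1, dynamic truncation)."""
    counter = struct.pack(">Q", t // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class Verifier:
    """Server side: checks the time window and refuses a step already used."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_step = -1   # highest time step already consumed

    def check(self, code: str, now: int) -> str:
        for drift in range(-SKEW, SKEW + 1):
            step = now // STEP + drift
            if hmac.compare_digest(totp(self.secret, step * STEP), code):
                if step <= self.last_step:
                    return "rejected: code already used"
                self.last_step = step
                return "accepted"
        return "rejected: wrong or expired code"


def demo():
    secret = b"constructed-demo-secret"   # constructed sample key
    server = Verifier(secret)
    t0 = 1_267_400_010                    # constructed timestamp, start of a step
    code = totp(secret, t0)
    return [
        server.check(code, t0 + 10),      # first submission inside the window
        server.check(code, t0 + 20),      # same code submitted a second time
        server.check(code, t0 + 120),     # same code after the window has passed
        server.check(totp(secret, t0 + 120), t0 + 125),  # fresh code is needed
    ]
```

The verifier has no way to tell which machine submitted a valid code first; single-use enforcement and the short window only ensure that one captured code is good for one login.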
March 1, 2010 at 10:46 am
The authenticator is just an extra layer of security, and it can be defeated. But I imagine the hackers will still aim for the low hanging fruit of people without one first.