2008.05.29

How Blizzard Could End Account Hacking in World of Warcraft

In the past six weeks, six separate players in my guild have had their accounts hacked. As our officer that is in charge of the technology-related aspects of guild maintenance (website, Ventrilo server, etc.), I have been working tirelessly to instruct our members in safeguarding their accounts. However, as important as that is, Blizzard could completely end the practice of account hacking in World of Warcraft if it wanted to, and as the practice becomes more and more prolific, I think it’s worth some discussion of what could happen on their end to solve the problem. I firmly believe that Blizzard ought to implement intelligent, reasonable mechanisms to protect subscribers against account hacking.

Explaining the Issue
Before delving into this topic, I should explain how account hacking generally works. What happens is basically the same every time; the user somehow gets what’s called a “key-logger”, a piece of malware that saves their keystrokes and sends them secretly to the thief, who ascertains the user’s login name and password, then logs in to their account in the middle of the day or night, strips the character, sells everything they have to a vendor, and sends all the cash on the character somewhere else, probably to be exchanged eventually for actual currency through gold-trading services.

This practice is becoming much, much more prolific. Like the gold spamming last year before Blizzard took action to quell it, account hacking has gone from being a rare occurrence–the stuff of nightmares, so to speak–to being relatively commonplace. My level of surprise when hearing about an account’s being hacked has diminished basically to zero in the past couple of months.

Now, before delving into what Blizzard could do, let’s put responsibility where responsibility belongs. The ultimate blame for account hacking lies with the account hacker. Hacking into a privileged account that belongs to someone else is theft, and is illegal in the United States and basically everywhere else. Similarly, I firmly believe that computer users should use their computers responsibly, and should be aware that malware exists and take steps to prevent getting it. However, with that said, this game is marketed to the general populace (it has over 10 million subscribers), many of whom do not know how to protect themselves from malware when a weekly virus scan just isn’t enough (it seems common that a user gets a key-logger on one day and has their account hacked on the next).

By contrast, I believe that Blizzard could end account hacking if it wanted to, and believe that it ought to take steps to do so. Therefore, I intend to discuss possible ways that Blizzard could effectively quell the evil practice, and establish that it’s feasible.

I am going to discuss two methods that I’ve thought of off of the top of my head. Blizzard could theoretically do either or both of these.

Method #1: Machine-Specific Whitelisting
Every computer with an Internet connection has an identifier called a MAC address, and for all intents and purposes, they’re unique. MAC stands for “Media Access Control” (it has nothing to do with Macintosh, and Windows machines have them too), and it’s attached to the Ethernet card in the computer. This is an oversimplification, but basically, your MAC address identifies your computer uniquely on the Internet. If you move to a new house, and get a new Internet Service Provider, most other things about your Internet connection would change, but that would remain the same.

How does this affect account hacking? It’s simple. Allow a user to have a MAC address whitelist. In other words, in addition to needing proper credentials (username and password) to log on to a World of Warcraft account, it also has to be from a computer I’ve whitelisted. If I have a MAC address whitelist, then any MAC address not on the whitelist is denied access. As account hackers don’t have physical access to your machine, having your username and password becomes insufficient. You could edit your MAC address whitelist on the World of Warcraft website using your in-game credentials (Blizzard has plenty of precedent for this), and adding a MAC address would require an automated e-mail confirmation from the e-mail address attached to the account, to prevent an account hacker from going to the World of Warcraft website, adding his own MAC address, and logging in anyway.

One issue with using MAC addresses as your whitelist is that MAC addresses can be spoofed. There are, however, more secure ways to do this. A great way that comes to mind is to use RSA and/or DSA key authentication. This is the same concept, and is used by the SSH protocol for passwordless access between two machines. It works, and it works well. Even better, basically everything Blizzard would need to implement this is already written, is open source, and at least one implementation (FreeBSD’s) is available under a BSD license so they can use it freely even for commercial use (read: it’s free as in beer). Users running Windows would need to download (freely available) software to generate these keys, but there’s nothing wrong with that. Even better, Blizzard could offer either option.

One objection that could be made to this argument is that most users don’t know how to find their MAC addresses or generate RSA/DSA keys. Wouldn’t Blizzard be inundated with otherwise-absent technical support requests? I agree that most people aren’t technically savvy enough to do this on their own. However, Blizzard doesn’t need to take the brunt of the work; they have the community in place to do that for them. It works like this: make the whitelist an “opt in” system. In other words, you don’t have to have one, and if you don’t, then any computer is allowed. However, if you want the extra protection, you can do this. All Blizzard needs to do at that point is state that it’s available, and put up a simple instruction page. Guild leadership will take care of the rest. Think about it: If one of our guild members (or, worse, officers) has their account hacked, it means that I’ve lost a valuable raid member for as long as it takes Blizzard to do an account restoration. What happens if it’s my best-geared healer? Or my only paladin tank? Similarly, it means the guild bank probably gets robbed, too. So I have a lot of motivation to get my guild members to use the feature, and to help them get it set up correctly. I can promise you that I would personally spend however many hours on Ventrilo that it took to walk each and every guild member through the process and get them up and going correctly.

For those that think that this solution is too complicated, let’s talk about something completely different...

Method #2: Mouse-entered credentials, Warcraft style
My title for this method sounds a lot more complicated than it actually is. We’re all familiar with PINs. You go up to an ATM, and type in your four digits to access your account. This is a bit of a knockoff of that.

Basically, the idea is that you have an extra security step which you enter after a successful username and password entry. The simple version is this: you have a PIN, and after you type in your username and password, you get a mouse-only entry keypad where you click the numbers of your PIN and then an “Enter” or “Go” button, and you have to get the PIN right to gain account access. Key-loggers are just that...key-loggers. Since the PIN isn’t being entered with the keyboard, the hacker no longer has sufficient information to gain access to the account.

Let’s take this one step further. We all know that a malware writer with sufficient time on his hands could probably write something that will end up logging the mouse clicks, and he could map them. It doesn’t take much work, however, to make that job an order of magnitude more difficult. First, throw out the numbers (people will try to type them anyway). Use something else. Conveniently, Blizzard already has the perfect thing: raid symbols. We all know them: skull is the main tank’s target, moon gets sapped, star gets turned into a sheep, and so on and so forth. So, instead of a traditional PIN, I make up a sequence of raid symbols that I have to click in. For instance, one could be, “Star, Circle, X, Circle”. Even if you limited them to being only four symbols long (which there’s no need to do), you have 8^4 possible combinations, so we’re good to go there.

But how does this solve the mouse mapping difficulty? It’s simple. Now that we don’t have numbers that users expect to be on the keypad in a particular place...just shuffle the symbols’ positions on the keypad every time. This is only a minor nuisance to enter, and it would be much, much more difficult to reverse engineer.
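A server-side sketch of the shuffled symbol keypad described above, added here as an illustration (it is not code from the author or from Blizzard). The class and function names are hypothetical, and the symbol list assumes the game's eight raid target markers. It shows that click positions recorded during one login do not replay against the next layout, and it adds a failure lockout because a four-symbol sequence has only 4,096 possible values.

```python
import hashlib
import hmac
import secrets

# The eight raid target markers; the article names skull, moon, star, circle and X.
SYMBOLS = ("star", "circle", "diamond", "triangle", "moon", "square", "x", "skull")


def _digest(sequence, salt):
    """Slow salted hash of the symbol sequence, so it is never stored in clear."""
    return hashlib.pbkdf2_hmac("sha256", ",".join(sequence).encode(), salt, 100_000)


class SymbolKeypad:
    """Second login step: click a secret symbol sequence on a reshuffled keypad."""

    def __init__(self, sequence, max_failures=3, rng=None):
        if not sequence or any(s not in SYMBOLS for s in sequence):
            raise ValueError("sequence must use known symbols")
        self._salt = secrets.token_bytes(16)
        self._stored = _digest(sequence, self._salt)
        self._rng = rng or secrets.SystemRandom()  # OS CSPRNG drives the shuffle
        self._pending = {}  # challenge id -> layout shown for that login attempt
        self._failures = 0
        self._max_failures = max_failures

    @property
    def locked(self):
        """True once too many wrong sequences have been submitted in a row."""
        return self._failures >= self._max_failures

    def new_challenge(self):
        """Return (challenge_id, layout); layout[i] is the symbol drawn in slot i."""
        layout = self._rng.sample(SYMBOLS, len(SYMBOLS))
        challenge_id = secrets.token_urlsafe(16)
        self._pending[challenge_id] = layout
        return challenge_id, layout

    def submit(self, challenge_id, clicked_slots):
        """Check clicked slot indices against the layout of this challenge only."""
        layout = self._pending.pop(challenge_id, None)  # each layout is single use
        if layout is None or self.locked:
            return False
        if not all(isinstance(i, int) and 0 <= i < len(layout) for i in clicked_slots):
            self._failures += 1
            return False
        entered = [layout[i] for i in clicked_slots]
        ok = hmac.compare_digest(_digest(entered, self._salt), self._stored)
        self._failures = 0 if ok else self._failures + 1
        return ok


def slots_for(layout, sequence):
    """What an honest user clicks: the slot where each symbol currently sits."""
    return [layout.index(symbol) for symbol in sequence]
```

The client only ever sends slot indices, so the server decides what they mean; this resists replay of logged click coordinates and nothing more.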

Like the machine identification method, this could be an opt-in program, so that users needn’t be bothered if they don’t want to be. However, this method is simple enough that it could also be mandatory, which I believe would have the positive effect of basically ending account hacking. However, I can also see that method being annoying to some players, and an opt-in system is likely good enough, as guild leaders of any serious guild will pressure their players to use it.

To sum it all up...
Account hacking is an evil practice. It’s as simple as that. However, it’s becoming more and more prolific, and I believe that it’s gotten sophisticated enough at this point that players are unable to protect themselves against it on their own. I believe it’s time for Blizzard to take notice and put a system in place in order to frustrate this theft. My ideas are merely suggestions on what they could do; I’m sure there are many other valid ways for Blizzard to better safeguard their subscribers’ accounts. However, they should do something, and they should do it soon.


Posted by at 11:05 a.m.

Even if Blizzard does not implement these ideas, specifically, it does at least highlight the fact that there is SOMETHING that Blizzard could do to help protect user accounts. I think it's extremely important for Blizzard to acknowledge the fact that, while all users may not be doing EVERYTHING they can to ensure the integrity of their accounts, many ARE doing all they can, and some aid on Blizzard's end may be required to cease account hacking entirely.

As long as gold-selling is profitable, and hackers are able to gain access to accounts with relative ease, account hacking will continue, and likely become more and more commonplace. How many company resources does Blizzard already expend in trying to fix damages caused by account hacking? And how will that number spike when hackers realize that nothing is being done to prevent it?

If we can get Blizzard to recognize that there is in fact something that they themselves can do to contribute to account integrity, I think we've got a very good shot at snuffing out account hacking. And, more to the point, by eliminating account hacking, Blizzard will also make it more difficult for gold-selling services to acquire "merchandise" (which would subsequently drive up their sales prices), which is in Blizzard's own best interests.

There is a LOT of potential here for a solution to several different problems, and I hope the WoW community as a whole, and Blizzard in particular, take the time to stop and recognize that.

Posted by on 2008.05.29 at 11:24 a.m.

In the corporate and banking world, SecurID is used. It's a little device which shows 6 numbers, and every minute those six numbers change. A keylogger can grab those numbers, but they can only log into that account within 60 seconds.
The downside is that the keyfob is around $100. But at $15 a month for years and years, Blizzard could offer this at a discounted price (or offer it to those who've had an account for 6+ months).
As with the MAC address (which is very easily spoofable, and can easily be read by a keylogger), it's all about two-factor authentication. Something you know (password) and something you HAVE. (MAC address in your computer, keyfob with dynamic passcode, etc. Something hackers cannot physically access.)
I like the keypad code with dynamic placement of raid symbols. ING Direct uses something similar, but you have a numeric PIN code, and the 1-0 number icons show random alphanumeric characters, so 1234 would translate to ABCD one time, and WXYZ the next.

There are many ways in which Blizzard could, in a financially efficient way, improve account security. I'll be the first to sign up when they do.

Posted by on 2008.05.29 at 12:32 p.m.
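The 60-second window mentioned in the comment above can be narrowed on the server by accepting each code only once. This is an added example, not part of the comment or any vendor's code: SecurID's algorithm is proprietary, so it substitutes the open HOTP/TOTP construction (RFC 4226 / RFC 6238) with a 60-second step. `TokenVerifier` is a hypothetical name and the secret is the RFC test key.

```python
import hashlib
import hmac
import struct

RFC_TEST_SECRET = b"12345678901234567890"  # RFC 4226 test key, not a real secret


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class TokenVerifier:
    """Server side of a 60-second token that accepts each code at most once."""

    def __init__(self, secret: bytes, step: int = 60):
        self.secret = secret
        self.step = step
        self.last_counter = -1  # highest time window already consumed

    def code_at(self, now: float) -> str:
        """What the key fob would display at time `now` (seconds since epoch)."""
        return hotp(self.secret, int(now) // self.step)

    def verify(self, code: str, now: float) -> bool:
        """Accept the code for the current window only, and only the first time."""
        counter = int(now) // self.step
        if counter <= self.last_counter:
            return False  # this window was already used: treat as a replay
        expected = hotp(self.secret, counter)
        if not hmac.compare_digest(code.encode(), expected.encode()):
            return False
        self.last_counter = counter
        return True
```

A code captured by a keylogger after the owner has logged in is rejected even inside the same minute, and a code from an earlier minute never matches.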

Another idea I just thought of.
Everyone has USB. Sell WotLK on a USB stick instead of a DVD (with a huge download option of course. There's no need for them to give out 4Gb USB memory sticks. They could cover the cost of the USB stick in the sale of the expansion. Shouldn't need to be more than $15 for them to produce the stick). At first login, tie that specific USB stick to your account (with possible opt-in/out). WoW will not run unless that USB stick is inserted in the computer at login. Go to a friend's house to play? Just bring your USB stick, and insert it when logging in so you can play.
It's all about the 2nd factor of authentication. Find something you have that hackers don't.

And seriously.. Who wouldn't want a cool WoW branded USB stick on their keychain to show off their allegiance (Blizzard, please make Horde and Alliance branded versions. kthxbai)

Posted by on 2008.05.29 at 12:38 p.m.

An acceptable scheme would have to have the following characteristics:

A) Simple (an 8 year old needs to be able to do it, as does somebody with little to no computer literacy).
B) Fast (players will have little to no patience with spending time on security, just like users everywhere else).
C) Easily transferrable (many players don't own a computer, and play only at internet cafes where they may be on a different machine every time).
D) Not hackable.

It strikes me that the whitelisting schemes fail A, B, and C, the PIN scheme fails D badly (it's trivial to log screen position and key clicks relative to a window), and the USB stick scheme (which could easily just use the install CD) fails A and B.

Put it another way. Most users prefer the risk of being hacked over solutions that require them to carry a disk or other physical device around, put up with arcane security precautions, spend an extra 15 seconds logging in, or go through extra work to get set up. If it's not completely transparent to users, they're likely to hate it.

Posted by on 2008.05.29 at 12:55 p.m.

@Canth:
As with the MAC address (which is very easily spoofable, and can easily be read by a keylogger), it's all about two-factor authentication.

I agree, which is why I suggested that something more akin to RSA/DSA would work better.

Posted by on 2008.05.29 at 1:26 p.m.

It strikes me that the whitelisting schemes fail A, B, and C, the PIN scheme fails D badly (it's trivial to log screen position and key clicks relative to a window), and the USB stick scheme (which could easily just use the install CD) fails A and B.

The reason that I like the idea of having heavier security as an "opt in" option is that it changes players' attitudes towards it. If Blizzard makes everyone do something, then folks complain. What if they don't make anyone do it? Instead, you have me on the boards telling the folks in Dusk Eternal -- "You need to do this."

I still agree that not everyone would jump on board, but I think after a few of their friends get account hacked, a decent number of people would.

And logging clicks is trivial, but it's less trivial when the target is, for all intents and purposes, moving.

Posted by on 2008.05.29 at 1:36 p.m.

@Mulak

Option B isn't actually required. As long as the security scheme is optional it doesn't have to be fast. I would be glad to spend an extra 1-5 min logging on if I knew it guaranteed my account's security. As long as the option is there I figure that Blizzard has done their job to help our security. If I have the option and don't use it because it is too slow...that's my fault. Just give me A, C and D.

As for the PIN scheme being easy to log. If the display was randomized there would be nothing to log. I would know that I need to click 4-8 buttons on the screen but even if you logged my mouse clicks you wouldn't know which 4-8 because they would be in different positions each log in.

I agree though that carrying around a physical device like SecurID would be a bit much.

Posted by on 2008.05.29 at 1:49 p.m.

I used to play another MMORPG - Runescape. Dealing with a similar problem of hacked accounts, they instituted a PIN system just like you describe. You were presented with an image of a keypad, and had to mouseclick on your PIN numbers (4 digits). The position of the numbers changed randomly on the keypad each time, so just recording the position of the mouseclicks would not help the hacker.

You were presented with this keypad at login and again the first time you tried to access your in-game bank account.

In most ways, WOW is incredibly better than Runescape in my opinion, but in security, they lag behind.

Posted by on 2008.05.29 at 2:02 p.m.

We could just hunt down the hackers and kill them.

Posted by on 2008.05.29 at 7:02 p.m.

I like Chris's suggestion. :>

My intuition is that users won't "opt in" if it costs them very much. Especially since the risk is small. Worst case, you lose a little bit of your time while you wait for Blizzard to fix it or - absolute worst - you have to find a different game to play. And if only 10% (optimistically) of users will opt in, then it's probably not a feature that Blizzard will spend resources on when they could put those resources into something that sells copies (like more and better content). The cold, hard reality of the games industry is that there is always *far* more that you want to do than you have resources for, regardless of your budget.

Ultimately, people can already opt in by running anti-virus, updating their OS, running a good web browser, etc. The ones who are getting snagged are those who have already opted out.

Posted by on 2008.05.29 at 7:20 p.m.

#2 (Mouse-entered credentials) sounds great and should be pretty easy to implement.

There are many players, including me, who share accounts with friends so MAC address/USB key or whatever else would be a bit inconvenient. Yes I know sharing accounts is not allowed, but it doesn't mean it's not happening.

Whatever they come up with, they better do it fast. Account hacking is as you said no longer a surprise, and it's time to end it. Spamming trade channel is one thing, stealing people's accounts is unacceptable.

Posted by on 2008.05.29 at 8:25 p.m.

"Ultimately, people can already opt in by running anti-virus, updating their OS, running a good web browser, etc. The ones who are getting snagged are those who have already opted out."

That is a false generalization.

Posted by on 2008.05.30 at 8:19 a.m.

It may be a false generalization, but it's still a good point. Savvy users already protect themselves with these types of things. Any system implemented would have to be easy for the average user to use, and though I love RSA keys (and use them frequently) easy to use they are not.

All in all, it sounds like the mouse-click entry method may be the best way to go.

Posted by on 2008.05.30 at 2:36 p.m.

The downside to any sort of whitelisting scheme (that works) is that it's significantly more work to get it set up. This is one of the reasons why I like a PIN entry as an option. It seems a bit overkill (and needless) to offer both, although if both were offered I would set up whitelisting.

Savvy users already protect themselves with these types of things.

There's a limit to what I can do, though. One person on our boards said, "Why not write a security mod?" The answer: "Because the hacker would simply not use it."

The point is that, with relatively limited effort, Blizzard could empower us to protect our accounts significantly more than we are able to do right now.

Posted by on 2008.05.30 at 2:53 p.m.

[quote] As account hackers don’t have physical access to your machine, having your username and password becomes insufficient. You could edit your MAC address whitelist on the World of Warcraft website using your in-game credentials (Blizzard has plenty of precedent for this), and adding a MAC address would require an automated e-mail confirmation from the e-mail address attached to the account, to prevent an account hacker from going to the World of Warcraft website, adding his own MAC address, and logging in anyway. [/quote]

With account info, you could still log into the official wow website then change the email address, then confirm the MAC address change. I don't see the big solution here :/

Posted by on 2008.06.03 at 6:24 a.m.

There'd need to be some check around changing an email address, also (such as still having access to the old one).

Posted by on 2008.06.03 at 7:58 a.m.
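The fix suggested in the two comments above, as an added example (not code from the post or from Blizzard): every confirmation token is mailed to the address on file at the time of the request, so someone holding only the password cannot redirect it. `Account`, `device_id`, `mail_for` and the in-memory `outbox` are hypothetical stand-ins for a real account service and mailer.

```python
import secrets


class Account:
    """Whitelist and e-mail changes are both confirmed via the address on file."""

    def __init__(self, email):
        self.email = email
        self.whitelist = set()  # empty means opt-out: any machine may log in
        self._pending = {}      # token -> (action, value)
        self.outbox = []        # (recipient, token): stands in for sending mail

    def _request(self, action, value):
        token = secrets.token_urlsafe(16)
        self._pending[token] = (action, value)
        # The token goes to the address on file *now*, never to an address
        # supplied in the request itself.
        self.outbox.append((self.email, token))

    def request_add_device(self, device_id):
        self._request("add_device", device_id)

    def request_email_change(self, new_email):
        self._request("change_email", new_email)

    def confirm(self, token):
        """Apply a pending change if the token is valid; tokens are single use."""
        action, value = self._pending.pop(token, (None, None))
        if action == "add_device":
            self.whitelist.add(value)
        elif action == "change_email":
            self.email = value
            self._pending.clear()  # drop tokens that were mailed to the old address
        else:
            return False
        return True

    def login_allowed(self, password_ok, device_id):
        """Password is required; the whitelist applies only once it is non-empty."""
        return password_ok and (not self.whitelist or device_id in self.whitelist)


def mail_for(account, address):
    """Tokens delivered to one mailbox (constructed helper for the demo)."""
    return [token for recipient, token in account.outbox if recipient == address]
```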

This is a fantastic post, and I love some of the ideas coming out of this.

However, I *do* have one point to bring up, a point I haven't seen used anywhere.

Blizzard has the power to stop all of this without needing to implement anything new. It's already there. Why the hell isn't Blizz using Warden to counter key-loggers?

For those unfamiliar with Warden, it's a program that comes packed with Warcraft, and is run every time you connect to a Blizzard server. What it does is detect programs running that could potentially be bots or packet-dupers. Basically, it's trying to determine if you're cheating or not.

So my question is this. Why doesn't Blizzard update Warden with known key-loggers? My idea is this. When you log in, if Warden detects a key-logger, it automatically freezes your account (note: doesn't ban you) and gives you a visual notification (much akin to the 'you have to download a new patch' notification) that you may have a key-logger on your system, with a button below allowing you to bypass the screen. It then asks that you run any anti-virus/spyware/malware program that you have. Load up the game again, and if you no longer have the issue, Warden unfreezes your account and you can move on. For people who really can't be bothered to run a scan, they click the bypass button, and play. People who are worried can take action immediately, while those who think getting hacked is something that happens to everyone else and not them, oh well :)

Or, better yet, give users the option to give Warden administration rights over your system, and let it close those processes. Many people are hesitant to give Warden that much power, yes, but at the same time, when was the last time you heard of Blizzard ruining someone's life with Warden? For all the scares people bring up with Warden, almost none of them are realistic. I'd do it in a heartbeat.

The only thing I can see that affecting is key-binding programs (for gaming keyboards and controllers), but even then Warden already has special exception rules for those.

No, it's not transparent. For some users, this would be highly frustrating. It's mere minutes out of their precious playtime! They could have farmed an extra mote of fire with those minutes! However, how many users ever leave the game over their particular class being nerfed? The majority of the WoW community has shown how passive it is when push comes to shove, and making something like this REQUIRED would probably elicit complaints from a few hardcore raiders/impatient people, but ultimately it's for the best. I'm sure your raid will understand that you're a few minutes late because you were making sure you didn't get hacked.

tl;dr version
- Blizzard should use Warden more in fighting key-loggers.

That's my two cents :)

Posted by on 2008.06.05 at 2:59 a.m.

Oh, and I forgot to mention under my idea, when Warden freezes your account, it also resets your password, which is then emailed to you with the email address provided.

That way, after you've cleaned the logger out of your system, you don't have the stress of the key-logger still containing data that could be used to breach your account (since Warden would kick in AFTER the keylogger has done its stuff).

If you clicked the bypass button, you are allowed to continue on to your account, but the next time you login you have to use the randomized password provided (or whatever you changed your password to).

All in all, whether you want it to or not, your account would have more security.

Posted by on 2008.06.05 at 3:07 a.m.

Blizzard has the power to stop all of this without needing to implement anything new. It's already there. Why the hell isn't Blizz using Warden to counter key-loggers?

That can only catch known keyloggers. It doesn't help you if someone writes a new one. Speaking as a programmer, keyloggers aren't exactly difficult things to write (I could write one in a few minutes, literally). In other words, that doesn't do anything to address new malware–and in this case, if a hacker can find a way onto your system, he or she can easily write a new keylogger.

So, the short answer is "because it's ineffective".

Using Warden to monitor all network traffic (rather than just traffic to/from World of Warcraft) would also raise monstrous privacy concerns and likely a lawsuit.

Posted by on 2008.06.05 at 3:38 p.m.

Google Blizzard Authenticator. Problem solved.

Posted by on 2008.08.13 at 10:50 p.m.

I think that people just need to get some more skieel motheruckers

Posted by on 2008.09.02 at 7:57 a.m.

Method #1:
So you're saying I've compromised your system sufficiently to record your keystrokes, but I will somehow be unable to record your MAC address.

Let's say we use your other suggestion of a cryptographic key. It's stored on the computer's hard drive, and thus easily readable by keyloggers.

This method would completely fail to provide any security, while adding a great deal of overhead.

Method #2:
If I've already compromised your system sufficiently to record your keystrokes, it's trivial to take a screenshot and record your mouse clicks.

Again, this method fails spectacularly. Adds a great deal of overhead, and provides no increase in security.

Posted by on 2008.09.05 at 4:22 p.m.
