Hacked WoW Account, My Thoughts


Well it finally happened to me, after a couple of years of playing World of Warcraft. I signed on around 7:30AM one fine Thursday morning, just to mail some bags to a friend. Off to work I go, expecting nothing but Random dungeons and ice cold Stella Artois when I got home later that evening. Just before I logged on, at around 8:05PM, I received an email from Paypal saying Blizzard has cancelled my recurring billing. Wha…t…the…why? Yep, it happened. Someone hacked my account, looted all my BoE stuff, and surely stole whatever else they could sell.

Not cool. They added a mobile authenticator to my account, and now I have no access. Neither should they now, however, because naturally my email password and my Battle.net password are not the same. It’s nice that Blizzard says it’s my fault too, as many forum posters around the interwebs so rudely point out. Trojan! Gold buyer! You are a really horrible person! Dumbass, can’t keep your email a secret! Wow, stupid, way to fall for phishing schemes!

On the contrary. I have a Mac. I run Eset’s beta of NOD32. I use an email address dedicated to WoW (with a different password than I use to log into the actual email account). I do not fall for phishing; I use long headers for my emails to see where they are actually coming from and going to. Safety conscious, indeed. Am I perfect? Absolutely not. But to assume any security is 100% hack-proof is setting yourself up for a disaster. No system is uncrackable; some just take absurdly long to crack with current technology. Here’s my take on a couple of things Blizzard isn’t doing to keep our accounts secure, one of which I had a GM (through a ticket I opened on a different account) escalate for me.

1. Have ANY account changes verified with an email link. Especially adding an authenticator. If a verification of the change had been sent to my email account, it would certainly never have been allowed, and I could have blocked any password changes (which the hackers actually didn’t do…). I have since changed the password, so they have no access again. Strangely, Blizzard does send a verification link that you have to click to make a password change permanent. Why not on authenticators, too?

2. There is no limit to how many times a failed login can occur without some sort of lockout or delay on repeated attempts. So anyone who can guess an email address used for WoW can just run a brute-force attack on the account until they gain access. This is one of the first things they should have implemented when bringing everyone to Battle.net. Why it isn’t done is beyond me; it’s a simple, industry-standard security principle. Make it take longer than reality will allow to brute-force passwords, and people won’t bother trying.
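One way to implement the lockout-or-delay the second point asks for, as an added example that is neither Blizzard’s code nor the post author’s: a per-account throttle that doubles the wait after each failed password check and locks the account after five failures. The credential store, account name, thresholds and attempt sequence are all constructed for the demo.

```python
from dataclasses import dataclass, field

# Constructed demo credential store (plaintext only to keep the example short;
# a real service stores salted password hashes).
USERS = {"player@example.com": "correct horse battery"}

@dataclass
class LoginThrottle:
    """Tracks failed logins per account: doubling delay, then a hard lockout."""
    max_failures: int = 5           # failures before lockout
    base_delay: float = 2.0         # seconds; doubles with each failure
    lockout_seconds: float = 900.0  # 15-minute lockout
    window_seconds: float = 3600.0  # failures older than this are forgotten
    _state: dict = field(default_factory=dict)  # account -> (failures, last_fail, locked_until)

    def check(self, account, now):
        """Return ('allowed'|'throttled'|'locked', seconds_to_wait) BEFORE any password check."""
        failures, last_fail, locked_until = self._state.get(account, (0, 0.0, 0.0))
        if now < locked_until:
            return "locked", locked_until - now
        if failures and now - last_fail > self.window_seconds:
            del self._state[account]            # stale history, start fresh
            return "allowed", 0.0
        if failures:                            # doubling back-off: 2s, 4s, 8s, ...
            earliest = last_fail + self.base_delay * 2 ** (failures - 1)
            if now < earliest:
                return "throttled", earliest - now
        return "allowed", 0.0

    def record(self, account, now, success):
        """Update state after a real password check; success clears the history."""
        if success:
            self._state.pop(account, None)
            return
        failures, _, locked_until = self._state.get(account, (0, 0.0, 0.0))
        failures += 1
        if failures >= self.max_failures:
            locked_until = now + self.lockout_seconds
        self._state[account] = (failures, now, locked_until)

def attempt(throttle, account, password, now):
    """One login attempt at time `now`; throttled or locked attempts never touch the password."""
    status, _wait = throttle.check(account, now)
    if status != "allowed":
        return status
    ok = USERS.get(account) == password
    throttle.record(account, now, ok)
    return "ok" if ok else "denied"

def simulate(attempts):
    """Run a constructed attempt sequence [(time, account, password), ...] through one throttle."""
    throttle = LoginThrottle()
    return [attempt(throttle, acct, pw, t) for t, acct, pw in attempts]

# Constructed guessing run: rapid wrong guesses, then the real password while still locked.
DEMO = [(0, "player@example.com", "guess1"), (1, "player@example.com", "guess2"),
        (2, "player@example.com", "guess3"), (3, "player@example.com", "guess4"),
        (6, "player@example.com", "guess5"), (14, "player@example.com", "guess6"),
        (30, "player@example.com", "guess7"), (31, "player@example.com", "correct horse battery"),
        (931, "player@example.com", "correct horse battery")]
```

Per-account limits alone let anyone who knows an account name lock its owner out, so a real deployment pairs this with per-source-IP limits and notifies the account holder by email when a lockout fires.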

That’s pretty much all I’ve got for suggestions. To the people who think that security lies with the account holder, sure it does. However, they aren’t the only ones that can help secure accounts, and I’m sure Blizzard could use the money they pay people to restore accounts for something better.

Just my $0.02, good luck and keep your passwords as strong as you can remember!
