By now most gamers have heard about the NSA watching games like WoW and SecondLife for dangerous individuals. If you’re also watching out for potential impacts from the NSA’s activities exposed recently, you’re probably now saturated with odd and scary stories.
A meandering thought or two is below.
Frankly the entire concept reads like fiction to me, and is scary enough that I’m seriously considering changing a huge amount of what tools I use and what I do online.
By way of a really dreadful example, please consider these revelations about what is plausible for surveillance. It is a video explanation of the methods recently exposed: actual hardware hacks, device exploits, and all other manner of “hacks and hijacks”.
Not the first, and certainly not the last, account security alert for a game company came yesterday from Blizzard. In short – their systems were significantly compromised sometime around Aug 4 2012, and while no credit card information, billing addresses, or real names were exposed, the basic message is that everyone needs to change their passwords and account information. Details here.
Honestly I think that this is a mess, and a mess that demonstrates a few points worth noting for organisations which have either a vocal population or sensitive information (yes, everyone):
- Anyone is vulnerable to a hack, even the monolithic software devs. Consider that the larger the company, the larger the revenue, and the larger the honeypot of information is that could be obtained. That makes Blizzard an exceedingly juicy target.
- Good tools and development principles can assist in protecting customers. The authenticator makes a big difference. The password storage mechanism inside the system/DB makes a huge difference.
- Telling customers the open truth will garner the best reaction. Following up with extra news and responses to questions will save the share price.
- Telling customers quickly is critical. If a customer finds out late then the vendor is on the hook for every poor experience in the customer’s mind from that point forward, however illogical they are.
- Always provide a plan of what to do next, and what is happening next.
It is not just that companies need good security (they do); they also need excellent protocols for security events. A gaffe in dealing with a breach in security will hurt long after the actual systems are restored. The public has a long memory.
This means that while trying to patch the issue Blizzard are also considering the PR damage control. It appears from my first review that Blizzard took the honest path – they spoke clearly about what happened. I think I read elsewhere that they also have involved external consultants to help. Even bloody better. Nothing makes a systems or a dev person stand up like having another techie review how you do things. In spite of the hack, it’s good to see.
So go update your passwords. I’m not sharing a “password reset” link as I distrust any links like this that I don’t type out myself.
Cryptic tell me via email today that my password and some user credentials might have been compromised.
“The unauthorized access included user account names, handles, and encrypted passwords for those accounts. Even though the passwords were encrypted, it is apparent that the intruder has been able to crack some portion of the passwords in this database.
All accounts that we believe were present in the database have had the passwords reset, and customers registered to these accounts have been notified via e-mail of this incident.”
I want details, more detail than they supplied. It is a huge concern when the gaming market is going for micro-transactions, and those accounts can store credit cards, especially for inactive games. This event apparently only directly relates to Star Trek Online and Champions Online, but any breach is serious.
Cryptic are doing the right thing by owning up to it, and making channels available to the community affected. They’re doing the minimum right thing. But sheesh Cryptic – how many times has this happened to game companies in the past, and why is it so ungodly difficult to establish a secure database system?
So WoW’s account security got a shot in the arm today, with the forums requiring the authenticator.
Isn’t this more of a “sorry it took so long” situation? This was so bloody obvious that it surprises me that it has taken till now. Maybe there were technical reasons why this could not be done, and as a consumer I do not appreciate the work involved. Maybe.
But maybe it is also not unreasonable to expect this level of forethought when a feature like the authenticator is introduced, and expect a change to the systems we use within a good timeframe. Say less than two years after the press release.
I think the change was implemented to help slow down account hacking. If you think about it the forums are the perfect place to brute force attack a username/password combination; as it’s a web based delivery system that has to be tolerant to many different interfaces, and has been around a very long time. That means it was probably installed to be a basic solution, and became the juggernaut before anyone really saw what was happening.
The follow-up question is why now rather than later or much earlier; and only Activision-Blizzard could tell you that; the cynics will say it’s because hacks cost too much (meh), but it could also be that it will be a legitimate and substantial improvement to the forum systems, that has been planned for a while. If the changes for RealID were being planned, it stands to reason that this was part of it.
So yes, it is a very good move, and something that has been asked for a long time.
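The point about the forums being the natural place to guess username/password pairs is a detection problem as much as an authenticator problem: a web login that accepts unlimited attempts will show up in its own logs long before anyone notices. As an added example (not Blizzard’s code, and using a constructed log format that is an assumption for this example), here is a small detector that walks login events and raises an alert when one source address, or one account, collects a threshold of failures inside a sliding time window. The second key catches the distributed case where many addresses take turns against one account, which a per-IP counter alone misses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample of forum login events (not real Blizzard logs). The line
# format is an assumption made for this example.
SAMPLE_LOG = """\
2010-08-08T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2010-08-08T10:00:03Z src=203.0.113.5 user=alice result=FAIL
2010-08-08T10:00:05Z src=203.0.113.5 user=alice result=FAIL
2010-08-08T10:00:07Z src=203.0.113.5 user=alice result=FAIL
2010-08-08T10:00:09Z src=203.0.113.5 user=alice result=FAIL
2010-08-08T10:00:20Z src=198.51.100.10 user=bob result=FAIL
2010-08-08T10:00:21Z src=198.51.100.11 user=bob result=FAIL
2010-08-08T10:00:22Z src=198.51.100.12 user=bob result=FAIL
2010-08-08T10:00:23Z src=198.51.100.13 user=bob result=FAIL
2010-08-08T10:00:24Z src=198.51.100.14 user=bob result=FAIL
2010-08-08T10:00:30Z src=192.0.2.77 user=carol result=FAIL
2010-08-08T10:00:31Z src=192.0.2.77 user=carol result=FAIL
2010-08-08T10:00:40Z src=192.0.2.77 user=carol result=OK
2010-08-08T10:05:00Z src=192.0.2.77 user=carol result=FAIL
2010-08-08T10:05:01Z src=192.0.2.77 user=carol result=FAIL
2010-08-08T10:05:02Z src=192.0.2.77 user=carol result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Return a dict for a well-formed event, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "user": m["user"].lower(), "ok": m["result"] == "OK"}


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Alert once per key when 'threshold' failures fall inside a sliding window.

    Two keys are tracked: the source address (one box hammering any accounts)
    and the account name (any number of boxes hammering one account).
    A successful login clears the account's failure history.
    """
    failures = defaultdict(deque)   # (kind, key) -> timestamps of recent failures
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["ok"]:
            failures.pop(("user", ev["user"]), None)
            continue
        for kind, key in (("src", ev["src"]), ("user", ev["user"])):
            dq = failures[(kind, key)]
            dq.append(ev["ts"])
            while (ev["ts"] - dq[0]).total_seconds() > window_seconds:
                dq.popleft()
            if len(dq) >= threshold and (kind, key) not in alerted:
                alerted.add((kind, key))
                alerts.append({"kind": kind, "key": key, "failures": len(dq), "at": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{a['at'].isoformat()} {a['kind']}={a['key']} failures={a['failures']}")
```

On the constructed sample, the single address guessing at `alice` trips the source alert, and `bob` trips the account alert even though no single address exceeds one failure; `carol` never does, because her successful login resets the count and the later burst stays under the threshold. The same counters are what a login endpoint would consult to throttle or require a second factor, rather than only to raise alerts after the fact.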
Update 8 Aug 2010:
Further to the account security, the WoW login screen now recommends some security measures, like letters and numbers – but still fails on the upper or lower case for those characters.
There is much rejoicing about the iPhone based authentication recently released, and why not? It’s a free version of the keychain. I said previously:
This little app has the potential to help every one of the millions of Blizzard clients, and if done well will help change our expectation of online services.
But they’ve got it 90% right. I tested the sign-up process and have found two things that I don’t like.
A software based authenticator for mobile devices has been announced. Good god, that is an interesting idea!
I think the employee who thought this up, or even the team who wanted it should be taken out to lunch. Somewhere nice too, with white tablecloth. This little app has the potential to help every one of the millions of Blizzard clients, and if done well will help change our expectation of online services.
- Can you reverse engineer an iPhone/mobile/whatever app? Probably, but how hard? Does the delivery to so many platforms make it easier to get security flaws, as there are so many different platforms?
- Connection only needed the first time it runs, to setup the account link. Obvious, but important.
- I wonder if I can put in the serial of my physical keychain, and then use my iPhone for authentication. This way I have two devices linking to my account. Why? So that if my iPhone crashes, or I drop my keychain into the toilet by accident I can still play wow.
- It won’t be free (nothing good is) but hopefully it’s no more expensive than the keychain model.
This is also a great sign of what online games, apps, links, and services all over the place should be doing if they purport to have “high security”. 10/10, but it remains to be seen if it’s safe. The early adopters will be taking a few risks, so I’ll stay with the keychain till after the first few rounds of release.
ps. I wonder if the Apple App Store will give the devs grief to get the app approved. After all, you can talk about rude things while playing the game….
As a response to security concerns and account hacking it seems that Blizzard will facilitate an optional security token system. Initially I thought this was a late April fools joke, but after taking off my cynical hat, maybe some users will like this. I really don’t know.
If it works for all Blizzard games going forward and remains an optional device – it’s a good thing. It raises a question about using different PCs, how many could be authorised, and what customer support will be needed.
My humble opinion is that this will not be broadly adopted. I certainly won’t be using one as I move between so many machines and have a tendency to lose my keys.
A software based solution might make more sense, and if Blizzard really want to stop accounts being hacked, they should:
- change our account name as well as password
- set minimum complexity rules
- have the wow forums using a different login to the account login.
- don’t show “account already in use” when creating a new account name. When creating my account I was told that my first few choices were already in use. That’s half the user/pass combination hacked right there.
- what about areas outside USA for customer support?
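The “account already in use” complaint is the textbook account-enumeration leak: the sign-up form (and, just as often, the login error) confirms which names exist, so a guesser only has the password half left to work on. As an added example (not Blizzard’s code; the user store, the wording and the hashing parameters are assumptions made for this example), here is the leaky sign-up reply beside an enumeration-resistant version, plus a login routine that returns one fixed error for both “no such account” and “wrong password” and does the same hashing work either way, so neither the message nor the response time gives the name away.

```python
import hashlib
import hmac
import os
from typing import Callable, Tuple

ITERATIONS = 100_000   # PBKDF2 work factor; an assumption for this example
UNIFORM_LOGIN_ERROR = "Invalid account name or password"
UNIFORM_SIGNUP_REPLY = "If those details were accepted you will get an email shortly"


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


# Constructed user store (not Blizzard's), keyed by lowercased account name.
_SALT_ALICE = os.urandom(16)
USERS = {"alice": (_SALT_ALICE, _digest("correct horse", _SALT_ALICE))}

# A dummy record that is checked when the account does not exist, so an
# unknown name costs the same hashing time as a known one.
_DUMMY_SALT = os.urandom(16)
DUMMY_RECORD = (_DUMMY_SALT, _digest(os.urandom(16).hex(), _DUMMY_SALT))


def signup_leaky(username: str) -> str:
    """The behaviour the post complains about: the reply itself confirms which names exist."""
    if username.lower() in USERS:
        return "Account name already in use"
    return "Account created"


def signup_uniform(username: str, email: str,
                   send_email: Callable[[str, str], None]) -> str:
    """Same reply for every outcome; the distinguishing information goes only
    to the mailbox, which the requester must already control to see it."""
    if username.lower() in USERS:
        send_email(email, "A sign-up used your account name. If that was you, use password reset.")
    else:
        send_email(email, "Confirm your new account by following the link in this email.")
    return UNIFORM_SIGNUP_REPLY


def login(username: str, password: str) -> Tuple[bool, str]:
    """One error string for both failure reasons, and the password check
    runs against a dummy record when the account is unknown."""
    salt, expected = USERS.get(username.lower(), DUMMY_RECORD)
    password_ok = hmac.compare_digest(_digest(password, salt), expected)
    if password_ok and username.lower() in USERS:
        return True, "Welcome"
    return False, UNIFORM_LOGIN_ERROR


if __name__ == "__main__":
    outbox = []
    print(signup_leaky("Alice"))
    print(signup_uniform("Alice", "a@example.invalid", lambda to, body: outbox.append((to, body))))
    print(signup_uniform("zed", "z@example.invalid", lambda to, body: outbox.append((to, body))))
    print(outbox)
    print(login("alice", "correct horse"), login("alice", "nope"), login("nobody", "nope"))
```

The same idea applies to password reset forms: “if that address is registered we have sent a link” rather than “no such account”. It does not remove the need for the rate limiting and second factor discussed earlier, but it stops the site from handing out the easy half of the credential for free.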
Edit: Apparently these only sell to the USA and Europe (which sucks if true), and the one authenticator can be used on any number of accounts; which is great.