It would probably surprise people to learn that Blizzard, a game company, provides better security options for players of its games (World of Warcraft and now Starcraft) than nearly all banks and financial services companies do for their customers. The problem Blizzard faces is that people steal World of Warcraft accounts all the time, either to use the characters to farm gold, or to just strip all of the cash and things that can be sold from the account and pocket the cash.
A number of methods are used to steal passwords, including phishing, catching the passwords using key loggers, and just brute forcing them. Blizzard’s first big attempt to solve the problem was to give users the option of protecting their account using two factor authentication — their password and an authenticator that is tied to the account. The authenticator is a key fob (or an phone app) that generates a number every few seconds that must be entered in order to log in. Once an authenticator is tied to your account, getting your password stolen is no longer a problem.
Despite the fact that the authenticator app is free and the physical authenticator only costs $6, many players do not use them, and accounts still get stolen all the time. Indeed, account thieves almost always attach their own authenticator to compromised accounts as soon as they’ve been compromised, making it that much more difficult for players to get them back. (I shudder to think about how much money Blizzard spends dealing with account theft.)
To enable players who haven’t gotten an authenticator to secure their accounts, Blizzard has introduced a dial-in authenticator. With it, you can assign a phone number to your account. If there’s something unusual about an authentication attempt, you will be required to dial in to a toll free number from that phone and enter a PIN in order to log in successfully.
There’s bound to be an interesting article written about the economics of account security that explains why Blizzard finds it more worthwhile to implement robust authentication solutions when so many businesses that are susceptible to financial fraud do not. Are people that much more likely to steal your World of Warcraft characters than they are to steal your Amazon.com account and use the credit cards you’ve saved there? Or is it that people are more willing to go to extra trouble to secure their game accounts?
Update: There are lots of smart comments about this at Hacker News as well.
November 10, 2010 at 6:54 am
I think gamers are just a more tech-savvy demographic group than users of online-banking and -shopping.
There was a study recently (which I can’t find now but I think it came out of Microsoft) that asserted that not minding security is a rational economic choice: for a tech-layman, the effort spent to understand even basic internet security principles bears a higher cost than the overall risk of identity theft. With gamers at a (slightly?) more sophisticated starting level, the balance apparently tips the other way.
November 10, 2010 at 8:15 am
Yes. The ethical threshold for stealing someone’s WoW account is a lot lower than for stealing their credit card. While serious players would argue that there is no difference, most people would be able to easily rationalize game theft, “Oh, it’s just a game. It’s not like I’m stealing anything important!” or, “If they can spend this money on a game, they obviously don’t really need it.”
I’m sure that a lot of the Wow thieves would argue that they’re just engaging in advanced trolling. But to steal banking information, well, that’s “real” theft.
November 10, 2010 at 8:20 am
This actually sounds like a bank feature. My bank does something similar with large purchases. If I were to buy something really expensive (doesn’t happen often) they’ll call to confirm the purchase.
That Blizzard has automated something like this is impressive, though it seems easier to do since they have access to IP addresses and other things about the person logging in.
November 10, 2010 at 8:41 am
Yet, they don’t even offer case sensitivity in their passwords. Add this, and I’ll be listening.
November 10, 2010 at 9:17 am
Unlike amazon and bank accounts, WoW accounts get comprimissed all the time. I dont think blizzrad would have created all the authenticators if account stealing wasn’t already a huge problem.
November 10, 2010 at 10:19 am
Oh, and btw, last I checked they authnticate the start of the session (user login) and not transactions. So it’s still possible for malware on ther users computer to hijack the session after the user has authenticated corectly ..
November 10, 2010 at 10:34 am
how come they arent using a public key based authentication approach, thus for users with a private computer, the only way to login is to use that computer! eliminating passwords! they can of course carry their keys wherever they go.
November 10, 2010 at 12:15 pm
Credit card and bank fraud are regularly prosecuted. But there’s no penalty for stealing a Warcraft account. No one’s going to investigate or send the thief to jail. So Blizzard’s on its own to protect itself.
November 10, 2010 at 1:00 pm
Other sites also have other ways of mitigating this risk. For example, Amazon will only let you use saved credit card information if you ship to an address for which you have used that card before. Thus, somebody who steals your account can then send you stuff but not themselves. Not very attractive for the attacker and apparently enough of a deterrent.
November 10, 2010 at 2:15 pm
I work for a banking software company and we’ve implemented that feature in our home banking for about 4 years now. So using the word “innovate” is a bit misleading.
November 10, 2010 at 2:50 pm
I agree with what Nelson said. Breaking into a bank account and committing credit card is much more likely to be prosecuted and tracked down by authorities.
It’s much harder to convince those authorities that a online gaming account carries real-world value. Therefore it is left up to Blizzard to put these mechanisms in place not only to protect their consumers as well as trying to reduce the amount of time devoted to restoring characters and items in-game.
November 10, 2010 at 4:52 pm
The banks aren’t held directly responsible for security breeches.
Sure, they get a little negative publicity (iff the breech is publicized), but sloppy security is never punished.
Two-factor security is dead ( http://www.schneier.com/blog/archives/2005/03/the_failure_of.html ), but until my bank moves into the 19th century, I’d feel better if they gave us a SecurID.
November 10, 2010 at 8:09 pm
US banks have been largely successful in persuading the government to subsidize investigations into successful theft and to dodge true responsibility for bad security design. Blizzard doesn’t have that luxury and thus has to take the problem seriously.
November 11, 2010 at 10:42 am
The key here is in “insurance” I feel that financial institutions etc. also get the oogly good feelings from paying insurance premiums for the event of a security breach into their systems. Of course that cost is also handed to customers – however when you’re avatar gets stolen – I don’t think state farm is gonna have me back my epics. TLDR I think theft/espionage is a considered a constant in the banking industry and thus just thought of as everyday business.