Every time I bring up World of Warcraft accounts getting hacked, as I did yet again this past weekend, the comments that follow seem to fall into three distinct categories. This pattern seems pretty consistent.
Unfairly, but in the name of simplicity, I have given these three categories names. They are:
- It is Your Fault
- It is Blizzard’s Fault
- It is Complicated
Or, graphically:
It Is Your Fault
This point of view is probably best summed up by a comment from a reader that said, essentially, “Blizzard didn’t get hacked, you did.”
This point of view insists that you are responsible for the security of your account, so if you got hacked, you did something to cause it to happen.
Tobold thinks you likely fell for a phishing email if you got hacked. As he points out, there are a lot of them out there, though if he is seeing “extremely well made” versions, he must be getting a higher class of phisher than I generally do. The sentence structures that I see most frequently could best be described as the “Me phish you long time!” school of grammar.
Others are more blunt, and insist, without any actual knowledge of what occurred, that you were phished, that you fell for one of those emails, and that there is really no possible alternative explanation.
And there is an Occam’s Razor simplicity to this point of view. Certainly, the easiest way for somebody to obtain your account name and password is for you to give it to them.
There is also a distinct sub-group in the “It Is Your Fault” faction that believes that if you do not have a Blizzard Authenticator then you might as well have given a hacker your account information. This is the “No authenticator, no sympathy” faction.
It Is Blizzard’s Fault
There are, I feel, a couple of threads to this faction. The primary thread seems to stem from the “don’t blame the victim” school of thought.
After all, the person who had their account hacked, they are the ones that lost valuable virtual items (people want to steal them, so they must be valuable) which they left in Blizzard’s care. This isn’t Grass Valley, they didn’t leave the car door unlocked only to find something stolen. They used the default option for account security, in fact the only readily available option for account security, a password.
If a WoW account needs more security than that, the thinking goes, then Blizzard should provide it. We’ve been hearing about WoW accounts being hacked by the tens of thousands for a few years now, and in that time only two security related initiatives have come about.
The first was forcing people to use their email address as their log in ID, which was really a move in the wrong direction, since most people will use their main email address, something easy to find. This arguably made the situation worse.
And the second was the Blizzard Authenticator.
As with the first group, there is a sub-group focused on the Blizzard Authenticator. This group runs a spectrum from people who believe Blizzard should give the things away for free to the conspiracy theory faction that believes that authenticators are just another Blizzard profit center.
There is also a sub-group who believes that account hacking, and the gold selling activities that drive it, all serve to enrich Blizzard in some fashion, so Blizzard can’t be serious about account security.
It Is Complicated!
There always has to be the “other” column.
After the previous two categories, there is the gray area populated by people who might be leaning towards one of the first two groups, people who have to deal with cleaning up the problems that result from the security flaws in things like Adobe Flash or JavaScript, people who have actually been hacked and were able to run down how it happened, people who were hacked even though they were security aware, people, like me, who just distrust any easy answer, and probably a few dozen other identifiable different points of view on the subject.
The Ignorant
If you count the people who know nothing, or next to nothing, about people getting their accounts hacked, the people who have never gotten a phishing email, the people who have never heard of the Blizzard Authenticator, then The Ignorant is by far the largest group.
If you are reading this, you are more aware of WoW account security than probably 80-90% of the people who play the game, and not by virtue of anything I’ve written. People who care about the game, who take an interest in the game outside of just logging on and playing, are most certainly the minority.
The ignorant do not, however, comment here, so they don’t count towards the three categories to which I referred at the top of this post.
Where Do You Fall?
Just to give this observation some point on which to end, I think it is time for another poll.
I got hacked before I got my authenticator and I consider it my own fault. You don’t have to have an authenticator but if you don’t it’s much easier for hackers to get you. All I did was visit a website I thought was the official armory, acquired a key logger in the process and the next time I logged in, bam they had my account.
Account security rests with the account holder, apparently I sucked at it so I got the authenticator as a backup.
I put the blame and the fault squarely on the hackers themselves.
It’s a radical idea, I know, but I can’t help but feel that if it wasn’t for them, we wouldn’t have this problem.
I’m somewhere between “it’s your fault” and “it’s complicated”.
To a certain extent, it has to boil down to the individual. Did you use the same password for multiple things? Did you log in at a friend’s house or on a computer that you do not have SOLE CONTROL over what websites it visits? Do you block scripts on websites and java?
There are also the people who get hacked even with authenticators and who, supposedly, are very strict about their security habits. To those people I would just say “sucks to be you” and shrug. Something must have happened — you just don’t get hacked for no reason, even if it’s out of your control.
@Winged Nazgul – Exactly! It’s the fault of the hackers, not the hacked. This trend of blaming the victim or the provider is the exact same as if you were dealing with a non-gaming account- fallacious.
A Wraith and Nazgul agree. There has to be a joke in there somewhere.
The problem with blaming the hackers is that there is not much you can do to stop them, unless you’ve come up with an amazing new idea, because I’ve got nothing.
I totally agree that it isn’t your fault or blizzard’s. Before I played wow, the only multiplayer games I played were console games sitting next to my friends, then later on, fps and rts games using steam and battlenet. It is still hard for me to wrap my head around how gaming has lost its innocence.
Now that I play Wow, I have to be careful when I check my email, when I use google, when I send text messages or use friend’s computers. I have to carry an authenticator when I travel. For most folk, this sounds like maintaining a bank account, and that’s asking too much.
I’m with Keen – between “your fault” and “it’s complicated”. With a very heavy bias towards “your fault”.
Despite not having an Authenticator for years, despite never changing my password, despite even sharing my acct info once (way back in Classic). Despite not having an anti-virus and even using IE as my web browser for years… I was never hacked.
Partially I was lucky. But mainly, I’m a smart internet user. I don’t go to sites I don’t know. I don’t click links without checking where they go.
You and Tobold talk about getting WoW-spam, but I don’t. Ever. My Gmail account (used for posting in blogs) gets zero messages. My actual email address gets ZERO spam. I don’t even get “Viagra” and “wealthy foreigners” spam.
I have an Authenticator now, because it was free for my iPod Touch. If I didn’t have that iPod – I probably wouldn’t run an Authenticator still. 95% of the “zomg I r hacked” “victims” are victims of their own ignorance (a better word than stupidity).
I have noticed the fake beta invites keep getting more & more “real” looking. If they were not full of links, I might fall for it.
@Wilhelm2451
*grin* – I hadn’t noticed that!
As for the rest, the problem isn’t to stop the hackers, it’s to place the blame where it is supposed to be. Instead of vilifying the victims or the providers, why not place the blame directly on the hackers, instead of giving borderline trollish remarks towards either of the other parties? True, the resolution isn’t going to come from the other end, but rather than a holier-than-thou approach, a more reasoned approach towards solving what we can would be better for those of us that live on this side of the law, IMO.
I don’t think you can stop bad guys, as long as it’s financially worth them doing so. Main problem here are gold buyers. No buyers, no business, no stolen accounts. This problem can be tried to get fixed (at least to some extent) by hitting on gold buyers and trading channels. It seems that for some reason Blizzard doesn’t do enough in that area. They do ban gold buyers (at least they say so), but frequency is far too low to be a good threat to potential buyers.
Then what about channels. One specific gold selling site is still in business, though they were advertising in the game itself. Can’t Blizzard shut them down or they just don’t bother to (too expensive to sue or something /from their point of view, of course/)?
It is complicated. Security awareness of majority of the users is too low (security software: why to use, what to use, when to use and how to use it) and insecurity of internet raises. Problem is generated by users taking a path of lesser resistance. Those with money and not willing to invest effort (“why should I bother grinding something, when I can simply buy it”). Companies (Blizzard in this case) not seeing further than the length of their nose and introducing things that lower security even more. I can only guess that they don’t care much. It’s cheaper for them to fix someone’s account than to go and change everything to make it more secure (which they can’t know; they needed unique identifier for all this ID bull and email was perfect choice; too much effort invested to throw it through the window). At least for now. We’ll see what future will bring.
@Wraith – Okay, I get what you are saying and am mostly in agreement. There is, in my mind, a threshold of security awareness below which you’ve failed to secure your own best interests.
I linked that Grass Valley post, with a list of people who had things stolen from their unlocked car in a single day, as an illustration. Yes, the thief is the bad guy, but it is hard to feel sympathy for somebody who left valuables sitting in an unlocked and unattended vehicle. But I have also worked in areas where leaving anything in your car (like spare change visible) was an apparent invite to smash your window, so it is somewhat situational.
Now what that threshold is for a WoW account I am not sure. Somebody will say “authenticator,” and having one gets you brownie points for going all the way, but should people have to do that? And how do you fault somebody who never got a phishing email and used a very strong password?
We are constantly inundated by phishing attempts – some obvious, some not. It is the obvious one that has engendered our rule that whatever the message it is fake until proven true. This means we verify everything by contacting the source directly ourselves.
In the end it is a mistake to find someone to blame. It is far more productive on how to prevent.
It’s definitely complicated. Things like requiring our userids to be an email account (/facepalm) reduced account security, and that’s Blizzard’s fault. Blizzard also needs to do a better job of policing blizzard related urls. I’ve had phishing e-mails that actually led to pages with a blizzard.com suffix. Really? Come on now.
On the other hand, people should never ever ever ever enter their account info into a linked page. Always type in the base worldofwarcraft or battle.net url and navigate from there. That sort of thing makes it the individual’s fault.
To the no authenticator, no sympathy faction, get bent. You should always feel sympathy for a hacked fellow gamer, even if they did something stupid, but especially since, believe it or not, it’s entirely possible they did nothing wrong and still got hacked.
I’ve been on both sides of the issue: a developer who had to deal with “hacked” accounts and someone who had my WoW account compromised. The reality most certainly is “it’s complicated”.
People want simple answers, and there are none here. I heard just about every variation of every possible story about why a person’s account got hacked. Although Meridian 59 accounts weren’t valuable, most of the time the only excuse someone could come up with about why they broke the rules was that their account was “hacked”. Of course, most of the time their story didn’t agree with the logs. But, I heard everything from “I was playing on a computer at the library” to “I’ve only ever given my password to my boyfriend, and he wouldn’t do anything like that!” (Yeah, a learning experience for the young lady in that last example.)
That said, some stories did check out, so it’s not always the case that someone’s lying. And, as I mentioned, my own WoW account got compromised. I’m experienced with internet security, I don’t follow phishing emails, and I run more trusted security software than most people even know about. When my WoW account got hacked that was actually a pretty minor inconvenience. My bigger worry was that I have a lot more sensitive information on my computers than my WoW password. So, I spent a lot of time making sure I didn’t have a keylogger or rootkit on my system. I’m still not 100% sure what happened, but I believe that someone compromised the ancient Hotmail account that I use to catch spam (and used for my WoW account) and just happened to find an old WoW email to find out my WoW info. My fault? Perhaps you can try to pin some blame on me for using webmail, but I’m not sure that’s fair.
And, as people have pointed out, the real culprit here are the people who do the hacking: gold sellers, vengeful significant others, etc. Even the best security can eventually be compromised by someone if there’s enough profit in it.
My thoughts.
I am with others between your fault and complicated. Blizzard could do more, failed log in attempts and the whole using your email as your username is just DUMB. On the other hand I took it on myself to get a new email address to resolve that.
But still trust Blizzard itself is safe, I doubt that your mac friend picked up some sort of keylogger as I am involved in that community and there are no hints of any current vulnerability.
So that leaves the user shared details across multiple sources ie some sort of user community,
Or phishing, and Authenticators don’t do much for phishing because we have been trained to enter user name, password and authenticator and in 30 seconds that can be entered into live.
Incidentally last year my old guild the wife of the Guild master was hacked. A few weeks later we had a rash of hackings, Did they get into the guild website? I suspect so.
I played WoW before the first expansion came out and before authenticators were around. I got to level 48, then grew bored with it and walked away. I had been away from the game for several months, with my account untouched, and suddenly in the week before I went to re-activate, I got a notice telling me my account had been banned due to someone hacking it.
How does that work? I played at an Internet Cafe, so it’s possible that someone keylogged me or the like, but if so, they then sat on my account details for weeks without accessing the account whilst I was still. Additionally, they then sat on the details for months without accessing my account, after I stopped playing and stopped subscribing, only to finally access it after nearly 3 months of dormancy?
To me, that seems more like how events would play out if someone hacked my details from Blizzard directly in the lead up to a new expansion. Of course, the simpler possibility is that it was my fault, but the timing just doesn’t make sense for that, so to this day, I’m still confused as to what actually happened or whose fault it was…
I voted for it’s complicated. There are methods of gaining access to PCs that really aren’t the fault of the ordinary PC user. In fact Windows and IE have traditionally carried an element of openness about them that allows viruses to be written and Microsoft to make lots of money selling essential security patches to companies. A well-written keylogger could be transmitted from all sorts of apparently innocuous methods. I heard one of the Curse addons had a keylogger slipped in at one point, another urban myth that could be true is that at one point an ad on WoWhead could infect you simply if you browsed the page (even without clicking the ad).
I use Mozilla, NoScript and AVG. The problem with NoScript is you do actually want to see stuff so you end up overruling it most of the time. So it protects you from dodgy sites that your common sense would tell you not to trust but it doesn’t protect you if the virus is somewhere that would seem a reasonable place to trust.
Having said that I’m sure a huge proportion are just silliness on the part of the user. I get a vast amount of cataclysm beta invites in my spam folder and there’s a part of my brain that always says “it could be genuine, you know”. Fortunately it hasn’t managed to lure me into accepting one of these offers. Yet.
It’s your account details. It’s your responsibility, not Blizzard’s, to ensure that your account details are protected. To use an analogy, it is hardly the bank’s fault if you give your credit card to a shady dealer or leave it in a restaurant.
An authenticator is not a requirement for security. It’s an added layer which you can choose to use if you are worried about, to use the previous analogy, accidentally leaving your credit card in a public place or giving it to an untrustworthy individual. Should Blizzard give these out for free? That would help, sure, but why do that when the problem is solved by simply being smart with your password? As I said, it isn’t Blizzard’s fault if you do something stupid with it.
Now, it would be Blizzard’s fault if their account system was actually being hacked. However, it is not. It really irks me when people say that their account was “hacked” when in reality their account details were just found out by someone. That is not “hacking”.
It’s all of the above.
Users who go to “bad” websites or click links in emails are to blame themselves.
Blizzard hasn’t done enough to make things more secure. Using emails as log-ins was a horrible idea, among the dumbest ever. The authenticators are okay, but lead to more problems of hacked accounts being locked out with them (now sorta fixed).
But Blizzard could easily use an on-screen random placement number pad and require clicking in a pin code to log into accounts along with passwords.
So the blame goes both ways. Dumb users and a company not doing enough. Personally I haven’t had a problem, but then I don’t fall into the first group.
“But Blizzard could easily use an on-screen random placement number pad and require clicking in a pin code to log into accounts along with passwords.” – ScytheNoire
I need to comment on this… Contrary to popular belief, those are actually not secure. If a program can detect your key presses and log them, they can just as easily do the same for your mouse. Write a little code to detect where the pad is on the screen and it can send that in its report as well. If that doesn’t work, just take a screenshot and send it (compressed as much as possible to ensure it gets through). The point is, if your computer is compromised, anything you do on it is compromised, no matter what security measures you are taking. Now of course, some keyloggers won’t be this advanced, but having a random pad (which is bothersome and annoying for the user) just to prevent those less advanced keyloggers is not really worth it.
I’ll agree that using your email address as your login ID is not the best idea as far as security goes. But I personally always assume my login ID, no matter what service I am using, is compromised already. For me, it always comes down to protecting my password in as many ways as I can. Keeping your login ID secret is of course another helpful layer of security, but there are few services which completely allow this.
@InvisibleMan – The problem with your analogy is that you assume that the person who got their credit card information stolen, or their account hacked by logical extension, did something that a reasonable person would know was obviously wrong.
I have had my credit card information stolen and used twice in the last decade. Both times the trail led back to reputable restaurants where somebody on the staff was skimming credit cards and selling the information. Was that an act that a reasonable person would see as an obvious risk, paying a restaurant check with a credit card?
I cannot buy into the “You got hacked, therefore you did something you knew was wrong” line of thought. You might as well simplify it, as another commenter did on the post I referenced, and declare that if you got hacked, you clicked on a phishing email, end of story.
@Wilhelm2451: It could happen by accident, but that wasn’t the point of my argument. The point is that it is your responsibility to protect that information. The service provider does what it can to prevent account theft (and performs cleanup afterwards if possible), but just like having an authenticator, that should only be a fall-back position. You are the first line of defense.
Not all service providers will provide adequate protection on their end, but I believe Blizzard is doing what they can.
I was hacked this weekend, yet I remain in the ‘It’s your fault’ faction. I’m very careful about keyloggers and the like, so the most likely reason for me getting hacked is that I simply use the same password far too often around the net. Sooner or later that info gets into the wrong hands. Have now changed all my passwords to something different and unique, and keep track of them all with a cheap application on the iPhone (good until that gets hacked too!).
What was interesting in my case is this- Blizzard had recognised suspicious activity on my account, locked it, returned my stuff (plus some extra gold) without me even registering a complaint. I changed my password, logged in to discover my toons naked but all their gear waiting for me in the mailbox. Good job Blizz!
Put me squarely in the ‘Your Fault’ camp. I’ve played WoW since launch, and have never been hacked. I still don’t have an authenticator. I don’t see a need for one. Are they extra security? Yes, but if you’re lax about security it’s wasted money anyway.
On the subject of comparing it to CC theft, it’s really not comparable. As Wilhelm points out, CC theft is more likely to be the result of a skim than anything else.
@Invisible Man – it is hacking. Hacking isn’t just something you do at the computer- ask most of the first ‘hackers’. When security was just something that applied to physical barriers, they found passwords by asking questions, digging through trash- all of that is hacking. It’s just social hacking, so the term applies.
@Jason – Wasted money? You don’t have to pay for it if you get the software so there’s no money to waste. And the point is, you *can’t* be lax about security if you have an authenticator. Unless they actually hack the id servers, there’s no way to be hacked. And as a last point, no matter how paranoid you are about security, you can still be hacked if someone puts their mind to it- never think that *any* security is hack-proof- it’s just a matter of making it as hard as possible so that it makes it not worth the time to do it.
@wraith808 – That’s commonly referred to as “social engineering”. I think you are the first person I have seen use the term “social hacking”.
@Invisible Man – It is *now* referred to as social engineering- back in the day, it was referred to as social hacking.
@Invisible Man- just to expand (hit the button a bit too fast), Social Engineering has wider connotations than just hacking. Cracking relates to the strictly computer related methods of getting into a system. Hacking relates to the whole plethora of methods used, including social methods.
I have played since the launch and never been hacked. I do use some simple security measures that help protect me. First, my battlenet account was set up with a separate email address (made just for the occasion) and password that is only used for WoW. Any WoW emails that come to this address are studiously ignored. Second, I never use anyone else’s computer to play on. Third, I never log in with my account email and password. I have them stored in a notebook page and when I want to log in, I copy and paste them (actually faster than typing them in, as my password is a random 17 letter-number combination). On the off chance I get a keylogger, all it will see is ctrl-v for both my email address and password. I have decided that I will be getting an authenticator also (can’t be too careful).