WoW: Account Hacked - Battle.net Merger

So, when I created my Battle.net account four months ago or whatever, I was unable to merge my (dead) WoW account. I didn't think anything of it, but the other day I decided to contact Blizzard and get it straightened out. After calling them, I decided I'd rather just email them (there being a 37-minute wait and all). Well, a few hours after I emailed support with my problem I got a phishing scam, presumably initiated by whoever hacked my WoW account. Nice. The hackers got back to me before Blizzard.

Anyway, now that I'm in contact with the actual Blizzard, I sent in all the paperwork with a picture of my driver's license ... on which I blurred out the driver's license number, because those bastards don't really need that. But apparently they do. Why in the hell do they need my driver's license number? Pissed me off enough that I may just say screw it and let the hacker have my level 27 Druid and whatever other sub-20 characters I had.

So long as the scammers don't have your personal information, and you can find a cheap copy of WoW classic (refer a friend?), I'd say to cut your losses.

Driver's license? Weird. I had my account hacked and they never asked for a driver's license. I never had to mail them anything, either.

Funkenpants wrote:

Driver's license? Weird. I had my account hacked and they never asked for a driver's license. I never had to mail them anything, either.

Was this before or after Battle.net existed? It seems with Battle.net they've stepped things up.

Here's what you need to fill out now and they request a driver's license, birth certificate, passport, etc.

Form: http://us.blizzard.com/support/artic...

Instructions: http://us.blizzard.com/support/artic...

Funkenpants wrote:

Driver's license? Weird. I had my account hacked and they never asked for a driver's license. I never had to mail them anything, either.

My son had to fax a copy of his DL when he got hacked. In his case, the hacker had slapped an Authenticator on the account.

I got hacked back in March and I'm seeing e-mails from them talking about my Battle.net account. It sounds like they changed their approach since then, because for me it was just a couple of e-mails back and forth.

Enix wrote:

My son had to fax a copy of his DL when he got hacked. In his case, the hacker had slapped an Authenticator on the account.

That's what happened to my account. It's kind of crazy that we're at the point where to play a game you need to pass a security clearance. Amazing stuff.

Seems an appropriate place for this: Battle.net Dial-in Authenticator FAQ

What is the Battle.net Dial-in Authenticator?
The Battle.net Dial-in Authenticator is an optional tool that offers Battle.net account users an additional layer of security to help prevent unauthorized account access. If you sign up for the Battle.net Dial-in Authenticator, you will be asked to make a toll-free phone call from a specific phone of your choosing to authorize login attempts with the associated Battle.net account. You will be asked to make this phone call when something is unusual about the login attempt. For example, you may be asked to call when you play World of Warcraft from a different location than you normally do.

Is anyone going to add it to their account?

Scratched wrote:

Seems an appropriate place for this: Battle.net Dial-in Authenticator FAQ

What is the Battle.net Dial-in Authenticator?
The Battle.net Dial-in Authenticator is an optional tool that offers Battle.net account users an additional layer of security to help prevent unauthorized account access. If you sign up for the Battle.net Dial-in Authenticator, you will be asked to make a toll-free phone call from a specific phone of your choosing to authorize login attempts with the associated Battle.net account. You will be asked to make this phone call when something is unusual about the login attempt. For example, you may be asked to call when you play World of Warcraft from a different location than you normally do.

Is anyone going to add it to their account?

That sounds interesting, but really, how many people with an authenticator have been hacked? I know it's theoretically possible, but this service sounds like overkill to me. The push-button authenticator should be more than enough for anyone. Then again, Blizzard wouldn't be offering this dial-in thing unless their costs of account recovery related customer service are pretty darn high.

I honestly don't get the new Dial-In Authenticator service. Why bother? Why spend all the time and money setting up a 1-800, the application services to run it and all the extra overhead & maintenance? Wouldn't it be cheaper to just give every effin' WoW player a free mobile authenticator? Hell, jam a physical one in the Cat retail box, it's not like they're expensive.

Just make the damned things mandatory and get it over with.

They've already got a call centre infrastructure. I also don't know what proportion of players have authenticators, and there's also the issue of whether people want a physical security token to hold onto, and go through some bother if it gets lost. If you know you only play in one location, dial-in would be non-invasive, and should only trigger when something bad happens, rather than having to use the token every login.

I keep getting emails that someone has requested that my password be changed. Of course, since I've had an authenticator for a long time, I'm not the least bit concerned about it, and the password on my WoW account is long since defunct. But seriously, I could get those emails all day and not care because of it.

Authenticators, people. They'll kill this thread for good, and it will be a good death.

Until Bliz give them out for free and force their use it won't happen.

The other thing is that it's a people problem as well as a "I used an innocent website on my computer and I got keylogged" technology problem. Not everyone is clued into keeping their computer updated and secure, some people believe those e-mails telling them there's a free mount waiting for them, that they need to click here to sort out their investigation into controversial currency transactions, and some people do buy gold. In an ideal world people wouldn't do those things, but they do.

I'd be interested to see if Bliz ever make a security measure like the dial-in opt-out instead of opt-in by default (with a good notification), or make it a condition of having your account restored, as otherwise it's too much cost to them if your account is regularly hacked. Or some 'smart' system that monitors normal use and sets up accordingly. I'm sure quite a lot of people wouldn't notice, as they do have a predictable usage profile or just play from one computer/IP.

The difficulty is that it's a game, and no new customer comes into a game liking the idea that they'll need an NSA device or risk getting hacked. So it's a marketing issue as well.

I had a simple password when I got hacked that was probably brute forced, but if it was a brute force attack you have to wonder why it's not possible for the server to shut someone out after X number of tries in succession. Ten tries in a row, freeze the account and send an e-mail to the user. That sort of thing would at least cut the number of successful hacks. Is that hard to put in? (not a rhetorical question- I have no idea how this stuff works)

Funkenpants wrote:

I had a simple password when I got hacked that was probably brute forced, but if it was a brute force attack you have to wonder why it's not possible for the server to shut someone out after X number of tries in succession. Ten tries in a row, freeze the account and send an e-mail to the user. That sort of thing would at least cut the number of successful hacks. Is that hard to put in? (not a rhetorical question- I have no idea how this stuff works)

It's trivially easy to implement, but there's nothing to stop the hacker from trying again after you unlock the account. You'd be perpetually locked out as they kept trying and trying. Not only that, but griefers would have a field day.

Tracking the source IP of people who are trying multiple accounts + multiple passwords (with a high login fail rate) and suspending access from those IPs for a period of time might help.

Like you say, it's a marketing problem too. Can't help thinking factors like gold selling might be factored into the long-term plans with MMO2 to make them irrelevant. There are a decent number of people who want to pay money to save a little time.
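Added example, not code from the thread or from Blizzard: a small model of the two throttling policies discussed above, run over the same constructed stream of login attempts. It shows why "freeze the account after ten tries" hands a griefer a way to lock the real owner out, and how suspending the source IP on a high failure count and failure rate avoids that. Account names, IPs, thresholds and window lengths are all assumptions for illustration.

```python
"""Added example, not code from the thread or from Blizzard: a model of the
two throttling policies discussed above.

Policy A freezes an account after N consecutive failures (the thread's
"ten tries in a row"). Policy B suspends a source IP that shows many
failures with a high failure rate. Both run over one constructed timeline.
Account names, IPs, thresholds and window sizes are assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

ACCOUNT_LOCK_THRESHOLD = 10   # the thread's "ten tries in a row"
IP_WINDOW_SECONDS = 600       # assumed: how far back per-IP history is kept
IP_MAX_FAILURES = 20          # assumed: failures per IP inside the window
IP_MIN_FAIL_RATE = 0.8        # assumed: share of that IP's attempts that failed
IP_BAN_SECONDS = 3600         # assumed: suspension length


@dataclass
class Attempt:
    t: float        # seconds on a constructed timeline
    ip: str
    account: str
    ok: bool        # True when the password was correct


class AccountLockout:
    """Policy A: freeze the account after N consecutive failures."""

    def __init__(self):
        self.fails = defaultdict(int)
        self.locked = set()

    def check(self, a: Attempt) -> str:
        if a.account in self.locked:
            return "locked"        # even the right password is refused
        if a.ok:
            self.fails[a.account] = 0
            return "allow"
        self.fails[a.account] += 1
        if self.fails[a.account] >= ACCOUNT_LOCK_THRESHOLD:
            self.locked.add(a.account)   # owner must now contact support
        return "deny"


class IpThrottle:
    """Policy B: suspend a source IP with many failures and a high fail rate."""

    def __init__(self):
        self.history = defaultdict(deque)   # ip -> deque of (t, ok)
        self.banned_until = {}

    def check(self, a: Attempt) -> str:
        if self.banned_until.get(a.ip, 0.0) > a.t:
            return "ip_banned"
        q = self.history[a.ip]
        q.append((a.t, a.ok))
        while q and q[0][0] < a.t - IP_WINDOW_SECONDS:
            q.popleft()                    # drop events outside the window
        fails = sum(1 for _, ok in q if not ok)
        if fails >= IP_MAX_FAILURES and fails / len(q) >= IP_MIN_FAIL_RATE:
            self.banned_until[a.ip] = a.t + IP_BAN_SECONDS
            return "ip_banned"
        return "allow" if a.ok else "deny"


def build_scenario():
    """Constructed attempts: a griefer sprays 10 wrong passwords at 'victim',
    the owner then logs in correctly from home, and the same attacker IP
    goes on to spray 20 other accounts."""
    griefing = [Attempt(float(i), "203.0.113.9", "victim", False) for i in range(10)]
    owner = [Attempt(20.0, "198.51.100.5", "victim", True)]
    spray = [Attempt(30.0 + i, "203.0.113.9", f"user{i}", False) for i in range(20)]
    return griefing + owner + spray


def run(policy, attempts):
    """Apply one policy to the attempt stream; returns one verdict per attempt."""
    return [policy.check(a) for a in attempts]


if __name__ == "__main__":
    attempts = build_scenario()
    for name, policy in (("account lockout", AccountLockout()),
                         ("ip throttle", IpThrottle())):
        results = run(policy, attempts)
        print(f"{name:16} owner login -> {results[10]}; "
              f"ip bans -> {results.count('ip_banned')}")
```

Under policy A the owner's correct password at attempt 11 comes back "locked"; under policy B it is allowed, and the attacking IP is cut off once its twentieth failure lands. The per-IP approach still has the gap the thread does not mention: an attacker spreading attempts across many addresses stays under any single IP's threshold, which is why a second factor remains the stronger answer.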

I'm not saying we can fix the issues of getting authenticators to the WORLD of World of Warcraft, I'm just saying most GWJers should be able to afford $6.50, or, you know, free, when it comes to the Blizzard app.

They just offered me an authenticator for free. Get your account hacked and they give you one, apparently.

Not bad, but it's still reacting to a problem that's happened rather than preventing it.

MikeMac wrote:

It's trivially easy to implement, but there's nothing to stop the hacker from trying again after you unlock the account. You'd be perpetually locked out as they kept trying and trying.

That doesn't sound profitable to farmers. They get 10 shots at a brute force attack, then have to wait hours or days for me to reset my account. It could be months before they succeed, and by then I've probably put an authenticator on my account because I've been warned they're targeting me. Plus, if Battle.net required passwords that were 10 digits long, case sensitive and included at least 1-2 additional #$%@-style characters, every WoW account would be much harder to brute force.

It could be that most attacks aren't brute force and involve phishing. Would an authenticator prevent a phishing attack?

Funkenpants wrote:

It could be that most attacks aren't brute force and involve phishing. Would an authenticator prevent a phishing attack?

I think it's likely that most attacks are phishing attacks. The only way I can think of to get around an authenticator for a phishing attack is to have a false battle.net login which also asks for an authenticator token, then immediately turn around and use those credentials to log in to the real battle.net and remove the authenticator from the account.

I'm not even sure that's possible given the timing on the authenticator tokens, and I don't think it's worth the bother to do it since so many people don't have authenticators. It's a lot easier to just harvest accounts & passwords with a fake front web page.

BadKen wrote:
Funkenpants wrote:

It could be that most attacks aren't brute force and involve phishing. Would an authenticator prevent a phishing attack?

I think it's likely that most attacks are phishing attacks. The only way I can think of to get around an authenticator for a phishing attack is to have a false battle.net login which also asks for an authenticator token, then immediately turn around and use those credentials to log in to the real battle.net and remove the authenticator from the account.

I'm not even sure that's possible given the timing on the authenticator tokens, and I don't think it's worth the bother to do it since so many people don't have authenticators. It's a lot easier to just harvest accounts & passwords with a fake front web page.

Oh, it's definitely doable, the timing would rarely be an issue, since the attack login could happen within milliseconds. That's almost certainly why removing an authenticator now takes two successive tokens, as that's a bit harder to get via a phishing attack. Not impossible, but harder. Security's always about making it harder to break, not making it impossible (which is impossible).

Plus, token keys are good for up to one minute, even if the token gives you a new key.
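Added example, not code from the thread or from Blizzard: a model of the attack the two posts above describe, a fake login page forwarding a one-time code to the real server within milliseconds, and of the "two successive tokens" rule for removing an authenticator. The token is an RFC 6238 TOTP (HMAC-SHA1, 30-second steps); the thread never states what the real authenticator uses, so that is an assumption, as are the shared secret, the clock values and the server's one-step skew window.

```python
"""Added example, not code from the thread or from Blizzard: a phishing page
relaying a one-time token in real time, and the "two successive tokens"
rule for removing an authenticator.

Token: RFC 6238 TOTP, HMAC-SHA1, 30-second steps (assumed; the thread does
not say what the real device uses). Secret, clock and skew are constructed.
"""
import hashlib
import hmac
import struct

STEP = 30                                   # assumed step size in seconds
SECRET = b"constructed-shared-secret-not-real"


def totp(secret: bytes, unix_time: float, step: int = STEP, digits: int = 6) -> str:
    """RFC 6238 code for the step containing unix_time (RFC 4226 truncation)."""
    counter = int(unix_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


class Server:
    """Accepts the current step and one either side; each step's code is
    usable once, so a spent code cannot be replayed."""

    def __init__(self, secret: bytes, skew: int = 1):
        self.secret = secret
        self.skew = skew
        self.last_counter = -1                   # highest step already consumed

    def _match(self, code: str, now: float):
        c = int(now) // STEP
        for cand in range(c - self.skew, c + self.skew + 1):
            if cand <= self.last_counter:
                continue                         # already consumed
            if hmac.compare_digest(totp(self.secret, cand * STEP), code):
                return cand
        return None

    def login(self, code: str, now: float) -> bool:
        k = self._match(code, now)
        if k is None:
            return False
        self.last_counter = k
        return True

    def remove_authenticator(self, first: str, second: str, now: float) -> bool:
        """Sensitive action: needs codes from two consecutive steps, so the
        phisher must hold the victim on the fake page across a step
        boundary instead of relaying a single code."""
        k = self._match(first, now)
        if k is None or int(now) // STEP < k + 1:
            return False                          # next step has not arrived yet
        if not hmac.compare_digest(totp(self.secret, (k + 1) * STEP), second):
            return False
        self.last_counter = k + 1
        return True


def phishing_scenario() -> dict:
    """Constructed timeline: the victim types codes into a fake login page
    and the attacker forwards them to the real server at once."""
    t0 = 56_666_667 * STEP + 0.0          # assumed clock: start of a step
    server = Server(SECRET)
    captured = totp(SECRET, t0)           # what the victim typed at t0
    relay_login = server.login(captured, t0 + 0.2)        # attacker, 200 ms later
    replay_same_code = server.login(captured, t0 + 1.0)   # same code a second time

    fresh = Server(SECRET)                # separate account state for the removal test
    remove_with_one_code = fresh.remove_authenticator(captured, captured, t0 + 0.5)
    second = totp(SECRET, t0 + STEP)      # victim re-prompted after a fake "invalid code"
    remove_with_two_codes = fresh.remove_authenticator(captured, second, t0 + STEP + 0.3)
    return {
        "relay_login": relay_login,
        "replay_same_code": replay_same_code,
        "remove_with_one_code": remove_with_one_code,
        "remove_with_two_codes": remove_with_two_codes,
    }


if __name__ == "__main__":
    for name, outcome in phishing_scenario().items():
        print(f"{name:24} {outcome}")
```

The relayed login succeeds because the code is still inside its step when the attacker uses it; the one-time rule only stops the same code being used twice. Removing the authenticator fails with a single captured code and succeeds once the victim has been kept on the fake page long enough to hand over the next step's code, which is exactly the "harder, not impossible" point made above.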

So I just got a notice from Blizzard that my account was closed for "Chat violations: Advertising or Spam".

Anyone seen me online today? (Immolat, lvl 15 Dwarf Shaman, Blackhand)

Edit: Cube was able to confirm that I'd been hacked.

I'd like to point out that since I contacted Blizzard about getting my accounts straightened out I am receiving up to 4 phishing emails a day about WoW. How many phishing emails was I receiving before then? Zero. Thanks for giving the hackers my email address, Blizzard. This has been such an amazing process.

garion333 wrote:

I'd like to point out that since I contacted Blizzard about getting my accounts straightened out I am receiving up to 4 phishing emails a day about WoW. How many phishing emails was I receiving before then? Zero. Thanks for giving the hackers my email address, Blizzard. This has been such an amazing process.

One of the IT guys in my company got hacked a few months ago. His login and password were hacked despite him using some fairly robust security software and an absurd combination of letters & characters for his login and password. He's sure he never had a key logger and insists to this day that it's a scam by Blizzard to get him to buy an authenticator!

Bear wrote:
garion333 wrote:

I'd like to point out that since I contacted Blizzard about getting my accounts straightened out I am receiving up to 4 phishing emails a day about WoW. How many phishing emails was I receiving before then? Zero. Thanks for giving the hackers my email address, Blizzard. This has been such an amazing process.

One of the IT guys in my company got hacked a few months ago. His login and password were hacked despite him using some fairly robust security software and an absurd combination of letters & characters for his login and password. He's sure he never had a key logger and insists to this day that it's a scam by Blizzard to get him to buy an authenticator!

He's wrong on the scam idea. They are sold at cost, Blizzard makes no profit off them.

Dr.Ghastly wrote:
Bear wrote:
garion333 wrote:

I'd like to point out that since I contacted Blizzard about getting my accounts straightened out I am receiving up to 4 phishing emails a day about WoW. How many phishing emails was I receiving before then? Zero. Thanks for giving the hackers my email address, Blizzard. This has been such an amazing process.

One of the IT guys in my company got hacked a few months ago. His login and password were hacked despite him using some fairly robust security software and an absurd combination of letters & characters for his login and password. He's sure he never had a key logger and insists to this day that it's a scam by Blizzard to get him to buy an authenticator!

He's wrong on the scam idea. They are sold at cost, Blizzard makes no profit off them.

It is also free on my Droid.

Yeah, and they gave me one for free too.

Just got an email saying my account was accessed/compromised. Looks legit. Is your account name still listed as your pre-battle.net merger account?

I haven't logged in since... March or so. Holding off on cataclysm, but I suppose there will be a rash of hacks going on with the release.

Strewth wrote:

Just got an email saying my account was accessed/compromised. Looks legit. Is your account name still listed as your pre-battle.net merger account?

I haven't logged in since... March or so. Holding off on cataclysm, but I suppose there will be a rash of hacks going on with the release.

I would never believe an email. Go straight to battle.net through Google and log in.