On Security
So, a while ago Blizzard came out with their Authenticators, a two-part token authentication system. Super cool. We have had a number of guildies hacked in the past, as I’m sure most of you have seen. So, Cay and I got one, as did a large proportion of our guild. And when they finally came in, we hooked them up and breathed a sigh of relief. This made hacking our accounts much less likely.
Unfortunately, it’s apparently only “less likely,” not “impossible.”
This morning, one of our holy paladins (who bought the authenticator and tied it to her account) tried to log in. She got an invalid password error a number of times, so she went through account management to reset her password. She logged in again, and the character selection screen popped up.
Did you spot the problem?
That’s right, it went straight to the character selection screen - without requesting her authentication code. When she logged her character on, she was in Stormwind, in her PvP gear, with no gold and no PvE gear.
So, the fact is that this hacker somehow managed to get the security token removed from her account. Now, this isn’t something that could be done with a keylogger - the token information is all kept in Blizzard’s system. And from what I understand, you’re not supposed to be able to remove a token from the account without at LEAST speaking personally to customer support. There is no “remove token” option in your account management page, so even if Blizz’s WEBSITE was somehow hacked to allow someone to bypass the need for a token to get into account management, the hacker still shouldn’t be able to remove the token from the account.
This raises two distinct possibilities.
The less likely of the two is that Blizzard’s account servers/authentication servers have been hacked directly. Why do I think this is less likely? Because it would mean that some hacker, somewhere, has access to EVERY World of Warcraft account in the US at least. I can’t imagine a security hole that big; at least, I can’t imagine one that wouldn’t quickly become public (the existence, if not the details, of the exploit that let it happen) as account after account got hacked.
The more likely of the two is that Blizzard’s policy on how to handle the tokens has gaps in it. Whether someone at Blizzard removed a token in response to an email request, or the hacker actually had the gonads to phone them up and somehow social-engineered his way into getting the token removed from the account, this is the most likely scenario.
Either way, it doesn’t make me all warm and fuzzy about my account’s security. I hate to say it, but I’d RATHER it be the second possibility; at least then it’s a stupid person rather than a gaping security flaw. But either way, it is inexcusable. Even if our friend was infected with every keylogger known to man, those keyloggers can’t crack the token. That has to be done by Blizzard, or someone with access to their systems.
Actually, that opens up another possibility I hadn’t thought of until now. It could be a Blizzard employee doing the hacking.
So what about it, Blizz? How did this happen? How was the system compromised? Because in this case, you can’t point to the customer. The fault ultimately lies, incontrovertibly, with you and your system. Whether it is your computer system or your customer support agents remains to be seen.
Believe me, I’ll be asking this on the official forums when I can post there.
As soon as I get home. To my security key. :/
Update 1: The player in question has spoken to a GM. They’ve started the standard retrieval process, but the GM was unable to say how, when, or why the token was removed from the account.
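The post turns on two properties an account system needs and the GM could not vouch for: a password reset must never touch the authenticator, and detaching the authenticator must be a separate, verified action that leaves a record of who did it, when, and why. The Python below is an added example that models those two rules; it is not Blizzard’s code, and the service, the policy it enforces, the account name, the fixed timestamp and the `identity_verified` flag are all assumptions made for illustration. The one-time code is computed with the standard HOTP/TOTP construction (RFC 4226 / RFC 6238), which is what most hardware and phone authenticators use.

```python
"""Added example: an account service where a password reset cannot remove the
second factor, and removing it is a privileged, audited action.
Everything here (AccountService, its policy, the sample account) is a
hypothetical model written for this post, not Blizzard's implementation."""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP. TOTP (RFC 6238) is HOTP with counter = unix_time // 30."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % 10 ** digits:0{digits}d}"


@dataclass
class Account:
    name: str
    password: str
    token_secret: Optional[bytes] = None           # None: no authenticator attached
    audit: list = field(default_factory=list)      # every security-relevant change


class AccountService:
    """Hypothetical service. `now` is a fixed clock so the example is deterministic."""

    def __init__(self, now: int):
        self.now = now

    def _log(self, acct: Account, event: str, actor: str, reason: str) -> None:
        acct.audit.append({"when": self.now, "event": event, "actor": actor, "reason": reason})

    def login(self, acct: Account, password: str, code: Optional[str] = None) -> bool:
        """Password alone is never enough once an authenticator is attached."""
        if not hmac.compare_digest(acct.password.encode(), password.encode()):
            return False
        if acct.token_secret is None:
            return True                            # no second factor on this account
        if code is None:
            return False                           # correct password, but the token is required
        step = self.now // 30
        # accept the current 30 s step and one step either side for clock drift
        return any(hmac.compare_digest(hotp(acct.token_secret, step + d), code) for d in (-1, 0, 1))

    def reset_password(self, acct: Account, new_password: str, actor: str) -> None:
        """The self-service recovery path changes the password and nothing else."""
        acct.password = new_password
        self._log(acct, "password_reset", actor, "self-service reset")

    def detach_authenticator(self, acct: Account, actor: str, reason: str, identity_verified: bool) -> None:
        """Removing the token is a separate, privileged action and always leaves a record,
        including when it is refused, so 'how, when and why' can be answered later."""
        if not identity_verified:
            self._log(acct, "detach_refused", actor, reason)
            raise PermissionError("authenticator removal requires verified identity")
        acct.token_secret = None
        self._log(acct, "authenticator_detached", actor, reason)


def scenario() -> dict:
    """Replays the sequence from the post against the model and returns what each step yields."""
    svc = AccountService(now=1_000_000)            # constructed, fixed timestamp
    acct = Account("holypally", "hunter2", token_secret=b"12345678901234567890")
    current_code = hotp(acct.token_secret, svc.now // 30)
    r = {}
    r["password_only"] = svc.login(acct, "hunter2")                      # False
    r["password_and_code"] = svc.login(acct, "hunter2", current_code)    # True
    svc.reset_password(acct, "newpass", actor="self-service")
    r["after_reset_no_code"] = svc.login(acct, "newpass")                # False: reset kept the token
    try:
        svc.detach_authenticator(acct, "support:agent", "caller asked", identity_verified=False)
        r["unverified_detach_blocked"] = False
    except PermissionError:
        r["unverified_detach_blocked"] = True
    svc.detach_authenticator(acct, "support:agent", "identity verified per policy", identity_verified=True)
    r["after_detach_no_code"] = svc.login(acct, "newpass")               # True: what the post observed
    r["detach_records"] = [e for e in acct.audit if e["event"] == "authenticator_detached"]
    return r


if __name__ == "__main__":
    for k, v in scenario().items():
        print(k, v)
```

The last two results are the point of the model: once the token is detached, the login goes straight through on the password alone, exactly as described in the post, and the only way to tell that from a break-in is the audit entry naming the actor, the time and the reason. A support process that can detach a token without writing that entry is the gap the post is worried about.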