Warcraft, security, and reality

In the time it takes you to read this everything you have worked for in Warcraft could be gone. It has happened to lots of folks. Some of them had (relatively) good experiences with it like Lassirra illistrates in her blog Here. Others have been much less fortunate as posted about by Big Bear Butt Here. Others know lots more about this topic than I do, one site in particular that comes to mind is confessions of a serial ganker.I have found his work to be well written and informative.

I am A maintenance man. I work as an electrician, mechanic, and machinery repair man. I have had years of training and experience in systems analysis and analytical troubleshooting. That being said, when I look at something that is not working well I tend to think of ways to make it work better. On the other hand I tend to err on the side of over-engineering at times.

Like an almost headache that you feel in the back of your head, this one has been bugging me for a while. I sat down with a good friend of mine we will call “Wayne”, mostly because that’s his name. The idea was to look at suggestions that would help Blizzard make our Warcraft accounts more secure. Wayne got drafted for this for three reasons. Firstly he plays warcraft so he knows the system I am talking about, secondly he has worked in IT at a security company, and thirdly he is a friend of mine so I can bribe him into helping me keep this realistic. I’m thinking pizza, possibly even with breadsticks.

If you are not familiar with the story my brother’s account getting hacked i’ll give the short version. He was logged in to his second account and watched his first account log in and start ransacking his main. He immediately tried to log into his primary account to change the password while others online put in tickets explaining what was going on to GM’s.

when trying to change his password he found it had been changed by the “bad guy” and was unable to revert the change without the new password. He was completely stripped, everything sold, and as we later found his characters deleted. While this was going on he was attempting to get with someone on the phone to stop this.

 
It took a bit over three weeks to get his account restored, however he did get his character and most of his stuff back. The communication he received was hard to come by and in many cases downright confrontational, despite the fact that he was the victim in this case Blizzard seemed to imply that he had stripped the account himself and now wanted all his stuff back after mailing the money off. That may not have been their intention, but the poor communication seemed to imply it.

 
The story overall had a happy ending, but was very frustrating while it was going on. Now I am going to break this down into several different things that went wrong, and see what could be reasonably done to keep it from happening again. These are both my thoughts on the topic and ideas I have had suggested to me by other users. I will then bounce this off of Wayne and post his response as well.

 
1. The account was compromised by a key logger. We later discovered the key logger had picked up his full log in information while he accessed the forums to post from a friends house.

   a. make separate log ins for forum use and admin/character log in (the friend had the account name saved and only typed the password, he was never completely compromised)

   b. have the forums/admin log in screens have the option to remember account name like the character log in does.

2. his password was changed by the “bad guy” to keep the rightful owner out.

   a. have password changes require a email link-back to make them final.

   b. make certain the log in name and customers email address are different.

3. There was no way to stop what was happening, even with putting in a ticket to GM the response was just too long in coming.

   a. put a “panic button” of some sort into the game for cases such as this. If we can have an instant report button for gold spam, we can have  a button on the ticket screen for this too.

   b. give GM’s authority to put a hold on the account upon suspicion or report of this happening, instead of waiting for a TOS violation. Besides last time I checked logging into someone elses account WAS a TOS violation.

4. his characters were deleted as well along with unlearning all his skills.

   a. require an email link-backfor character deletion above say level 10 as well. If It takes a link-back to transfer a toon it should take one to delete it.

5. Telephone response was not available.

   a. Blizzard runs a game that operates round the clock all year long, customer service should reflect that. they are staffed 40 hours per week, however taking maintenance into account the game is running approximately 160 hours per week. This is only 25% customer service coverage and that is unacceptable. Hell, my bank is open more hours and more days.

6. The form letter emails were difficult to come by, and worded in a way that appeared to accuse the victim of wrongdoing.

   a. If form letters are the way to go please have more than one or two letters. Perhaps one for accused EULA violators and another for folks who have been victimised.

7. The account was turned back on fairly quickly, however the character was returned naked, broke, and skill-less.

   a. Even a set of level appropriate greens, or return quest rewards from some level appropriate quests would have helped him get some use out of his account while waiting for resolution.

 
note: when the resolution went through several weeks later he did get his skills and most of his gear back.

 
I sent the first half of the post over to Wayne at this point and received this reply in return.

 
Since I was formally part of the IT end of things, as a simple user I still tend to see both sides of the coin and play devil’s advocate with all issues.  First, I do understand Blizzards reason for not returning items.  On their end, there is no way of telling the difference between someone looting their own character, or someone being hacked.  It looks the same as far as a computer or database is concerned.  However, what would be nice is if they kept some sort of log of all transactions over 100, 500, or maybe 1000 gold.  That way they can see which character got the money sent to them, and then see who owns that account to catch either the bad guys or their accomplices.  They must have some sort of log of the character post deletion though if they were able to rebuild him.  So you would think that they could have restored the skills and rep too.  Why keep a record of one thing but not the other? Programmers…

 

I know it’s terribly annoying, but frequently changing passwords and/or having different passwords for all your different accounts is necessary in today’s world.  Most people don’t want to be bothered with it though, and hackers depend on this to get you. Key loggers are a real bitch too.  The logistics of an in game panic button to instantly/temporarily freeze an account could be just as devastating in a different way.  Now you have hackers randomly going into peoples’ accounts and freezing them just to be a prick while the real person is actually playing.  Can you imagine being in the middle of a huge raid and about to defeat the boss when suddenly you get booted and your account locked.  By the time you clear everything up, your team is all dead and you have to start over.

 

As for form letter responses, those are more and more common throughout tech support in all fields these days.  Operators are needlessly tied up answering the same silly questions over and over and this is a way to answer some of the simpler ones.  Operators are free to handle more complicated issues, and you save money by not needing as many operators because you have handled half your load through automation.  Most of the time the email isn’t even sent or seen by a real person, but by a computer without human intervention.  The computer scans the service request for key words and then sends the form letter that best matches what those words are usually about.  I’ve gotten standard responses at times that had absolutely nothing to do with my problem, but it picked up on the wrong keyword.  A real person doesn’t get involved till much later typically.  I would love to see 24/7 live support, that would be awesome!  Heck, I would like to see my in game tickets answered within 5 hours.  I consider blizzard moderators like the government.  The government wants you to believe that they are capable of so much stuff so that you don’t do anything wrong out of fear of being caught.  Blizzard is the same way, “don’t do that, the moderators are watching”.  Sometimes I think they are just as real as the vendor I get my items repaired at.  Don’t believe me, like a moderator scanning the system couldn’t tell that a level 1 character in orgrimar with the name of asdfghjklis isn’t up to no good…  

 

Email verification of all these items sounds simple, but that’s going to be a load on the servers, and slow down when people are actually really trying to do something.  Humans, more specifically Americans are inpatient, they aren’t going to want to wait and have to confirm in an email every time they want to do something.  They want it quick and easy.  Security is only considered “after” you have had a problem.

 

As with everything in life, it’s all about finding the delicate compromise and balance between security and ease of use.  Plus, there is a triangle in business between price, speed, and reliability.  As the sang goes, you can have any two but not all three.  We can have WoW be fast and stable but it will cost a bloody fortune, or we can have it be fast and cheep but crash all the time. 

 

After looking at it from the position of someone who actually has some experience on the other side of the tech support and IT security issue I have narrowed down my wish list just a little bit.

 
1. I still think having separate log ins for the admin and the game/forum sides of things would increase security quite a bit. It would also improve the parental controls aspect of the game as the parent could have the administrative password and the child could be only given the character log in password.

 
2. I do now realise that an email link back would not be a good idea for everything, however I would still like it to be in place, if only for password changes.

 
3. I still believe that telephone tech support should be staffed to some degree 24/7. At very least a small staff that could handle the issues where time truly is of the essence.

 

To sum it all up I think these few things would go a long way towards providing better security in a way that is at least somewhat realistic. In the end however any security tools that Blizzard can provide will only ever be as secure as the person using them. Do your homework, read up on how to keep the bad guys away, come up with a security plan and stick with it. If its worth spending an hour poking around the net to figure out which armor kit would work better on your legs, it’s worth an hour to help those legs still be there when you come back online.

At least that is my two cents on the matter. (void where prohibited, some assembly required, your milage may vary)