

Blizzard continues to innovate on the security front - blasdel
http://rc3.org/2010/11/10/blizzard-continues-to-innovate-on-the-security-front/

======
calloc
As someone who has bank accounts in Europe (I am a foreign national working in
the US) I can tell you that bank security in The Netherlands is standard
two-factor authentication.

My "chip and pin" card contains the standard mag stripe along with an embedded
microchip that can be used with chip transactions. Along with that I got an
"e-Identifier", which is a stand-alone device.

When I go to log into my bank I type in my account number (listed on my card),
the card number (listed on the card) and then click next. On the screen will
be a series of numbers that I then have to type into my eIdentifier.

So I slide my card into my eIdentifier and type in my PIN (what I have + what
I know) and then type in the number presented to me; it then spits out another
random number, which I fill in on the web form that the website provided to
me. At that point I am logged into my bank's website and I can look at my
transaction history, and everything along those lines.

If at some point during that time I want to transfer money or do anything else
that affects any part of my account I once again have to enter my PIN and go
through the same steps as before to log in on my eIdentifier.

This provides security for me. I never type a password into any part of the
website, the codes are one-time use only, and even if someone were to come to
an open session and attempt to use it to transfer money in or out of the
account they would be required to have my card, PIN, and an eIdentifier.

I'm a big fan of systems like that; they provide me with much more security
than anything else, including the "I wish it were two-factor authentication"
that American banks provide (look at this picture, now provide us a password).

What Blizzard is doing is considered standard security practice in Europe and
other countries where banks are more stringently controlled and regulated and
fraud is not taken lightly, and the only real new "innovation", if one may
even call it that, is that an online computer game is using this mechanism.
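The flow described in this post (server shows a number, the reader needs the card plus the PIN to turn it into a response, each code works once) is a challenge-response scheme. The following is an added illustration in Python, not code from the post or from any bank: it models the reader and the bank side with an HMAC over a random challenge. The card secret, the PIN, the 8-digit code length, the two-minute challenge lifetime and the use of HMAC-SHA256 are all constructed assumptions for the example; the real e-Identifier's internals are not on the page.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# Constructed sample values: the card secret lives only on the chip and at the
# bank; the PIN is checked inside the reader and never reaches the website.
CARD_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a6978")
CARD_PIN = "4821"


def response_code(secret: bytes, challenge: str) -> str:
    """Turn (secret, challenge) into an 8-digit code a person can type by hand."""
    mac = hmac.new(secret, challenge.encode("ascii"), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation, HOTP-style
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10**8:08d}"


class Reader:
    """Stand-alone reader: computes nothing without the card (have) and PIN (know)."""

    def __init__(self, card_secret: bytes, card_pin: str) -> None:
        self._secret = card_secret
        self._pin = card_pin

    def respond(self, pin: str, challenge: str) -> str:
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            raise ValueError("wrong PIN")         # nothing leaves the device
        return response_code(self._secret, challenge)


class BankServer:
    """Issues random challenges and accepts each matching response exactly once."""

    def __init__(self, card_secret: bytes, challenge_ttl: int = 120) -> None:
        self._secret = card_secret
        self._ttl = challenge_ttl
        self._pending: Dict[str, float] = {}      # challenge -> time issued

    def issue_challenge(self, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        challenge = f"{secrets.randbelow(10**8):08d}"
        self._pending[challenge] = now
        return challenge

    def verify(self, challenge: str, response: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        issued = self._pending.pop(challenge, None)   # pop: answered at most once
        if issued is None or now - issued > self._ttl:
            return False                               # unknown, replayed or stale
        return hmac.compare_digest(response_code(self._secret, challenge), response)


def login_flow() -> dict:
    """Walk through the post's flow and report what the bank side decided."""
    bank = BankServer(CARD_SECRET)
    reader = Reader(CARD_SECRET, CARD_PIN)
    challenge = bank.issue_challenge()
    code = reader.respond(CARD_PIN, challenge)     # card + PIN + challenge -> code
    first = bank.verify(challenge, code)           # True: fresh challenge, right code
    replay = bank.verify(challenge, code)          # False: that code is spent
    transfer_ch = bank.issue_challenge()           # a transfer needs a new round
    stale_code = bank.verify(transfer_ch, code)    # False: old code, new challenge
    try:
        reader.respond("0000", transfer_ch)
        pin_rejected = False
    except ValueError:
        pin_rejected = True                        # reader refuses without the PIN
    return {"first": first, "replay": replay,
            "stale_code": stale_code, "pin_rejected": pin_rejected}


if __name__ == "__main__":
    print(login_flow())
```

The two properties the post relies on fall out of the server logic: a challenge is removed from the pending table the moment it is answered, so a captured code is useless to anyone who sees it afterwards, and the code depends on a challenge the server chose, so a keylogger cannot precompute one for the next transfer.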

------
henrikschroder
"that explains why Blizzard finds it more worthwhile to implement robust
authentication solutions when so many businesses that are susceptible to
financial fraud do not."

It's quite simple: a WoW player that gets hacked and loses his items will most
probably quit if he doesn't get his items back. Getting items back means you
need to talk to a Game Master, who must determine if you actually got hacked
or if you're trying to scam the game by giving all your stuff to a friend, and
then claiming you got hacked.

Having Game Masters employed costs a lot of money, and I guess the cheaper
option is simply to improve account security rather than hiring hordes of GMs.

As for banks and similar, committing fraud is an actual crime that results in
jail time if you get caught, which is a pretty huge disincentive in itself.
Added to that, real money transactions are much more traceable so it's
possible to find out where the money went and who benefited.

Finally, a WoW account costs $15 a month for everyone; I guess the average
value per customer is much higher for WoW players than bank customers?

~~~
patio11
_I guess the average value per customer is much higher for wow players than
bank customers?_

No. Cost of customer acquisition for a _single credit card_ is roughly the
same as WoW lifetime value (both in the vicinity of $250).

Lifetime value for a middle class bank customer depends on their product mix.
On the low end, low three figures per year for a checking account which
generates few fees. On the high end, well, suffice it to say middle class
families are _very lucrative indeed_. (If you run $20k through your credit
card a year, with an average balance in the $2k region, and you have a home
loan and car loan, and... run some numbers for what your parents probably pay
every year for banking services.)

~~~
weego
"Bwahaahahaa. No."

Enriching a conversation with your knowledge would be enough, feeling the need
to belittle as well could happily be left on slashdot.

~~~
patio11
My apologies, that was out of line.

------
corin_
I can't speak for all banks, but I'm with Barclays in the UK, and their system
makes keyloggers a non-issue in a similar way. I can log in to "basic online
banking" using a few things from memory (surname, online ID number, debit card
number, date of birth and password all required), but to actually do anything
(like send money to another account) I need to authenticate using a chip+PIN
machine that they sent me free of charge. I insert my debit card, enter my
PIN, then it gives me an 8-digit number that's time-sensitive. Frankly, this
annoys me: why can't the reader connect via USB to save me typing in that
number?

And I know at least one American bank has the same thing (possibly Bank of
America?), as a friend of mine was the guy who pretty much created all of it.

~~~
mfukar
At least two banks here in Greece use a similar system (it's essentially a
two-factor authentication variant).

Connecting it via USB would defeat the whole purpose of this second trusted
information channel, between the OTP device and the bank's customer.

~~~
StavrosK
I think they all do, nowadays. The only reason I don't need a keyfob for my
Alpha account is that when I opened it, 9 years ago, they didn't have keyfobs.
Their password policy was retarded, though, it wouldn't accept a $ in the
password. Of course, you can't do anything without the keyfob now other than
view the balance and pay some bills, so it's okay.

~~~
mfukar
I'm pretty sure Alpha still doesn't permit non-alphanumeric characters in
passwords.

Go figure.

~~~
StavrosK
How people get paid to design systems like that, I'll never know.

------
illumin8
The black-market value of a WoW account is actually higher than a working
credit card number, somewhere around $10, last I heard.

I still believe it is appalling that banks don't even do the bare minimum to
protect accounts. My retirement account with all of my 401k money in it is
only protected by a 6-digit NUMERIC PIN. This is ridiculous.

~~~
daeken
This is due, at least in part, to the fact that it's considerably easier to
track down card thieves, whereas Blizzard is largely focused just on getting
the accounts back in working order for their customers (and, as mentioned in
this article, preventing them from being stolen in the first place).

------
kevingadd
If I had to guess here, I'd wager that the people in banks and similar
financial services organizations responsible for making the decisions are very
insulated from the effects of fraud compared to the equivalent people at
Blizzard.

Every time an account gets stolen, it's pretty likely Blizzard is going to
hear about it, either through a GM complaint or a call to customer service or
a chargeback, and all of those impact their bottom line (one way or another).
Stolen accounts are typically used for further fraud, either for real-money
transactions or for spamming other players, so it has a ripple effect on the
rest of the customer base. As a result it has to be hard for _all_ the
decision-makers at Blizzard to look at customer complaints about stolen
accounts and think 'well, that's not my problem', even if they'd rather be
working on other things. The impact is also more 'real' because Blizzard
employees are going to feel it when they play the game themselves, either
through hearing about a friend losing an account or seeing spam in local chat.

On the other hand, if you're working as a mid-level manager at a bank and you
don't have any control over fraud controls or the technology used to build
your online banking software, I have to imagine it's pretty easy to think 'not
my problem' when faced with customer complaints about fraud.

My experience at a different MMO developer was that while we internally had
very stringent security practices and did a lot of work to help customers who
lost their accounts, our parent company/publisher wasn't nearly as serious
about security, and it seemed like the same effect was at work there.

------
bconway
This could be considered innovative, if they hadn't done it wrong. Problem: it
can't be used in conjunction with fob- or phone-based authenticators. It's a
step _backwards_. Now, rather than using two-factor authentication every time
you log in, users using this method will _only_ be verified when Blizzard
deems it suspicious. Account being stolen from an IP in China? Blocked.
Account being stolen from an IP in Canada? Have a nice day!

------
randm_prgrmr
Can anyone briefly explain to me how a Blizzard authenticator works? I'd like
to implement something like that for fun, but apparently my google-fu is weak.
A link would also be good.

[If anyone cares, I bought some model rocket motors and a TI Launchpad, I have
a modem and a landline... Dialing in a launch and requiring the use of an
authenticator to do so sounds like great fun. My own pretend nukes.]

~~~
nlo
<http://bnetauth.freeportal.us/specification.html>

<http://seclists.org/bugtraq/2010/Sep/160>
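For the question above, the linked specification describes a time-based one-time-password token. The block below is an added illustration in Python, not code from either link or from Blizzard: it implements the standard RFC 4226 HOTP / RFC 6238 TOTP construction, which is what such tokens are built on. The 8-digit code length, 30-second step and HMAC-SHA1 are assumed parameters to be checked against the linked spec; the secret is the RFCs' published test key so the outputs can be compared with the RFCs' own test vectors (counter 0 gives 755224 at six digits, time 59 gives 94287082 at eight). The verifier also shows the two server-side details a hobby implementation usually forgets: tolerating one step of clock drift and refusing to accept the same time step twice.

```python
import hashlib
import hmac
import struct
from typing import Set

# Reference secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890"), used so
# the codes can be checked against the published vectors. A real token's secret is
# generated randomly at enrolment and shared only with the server.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 8) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10**digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 8) -> str:
    """RFC 6238: the counter is the number of `step`-second intervals since the epoch."""
    return hotp(secret, int(unix_time) // step, digits)


class TotpVerifier:
    """Server side: accept the current step and its neighbours, never the same step twice."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 8, window: int = 1):
        self._secret = secret
        self._step = step
        self._digits = digits
        self._window = window          # steps of drift tolerated on either side
        self._used: Set[int] = set()   # time steps whose code has already been accepted

    def verify(self, code: str, unix_time: int) -> bool:
        if len(code) != self._digits or not code.isdigit():
            return False
        counter = int(unix_time) // self._step
        for c in range(counter - self._window, counter + self._window + 1):
            if hmac.compare_digest(hotp(self._secret, c, self._digits), code):
                if c in self._used:
                    return False       # replay of a code that was already used
                self._used.add(c)
                return True
        return False


if __name__ == "__main__":
    import time
    now = int(time.time())
    code = totp(RFC_TEST_SECRET, now)
    print("current code:", code)
    v = TotpVerifier(RFC_TEST_SECRET)
    print("first use accepted:", v.verify(code, now))
    print("replay accepted:", v.verify(code, now))
```

Because the code depends only on the shared secret and the clock, the token needs no channel back to the server, which is why a stand-alone keyfob works; the trade-off is that the server must keep its own clock reasonably in sync and must remember which steps it has already honoured.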

------
kahawe
The other day I logged into my WoW account at an unusual hour from an IP in an
EU country I usually always logged in from and was greeted with my account
being locked down for suspicious activities.

As far as banks are concerned, some are offering TANs via mobile phone text
messages, which I think is pretty awesome.

