Posted by Stropp on May 4, 2011
I doubt anyone has missed the big news this week.
Okay. It hasn’t exactly been a slow news week. First of all there was the Hereditary Head of State (Tipa corrected me on Dictator) Wedding on Friday night. That one was inescapable unless you unplugged completely, or found a rare TV station that wasn’t pandering… (Hooray for Bill & Ted’s Bogus Journey!)
Then the US government finally won its game of Where’s Wally and proved that you cannot hide forever when billions, dare I say trillions, of dollars are spent finding you.
But the big news that relates specifically to our little neck of the woods are the massive problems that Sony, and now SOE, are having keeping their customer data secure.
If you are one of the very few (a number somewhere around the size of Planck’s constant) people in the gaming community who haven’t heard what’s happening, the story is that a couple of weeks ago Sony was hacked. The hackers gained access to an outdated database of PlayStation Network customer data with something like 77 million accounts. That’s bad enough, but in the last couple of days it has been revealed that somewhere north of 20 million non-US SOE accounts were compromised in addition.
When the initial breach was discovered, Sony shut down the PSN, but still took several days to inform the public. I’m not a PS owner, but I think the PSN is still down. To make matters worse, all SOE games and websites are now offline as a result of the SOE data revelations.
Mission Critical Systems Must Be Secure
First of all, let me say this: Not for one minute is any of this Sony’s fault. It’s the hackers’ fault; whether they are a script kiddie or an organised crime group, these criminals should bear all responsibility. To blame Sony/SOE as some are doing is akin to blaming a rape victim for dressing provocatively; it’s something that’s just not right.
Having said that, I have to wonder what Sony was thinking, keeping a database of outdated data on an accessible network.
Once the data had been upgraded to be more secure (that is what seems to have happened, as the old data was stored in an insecure format), the old database should have been archived and stored offline. It’s crazy to fix a security problem and then leave the old system still accessible, even if you think it is on a secure network.
Unfortunately, this simple oversight has not only cost the company millions in lost revenue, it has hurt their reputation even more, especially since they dropped the ball when it came to informing their customers when the breach first occurred. SOE doesn’t exactly have a stellar reputation, although that has more to do with player perception of how their games are treated by the company, but this will hurt player confidence in how their precious personal data is treated.
How many potential customers will think twice about entering credit card details now?
Who Else Is Insecure?
All this makes me wonder how secure other providers of these games are.
After all, the bulk of the budget in developing an MMORPG goes into the game itself. While the websites, forums, and ecommerce systems are important to the ongoing operation of these games, I wonder how much effort actually goes into their development. After all, it’s pretty easy to develop a website. Forum and support software is available as both open source and commercial packages, as is ecommerce software. So it’s pretty likely that many of these systems are simply dropped in and modified to suit the business requirements.
How secure are these systems, really?
The Silver Lining
My guess is that this event has scared a lot of people throughout the MMORPG and gaming industry, and that a lot of additional resources have been devoted over the last few days to check out exactly how secure the ecommerce databases really are.
This can only mean that for us, the player customers, our personal data will be more secure than ever.
And if it isn’t after this, then perhaps the MMORPG companies can be blamed.
Posted by Stropp on March 19, 2011
I guess it’s a sign of how well Rift is doing, but apparently there are a lot of players reporting account hacks.
The Ancient Gaming Noob, Wilhelm, puts a big chunk of the blame on Rift limiting passwords to 16 characters. I’m not so sure that it is such an issue, seeing as most players won’t be using passwords that long anyway. Most likely, a lot of players are using a simple, easy to remember password that is susceptible to dictionary attacks. However, even 16 character passwords are susceptible to rainbow table attacks.
Still, using all 16 characters with a combo of uppercase, lowercase, numeric, and punctuation characters will put you at the head of the curve, or as Wilhelm puts it, above the low hanging fruit.
My opinion, as always, is that the plague of account hacking by gold sellers is the result of in-game currency being such an integral part of character progress.
There will always be players looking for the easy way out by buying gold.
There are two things that developers can do to minimize this plague.
- Stop requiring gold for character progress, or at least minimize the need for it. At most, gold should only be used for trade between players, and all trade should be face to face.
- Flag and permaban players who buy gold.
Point 1 is self explanatory; however, gold sellers will always try to get around it. Point 2: permanently banning players will put a hole in the gold market faster than you can say “Rift Gold.” After a few players are caned for buying gold, the news will get around that it’s not only gold seller accounts that get banned, and any player not wanting to lose their account will be too scared to buy gold.
And it’s easy to do, too. Every gold transaction is logged anyway, and if it isn’t, it should be. The devs know the source and destination of the gold. If the gold comes from a seller, and it’s easy to tell who is selling gold, the buyer can be flagged for further review. If it turns out they’ve bought gold: Wham! Gone! Hooray.
As I said, once word gets around, the gold sellers are out of business.
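The flagging described above, as an added example that is not code from the original post: likely seller accounts are picked out by their outbound trade pattern, and everyone who received gold from them is queued for a human to review. The log format, account names and thresholds are constructed assumptions.

```javascript
// Added example, not code from the original post: a first-pass review filter
// over a constructed trade log. It picks out likely seller accounts from their
// outbound pattern and flags whoever received gold from them for human review.
// The log format and thresholds are made-up assumptions.
const TRADE_LOG = [
  "2011-03-18T20:01:05Z TRADE from=GoldKing to=Bob amount=5000",
  "2011-03-18T20:03:41Z TRADE from=GoldKing to=Carol amount=6000",
  "2011-03-18T20:09:12Z TRADE from=GoldKing to=Dave amount=4500",
  "2011-03-18T20:15:58Z TRADE from=GoldKing to=Erin amount=7000",
  "2011-03-18T21:00:00Z TRADE from=Alice to=Bob amount=200",
  "2011-03-18T22:30:00Z TRADE from=Frank to=Gina amount=15000",
];
function parseTrades(lines) {
  const re = /^(\S+) TRADE from=(\S+) to=(\S+) amount=(\d+)$/;
  return lines.flatMap(line => {
    const m = line.match(re); // malformed lines are skipped, not fatal
    return m ? [{ ts: m[1], from: m[2], to: m[3], amount: Number(m[4]) }] : [];
  });
}
// Per-account totals: gold sent, distinct recipients, gold received.
function accountStats(trades) {
  const stats = new Map();
  const get = n => stats.get(n) || stats.set(n, { sent: 0, received: 0, recipients: new Set() }).get(n);
  for (const t of trades) {
    const s = get(t.from); s.sent += t.amount; s.recipients.add(t.to);
    get(t.to).received += t.amount;
  }
  return stats;
}
// Seller heuristic: lots of gold out to many different accounts, little coming
// back. Frank's single big transfer to Gina does not match and is left alone.
function likelySellers(stats, minRecipients = 3, minSent = 10000) {
  return [...stats]
    .filter(([, s]) => s.recipients.size >= minRecipients && s.sent >= minSent && s.received < s.sent / 10)
    .map(([name]) => name);
}
// Buyers are flagged with the evidence, not banned: that decision is a human's.
function flagBuyers(trades, sellers) {
  const flagged = new Map(); // buyer -> list of seller trades received
  for (const t of trades) {
    if (!sellers.includes(t.from)) continue;
    (flagged.get(t.to) || flagged.set(t.to, []).get(t.to)).push({ from: t.from, amount: t.amount, ts: t.ts });
  }
  return flagged;
}
const TRADES = parseTrades(TRADE_LOG);
const SELLERS = likelySellers(accountStats(TRADES));
console.log(SELLERS, flagBuyers(TRADES, SELLERS));
```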
Posted by Stropp on December 20, 2010
I just wanted to do a little public service announcement.
I’ve been seeing a huge rise in the amount of email phishing for my World of Warcraft account lately. I figure it is because of the renewed interest in the game because of Cataclysm. With thousands, dare I say millions, of new players and many old players resubscribing it must be like phish in a barrel season for the email scammers.
The scary thing is that a lot of these emails are getting very sophisticated and seem to be the real thing. They tell you someone has accessed your account (plausible), and use link anchor text to disguise the real destination of the link so that it looks like Blizzard is sending the email. Hover over the link, however, and you’ll see the real destination in the status bar. This is usually some long combination of words like blizzard-account-security-something-something.net (or the like) that will take you to a website that will install a keylogger on your system to steal your password.
As always there are a few things you can do.
- Never click on links in an email. This is the biggie and most important tip. Not doing this will prevent most security breaches. If you’re a World of Warcraft subscriber you already know the address, just type it in to the address bar on your browser.
- Get the authenticator. That adds another layer of security to the login process, and it’s a layer that cannot be intercepted by a keylogger for any useful purpose.
- Use a secure browser. That means, DO NOT use Internet Explorer. At least don’t use any version up to and including version 8. I’ve heard version 9 is a complete revamp and addresses security better, so it may be okay. I use Firefox mostly, but am moving more and more towards Google’s Chrome browser as it has some decent site malware detection built in. I’ve been warned off a few sites by Chrome now. Very good.
- Never give your password to anyone. That way no one can pass it on to anyone else. I’ve heard a few stories where a guy gives his little brother access to WoW and a few days later finds the account cleared out after little brother gave the password to a guildie. It’s in Blizzard’s terms of service too.
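An added example, not code from the original post, of the check a mail filter could make for the anchor-text disguise described above (and in the August 2010 reminder further down): it compares the domain the link text shows with the domain the href actually goes to, and flags lookalike domains that borrow the brand name. The trusted-domain list, the sample mail and the two-label domain shortcut are constructed assumptions.

```javascript
// Added example, not code from the original post: flag e-mail links whose visible
// anchor text names one site while the href goes elsewhere. Assumes Node.js (global URL).
// Registrable domain approximated as the last two labels ("us.battle.net" ->
// "battle.net"); a constructed shortcut, not a public-suffix lookup.
function baseDomain(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}
// Pull (href, visible text) pairs out of an HTML body with a regex; a mail
// client would walk its DOM instead, but the check is the same.
function extractLinks(html) {
  const re = /<a\s[^>]*href\s*=\s*["']([^"']+)["'][^>]*>([\s\S]*?)<\/a>/gi;
  const links = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    links.push({ href: m[1], text: m[2].replace(/<[^>]+>/g, "").trim() });
  }
  return links;
}
// Reason string if the link is suspicious, else null. trustedDomains is the
// sender's real registrable domains (a constructed list for the demo).
function classifyLink(link, trustedDomains) {
  let host;
  try { host = new URL(link.href).hostname; } catch { return "unparseable href"; }
  const dest = baseDomain(host);
  // Case 1: the anchor text itself looks like a URL/domain that disagrees with the href.
  const shown = link.text.match(/^(?:https?:\/\/)?([a-z0-9.-]+\.[a-z]{2,})/i);
  if (shown && baseDomain(shown[1]) !== dest) {
    return `text shows ${baseDomain(shown[1])} but href goes to ${dest}`;
  }
  // Case 2: a brand name used as a label of an untrusted domain (blizzard-account-security-x.net).
  const brands = trustedDomains.map(d => d.split(".")[0]);
  if (!trustedDomains.includes(dest) && brands.some(b => host.includes(b))) {
    return `lookalike domain ${dest} not in trusted list`;
  }
  return null;
}
function findSuspiciousLinks(html, trustedDomains) {
  return extractLinks(html)
    .map(l => ({ ...l, reason: classifyLink(l, trustedDomains) }))
    .filter(l => l.reason !== null);
}
// Constructed sample modelled on the phishing mail the post describes.
const TRUSTED = ["battle.net", "blizzard.com", "worldofwarcraft.com"];
const SAMPLE_EMAIL = `<p>Someone has accessed your account. Verify it at
<a href="http://blizzard-account-security-verify.example.net/login">https://us.battle.net/account</a>
or read the <a href="https://us.battle.net/support">support FAQ</a>.</p>`;
console.log(findSuspiciousLinks(SAMPLE_EMAIL, TRUSTED));
```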
Just a final note.
The funny thing about this latest influx of phishing emails is the email address to which they are directed. For a long, long time it was easy to discount an email because it was directed at my Stropp’s World email address, and that is not the address I use for the account. The username I used to use for my WoW account was odd too and wasn’t guessable from any ingame characters. But since Blizzard has forced all WoW subscribers to use Battle.net, and the username for that is my email address, I’ve been getting phishing emails to that account.
Anyway, just follow the tips and you should be okay.
Posted by Stropp on October 8, 2010
World of Warcraft, according to some articles popping up around the web, has just hit 12 million subscribers.
This is after sitting on 11.5 million subs for quite a while. It seems that the announcement of the Cataclysm expansion release date has spurred some players into reactivating old accounts in order to get started. That’s to be expected.
Still, I’m wondering what Cataclysm is going to do to WoW’s subscriber count. That 11.5 million isn’t the same 11.5 million players that have been playing all along. There’s a lot of attrition in an MMORPG. And since Cataclysm is promising a radical change to the original zones, it’s entirely possible a very large number of former players will resubscribe.
Could we see World of Warcraft hit 20+ million subscribers in the months after Cataclysm’s release?
In related news, I received an email from Blizzard late last night (early this morning). It appears someone tried to log into my WoW account from a different IP and Blizzard locked the account. It’s kind of an interesting situation because I unsubscribed some time ago and haven’t been near it since then. It’s definitely odd, since I’m wondering how anyone could get my account/login details if I haven’t actually logged into my account for months.
Anyhow, I logged in to the BattleNet account to verify the situation and changed the password.
Though I’m yet to decide if I want to go to the trouble of getting the account unlocked, as I’m highly unlikely to be one of those returning subscribers I mentioned above. Cataclysm doesn’t hold any appeal for me, and with my limited time I’d rather play other games.
I think I’m done with WoW.
Posted by Stropp on August 31, 2010
It’s time for a little reminder.
What has prompted me to write this is that over the last week I have received a few emails telling me that someone has reset my Battlenet account, and these folks have kindly provided a link for me to click on and get more information.
Of course, if I do click on a link like this, there’s little doubt my computer will quickly be infected by some sort of keylogger waiting to collect my account information and send it off to the scheming piece of sh*t that devised this fraud.
The big problem with these emails is that they look kosher. I had to look fairly carefully at it to see the flaws, as the return and link addresses looked quite plausible. But as they say, the devil is in the details, and there were some telltale signs.
The problem most people face is that the signs often shift around a bit. Often the emails will become more sophisticated as more is learned.
So here’s what you do… actually what you don’t do.
- Don’t click on a link in an email. Always manually enter the address of the support site into your browser’s address bar, even if you know that the email is legit. Even though you miss out on the automation, it’s just a good habit. Links are wonderful things, designed to help the lazy; unfortunately, they’ve been exploited.
- Don’t use Internet Explorer, or have it set as your default click-and-go browser; I recommend Chrome. It still has low adoption, meaning that exploits probably aren’t around for it yet, and it has a nice feature of detecting malicious sites. Firefox is getting more common now, and that alone makes it a hackers’ target.
BTW, the same applies to other accounts, especially your financial ones. If you receive an email from PayPal or your bank, for the sake of your bank account and your sanity (it can be a nightmare to get your money back and repair your financial details), enter the details manually using a secure browser.
So if you do get an email from Blizzard, please check it before clicking the link, and then type it in manually anyway.