So the Real Money Auction House went live today for Diablo III. They appear to think of it as a cause for celebration. Hey, we’ve been waiting for this since launch, right? Now we can buy and sell rare artifacts with both in-game gold, and real money! You’ll have to forgive me if I’m not particularly excited. See, I’d rather Blizzard fixed their security before offering hackers and gold farmers even greater incentive for account theft. Basically, they need to get their damned act together.
But hey, they’re forcing people to use authenticators if they deal with real money. That’s improved security, right? You’ll have to forgive me if I find myself a bit incredulous. Now, before we begin, I’ll admit, this post is a bit more rant-ish than my usual fare, and probably not quite as coherent as what you’re used to reading here, and for that, I apologize.
I’m going to tell you folks a story about a friend of mine…we’ll call him Trevor. He and his boyfriend bought themselves Diablo III. The two of them would often play together. To my knowledge, they avoided public servers entirely- it was only ever the two of them.
Neither ever purchased any hacked items, and Trevor had a reasonably strong password. He regularly scanned his computer for spyware, adware, and malware. The other day, Trevor logs into his account to find out that all of his gold was gone- liquidated down to the last piece. I was there when it happened. He signed on, and a look of disbelief crept into his features. “I’ve been hacked,” he said, staring in dumb shock at the screen. To their credit, they restored his account fairly quickly, and a few days later, he’d gotten back everything he’d lost.
He got off easy.
My roommate signed on to talk to a buddy in-game a few days ago, and raised an eyebrow when his 60th level Witch Doctor popped up on screen- completely and utterly naked. All the gold in his account, all the items in his stash, everything down to his potions were simply gone. Now, let me tell you something about my roommate- he’s not computer illiterate. He’s looking to become a certified computer technician, and he built his PC from the ground up. He doesn’t browse hazardous websites, he keeps his PC clean, and he definitely didn’t fall for any hacks or phishing scams. The only thing he didn’t have was a mobile authenticator.
Not that it’d help, anyway– the fact that so many users are finding their accounts cleaned out even after either downloading the free authenticator or shelling out cash for one (more on that later) underscores the fact that, whatever Blizzard’s doing to keep their players safe is woefully, undeniably inadequate. These compromised accounts are not isolated incidents.
The compromises are too widespread to be the fault of the customer– perhaps the blame lies with Blizzard and their poorly-conceptualized, sloppily implemented always-on DRM? The fact that a user has to always be connected, always sending data to Blizzard’s servers even while they’re playing single player, is the crux of the issue- it’s honestly, as Paul Tassi of Forbes writes, what makes this whole fiasco possible. There’s also one fine detail that pretty much drives home the point that this is server-side, and not user-side.
As Paul Tassi points out, not all of the characters on his hacked account were stripped of their items. His password was not changed, nor was anything else about the account. For all intents and purposes, it was as though the character had become sentient, stripped down, gone on a drunken bender, and spent all their gold on ale and wenches. It wasn’t even his best character- it was an alt.
So, what’s Blizzard doing at the moment, aside from restoring violated accounts? Are they owning up to the fact that their security isn’t up to snuff? Are they looking into improving the encryption on the data sent between servers? Are they admitting that maybe, just maybe, this problem’s too big to be the result of user error?
Nope. Click that link, and scroll down. The blue post on the matter is almost laughably delusional, first implying that most of the compromised accounts were compromised because they bought gold, then stating that the people who’ve been hacked through the authenticator don’t exist- they’re just people hired by foreign businesses to spread false rumors.
Uh huh. What’s more believable? That we’ve got organizations of cyber criminals who are being paid to tell everybody they got hacked through Blizzard’s mobile authentication service, or that there’s actually a problem that Blizzard simply can’t be arsed to fix?
We’re not even going to get into all the game masters who have been flippant, dismissive, condescending, or outright rude to people reporting compromised accounts. Some of them don’t even seem to think there’s a problem. It’s as though they assume everyone who’s gotten their account hacked is a knuckle-dragging simian who came up with their password by picking a random piece of furniture and typing it into the box.
Half Baked Authentication
See, Blizzard’s authentication service is well and good, if you’ve the ability to actually access it. Not everybody does. See, the trouble is, you need either Android or iOS on your smartphone to make use of the authentication service. If you don’t have the equipment, you’ve got to shell out $6.50.
Not a particularly high price…but if you ask me, it’s five bucks too much. If Blizzard is truly serious about protecting their users’ account information, they need to look into what’s causing the compromises in the first place. They need to double-check to see if their authentication service is actually securing user accounts, or just providing another thin layer for hackers to crack through. And finally, they need to provide the service for free- and not just to anyone who happens to own an iPhone or Droid.
What Can Blizzard Do?
From where I’m standing, it definitely feels like there’s a storm coming. The fact that people will be linking real funds and finances to their accounts, that they’ll be able to buy and sell items through a legitimate channel, doesn’t sit well with me in light of these security concerns- it seems like it just provides extra incentive to break through Blizzard’s security. The worst part about all this is that there’s such a simple solution. I’m not the only one who’s suggested this- not by far- but why not simply implement a protocol in the game that temporarily locks someone out of their account if they start trading all of their equipment- including what their character’s wearing- and gold en masse?
Why don’t they have some sort of notification system set up that tells users when and where they’ve logged in? There’s so much more they could be doing, and the fact that they’re just tossing us an authenticator and going “use this” is almost insulting. In Blizzard’s defense (I’ve been lambasting them for almost a thousand words now) there might not be anything they can do, unless they really are using low-grade encryption.
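To make the two suggestions above concrete, here is an added toy example (my own sketch, not code from the post or anything Blizzard runs) of server-side detection: it walks a constructed stream of login and trade events, flags a login from an address the account has never used, and temporarily locks an account that moves more than half its gold or items within a five-minute window. Account names, addresses, holdings and thresholds are all invented for illustration.

```python
from collections import defaultdict

# Constructed sample events: (timestamp_sec, account, kind, detail). Not real data.
EVENTS = [
    (0,    "trevor", "login", {"ip": "203.0.113.7"}),
    (60,   "trevor", "trade", {"gold": 500,   "items": 1}),   # normal activity
    (3600, "alex",   "login", {"ip": "198.51.100.9"}),
    (3610, "alex",   "login", {"ip": "192.0.2.44"}),          # unfamiliar address
    (3620, "alex",   "trade", {"gold": 40000, "items": 6}),
    (3640, "alex",   "trade", {"gold": 35000, "items": 8}),   # mass liquidation
    (3660, "alex",   "trade", {"gold": 25000, "items": 4}),
]
# Hypothetical account holdings at the start of the stream.
HOLDINGS = {"trevor": {"gold": 20000, "items": 30}, "alex": {"gold": 100000, "items": 25}}

WINDOW = 300                      # seconds of history considered for the velocity check
GOLD_FRAC = ITEM_FRAC = 0.5       # share of holdings moved within WINDOW that triggers a lock

def evaluate(events, holdings, window=WINDOW):
    """Return (alerts per account, set of locked accounts) for an event stream."""
    known_ips = defaultdict(set)  # addresses each account has logged in from before
    recent = defaultdict(list)    # account -> [(ts, gold, items)] inside the window
    alerts = defaultdict(list)
    locked = set()
    for ts, acct, kind, d in sorted(events, key=lambda e: e[0]):
        if kind == "login":
            # Notify on a login from an address not seen on this account before.
            if known_ips[acct] and d["ip"] not in known_ips[acct]:
                alerts[acct].append(("notify", f"login from new address {d['ip']} at t={ts}"))
            known_ips[acct].add(d["ip"])
        elif kind == "trade":
            if acct in locked:    # temporary lock: reject further transfers
                alerts[acct].append(("blocked", f"trade rejected while locked at t={ts}"))
                continue
            recent[acct] = [e for e in recent[acct] if ts - e[0] <= window]
            recent[acct].append((ts, d["gold"], d["items"]))
            gold_out = sum(g for _, g, _ in recent[acct])
            items_out = sum(i for _, _, i in recent[acct])
            h = holdings[acct]
            if gold_out >= GOLD_FRAC * h["gold"] or items_out >= ITEM_FRAC * h["items"]:
                locked.add(acct)
                alerts[acct].append(("lock", f"{gold_out} gold, {items_out} items in {window}s at t={ts}"))
    return dict(alerts), locked
```

On the constructed stream only the second account trips anything: a new-address notification, then a lock on the second large trade, after which the third trade is rejected.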
For all we know, there could be a grain of truth to what they’re saying- gold farming’s always been big business, after all, and it’s not inconceivable to think that a large corporation, even if an illegitimate one, might have access to advanced password cracking techniques. But if so, why aren’t more accounts being sold? Why aren’t they going straight after the Battle.net accounts to mine them for information? Why aren’t they changing the passwords and personal information to lock users out of their accounts? Why do they just take items, when they could take so much more?
If they’re going to saddle us with shoddy DRM that forces us to remain connected to the Internet, the least they could do is ensure that their interests aren’t the only ones being protected.