So I'm convinced Blizzard has security issues

[crowdx]

I too had an account compromised. the hacker had emptied my guild bank because I had access to all tabs, vendored all items except my gear (this I found rather odd because he kept the gear for my multiple specs).

I purchased an authenticator after this and I didnt even change the password. The next day I took the authenticator off of my account and waited to see if the account would be compromised again. (I am crazy like that) Well it never happened.

Me being the paranoid person that I am immediatly thought, "Inside job!" What's stopping a company from doing shadey dealings, such as faking a hacked account just to make you buy an authenticator, once they see you have one, they go to the next person. All items were restored of course.

Overview:

What does blizzard have to gain from compromised accounts? Sales in authenticators.

They have the information needed, the power, and a motive. And who is to say someone in the coorporate ladder couldnt be selling your account information to ammatures to "do the deed". Thus pushing you to purchase their new safety feature.

Highly unlikely, but hey it would be pretty hard to "catch" if everyone is so ready to accept that it could never happen. Maybe I shouldn't watch The Manchurian Candidate when drunk haha!

Quite a conspiracy theory lol. I think the hackers are doing a fine job by themselves to get players to use authenticators lol. I think if blizz wanted to sell authenticators they could just add it as a go forward requirement.

I believe it is simply a case that there is A LOT of money being made hacking accounts and selling gold, as I stated in my hack thread, the GM I dealt with that finally resolved most of my issues said that "there are between 2 - 3k accounts per day being compromised in the US and Australica alone" , now that is a serious amount of gold. The peon hacker is most likely being paid a few dollars a week and their bosses are making the big money, THIS IS BIG BUSINESS.

[Khatovar]

They have the information needed, the power, and a motive. And who is to say someone in the coorporate ladder couldnt be selling your account information to ammatures to "do the deed". Thus pushing you to purchase their new safety feature.

Why in gods names would Blizzard resort to something like this for a $6.50 per keyfob or $1 per mobile, most of which they don't even see as profit. Every hacked account costs them far more in terms of canceled subscriptions and man-hours for research to find out where the gold and items went, restores and customer service to deal with the hacked customer and customer service to deal with the spam/hack complaints about the compromised account. And that doesn't take into account the potential for multiple account loss in situations where one person gets compromised and quits, so other friends or family members quit, too.

If Blizzard wants to make money for nothing, they release a new vanity pet or mount or something through the store, they don't hack their customers.

[CavScout]

I can see how that might lead you to believe you're not the one in error here but if there's one thing I've learned over the years, it's that hackers are an ingenious lot. I know it's hard to believe but the alternative theory goes beyond the pale. I just cannot fathom that Blizzard has some security hole where accounts get hacked regularly for 5 years and NOBODY has found out about it yet. It would not be a normal hack, either, because they're not entering your logon/password for any trojan to sniff. /shrug

If Bliz had been hacked, you think they'd be announcing it? Besides, it doesn't even need to be a "hack" since their customer service folks probably make nominally more than minimum wage, the class of folks working there is probably lacking.

[Knytestorme]

The thing people forget is that you aren't asked for an auth code when you try to log into the wow forums, passwords are case-insensetive and there is no limit to the number of login attempts you can make.

All the hackers need to do is get a list of email addresses, feed them into a bruteforce password generator and throw each attempt at the wow forums until they find accounts that log in. They take that list and try to log into the account management and if there is no auth attatched then your account is now theirs.

To an extent Blizzard is at fault for their design decisions on passwords and forum log-in (eg limit it to 5 login attempts before blocking the account until user action, making passwords case-sensetive would increase time to crack etc) but there is almost no excuse for anyone to not have an auth attached to their accounts by now given they can be gotten either as phsyical or phone/ipod apps

[edit]
TBH, if I were in charge there I'd make having an auth mandatory along the lines of the change to battle.net logins

[jimbobobb]

All the hackers need to do is get a list of email addresses, feed them into a bruteforce password generator and throw each attempt at the wow forums until they find accounts that log in. They take that list and try to log into the account management and if there is no auth attatched then your account is now theirs.

THIS

I recently had my account compromised, and it occurred to me after I swept my computer 50 times, finally reformatted it, and started it all up again - that battlenet is the dumbest thing on the planet, and that the way I use that computer, the chance of it being compromised through my actions were approaching zero.

Why in the hell, is my EMAIL ADDRESS my login name? Does that just not seem like an absolutely awful idea to anyone else? I mean, half of my login information is almost compromised by default - if you have your email visible to people on ANY wow forums, make it invisible now.

[zenga]

How hard can it be to go to gmail.com, make another email that does not contain any references to your name, use that one for either wow or for forums and set it to forward all to your main email address.

What I do is:

gmailaccount1 for forums i like/trust
gmailaccount2 for randomsites that require me to login
gmailaccount3 for msn
...
those are all forwarded (and emptied right away) to
gmailaccount4 which is like a collector,
gmail4 forwards to my main emailaddress

they all have crazy passwords that i dont have to remember since i never log them in
if they would hack one of the emailaddress, the tier system makes it such that the rest of my 'accounts/data' is not compromised

[crowdx]

Following my hack, I changed my email address to a wow only address, the email is dedicated to my battlenet account and not used for anything else. I use Outlook and so just collect the email from it in the same way I get any other email but never use it for sending emails. The only issue I have with this setup is that legit gm emails got caught by gmail spam filers and so I had to add it to my safe list.

I agree that having battlenet as an email address does increase the chance for the regular user to get hacked, and in fact may have been a contributer with my old email which a month before getting hacked started to get a lot of random spam emails which I presume was caused by a forum or some such sharing that email with someone else and so got me spammed.

My real issue for those of us that chose to combine all their Wow accounts under one Battlenet account (pretty much the way Blizz wanted us to and designed it to work) have everything exposed once that single signon is compromised, THAT SUCKS!

[jimbobobb]

How hard can it be to go to gmail.com, make another email that does not contain any references to your name, use that one for either wow or for forums and set it to forward all to your main email address.

What I do is:

gmailaccount1 for forums i like/trust
gmailaccount2 for randomsites that require me to login
gmailaccount3 for msn
...
those are all forwarded (and emptied right away) to
gmailaccount4 which is like a collector,
gmail4 forwards to my main emailaddress

they all have crazy passwords that i dont have to remember since i never log them in
if they would hack one of the emailaddress, the tier system makes it such that the rest of my 'accounts/data' is not compromised

While I totally agree this is a good idea, and I will in fact change my email and probably steal this idea, why do I have to go through this bs? What was so hard about just having a login name, that had absolutely nothing to do with anything?

Add to that the fact that blizzard doesn't ship authenticators to the country I live in, so your suggestion is the closest I'll get to an added level of safety.

[zenga]

While I totally agree this is a good idea, and I will in fact change my email and probably steal this idea, why do I have to go through this bs? What was so hard about just having a login name, that had absolutely nothing to do with anything?

lol don't shoot me, i might be a blizz customer but i didn't design their system, nor can i answer in their place

Add to that the fact that blizzard doesn't ship authenticators to the country I live in, so your suggestion is the closest I'll get to an added level of safety.

Well there is another one, but then i'm going to repeat myself and most people find that out of the question. However the link can be found in my signature.

[Malgor]

Now, I have read that some of you had your CC info hacked, and they actually used it. What exactly did they use your CC on?

They didn't use my credit card for a few months. Then suddenly it was being used for purchases around the $50 dollar range... daily for about a week before I noticed it.

Called my bank got it closed that day and got the forms and was reimbursed all that I lost which was about $250 total. Took some time though before I got the money back.