Psychochild's Blog

A developer's musings on game development and writing.

25 March, 2009

I can’t believe it happened to me…
Filed under: — Psychochild @ 1:16 PM

Dear MMO letters,

I've read a lot of the stories about MMO accounts, but I never thought it would happen to me. I was logging on my World of Warcraft account when I saw it...

...a female gnome in her underwear. It was at that point I realized that my account had been violated!

So, yeah, my WoW account got "hacked" sometime in the last week. My interest in WoW has been waning for some reason. I haven't logged on much, whatever additional free time I have has been going toward writing and other work. My friends haven't been playing as much lately, either, and the content isn't compelling enough for me to go through solo.

I was logging on to help a friend's alt with a group quest when my password wouldn't work. Uh oh. Heading to the website and resetting my password to something different, I logged on to find the previously mentioned characters in their underwear.

I'm not an idiot... mostly...

Now, I know a thing or two about internet security, having been online for longer than some people reading this blog might have been alive. I don't click on suspicious links. I run anti-virus and keep it up to date. I don't use Internet Explorer. I don't re-use the same username/password combos for important accounts.

So, when I saw my account hacked, I was a bit confused as to what happened.

The first step: panic!

My first thought was that I might have a keylogger on my computer. This would be troublesome, because I have things a lot more important on my computer than my WoW account username and password.

So, I went through and made sure that my antivirus was up to date and did a complete scan on both my computers. While that was running, I did some research about the topic, including reading Blizzard's own page about account security. I also downloaded a few rootkit detectors for my computers to make sure there wasn't something really buried. The only thing that came up was that my hosts file was changed. Well, yes, because I had changed it; I did double-check it to make sure nothing had been added or altered. Unfortunately, the software was kind enough to delete the hosts file for me, causing some swearing on my end. Thankfully I had a copy of the file on my old computer.

I also ran some file access and network traffic monitors while trying to log into my WoW account a few times. I didn't see anything doing anything suspicious or out of the ordinary in the dozen or so times I tried. So, I'm reasonably sure my systems weren't compromised; as much as you ever can be.

Solving the puzzle

Now that I wasn't in panic mode, I'm taking a look at some of the details so I can figure out what happened. I'm a game developer, and this is a potentially interesting puzzle to solve.

The first thing I did was consider how someone could have gotten my username and password. I use relatively secure passwords, but they're not as strong as they could be. I also don't always use unique passwords for each site I visit. But, my WoW account username and password were a unique combination not found on other sites.

One possibility that came to mind was a rogue element on the inside. I know we had some problems with the paid CS representatives at 3DO while I worked on Meridian 59, and there were only 4-6 people managed by one of the most capable people I know. Now, consider an operation like Blizzard that has hundreds of CS people and you can imagine someone interested in using (or obtaining) access to account information to make a bit of cash on the side. Perhaps there is some sort of precedent for that type of behavior.

Then I considered that the password had been changed on my account. Why change the password if they have my account password in the first place? This seems like an unnecessary additional step since you can only change the password through the web interface for WoW.

I also discussed the issue with a security expert. We had a little discussion about the problems of automated systems, particularly ones that can reset passwords. That got me thinking a bit more about security while I was filing a CS ticket in WoW.

Oops, they did it again!

I was playing LotRO with my better half when my friend notified me that I had just logged on two of my characters on WoW. Uh oh. That was irritating, seeing as how I wasn't playing WoW and had changed my password. Luckily, they got nothing since I hadn't been reimbursed yet, but the fact that they had my new password made me pretty cranky.

Heading to the website to reset my password, I noticed something interesting: there were two other emails waiting for me in my inbox about the password being changed on my account.

Oh. That kind of narrowed down the vector of attack.

How they probably did it

Heading to the password reset screen, I took a bit more note of what was required. All someone needed to do in order to reset my password was to know my account name and my email address, and have access to that mailbox. Want to change the registered email address? All you need is the old email address and an answer to a "secret question".

The email address for my WoW account is a spam-catching Hotmail account, not exactly a bastion of security. I signed up for it a long time ago, and it's had the same weak password for years now. It's funny because I recently changed it from an old psychochild.org account that I never check anymore due to an overwhelming amount of spam. I wanted to have a valid email address in case I needed CS assistance in the future. I picked my spam-catcher account because I didn't want to get any "special offers" from Blizzard if they decide to start selling addresses for a bit more cash. Since Blizzard sent account updates, with my account name included, to this email address, I assume that's how the hacker got the account name.

Even though they didn't change the email address, my "secret question" has an all-too-common answer, unfortunately. This wasn't something I considered when I filled it out way back when. But now there's no way, that I could see, to change the secret question. So, that could be another vector for attack.

The aftermath

I took some steps on my end to try to avoid the situation. I've changed a bunch of passwords on my accounts, and have come up with a scheme for having unique passwords on sites. I changed my Hotmail account password, obviously. I also increased security on my browser, including installing a plugin that prevents scripts from running on websites. Never hurts to be a bit extra careful.

While researching the issue of hacked accounts, I came across a lot of information. Some stories posted about hacked accounts talked about Blizzard requiring people to get documents notarized before releasing an account. That seemed like a lot of hassle, and probably not something I would go through to keep the account. But, the process went smoothly and I got pretty much everything I cared about back through the in-game mail system. Either this was a surprisingly open-and-shut case, or accounts are compromised so often that they no longer put everyone through the full song and dance.

I felt a bit under pressure, because I had canceled my account and it was going to go dormant in a few days. Yesterday I got all my stuff out of the mail just before the account was canceled. If I want to play in the future, I'll have my characters ready to go.

Lessons on security

So, what lessons can we draw from all this excitement?

Security is a trade-off with convenience. Being able to reset my password on the site is nifty if I forget my password, but it sucks if someone else manages to figure out how to do it without my permission.

Email isn't a secure medium, especially web mail services. That's a big "duh" for anyone who has been online for a while. Email is a convenient way to identify a person, but there is no guarantee that each person has only a single address; in fact, I use at least 5 on a regular basis, and could create many more since I own my own domains. Assuming that whatever you send to someone's email account stays private can be a bad decision. Obfuscating some information, such as account names, is also wise.

Being big means being a target. As I mentioned, I play LotRO as well. Those characters weren't touched. Although, I've seen more spam by gold sellers in LotRO lately, so they may be gunning for those next. Luckily, the usernames and passwords are very different; but if they do get hacked, time to scrub the computer clean. But, I figure my WoW account was hacked because it was a WoW account.

Yes, it can happen to you. A lot of responses to people posting about their WoW accounts getting hacked were of the form: "You were stupid and installed a keylogger!" or "You gave your account information to someone who took your stuff!" Neither of these have to happen for you to get your account compromised. All it takes is one minor thing like not worrying about which email account you have your account updates going to.

That doesn't mean people aren't stupid. One time we had an account that was "hacked" in Meridian 59. We asked the customer the standard questions: "Do you have anti-virus?", etc. The telling answer was in response to "Did you give your account info to anyone?" She replied, "Only to my bf, but I trust him." That's not what the access logs say, dear.
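To make the shape of the problem concrete, here is a small Python model of the two recovery paths described in "How they probably did it" above (a reset link sent to the registered mailbox, and changing that address by answering the secret question), with the hardening a designer would want on each: single-use, expiring, high-entropy reset tokens; salted and stretched secret answers compared in constant time; a per-account lockout on the question path; and a notification to the old address whenever it changes. It also covers the points raised in the comments about unlimited guessing and about treating the secret answer as just another password. This is an added illustration, not Blizzard's code and not anything from the original post; the account name, addresses, candidate-answer list, lockout policy and token lifetime are all made up for the demo.

```python
import hashlib
import hmac
import secrets
import time

# Constructed list of common secret-question answers the attacker tries first.
COMMON_ANSWERS = ["smith", "johnson", "williams", "brown", "jones", "miller", "davis", "garcia"]


def _hash_answer(answer: str, salt: bytes) -> bytes:
    # Normalise case and whitespace so "Garcia" and " garcia " match, then salt and stretch
    # so a leaked account table does not hand over every answer in plaintext.
    norm = " ".join(answer.lower().split()).encode()
    return hashlib.pbkdf2_hmac("sha256", norm, salt, 20_000)


class RecoveryService:
    """Two recovery paths: (1) reset link to the registered mailbox, (2) change that mailbox by secret question."""

    def __init__(self, max_failures=5, lockout_seconds=900, token_ttl=900):
        self.max_failures = max_failures        # None = no throttling on the question path
        self.lockout_seconds = lockout_seconds
        self.token_ttl = token_ttl
        self.accounts = {}
        self.mailboxes = {}                     # email -> delivered messages (stands in for SMTP)
        self.tokens = {}                        # account -> (sha256(token), expiry time)

    def register(self, account, email, password, secret_answer):
        salt = secrets.token_bytes(16)
        self.accounts[account] = {"email": email, "password": password, "salt": salt,
                                  "answer_hash": _hash_answer(secret_answer, salt),
                                  "failures": 0, "locked_until": 0.0}

    def _mail(self, email, msg):
        self.mailboxes.setdefault(email, []).append(msg)

    # Path 1: whoever reads the registered mailbox owns the account.
    def request_reset(self, account):
        acct = self.accounts.get(account)
        if acct is None:
            return                              # same response either way: don't confirm account names
        token = secrets.token_urlsafe(32)       # 256 bits: not guessable, unlike a short numeric code
        self.tokens[account] = (hashlib.sha256(token.encode()).digest(), time.time() + self.token_ttl)
        self._mail(acct["email"], {"type": "reset", "account": account, "token": token})

    def redeem_reset(self, account, token, new_password):
        entry = self.tokens.pop(account, None)  # pop(): a token works exactly once
        if entry is None:
            return False
        token_hash, expiry = entry
        if time.time() > expiry:
            return False
        if not hmac.compare_digest(token_hash, hashlib.sha256(token.encode()).digest()):
            return False
        self.accounts[account]["password"] = new_password
        return True

    # Path 2: the secret answer is a low-entropy password, so it must be throttled.
    def change_email_via_question(self, account, answer, new_email):
        acct = self.accounts.get(account)
        if acct is None:
            return False
        now = time.time()
        if now < acct["locked_until"]:
            return False
        if hmac.compare_digest(acct["answer_hash"], _hash_answer(answer, acct["salt"])):
            acct["failures"] = 0
            old_email, acct["email"] = acct["email"], new_email
            # Tell the old address: the owner's only chance to notice, as the post's author did.
            self._mail(old_email, {"type": "email_changed", "account": account, "new_email": new_email})
            return True
        acct["failures"] += 1
        if self.max_failures is not None and acct["failures"] >= self.max_failures:
            acct["locked_until"] = now + self.lockout_seconds
        return False


def guess_secret_question(service, account, attacker_email, candidates=COMMON_ANSWERS):
    """Attacker loop: number of guesses needed to hijack the address, or None if locked out first."""
    for n, guess in enumerate(candidates, 1):
        if service.change_email_via_question(account, guess, attacker_email):
            return n
    return None


def mailbox_takeover(service, account, mailbox, new_password):
    """Attacker who already controls the registered mailbox needs no question at all."""
    service.request_reset(account)
    return service.redeem_reset(account, service.mailboxes[mailbox][-1]["token"], new_password)


def demo():
    weak = RecoveryService(max_failures=None)            # unlimited question attempts
    strong = RecoveryService(max_failures=5)             # lock the question path after five failures
    for svc in (weak, strong):
        svc.register("dave", "spamcatcher@example.com", "hunter2", "Garcia")
    return {
        "unthrottled_guesses": guess_secret_question(weak, "dave", "evil@example.com"),
        "throttled_guesses": guess_secret_question(strong, "dave", "evil@example.com"),
        "mailbox_takeover": mailbox_takeover(strong, "dave", "spamcatcher@example.com", "pwned"),
        "token_replay": strong.redeem_reset("dave", "anything", "again"),
    }
```

Calling demo() shows the two failure modes side by side: against the unthrottled service the attacker's list of common answers hijacks the address on the eighth guess, while the throttled one locks after five wrong answers and the same list gets nowhere. The attacker who already reads the spam-catcher mailbox wins on the first try against either configuration, and the reset token cannot be replayed afterwards. That is the post's real lesson in code: the mailbox path is exactly as strong as the mailbox it emails, and the question path is exactly as strong as the answer space times the attempt limit.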

What about you? Have you had any experiences with compromised accounts?

--


20 Comments »

  1. Hi Brian, was wondering what your opinion was on the Blizzard authenticator. I bought one of those for my wife because I knew she would be upset if she lost her stuff. It's a bit of a pain and we almost lost it once when one of the kids thought it was just a toy and took it away. It makes me feel a little safer, but I'm still not sure how safe it is from the "insiders" you mention.

    Comment by Ethic — 25 March, 2009 @ 1:47 PM

  2. I bought a Blizzard Authenticator. I might consider one for any game I play for more than a month or two, but so far as I know Blizzard is the only one currently making use of them.

    Comment by Sandra "srand" Powers — 25 March, 2009 @ 2:08 PM

  3. Final Fantasy XI is going to offer them "in the near future".

    Comment by Ethic — 25 March, 2009 @ 2:10 PM

  4. Brian, you are probably right. It is very easy for people to find out the answers to the "secret question", as the options they give users for the question are rather limited. I also wonder where the hell I can change this question and the answer! I am going to find this out, as you are right, it is very easy to hack an account this way.

    I just tested it with two friends and informed them. I knew the maiden names of their mothers... voila, account hacked.

    Actually, it is not only the user who is to blame - Blizzard basically gave them flawed options for the secret question. And I still do not know how to change the secret question.

    Comment by Longasc — 25 March, 2009 @ 2:37 PM

  5. I also have a Blizzard authenticator. It is synced to my account. No one can log into my account without my exact authenticator. Even I can't log into my account if I don't have the authenticator -- secret questions or not. Same is true for logging in via WoW's website. No authenticator, no access.

    Comment by Game Dame — 25 March, 2009 @ 2:55 PM

  6. OK, the result: Only the Account & Billing department can change the secret question. They ask questions that are VERY hard to answer for the account owners. The key you created the account with is only one question, and they take some 2-3 days time usually to react to customer questions and wishes like this.

    Comment by Longasc — 25 March, 2009 @ 2:55 PM

  7. FFXI provides an on-screen keyboard so if you DO have a keylogger all they get is mouseclicks instead of your account info.

    Comment by Phoe — 25 March, 2009 @ 3:02 PM

  8. Ethic wrote:
    [W]as wondering what your opinion was on the Blizzard authenticator.

    It's handy, as you can see from the other comments, but it's not a substitute for good security on either the user or the game provider end. As I mentioned in my post, if I get a keylogger installed, I will have larger issues than just my WoW account getting compromised. I'd prefer that my WoW account gets hacked to let me know there is a problem rather than an authenticator keeping that hidden a bit longer.

    Longasc wrote:
    The key you created the account with is only one question....

    Heh. I think my original account key might be lost to the ages. I've moved a few times since I set up my account back in the day, and the original CD key may not even be readable anymore. I just have to hope that nobody finally figures my info out.

    It comes down to the old problem of proving just who someone is online. Not an easy task.

    Comment by Psychochild — 25 March, 2009 @ 3:29 PM

  9. Yep! This happened to my roommate last Thursday morning. Which in turn meant that my guild storage bank (full to the hilt with crafting goodies - or it was) got emptied. But here's some stuff I learned while looking into how one goes about changing passwords, exactly.

    If you've just lost your password, they don't send you a temporary password. They send you a link to reset the password. This is great. It's when you say you've lost access to the original email that they get to the part involving your secret question...

    In fact, they don't even need your Secret Question answer or your original email!

    Go to "Retrieve Password". There's a link for you to click if you have lost access to your original registered email. On that page, it asks for:

    A Current Email (to send the temp password to - not a link, but a short password)

    The Account Name (with 11 million subscribers, it is probably easy to type in almost anything and get an account name)

    And then EITHER your secret question's answer OR the last 6 digits of your WoW CD Key.

    Now, I'm no stranger to the internet or game piracy. There are key gen programs out there to generate keys for hundreds of games. Does anyone believe WoW is somehow immune to the same technology?

    Add to that the fact that the page does not seem to limit attempts, nor does it have a simple security check such as a Captcha.... and it's pretty easy for someone who is in it for the cash to get an account name, and then utilize the "cannot access registered email account" option to simply run numbers until they get in. At that point, the temp password is sent to the "current" address that was entered, and apparently to the original address. (My roommate received an email with the temporary password, but like the OP uses a not-often-checked address, so didn't see it until Saturday. When he "retrieved" his password, he got the link to reset it.)

    I honestly don't think anyone compromised your hotmail account. I think the system to set up a temporary password (which would also allow you to change your email address on your account) is horribly flawed and insecure.

    Comment by Jenna — 25 March, 2009 @ 3:50 PM

  10. Jenna, how would they link the 6 digits of the WoW CD key to the account name? Given an account "Dave", you need to know Dave's CD key, not just any CD key.

    I think CD Key + Account name is pretty strong.

    As for Secret Questions, one tip I've used to answer a different question, not the question that was asked. So if the question asks for your mother's maiden name, put down your favorite food. A secret question is just a password with a hint, the answer doesn't actually have to make sense.

    Comment by Rohan — 25 March, 2009 @ 4:25 PM

  11. funny...I just checked my email after reading your blog and sure enough, someone merged my account with their Battle.net account. The Bliz rep said it's running rampant right now with 11 million having to merge their WoW account with a new Battle.net account. He told me a single individual had scammed 50 different accounts.

    Comment by coppertopper — 25 March, 2009 @ 8:52 PM

  12. I've got a Blizzard Authenticator here, too. The security technology behind that token has been proven for years. Although there exist scenarios where even this one can be broken, it definitely raises the bar for hackers. And I definitely do not want to get my precious Paladin heal-can emptied :-) (Although I have cancelled my account, too).

    To comment on the security of a mouseclick-driven keyboard: That's a nice approach. And yes, a keylogger would just give them the coordinates of your mouse click. But: That's all they need (well, they need the screen resolution, window position and such): When they have the coordinates, they know what fields you click. And even if the field positions are randomized: One screenshot, and there goes your security. (I must admit that I did not see the implementation of that system myself yet).

    Comment by Elendil — 26 March, 2009 @ 1:57 PM

  13. After being hacked TWICE in WoW, I got an Authenticator too.

    Comment by Bobby Thurman — 26 March, 2009 @ 8:05 PM

  14. You can read some of Steven Davis' thoughts about "secret question" attacks over at his blog: http://www.playnoevil.com/serendipity/index.php?/archives/2476-Sarah-Palin-Psychochild-Secret-Question-Attack-Victims-Are-You-One-Too.html

    Comment by Psychochild — 28 March, 2009 @ 10:21 AM

  15. A Word of Warning

    [...] I can’t believe it happened to me… [...]

    Pingback by Tish Tosh Tesh — 30 March, 2009 @ 9:55 AM

  16. "I was logging on my World of Warcraft account" ...

    I think I found your mistake :p

    Comment by Melf_Himself — 30 March, 2009 @ 4:31 PM

  17. Here's an article going into a bit more detail about the vulnerability of secret questions, which used information from this post:

    http://www.technologyreview.com/web/22662/

    Comment by Psychochild — 18 May, 2009 @ 2:44 PM

  18. More Blizzard Account Phishing

    [...] enough to be believable at first glance, and I still had in the back of my mind the events of another account hacking. But I had to wonder how anybody could change my password since I have the Blizzard [...]

    Pingback by The Ancient Gaming Noob — 8 January, 2010 @ 10:54 PM

  19. The Factions of WoW Account Hacking

    [...] in things like Adobe Flash or JavaScript, people who have actually been hacked and were able to run down how it happened, people who were hacked even though they were security aware, people, like me, who just distrust [...]

    Pingback by The Ancient Gaming Noob — 16 August, 2010 @ 9:56 AM

  20. Clean as a Whistle and Still Got Hacked

    [...] February 13, 2011: I found a nice post on Psychochild’s Blog that you may want to read as well, in case you’ve been hacked like I was. Oh, and I received [...]

    Pingback by Chordian — 13 February, 2011 @ 9:31 AM


Posts Copyright Brian Green, aka Psychochild. Comments belong to their authors.