Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Blizzard Sued over lax B.Net Security; Profiting on Authenticators

123578

Comments

  • sunshadow21sunshadow21 Member UncommonPosts: 357
    Originally posted by zymurgeist
    Originally posted by sunshadow21
    Seems to me that if phishing and keyloggers are the biggest problem, a virtual keyboard and tougher passwords that require people to come with something unique are two very easy steps that Blizzard could implement and and remove most of the soruce of the problem. Would some people quit with more complex passwords? Probably, but really, if they're going to quit over something that minor, chances are in the long term, Blizzard is better off without them, because at some point, they are going to have to choose between that low lying, problem causing fruit, and the better quality fruit higher up that is more likely to stick around and show loyalty when the game starts to show it's age. Of course, then they might only have 6 million subscribers instead of 9 million, and only make 1 million dollars a day instead of 2 million, but they would improve there chances of keeping the valuable subscribers around for a longer period of time, meaning they would probably make more money in the long run.

     I don't think you're ever going to convince Blizzard they would be better off without most of their customers. You seem to have a higher opinion of the average internet user than I do.

    25 most common passwords of 2012 from Gizmodo.

    1. password (Unchanged)
    2, 123456 (Unchanged)
    3. 12345678 (Unchanged)
    4. abc123 (Up 1)
    5. qwerty (Down 1)
    6. monkey (Unchanged)
    7. letmein (Up 1)
    8. dragon (Up 2)
    9. 111111 (Up 3)
    10. baseball (Up 1)
    11. iloveyou (Up 2)
    12. trustno1 (Down 3)
    13. 1234567 (Down 6)
    14. sunshine (Up 1)
    15. master (Down 1)
    16. 123123 (Up 4)
    17. welcome (New)
    18. shadow (Up 1)
    19. ashley (Down 3)
    20. football (Up 5)
    21. jesus (New)
    22. michael (Up 2)
    23. ninja (New)
    24. mustang (New)
    25. password1 (New)

     

    Password has been the most common password almost as long as computers have had passwords. That's what a 25+ year unbroken record of  stupidity?

     

    Oh and this is just beautiful:

    SplashData's findings are pretty consistent with those of security consultant Mark Burnett, the author of the book Perfect Passwords. Think your password is a special snowflake, unique in the world?Burnett did an analysis of 6 million username and password combinations last year, and found that 91 percent of users had used one of the 1,000 most common passwords—with 99.8 percent using a password from the 10,000 most common. And "password" was the leader of them all, in use by 4.7 percent of user accounts.

     

    You can't fix stupid...............

    Actually, you can, but you have to be willing to try. Simple rules for passwords that eliminate almost all of the above passwords while still allowing for reasonably easy to remember passwords have been designed by dozens of companies.  Virtual keyboards are even easier to implement. As for the losing customers, I highly doubt they would permanently lose that many customers to a change in the password system. They would certainly see a dip, but it would come back up when people realized they had no choice.

    It's not that I believe that the average internet consumer is all that intelligent; rather, that I believe that the internet is enough of an addiction to enough people that they will grumble, emoquit for a time, and come back when they realized they needed their fix, still grumbling, but needing the fix bad enough that minor things like a stronger password wouldn't stop them. People will adapt to the circumstances they are put in; this would be no different.

  • sunshadow21sunshadow21 Member UncommonPosts: 357
    Originally posted by zymurgeist

     The most common method of strengthening password is to force the addition of a number and a capital letter. Most business networks do this. It led to an alarmingly high incedence of the use of "Password1." Unfortunately unless you vet individual passwords people will find new and creative ways to be stupid. Then complain because they can't even remember that one.  Passphrases are a great example. When asked to create a four word passphrase people choose things like "This is my password"  Then they use it everywhere so they only have to try and remember one. It's not as easy to fix as it sounds. The best system would be to force every password to be unique. Unfortunately then the checking  mechanism itself becomes the weakness because it has to check hashed passwords for uniqueness and hashing is a one way process. Phishing works no matter how simple or complex your password is. So does stealing passwords from unsecure third party sights. Passwords themselves aren't even the biggest problem.

    Other simple rules that I've seen include no words, no continuous series like 123 or abc, no repeated characters like aaa, special symbols, and those are just the ones off the top of my head. Of course, if the password isn't the problem, but truly the user is than Blizzard is probably just hosed, but that's what shooting for the lowest common denominator does. They could still implement the stronger passwords and give those with some intelligence a fighting chance at least. It would also give them a better answer if they have to answer "Could you have done more?" while under oath on the stand in the courtroom.

  • sunshadow21sunshadow21 Member UncommonPosts: 357
    Originally posted by zymurgeist

     I don't think Blizzard is giving IQ tests to qualify customers. Gamers over all are pretty low hanging fruit, especially kids. Those with some intellegence should pull up their big boy britches and choose secure passwords on their own if they want a fighting chance. The standard isn't "could you have done more" it's did you do what could reasonably be expected. If you eat the hemmoroid cream it's your fault. They did put a warning on the tube after all.

    Than in this case your definition of what qualifies as "reasonably be expected" and mine are different, because even a virtual keyboard would be an improvement, and not that hard to implement. Also, what is reasonably expected of a startup company and a company like Blizzard cannot and should not be the same. If they want to say they are a leader in the industry, they need to prove it by not just meeting standards but exceeding them and making them stronger.

  • sunshadow21sunshadow21 Member UncommonPosts: 357
    Originally posted by zymurgeist

     It's not your definition or mine that counts. In the absence of government regulations it's industry standards that matter.  Startup companies don't get any leeway either. Virtal keyboards don't protect you from people who know your passwords. To exceed industry standards you need two factor authentication. Blizzard supplies it for a nominal cost or free if you have a smart phone. Their security is better than a lot of banks.

    Not any bank that I've ever belonged to; if I found a bank that left that many matters of security up to the customer only, I wouldn't be banking there long. You can't simply hand out an authenticator and call the battle won. It's an active, ongoing process, and I haven't seen anything from Blizzard ever to suggest that they get this one crucial detail. It's not even all that hard for something like an MMO if you can just get on top of it; if you can eliminate the low lying fruit and keep it pruned, most people won't bother you. This is where Blizzard has failed and almost every other MMO has done a much better job. Even given the addtional challenges that Blizzard faces, it shouldn't be that hard to at least contain the problem; right now, they've basically waved the whiite flag, and told their customers that they are completely on their own, because the authenticator is firmly on the "customer handles the problem, not the company" side of the fence. No one is ever going to convince me that Blizzard is incapable of doing anything more, not with the resources they have; the only resource they lack is will, and that's a pretty lame excuse.

  • sunshadow21sunshadow21 Member UncommonPosts: 357
    Originally posted by zymurgeist

     My bank requires, you guessed it, one capital, one number and a total of eight characters in their passwords. No two factor authentication is available. They do ask a security question every couple of months but that's it. Most banks are exactly the same. Blizzard is doing fine.

    And last I checked, Blizzard doesn't actually require the authenticator, and I'd be surprised if more than half of it's customers use one or even know about it. Banks may not have the authenticator, but they have a stronger system overall because everyone, not just those who think about it, have to play by the same rules (something Blizzard lacks, as the authenticator is not required), and pretty much every bank I've ever seen takes a pretty active role in maintaining their security structure, responding not just to the intial problem, but any other problems that may be revealed as well. Blizzard seems to think that once someone has an authenticator, their job is done, and literally everything is now the responsibility of the customer; that's not how security works.

  • stygianapothstygianapoth Member UncommonPosts: 185

    why do we need 50 thousand threads on this? moderators sure can do their job against people like me who post a thread that is slightly comparible to someone who posted 2 days before, but yet i see this blizzard sueing BS everyday.

     

    mods?

     

    wanna ACTUALLY do your jobs?

  • XiaokiXiaoki Member EpicPosts: 4,037


    Originally posted by sunshadow21
    Than in this case your definition of what qualifies as "reasonably be expected" and mine are different, because even a virtual keyboard would be an improvement, and not that hard to implement. Also, what is reasonably expected of a startup company and a company like Blizzard cannot and should not be the same. If they want to say they are a leader in the industry, they need to prove it by not just meeting standards but exceeding them and making them stronger.
    Virtual keyboards mean nothing.


    Do you really think keyloggers havent evolved to compensate?


    For years now there have been keyloggers that if a virtual keyboard is detected will take a picture of the screen when you click the mouse and then the pictures are sent to the hackers.


    The only security a virtual keyboard gives you is a false sense of security.

  • RidelynnRidelynn Member EpicPosts: 7,383


    Originally posted by FrodoFragins
    Originally posted by Ridelynn Authenticators can't save you if they break into the server and steal all the data. That was part of the fiasco here - there was enough information stolen that accounts can, and were, broken into - including those tied to authenticators. Because they had security questions & answers, they were able to go around the authenticator protection. There was some speculation if the mobile authenticator was hacked as well (since enough data was taken) - but I don't think that was ever proven. The "text/call" authenticator option proved to be utterly worthless - they had enough data they would just change the call-back number (and to Bliz's credit, they have disabled this form).
    You're spreading a lot of falsehoods here.  Blizzard was never hacked of account names/passwords like sony and others were.

    http://news.yahoo.com/online-accounts-blizzard-video-games-hacked-151630115--finance.html

    http://www.ibtimes.com/blizzard-accounts-hacked-2012-your-battlenet-info-safe-5-tips-keep-your-account-secure-742718

    http://www.huffingtonpost.com/2012/08/10/blizzard-video-games-accounts-hacked_n_1764356.html

    http://news.yahoo.com/blizzard-hack-exposes-millions-accounts-211513085.html

    These aren't exactly WoW-bashing sites, these are world news organizations. They are all saying the same thing, and I believe they are all citing from a Blizzard Press release.

    They got pretty much all they needed. As far as "encrypted passwords" - those become extremely easy to hack if you have a list of common email/password combinations (such as from loose security on message boards) and can use those to crack at the new encrypted passwords.

    So umm.. what falsehoods are those again?

  • sunshadow21sunshadow21 Member UncommonPosts: 357
    Originally posted by Xiaoki

     

    The only security a virtual keyboard gives you is a false sense of security.

    That is true of any single security measure, and my biggest reason for believing that the authenticator really isn't all that when it comes to Bnet security. It's the only component that seems to be in play, and as such, easily enough worked around by those who want to. Probably what Blizzard needs most is multiple active, visible counter measures that work together. A combination of the authenticator, the virtual keyboard, stronger passwords, and simply being creative and active in their counter measures would reduce most of their problems to the level that other games keep it at. Blizzard's response just seem overly stiff, overly focused on one solution, and unfriendly to a lot of simply responses that taken as a whole still wouldn't cost much, but have a large effect.

  • ScotScot Member LegendaryPosts: 24,273

    If you have money someone will find a reason to sue you.

    Are you a company, government or wealthy individual? We need you to help us redistribute some wealth to our needy plaintiffs! Call 0800-I-Want-Your-Money now and give generously.

  • saurus123saurus123 Member UncommonPosts: 678

    max 16 letters length and no case sensitive passwords just make it easier

     

    blizzard security is crap and blizzard know it

    offering authenticators for extra $$ is not a solution to weak security

     

    remember first months of d3 where you could type wrong password over and over and over?

    other companies just block your ip for a limited time after few wrong tries or block your account until you confirm it via email

     

    and whats so hard to give players that captcha thing many of F2P mmos have? its another way to secure the account

     

    but blizz is lazy (dont want to spend additional money to update thiers flawed system) and just sell thier authenticators

    if you didnt buy one ohh well its your problem.... (typical answer)

     

     

  • IcewhiteIcewhite Member Posts: 6,403
    Originally posted by zymurgeist

     My bank requires, you guessed it, one capital, one number and a total of eight characters in their passwords. No two factor authentication is available. They do ask a security question every couple of months but that's it. Most banks are exactly the same. Blizzard is doing fine.

    Mine just updated!  Add a special character ("@^%$!"), that's totally more secure.  So now instead of "Password1", I'm sure they're getting more "Password@1".

    I mean, I guess every additional check feature makes a couple of hundred people think more deeply about what they're using for passwords, maybe.  But it probably also results in less frequent voluntary updating..."That's too hard to remember! Gosh!"

    On the other hand, some web site password paranoia standards have reached the point of insanity.  You best hope is to avoid using real personal information on web forns, ever...not a gadzillion digit, update password weekly system.

    Self-pity imprisons us in the walls of our own self-absorption. The whole world shrinks down to the size of our problem, and the more we dwell on it, the smaller we are and the larger the problem seems to grow.

  • worldalphaworldalpha Member Posts: 403
    Not sure it would be in Blizzards best interest to appear to be hacked, just so they could sell Authenticators.  Sounds a little too consipiracy theory to me.

    Thanks,
    Mike
    Working on Social Strategy MMORTS (now Launched!) http://www.worldalpha.com

  • OzmodanOzmodan Member EpicPosts: 9,726
    Originally posted by Roxtarr
    Authenticators weren't created because of bad security on Blizzard's end.  They were created to protect gamers from themselves.

    Well, had my account hacked on Wow, my fault, somehow had a keylogger.  Fixed that and put a very secure password on my account, then stopped playing the game.  3 months later got a email from Blizzard saying my account was banned.  Somehow a gold seller hacked the account again and paid for a sub.  

    Not sure what happened there, had a very good password, 15 digits, not something in a dictionary, have not had any viruses since.  Certainly suspicious.

    One thing that Blizzard does that is counter to good password security, they do not recognize capital letters.  

    So you really have to wonder about the security on their end.  Sure customers should be responsible on their end, but I do not think Blizzard is doing their part.

  • expressoexpresso Member UncommonPosts: 2,218
    I have seen many replies saying that blizzard are not tackling the "route cause", well the route cause is the user -- the only way to tackle that is if a user knowningly or otherwise gives his username and password to hackers then blizzrad need to take them (the user) outside and shoot them in the head thus tackleing the route cuase.
  • kturockkturock Member Posts: 16

    Blizzard has had terrible security. Battle net has been hacked since day one. They've combined back since there was on warcraft online.

    My account was hacked over 1 year after I stopped playing. I received a series of email saying I was doing unlawful activities and was about to be suspended, ten it was suspended and then locked. I called them They said I must have given my info to someone. I told them that was impossible since I don't recall the info. The game was uninstalled for over a year; the date my subscription ran out. They suggested I get an authenticator. I told them that I wasn't interested since I haven't played the game for over 1 year and that I didn't want to play again.

    When I saw the authenticator, I said, what a scam. Blizzard won't pay to get better security, so they want the players to do it for them.

    I have a coworker who still plays. He has 3 accounts; 1 for him and 1 for each of his 2 kids. Between the 3 accounts they've been hacked several times. The always rotate their passwords and each have an authenticator. Blizzard's security sucks and always has. They're not willing to correct the problem. They're selling items to correct the problem and it doesn't work. They should be sued and lose.

    I still get phishing emails on that account saying there's been a problem with my WoW, and Diablo 3 account[s].

    I haven't played WoW for over 2 years, and never played D3. So where is the leak giving my email showing I had/have an account? On Blizzrd's end.

     

  • PhryPhry Member LegendaryPosts: 11,004
    Originally posted by kturock

    Blizzard has had terrible security. Battle net has been hacked since day one. They've combined back since there was on warcraft online.

    My account was hacked over 1 year after I stopped playing. I received a series of email saying I was doing unlawful activities and was about to be suspended, ten it was suspended and then locked. I called them They said I must have given my info to someone. I told them that was impossible since I don't recall the info. The game was uninstalled for over a year; the date my subscription ran out. They suggested I get an authenticator. I told them that I wasn't interested since I haven't played the game for over 1 year and that I didn't want to play again.

    When I saw the authenticator, I said, what a scam. Blizzard won't pay to get better security, so they want the players to do it for them.

    I have a coworker who still plays. He has 3 accounts; 1 for him and 1 for each of his 2 kids. Between the 3 accounts they've been hacked several times. The always rotate their passwords and each have an authenticator. Blizzard's security sucks and always has. They're not willing to correct the problem. They're selling items to correct the problem and it doesn't work. They should be sued and lose.

    I still get phishing emails on that account saying there's been a problem with my WoW, and Diablo 3 account[s].

    I haven't played WoW for over 2 years, and never played D3. So where is the leak giving my email showing I had/have an account? On Blizzrd's end.

     

    you created a new account just for this.. wow.. just.. wow.. we should totally give you the benefit of the doubt for not feeding us BS..    really have to wonder at the agenda here, almost as if someone is trying to create enough of an uproar in the hope that blizzard will get wind of it and pay up out of court..  personally i'd sue the ambulance chaser..  god knows there are far too many of them, but it would be fun to make an example of at least one of them, shame hanging isnt an option image

  • Dreamo84Dreamo84 Member UncommonPosts: 3,713
    If this guy wins, could be the worst thing to happen to online gaming. Whats to stop every MMO from getting sued now for players being hacked? This happens everywhere.

    image
  • Dreamo84Dreamo84 Member UncommonPosts: 3,713
    Originally posted by worldalpha
    Not sure it would be in Blizzards best interest to appear to be hacked, just so they could sell Authenticators.  Sounds a little too consipiracy theory to me.

    Nice to seem some people still use a little logic. Thats like making cars that purposely break after a year so you can sell repairs. It doesn't help you in the long run.

    Plus, imagine if someone came out and admitted to being hired by Blizzard to hack users? They would be ruined, completely.

    image
  • EdeusEdeus Member CommonPosts: 506

    I just want to know why mmorpg.com couldnt stop promoting the latest mmo-whatever and actually do some reporting on this story.  It's interesting and obviously effects the industry...

     

     

    image

    Taru-Gallante-Blood elf-Elysean-Kelari-Crime Fighting-Imperial Agent

  • BurntvetBurntvet Member RarePosts: 3,465
    Originally posted by Edeus

    I just want to know why mmorpg.com couldnt stop promoting the latest mmo-whatever and actually do some reporting on this story.  It's interesting and obviously effects the industry...

     

     

    You and me both.

    This site gave up any aspirations to "real journalism" long ago. All the articles here do is hype one thing or another.

    And, if you notice, most of the "news items" are really thinly veiled advertisements behind a very small fig leaf of calling it a news story.

    It is not fooling anyone.

     

  • Dreamo84Dreamo84 Member UncommonPosts: 3,713
    Originally posted by Edeus

    I just want to know why mmorpg.com couldnt stop promoting the latest mmo-whatever and actually do some reporting on this story.  It's interesting and obviously effects the industry...

     

     

    Maybe they thought some lame law suit with no real merit wasnt actually news?

    image
  • BurntvetBurntvet Member RarePosts: 3,465
    Originally posted by Fendel84M
    Originally posted by Edeus

    I just want to know why mmorpg.com couldnt stop promoting the latest mmo-whatever and actually do some reporting on this story.  It's interesting and obviously effects the industry...

     

     

    Maybe they thought some lame law suit with no real merit wasnt actually news?

    Well, it is not just this story, there have been several others in the last week that are simply not covered here.

    There is a big story brewing that Origins servers have been hacked and another loss of customer data, but not a word of that on here. (And, what do you know, EA is a paid advertiser here).

    So there are plenty of "legitimate news stories" that are passed over in favor of "Newsvertisements".

     

  • kturockkturock Member Posts: 16
    Originally posted by Phry
    Originally posted by kturock

    Blizzard has had terrible security. Battle net has been hacked since day one. They've combined back since there was on warcraft online.

    My account was hacked over 1 year after I stopped playing. I received a series of email saying I was doing unlawful activities and was about to be suspended, ten it was suspended and then locked. I called them They said I must have given my info to someone. I told them that was impossible since I don't recall the info. The game was uninstalled for over a year; the date my subscription ran out. They suggested I get an authenticator. I told them that I wasn't interested since I haven't played the game for over 1 year and that I didn't want to play again.

    When I saw the authenticator, I said, what a scam. Blizzard won't pay to get better security, so they want the players to do it for them.

    I have a coworker who still plays. He has 3 accounts; 1 for him and 1 for each of his 2 kids. Between the 3 accounts they've been hacked several times. The always rotate their passwords and each have an authenticator. Blizzard's security sucks and always has. They're not willing to correct the problem. They're selling items to correct the problem and it doesn't work. They should be sued and lose.

    I still get phishing emails on that account saying there's been a problem with my WoW, and Diablo 3 account[s].

    I haven't played WoW for over 2 years, and never played D3. So where is the leak giving my email showing I had/have an account? On Blizzrd's end.

     

    you created a new account just for this.. wow.. just.. wow.. we should totally give you the benefit of the doubt for not feeding us BS..    really have to wonder at the agenda here, almost as if someone is trying to create enough of an uproar in the hope that blizzard will get wind of it and pay up out of court..  personally i'd sue the ambulance chaser..  god knows there are far too many of them, but it would be fun to make an example of at least one of them, shame hanging isnt an option image

    No, I didn't set up a new account. i usually don't post on the forums. I hve better things to do than troll these forums, unlike you. Glad you read the content of my post and commented on it, rather than just trying to start a flame war.

    I've been a member here a while. I usually only read the previews, reviews of the new games. I've long burned out on most MMO's. I started playng them since EQ 1st released. They're all the same and I'm not going to waste my $ on the same old thing. I only play a new game if I can try it for free. If not, then I'll stick to the free to play games; when I have time.

  • Dreamo84Dreamo84 Member UncommonPosts: 3,713
    Originally posted by Burntvet
    Originally posted by Fendel84M
    Originally posted by Edeus

    I just want to know why mmorpg.com couldnt stop promoting the latest mmo-whatever and actually do some reporting on this story.  It's interesting and obviously effects the industry...

     

     

    Maybe they thought some lame law suit with no real merit wasnt actually news?

    Well, it is not just this story, there have been several others in the last week that are simply not covered here.

    There is a big story brewing that Origins servers have been hacked and another loss of customer data, but not a word of that on here. (And, what do you know, EA is a paid advertiser here).

    So there are plenty of "legitimate news stories" that are passed over in favor of "Newsvertisements".

     

     Do companies really pay directly to advertise on websites anymore? I thought most of that was set up through sites like google that provide relevant advertising. I think thats how you find ads for competitors games on a game's website.

    image
Sign In or Register to comment.