World of Warcraft: Account “Hacking” out of Control
Last night, I logged in to my WoW account, got a request to join my guild for a raid, then sat there for 10 minutes. Eventually, the guild’s second in command came on the Vent to apologize for the delay, then explained to us that the guild leader (who has like 5 level 80s) got hacked and that all of his gear and everything from the guild bank was gone. One of the guys in Casualties of War (which is where all my other characters are) also got hacked a while back, and just got his account back.
The active rumor out there is that the Curse client has a keylogger in it. Curse asserts that their client is clean, AS LONG AS YOU GET IT FROM THEM. It seems a lot of people don’t want to pay for the added convenience that is in the Curse Premium Client, and have been downloading a “cracked” version from other sites, including torrents. Guess what, that kind of stuff may contain keyloggers. If you don’t want to pay for added functionality that is your prerogative, but if it causes you to get your account hijacked and all your virtual goods stolen, then I have no sympathy for you. Shame on you for stealing the intellectual property of others, and congratulations on your just deserts.
These examples I noted above, which are anecdotal reports, are just part of the discussion though. WOW.com reported a couple of weeks back that Blizzard is so inundated with trouble tickets from this kind of account and virtual goods theft that they just can’t keep up with it any more. They have taken to offering players a “Care Package” which contains gold, emblems, and items to get them back up and running again. That’s fine for a lot of people, but if you get your guild’s stuff taken and you want it back, then you are looking at weeks before they get to you to do an investigation and the possibility of recovering your items.
To battle this, rumor has it that Blizzard wants to require everyone to use the Blizzard Authenticator to log in to their accounts. I’d be interested in how they want to roll that one out to the user base. I think requiring hardware at this point would necessitate them distributing them at no charge, or including them in the box in Cataclysm. Some additional in-game benefit should be given to those of us who have already spent our $6.50 to secure our accounts. That concern is minor though.
What is the driver behind all of this account theft? Gold sellers. Gold takes time to farm. Time=money. Delays in delivering cause canceled orders. So if you are running a gold-selling business you can staff up and spend real money to have real people generate your fake money, or you can buy a keylogger and find a way to get it into wide distribution. Then all you have to do is log in to accounts that you capture and steal the gold, then sell it for real money to those who want to purchase it. Kinda pokes a hole in the “victimless crime” argument that proponents of gold selling like to make. There are real victims here. Blizzard is a victim. People who are inconvenienced or lose enjoyment are victims.
In part, Blizzard is a victim of their own policies. I lay part of this problem at their feet for banning bots but not being able to do the same with gold sellers. Part of the problem is how the Battle.net login reduces account security by giving the thief an incentive to also hijack the user’s email account. At least with bots, the sellers were in a perverse way earning their gold. Now they are just stealing it. So bots are getting crushed, demand remains the same or continues to rise, depending on who you believe, and all that gold that is getting sold has to come from somewhere.
What’s the solution? Increased account security with an Authenticator is an absolute minimum. I have checked the box on the launch page which remembers my account name, so I don’t have to type it in. If I never type it again, no keylogger can capture it. Make sure your email account has a different password than your game account. It’s not that hard to change it up. And NEVER share your user name and password with anyone.
Blizzard needs to keep developing their tools so they can more effectively track and ban accounts that participate in theft activity, as well as the down-the-line accounts where the proceeds end up.
I guess it’s a testament to the power of the gaming sphere that a stolen WoW account is now worth more on the black market than a stolen credit card number. We wanted gaming to be mainstream and now we are living with the criminal element that comes with anything that has potential monetization.
For all of us gamers, be careful out there. Don’t let one of these common criminals ruin your day.
-Genda
Recently a friend of mine got hacked. He was pretty sure he got the keylogger from a mod or something similar. But, if it wasn’t for his diligent friends, his account would have been completely trashed. So, if you notice friends logging on and off different characters and not responding to in-game chat messages and all of this happening at odd hours, then report them to a GM. Worst case scenario is your friend’s account is frozen for a few days while he tries to get it back from Blizzard, best case is you prevent the hacker from selling off all his stuff.
The funny thing is when logged in, the hacker stayed in Wintersgrasp the entire time. Apparently, there must be a mail box at the alliance camp there, which allowed him to access auctions as items got sold and to mail off the profits as well as sell items to the vendors in the camp. Lucky for my friend, he got his account back and all stolen items returned to him.
My advice: the best way to keep your account safe is to have friends watching your back in and out of the game.
I had my account hacked a long while ago, but that might be from the time I purchased some gold online. I am glad that I have an authenticator, but I think it sucks that it’s almost a requirement nowadays.
As for the curse client, I download the free version off their site, at least I did when I was using mods. Hopefully the free version is ok.
I don’t understand why Blizzard complain about security but recently forced us all to switch from using unique usernames to more obvious email addresses.
Also, the care package thing boggles my mind. Why not just offer a charged service for retrieving an account?
[...] WoW account hacking seems to be on the rise, it’s a minor concern to me and one I’m not actually that bothered about it. At the end [...]
>>I have checked the box on the launch page which remembers my account name, so I don’t have to type it in. If I never type it again, no key logger can capture it
I think your account name is stored in Config.wtf in cleartext. So no added security there.
Keyloggers log keystrokes. If no keystrokes are made, i.e. the typing in of one’s account name, the keylogger is unable to discover your account name.
[...] A couple of weeks ago, I logged into my e-mail account to find an e-mail from Blizzard Entertainment stating that my World of Warcraft account password had been changed; this was alarming, because I knew I hadn’t changed it, which could only mean one thing – my account was hacked. Gold farmers are having a glorious time making a living off of other peoples’ progress in game, and I had become their most recent victim. There are interesting articles online that explain the account hacking, so I won’t bother writing about it in this space. If you want to learn more, click here. [...]