Good Blizzard / Bad Blizzard
If you are even remotely familiar with video games, and even if you’re not, you’ve probably heard of World of Warcraft (WoW) and the company that created it: Blizzard Entertainment. World of Warcraft is a legitimate phenomenon with as many as 11.5 million monthly subscribers playing the popular massively multiplayer online role-playing game (MMORPG). WoW follows the Diablo, Warcraft, and Starcraft series and each was very well received. The reasons for this are many, but not least of these is Blizzard’s commitment to not releasing a game until they feel it is ready and meets their high standards. Whether or not this continues after the merger with Activision remains to be seen, but that’s not really why I’m writing this post.
As good as Blizzard’s games are, their online account management leaves something to be desired. Like pretty much every online game, WoW requires a username and password to log into the game. This username and password are vulnerable to keylogging software which can be installed without your knowledge through your web browser. This software runs on your computer and relays back information to the bad guys, who can log into your account and clean out your bank and everything of value. If you don’t play the game, this may not seem like a big deal. It’s just polygons and pixels, right? Sure, polygons and pixels that can be sold for as much as $1000 or more. One thousand actual United States dollars. Have a look and see what a geared level 80 toon is going for these days. People have invested weeks or months of time in their World of Warcraft characters and you would hope that this account information could be made secure, but this keylogger vulnerability is apparently fairly common.
I know this because recently a friend’s account was stolen. Someone gained his account information, changed his password, transferred his character to another server, sold all his stuff, and took all his gold. Cleaned him out. Adding insult to injury, Blizzard charges $25 to transfer your character to another server. And since they have your payment info for the monthly fee, they will conveniently charge that $25 to your account so you don’t have to reenter any messy payment info. They took his fake money and some real money to boot. I’ve heard that several others in my current and former guild have had their account stolen as well over the years so this isn’t uncommon.
Blizzard does offer a device to combat this vulnerability, but that device will cost you an extra $6. Instead what Blizzard could do, without much effort at all, is to confirm a password change, account transfer, etc., by simply emailing a confirmation link to the email address associated with the account. Or alternatively, requiring the answer to a security question. Easy. Lots of other sites do this or something similar. This only prevents part of the problem, but it’s an easy fix and with 11.5 million people paying $15 a month to play, Blizzard can surely afford to spend a little to make a more secure system.
The next step would be a bit more trouble, but not any more than the work required for the little USB device that they’ve created. Basically they just need to add an optional signed key solution. Log in to the web site, generate a signed key which is stored on your computer, and only allow a computer with a valid key file to log in to the game. Keys can only be activated through an email confirmation link. Problem solved. Instead, Blizzard is spending time and money chasing down these stolen accounts and trying to put everything back together for their customers. They’re spending untold amounts of time on a solution that is making no one happy, except possibly the thieves.
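The signed key file flow described above, as an added example (not from the original post or from Blizzard). The class and method names and the key-file format are hypothetical, and an HMAC under a server-held secret stands in for the signature.

```python
import hashlib
import hmac
import secrets


class DeviceKeyService:
    """Hypothetical server-side registry of per-computer key files."""

    def __init__(self, secret: bytes):
        self._secret = secret   # assumption: signing secret known only to the server
        self._keys = {}         # key_id -> {"account": str, "active": bool}
        self._pending = {}      # sha256(email token) -> key_id

    def _sign(self, account: str, key_id: str) -> str:
        msg = f"{account}:{key_id}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def issue_key(self, account: str):
        """Create an inactive key. Returns (key_file_contents, email_token)."""
        key_id = secrets.token_hex(16)
        email_token = secrets.token_urlsafe(32)   # goes only into the emailed link
        self._keys[key_id] = {"account": account, "active": False}
        self._pending[hashlib.sha256(email_token.encode()).hexdigest()] = key_id
        return f"{account}:{key_id}:{self._sign(account, key_id)}", email_token

    def confirm(self, email_token: str) -> bool:
        """Activate a key when its emailed link is followed; each link works once."""
        digest = hashlib.sha256(email_token.encode()).hexdigest()
        key_id = self._pending.pop(digest, None)
        if key_id is None:
            return False
        self._keys[key_id]["active"] = True
        return True

    def login_allowed(self, account: str, password_ok: bool, key_file: str) -> bool:
        """A correct password is not enough: the key file must verify and be active."""
        try:
            acct, key_id, sig = key_file.rsplit(":", 2)
        except ValueError:
            return False
        expected = self._sign(acct, key_id)
        if not hmac.compare_digest(sig.encode(), expected.encode()):
            return False
        record = self._keys.get(key_id)
        return bool(password_ok and acct == account and record and record["active"])
```

A password captured on its own fails this check because the key file never passes through the keyboard. Software that can read the user's files could still copy the key file, so the scheme narrows the exposure rather than removing it.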
Hear hear!!
I only wish they’d take our advice.
But alas, I’ll bet it’s fallen on deaf ears.
I have offered Blizzard to install SoundPass, which is the strongest MFA security solution available for less than 50 cents per user per year and it maintains the current user’s login credentials adding an automatic virtual token that can not be stolen. It is simple to deploy, user friendly and highly secure. Anheuser-Busch Employees’ Credit Union has been operating the NCR online banking system under SoundPass protection for 2 years at all of their branches across the USA, including Sea World branches and this is what they are saying:
“OHVA’s SoundPass is a cutting edge solution. We feel it offers our members the highest level of security available.”
– David Gray, Manager, Electronic Services, Anheuser-Busch Employees’ Credit Union and Division
For whatever reason, Blizzard is not interested in such a solution.