Monday, January 11, 2010

Don’t blame Blizzard – blame the user

WoW.com reported (posted?) today several interesting tidbits about Blizzard; mandatory authenticators (maybe), long queues for account retrieval (with pressure for reduced returns), and some social engineering hack against the administration team. While this may not come as a complete shock to everyone, I’m sure that there are more than a few folks who didn’t see this news coming. In particular, the news about the authenticators and the reduced return on a hacked account seems to be drawing the most heat. To be completely fair though, I think the HFB nerf that rogues got is getting more blue time.

Mandatory Authenticators

RSA SecureID authentication is not a new concept in the IT Security world. Strong authentication has always included multiple layers – both something you know, and something you have. Short of extreme circumstances, or the user being a complete idiot regarding security, it’s very difficult to get your hands on both of these keys. I’ve been using a SecureID for years now to access my servers remotely via Citrix, and I’ve never had an account compromise.

Blizzard authenticators are the exact same SecureID, just with a Blizzard logo on them (in fact I’ve grabbed the wrong one before) to keep their product name out there. In addition to having the fob keychain piece, you can also get an authenticator through the iTunes app store (for free if I remember correctly). If you want a physical device, I believe the cost is five dollars or some such. This basically covers the cost of shipping the thing, and pays for someone to put it in the envelope.

Personally, I like the idea of having authenticators be mandatory – but I’d wait until the shipment of Cataclysm to do it. Put an authenticator in every box of Diablo, Diablo 2, Starcraft, Warcraft, etc. This way there’s zero chance that someone who purchases the game won’t have one. Once you get home you can pitch the authenticator if you already have one, or add that authenticator to your account. It would certainly eliminate the need for extra shipping costs, and the actual cost of the authenticators would be covered by the reduced man-hours required for account retrieval.

Account retrieval queues

This is another point where I’m going to side with Blizzard. Looking over logs takes time, a lot of time. You have to be vigilant against the player who is trying to scam the system for more gold/epics, the habitual player who’s had four recoveries this month, and gather evidence at the same time. While this isn’t a criminal investigation (as opposed to say, someone stealing your corporate files), this is still an investigation that will probably lead to an account or three getting banned.

Let’s suppose however that each account retrieval takes about an hour to complete, from the time the ticket lands on someone’s desk – to the time you have your stuff back. While I don’t know the numbers on how many accounts are compromised every year, this person could handle (if they did nothing else) about two-thousand eighty (2080) account retrievals in a year. Even if that employee’s salary is say - $35,000/yr, you’re looking at purchasing 7000 authenticators (at $5 each). This means you could protect three times the number of people, for the cost of one employee’s salary (the number goes up higher when you consider all the other costs associated with retaining an employee).

What Blizzard has done in the interim, is to offer (as a choice, not mandatory) a quick band-aid solution in the way of a care package. In an official update, Blizzard stated that you’d get your soulbound items back (95% of your raid gear) along with 2500g and some emblems. So if you’re not in desperate need of those bank items, you can be back up and running almost instantly. Of course if you have full guild bank access, plus a sizeable stack of gold, this might not be the way to go.

One question I did have about the care packet though – is that issued to every toon on the account? If you made your maximum number of characters, that’s a pretty penny. Of course in my case, I’d be out quite a bit more than that in gold, plus the consumables I have squirreled away.

Social-Engineering

People, as a general rule, want to be helpful. Sure, in game you have your share of rudeness (internet anonymity at its best), but there are also tons of folks who are willing to go out of their way to help you out. This is no different in the real world, where a bit of smooth talking and fast thinking can get you in easier than following the rules.

Part of this comes from a lack of training, and part from the type of folks who generally hold the exploited positions. While I’m not going to write a book on Social Engineering (there are some good ones out there), I will say that I can understand how this kind of thing happens. Especially when the staff aren’t trained properly.

First, the administrators have a long queue of calls to handle. I’m sure they have some program that shows them who’s on hold, and how long they’ve been on hold. Second, they probably have a metric by which they are measured, stating that they should handle x calls in y time. When you combine these two factors, you have someone who wants to give you what you need (so they get a good review), and give it to you in a timely manner (so they can get to the next call and not get fired). This leads to all kinds of openings for exploitation, and I’m glad to see that Blizzard has recognized this and is working to fix it.

Conclusion

In short, it should be fairly simple to see why Blizzard is leaning towards mandatory authenticators, and has offered the care package instead of waiting for full account restoration. I expect we’ll see the care package sweetened in the near future, though I’m not sure we’ll ever see numbers on how many take the deal.

Edit: Should have posted this Friday, as WoW.com has put up a similar defense already.

1 comment:

  1. Nice post. From working in a call center myself I know that social engineering can be difficult to circumvent. However I would have to say, from personal experience the call time metric does not significantly increase fraudsters ability to circumvent the system. It is much more important that centers recieve the proper verification from the caller and handel the call properly thus avoiding fraud. The biggest way to prevent this type of issue is training and experience.

    ReplyDelete

Note: Only a member of this blog may post a comment.