I am copying this from the most excellent thread on SomethingAwful by Incoherence that can be found here. Full credit goes to him for being thorough and complete.

Welcome to the magical world of "popular online games with semi-liquid currency". If you place any value at all in your Battle.net account, you're going to want to pay attention to account security issues. Hopefully this post will limit the number of stupid questions you feel compelled to ask about the topic.

If you wish to see the same information as this post with bigger text and more pictures (because you are five years old), Blizzard has a page on account security with very similar information but with more exhortations not to buy gold (because that's what started this mess).

If you don't even have that much patience, here's the executive summary: buy an authenticator. (It comes as a plastic token or as an app for iPod/iPhone and Android. The iPod/iPhone and Android versions are free, so you have no excuse.) Seriously. Do it now.

Why Battle.net accounts?

A report from Symantec in mid-2007 stated that WoW accounts were more valuable on the black market than stolen credit card numbers, in part because you're less likely to get the cops coming after you if you steal a WoW account, but in part because the value on a WoW account is fairly easy to strip. (I'm sure this is still true, but haven't seen a more recent reference.) D3 accounts have a similar benefit/drawback.

What value, you ask? Gold selling. Gold selling companies do not keep a large stash of gold around for each of the several hundred WoW servers: the mule characters look suspicious to Blizzard GMs and if a mule account gets banned, the gold selling company is out a fair amount of money. Instead, what they tend to do is steal a bunch of people's account credentials, check what servers those accounts have characters of value on, and wait until they get an order on that server.

When they get an order, they take one of the compromised accounts on that server, sell anything that can be easily removed (anything with a vendor value, basically, including guild bank contents if the character has access), and ship the gold off immediately. They may also use compromised accounts as short-term mules, or as mining bots using a teleport hack. (This is why you'll occasionally see someone get a compromised account back with a shitload of ore, or other valuable items.) But if the account gets banned, or the victim takes it back, no big deal: they got their money, and they'll just move on to the next one.

Types of attacks


Phishing works like this: An attacker sends you an email, or an ingame whisper, or makes a level 1 alt and runs it to a city, to try to convince you to go to some site the attacker controls. The message may claim that you've won some prize, it may claim Blizzard needs to "confirm" something by having you reenter credentials, or it may claim that Blizzard is taking action against your account unless you go to their website. Once there, the website may look more or less like a real Blizzard page, and tries to get you to enter your username/password. These usernames and passwords then go into the big list of compromised accounts I mentioned earlier.

How to not get phished:
  • Get an authenticator. Unless you manage to type your authenticator key into the phishing site (and even then it makes the attacker's life more difficult than if you didn't have one), you're pretty safe from phishing. If you're not sure why this helps, read the Appendix on how authenticators work at the bottom of this post.
  • Be very suspicious of emails that claim to be from Blizzard. From addresses in emails are easy to spoof. Links may LOOK like they go to worldofwarcraft.com, but when you click on them they go to a phishing site worldofwarcratf.com; most mail clients (including webmail clients) will allow you to mouse-over links and see where they go before you click on them.
  • Better option: don't click on links in emails. Ever. Banking websites have become pretty good at this: they won't even provide a link to their website in an email, but will make you type it in or copy it from plaintext. The whole point of the phishing email is to get you to click on the link. (Corollary: if there's no link and no mention of a website, it's probably not phishing. The exception is an email asking you to reply with your password, which is the same scam with less effort.)
  • Before you type your Battle.net username/password into a website, check the URL. If it's not an official Blizzard site, don't do it.
  • Also, check to see if the connection is secured: your browser will have some sign somewhere (usually something obvious like a padlock or turning the address bar a different color) telling you the SSL certificate and other nerd shit checks out. A URL saying "https" instead of "http" is not enough: a phishing site can have a perfectly valid certificate for its own lookalike domain, so the certificate only proves you're talking to whatever domain is in the address bar, and you still have to read that domain. (And if it's https and your browser DOESN'T tell you it's secure, that's a giant red flag.)
  • Don't be a gullible idiot. No, you have not won some special prize from Blizzard, and even if you had, they wouldn't have sent you a tell on a level 1 warrior named "Xwefoilkc".
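The "mouse over the link and see where it really goes" advice above, done programmatically. This is an added example, not code from the original post: it pulls every link out of an email's HTML, compares the visible text with the real destination, and flags domains that are a typo away from an official one. The list of official domains, the sample email and the edit-distance threshold are assumptions made for the example (the "worldofwarcratf.com" lookalike is the post's own).

```python
"""Check where the links in a phishing-style email actually go.
Added example; the OFFICIAL_DOMAINS list and SAMPLE_EMAIL are constructed
for illustration and are not from the original post."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: these are the only registrable domains we treat as Blizzard's.
OFFICIAL_DOMAINS = {"battle.net", "blizzard.com", "worldofwarcraft.com"}
LOOKALIKE_THRESHOLD = 2   # assumption: <=2 edits from an official domain is a typo-squat


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname: 'us.battle.net' -> 'battle.net'.
    Good enough for these domains; a real tool would use the public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot typo-squatted domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class LinkCollector(HTMLParser):
    """Pairs each <a href="..."> with the text the reader actually sees."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html: str) -> list:
    """One verdict per link:
       official  - destination is an official domain
       mismatch  - text names an official domain, destination does not
       lookalike - destination is a typo away from an official domain
       unknown   - not Blizzard at all (treat as untrusted)"""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        domain = registrable_domain(urlparse(href).hostname or "")
        verdict = "official" if domain in OFFICIAL_DOMAINS else "unknown"
        if verdict != "official":
            named = any(d in text.lower() for d in OFFICIAL_DOMAINS)
            if named:
                verdict = "mismatch"
            elif any(edit_distance(domain, d) <= LOOKALIKE_THRESHOLD for d in OFFICIAL_DOMAINS):
                verdict = "lookalike"
        findings.append({"href": href, "text": text, "domain": domain, "verdict": verdict})
    return findings


# Constructed sample email (not a real message).
SAMPLE_EMAIL = """<p>Your account will be suspended. Log in at
<a href="http://worldofwarcratf.com/login">worldofwarcraft.com</a> to confirm.</p>
<p>Or visit <a href="https://us.battle.net/support/">Battle.net support</a>.</p>
<p>Claim your prize: <a href="http://203.0.113.7/claim">click here</a></p>
<p>Account tools: <a href="http://blizzzard.com/tools">here</a></p>
"""

if __name__ == "__main__":
    for finding in check_links(SAMPLE_EMAIL):
        print(f"{finding['verdict']:9s} {finding['text']!r:28s} -> {finding['href']}")
```

The first link is the classic case from the bullet above: the text reads worldofwarcraft.com, the href goes to worldofwarcratf.com. Anything that comes back as "mismatch" or "lookalike" is the link you should not click, and "unknown" means it isn't Blizzard at all.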

Keylogging and other malware

Attacker crafts a program which runs in the background, notices when someone types a username/password into a B.net game client (this is not terribly difficult), and sends the username/password back to the attacker. That part's not too hard. The only hard part is getting it onto the system of someone with a WoW or D3 account. Common vectors: getting people to download an executable which looks legitimate but isn't, and using old vulnerabilities in unpatched versions of browsers, Adobe Reader, and Flash. (Most of these folks aren't smart enough to make their own exploits, but it's commonly known that attackers will reverse-engineer security patches to Windows and other popular software to try and exploit the vulnerability on unpatched machines.)

How to not get keylogged (as much):
  • Get an authenticator. It's not 100%, but it makes the attacker's life much harder. See the next section. If you're not sure why this helps, read the Appendix on how authenticators work at the bottom of this post.
  • Be extremely suspicious of executables. WoW addons do not require executables to install, and if someone tries to convince you otherwise it's probably a keylogger. There are exceptions (the various flavors of "addon updaters", a couple of complicated addons), but you should be very careful to only open them if you trust the source.
  • Don't use an old browser. If you're using IE6 still, upgrade it, then kill yourself for still using IE6. If you're using IE7, upgrade. If you're using a two-year-old Firefox or Safari version, or if you somehow managed to turn off the Chrome updates, upgrade that too. Now that you've done this, make sure the auto-update feature is on. The moment a security patch comes out that you don't have, you're now far more vulnerable to the exploit than you were before the patch came out.
  • Also update your plugins: Flash and Adobe Reader especially, but stuff like Java and QuickTime as well.
  • AdBlock is not a bad idea, especially for sites which have had problems with bad ads in the past (most of them).
  • If you can stand to use FlashBlock or similar, do so, for the same reason (besides, Flash ads are annoying).
  • Again, don't be a gullible idiot. You are not going to be able to hack yourself to 99999 of all stats and level 999 by downloading some program. It's a keylogger. (Or a private server client, I guess.)

But I practice "safe browsing" and all that other bullshit and will never get hacked!

Get one anyway. When you do get hacked, you will come in here and be totally confused about why you got hacked, and the first response to you will be something like "why didn't you get an authenticator, you numbskull". Also, the first sign you will have that you were hacked is that you will be notified by email that an authenticator has been added to your account, which will cause you additional pain because you will have to call Blizzard (and thus get out of bed at a reasonable hour instead of sleeping until 5pm and playing video games all night) and get them to remove the authenticator before filing a GM ticket to get your shit back.

Oh, and if your D3 account gets hacked once, you will be unable to use the RMAH without an authenticator. If your D3 account gets hacked twice, you will be permanently unable to use the RMAH. (source)

What about that authenticator hack?


No, seriously, get an authenticator anyway. Are you throwing your condoms out because they're only 99% effective? No, of course not. (Oh, wait, goons. Bad example. Shit.) So why are you skipping the authenticator because it's only 99% effective? (Sidenote: Nothing in computer security is 100% effective. The whole point is to make it unnecessarily expensive and/or time-consuming, to the point where the attacker finds something better to do with his/her time.)

In order to steal the credentials of someone using an authenticator, you have to log in on his/her behalf in real time. Basically, the attack works like this: victim acquires malware somehow, victim logs into WoW, malware steals username/password/authenticator code (possibly based on some signal from an attacker-controlled server), malware disconnects victim and probably locks him/her out for 30 minutes or so, malware immediately sends information to attacker-controlled server, attacker logs in immediately as victim before the authenticator code expires, attacker strips gold from account before victim gets too suspicious. Alternate version: after malware disconnects victim, you hope the victim tries to log in again with the next code, you use those two consecutive codes to remove the authenticator, and you hope the victim doesn't notice for awhile. Both of these are way harder to pull off than the garden-variety malware, because they imply that the attacker can log in as the victim immediately, that the malware can screw with traffic between the machine and Blizzard, and that the attacker can mule the gold somewhere quickly.

But remember what I said about how gold sellers operate? They don't like having mules loaded down with gold, because mules get banned and take the gold with them. So not only is it more expensive to steal the gold, it's more expensive to hold onto it. This increases their cost of doing business, making it more likely they'll go out of business and/or fuck off and leave WoW/D3 accounts alone (ha).

So yes, this hack exists, authenticators do not make you 100% secure, and you should get one anyway.

Given this, I'll throw in one bonus tip: never type in consecutive authenticator codes for any reason unless you are doing so in order to remove the authenticator (which you should only do if you're changing to a different type of authenticator or upgrading your phone version, since the phone authenticator tends to change its serial number when major phone upgrades happen).

Does the dial-in authenticator work?

More or less. You're at the mercy of Blizzard's "suspicious activity" detection here: obviously if they notice the hacker trying to log in, it'll help, but if they don't, you're just as screwed as if you didn't have one at all. This isn't exactly a difficult problem for Blizzard to solve, so you should be okay, but I'm paranoid. Also, it only works for WoW and the website for some inexplicable reason. Recommendation: Use it as a stopgap until you can get a better authenticator.

I noticed Blizzard doesn't ask for an authenticator code every time; is there a problem?

Not really, although if it bothers you you can turn it off on the battle.net website so that it asks you every single time. Again, I'm paranoid and could think of attack vectors that are possible with this "optimization" (intended for people who get disconnected mid-raid and start breaking out in hives while they type in a 6 digit number to get back into the game).

What about emulated authenticators?

Occasionally you'll see someone post a method of running an authenticator on your computer without the need for a phone or a token. Usually this involves emulating a phone environment and installing the authenticator app through it; the most common one I've seen involves the old Java-phone authenticator, although you could probably also emulate Android.

Is this a good idea? It's better than not having an authenticator, certainly, so if you live in some moon country where you can't get the plastic token shipped to you and you can't get any phone capable of running an authenticator, you may as well.

But you can imagine that this is somewhat easier to crack than a separate device. If you have a keylogger, you already have some kind of malicious program running; the question then is what the malicious program can do aside from "log your keystrokes". You could imagine that if a lot of people used this emulation method, the attackers might modify their malware to go looking through your hard drive for an emulator with an authenticator installed on top of it, and could get the secret key from inside it, at which point you're fucked. But this is all theoretical until someone actually goes through the trouble to do it.

You could also run it on a separate machine that you don't log into Blizzard games or sites on, but now you have a very heavy, expensive authenticator.

Bottom line: if it's possible for you to use a standalone authenticator, do it.

Other tips
  • Don't use the same username/password for B.net that you do for other shit, particularly websites related to those games. Popular web-forum software like the kind your guild uses probably also has some flavor of vulnerability which might allow an attacker the ability to steal usernames/passwords from it and, just for the hell of it, try them in WoW. Same goes for your email password: using the same username/password for Gmail that you do for B.net is a tremendously bad idea in both directions.
  • Note that if your account gets hacked, and the attacker wishes to keep it for more than ten minutes, they'll probably attach an authenticator just to make the account harder to take back. This is another reason you should attach yours first: presumably you, too, wish to keep your account for more than ten minutes.

Appendix: How does an authenticator work?

Short version: It's a time-based one-time-code security token. In particular, the plastic token is a standard Vasco token with some custom branding on it, and the phone version is just an app that uses the same principle.

If that doesn't mean anything to you because you don't speak computer security:

The idea of the authenticator is to set up a second channel through which Blizzard can prove who you are: this is called "two-factor authentication", and combines something you have (the authenticator or the phone) and something you know (your password), on the assumption that it's difficult for an attacker to take both at once. The tokens are the same sort of security used for banks, confidential corporate information, and so forth, so if someone cracked the algorithm behind them (which is rather difficult), they'd probably be doing some kind of corporate espionage rather than dicking around with WoW accounts. (The closest thing to this that has actually happened was the 2011 breach at RSA, which has a similar system: the attackers didn't crack the algorithm, they stole the database of secret keys behind the tokens, which is the other way to break a scheme like this.)

Each authenticator contains three things: a clock, a secret key (which is not necessarily the serial number!), and a function which takes the time and the secret key and generates a number. The function is well-known; the secret key is not. Each code is good for about 30 seconds, after which point the authenticator function returns something different. (On Blizzard's end, they'll accept one or two codes in either direction, in case your authenticator has a fast or slow clock or you type it in too slowly.) And each code is only good once: once used, Blizzard won't let you log in with that code again. So simply stealing the authenticator code only really buys you one login within the next minute or so.

You can imagine that Blizzard (or their vendor Vasco) has a big database somewhere with the serial number of every authenticator token ever made and the associated secret key. When you type the serial number into the "add an authenticator" page, Blizzard then associates that secret key with your account. The phone version works a bit differently, since there's no "manufacturing" a downloaded app. Not totally sure of the exact method, but I assume it works on the assumption that your phone is not compromised to begin with. So when you launch the app for the first time, it talks to some Blizzard servers and negotiates a secret key through some other method that may or may not have anything to do with the "serial number" on the app.

Now you and Blizzard have a shared secret which was negotiated over a separate channel (either the postal service or your phone's data connection) from the one you're going to use later (your computer's Internet connection). If you can't convince Blizzard that you know the shared secret (say, because your password gets keylogged and the person logging in as you isn't really you), you don't get to log in.

Okay, so now you're logging in. You press the "get code" button on your authenticator, and the authenticator takes the current time and displays a code. When you send it to Blizzard, their servers use the secret key they have associated with your account and do the same calculation, plus or minus a couple codes in case your plastic token has a shitty clock. If the codes match, Blizzard can now confirm that you still have the authenticator.
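Here is the scheme the appendix describes, written out, along with the reason the "authenticator hack" section says a stolen code buys the attacker only one login in the next minute or so. This is an added example, not Blizzard's or Vasco's code: Blizzard's exact algorithm isn't on this page, so it uses the standard TOTP construction (RFC 6238: HMAC of the current 30-second counter, keyed with the shared secret, truncated to six digits), which is the "well-known function of the time and the secret key" the appendix talks about. The secret, the one-step skew window, the single-use bookkeeping and the timestamps in the scenario are all assumptions made for the example.

```python
"""Time-based one-time codes, token side and server side.
Added example following RFC 6238 (HMAC-SHA1 TOTP); NOT Blizzard's or
Vasco's implementation. Secret, window size and scenario are assumptions."""
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # how long one code stays valid (the appendix says ~30s)
DIGITS = 6
SKEW_STEPS = 1      # accept one code either side, for slow clocks / slow typing


def totp_code(secret: bytes, unix_time: int) -> str:
    """What the token does: HMAC the current 30-second counter with the secret,
    then take six decimal digits out of it (RFC 4226 dynamic truncation)."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


class AuthenticatorServer:
    """What Blizzard's end does: the same calculation with the secret it has on
    file for your account, plus or minus a couple of codes, and each counter
    value accepted only once (the 'each code is only good once' rule)."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.used_counters = set()   # assumption: in-memory replay record

    def verify(self, code: str, unix_time: int) -> bool:
        now = unix_time // STEP_SECONDS
        for counter in range(now - SKEW_STEPS, now + SKEW_STEPS + 1):
            expected = totp_code(self.secret, counter * STEP_SECONDS)
            if hmac.compare_digest(expected, code):
                if counter in self.used_counters:
                    return False          # replayed code: already spent
                self.used_counters.add(counter)
                return True
        return False                      # wrong code, or outside the window


def demo() -> dict:
    """Constructed scenario (assumed secret and timestamps):
    an honest login, a replay of the same code, and the real-time relay attack
    from the 'authenticator hack' section, tried fast and tried slow."""
    secret = b"not-a-real-seed-just-an-example!"
    t = 1_700_000_000
    code = totp_code(secret, t)           # what the victim's token shows at time t

    honest = AuthenticatorServer(secret)
    victim_logs_in = honest.verify(code, t)        # victim uses the code: accepted
    replay = honest.verify(code, t + 5)            # same code again: rejected

    # Relay attack: malware grabs the code and the victim never gets to use it.
    relayed = AuthenticatorServer(secret)
    attacker_fast = relayed.verify(code, t + 20)   # within +/-1 step: accepted
    attacker_slow = relayed.verify(code, t + 120)  # four steps later: rejected

    return {
        "victim_logs_in": victim_logs_in,
        "replay_same_code": replay,
        "attacker_relay_fast": attacker_fast,
        "attacker_relay_slow": attacker_slow,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22s} {'accepted' if result else 'rejected'}")
```

The two server-side rules are what make the attack in "What about that authenticator hack?" expensive: the skew window means the attacker must log in within a step or so of the victim's token showing the code, and the used-counter record means the same code never works twice, so the only path is the real-time relay, and even that yields exactly one session.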