Friday, November 12, 2010

Thoughts on the Authenticator

In a thread on the Guild Relations Forum, Karamoone of Dark Iron expresses a view on the Blizzard Authenticator that I've often seen espoused by various "power users" or highly technical people:
I don't get malware on my PC, and if I did I'd look at blocking the infection vector (to prevent things like my credit card number and SSN from getting snagged) rather than just slapping on a band-aid to protect access to one video game. If I played on insecure PCs I'd get one in a heartbeat, but I only play on one PC. I'll probably set up the phone number authenticator, since it doesn't involve any additional annoyance in my normal style of play, but that doesn't count for the 'require authenticator' ranks in a guild.

This authenticator madness seems to me to be driven by a bunch of people with really unsafe computing habits who pick up malware routinely, but don't want to believe they're being incautious so choose to believe that everyone has a parade of keyloggers on their systems.

...

But really, I think if you're going to analogize to home security, it really makes more sense to analogize the house to a computer than to a single video game, since the house has multiple valuable things in it and isn't used just for the one game. The game account is better represented as a collection of RPG character sheets or a single board game. So really, getting the authenticator is like getting a safe to store the paper character sheets for your RPG characters while leaving your credit cards, emergency cash, SSN card, and title documents out in the open on your desk, and the attitude some people are expressing is like not worrying about a break-in because they couldn't get to your character sheets.

I think this attitude is somewhat hubristic. I've never been hacked or had a virus, and I try my best to keep my computer secure. But I'm only human, and I can make mistakes. Maybe some of the hackers are smarter than me, and might outwit me. Maybe one of the people I rely on to help me keep my computer safe will themselves make a mistake and let me down. (And this is the worst, because sometimes I might not realize that they let me down.)

To go back to the analogy, a house has multiple vectors for a break-in. They might come through the doors, the windows, maybe even the wall or the roof. I can harden each potential attack vector, but I might make a mistake. Or maybe a new attack that I did not anticipate will appear. Adding the safe to protect my RPG sheets might be a good idea if I care that much about them, or if losing them will negatively affect other people.

I looked at the authenticator and decided the trade-off was worth it. It was fairly cheap, and typing in the authenticator code is pretty quick and doesn't add that much more to the login process. Plus, I got a corehound.

An extra layer of security is never to be sneered at.

As well, consider that this layer of security is verifiable. If you are in a partnership with someone else online or at a distance, you can't tell whether she follows good computing practices. All you have to go on is her word that she is doing things correctly. An authenticator can be verified (a guild can require one for a rank), and so acts as a guarantee. You hope that your partner is doing everything else correctly, but if it turns out she isn't, at least she had an authenticator, which helped protect your interests.

In many ways, your authenticator is not so much about protecting your interests--though it definitely does that--but about signalling to others that their interests will not be attacked through you.

19 comments:

  1. Personally, I work on Antivirus software and the instant I was able to, I got an authenticator. Malware is increasing in sophistication, and more and more of it is targeted at unpatched operating system exploits. You can get infected with stuff with the best protection in place. Additionally your home network is only as secure as the weakest link. Got a relative who comes over with their malware-encrusted laptop? The instant they hop on your network, you could be compromised.

    Besides that, Blizzard make the authenticator available for free. There's really no reason not to use one. Hell if you ask me, they should include one in the box with retail copies.

  2. I've seen a lot of people post things like that, and it really annoys me. I've known people who had very secure computers with up to date virus scanners get caught by a keylogger and hacked, just because the keylogger was made to get around the protection. Assuming that anybody who was being careful is safe reminds me of the people who used to (before 2001) say there'd never be a terrorist attack on US soil.

    It's not like the authenticator is a huge breach of privacy or something super expensive. It's a free (or very cheap if you get the physical version) way to keep your account safe.

  3. Never posted here before, but this is rather an important topic. Some variation of the quoted text is so commonly given out by "experts" that many people seem to think it's the common expert opinion. I'm posting to say that's not true. Experts with real world computer security experience are very likely to already own one of the authenticator types. Hell, most likely they bought one the day they became available. Snarky comments like the quote generally only come from those with book knowledge who have yet to be tested in the real world of "yes, China is trying to get into your computers and yes they know what they are doing."

    The actual expert opinion is, "why have you not acquired one of these yet? Shoo, shoo, go buy one now."

  4. I have nightmares about my authenticator getting lost (same nightmare I have about my wallet). I imagine the process for getting it replaced would not be fun.

    I also know that WoW is riddled with people that like to share account information. This is probably the true reason for the "techno stud" stance on the forums.

  5. @Big Heals

    The process for getting it replaced/removed is actually not so difficult. I had mine removed within 24 hours of losing it, simply by scanning and emailing a copy of something that identified me as the owner of the account to Blizzard, and filling out a form indicating what it was that I wanted to be done (in this case removing the Authenticator). I've since gone with the mobile authenticator to avoid losing it, and written down the serial number just in case. If you have the serial number, it's much easier to remove it.

  6. Also, is it not possible that they acquired your password through some trickery (maybe you responded to that beta email or you logged into some fake Blizzard site) and then they simply logged into your account from an outside computer? Just because they "hack" your character does not mean that you have a virus or worm or whatever on your home computer. In this case whatever you did to give out your password was dumb (but a lot of people fall for these tricks) and would have been stopped if you had an authenticator.

  7. A really annoying commentary imo - it's arrogant and makes people believe that the only one responsible for a viral attack or hack on your PC is you. No it's not.

    It's true that you can diminish the risk of malware attacks by using the internet with care, running addons and security programs and whatnot to shield yourself. However, not everyone has the same PC knowledge and even if you do, that doesn't make you 100% safe from breach.
    It sounds awfully like blaming the victim to me if you tell a person that the reason he was hacked is because he is such a 'noob' and that really, if you wanna use the internet you need to have all that extra knowledge. Well, you shouldn't have to. It's gotten to an extent where many people simply feel lost.

    I encourage everybody to get the authenticator, whether you run a 'super-safe' system or not. It's an extra measure of safety that is imo worth it to protect your WoW account.

  8. I'm in a large guild and in the last two years I've seen dozens of people hacked that thought they were safe users. My first question is always ... "Did you have an authenticator?" The answer is always, "No, but I've got one on order". Our guild bank has been hit a few times but the worst was when our guild master got hit and hundreds of thousands of gold and items were temporarily gone. Our raiding schedule got interrupted as we had to quickly create a temporary guild with donated gold/mats so we could continue to raid.

    With the new guild features we have instituted a new policy that if you want to raid in Cataclysm you need to have an authenticator. Even after all our problems people are whining about it. I don't get it but don't really care. If someone doesn't care enough about their fellow raiders to protect the guild with an authenticator then they don't deserve to raid with us anyway.

  9. As the GM of a guild, I was hacked roughly two years ago and it was much more devastating to the guild than to my personal stores. Most of what they took was armor saved for alts and my RP wardrobe, but the guild bank, all the time and effort, was destroyed. Luckily we got it back, and that was before this big surge in attacks and authenticator awareness. Since then we have been hit a few more times and it opens someone's eyes to what that extra layer of security means.

    Yes...it is a little annoying when you DC in a fight and have to drudge out your phone (for me, I use the mobile authenticator) which you may or may not have had sitting in front of you.

    But I don't think that you keep up your part of the "partnership" as you so excellently put it, when you don't have one.

    The level of sophistication the emails are reaching to snag the account information is unprecedented. The latest one I saw, was 1 mistake away from seeming legitimate. The grammar perfect...the email, perfect...and it was believable that the account information had been changed.

    The more we try to protect it all, the more they try to get in and by not having an authenticator you are doing yourself, and your playmates, an injustice.

  10. I've had several people I know hacked who aren't even playing anymore. So, it isn't like a keylogger got their password or something.

    But the real thing is, if they want to hack your account and they have the know how they will. The goal is to make it so it is easier and more cost effective to hack someone else's account. So, I'm all for these silly people with their hubris not getting authenticators. I just wish people didn't accept their "expert" opinion. :/

  11. Agreed. The verifiability feature alone is what makes authenticators valuable to me. It's sort of like having hand sanitizer with you so you don't catch anything from anyone else.

    Prior to the advent of the Core-Hound Pup (and now the in-game setting that allows for requiring authenticators for certain ranks), Minions of Khaos had several instances of guild bank theft via hacked accounts. Granted, only one of those instances was anyone who could have done real damage, but now we don't have to worry about valuables and gold disappearing due to someone else's poor computer security habits.

    In addition, the guy you're quoting is forgetting something: no matter how good he is at security, there will likely be a better trojan or virus or malware or keylogger programmer out there. It's sort of like saying that I'm smart enough not to expose myself to sick people so there's no reason to eat a healthy diet and keep my immune system strong. Life just doesn't work that way.

  12. As soon as the mobile authenticator became available for iPhone I got it; thanks to Blizz, it is really hard to get one delivered to South Africa :/ My main reasoning for wanting it is the huge amount of phishing mail I have been getting for years that claims my account is suspended. As Tarinae mentions, the sophistication of these mails is just getting better and better. I just wish my damn bank would get a similar system for private accounts.

    ps It is not like it takes ages to get back in if a DC happens.

  13. The Authenticator is largely a boondoggle. What you're missing is that all these 'keyloggers' constitute man-in-the-middle attacks that only need minor adaptation to deal with the Authenticator. So while the Authenticator will deal with current threats, it will be obsolete in about a month. In essence, two passwords is no more secure than one when both passwords are going through the same place.

  14. However the second password is on a very quick expiry timer. While it's certainly possible for someone to be able to log both passwords and quickly turn around and log in, it's fairly unlikely.

    But as was mentioned by other comments, that doesn't mean it's impossible. But it also doesn't mean the authenticator is useless. It is still a very strong added security measure.

  15. So while the Authenticator will deal with current threats, it will be obsolete in about a month.

    The authenticator has been in use for over a year and no verified hacks have been found.

    Your hypothesis has been falsified.

  16. I haven't seen any data from Blizzard on the authenticator's effectiveness. I still believe the biggest opponents to it are people that account share.

  17. "The Authenticator is largely a boondoggle. What you're missing is that all these 'keyloggers' constitute man-in-the-middle attacks that only need minor adaptation to deal with the Authenticator."

    I love "experts" that say things like this. I've heard the man-in-the-middle excuse from my guildies as well. The thing is ... this gives them like 30 seconds to log in and while it is possible it is very rare.

    Here's the other thing most people miss. The reason it usually takes so long to get your account back is because the keylogger put an authenticator on the account which has to be investigated. While it is ironic that keyloggers want to use an authenticator, it would be impossible for them to do this if you already had one on your account in the first place.

    Bottom line - You can keep your head in the sand but expect to find fewer and fewer guilds that will accept people like you.

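Comments 13, 14 and 17 above argue over whether a keylogger that captures the one-time code along with the password defeats the authenticator. The following is an added example, not code from the original post, from Blizzard, or from any commenter. It implements a standard RFC 6238 time-based one-time password (the Blizzard Authenticator is a Vasco token and this page does not describe its exact algorithm, so RFC 6238 with HMAC-SHA1, six digits and a 30-second step is assumed as a stand-in) together with a server-side check that only accepts codes from the current step plus one step of clock drift and records the highest step already consumed, so a code cannot be replayed. The secret, the timestamps and the `keylogger_scenario` timeline are constructed for illustration.

```python
# Added example, not from the original post or from Blizzard: a minimal
# RFC 6238 TOTP generator plus a server-side verifier that rejects expired
# and replayed codes. Secret, timestamps and timeline are constructed.
import hashlib
import hmac
import struct

STEP = 30    # seconds per code; RFC 6238 default, assumed for the token
DIGITS = 6   # assumed code length
SKEW = 1     # steps of clock drift tolerated either side (assumption)


def totp(secret: bytes, t: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP(secret, floor(t / step)) with HMAC-SHA1."""
    counter = t // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class Verifier:
    """Server side of the login: one shared secret per account."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = -1   # highest time step already consumed

    def verify(self, code: str, now: int) -> bool:
        counter = now // STEP
        for c in range(counter - SKEW, counter + SKEW + 1):
            if c <= self.last_counter:
                continue          # step already used: treat as a replay
            if hmac.compare_digest(totp(self.secret, c * STEP), code):
                self.last_counter = c
                return True
        return False              # wrong, expired or replayed code


def keylogger_scenario(secret: bytes, t0: int) -> dict:
    """Constructed timeline: a keylogger captures the victim's code at t0."""
    captured = totp(secret, t0)
    out = {"captured_code": captured}

    # Case 1: the victim logs in first, the attacker replays afterwards.
    srv = Verifier(secret)
    out["victim_login"] = srv.verify(captured, t0)                # True
    out["replay_same_window"] = srv.verify(captured, t0 + 5)      # False
    out["replay_after_window"] = srv.verify(captured, t0 + 120)   # False

    # Case 2: the attacker races the victim and submits the code first.
    srv = Verifier(secret)
    out["attacker_first"] = srv.verify(captured, t0 + 5)          # True
    out["victim_after_attacker"] = srv.verify(captured, t0 + 6)   # False
    return out


if __name__ == "__main__":
    # RFC 6238 Appendix B test secret (ASCII "12345678901234567890")
    for k, v in keylogger_scenario(b"12345678901234567890", 1111111110).items():
        print(k, v)
```

The timeline shows both halves of the argument. The captured code is worthless once its 30-second step has passed, and worthless even inside that step once the victim's own login has consumed it. But an attacker who races the victim and submits the code first does get in, and the victim's own attempt with the same code then fails. That residual race is the real limit of a time-based token: it narrows the attacker's window from "any time later" to "before the legitimate login lands", which is why the comments are right that it is a strong measure rather than an absolute one.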
  18. I've seen that attitude towards the authenticator expressed many times as well and it's certainly maddening if you know anything at all about malware. Here's the thing most people don't realize about anti-virus and anti-malware software: it only protects against known exploits and threats. There's always a small window of vulnerability between the time an exploit is released into the wild and software vendors can patch their software. During that time anyone can be vulnerable to an infection or exploit. Given this situation it's hardly fair to say it's all the user's fault if they get infected from merely accessing a supposedly safe website using up-to-date security software. Just to get a sample idea of what the average user is up against, Apple just released a security update that addressed 134 vulnerabilities. 55 of those vulnerabilities were for the Flash Player alone.

    Buying and using an authenticator is a smart preventative measure.

  19. Best use of 'hubristic' I've seen in a long time.
