Blizzard’s Two-Factor Authentication

July 1, 2008 – 8:49 AM

Blizzard’s announcement of two-factor authentication for World of Warcraft is more significant than people realize.

Passwords are obsolete. They are broken. We all recognize this, yet we aren’t quite ready to give up on passwords because we haven’t an easy alternative.

World of Warcraft (WoW) is a good test case. It is the biggest online game and has the largest “black market” where people buy in-game money (“gold”) for real-world dollars. User accounts, protected only by passwords, have real-world value. Hackers first strip the accounts for gold, then use the accounts as mules to sell gold and spam others with messages advertising their gold. Blizzard eventually bans the account, by which point the hackers have moved onto the next hacked account.

This is a huge cost. It costs Blizzard a lot of money (I would guess in the range of $100) to help a user recover from a hacked account. That assumes the user still wants to play and doesn’t cancel their $15-a-month subscription, which costs Blizzard even more money.

Today’s “viruses” usually contain keyloggers that specifically look for people logging into games like WoW. Phishing attacks likewise target gamers. However, there is an even easier way to getting people’s account names. People choose the same username/password for multiple sites. Therefore, if you want to steal somebody’s account, you simply set up a site that requires a username/password and encourage players to log in. You then test all the accounts on your own site in order to see if they are also legitimate WoW accounts. Likewise, when hackers break into online sites, they can crack the password file and test how many are legitimate WoW accounts.

Source:
http://erratasec.blogspot.com/2008/06/blizzards-two-factor-authentication.html