Monday, October 12, 2009

WoW: Battle.net account merge incoming


Blizzard announced today a deadline for the conversion of World of Warcraft accounts to Battle.net accounts: November 11, 2009. That gives WoW account holders 30 days to make the switch.

As an incentive, Blizzard is offering an in-game penguin pet.

In light of the high number of stolen WoW accounts it will be interesting to see how Battle.net compares in security. While we can hope that Battle.net accounts will be more secure, a few things come to mind.

Battle.net uses the primary email address as the account name. An email address is generally easier to guess than a WoW account name, and in Tobold's case it is very publicly known, which is why he covers the security ramifications in Blizzard sabotages WoW account security.

Instead of taking Tobold's suggestion of setting up another email account just for Battle.net, Gmail users can use the alias feature to make the Battle.net account name hard to guess. Gmail lets you append +anything to the local part of an address and still receive the email: if your address is foo@gmail.com, mail sent to foo+anything@gmail.com lands in the same inbox. Replace anything with a long random string (not +wow or +blizzard, which an attacker would try first) and your Battle.net account name becomes as unguessable as your old WoW account name was. Keep in mind that the secret is only the part after the plus: anyone who sees mail addressed to the alias learns it, so don't use that alias anywhere else.

I just used a gmail alias to set up a new Battle.net account, and it worked. (With one small glitch, the link in the first verification email failed, so I had Battle.net send a second verification email.)
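To make the alias trick concrete, here is an added example (not code from the original post) that builds a random Gmail plus-address, shows that it maps back to the same mailbox, and compares the guessing work of a random tag against an obvious one. It encodes Gmail's documented behaviour of ignoring the +tag and dots in the local part; the canonicalisation is applied only to gmail.com and googlemail.com, and the list of obvious tags is constructed for illustration.

```python
"""Gmail plus-addressing as a hard-to-guess Battle.net login.

Added example, not from the original post.  Gmail delivers local+tag@gmail.com
to local@gmail.com and ignores dots in the local part; canonicalize() encodes
that documented behaviour for gmail.com / googlemail.com only and leaves every
other domain untouched (assumption: other providers may not honour plus tags).
"""
import math
import secrets
import string

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}
TAG_ALPHABET = string.ascii_lowercase + string.digits   # safe inside a Gmail local part
# Constructed list of tags an attacker would try first; a real wordlist is far longer.
OBVIOUS_TAGS = {"wow", "blizzard", "bnet", "battlenet", "warcraft", "game", "games"}


def canonicalize(address: str) -> str:
    """Return the mailbox that actually receives mail sent to `address`."""
    local, sep, domain = address.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def make_alias(base: str, tag_length: int = 16) -> str:
    """Build base's plus-address with a random tag.

    Only the tag is secret, so it comes from the CSPRNG and is never derived
    from the game, the character or the account holder.
    """
    local, sep, domain = base.strip().lower().rpartition("@")
    if not sep or domain not in GMAIL_DOMAINS:
        raise ValueError("plus-addressing is only guaranteed here for Gmail")
    if "+" in local:
        raise ValueError("base address already carries a tag")
    tag = "".join(secrets.choice(TAG_ALPHABET) for _ in range(tag_length))
    return f"{local}+{tag}@{domain}"


def tag_of(alias: str) -> str:
    """The part after '+' in the local part, or '' if there is none."""
    local = alias.rpartition("@")[0]
    return local.partition("+")[2]


def tag_entropy_bits(alias: str) -> float:
    """Guessing work an attacker who already knows the base address still faces.

    A tag from a short guessable list is worth roughly log2(list size);
    a random tag is worth len(tag) * log2(alphabet size).
    """
    tag = tag_of(alias)
    if not tag:
        return 0.0
    if tag in OBVIOUS_TAGS:
        return math.log2(len(OBVIOUS_TAGS))
    return len(tag) * math.log2(len(TAG_ALPHABET))


if __name__ == "__main__":
    base = "foo@gmail.com"
    alias = make_alias(base)
    print(alias, "->", canonicalize(alias))
    print(f"obvious tag bits: {tag_entropy_bits('foo+wow@gmail.com'):.1f}")
    print(f"random tag bits:  {tag_entropy_bits(alias):.1f}")
```

A 16-character tag over 36 symbols adds about 83 bits of guessing work to an otherwise public address, while a tag like +wow adds almost none. Because Gmail also ignores dots, f.o.o+tag@gmail.com and foo+tag@gmail.com are the same mailbox, which is why canonicalize() strips both before comparing.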

Of course the problem remains that using an email address as the account name is a bad choice. Email addresses are not usually considered private information and are far less well protected than passwords; they are routinely sold to third parties, which raises the risk of an address becoming public. Blizzard is well aware of the problems with email addresses becoming known, as this forum post about Fake E-mails from "Blizzard Entertainment" shows:
Why am I receiving these e-mails? What can I do to ensure malicious parties do not have my e-mail address?
    In most cases, e-mail addresses are gleaned from unofficial World of Warcraft web pages (guild websites, fan sites, etc) and social networking sites (Facebook, Myspace, etc). As such, you may wish to set up a new, separate email address and register it to your account. When selecting the username and password for this new email address, ensure that these variables do not overlap with that of your WoW account or any other login type (guild websites, Facebook, MySpace, etc). Once this address is registered, do not use it for anything else: no additional registrations, no guild websites, no newsletter sign-ups, et al. Keep this address isolated.
First Blizzard tells people to protect their email addresses so they won't receive emails phishing for account info, then turns around and makes the email address the login for the new Battle.net!

One indication of how bad the situation is with stolen WoW accounts is that the Blizzard Authenticator is being sold for $6.50 with free shipping. At that price Blizzard is making little if any money on them. It's cheaper for Blizzard to hand out the Authenticators essentially for free than to incur the support costs in dealing with customers whose accounts have been stolen.

To anyone who objects to the cost of the Authenticator: Blizzard charges $25.00 to move bits around if you purchase a Paid Character Transfer. Yet it will ship an actual physical object to you for $6.50, which is basically the cost of shipping. There's a reason for this: the Authenticators work. And by keeping accounts secure they save everyone grief and time. Well worth the money.
