Wednesday, April 7, 2010

Account Security and You

Following up on my previous post on Gold Spammers, the number of people performing such acts seems to be on the rise. Hardly a day goes by where I don't receive one whisper or another trying to sell me gold, scam me into giving up personal information for a "free mount," or pull some other devious ploy to get an unsuspecting player to drop their guard.

The shared topic over at Blog Azeroth is one of the best I've seen in a while.

First of all, what is the problem, really?

I'm sure everyone has seen spam in trade or the body messages in main cities advertising a gold-selling service. The gold and items they sell do not appear from thin air; they have to get them somewhere. If they aren't hiring people to farm for them, they get it by tricking players into handing over access to their accounts.

There are many ways for them to gain access. One of the most common is a link on the forums, posted from an already-compromised account, that has you "log back in" to Blizzard services on a fake page or silently downloads a keylogger. I have also heard stories of people getting in-game mail, whispers or emails asking for their password to prove that the account is theirs for "security purposes."

Blizzard will never, ever, EVER ask for your password. They don't need it for anything. This alone is a huge red flag that the person sending you these messages really isn't who they claim to be. Anything offering a "free mount" or "free gold" or anything similar is a sure scam; anything officially offered by Blizzard will be announced on the Blizzard website, not through in-game means.

How can I protect myself when I'm not playing?

There was a (fairly) recent breach in Blizzard's security on the forums, where an ad was planting keyloggers on players' computers. When this happened, I took the opportunity to download NoScript and AdBlockPlus for Firefox. NoScript blocks any and all scripts from running without your permission, and AdBlockPlus blocks all ads from loading and appearing. Combined, they give good protection against ad-based keyloggers, but they can do nothing about scams that require you to actually go to a website and type in your information. Remember to always check the URL when you get redirected from a link. It may be only a single letter off.

If you're running Internet Explorer, I'm sorry, but you're wrong. Internet Explorer is rightfully notorious for having gaping security holes, which can compromise your computer and accounts on various websites. I know it's hard, but try to stop using it. Really. Do it.

If you really must continue to use it, try getting an add-on that blocks popups, and a variation of AdBlockPlus called HostBlock. I'm not entirely sure how well HostBlock works, as I don't use IE, but any ad-blocking add-on is better than none at all.

Opera is a lightweight and fairly secure browser. I was able to find a widget that works on Opera, Chrome and Firefox called Adsweep. Adsweep is essentially the same as AdBlockPlus.

Safari has PithHelmet and Saft for adblocking.

If you're using the same password for everything, stop. This should be obvious, but you'd be surprised how many people use the same password for everything. Email accounts can be pretty easy to get into, and once someone has your email and all your passwords are the same, you're screwed. Change them if they're all the same, use a combination of letters and numbers (and symbols where applicable), and change them often. Don't use something easy, either, like dog1 or password0. Ideally, it should be a random string of letters and numbers. Try to avoid using things like names, birthdates (e.g. 1980), locations, and common words and phrases.

An example of a strong password would be, say, 4k95a73y. This looks intimidating, but can be easy to remember: we have 4 kids, 1995 is our anniversary, and I was born in the year 1973.

A weak password would be something like billy1996, cat, password, 12345, etc.

The stronger your password is, the longer a brute-force attack will take to guess it.
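To make the strong/weak distinction above concrete, here is an added example (not from the original post) that applies the post's own rules to its own sample passwords: it flags names, years, common words and short or digit-only strings, and estimates the brute-force search space from length and character classes. The word and name lists are constructed for the example.

```python
import math
import re

# Constructed lists standing in for the "common words" and "names" the post
# warns against; a real checker would use a dictionary and a breach list.
COMMON_WORDS = {"password", "cat", "dog", "qwerty", "letmein"}
NAMES = {"billy", "john", "mary"}


def charset_size(pw: str) -> int:
    """Size of the alphabet an attacker must search if they know which
    character classes (lowercase, uppercase, digits, symbols) appear."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33  # printable ASCII symbols
    return size


def search_space_bits(pw: str) -> float:
    """log2 of the number of candidates a brute-force attack must try
    for this length and alphabet (charset ** length)."""
    return len(pw) * math.log2(charset_size(pw))


def weaknesses(pw: str) -> list:
    """Return the post's weak-password patterns found in pw ([] if none)."""
    found = []
    if len(pw) < 8:
        found.append("too short")
    if pw.isdigit():
        found.append("digits only")
    if re.search(r"(19|20)\d\d", pw):
        found.append("contains a year")
    # Strip digits/symbols so 'billy1996' and 'password0' still match.
    core = re.sub(r"[^a-z]", "", pw.lower())
    if core in COMMON_WORDS:
        found.append("common word")
    if core in NAMES:
        found.append("name")
    return found
```

For the post's own examples, weaknesses("4k95a73y") is empty at about 41 bits of search space, while "billy1996" is flagged for a name and a year and "cat" for being a short common word.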

What else can I do?

Perhaps the most obvious, and one of the easiest, things to do would be to buy an authenticator. They're very inexpensive ($6.50), are durable, and can help prevent a lot of brute-force attacks and even stupid missteps.

Authenticators are small keychain devices that generate a random-looking string of numbers; the device is tied to your account via the serial number on its back. If it is lost, broken or stolen, it just takes a phone call to Blizzard support to get it removed or replaced. Without the authenticator in hand, nobody but you will be able to log into the game or into account management.

My guild uses the authenticator as one of the requirements for full, virtually unlimited bank access (known to us as Bank Trustees). I am one of the few people who can pull anything from any tab as much as I want, not only because I earned the right, but because I have an authenticator. This makes it less likely that our entire bank will be cleaned out through a hacked account. Even if that does happen, we have a rank we can be demoted to with zero bank access. It's a good way to avoid having your guild bank cleared out, which can take a while to restore.

Be smart, be secure.


Zan says: AdBlock and FlashBlock are available for Chrome, which are similar to AdBlockPlus and NoScript, respectively. Also be careful when you torrent or download things. It's best to steer clear of torrenting altogether, but if you really must, run a scan on all the files first.

An antivirus, virus scanner, and firewall are pretty much required. AVG Free is free antivirus software whose basic package also doubles as anti-spyware, which is a plus.

Avast! also includes anti-spam features and a firewall. This one has been recommended to me numerous times by my comp-sci buddies.

I've also heard some nice things about Avira, which has some nice features as well.



  2. Druid, get the hell out of here!

  3. That's an interesting suggestion for the password thing.

  4. It really helps for a more secure password, since the ones most commonly brute-force hacked are common words and numbers.

    The more complicated (for them) the better!

  5. Chrome supports extensions and has for some time.

    I run Flashblock and AdBlock in my Chrome and it runs faster than Firefox.

    I've seen people get keyloggers from torrenting. Having security smarts should also apply to running basic security software.

    A virus scanner, firewall, anti-spyware suite, etc. are also useful.

  6. I did a search for security extensions for Chrome but couldn't find any. Thanks for the heads-up on those, though.

    I knew I was missing a couple points when I drafted this (at work), but I think I figured that having a firewall and antivirus was pretty standard.


  8. Yes, druid, this means no more porn for you.