MMO Security: An Emo Tale


"/wrists"

By Kaymen - Posted on 13 July 2008

Blizzard Authenticator

Last weekend at Blizzard's World Wide Invitational in France, Blizzard announced the "Blizzard Authenticator", a hardware dongle that provides "Two-Factor authentication" security to World of Warcraft.  The device immediately sold out, and on its first restock, sold out again.  Obviously, this is an in-demand item.

In early 2007, I had both my WoW accounts hacked.  It was less than two weeks after the release of the Burning Crusade, and I was about half a level from 70 on my main.  I logged on to find my toons naked at the login screen and logged in game to find every item and all my gold (my flying mount money!!) gone.  And, to make matters worse, I was GM of a significant raiding guild at the time.  I had to immediately transfer guild leadership for fear that the assailant might wreak havoc on my guild.

Doing the sensible thing, I notified a Blizz GM about the situation.  I really didn't expect them to do anything, but I thought it wouldn't hurt to try.  Was I ever wrong!  They concluded I was a victim of a keylogger.  A couple of days later, they logged onto my toons to restore my lewts, then sent me an email telling me they permanently banned me for cheating.  The following was the first paragraph from that fateful email:

This is a notification regarding your World of Warcraft account. Access to this account has been permanently disabled for exploitation of the World of Warcraft economy or for being associated to accounts which have been closed for intended exploitation. While we try to be as lenient as possible in our assessments of the results of exploitation investigations, reoccurring trends in exploitative endeavors on your account have ultimately resulted in account closure.

This just made me mad.  I called their call center and spent nearly an hour arguing with the guy on the other end, demanding to speak to the person responsible for cancelling my account.  I demanded to speak to someone who had some knowledge of my history that could explain the contradicting messages I'd received.  I demanded to know the details about the keylogging assailant, for if he could get my WoW account, could he get my bank account info too?  I demanded to know what the legal department's contact info was.  I was livid, and the run-around, shut-me-down methods of their customer service just made it worse.

Eventually, I got ahold of the fax number of the account retrieval department, so spamming the fax line I went.  It did pay off, and I did get my accounts restored.  I figured the time they spent with me on the phone and the fax spam must have easily cost them $100, not to mention the work they had to do behind the scenes.

Also, the whole situation just left me sour.  Every day when I would log in after that, I always had this nervous feeling that I would find my toons naked at the login screen.  These events, more than anything, killed my desire to play WoW.  After getting my accounts restored, I pretty much cancelled my subscriptions and let them expire.  I just had no interest in playing.  So, getting my account hacked was a double whammy to Blizzard: not only did they incur the cost of my phone/fax wrath, but they lost the revenues of my multi-subscription WoW habit.  Providing better security is in their best interest.

And, it looks like they've finally done it.  This hardware authentication scheme is the same mechanism corporations use for giving their employees access to VPN services.  It's pretty robust, and if a hacker could routinely crack it, it's doubtful they'd waste time stealing gold in MMOs.  All for $6.50, assuming you can get one.

A company like Blizz charging their customers for better security using their software seems kinda lame.  I can see the business need to charge: if it were free, then everybody would want one and few would use it.  Putting a cost on these things does create a barrier to entry that gets it in the hands of those who'd actually use it.  Blizz could, however, slowly refund the cost of the device with something like a few extra days on their subscriptions.

They could also include them in special edition boxed versions of the game.  I've heard rumors of a big expansion coming to WoW, something about a Lich King.  Maybe an opportunity to get these in the hands of the masses.

I also wonder if this will be a mechanism to cut down on service call costs too.  I can see that phone rep on the other end explaining to an irate customer that there is a way to prevent account compromises; the customer chose not to use it.  Too bad, so sad <click>.

Still, regardless of how this device shapes Blizz's behavior, this is a good thing, and more game companies should consider it for customer retention and reducing customer service costs.  I can't wait 'til I have a box full of security dongles for all those old games I used to play.

Garret

Site Admin

Editor-in-chief

Joined: 22 May 08

This story just kills me. You report something as a victim, and then they accuse you of being the bad guy. Just awful...

By the way, is that $6.50 a one-time charge, or is that monthly? By the way, I completely agree that being charged for security is lame. My bank doesn't require a dongle. I'd be surprised if banks weren't at just as much of a security risk as WoW.

Kaymen

Site Admin

Code Monkey

Joined: 21 May 08

Title: One time charge
Posted: 14 July 2008

The $6.50 is a one-time charge for the dongle.  I haven't heard if one can be used for multiple accounts, so it may need to be purchased multiple times depending on how many accounts you have.

Yeah, it all really went downhill when they accused me of cheating.  That was the worst part of it.