User:Rocode/Security Guide

From Wowpedia

Introduction

While the WoW game itself is relatively safe, there are several things you can do to protect your account from hackers. WoW accounts sell for a considerable sum on the black market.[1] Thieves do not care that you spent five years getting a full set of T9 gear on every character[2] - they will sell it for the few pieces of gold they can get and transfer the money to gold farmers to make real world money.[3]

Account Security

Use a Strong Password for your Account

Think of the password as the key to unlock your account. If it is too simple, it is easy to pick the lock. Words from a dictionary, pets' names, birthdays and "password123456789" are all easily guessable, or, with software, can be fired at a website by a botnet (a massive network of thousands of malware-infested PCs) until the password is cracked. A strong password, like a strong lock, means the thieves are more likely to be detected trying to break in, so they will move on to easier pickings.

A strong password[4] is:

  • At least 8 characters long, preferably 12 to 14
  • Contains alphabetic, numeric and punctuation characters (e.g. my#2nake1s!0n_aplane)
  • Note however that passwords are case-insensitive! Don't rely on CaMeLcAsInG.
  • If written down it is encrypted in some way (e.g. if you write it in your diary, don't write down that it is a password; create a long list of fake passwords)
  • Can easily be remembered by you, and you alone (e.g. is a phrase from a book, and only you know which page and paragraph; initial letters of the fourth line of your favourite song)
  • Is never stored on your PC (any file could be stolen)
  • Is only used for BattleNet and is different to your eMail password
  • Changed regularly, at least every quarter

Remember:

  • Never, ever, share it with anyone (e.g. someone telephoning or eMailing you or contacting you in-game "from Blizzard" saying there is a problem with your account)
  • If you do ever share it (e.g. to allow your room mate to log on and tell your guildmates you are stuck in traffic), then change it as soon as you get home
  • Never let your younger brother know your password, or shoulder-surf while you are typing it in. Get him a trial account instead

Use a Blizzard Authenticator

An authenticator is a small key-fob device that gives you a One Time Password (OTP) to enter in addition to your normal password, so that logging in requires something you have as well as something you know. These are cheaply available from the Blizzard store. Note that they are not infallible - you still need to keep your PC free of key-logging malware. These trojans, such as emcor.dll[5], can intercept the code you type in, tell you that you have "entered an invalid code" and send the real code, along with your username and password, to a thief working in real-time. This is called a "man in the middle" attack.

Use a Separate eMail Address for Blizzard

With the merger of accounts into BattleNet, you will now have to use an eMail address to log into WoW. It is highly recommended that you set up a separate eMail address to use for, and only for, logging into WoW and getting eMails from Blizzard.

  • For your paid-for service, create a separate alternative eMail with a nonsensical extension such as JSmith_altmail_dffduh@virgin.net
  • For free mail services such as GMail, CryptoMail (secure), HushMail (secure), MSN Hotmail, S-Mail (secure, but Windows/Linux only), or Yahoo, create a unique but nonsensical address such as Bubba196Huggle@yahoo.com or This1IsNin@live.co.uk
  • Set the Secret Question to a custom question (where possible) and treat this like you would a password
  • Do not use an email service where you cannot choose a custom question (names are easily guessable)
  • Uncheck "Remember Me On This Computer" whenever you log in
  • Set the Secondary Account field to another new email address that you do not use, ever, except when you have forgotten your password. If you have to use it to recover the password, then delete the account and create a new one

Install Blizzard Updates via the Launcher

Blizzard have supplied a launcher which should automatically download and install updates for you. This is particularly useful when there is a large patch as they typically make it available in sections which can be downloaded over several days, thus reducing the impact on your PC and their server. More information is at the Blizzard Background Downloader FAQ and Blizzard Downloader FAQ.

However, there are times when the background downloader does not work. This seems to be an issue with Windows Vista users who allowed Blizzard to automatically create the Public > Games > World of Warcraft directory, though it also occurs with Windows XP users. Blizzard believe it could be conflicting background applications[6], though its advice on closing background services requires more technical knowledge of Windows XP[7] or Vista[8] to carry out safely than most non-expert PC people have. The advice on updating Windows is relatively sound. Or it could be a problem with security software conflicts, or the downloader itself[9]. One option to try is to back up the entire directory to a removable hard drive, delete the original and create a new c:\users\public\games\World of Warcraft directory from the administrator account. There are other issues and solutions scattered through the US and EU support pages and EU Technical Support Forum.

If you find you are still unable to download the patches, having followed all the forum advice, then the best option is to copy the WoW-n.n.n.nnnn-to-m.m.n.mmmm-enGB-downloader.exe file from a computer or user you trust to have a "clean" PC. Run your own virus checking software on the download media or email before you copy it across. Running this should download the patch direct. There are many mirror sites listed (including those on Wowpedia) but these have frequently been attacked by crackers, with the purpose of installing malware to capture account information. Use these only as a last resort, and check any listed URL by copying it and running a Who-Is query at a reputable site, such as Network Tools.com. Note that you may have to remove the "http://" part if the site requires it and leave just the first main part (up to and including, for example, .com or .org or .co.uk). The second complication is obfuscated URLs[10]. If the URL contains the "@" character or "%40" then it will redirect you to the site after those characters. In short, if you are not sure it is safe, do not use it and contact Blizzard Technical Support for help.
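The URL check described above can be automated. The following Python sketch is an added example, not part of the original guide or any Blizzard tool: it reports the host a link really points to when "@" or "%40" is used to hide it, and reduces that host to the name to paste into a Who-Is query. The sample URLs and the short suffix list are constructed for illustration.

```python
from urllib.parse import urlsplit, unquote

# Constructed stand-in for the Public Suffix List (assumption, not exhaustive).
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk"}

def inspect_url(url):
    """Return (host actually contacted, list of warnings) for a download URL."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    netloc = urlsplit(url).netloc      # authority: between "//" and the next "/"
    warnings = []
    if "%40" in netloc:
        warnings.append("encoded '@' (%40) in the authority part")
    decoded = unquote(netloc)          # treat %40 the way the guide warns: as "@"
    decoy, at, hostport = decoded.rpartition("@")
    if at:
        warnings.append("text before '@' is not the site: " + repr(decoy))
    host = hostport.split(":")[0].lower().rstrip(".")  # drop port (IPv6 not handled)
    return host, warnings

def whois_name(host):
    """Reduce a host to the name to paste into a Who-Is query."""
    labels = host.split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

# Constructed sample URLs (not real mirrors).
SAMPLES = [
    "http://www.worldofwarcraft.com/downloads/patch.exe",
    "http://www.worldofwarcraft.com@files.example.net/patch.exe",
    "http://www.worldofwarcraft.com%40files.example.co.uk/patch.exe",
    "http://files.example.net/mirror/user@host.exe",  # "@" in the path is harmless
]

if __name__ == "__main__":
    for url in SAMPLES:
        host, warnings = inspect_url(url)
        print(url)
        print("  real host :", host, "| Who-Is query:", whois_name(host))
        for w in warnings:
            print("  WARNING   :", w)
```

Only an "@" before the first "/" after "http://" changes the destination, which is why the last sample produces no warning.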

Never Share Your Account

Blizzard is very strict on this[11]:

"Blizzard does not recognize the transfer of WoW Accounts or Blizzard Accounts (each an "Account"). You may not purchase, sell, gift or trade any Account, or offer to purchase, sell, gift or trade any Account, and any such attempt shall be null and void."

and

"You are responsible for maintaining the confidentiality of the Login Information, and you will be responsible for all uses of the Login Information, whether or not authorized by you."

This includes the use of "power levelling" services, sharing with a friend or spouse, etc., due to the risk of the account being compromised and the contents sold and emptied (either to earn real-life money or for revenge). This costs Blizzard time and money to resolve and takes away time from legitimate users of the game who have to wait longer for legitimate issues to be resolved. The consequence of Blizzard finding you responsible for account sharing ranges from a temporary ban through to deletion and permanent closure of the account with no restitution. Gold buying may also result in account compromise, banning when discovered, or, worse, misuse of your credit card, or even identity theft.

Exception for Minors

The ONLY exception allowed is that, if you are an adult, you are allowed to open an account on behalf of a minor child (in the UK this is below age 18, may vary by country)[12].

"You agree to these Terms of Use on behalf of yourself and, at your discretion, for one (1) minor child for whom you are a parent or guardian and whom you have authorized to use the account you create on the Service."

Further Reading

For more information see:

Blizzard Forum Links

References

 
  1. ^ 'Vuln left me naked and penniless' - http://www.theregister.co.uk/2007/04/10/wow_hijackings/ - The Register, April 2007
  2. ^ "Guild Member Hacked and Banned" - http://forums.wow-europe.com/thread.html?topicId=9036454824&sid=1, WoW Europe Forums, May 2009
  3. ^ "Cursor hackers target WoW players" - http://news.bbc.co.uk/1/hi/technology/6526851.stm BBC News, April 2007
  4. ^ "Guidelines for strong passwords" - http://en.wikipedia.org/wiki/Password_strength#Guidelines_for_strong_passwords - Wikipedia, October 2009
  5. ^ "Hacked with Authenticator" - Blizzard EU Forums, 27 Feb 2010 - http://forums.wow-europe.com/thread.html?topicId=12730404058&sid=1&pageNo=1
  6. ^ "Does your Blizzard Downloader fail to launch?" - http://us.blizzard.com/support/article.xml?articleId=21624&searchQuery=background%20downloader&pageNumber=1 - World of Warcraft Technical Support, May 2009
  7. ^ "Turn Off Unnecessary Windows XP Services" - http://www.jasonn.com/turning_off_unnecessary_services_on_windows_xp - Jason A. Nunnelley, April 2005
  8. ^ "Tweak Windows Vista services the right way" - http://blogs.techrepublic.com.com/window-on-windows/?p=720 - Greg Shultz, June 2008
  9. ^ "Download todays patch over and over" - http://forums.worldofwarcraft.com/thread.html?topicId=16473141623&sid=1&pageNo=1 - Neerdia of Rising Storm, April 2009
  10. ^ How to Obscure Any URL - http://www.pc-help.org/obscure.htm - PC Help, January 2002
  11. ^ WORLD OF WARCRAFT® TERMS OF USE AGREEMENT, Section 11 - WoW US, 29 July 2008 - http://www.worldofwarcraft.com/legal/termsofuse.html
  12. ^ WORLD OF WARCRAFT® TERMS OF USE AGREEMENT, Section 3 - WoW US, 29 July 2008 - http://www.worldofwarcraft.com/legal/termsofuse.html