Blizzard Announces a Physical Token for World of Warcraft Account Authentication

Theft of World of Warcraft accounts is a huge problem. The perception is that gold farmers are finding it much more lucrative to simply hack people’s accounts by tricking them into to installing keyloggers rather than actually use in-game bots to farm resources. There is an entire class of trojans now aimed largely at WoW players.

So Blizzard recently announced a forthcoming Authenticator product which looks to be a rebranded RSA SecurID. The device will costs $6.50 and asks the user to link the serial number of the device to the WoW account. From then on, when you want to log in you enter your username and password, then press a button on the Authenticator which generates a number that has to be entered as well. The number is essentially a rolling one time pad, and that specific number is only good for 30-60 seconds. So someone who manages to grab all three pieces of data has a very small window in which to gain access to your account.

As some have noted on WoW-related sites, this sort of scheme is still vulnerable to man-in-the-middle attacks. Think of this being used to authenticate login to a bank website. I put my server in between you and the bank. You think your data is going to the bank, but its really going to my server, then I’m passing it on to the bank, and then passing the bank’s response on to you. You never even know you’ve been hacked until I log in with your password and ID later and clean out everything.

Assuming that the Authenticator is ever owned by a large percentage of users — and I’m skeptical it will be — it will be interesting to see if the hackers turn to man-in-the-middle style attacks or simply turn their attention to an easier target.