Account Hacking: It’s bad for you!

Why companies should care more about their security

Posted by Josh Folland on Jun 6, 2013 in Blog | Comments Off on Account Hacking: It’s bad for you!

Having your gaming account hacked sucks. There’s no denying it. You’ve elected to spend your free time as well as your hard-earned cash on a game, only to have it plucked away from you is the complete opposite of what you are trying to accomplish by playing the game in the first place. Even if you manage to get the account back, the paranoia will always be there.

I for one know this all too well. A few weeks after the launch of Diablo 3 in 2012, account thieves swept the game (conveniently after long enough for me to reach the max level on my main character at the time ). I was one of many, many victims of these thefts and although I hadn’t played Diablo 3 in a few weeks, the theft of my account ensured that I wouldn’t be coming back for a very long time.

Full disclosure: I did not have an authenticator on my account at the time. I figured my password (12 characters, upper and lower case with numbers) was secure enough to not need it and I consider myself a technically savvy enough person to not have keyloggers and the like installed on my system. For those of you who aren’t yet in the know: An “authenticator” is Blizzard’s second factor in their two-factor security approach. When you log into the game, you enter you username and password as usual, followed by entering a constantly-changing code generated by your authenticator. This can be its own standalone $10-ish device, or a free app on your smartphone (which becomes problematic if you’re like me and enjoy trying new ROMs on your Android device on a regular basis as the app generates its own unique ID and ties it to your account when you activate it. Wipe the phone for a new ROM, lose access to your account. I also learned this the hard way. Oops!)

Blizzard urges you to have an authenticator to avoid having your account stolen. This in and of itself is fine and good, so long as the underlying security measures (ie the 1^st factor in the two-factor authentication) is also up to snuff. In Blizzard’s case, I discovered after my account was stolen that they’ve elected to use the following password properties:

• Passwords are NOT case sensitive. (WHAT?!)
• No Special Characters/Alphanumeric only
• 8-16 characters in length

I’ve read speculation among the community that the reason Blizzard has elected not to use case-sensitive passwords is to cut time wasted by customer support staff on assisting users who THINK their account has been hacked or their password is not working, but they’ve actually just got caps lock toggled on. Now, Blizzard has yet (to my knowledge) to admit to this, but from an economic and pragmatic business standpoint, this makes sense. They’ll save time and money on customer support calls, be able to sell more authenticators or have the app installed on more user’s phones. From a security standpoint, you don’t have to work for the CIA to understand that this reasoning behind the decision would be pants-on-head idiotic.

Blizzard isn’t the only one to catch flak for this. In 2011, hacker/activist group LulzSec cracked Sony’ database right open and published tens of thousands of user’s credit card numbers just to expose Sony’s flawed design. Sony has since shored up, but not before having their brand and reputation tarnished. The list goes on and on – DayZ has had a hacker issue for a long time and when frustrated players head out to the internet to find hacks of their own in spite of getting killed in-game and losing all of their gear, instead what they download is an application that steals their game key. It’s easy to say “serves them right!” but I would argue that these are the kinds of weeds you need to kill at the root, not once the problem has propagated and evolved to an even more toxic environment.

Trust is becoming more and more important when it comes to our games. With the move to free-to-play or freemium models as well as subscriptions in which you are injecting time and money into your account, the importance of having your account secured is higher than ever. Having an account stolen that you’ve put dozens if not hundreds of hours and dollars into is a great way to make sure you never want to play that title and start from scratch again. The fact that you’ve put time and money into it means you’ve probably developed somewhat of an emotional attachment, which means you’re inclined to tell your friends and family about your crappy experience. Very bad for player retention overall.

People are becoming more and more fed up with being treated like numbers by the companies who produce their favorite games (or who produce anything for that matter), and with everyone and their mother having multiple social networking accounts word travels fast when someone feels they’ve been mistreated. Poor security practices should be no different. I for one can confidently say that LulzSec had the right idea, even if their methods were a bit extreme. I did eventually get my Diablo 3 account back, but it’s unlikely I’ll reinstall the game and extremely likely I’ll keep telling my story to others.