Shostack + Friends Blog Archive


On Banking Security

Dave Maynor comments:

Blizzard is going to sell a One Time Password device…Isn’t it kind of funny when an online game has better security than most banks?

Blizzard Entertainment, Inc. today introduced an optional extra layer of security for World of Warcraft®, its award-winning massively multiplayer online role-playing game. Designed to attach to a keychain, the lightweight and waterproof Blizzard® Authenticator is an electronic device that generates a six-digit security code at the press of a button. This code is unique, valid only once, and active for a limited time; it must be provided along with the account name and password when signing in to the World of Warcraft account linked to it.

Damnit, Dave, I have nothing to add to that analysis!

4 comments on "On Banking Security"

  • Nathaniel H. says:

    I’ve noticed this enhanced security in games published by IGG. They’re one of the big players in the MMO arena and leading the way in ‘micropayment’ style revenue streams. Upon logging in you can either manually type in your username and password, or use a provided virtual keyboard/keypad. I also remember something about the ability to use a PIN for character deletion. This is a far cry from the old Everquest and Ultima days, that’s for sure. I guess Blizzard cares about its customers unlike most banks.
    This brings up a question I have, though. Has anyone seen any research relating the economies of developing countries to the number of ‘hacking attempts’ (for lack of a better phrase at the moment) coming out of those countries? I wonder if that just has to do with computer crime such as this not being worth it in the developing world, where as developing nations have a reasonably good economic sector based around selling virtual currency? I can’t even begin to bring up some of the fascinating sociological issues raised by third world gold sellers.

  • I do not see why this makes banks look any worse, or how it is “funny”.
    Bank issues with two-factor (e.g. usability and cost) are very different from a gaming company.
    Gamers love gadgets and rapid development/change — if you really want to play THIS game, you need to use the cool new two-factor authentication, and you have to pay for it. You can easily see how the device can become another part of the status/group symbolism.
    That is an entirely different world from banking.

  • nick owen says:

    As I referenced in my blog, which I am too lazy to link to directly (half day at best today :), I think that the banks must be waiting for better technology. They need protection from MITM attacks and MITB attacks which means mutual authentication and some form of transcation auth or signing. It probably makes economic sense to wait for a better solution.

  • Tamzen says:

    And Blizzard sold out of the Authenticator in 2 days. They are working to ramp production up but clearly they had no idea that this would sell out so fast. And they are making it available for what looks like less than it costs them. $6.50 is really cheap for something like this.
    For them to move to this model probably means they are really bleeding out mucho $$ on tech support for people being hacked and having all their stuff stole and sold.
    It was VERY funny reading on the forums where the few clueful people were trying to explain 2-factor authentication and RSA Secure ID and how, no this can’t be hacked in 3 days and yes it is secure.

Comments are closed.