Shostack + Friends Blog Archive


On Gaming Security

Adam comments on Dave Maynor commenting on Blizzard selling authentication tokens.

Since I have the ability to comment here, I shall.

This isn’t the case of a game having better security than most banks (as Maynor says). This is a game company leaping ahead of some banks, because they realize they have bank-like security issues.

It’s been a year or so since I read on El Reg that on the black market, a credit card number sells for (as I remember) £5, but a WoW account sells for £7. I would look up the exact reference, but I’m not in the mood. Your search skills are likely as good as mine.

The exact reasons for this are a bit of a mystery, but there are some non-mysterious ones. There is a black market for WoW gold and (to a lesser extent) artifacts. That black market is shuddering because Blizzard has done a lot to crack down on it. (Blizzard’s countermeasures are one main reason that the artifact market is low. Most artifacts become bound to one character when used, and so are not transferable and so are not salable.) Nonetheless, many WoW players have gold in their pockets that would sell for hundreds to thousands of dollars on this black market.

(If you conclude from this that WoW can be a profitable hobby, think again. That many players have gold worth some real change says more about the time they have spent playing than anything else. If you live in a first-world country, you can earn far more flipping burgers than playing WoW. It is only if you are in a third-world country that WoW is a reasonable career choice.)

This means that by putting a keylogger on someone’s system, you can steal a pretty penny from them and sell it on the black market. A not-insignificant number of WoW players have logged into their accounts to find their characters naked and penniless. However, there’s an interesting twist on this. Blizzard can and does restore the lost gold and items.

Presumably, Blizzard has a transaction log and can rewind it. However, this is work for them and annoyance for the victim. Two-factor authentication will lower Blizzard’s costs, but fear of robbery is high enough among the players that they’re snapping these things up and are willing to pay for them.

Bank customers rightly think that increased security is something that the bank should pay for. So in the banking world, the cost-benefit calculation of two-factor authentication is complex. In the gaming world, it’s pretty straightforward. Since Blizzard can shift the cost of the device to the customer base, it’s easier to justify.

5 comments on "On Gaming Security"

  • Nathaniel Husted. says:

    “Presumably, Blizzard has a transaction log and can rewind it.” — Most of the time, in many MMOs the customer support folks will not return any lost, stolen, bugged, etc. equipment. This either means that most companies don’t care (which could partly be the case) or that their transaction logs are not nearly as useful as some might think. This is something I’d love to hear more from the publishers of these MMOs and their developers, because from the customer standpoint, it seems they have practically no information logged about transactions in their own games.

  • Mordaxus says:

    Yes, but Blizzard will return lost and stolen equipment. They cannot return any enhancements to the equipment, but they do return the equipment itself. I believe that they will do this only three times per account, but they do do it. If this is unusual in the MMO biz, then perhaps it helps explain why Blizzard dominates the market.

  • tim says:

    What’s missing here is that a character in WoW (or similar games) is a different type of asset. It represents thousands of hours of work that carry a lot of emotional connection to the ‘owner’. The ‘owner’ of that character has a much higher incentive to protect it than numbers in a bank account.
    (I built up a 70 level character and asked myself – is this it? and canceled my account. However – my bf still plays and I can’t imagine having to deal with him if someone stole his character)

  • Alex says:

    I wonder what the going price of a cracked WoW account is vs. the price of a cracked bank account….

  • Nathaniel H. says:

    @Mordaxus – I think that could perhaps explain some of it besides the design element (which could be a whole post in its entirety, and completely off topic). I should clarify that my above post only stated my experience with MMOs (I’ve played a few since I started with Everquest).
    @Alex – This site, and page in particular might shed some light on the value of a cracked WoW account:
