03 November 2011

A change in your usage pattern


I have used an authenticator for about 6 months now.  I use PCs at two different addresses to access WoW; albeit on the same ISP.

I recently got my hands on a netbook powerful enough to run WoW (specifically - I can post auctions on it).  I broke down and purchased the Curse premium client to make it easier to sync addons and settings.  I finally set up my mobile phone and netbook so that I can use the phone as an internet access point.

This morning I attempted to log in for the first time using the phone as a wireless modem.

Our login system had detected a change in your access pattern. In order to protect the account we require you to verify your identity and change your password via our website. For more information please visit (link provided)

I suppose I understand the test.  It would provide a barrier to an account hacker.  However, in terms of account security; I already had an authenticator.  I thought this was meant to assist in positive identification.  Blizzard's decision to insist on an email address as a login code is terrible from a security point of view; I was asked 4 security questions; If you know my login code you already know 3 of the answers.

The fourth question was a choice of cd key from the install CDs (original and expansions), or a previously set up security question.  I was on the road so didn't have any hope of a cd-key.  I am pleased that I remembered my security question that I set up years ago.

11 comments:

  1. I've had this happen to me twice now, albeit without an authenticator attached. I talked to a GM the first time and what had happened to me was one of the IPs I used was associated with hacking or gold selling or whatever.

  2. Joy. Just what any goblin wants. A toon that makes too much gold associated in any way (even by ip address) with a gold hacker or seller.

  3. Get used to that happening often. I get that question and have to change my logon password every time I switch between regular internet and phone as a modem. I've even had to change my password twice in the same day.

  4. Get used to this. Blizz refuses to make it so their system will learn a pattern that includes more than 1 ISP or to allow you to opt-out of this feature. I have had an authenticator ever since they came out and yet I have to reset my password twice each day as I have to switch between a VPN connection during business hours and my regular DSL after-hours (same hardware / location). I've called their support numerous times since August without any success.

  5. Sorry but I don’t want to change my usage pattern, I have my authenticator attached but I prefer not to log-in my account to other device except my computer alone. Out of my safety precautions with my account I know if I get banned or hacked there’s only one to blame. Is the time when my account gets compromised with wow gold sellers last month. So far my account still kicking, no email or notice received from Blizz. : )

  6. Blizzard has not revealed all the algorithms behind their "suspicious activity" decision.

    I've been using the Dial-In Authenticator since it came out and haven't had an issue, even when I flew out of state for a business trip and played WoW from a hotel.

    I haven't heard of anyone else using a Dial-In Authenticator, but it does seem like Blizzard has implemented some of its features more broadly, what with the authenticator entry box being removed from the login screen (with much end-user QQ as the response).

    http://us.battle.net/wow/en/blog/1113829
    http://us.blizzard.com/support/article.xml?locale=en_US&articleId=35806
    --
    Regards,

    potatoe

  7. "Blizzard's decision to insist on an email address as a login code is terrible from a security point of view"

    Agreed, I've told them that many times. The person who came up with that boneheaded idea should be fired... He doesn't have the first clue about security.

  8. Even Better - had a Consortium Member who's pretty sure he was hacked remotely, since he has an authenticator associated with his account, and when support was questioned no "suspicious" activity could be determined.

    So, if the hackers can make it seem as though it's you accessing your regular WoW computer as usual, no authenticator prompt will be thrown at all and they'll be free to hop right into your account and have their way with it. Awesome.

    This security system is an absolute joke, IMO. As you've pointed out, they've got all the hurdles in all the wrong places. When legitimate users can't get at their account legitimately, and illegitimate ones can, that's not security, is it?

  9. Regarding IP security, when you access a service via Internet provided by a mobile device, the IP address the device provides to Blizzard's security systems is the IP address of the phone company. Anyone using a Sprint phone, for instance, will provide Blizzard with the same IP address. You can assume that Blizzard's systems see these phone provider IP addresses as suspicious since there's quite a few accounts tied to them.

  10. That is only true if your phone company assigns you a NAT-ed address which most don't.

  11. I travel a lot for work and use an aircard or the hotel's Internet. I have to change my password about 1 or 2 times a month because of this message. Pretty annoying IMO.

