Blizzard Sued For Trying To Make Accounts More Secure

from the oh-come-on dept

We've discussed in the past how the class action lawsuit system these days seems often to be more about a legal shakedown for lawyers, rather than anything really designed to help protect the public. The latest crazy lawsuit involves a class action lawsuit (pdf and embedded below) filed against Activision Blizzard... because the company is offering two-factor authentication. You see, Blizzard's Battle.net was hacked a few months back, leading to some email addresses being revealed. Also, like many other security minded places, Blizzard has been pushing two factor authentication to better secure your accounts. Blizzard's two-factor authentication can be downloaded for free on any iOS, Android or Windows Phone smartphone. If you don't happen to have any of those, but still want to use two-factor authentication, they will sell you a $6.50 fob. None of this seems out of the ordinary. Until you read the lawsuit, where these class action lawyers try to make it sound like some horrible scam.
Defendants' acts have not only harmed Plaintiffs and Class members by subjecting their Private Information to hackers, they have harmed Plaintiffs and Class members by devaluing their video games -- purchased from Defendants under certain assurances of security -- by adding elements of risk to each and every act of playing said games.

Moreover, rather than shouldering the burden of adopting sufficient security measures to prevent these repeated hacks and to protect the Private Information of their customers, Defendants instead have informed their customers, after the point of sale, that they must purchase additional security products in order to ensure the sanctity of their Private Information. These additional, post-purchase costs for security products -- which Defendants assert are the only measures that may be taken to ensure something even approximating account security when playing their video games -- were not disclosed to Plaintiffs and Class members prior to the purchase of Defendants' products.
Yeah, notice how they gloss over the fact that the system is free for anyone with a smartphone? And let's not even get into the fact that no system can be perfectly secure and, eventually, every system is going to get hacked. Just being hacked doesn't make you negligent. And, as we've seen, courts have time and time again refused to find any legal claims against sites that are hacked unless actual harm is shown to the users. The idea that providing two-factor authentication -- and charging the basic cost of the fob for the few folks who don't have a smartphone -- is some sort of sneaky business practice is just ridiculous.

Blizzard has hit back and slammed the lawsuit as being based on "patently false information."
The suit’s claim that we didn’t properly notify players regarding the August 2012 security breach is not true. Not only did Blizzard act quickly to provide information to the public about the situation, we explained the actions we were taking and let players know how the incident affected them, including the fact that no names, credit card numbers, or other sensitive financial information was disclosed. You can read our letter to players and a comprehensive FAQ related to the situation on our website.

The suit also claims that the Battle.net Authenticator is required in order to maintain a minimal level of security on the player’s Battle.net account information that’s stored on Blizzard’s network systems. This claim is also completely untrue and apparently based on a misunderstanding of the Authenticator’s purpose. The Battle.net Authenticator is an optional tool that players can use to further protect their Battle.net accounts in the event that their login credentials are compromised outside of Blizzard’s network infrastructure. Available as a physical device or as a free app for iOS or Android devices, it offers players an added level of security against account-theft attempts that stem from sources such as phishing attacks, viruses packaged with seemingly harmless file downloads, and websites embedded with malicious code.

When a player attaches an Authenticator to his or her account, it means that logging in to Battle.net will require the use of a random code generated by the Authenticator in addition to the player’s login credentials. This helps our systems identify when it’s actually the player who is logging in and not someone who might have stolen the player’s credentials by means of one of the external theft measures mentioned above, or as a result of the player using the same account name and password on another website or service that was compromised. Considering that players are ultimately responsible for securing their own computers, and that the extra step required by the Authenticator is an added inconvenience during the log in process, we ultimately leave it up to the players to decide whether they want to add an Authenticator to their account. However, we always strongly encourage it, and we try to make it as easy as possible to do.

Many players have voiced strong approval for our security-related efforts. Blizzard deeply appreciates the outpouring of support it has received from its players related to the frivolous claims in this particular suit."
Hopefully the court understands just how ridiculous this case is and dumps it quickly.


Reader Comments (rss)

(Flattened / Threaded)

  1.  
    identicon
    Anonymous Coward, Nov 13th, 2012 @ 4:00am

    If Blizzard wanted to make their accounts more secure they should have...oh I don't know, NOT MAKE THEIR PASSWORDS CASE INSENSITIVE.

    But like you said the case is dumb and shouldn't go anywhere. It's like sueing your carmaker for not giving you free gas for life or some other nonsense.

     

    reply to this | link to this | view in thread ]

  2.  
    identicon
    Big Richard, Nov 13th, 2012 @ 4:01am

    Aren't "elements of risk" an integral part of games?

     

    reply to this | link to this | view in thread ]

  3.  
    icon
    Keii (profile), Nov 13th, 2012 @ 4:04am

    The only thing I wish Blizzard did differently about their security is make it so passwords are case sensitive. They've never been case sensitive.
    But suing over the authenticator is a dumb move and I hope this person gets laughed out of court.

     

    reply to this | link to this | view in thread ]

  4.  
    icon
    Miff (profile), Nov 13th, 2012 @ 4:09am

    At least it's just a fraud lawsuit and not someone claiming to have a patent on two-factor authentication with "internet" crudely scrawled on it.

     

    reply to this | link to this | view in thread ]

  5.  
    icon
    Wally (profile), Nov 13th, 2012 @ 4:36am

    Totally missed the lawsuit.

    The point of the lawsuit has nothing to do with making it more secure. It is about making people pay for a key fob decoder while everyone else on a mobile device can get their transfer codes for free.

     

    reply to this | link to this | view in thread ]

  6.  
    identicon
    Anonymous Coward, Nov 13th, 2012 @ 4:47am

    Re:

    Depends on what sort of game.

    For example, Duck-Duck-Goose doesn't have any similarities to Risk at all. Heck there's not even dice involved.

     

    reply to this | link to this | view in thread ]

  7.  
    icon
    vegetaman (profile), Nov 13th, 2012 @ 4:55am

    It could be worse... They could be like some other company that got off scott free storing their customer's passwords in plaintext.

    So if Blizzard gets nailed for this, it will be the most back-asswards precedent EVER.

     

    reply to this | link to this | view in thread ]

  8.  
    identicon
    Anonymous Coward, Nov 13th, 2012 @ 4:58am

    Insecure by design.

    Battle.net (by extension Diablo 3 and World of Warcraft) uses case-insensitive passwords. Try it yourself and see. Then tell me again how secure they want to make things.

     

    reply to this | link to this | view in thread ]

  9.  
    icon
    PaulT (profile), Nov 13th, 2012 @ 5:05am

    Re: Totally missed the lawsuit.

    "It is about making people pay for a key fob decoder while everyone else on a mobile device can get their transfer codes for free."

    In other words, they provide the product with no marginal manufacture and distribution cost for free while they charge costs for the piece of hardware that costs them money? All for an optional extra security method that nobody is forced to participate in to play most of their games? What monsters.

    What's the alternative? Are you saying that Blizzard should be forced to offer extra security methods (that most of their competitors aren't offering at all) at a direct cost to them? That no company should charge for physical security options even if a free digital option is available?

     

    reply to this | link to this | view in thread ]

  10.  
    icon
    Keii (profile), Nov 13th, 2012 @ 5:06am

    Re: Totally missed the lawsuit.

    Blizzard is not making money on the authenticators. They're selling them at cost. This guy still doesn't have a leg to stand on.

     

    reply to this | link to this | view in thread ]

  11.  
    identicon
    Anonymous Coward, Nov 13th, 2012 @ 5:06am

    Re:

    if you did the minimal amount of research you would find out that making passwords case insensitive saves a shitton on support calls, and the cost to "security" is effectively non-existant because putting random caps in your password has never actually been effective at increasing password strength.

     

    reply to this | link to this | view in thread ]

  12.  
    identicon
    Anonymous Coward, Nov 13th, 2012 @ 5:08am

    Re: Re: Totally missed the lawsuit.

    better than that, blizzard sells the authenticator at cost and then foots the cost of shipping. Pretty sweet deal for consumers.

     

    reply to this | link to this | view in thread ]

  13.  
    identicon
    Anonymous Coward, Nov 13th, 2012 @ 5:09am

    Re: Insecure by design.

    I would love to hear you explain how that matters.

     

    reply to this | link to this | view in thread ]

  14.  
    identicon
    Anonymous Coward, Nov 13th, 2012 @ 5:14am

    those lawers are just pissed off because their new Monk class toon keeps getting ganked by horde at Elewyn forest.

     

    reply to this | link to this | view in thread ]

  15.  
    icon
    Spointman (profile), Nov 13th, 2012 @ 5:16am

    Re: Re:

    Uh, [citation needed] on that last bit. Or at least some clarification on what you mean. Generally speaking, increasing the number of permitted characters in a password substantially increases the time required to test every single password.

    If you mean that most compromised accounts happen because the attacker obtains the password some other way (not a brute force attack), then yes, I'd agree.

     

    reply to this | link to this | view in thread ]

  16.  
    identicon
    Anonymous Coward, Nov 13th, 2012 @ 5:20am

    masnick what you should comment on, is how blizzard did so well from the South Park episode featuring WoW, it was a great rip off of it, but bliz did not fight it, but embraced it, and gained a massive amount of extra players from it..

    also bliz has been excellent in their QoS, and security, IMO.

     

    reply to this | link to this | view in thread ]

  17.  
    identicon
    Anonymous Coward, Nov 13th, 2012 @ 5:22am

    Re: Re: Re:

    Increasing the number of permitted characters only increases password security if the characters are randomly distributed. Making the first letter capitalized and the last letter a special character or number, does not significantly increase password security.

     

    reply to this | link to this | view in thread ]

  18.  
    identicon
    Anonymous Coward, Nov 13th, 2012 @ 5:30am

    Re:

    How much more secure is a case sensitive password?
    Something along the lines of 8 micro seconds or less.
    After all we are not talking about a kid banging on a keyboard.

     

    reply to this | link to this | view in thread ]

  19.  
    identicon
    Anonymous Coward, Nov 13th, 2012 @ 5:31am

    Re: Totally missed the lawsuit.

    Will the point of lawsuit is wrong. It not reasonable to except a piece of software and piece hardware to have same cost, even when they sever the same purpose.

     

    reply to this | link to this | view in thread ]

  20.  
    identicon
    Anonymous Coward, Nov 13th, 2012 @ 5:34am

    Re: Re: Insecure by design.

    Sure.

    Number of possible 4 character passwords using letters only when case doesn't matter (A=a): 456976

    Number of possible 4 character passwords using letters only when case DOES matter(A!=a): 14776336

    I chose 4 characters to keep the numbers manageable for this example. I recognize 4 characters is ridiculously short for a password. The math works the same adding numbers, special characters, or increasing length.

    Using case sensitive passwords makes brute forcing on the order of 32 times harder, and additionally makes it that much more difficult for someone to shoulder-surf a password.

    Keep in mind that Blizzard uses this same insensitive password scheme for the battle.net store, where they keep payment information around for you. So we aren't just talking about a login for a game.

    That's why it matters.

    I'm a developer. I'm pretty sure I'd lose my job if I designed a system that allowed a successful login with a case-mismatched password, and none of the systems I'm responsible for even store payment information for any of their users.

     

    reply to this | link to this | view in thread ]

  21.  
    identicon
    Anonymous Coward, Nov 13th, 2012 @ 5:43am

    Re: Re: Re: Insecure by design.

    I see your appeal to authority and raise you one XKCD:

    http://xkcd.com/936/

    Thanks, hope it was enlightening.

     

    reply to this | link to this | view in thread ]

  22.  
    identicon
    Anonymous Coward, Nov 13th, 2012 @ 5:46am

    Re: Re: Re: Re: Insecure by design.

    Oh yes, be sure to read the hover text.

    I believe he is referring to this same very type of.. uhm... case.

     

    reply to this | link to this | view in thread ]

  23.  
    icon
    sniperdoc (profile), Nov 13th, 2012 @ 5:47am

    Not such a dumb lawsuit

    Considering the fact that FOBs should really be de facto standard nowadays AND that Blizzard should provide them instead of charging customers, I don't consider this lawsuit so frivolous.

    #1 Fobs would be the one way to make sure people actually BUY their game.
    #2 Fobs are a great way to authenticate. Businesses have done it with certain software for a long time now.

    Because not ALL people own a smartphone that has internet connectivity or rather even own a smartphone, means THOSE people are inconvenienced by "purchasing" their protection. THAT is against the law. This means another product has to be purchased to use something a provider has already agreed full access to upon purchase. Just because they add a clause that says "we can change the rules at any time" doesn't mean it's right. Sure it's 6.50 or whatever... what's next? Your next $80 special edition doesn't come with all items promised and you have to dish out another $20 to get the rest?

    Think about it people... it's entertainment publishers and developers taking consumers for a ride once again, seeing how far they can push the envelope... when is enough, enough?

     

    reply to this | link to this | view in thread ]

  24.  
    identicon
    Anonymous Coward, Nov 13th, 2012 @ 5:47am

    Re: Re: Re: Insecure by design.

    Considering it's easily possible to brute force passwords by leveraging the power of modern GPUs, password complexity is quickly becoming a moot point. Your average $200, mid-range, gaming card probably can probably plow through more hashes a second than a top of the line Xeon, and the people who are serious about it are running a full bank of top-of-the-line, dual-GPU cards.

    That is, of course, assuming that they get a hold of an unsalted hash in the first place.

     

    reply to this | link to this | view in thread ]

  25.  
    identicon
    Anonymous Coward, Nov 13th, 2012 @ 5:55am

    It's kind of funny that they are complaining that Blizzard didn't notify anyone about the Battle.net breach. There was news about it everywhere on Blizzard's sites when it happened, not to mention their close partners (Curse, Zam, etc).

    For even more icing on the cake, Blizzard has actually broken news of other company's security breaches to warn users to make sure that they changed their passwords if they were the same (I seem to recall them sending out notices regarding the security breaches for Sony PSN and Gawker before either of those two companies informed their users).

     

    reply to this | link to this | view in thread ]

  26.  
    identicon
    Anonymous Coward, Nov 13th, 2012 @ 5:59am

    Re: Re: Re: Re: Insecure by design.

    Also, be sure to check out the links in the External Links section at the bottom of the wiki, lots of relevant discussion

    http://www.explainxkcd.com/wiki/index.php?title=936

     

    reply to this | link to this | view in thread ]

  27.  
    identicon
    Anonymous Coward, Nov 13th, 2012 @ 6:05am

    Re: Not such a dumb lawsuit

    The fob isn't a requirement, thats where this whole argument falls apart. You can be perfectly secure without a fob. ANY website, game, service, etc, your password is just as susceptible to phishing, malware, driveby downloads, and password sharing as it is on a Blizzard game. There is literally no difference. (People have their bank account info phished all the time. Why doesn't every bank offer a fob? Neither of mine do. Blizzard offers this OPTIONAL security scheme as a SERVICE to its customers, not as a profit center, as again, they sell them at cost AND pay for shipping)

    And that $80 purchase with $20 to buy later to get the rest?

    Isn't that the current Xbox/PS3 AAA developers business model these days?

     

    reply to this | link to this | view in thread ]

  28.  
    identicon
    Anonymous Coward, Nov 13th, 2012 @ 6:09am

    Re: Re: Not such a dumb lawsuit

    FYI by being perfectly secure, I mean, if you don't share your passwords, you are careful with your browsing, and you keep Flash/Java/etc up to date and you use an Anti-virus/etc you are just as safe with Blizzard games as you are any other website, including your bank or whatever.

    These are common best practices anyway, so you should just be doing them in the first place.

    I played WoW for 4 years, through all kinds of periods of "OMG TEH HACKARZ ARE STEELING OUR GOLDZ" and only got an authenticator in the last year. I got it for the pet (hellhound pup) more than anything else.

     

    reply to this | link to this | view in thread ]

  29.  
    icon
    PaulT (profile), Nov 13th, 2012 @ 6:12am

    Re: Not such a dumb lawsuit

    "#1 Fobs would be the one way to make sure people actually BUY their game."

    No they wouldn't. The fobs do nothing to stop piracy, and in fact having to use an extra piece of hardware that can easily be lost just to log into the game would be a turn off for many people. Especially if they're forced to use something that was previously optional and available on the phone they use every day. That translates to lost sales in my mind, especially with products like WoW where people are buying things other than the software itself (e.g. access to public servers).

    "#2 Fobs are a great way to authenticate. Businesses have done it with certain software for a long time now."

    I've never used one for my business software. Maybe I prefer other methods of authentication that don't involve me having a drawer full of crap?

    "Because not ALL people own a smartphone that has internet connectivity or rather even own a smartphone, means THOSE people are inconvenienced by "purchasing" their protection"

    So your alternative is to force Blizzard to mass produce an extra piece of hardware that the smartphone owners don't want and many would be inconvenienced by far more than fob users are now? At their own cost, no less (read: costs passed on to the customer through higher subscription fees)?

    Not thought this through, have you?

     

    reply to this | link to this | view in thread ]

  30.  
    identicon
    Anonymous Coward, Nov 13th, 2012 @ 6:19am

    Re: Re:

    Which of the following two passwords is stronger,
    more secure, and more difficult to crack?
    D0g.....................
    PrXyc.N(n4k77#L!eVdAfp9

    Steve Gibson speaks about Password Haystacks: https://www.grc.com/haystack.htm

     

    reply to this | link to this | view in thread ]

  31.  
    identicon
    Anonymous Cowherd, Nov 13th, 2012 @ 6:24am

    Re: Re: Re: Insecure by design.

    Brute-forcing a password in a client-server architecture should never be possible. No properly designed server would allow a client to make unlimited guesses at the password.

    Besides, the increased number of permutations is only realized if users actually use arbitrarily mixed-case passwords. Even when forced to use both upper- and lowercase letter by the system, most users will just capitalize the first letter. And since the attacker knows the system requires users to do this, it does not actually make the password any less guessable.

     

    reply to this | link to this | view in thread ]

  32.  
    identicon
    Anonymous Coward, Nov 13th, 2012 @ 6:24am

    Re: Totally missed the lawsuit.

    It's not a requirement to play the game - it is optional enhanced security for the paranoid.

    The key word being "optional."

     

    reply to this | link to this | view in thread ]

  33.  
    icon
    kirillian (profile), Nov 13th, 2012 @ 6:38am

    Re: Re: Re: Insecure by design.

    Your assumption first of all assumes brute force attacks which, well...don't happen. Blizzard has a huge timeout between password authentication attempts.

    Most passwords are stolen when you log into a malicious website which steals your credentials, you download some sort of keylogging software, or when you use the same password on multiple sites and one of them is hacked and your credentials stolen.

    Brute force attacks are completely useless against services like Blizzard's authentication service which uses those timeouts.

    You might be a developer, but you don't have your facts straight. Stop appealing to authority and get your ducks in a row instead.

     

    reply to this | link to this | view in thread ]

  34.  
    identicon
    Anonymous Coward, Nov 13th, 2012 @ 6:40am

    Re: Re:

    By my calculations if you only allow lower case characters (or ignore case, which is effectively the same), you can have (for a password of length 8):

    26**8 = 208827064576 possible passwords

    Whereas, if you allow both upper and lower case characters, you can have:

    (26*2)**8 = 53459728531456 possible passwords

    It's somewhat significant, assuming that we are using brute-force attacks. A dictionary attack (which can be surprisingly effective) can cut down the search space considerably, even if we toss in 1337-speak and wacky characters (like, using @ instead of a).

    Best thing to do, though, is to use pass-phrases, which are MUCH STRONGER due to their size, even without wackyness.

    Still, there is no reason for Blizzard not to allow mixed case. If the reason truly is a matter of tech-support, then players of Blizzard games are even dumber than I expected.

     

    reply to this | link to this | view in thread ]

  35.  
    icon
    The eejit (profile), Nov 13th, 2012 @ 7:11am

    Re: Re: Re:

    See the related XKCD comic on that.

     

    reply to this | link to this | view in thread ]

  36.  
    identicon
    WTFAC, Nov 13th, 2012 @ 7:13am

    Re: Re: Re: Re:

    Are you talking about capitals not being effective from a brute force/rainbow table level attack or from a forced decryption attempt? Mixing capitals and lower case letters together most certainly DOES increase the complexity of the task of breaking the password. You have increased the character pool from 26 possible to 52 possible for each digit position, not including special characters.

    If you choose a stupid simple password that's just a basic word, that's not the fault of the security and leaving it all the same case makes it even more pathetic. An ideal password would possess no common language words at all (forcing dictionary based attacks to be useless), utilize special case characters (increasing the possibility pool), and be as long as possible (increasing the possibility pool per character). Of course it should then be further secured by the system using a SALT and such.

     

    reply to this | link to this | view in thread ]

  37.  
    identicon
    Mark, Nov 13th, 2012 @ 7:15am

    Re: Totally missed the lawsuit.

    Well said. This article's insistence that anybody who is anybody has a smart phone is both inaccurate and beside the point.

     

    reply to this | link to this | view in thread ]

  38.  
    icon
    The eejit (profile), Nov 13th, 2012 @ 7:15am

    Re: Re: Re:

    You've obviously never used their Looking for Dungeon or Looking for Raid tools.

     

    reply to this | link to this | view in thread ]

  39.  
    icon
    The eejit (profile), Nov 13th, 2012 @ 7:16am

    Re: Totally missed the lawsuit.

    The cost fo the authenticator keyfob is literally for Shipping. The fob itself is essentially free.

    There is no grounds for this class-action suit.

     

    reply to this | link to this | view in thread ]

  40.  
    icon
    The eejit (profile), Nov 13th, 2012 @ 7:20am

    Re: Re: Not such a dumb lawsuit

    WEll, to be fair, it's fairly simple to remove an authenticator from an account: just prove your ID and explain why you need it removed.

     

    reply to this | link to this | view in thread ]

  41.  
    identicon
    Anonymous Coward, Nov 13th, 2012 @ 7:34am

    Re: Re: Totally missed the lawsuit.

    Since the article says no such thing, you probably shouldn't be the one talking about inaccuracies.

     

    reply to this | link to this | view in thread ]

  42.  
    identicon
    Anonymous Coward, Nov 13th, 2012 @ 7:47am

    Perfect, I'll go buy a 600$ phone to play a game. Sigh.

    They should offer it for free. It was their security measures that failed. So yes, they should be improved, but not at the expense of the already paying customer.

    Why not make a free Windows version if they can make free mobile ones?

    How many billions did Blizzard make last year? Yeah. Greedy bastards. Fail, fix, make people pay for our failure. Awesome plan.

     

    reply to this | link to this | view in thread ]

  43.  
    icon
    Josh in CharlotteNC (profile), Nov 13th, 2012 @ 7:49am

    Re: Re: Re:

    Generally speaking, increasing the number of permitted characters in a password substantially increases the time required to test every single password.

    While technically true, this is not really a factor any longer. With the speed of processors (and GPUs), extensive wordlists and rainbow tables, brute-force cracking of a password hash is relatively easy and not time consuming for average 7 or 8 character passwords, mixed case or additonal numbers/symbols not withstanding.

    There are a few things Blizzard can do to for effective account security.
    -Secure the storage of their password files through various means - they have done about as well as they can here, and better than many others.
    -Offer two factor authentication for their users - they have, and in a more accessible manner than many of their competitors

    There are some things that users can do to make their accounts secure.
    -Make use of the offered two-factor authentication
    -Do not reuse the same passwor/account info for multiple sites
    -Use longer passwords - a 14 or 20 character pass-phrase is (generally) more secure than a 7 character password using mixed case/numbers/symbols.

     

    reply to this | link to this | view in thread ]

  44.  
    icon
    PaulT (profile), Nov 13th, 2012 @ 7:57am

    Re: Re: Totally missed the lawsuit.

    "This article's insistence that anybody who is anybody has a smart phone"

    Would you like to quote the sentences that state that? I see nothing of the sort.

     

    reply to this | link to this | view in thread ]

  45.  
    icon
    Fickelbra (profile), Nov 13th, 2012 @ 8:14am

    Mike, I disagree for once

    Honestly Mike, I have to disagree with you for once. I think this lawsuit does have some legs to stand on. Let me give you an explanation. I bought World of Warcraft a while ago, haven't played it in about 3 years. In those 3 years of not playing, my account has been compromised twice. I should not have to pay them money for "extra protection" on something they should have secured in the first place. The only way I find out is I get an email that I was suspended due to spamming and then I have to contact Blizzard and explain that my account was breached.

    I for one cannot stand lawsuits, but to me there is some validity to this claim.

     

    reply to this | link to this | view in thread ]

  46.  
    identicon
    Anonymous Coward, Nov 13th, 2012 @ 8:18am

    Re: Totally missed the lawsuit.

    Boo-fucking-hoo.

     

    reply to this | link to this | view in thread ]

  47.  
    identicon
    Mike, Nov 13th, 2012 @ 8:37am

    Re: Totally missed the lawsuit.

    Making them pay $7 for a fob is nothing compared to buying the phone....

     

    reply to this | link to this | view in thread ]

  48.  
    identicon
    Anonymous Coward, Nov 13th, 2012 @ 8:39am

    Re:

    Even Sony handled their breach better than this. It speaks volumes about Blizzard and their greed.

     

    reply to this | link to this | view in thread ]

  49.  
    icon
    Josh in CharlotteNC (profile), Nov 13th, 2012 @ 8:42am

    Re: Not such a dumb lawsuit

    AND that Blizzard should provide them instead of charging customers,

    You think that if Blizzard would be forced to provide a fob to everyone with an account that wanted one, they wouldn't cover those costs elsewhere? Higher account activation fees? Higher monthly fees? Less developers working on content?

    Charging the marginal cost of the fob to those that want one, while providing free mobile authenticator software to anyone with a smartphone, is considerably more efficient - and thus results in lower costs for everyone.

     

    reply to this | link to this | view in thread ]

  50.  
    identicon
    Joel, Nov 13th, 2012 @ 8:45am

    Re:

    Case sensitive or not, it wouldn't make a difference. Blizzard's games are huge, and attract millions of fans. And like any significant subset of society, there are a lot of stupid people.

    People who fall for phishing emails, or download a virus, or visit a dodgy porn site, etc

    It wouldn't matter if Blizzard required a 200 character, alphanumeric password with a random mix of capitals, lowercase, numbers and symbols.

    The idiots would still give it up.

    And of course then take to the forums and ingame chat to rip Blizzard for not protecting them.

     

    reply to this | link to this | view in thread ]

  51.  
    icon
    Sean T Henry (profile), Nov 13th, 2012 @ 8:50am

    Re: Re: Re: Re:

    "While technically true, this is not really a factor any longer. With the speed of processors (and GPUs), extensive wordlists and rainbow tables, brute-force cracking of a password hash is relatively easy and not time consuming for average 7 or 8 character passwords, mixed case or additonal numbers/symbols not withstanding."

    That is assuming that the online authentication will allow the computer to try every combination at the max speed without locking the account for a fixed time. If you can try 5 passwords then be locked out for 5 minutes assuming no caps an 8 alphanumeric password will take 36^8 minutes to complete all combos. That is 1min(if first answer is correct) to 5,367,408.499 years last one is correct.

     

    reply to this | link to this | view in thread ]

  52.  
    identicon
    Joel, Nov 13th, 2012 @ 8:53am

    Re: Re: Totally missed the lawsuit.

    Well, the article didn't say that everyone had a smartphone.

    But I bet the % of people who have smartphones vs regular phones (or no phone) would be substantially higher than the general population if you only look at those that:

    A) A PC and internet connection
    B) $15 a month to spend on a game subscription
    C) Don't mind forking out $60 a year for the latest expansion

     

    reply to this | link to this | view in thread ]

  53.  
    icon
    Sean T Henry (profile), Nov 13th, 2012 @ 8:53am

    Re: Re: Re: Re: Re:

    Oops I realized I did the calc as 36 character pw with 8 positions it should have been 8^36, that makes it 6.1742495e+26 years

     

    reply to this | link to this | view in thread ]

  54.  
    identicon
    Anonymous Coward, Nov 13th, 2012 @ 8:56am

    Re:

    You're not even wrong.

     

    reply to this | link to this | view in thread ]

  55.  
    icon
    Josh in CharlotteNC (profile), Nov 13th, 2012 @ 8:56am

    Re:

    Why not make a free Windows version if they can make free mobile ones?

    I don't think you understand the "two" in two-factor authentication.

    One of the things the mobile authenticator protects you from is password harvesting malware on the computer you play the game from. Even if your computer is infected, someone still can't login to your account because they can't get the code from the authenticator.

    The way the fobs and authenticators work is that a seed value is generated on the device. That seed value, along with the current time, is used to generate that changing code. As long as both the login server and your device know the seed value and the correct time, they both can generate the same code - and allow you to login.

    What happens when the malware running on your PC gets that seed value, and your password? They can now impersonate you, login to your account, and steal all your stuff.

    Do you want the illusion of security, or real security?

     

    reply to this | link to this | view in thread ]

  56.  
    icon
    Josh in CharlotteNC (profile), Nov 13th, 2012 @ 9:12am

    Re: Re: Re: Re: Re:

    without locking the account for a fixed time.

    They're not trying to login via Blizzard's servers.

    They're testing passwords based on a password file that contains a "one-way" hash value of the password.

    They don't attempt to login via Blizzard's servers until they're relatively sure they have a correct password.

    Instead of using a lockpick on the locked door monitored by the a security camera, they learn the lock manufacturer, and figure out which key is used by glancing at the number stamped into it by watching when the guy pulls out his keychain in the parking lot. They get a copy of that key, then walk in and unlock the door without alerting security beforehand.

     

    reply to this | link to this | view in thread ]

  57.  
    identicon
    Anonymous Coward, Nov 13th, 2012 @ 9:28am

    Re: Re: Re: Re: Insecure by design.

    WTF appeal to authority?

    I showed you mathematically how a case-insensitive password system leads to more frequent collisions.

    Everyone replying has hand-waved away that being an issue, with the exception of one appeal to authority in the form of XKCD which I've seen and will raise you with an appeal to StackExchange:

    http://security.stackexchange.com/questions/17824/is-there-any-explanation-other-t han-storing-plaintext-for-case-insensitive-pas/17825#17825

     

    reply to this | link to this | view in thread ]

  58.  
    identicon
    Anonymous Coward, Nov 13th, 2012 @ 9:30am

    Re: Re: Re: Re: Insecure by design.

    Yes, yes if someone grabs your hashes you are toast. That's a separate issue here.

     

    reply to this | link to this | view in thread ]

  59.  
    icon
    John Fenderson (profile), Nov 13th, 2012 @ 9:34am

    Re: Re:

    the cost to "security" is effectively non-existant because putting random caps in your password has never actually been effective at increasing password strength.


    This is not just wrong, but it is wrong by many, many orders of magnitude. Case sensitivity adds 26 more possible symbols the password may contain, and each additional possible symbol dramatically increases the total number of permutations. The more permutations, the more time it takes to crack the password. It's basic math.

     

    reply to this | link to this | view in thread ]

  60.  
    identicon
    Anonymous Coward, Nov 13th, 2012 @ 9:35am

    Re: Re: Re: Re: Insecure by design.

    I'm not talking about REQUIRING mixed case. Nice straw man though.

     

    reply to this | link to this | view in thread ]

  61.  
    identicon
    MattP, Nov 13th, 2012 @ 9:38am

    Re: Mike, I disagree for once

    Is it Blizzard's fault that you use the same username and password for everything? How about having malware on your computer? How about choosing the password 12345? At which point does the responsibility fall on you?

     

    reply to this | link to this | view in thread ]

  62.  
    icon
    John Fenderson (profile), Nov 13th, 2012 @ 9:40am

    Re: Not such a dumb lawsuit

    Fobs are a great way to authenticate. Businesses have done it with certain software for a long time now.


    Yes, and those fobs have caused untold losses of blood, sweat, and tears -- not to mention money -- over that long time. It's why you used to see machines that had two or three fobs daisy chained to computers, but you don't see that anymore.

    However, those fobs are different in kind from the random key generator that Blizzard sells, so it's not a good comparison.

     

    reply to this | link to this | view in thread ]

  63.  
    identicon
    Anonymous Coward, Nov 13th, 2012 @ 9:56am

    Re: Re:

    I think you misunderstand. How is it different from having a standalone software on your phone if you have a standalone software on your Windows?

    "a knowledge factor ("something the user knows"), a possession factor ("something the user has"), and an inherence factor ("something the user is")."

    This can all be done from within Windows.

     

    reply to this | link to this | view in thread ]

  64.  
    identicon
    Anonymous Coward, Nov 13th, 2012 @ 9:58am

    Re: Re: Mike, I disagree for once

    When YOU get hacked. This time, it was clearly THEM, and they're making their legit customer base suffer for their failure to have properly secured system.

     

    reply to this | link to this | view in thread ]

  65.  
    icon
    Fickelbra (profile), Nov 13th, 2012 @ 10:21am

    Re: Re: Mike, I disagree for once

    Excuse me sir, but I actually do not use the same password for any service. I have a personal algorithm based on the website or services name to randomize all my passwords. This comes from an account that I was not using. Why don't you go cry somewhere else you Blizzard fan-boy. Just because you love them doesn't mean I'm somehow stupid because they can't secure their own system.

     

    reply to this | link to this | view in thread ]

  66.  
    identicon
    6, Nov 13th, 2012 @ 10:23am

    "Yeah, notice how they gloss over the fact that the system is free for anyone with a smartphone?"

    You say that Mike, but the "free" account sec. provided by phone isn't the same as the FOB security, and they are requiring it for some in game actions. Real money AH springs to mind. And they certainly didn't say anything about that back when I had bought the thing.

     

    reply to this | link to this | view in thread ]

  67.  
    identicon
    Anonymous Coward, Nov 13th, 2012 @ 10:26am

    Re: Re: Re: Re: Re:

    No...just no on everything you've said here. Also, no.

     

    reply to this | link to this | view in thread ]

  68.  
    identicon
    Anonymous Coward, Nov 13th, 2012 @ 10:27am

    Re: Re: Re:

    And?

     

    reply to this | link to this | view in thread ]

  69.  
    identicon
    Anonymous Coward, Nov 13th, 2012 @ 10:29am

    Re: Re: Re: Re: Re: Insecure by design.

    Nobody so much as implied you were. Ball's still in your court.

     

    reply to this | link to this | view in thread ]

  70.  
    identicon
    Anonymous Coward, Nov 13th, 2012 @ 10:36am

    Re: Re: Re:

    How is it different from having a standalone software on your phone if you have a standalone software on your Windows?

    Because you're not logging into the fucking WoW account with your phone.

     

    reply to this | link to this | view in thread ]

  71.  
    identicon
    Todd E, Nov 13th, 2012 @ 10:54am

    Re: Re:

    ...and then Auntie Sarah said to me, "oh, Clifford, don't eat that goldfish with your paprika, it will give you the most frightful ache!" And then the spaceships came.

     

    reply to this | link to this | view in thread ]

  72.  
    icon
    crade (profile), Nov 13th, 2012 @ 11:18am

    Hold on, my Blizzard account info was hacked and they didn't even bother to tell me?!

     

    reply to this | link to this | view in thread ]

  73.  
    icon
    Josh in CharlotteNC (profile), Nov 13th, 2012 @ 11:53am

    Re: Re: Re:

    How is it different from having a standalone software on your phone if you have a standalone software on your Windows?

    If you have the software running that generates the code on the same computer you use to run the game it is not standalone.

    The phone is an entirely seperate channel - malware running on your computer will not effect your phone*. Again you're missing the point of the "two" in two-factor authentication.

    I'm not saying that it is impossible to make software that will run on Windows to generate the codes - I'm saying from a security perspective, there would be no point to doing so as it does not increase security.

    *Yes, I know there are situations where this is not strictly correct (ie phone syncing could introduce an attack vector on the phone).

     

    reply to this | link to this | view in thread ]

  74.  
    icon
    Ferel (profile), Nov 13th, 2012 @ 11:55am

    Of all the things to bitch about, they picked THAT?

    (╯□)╯︵ ┻━┻

     

    reply to this | link to this | view in thread ]

  75.  
    icon
    Ferel (profile), Nov 13th, 2012 @ 12:24pm

    Re: Re:

    What alternate-fucking-reality have you been living in?

     

    reply to this | link to this | view in thread ]

  76.  
    identicon
    Anonymous Coward, Nov 13th, 2012 @ 1:36pm

    Re: Re: Re: Re:

    Standalone means a different piece of software handles it, just like on your smart phone. You're implying that the user could get hacked this way... but just like any other way. Don't want to get hacked? Well, don't use a computer, right?

    A different software (standalone mind you) is a different channel since it's not tied into any blizzard software, it would just generate what it needs to... like you phone does.

    But judging from Blizzard's way of handling this, I think it's safe to assume, yes, that that software would probably be useless, because, Blizzard developed it after proving they were not security conscious.

    Bottom line is, they just want more money, as OP stated.

     

    reply to this | link to this | view in thread ]

  77.  
    identicon
    Anonymous Coward, Nov 13th, 2012 @ 1:57pm

    Re: Re: Re: Re: Re:

    Everything you're saying is fucking retarded.

    Standalone means a different piece of software handles it, just like on your smart phone.

    No. Fucking no. Again, missing the fucking point of two-factor authentication.

    You're implying that the user could get hacked this way... but just like any other way.

    What the fuck is this even supposed to mean?

    Don't want to get hacked? Well, don't use a computer, right?

    Never go full retard.

    A different software (standalone mind you) is a different channel since it's not tied into any blizzard software, it would just generate what it needs to... like you phone does.

    No. It's not a different channel if it's on the same machine. It's the same fucking channel, because if the machine gets compromised, everything gets compromised. Are you being purposely fucking dense?

    But judging from Blizzard's way of handling this, I think it's safe to assume, yes, that that software would probably be useless, because, Blizzard developed it after proving they were not security conscious.

    Bravo. Fucking moron.

    Bottom line is, they just want more money, as OP stated.

    They want more money so they're supplying something at cost and not earning revenue from it? How the fuck does this work in your world?

    Your expertise is clearly not security, so how about you stop pretending to understand what's going on here? Your post is one of the stupidest things I've ever read, and I say that having spent a substantial amount of time on /b/.

     

    reply to this | link to this | view in thread ]

  78.  
    identicon
    Anonymous Coward, Nov 13th, 2012 @ 2:00pm

    Re: Re: Re:

    Whichever one is last in the attacker's dictionary.

     

    reply to this | link to this | view in thread ]

  79.  
    identicon
    William Chambers, Nov 13th, 2012 @ 2:56pm

    Re: Re: Re: Re: Re:

    Bottom line is, You're an idiot, as is the OP.

     

    reply to this | link to this | view in thread ]

  80.  
    identicon
    Bengie, Nov 13th, 2012 @ 3:31pm

    Re: Re: Re: Re:

    mono-case is 26 chars. case-sensitive is 52 chars

    Different password Lengths:
    Mono 1 char: 26 combinations
    Sensitive 1 char: 52 combinations
    2x stronger

    Mono 8 chars: 208,827,064,576 combinations
    Sensitive 8 chars: 53,459,728,531,456 combinations
    256x stronger

    Mono 12 chars: 95,428,956,661,682,176 combinations
    Sensitive 12 chars: 390,877,006,486,250,192,896 combinations
    4,096x stronger

    Being case sensitive quickly becomes much stronger.

     

    reply to this | link to this | view in thread ]

  81.  
    icon
    Wally (profile), Nov 13th, 2012 @ 9:02pm

    Re: Re: Totally missed the lawsuit.

    Oh no, it's Ludacris no matter how you look at it. Just saying other sources indicated that my statement was the actual reason.

     

    reply to this | link to this | view in thread ]

  82.  
    icon
    Wally (profile), Nov 13th, 2012 @ 9:04pm

    Re: Re: Re: Totally missed the lawsuit.

    The lawsuit is ludacris.

     

    reply to this | link to this | view in thread ]

  83.  
    icon
    Wally (profile), Nov 13th, 2012 @ 9:12pm

    Re: Re:

    If you want to talk about Corperate Greed and not handling lawsuits very well...try looking at Samsung or Sony...

    The reason Blizzard looks so bad and also like a very good company to me is that they are totally not experienced in class action lawsuits such as this. I've played Blizzard games since I got Warcraft running on my Quadra 605 better than ANY DOS version on the PC. The fact that until now, they've never experienced a class action lawsuit is the ONLY reason they look bad.

    I mean really, who can name a more ballanced RTS game series than Starcraft??? Or who has a game that STILL has people playing in its spinoff's (Warcraft)???

     

    reply to this | link to this | view in thread ]

  84.  
    icon
    Wally (profile), Nov 13th, 2012 @ 9:36pm

    Fun with math.

    Ok, let's assume the use capitalized letters from the English Alohabet only...This is the possible number of combinations you can guess.

    26 (n)letters from a (r)4 character string


    C(26,4) = 26! / ( 4! (26 - 4)! ) =

    14950

    If you wish to allow a letter to be used twice in one string, square the result!!

    223,502,500 possible combinations!!!

     

    reply to this | link to this | view in thread ]

  85.  
    icon
    Wally (profile), Nov 13th, 2012 @ 9:46pm

    Re: Fun with math.

    Upper and lower case letters of the English Alphabet (52 characters in a 4 string pass code.


    C(52,4) = 52! / ( 4! (52 - 4)! ) =
    270725

    Square it to allow for the use of a character twice:

    7.3292025625E+10

    Note that's well over a trillion combinations already.

    So it is extremely secure to say the least to have Case Sensitive passwords.

     

    reply to this | link to this | view in thread ]

  86.  
    icon
    PaulT (profile), Nov 14th, 2012 @ 12:48am

    Re: Re: Re: Re: Re:

    "A different software (standalone mind you) is a different channel since it's not tied into any blizzard software"

    I may as well jump in here since you're demonstrating a complete lack of technical understanding here. let's see if I can make it clearer:

    Blizzard's software is running in an open environment - Windows. If Windows gets compromised, everything gets compromised. Programs share drivers, libraries, etc. Once Windows gets compromised, nothing can be trusted. Spyware, viruses, trojans affect the whole system, not simply the program they happen to be targeting at the time.

    Get that? Now, it's possible that this didn't happen with previous breaches and it was only a single Blizzard program that was affected. But, Blizzard would just be asking for trouble if they assumed that this would never be the case and so they need to make sure that a hack or compromise on one part of the system can never compromise the whole thing.

    That's where two-factor authentication comes in. By having the authenticator located on a completely separate piece of hardware, a Windows breach can never affect the second part of the code. Since both parts of the code are required, even a virus-riddled system that logs every keystroke and mouse movement you make can never get the whole code. That is *impossible* to achieve with a program running on the same hardware as the game code. If the OS it's running on is compromised, all software is compromised.

    Do you get that? It's weird that you're trying to distort a fairly logical security system into some kind of conspiracy or profiteering, but then I'd guess you'd be the first to whine about Blizzard's poor security if the Windows program you demand failed to provide adequate security (which it would, by design).

     

    reply to this | link to this | view in thread ]

  87.  
    identicon
    Anonymous Coward, Nov 14th, 2012 @ 11:18am

    Re: Re: Re: Mike, I disagree for once

    Every person I've ever met whose WoW account got hacked was an IT expert with flawless security, generally professional sysadmins for the last 80 years who know everything there is to know and follow every best security practice ever devised, so there's no chance any blame could ever fall on them.


    Ever.

     

    reply to this | link to this | view in thread ]

  88.  
    icon
    maclypse (profile), Nov 15th, 2012 @ 6:27am

    While the idea of using case insensitive passwords may be questionable (is questionable in my opinion, as it's at least up to the users if they wish to use upper case letters or not), there's far worse things going on around the net.

    There are for example some major places, that shall remain nameless, that feel 6-letter passwords are just fine and dandy, as long as they contain at least one upper case letter and one number - but at the same time they decide to reject 20+ long lower case password because it's apparently "insecure" in comparison, which of course is a load of dingo's kidneys.

    The obsession with special characters in passwords stems from the old days when passwords were 8 letters or shorter. In todays day and age you are much better of with "greenthumbtreehuggerpetflies" than "1eE4ad", not to mention that your strange little word-riddles are a lot easier to actually fucking remember... Of course, you have to use "Gr33nthumbtreehuggerperflies" instead because you have to use numbers and caps, and that makes it slow to type and much more annoying to remember, even when you do the obvious leetspeak letter replacements.

     

    reply to this | link to this | view in thread ]

  89.  
    identicon
    Patrick Kitchell, Nov 16th, 2012 @ 5:31am

    No need for a lawsuit for christ sake

    I had my account blocked after i had been inactive for a few months from Diablo. Long story short is that the hassle to re-open my account was incredible and beyond words. I give awesome credit the the service people as they were to the point, friendly and competent.

    I appreciate the security measures but I assume that hackers can hack again if they want too and balancing between security and user hassle will always be a balancing act. All major companies gaming companies have been hacked ie. Steam and PS3, etc.

     

    reply to this | link to this | view in thread ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Follow Techdirt
A word from our sponsors...
Essential Reading
Techdirt Reading List
Techdirt Insider Chat
A word from our sponsors...
Recent Stories
A word from our sponsors...

Close

Email This