Tuesday, May 26, 2009

Blizzard Authenticator: Coming to a Credit Card near you

User accounts for virtual worlds are the preferred target of high-tech thieves nowadays. Not only is it relatively easy to liquidate stolen digital property, but there's almost no risk of prosecution. Virtual property isn't really understood by most courts of law around the world, and a majority of legal systems would find it hard to define stealing such items as theft. However, just because it's difficult to establish real-world value for virtual property doesn't mean it's worthless. In recent years, digital criminals have devoted more effort to setting up phishing scams and trojan installers for game accounts than credit cards. This shows that there is obvious real-world value to these accounts.

As World of Warcraft has grown into the largest subscription-based MMO, it's become the main target of scams and computer viruses seeking out account information. It's safe to say that as the criminal activity targeting the game increased, so has the load on its customer service system. Since each case requires a fair amount of time to investigate and fix, the costs associated with customer service have risen. Also, since Blizzard has several high-level competitors, they can't simply ignore requests to restore hacked accounts. It's because of this situation that Blizzard eventually introduced the authenticator. This relatively simple device can be registered with a player account and then provides a different password every time the player wants to log in.

I'll admit that it's a small increase in effort to log in with an authenticator, but players who have been repeatedly hacked feel like it's worth the trouble. The device seems to be working quite well in preventing compromised computers from gaining control of World of Warcraft accounts. In fact, it seems to be working so well that Visa is exploring a similar system for its credit cards. Currently being tested is the Emue card, which has a screen on the back that generates an additional PIN number for every transaction. This doesn't help much if the card is physically stolen, but more than half of all credit card fraud is committed online nowadays. Thus, just like the Blizzard Authenticator, the Emue card protects its account holders with a layer of protection that can't be broken online.

The relative similarity between the two systems makes me wonder if Visa and Blizzard are using the same security company. Since game accounts and credit card information are two of the top targets for online crime, I guess it makes sense that they use the same security measures. Of course, just like the Blizzard Authenticator, the Emue card will probably only be adopted by people who've had their information stolen before. Still, since Visa is planning on making the system backwards compatible, that means stores will be able to handle both types of cards. If the Emue card becomes widely available for free, then I expect anyone who shops online will adopt it pretty quickly. And the fact that the Blizzard Authenticator system has been working so well makes me believe this is a pretty secure technology and not a simple gimmick.


fizziksman said...

Blizzard didn't invent this type of security, so it's not likely that they have anything in common.

When my wife took maternity leave from her company they allowed her to work from home. In order to do that she had to log into their network remotely. She was given a key fob very much like the Blizzard authenticator, and she used that to generate a new code each time she logged on. This was at least 5-6 years ago, well before Blizzard introduced their authenticator.

I'd use a Visa card with that technology in a heartbeat. The authenticator has given me a great sense of security about my WoW account. I'd like to feel that confident about my credit cards as well.

Anonymous said...

Really fantastic idea. Of course, it will require a lot of adaptation on the vendor side, but overall a fantastic advancement in credit card technology.

Anonymous said...

This technology isn't unique to Blizzard. There's a company called RSA which sells the SecurID, for example. They have been selling fobs to corporate America for what - at least a decade - which are used by employees to do things like access the corporate VPN. No fob, no code, no access.

RSA's model uses two-factor authentication - you have to know your PIN and you have to type in the temporary code from the fob. This is in addition to whatever OTHER logins your network might require.

The kicker is that we used to pay SecurID almost $50 per fob last time I was involved with them (which admittedly was several years ago now, so the price could have dropped some). When Blizzard came out with the authenticator, I could not figure out how they could sell it for only about $7 because the fobs I had dealt with in the past were much more expensive.

But after I got one I realized - the encryption Bliz is generating on their fobs is not of the same high standard that the SecurID tokens use. This is mainly because they do not use the two-step process - they do not require both a PIN and the temporary code. That said, it's good enough for an online game. It doesn't need to have the level of protection an internal corporate network would require.

If the Visa people were smart they would not put the code generator on the card itself. It's the equivalent of writing your PIN on your ATM card with a sharpie. But yes, it at least protects from online card theft, if not physical.