Wednesday, May 7, 2008

Account hacked in WoW

Not mine, fortunately, but our guild master's account in World of Warcraft got hacked, and the hacker then proceeded to empty our guild bank of 10K+ gold and all items. Ouch! The matter is under investigation by Blizzard; there is a chance that our guild leader will get his character back, but not the contents of the guild bank. What interested me most in this story, though, is the question of how the hacker got our guild master's account name and password.

If you use capital letters, small letters, and numbers, you have a selection of 62 different characters. If your password is, let's say, 8 characters long, there are 62^8 or about 218 trillion different combinations. If somebody had software to test all these combinations one by one, at 1 second per combo, he'd still need about 7 million years to test them all. So brute force against the login server is probably not a viable way to hack a WoW password. One caveat: the one-guess-per-second figure only holds for guessing online, where the server limits how fast you can try. If the attacker gets hold of a site's password hashes, he tests guesses on his own hardware at billions per second, and 62^8 combinations fall in hours rather than millennia. That is why the same 8-character password can be fine for a login prompt and hopeless once some forum's database leaks.

Things get a lot easier for the hacker if you use a weak password. I once met a guy in Everquest who told me he had been hacked. After grilling him on how that could be possible, he admitted that his account name, his password, and his main character's name were all the same. Doh! Other weak passwords are "password" and all names. While brute force programs don't work at that speed, a program that just tests the 1,000 most popular weak passwords against a long list of account names will probably be able to hack into quite a large number of WoW accounts, because it only needs one or two guesses per account. Hands up everyone who used the name of his girlfriend as a password!
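To make the arithmetic from the two paragraphs above concrete, here is an added example (mine, not part of the original post) that estimates the keyspace of a password from the character classes it actually uses, converts that into time-to-exhaust at a few guess rates, and runs the "most popular weak passwords" check the second paragraph describes. The password list and the guess rates are constructed illustrations: the online rate is the post's own one-guess-per-second assumption, and the offline rate of 10^10 guesses per second is a rough figure for a GPU attacking a fast, unsalted hash, not a measurement from any particular site.

```python
import string

# Constructed sample of "most popular weak passwords" for illustration only.
# A real check uses a published list of the top few thousand leaked passwords.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "abc123", "letmein",
    "warcraft", "blizzard", "iloveyou", "dragon", "master", "welcome",
}

# Guess rates (assumptions, see lead-in): online guessing against a login
# server that slows you down, versus offline cracking of a stolen hash.
ONLINE_GUESSES_PER_SEC = 1.0
OFFLINE_GUESSES_PER_SEC = 1e10

CHARSETS = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, 32),
)


def alphabet_size(password: str) -> int:
    """Size of the alphabet a brute-forcer would assume for this password.

    Only character classes that actually appear are counted: an attacker
    tries the cheap classes (lowercase, digits) long before full printable
    ASCII, so unused classes buy you nothing."""
    size = sum(n for chars, n in CHARSETS if any(c in chars for c in password))
    return max(size, 1)


def keyspace(password: str) -> int:
    """Number of candidates of the same length over the same classes."""
    return alphabet_size(password) ** len(password)


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate, in years."""
    return space / guesses_per_second / (365.25 * 24 * 3600)


def is_weak(password: str, username: str = "", character: str = "") -> bool:
    """The cheap checks the post describes: a dictionary of popular passwords,
    reuse of the account or character name, and plain shortness."""
    p = password.lower()
    if p in COMMON_PASSWORDS:
        return True
    if p and p in {username.lower(), character.lower()}:
        return True
    return len(password) < 8


def report(password: str, username: str = "", character: str = "") -> dict:
    """Summarise how the password fares against each attack described above."""
    space = keyspace(password)
    return {
        "alphabet": alphabet_size(password),
        "keyspace": space,
        "online_years": years_to_exhaust(space, ONLINE_GUESSES_PER_SEC),
        "offline_years": years_to_exhaust(space, OFFLINE_GUESSES_PER_SEC),
        "weak": is_weak(password, username, character),
    }


if __name__ == "__main__":
    # Constructed examples: the Everquest story, a dictionary word, and the
    # post's 8-character mixed-case alphanumeric case.
    for pw, user, char in [("Thrall", "thrall", "Thrall"),
                           ("password", "bob", "Bob"),
                           ("aK3mQ9xZ", "bob", "Bob")]:
        r = report(pw, user, char)
        print(f"{pw!r}: alphabet={r['alphabet']} keyspace={r['keyspace']:.3e} "
              f"online={r['online_years']:.3g}y offline={r['offline_years']:.3g}y "
              f"weak={r['weak']}")
```

The point the numbers make: the same 8-character password that takes millions of years online is exhausted in hours offline, and no keyspace calculation helps at all when the password is on the short list an attacker tries first.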

One other possible weakness is people using the same password for many different sites. How sure can you be about how safe your username and password are on some random internet forum? Plenty of small sites store passwords carelessly, sometimes in clear text, and get broken into. And if you use the same username and password there and for WoW or other important sites, it is the security of the weakest site that compromises all the others.

So on my guild forums there is currently discussion about using software like KeePass, which generates very strong passwords for all of your different applications, and stores them on your hard drive in encrypted form. I'm not a fan. I want to be able to access things like Blogger even from some internet café, so having a password I can't memorize and which is stored at home isn't highly useful to me. And I have had enough hard disk crashes in my life to dread the idea that I might lose all my passwords in one such crash. I mean, who really does regular backups of his encrypted KeePass database? I prefer well-known techniques to create and memorize strong passwords. And I'm using a completely un-hackable storage system for passwords: pen and paper. I could theoretically be burgled and my password list stolen, but what are the chances of that? Most probably the burglar will take the computer and the stereo, and leave the paper behind.
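One well-known technique for creating passwords that are both strong and memorable, and one that also addresses the reuse problem from a few paragraphs up, is a randomly chosen multi-word passphrase, one per site. The following is an added example of my own, not code from the post or from KeePass: it draws words with the operating system's cryptographic random source and computes the entropy of the result from the size of the list actually used. The 64-word list embedded here is a constructed stand-in; a real generator would use a published list such as the EFF long list of 7,776 words, and the `passphrase_bits` figure scales with whatever list you pass in.

```python
import math
import secrets

# Constructed 64-word list for illustration only (6 bits per word).
# Use a published long list in practice; the entropy math below adapts.
SAMPLE_WORDS = (
    "anvil", "basket", "cactus", "dragon", "ember", "falcon", "garden", "harbor",
    "island", "jungle", "kettle", "lantern", "meadow", "nickel", "orchid", "pebble",
    "quartz", "river", "saddle", "timber", "umbrella", "velvet", "walnut", "yonder",
    "zephyr", "anchor", "blanket", "canyon", "dolphin", "engine", "forest", "glacier",
    "hammer", "igloo", "jacket", "kayak", "lemon", "marble", "needle", "oyster",
    "parrot", "quiver", "rocket", "spider", "tunnel", "unicorn", "violin", "window",
    "yogurt", "zipper", "acorn", "bridge", "candle", "desert", "eagle", "feather",
    "goblet", "helmet", "ivory", "jewel", "kitten", "lizard", "magnet", "nectar",
)


def passphrase_bits(list_size: int, word_count: int) -> float:
    """Entropy in bits of word_count words chosen uniformly and independently
    from a list of list_size words: word_count * log2(list_size)."""
    return word_count * math.log2(list_size)


def words_needed(list_size: int, target_bits: float) -> int:
    """Smallest number of words from this list that reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(words=SAMPLE_WORDS, word_count: int = 6, sep: str = "-") -> str:
    """Pick word_count words with the OS CSPRNG (secrets), never random.random,
    whose output is predictable from a small internal state."""
    return sep.join(secrets.choice(words) for _ in range(word_count))


def passphrases_for_sites(sites, words=SAMPLE_WORDS, target_bits: float = 64.0) -> dict:
    """One independent passphrase per site, so a leak at the weakest site
    (the random forum) cannot be replayed against the game account."""
    n = words_needed(len(words), target_bits)
    return {site: generate_passphrase(words, n) for site in sites}


if __name__ == "__main__":
    # Constructed site names for the demonstration.
    for site, phrase in passphrases_for_sites(["guild-forum", "wow", "blogger"]).items():
        print(f"{site:12s} {phrase}  ({passphrase_bits(len(SAMPLE_WORDS), len(phrase.split('-'))):.0f} bits)")
    print(f"6 words from a 7776-word list: {passphrase_bits(7776, 6):.1f} bits")
```

Six words from a 7,776-word list give about 77.5 bits, comfortably beyond the 8-character alphanumeric password discussed earlier (about 47.6 bits), and a phrase of ordinary words is far easier to carry in your head, or on paper, than `aK3mQ9xZ`.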

If you have a strong password, you might still fall victim to a trojan or keylogger. Various WoW-related sites have been infected with those in the recent past. Your best defense against these is one of the various (and often free for personal use) anti-virus programs available. I'm using Avira AntiVir, which is free, and only nags you about buying a better version every time it updates. Funnily, I found that paid-for antivirus software annoys me a lot more often, and is often so heavy-handed that it prevents you from playing online games in the first place unless you fiddle with complicated controls. Firewalls can also help to some extent. Because Microsoft has a bad image, people will often advise you to increase your safety by switching from Internet Explorer to another browser, like Firefox. But 52% of the visitors of this blog use a Firefox browser, and only 40% some version of IE. So I wouldn't count on Firefox being less targeted by malicious software than IE forever; some people even claim that Firefox has more vulnerabilities. Either use some really exotic browser, or use a well-known browser and update it regularly, because an unpatched browser is exactly what those infected sites exploit.

At the end I'd like to discuss one major vulnerability: stupidity. Some people lose their passwords because they fall for some phishing attempt. A popular one for WoW offers you a spot in the Wrath of the Lich King beta, and directs you to a site where you have to enter your username and password to "register" for that beta. Only the site is a fake, and somebody will soon use the data you so easily gave away to rob your account. In a similar vein, a lot of people share their user ID and password with friends, family, or guild mates. That isn't safe at all. Sharing passwords with your guild so that somebody else can play your raid healer when you are away is not a good idea. How often do guilds turn sour, and then somebody you pissed off could easily disenchant all your epics and mail all your valuables to his account. Or your spouse could finally have enough of you never having time for her and delete your character. Or your little brother could use your password on a friend's computer to show him your epic character, but the friend has a keylogger installed. The more people know your password, the less secure your account is.

Probably the biggest disadvantage of RMT (gold selling) is the secondary effect that it puts a dollar value on your account. Whoever hacked our guild bank got away with hundreds of dollars, and is pretty much completely safe from prosecution. The worst that can happen to him is to get his account banned, at which point he simply opens the next one for a fraction of the money he hauled in by robbing us. It is that monetary interest that makes modern hackers so much more dangerous than the just-for-fun kind of earlier ages. Your account might be worth some serious money, and thus you should think of protecting it better. How strong is your password, and how good is your protection from trojans and WoW keyloggers?

