Thursday, June 24, 2010

RealID, privacy, and account security

When Blizzard switched World of Warcraft from using freely chosen account names to using e-mail addresses, I was worried that this could compromise account security. Before that change, somebody who wanted to hack my account would have had to guess both my account name and my password. But if I had used as account name, everybody could have easily guessed that part, and would only have to guess my password to hack me. Thus I used a different e-mail address, one I got from my ISP, which I rarely use for anything else. Account security problem solved.

Now Blizzard introduces RealID, and if I wanted to use it, I would have to reveal that non-public e-mail address to friends, from which it would spread to guild mates, their friends, and ultimately to who knows where. And I'd be back with that account security problem: You can't use RealID without revealing your account name, which is half of the information needed to hack you.

Of course you can add another layer of protection to your account by adding an authenticator (I did), but those have been reported to not provide 100% security either. And besides the security concerns, there are the obvious privacy concerns, like me not wanting to publish an e-mail address other than to be linked with games. Even my Facebook account is using that "fake" identity, because Facebook is the prime example of how you can think you are talking to your "friends" and end up publishing too private information to everybody, including potential employers.

I get "Cataclysm beta invite" and "WoW account banning notification" phishing mails in my blog e-mail every day, and know that they aren't real because that blog e-mail is not the one I told Blizzard about. Our guild bank has been hacked in the past several times, so now only a few people have access to it (which renders it a lot less useful). I am not at all confident that if I reveal my RealID even to real friends, that ID isn't going to leak out, for example through a friend of a friend's account getting hacked, and my real e-mail ending up on the list of potential targets of some professional WoW hacker, or at least on their spam mailing list, making their phishing mails look more real because they have better information about me.

So for reasons of both privacy and account security, I'm opting out of Blizzard's RealID system. The very concept of RealID, which is basically to link your real identity to your virtual identity more visibly, is not a good idea in my opinion.
