Saturday, 28 June 2008

Rock, Plastic, Hackers

I can only imagine that the account stealing lowlifes are, at this very moment, looking for new avenues of immoral revenue generation.

For those who don't know (all three of you,) Blizzard just announced that it's introducing a new security token for protecting WoW accounts.  Curse has some details, and you can read Blizzard's page on the authenticator.  Rather than simply re-hash what's on those pages, I'm going to go a little into why this is likely going to more-or-less eliminate account stealing, and how it all works.

In The Beginning, There Was "super_funny.jpg.exe"

Firstly, how do people's accounts get stolen in the first place?  There are a few ways to do it; the most direct is to get a keylogger or other malware onto a user's machine.  This software will then either record the user's keystrokes, or simply sniff WoW's memory to get your username and password.  No, copy and pasting it from a file won't help.  Neither will checking "remember account name."

Another way is to simply guess the password.  If you can find out someone's account name, you can make a few educated guesses on their password.  People have a nasty habit of choosing amazingly easy-to-guess passwords like "1234567" or "qwerty" or even, I kid you not, "password."  If you are one of these people, change it now!

Before we get on to how the authenticator works, let's take a little side trip.

Deterministic Capriciousness

Computers can't do random.  They just can't.  A computer has the imagination of a lump of concrete.  Any time you see a computer come up with a "random" number, what it's actually doing is generating a pseudo-random number.  In other words, fake random.

The way it does this is that it starts with a seed.  It can be whatever you want, really.  Typically, it's either zero (not good) or the date and time the computer/program started (better.)  Then you ask for a random number.  The program does a bunch of (waggles fingers around) things to the number.  The result is your random number.

When you ask for another random number, it does those same things to the last number it gave you, which gives you the next one.

Now, what's interesting is that if you know the seed, and the algorithm being used, you can exactly reproduce the entire sequence of random numbers.

Aside time: lots of computer games use this to good effect.  For example, when you started a multiplayer DOOM match, all of the players' computers would be synchronised to the same random seed.  This meant that when a "random" decision was needed, all of the computers would make the exact same decision every time!

If It's Good Enough for Banks, It's Probably Good Enough for a Computer Game

So why did I drag you through that?  Because that's basically how the authenticator works.  Blizzard gives you a little plastic token with four things: a button, a small screen, a serial number and a random seed.  To associate your token with your WoW account, you tell Blizzard the account name and the serial number.

What's important is that only Blizzard knows what seed your token is using.  So when you go to log in, and they tell you to "press the button and type in what number the token shows," they are the only ones who know if it's right.

So let's say someone's managed to get a keylogger onto your machine.  They get your account name, they get your password, and they get a token number.  But that number is useless to them, because each number is only valid exactly once.  Once that code has been used, it isn't used again.

So even if they get your account name and password, they still can't get in!
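
Here is the seed idea from the last two sections as running code.  This is an added example, not part of the original post and not Blizzard's code: the post doesn't say which algorithm the token uses, so it assumes HOTP (RFC 4226), a standard seed-plus-counter scheme.  The names Token, LoginServer and token_code, and the five-press window, are hypothetical.

```python
import hashlib
import hmac
import struct


def token_code(seed: bytes, counter: int, digits: int = 6) -> str:
    """Code number `counter` in the sequence fixed by `seed` (HOTP, RFC 4226)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: pick 4 bytes of the MAC
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Token:
    """The plastic token: holds the seed and counts button presses."""

    def __init__(self, seed: bytes):
        self._seed, self._presses = seed, 0

    def press_button(self) -> str:
        code = token_code(self._seed, self._presses)
        self._presses += 1
        return code


class LoginServer:
    """The server: knows each serial's seed and the next unused counter."""

    def __init__(self, window: int = 5):
        self._accounts = {}    # serial -> [seed, next acceptable counter]
        self._window = window  # tolerate a few presses that were never typed in

    def register(self, serial: str, seed: bytes) -> None:
        self._accounts[serial] = [seed, 0]

    def verify(self, serial: str, code: str) -> bool:
        if serial not in self._accounts:
            return False
        seed, start = self._accounts[serial]
        for counter in range(start, start + self._window):
            if hmac.compare_digest(token_code(seed, counter), code):
                # Move past the accepted counter: this code and every
                # earlier one can never be accepted again.
                self._accounts[serial][1] = counter + 1
                return True
        return False
```

Same seed, same sequence on both sides, which is why the server can check the code; the counter only ever moves forward, which is why a keylogged code is rejected the second time.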

Same thing with attempting to brute-force your password.  Maybe they'll succeed.  But even if they do, it doesn't matter, because the chance of getting both the password and the token code correct at the same time is infinitesimally small.

Does this replace a good password?  No.  For optimal security, you need three forms of authentication:

  1. Something you know,
  2. something you have and
  3. something you are.

The first is a password, the second is something like these authenticator tokens, and the last is biometrics like fingerprints or DNA.  Blizzard isn't likely to implement the third, nor do I think it's really appropriate or necessary.

Just Five Easy Installments of Your Soul

So then there's the issue of cost.  Some have balked at having to pay US$6.50 for the token.  RSA has a similar product called SecurID where the hardware tokens cost around US$40 each (it's tricky to find exact pricing, mind you.)  Blizzard is offering this at a fraction of the cost.  When you're spending $25 a month to play, paying US$6.50 once to secure your account is not asking much at all.  Keep in mind that this would have required extra infrastructure on Blizzard's end, which they haven't charged you extra for.

Some have said that asking customers to pony up money for it is wrong, and that they should just make the servers more secure.  The problem isn't that the servers aren't secure: I have never heard of a case of Blizzard's servers being compromised.  What is getting compromised are people's accounts.

It's that weak password.  It's the software you run on your machine without personally auditing it, or verifying the source.  It's the emails you get from other compromised machines, spammers and relatives filled to bursting with malicious images, animations, scripts, the lot.

People who want to steal your account would be insane to try and attack Blizzard when the end-user's machine typically has all the security of a damp tissue in the middle of a typhoon.

And that's not something Blizzard can "fix."  It's something the entire industry has been struggling with for decades.  You know how they overcome it?  By using hardware tokens and biometrics.  Expecting Blizzard to secure a simple two-factor system is like asking a hippopotamus to learn to fly.  It's just not physically possible.

Others have made objections along the lines of "Blizzard should just allow third parties to produce these."  Ok, fine; user goes and buys a hardware token from "" and loses their account two days later.  Why?  Because "" was a front for gold-sellers, and since they sold the tokens, they know what the random seed is.  Whoops; there goes your security.  The fact is that unless Blizzard sells them itself, it has no way of knowing whether the third parties are trustworthy or not.

I, For One, Welcome Our New Plastic Security Token Overlords

Long, rambling and somewhat disjointed story short:

The new Blizzard Authenticator is awesome, cheap, as secure as the best internet banking sites, and it's about bloody time.

Disclaimer: I am not a security expert.  I just happen to be a programmer, and have done several courses on the subject at Uni; enough to know what's going on here.


Kestrel said...

This is a fantastic article (and the pictures don't hurt a bit!), and I hope everyone is willing to do the little bit required to increase the security of their WoW accounts by an immeasurable amount.

Itsnoteasy said...

Glad you liked it! It's also nice to know the pictures are enjoyable; it took a bloody long time to cut out the various mechanostrider bits...

David said...

Bahaha that was awesome.