Elitist Jerks
10/21/09, 2:24 PM   #76
Douglas
Don Flamenco
 
 
Draenei Shaman
 
Earthen Ring
Originally Posted by Guinss
The authenticators are great, I'm waiting for it to be supported by my mobile phone. Makes the account safe for sure.
Be careful: no, it doesn't. It makes your account safer, but it cannot guarantee safety.

As more people start using them and the economic incentive to defeat them arises, attacks that work on them will appear. A low-hanging one is phishing. There are real Blizzard web sites that ask for your authenticator code. If you can trick someone into thinking they're at one of those sites, you can get one of their codes, and if you can use it quickly enough, you can do damage. If you can trick someone into giving you two "in a row", the attacker can even dissociate the authenticator from your account and then re-associate it to another authenticator, and then, yow.

A level far beyond that is, what happens when the hackers hack your ISP's DNS servers, and make your WoW client try to authenticate via servers Blizzard doesn't actually own? Certainly there are ways to protect against this, and I find it likely that Blizzard is doing some of them. But the upshot is, having an authenticator does not let you know that you're actually safe. You're safer, and that's all you can do.

One of the reasons authenticators work as well as they do is, if you're using one, you're no longer in the "low-hanging fruit" set. There are so many people not using them that the economic incentive to attack them in earnest just isn't there. Why spend the effort (i.e. money) when there are so many less-secure people out there? You don't have to run faster than the dragon, you just have to run faster than the gnome with no run enchant. If everyone were to start using authenticators, the low-hanging fruit would be "people who use authenticators but who are cocky about it and not careful enough".

Not trying to throw anyone into a panic. Not trying to convince anyone authenticators are pointless. I use an authenticator myself, and would advise anyone else to. I'm just trying to make sure that people really know: even with an authenticator, you still have to be prudent and careful. There's simply no getting around that.
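
Added example, not part of Douglas's post or anyone else's in this thread: a server-side check for time-based codes, showing why a code works only briefly and only once, and why a sensitive change such as detaching the token can demand two codes in a row. The page does not say how Blizzard's authenticator computes codes, so RFC 6238 TOTP (HMAC-SHA1, 30-second steps) stands in as an assumption; `Verifier`, `check` and `check_pair` are hypothetical names.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per code (assumed; RFC 6238 default, not Blizzard's documented value)

def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 truncation of HMAC-SHA1 over the 8-byte time-step counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Verifier:
    """Hypothetical server-side state for one account's token."""

    def __init__(self, secret: bytes, drift: int = 1):
        self.secret = secret
        self.drift = drift       # time steps of clock skew tolerated
        self.last_used = -1      # highest step already consumed

    def _match(self, step: int, code: str) -> bool:
        return hmac.compare_digest(totp(self.secret, step), code)

    def check(self, code: str, now: float) -> bool:
        """Login: accept a code once, only near the current step."""
        current = int(now // STEP)
        for step in range(current - self.drift, current + self.drift + 1):
            if step > self.last_used and self._match(step, code):
                self.last_used = step   # burn it: a replay is refused
                return True
        return False

    def check_pair(self, first: str, second: str, now: float) -> bool:
        """Sensitive change: require codes from two adjacent steps."""
        current = int(now // STEP)
        for step in range(current - self.drift - 1, current + self.drift):
            if (step > self.last_used and self._match(step, first)
                    and self._match(step + 1, second)):
                self.last_used = step + 1
                return True
        return False

# Constructed demo using the RFC 4226 test secret.
if __name__ == "__main__":
    v = Verifier(b"12345678901234567890")
    print(v.check("287082", now=30), v.check("287082", now=45))  # fresh, then replayed
```

Neither check can tell who submitted a valid code, which is why a code relayed from a fake site inside the window is still accepted; single use and expiry only shrink that window.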
 
10/21/09, 2:38 PM   #77
Guinss
Glass Joe
 
Elitist
Night Elf Hunter
 
Свежеватель душ
Originally Posted by Douglas
Be careful: no, it doesn't. It makes your account safer, but it cannot guarantee safety.

As more people start using them and the economic incentive to defeat them arises, attacks that work on them will appear. A low-hanging one is phishing. There are real Blizzard web sites that ask for your authenticator code. If you can trick someone into thinking they're at one of those sites, you can get one of their codes, and if you can use it quickly enough, you can do damage. If you can trick someone into giving you two "in a row", the attacker can even dissociate the authenticator from your account and then re-associate it to another authenticator, and then, yow.
Those who make these scams can barely write English, I don't think it's gonna be a problem to see those fake sites.

Originally Posted by Douglas
A level far beyond that is, what happens when the hackers hack your ISP's DNS servers, and make your WoW client try to authenticate via servers Blizzard doesn't actually own? Certainly there are ways to protect against this, and I find it likely that Blizzard is doing some of them. But the upshot is, having an authenticator does not let you know that you're actually safe. You're safer, and that's all you can do.
That's where the launcher does its job. The launcher checks for this and programs etc. before running WoW.

Originally Posted by Douglas
One of the reasons authenticators work as well as they do is, if you're using one, you're no longer in the "low-hanging fruit" set. There are so many people not using them that the economic incentive to attack them in earnest just isn't there. Why spend the effort (i.e. money) when there are so many less-secure people out there? You don't have to run faster than the dragon, you just have to run faster than the gnome with no run enchant. If everyone were to start using authenticators, the low-hanging fruit would be "people who use authenticators but who are cocky about it and not careful enough".

Not trying to throw anyone into a panic. Not trying to convince anyone authenticators are pointless. I use an authenticator myself, and would advise anyone else to. I'm just trying to make sure that people really know: even with an authenticator, you still have to be prudent and careful. There's simply no getting around that.
Having an authenticator makes it so incredibly much harder for a hacker to do their job. They would need your email, your password and a random digit code. I use an authenticator for my bank-services. Why do you think they use them? I'd say it's safe. I'm not saying it's foolproof.
 
10/21/09, 3:14 PM   #78
Grigorim
Von Kaiser
 
Blood Elf Paladin
 
Llane
Having an authenticator makes it so incredibly much harder for a hacker to do their job. They would need your email, your password and a random digit code. I use an authenticator for my bank-services. Why do you think they use them? I'd say it's safe. I'm not saying it's foolproof.
Argumentum ad bankum isn't very good. Just something to watch out for -- one thing banks will use secure transaction tokens (two-factor auth tokens, or even England's chip and pin ATM system) for is to shift liability to the customer in the case that your account is breached. A lot of people don't notice in the fine print when they sign on for flashy new security features that some contracts stipulate the bank is no longer responsible for fraud relating to account access. Just thought I'd toss that out there. They have more reasons for certain security measures than the actual security they provide.

But that said, you're basically agreeing with Douglas. The authenticator makes you harder to hack. For instance, if Cataclysm ships with authenticators or has a major push towards getting players to use them, expect people to be more serious about probing them for vulnerabilities (or just plain phishing for credentials). And it's not exactly hard to get a percentage of the population to cough up their email address, with password only adding a bit more difficulty. It seems reasonable to guess it would be easier to get people's email addresses than login names, as there's conventional wisdom against using login names on associated sites, but generally no such conventional wisdom regarding using different email accounts.

tl;dr get an authenticator, but it's just like a home security system. The main benefit is it makes you less of an easy target than your neighbors.
 
10/22/09, 10:30 AM   #79
Maltaas
Glass Joe
 
Undead Warlock
 
Burning Steppes (EU)
Originally Posted by Guinss
Those who make these scams can barely write English, I don't think it's gonna be a problem to see those fake sites.
Keep in mind that there are lots of WoW-players that are foreign speaking. English may be second or third language. There are also lots of players that are in their teens, and some of them do have English as their first language. In the end there are lots of players that may not be fluent enough in English to pick up the errors on fake sites. I'm not sure if the fake sites have appeared in the other EU-languages, such as Spanish, German, French etc., so some of those people might be safer for now.

Edit: typo and some language
 
10/22/09, 3:47 PM   #80
Ronninn
Glass Joe
 
Human Warrior
 
Kael'thas
One scam I believe I saw recently was an in-game email that I received saying that I had won a WoW-related prize (WoW gold), and that if I went to this "official" Blizzard web site I could then claim this so-called prize. I can't tell you what was on the website since I just clicked delete, but I have to admit I was curious to see what kind of web page these scammers had rigged up. That's right along the lines of telemarketers telling you you’ve won a cruise, but first you must give us your personal information and buy our products (gold in this case).

The reason I brought up my concern earlier is because a number of the members in my guild had been hacked recently, and this weekend one of them was an officer and the guild bank was cleaned out. We affectionately named the hacker Roybot since the toon he hacked went by the name of Roy. Hopefully Blizzard replaces everything that was lost as the guild always took care of raiders' enchants and gemming. I assume he was hacked due to carelessness, but since it didn't happen to me I can't really speak as to the reason it really happened. Roy hadn’t signed up for battle.net yet, so one of the first things the hacker did was sign him up so Roy couldn’t get onto his account. Sneaky.

The other 3 guild members this has also happened to however did have battle.net accounts, so until I’ve had more time to investigate this and draw my own conclusion I’ll be very wary of transferring my account. I’m not sure I like the idea of a 3rd party taking care of my game logins for WoW, but it won’t really matter in a few weeks since it’s mandatory for everyone.
 
10/22/09, 4:12 PM   #81
Broxx
Von Kaiser
 
Blood Elf Death Knight
 
Bloodscalp
You really need to stop being paranoid. Battle.net is not a third party, it is Blizzard. There is in no way a greater chance of a keylogger with a bnet account than a not merged one. Getting them is due to carelessness, not anything else. And if you do get keylogged, they have your login whether it is a bnet account or not. The best solution is to just download noscript and be careful of what you do while browsing, and following that if you want further security get an authenticator.

 
10/22/09, 4:30 PM   #82
Ronninn
Glass Joe
 
Human Warrior
 
Kael'thas
Key loggers aren't my main concern as the computer I play WoW on is only used for that, and to use my company VPN for development on my work computer from home. I don't download music, games, or applications, let alone enter my private information on untrusted websites, or download suspect files because some website advises me to do so in order to enhance my so-called viewing experience.

What I am concerned about is not having the login client on my own computer that connects to the server, but instead using my email (or any other private information) as a user ID on a remote web page that I can't verify the integrity of.

As for me being paranoid, you nailed that. Funny enough my wife is twice as paranoid about merging her account to battle.net. I don't want to be the next in a long line of people that get their accounts hacked, even though I believe I'm pretty safe with my online practices.
 
10/22/09, 5:30 PM   #83
Rhaegal
Don Flamenco
 
Tauren Shaman
 
Zul'Jin
I think you're not understanding what Battle.net is. You would not be logging into WoW via a website, you log in through the same means you do right now. The only difference is that it routes to Blizzard's Battle.net authentication servers instead of the WoW-specific ones. Battle.net is 100% owned and operated by Blizzard just as much as WoW is. There's no third-party applications or websites to go through. As Broxx said, nothing about Battle.net is less safe than WoW, other than that if a keylogger gets ahold of your Battle.net username and password, it has access to all of your Blizzard games, not just WoW.

Stand back! I'm going to try SCIENCE!
 
10/22/09, 11:08 PM   #84
ildon
Don Flamenco
 
 
Undead Priest
 
Whisperwind
Originally Posted by Rhaegal
I think you're not understanding what Battle.net is. You would not be logging into WoW via a website, you log in through the same means you do right now. The only difference is that it routes to Blizzard's Battle.net authentication servers instead of the WoW-specific ones. Battle.net is 100% owned and operated by Blizzard just as much as WoW is. There's no third-party applications or websites to go through. As Broxx said, nothing about Battle.net is less safe than WoW, other than that if a keylogger gets ahold of your Battle.net username and password, it has access to all of your Blizzard games, not just WoW.
I don't agree that there's really any increased risk with the Battle.net account but I feel the need to clear up some confusion here. I don't believe he's referring to Battle.net as the third party site, but rather some other random site. Let's say, for example, I use the same e-mail for EJ as I do my WoW account. If EJ got hacked, the hacker would now have my account login via my e-mail. In theory this makes my account less safe, but really, with a strong password I don't think knowing someone's account name really hurts as much as people think it does. If it really bothers you, the obvious solution (mentioned several times already) is to open another gmail/hotmail/yahoo account that you only use for WoW and nothing else, and forward its mail to your main account. This would be an identical situation to the current one in regards to the security of your login name.
 
10/23/09, 12:41 AM   #85
chaud
Important on the Internets
 
 
Undead Mage
 
<Bad>
Gurubashi
Originally Posted by Ronninn
I'm wondering if anyone else feels a little uneasy about having to use their email as a user id for login? It seems like this could lead to security breaches, as well as it being a privacy concern. I'd rather just keep the current login instead of using battle.net as a proxy for login. Now not only do you have to worry about possible key loggers on your own computer, but you also have to worry about the data for your account being intercepted by hackers as well.
Using an email address is hardly less secure, if you are worried make another email account just for WoW. Battle.net is not a proxy, and no additional servers are used, you can send me your login packets and I still can't steal your account, nothing is sent in plaintext.

Originally Posted by Guinss
That makes me aware that they actually know my email and they somehow know that I play WoW (I suspect either a trojan or the website-maker 'wowstead', because that's the only place I've ever entered my email in WoW-related registrations)
I could write a script to go through member profiles on various WoW forums and come up with 1000s of email addresses, they are really not that hard to find.

Originally Posted by Douglas
If you can trick someone into thinking they're at one of those sites, you can get one of their codes, and if you can use it quickly enough, you can do damage.

A level far beyond that is, what happens when the hackers hack your ISP's DNS servers, and make your WoW client try to authenticate via servers Blizzard doesn't actually own?
No one is going to sit and monitor constantly for the 10 second window they would have to log in to someone's account. Let me know when someone manages to hack an ISP's DNS servers, emulate a WoW server, and stay out of jail. Clearly there is nothing better to do when hacking DNS. Not to mention, I doubt any private-server-like server emulators have working support for authenticators.
Please read up on the actual hardware: SecurID (Wikipedia).

Originally Posted by Ronninn
What I am concerned about is not having the login client on my own computer that connects to the server, but instead using my email (or any other private information) as a user ID on a remote web page that I can't verify the integrity of.
 