"that explains why Blizzard finds it more worthwhile to implement robust authentication solutions when so many businesses that are susceptible to financial fraud do not."
It's quite simple, a wow player that gets hacked and loses his items will most probably quit if he doesn't get his items back. Getting items back means you need to talk to a Game Master, who must determine if you actually got hacked or if you're trying to scam the game by giving all your stuff to a friend, and then claiming you got hacked.
Having Game Masters employed costs a lot of money, and I guess the cheaper option is simply to improve account security rather than hiring hordes of GMs.
As for banks and similar, committing fraud is an actual crime that results in jail-time if you get caught, which is a pretty huge disincentive in itself. Added to that, real money transactions are much more traceable so it's possible to find out where the money went and who benefited.
Finally, a wow account costs $15 a month for everyone, I guess the average value per customer is much higher for wow players than bank customers?
I guess the average value per customer is much higher for wow players than bank customers?
No. Cost of customer acquisition for a single credit card is roughly the same as WoW lifetime value (both in the vicinity of $250).
Lifetime value for a middle class bank customer depends on their product mix. On the low end, low three figures per year for a checking account which generates few fees. On the high end, well, suffice it to say middle class families are very lucrative indeed. (If you run $20k through your credit card a year, with an average balance in the $2k region, and you have a home loan and car loan, and... run some numbers for what your parents probably pay every year for banking services.)
Oh, well, where I am, almost no one has a credit card (the monthly billable kind with juicy revenue for the banks), and the only money my bank makes off of me comes from what they can get from the money floating in my accounts. Oh, and my bank's online security is better than wow's, so my perspective is pretty different.
Anyway, with those numbers, then I guess the profits from being a bank is so much higher and the actual fraud so much lower that they can afford to not care about it as much as Blizzard.
As someone who has bank accounts in Europe (I am a foreign national working in the US) I can tell you that bank security in The Netherlands is standard two-factor authentication.
My "chip and pin" card contains the standard mag stripe along with an embedded microchip that can be used with chip transactions. Along with that I got an "e-Identifier" which is a stand alone device.
When I go to log into my bank I type in my account number (listed on my card), the card number (listed on the card) and then click next. On the screen will be a series of numbers that I then have to type into my eIdentifier.
So I slide my card into my eIdentifier and type in my pin number (what I have + what I know) and then type in the number presented to me, it then spits out another random number, I fill that in on the web form that the website provided to me. At that point I am logged into my banks website and I can look at my transaction history, and everything along those lines.
If at some point during that time I want to transfer money or do anything else that affects any part of my account I once again have to enter in my pin and go through the same steps as before to login on my eIdentifier.
This provides security for me. I never type a password into any part of the website, the codes are one time use only, and even if someone were to come to an open session and attempt to use it to transfer money in or out of the account they would be required to have my card, pin number, and an eIdentifier.
I'm a big fan of systems like that, it provides me with much more security than anything else, including "I wish it were two factor authentication" that American banks provide (look at this picture, now provide us a password).
What Blizzard is doing is considered standard security practice in Europe and other countries where banks are more stringently controlled and regulated and fraud is not taken lightly, and the only real new "innovation" if one may even call it that is that a online computer game is using this mechanism.
I can't speak for all banks, but I'm with Barclays in the UK, and their system makes keyloggers a non-issue in a similar way. I can login to "basic online banking" using a few things from memory (surname, online ID number, debit card number, date of birth and password all required), but to actually do anything (like send money to another account) I need to authenticate using a chip+pin machine that they sent me free of charge. I insert my debit card, enter my PIN, then it gives me an 8 digit number that's time-sensitive. Frankly, this annoys me, why can't the reader connect via USB to save me typing in that number?
And I know at least one American bank has the same thing (possibly Bank of America?), as a friend of mine was the guy who pretty much created all of it.
I think they all do, nowadays. The only reason I don't need a keyfob for my Alpha account is that when I opened it, 9 years ago, they didn't have keyfobs. Their password policy was retarded, though, it wouldn't accept a $ in the password. Of course, you can't do anything without the keyfob now other than view the balance and pay some bills, so it's okay.
That's security through obscurity. All existing techniques have been attacked (eg. keyloggers now take screenshots to defeat the silly pull-down menu "security"), so it's only a matter of time before they start capturing USB output and using it to attack the account in real time.
What's wrong with a key fob displaying numbers with no physical connection to the computer?
Edit: The first UK retail bank to offer this as standard would definitely get my custom. I'm quite serious about that. Also drop "VerifiedByVisa" nonsense at the same time and replace it with similar real security.
NatWest require the secondary factor if you either add a new payee or send a payment for the first time to a particular payee. You can still login and do almost anything else without it, though.
The black-market value of a WoW account is actually higher than a working credit card number, somewhere around $10, last I heard.
I still believe it is appalling that banks don't even do the bare minimum to protect accounts. My retirement account with all of my 401k money in it is only protected by a 6-digit NUMERIC PIN. This is ridiculous.
This is due, at least in part, to the fact that it's considerably easier to track down card thieves, whereas Blizzard is largely focused just on getting the accounts back in working order for their customers (and, as mentioned in this article, preventing them from being stolen in the first place).
I live in Norway - in my bank, I have to enter my social security number, an alpha-numeric password that I picked and a one-time code. I also have to enter a new one-time code each time I perform a transaction. And, of course they use 256-bit AES encrypted SSL all the way.
PIN length is the wrong area to focus on. The two questions to ask are whether they block failed guesses and require out of band confirmation for major actions like transferring funds.
If I had to guess here, I'd wager that the people in banks and similar financial services organizations responsible for making the decisions are very insulated from the effects of fraud compared to the equivalent people at Blizzard.
Every time an account gets stolen, it's pretty likely Blizzard is going to hear about it, either through a GM complaint or a call to customer service or a chargeback, and all of those impact their bottom line (one way or another). Stolen accounts are typically used for further fraud, either for real-money transactions or for spamming other players, so it has a ripple effect on the rest of the customer base. As a result it has to be hard for all the decisionmakers at Blizzard to look at customer complaints about stolen accounts and think 'well, that's not my problem', even if they'd rather be working on other things. The impact is also more 'real' because Blizzard employees are going to feel it when they play the game themselves, either through hearing about a friend losing an account or seeing spam in local chat.
On the other hand, if you're working as a mid-level manager at a bank and you don't have any control over fraud controls or the technology used to build your online banking software, I have to imagine it's pretty easy to think 'not my problem' when faced with customer complaints about fraud.
My experience at a different MMO developer was that while we internally had very stringent security practices and did a lot of work to help customers who lost their accounts, our parent company/publisher wasn't nearly as serious about security, and it seemed like the same effect was at work there.
This could be considered innovative, if they hadn't done it wrong. Problem: It can't be used in conjunction with fob- or phone-based authenticators. It's a step backwards. Now, rather than using two-factor authentication every time you log in, users using this method will only be verified when Blizzard deems it suspicious. Account being stolen from an IP in China? Blocked. Account being stolen from an IP in Canada? Have a nice day!
Can anyone briefly explain to me how a Blizzard authenticator works? I'd like to implement something like that for fun, but apparently my google-fu is weak. A link would also be good.
[If anyone cares, I bought some model rocket motors and a TI Launchpad, I have a modem and a landline... Dialing in a launch and requiring the use of an authenticator to do so sounds like great fun. My own pretend nukes.]
The other day I logged into my WoW account at an unusual hour from an IP in an EU country I usually always logged in from and was greeted with my account being locked down for suspicious activities.
As far as banks are concerned, some are offering TANs to mobile phone text messages which I think is pretty awesome.