Sunday, May 27, 2012

On the Recent Blizzard and Diablo 3 Account Compromises

As an avid Diablo fan, I eagerly watched and waited for Blizzard to create Diablo 3. My first impression is that they did a masterful job creating it. Yes, there are some initial frustrations, but it definitely has that Diablo feel to it and despite the running jokes about Error 37 as a new prime evil, I've found that the most powerful boss enchantment has been Time Thief - the ability to suck hours off the clock without me realizing it. Bravo, Blizzard, Diablo 3 is a triumph!

But recently there has been a lot of controversy around compromised accounts in Diablo 3. Many players have found that their characters have been stripped of gold and high-level gear. That's as much a tragedy as being robbed in the physical world - the possessions you've worked for so long and felt so happy to acquire are taken from you by an unknown assailant. People feel violated and angry, which is understandable and only natural. Many have lashed out at the closest target.
The most common and convenient target of anger has been Blizzard's security and practices. Many accusations have sprung up that Blizzard, its servers, the game or other technology has been "hacked" and that essentially any player or account could be compromised because of that. In an interesting parallel, this is commonly the first thing people assume when their bank account has been compromised. 
 
The banking world has long confronted security challenges for online services. For as long as online banking has been a reality, malicious individuals have been hoping to compromise accounts and steal money from them. And so banking has come a long way in combating those threats. I've performed dozens of audits for financial institutions around their information security practices, including a component dealing with authentication in online banking (FIL-103-2005, FIL-77-2006 and FIL-50-2011 if you want to look it up). 
Today, banking is one of the safest activities you can engage in online, although it is also one of the most targeted. Cybercriminals from around the world target banks, banking sites and accounts, and their operations have become every bit as disciplined and efficient as any business. The complexity and innovation is staggering. Yet excellent security measures taken by banks effectively thwart almost any attack out there, when used as intended on both the bank's side and on the account holder's side.

Most bank account compromises in the last decade or so haven't happened because the bank was hacked - they've happened with legitimate account credentials. It used to be that most online banking accounts were compromised by the victim giving away their username and password or other sensitive information after clicking on links in fake emails. But banks improved the security and attackers responded by becoming more sophisticated. Now most of the time compromises happen because the account holder logs into their account from a computer that has malicious software installed. And it's highly likely that this is what has happened with most of the Diablo 3 account compromises. 
So how does this relate to Blizzard and to Diablo 3?
Blizzard has, in fact, said that malware has been the root cause in nearly all of their compromise investigations. Today's cybercriminals have become very sophisticated in their methods. As Blizzard has also pointed out, there is no one way that they get the information and access necessary to compromise accounts. Essentially they use whatever means they need to, in order to get what they want. In practice, this means there are likely multiple groups, each using many different types of attacks to get as many accounts as they can. 

As with bank account holders, gamers have gotten more savvy about giving away information which would allow someone else to access their account. But the attackers have adapted as well and use other ways of getting that information than by sending fake emails. Here are some of the more creative and sophisticated ways the thieves operate.
  • By calling you, if you can believe it! There's a good video walking through a typical attack in which a cybercriminal calls you on the phone.
  • Text messaging or emails directing you to call a phone number, usually about account compromise, expiration or closing. The phone number then has a recording asking you to enter your information. You never even have to talk to a person and you've given up too much information.
  • If you use the same email address and password on another site and that site is compromised, your Diablo 3 account may be too. These compromises happen somewhat frequently, such as the Gawker Media account compromise a couple of years ago.
  • It's possible to buy compromised systems from cybercriminals. Many of the more sophisticated networks have millions of computers that are infected - far too many for the original criminals to take advantage of. So they sell access to others.
  • It's also possible to buy accounts from cybercriminals. Often they have account credentials for systems they don't typically target - for example if they only target bank accounts, they may sell gaming accounts for some additional profit.
  • Newly compromised accounts are prioritized. The criminals have so many accounts that they target the ones with the highest net worth first. There are stories of operations centers with account queues where each new account is evaluated and ranked according to the amount of money the thieves can get.
By far the most common way most bank accounts are compromised, and likely Diablo 3 accounts, is simply by installing malware on your computer without you knowing it. Without going into the myriad ways that this can happen, it's sufficient to say that you don't have to visit the shadier side of the Internet to run into malware. Most sites that distribute malware are legitimate. In fact, more than 90% of infected sites find out that they're compromised from someone else. Even some of the most mainstream sites have become malware distributors at times - ESPN, NASA and the Wall Street Journal have all infected their visitors with malware. Many of these sites use standard malware toolkits which exploit dozens of vulnerabilities, generate a new malware package for each site visitor and test it against the common antivirus suites before sending it along. It sounds like science fiction, but it's not.
How to protect yourself? 
Security is hard. That's what makes it so hard for an organization like Blizzard to give you one simple answer. But that's not what a lot of people want to hear - even the people in charge of security for companies with huge budgets to protect their information assets often ask "What's the one thing I should do?" So it's not a surprise that most individuals would look for the "silver bullet" solution, if you will.
It's hard to describe how to protect yourself much better than Blizzard themselves did. So instead of rehashing it, I'll just link to Blizzard's excellent article on keeping yourself safe from account theft. But if you're in a hurry I'd say the top 3 things you can do are:
  1. Use the authenticator. Banks use similar technology to protect millionaires and billionaires. If you value your stuff, you can't get a better bargain than this! Even the cost of the physical token is inexpensive compared to what it's worth. Blizzard modestly says they're selling these at cost, but that really means they're taking a loss because of all the infrastructure and personnel resources they deploy on the back end. If you're looking for a "silver bullet" to protect your Diablo 3 account, this is the closest you'll come.
  2. Don't reuse passwords. If you use the same password for your email, battle.net and bank, odds are you're practicing poor password security. My recommendation is to use something like LastPass or KeePass, which make good password security easy.
  3. Update your OS, browser and plugins. Most modern operating systems and browsers will automatically update for you. But it's easy to see the update notification and procrastinate. Don't. Don't wait more than a day or two to update, once you see the notification. For plugins, it's sometimes harder because they don't often announce their updates. Of all the plugins out there, Adobe Flash, Adobe Reader and Oracle/Sun Java are the main attack vectors, and they're getting better about notifying you of updates.
How can Blizzard do more to protect you?
I want to preface this section by saying that I don't know the details of what Blizzard is doing on their end to protect player accounts. I'd guess there's a lot going on that they don't talk about, or at least that I haven't read about. That doesn't mean they can't improve, but I know they're already doing a lot to secure accounts. In many cases, more than your bank does! They're doing things like forcing stronger passwords, investigating many of the reported instances of theft, publishing and linking to a great deal of information, giving you the authenticators, and proactively communicating security steps. It even seems like they're refunding money to some gamers whose accounts were compromised, even after determining that Blizzard wasn't at fault - that's got to be some of the best response ever from a gaming company!
What follows is a few ideas I've taken from other industries that may help Blizzard improve. (Or not - again, I don't know for sure what they're doing on their end.)
  • Look at metadata associated with each previous login for the account. Often this metadata will differ between legitimate and malicious login attempts. Things like geolocation, keyboard layout, OS or game language or other data will be significantly different between a player and a thief.
  • Watch the common locations where compromised accounts are publicly posted for any gamer accounts that use the same account name or email address.
  • Drop a unique "cookie" that identifies the system a player logs in from. If the cookie has changed since the last login, or the cookie has been used with multiple accounts, this should raise a flag.
  • If there are multiple logins in rapid succession from a single IP or IP block, this should raise a flag.
All of these items can be indicators of a potentially compromised account or of a potential cybercriminal. Of course these measures consume personnel and system resources, meaning it will cost more to administer - but then how much do the reputation damage and the time spent answering questions cost? It will also result in frustrated players unable to log in - but then you can take the stance of "we're sorry that you're unable to log in, but it's for your own security", which is hard to argue with. And in conjunction with an email address, phone number, Skype or Twitter account, or other contact mechanism, these false positives can be resolved very quickly.
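The four indicators above, as an added Python sketch that is not part of the original post and not Blizzard's system: each login is checked against the account's previous metadata (country, keyboard layout, language), the device cookie is tracked for changes and for reuse across accounts, and logins per IPv4 /24 block are counted in a sliding window. The field names, thresholds and sample logins are constructed assumptions, and geolocation of the IP is assumed to have been resolved already.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass
class Login:
    account: str
    ts: int             # unix seconds
    ip: str
    country: str        # geolocation of ip, assumed already resolved
    keyboard: str       # keyboard layout reported by the client
    lang: str           # OS / game language
    device_cookie: str  # opaque per-install identifier (the "cookie")

class LoginRiskMonitor:
    def __init__(self, window=60, burst=5):
        self.window, self.burst = window, burst      # burst = logins per window from one /24
        self.last = {}                               # account -> previous Login
        self.cookie_accounts = defaultdict(set)      # cookie -> accounts seen with it
        self.block_hits = defaultdict(deque)         # /24 block -> recent login times

    def check(self, login):
        """Record the login and return the flags it raises (empty list = clean)."""
        flags = []
        prev = self.last.get(login.account)
        if prev is not None:
            drift = [f for f in ("country", "keyboard", "lang")
                     if getattr(prev, f) != getattr(login, f)]
            if drift:
                flags.append("metadata_drift:" + ",".join(drift))
            if prev.device_cookie != login.device_cookie:
                flags.append("device_changed")
        owners = self.cookie_accounts[login.device_cookie]
        owners.add(login.account)
        if len(owners) > 1:
            flags.append("device_shared_across_accounts")
        hits = self.block_hits[login.ip.rsplit(".", 1)[0]]   # keyed by IPv4 /24 block
        hits.append(login.ts)
        while login.ts - hits[0] > self.window:              # drop logins outside the window
            hits.popleft()
        if len(hits) >= self.burst:
            flags.append("ip_block_burst")
        self.last[login.account] = login
        return flags

def demo():
    """Constructed sample logins (not real data); returns the flags raised by each."""
    m = LoginRiskMonitor()
    logins = [Login("alice", 1000, "198.51.100.7", "US", "en-US", "enUS", "cookie-A"),
              Login("alice", 5000, "203.0.113.9", "RU", "ru-RU", "enUS", "cookie-B"),
              Login("bob", 5100, "203.0.113.9", "RU", "ru-RU", "ruRU", "cookie-B")]
    logins += [Login(f"u{i}", 6000 + i, f"203.0.113.{20 + i}", "RU", "ru-RU", "ruRU", f"c{i}")
               for i in range(5)]
    return [m.check(login) for login in logins]
```

Each flag is only an indicator, as the post says; in practice they would feed a score that decides whether to prompt for the authenticator or contact the player rather than block outright.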
And for our part, players should really be more tolerant of security measures. Again, adding an authenticator to your account takes an additional 5 minutes to set up and 5 seconds to use in practice. But it cuts the probability of compromise to nearly zero even if your system is fully compromised! And if you're like most people I know today, you appreciate it when your bank stops an apparently fraudulent transaction, even if it turns out to be legitimate. So do what's needed to help yourself be more proactive with security. A little initial setup can save you a lot of frustration in the end.

Is there anything I've missed? Do you have a different opinion? I'd love to hear about it so I can address the concern or amend my article. Constructive feedback is always welcome.

UPDATE: In an interview, a Chinese gold farmer claims to know the source of compromised accounts. According to him, forums are being compromised and the email addresses and passwords from there are used to try to log in to Battle.net. This is a pretty common tactic and underscores the importance of using unique passwords across sites and games. And if you're not willing to do that, get the Authenticator which will prevent this.

6 comments:

DracMonster said...

Excellent, eye-opening article, Blizzard should make it required reading for all accounts!

One additional thing, use a browser with selective script-blocking, like Firefox with NoScript. That would probably eliminate 90% of malware infections.

bw said...

Hey, DracMonster. I agree that script-blocking plugins are a good way to go and I use NoScript myself. I'm not sure about such a high percentage of malware blocked, but it certainly helps contribute to the defense-in-depth approach.

Anonymous said...

Malicious sites have had quite a while to prepare for Diablo by setting up "guide" and "strat" sites and YouTube videos trying to suck people into their sites that will serve up malware to install keyloggers and snag accounts. I suspect that's how most people get caught. Even I do such searches and browsing, though usually safely. Still, as I demonstrated just a few weeks ago at work to coworkers, drive-by malware still happens on patched systems with IE by just browsing a Twitter user's hosted homepage/server that had malicious code inserted.

It's a hard task to put enough information into the game such that players don't immediately need to hit the web for answers. That's really one way Blizz can help. Maybe more social capability inside battle.net so rather than looking elsewhere, users can self-help or chat or whatever. I believe I read that Skyrim wanted to make sure all playstyles were viable and naturally built through use, so players didn't have to feel like they should look up the "best builds."

You mentioned a few things Blizzard can do. They do track things like where you log in from. For instance even back in WoW, if I moved over to a laptop or went mobile and logged into my WoW account, I'd have to use my authenticator a couple times while their tracking caught up. I imagine this is more annoying for people who share connections (husband/wife players) or play on a laptop in various places.

Also, multiple logins happen sometimes, as people get frustrated trying to log in, latency, or what have you. Though that's probably on the same account. Not sure how multi-boxing works, if at all useful, in D3 like it did in WoW...

-LonerVamp

Anonymous said...

-LonerVamp

PS: Try #8 on the blogger captcha...

Anonymous said...

Commenting fail. I swear, I'm not new to the Internet! :)

-LonerVamp