Tuesday, June 21, 2011

I'VE BEEN HACKED!

At least when I logged in Sunday night I was absolutely positive that I had. See, upon logging into Warcraft, I was not prompted for my authenticator PIN. I was sure that a hacker had my password and had removed the authenticator from my account! To make matters worse, it was taking dreadfully long to get into my account last night, as Warcraft actually failed to load correctly.

I immediately went over to us.battle.net and found that my authenticator worked there. Hmm. OK, not removed. Come to find out, Blizzard did this on purpose. They have implemented a new policy: if you consistently access your account from the same location, they won't prompt for your authenticator on every login.
Why didn't I get an Authenticator prompt this time?
The Authenticator system will now intelligently track your login locations, and if you are logging in consistently from the same location, you may not be asked for an authenticator code. This change was made to make the authenticator process less intrusive when we are sure the person logging in to your account is you.
I like this idea, but hate the implementation. Blizzard has multiple means of communication with us end-users, and they could have used any of them to warn us of this major security policy change. I'd love to have seen, on the realm page where I type in my password, "We've changed the way we process authenticators; go to the Battle.net Authenticator FAQ for more information."

The Good, Bad and Ugly.
How is Blizzard tracking my location? We will probably never know the full details, but Blizzard has said outright that they are monitoring our account information. I believe it appeared soon after the mandatory rollover to the Battle.net account requirement. I am guessing it is more complex than simply my IP address. Blizzard knows that:
  • IP addresses can change regularly. Every user on dial-up DSL can count on a new IP each time they start the computer. This would imply that each time I reboot, I'll be asked to type in my PIN. What's the point then?
  • A computer can be spoofed, sort of. You can spoof my PC name by creating a virtual copy of my machine with my network card info (MAC, IP), but you can't spoof everything. Could Blizzard be doing a 'reverse lookup' of my IP address? Oh sure, why not. This is a spam-prevention technique: take the IP address being reported and check whether it is coming from a domain that owns it.
Here's how I see it working: "The last 500 times Elk accessed WoW, it was from 123.456.789.010. That IP address belongs to AT&T DSL in NorCal. Today he's coming in from 123.456.789.010, but it's tracing back to an enterprise connection provided by Cox Communications, from a Las Vegas hotel. Get his authenticator PIN."
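To make the two policies concrete, here is an added example of an adaptive step-up check. It is not Blizzard's code and nothing here is known about how Battle.net actually decides; the owning-network table stands in for the reverse lookup described above and is constructed for the example, as are the IP addresses (documentation ranges), the device profile strings and the 500-login history. It contrasts a naive "exact IP" rule with a "network plus device profile" rule across three scenarios: a DSL reboot that hands out a new address in the same ISP pool, a login from a hotel on another provider, and a second machine behind the same home router (the situation the comment below describes).

```python
"""Adaptive second-factor challenge: decide whether an authenticator prompt
is warranted based on how familiar a login attempt looks.

Illustrative example, not Blizzard's implementation. All addresses, device
profiles and the network-ownership table are constructed for the demo.
"""
from dataclasses import dataclass

# Constructed stand-in for a reverse DNS / WHOIS lookup (IP -> owning network).
NETWORK_OWNER = {
    "203.0.113.10": "att-dsl-norcal",
    "203.0.113.77": "att-dsl-norcal",         # new address, same ISP pool, after a reboot
    "198.51.100.5": "cox-business-lasvegas",  # hotel connection on another provider
}


@dataclass(frozen=True)
class LoginEvent:
    ip: str
    device_id: str  # hypothetical client-side machine profile (fingerprint) string


def network_of(ip: str) -> str:
    """Simulated reverse lookup; anything not in the table is 'unknown'."""
    return NETWORK_OWNER.get(ip, "unknown")


def should_challenge(history: list, attempt: LoginEvent, policy: str) -> bool:
    """Return True when the authenticator PIN should be required.

    policy "ip_only": challenge whenever the exact IP is new. A dial-up DSL
                      user is prompted after every reboot, and a second
                      machine behind the same router is never prompted.
    policy "profile": challenge when the owning network OR the device profile
                      is new. A changed address inside the same ISP pool
                      passes; a new network or a new machine does not.
    An account with no login history is always challenged.
    """
    if not history:
        return True
    seen_ips = {e.ip for e in history}
    seen_networks = {network_of(e.ip) for e in history}
    seen_devices = {e.device_id for e in history}
    if policy == "ip_only":
        return attempt.ip not in seen_ips
    if policy == "profile":
        return (network_of(attempt.ip) not in seen_networks
                or attempt.device_id not in seen_devices)
    raise ValueError(f"unknown policy {policy!r}")


# "The last 500 times" the account was used from the home desktop (constructed).
HISTORY = [LoginEvent("203.0.113.10", "desktop-A")] * 500

SCENARIOS = {
    "dsl_reboot_new_ip": LoginEvent("203.0.113.77", "desktop-A"),
    "hotel_other_isp": LoginEvent("198.51.100.5", "desktop-A"),
    "laptop_same_router": LoginEvent("203.0.113.10", "laptop-B"),
}


def evaluate(history: list = HISTORY, scenarios: dict = SCENARIOS) -> dict:
    """Map each scenario name to (ip_only_challenge, profile_challenge)."""
    return {
        name: (should_challenge(history, ev, "ip_only"),
               should_challenge(history, ev, "profile"))
        for name, ev in scenarios.items()
    }


if __name__ == "__main__":
    for name, (naive, profile) in evaluate().items():
        print(f"{name:22s} ip_only={naive!s:5s} profile={profile}")
```

Under the exact-IP rule the reboot triggers a prompt but the new laptop on the same router does not, which is backwards from a security standpoint; under the network-plus-device rule the reboot passes silently while both the hotel login and the unfamiliar machine get challenged. An address the lookup cannot attribute resolves to "unknown", which never matches a history of attributed networks, so it is challenged as well.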

or else... (random stern look pic)
Blizzard, you can do better. Not everyone reads your forums, blog or other news outlets, but we all log into the game. Use the game to communicate with us when you change the way we access it. This Warlock did not appreciate worrying about his security when there was no serious concern.


Sincerely,


Elkagorasa

1 comment:

  1. I have multiple computers behind a router. They're doing a computer profile check. My primary desktop isn't asking for a token. My secondary laptop is getting challenged.

