Blizzard facing class action lawsuit over Battle.net security
Posted: 11.11.2012 09:02 by JonahFalcon Comments: 12
Two gamers have filed a class action suit against Blizzard, aimed at the company's alleged poor security and its profiting from the sale of Authenticators, which are used to combat keylogging.

The lawsuit alleges that Blizzard has required the security devices "in order to have even minimal protection for their sensitive personal, private, and financial data", and that the studio "negligently, deliberately, and/or recklessly" fails to properly safeguard player information.

Some incidents are explicitly noted, including a May incident in which Blizzard acknowledged the hacking of Diablo III, and the August hacking of Battle.net.

Blizzard has made, according to the suit, over $26m from the sale of Authenticators, which cost $6.50 each.

The class action seeks damages and requests an injunction to stop Blizzard from forcing players to create Battle.net accounts to play non-MMO titles like Diablo III and Starcraft II. The suit also demands Blizzard be prevented "from tacking on additional, undisclosed costs to ensure security in the form of a post-point-of-sale Authenticator."

Stay tuned.

Comments

By danfreeman (SI Core) on Nov 11, 2012
I really hope this will be the kick in the teeth Blizz needed to get to wake up. I don't see other major MMOs using these authenticators and they're doing just fine, and I know Blizzard has security issues, I get about 3 fake e-mails from Blizz and their games DAILY, and let's not forget about the DRM they impose.

Blizzard, you used to be my favorite company because of your stellar games, I didn't mind your greed because you gave games that were worth it but now your greed has skyrocketed while the quality in your games is underground.

I love Wings of Liberty but it's missing a lot of features that were in the trailers and of course it's just one part of a full game.

Diablo 3, while I had fun with it, is well under expectations and the DRM is just god-awful, the time put in the game was not to make it better but because you were lazy and wanted to introduce the auction house to squeeze even more money and it lets players buy power, to those of you saying it doesn't there will be PvP soon and since the game requires no skill your items will be the deciding factor in a fight.
By nocutius (SI Elite) on Nov 11, 2012
So they are basically profiteering on their bad security? That's kinda low.
By SirRoderick (SI Elite) on Nov 11, 2012
Sneaky stuff that, but not really unheard of. TOR has those authenticators as well. Although I suppose their security record is somewhat better.
By herodotus (SI Herodotus) on Nov 11, 2012
Key authenticators are used for more than just gaming, as many banks use them for extra security when conducting internet banking. The problem is, if the security is poor to begin with, and Blizzard/Battlenet are notoriously bad, then nothing will stop a hacker getting in.
I have one for "TOR" (had to import from U.S. as they're not sold here in Aus.) but so far I haven't heard of anyone having their accounts hacked, with or without them. Blizzard's poor track record is the reason why they were marketed in the first place.
Blizzard is simply a ripe target for hackers, and an easy one. One more strike against their constant online connection policy.
By Hammerjinx (SI Veteran Member) on Nov 12, 2012
The authenticator only stops people accessing your account after hacking the client computer. While Blizzard themselves have been hacked a bit, what the authenticator insures against is your own lack of security.

It's true that a lot of MMOs don't have hacking issues as much, and don't have authenticators, but Warcraft is a large, tempting target. The player base is huge, there's a large number of people who are otherwise not very PC savvy, and there's people willing to pay cash for your ill gotten gains. The chance of getting caught is less than hacking a bank account, and penalties are much, much lower as well.

Ultimately, if your own security is fool-proof then you don't need an authenticator. It's not, so a few bucks as a once-off is a good investment to protect yourself. The only reason it seems to be more of an issue with Blizzard is because of the number of people involved, making it a juicy target.

There are things they could do better, sure, but those are easily circumnavigated. Probably the best option server-side would be to issue everyone PINs, then require them to be entered in via a scramble pad. So, your PIN 1234 might be entered as PQJS today, and UTSK tomorrow. Regular keyloggers are then out, and the next day the hackers start trying to infect you with keyloggers that also take screen caps, and then you're back to square one.

With an authenticator, they need to employ a man in the middle attack where they corrupt or replace your client software to send them your log-in data, but block that data from going to Blizzard *and* have a guy use that data to log into your account, change your password and remove the authenticator **within the next 60s or less** and then clean you out before you contact Blizz to find out why you can't connect. It happens, but not a lot. It's generally too labour intensive when all you're looking for is a quick, easy buck.

The only other thing that Blizz could reasonably do would be to provide the authenticators for free. They could afford it, but is it reasonable to say that they should do that? What about someone who buys vanilla, plays it for a bit and says "This is nothing like EVE, I don't even have a spaceship! Bye"

So yeah, I think that a small charge for a device to cover *my* lack of security is fine.
By JonahFalcon (SI Elite) on Nov 12, 2012
The issue is that the suit is accusing Blizzard of not bothering to beef security, instead profiteering on selling Authenticators.

Fact is, without the Authenticator, you're screwed, which I found out when someone hacked my Battle.net account despite it being inactive for months.
By SiyaenSokol (SI Elite) on Nov 12, 2012
I luckily have never been hacked before, and I do have an Authenticator. This is quite shocking news to hear that their security is actually not that good. They make a lot of beef when you visit their site, but it seems that it is more show than strength.

I wonder if Blizzard is ever going to start listening to their fans... while they actually still have them.
By wolfsrain (SI Veteran Newbie) on Nov 12, 2012
Many of Blizzard's fanboys went overboard. Showed "support". It's also well known the Blizzie statement over the free Authenticators that you can get over the smartphones: that those might have been compromised earlier this year.

So if you want to be secure, you have to buy an Authenticator.

No, I don't think that Blizzard cares about anything but money. And as long as their fanboys accept being treated like c..p, those people deserve whatever is coming to them.
By herodotus (SI Herodotus) on Nov 12, 2012
Why would Blizzard care about the end user (I think 'fans' is pushing it these days)? They have a secure South Korean base... that's all they care about. What sells in the West is icing on the bulging cake.
By SiyaenSokol (SI Elite) on Nov 13, 2012
Quite true, but nothing lasts forever. Everything that has a beginning has an end. I can't say how long Blizzard will be able to keep this nonsense up, but eventually it is going to turn back, and give them a major punch in the face.
By FoolWolf (SI Elite) on Nov 14, 2012
Blizzard lost the running record of being the "good" developer - one by one the big and once mighty fall and the bigger they are - the harder they will fall...
I seriously hope that Blizzard gets smacked down hard to show that people paying for a service are actually entitled to have security already taken care of by companies benefiting from their money and time.