Blizzard Deems Authenticator Lawsuit ‘Frivolous’

By Nathan Grayson on November 13th, 2012 at 4:00 pm.

Well, that didn’t take long. Hackers sneaked past Blizzard’s hyper-sophisticated security system – presumably by cinematically lowering themselves from a cyber-ceiling to avoid all the e-lasers – and people weren’t too terribly happy about that. Unsurprisingly, a couple of them decided to sue. Unsurprisingly-er, Blizzard’s replied not by groveling and begging for heartfelt forgiveness, but instead by whipping out its fightin’ words pistols and shooting down the whole thing.

Blizzard recently released a statement on the matter, and it didn’t leave much room for compromise. Foremost, the Titan-developing titan declared the suit “without merit and filled with patently false information.” Here are the other key bits:

“The suit’s claim that we didn’t properly notify players regarding the August 2012 security breach is not true. Not only did Blizzard act quickly to provide information to the public about the situation, we explained the actions we were taking and let players know how the incident affected them, including the fact that no names, credit card numbers, or other sensitive financial information was disclosed.”

“The suit also claims that the Battle.net Authenticator is required in order to maintain a minimal level of security on the player’s Battle.net account information that’s stored on Blizzard’s network systems. This claim is also completely untrue and apparently based on a misunderstanding of the Authenticator’s purpose… Considering that players are ultimately responsible for securing their own computers, and that the extra step required by the Authenticator is an added inconvenience during the log in process, we ultimately leave it up to the players to decide whether they want to add an Authenticator to their account. However, we always strongly encourage it, and we try to make it as easy as possible to do.”

Blizzard concluded by deeming the lawsuit’s claims “frivolous” and noted that it plans to “vigorously defend itself” in the event of any resulting legalities. And while it’s true that Blizzard was fairly communicative when the breach occurred, this response still doesn’t really do a great job of addressing why Authenticators are so potentially problematic. I mean, they are required for certain game features. Blizzard throws around the word “optional” when referring to the tiny plasticine gate guard to its massive virtual worlds, but I’d say that’s stretching the definition pretty far.

Moreover, users might be responsible for securing their machines, but Blizzard should absolutely, unquestionably bear the burden of locking down its products. In the statement, however, it attempts to blur the lines between those two sides, and the result comes off as more than a little disingenuous. Speaking personally, I think the lawsuit’s overreaching and a couple of its demands are hilariously outrageous (No Battle.net for any and all non-MMOs? Really?), but some of those concerns definitely warrant further examination.

Even if this one fails to get off the ground, here’s hoping it results in some kind of mentality shift at Blizzard. Because there’s reason for concern here, and the blue behemoth’s willingness to dismiss it so casually leaves a pretty yucky taste in my mouth.

133 Comments »

  1. Ich Will says:

    It’s very difficult to see even a glimmer of validity to this lawsuit.

    • Groove says:

      It’s difficult to see much validity outside of the authenticator being required to use the Diablo real-money auction house. THAT is a massive point, since it was billed as a considerable feature of the game (it may or may not be a way to scam money out of players, but they sure didn’t sell it as that).

      • Thomas says:

        It’s not required, it’s simply required for use of one of the payment methods to do so.

      • Brun says:

        There may be considerable financial and legal liabilities on Blizzard’s behalf resulting from fraudulent in-game purchasing. Financially, a large volume of fraudulent credit card charges would generate fees for Blizzard (CC companies fine your business each time a customer disputes a charge) and would make working with the CC companies generally a pain in the ass (they come to regard your business as “shady”).

        For the same reason (fraudulent purchases) Blizzard could be held liable for hackers stealing money directly from hacked accounts (by converting real money to gold and transferring that gold to accomplices, who then convert it back to money). The fact that they facilitate such an exchange, as well as taking a cut themselves, could make them accessories to wire fraud or money laundering in some countries.

      • rawrty says:

        The only way it’s valid is if they can prove negligence on Blizzard’s part caused them to suffer damages. The fact that the authenticator was an extra step taken by Blizzard to help them beat common hacking attacks invalidates the entire premise. I’m not a huge fan of Blizzard myself lately, but I think this is pretty much the definition of a frivolous lawsuit.

        • Hirmetrium says:

          The fact that Blizzard don’t accept the merit of the lawsuit, and call it “Frivolous” shows that they are very negligent of their customers’ wishes/intentions/whatever. There are two sides to every coin.

          • Nevard says:

            In what world does calling a completely ridiculous lawsuit “frivolous” equate to being neglectful of your customers?

          • caddyB says:

            Internets

          • mittortz says:

            I’ve never read something that made my brain feel more like a washing machine

  2. mr.ioes says:

    Is the full lawsuit text available anywhere?

  3. djbriandamage says:

    Authenticators are required for certain game features?

    • FuriKuri says:

      Yes, on Diablo 3’s real money auction house, you need an authenticator to send cash to your blizzard account (you don’t if you send it to paypal).

      WoW gives you a unique pet, debatable as to the use of it but it still falls under ‘feature’ IMO.

      • djbriandamage says:

        Thanks, I forgot about the RMAH requirement. I think that’s a smart precaution.

        I’m also very proud of my core hound minipet thanks to my WoW authenticator.

  4. Reefpirate says:

    But Blizzard is eeeeevil, of the soul-sucking, money-grubbing variety. They must be stopped!

  5. LTK says:

    …the Authenticator is an added inconvenience during the log in process…

    And they decide to charge people for this inconvenience. They’re not making themselves look very good here, are they?

    • zipdrive says:

      It’s added security for the price of inconvenience and a few bucks for the hardware. I see no problem with that.

    • DrGonzo says:

      I’ve given up on Blizzard and their games. I’ve had 3 accounts now, they all get hacked very quickly. The only way I can see to stop it is to buy an authenticator, so I won’t bother. It’s not like my accounts are easy to hack either, I use different passwords every time, and I’ve never had another account for anything hacked.

    • darkChozo says:

      Surgery is something of an inconvenience, and they also tend to charge for it. Down with surgeons!

      • sub-program 32 says:

        Except they don’t charge you for surgery in the UK! Up with UK surgeons!

        • darkChozo says:

          Ah, but the surgeons are instead paid through the government, who is paid via taxes, and I bet you spend more on taxes than I do on surgery. Ergo UK surgeons are more evil than US surgeons vis a vis the obfuscation of their offering inconvenience for currency. (Q.E.D.) DOWN WITH ALL SURGEONS INCLUDING BUT NOT LIMITED TO THOSE IN THE US OR UK!

          • eks says:

            US citizens pay income tax too, the only difference is you don’t get healthcare in return. I wouldn’t exactly be holding that up as something to brag about.

          • Beelzebud says:

            I’ll bet people in the UK can’t name one person in their life that has had to declare bankruptcy over medical bills. I can name a list of people I know who have had to do that. FREEDOM!

          • darkChozo says:

            Alas, it is all for naught. Follow the money and you will find that all paths lead to the pockets of corrupt surgeons. DOWN WITH THE ILLUMISURGERY!

          • Lord Custard Smingleigh says:

            I embrace the fallacy of the Golden Mean!

            Surgery for some, bankruptcies for others, a pox on both your houses, and down with everyone!

    • Brun says:

      1) Completely optional in every way.

      2) The Android/iOS authenticator is free.

      3) The physical authenticator is “sold” at cost, meaning Blizzard takes in no profit for it.

      Out of all the reasons people seem to hate Blizzard, “their authenticator practices” is the LEAST legitimate. Stop being pretentious and trying to dress up your problems with Blizzard behind everything they do, and just come out and say what you don’t like.

      • Randomer says:

        So it wouldn’t bother you if they charged $7 extra for Act 4 (but made it free for people with smartphones)? After all, playing the entirety of the game is completely optional!

        • Hahaha says:

          Do you need to sell/buy things on the RMAH?

          • Randomer says:

            Do you need to play Act 4?

          • Hahaha says:

            You bought the game so yes you do need to play through the content provided, the RMAH has nothing to do with content you have bought.

          • kalniel says:

            Thus far, I’ve not needed anything from either auction house, real or otherwise. Granted, I’m only just finishing up Hell difficulty though. If I can’t do inferno without I won’t lose any sleep over my purchase.

        • KilgoreTrout_XL says:

          It’s free for people who have a computer. Is that free enough?

          • Randomer says:

            This is the first time I’ve heard any mention of WinAuth. After taking a look at it, I would say that that amount of free seems great!

        • frightlever says:

          That would make act 4 optional DLC, given away free to people who take the extra step towards helping Blizzard keep their accounts secure (accounts which are often lost due to the users downloading trojans and not using unique passwords. Often.)

          You’re actually right, that’s exactly what Blizzard should have done – download a free authenticator or pay for a dongle and BLAM extra content. Good thinking.

        • secuda says:

          Why are people making up stories that you need RMAH? I have not used it a single time and made it through Inferno with a friend who has not used RMAH as well.

      • Randomer says:

        Sorry, I think I’m mainly just pissed at Blizzard. Not trying to target you. To be fair, were I to buy D3 I really would have no intention of using the RMAH. I still think it’s a bit stupid that they built a system where people without smart phones need to pay extra.

        But the more I think about it, the more silly the lawsuit seems. The free market already punishes Blizzard every time they piss off a potential customer with stupid practices. There is no need to inflict legal fees on top of that.

    • sarbian says:

      The iOS & Android Authenticator apps are free. They charge you for shipping and the cost of the auth.
      The auth are custom-built VASCO tokens, I’m sure VASCO charge for them too…

    • elfbarf says:

      Actually, they have a *free* authenticator app available for smartphones. The physical authenticators are optional and cost money to manufacture/ship, and last I checked no other game provides such an item for free.

      I foresee quite a bit more mindless Blizzard bashing in the comments for this article.

      • SkittleDiddler says:

        I hate Blizzard with a seething, mindless passion, but I’m going to refrain from commenting.

    • djbriandamage says:

      Blizzard offers a free authenticator for mobile phones, or you can buy a hardware token for $7. Both are optional.

  6. zipdrive says:

    Nathan, while I agree that the “optional” tag on something that is flat-out required for some features is misleading, there is absolutely NOTHING Blizzard can do to prevent hackers from taking over a person’s account if the person in question has his machine compromised (depending, of course, on the level of compromise). Software exists today that can run in the background and play key-logger/man-in-the-middle and collect one’s passwords, authentication data, harvest other information and there is no way for Blizzard to know “who’s calling” when all information has been stolen.

    Requiring the Authenticator is a huge step in securing one’s account, but it inconveniences the user and is, properly, left for his discretion if, for example, one doesn’t want all the trading and such, but simply to play. Demanding Blizzard to “lock down its products” is a meaningless phrase – what do you mean by that?

    • DrGonzo says:

      Valve have taken steps to secure Steam accounts, and they did it for free.

      Or you could compare it to bank accounts. They send you an authenticator for free, because as you said, they cannot protect your account from your own pc, it would be wrong for them to provide an online banking service WITHOUT some kind of security like that.

      Blizzard should have to follow those same standards. If I HAVE to have an online account to play their singleplayer games, then they HAVE to keep my details secure.

      • ScubaMonster says:

        While they don’t have an email system in place, you can use their smart phone mobile authenticator app for free from what I understand. Also banks aren’t required to do that, they just do it because it’s common sense. Also, one’s bank account is far more important when it comes to security than a video game account.

      • darkChozo says:

        I’ve never had a bank offer me an authenticator, not sure if that’s as widespread as you might assume.

        Also, Blizzard offers a free version of the authenticator as a mobile app. The extra charge is for them sending you a physical authenticator, which is understandable, because that’s not free for them (probably doesn’t cost them $6, either, though).

        And I think that holding Blizzard to the same standard as a bank is a little silly, considering that I can’t think of any other games that even offer two-factor authentication. Admittedly, Blizzard does suffer from the Windows problem that it’s a huge target, which means lots of phishing and social engineering attacks get directed at Battle.net accounts.

        • Brun says:

          I’ve never had a bank offer me an authenticator, not sure if that’s as widespread as you might assume.

          Apparently it’s quite common in Europe, but pretty much unheard of in the US.

          • Ich Will says:

            It’s also worth noting that your authenticator remains the bank’s property and you have to return it for new batteries etc. If you lose it you are charged for a replacement etc.

          • diamondmx says:

            That also depends on the bank, some will replace for free – perhaps there’s an unspoken limit on free replacements, much like your bank cards have one.

      • zipdrive says:

        I’ve never seen a bank authenticator, but maybe that’s just because I live in the middle east.

      • Ich Will says:

        It’s ridiculous to claim that just because one company offers something for free at a loss to themselves, all others offering the same thing must follow! I would imagine that companies with massive market shares could bankrupt rivals at will if this were the case.

      • Hahaha says:

        “I’ve given up on Blizzard and their games. I’ve had 3 accounts now, they all get hacked very quickly.”
        -DrGonzo

        That is all

        And yep you’re reading that right, he has had 3 accounts hacked, for some perspective I’ve not had one account hacked in over 18 years of being online.

      • KilgoreTrout_XL says:

        I’d just like to point out that that authenticator you got from your bank? Yeah. That was really far away from “free”.

        • Hahaha says:

          Was free for me

          The point it is trying to make is banks give them away why can’t blizz.

          • KilgoreTrout_XL says:

            The cost of that app is buried in the fees your bank charges you for having the audacity to retrieve some of the money you gave them, or the hutzpah to leave your money in their vault, calling them on the phone…

            Besides, Blizzard does give them away. When you can’t afford $6 and also can’t figure out how to install an authenticator on your computer for free, it’s time to think about not playing games on your pc any longer.

      • gktscrk says:

        I wish someone had said that to NatWest, that they were not supposed to charge me. Oh wait, they missed it. And same with the two other banks I know…

        Since online banking is not a prime service, I’ve never had anyone provide me with free secure access to it: the authenticators to all three have made me pay money (although admittedly they didn’t want money for an original password sheet that had the passwords needed — only the newer enter-your-card type things have had an additional fee).

        EDIT: I would probably have to add that I don’t pay a monthly fee on my bank accounts — I find it plausible to believe that if you do, the banks would be kind enough to forget about the online authenticator.

    • D3xter says:

      Since this is going to come up again, I brought it up in the last of these threads, to start off let’s set some parameters as how this is on Blizzard and not their customers:

      1) There is NO NEED for an Account-based Login for a SinglePlayer game (see, almost every SinglePlayer game in existence or even Blizzard previous titles like Diablo 2 or WarCraft III)
      2) There is NO NEED to have any sorts of financial transactions happen within a game (see, almost every single game out there yet again)
      3) There is NO NEED for credit card or other sensible information being stored on said Accounts for ANY reason.

      I haven’t heard anyone DEMAND from Blizzard that they include Always-Online DRM or a Real Money Auction House in the game because they all wanted to spend their money on virtual items creating a toxic environment where in game gold is worth actual money, helping to make that practice even more “mainstream” and creating an environment where Hackers systematically try to attempt to steal accounts. That’s pretty much all on Blizzard.
      For that matter, I haven’t heard much about Torchlight 2 Account Logins or Data being stolen…

      Blizzard chose to do all of those things out of purely for-profit reasons and it’s on THEM to ensure that kind of information doesn’t get into anyone else’s hands.

      There’s also several dozen things they could have done to prevent people from getting hacked in the first place I can think of:

      1) SinglePlayer Mode and Open Battle.Net, so everyone can choose if they’d rather play the game or get hacked
      2) Put in place a number of several “authentication” questions à la “What is your favorite movie/car/whatever?” at every Login, like Star Wars: The Old Republic did, which goes beyond password requirement
      3) Give players the ability to Lock down items they don’t want to sell anymore to their accounts and don’t save credit information
      4) Introduce a hardware-based Login system similar to how Steam Guard works, if something changes within the machine used to Login pop over a Code via E-Mail one has to Input to Login
      5) To prevent Keyloggers they could use a KeyPad where you use the Mouse to Input the Password at random positions on the Screen instead of a text field.
      6) If they wanted to go the “Authenticator” way, include one in every box, they literally cost cents to produce and it would save them the trouble of Support cases (although take away their excuse if people would still be getting hacked) instead of making people pay for them.

      etc.

      • ScubaMonster says:

        Be that as it may, it’s their game, you’re merely paying for a license to play it and they have their own EULA you agree to when you click Accept. There’s no grounds for a lawsuit, especially if Blizzard covered their ass in that EULA you agree to before ever being able to play the game.

        • SkittleDiddler says:

          The EULA doesn’t need to be mentioned simply for the fact that it doesn’t override the law of the land. The court taking this case could easily ignore it if they so choose.

          • Vorphalack says:

            Indeed. I have no idea why people keep proliferating the myth that an EULA is some sort of iron clad defense against any possible legal action. It’s not a contract and it’s not a replacement for local consumer / business practice law.

      • Brun says:

        1) There is NO NEED for an Account-based Login for a SinglePlayer game (see, almost every SinglePlayer game in existence or even Blizzard previous titles like Diablo 2 or WarCraft III)
        2) There is NO NEED to have any sorts of financial transactions happen within a game (see, almost every single game out there yet again)

        You should have just stopped typing here, because this is what it’s really all about isn’t it? You’re just projecting your distaste over these issues onto their account security practices – just come clean and say it, we won’t judge.

        • D3xter says:

          You damn well better believe that I am disgusted by their practices for several years, in fact I did somewhat of a write-up shortly before StarCraft II and since then haven’t bought a single one of their games (so basically since WarCraft III: TFT): http://www.teamliquid.net/forum/viewmessage.php?topic_id=128252

          As such I haven’t accepted any of their EULAs and don’t intend to any time soon, although it’s important to say (apparently) yet again that EULAs aren’t written laws that everyone has to abide by (companies can’t write laws… yet), are only that particularly strong in the US and are invalidated if they infringe on the laws of the land or any consumer protection issues.

          Your only defense for that matter is apparently that you are a Blizzard “fan”, and as such they have the right to circumvent customer protection, to give out your data, to be able to lose it because of lax security and write whatever they want in their EULAs and everybody should fall to their knees and accept, because they’re Blizzard, or how am I to understand you getting all defensive over these issues?

          • Brun says:

            I’m getting defensive because they’ve gone above and beyond (with authenticators) what pretty much everyone else in the same market does (nothing) and yet people claim to hate them for it. Be honest with yourself – hating them over their security practices (which are superior to those of not only most other video game companies, but many financial institutions!) is completely irrational. Hating their security practices is just a pretense for hating their DRM (among other game-related issues). And it’s that pretentiousness that drives me insane.

            TLDR: I would be less defensive if you just said “I find Blizzard’s DRM to be objectionable” and left it at that. It’s not like hating DRM is socially unacceptable or something (especially here, of all places) – why do people feel the need to crucify the entire company (to the point of irrationality) over one issue?

          • Ich Will says:

            As the argument “You are obviously a fan” is already being thrown around let me start by stating that I am rather indifferent to acti-blizz. I am definitely not a fan – I own starcraft 1 + brood wars which I played for a couple of years, likewise with D1+2 but I own starcraft 2 and only played for a few months likewise with D3.

            So a fan I most certainly am not, I am kinda indifferent to them as a company. I like their products but not more than other products from other companies, I may go back to their games, I may not. I most certainly won’t pick up the expansion pack for sc2.

            Now that that has been said, please explain what customer protection are they circumventing? If a login request is made at battlenet and comes with a valid username and password, what is the problem with allowing that login to happen? If you as a consumer are worried about your ability to keep your username and password safe, you can use an authenticator for free on your smartphone. If you do not own a smart phone, you may purchase a device for $7 is it? like £4. And you have carried this disgust with you for years over £4, my oh my! Sounds like a lot of pointlessly wasted energy to me.

          • D3xter says:

            I wasn’t referring to this one particular issue, but just look back at the launch of Diablo III and everything that went on with that, for instance they had their offices searched in South Korea and there was a Class Action lawsuit: http://www.forbes.com/sites/erikkain/2012/06/13/blizzard-faces-a-class-action-lawsuit-in-korea-over-diablo-iii/
            They’ve also been targeted by several consumer protection agencies, like in France or Germany over several issues, although they did give in to the demands on the last and it didn’t come to a lawsuit: http://diablo.incgamers.com/blog/comments/german-consumer-agency-targets-blizzard

            They are systematically and gradually eroding consumer rights by locking down their games and services, trying to take ownership over E-Sports leagues and Mods, making them Online Only, and above that when it backfires in a glorious way they say they aren’t responsible.
            The same old (Activision) Blizzard that used to allow Spawn Installs of their games, didn’t require B.Net to play them, had LAN modes, allowed people to play over the same account and were generally more open and friendly this is not.

            To be honest I just find the idea that they’re the “victim” here and have to be “defended” after all they’ve done a little perplexing as they get more and more rights and power and their customers get less, at some point you’re going to have to say that enough is enough and while we have several consumer agencies or even private people take them on in the court of law here we are again with several people relativising that they aren’t “all that bad” and all of those claims are “frivolous” acting entirely contrary to the interests they should have and hold dear as consumers.

            I even understand people not caring, but actively working against their own interests is what I don’t get, it’s like that “Apple syndrome” that some people have.

          • Hahaha says:

            Changing times, who would have guessed.

          • Brun says:

            Yes. But my point was that none of that changes the fact that their security measures are still better than those offered by pretty much everyone else in the industry except Valve and Arenanet, and superior to those offered by many outside the industry (such as banks) who are charged with safeguarding significantly more important personal information.

            Whether you like it or not, account security is an area in which Blizzard has gone out of its way to improve. They aren’t perfect (no security is) but they’re doing a damn sight better than Sony, for example.

          • D3xter says:

            The main difference to that being that none of those are even remotely as rampant in being hacked, mainly because they’re mostly in the business of making games and not money-machines like Blizzard.
            I for instance haven’t heard of a single case of a Torchlight II Account being hacked, or Rockstar Social Club, Tribes II or anything like that, since there’s nothing much of worth there to be sold for hundreds of dollars, nor do they have anything remotely resembling a Real Money Auction House.

            Blizzard is the one with a security and hacking problem, and that because of choices they’ve made, not the “rest of the industry” (aside of SONY).

            If I’m allowed an entirely stupid comparison, it’s like building a Casino near a Fast Food Restaurant, providing about the same security and wondering why you’re constantly getting robbed.

          • Brun says:

            mainly because they’re mostly in the business of making games and not money-machines like Blizzard.

            Really? How delusional are you? Blizzard is a target because their games are more popular than those others you listed, and because unscrupulous players are willing to illegally pay real money for an advantage in those games – an advantage created by stealing from other players. Those unscrupulous players come with being a popular game. As someone else said, they suffer from the Microsoft effect in a big way.

      • zipdrive says:

        Your 3rd point is wrong, since the subscription model requires being able to access your credit card details. As far as I know, and I might be wrong, no subscription game offers Paypal subscription or some such.

        • Brun says:

          inb4 he suggests something ridiculous and impractical like forcing everyone to buy Prepaid Time Cards at GameStop.

        • Snarfeh says:

          Eve Online does allow paypal to be used as a sub method.

      • darkChozo says:

        This is completely orthogonal to the Diablo 3/Starcraft 2 always-online issues. Even if they had standalone singleplayer (which they should, BTW), their multiplayer components and WoW would still be using Battle.net, and therefore vulnerable to hacking and subject to security concerns.

        From a security standpoint, 4 and 6 are about the same when it comes to authentication strength. All the rest are subject to phishing attacks, which I imagine is a large source of stolen accounts. So there’s a reason Blizzard chose authenticators.

        While redundant measures would be nice, there’s nothing wrong with how they do their authentication, and they have no responsibility to secure anything out of their control; this service is an add-on to what you buy when you buy their game. They’re doing it at cost, too, which is admirable; they could easily be selling a $20/year “security service” or something.

        • D3xter says:

          It’s not really, most of their issues are self-made through their practices and design decisions. For instance most people wouldn’t even HAVE any of these issues if they didn’t need an Online Account to play and could simply play through the game in Single Player, they would be entirely safe.

          For that matter I believe StarCraft II wasn’t as sought-after by hackers for the sole reason that they couldn’t do much at all with the accounts other than play StarCraft II.

          They introduced a real money economy to their game, they tried taking over certain roles of digital goods sellers and banks, they better be ready for the consequences and up their security thusly. They have created a digital marketplace with goods trading and real money involvement, including the need for credit card details, PayPal etc. instead of a game and there’s certain things that come with the field.

          They’re also not selling anything at cost, the authenticators are worth mere cents: http://daeity.blogspot.de/2011/02/profit-from-blizzard-authenticators.html , there’s no licensing cost or anything like that involved and they’re making money from the sale, that myth and ridiculous belief that Blizzard must surely sell them at a loss in a noble gesture of self-sacrifice, they’re practically giving them away and doing everyone a favor seriously has to die.

          • Hahaha says:

            Why do you keep linking to this crap?

            “To access your blogs, sign in with your Google Account.”

          • Brun says:

            Most of these security decisions were made before Diablo III came out – the authenticators were designed to protect against hackers that would steal WoW accounts and sell the gold, characters, and items pilfered from those stolen accounts for real money (illegally). So the claim that adding a real money economy to the game made Blizzard a target is, quite frankly, false. They were targets LONG before a real money economy existed in ANY of their games.

          • KilgoreTrout_XL says:

            “They’re also not selling anything at cost, the authenticators are worth mere cents: http://daeity.blogspot.de/2011/02/profit-from-blizzard-authenticators.html ”

            Jesus.

            You’re right and you should get on the phone to Vasco and tell them that their product isn’t worth more than a few pennies, so they simply must sell it to Blizzard for a few pennies (because: things), so the cost to the players will be pennies, which is what blizz should have done years ago. Or you could grow up.

          • darkChozo says:

            Diablo 3 reached 10 million sales rather recently; WoW has 10 million active subscribers, who pay continuous money for a rather old game. Who do you think is the main target for hacking attempts? Seriously, thinking that this has anything to do with the RMAH is just silly.

            Also, I didn’t say they were selling them at a loss, I said that they were selling them at cost, ie. just at enough so they don’t lose money at them, including overhead. I actually agree that $5 or whatever sounds dubious, but that presumably takes into account shipping, some R&D, support costs, etc. Regardless, it’s pretty obvious that this isn’t a main revenue stream for Blizzard, and the fact that they offer a free alternative makes it hard to accuse them of ulterior motives without sounding somewhat conspiratorial.

            PS. that link is to a private blog, dunno what you’re expecting me to do with it

          • Sir-Lucius says:

            “For instance most people wouldn’t even HAVE any of these issues if they didn’t need an Online Account to play and could simply play through the game in Single Player, they would be entirely safe.”

            Lolwat. So the solution to the question of their security practices is to just completely isolate yourself from taking advantage of online functionality? Are you even reading what you write? Sure, if there was a completely offline SP mode the people that chose to only play the game through that mode would be unaffected. But large numbers of their player base DO CHOOSE to take advantage of their multiplayer components, and they would still be subject to the issues at hand. Offline SP would be great and IMO there’s no reason they shouldn’t have included that functionality, but it would still do nothing to alleviate the problems faced by the people that do take advantage of the online components and is far from this cure-all solution to the question of Blizzard’s security practices.

            And as others have mentioned, the authenticators and their problems with hack attempts have been around far longer than Diablo 3 and the RMAH. To say that they are the root cause of Blizz’s security issues is disingenuous at best.

            As far as authenticator costs go, even if you are correct in that it costs nothing for Blizzard to manufacture them, I can assure you it doesn’t cost them nothing to ship them, and that their shipping costs are included in the price. Shipping costs are not cheap, even for small items, and almost every big box etailer I know of has seen shipping costs go up the past few years. And that’s with them having deals in place with shipping services for reduced pricing due to the bulk amounts they send out every day.

            I’m in complete agreement with you on many of Blizzard’s design decisions and policies with regards to DRM and the way they control their games. But I disagree with how you seem to try to conflate those issues with issues of account security, when there has been little to no evidence to support the claim that Blizzard has been intentionally negligent or tried to force users into buying a secondary authentication device. Trying to tie every little issue the company runs into back to their always online decisions doesn’t serve any purpose other than to take away from legitimate gripes you have with the company.

          • D3xter says:

            If you mean that all the Hacking attempts are because of World of Warcraft, then why would they merge the two account systems, it’s another one of those dubious Blizzard decisions that people will defend, it prevents resale and the likes and puts all games into “one basket”, this happened rather recently too: http://us.battle.net/en/account-merge/

            The blog was open previously, sorry for that, it just stated that the material costs are within the cent areas and even with additional costs it shouldn’t be anywhere above $2 or such, seeing as Blizzard likely buys them in bulk from their provider and just puts a sticker on them I’m rather sure that most of what goes above that is pure profit. But we all know that (Activision) Blizzard isn’t above even charging money from their fans for a LiveStream of their own promotional events like BlizzCon at $30+ which basically costs nothing.

            Edit: But the security issues DO boil down to them using the Always Online Mode and the RMAH (making Diablo III not just a game, but a micro-economy), just look at Torchlight II (or any other number of similar games), which also has an Optional Online Account and point me to ANYONE that has said their Torchlight II Account was hacked.

          • darkChozo says:

            The merge is more likely because centralized systems of the sort are easier for both providers and customers to work with. Think of the uproar whenever someone produces games that rely on something like GFWL or Gamespy, or even when something is a non-Steam release; a lot of it is due to the fact that people don’t want to make multiple accounts or install new programs on their machines (GFWL and Gamespy being bad examples of that, actually, because in that case the services are admittedly shitty). While it does result in some monoculture and therefore new security threats, it’s not necessarily a poor design choice, nor one that has to cause more harm than good.

            I completely believe that the authenticators are cheap as hell to produce. If you told me that the bulk price per unit was over 50 cents, I probably wouldn’t believe you. Still, unless this is an in-house solution there are licensing fees for the system to account for (I’m seeing people say it’s licensed, I have little to no insight on the matter), plus shipping, packaging, general overhead, all that.

            $5 does seem about right; and even if it is closer to $2 or $3, I can hardly imagine that this is padding Blizzard’s coffers much. By definition, anyone who wants one of these is going to have bought what is likely a $50 game or is subscribed to WoW. They’re not going to be buying multiple authenticators for multiple games, and Blizzard is offering a free alternative. Blizzard’s other practices aside, it seems unlikely that the main reason for the authenticator is profit motive.

            If it helps, personally, I’m rather apathetic towards Blizzard. I’ve only played Starcraft and D3, and while I thought the restriction on the latter was beyond stupid it didn’t affect me because I played with friends and don’t care at all about the AH. So there’s that.

          • Brun says:

            “If you mean that all the Hacking attempts are because of World of Warcraft, then why would they merge the two account systems”

            Because it makes sense? Honestly I was kind of surprised back in 2005 when I started playing that I couldn’t use my Warcraft III Battle.net account from the early 2000’s to log into WoW.

            Even if Blizzard had kept the account systems separate, they would have (theoretically) used the same security systems (authenticators). A successful breach of one system would mean that the same technique could be used on the second. So you’d be making life more difficult for your customers (many of whom would have accounts on both games) by forcing them to keep track of two accounts, passwords, and authenticators, for little tangible security benefit.

            “But the security issues DO boil down to them using the Always Online Mode and the RMAH (making Diablo III not just a game, but a micro-economy), just look at Torchlight II (or any other number of similar games), which also has an Optional Online Account and point me to ANYONE that has said their Torchlight II Account was hacked.”

            While I don’t doubt that the RMAH has made Blizzard accounts even more attractive to hackers (which is why Blizzard REQUIRES the use of Authenticators to spend real money on the RMAH), as I stated before the hacking started and reached its peak intensity with WoW accounts.

            You can keep touting this argument, despite being given solid evidence to the contrary, but all I’m seeing is you grasping at straws in an attempt to tie Always-On DRM to security risk. Always-online DRM is a bad design decision on its own, you don’t need to spew bullshit conspiracy theories about account security to convince people of that fact. But since you seem so intent to do so, maybe you should go write for Eurogamer, since they clearly have no problem embellishing the truth when they want to smear something they don’t like.

          • Silarn says:

            Frankly I’m tired of this assertion that you have some kind of privileged information about the costs Blizzard has to pay on the purchase, customization, shipping (probably twice per unit, once for bulk shipping to their own warehouses and once for each individual authenticator sale to digital purchasers or a second bulk shipment to retailers), backend systems maintenance and development of the physical authenticators. Unless you get your hands on Blizzard’s internal cost spreadsheet and can show definitive proof that they are selling for a considerable profit margin, you are using baseless conjecture.

            Judging Blizzard’s total costs by the material costs is laughable. The ‘material costs’ for a can of soda are just a handful of cents (not the labor and maintenance costs, mind you). Even still, Coca Cola isn’t going to start selling to retailers at that price (and then retailers will mark it up even a little more, especially when they buy syrup instead of cans).

            None of this is to say that you can’t have personal issues with their business practices, but please don’t use unsubstantiated hearsay and speculation as proof.

            While it was not initially the case, Blizzard now has two-factor authentication in place for people with authenticators. They actually use a combination of the authenticator code AND the system/location detection used by VALVe, Arena Net, and Trion to detect access from unknown systems. These other companies rely on an uncompromised e-mail account to ensure unknown access is legal. Blizzard will enforce the entry of an authenticator code.

            This is actually why it’s more secure to NOT enter your auth code for every login, as the system knows you have logged in there before (within the last couple weeks) and will not open up your current code to a man-in-the-middle attack. An attempted access from a remote system will trigger the authenticator check. This also gives you a small window where you might detect the infection of one of these programs before the next required authenticator checkin. Forcing the authenticator entry for every login actually opens yourself more to the man-in-the-middle attacks.

            I will add, however, that if the lawsuit is pushed I would be interested to see what those costs are.
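An added example, not part of the comment thread and not Blizzard's code, of the policy described in the comment above: the authenticator code is requested only when a login comes from a system that has not passed a code check recently. The class and function names, the 14-day window (standing in for "the last couple weeks"), the constructed login history and the placeholder code verifier are all assumptions.

```python
import hashlib
import hmac

TRUST_WINDOW = 14 * 24 * 3600  # assumption: "the last couple weeks" taken as 14 days


class StepUpPolicy:
    """Ask for the authenticator code only when the login comes from a system
    that has not passed a code check within the trust window."""

    def __init__(self, server_key, verify_code, trust_window=TRUST_WINDOW):
        self._key = server_key
        self._verify_code = verify_code   # callable(account, code) -> bool
        self._trust_window = trust_window
        self._last_checkin = {}           # fingerprint -> time of last code check

    def _fingerprint(self, account, device_id, region):
        # Keyed hash, so the stored record does not expose the raw device identifier.
        msg = "\x1f".join((account, device_id, region)).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def login(self, account, device_id, region, password_ok, now, code=None):
        """Return "ok", "code_required" or "denied" for one login attempt."""
        if not password_ok:
            return "denied"
        fp = self._fingerprint(account, device_id, region)
        last = self._last_checkin.get(fp)
        if last is not None and now - last <= self._trust_window:
            return "ok"                   # known system: no code is typed or transmitted
        if code is None:
            return "code_required"        # unknown system or expired trust
        if not self._verify_code(account, code):
            return "denied"
        # Trust is anchored to the last code check, not the last login,
        # so a periodic authenticator check-in is always enforced.
        self._last_checkin[fp] = now
        return "ok"


def run_constructed_logins():
    """Replay a constructed login history and return the decision for each attempt."""
    day = 24 * 3600
    # Placeholder verifier: a real deployment would check the token's current code.
    policy = StepUpPolicy(b"constructed-demo-key",
                          lambda account, code: code == "123456")
    attempts = [
        # (day, device, region, code typed by the user)
        (0, "home-pc", "EU", None),          # never seen: code requested
        (0, "home-pc", "EU", "123456"),      # check-in succeeds
        (3, "home-pc", "EU", None),          # trusted: password alone is enough
        (5, "unknown-host", "AS", None),     # correct password, unknown system
        (5, "unknown-host", "AS", "000000"), # wrong code from the unknown system
        (20, "home-pc", "EU", None),         # trust expired: check-in required again
    ]
    return [
        policy.login("player@example.com", device, region, True, d * day, code)
        for d, device, region, code in attempts
    ]


if __name__ == "__main__":
    for outcome in run_constructed_logins():
        print(outcome)
```

In this history the code is typed once in twenty days on the home system, while a correct password alone from an unknown system never gets past `code_required`.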

          • Sir-Lucius says:

            “Edit: But the security issues DO boil down to them using the Always Online Mode and the RMAH (making Diablo III not just a game, but a micro-economy), just look at Torchlight II (or any other number of similar games), which also has an Optional Online Account and point me to ANYONE that has said their Torchlight II Account was hacked.”

            I’d imagine a lot of that would have to do with D3 selling 10 times what T2 sold, as well as the fact that the account is linked to the entire Blizzard library. It’s a simple numbers game. Why would I target a smaller game (especially one that has such vocal support from within the gaming community) when I could target a larger playerbase AND get access to other games they may own? Especially when I can gain public validation and support for my efforts? How many times have you seen “Blizzard deserved to get hacked” or “People who supported D3 deserved to get hacked” in comments sections throughout the web? There is little benefit to hacking Runic. There has been, and will continue to be, greater potential reward from hacking Blizzard, regardless of how they handle their non-MMO titles in the future.

            Security through obscurity is not a real argument. If T2 had posted numbers anywhere NEAR D3 then you might begin to have a fair comparison and an argument to be made. But even then there are so many other factors involved, namely the fact that the account crosses multiple titles in Blizzard’s library vs the 1 in Runic’s, that you’d be hard pressed to directly tie the always online modes and RMAH to hack attempts on Blizzard. Especially since Blizzard has been a target for several years before either was introduced.

            EDIT: We also have no idea if any attempts to hack T2 have even been made. It’s impossible to say if their system is truly more secure than Blizzard’s or if nobody has even bothered to try to access them. With the information currently available it’s just as easy to say that Runic has garbage security and nobody has bothered to try as it is to say that they have had numerous intrusion attempts and have fantastic security measures in place. I’m sure they are handling things appropriately, but companies don’t go telling the public about every attempt to illegally access their database (people would go crazy if they knew how often it happened). It’s an apples to oranges comparison, despite the fact that the products in question are very similar in nature.

          • D3xter says:

            “There is little benefit to hacking Runic. There has been, and will continue to be, greater potential reward from hacking Blizzard”

            You said it yourself, but the main reason there isn’t any benefit to hacking Runic is because you can cheat all the items you want yourself and have access to a various number of Mods to play with. There is no worth to equipment and the likes. It’s mainly a GAME that people play to have fun and not a low pay sweatshop or bot-infested haven of grey market activity, while with Blizzard games there’s an entire economy of “gold farmers” and “item sellers” and all that going on based on their design decisions.
            http://www.eurogamer.net/articles/gold-trading-exposed-the-sellers-article

            If you want to compare it as a numbers game of popularity, you could compare it with Minecraft for instance, how many Minecraft account hacking-sprees have there been, although there’s 8 Million of them out there (last time I heard)?
            Blizzard are putting people in this position.

          • Brun says:

            How would MMORPGs like WoW work without Always-Online DRM then, O wise one (the equivalent of “always-online DRM” obviously being a part of any MMO)? Or are you suggesting that MMORPGs should simply never be made?

          • Silarn says:

            Actually, there is rampant hacking in Minecraft. Much of it is to play for free on official servers, often with the aim of griefing for lulz. The cost benefit in this case is simply not paying Mojang your $20.

            Minecraft security is near non-existent and people were editing the code, despite obfuscation, almost from the beginning. Mojang has decided to embrace those that have made these to benefit the community while mostly letting the community enforce their own hacking protections.

            http://www.nextgenupdate.com/forums/computer-hacking-programming/478211-minecraft-account-hacking.html

            I’d like to point out I found that link by typing “minecraft account hacking” into google, after realizing I should probably justify my claims.

      • Moraven says:

        I have been locked out of B.Net when I changed locations. Had to reset my password before I could play.

        The missus had her account compromised when she was away from the computer for 3 days. It was reported by friends, it was locked, items were restored (WoW). All of this was done with no action done by her. She was sure her password she had was used in the past at one time. They got it from another friend’s computer and/or email chat is the thought.

        After that we ordered x2 $6 + no shipping auths. Once the smartphone app came out I switched to that.

  7. D3xter says:

    Regarding “frivolous” lawsuits, there was a good HBO documentary that deals with the issue and media manipulation around it you might want to watch, here’s a Trailer: http://www.youtube.com/watch?v=bBKRjxeQnT4
    I didn’t exactly agree with all of the points it is trying to make, but as a whole there are very few actual “frivolous” lawsuits brought up by private persons against corporations for no reason and there’s a lot of propaganda and ass-covering going around, as well as influencing of the judiciary and legislative branches to be able to hand-wave issues away and make things like the arbitration clauses brought into a lot of EULAs legal in the US.

    • reggiep says:

      Lawsuits get thrown out all the time. That documentary seems to be highlighting how certain high profile cases that the media deemed frivolous weren’t actually frivolous. And I would agree. But claiming that frivolous lawsuits are rare is being ignorant to the fact that there are many lawyers out there looking for a big payout, and they’re willing to bring up frivolous lawsuits over and over again until they eventually hit the jackpot.

      This lawsuit against Blizzard is rather silly and could easily be described as frivolous. The cost of the authenticator unit, packaged and shipped could easily meet or exceed $6.50. It’s not likely Blizzard is seeing any profit from them. And the fact that free alternatives exist supports that.

      The lawsuit is made more frivolous in that they try to tack on turning Diablo 3 into an offline game. Ridiculous.

    • Arglebargle says:

      Interesting addendum: A few years ago, the state legislature of Florida was wrestling with the issue of Tort Reform (or more accurately giving the Insurance industry the license to steal). The Florida Senate called a bunch of the insurance execs to testify, and swore them in for that testimony. Under the threat of perjury charges, the execs totally changed their stories about frivolous lawsuits and the growing payouts from them. It was all lies to try to get legal backstop for them screwing everyone. This in Florida, which really does have a lot of sharkey lawyers and has loads of TV ads from them.

      Usually though, in the USA anyway, this tactic works for the insurance lobby.

      • Baines says:

        John Grisham, who routinely makes lawyers the heroes of his novels, had nothing positive to say of class-action lawyers. King of Torts was about a good lawyer seduced and corrupted by the evil of class-action suits, who eventually has to redeem himself for the happy ending. With the novel at times effectively being commentary by Grisham about how the US legal system needs serious tort reform, or the whole legal system could eventually be put in jeopardy.

  8. KilgoreTrout_XL says:

    “Moreover, users might be responsible for securing their machines, but Blizzard should absolutely, unquestionably bear the burden of locking down its products.”

    Like making shittier games so that they don’t attract these kinds of attacks?

    This is crazy. These “victims” probably used the same login/password on dozens of sites (especially Diablo 3 fan sites and their ilk), and their accounts were compromised that way.

    Unless you think they actually infiltrated Blizzard’s servers*. That would be much more difficult, and ultimately silly, when there are plenty of lemmings (or random websites) leaving account information wide open. And if Blizzard did get compromised, wouldn’t people with authenticators have been hacked too?

    And yeah, they’re required for certain parts of the game- the RMAH. First, I think that that’s a legal requirement, or at the very least, an extremely sound legal precaution. They have every right to make it. Second, this is a good idea for everyone, especially because of the RMAH. Third, they cost $5 (FIVE dollars) if you’re one of the 10 people who can run Diablo 3 but don’t have a smartphone. If you have a smartphone, they’re free. I’ve had one for the past 5 years or so. Five Dollars. I think shipping was free for mine back then too.

    That the lawsuit is garbage and they’ll never be permitted to certify the class given recent events is beside the point (there’s really no use in getting upset about the filing of a lawsuit, no matter how silly- a system where there was some subjective eye-roll test before you could make a claim would be worse).

    What is important is that Blizzard has done nothing wrong and has nothing to say sorry for here (well, except for seriously dropping the ball on Diablo 3.) They’re video games, but the plaintiffs are adults. So maybe it’s time for these idiots to grow the fuck up and take a little responsibility for themselves instead of trying to blame one of the better developers in history because they were too stupid to protect their account information.

    I can’t wait until they learn that their banking institution has an authenticator app as well.

    Edit: I should say successfully infiltrated Blizzard’s servers, since no one with an authenticator was compromised and that was 3 months after the game was out.

    • Brun says:

      Blizzard’s servers did get hacked but all the hackers got were hashed passwords and emails as far as I know. (N.B. “hashed passwords” – a choice Blizzard consciously made – already means this attack will do less damage than many other site compromises that have happened over the past few years, in which passwords were stored in plaintext). So authenticator-protected accounts will still be safe, but they recommended that everyone change their passwords anyway.

      • KilgoreTrout_XL says:

        Yeah, I forgot about that. But by then rumors of “hacking” were incredibly widespread and the message on the login screen to get an authenticator had been up for quite some time.

        • Brun says:

          It’s unfortunate that it happened right after Diablo 3’s release, when the gaming press, fueled by DRM-hate, was willing to run with any story that cast Blizzard in a negative light, including all of those rumors about authenticators being circumvented (which turned out to be outright lies).

          • KilgoreTrout_XL says:

            Yeah, D3 was horrible (or funny, depending). I shudder to think about the mundane detail in HL3 that will be nominated as the #1 “Gabe Newell personally insulted us” that will make the internet want to burn down Valve’s offices.

            My guess is that there will be a lot of pink in the color palette of one level which of course is fucking OUTRAGEOUS.

          • D3xter says:

            I’m not exactly sure how they “turned out to be outright lies”, I still remember several articles of gaming writers/journalists over at the Examiner, PCGamer, EuroGamer and other publications that were hacked, some of which specifically stated that they used an Authenticator.

            I also remember a lot of people defending Blizzard back then as they do right now, the end of the hacking accusations came rather abruptly after a Patch to the game, shortly before Blizzard admitted that they had the security breach: http://www.cinemablend.com/games/Diablo-3-Hacked-Account-Claims-Instantly-Stop-What-Happened-43412.html

          • Brun says:

            Many of those journalists admitted to attaching those Authenticators after the fact (or were using only the SMS feature, which is not an actual authenticator), meaning that at the time of the hack, their accounts were unprotected.

          • KilgoreTrout_XL says:

            Hey Dexter:

            “I still remember several articles of gaming writers/journalists over at the Examiner, PCGamer, EuroGamer and other publications that were hacked, some of which specifically stated that they used an Authenticator.”

            This is the lie part.

            Here, you’re just lying about articles you read. Before, people were lying about having an authenticator when they didn’t. And don’t come back with the “SMS Authenticator” bullshit. We’ve been through all that with you kids.

            Glad we cleared that up though.

          • KilgoreTrout_XL says:

            Nice Eurogamer article, Dex:

            “Blizzard offers an Authenticator designed to provide extra security to your account. Donlan did not have the authenticator before the hack”

            You’re not very good at this, are you?

          • D3xter says:

            Ars Technica: http://arstechnica.com/gaming/2012/05/my-brief-life-as-a-diablo-iii-hacking-victim/

            I’m sure there’s more sharing their “Getting Hacked” experiences… obviously they were all too stupid to secure their accounts and it’s absolutely not on Blizzard, some don’t specify how they were hacked, the Examiner article went into detail on how she had an Authenticator attached to her account, the Ars Technica one too although somewhat hazy on details.

            I’m always finding it rather curious (and somewhat fascinating) how people are always accused of lying whenever they even SUGGEST that Blizzard might be at fault for something at some point.

          • KilgoreTrout_XL says:

            “the Examiner article went into detail on how she had an Authenticator attached to her account,”

            You’re fucking pathological, aren’t you?

            And where the fuck are you getting the idea that that bullshit nonsense “article” was about a woman, anyway? Was it because there’s a picture of Ashley Judd at the bottom? I bet it was, Dexter.

            Piss off.

          • D3xter says:

            It was actually because of the “By: Tara Swadley” at the top of the article.

            And her specifically stating:

            “This reporter, after having her own account with authenticator hacked, firmly believes this is a serious security breach on Blizzard’s side, though they either do not want to admit it, or are still unaware of the problem. Many who have had their account on Diablo 3 hacked were logged in at the time of the hack and support staff tells them there was no evidence of their account being hacked. That indicates there is an exploit in the system being taken advantage of. “

            Not sure how that has to do with anything, though. The Blizzard Defense Brigade is always getting sensitive rather quick.

          • KilgoreTrout_XL says:

            Oh, you’re right about that. Ok, I’m going to say something, and it’s going to hurt, but it’s the truth, so, I guess, here goes: Tara Swadley is full of shit.

          • HothMonster says:

            I thought she eventually came out and said she had an SMS auth and didn’t realize there was a difference.

    • spleendamage says:

      My password was hacked within 2 weeks of creating a battle.net account for Diablo 3. No, I didn’t use the same password as anywhere else, but I was also not using an authenticator. I am not sure how it happened, but I have never had any other accounts hacked. Blizzard sent me an email saying it was likely my fault and although they would restore my account, I would use up one of two available times I could request a restore. Fortunately, I was able to get a refund for Diablo 3.

      • KilgoreTrout_XL says:

        Well, if that’s the case, unless you played the shit out of it for those two weeks, what utility was there for someone to select your account out of millions to steal items/gold from?

        If they didn’t have your Login from somewhere else, they would have had to specifically target your account, right? For a pretty lousy return too. It just seems like an incredibly strange thing for them to do.

        • seattlepete says:

          This guy’s story is almost exactly the same as mine. Bought D3, played through the SP in about 2 weeks then stopped playing for 2 weeks. Then I got an email that my account was compromised.

          It’s a long story, but I was never able to get my account back. That means I lost access to SC2 and D3. Basically I never trusted Blizzard to keep my information secure, so I lied to them about my identity when I set-up my BNET account. The name I gave them when I bought SC2 doesn’t match up to the name on my CC.

          All in all I think I got off pretty easy. I learned my lesson without having to cancel my credit cards or set-up a credit check monitor. Whoever controls my account now doesn’t know who I am, which is what made me so nervous about this business in the first place. I’m out the $100 for 2 games, but I knew going into it that I was actually “buying” anything real from them…

          • KilgoreTrout_XL says:

            Uh, that might be considered, technically, not perfectly legal.

            More importantly, if you were able to buy the games with a fake name that you attached (apparently?) to your real credit card number, why are you convinced that other people can’t do the same thing?

        • spleendamage says:

          Yeah, I didn’t play very much. I don’t think I lost very much. I had a couple characters, none more than level 20. It seems unlikely that I would have been a target on purpose. I can’t really speak as to the rationale of the hackers.

  9. faelnor says:

    I’m going to sue Blizzard for using the words “vigorously” and “frivolous”.

  10. orionsmasta says:

    Unfortunately, their lawyer only speaks Italian.

  11. HadToLogin says:

    “No Battle.net for any and all non-MMOs? Really?” – Torchlight 2 exists without BattleNet without problems. Same with some other PC games. And (nearly?) all console games.

    I’m not sure what’s funny in wanting DRM-less games. And yes, I hate this one thing in Steam called “to run offline mode, start steam online” – my net provider had problems because of storm, and I lost Steam for a week. If they would have proper offline mode, I would be able to play my games…

    • Ich Will says:

      We all want DRM free games, but this lawsuit is not the way to get them!

      • HadToLogin says:

        Well, only alternative is stop buying DRM games.

        So, when we’ll start boycotting Steam?

        Ergo, lawsuit that would order developer/publishers to make it an OPTION instead of FORCING this kind of DRM is the only way to get DRM-free games. Because now we want DRM, because as long as this DRM works, we’re happy for all its options. But when it doesn’t that’s when crying starts…

  12. Moraven says:

    I see authenticators as an extra layer to protect the user from himself. Use the password more than once. Easy password to guess. Hacked email. Clicked on phishing mail and got keylogger.

  13. j6m says:

    “…tiny plasticine gate guard…”

    The image of Morph dressed as a bouncer springs to mind.

  14. satoru says:

    It was shown quite conclusively that EVERYONE that was hacked did so BEFORE they put authenticators on their system. The only people hacked with authenticators were WoW people with a sophisticated virus that intercepted the authenticator inputs and sent them directly to the hackers who had 30 seconds to log in.

    Tara had the SMS AUTHENTICATOR option WHICH DID NOT WORK in Diablo3. She mistook the SMS authenticator option for the real two-factor auth that was available.

    ALL instances of supposed ‘hacking’ with the authenticator occurred BEFORE any such authenticator was attached. Everyone that was hacked had reused their password and such.

    The lawsuit is frivolous because the authenticator is OPTIONAL. You do not need it to play the game, or to play online. You need it only for the RMAH. Want better gear, the Gold AH is available. The RMAH is NOT REQUIRED to play the game in any way shape or form. You can play the entire game, play online, buy and sell stuff from the gold auction house, and fully enjoy the game without even touching an authenticator in any way. I have one from my WoW days. But I’ve never even touched the RMAH and I’ve never had need to. Any implication that it’s ‘required’ is simply untrue.

    Note also that Blizzard buys rebranded tokens from Vasco. MANUFACTURING costs might be low, but note that Blizzard doesn’t manufacture the tokens. They buy them from a reseller. At $7 they are selling them at cost. Official RSA tokens can cost upwards of $50 a pop. Non-RSA tokens again cost about $5-$7 depending on the vendor. Again Blizzard does not manufacture tokens, therefore the manufacturing costs being a few pennies is utterly meaningless. This is like saying BestBuy is ripping you off because that DVD player only cost $5 to manufacture but they’re charging you $99. Note that BestBuy isn’t the manufacturer so they don’t see the $5 manufacturing cost in any way. They’re reselling a product.

    This also discounts the fact that the infrastructure to maintain a two factor authentication is expensive. The token isn’t even the real licensing cost, it’s the ACCESS. Even if you go pure soft-tokens, the licensing alone is close to $25-100 per license. The idea they are ‘making money off the tokens’ is pure stupidity on a grand scale.

    • FCA says:

      Some rage here….

      1. So the SMS authenticator doesn’t work for Diablo 3. That’s actually quite confusing, don’t you think?
      2. Why does it seem that apparently Blizzard is a juicier target for hackers than not just other gaming companies, but also every bank? My bank in Europe had a (free) authenticator, but when I moved across the ocean, my new bank didn’t. I didn’t hear rampant tales of hacking, even though my bank has more customers (and loads more money) than Blizzard.
      3. The authenticator actually costs around 12-14 dollars in Europe, depending on where you live. Taxes are higher there, but not so high. If 6 dollars covers the cost, that’s quite a profit margin. The free mobile authenticator is only free if you have a smartphone, and you need a credit card to pay for it, which not everybody has (certainly not in Europe).

      Also, it can take up to 3 weeks to get the authenticator once you’ve ordered it. That’s a long window of opportunity.

      • Brun says:

        1. So the SMS authenticator doesn’t work for Diablo 3. That’s actually quite confusing, don’t you think?

        The SMS alerts (don’t want to call it an “authenticator”) were a confusing product in general. I’m fairly certain that it did not actually function as an authenticator for two-factor authentication a la Google SMS Protection (i.e., it was not a substitute for a dongle or a smartphone app). I believe that it simply sent you text messages when changes were made to your account so that, were it compromised, you would know about it immediately. So it wasn’t really that it didn’t work for D3, it simply didn’t perform the authentication function that those people expected.

        That said, it was indeed a confusing feature in general, which is why Blizzard has since decided to discontinue its use.

        2. Why does it seem that apparently Blizzard is a juicier target for hackers than not just other gaming companies, but also every bank? My bank in Europe had a (free) authenticator, but when I moved across the ocean, my new bank didn’t. I didn’t hear rampant tales of hacking, even though my bank has more customers (and loads more money) than Blizzard.

        This is actually a pretty interesting question if you can get over the rather laughable insinuation that this is somehow Blizzard’s own fault. I think it boils down to a couple of factors. Penalties for bank account theft are likely to be more tangible and/or severe than stealing virtual items – laws exist that cover theft of dollars (even electronically), virtual gold is not protected by any law.

        On a similar note, what would a hacker do once he gained control of a bank account? Transfer the money to his account? The bank would have a paper trail leading them directly to the hacker. Writing bogus checks might work but even then they would have to forge your signature and jump through a bunch of other hoops.

        It boils down to Blizzard being the biggest game in town. The hackers work other games as well (they were targeting GW2 accounts within a day or two of release), but the volume of hacks will correspond to the popularity of the game. WoW and Diablo 3 have more people willing to spend real money for in-game advantages than anywhere else, so that is where the hackers focus their efforts.

        3. The authenticator actually costs around 12-14 dollars in Europe, depending on where you live. Taxes are higher there, but not so high. If 6 dollars covers the cost, that’s quite a profit margin. The free mobile authenticator is only free if you have a smartphone, and you need a credit card to pay for it, which not everybody has (certainly not in Europe).

        I’m unsure about this item, as I’m not familiar with European tax policy. It’s possible that Blizzard makes you pay international shipping.

        I’m also not sure if, when you say “you need a credit card to pay for it”, you’re referring to a smartphone or to the app. You don’t need a credit card for either, as the app is free and you can buy smartphones (and pay your bills) with checks or debit cards (unless, again, telecom providers in Europe are weird and only let you pay via credit card).

        • darkChozo says:

          A second note on 2: Battle.net accounts are also likely to be significantly easier to attack using social engineering techniques than bank accounts are. People are more likely to be careful with their online bank credentials, partially because they know that there’s real money on the line and partially because there’s been a concerted effort in recent years to train people to detect phishing attempts. Not to mention, the idea that banks don’t receive a lot of “hacking” attempts is a bit spurious; identity theft is a problem for a reason.

          People are more likely to use throwaway passwords for their gaming accounts, I have to imagine, and they’re less likely to scrutinize any emails they get from Blizzard support. That means more accounts hacked for reasons entirely out of Blizzard’s control. Not to mention there’s almost certainly some selection bias in hearing about Battle.net accounts vs. bank accounts being hacked, because you hear about the former a whole lot more on gaming sites than the latter.

  15. Dances to Podcasts says:

    The best conspiracy theory I’ve heard about this is that the lawsuit is brought or sponsored by the hackers/gold sellers as an attempt to discredit or remove authenticators. :)

  16. malkav11 says:

    I’m not sure the lawsuit’s particular argument has any merit, but Blizzard has been very dismissive of hacking issues that persist around their games and any suggestion that there might be a problem at their end. I like to think that I am reasonably security conscious. I run firewalls both software and hardware, don’t download from dodgy websites, run an antivirus and use strong passwords. I have only ever had one account hacked: my WoW account. Said hacking happened a year after I had last touched the game or anything related to it, and 3 months before I noticed that anything had happened. It is extremely difficult to believe that they got access to my account through me, especially since it would almost have had to involve waiting a full year to do anything with the information. Blizzard never even attempted to verify any of this. And I don’t think that’s okay at all.

    Also, authenticators are optional in the sense that you can certainly not buy one if you really enjoy gambling with what can be a multi-hundred dollar financial investment, to say nothing of time. Battle.net accounts are hacked on a daily basis, by the dozens or hundreds. If it hasn’t happened to you yet, congratulations, but every day you spend without an authenticator is another roll of the dice.

  17. voorsk says:

    “The suit’s claim that we didn’t properly notify players regarding the August 2012 security breach is not true.”

    If it’s not true, how come this is the first I’ve heard of it? They never sent me an email about it, and I’ve been ignoring Blizzard related news stories due to not giving a monkey’s about Pandaria or Diablo. :s

    *goes off to change password and login question*

  18. PopeJamal says:

    Jesus Christ. Now that we’ve been all around the world and back with name calling and personal insults, let me emphasize something that people keep missing:

    This case is about MONEY. Blizzard is “sort of” acting like a bank.

    They want to let people convert “internet stuffs” into real money. Money that you can cash out. Like play for 5 hours, luck out on the auction house, then drive over to the store and buy an Xbox with your winnings. And they want to be able to charge you for the privilege. Sort of a virtual “Currency Exchange”.

    THAT puts Blizzard in new territory. THAT makes them more accountable for security. THAT is why this lawsuit isn’t frivolous.

    “RMAH” stands for “Real Money Auction House”, and “Real Money” is never frivolous. At least here in the US. Things get serious quickly when real money is involved.

    • Brun says:

      THAT makes them more accountable for security.

      Their security measures are at least on par if not superior to those of many major US banks.

    • Silarn says:

      No, I’m afraid that’s what you want the lawsuit to be about, but it’s really only an ancillary topic to the real thing. The real thing is claiming damages based on the idea that Blizzard forces people to get an authenticator to securely use their services without telling them beforehand, and that they sell these authenticators for a large profit. If those two claims don’t hold up, there is no way this will pass in court. It will be substantially weaker if Blizzard can show they use adequate security to protect their internal database – a breach of which has happened once and that they quickly responded to and took actions to correct.

      The fact that Blizzard has started to handle currency exchange (beyond product purchases) barely comes up in the lawsuit beyond side references which are not under attack.

      It also comes down to a certain abdication of personal responsibility. Yes, authenticators make you more secure, but they are not the only method to use to protect your passwords and they aren’t foolproof either. They simply make it far harder for those who have obtained your passwords to get into your account. It has to be proven that Blizzard doesn’t protect your password information rather than the user being culpable. Proving it’s Blizzard’s fault that passwords are taken is really the only way you can make the case that they ‘force’ people to buy authenticators.