Two factor security solves everything (“well done, Blizzard!”)

Or so this blog on security says.

“Some experts claim that two-factor authentication won’t work. They are wrong, of course.”

The expert linked to is Bruce Schneier, and the main attack he points out that isn’t affected by TFS is … a fake website asking for your credentials.

Funny. That was one of the main ways of stealing people’s MMO player accounts when I first got into MMO dev around ten years ago. And it’s still one of the main ways now (although there are plenty of other good ones, as noted in the linked post). It’s just … so easy!

Which would suggest that yes, actually, Bruce is right: TFS is going to do little to combat the *actual problems* being faced here.

Personally, I’ve always been on the side of “security is pretty simple, really”: prevention is impossible, anything that claims to provide great prevention is snake oil, and the reason security in practice is hard is that you have to find ways to deal with detection and response, and *that’s* where all the interesting stuff is.

On the other hand, I’ve now heard a couple of people suggest that the one-time-passwords thing from Blizzard isn’t about the passwords anyway: it’s about reducing credit-card chargebacks by shipping goods to the actual address first. In a way, it’s a basic form of TFS on the act of issuing a CC charge: you have to know the CC details and be able to intercept snail mail, and until you succeed at both, the company doesn’t need to issue the CC charge.

Again … prevention? Nah, I can still intercept post, even on a large scale. But … detecting that interception is going to be somewhat easier, and responding to it (getting people fired from FedEx, or whichever company has been infiltrated and/or has a dodgy employee) is probably a lot easier than dealing with an unknown anonymous person from “somewhere” on the planet who bought 10,000 CCs on the black market.

So, props to Blizzard. But not for making “a better form of password”. And a thumbs-down to Errata Security: sorry, but I’m not convinced by your analysis. I see what you’re saying, but I suspect you’re barking up the wrong tree. And I’m afraid I’m always suspicious of people who defend any preventative measure too closely – security doesn’t seem to work like that, sadly.

5 replies on “Two factor security solves everything (“well done, Blizzard!”)”

I actually believe the TFS device will reduce account hacking from the use of ubiquitous username/password pairs. I would presume that most players use the same login info for dozens of websites as they do for their WoW account. I agree that it doesn’t make you completely secure, but isn’t security all about making it harder for a thief to target you so they go for an easier target?

The problem is that, IME, the very device they’re using tends to have clock drift and becomes unusable after a few months (it involved logins to a remote bug tracking service via a VPN and 2-factor authentication).

There are ones which don’t suffer from that, but they are several times the price.

Yeah, I wondered at that – I’ve only ever used high-end ones provided by a corporate willing to pay whatever it took (and I was surprised and impressed at how much they claimed it was costing them) – but I’d heard stories of people having problems with cheap clock components. I assumed that good quality components had now come down in price to the point where you could get good quality for this low a price.

So, in the light of your experience … am I too cynical, or does this add extra weight to the “not about securing accounts, but about preventing chargebacks” argument? :)

Well, they might have fixed the clock drift issue (or just allow far more tolerance for drift).

I think it’ll “work”, for some factor of “work”. Certainly it’ll stop nasty trojans from pinching your login, but it won’t fix people who follow links from emails and login to fake pages.

For the price they’re charging, I wouldn’t be that cynical. (Although you do have to remember the minor additional CS load from people losing/breaking them).
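The clock-drift point raised in the replies above (a token becoming unusable after a few months, and the server “allowing far more tolerance for drift”) is worth seeing concretely. The following is an added example, not code from the original post and not Blizzard’s own implementation; the post does not say which algorithm Blizzard’s device uses, so it assumes an RFC 6238-style time-based one-time password (HMAC-SHA1, 30-second step, 6 digits) and hypothetical names (`DeviceRecord`, `verify`, `resync`, `token_code`). It shows how a server copes with a slow or fast token: a small acceptance window around a learned per-device offset, a replay check so an accepted code cannot be reused, and a wide-window re-sync that demands two consecutive codes so that widening the window does not hand an attacker a larger guessing target.

```python
"""Added example: drift-tolerant TOTP verification with per-device re-sync.

Assumes RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits).  DeviceRecord,
verify, resync and token_code are hypothetical names for illustration.
"""
import hashlib
import hmac
import struct

STEP = 30      # seconds per time step
DIGITS = 6     # code length


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP over the current time step."""
    return hotp(secret, now // step)


def token_code(secret: bytes, true_now: int, drift_seconds: int) -> str:
    """What a hardware token whose clock is off by drift_seconds would display."""
    return totp(secret, true_now + drift_seconds)


class DeviceRecord:
    """Server-side state for one enrolled token (hypothetical structure)."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.drift_steps = 0     # learned offset of the token's clock, in steps
        self.last_counter = -1   # highest counter accepted so far; blocks replay


def verify(device: DeviceRecord, code: str, now: int, window: int = 1) -> bool:
    """Accept `code` if it matches a step within +/- `window` of the current step,
    shifted by the token's learned drift.  On success the drift is re-learned and
    the counter is burned so the same code cannot be replayed.

    Each extra step in the window is one more valid code per attempt (2*window+1
    out of 10**DIGITS), so keep the window small and rate-limit attempts.
    """
    base = now // STEP + device.drift_steps
    for delta in range(-window, window + 1):
        counter = base + delta
        if counter <= device.last_counter:       # already used, or before enrolment
            continue
        if hmac.compare_digest(hotp(device.secret, counter), code):
            device.drift_steps += delta          # track the token's drift over time
            device.last_counter = counter
            return True
    return False


def resync(device: DeviceRecord, code1: str, code2: str, now: int,
           window: int = 20) -> bool:
    """Wide-window re-sync for a token that has drifted past the normal window.
    Requires two consecutive codes, so widening the window does not multiply an
    attacker's odds the way a single-code wide window would."""
    base = now // STEP + device.drift_steps
    for delta in range(-window, window + 1):
        counter = base + delta
        if counter <= device.last_counter:
            continue
        if (hmac.compare_digest(hotp(device.secret, counter), code1)
                and hmac.compare_digest(hotp(device.secret, counter + 1), code2)):
            device.drift_steps += delta
            device.last_counter = counter + 1
            return True
    return False


if __name__ == "__main__":
    secret = b"12345678901234567890"          # RFC 4226/6238 test key
    dev = DeviceRecord(secret)
    # Token running 35 s fast: one step ahead, inside the normal window.
    print(verify(dev, token_code(secret, 90, 35), 90), dev.drift_steps)
    # Token 150 s fast: outside the window, needs a two-code re-sync.
    dev2 = DeviceRecord(secret)
    print(verify(dev2, token_code(secret, 0, 150), 0))
    print(resync(dev2, token_code(secret, 0, 150), token_code(secret, 30, 150), 0),
          dev2.drift_steps)
```

The design choice worth noting is that the learned `drift_steps` lets the normal window stay at one step even for a token that has been drifting for months, because the server follows the token rather than the wall clock; the expensive wide search only happens at re-sync time, and only with two codes in hand.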

Actually, as has been pointed out to me, this is awesome for people who use shared or internet cafe PCs to play WoW on.
