Interesting how the MasterCard promotional picture suggests that TouchID on iOS is required to withdraw cash when a weaker factor seems sufficient (an SMS to a trusted number?). Removing/weakening 'something that you have' from ATM authentication only makes remote attacks easier.
This reinforces my opinion that we're way overdue for teaching the general public enough knowledge about safe computing to be able to spot and avoid these and other kinds of fraud. It's a really important life skill that should probably be addressed in school as it's easily costing the global economy billions and billions.
When I was working Customer Service for Blizzard Europe, I anecdotally figure that by around 2010, about half of CS cases were in regards to customers having been victims of their account being compromised and cleaned out by gold sellers.
In all cases it was the "fault" of the customer. While Blizzard did have a credential DB compromise at some point (which they disclosed), the passwords were hashed such that it was practically impossible that any passwords were determined before they did a force password reset on the affected accounts.
Customer accounts were most commonly compromised due to one of the following reasons: fell for phishing scams (probably most common); had credentials shared with an unrelated but compromised web site; had some sort of credential stealing trojan on their computer; shared credentials with a friend/relative who fell for any of the earlier mentioned causes.
Back in 2010, Blizzard easily spent EUR 1M monthly (in Europe alone) on Customer Service and if half of that was dealing with compromised accounts (for a non-financial institution), we can only imagine how much money gets lost globally due to what is essentially a poor public education problem in regards to safe computing.
Blizzard has offered 2FA since before 2010, but most people wouldn't consider it unless they or someone they know had been compromised, it's pretty much the same as people only seeing the value of using things like seat belts/car seats/condoms after they personally witness an incident. I think the average person has this attitude that bad things only happen to _other_ people, until it happens to them personally.
There was also often enough this attitude of "I don't understand why they decided to hack _me_" which also shows general misunderstanding of the very non-personal nature of this "industry" in that bad actors are merely throwing out the biggest nets they can, hoping to catch as much as possible. It's like a fish naively wondering why a commercial fishing boat decided to catch them in particular.
I acknowledge that saying this is the "fault" of the customer seems unfair, but I left school close to 20 years ago and I have never fallen for a phishing scam or managed to land up with malware on my computer. While the fault does ultimately lie with the bad actors, the fact is that while material things (such as money, or food) are important, there will always be bad actors. So as a society we need to strive to keep their success rate as low as possible to prevent their "industries" from flourishing at the expense of the rest of society.
Blizzard's Battle.net is an interesting example [had to edit my post a few times with additional thoughts]. They use 8 digital characters instead of 6, and they're using an implementation by the company Vasco. Contrast that to Steam who only use 5 characters, but these being letters instead.
If you enable 2FA on Battle.net you get a unique companion pet in WoW (usable in a pokemon-esque metagame). Collectors are after these.
Blizzard also didn't do enough about gold buyers until they added the WoW token (legalised buying/selling gold with Blizzard as trusted third party) and added a way to easily create gold (garrisons, crafting, both for the masses).
The issue with SMS is that it is very cheap to catch these, if you have physical (vicinity) access. A Stingray device gets cheaper every year.
Once Blizzard invests more in mobile gaming (beyond Hearthstone, such as Diablo Immortal) the 2FA and the game will be once again more often (but not always) on the same device. FIDO2 using NFC/USB would solve the issue though.
> I have never fallen for a phishing scam or managed to land up with malware on my computer
> Blizzard's Battle.net is an interesting example [had to edit my post a few times with additional thoughts]. They use 8 digital characters instead of 6, and they're using an implementation by the company Vasco. Contrast that to Steam who only use 5 characters, but these being letters instead.
> If you enable 2FA on Battle.net you get a unique companion pet in WoW (usable in a pokemon-esque metagame). Collectors are after these.
I'm not exactly sure what point(s) you're trying to make here, I assume it's about incentive to use authenticators and/or strength of the security they provide.
In terms of incentive to use them, over time Blizzard found good ways to incentivize, such as WoW pets and giving guild leaders the ability to limit access to their bank to those members with authenticators. Since I left, smartphones became more ubiquitous, allowing more people to freely get a "virtual" authenticator app, and it also eventually offered a push-and-approve method which improves convenience too. I don't know how much the latter helped as it happened after I left, but the WoW pet and guild bank features did not noticeably reduce the number of incidents because the gold sellers merely stuck to accounts which weren't secured with an authenticator.
In regards to the strength of security offered by the authenticator, I feel the only thing that matters is that the scheme isn't able to be worked around by the gold sellers through some algorithmic weakness or leaked private key. The codes are only valid for a couple of minutes at most, and a million combinations to try is far more than needed if you restrict logon attempts per account to no more than 1 per second. The other thing to keep in mind is that they aren't protecting state or even corporate level assets, the gold sellers were low income earners from overseas operating in a competitive market with low profit margins.
Did you know Battle.net account passwords also aren't (or at least weren't) case-sensitive? My feeling is that Blizzard weighed the value of the added security vs the increased support incidents and opted to have to deal with less support. Before anyone tries to claim it's a reckless cost saving measure, consider that all account compromises by gold sellers happen through phishing or malware, meaning that password complexity makes 0% difference.
> Blizzard also didn't do enough about gold buyers until they added the WoW token (legalised buying/selling gold with Blizzard as trusted third party) and added a way to easily create gold (garrisons, crafting, both for the masses).
Yes, providing a legitimate gold buying option was probably the right call, especially as it helped a lot with EVE Online. It was probably done with great trepidation though as Blizzard has always cared deeply about the gameplay experience, and being able to buy gold for money had the potential to diminish the gameplay experience for many players. I suspect the only reason they did it is because the gameplay experience would be worse now if they didn't.
I don't think garrisons helped at all, because having more gold available leads to higher inflation on the player-driven auction house market, which leads to needing more gold to buy the same stuff. I had to save for a mount in Vanilla WoW and that was hard; once daily quests arrived in the first expansion though, making gold became easy enough. Gold is also a very minor part of the game, all the significant progression is not helped by gold. Buying gold and gathering bots were probably the two biggest contributors to inflation on the auction house. Gathering bots would cause mats such as leather, ore and herbs to be sold for far lower prices by botters than by players who invested real time into doing it themselves. And on the other side, gold buyers would pay insane prices for items because they didn't appreciate the time value of gold to legitimate players.
> The issue with SMS is that it is very cheap to catch these, if you have physical (vicinity) access. A Stingray device gets cheaper every year.
While I agree that SMS is not a good 2FA scheme and it really should go as soon as possible, the truth of the matter here is that SMS vs secure mobile application would not have made any difference for these cardless transactions as the weakness was that the account holders fell for phishing scams. People have more chance at this time of dying in a commercial plane crash than being a victim of a non-law enforcement official using a stingray. If they become more common, then banks should absolutely move to more secure communication channels, such as encrypted channels on mobile apps, or otherwise accept they will suffer lots of fraud costs.
> Once Blizzard invests more in mobile gaming (beyond Hearthstone, such as Diablo Immortal) the 2FA and the game will be once again more often (but not always) on the same device. FIDO2 using NFC/USB would solve the issue though.
A valid concern on platforms like Android, but it's not dependent on there being games for the same platform; it's a general problem that malware is increasing on mobile devices and could be used to steal private authenticator keys on the same device. Interestingly, people who proclaim that Apple's walled garden approach on iOS is an anti-feature are failing to acknowledge that for this kind of application, it's absolutely a great feature.
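The claim a few paragraphs up, that a one-in-a-million code is plenty as long as the server only accepts about one logon attempt per second per account, is easy to check with numbers and with a small server-side verifier. The code below is an added illustration written for this thread; it is not Blizzard's, Vasco's or Steam's implementation. It implements HOTP (RFC 4226) and TOTP (RFC 6238) as the standard authenticator algorithms, a per-account throttle of one attempt per second with a one-step clock-skew allowance (an assumed design), and a function giving the probability that an online guesser, limited to a given attempt rate, hits a code during its validity window. The RFC test key is used so the outputs can be compared with the published vectors.

```python
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(key: bytes, now: float, digits: int = 6, period: int = 30) -> str:
    """TOTP per RFC 6238: HOTP over the current time step (default 30 seconds)."""
    return hotp(key, int(now // period), digits)


def guess_probability(digits: int, validity_seconds: float, attempts_per_second: float) -> float:
    """Chance that an online guesser held to attempts_per_second hits one code that stays
    valid for validity_seconds. Each attempt is an independent draw out of 10^digits."""
    attempts = validity_seconds * attempts_per_second
    return 1.0 - (1.0 - 10.0 ** -digits) ** attempts


class OtpVerifier:
    """Server-side verifier (assumed design, not any vendor's): per-account floor of
    min_interval seconds between attempts, and acceptance of the previous/next time
    step to tolerate small clock skew on the authenticator."""

    def __init__(self, key: bytes, digits: int = 6, period: int = 30, min_interval: float = 1.0):
        self.key = key
        self.digits = digits
        self.period = period
        self.min_interval = min_interval
        self._last_attempt = {}  # account name -> timestamp of its last counted attempt

    def verify(self, account: str, code: str, now: float) -> str:
        """Returns 'throttled', 'ok' or 'bad'. A throttled attempt is not evaluated at all,
        so it cannot be used to test a guess."""
        last = self._last_attempt.get(account)
        if last is not None and now - last < self.min_interval:
            return "throttled"
        self._last_attempt[account] = now
        step = int(now // self.period)
        for counter in (step - 1, step, step + 1):
            # Constant-time comparison so the string check itself leaks nothing.
            if hmac.compare_digest(hotp(self.key, counter, self.digits), code):
                return "ok"
        return "bad"


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 shared test key (ASCII "12345678901234567890").
    key = b"12345678901234567890"
    print("HOTP counter 0:", hotp(key, 0))        # RFC vector: 755224
    print("TOTP at t=59:  ", totp(key, 59))       # RFC vector (6 digits): 287082
    # Six-digit code, ~2 minutes of validity, one attempt per second per account.
    print("throttled guesser:", guess_probability(6, 120, 1.0))
    # Same code with no per-account throttle, 1000 attempts per second.
    print("unthrottled guesser:", guess_probability(6, 120, 1000.0))
    v = OtpVerifier(key)
    print(v.verify("alice", totp(key, 59), 59.0), v.verify("alice", "000000", 59.5))
```

With the throttle, a 6-digit code that lives for about two minutes gives an online guesser roughly a 0.012% chance per attempt window; without the throttle, at a thousand attempts per second, the same code falls about one time in nine. That is the arithmetic behind the comment's point that the per-account rate limit, not the code length, is what makes the scheme hold, and why 8 versus 6 digits matters far less than whether the server enforces the limit.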
> > I have never fallen for a phishing scam or managed to land up with malware on my computer
> How do you know this for sure?
Really? You may as well be asking a qualified doctor if they know for sure that they don't have an STD.
In regards to phishing scams, I know for absolutely sure because I know how to review TLS certificates and hostnames in URLs that I enter my credentials into. Meaning the service itself would have had to suffer some sort of hijack of their domain and cert for me to be handing them my credentials through a web page. I am also cynical about giving information to, say, people who call me, and I instead call them back using a number that I know to be theirs.
In regards to malware, I keep my software up to date, I don't engage in bad practices like downloading and running random crap, I don't trust AV to be adequate (another problem is that too many people think AV can protect them against even the most reckless practices) and I am tech savvy enough to be able to review suspicious processes on computers, of which I had seen plenty back in the day when I was an IT techie. I suppose it's possible that I have a rootkit and not know about it, but it's about as likely as a virgin getting an STD. About the only thing I need to realistically worry about is a trusted publisher getting compromised and malware coming along with their download.
If in the future I find that I would likely be worth being a target of a spear phishing or social engineering attack, then there are some more measures I could apply, at the cost of convenience.
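The hostname review the commenter describes is something a login page, password manager or browser extension can do mechanically, and the failure modes are the usual lookalike tricks. The following is an added example for this thread, not code from the commenter or from any of the services mentioned: it takes a constructed allow-list of legitimate login domains and accepts a URL only when it is HTTPS, its hostname is plain ASCII, and that hostname is exactly an allowed domain or a subdomain of one. Anything else (the allowed name used as a prefix of a different domain, userinfo before an `@`, a non-ASCII homoglyph host, or plain HTTP) is rejected with a reason so the result can be logged.

```python
import re
from urllib.parse import urlsplit

# Constructed allow-list for the example; a real deployment would load its own.
TRUSTED_LOGIN_DOMAINS = {"battle.net", "blizzard.com"}

# Hostname labels: ASCII letters, digits and hyphens only. Anything outside this
# (Cyrillic/Greek lookalikes, punycode we did not put on the list) is treated as suspect.
_ASCII_HOST = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*$")


def check_login_url(url: str, trusted=TRUSTED_LOGIN_DOMAINS):
    """Return (ok, reason). ok is True only for an https URL whose hostname is an
    allowed domain or a subdomain of one. reason explains every rejection."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False, "not https"
    if "@" in parts.netloc:
        # "https://battle.net@evil.test/" -- the part before '@' is userinfo, not the host.
        return False, "userinfo in authority"
    host = parts.hostname
    if not host:
        return False, "no hostname"
    host = host.lower().rstrip(".")
    if not _ASCII_HOST.match(host):
        return False, "non-ascii or malformed hostname"
    if host.startswith("xn--") or ".xn--" in host:
        return False, "punycode label not on allow-list"
    for domain in trusted:
        if host == domain or host.endswith("." + domain):
            return True, "allowed domain " + domain
    return False, "hostname not on allow-list"


def is_trusted_login_url(url: str, trusted=TRUSTED_LOGIN_DOMAINS) -> bool:
    return check_login_url(url, trusted)[0]


if __name__ == "__main__":
    # Constructed sample URLs covering the common lookalike patterns.
    samples = [
        "https://eu.battle.net/login",            # legitimate subdomain
        "http://eu.battle.net/login",             # right host, no TLS
        "https://battle.net.account-verify.test/",  # allowed name used as a prefix
        "https://battle.net@account-verify.test/",  # userinfo trick
        "https://b\u0430ttle.net/",               # Cyrillic 'a' homoglyph
        "https://BLIZZARD.COM/account",           # case should not matter
    ]
    for url in samples:
        ok, reason = check_login_url(url)
        print(("ACCEPT" if ok else "REJECT").ljust(7), reason.ljust(36), url)
```

The allow-list comparison must be on whole labels (`host == domain` or `host.endswith("." + domain)`), never a substring test: a substring match is exactly what the `battle.net.account-verify.test` pattern exploits. Rejecting non-ASCII and unlisted punycode hosts is deliberately strict; a service with internationalised domains would add their punycode forms to the list rather than relax the check.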
One day the public will better appreciate physical isolation of separate concerns. Until then, expect more of this kind of thing with your single devices used for everything.