Solution to end keylogging/hijacks

I would like to put forth a suggestion to add one step to the sign-in process that would prevent any accounts from being damaged by key-loggers / hijackers ever again. This solution will be simple from the end user's perspective, but may not be on the server side. Though I am not privy to the setup on the server side, I am sure Blizzard employees can address any issue there to implement the solution.

 

Solution Summary:

 

Upon successfully entering their correct User Name and Password, an additional screen is presented to the player. This screen will present the player with one of his/her own characters (selected by the server) and have him/her click the character’s server & name from two separate lists, lists that also contain incorrect selections. Three (3) incorrect submissions will cause the account to be auto-locked, the password changed, and an automated email sent to the player’s contact email on file, containing a notice of the incorrect log in and instructions to retrieve the new password.

 

In Depth Description:

(Lacking any artistic talent/skill whatsoever, I will do my best to concisely describe it.)

 

The new screen will appear after login and have 3 [three] sections:

 

The left section will have one of the player’s characters, as seen on the current character selection screen. This section will have a title bar that reads “CHARACTER”.

 

The center section will have a title bar that reads “SERVER”. In this section there will be 5 or 10 items set up with either check boxes next to them, or as “click to highlight”.

 

The right section will have a title bar that reads “NAME”. This section will also have 5 or 10 items set up the same way as the center section.

 

In both lists there will be 4 or 9 actual server names or character names and one selection that reads “Not on this list.” The position of the “Not on this list” selection should be at random, not fixed.

 

The server should select a character at random from the account, limiting itself to the highest level or most played characters. It would be advisable for the coding to ignore any characters under level 10 unless there are no characters over that level, to take into account Bank Alts with many hours logged in game.

 

Example:

* I log into the game with my User Name and Password.

* I am then presented with the new screen which has my Warlock (100 days played or so)

* The center section appears as below:

Trollbane

Onyxia

Bleeding Hollow

Frostwolf

Norgannon

Not On This List

Thunderlord

The Venture Co

Bonechewer

Scilla

 

Let’s say my server is Bonechewer. It is listed there, so I would select “Bonechewer”.

 

* The right section appears as below:

Reguntar

Mila

Not On This List

Ramrock

Pie

Shell

Baka

Sereen

xLegolasx

Toothpaste

 

As my character name is NOT listed, I would select Not On This List.

 

* Click the Submit button.

* The server checks my answers against known information – sees they are correct.

* The character selection screen then appears and I can play the game.
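
The server-side flow described above, as an added example that is not part of the original post or Blizzard's code: it picks the character, builds both lists with “Not On This List” at a random position, checks the answer, and locks after three wrong submissions. The field names, the fixed per-account decoy pools, the top-three cutoff, and the characters Examplelock and Bankalt are assumptions.

```python
import secrets

NOT_LISTED = "Not On This List"
MAX_FAILURES = 3  # the post's limit before the account is locked

def pick_character(characters, rng):
    """Pick among the most-played characters, skipping those under level 10 if possible."""
    eligible = [c for c in characters if c["level"] >= 10] or list(characters)
    top = sorted(eligible, key=lambda c: c["played_hours"], reverse=True)[:3]  # assumed cutoff
    return rng.choice(top)

def build_list(real, pool, size, rng):
    """Return (options, correct_answer) with NOT_LISTED at a random position."""
    # Assumption: `pool` is fixed per account and contains the real value, so over
    # repeated challenges the real value is shown as often as any decoy.
    options = rng.sample(pool, size - 1)
    answer = real if real in options else NOT_LISTED
    options.insert(rng.randrange(size), NOT_LISTED)
    return options, answer

def new_challenge(account, size=5, rng=None):
    """Return what the client is shown and the answer key, which stays on the server."""
    rng = rng or secrets.SystemRandom()
    char = pick_character(account["characters"], rng)
    servers, want_server = build_list(char["server"], account["server_pool"], size, rng)
    names, want_name = build_list(char["name"], account["name_pool"], size, rng)
    return {"servers": servers, "names": names}, (want_server, want_name)

def submit(account, expected, server_choice, name_choice):
    """Check one submission; the third wrong one locks the account."""
    if account.get("locked"):
        return "locked"
    if (server_choice, name_choice) == expected:
        account["failures"] = 0
        return "ok"
    account["failures"] = account.get("failures", 0) + 1
    if account["failures"] >= MAX_FAILURES:
        account["locked"] = True  # the post also resets the password and e-mails the owner
        return "locked"
    return "retry"

# Constructed sample account: realm/decoy names come from the post, the characters are made up.
ACCOUNT = {
    "characters": [
        {"name": "Examplelock", "server": "Bonechewer", "level": 80, "played_hours": 2400},
        {"name": "Bankalt", "server": "Bonechewer", "level": 5, "played_hours": 3000},
    ],
    "server_pool": ["Trollbane", "Onyxia", "Frostwolf", "Norgannon", "Thunderlord", "Bonechewer"],
    "name_pool": ["Reguntar", "Mila", "Ramrock", "Pie", "Shell", "Baka", "Examplelock"],
}
```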

 

Some Q & A that I think is needed:

 

Q. What would be the benefit of this to Blizzard?

 

A. An immediate drop in tickets due to hacked accounts/characters and a drop in workload on the GMs/Customer Service for item/gold/etc. replacement. Happier and more secure players. It will also help to enforce EULA standards against sharing/trading/selling accounts.

 

 

Q. Why have a “Not On This List” option?

 

A. It is important that both lists have the chance to never list the actual name/server of the character being shown, or a hijacker could just sign on, log the information, close the program, and repeat until the name/server were revealed, as they were on the list every time they checked. Allowing the real name/server to NOT be shown prevents this completely.

 

 

Q. Would there be any confusion about which character appears?

 

A. Due to the nature of MMOs, it is very unlikely that a player would not know his/her own characters by sight, their name, and the server they are on. If the coding is designed to go with highest play time and present the character without appearance-changing effects active, players should be able to click through in seconds.

 

 

Q. Would this replace the need for a Blizzard Authenticator?

 

A. No. The best security a player could have is the Blizzard Authenticator. But as the B. Auth. is currently only available in the US region this solution will provide a way to stop hijacks in ALL regions, and is free to the end users.

 

 

Q. If someone has a Blizzard Authenticator would they have to go through this process?

 

A. Not if they did not want to have it active. It would be best if this security step was able to be shut off only on accounts that have been upgraded to use a Blizzard Authenticator. It could be turned off by default when the account is upgraded, and left as an option in the Account Management section.

 

 

Q. Why have a random position for the “Not On This List” option?

 

A. To prevent logger programs from tracking which times the fixed “not on this list” option is clicked, and which times it is not. It is more of just a preventive step that may never be needed depending on how the coding is set up – but better to have and not need, than need and not have.

 
