Coin Lock, an end to MMOG account hacking?

Filed Under: Data loss, Malware, Privacy, SophosLabs

World of Warcraft logoThere's a huge market in MMOGs (Massive Multiplayer Online Games) for virtual currency that is sold for real world currency, despite it being a violation of a games rules. An example of such a game is World of Warcraft, a world with nearly 12 million players spending countless hours building their characters just the way they want them.

Unfortunately, some players opt not to spend the hours to build their characters. Instead they choose to pay someone to level their characters, or simply buy their items from virtual currency vendors, which is what has created this need for a black market.

Initially this market was filled with currency earned through "legitimate" means, that is, they hired people to play the game and earn the virtual currency themselves with the intent of selling it for real world currency.

As time went on people realized that they could save a lot of time and money by simply hacking actual player accounts, steal all the virtual money and then sell it for a profit without the hassle of having to earn it in game.

The methods used to hack an account vary from widely. They employ email scams, phishing links on game forums and emails, malware designed specifically for these games to log your keystrokes as you enter your username and password, brute force attacks, and who knows what else.

World of Warcraft security tokenGame companies have taken steps to reduce the problem by educating their users on proper security practices, telling them not to support these virtual currency sellers so the market goes away, offering an optional two-factor token for authentication (though with the recent RSA security breach, how safe do you feel?), legal action against these companies, and their own fraud investigations team. Unfortunately, this hasn't been enough to stop the problem.

This morning I received an email from Trion, developers of the latest MMOG, Rift. The email reads as follows:

Greetings Ascended!We are continually working on ways to keep your Trion Worlds account secure. With that in mind, we are introducing Coin Lock.

Here's what you need to know:

Coin Lock

Users will be coin locked if they log in from a new or different location or computer. When their account is coin locked, they will be sent an email to the address that they have on their account (their login email) with a code to enter into the game.

Users will see the Coin Locked icon in the spot where their tutorial button shows up. Deactivating the tutorial tips will not turn off the Coin Locked button.

While in a Coin Locked status, users will have the following limitations:

  • No access to the auction house
  • No ability to SEND mail. Users can still receive and view mail as well as remove items from mail
  • No ability to SELL to vendors. Users can still purchase items from vendors
  • No ability to salvage, runebreak or destroy items
  • No ability to trade
  • Users can continue to play and gain coin and items, but cannot get rid of them.

If you are Coin Locked, simply click on the Coin Locked icon and enter the code found in your email from Trion.

You will only have to enter the code once for each computer at a given location. If you play from multiple locations, or on multiple computers, you will have to enter your code the first time you log in from each new location or computer.

If you log in and your account is coin locked, check your email! Someone may have logged in from another location with your account.

It seems they took a page from what Facebook did with tracking the various locations you login from on a day-to-day basis, giving you the ability to lock down your account if you see a suspicious login. The limitations listed above pretty much result in you still being able to play the game, but not being able to sell, delete or trade anything on your account.

Rift logoKeep in mind that some of these items or currency that hackers are going after are things players have spent months or perhaps even years working on obtaining, so with no way to offload the virtual goods, hacking an account is fairly pointless since support teams are generally pretty good about recovering accounts to their rightful owners if the passwords are changed.

My initial thoughts were that this was a great idea, but unfortunately the security researcher in me can see the one big flaw in this feature.

Your username for the game is your email address, and I can almost guarantee you a majority of players are using the exact same password for both their Rift and email account.

If they're using one of the standard free webmail services (Gmail, Yahoo, MSN), all they'll need to do is login to your email account with the same password, release the coin lock, and steal away.

Of course for people who follow good security practice that have a unique password for every site they use, or for those who don't have a free webmail account, this feature is going to work great.

At the very least, this will help reduce account hacking and should be a feature that all other MMOGs implement as well even though it's not perfect. I'll be interested to see how well this feature works, and what the next move is in this battle between game developers and hackers.

, , ,

You might like

3 Responses to Coin Lock, an end to MMOG account hacking?

  1. Thu Win · 1258 days ago

    I can see a potiential annoyance. With Facebook (if I enable warn me of new computers logging in), they warn me everytime I log in if my IP changes. How does Trion new of a "new location"? Is it IP based? If so dialup/DSL users will be bugged everytime they redial (dialup) or turn off their router (DSL)

  2. kurt wismer · 1258 days ago

    using different passwords is certainly a good idea. might i also suggest the use of forwarding disposable email addresses when signing up to services like this? that way your "username" doesn't actually give an attacker any information about where the true inbox containing the coin lock email is.

  3. Richard Wall · 1258 days ago

    Valve (Steampowered.com) is also employing the same system. At the moment I believe it is beta and opt-in but it seems to be very effective.

    In Valves case the username isnt your password and to be honest anyone using the same password for their email as their games is asking for trouble.

    Personally I would be happier with a complete account lock out rather than just coin lock though. I'd rather the baddies couldn't log into my stuff at all and then ask for the code to unlock the account on the logon screen.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s