Wolfbytes

So, the mate of a mate got his WoW account hacked. Made me think of a minor server blowout last Christmas, when Blizzard was trying to educate it’s customers on how to keep their accounts safe – and the rant I had back then in my old blog. Translated and updated here for the benefit of foreign devils. You’re welcome.

Blizzard’s anti-hacker advice was good enough, as far as it went. Never share your account information. Change passwords regularly. Buy an Authenticator, if you play at net cafes – that sort of thing. They just completely skipped the most fundamental problem:

The vast majority of MMO gamers are complete muppets when it comes to basic computer security.

This was made painfully clear when Blizzard’s warnings were discussed on the server forum. Before we knew it the page was filling up with tales of woe, people proclaiming their sympathy for the victims of hacking, and otherwise completely rational people nodding sagely and explaining that it is, of course, impossible to build a hacker-proof computer, so anyone at any time can fall victim to vicious hackers. The fact that banks, international corporations and entire damn nations succeed in keeping their data traffic secure  every day of the week doesn’t seem to matter to these people. No, really, securing your WoW account, that’s voodoo beyond the grasp of us mere mortals.

Hacked accounts are a favourite tool for gold sellers. They can also be ripped off for more merchandise.

The thing is, they’re technically right. With determined enough effort anything connected to the net can be hacked – but if you just want a few thousand WoW-keys, you don’t need to go to the trouble. Why should you, when gamers will line up to just GIVE away their accounts?

“Well of course I clicked the link, it was from a friend.”
“No I could see it installs something, but I thought it would be something funny.”
“But configuring IE is hard, and I don’t want to use another browser. ”
“I can’t use this stupid antivirus software, it kills my framerate.”
“I don’t use a firewall, I don’t have anything worth stealing anyway.”
“I can’t be arsed to reinstall to get rid of one virus, I’m buying a new PC next month anyway.”

The depressing part isn’t that those are actual quotes from actual hacking victims. It’s that each and every one of them was an educated and otherwise very sensible person, who honestly believed even afterward that they hadn’t screwed up even a little bit.

What should they have done?

The same thing everyone else who cares about data security and uses Windows should be doing.

1) Make sure that Windows Automatic Update is running. Install the newest updates immediately. No exceptions, ever.

2) Install a fully featured security suite and make sure auto-update is on. Never turn off any part of the software – it will only protect you if it’s running. Your security suite should have anti-virus, anti-malware, phishing protection, a two-way firewall and ideally also rootkit detection.  Unless you’re completely broke (and if you can afford WoW, you obviously aren’t), buy a commercial license. Free security suites will work in a pinch, but are generally better for experienced users who know how to configure them properly. Norton, Panda, F-Secure and ZoneAlarm come to mind.

3) Get rid of Internet Explorer. Yeah yeah, it can be configured to be safe – but is that easier for a net newbie than just changing browsers? Even if you do make IE secure, it’s still the most common browser on the net, which automatically makes it the favourite target for hackers. Many key loggers are countered simply by having Firefox, Google Chrome or Opera, which are immune to malware exploiting known vulnerabilities in IE. If you just can’t bare to lose IE, install Google Chrome Frame – it introduces a few potential new risks (more code means more things can go wrong), but it also closes a lot of old ones. Alternate browsers don’t have perfect default security either, but at least they get targeted less frequently.

4) Do not click strange links. Not even if a friend sent them, not even “just to see what it is” – this is exactly how a lot of viruses get passed around. Ask if they meant to send it first, and don’t click until you’re sure the link really was sent by your mate, not malware on their computer. If you’re still worried about accidentally clicking the wrong thing, install WinPatrol. It’s a security program that takes a snapshot of your system and then smacks you with a popup warning every time something tries to change it. Bloody annoying if you’re a veteran user who tweaks and changes stuff regularly, but a good line of defence for casual users who just want to surf, chat and play MMO’s in peace.

5) Read the alerts your security software gives you. If you don’t know what the process that is asking permission to run or change the registry or connect to the internet is, google it. That should give you multiple hits to help you decide if it’s safe to allow it. If you’re still not sure, deny permission just in case.

When it doubt, google it. The more links you get saying that the process is part of some safe program, the more likely it is no disaster will come of approving it.

None of the steps on this list will give you a mystical hackerproof PC – but they would have saved the accounts of every last friend, acquaintance and random internet contact who’s ever cried about their hacked account within earshot of me. Online gamers are muppets about their security, and this is exactly what WoW-hackers rely on. Even basic security will keep hackers off your back, because the vast multitudes of suckers who don’t even do that much can be ripped off with a fraction of the effort.

Why should anyone care?

The thing is, you can’t just laugh it off as idiots getting their dues. If your security sucks enough to get your account hacked, your epixx should be the least of your worries. Symantec’s bi-yearly Internet Security Threat Report and other reputable experts have long been laying it out: computer crime isn’t geeky pranking, it’s a whole new kind of underground economy. Viruses and malware, the basic tools of e-criminals, will hardly ever inconvenience the host PC in any way. Their goal is to stay invisible, and to hijack the computer for data theft and criminal activity.

Do you ever shop online? The virus just nicked your credit card number and PayPal codes. Do you pay bills or use social networks? Personal data gleaned from them is the corner stone of identity theft. And that’s not even counting all the nastiness that a criminal with a few thousand infected computers at their fingertips can do. Most spam and viruses are spread by the remotely controlled computers of ordinary people who screwed up with their security. Even worse, hijacked computers are also how e-criminals spread child pornography or execute web-blocking denial of service -attacks, most commonly used for extortion.

Even hacking game accounts isn’t as petty as it seems. Though gold selling is against the terms of service in most games, it’s been estimated that in China alone the market was worth hundreds of millions of euros in 2007 – and was declared taxable income in 2008. For us gamers, it just means annoying gold spam. For law enforcement it’s a genuine concern, because the lack of a paper trail attached to virtual currency trades makes it a perfect money laundering channel for organised crime. Nevermind “cheating at the game”, or whatever morally righteous crap gamers usually spout when they denounce gold selling – the real dirt is that gold trade exists on hacked accounts and at least some of it serves organised crime.

So no, your computer’s security is not a personal choice. Hacking is not a calamity you get to cry about. Would you feel anything less than stupid if you left your car unlocked and joyriders ran someone over with it, or used it to rob a bank? An unprotected PC getting hacked is much more likely, just a matter of time. I have no sympathy for gamers who don’t realise the damage they do, neglecting basic computer security. They’re not “just” hapless victims who should be hugged and comforted and given free pants for their newly nekkid paladin. If they can’t be arsed to do the five easy things listed above, they’re also part of the problem.