Account Security and You (Yes, You)

Some players are dedicated to collecting sets of epic gear while others prefer to make a few quick coins in the auction house.  No matter what style of play you prefer, we want to equip you with the tools and knowledge you need to protect yourself against account compromise. To help get you started, below you'll find a series of tips and suggestions aimed at improving your account and computer security. 

Since we’ve been encouraging account security awareness for quite a while now, you might have already run across some of this information on our Account Security Awareness page, in one of our support articles, or posted by your fellow players here on these forums. We want to make sure that as many players as possible have secure accounts, though, so we encourage you to take some time to read over this refresher, make sure your account is secure, and share these tips and resources with your friends and guildmates, too.


Security Basics

There are a few cardinal "rules" for maintaining a secure Battle.net account. They're simple and straightforward, but they can help ensure that your account information doesn't get into the wrong hands.

  • Never give out your account information. Sharing account information with a family member, friend, guildmate or, worse, a stranger who's promising you a chance to "beta test a new mount" is an easy way to lose control of your account security and experience the tragedy of account compromise. Even if your goal is just to be helpful, allowing someone else to access your account can definitely put it at risk because you can't control how that person will make use of your account information, or how secure their own system might be.

     
  • Be mindful of phishing scams. Phishing scams are designed to trick you into giving out your account information, and they'll usually come in the form of emails or in-game messages that appear to be sent by Blizzard employees. Sometimes these messages encourage you to visit a malicious website, which might contain a web form, or even software that can steal your login information.  In other cases, you may be asked to reply with your account name and password.

    While most of these types of scams are easy to identify -- they'll frequently use poor grammar and spelling, or make outrageous threats about banning your account -- some can be difficult to distinguish from legitimate Blizzard correspondence, so it's important to be cautious of what you click on and when. (Learn more about how to identify these kinds of scams here.)

     
  • Don't use gold selling or power-leveling services. Supporting these types of illicit services is not only against the Terms of Use, but it promotes botting, spamming, and other forms of exploitation -- as well as account theft. While the promise of gold stockpiles and effortless level-85s may be tempting, you could end up paying more than just cash for sharing your account information with these companies. (Also, that gold you're interested in buying? We've found that it's most commonly stolen from compromised accounts and turned around to be sold back to other players. Not cool.)



Going The Extra Mile

In addition to following the security basics, you'll also want to make sure your computer is protected against malicious programs known as "keyloggers." Keyloggers are pretty serious, and they're capable of gleaning information directly from your computer, either by monitoring your keystrokes or by gaining access to important applications like your Clipboard.

The advice listed below will help you combat this type of security risk and maximize your computer's security.
 

  • Grab an Authenticator. The Battle.net Authenticator and Mobile Authenticator are easy ways to add an additional level of security to your account. They work by providing a secure authentication code on command that's unique to your Battle.net account. After an Authenticator is associated with your Battle.net account, the authentication code will be necessary for each client and Account Management login, increasing your protection against account compromising attacks. (They also will provide your characters with an adorable Core Hound Pup companion.)

    The Battle.net Dial-In Authenticator is another handy option. It's a free opt-in service that will actively monitor an account and request additional authorization from you when a potentially unauthorized login attempt occurs.

     
  • Install antivirus and anti-spyware software. There are a number of programs that can help you identify and remove any viruses, Trojans, and/or keyloggers that may sneak onto your computer. If you're unsure of what software might be best for you, check out our support site for a list of recommendations.

    Keep in mind that most antivirus and anti-spyware programs will periodically issue software updates to ensure that they're able to identify the latest malware threats, so be sure to install those updates before beginning any new system scans.

     
  • Keep your operating system up-to-date. If you're using Windows, you can check for the most current updates at any time by visiting the Microsoft Windows Update page, or by clicking Windows Update in the Start menu. If you're a Mac user, you can check for software updates at Apple.com; Apple security updates are also available here.

     
  • Keep your browser and browser plug-ins up-to-date. As with your anti-malware software and computer operating system, you'll want to keep your web browser as up-to-date as possible. In addition to providing more tools and functionality, browser updates can also include new security definitions and a more comprehensive phishing filter (detailed further below).

    Using the most recent versions of your browser plug-ins and applications (like Adobe Flash Player and Adobe Reader) and regularly checking for security updates is also important, because they can sometimes become targets for certain types of malware. A lot of plug-ins and applications will prompt you to update automatically, but it's still a good idea to check the distributor websites on occasion to make sure you're running the latest versions.

     
  • Turn on your browser's phishing filter. Phishing filters work by comparing the websites you visit against a massive database of legitimate (secure) websites and websites that have been identified as potential security risks. If you happen to visit a website that's flagged by your browser's filter, you'll be alerted and given the opportunity to continue onto the page or -- in most cases -- navigate to another site completely. Most popular browsers have built-in phishing filters that are turned on by default, but you can always double-check filter settings/availability in the Tools menu. Additional information about popular phishing filters can also be found here:

Internet Explorer Phishing Filter FAQ
Firefox Phishing and Malware Protection
Opera Fraud Protection
Chrome Phishing and Malware Detection
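
The list comparison a phishing filter performs, together with the hostname check behind the phishing-scam advice earlier on this page, as an added Python example (not Blizzard's or any browser's code). The two lists and the `.example` hostnames are constructed for illustration, and `battle.net` and `blizzard.com` are assumed here to be the legitimate domains.

```python
from urllib.parse import urlsplit

# Constructed sample lists (assumption). A real browser filter consults a
# large, frequently updated database rather than two small sets.
KNOWN_GOOD = {"battle.net", "blizzard.com"}
FLAGGED = {"battle-net-login.example", "free-mount-beta.example"}


def hostname_of(url):
    """Return the host a browser would actually connect to, or None."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:  # e.g. a malformed IPv6 literal
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    # .hostname is lowercased and excludes any "user@" prefix and port,
    # so text placed before an "@" cannot pose as the site name.
    return parts.hostname.rstrip(".")


def in_list(host, domains):
    """True if host is a listed domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def classify(url):
    """Mimic the filter's verdict: flagged, known-good, or unknown."""
    host = hostname_of(url)
    if host is None:
        return "unparseable"
    if in_list(host, FLAGGED):
        return "flagged"      # the browser would show its warning page
    if in_list(host, KNOWN_GOOD):
        return "known-good"
    return "unknown"          # on neither list: treat with caution


if __name__ == "__main__":
    # Constructed sample links of the kind found in e-mails and whispers.
    for link in (
        "https://US.Battle.net./account",
        "http://battle.net@free-mount-beta.example/beta",
        "https://battle.net.account-check.example/login",
        "mailto:support@battle.net",
    ):
        print(f"{classify(link):12} {link}")
```

The third sample shows why a link that merely contains the game's name proves nothing: only the end of the hostname decides which site you reach.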



What If...

While these steps will go a long way to keeping your account secure, if you are unfortunately affected by an account compromise, don't panic. Our in-game, billing, and technical support representatives will work with you to get your account and all associated data safely restored to you. Our Help! I got Hacked! guide goes into all the details, but rest assured that we've got your back (and your lewtz) should you need us.
 

Account security is incredibly important to us, and we hope that it's important to you, too. If you have any additional security recommendations to add to this list, please feel free to share them in the comments!

Comments (909)

Smorts
Detheroc
8/9/2012
ima a 1 shot macro
and im blitzcraft

Blitzkraft
Detheroc
8/9/2012
i can 1 shot

Blitzkraft
Detheroc
8/9/2012
im a killer

Whirleah
Saurfang
6/4/2012
This is great for our end. What is Blizzard doing to make sure their end is secure?

Tribalstruk
Cenarion Circle
5/9/2012
but if you have to use an e-mail addy as your login info please do so with a stand alone account as this will ensure your account security as it is the first place the hackers look

Tribalstruk
Cenarion Circle
5/9/2012
i believe this to be a bad call by blizzard to use e-mail addys as login info

Spastek
Illidan
5/11/2012
@Tribalstruk: I disagree. If you were hacked before email address and they had your account name (let's say it's TRIBALSWOW) then they ALWAYS have your account name and simply need to get your password through any means to hack it again. With the new system, if you are compromised you can change your email address and now they no longer have your login information (unless you had a trojan on your computer that you didn't remove before changing your email/password)

Tribalstruk
Cenarion Circle
5/9/2012
i also wanted to add when players give their e-mail addy out that they use with wow just think that you're giving half of your login info away.

Tribalstruk
Cenarion Circle
5/9/2012
welp can i add a few suggestions to that security page
a few things i do to keep my accounts safe, which has helped because i have never been hacked and don't plan on it.
make a rotating password list, 5 or 6 will do, rotating passwords monthly, keep em guessing
also use a stand alone e-mail address for your account as this will reduce the likelihood of having someone figure out your log in via e-mail.
and take the password of the month list, place it in a text document and use copy and paste, this will prevent them from following keystrokes. this is just a few things i do to keep my account safe from hackers and pirates.

Pontifex
Nagrand
5/8/2012
I have an issue with WOW remote - my phone has the remote and the authenticator I have an issue logging into remote while authenticator is active so I have to disable the authenticator b4 I go out so I can use remote chat.

Stabynarwhal
Scarlet Crusade
3/13/2012
Authenticators aren't even 100% effective i know people who have gotten hacked with them.

Figgardahron
Uldum
3/12/2012
Good to know

Necrobane
Tichondrius
2/18/2012
I loaned a guildy gold in return for more. I feel stupid

Astrotank
Zangarmarsh
1/11/2012
astrotank

Taggart
Twisting Nether
11/30/2011
I agree with shadymagoo, however, now that the majority of wow players have an authenticator, I think it'd be too much, too late to start throwing them into each new release.

Nannaßby
Cho'gall
11/5/2011
i got hacked and don't know how to change my password can someone help me?

Deathbriner
Dentarg
1/21/2012
@Nannaßby: Yes. Say I forgot my password when you log in. It will send you an email. Click on the email in your inbox and it will let you change the password of the account.

Shadymagoo
Laughing Skull
10/16/2011
A thought for the future I'd like to see considered would be selling keychain authenticators wherever game-cards are sold or including them within special edition retail boxes. Perhaps in the distant future they'll evolve into a mandatory inclusion of all accounts. Seems the way to go with the increased production they'd be negligibly cheap enough no one could really complain that they are forced to pay even if they don't want to use it. Like complaining about the cost of the manual I don't read..

Emucruxes
Andorhal
10/4/2011
I agree with previous posters who mentioned strengthened password requirements. 8-12 characters, at least one capital, at least one number. And that's a start.

Consider this additional level of security; every time you log in from a different IP address, Blizzard has a server-side program generate a random four to six digit number that they then text to your cell phone. This number must then be entered by the client at login, after the normal authenticator. But wait! There's more! They can't use the keyboard. They have to use a virtual group of numbers (0-9) that pop up on random places on the screen. The texted code expires after 1 minute and upon expiration your account is locked. Rough, I know, but from the authenticator we learned that we should have our mobile devices handy when logging in. Or the keychain... If you don't have a cell phone with texting, then this protection plan obviously isn't for you. Get a go-phone or something, if you can afford $15/month for WoW you can afford that.

This would entirely beat simple keylogging as even recorded mouse data would be useless due to the random positioning of the numbers every time. It'd take a much more intrusive worm to muscle out the positioning data of the numbers from the game itself. And although a single text-in code could be maliciously intercepted by a determined hacker, the fact that it is generated randomly every time would render that useless as well, unlike the authenticator--its Achilles' heel is the fact that the numbers are generated from a source code that could be resolved--that's how it synchronizes with your keytag/smartphone.

Of course, neither of these options can protect you from a domestic threat, such as an angry ex girlfriend or a mischievous roommate with nothing better to do. For those, you can only use common sense; don't give them your password for one. Or, change it when you break up with someone or make them mad lol.

My knowledge of network exploits is limited, but we can all agree that more options can do no harm.

Moolested
Illidan
3/12/2012
@Emucruxes:

The steps you mentioned in the second paragraph are good in theory - However too much work. By saying this I mean there are too many steps and too much time spent attempting to log in.

SW:TOR attempted to use the "account lock" feature if you failed to enter your secret question 3 times in a row - You would have to call customer service EVERY time this happened. This is beyond annoying, and when you drink as much as I do on rare occasions - The last thing I want to do after derping 3 times in a row is talk to some guy in India named Bob. Good in theory, terrible upon application.

I like the way it is now. You have the options of multiple authenticators, not all of them cost money, and it's optional. If you don't have an authenticator and you get hacked - Recover your **** and go buy one. That's what I did, and it works like a charm. Forcing customers to do even 1-2 extra steps that the masses wouldn't deem "necessary" (albeit it's situational for every individual) will turn off players, i.e. customers.

Calyxto
Gundrak
10/3/2011
would've been nice to have an authenticator sent here to the philippines - but then again, there's not too many of us here; but i'm all for extra protection.

Dragonvale
Uldum
3/13/2012
@Calyxto: I'm Filipino too! pretty random but it's true

Shadymagoo
Laughing Skull
9/30/2011
With shipping and all other extra costs, the $6.99 authenticator ends up costing close to twenty bucks to ship to Toronto. $20 can buy (illegally) more gold than a hacker could liquidate from the toons on my account that I actually care about.
There is currently no app for Windows Mobile Phones so I (among many other) users of the platform are limited in security-by what seems like it would be a ridiculously quick and easy development, yet highly valuable feature to probably a good number of subscribers whom, like myself would even pay a buck or two just for the easy download without the pet.

Is there a reason not to support ALL capable phones and just make such a huge problem and headache go away not just for many subscribers but also you Blizzard?

Déédlit
Ravenholdt
10/1/2011
@Shadymagoo: Actually there is an application, I have the newest Windows 7 HTC Trophy Phone and it's a bit hard to locate but there was a battle.net Authenticator from Blizzard put on it as of two weeks ago. I am just waiting for there to be a Windows Mobile 7 friendly Battle.net mobile since I want to use that service to be in contact with my guilds anywhere I am.

Nillow
Destromath
10/2/2011
@Déédlit: For the people to the North. There is also a blackberry app too

Shadymagoo
Laughing Skull
10/16/2011
@Déédlit: Thanks

Isollator
Onyxia
9/30/2011
My account does all of the things and I was still hacked. I lost some valued gear and it won't ever be returned.

Whiskyjack
Caelestrasz
10/2/2011
@Isollator: You obviously didn't follow the steps to restore your account. I was hit by a hacker last year due to a malicious add-on installed by a good friend of mine. I contacted Blizzard Support who restored all items and gold associated with my account before the hacking took place. Don't complain for the sake of it; It makes you look stupid.

Miortok
Kul Tiras
10/4/2011
@Whiskyjack: true story. i got hacked a few months ago, they stripped me of everything from my epic gear to my left over copper ore in my bank. they also hit my guild's vault (i'm an officer and can get 20 stacks from each tab.) Blizz Support was amazing!! they were super friendly and stayed on the phone with me until i had checked all my toons to make sure stuff was back in order. just like they said it would be, it was "like it had never happened."

Aleaina
Echo Isles
9/30/2011
Yeah... about that one post about logging into a friend's computer, I'm a little worried about that too. I mean, I know friends that play wow, and sometimes I log in at their house really quick to do something (sometimes), but I understand there are probably people who do it really often, and I might too. I'm just a little worried I'm gonna get locked out of my own account just for logging on legitimately from another person's computer >.<

Malacai
Bloodhoof
9/29/2011
I feel Loved.

Me?

Respect
Ghostlands
9/29/2011
Dear Blizzard. Please include an authenticator in every box copy of your next expansion... Or require its use on every account over three months old. Maybe then you can reassign the restoration crews to other more beneficial customer service positions.

Or better yet, install a server side coin-lock feature that locks the account from having items moved off it or vendored until a passcode sent to the account email is validated --- Coin Lock is activated any time a login is detected from a different IP address than the one used for at least 5 of the past 7 successful logins.

The ONLY reason I can think of for not requiring an authenticator on an account is that you are making more money selling new copies of the game to hackers and gold farmers than you are paying your staff to restore accounts after they are stolen.
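
The "5 of the past 7 logins" coin-lock rule proposed in the comment above, worked through as an added Python example (not part of the comment and not Blizzard's code). The `CoinLock` class and its method names are hypothetical, the IP addresses are constructed, and two points the comment leaves open are filled with assumptions: the rule cannot fire until some IP reaches the threshold, and logins that trigger the lock are kept out of the history.

```python
import hmac
import secrets
from collections import Counter, deque

WINDOW = 7      # "the past 7 successful logins"
THRESHOLD = 5   # "at least 5" of them from one IP address


class CoinLock:
    """Per-account state for the proposed lock (hypothetical class)."""

    def __init__(self):
        self.history = deque(maxlen=WINDOW)  # IPs of recent logins
        self.locked = False
        self._passcode = None

    def usual_ip(self):
        """IP behind >= THRESHOLD of the last WINDOW logins, else None."""
        if not self.history:
            return None
        ip, count = Counter(self.history).most_common(1)[0]
        return ip if count >= THRESHOLD else None

    def on_successful_login(self, ip):
        """Record a login; return a passcode to e-mail if the lock fired."""
        usual = self.usual_ip()
        if usual is None or ip == usual:
            # Assumption: with no established usual IP the rule cannot fire.
            self.history.append(ip)
            return None
        # Assumption: a login that trips the lock is not added to the
        # history, so repeated foreign logins cannot erode the baseline.
        self.locked = True
        self._passcode = secrets.token_hex(4)
        return self._passcode

    def items_movable(self):
        """Trading, mailing and vendoring are refused while locked."""
        return not self.locked

    def unlock(self, passcode):
        """Clear the lock if the e-mailed passcode matches."""
        if self.locked and hmac.compare_digest(passcode, self._passcode):
            self.locked = False
            self._passcode = None
            return True
        return False


if __name__ == "__main__":
    HOME, ELSEWHERE = "203.0.113.10", "198.51.100.7"  # constructed IPs
    account = CoinLock()
    for _ in range(7):
        account.on_successful_login(HOME)
    code = account.on_successful_login(ELSEWHERE)
    print("locked:", account.locked, "items movable:", account.items_movable())
    print("unlock with e-mailed code:", account.unlock(code))
```

Under this reading an account whose address changes for good is locked at every login until the passcode is entered, which is the trade-off between protection and convenience that this kind of rule carries.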

Lilus
Tichondrius
9/29/2011
@Respect: Actually a bad idea at this point. If they include an authenticator in the box then the farmers/hackers simply buy the game for their use and then place the authenticator on an unsecured account so that the real owner is locked out.

Elvenskwig
Frostmane
9/29/2011
@Lilus: Yeah, it's not like you can do that with the free app or the dial-in authenticators.
Oh, wait...

Nomohawken
Dragonmaw
9/28/2011
nice, new email only, password change works well, only 4 wow account email nadda else.

Dogpee
Bloodscalp
9/28/2011
"While most of these types of scams are easy to identify -- they'll frequently use poor grammar and spelling,"

lol

Tusklord
Uther
9/28/2011
As a Network Security Professional I'm glad to see Blizzard putting this info out, especially with the number of hacked accounts. "you can lead a horse to water, but you can't make it drink"

Propstab
Aggramar
9/28/2011
I tried logging into my account at a friend's house. My account was frozen because "there was suspicious activity" on my account. It took 1 hour and a phone call to Blizzard to unlock. Every time I log in away from my normal computer I get locked. This is very inconvenient, and ridiculous. Please give an option to remove that feature.

Knellsfather
Winterhoof
9/29/2011
@Propstab: AMEN....

Shohan
Blackwater Raiders
9/30/2011
@Propstab: RIGHT!! I use a laptop and I mainly play at home, but I often use other sources of internet like the place I stay when I'm out of town or even at work! And when I go to someone else's house and use their WiFi I get locked! And of course I can not remember my unique password for my security question that I made up years ago!! And to top it off they do not let me change the password! This is Very annoying to those of us who use Laptops as our main console! It would be nice if the authenticator would override that feature! What up Blizz!!