Automatic Authenticator Removal – Feedback

(Locked)

Blizzard Employee
Greetings All,

We recently implemented a feature that allows players to remove an authenticator (i.e. lost or broken) via our interactive phone system. We’d like to take this opportunity to ask those who have used it for any and all feedback regarding the use of this feature.

How it works
Similar to our self-service password reset, you may use the authenticator removal feature by calling in using the registered phone number on the account (This is to prevent unauthorized requests). After choosing the authenticator removal option, you will be prompted to hang up and a callback will be placed to the registered number to confirm your request. Once the request is confirmed, the authenticator will be removed.

We appreciate you taking the time to provide feedback!

Thank you!
MVP - Customer Support
100 Tauren Druid
13465
Well, since the primary phone number is not visible when logging into the account, and the callback helps prevent PBX Caller ID spoofing... I'd say this is very secure.

Hopefully, players will find it similarly convenient when necessary.

Thanks for putting this in!
________________________________________________
Customer Support Forum MVP
HDL - http://hdl-the-guild.com/~nodrama/
E-mail - neppyman.no@spam.gmail.com
"Hey you just posted, and this is crazy,
But here's a sticky, so read it maybe?" -- Roraks
91 Human Mage
11025
I would have questions about this, especially with the Mobile Authenticator. If the phone on the account is stolen as well, a phone call would be placed to that same phone, thus allowing the person who stole the phone to have access to the account.

I would imagine that only a minimal percentage could have this kind of issue - but just something that was brought to my mind.
92 Blood Elf Paladin
10635
If a phone is stolen with the Mobile Authenticator, then they would already have access to the account. But all of this is assuming that someone steals a phone, knowing the owner's login information.

EDIT: And while I haven't used this feature, I would assume there's some sort of verification beyond the phone number. Maybe SQ/A, or some question with a numerical answer. Date of birth, zip code, something.
Edited by Madisón on 4/10/2013 2:37 PM PDT
- Technical Support
12 Human Mage
9315
Phishing emails are now going to ask for the phone number on the account :( They are already submitting fake IDs and successfully getting Authenticators removed. I have confidence that they will up the game to include phone spoofing soon. The callback may stop that, but I still worry.

Please ensure that the login tips, blog, services messages, all include the note that Blizzard will never ask for your phone number. Also ask everyone to please ensure the data currently on the account is accurate!
MVP - Customer Support
100 Tauren Druid
13465
04/10/2013 06:14 PM Posted by Mirasol
The callback may stop that, but I still worry.

Erm, no, it WILL stop that. Cloning a mobile phone to the point where it can receive calls (and, more importantly, so that the original won't get them) is... nearly impossible, on modern mobile networks. And even when it's not, it requires some extremely specialized hardware - and is blatantly illegal. You'd also have to be on the mobile network of the carrier in question, so you'd have to be in the US (in most cases).

Is it possible to do? Theoretically, sure. You'd need to get some information from the "victim's" phone (ESN and MEID), of course - and that's not something you're going to be tricked into giving away via a phish (most people don't even know what it is, let alone how to extract it from a mobile phone). Then you'd have to get access to a custom EEPROM...

Let's just say that it's WAY too complicated for video game account thieves. They'll stick to their usual methods.
________________________________________________
Customer Support Forum MVP
HDL - http://hdl-the-guild.com/~nodrama/
E-mail - neppyman.no@spam.gmail.com
"Wiggle, wiggle, wiggle, wiggle, wiggle."
92 Blood Elf Paladin
10635
04/10/2013 06:14 PM Posted by Mirasol
They are already submitting fake IDs and successfully getting Authenticators removed.

Allegedly. Besides, if someone is able to fool Blizzard in this manner, the situation is MUCH more dire than worrying about your WoW account.

I know that we invest time and money into our accounts, but in the end, this is still just a game.

Also ask everyone to please ensure the data currently on the account is accurate!

They already do this, with the creation of every new account. If someone isn't willing to heed this advice before, they're not likely to do so just because of this feature.

04/10/2013 06:26 PM Posted by Pahanda
Cloning a mobile phone to the point where it can receive calls (and, more importantly, so that the original won't get them) is... nearly impossible, on modern mobile networks.

Are you SURE? I saw a movie once where the bad guys grabbed the good guy's phone, plugged it into a laptop, and cloned the information to a new phone within 5 minutes....

;)
MVP - World of Warcraft
90 Troll Rogue
14190
04/10/2013 08:25 PM Posted by Madisón
I saw a movie once

Dramatic licensure.

If someone had the original phone, they would not need to make a clone of it just to dial in and remove the authenticator from the account.
Edited by Kozzae on 4/11/2013 2:36 PM PDT
- Technical Support
12 Human Mage
9315
I have not seen said movie. Heck, I have not even had TV in over 12 years.

My point also stands about reminding people to keep the account info updated. Sure, people are told at account creation, but most don't stay on top of it. We want to HELP them use the feature, not punish them because they don't remember some account advice given at creation time. Some of these accounts (like my own) are from 2004. If they do not use SMS Protect they may not have a phone number on the account, or it may be very outdated. Knowing about this service and knowing to keep the account updated is great info to give players.

Phone communications networks are not something I have any experience with, and I am more than happy to be educated. Thank you Pahanda for your polite explanation.
86 Goblin Warlock
4380
I would have questions about this, especially with the Mobile Authenticator. If the phone on the account is stolen as well, a phone call would be placed to that same phone, thus allowing the person who stole the phone to have access to the account.

I would imagine that only a minimal percentage could have this kind of issue - but just something that was brought to my mind.

The problem you bring up isn't a real issue.

Most accounts are compromised by what basically amounts to an automated system. Once account information is known to work, a human is only involved at that point. These humans don't have physical access to your phone; they just have your account information. These gold selling companies are basically sweat shops.

So if you lose your mobile phone and somebody finds it, they would need to know you play World of Warcraft. The best way to avoid this is to register your phone so you can remote wipe it, report the phone stolen so it can be disabled and replaced, and of course use the security feature on the phone to lock it so it cannot be used by anyone except you.

Say you find a phone by the road and call Blizzard to remove the authenticator attached to an account (you believe exists); you still don't have access to the account after you do this.

There is also the fact these gold selling companies only sell banking information they don't actually use it themselves because of the legal ramifications that causes. Even China doesn't like a bank thief.
Edited by Hathios on 4/12/2013 12:46 AM PDT
55 Gnome Death Knight
9715
I’d like to leave a comment regarding this.
First, I think it’s a great idea! It gives people who don’t have SMS Protect enabled on their account a way to remove their lost/broken authenticator.
I tested this both with my SMS protect ON and then again with it OFF. It worked great. I got the call backs right away.

The only thing I would say that’s kind of a downside is that since Blizz changed how and when the customer support number is displayed, not many people may know about this option, and many people might think they can only submit their ID to get it removed if they don't know how to do web chat or get the number to call during normal hours on the support site. Also, the customer service phone number is NOT available on the support site when the phone lines are closed, yet if someone already knows the number (i.e. they have it programmed in their phone) they can call and the automated system will still pick up and they can still get it removed. So displaying the number like I mention in the example below would be more helpful.

Example:
- I went to us.battle.net and clicked the account button to go to the log on page.
- Then I clicked the “can’t log in?” link (under the sign-in).
- Then I clicked “I lost my authenticator and I want to remove it from my account.” This took me to a page that asked for my battle.net e-mail and my name on the account.
- The next page asked me to upload my ID. (I know when SMS Protect is enabled it would at this point send the code to the phone.)
The direct link to the page is https://us.battle.net/account/support/remove-authenticator.html

I think on this page (if no SMS protect is enabled) it should also mention an alternative way to remove it by calling support and provide the phone number. It can still show the option to upload ID but include something like "OR remove it now by calling (phone number goes here) from the registered phone number on your account!"


Something along those lines. I'm all about informing customers all their options easily and in the same place and since the customer service number is only displayed during normal hours on the support site, displaying it on the removal page would help for after hours removals :D

Also, I think maybe adding an option to disable this feature on the account, if someone decides they don't want it, might help anyone who may have concerns regarding this, especially if they share the same phone with other people (i.e. roommates, family, etc.). I know just removing the authenticator doesn't grant access to the account (you still need the battle.net email and password); I'm just saying it might help for anyone who may have concerns about this feature. It's kind of like how you can choose whether or not to be asked for your authenticator code each time you log into the game. Some people still like to enter the code each time vs. once a week or if location etc. changes.

Another idea is that in order to use this service you first have to set up a battle.net phone PIN (from your bnet account). Then if/when the customer calls to remove their authenticator, the automated system calls back the registered phone number (like it does now) but then asks for the battle.net phone PIN. So unless the correct PIN is entered, the authenticator is not removed. This will help avoid someone who shares the same phone from removing it either accidentally or on purpose for whatever reason, and it also helps verify the owner of the account. I realize there are pros and cons to this idea; I was just simply offering it.

Overall I think this is a great idea, and as I said before, especially if someone doesn't have SMS Protect enabled on their account.

Thanks Blizz!
Edited by Sepheras on 4/12/2013 8:12 PM PDT
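As an added illustration (not Blizzard's code and not something posted in this thread), here is a small Python model of the callback flow from the opening post, extended with the optional phone PIN proposed in the post above. The phone number, handset roles and PIN are constructed; the point shown is that the inbound caller-ID only selects where the callback goes, while answering that callback on the handset that really holds the number is the actual proof of control.

```python
# Toy model of the callback-confirmed removal flow (constructed example, not
# Blizzard's code). Inbound caller-ID is attacker-controlled (PBX spoofing):
# it only picks which number gets the callback; proof of control is answering
# that callback on the handset that holds the number, plus an optional PIN.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

REGISTERED = "+15550100"  # constructed number on file for the account

@dataclass
class Account:
    registered_phone: str
    phone_pin: Optional[str] = None  # optional PIN, as suggested in the thread
    authenticator_attached: bool = True

@dataclass
class Handset:
    # Whoever physically holds the number; the network routes the callback here.
    number: str
    expecting_callback: bool = False  # holder confirms only a request they made
    pin_known: Optional[str] = None

def request_removal(acct: Account, caller_id: str, network: Dict[str, Handset]) -> str:
    """Run one removal attempt; returns the outcome and removes on success."""
    if caller_id != acct.registered_phone:
        return "rejected: number not on file"
    holder = network.get(acct.registered_phone)  # callback goes to the real handset
    if holder is None or not holder.expecting_callback:
        return "rejected: callback not confirmed"
    if acct.phone_pin is not None and holder.pin_known != acct.phone_pin:
        return "rejected: wrong phone PIN"
    acct.authenticator_attached = False
    return "removed"

def scenario(holder: Handset, pin: Optional[str] = None) -> Tuple[str, bool]:
    # Every scenario dials in showing the registered number, truthfully or spoofed.
    acct = Account(REGISTERED, phone_pin=pin)
    outcome = request_removal(acct, REGISTERED, {holder.number: holder})
    return outcome, acct.authenticator_attached

def owner_calls_from_own_phone() -> Tuple[str, bool]:
    return scenario(Handset(REGISTERED, expecting_callback=True))

def attacker_spoofs_caller_id() -> Tuple[str, bool]:
    # Callback lands on the victim's handset, which declines an unrequested removal.
    return scenario(Handset(REGISTERED, expecting_callback=False))

def roommate_shares_handset(pin: Optional[str] = None) -> Tuple[str, bool]:
    # Shares the registered phone; completes the flow unless a PIN they lack is required.
    return scenario(Handset(REGISTERED, expecting_callback=True), pin)
```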
90 Night Elf Druid
9860
I haven't needed to use this yet, but I think it's wonderful. If your phone is stolen, in most cases a call to your carrier will at least get the service turned off for your line. Most smartphones have a remote wipe, or it can be added with an app.

I still think this is plenty secure and am glad this was implemented!
68 Tauren Paladin
17180
Feedback? Well, my first thought is that if my phone is lost or stolen, then I can't actually use this feature because that is the exact phone I have registered on the account. Won't be able to call in from that number when the phone is lost/stolen!
MVP - Customer Support
100 Tauren Druid
13465
04/13/2013 04:57 PM Posted by Klaes
Won't be able to call in from that number when the phone is lost/stolen!

No, you won't. Which is why it's a good thing that Blizzard's other methods of removing the Authenticator will still work - specifically, the webform.
________________________________________________
Customer Support Forum MVP
HDL - http://hdl-the-guild.com/~nodrama/
E-mail - neppyman.no@spam.gmail.com
"Shhh. My common sense is tingling." -- Wade Wilson
55 Human Death Knight
0
This new system allowed a hacker into my account today.

I have not played the game in several months, but started receiving emails from blizzard support today.

4/14/13 10:02am EST: "... Your Support ticket #xxxxxx868 has been successfully created... This is the ticket description: Not Working Properly.Please Help!..."

4/14/13 10:39am EST: "The status of your Customer Support ticket #xxxxx868 has changed to 'Answered.'... We were unable to verify the authenticity of the primary form of identification included. Please submit a different form of identification."

---

4/14/13 10:55am EST: "... Your Support ticket #xxxxxx563 has been successfully created... This is the ticket description: Not Working Properly.Please Help!..."

4/14/13 11:05am EST: "The status of your Customer Support ticket #xxxxx563 has changed to 'Answered.'... We were unable to verify the authenticity of the primary form of identification included. Please submit a different form of identification."

---

4/14/13 3:03pm EST: "... Your Support ticket #xxxxxx516 has been successfully created... This is the ticket description: Not Working Properly.Please Help!..."

4/14/13 3:13pm EST: "The status of your Customer Support ticket #xxxxx516 has changed to 'Answered.'... We are pleased to inform you that your request has been processed and approved. The Blizzard Authenticator that was attached to this account has been removed..."

Good game.
55 Gnome Death Knight
9715
This new system allowed a hacker into my account today.

Um, this new phone service to remove an authenticator DID NOT get you hacked.
In order for a hacker to do as you suggested, they would have to, one, know what phone number is listed on your account, somehow clone the phone to be able to call Blizzard so the call appears to come from the registered number, AND receive the callback from Blizz without your phone even ringing. So it is very unlikely this happened.

Sounds like you have bad stuff on your computer and will want to review
http://us.battle.net/en/security/help I would follow ALL the steps found there!

From what you posted, it seems like the hackers were going here (which isn’t new) https://us.battle.net/account/support/remove-authenticator.html and submitting bad IDs. Just my guess.

But in any event, I would definitely make sure to UPDATE & run FULL scans of any and all anti-virus and anti malware programs you have. Once you are 100% sure your system is clean I would change your E-MAIL password, then create a NEW email address and change your battle.net email to the new one and of course change your battle.net account password. Use a password you DON’T use with ANYTHING ELSE!

You can also contact Blizz during normal hours (10am-6pm Pacific time) at https://us.battle.net/support/en/ticket/submit You can use the web chat feature, or the phone-in option if it's available, for more info etc.

Best of luck!
Blizzard Employee
Closing this thread as we've collected all the feedback we need at this time.

If you haven't yet, don't forget to add an authenticator (Mobile or Physical) to your account as an additional layer of security.

Thanks!