Legendary 78: Diablo III Causes World of Warcraft Account Concerns

> Just google youtube “chinese gold farmer tells al”

Assuming you’re talking about Psigoda, he’s actually neither chinese nor a gold farmer. He’s a gold broker, who buys gold (and items) from players and farmers, and then sells it to other players (keeping a percentage, of course).

And he’s clearly not very well informed about how in-game transactions or login credentials work. 

For example, at one point he talks about how Blizzard “uses certain patterns to find out who the gold sellers are”.

Patterns? All Blizzard needs to do is go to his website and buy $20 worth of gold. Then see which character actually sends them the gold, and track it back from there. That’s it. Blizzard (or any other developer) can track down and close any account used for farming or selling in a matter of minutes.

The only reason why he stays in business is that Blizzard knows some people will only play WoW (and pay their subscription) as long as they have access to easy gold, and they’re not going to risk losing those subscribers by banning gold sellers (in fact, the gold sellers _also_ pay a subscription, so Blizzard wins twice).

> It’s already been admitted by one of the leading gold sellers
> that 3rd party site hacking is the vast majority of account theft now.

Again, he seems a bit confused about that, and at one point admits he’s had his account hacked because he used his WoW login info on “every fansite” (so he’s kind of admitting that he’s a moron, and probably projecting onto everyone else).

While some small sites might store passwords in plaintext, making them good targets for hackers (that’s assuming the site wasn’t set up by account thieves to begin with, which would really mean there’s no “hacking” involved and it’s really just a phishing site), any decent-sized fan site is likely to be running established software (WordPress, phpBB, vBulletin, etc.).

And none of those packages stores the actual user passwords. They store password hashes, which can take ages to decode. Short passwords can be decoded quickly with a little trick (called rainbow tables), but longer passwords need to be decrypted using dictionary attacks or brute-force. This is much faster to do locally (after you’ve obtained the website’s database) than over the net, but it’s still too slow to be practical.

This means it’s far preferable to get people to actually type in their password somewhere (where you can catch it in plaintext).

And people who use their Battle.Net password on 3rd party sites are certainly stupid enough to click “free mount” links on e-mails, log in from (easily keyloggable) internet cafés, or follow links posted in game chat by someone called “u$er_$upport_admin_totally_not_fake”.

As I mentioned before, I know Wowhead, Curse and Elitist Jerks have had their user databases harvested. I actually warned the admins about this, but they never bothered to warn their users (probably because they want to pretend it never happened – that’s assuming they didn’t actually sell those databases for profit). I have no idea if the harvesters got the password hashes or not, but I get regular e-mails on my unique Curse / Wowhead / EJ e-mail addresses trying to get me to visit their websites, that look like the WoW / Runescape / etc. log-in pages, so they can catch my plaintext password.

So, while Psigoda’s suggestion (force users to change their password every month) would certainly be helpful, it wouldn’t get rid of phishing, which requires almost zero effort on the part of the account thieves. 

Ultimately, as stated in Murphy’s Law of Economics, maybe it’s morally wrong to let suckers keep their own gold.