Security Professionals - ipfw add deny all from eindgebruikers to any

Article Authentication of Guild Wars 2 and World of Warcraft

17-06-2013, 22:32 by FoodableNoodles, 1 comment
This is an article I had to write and publish for a class at college. Please read and take the time to comment if you can, it would be greatly appreciated. I am especially curious as to whether my recommendation is a decent one.

*Authentication and account retrieval in Guild Wars 2 and World of Warcraft*

In this article you will find information on how the authentication systems in the most popular massive multiplayer online roleplaying games (MMORPGs) work, followed by the methods and security of account retrieval, the cost of playing the game, Dutch law involving hacked accounts and concluding with a recommendation for both MMORPGs on what the realistic amount of authorization is compared to the cost. The MMORPGs covered in this article specifically are Guild Wars 2 and World of Warcraft.


*Authentication*
In this paragraph, you will find information on what level of authentication is required for Guild Wars 2 and World of Warcraft.

*Guild Wars 2*
Guild Wars 2 (GW2) is an online game that has been released in August 2012. When registering for GW2, it is required to fill in a username and password, as well as an e-mail address. To play, it is required to fill in a valid username and password combination. Upon first login, this will present you with a message saying “Since you're logging in from a new IP address, you're required to authenticate using the e-mail that has been sent to you”. The user then receives an e-mail with a link from which you can allow yourself to log into the game. Conclusively, when you log into the game from your own home IP, logging in requires a 1-step authentication. When logging in from a new IP, GW2 uses 2-step authentication.

*World of Warcraft*
World of Warcraft (WoW) is an online game that has been released in November 2004. To register for World of Warcraft, you are required to fill in your username, password, an e-mail address, a secret question and the user code given with the official game or one of the expansions. To log into WoW, it is required to fill in a username and password. Users have the option to use an authenticator from either the battle.net website, or a mobile application for Android, iPhone, BlackBerry and Windows 7 phones. The authenticator gets connected to the user's account, and upon login the game asks the user for a code from the authenticator.


*Account Retrieval*
In this paragraph, you will find information on which steps need to be taken in order to retrieve your account after it has been hacked.

*Guild Wars 2*
To retrieve your account in Guild Wars 2, it is required to send a support ticket through the official website. In this e-mail, it should state your account name, your display name and the serial code displayed on the box.

*World of Warcraft*
If your account gets hacked, there is a way to get your account back. There is a Blizzard support center which allows you to answer a number of questions to get your account back. This method requires you to fill in your e-mail address, first name and last name. It then offers you three options for account retrieval. The first one is to answer the secret question you filled in upon registering. The second one asks you to fill in a part of the authentication code stickered onto the game cover. And the third option is available if you can't answer the first two, which requires you to upload a scan of your ID-card, fill in which game you last played and when.

Restoration of characters is always possible, but restoration of items may or may not be possible, depending on the item. Which method of restoring items and characters World of Warcraft uses cannot be found.


*Cost*
In this paragraph, you will find information on how much the game costs to play. This is based on the current status of the game, including expansions, and the amount of time played converted to minimum wage per hour in the Netherlands. To have comparable data between the two games, the timespan will cover half a year.

*Guild Wars 2*
To have a full version of Guild Wars 2, the only thing required is to buy the official game at a cost of €39.99. Guild Wars 2 currently has no expansions available, as it has only been launched 9 months ago.

Players of Guild Wars 2 spent an average of 38 hours a week playing the game, based on information given by 52 players sharing their game time with the world. Playing for 38 hours a week results in a total amount of 1007 hours played in the period of half a year. Combining this with the Dutch minimum wage of €8.53 per hour, this results in a total cost of €8589,71 over a half year period. This brings the total value of a Guild Wars 2 account played for 1007 hours for half a year up to €8629,70.

Guild Wars 2 also has a currency called gems to use in the auction house, which can be bought with real money. However, as the spending varies heavily per person, these numbers have been left out of the cost calculation.

*World of Warcraft*
To have a full version of World of Warcraft, you need to buy the original game and several expansions. The World of Warcraft Battlechest costs €14.99, and contains World of Warcraft, The Burning Crusade expansion and the Wrath of the Lich King expansion. On top of this comes the Cataclysm expansion at a cost of €19.99 and Mists of Pandaria for €34.99. To play the game, a monthly subscription fee is required, coming up to €65.94 for half a year. On top of the game, you can buy an authenticator for your account at the cost of €9.99. Over a period of half a year, the total cost is €145.90.

Players of World of Warcraft play an average of 21 to 22 hours a week playing the game, based on a survey held under 4000 players. For calculation purposes we will use 21 hours a week. Playing for 21 hours a week for half a year equals 546 hours. The minimum wage in Holland is €8.53 per hour, for a full-time job. This results in a total cost of €4657.38 over a half year period. This brings the total value of an account played for 21 hours a week for half a year up to €4813.27.

World of Warcraft also has items in-game which can be bought with real money off of the official website. However, as the spending varies heavily per person, these numbers have been left out of the cost calculation.


*Dutch law involving hacked accounts*
Note to readers: This information is only useful in the case of a Dutch citizen stealing your account or items. It is near impossible to prosecute someone from abroad, as it is a national law, and therefore not applicable in international cases.

Following precedent, it is illegal to steal someone else's items in a game in the Netherlands. This is based on case number BQ9251, in which the suspect forced the victim to log into his Runescape account and trade his virtual mask and amulet to the suspect. The virtual masks have been defined as goods, due to the fact that they had a real value to the suspect as well as the victim. Due to this precedent, it is possible for a Dutch citizen to prosecute another Dutch citizen in case of a stolen account or stolen items.


*Recommendation*
In this paragraph you will find my opinion on the strength of the authentication and account retrieval system based on the facts listed above. This recommendation is pure personal opinion based on facts, and any disagreement is encouraged in the comments below this posting.

*World of Warcraft*
As the initial monetary investment for World of Warcraft over the first half year is €145.90, which is relatively high, combined with the fact that World of Warcraft requires a subscription fee per month, which means that you will be paying to play this game for the rest of your WoW gaming career, a high level of account security and authentication is required. Combining the money investment and time investment leads to a total account value of €4813.27, which is the equivalent of 2 and a half months' salary, in half a year's time.

As the creators of World of Warcraft realized, the value of accounts is so high, that it is required to properly protect an account. By allowing a user to upgrade their protection from a 2-step to a 3-step authentication using the authenticator, and requiring a user to verify their ownership of their account in multiple ways, it is my opinion that the current methods of authentication and account retrieval are at the required level for the worth of the account.

*Guild Wars 2*
The initial monetary investment for Guild Wars 2 is low compared to that of World of Warcraft. The cost over the first half year is €39.99, with no monthly subscription fee. As the monetary investment is relatively low for a massive multiplayer online roleplaying game, it seems only reasonable that Guild Wars 2 has a standard 1-step authentication with a maximum 2-step authentication. However, based on research, Guild Wars 2 players spend a considerable amount of time playing the game, leading to a time investment worth €8589,71 over the period of a half year. The cost of loss in this case is very high, almost double the cost of losing a World of Warcraft account.

As this is the case, my personal opinion is that Guild Wars 2 doesn't have the required level of security for authentication and account retrieval. The chances of being hacked are considerable, specifically when your e-mail address has been hacked, and in case of loss of your account due to being hacked, if you do not have your serial code from the original box, it is near impossible to retrieve your account. Due to this, I would advise Guild Wars 2 to introduce an authenticator in the way World of Warcraft has done, and offer alternatives to prove your ownership of an account in case of it being hacked.


Sources:
Forums:
http://www.guildwars2guru.com/topic/62756-whats-your-played-time/
https://forum-en.guildwars2.com/forum/game/gw2/Average-play-time
http://www.guildwars2forum.com/threads/11554-Time-Played-On-Average
https://forum-en.guildwars2.com/forum/game/players/Share-and-post-your-Lifetime-Statistics
Yee, WoW Demographics
http://www.nickyee.com/daedalus/archives/001365.php
Court case BQ9251
http://zoeken.rechtspraak.nl/detailpage.aspx?ljn=BQ9251
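
The new-IP e-mail check described for Guild Wars 2 under *Authentication*, sketched as an added example (not part of the original post and not the game's actual implementation). The class and method names, the 15-minute link lifetime and the PBKDF2 parameters are assumptions; the point to notice is that opening the e-mailed link is the only thing standing between a correct password and an approved new address.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60  # assumed lifetime of the e-mailed link, in seconds

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class LoginService:
    def __init__(self):
        self.accounts = {}  # name -> (salt, password hash, set of approved IPs)
        self.pending = {}   # sha256(link token) -> (name, ip, expiry)

    def register(self, name, password, ip):
        salt = secrets.token_bytes(16)
        self.accounts[name] = (salt, _pw_hash(password, salt), {ip})

    def login(self, name, password, ip, now=None):
        """Return ('ok' | 'denied' | 'email_sent', link token or None)."""
        now = time.time() if now is None else now
        record = self.accounts.get(name)
        if record is None:
            return "denied", None
        salt, stored, approved_ips = record
        if not hmac.compare_digest(stored, _pw_hash(password, salt)):
            return "denied", None
        if ip in approved_ips:
            return "ok", None               # step 1 only: known address
        token = secrets.token_urlsafe(32)   # step 2: link sent to the account e-mail
        key = hashlib.sha256(token.encode()).hexdigest()  # store only the hash
        self.pending[key] = (name, ip, now + TOKEN_TTL)
        return "email_sent", token

    def approve(self, token, now=None):
        """Called when the e-mailed link is opened; approves that one IP."""
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(key, None)  # single use, consumed even if expired
        if entry is None:
            return False
        name, ip, expiry = entry
        if now > expiry:
            return False
        self.accounts[name][2].add(ip)
        return True
```

A correct password from an unapproved address never returns `ok` until `approve` succeeds for that exact address, and a used or expired link approves nothing.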
Comments (1)
19-06-2013, 09:35 by ProLibertate
While I can't really argue with the facts you have given I can argue with the conclusions you draw. One of my big concerns is the monetary value you put on accounts used for gaming purposes? If somebody spends time gaming they obviously do not spend it working. To say time equals money is only true in certain circumstances as there is a limit to how much work and thus how much money one person can put into one day without going insane.

If we however do classify all time with a monetary value I would not put the minimal wage on it. There are a few problems with that.

Minimal wage says nothing about the average wage of the people playing it. For instance children will make less than adults while they can still play the game. You might have people on welfare playing the game. While at the same time very few people that do work actually make minimal wage, most make more, not necessarily a lot but still more. So you would have to find an average to put a proper value on it. Now this average would be incredibly difficult to find, but it would give a fairer representation. For instance it could lead to the conclusion that while people playing GW make an average of 9,47 an hour people playing WoW make 12,49. A rather big difference.

You also seem to argue that the value placed on the game should be based only on the value of the account based on a six month period. However WoW has been out for several years, somebody who played it often a year ago and not so much now could still value his or her account far more than the number you put on it. In my personal opinion the likelihood of a WoW account having great value is higher than the likelihood of a GW account having that same or even greater value to the individual.

As for the entire security around it, I personally don't think GW is lacking in security. 2-factor authentication is already better than what most offer, that your e-mail account might be compromised is hardly their fault or responsibility. If you want 3-factor authentication or fear the loss of your account you could also take more responsibility yourself, by for instance not using one e-mail address for everything. Creating strong passwords and checking them every now and then.
Furthermore account retrieval does not seem to be limited to just one e-mail, and if you have the information required you would probably get your account back, so I don't see the real problem here.