Suggested change to login process

While looking through my Spam folder today, the thought occurred to me that one aspect of Blizzard's authenticator system makes it easy to launch a systematic spear phishing campaign against World of Warcraft users.

When you try to log in to or to World of Warcraft, the system performs the following steps:

1. Enter email address and password
2. Ask the server whether the account with that email has an authenticator
3. Prompt for the authenticator code
4. Check both the password and the authenticator code
5. Log in

Because the authenticator prompt comes before the password check, the system asks for the authenticator code even when the password entered is incorrect.

The issue with this is that, given a list of email addresses, a phishing group could attempt to log in to each of them. If the login prompts for an authenticator, they know the account has one attached. Since the farmers have the resources for a wide-spread account takeover operation, it would then be a simple matter to have their phishing site ask for the authenticator code when needed. Since Blizzard has assured users that only Blizzard knows whether an account has an authenticator, this would give the phishing site an extra level of credibility.

I believe that Blizzard should change this order so that the authenticator code is not requested until the password has been verified as correct. It would add another step to the login process, but given Blizzard's recent change to prompt for the authenticator only randomly and on unknown computers, I feel it would greatly decrease the chance that people with authenticators would fall for phishing scams.
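To make the difference between the two orderings concrete, here is an added example (not Blizzard's code; the account store, e-mail addresses, passwords and response strings are all constructed for illustration). It models the first server reply of a login attempt two ways: the current order, which decides whether to show the authenticator prompt before the password is checked, and the suggested order, which checks the password first. The `leaks_authenticator_status` check shows that, with a wrong password, only the first ordering answers differently for an account with an authenticator than for one without.

```python
import hashlib
import hmac
import os

# Constructed sample account store (illustrative, not Blizzard's schema):
# email -> salted password hash plus whether an authenticator is attached.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def _make_account(password: str, has_authenticator: bool) -> dict:
    salt = os.urandom(16)
    return {"salt": salt,
            "pw_hash": _hash_password(password, salt),
            "authenticator": has_authenticator}

ACCOUNTS = {
    "with-auth@example.com": _make_account("correct horse", True),
    "no-auth@example.com": _make_account("battery staple", False),
}

# Dummy account so that an unknown e-mail costs the same hashing work as a
# known one (avoids a separate timing hint about which addresses exist).
_DUMMY = _make_account("unused", False)

def _password_ok(email: str, password: str) -> bool:
    acct = ACCOUNTS.get(email, _DUMMY)
    candidate = _hash_password(password, acct["salt"])
    match = hmac.compare_digest(candidate, acct["pw_hash"])
    return match and email in ACCOUNTS

def flawed_first_response(email: str, password: str) -> str:
    """Order described in the post: decide whether to prompt for the
    authenticator before the password has been checked."""
    acct = ACCOUNTS.get(email)
    if acct is not None and acct["authenticator"]:
        # Shown whether or not the password is right, so this reply alone
        # tells the caller that the account has an authenticator.
        return "PROMPT_AUTHENTICATOR"
    return "LOGGED_IN" if _password_ok(email, password) else "LOGIN_FAILED"

def fixed_first_response(email: str, password: str) -> str:
    """Suggested order: verify the password first; only then prompt."""
    if not _password_ok(email, password):
        return "LOGIN_FAILED"
    acct = ACCOUNTS[email]
    return "PROMPT_AUTHENTICATOR" if acct["authenticator"] else "LOGGED_IN"

def leaks_authenticator_status(first_response) -> bool:
    """True if a wrong password yields different replies for an account
    with an authenticator and one without, i.e. the reply is an oracle."""
    wrong = "definitely-not-the-password"
    return (first_response("with-auth@example.com", wrong)
            != first_response("no-auth@example.com", wrong))

if __name__ == "__main__":
    print("current order leaks:", leaks_authenticator_status(flawed_first_response))
    print("suggested order leaks:", leaks_authenticator_status(fixed_first_response))
```

The fixed version returns the same `LOGIN_FAILED` reply for a wrong password, an unknown address and an account with an authenticator, so the only way to learn that the second prompt exists is to already know the password.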

Shared with Blizzard on 2011-08-16 at

