Password-stealing malware targeting popular MMORPGs such as World of Warcraft has become so prevalent that game developers are taking their authentication model a step further by introducing two-factor authentication. And while marketable, is the new authentication layer actually useful in a real-life situation? It depends. From Blizzard's press release:
"Blizzard Entertainment, Inc. today introduced an optional extra layer of security for World of Warcraft®, its award-winning massively multiplayer online role-playing game. Designed to attach to a keychain, the lightweight and waterproof Blizzard® Authenticator is an electronic device that generates a six-digit security code at the press of a button. This code is unique, valid only once, and active for a limited time; it must be provided along with the account name and password when signing in to the World of Warcraft account linked to it.
This optional security measure will be available for a cost of €6.00 at the 2008 Blizzard Entertainment Worldwide Invitational, which takes place June 28-29 in Paris, France. In addition, the Blizzard Authenticator will be made available for purchase via Blizzard Entertainment's European websites in the near future for a cost of €6.00 plus shipping.
"It's important to us that World of Warcraft offers a safe and enjoyable game environment," said Mike Morhaime, CEO and cofounder of Blizzard Entertainment. "One aspect of that is helping players avoid account compromise, so we're pleased to make this additional layer of security available to them."
Mike Morhaime's comment speaks for itself: two-factor authentication cannot prevent account compromise on a host that is already malware-infected, since the malware has already captured and sent back the account credentials. What two-factor authentication aims to achieve is to ruin the efficient approach of abusing the hundreds of thousands of already-obtained passwords, by making a captured password worthless without a fresh code. And as always, it's usability versus security, since there are ways to bypass the two-factor authentication.
For instance, two-factor authentication is still optional, meaning that a great number of gamers won't bother adopting it, and the more of them there are, the more likely it is that the old-fashioned management of hundreds of compromised accounts will continue in its current form. With the number of people playing MMORPGs nowadays, the proportion of gamers not using two-factor authentication would remain vulnerable to the current types of password-stealing malware. Timing is everything, and the worldwide launch of the token shouldn't have been announced before it was available to every gamer out there, since I anticipate "a wholesale summer promotion of stolen goods" before the compromised account holders associate their accounts with the Blizzard Authenticator and start using it.
As for the future development of malware targeting WoW gamers, a propagation vector Storm Worm used in early 2007 is the perfect analogy for what's to come. Besides using bogus Blogspot accounts, Storm Worm-infected hosts waited for the end user to authenticate herself at legitimate blogs and forums, filling in the CAPTCHAs that Storm Worm could not break and did not need to. Once the end user had authenticated, the now-authenticated Storm Worm started posting links and blog posts redirecting to malware. The malware patiently waits for the end user to hand it access to her assets. This is exactly what we've been seeing on the e-banking malware front since 2007, and what we'll be seeing in password stealers in the short term: adapting to the authentication process and bypassing it entirely with the help of the malware-infected gamer, a situation where SSL and two-factor authentication aren't an obstacle, because the malware acts through the session the legitimate user has already opened.
Since stolen passwords are a commodity, but a stolen password alone no longer lets an attacker authenticate remotely once the token is in use, password stealers for MMORPGs have the potential to mature into automated virtual asset stealers, which is what they are after anyway.
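To make the two points above concrete, here is a toy model written for this post (example code, not anything from Blizzard or from the malware discussed). The six-digit code is modelled as a time-based HMAC one-time code with a 30-second step and a last-used-step check, which is an assumption: the press release only says the code is unique, valid once and time-limited, not how the Authenticator derives it. The account, seed, inventory and the two scenarios are constructed. The first scenario replays keylogged account name, password and code from another machine, which the one-time code defeats; the second has malware on the player's own machine wait for the legitimate login and then act through the authenticated session, which the code does nothing against.

```python
"""Toy model: password + one-time code login, and why it does not help an already-infected client.
Added example for this post; all names, seeds and inventories are constructed."""
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 30  # assumed validity window; the real device's period is not stated on the page


def otp_code(secret: bytes, timestep: int) -> str:
    """Six-digit code from a shared seed and a time step (RFC 4226/6238-style dynamic truncation)."""
    digest = hmac.new(secret, struct.pack(">Q", timestep), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


class FakeClock:
    """Deterministic clock so the scenarios are reproducible."""
    def __init__(self, t: int = 1_000_000):
        self.t = t

    def __call__(self) -> int:
        return self.t

    def advance(self, seconds: int) -> None:
        self.t += seconds


class Authenticator:
    """The keychain token: shares a seed with the server and shows the code for the current step."""
    def __init__(self, secret: bytes, clock):
        self.secret, self.clock = secret, clock

    def press(self) -> str:
        return otp_code(self.secret, self.clock() // STEP_SECONDS)


class GameServer:
    """Constructed game account server with one account and an item inventory."""
    def __init__(self, clock):
        self.clock = clock
        self.accounts = {"gamer1": {"password": "hunter2", "seed": b"constructed-seed-01", "last_step": -1}}
        self.inventory = {"gamer1": ["epic sword", "1000 gold"], "mule": []}
        self.sessions = {}  # session token -> account name

    def login(self, user: str, password: str, code: str):
        acct = self.accounts.get(user)
        if acct is None or not hmac.compare_digest(acct["password"], password):
            return None
        step = self.clock() // STEP_SECONDS
        # Accept the current or previous step (clock skew) but never a step already used:
        # this is what makes the code "valid only once" and "active for a limited time".
        for s in (step, step - 1):
            if s > acct["last_step"] and hmac.compare_digest(otp_code(acct["seed"], s), code):
                acct["last_step"] = s
                token = secrets.token_hex(16)
                self.sessions[token] = user
                return token
        return None

    def transfer_all(self, token: str, to_user: str) -> bool:
        """Move every item of the session owner to another account; the kind of action a thief wants."""
        user = self.sessions.get(token)
        if user is None:
            return False
        self.inventory[to_user].extend(self.inventory[user])
        self.inventory[user] = []
        return True


def scenario_replay_stolen_login():
    """A keylogger captured account name, password and code; the attacker replays them from elsewhere.
    Returns (victim_login_ok, replay_in_same_window_ok, replay_two_minutes_later_ok)."""
    clock = FakeClock()
    server = GameServer(clock)
    token = Authenticator(server.accounts["gamer1"]["seed"], clock)
    code = token.press()
    victim = server.login("gamer1", "hunter2", code)          # legitimate login succeeds
    replay_now = server.login("gamer1", "hunter2", code)      # same code again: already used
    clock.advance(120)
    replay_later = server.login("gamer1", "hunter2", code)    # code has expired
    return victim is not None, replay_now is not None, replay_later is not None


def scenario_infected_host_rides_session():
    """Malware on the player's own machine waits for the real login, then acts through that session.
    Returns (transfer_ok, mule_inventory)."""
    clock = FakeClock()
    server = GameServer(clock)
    token = Authenticator(server.accounts["gamer1"]["seed"], clock)
    session = server.login("gamer1", "hunter2", token.press())  # the player authenticates normally
    # The malware never needs the password or the code: it reads the live session from the client.
    ok = server.transfer_all(session, "mule")
    return ok, server.inventory["mule"]


if __name__ == "__main__":
    print("replay of stolen credentials:", scenario_replay_stolen_login())
    print("infected host rides session:", scenario_infected_host_rides_session())
```

The one-time code closes the path the press release is aimed at (a harvested password replayed from the attacker's own hosts), but the second scenario needs no credentials at all, only a foothold on the client that is already talking to the server, which is exactly the position a password stealer already has.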