Subscribe
Issue No.04 - July/August (2009 vol.7)
pp: 6-7

Dear Editors, The online article by Chet Ignatowski, "How World of Warcraft Almost Ruined My Credit Rating," makes a statement in the title and the concluding paragraph makes assertions that aren't true, based on the facts as presented in the article. The article also has several serious technical errors.

These problems should be an embarrassment to IEEE and should have never made it past technical/editorial review before posting.

The author's World of Warcraft (WoW) account was hacked due to use of insecure software (Microsoft Windows I.E. 6) combined with his use of a malware site, neither of which are connected to the game (WoW) or the game vendor/operator (Blizzard/Vivendi). Yet the title blames his woes on the game itself, which is completely incorrect.

The author uses a hypothetical assumption as the basis of his assertion that WoW almost ruined his credit ("I imagined what might have happened if WoW had stored my credit-card information in its entirety...") Imagination of an untrue condition isn't justification for a statement of fact such as appears in the article title and in several paragraphs throughout the article.

The statement "a very serious real-life problem he experienced when playing World of Warcraft" is untrue, because the problem he experienced (installation of malware on his computer) happened completely outside the game, and the postulated result "almost ruined my credit rating" is based on an untrue assumption about storage of credit-card information which he acknowledges wasn't done.

He also makes an amazing technically incorrect assertion about protection against malware ("the executable didn't (and perhaps still doesn't) protect users afflicted with a keystroke logger from having their account credentials logged."). NO executable on his computer protects against having information logged by a keystroke logger, not even the antivirus (or security) software he used to discover the keystroke logger. This statement should have never made it past even a moderately computer-knowledgeable editor, especially one associated with IEEE!

The author also makes another untrue assumption about the hackers' profit ("The perpetrators in my case spent their own money to do this [$25 for a character transfer], so I guess my gold and items were worth far more than$25 to them.") The hackers who are attacking WoW accounts are invariably using stolen credit cards for character transfer fees, and this fact is acknowledged by Blizzard.

I am extremely disappointed that this article appears in the otherwise outstanding set of articles on securing online games.

David E. Price SRO, CHMM

Senior Consequence Analyst for Special Projects, CBRNE

(Nuclear, Chemical, Biological, and Explosives Accident/Safety Analyses)

Counterproliferation & Operational Intelligence Support, Z Program

Global Security Directorate

Lawrence Livermore National Laboratory

Chet Ignatowski responds: I encourage IEEE Security & Privacy to publish Mr. Price's critique of my article, as he points out many good observations. I'm not a regular reader of this publication and I gather from the many gasps and groans that lighthearted fare, such as what I wrote, isn't commonplace within the publication. The title might be misleading (I address this later), but the first paragraph ("This is a cautionary tale…") sets the tone of what to come. I would have taken no umbrage had S&P decided not to run my article, as Mr. Price suggests, in order to protect the integrity of the publication. I enjoyed writing the article as it gave me great introspection into the event, and working through the editorial process was eye-opening as well.

I did not intend to blame any woes on the game, as Mr. Price suggests. The article's title is meant to be colloquial. "How Playing World of Warcraft …" or "How Researching World of Warcraft Strategies in order to be a Better World of Warcraft Player Almost Ruined My Credit Rating" is surely more accurate, but lacks the attention-grabbing "zing" of my actual title. The article's first paragraph states clearly the very true story I unfolded for the reader. If readers weren't interested, they could choose to move on.

The article is an editorial. I feel completely justified writing about the assumptions of what might have happened had the transgressors been more aggressive in their pursuit of my virtual wealth. Those fearful thoughts are what drove me to relate this tale, as embarrassing as it is. Had I known immediately that the only real fallout from the event would have been the loss of my WoW gold, which Blizzard recovered, I wouldn't have bothered responding to the article solicitation.

As for other technical and non-technical inaccuracies, I fully admit that at the time of writing the article, I didn't know the intricacies of keystroke loggers. Further, the fact that Blizzard acknowledges this is done with stolen credit cards didn't come up in my research, and I should have worded the character transfer comment as "I did not spend \$25 to transfer the character." I thank Mr. Price for pointing out these flaws.

Upon reflection, I would expand the point I want the reader to conclude when finishing the article. Initially, the point was just that there should be no assumption of security, given that the major components that allow playing World of Warcraft come from large and "trusted" organizations. I did not take into account the ultimate component, the Internet itself; there's no way of completely securing the Internet, besides perhaps never using it.

In retrospect, at the time of my security breach, I never realized that someone's pursuit of my WoW riches would lead to identity theft. I was familiar with email-based security breaches—who in corporate America didn't receive an email 12 years ago because some acquaintance clicking on the "AnnaKournikova.vbs" attachment to an email then flooded the poor sap's address book? If I was researching Drupal administration best practices, as I am doing now, and I came across a sketchy URL, I would never think of clicking it. The fact that someone would want to access my personally identifiable information through a Web site link purporting a WoW-related subject never entered my mind. I place this blame solely on myself.