Filed under: Account Security

Blizzard has come through with its promise of updated and more expansive options for its controversial Real ID feature, connecting Blizzard's games through use of real names as identifiers. The new options allow you to opt out of being listed in the "Friends of Friends" of other users, to deactivate the ability to be seen in Starcraft II's Facebook feature, or to turn off Real ID altogether.

To change your Battle.net privacy options, log in to your account's Battle.net management page and select Settings, then Communication Preferences.

Now all we need is an "go invisible" feature on Real ID, like most instant message clients have, and I'll be a happy Real ID user.

The full announcement by Nethaera is below:

Nethaera -- New Battle.net Privacy Settings

We'd like to make you aware of the new Real ID-related privacy options we've introduced to Battle.net. These options provide Real ID users with additional tools for customizing the service based on their preferences, enabling the ability to opt in or out of the Real ID "Friends of Friends" and "Add Facebook Friends" features or to turn off Real ID altogether.

Real ID offers an optional, convenient way for keeping in touch with real-world friends you know and trust, whether they're playing World of Warcraft, StarCraft II, or one of our future games. The "Friends of Friends" and "Add Facebook Friends" features provide you with even more options to stay connected while you play by making it easier for real-life friends to locate each other on Battle.net. You can easily enable or disable these features through your Battle.net privacy settings by logging in to your Battle.net account at http://www.battle.net/.

source

World of Warcraft accounts have been under siege for years, with hackers and gold-selling outlets stealing passwords, items and more to fill their coffers, selling that gold to unwitting buyers. Blizzard has fought back incessantly over the years to stem the tide of gold farming and account hacking, and as you can imagine, the scale at which this happens is very tasking on its customer support department.

Blizzard has just announced a new, speedier way to get help and answered about your hacked account, stolen items, authenticator issues and more! Now, under the new system, you will not have to email or call Blizzard to get these matters into its queue -- simply use the Account Recovery Form.

The Cataclysm beta currently features a Requires Authenticator checkbox in the guild controls for each rank in a guild. Once activated for a rank, you cannot promote someone to that rank unless he or she is using an authenticator. At this time, the highest rank below Guild Master defaults to Requires Authenticator's being checked, and all other ranks default to its being off.

This is a much more reliable tool than making members show their Core Hound Pup in order to get guild bank privileges, which was really the only way to verify authenticator use before. Of course, this is the beta, and that means the functionality may change drastically before making it to live, if it does. I predict, however, that Blizzard will try its very best to release this setting, as its use should reduce time spent recovering stolen bank items.

Guild leaders, will you use this feature? Guild officers, what is your opinion of this change?

---

World of Warcraft: Cataclysm will destroy Azeroth as we know it; nothing will be the same! In our Guide to Cataclysm, you can find out everything you need to know about WoW's third expansion, from brand new races to revamped quests and zones. Visit our Cataclysm news category for the most recent posts having to do with the Cataclysm expansion.

---

This Breakfast Topic has been brought to you by Seed, the Aol guest writer program that brings your words to WoW.com.

Hacked! It is not fun, and it happens more than anyone would like to admit. Gear, gold and pride, all pilfered by some stranger.

It starts with a simple email from Blizzard. Hmmm, it's my first-ever email from Blizzard that causes immediate concern. It says that my account has been "banned and deleted" for buying or selling in-game gold for profit. I am stare at it in shock for a minute ... Is this a joke? My heart starts racing. I run back to my office computer to figure out what to do, and my head starts spinning in confusion. My immediate emotional response catches me off guard ... My head starts to pound. All that work, all that time, all the friends ... just gone ...

And then the high-level anger sets in, as logic begins to prevail. Wait, I never bought gold. I never even considered it! What is going on? I jump online and write an appeal with blazing speed, fueled by my troll rage. In retrospect, this was not exactly the smartest move and probably served to delay my account restoration. I recall that it read something like this ...

Blizzard announced via the customer support forum that it will take proactive steps to quell some of the unsavory behavior on Moon Guard (US), a server notable for its infamous Goldshire inn naughty shenanigans. After a father posted about canceling his son's account because of the general and trade chats on the Moon Guard server, Blizzard customer service responded in definitive terms -- Moon Guard's Goldshire will be actively "patrolled" by customer service team members.

Check out the full Blizzard response after the break.

We've talked before about using parental controls to opt out of Real ID and we've talked about the new Battle.net site, but we haven't actually talked about setting up an account for your child ... until now.

The gallery below is a walk-through on what settings are available and how to set them up for your child. If you are taking the route of electronically limiting your child's play time, I highly recommend setting up both limitations and a schedule. This way, you don't have to be constantly checking to see if your child is playing outside his approved play schedule. However, it's a very good idea to look over your child's shoulder to make sure he's not griefing the locals or using language that previous generations would wash out mouths for.

For a while now, account thieves have been putting authenticators on their stolen accounts to buy more time for their scumbaggery. Blizzard has recently made that more difficult by requiring email confirmation when an authenticator is added to a Battle.net account. Rather than just logging in and putting in the appropriate information, you now have to follow the steps in a confirmation email sent to the address registered in your Battle.net account.

Note: Changing the email address on the account requires not only your password (which the account thieves already have at this point) but also the answer to your security question. So make sure the answer to your security question is not guessable or obtainable by any phishing information. As I have suggested before, if you use a password for your security answer rather than an actual answer, you are adding a very thick level of security. Make it a separate password you use just for security questions, like p45sw0rd (don't use that one).

We don't know how long ago Blizzard added email confirmation The email confirmation has been active since July 27 and we believe it will reduce the workload of Blizzard's customer service. More importantly, this will make getting your account back less painful.

Of course, the best way to prevent someone from stealing your account and then adding an authenticator to it is to put an authenticator on it yourself. There are keyfob and mobile versions available.

[Thanks for the tip, Joel!]

• no current plans for an online handle to be used in game with Real ID instead of your name
• feature to disable your name's appearance in Friends of Friends list coming around the time of StarCraft II
• plans for some sort of unique ID on the WoW forums

The full announcement is after the break.

Yesterday we sent an e-mail to a number of consumers who wrote to us in recent days expressing their concern with respect to Blizzard's Real ID program. Given the large number of messages we received, we decided to respond with a mass e-mail so those who'd written us would receive our response as quickly as possible - rather than responding to each message individually, as is our usual practice.

Through an unfortunate error by one of our employees, some recipients were able to see the e-mail addresses of others who wrote on the same issue. Needless to say, it was never our intention to reveal this information and for that we are genuinely sorry. Those who write to ESRB to express their views expect and deserve to have their contact and personal information protected. In this case, we failed to do so and are doing everything we can to ensure it will not happen again in the future.

The fact that our message addressed individuals' concerns with respect to their privacy underscores how truly disappointing a mistake this was on our part. We work with companies to ensure they are handling people's private information with confidentiality, care and respect. It is only right that we set a good example and do no less ourselves.

We sincerely apologize to those who were affected by this error and appreciate their understanding.

Sincerely,
Entertainment Software Rating Board

I am glad that the ESRB apologized, and it is telling that they have also acknowledged how ridiculous the mistake was in light of the subject matter. Suffice it to say, good on the ESRB for not only apologizing but understanding the issues present over online privacy. Hopefully this whole debacle can be used as a teaching moment.

One of the sadder parts of this job is reporting on the numerous scams that sweep across the World of Warcraft landscape. It's no secret that your WoW account is valuable to thieves -- the entire gold-selling industry is built on a foundation of hacked accounts and stolen items.

Their latest scam vehicle? Our inherent desire for sparkle ponies. Let's get two things straight off the bat:

1. You did not just win a free Celestial Steed mount. That in-game tell is an attempt to steal your account.
2. No one just bought you a Celestial Steed mount. That email you got is an attempt to steal your account

If it sneaks by your spam filter, the latest scam email can be quite convincing. The message, which appears to be from sales@mail.blizzard.com, masquerades as a receipt for the purchase of the $25 Celestial Steed mount. Of course, the email is not actually from Blizzard (the "from" email is spoofed), and the links to Battle.net and Worldofwarcraft.com inside send you to a phishing website designed to steal your password or infect your computer with a keylogger.

Attempt to collect your sparkle pony, and within a few short hours, your entire account will be under someone else's control. If you haven't put an authenticator on your account, the scammers will do it for you, locking you out of your own account and severely hampering your ability to get it back.

More information on the latest scam, what you can do to protect yourself and what to do if you're a victim, all after the break.

Update: The ESRB has since issued an apology.

During the recent Real ID catastrophe on the forums, many players decided to appeal to an industry source that might have been able to sway Blizzard to change its mind. These players contacted the ESRB (Entertainment Software Rating Board) as a Better Business Bureau-type middleman in this situation with their concerns. The ESRB itself has championed such causes in the past with its Privacy Online program, which is designed to help companies meet various privacy laws like the Children's Online Privacy Protection Act (COPPA).

Since Blizzard recanted its decision about the forums, the ESRB faithfully followed up with those concerned.

Unfortunately, in that followup email, the ESRB exposed individuals to a new set of privacy concerns.

The letter and more information after the break.

This is not a discussion of the good (yay, crossrealm chat!) and the bad (boo, privacy fail) of Real ID. This is a guide for how to truly opt out of this feature and how to adjust the settings if you do participate in game.

To be clear, everyone who does not have a parentally controlled account has in fact opted into Real ID, due to a security flaw. Addons have access to the name on your account right now. So you need to be very careful about what addons you download -- make sure they are reputable. In order to actually opt out, you need to set up parental controls on your account. This is not an easy task. Previous to the Battle.net merge, you could just go to a page and set them up. Done. Now, you must set up an account as one that is under parental control. Once your account is that of a child's (a several-step process), your settings default to Real ID-disabled. Any Real ID friends you have will no longer be friends. In order to enable it, you need to check the Enable Real ID box.

Setting up parental controls:

1. Go to the appropriate battle.net site for your region. (That link should take you there.)
2. Push the Create or Manage a Battle.net Account button.
3. Log in as normal.
4. Click on Parental Controls, which is an option listed under Manage My Games. (And, if you're like me, you'll be sad that you are still not in the beta.)
5. Choose the No - Setup Parental Controls button.
6. Fill in your info as both the child's account and your own. (Why they make this distinction, I don't know. Parental controls always used to be an option for adults to manage their own game time.)
7. You will receive an email. You need to save this email, because the link in there is the only way to get to the parental controls. Otherwise, you have to make Blizzard resend it. Click the link to get into the controls.
8. Save Settings and then be told it will take up to 30 minutes to go into effect.

That is how to opt out. How to optimize opting in is after the break.

When Blizzard first announced the Real ID concept at last year's BlizzCon, it seemed like a promising idea. The ability to keep in touch with real-life friends across realms and even across different Blizzard games seemed like something World of Warcraft needed, what with some real friends being separated by faction or realm. With new games on the horizon, it also seemed cool to be able to call someone playing Starcraft 2 and pull them into Azeroth if you lacked one more member for that heroic dungeon.

Sure enough, when Patch 3.3.5 was implemented, I had a lot of fun hooking up with my real friends on other servers, and it was truly awesome to be able to chat with them even if we weren't on the same faction or even realm. Of course, after a while, it became clear that there was just no way to turn it off -- I always knew what my real friends were up to, from running dungeons to putting up auctions on an alt or griefing lowbies on a character previously unknown to me. This also meant it was impossible for me to jump onto a low-level alt on some low-population server for some mucking around without their knowing. Not that my friends were ever going to intrude or anything, but there just wasn't any real personal time with my Real ID status always being broadcast.

Yesterday, it got even stranger. Blizzard suddenly announced that the new forums would display everyone's real first and last names if they chose to post on them. For some reason, Mark Zuckerberg's idea of opt-in privacy is becoming the norm. The Facebook founder has said that when people share more, the world becomes more open and connected. It's a maverick notion, and people always have the option to keep mum on things, after all. In many ways, it works for social media. And there's the rub.

If you're using a mobile authenticator on any kind of phone or mobile device, it's important to remember that it's fairly easy to ensure that you can use it again quickly after the phone gets any sort of update or patch.

All you need to do is write down the serial number of the authenticator application you have on your phone. This way, if you need to deauthorize for any reason (or an update causes any issues) you can do so quickly and easily at battle.net without having to wait for a phone service call or what have you.

This is particularly important for those folks getting the latest iPhone OS, iOS 4. If the upgrade goes haywire for any reason, you'll likely lose all your data off the phone; including the authenticator serial number. This means if you're going to upgrade your iPhone, iPod Touch, or iPad to iOS 4, you must write down your authenticator serial number to be safe.