Is Blizzard's Diablo III Real Money Auction House Opening Them Up For More Trouble?

It looks like the gang behind Diablo III still feel their servers are secure enough to go ahead with their Real Money Auction House. This is where you can spend real money for virtual items that are collected in the game world. Blizzard gets a cut of the money that changes hands, so we understand why they are pushing ahead, but what we do not get is how they can continue to move forward on this when they have had so many unanswered security questions.

Since the launch of the game Blizzard has had numerous account hacks, compromises and even servers that had to be shut down due to bots that were replicating items (Blizzard says that any cheating will earn a lifetime ban). So with all this in mind is Blizzard looking at a new source of revenue or a lawsuit waiting to happen?

On the one hand, Blizzard is thinking that all of the compromised accounts are user error (just read the Battle.net forums for that). To get around this they are requiring the use of their authenticator. This extra step in the login process is designed to prevent unauthorized access to a user’s loot by using a two-step authentication process.

Many secure VPNs use something similar, where you associate a serialized token with an account. When you log in using that account, your token will generate a random number that you must enter to authenticate. Each token will generate a specific range of numbers based on the encryption key that is coded into it. Normally this is an exceptionally secure way to do things; however, even this system has been cracked before.

In January of 2011 smart card authentication for government systems was cracked through the use of compromised servers and PCs inside the network. They were able to get a proper token by redirecting the request to an authenticated system (which happily supplied the token). In the majority of cases the hack required the use of targeted malware and keyloggers but the researchers said that it was not always the case.

Even as far back as July 2006, token-based security was cracked with a man-in-the-middle attack. At that time the attackers used specialized sites to trick users into entering the security token. This was forwarded on to the actual bank servers, where the information was accepted, and the attackers had access to the user’s banking information.

This last one is one way that some feel the Diablo III accounts are being compromised. All it takes is one hijacked or compromised login server to allow this type of theft. Now that real money is involved, there is a much greater likelihood that someone is going to file suit against Blizzard for negligence if their information (credit card, etc.) is lifted and can be traced back to the online auction house.
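The token scheme and the forwarded-code problem described above can be seen in a small verifier. This is an added example, not code from the article or from Blizzard; it assumes the generic time-based one-time password construction of RFC 4226/6238 (the article does not say which algorithm any of these tokens use), and the secret and timestamps are constructed test values.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds each code stays current (assumed, RFC 6238 default)
DIGITS = 6   # code length (assumed)

def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(key: bytes, now: int) -> str:
    """What the token displays at Unix time `now`."""
    return hotp(key, now // STEP)

class Verifier:
    """Server side: accept a code within +/- `window` steps, each step only once."""
    def __init__(self, key: bytes, window: int = 1):
        self.key, self.window, self.last_used = key, window, -1

    def verify(self, code: str, now: int) -> bool:
        current = now // STEP
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_used:
                continue  # replay protection: a consumed step never validates again
            if hmac.compare_digest(hotp(self.key, step), code):
                self.last_used = step
                return True
        return False

def demo() -> dict:
    key = b"12345678901234567890"  # constructed secret (RFC 4226 test key)
    server = Verifier(key)
    t = 59                          # constructed timestamp
    code = totp(key, t)             # what the user reads off the token
    return {
        "code": code,
        # The server only checks the number, not who typed it or where it was
        # first entered: the first valid submission inside the window wins.
        "first_submission": server.verify(code, t + 5),
        "second_submission": server.verify(code, t + 10),
        "stale_code": Verifier(key).verify(code, t + 120),
    }

if __name__ == "__main__":
    print(demo())
```

Single-use tracking and a short window limit how long a captured code is useful, but they do not bind the code to the site the user entered it on, which is why a forwarded code is accepted in the scenario above.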

For now the real-money auctions are only going to be open in the Americas, and Blizzard is planning to implement new features to prevent someone from buying replicated or fake items. In one report there is already a bot system in place that is capable of generating something on the order of $1,000 per hour. Blizzard says they are working hard to identify and ban these types of setups from the game world, but as many companies have found out, it is like trying to block water with a screen.

We think the idea of allowing players to trade virtual items for real money is something that will come back to haunt Blizzard. By legitimizing it and having a service for it, they open themselves up to liability. Before, when it was frowned upon but ignored, they could protect themselves by stating that it was against the game rules. Maybe greed has gotten the better of Blizzard at this point.

We know they are facing a class action lawsuit in Korea over the game and their refusal to refund money after a series of server outages right after launch. There is also talk of one in the US based on the Always online requirement for the game.

We will be interested to see just how long it takes before there is a major issue with the RMAH and what Blizzard does about it.

 
