Blizzard thinks security is a joke!

I say this for a few simple reasons. Several of which were said the moment Real ID was announced, if not all of them.
I'm not going to bother reading ALL the topics on this subject. Instead I'll make my own and add in a few things that aren't just about Real ID. I even have a solution that is very similar to what's already in place. Also I hope you are defense capped and have over 100k hp or you will be crushed by this wall-of-text world boss!


So when you add a Real ID friend what information are you giving that person exactly? Everything but your account password perhaps? Damn right you are!

The most obvious thing you give them is your first and last name. Now let's say one of your Real ID friends ends up getting hacked. It doesn't matter how much you trust that friend; you just gave that hacker your real name AND the names of all YOUR Real ID friends. That's right: you, the guy that wasn't hacked, gave all your Real ID friends' real names to this hacker. All of these names could be used to harass you and your buddies outside of the game. Identity theft might even become a possibility. Yes, that is a scary thought to throw out there, but seeing as we don't know what information that hacker already has access to, or who this info might be provided to that in turn enabled them to commit fraud, how can you simply deny the possibility? How many people have found you, or you found them, on Facebook that you haven't seen or heard from in who knows how long? Like so long you don't even know who this person is until you look through their pictures on Facebook and recognize them in a picture they put up from 4th grade.

While you might trust someone with your real name do you trust the same people that person trusts? Friends of friends have full access to your real name so I hope you trust them all. Just so you know those 3 Real ID friends of yours might be handing out your name to 10+ other people. I know I mentioned that above but thought I'd mention it again in case you overlooked it.

Another problem with Real ID exposing your last name is with account character transfers. Last I knew, only the last name must match between two accounts to transfer characters. Real ID makes it stupidly easy for a hacker to get your last name and then transfer a character from your account to another account completely.

What may not be quite so obvious at first is the fact that in order to become Real ID friends you MUST divulge your battle.net account name. Why not just give that buddy your account password while you are at it? With the number of people getting hacked every day, does it really make sense to just go handing out 1/2 of your account information to anyone? Yes I know, if I don't trust them then don't give it to them. Shit happens, and who you trust today might not be who you trust tomorrow. If everyone could always trust everyone in this world then locks, security alarms, murder, divorce, etc. would not exist, correct? Not to mention worrying about your safety and identity wouldn't be a problem in the first place, thereby eliminating this post altogether.

With battle.net using your email as the account name, you should tell them your email password too, if it is different from your battle.net password in the first place. I know most people claim they are different, but who are we kidding really? Speaking of which, why the hell is the battle.net account name your freaking email address in the first place? With that thought in your head, that makes EVERY FREAKING EMAIL ADDRESS a potential battle.net login, and considering just how many people have a WoW account, active or not, and the sold copies of StarCraft II, that potential is staggering. Plus the future sales of Diablo III. I'm sure many of us have multiple emails; I for one do. The one I use in particular for battle.net is one I keep very secretive. Now I'm expected to just go handing this out willy-nilly to anyone I wish to be friends with so I don't have to friend each of their multitudes of alts or simply to be able to talk to them cross-server or cross-game?


For all of Blizzard's talk of protecting their users and being mindful of security, they sure are handing out a lot of unnecessary information on everyone to everyone else. What I find absolutely hilarious is that one of the loading screen tips is never give your account name and/or password to anyone, but yet you must give your account name to someone to be Real ID friends. Conflict of interest, anyone?

You probably noticed I never mentioned Blizzard's Authenticator. That is because it is super easy to plead with Blizzard's Customer Service to remove them from an account while providing only basic information on an account, i.e. battle.net account name, first name and last name. Did you read that? All that info is also passed around freely by the current Real ID system. Scary, no? And before you say they want more information than that, I say no they don't. My older brother's and his wife's accounts got hacked recently and that is all the guy on the phone needed to remove the authenticator on each of their accounts. Hell, the Blizzard rep even changed the email associated with my brother's account for him! Perhaps the guy only asked for that much info because the accounts were flagged as potentially being hacked, what do I know. My counter to that is, however, how did that guy on the phone know my brother wasn't simply a different hacker trying to gain access to the account and that the true owner was still unaware of the problem?

Here's my take on how it should be that eliminates all of the above problems without too drastic of a change! If not all problems are eliminated tell me! I missed it on my proof read.

1) Having your battle.net account being your email is OK, I guess, but I'd much rather have it as something else. You should never ever have to give your battle.net account name to anyone for ANY reason outside of possibly having to give it to a Blizzard support representative for reclaiming a hijacked/stolen/whatever account, obviously.

2a) The Real ID should be a GUID instead that is randomly generated and tied to your battle.net account. Yes, that GUID will be a large mess of random characters that you will never remember but see 2b, 2c!

2b) You can set a DISPLAY NAME that all of your Real ID friends will actually see. The default DISPLAY NAME will be your GUID until changed; I know, yuck, but would you prefer it be your SSN by default? DISPLAY NAME is changed from the friend management panel or from battle.net account management. The DISPLAY NAME doesn't have to be unique; after all, not all real names are unique. It is hard enough finding a toon name that is unique for a server, but to make you find one that is unique battle.net wide would be silly.

2c) The friend management panel should have an easy method of displaying, copying and/or linking your GUID for giving it to others. Linking your GUID can only be done in whispers, party, guild, and maybe raid with a warning first (yes links GUID, no strips it). All other channels will replace the linked GUID with the text {{GUID_REMOVED}}.

2d) Linking of someone else's GUID always results in {{GUID_REMOVED}}.

3) The forums can now use your Real ID GUID since it will no longer be that gaping security hole that is publicly showing off your real name.
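A sketch of points 2a through 2d, added here as an illustration and not taken from Blizzard or Steam: a random GUID stands in for the account name, the display name is free-form and non-unique, and a server-side chat filter strips GUID links. The class, function and channel names are hypothetical, and applying the yes/no warning to every allowed channel is an assumption.

```python
import re
import uuid

# Channels where 2c allows linking your own GUID (channel names are assumed).
LINK_CHANNELS = {"whisper", "party", "guild", "raid"}
PLACEHOLDER = "{{GUID_REMOVED}}"
GUID_RE = re.compile(
    r"\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b", re.I)


class Directory:
    """Keeps the account name (email) private; only the GUID is ever shared."""

    def __init__(self):
        self._guid_by_account = {}   # private: never sent to other players
        self.display_name = {}       # public: GUID -> DISPLAY NAME

    def register(self, account_name):
        guid = str(uuid.uuid4())     # 2a: random, not derived from the account
        self._guid_by_account[account_name] = guid
        self.display_name[guid] = guid   # 2b: default DISPLAY NAME is the GUID
        return guid

    def set_display_name(self, guid, name):
        self.display_name[guid] = name   # 2b: no uniqueness check on purpose

    def friend_view(self, guid):
        # Everything a friend (or a friend's hijacker) can see about you.
        return {"guid": guid, "display_name": self.display_name[guid]}


def filter_chat(message, sender_guid, channel, confirmed=False):
    """Strip GUID links unless 2c allows them: own GUID, allowed channel, 'yes'."""
    def replace(match):
        own = match.group(0).lower() == sender_guid.lower()
        if own and channel in LINK_CHANNELS and confirmed:
            return match.group(0)
        return PLACEHOLDER           # 2d: someone else's GUID is always removed
    return GUID_RE.sub(replace, message)


if __name__ == "__main__":
    d = Directory()
    me = d.register("me@example.test")       # constructed sample accounts
    pal = d.register("pal@example.test")
    d.set_display_name(me, "Sam")
    print(d.friend_view(me))
    print(filter_chat(f"add me: {me}", me, "whisper", confirmed=True))
    print(filter_chat(f"add me: {me}", me, "trade", confirmed=True))
    print(filter_chat(f"add him: {pal}", me, "guild", confirmed=True))
```
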

Q: What all can someone do with your GUID I hear you ask?
A: Nothing new just befriend/ignore you as they already can.

Q: If that is all they can do then what's the point of stripping GUIDs from chat?
A: For linking your own GUID it would be a hassle to decline all those friend invites when you link it in trade chat by mistake, right? That will happen, we all know it will. haha. As for linking someone else's GUID, that is to eliminate accidental linking entirely, in theory at least. Plus it is a really weak way to enforce politeness, as they should be the one to give their GUID to others, not you. Of course, that won't prevent the determined from linking someone's GUID.

Does the above there sound familiar to anyone? It does to me. I practically ripped that straight from another service. Guesses, anyone? For those that didn't figure it out, it is Valve's Steam platform. I know you add people by their email or Community name and not their SteamID but that is how the Steam platform keeps track of who is friends with who behind the scenes regardless of what your/their community name was at the time you became friends.
So SteamID becomes my Real ID's GUID and Steam's community name becomes my Real ID's DISPLAY NAME.

Published on 2010-08-25 23:12:28.