We created a lot of waves with this post about Blizzard's Authenticator key allegedly failing -- as you know if you've been listening to the podcast, lots of people have emailed us with their own input on the situation, alternately thanking us for making it known that the Authenticator wasn't 100% secure, and lambasting us for being "ignorant" about how Blizzard's security token works. At the base of the story, there are two things we know are true: that someone was using the Authenticator on their account, and then was subsequently hacked. For that reason, we've stood by the "Authenticator fails" story -- while having an Authenticator on your account is a helpful line of defense, it, like all other computer security measures, isn't a 100% guarantee against getting hacked.

Most people agree on that. Where opinions differ are in how the account was hacked -- originally, we and a few other sources speculated that the Authenticator had been somehow removed from the account in question. But now Belfaire has responded (we believe to the incident in question, though a link to our story was removed from the original post), and says that as far as he can tell, the Authenticator was not removed from the account. In fact, after the password was changed back, the Authenticator's serial key was asked for and given, so the Authenticator remained attached to the account the whole time.

Of course, that just leaves the most important question: how did the account get hacked? We've heard all kinds of various insights as to how the Authenticator works (it only lasts for 60 seconds, supposedly each key can only be used once, so there's no way a keylogger could nab the Authenticator code and reuse it), but the fact remains that the person we're talking about was using the key, and still got hacked. One hack out of all the Authenticators sold so far is a terrific record, and could prove that, statistically, an Authenticator is good as 100% security. But the fact remains that this person got hacked while using the key (however it was done), and if security can be broken once, it will be broken again.

Think a Blizzard Authenticator will keep your account from being hacked? Think again -- we've got our first known report of someone who was protecting their account with one of Blizzard's keys, and still got their character hacked down to their undies. Someone in this forum thread apparently logged out one night and logged on the next morning to find her account stripped of everything but PvP gear, and her Authenticator no longer connected to her account.

Supposedly, to deactivate an Authenticator from an account, you need to get in touch with Billing services, and reportedly they'll then ask for a notarized statement with a picture, like a driver's license, just to remove the Authenticator. But obviously, this one was removed even without that, and we're being told that all you might need to remove the Authenticator is the answer to the user's secret question and a CD key (or even less). In other words, the fault isn't with the technology, it seems to be with the support reps on Blizzard's side of the phone line -- if they can be convinced to remove the Authenticator, the account can then be hacked.

The little keys have been selling like hotcakes since they were released -- almost everyone has figured that $6.50 was cheap for peace of mind. But while an Authenticator still does provide an extra step in security, the sad truth is that it hardly makes an account impermeable.

[Via BRK]

Update: Married IRL has more analysis, including a comment that confirms all you really need to get past the Authenticator is the user's secret question answer, usual address information, and the original CD key. If the standard for getting an Authenticator removed really is a Photo ID, it's fairly clear that Blizzard's reps aren't doing their jobs right.

More after the break.

We had heard that there were problems with the Blizzard Authenticator (a few people who'd ordered them had gotten their money refunded by Blizzard), but apparently there are at least a few going out. Mania got hers -- she says that it works great, that she has already associated it with her accounts, and that she's thrilled with her purchase.

Not everybody is so lucky -- reader Tweaky emailed us to say that his order was supposed to go out UPS Next Day Air, but after it didn't show up and he had a tussle with Customer Support, he then found out it was actually going through the USPS and that it would show up late. No word on whether he's seen his yet or not. A few people commented on our last post that they actually had shipping returned to them, so maybe Blizzard originally planned to send some UPS, and then had to switch to a cheaper mailing method.

At this point, Blizzard has the keyfob sold out on their website, and there's no indication when we'll see any more (soon, probably). It appears that not only did they vastly underestimate demand for the Authenticator, but that people are seriously concerned about the security of their World of Warcraft account. No other game company has ever offered anything like this before, but given the response, it could soon become a standard.

Avast! anti-virus, which is used by millions of people around the world, recently upgraded to version 4.8. Unfortunately, it seems that this upgrade has caused many WoW players to have a drastically lower play experience.

The most common symptom is severe keystroke lag while playing the World of Warcraft. Mouse actions also seem to be affected by this. Delays as low as a second and as high as five seconds between keystroke and the game receiving that action have been reported. Supposedly, running WoW in windowed mode fixes this, but your mileage may vary.

Recently we've had several posts about being hacked, guild banks assaulted, and Blizzard's typical response. The Customer Service Forum is filled with threads started by desperate World of Warcraft players seeking the return of their accounts and belongings as a gesture of goodwill. It is our responsibility to keep our accounts safe from hackers.

I speak from experience when I say that being hacked is just dreadful. Although it is usually possible to have your account returned, there is usually significant damage done in the process. In the past, even Blizzard employees have had their accounts compromised. This post is designed to help you do the best you can to protect your World of Warcraft investment.

It seems that keyloggers and phishers are not the only fraudsters infiltrating World of Warcraft. Halifax, a bank in the United Kingdom has ceased processing most transactions with Blizzard Entertainment. This measure was taken in response to increasing numbers of reports fraudulent transactions for WoW services. I had a similar issue with another bank based in the United States. That institution saw my recurring Blizzard charge as suspicious. Once I contacted them to verify my subscriptions my credit card was quickly returned to an active status.

In this case, the only fault on Blizzard's is making an astoundingly popular, subscription-based RPG. Do be on the lookout for unexpected transactions from Blizzard Entertainment and be sure to report them to your bank as soon as possible. Representatives from Blizzard Entertainment declined interviews with the Register, which investigated this phenomenon.

Do not be surprised if the transaction for your WoW subscription is refused in the near future. Halifax customers can use their credit cards to pay for their WoW subscriptions by making special arrangements with their account services department. If you would like to continue to use your Halifx Visa or Master card, be sure to contact customer support for authentication.