Security guide

Introduction
Whilst the WoW game itself is relatively safe, there are several things you can do to protect your account, and information you have on your PC, from people who want to steal it. WoW accounts sell for a considerable sum on the black market. Thieves do not care that you spent five years getting a full set of T9 gear on every character - they will sell it for the few pieces of gold they can get and transfer the money to gold farmers to make real world money.

Some of the things you can do to protect yourself are:
 * Keep your computer safe:
   * Keep your computer updated with the latest security patches from your operating system provider (typically Microsoft or Apple)
   * Install good security software including anti-virus, firewall and spy-ware checkers
   * Run a daily virus scan, scan ANY file you download from the internet or from a friend's CD, USB stick or similar, and turn off auto-run
   * Run a spyware scan at least once a week
   * Create a low-privilege account on your PC that does not have administrator rights. Use this for everything except when you need to update WoW or your other programs, or to run a full virus scan.
   * Password-lock your administrator account.
 * Run WoW safely:
   * Run WoW using the launcher
   * Install Blizzard updates via the launcher or from a machine you know has been scanned by a reliable virus checker
   * Use a strong password
   * Use a separate eMail address for BattleNet and only for BattleNet
   * Use Real ID sparingly - ONLY for people you know in the real world (and trust) as it is ALSO your account ID
   * Buy a Blizzard Authenticator (US/EU).
   * Take up the offer to use Dial-in Authentication
   * Never, ever, share your account details as this could result in a permanent ban.
 * Surf the web safely:
   * Check web page links before you click on them
   * Check the link matches that listed
   * Use anti-phishing add-ons
   * Use NoScript for FireFox

If this seems like a lot of effort, remember how long it took you to get all the gear you now have. Note also that if the hacker uses your account for botting and spamming and it gets banned, it can take up to three weeks to get it back. Some of your gear may never be retrieved completely.

Keyloggers will also have been after your log-in details to payment sites (such as PayPal), shopping sites (such as Amazon) and your bank and credit card details, so you may lose money in real life too.

The information on this page will never mean that you are 100% safe, as criminals are always coming up with new ways to "beat the system". However, like the camper who stopped to put on running shoes when his friend was already running from the bear, if you follow at least some of this advice, you will have a better chance.

Keep Your Computer Updated
Computer programs are complex things, written by fallible human beings. As such they may contain unintended flaws. One of the most frequently used ways of getting malware onto a computer is to exploit one of these flaws.

As a consequence the companies, or, in the case of Unix and Linux, the communities, who offer these operating systems (literally the programs that operate your PC) have to issue updates (patches) to fix them. These may address urgent security flaws that could allow a criminal to craft a web page that installs malware (malicious software) on your PC. Or they may be fixes to things like drivers (pieces of code that drive a piece of hardware to do something) for your peripherals (such as your monitor or printer) or internal hardware (such as your graphics card or hard disk) that make your game go wrong. Every couple of years the company may bring out a major new version, such as Windows 7, or Vista from XP. Typically these will have better security, but may also introduce new faults. Good advice is "never install version x.0 of anything". For Windows, by the time Service Pack 2 is issued, most of the major holes will have been addressed.

Malware used to be typically written to show off a cracker's skills, or to cause damage by corrupting or deleting a user's files. However, as broadband access became widespread, criminals realised that it was much easier to spy on a person's computer as they typed passwords into their banking website than to rob a physical bank.

Though it is often claimed in forums that Apple and Linux users are "safe", this is increasingly being challenged as criminals realise that these users have grown accustomed to being lax about security. Vista's claim to be "more secure than previous versions" has also come into dispute in a recent survey of malware infestations.

Consider using software such as the free Secunia Personal Software Inspector to check all your other software is up to date. A full scan from a security suite such as Kaspersky Internet Security will also advise you of software with known vulnerabilities.

Windows Updates
Microsoft tends to issue updates weekly on "Patch Tuesday" but may release urgent fixes to address serious flaws at any point. If you trust Microsoft to get fixes right most of the time, or cannot be bothered with security stuff, then set Windows to automatically update with the latest patches as follows:

 * Log on to the account with administrator privilege
 * Click on Start (the windows button in the bottom left of your screen)
 * Windows Update (if it is not here, try Control Panel > Windows Update)
 * Click on Change settings
 * Select Install Updates Automatically, Every Day and choose a time when your computer will be logged on, but it will not affect game-play (such as 7 in the morning if you power up your computer then to check e-mail)
 * Check the boxes to "Include recommended updates" and "Use Microsoft Update"

If you are less trusting of Microsoft's ability to generate fixes that work and do not break something else, then you can choose a different setting.

Mac OS X Updates
Mac OS X has a software update tool:
 * Click on the apple logo in the top left hand corner of the screen
 * Click on Software Update

For help on updating your Apple Mac, including how to set it to run automatically, see the Apple website "Mac OS X 10.5 Help".

Linux
If you are running WoW on Linux, you are probably technical enough to know how and why to update it. Otherwise, contact your Linux provider for information on how to download and install updates.

Other Software to Update
If you do not have version checker software, then check regularly for updates to:
 * Security software (preferably set to update daily)
 * Browser software such as IE, FireFox, Chrome and Safari
 * Portable document format readers such as Adobe or Foxit
 * Web content add-ons such as Adobe Flash, Shockwave, Real Player, NoScript and Silverlight
 * Office software such as Word, Excel, Lotus or Open Office
 * Any other software installed on your computer such as games
 * Voice chat such as Ventrilo or Teamspeak

Typically the software will have an option under Help to "Check for updates".

Install good security software
There is absolutely no need to purchase anti-virus software. There are some free alternatives out there that are excellent choices and will do a very good job of protecting your system. Just because you paid money for it doesn't mean it's good. Remember, a good anti-virus program is but one tool in your arsenal to keep your computer bug free.

Necessary Software
As a minimum you will need:
 * Anti-virus - this checks files on your computer or media like USB sticks for software that should not be there and will cause your computer harm. The better programs will also scan files as you download them from the Internet. However, most anti-virus programs aren't very good at picking up keyloggers.
 * Firewall - this sits between your Internet connection and your computer and checks that any request to access your computer is legitimate.

Ideally you should also have something to check for spyware, which, though it may not harm your computer, tends to send more personal information than you have authorised back to the company that created it. In the worst-case scenario it may cause system instability, steal your email address resulting in spam, or result in identity theft (where someone pretends to be you and opens bank accounts in your name, or even redirects your post). Anti-spyware will also check for ad-ware, which slows your computer down and intrudes by popping up windows with adverts. Typically this anti-spyware software is free, but it does require you to run and update it manually unless you buy a paid-for version.

If you think your computer is secure and you do not need the hassle, try these tests:
 * Audit My PC Firewall Test
 * Steve Gibson's PC Shield Test
 * Confiker Eye Chart
 * Browser security test
 * PC Security Test
 * User Security Test

Antivirus
As the best software changes annually, see Anti-virus for an up-to-date list and reviews.

You may want to look for anti-virus software with a games mode, such as BitDefender GameSafe. Whilst these will not afford as much protection as a full anti-virus suite, they are designed to minimise the impact on game play. For example, when gamer mode is switched on, pop-ups will be disabled, and the update to virus signatures will be postponed.

Firewalls
As the best software changes annually, see Wikipedia - Firewall for an up-to-date list and reviews.

Anti-Spyware
Two of the best programs are also free:

 * Spybot - Search & Destroy - all features free for non-commercial use
 * Ad-Aware SE - free scans for non-commercial users, but must pay for other features

Run WoW using the launcher
Use launcher.exe rather than wow.exe to run World of Warcraft.

The launcher can catch some viruses/trojans that you may not know you have on your computer. One primary example is trojan-downloader.win32.agent, which was found on many computers using Launcher.exe.

Use a Strong Password for your Account
Think of the password as the key to unlock your account. If it is too simple, it is easy to pick the lock. Words from a dictionary, pets' names, birthdays and "password123456789" are all easily guessable, or, with software, can be fired at a website by a botnet (a massive network of thousands of malware-infested PCs) until the password is cracked. A strong password, like a strong lock, means the thieves are more likely to be detected trying to break in, so will move on to easier pickings.

A strong password is:
 * At least 8 characters long, preferably 12 to 14
 * Contains alphabetic, numeric and punctuation characters (e.g. my#2nake1s!0n_aplane)
 * Note however that passwords are case-insensitive! Don't rely on CaMeLcAsInG.
 * If written down it is encrypted in some way (e.g. if you write it in your diary, don't write down that it is a password; create a long list of fake passwords)
 * Can easily be remembered by you, and you alone (e.g. is a phrase from a book, and only you know which page and paragraph; initial letters of the fourth line of your favourite song)
 * Is never stored on your PC (any file could be stolen)
 * Is only used for BattleNet and is different to your eMail password
 * Changed regularly, at least every quarter

Remember:
 * Never, ever, share it with anyone (e.g. someone telephoning or eMailing you or contacting you in-game "from Blizzard" saying there is a problem with your account)
 * If you do ever share it, (e.g. to allow your room mate to log on and tell your guildmates you are stuck in traffic), then change it as soon as you get home
 * Never let your younger brother know your password, or shoulder-surf while you are typing it in. Get him a trial account instead

Use a Blizzard Authenticator
An authenticator is a small key-fob device that gives you a One Time Password (OTP) to enter in addition to your normal password, thus ensuring the user has something as well as knows something. These are cheaply available from the Blizzard store. Note that they are not infallible - you still need to keep your PC free of key-logging malware. These trojans, such as emcor.dll, can intercept the code you type in, tell you that you have "entered an invalid code" and send the real code, along with your user name and password, to a thief working in real-time. This is called a "man in the middle" attack.

Use a Separate e-Mail Address for Blizzard
With the merger of accounts into BattleNet, you will now have to use an e-Mail address to log into WoW. It is highly recommended that you set up a separate eMail address to use for, and only for, logging into WoW and getting eMails from Blizzard.

 * For your paid-for service, create a separate alternative e-Mail with a nonsensical extension such as JSmith_altmail_dffduh@virgin.net
 * For free mail services such as GMail, CryptoMail (secure), HushMail (secure), MSN Hotmail, S-Mail (secure, but Windows/Linux only), or Yahoo, create a unique but nonsensical address such as Bubba196Huggle@yahoo.com or This1IsNin@live.co.uk
 * Set the Secret Question to a custom question (where possible) and treat this like you would a password
 * Do not use an email service where you cannot choose a custom question (names are easily guessable)
 * Un-check "Remember Me On This Computer" whenever you log in
 * Set the Secondary Account field to another new email address that you do not use, ever, except when you have forgotten your password. If you have to use it to recover the password, then delete the account and create a new one

Clear Stored Fields and Files
Be aware that this e-Mail address may be recorded if you use a public computer, so if you HAVE to use one to read Blizzard eMails or run WoW (or you use a laptop that might be stolen) then:
 * Turn off the browser Auto-Complete function, or remove the field from the list:
   * Navigate to the form containing the field that has a saved value that you want to delete
   * Click on the field so that your cursor is in the text field
   * Press the down arrow until the value is highlighted
   * For Microsoft Internet Explorer - press Delete and the value will be removed from the saved form history
   * For Mozilla FireFox - press Shift and Delete together
 * When done:
   * Remove any cookies on the PC
   * Clear down any Temporary Internet files
   * On IE, Tools > Internet Options > Advanced > Security > check "Empty Temporary Internet Files folder when browser is closed"
   * On Firefox, Tools > Options > Privacy > check "Always Clear My Private Data"

Use Real ID sparingly
The only exception to the "never tell anyone your e-Mail address for log-in" is that Blizzard have decided this is what you have to share to use the Real ID feature. This removes one level of security for your account log-in so ONLY share it with people you know in the real world (and trust) as it is ALSO your account ID.

Install Blizzard Updates via the Launcher
Blizzard have supplied a launcher which should automatically download and install updates for you. This is particularly useful when there is a large patch as they typically make it available in sections which can be downloaded over several days, thus reducing the impact on your PC and their server. More information is at the Blizzard Background Downloader FAQ and Blizzard Downloader FAQ.

However there are times when the background downloader does not work. This seems to be an issue with Windows Vista users who allowed Blizzard to automatically create the Public > Games > World of Warcraft directory, though it also occurs with Windows XP users. Blizzard believe it could be conflicting background applications, though its advice on closing background services requires more technical knowledge of Windows XP or Vista to carry out safely than most non-expert PC people have. The advice on updating Windows is relatively sound. Or it could be a problem with security software conflicts, or the downloader itself. One option to try is to backup the entire directory to a removable hard drive, delete the original and create a new c:\users\public\games\World of Warcraft directory from the administrator account. There are other issues and solutions scattered through the US and EU support pages and EU Technical Support Forum.

If you find you are still unable to download the patches, having followed all the forum advice, then the best option is to copy the WoW-n.n.n.nnnn-to-m.m.n.mmmm-enGB-downloader.exe file from a computer or user you trust to have a "clean" PC. Run your own virus checking software on the download media or email before you copy it across. Running this should download the patch directly. There are many mirror sites listed (including those on Wowpedia) but these have frequently been attacked by crackers with the purpose of installing malware to capture account information. Use these only as a last resort, and check any listed URL by copying it and running a WHOIS query at a reputable site, such as Network Tools.com. Note that you may have to remove the "http://" part if the site requires it and leave just the first main part (up to and including, for example, .com or .org or .co.uk). The second complication is obfuscated URLs: if the URL contains the "@" character or its encoded form "%40", everything before it is treated as a user name and you are sent to the site named after those characters. In short, if you are not sure it is safe, do not use it and contact Blizzard Technical Support for help.

Never Share Your Account
Blizzard is very strict on this: "Blizzard does not recognize the transfer of WoW Accounts or Blizzard Accounts (each an 'Account'). You may not purchase, sell, gift or trade any Account, or offer to purchase, sell, gift or trade any Account, and any such attempt shall be null and void." and "You are responsible for maintaining the confidentiality of the Login Information, and you will be responsible for all uses of the Login Information, whether or not authorized by you."

This includes the use of "power levelling" services, sharing with a friend or spouse, etc due to the risk of the account being compromised, the contents sold and emptied (either to earn real-life money or for revenge). This costs Blizzard time and money to resolve and takes away time from legitimate users of the game who have to wait longer for legitimate issues to be resolved. The consequence of Blizzard finding you responsible for account sharing ranges from a temporary ban through to deletion and permanent closure of the account with no restitution. Gold buying may also result in account compromise, banning when discovered, or, worse, mis-use of your credit card, or even identity theft.

Exception for Minors
The ONLY exception allowed is that, if you are an adult, you may open an account on behalf of a minor child (in the UK this is below age 18; it may vary by country).

"You agree to these Terms of Use on behalf of yourself and, at your discretion, for one (1) minor child for whom you are a parent or guardian and whom you have authorized to use the account you create on the Service."

Be wary of in-game whispers from "Blizzard" etc
Scammers will try and direct you to sites with malware on them by promising free mounts or cheap gold or telling you your account will be banned.

"I was just contacted in-game by a Game Master for my password!" Game Master whispers ALWAYS appear in a separate chat window, and you will see the Chat Request flashing in the top right of your screen.

If anyone whispers you more than once claiming to be a GM, or offering paid-for services, right click on their name and report them for spam.

Also be wary of:
 * "girls" chatting you up and sending you links to sites that LOOK like a Facebook page
 * characters bragging about their achievements, or whispering to join your PUG, and posting links to fake armory profiles
 * links to jokes and downloads in Trade chat - if you "must check it out" then install McAfee SiteAdvisor and search for the site first
 * Fixed searches in Google AdWords that send you to wwww.bl1zzard.net or www.curses.com if you try googling the site instead of blindly copying the link

They often copy a site, such as the BattleNet login page, so that the fake looks like the real one, then exploit any vulnerabilities in your browser to download malware, so ALWAYS check the site name carefully. If you "must check it out" then install McAfee SiteAdvisor and search for the site first.

Surf the Web Safely
The internet has been likened to the Wild West, travel at your own risk. So how do you protect yourself better?

Look Where You are Going
Not all web page links point to where you think they are heading. Take for example Thís Link to a joke.

Hands up if you clicked on it?

Always:
 * check in the status bar, or when you hover over the link, that it matches the site it claims to lead to
 * watch out for unusual characters like í instead of i
 * check the file extension on the link; be careful of, or avoid, any file that does not end in .htm or .html unless you are actually planning to download a file

File Extensions
Information is held on computers in files. Under Windows, each of these will have three or more letters at the end after a dot, such as file.htm or file.html. This file extension is used to tell the computer what to do with the file, and which program to use to open it. By default, Microsoft hides file extensions on files, but this can be easily changed. This default is dangerous, because if someone sends you a file called IKilledYou.jpg you may think it is a picture, but if file extensions are hidden and it is really IKilledYou.jpg.exe, it may contain malware which will be run as soon as you open it.

In particular be careful of files sent to you, or links with, the following extensions:
 * Executables (.exe) such as http://download.microsoft.com/download/C/C/0/CC0BD555-33DD-411E-936B-73AC6F95AE11/IE8-WindowsXP-x86-ENU.exe
 * Compressed files such as .cab, .arj, .zip, or .dmg
 * Scripts such as Visual Basic (.vbs) or Javascript (.js)
 * Installation packages such as .msi or .msu
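A check for the warning signs described on this page (the "@" and "%40" trick from the Blizzard Updates section, look-alike characters such as í for i, a host that is not the site the link claims to be, and the risky extensions listed above), written as an added example for this guide; it is not code from the guide or from any tool it names, and evil.example and the sample links are constructed placeholders.

```python
"""Check a link for the warning signs this guide lists before clicking it:
'@' or '%40' in the address hiding the real host, look-alike non-ASCII
characters such as í for i, a host that does not match the site the link
claims to be, and a risky file extension. Added example for this guide, not
Blizzard's code or any add-on's; evil.example and all sample links below are
constructed placeholders."""
import unicodedata
from urllib.parse import urlsplit, unquote

# Extensions the guide singles out, with the category it gives each.
RISKY_EXTENSIONS = {
    ".exe": "executable",
    ".cab": "compressed file", ".arj": "compressed file",
    ".zip": "compressed file", ".dmg": "compressed file",
    ".vbs": "script", ".js": "script",
    ".msi": "installation package", ".msu": "installation package",
}


def _with_scheme(url):
    """urlsplit only recognises a host when a scheme is present."""
    return url if "://" in url else "http://" + url


def authority(url):
    """The part between '://' and the first '/', with %40 decoded to '@'."""
    return unquote(urlsplit(_with_scheme(url)).netloc)


def real_host(url):
    """Host the browser actually connects to, lower-cased.

    Everything before the last '@' in the authority is user-info and is
    ignored when connecting, so www.blizzard.com@evil.example goes to
    evil.example. The guide notes that '%40' (encoded '@') is used the
    same way, hence the decoding in authority()."""
    host = authority(url).rsplit("@", 1)[-1]
    return host.split(":", 1)[0].lower()   # drop an explicit port


def lookalike_chars(host):
    """Characters in the host that are not plain ASCII letters, digits,
    '-' or '.', each with its Unicode name so you can see what was
    substituted (e.g. í for i)."""
    return [(ch, unicodedata.name(ch, "UNKNOWN")) for ch in host
            if not (ch.isascii() and (ch.isalnum() or ch in "-."))]


def risky_extension(url):
    """(extension, category) if the path ends in a listed extension."""
    path = urlsplit(_with_scheme(url)).path.lower()
    for ext, kind in RISKY_EXTENSIONS.items():
        if path.endswith(ext):
            return ext, kind
    return None


def check_link(url, claimed_site):
    """Return a list of warnings; an empty list means nothing suspicious."""
    warnings = []
    host = real_host(url)
    if "@" in authority(url):
        warnings.append(f"user-info before '@' hides the real host: "
                        f"this link connects to {host}")
    odd = lookalike_chars(host)
    if odd:
        warnings.append("look-alike characters in host: " +
                        ", ".join(f"{c} ({name})" for c, name in odd))
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode (xn--) label: internationalised domain name")
    site = claimed_site.lower()
    if host != site and not host.endswith("." + site):
        warnings.append(f"host {host} is not {site} or a subdomain of it")
    ext = risky_extension(url)
    if ext:
        warnings.append(f"link points at a {ext[1]} ({ext[0]})")
    return warnings


# Constructed sample links paired with the site each claims to be.
SAMPLE_LINKS = [
    ("http://eu.blizzard.com/support/", "blizzard.com"),
    ("http://www.blizzard.com@evil.example/login", "blizzard.com"),
    ("http://www.blizzard.com%40evil.example/login", "blizzard.com"),
    ("http://www.bl\u00edzzard.com/", "blizzard.com"),
    ("http://www.blizzard.com.evil.example/patch/WoW-patch.exe", "blizzard.com"),
]

if __name__ == "__main__":
    for link, site in SAMPLE_LINKS:
        for warning in check_link(link, site) or ["looks consistent with " + site]:
            print(link, "->", warning)
```

Run it as a script to see each sample link with its warnings; only the first sample comes back clean.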

Get a Look-Out
Consider installing anti-phishing software that warns you if a link may lead to a known "dodgy" page. Examples include:
 * IE or FireFox: Netcraft toolbar (free)
 * McAfee SiteAdvisor (free) or SiteAdvisor Plus (paid for)
 * FireFox: NoScript add-on to prevent cross-site scripting

Beef up Your Browser
Consider changing to another web-browser that has a better record of preventing and fixing issues than Internet Explorer, the default browser supplied with your PC. Examples are Mozilla FireFox for Windows and Linux and Camino for Mac.

For e-Mail and newsgroups, you may want to look at Mozilla Thunderbird, or SeaMonkey which will also integrate your instant messaging.

Internet Explorer
If you must use IE, make the following changes to IE to improve on the default security:
 * Open IE
 * Go to Internet Options > Security > Internet, then press "Default Level", then OK.
 * Press "Custom Level". In the ActiveX section, set the first two options ("Download signed ActiveX controls" and "Download unsigned ActiveX controls") to "Prompt", and "Initialize and script ActiveX controls not marked as safe" to "Disable".

From now on, you will be asked whether you want ActiveX objects to be executed and whether you want software to be installed.

Sites that you are sure are safe can be moved to the Trusted Zone in Internet Options > Security. However, as servers can be hacked and defaced, it is better NOT to add any sites to this zone, but always to prompt.

Is that e-Mail REALLY from Blizz?
"You have been reported for spamming and your account is now on a three day ban. Please click on this link if you wish to dispute this decision"

Now the message "from" says it comes from noreply@blizzard.com but the "from" can VERY easily be spoofed so how can you tell if the message is genuine ... or not?

There are several technical ways of doing it, but first, simply try logging in to your account. No ban? The message was not genuine. If you have been banned, then ignore the e-Mail and go DIRECTLY to the Blizzard Account Support pages (US, EU or Asia). If you really must follow the link, then right-click on it, COPY the link and paste it into your address bar. Does the link have funny characters or extra ones? Is it a TinyURL-style shortened link? In that case copy it and use the preview facility: instead of going to http://fat.ly/jdmf32 go to http://preview.fat.ly/jdmf32, for example. However, opinion is divided on the security and privacy of these shortened links, so use with care.

If the link is malware and you want to take it a step further and report the spammer, then consider joining SpamCop (spamcop.net).

Hackers use clever "social engineering" techniques to make you feel worried ("account banned") or clever ("get ahead with this hack") and do things in a panic that you would otherwise stop and think about. Other types of e-Mails (or in-game whispers) you may receive include:
 * Buy gold, no more grinding, get ahead
 * Clever flying hack
 * Automate your fishing/mining/other boring repetitive stuff

ALL of these (even if not infested with malware) would break Blizzard's terms and conditions of fair play. They could (and have, for other players) result in bans or outright account termination (no more World of Warcraft, bye-bye Level 80 characters...).

Also be wary of "girls" who woo you in-game, or characters who brag about their achievements, and send you a link to their armory profile, only it isn't the armory, even if the site looks like it.

Make your e-Mail client safer
If you use Outlook, then turn off Mail Preview for your Inbox folder and right-click on genuine messages to set up Rules to automatically move them to Folders and on the address to add it to your address book. Treat all other e-Mails with caution.

Consider using a different e-Mail client to Microsoft's.

Turn off HTML viewing. This will depend on your e-Mail client. Read the Help file.

Check that Instant Message
Apply the same caution when using instant messaging.

How do you know it is your friend on the other end, and not his spiteful kid brother who is using his logged in account whilst he is out, or your worst enemy who has found out the password, or even a hacker from Russia or China? One of the most successful social engineering hacks is being carried out by a "Rasputin bot" or "SlutBot", that pretends to be a lovelorn human male or female.

When using Instant Messaging software (IM, Yahoo! Messenger, IRC, mIRC, ICQ, AIM, WLM etc):
 * Configure it using Tools > Options (or similar) to require contacts to be approved
 * Share the minimum of personal data (especially your birthdate) with "everyone"
 * Set it to prompt you to check links, approve video requests etc
 * If you use IM on any other computer, change your password when you return, as you don't know that your friend, or neighbourhood internet cafe, has not unknowingly installed a keylogger. (This is also good advice if you play WoW at a friend's house, change the password when you get home).

You may prefer to switch to a different multiple-access IM (readers are strongly advised to check for security issues and reviews before installation!) and change all your passwords regularly. These include:
 * Miranda-IM
 * Windows: Pidgin (formerly gaim), Trillian, Instan-t, or Kopete
 * Macintosh: Adium or Proteus

Safer Websites
Note that some of these websites have also been known to have been hacked, and no website can ever be considered truly safe. However when they are, due to their popularity, news of the hack gets out sooner. This list should help you identify real versus spoof sites (check the history page to ensure this page has not been edited!):
 * Blizzard US: www.blizzard.com/us, www.worldofwarcraft.com
 * Blizzard Europe: eu.blizzard.com, www.wow-europe.com, eu.wowarmory.com
 * Add-ons: www.curse.com, www.wowinterface.com
 * pictures: Imageshack.us, www.photobooth.net, photobucket.com
 * Movies: Youtube.com, video.Google.com, Warcraftmovies.com
 * Quest and item information: Allakhazam.com, Thottbot.com, www.wowhead.com, Wow.Stratics.com, WoWHead.com, WoWvault.IGN.com, wow.Warcry.com, www.guildox.com/wr.asp
 * News: www.mmo-champion.com, www.wowjuju.com, www.wow.com
 * Tactics: www.bosskillers.com
 * Character improvement: be.imba.hu, wow-heroes.com, elitistjerks.com
 * Raid voice chat: www.ventrilo.com, www.teamspeak.com
 * Druids: thedailydruid.com
 * Druids, Balance: www.themoonkinrepository.com
 * Mages: l2dps.com
 * Paladins, Holy: www.bananashoulders.com
 * Paladins, Retribution: www.retpaladin.com
 * Combat log parsers: www.gurre.eu/wowlogparser/forum/, code.google.com/p/stasiscl/

Blizzard Forum Links

 * Free security software
 * Guide: Virusses & Keyloggers - It stops here
 * World of Warcraft Forum sticky on Trojans
 * How to recover a compromised account
 * Guide: How to make a ticket
 * Guide: How to CLEAN your PC from Keyloggers
 * Guide: How to CLEAN your MAC from Keyloggers
 * Guide: How to REALLY avoid getting hacked
 * Guide: How to spot real Blizzard emails
 * Guide: How to call Blizzard
 * WoW Europe Scam Policy