If you are still in the misguided camp that thinks OTPs (One Time Passwords) are the be-all and end-all of online security, you may find this information interesting. Of course this particular instance is not the first case of OTPs being successfully attacked; Citibank and Nordea Bank both suffered reasonably well-covered attacks a couple of years ago. Now the same man-in-the-middle technique is being applied to the lucrative virtual gold / goods market of the game World of Warcraft.
You can read about it on the World of Warcraft site WoW.com: “An Interview With a Scammer”. You may not find the entire article interesting, so you can cut right to the part about OTPs by searching for “authenticator”, part of the branded name Blizzard (creators of WoW) has given to their OTP, the “Blizzard Authenticator”. If you’re uninterested in the article, here’s the money quote:
Interviewer: Do you have a way to get around the Authenticator?
Scammer: Actually yes. For the very FIRST login, I can get around it. So I have to change the password then or make a quick clean sweep of the account.
Interviewer: Ah, how do you do it?
Scammer: Just enter the Authenticator code they put into my site.
So a couple of points I’d like to make that I’ve made in the past:
- On the internet, where things happen in milliseconds, 30 or 60 seconds is a very long time.
- Only one compromise of an account is needed to ruin your day and make the scammer richer.
- Consequently, OTPs aren’t really all that good at protecting you when logging into a website.
- OTPs can be a solid protection when used in conjunction with a thick client such as an IPSec VPN client or, in this particular case, the WoW game client. This is because it is much harder to gain enough access to a PC to capture your keystrokes in real time outside a browser than it is to capture them from a form field you type into inside one.
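To make the timing point concrete, here is an added example of mine (not code from the post, and nothing to do with Blizzard’s own implementation) that plays out the relay the scammer describes against a standard RFC 6238 TOTP verifier. The secret, user name and timestamps are constructed; the point is that a 30-second window and single-use enforcement refuse a code that is replayed later, but cannot tell a code relayed within seconds from the real login.

```python
import hmac
import hashlib
import struct

SECRET = b"constructed-demo-secret-not-a-real-key"  # constructed for the demo
STEP = 30    # seconds each code is valid, as in RFC 6238
DRIFT = 1    # accept one step either side to tolerate clock skew


def totp(secret: bytes, t: int, step: int = STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class OtpVerifier:
    """Server-side check: code must match within the drift window and is accepted once per step."""

    def __init__(self, secret: bytes, step: int = STEP, drift: int = DRIFT):
        self.secret, self.step, self.drift = secret, step, drift
        self.used = set()  # (user, step counter) pairs already consumed

    def verify(self, user: str, code: str, now: int) -> str:
        for k in range(-self.drift, self.drift + 1):
            t = now + k * self.step
            if hmac.compare_digest(totp(self.secret, t, self.step), code):
                key = (user, t // self.step)
                if key in self.used:
                    return "replay"  # same code presented a second time: refused
                self.used.add(key)
                return "ok"
        return "bad"  # wrong code, or a code that has already expired


def relay_timeline(t0: int) -> dict:
    """Constructed timeline of the relay described in the interview, as seen by the server."""
    server = OtpVerifier(SECRET)
    code = totp(SECRET, t0)  # what the victim reads off the token and types into the lookalike site
    return {
        "attacker_first": server.verify("victim", code, t0 + 5),   # relayed within seconds
        "victim_second": server.verify("victim", code, t0 + 8),    # real user tries next
        "late_replay": server.verify("victim", code, t0 + 120),    # code kept for later
    }
```

Only the first use of the code is accepted, which is exactly why the scammer says it works for the very first login; the window and single-use rule stop a stored code, not a live relay.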
Which is why I bought a Blizzard Authenticator ($6.50) as soon as I could get my hands on one, and why I try never to log into my account within a browser; when I do, I am very, very careful: I only do so from a machine that I protect jealously, and I type the worldofwarcraft.com URL in myself.
So OTPs do have a place and can be of some value if you understand the risk, but do not fool yourself into thinking that because you are using an OTP you are bulletproof.