World of Warcraft isn't just a game, it's a money-making empire for both Blizzard and an army of criminals that would love nothing more than to make real money from your virtual gold. You might think you're safe, but the techniques they use to get their hands on it go far beyond guessing your password.
The basic rules are obvious. Don't give anyone access to your account. Don't use a dictionary word as your password. Use numbers and symbols as well as letters to make your password harder to guess. Don't reuse passwords across accounts and services. If your password is 'password', slap yourself now. Blizzard staff will never ask you for your password. Never follow a link in an e-mail to a website that looks like a Blizzard site and enter your account information - always go there directly by typing the address into your browser.
Unfortunately, it's not that easy to ensure your security, which is where the Blizzard Authenticator comes in. You can buy a dedicated unit from the Blizzard store, but if you have an iPhone or Android phone, or a handful of others - you'll find a full compatibility list here - it's easier and cheaper to just download the free app. It's just as secure, and much more convenient, especially if you play the game on more than one PC.
Even if you're a casual player, we recommend getting or downloading one of these. Remember, your Battle.net account isn't just World of Warcraft, it's StarCraft II and will eventually be Diablo 3. If you're not using an Authenticator and your account gets hacked, one of the first things the scammers will do is add one to your account, locking you out. This slows down your ability to get your account back, forcing you to prove your identity to Blizzard, and prevents you from even changing your password while you wait.
Setting it up couldn't be easier. Once you've downloaded it, you simply enter a code given to you by the website, and run the game like normal. The only difference is that as well as your username and password, Blizzard games and websites will also ask you to enter the code displayed on your screen before they give you access. This changes every 30 seconds, giving you a one-time code unique to your Authenticator and your login time. You can remove an Authenticator from your account at any time, but be careful - if you lose or reset it, you'll have to contact Customer Support to get back into both your games and account information.
In an ideal world, you'd now be safe. In practice, an Authenticator on your account is the minimum level of security you require. A guild, for instance, is only as strong as its weakest link, which is why most now require proof that everyone with access to the Guild Bank has an Authenticator on their account. When you add one, Blizzard gives you a special pet, the Core Hound Pup, which is removed if you disconnect the Authenticator from your account. Summoning this pet demonstrates that your account is, at least in theory, secure.
The problem is that even with an Authenticator, you're at risk from malware. This can infect your machine in a number of ways, and rarely because you've done something as silly as running a dodgy app from your mail inbox. You're clearly at risk if you download hack programs or other morally dubious apps to help your play, but assuming you don't do that, the problem is most likely to come from a dodgy banner advert or similar drive-by attack from an infested website. If this happens, don't expect the malware to announce its presence.
Instead, it's likely to pull off what's called a Man In The Middle attack. You think you're logging into Blizzard's servers, but really your username, password and authenticator code are being sent to the scammers, who promptly log into your account instead. Once in, they'll strip your character of anything sellable, empty out any guild banks you have access to, or make your character part of a transaction - for instance, copying across a stack of gold from another character to sell to someone else. This not only risks your equipment, but your account itself - especially if you don't report it. This is especially true if you log in to find that one of your characters is suddenly incredibly rich and decide to try and keep the gold.
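To see why a rotating code does not stop this kind of interception, here is an added example (not Blizzard's code, and not from the original article) of how a time-based one-time code is checked. It assumes the standard RFC 6238 TOTP scheme as a stand-in, since the article does not say which algorithm the Authenticator uses; `LoginServer` and the login times are hypothetical.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds each code is valid, per the 30-second rotation above
RFC_SECRET = b"12345678901234567890"  # RFC 6238 Appendix B test secret, not a real key


def totp(secret: bytes, now: int, digits: int = 8) -> str:
    """RFC 6238 (HMAC-SHA1) code for the 30-second window containing `now`."""
    mac = hmac.new(secret, struct.pack(">Q", now // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class LoginServer:
    """Hypothetical verifier that refuses a second login in an already-used window."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_window = -1

    def verify(self, code: str, now: int) -> bool:
        window = now // STEP
        if not hmac.compare_digest(code, totp(self.secret, now)):
            return False  # wrong code, or a code from another window
        if window <= self.last_window:
            return False  # this window's code has already been spent
        self.last_window = window
        return True


def demo() -> dict:
    t0 = 1111111085  # constructed login time
    code = totp(RFC_SECRET, t0)  # what the player reads off the Authenticator
    intercepted = LoginServer(RFC_SECRET)  # player's login never reaches this server
    normal = LoginServer(RFC_SECRET)  # player's login arrives first
    return {
        # Whoever presents the code first inside its window is accepted.
        "captured_code_used_first": intercepted.verify(code, t0 + 5),
        "player_login": normal.verify(code, t0),
        # The same code presented again in the same window is refused.
        "replay_same_window": normal.verify(code, t0 + 5),
        # Once the window rolls over, the old code no longer matches.
        "code_after_rollover": LoginServer(RFC_SECRET).verify(code, t0 + 30),
    }


if __name__ == "__main__":
    print(demo())
```

The server can only check that the code matches the current window, not who typed it, which is why the Authenticator has to be paired with a clean machine.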
To keep your system clean of malware, you need dedicated antivirus software running. You can get a free one, such as AVG Free Edition (EDIT: Dissent in the ranks over that one. If you have a preferred free AV tool, let us know underneath), or commercial packages from McAfee, Norton, Sunbelt and many others, and most of them should be fine. The key is to actually keep it running. If you end up switching off your antivirus protection on a regular basis because it slows down your gaming, look for one with better resource management, like Sunbelt's VIPRE. A few have dedicated Gaming Modes, but this shouldn't be needed for WoW.
Once you've done all this, you're as secure as you can reasonably hope to be. It goes without saying that you should keep away from the dodgy players, and never under any circumstances do anything as silly as paying someone to log into your account and level up characters for you. You'll also want to follow sites like this one to keep track of any new attacks as they emerge, because the one guarantee we can give you is that the criminals won't stop attacking until the game isn't popular enough to justify their time. Don't hold your breath, especially with Cataclysm and a whole new surge of players on the way.
Finally, if you do find yourself a victim of the scammers, the quicker you can report it, the better. Log out immediately, run a full antivirus sweep on your PC, change your password (just to be on the safe side) and if you're not using one already, add an Authenticator to your phone, even if only until the official one arrives. At the very least, you'll be able to say with hand on heart that you did your best.