Diablo® III

Battle.net® Account Security & Diablo® III

(Locked)

I call BS. Let's be realistic, Blizzard, there's no way suddenly a whole ton of people are getting randomly hacked and then you blame it on their own security. I know people that have knowledge of computers plus they run good protection software and are careful about what they open, and still fell victim to this. Everyone with a brain knows it's easily possible to find a security exploit in any game, not just Diablo 3.

There are way too many reports in too short of a time span for this to be blamed on people's own security. But for a company it's always easy to put the blame on the consumer rather than dealing with it and being honest about it.


No, it's totally possible.

My **speculation** of what's happening is exactly what happened when they forced everyone to merge their WoW accounts to BNET accounts. Lots of people had viruses or trojans, keyloggers or whatever on their computer so hackers had their password but "Remember account name" checked. When they merged, they had to type in their account name and password, and thus hackers got their info. Suddenly the forums are filled with "Blizzard has been compromised!" posts when there was no compromise on Blizzard's end.

So perhaps the same thing happened here: lots of people logging in at once, typing in their account info for the first time on D3, hackers get all this information from lots of people, wait a few days, then strip as many people as possible.

I say this because I've been tailing the official forums all day and haven't seen anyone who was hacked flat out say they had a mobile/physical authenticator with "ask for code every login" checked. Everyone either doesn't answer or confuses SMS alerts/dial-in authenticator with the mobile/physical one.

I realize the alleged exploit doesn't need a password, but I'm highly skeptical this is Blizzard error and not user error. However, I'm fully prepared to admit I'm wrong when Blizzard addresses this.
1000s of people, many with Authenticators and years of hack-free WoW/SC2 play, all fell victim to phishing attempts, coincidentally the same week that Diablo III came out

or

Blizzard's servers were compromised

Apply Occam's Razor.
If Blizzard were to admit fault, then they would also be taking responsibility for everyone's information that was stolen to include credit card numbers and personal information. Admitting liability would be a tremendous wound, much like Sony suffered last year...at least they admitted it to their customers.
So how exactly does this explain the "hacked accounts" for those of us complaining where there are no logs/history showing someone else actually "logging in" to the account? These instances are occurring where people are kicking us off the accounts while we are actively playing... stealing the items... and then making out like a bandit. I was told it is against the ToS to call out a user for "hacking" in the forums, but the same names of accounts have been brought up in other threads for performing what appears to be a session state hijack exploit, NOT a password/account theft.

This blue post does not address any of the above.... very disappointed.


My guess is, when you talk to the authentication server to get a "session id", this activity is logged.
This is the "log in event" that they stored, that you see.
Talking to the game server, or web server wouldn't log (or won't show)

Since the latest speculation is that the hackers have already possessed a session id representing "you",
no talk to the authentication server is necessary, thus NO log, and
ALL measures that prevent them from obtaining a "you" session id are for nothing.
Edited by TheNevers#1401 on 5/21/2012 9:20 PM PDT
Security Expert: "I won't believe that there isn't a compromise on Blizzard's end until we hear it from them!"

Blizzard: "It's on your end."

Security Expert: "Lies!"

This is truly my favorite part of the process. People think that this time must have been unique, because they were compromised. When they're proven wrong, then they fall back on the old (and unsubstantiated) argument that Blizzard must be part of a global conspiracy to take away their hard earned virtual money.
I don't feel Blizzard is addressing the issue here.

I would appreciate an official post from Blizzard about the server security issues going on, or did I miss it somewhere? I looked around and couldn't find it.

I just want to play D3..... :(

Fresh Windows 7 install, Radeon drivers, Diablo 3, and Google Chrome.

That's all I have on here so far. Definitely no key loggers. No flash sites have been visited, not even FB on this computer, and I have not signed in on any other computer.

My lvl 60 wizard who was clearing Inferno well is now naked, and over 1 mil gold is missing, after just 1 minute of them logging in (they booted me off while I was playing so I immediately tried to search forums for answers).

If anyone was wondering the person who was on my recent played list is named:
skts#3354
char name is: sdffghfg
A lvl 2 barb with 15 hours played haha, bet he has over 500 million gold easy :P


I too was assailed by the same person!
No offense but when your own logs show that nobody has logged in between me logging out for the night and logging in after work and my account is stripped then don't try and peddle any addon.

When one of your astute coworkers can tell me the difference between a PNP and an NPN common emitter and common base collector on a transistor, then I will be inclined to listen.


Really dude...?! These people are computer programmers...not computer engineers...there is a difference.


Slow down Sherlock.

That would REQUIRE a digital footprint upon the sacred log files of Blizzard. Only....Blizzard shows NO log of the aforementioned supposed hack of your logon credentials.


That wouldn't show up as anything unusual. It would just show up as you…logging in, from your computer.

In order to trace the "digital footprint" they would need access to your machine. That's where the log is.


Blizzard has a log of everything you do with your account.

Excuse me for a second while I refer to my log of last logout and last login. Now I ask Blizzard to do the same. Wait, what? There is NO unusual activity between the last logout before sleep and the last logon after work? So in other words my logon credentials have not been compromised.

That leaves us with two scenarios.

Exploit on Blizzard side. Massive loophole that eventually will be traced and patched.

OR

Corrupt Data. DB lost primary keys/indexes are shot/pathways are incorrect...etc etc etc....meaning some nerd/geek smarter than I will point it out, it will be fixed and things will move forward and the poor geek/nerd will never get credit while some middle management bureaucrat will take all the glory and get a raise.


Except that session hijacking completely bypasses the need to enter an authenticator, or even knowing the password or email. Once you are signed onto a game, your session-id is the confirmation of having made it past the security features... it's the pass that says you're legit.

And this pass is easily copied. It's why people that have been hacked suddenly find themselves disconnected or hacked only after a public game.


It sure explains why people are complaining that they get hacked when they haven't played in public games.

But that would debunk your entire theory, how convenient of you to neglect it.


Please link me to a single post (by someone that isn't your alt or made after this post), from anyone who claims to have been hacked and never clicked the public game button even once since d3 has been out.

/tap

/yawn

spoiler: White-Knighting Blizzard won't get you MVP status. They done goofed.
05/21/2012 09:13 PM Posted by Girlrage
Is there any actual proof of session spoofing? I would think that if there was a security flaw there, Blizz would have taken the servers down and fixed it. All I've seen so far is one guy who said his friend told him that it's possible to do that.


No actual proof of it, it's just a theory. However, if you really think about it... the number of people getting hacked compared to the number of players means that taking down the servers wouldn't be cost effective. They have already received a ton of flak for having lag, servers going down, people not being able to get logged in, etc. What do you think would happen if they took the servers down now? It would be worse for them than preventing the hacks since, in the broad scheme of things, it's not a very large percentage of players getting hacked.

PS: just for the record, I got hacked.
Edited by AnotherAnon#1442 on 5/21/2012 9:20 PM PDT
05/21/2012 09:14 PM Posted by AnotherAnon
Um, you realize that withholding this information is a VERY severe crime that would result in millions of dollars in fines and possibly the company getting shut down? To keep something like this secret would involve HUNDREDS of people conspiring, not only risking their jobs but also JAIL TIME, to keep something secret that would be found out anyway.


Yeah, because everyone knows major companies NEVER do anything illegal. I mean, it's not like Enron broke the law, right? lol..... Seriously, major companies do illegal things all the time for the money. Most get away with it, some don't.

Straw man argument. You can't assume the worst-case when it's so ridiculous and illegal and then pretend it's true. Try using something that's not a logical fallacy.
1000s of people, many with Authenticators and years of hack-free WoW/SC2 play, all fell victim to phishing attempts, coincidentally the same week that Diablo III came out

or

Blizzard's servers were compromised

Apply Occam's Razor.
It's possible their accounts/computers were compromised months or even YEARS ago.
This might be the greatest cover-up in gaming history! I knew that the RMAH was going to cause trouble, but this !@#$ is just pure madness.
It sure explains why people are complaining that they get hacked when they haven't played in public games.

But that would debunk your entire theory, how convenient of you to neglect it.


You don't need to join any games for people to get your session ID.

You can add ANYONE to your friends list without their consent. When one of those people gets an achievement, it is broadcast to anyone that has them on their friends list. They can get your session ID from that.

You don't know what you are talking about.
http://us.battle.net/d3/en/forum/topic/5149538944?page=6#102
It's super ironic that you tout your home personal security and how you're this security guru who knows they are secure.

What do you think Blizzard spends on security and what kind of security do you think they have? Do you think they have a monkey working their security department? Consider that Blizzard has credit card data (I guarantee your home setup isn't PCI compliant), intellectual property, etc., millions of dollars at stake.

And yet you can't fathom how someone got through YOUR security, and so it must be Blizzard. Never mind the fact that anyone who had the resources and ability to hack into Blizzard isn't going to risk it all and their freedom to take your Diablo virtual items. They're going to be there for credit cards and IP data.
If customer service was so "dedicated" to our accounts and their security, then rollbacks shouldn't be the sole means of restoring losses our characters accrue at the expense of poor networking and lax security.

Just saying.
Security Expert: "I won't believe that there isn't a compromise on Blizzard's end until we hear it from them!"

Blizzard: "It's on your end."

Security Expert: "Lies!"

This is truly my favorite part of the process. People think that this time must have been unique, because they were compromised. When they're proven wrong, then they fall back on the old (and unsubstantiated) argument that Blizzard must be part of a global conspiracy to take away their hard earned virtual money.


It's even better when most of these "security experts" are really just people halfway through an IT AA degree or someone doing low level IT work for a small company. Which is what most of these people are.
Is there any actual proof of session spoofing? I would think that if there was a security flaw there, Blizz would have taken the servers down and fixed it. All I've seen so far is one guy who said his friend told him that it's possible to do that.


No actual proof of it, it's just a theory. However, if you really think about it... the number of people getting hacked compared to the number of players means that taking down the servers wouldn't be cost effective. They have already received a ton of flak for having lag, servers going down, people not being able to get logged in, etc. What do you think would happen if they took the servers down now? It would be worse for them than preventing the hacks since, in the broad scheme of things, it's not a very large percentage of players getting hacked.

PS: just for the record, I got hacked.


Do you have any inkling of how many WoW accounts have been compromised? Plenty of those users were convinced that Blizzard was somehow at fault for that, too.

Guess where the compromise ended up being? Hint: It rhymes with "Shmient Shmide".
Edited by Nerevarine#1724 on 5/21/2012 9:23 PM PDT
If customer service was so "dedicated" to our accounts and their security, then rollbacks shouldn't be the sole means of restoring losses our characters accrue at the expense of poor networking and lax security.

Just saying.


Didn't you read the post? It's not on Blizzard's end, their networking and security is fine. It's yours that's the problem, and I think right about now you should be thanking your lucky stars that they're willing and able to do any sort of a restoration.
If customer service was so "dedicated" to our accounts and their security, then rollbacks shouldn't be the sole means of restoring losses our characters accrue at the expense of poor networking and lax security.

Just saying.


Blizzard doesn't even have to offer account restorations, much less character rollbacks, since the compromises are all happening on the user's end. Most companies don't even get your account back for you.
This topic is locked.
