Battle.net® Account Security & Diablo® III

(Locked)

Actually that makes 100% sense. If this is a zero-day keylogger (meaning programmed from scratch and not yet known), then there is no way any scan will ever find it... on anybody's computer. Scans look for known code, so anything new goes right around them.
Blizzard, people that know what they are doing and have been online with WoW and SC2 for YEARS with no one hacking their accounts have been hacked. There is a very real concern here. Before you open that RMAH you better make SURE people's accounts are safe or you better have your lawyers ready.

I am scared to even try to play this with random people or even my friends that have. Too many people reporting the exact same thing. Like the saying goes, if it walks like a duck... You guys need to stop blaming the customers.
05/21/2012 11:05 PM Posted by YukariOro
That said, I don't believe the authenticator is flawless. I've known a friend that got hacked with one on WoW


RSA authentication - which the keyfobs and smart phone apps for Blizzard authenticators use - has not been compromised in the real world to my knowledge. People write doctoral theses based on vulnerabilities that do exist in the math - but as far as I know nobody has ever been successful replicating them outside of a lab.
Oh. My. God.

This issue had already been researched, and conclusively shown to be a Session-ID spoof. FFS, you even had people getting kicked out of game the moment they popped an achievement, and immediately came back in to find their stuff gone. You had confirmed reports from CS staff telling customers that there was no login from a different IP.

And yet, this is what you do. Disregard the issue, and blame it on your customer, then try and sell them something that you know God-damned well will do nothing about this issue.

How can you do this and look at yourself in the mirror, you miserable liar?


You have a pretty funny definition of "conclusively."

That was sarcasm, by the way. Because no, nothing has been shown conclusively. People are still arguing about where the compromise came from. Some people think it's from playing the AH, some people think it's from public games, some people think it's from posting on a WoW avatar on the forums (seriously). Then there are as many people who haven't taken part in these but were still hacked. That's a pretty piss-poor definition of conclusive.
I am playing with two accounts on my computer, and I am one of the victims that got hacked. The difference between the things that have been done with acc 1 and acc 2:

Acc 1: I have visited AH, placed bid on item and even placed out items for sale, I have joined Public Games.

Acc 2: Single mode all the way, no AH interaction or go public interaction.

Seeing the difference between the accounts, and seeing how I play on 2 accounts but only 1 account got hacked, if the case is that I got keylogged, phished or whatever, the hacker would have hacked both of my accounts instead of just one? Why take one when you can take two?


Correlation is not causality.

Still waiting for ANY one of you hacker victims to provide ANY EVIDENCE WHATSOEVER that the security exploit was on Blizzard's end and not yours. I'm not saying one way or the other. What I AM saying is:

Those who make the claims fall under the burden of proof. I'm not saying it didn't happen on Blizzard's end, I'm simply asking you to prove it.


Are you reading your own tripe? Seriously, how can anyone subscribe to the "you got phished/keylogged" nonsense? Who engineers a keylogger purely to steal Diablo 3 items and gold?

Nobody.

I have yet to see anyone complaining their WoW accounts have been accessed, Starcraft accounts, bank accounts, email, etc. All of that stuff is a hacker's dream to access, so the idea they're purely going after D3 stuff is ludicrous.
IIRC, they already delayed the AH due to all the disconnects players were having, apparently due to server capacity. So I don't know if this problem was any influence on the delay. So far, I've only been experiencing a very infrequent disconnect, and occasional very bad lag. So I'm much luckier than these posters. We can hope Blizzard gets all this sorted out, so we can enjoy the game we bought.
05/21/2012 11:11 PM Posted by Nikijih
Actually that makes 100% sense. If this is a zero-day keylogger (meaning programmed from scratch and not yet known), then there is no way any scan will ever find it... on anybody's computer. Scans look for known code, so anything new goes right around them.


This is very true, and it's happened before with WoW, multiple times. It should be a few more days before anything happens to identify this.
05/21/2012 11:12 PM Posted by Wim
RSA authentication - which the keyfobs and smart phone apps for Blizzard authenticators use - has not been compromised in the real world to my knowledge. People write doctoral theses based on vulnerabilities that do exist in the math - but as far as I know nobody has ever been successful replicating them outside of a lab.


You failed to catch my point that although my friend had an authenticator, she also appeared to have a keylogger program on her computer. More than once her keyboard would start typing random stuff that she wasn't typing; all of us who saw this going on would tell her about it. Yet repeated AV, and even AV via valid websites, could not find the keylogger. So she was hacked not because the authenticator was hacked, but because her computer had a keylogger on it.


Correlation is not causality.

Still waiting for ANY one of you hacker victims to provide ANY EVIDENCE WHATSOEVER that the security exploit was on Blizzard's end and not yours. I'm not saying one way or the other. What I AM saying is:

Those who make the claims fall under the burden of proof. I'm not saying it didn't happen on Blizzard's end, I'm simply asking you to prove it.


Are you reading your own tripe? Seriously, how can anyone subscribe to the "you got phished/keylogged" nonsense? Who engineers a keylogger purely to steal Diablo 3 items and gold?

Nobody.

I have yet to see anyone complaining their WoW accounts have been accessed, Starcraft accounts, bank accounts, email, etc. All of that stuff is a hacker's dream to access, so the idea they're purely going after D3 stuff is ludicrous.


The same people who engineer keyloggers purely to steal WoW items and gold? Maybe?

There's a reason these people stick to video game accounts. The legal repercussions should they be caught are significantly less than if they steal credit card information or anything else of real monetary value. They can earn a good living sticking to low-risk video games, so they do.
05/21/2012 11:15 PM Posted by Bul
Actually that makes 100% sense. If this is a zero-day keylogger (meaning programmed from scratch and not yet known), then there is no way any scan will ever find it... on anybody's computer. Scans look for known code, so anything new goes right around them.


This is very true, and it's happened before with WoW, multiple times. It should be a few more days before anything happens to identify this.


All keyloggers are basically the same, as they have to run in the memory to work. They all have similar signatures and the heuristics on basically any AV will immediately pick one up. At the very latest, they will see it when it tries to phone home.
05/21/2012 11:10 PM Posted by Xodo
Blizzard still doesn't understand that when thousands of players are "hacked" on the very same day, it's most likely NOT a client side problem.


Yes it is. NCSoft/Guild Wars was accused of the same type of thing several years ago. People even said they knew of the methods used to hack accounts. After investigation, it turned out to all be bogus, helped along by trolls and paranoid gamers who pretended to be hacked in order to get the company to fully investigate the matter. At the end of the day, the reason for the spike in hacks was because a large French gaming community forum was hacked, and the emails + passwords were sold to a group of account thieves, and they were able to log in to some of the accounts using the exact same emails/passwords. If you want to actually see the facts on account hacking, you can read this post here, from one of the most famous game hackers around:

http://www.guildwarsguru.com/forum/2-million-ncsoft-accounts-stolen-t10439435.html?p=5161538#post5161538

In several hours over the course of a weekend, in my spare time, I gained access into 10,900 NCSoft accounts purely based on the stupidity of people using the same email/passwords on various fansites as their NCSoft account.
Edited by pug#1606 on 5/22/2012 4:53 AM PDT


Are you reading your own tripe? Seriously, how can anyone subscribe to the "you got phished/keylogged" nonsense? Who engineers a keylogger purely to steal Diablo 3 items and gold?

Nobody.

I have yet to see anyone complaining their WoW accounts have been accessed, Starcraft accounts, bank accounts, email, etc. All of that stuff is a hacker's dream to access, so the idea they're purely going after D3 stuff is ludicrous.


The same people who engineer keyloggers purely to steal WoW items and gold? Maybe?

There's a reason these people stick to video game accounts. The legal repercussions should they be caught are significantly less than if they steal credit card information or anything else of real monetary value. They can earn a good living sticking to low-risk video games, so they do.


Why aren't they using the opportunity to steal WoW items and gold too then?

Also, most of these hackers are in China. Do you really think American law affects them in the slightest? Do you really think the FBI can just go to China and charge people for internet crime? Get real.
Keep up the good work guys. :)
05/21/2012 08:18 PM Posted by Trip
I did not get hacked, but I will still defend everyone who did. With that said, what is being done for those who lost all of their stuff?


Why are you defending someone who put their account information in another's hands by no fault of Blizzard? There is nothing to defend. You should take pity on these fools for being stupid enough to not care about the security of their personal information.
Oh. My. God.

This issue had already been researched, and conclusively shown to be a Session-ID spoof. FFS, you even had people getting kicked out of game the moment they popped an achievement, and immediately came back in to find their stuff gone. You had confirmed reports from CS staff telling customers that there was no login from a different IP.

And yet, this is what you do. Disregard the issue, and blame it on your customer, then try and sell them something that you know God-damned well will do nothing about this issue.

How can you do this and look at yourself in the mirror, you miserable liar?


You have a pretty funny definition of "conclusively."

That was sarcasm, by the way. Because no, nothing has been shown conclusively. People are still arguing about where the compromise came from. Some people think it's from playing the AH, some people think it's from public games, some people think it's from posting on a WoW avatar on the forums (seriously). Then there are as many people who haven't taken part in these but were still hacked. That's a pretty piss-poor definition of conclusive.


You do realise that your name and battletag information are available through all these methods, so any of them lead to the same result, right? Player gets your info, adds you as a friend - which you cannot stop - and then gets your session ID.

And no, I didn't get this info from a blog; I don't read anyone's blog that talks about gaming, and would sooner kill myself than do so. This information is freely available from the various reports in these very forums, with confirmed responses from Blizzard CS staff - once a CS rep tells you there was no login from another IP address, you know perfectly well what happened, you wonderful ponce.

Which I'm sure you'll just reply with "well duh, they threw all their stuff on the ground, and then cried hack because it's all a conspiracy to make Blizzard look bad."
This topic is locked.