Diablo® III

Battle.net® Account Security & Diablo® III

(Locked)

05/22/2012 12:40 AM Posted by Reinhart
I don't think Blizzard's authenticators use RSA.


I'm like 99% positive they do. Is there some other keyfob vendor that uses something else?
90 Worgen Druid
9505
That's not really what they said. What they said is that they have not investigated any cases of hacking occurring when an authenticator was used. That doesn't mean it hasn't happened, just that they haven't encountered it yet.

However, I think they won't ever find a "case" of this scenario occurring. I don't think what's going on is an actual, traditional hack. Mostly because of all the copy paste support tickets from Blizzard saying "We detected no account compromises". I wonder if Blizzard actually looks at the gold counter as well as the level counter for these characters when they investigate.

It's obviously unlikely a person at level 60 will have zero gold and items.


In regards to your first part of your post: That's what I said, just worded different.

In regards to the rest of your post: Stop trying to read between the lines, and stop believing forum posts. =P

05/22/2012 12:45 AM Posted by Wim
I don't think Blizzard's authenticators use RSA.


I'm like 99% positive they do. Is there some other keyfob vendor that uses something else?


They're Digipass security tokens.
Edited by Sophia#1244 on 5/22/2012 12:46 AM PDT
8 Blood Elf Paladin
0
My friend bought an authenticator two or three weeks ago and last night his WoW account was suspended for suspected hacking/hijacking. It may be coincidence but this occurred about 30 minutes after he joined his first public Diablo 3 game.

I've watched him entering his codes from the authenticator with my own eyes so I know for a fact he isn't misleading anyone about his security precautions.

This happened last night (Aus WST 10-11pm) and he immediately filled out the relevant web forms which told him it'd be 4-7 hours or some such until his account was restored.

If Blizz is looking to investigate an example where an authenticator was being used then this might be an ideal candidate. Please feel free to contact me and I'll provide you with my friend's real ID.
85 Draenei Shaman
2695
My brother has an authenticator attached to his account and before D3 came out we both did a full format and this morning his account was stripped of everything. I've been keeping up with what's going on and there are many people claiming to have an authenticator and still having been hacked. Had my brother not been playing right next to me I'd probably doubt them too, but whatever is happening isn't just someone getting a keylogger.


What's his BattleTag?
And the blue chimes in. =) Not to mention as it stands, even past what's been said, I still remain impartial to people hacking auth accounts. Until such time Blizzard says there has been.
Edited by Raven#1472 on 5/22/2012 12:47 AM PDT
Ty for the clarification Bashiok.

I believe Blizzard. I believe no one with an authenticator has reported a hack yet. I do not believe this is a case though of just so many people somehow doing something stupid to give away their password.

It was Wayyyy too many at once and at the same time. It seems the attack was very orchestrated and has been linked to joining a public game with these hackers.

I drop the theory of these all being hijacks and spoofs if authenticator accounts are not being hit, but I by NO means accept that this onslaught of sudden hacks was because of people being phished or logged. Not everyone is that dumb, and there has been no instance of people using the info to ravage through the WoW account too. It seems it's a D3 centralized issue right now.


There isn't any evidence this attack is larger than normal. My guess is that keylogger spreading and phishing attempts increased in the weeks prior to release and they are just now accessing the accounts.
Edited by Cyzthur#1872 on 5/22/2012 12:56 AM PDT
05/22/2012 12:44 AM Posted by Hukutus
Authenticator is free, if you have an existing device, like a smart phone, then you can just install it on there.

I have a smart phone, and it did cost over 500€. But not every smart phone has iOS or Android.

It should be called iOS and Android Authenticator if it does not support Win7, MeeGo nor Symbian.


WP7? People actually use that? lol
05/22/2012 12:37 AM Posted by IcE
Can anyone reference a CONFIRMED case of an authenticator-linked account being hacked? I'm not talking "lolz my friend said he had one", I mean something official and documented... because I'd love to know if they actually have happened.


Depends on your definition of confirmed. Regardless, it's going to be hard. The forum mentality seems to imply that people who don't have authenticators are morons, so I'm sure some people have been saying they used one when they haven't just to be taken more seriously.


This x10000000000000
Can I ask when or will restorations take progress? Many users have waited over 50 hours so far.
05/22/2012 12:46 AM Posted by Axm
If Blizz is looking to investigate an example where an authenticator was being used then this might be an ideal candidate. Please feel free to contact me and I'll provide you with my friend's real ID.

Except that his Diablo 3 items and gold weren't stolen, which is the case in here.
90 Pandaren Warrior
16785
05/22/2012 12:47 AM Posted by KOLZ

I have a smart phone, and it did cost over 500€. But not every smart phone has iOS or Android.

It should be called iOS and Android Authenticator if it does not support Win7, MeeGo nor Symbian.


WP7? People actually use that? lol


T-Mobile and other off brands... You know, people who don't do their research and buy what the derp and Radio Shack tells them to.
That's not really what they said. What they said is that they have not investigated any cases of hacking occurring when an authenticator was used. That doesn't mean it hasn't happened, just that they haven't encountered it yet.

However, I think they won't ever find a "case" of this scenario occurring. I don't think what's going on is an actual, traditional hack. Mostly because of all the copy paste support tickets from Blizzard saying "We detected no account compromises". I wonder if Blizzard actually looks at the gold counter as well as the level counter for these characters when they investigate.

It's obviously unlikely a person at level 60 will have zero gold and items.


In regards to your first part of your post: That's what I said, just worded different.

In regards to the rest of your post: Stop trying to read between the lines, and stop believing forum posts. =P



I'm like 99% positive they do. Is there some other keyfob vendor that uses something else?


They're Digipass security tokens.


I have no choice but to believe forum posts. I have genuine fear of really getting into the game and building up my character only to have it stolen from me. There's an overwhelming number of "I've been hacked" posts. I can't simply write them all off as idiots.
Edited by IcEKuBe#1599 on 5/22/2012 12:49 AM PDT
THANK YOU BLIZZ FOR CONFIRMING !!!!

I've been sitting here, reading, posting a little and scared to death to log on in fear of losing everything..

Publicly announcing not ONE single case so far has been anything other than Email + PW logins makes me much more comfortable. Since I have Authenticator.. even if it's not 100% I'm sure I'm not keylogged, I don't visit stupid sites or buy gold so I feel safe enough to play again with minimum risk of being hacked..
Thank you again guys and get the damn ppl responsible!!
=)
Community Manager
05/22/2012 12:40 AM Posted by MielTicket
It was Wayyyy too many at once and at the same time. It seems the attack was very orchestrated


It seems to me like it's the most logical way to go about it. Build up a list of accounts and passwords, and then hit them in a rapid succession before word can spread and people can change their passwords, add an authenticator, etc.
It was Wayyyy too many at once and at the same time. It seems the attack was very orchestrated


It seems to me like it's the most logical way to go about it. Build up a list of accounts and passwords, and then hit them in a rapid succession before word can spread and people can change their passwords, add an authenticator, etc.


Just like Nicholas Cage in Gone in 60 seconds

Edit: Here's my take on the situation over on reddit. http://www.reddit.com/r/Diablo/comments/txk1e/the_diablo_iii_hack_explained/c4qmmto

Of course this too is just speculation, but I think it's far more accurate than what was said over at Gamefaqs.
Edited by Sammich#1797 on 5/22/2012 12:51 AM PDT
05/22/2012 12:49 AM Posted by Bashiok
It was Wayyyy too many at once and at the same time. It seems the attack was very orchestrated


It seems to me like it's the most logical way to go about it. Build up a list of accounts and passwords, and then hit them in a rapid succession before word can spread and people can change their passwords, add an authenticator, etc.


*gasp* is that a confession?!
From the EU here, I would like to speak for myself and my 3 friends who all play together in the EU.

We all HAVE authenticators
We all HAVE battlenet SMS
None of us have EVER been hacked before

Guess what, all our gold and gear is gone, and guess what, we all have random lvl 2 players in our recent played list. This thing you're trying to cover up is not user security issues; if it was, all our WoW accounts and SC2 accounts would have been affected, they weren't. This is clearly a security breach at your end, whether it is session ID hacking, or SQL injection. Either way you need to take responsibility for what's happening, be honest and sort your house out.

Good Day to you.
60 Worgen Hunter
420
05/22/2012 12:40 AM Posted by Reinhart
I don't think Blizzard's authenticators use RSA.


::doh:: you're right. They look so much like my old SecurID I had for work I made a poor assumption. Looking it up they're from Vasco. Same premise though.
Authenticator is free, if you have an existing device, like a smart phone, then you can just install it on there.

I have a smart phone, and it did cost over 500€. But not every smart phone has iOS or Android.

It should be called iOS and Android Authenticator if it does not support Win7, MeeGo nor Symbian.


It is also available for Windows Phone 7, even BlackBerry.

Most smart phones now use any of the four.
Edited by Reinhart#1460 on 5/22/2012 12:51 AM PDT
I am afraid to play the game. I have a mobile authenticator but I don't want to get hacked.
I may be being nitpickish or petty, but I want to see Blizzard state a simple yes or no.

A. Our system does/may have a security flaw.

B. Our system does not have a security flaw.

It has to be one or the other. "We have yet to investigate", "We have yet to find any situations", etc. sound suspiciously like "We don't know.".


This is an unrealistic expectation. It just isn't possible for them to categorically deny even the possibility of a flaw, particularly considering that as time goes on and hardware/software capabilities evolve, a flaw could develop that did not exist before.

What they can do is what they've done - describe their security measures, state that to date no flaw has been found, and describe what they HAVE found. In particular, pay attention to this quote:

05/22/2012 12:21 AM Posted by Bashiok
Despite the claims and theories being made, we have yet to find any situations in which a person's account was not compromised through traditional means of someone else logging into their account through the use of their password. While the authenticator isn't a 100% guarantee of account security, we have yet to investigate a compromise report in which an authenticator was attached beforehand.


Unless you want to simply accuse them of a flat out lie, what they are saying is that NO ONE who has actually bothered to report their hacking has been confirmed to have the authenticator in place prior to the alleged event.

How much more specific than that can they get?
This topic is locked.