Diablo® III

common fallacies about hacking/security

I keep seeing the following things being thrown about, so I want to try and provide information to address them and debunk them.

1. "Battle.net has crappy security because they make you use your email address as your username"

-To start, the hackers need to get your username and password. Whether your username is your email address or something you just make up, they obtain it the same way they get your password. Keylogger, phishing, etc. ALL of the methods used to get the password are just as effective at also getting a username. As for the email, you have to have an email attached to your account no matter what. The fact that the email is or is not the username makes no difference and won't make fewer people use that email for fan sites and other public places.

In addition, please see this post by discomatt:
http://us.battle.net/d3/en/forum/topic/5271503297?page=25#489

2. "Because the passwords aren't case sensitive, our accounts are less secure and people get hacked that way"

-This makes the assumption that someone is brute-forcing passwords. While it is true that currently diablo 3 does not lock out an account after X number of attempts, it DOES appear that it limits the number of attempts via some kind of logon attempt throttling. In other words, brute-forcing needs to be able to attempt thousands of passwords a second in order to be effective. But this isn't possible if the number of attempts per second is throttled/limited.

This means that brute-forcing would really only be able to be done for "easy" passwords that you could guess like "password". The catch-22 here though is that the addition of case-sensitive passwords isn't going to suddenly make people have an epiphany about account security and change their password from "password" to something stronger. So, it's not a magic bullet.

3. "Session-hijacking/spoofing is how people are getting hacked."

-Blizzard made a statement that such a form of hacking was "technically impossible". From what I can see in Wireshark, and from joining public games with others, in order to "session-ID hijack" like what happened in RIFT, the data to do so simply doesn't exist, as far as I can tell. It doesn't even look like they use session-based communication (at least that I can tell, but I admit I'm a bit weaker in this area of expertise), which would in fact make "session hijacking" a technical impossibility. But if some other such exploit does exist, I hope someone finds it and offers up proof so Blizzard can fix it. Until then, the existence of such an exploit is nothing more than conjecture and anecdote.

A couple of other users and I tried an experiment of joining games with "hackers" that others had said took their stuff (they were on their recently-played-with list after being compromised). In mine I even taunted these supposed hackers in an effort to get them to "exploit" my account. As expected, nothing bad ever happened to any of our accounts. I admit this is just anecdote, but take it as anecdotal evidence, since many here seem to enjoy doing so when it comes to trying to claim Blizzard is the one who was hacked and not them. :)

4. "Authenticators shouldn't be necessary just because blizzard has bad security."

-Authenticators enhance END USER security. If there was a security issue on blizzard's end, the authenticators would be useless. If they were able to compromise blizzard to get your password, they'd also be able to get the information (seeds, keys, etc) needed to generate or bypass authenticator codes.

And on that note, a bit about your passwords at Blizzard. Understand that obtaining them is no easy feat. They are stored as hashes, and are not in plain text anywhere in any manner that Blizzard or anyone else can obtain them. They would have to be cracked, and doing so in and of itself is not an easy feat. Credit card data is easier to obtain, because it is often stored in a form that can be decrypted, or with easier-to-break encryption methods, since there is a need for that data to be available in some kind of plain text format, whereas your Battle.net passwords are never in any kind of plain text format. (I'm being very basic here)

5. "Authenticators make your account unhackable".

-This isn't true either. There are nasty bits of malware out there that can help a hacker circumvent them, but they are incredibly rare. There was (possibly still is) one that worked for wow accounts, with a handful of accounts with authenticators being compromised and blizzard verified this. So far though blizzard has said no diablo 3 accounts with authenticators were hacked.

6. "diablo 3 accounts with authenticators have been compromised"

-The only way this will really be proven is if blizzard admits it. There is no way for someone to actually prove their account was protected with a keyfob or mobile app authenticator at the time of their compromise. And in fact, it would be to blizzard's BENEFIT to admit if such a thing occurred with diablo 3. Since such a compromise would be done via a nasty malware or virus, blizzard would want to alert the diablo 3 community to the verified threat.

Also, most of those threads you see about this are people who used the dial-in authenticator without realizing it doesn't work for D3.

7. "sony got hacked, so blizzard could be hacked too"

-Sony also told everyone what information was compromised. Blizzard would do the same should they discover such a scenario. (And chances are they'd know before we would.) And, you're right, NO ONE is infallible, including Blizzard. But realize that is an unlikely scenario, whereas a bunch of users falling for phishing scams and whatnot is a far more likely scenario. Especially when there is nothing but anecdote and conjecture to try and suggest otherwise.

8. "there's just too many accounts being hacked for it to not be some breach at blizzard"

-People have been claiming this for years. I have seen far more threads on hackings on the WoW forums in WoW's heyday than what we have seen here. And this isn't unique to Blizzard either. Every MMO has this stuff happen, and has threads about compromises, and there is always a big rabble about blaming the company and not the users. Blizzard is not unique in this.

9. "i dont go to fishy websites and i dont have any keyloggers, so how did i get hacked"

-Read these:
http://us.battle.net/d3/en/forum/topic/5271501737
http://us.battle.net/d3/en/forum/topic/5271602204

10. "this is just a conspiracy for blizzard to make even more money selling authenticators!"

-If this was a big money-making conspiracy, then why would they offer the mobile authenticator for free? As for the keyfob, it's $6.50 with free shipping in the US. That is at, or more likely below, cost. The authenticators are Digipass GO 6 devices made by Vasco. The cost per keyfob in bulk from Vasco is around $20 typically on the cheap end, so $6.50 is a good deal. And even then, that doesn't factor in the infrastructure and backend cost. It requires at least one server to run the authentication, a database, licensing, and software to interface with Battle.net, along with personnel to support and maintain all of that.

11. "but nothing is free, so they have to be making money on authenticators!"

-No, it's actually reducing a calculated loss. You see, for every account compromised, blizzard has to have staff to handle it and infrastructure to provide restores, etc. So there is a very real cost to blizzard for each account that gets compromised. They try to minimize that cost with a "cheaper" cost by offering the authenticators (again free or at cost). So, the more accounts that have authenticators, the more money they will save since it reduces the chance of a compromise.

12. "I'm in IT so I know I didn't get hacked"

-Most who say this are probably lying. For those that aren't lying, then they are not too good at security. Nothing is more dangerous to the infrastructure of a network than an IT guy who thinks they are infallible or they are so good that they are less likely to be hacked than blizzard. So in fact, people like that are more vulnerable to attack. Which brings me to my next point.

13. "blizzard cannot be hacked"

-No one is infallible. Not even blizzard. The difference, however, is this. No matter how good you think you are at securing your computer, blizzard is better. They have their entire company and livelihood at stake. They are also publicly traded, and have to contend with constant audits and security scans which are designed to find flaws and failures in their security. I guarantee you don't. So again, is it possible? Of course. It's just not likely.

And there is no evidence to suggest otherwise. A bunch of anecdotes on forums with tales of black helicopters in the night simply doesn't carry weight. And if you think this is a lot of threads about hackings, then you haven't been around online gaming much. And in fact with every game it's the same song and dance. In wow's heyday people swore up and down for years blizzard must have been hacked cus omg look at all the forum threads. Or omg look at all these threads it must be an exploit of wow or battle.net. Nothing ever came to fruition.

14. "blizzard is a greedy corporation who would do everything in their power to cover up a breach"

-This is unequivocally false. Just like other companies that were breached (including Blizzard in 2001!), Blizzard would probably notify us of a breach within a couple of weeks of it occurring. Because the penalty and consequence of them covering it up and being discovered later would be FAR worse than admitting it in the first place. We're talking billions of dollars lost, including the possibility of them losing their ability to be publicly traded, etc.

15. "the hackers only stole my diablo 3 stuff, if it was a compromise on my end why wouldn't they have taken my banking info and paypal login, etc"

-Because, according to blues on the WoW forums, the most common form of compromise for Battle.net accounts is phishing scams. In other words, keylogger compromises are more rare, which is why your banking and PayPal info is safe. If you got hacked via one of the various methods that do not require any kind of keylogger to perpetrate, this explains why only your Diablo account was hacked.
Edited by moojerk#1213 on 5/30/2012 10:05 AM PDT
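Added example, not from the original post or from Blizzard: a small Python model of the two server-side mechanisms points 2 and 4 lean on, login throttling and salted password hashing. The backoff numbers, the PBKDF2 work factor, the account names and the wordlist are all constructed for the demo and are not Battle.net's actual parameters. It shows why a throttled online guess budget is tiny, why case-insensitivity shrinks the keyspace but does not make a weak password's fate any different, and what an attacker holding a stolen hash can still do offline.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000   # assumed work factor for the demo; real deployments tune this higher


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash. Only salt+digest are stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class PasswordStore:
    """One (salt, digest) per account. case_sensitive=False folds the password to lower
    case before hashing, which is what a case-insensitive login amounts to."""

    def __init__(self, case_sensitive: bool = True):
        self.case_sensitive = case_sensitive
        self.records = {}

    def _normalise(self, password: str) -> str:
        return password if self.case_sensitive else password.lower()

    def register(self, account: str, password: str) -> None:
        salt = os.urandom(16)
        self.records[account] = (salt, hash_password(self._normalise(password), salt))

    def check(self, account: str, password: str) -> bool:
        salt, digest = self.records[account]
        candidate = hash_password(self._normalise(password), salt)
        return hmac.compare_digest(candidate, digest)


class ThrottledLogin:
    """Per-account exponential backoff instead of a hard lockout: after n consecutive
    failures the next attempt is honoured only base*2**(n-1) seconds later, capped.
    Backoff values are assumptions for the demo, not any real service's settings."""

    def __init__(self, store: PasswordStore, base: float = 1.0, cap: float = 300.0):
        self.store, self.base, self.cap = store, base, cap
        self.failures = {}
        self.next_allowed = {}

    def attempt(self, account: str, password: str, now: float) -> str:
        if now < self.next_allowed.get(account, 0.0):
            return "throttled"          # refused before any hashing work is spent
        if self.store.check(account, password):
            self.failures[account] = 0
            return "ok"
        n = self.failures.get(account, 0) + 1
        self.failures[account] = n
        self.next_allowed[account] = now + min(self.cap, self.base * 2 ** (n - 1))
        return "bad_password"


def online_guesses_per_day(base: float = 1.0, cap: float = 300.0) -> int:
    """Guesses one account absorbs in 24h if the attacker waits out every backoff."""
    elapsed, guesses = 0.0, 0
    while elapsed < 86_400:
        guesses += 1
        elapsed += min(cap, base * 2 ** (guesses - 1))
    return guesses


def exhaustive_search_seconds(alphabet: int, length: int, guesses_per_second: float) -> float:
    """Time to try every password of a given length; 62 vs 36 symbols is the case-folding gap."""
    return alphabet ** length / guesses_per_second


def offline_dictionary_attack(store: PasswordStore, account: str, wordlist):
    """What an attacker holding a stolen (salt, digest) pair does: hash each guess, compare.
    No throttling applies here; only hash cost and password strength slow this down."""
    salt, digest = store.records[account]
    for word in wordlist:
        if hash_password(store._normalise(word), salt) == digest:
            return word
    return None


def demo() -> dict:
    """Constructed scenario: a weak and a strong password on a case-insensitive store."""
    store = PasswordStore(case_sensitive=False)
    store.register("victim", "Password")
    store.register("careful", "correct horse battery staple")
    login = ThrottledLogin(store)
    wordlist = ["123456", "qwerty", "password", "diablo", "letmein"]   # constructed
    return {
        "right_pw": login.attempt("victim", "PASSWORD", now=0.0),   # ok: case folded
        "wrong_pw": login.attempt("victim", "hunter2", now=1.0),    # bad_password
        "too_soon": login.attempt("victim", "letmein", now=1.5),    # throttled
        "cracked_victim": offline_dictionary_attack(store, "victim", wordlist),    # "password"
        "cracked_careful": offline_dictionary_attack(store, "careful", wordlist),  # None
        "guesses_per_day": online_guesses_per_day(),                               # 296
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the assumed backoff, a single account takes under 300 online guesses a day, so only a wordlist-grade password is reachable that way; case folding cuts an 8-character alphanumeric keyspace by roughly 77x, which matters for offline cracking of a stolen hash but does nothing to "password" either way.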
In addition to this information, here's a few other threads that provide more.

Phishing emails:
http://us.battle.net/d3/en/forum/topic/5271602204

Other ways to get hacked:
http://us.battle.net/d3/en/forum/topic/5271501737

http://us.battle.net/d3/en/forum/topic/5575469543

And bashiok's latest response on the matter:

It's a little ridiculous to assume nothing has happened just because Blizzard hasn't given an official response when it's been barely a day. Chances are they have no idea what's wrong apart from the huge influx of reports.


We've made multiple statements, the latest of which is the bottom-most sticky in this very forum: http://us.battle.net/d3/en/forum/topic/5149181449

In addition to verifying all compromises have been through someone's password being stolen, and that no instances of a mobile/physical authenticator being attached before a compromise took place, we're seeing compromise claims on the same general scale as a World of Warcraft expansion launch. The fact that far more people are playing Diablo III that have never been exposed to the concept of an account theft likely correlates with the seemingly bigger impact. World of Warcraft players also, for example, have a CS forum where most compromise claims are posted (Diablo III does not have such a forum so most are posted here in General), which is in addition to World of Warcraft players just being more acquainted with the concept and steps to correct a compromise than... say StarCraft II players that picked up Diablo III.
Edited by moojerk#1213 on 5/30/2012 8:18 AM PDT
Good post, very informative. Hopefully gives some people insight about their situation. +1
Updated, added another part.
05/27/2012 03:56 PM Posted by snøwXz
Why do you act like d3 is a new secure service offered by Blizzard. You can come back to reality now bra ;].
I don't even know what this means...

Secondly, these Chinese currency traders/sellers don't need to "keylog" people; do you honestly think some random guy keylogged 200+ people from the forums in one week?
No, considering the most common method of compromise is phishing. Keyloggers are rare for compromises for blizzard accounts.

Do you think he had so many accounts to strip that he doesn't even take gear, just NPCs it quickly, brings the next account in to empty to move gold out ASAP, and it's a line of accounts? Go view the videos of it happening; it's not just an isolated one person gets stripped, their account is cleaned but the majority still have the player on the list, and they can join the public/private game that person is in, stripping others while recording.
Congratulations, hackers use stolen accounts to mule gold and items back and forth. I'm not even sure of your point here...

Obviously the number is increasing steady,
And you base this upon....?

Yes, it was a phishing site, trojan, and file sharing program that infected their computers and predicted what the authenticator was going to generate for a number, along with the number on the key chain itself to log in, right; the keychain isn't even physically attached to the computer, only the web browser and the one-time log in code. So the file sharing program, generic trojans etc. took the one-time generated code and logged in with it before the keychain owner or? Lol.
You have no idea what you're talking about. I can't even figure out what it is you're trying to say here... You clearly don't understand how the malware worked to allow the hackers to get into authenticator protected accounts in wow...


Plus the authenticators say "made in China", which is the exact place where all the security intrusions, virtual currency theft/selling/trading etc. originate from. Overwhelming amount of integrity issues over there, and yet the Vasco data security company manufactures out of China because of outsourcing to cheaper labor costs/parts, I'm assuming.
Just when I think I've heard all the crazy conspiracy theories people can think of...

Absolutely silly to think needing a keychain authenticator for an online game is a practical standard; no, it does nothing but protect your virtual items, while your pw/email can still be compromised universally because of the insecurity/ability of Chinese currency sites to empty accounts daily. Keylogging a few people is not emptying accounts daily in a constant stream one at a time moving the gold to another acct for later sale. Plus it's funny how I know people here who got "compromised with no authenticator" but carry thousands in USD on other MMOs/RPG characters and whoop whoop only Blizz accts seem to have problems with being data mined. Yeah, I honestly believe someone with 3k+ USD in gear on another MMO/RTS/RPG would come here and download D3 and compromise his own acct.
I can't even... what? I think in there somewhere you tried to say that only blizzard has this problem. Clearly you've never played another MMO or visited their forums.

+1, lol
Since you "+1'd" him, maybe you can translate for me. Cuz I couldn't even figure out what he was trying to say most of the time...

moojerk is a Blizzard employee or someone close to them otherwise he wouldn't invest so much time in trying to convince people their accounts are being hacked *entirely* because of them not because of Blizzard's poor security implementation(s).
He is investing a lot of time on these forums just to reply to my posts on various threads, trying to prove I am wrong (that Blizzard is not to blame for all those accounts being hacked recently).
Nope, I'm just a bored guy over a long holiday weekend. But I like to post and try to provide useful information, while trying to help stop bad information, because it only hurts others to convince them there is some big security breach at blizzard. When they believe that stuff, it makes them more vulnerable to attack since they continue to feel they are not at risk on their end and it's blizzard who has the problem.


I find that hard to believe.. I wouldn't even be here on these forums unless I had a solid reason to be here. In my case, my account was hacked and I find no good reason for it other than Blizzard's low security practices.
What is your reason to defend them so badly, moojerk? Do you have another reason other than the monthly paycheck?
See above.

My threads and my time are wasted on people like you. But there are those who read and reply to my threads and are glad to see the information and discover things they did not know. It makes them a less vulnerable user to being compromised.
Edited by moojerk#1213 on 5/27/2012 4:31 PM PDT
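Added example, not from the original thread, Blizzard or Vasco: a generic one-time-code verifier written to RFC 4226 (HOTP) and RFC 6238 (TOTP), using the RFCs' published test seed rather than any real authenticator's secret. It is not a claim about how the Battle.net authenticator or the WoW malware discussed above actually worked; it illustrates the two general properties the thread argues over. First, the server must hold the same seed the keyfob does, which is exactly why a server-side breach (point 4 of the OP) would let an attacker compute codes. Second, a code is only good once and only inside a short window, so the one opening any code-stealing malware has is to use a freshly captured code before its owner does, and a verifier that does not record consumed counters leaves that opening wider than it needs to be.

```python
import hashlib
import hmac
import struct

# Test seed published in RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
# A real authenticator's seed is a random per-device secret set at enrolment.
RFC_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits)


class OtpVerifier:
    """Server side: holds each account's seed, accepts a given time step at most once,
    and tolerates +/- `window` steps of clock skew between keyfob and server."""

    def __init__(self, step: int = 30, window: int = 1):
        self.step = step
        self.window = window
        self.seeds = {}          # account -> seed; this table is what a server breach exposes
        self.last_counter = {}   # account -> highest time step already consumed

    def enrol(self, account: str, seed: bytes) -> None:
        self.seeds[account] = seed
        self.last_counter[account] = -1

    def verify(self, account: str, code: str, unix_time: int) -> bool:
        seed = self.seeds.get(account)
        if seed is None:
            return False
        now_counter = unix_time // self.step
        for counter in range(now_counter - self.window, now_counter + self.window + 1):
            # Never accept a step at or below one already used: a captured code replayed
            # after the legitimate login must fail even though the window still covers it.
            if counter <= self.last_counter[account]:
                continue
            if hmac.compare_digest(hotp(seed, counter), code):
                self.last_counter[account] = counter
                return True
        return False


def demo() -> dict:
    """Constructed scenario: legitimate login, a replay of the same code, and a seed holder."""
    v = OtpVerifier()
    v.enrol("victim", RFC_SEED)
    t = 1_111_111_109   # fixed timestamp from the RFC 6238 test vectors

    code = totp(RFC_SEED, t)                                  # what the keyfob would display
    results = {"first_use": v.verify("victim", code, t)}      # True
    results["replay"] = v.verify("victim", code, t + 5)       # False: step already consumed
    # Whoever holds the seed (the device, or a breached server) computes the next code too.
    attacker_code = totp(RFC_SEED, t + 30)
    results["seed_holder_next_step"] = v.verify("victim", attacker_code, t + 30)   # True
    results["wrong_code"] = v.verify("victim", "000000", t + 60)                   # False
    return results


if __name__ == "__main__":
    print(demo())
```

The `last_counter` bookkeeping is the part worth copying: without it, a code captured from the user is accepted for the whole skew window even after the user has logged in with it, and the only defence left is who submits first.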
05/27/2012 04:32 PM Posted by Maximus
sounds so much like a Blizzard fan-boy or Blizzard employee trying to protect their interest.. please stop trying so hard, it's embarrassing...


Actually, everything you wrote was pretty embarrassing. You really proved you have no clue how these things work, but couldn't refrain from making sure we all understood how little you actually understand how complex IT security is.
05/27/2012 04:32 PM Posted by Maximus
I can't even... what? I think in there somewhere you tried to say that only blizzard has this problem. Clearly you've never played another MMO or visited their forums.


sounds so much like a Blizzard fan-boy or Blizzard employee trying to protect their interest.. please stop trying so hard, it's embarrassing...


I smell the trolling smell here! This could be entertaining.

He makes a lot of good points that people should educate themselves on.

I'd not be surprised if most on the forum didn't know what Two Factor Authentication means without googling it. Which means most of this is helpful info.
Edited by Shatterstar#1231 on 5/27/2012 4:43 PM PDT
Plus the authenticators say "made in China", which is the exact place where all the security intrusions, virtual currency theft/selling/trading etc. originate from. Overwhelming amount of integrity issues over there, and yet the Vasco data security company manufactures out of China because of outsourcing to cheaper labor costs/parts, I'm assuming.


Lol... From this statement itself, it's clear you have no idea what you're talking about. Don't sound so sure of yourself when you're not only generalizing, but spouting made-up facts as well.
05/27/2012 04:41 PM Posted by Triune
Moojerk, I went ahead and requested a sticky for this topic.
Thanks. Be sure to "like" the post too. I don't expect or even think this needs to be sticky, but I appreciate the sentiment. :)

If even only a few people read it and learn something, that's hopefully a few more people who will be a little bit harder for the hackers to compromise. :)
05/27/2012 04:44 PM Posted by Irmin
!!Do not trust the OP or this post!! the OP has been hijacked by hackers and is definitely the victim of phishing and keyloggers likely due to visiting 18+ websites and attempting to download hacks. He should've had an authenticator.
Ok I admit, this made me chuckle a bit. :p
05/27/2012 03:56 PM Posted by snøwXz
Your generic post of nothing but re-iteration of the same nonsense really convinced me my account is safe without authenticators made in China where all the little spam sites you see in your chat are being operated from. Blizzard fanboy 101.

The physical device might be assembled there, but that means nothing. Anybody can buy an authenticator and tear it apart, it's the software used at the other end that's the important part of the equation.
Yet another informative post on security, +1

Thanks for clarifying the login throttling. I never tried to test it myself, but it would have been a huge oversight on Blizzard's part if logins weren't being throttled.

Too bad this thread will probably get swallowed up by enraged victims.
05/27/2012 04:32 PM Posted by Maximus
I can't even... what? I think in there somewhere you tried to say that only blizzard has this problem. Clearly you've never played another MMO or visited their forums.


sounds so much like a Blizzard fan-boy or Blizzard employee trying to protect their interest.. please stop trying so hard, it's embarrassing...
The troll is strong in this one.
+1

At first it was kind of interesting to watch the victims with their conspiracy theories, but now it's just a little sad.

Instead of getting defensive they need to just accept it happened and move on. If their experience didn't convince them to get an authenticator (and in some cases use authenticators FOR D3, i.e. not the dial-in and SMS) then, fine, it's not like it affects my secure account.