Diablo® III

Session Spoofing

90 Human Paladin
8335
Posts: 12
06/05/2012 11:34 AM Posted by Falic
Basically, Blizz records system stats/IP address location of the player. If a different computer or wildly different IP address connects to battle.net using the account credentials, the account becomes "locked" and can only be unlocked via a code sent to the person's email.


They already do this if I am not mistaken, because it happened to me.

Home ISP was down, needed to log in and at least let my guild know why my connection was down and I might not make raid tonight. Whipped out my phone, turned on my hotspot, connected my PC to my phone, and jumped on Vent to let everyone know. Figured, hey, let's see how bad the latency is. Logged into WoW and the account locked!

Reason, you ask? The phone's IP was shown to be in Ohio even though I live in Florida. Makes sense, right? Phone in Florida gets an IP listed in Ohio. Anyway, the only difference was my connection, IP and the location of the IP. Had to log into the Bnet site with username/password and prove who I was to unlock the account.

So to the best of my knowledge they already do lock the account if you log in from an abnormal place.


Yes, they do lock your account if logged on from a different region or IP band. I've been as little as 90 miles away from my home computer and gotten the "account locked" error due to location, when trying to log into WoW via my laptop. Also, like you, I switched from wifi to phone hotspot and got the lock due to region/IP discrepancies. Furthermore, as stated by a Blue in another thread, they (Blizzard) can view the region/location of logins through their system. As for the subject of "Session Spoofing", I have yet to see any valid evidence to contradict what Blizzard has said. Like others, I've used Wireshark and other programs to packet sniff and found nothing of importance. All I can say is, get an Authenticator for the added level of security, be mindful of root-kits and other nasty stuff, and watch out for those Vortex+Desecrator+Plagued+Electrified champion packs :)
Yep. You could also explain how someone was able to change my password without logging into my email account. I have checked with Google and the only IPs that accessed that account are my home IP/work IP and cell phone IP. The email was left unread, so how did they change my password, BLUE? Customer service couldn't answer me that either.

So until the RMAH goes up I shall continue making millions off 12 year olds that don't know prices :)
They don't need access to your email account to change your password...
Posts: 266
Thing is, if you did know there was session spoofing or people with an authenticator were hacked, you would be forced to lie anyway and would deflect the truth.

So while what you said may be true, it really holds no water considering your primary goal is to protect the interests of Blizzard and their primary interest with Diablo 3 is the RMAH.

If it had been found that session spoofing was happening, or people were hacked with an authenticator, it would put a serious damper on the RMAH, possibly destroy it, if people cannot trust that their hard-earned money used to buy content would not be hacked away even with every precaution.

The RMAH is set to make Blizzard a lot of money, so again, while what you say may very well be true, it cannot be taken as fact considering the truth could cost Blizzard lots of money.

It has become standard for Corporations to protect their revenue streams by deflecting the truth, redirecting blame or straight up misrepresenting the truth.

To sum up, it's probably not worth spending too much time defending your position. It would be like McDonald's trying to initiate a get-healthy program.


Actually, McDonald's has done a pretty reasonable job of "healthifying" their menu over the last 5 years. I can actually go and have a good salad (I generally don't like salad), although you have to watch the dressing and the nuts for sugars...
85 Night Elf Warrior
0
Posts: 282
I'm just waiting for someone to call Lylirra a 'fanboi' and brush off the factual evidence in favor of an unproven popular theory that has no supporting evidence.
Posts: 200
Throughout all the years of World of Warcraft in which authenticators were available, we saw literally dozens of people get hacked on our server, many in our own guild.

Absolutely zero that owned an authenticator were among this number. Very nearly every single person without one was hacked at one point or another. In fact, no names come to mind of people that I knew personally without an authenticator that DIDN'T get hacked.

Frankly, it's deplorable that the authenticator doesn't come in the game boxes, because you WILL get hacked without one, and the odds are very much against it if you have one. They are not exactly an expensive item to make; one look at these cheap little gizmos tells you that five and a half dollars of the six that they cost is shipping, handling, and profit.

But they don't come in the box, and you do need one. So get one already and stop being victims, folks.
06/05/2012 11:41 AM Posted by Drumith
Accusing your customers of lying. That's smart.


notalwaysright.com


Phishing site detected.

The cyber police are on their way, hacker scum.
90 Tauren Paladin
5425
Posts: 82
Here is the link, it contains everything you need to know, read before it is taken down.

http://www.cinemablend.com/games/Diablo-3-Session-Spoofing-Real-Do-Join-Public-Games-43162.html


Ate oranges and it was k. I think you should eat oranges.
The blogger doesn't even provide evidence to back up his claim.

Also, it's impossible for such a thing to happen because of the way that D3 was created. I'm not an ITT techy guy, but I've been told a rough version of how it works.


Please actually learn some things before posting. A rough idea? Wow, you're going to defend off of that? I am an IT guy and this is entirely possible if they have not built the game correctly.


Battle.net destroys sessions when you attempt to use them from an IP address other than the one that created them.

It is 100% impossible for session spoofing to work unless that hacker has full control of you. If they are at the point where a session spoof will work for them against you, then they probably already have your info anyway.

Read again. A session spoof hack is impossible. Regardless of whether the trade window passes info that could be used to spoof your ID, you still need to match the originator IP address, which is a highly unlikely scenario.

It is also funny that the blog poster takes what this guy says as 100% fact but dismisses all of the people who are proving him wrong.

Also, there is no way, NO WAY, that this user could possibly know what info Blizzard is using to create a session ID. He says pieces of info are sent that could be used to generate a session. While that is probably true, those pieces are just that, pieces. You need the whole ID in order for this to work, and there is absolutely no way to get all of these pieces without brute forcing some of it. How long does it take to brute force a 10 character password worst case? Your typical session ID will be over 6 times that size. 10 lifetimes will have passed by the time you brute force a single session ID.

Now get off of this bull. It is false. There is 0 truth to it.
I've posted this before, but let's look at reports of account compromises and how they may or may not be related to so-called "session spoofing":

1. User is kicked off and told that somebody else is logging in. This occurs only during an actual login, which means that the attacker has your username and password, and is creating a NEW session while simultaneously destroying yours. Not session spoofing.

2. User has logged off for the night, and comes back the next morning to discover their account has been compromised. When you log off your session is destroyed...so again, not session spoofing.

3. User finds that their password has been changed in addition to gold and items stolen end game. That's actually TWO separate sessions, one on the web and one in-game. Somebody hijacking your in-game session would not be able to then log in on the web (and vice versa).

Bottom line: based on the reports from the front lines (stories from actual victims), session spoofing is not happening. Everybody should follow the great advice in this thread and elsewhere for protecting your account. And get an authenticator. If worst comes to worst and somebody DOES get your email and password, they'll be stymied at the authentication step.
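As an added illustration (not Blizzard's code and not from any post in the thread), here is a toy server-side session table that behaves the way the two posts above describe: each token is bound to the address that created it and is destroyed if presented from anywhere else, a fresh login evicts the old session (case 1), and logout destroys the session (case 2). Account names and addresses are constructed sample values.

```python
import secrets


class SessionStore:
    """Minimal session table: token -> {account, ip}. Bound-to-IP semantics
    are an assumption modelled on the thread, not a description of Battle.net."""

    def __init__(self):
        self._sessions = {}

    def login(self, account: str, client_ip: str) -> str:
        # A new login evicts any live session for the account, which is what
        # produces the "somebody else is logging in" kick described as case 1.
        for tok, sess in list(self._sessions.items()):
            if sess["account"] == account:
                del self._sessions[tok]
        token = secrets.token_urlsafe(32)  # 256 bits of entropy: not guessable
        self._sessions[token] = {"account": account, "ip": client_ip}
        return token

    def use(self, token: str, client_ip: str):
        """Return the account for a valid (token, ip) pair, else None."""
        sess = self._sessions.get(token)
        if sess is None:
            return None  # unknown, evicted, or already destroyed
        if sess["ip"] != client_ip:
            # Token presented from a different address: destroy it outright
            # rather than just rejecting, so a replayed copy is useless.
            del self._sessions[token]
            return None
        return sess["account"]

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)


def replay_scenario():
    """A captured token replayed from another address kills the session."""
    store = SessionStore()
    tok = store.login("falic", "203.0.113.10")          # constructed values
    owner_ok = store.use(tok, "203.0.113.10")           # same address: accepted
    replayed = store.use(tok, "198.51.100.7")           # other address: destroyed
    owner_after = store.use(tok, "203.0.113.10")        # owner is now logged out too
    return owner_ok, replayed, owner_after


if __name__ == "__main__":
    print(replay_scenario())  # ('falic', None, None)
```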
Throughout all the years of World of Warcraft in which authenticators were available, we saw literally dozens of people get hacked on our server, many in our own guild.

Absolutely zero that owned an authenticator were among this number. Very nearly every single person without one was hacked at one point or another. In fact, no names come to mind of people that I knew personally without an authenticator that DIDN'T get hacked.

Frankly, it's deplorable that the authenticator doesn't come in the game boxes, because you WILL get hacked without one, and the odds are very much against it if you have one. They are not exactly an expensive item to make; one look at these cheap little gizmos tells you that five and a half dollars of the six that they cost is shipping, handling, and profit.

But they don't come in the box, and you do need one. So get one already and stop being victims, folks.


I believe they can't actually ship them in the game boxes or to retail stores due to encrypted data laws.

And while it may not cost that much to make them, Blizzard doesn't make them. They come from Vasco. They're the ones that profit from these. Blizzard must get a special rate, because the cheapest I could find them in bulk was like 20/pc.
lol, will this ever end? You people are presented with the fact over and over and over again that this has never happened, yet continue to try and convince people it has. What's your agenda here? Are you so brainwashed by the liberal anti-business left that even with the evidence right in front of you, you still can't bring yourselves to accept the truth? Being suspicious of a problem is one thing, but at this point it's just sad and pathetic that you people can't admit you were wrong.
Posts: 77
I totally believe hacking isn't the problem. Here is my theory.
1. Blizz is just losing character data from a bad HDD/SAN setup. In a datacenter as large as what's required for D3 you're going to get defective parts.
Any sysadmins out there?
96 Orc Shaman
15535
Posts: 183
Guys, be careful on the sites you visit, don't ever use the same password for sensitive accounts, and most of all... BAD sites, sketchy sites are how most people lose 'em...
Posts: 13,814
06/05/2012 11:49 AM Posted by xbobx
Yea, because there is zero possible negative consequences to that.


Companies are run by the finance department, not by the creative people. If the finance department feels that the risk and cost of lying is less than the loss of damaging the RMAH, yes, they would be told to lie.

It is that simple.


Considering the risk and cost of lying about a data breach, the chances of that conditional being reached are unlikely.