Diablo® III

Session Spoofing

06/05/2012 01:22 PMPosted by moojerk
It is shocking the number of people who think that an authenticator would prevent session spoofing/hijacking. lol


Thanks for agreeing with me. If session spoofing/hijacking were happening people with authenticators would be affected. Blizz has said time and time again that NO account with a physical or mobile authenticator attached to it has been compromised, this is all the proof I need that session spoofing/hijacking isn't happening...
06/05/2012 01:35 PMPosted by Applesoup
You think that? If 1 person dies from exposure, okay, maybe he doesn't have an immune system. If 100,000 people die, crap, we better do something about this.


As morbid as this example is going.

If I stick 7 billion trees on an island and a virus spreads killing 100,000, but 6,999,900,000 still manage to survive when they catch it, that's such a very insignificant number in comparison.

I doubt the number is that high either, but it is certainly higher than the 1% people here would have you believe. Perhaps the number would be closer to 15% of people without an authenticator...


The problem is you're thinking that 50% of all the players out there have an authenticator. I would beg to differ, and suggest that only about 20% of all players have one, max. And so 15% of that 20% is 3% of the total player base. Yes, 3% would be relevant, but I think the number is still under 1%.
06/05/2012 01:35 PMPosted by Applesoup
You think that? If 1 person dies from exposure, okay, maybe he doesn't have an immune system. If 100,000 people die, crap, we better do something about this.
I hope you're never in charge of something.

Correlation is not causation. If 100,000 people were exposed to something and died, and 9,900,000 were exposed but didn't die, then it is far more likely that those 100,000 people died due to something other than exposure.
06/05/2012 01:39 PMPosted by Dark
I doubt the number is that high either, but it is certainly higher than the 1% people here would have you believe.
1% of 7 million people is 70,000. That's a lot of people.

At the same time, an older study from Trusteer put the effectiveness of phishing attempts at 40%, and a more recent study (http://lorrie.cranor.org/pubs/pap1162-sheng.pdf) found a success rate of 28% even after training against phishing. A Trusteer study says 73% reuse passwords, 65% reuse usernames, and 47% reuse both, and PandaLabs report that approximately 40% of computers are infected with malware, of which the majority are trojans.


A 40% success rate of phishing doesn't mean much if only 2% of your target has the information you want.

And yes, 70,000 people is a lot of people, which is why this is a serious issue.


You think that? If 1 person dies from exposure, okay, maybe he doesn't have an immune system. If 100,000 people die, crap, we better do something about this.


Tell me how the % is relevant.
Because the term "a lot" is a relative term.

I can't believe we're still even talking about this 4 pages later...
06/05/2012 01:43 PMPosted by Dark
You think that? If 1 person dies from exposure, okay, maybe he doesn't have an immune system. If 100,000 people die, crap, we better do something about this.
I hope you're never in charge of something.

Correlation is not causation. If 100,000 people were exposed to something and died, and 9,900,000 were exposed but didn't die, then it is far more likely that those 100,000 people died due to something other than exposure.


rofl


You think that? If 1 person dies from exposure, okay, maybe he doesn't have an immune system. If 100,000 people die, crap, we better do something about this.


Tell me how the % is relevant.


It's about tolerance. If the existing percentage affected is in line with other similar scenarios, there is going to be a certain amount of tolerance. For example, in any given year the number of people that die from the flu is 3,000 to a high of about 49,000 people. Yet there is not a public rampage about this, and no significantly increased amount of funding is being diverted to quell flu outbreaks and advance research, because as long as the numbers fall within the norm, it is meeting the tolerance level around that issue. That doesn't mean that the issue is forgotten; it just means it is not a primary focus because it is under control.

This also applies to account security. Each year x number of accounts are broken into. If what Blizzard is experiencing is similar to x, then Blizzard is at parity to what other account issuers are experiencing and because this number is shared across many categories and account types, there is going to be a certain amount of tolerance that goes along with it. The reason for this is simply because achieving 100% security is simply not possible.

Anyone using the internet that has any sort of account should be aware of this. If you as the individual are not accepting of this, your tolerance is below the social norm. The only way to insulate yourself more is to remove yourself from the equation.

The social norm is dictated by a constant tug-of-war between companies, technology and customers.
Edited by MutantMonkey#1724 on 6/5/2012 1:49 PM PDT
06/05/2012 01:40 PMPosted by Dark
Persistent connections have nothing to do with whether or not sessions exist. A persistent connection means it leaves the connection open to receive/send multiple requests/responses, rather than sending a new connection request for every single request.


Mea culpa, were the two findings independent, then?
Just two different things, but yes, persistent connections can be done via a session (in fact I think technically a session is also a persistent connection).

That said, it doesn't detract from your point that session hijacking or MITM or whatever you want to call it simply aren't occurring.
06/05/2012 01:38 PMPosted by kweagle
The only thing that is limiting the number of hacks is the speed at which the hackers can work.
...what?
06/05/2012 01:49 PMPosted by Dark
The only thing that is limiting the number of hacks is the speed at which the hackers can work.
...what?


He is talking about demand on the "stolen" product and the number of people willing to get into that business. That is an issue of supply and demand, and while being a fair point, it is not the only variable in the equation.
06/05/2012 01:35 PMPosted by jubjub


Not true. I have Tlog backups that can take hours to complete on some of the fastest storage devices you can buy. It's all about the IOPS...


Yeah, I work for a mid-size company that manufactures storage equipment (~1.5 Billion in revenue) and our production systems don't have "instant" backups.


I suppose at my job we may have more mission-critical systems than some places, but I would argue it is closer to Diablo's servers than typical business servers. We back up twice daily to offsite locations, but the HPC, server farm and data center where I work certainly have instant triple redundancy.
This may be a bit TL;DR, but I want to try to address as much here as possible...

We've investigated several reported claims of "session spoofing," as discussed both in these forums and elsewhere on the Web. We treat these kinds of reports very seriously -- however, to date, we have yet to identify a single case of compromise that was the result of a player joining or participating in a public game.

[url="http://us.battle.net/d3/en/forum/topic/5149181449"]Additionally[/url], as we mentioned before:

Regarding this specific example, we've looked into the issue and found no evidence to indicate compromises are occurring in this fashion, and we've determined the methods being suggested to do so are technically impossible.


For clarity, when we say "technically impossible" it means we determined (after many, many days of research) that session spoofing, as described in the claims we've seen, cannot occur within Diablo III. To avoid confusion, read "technically impossible" as "technologically impossible."

Even so, we're continuing to investigate related reports. If you believe you possess solid evidence of some sort of "hack," then please relay that information to our support representatives as soon as possible, or email hacks@blizzard.com. In the meantime, if you don't possess such evidence, we ask that you please refrain from spreading hearsay.

06/04/2012 05:55 AMPosted by Vadoff
There have been multiple reports of people being hacked while using their authenticators. Some of these are by credible journalists. This alone should be sufficient evidence.


We've stated this several times, but in all of the individual Diablo III-related compromise cases we've investigated thus far, none have occurred after a physical Battle.net Authenticator or Battle.net Mobile Authenticator app was attached to the player's account.

While no security method is 100% fool-proof (even Authenticators), please note that it is possible that players reporting to have been compromised while an Authenticator was attached to their Battle.net account may have been using the Dial-in Authenticator. The Dial-in Authenticator does not provide the same level of protection as the Battle.net Authenticator or Battle.net Mobile Authenticator app, and -- more importantly -- is not currently supported for Diablo III.

It's important to remember there is no "silver bullet" guaranteeing complete protection against account compromise. The Authenticator offers players a highly valuable layer of added protection, but is not intended to replace the need for end-user computer and network security.

06/04/2012 12:37 AMPosted by ibchris
just happened to me..bunch of bs..


I'm very sorry to hear that your account may have been compromised. If you haven't already, please take a look at our [url="http://us.battle.net/support/en/article/compromised-diablo-iii-account"]restoration policy for Diablo III[/url] and contact customer support as soon as possible.

That said, there are a number of ways in which an account's information can be stolen, some of which you might not immediately be considering.

Sharing login information:
Sharing your account information with a family member, friend, or another player is an easy way to lose control of who has access to your account and increase the risk of compromise -- no matter how well you might know the person you're sharing your login information with. Keep in mind that even if you practice optimum Internet security at home, you can't control how another person will make use of your account information…or how secure their own computer system might be.

Email and password security:
Ensuring that your registered email address is secure is a very important part of keeping your Battle.net account secure. Your registered email address not only serves as a primary point of contact with Blizzard Entertainment, but it also functions as your Battle.net account name.

Because of this, you may want to consider creating a unique email address for your Battle.net account, and we *strongly* recommend using a password that you don’t use for any other online service.

Phishing scams:
Phishing scams are designed to trick you into giving out your account information, and they'll usually come in the form of "fake" websites or emails that appear to be sent by Blizzard employees. Sometimes these emails encourage you to visit a malicious website (which might contain a web form for you to fill out or even embedded software that can steal your login information). In other cases, you may be asked to reply with your account name and password.

While most of these types of scams are easy to identify -- they'll frequently use poor grammar and spelling, or make outrageous threats about banning your account -- some can be difficult to distinguish from legitimate Blizzard correspondence, so it's important to be cautious of what you click on and when.

You can learn more about how to identify these kinds of scams [url="http://us.battle.net/en/security/theft"]here[/url].

Keyloggers:
You'll also want to make sure your computer is protected against malicious programs, including "keyloggers." Keyloggers are pretty serious, as they're capable of snagging information directly from your computer, either by monitoring your keystrokes or by gaining access to important applications like your clipboard.

To best protect your account against this kind of malware, you'll want to:
  • Install antivirus and anti-spyware software. If you're unsure of what software might be best for you, check out our [url="http://us.battle.net/support/en/article/account-and-computer-security"]support site[/url] for a list of recommendations. Please make sure that you regularly update any antivirus or anti-spyware programs you're using, so that they're able to identify the latest malware threats.
  • Keep your browser up to date. In addition to providing more tools and functionality, browser updates can also include new security definitions and a more comprehensive phishing filter.
  • Keep your browser plug-ins up to date. Using the most recent versions of your browser plug-ins and applications (like [url="http://www.adobe.com/products/flashplayer/"]Adobe Flash Player[/url] and [url="http://www.adobe.com/products/reader/"]Adobe Reader[/url]) and regularly checking for security updates is also important, because they can sometimes become targets for certain types of malware. While most plug-ins will prompt you automatically when updates are available, it's a good idea to check the distributor website periodically to make sure you're running the latest versions.
  • Turn on your browser's phishing filter. Phishing filters work by comparing the websites you visit against a massive database of legitimate (secure) websites and websites that have been identified as potential security risks. If you happen to visit a website that's flagged by your browser's filter, you'll be alerted and given the opportunity to continue onto the page or -- in most cases -- navigate to another site completely. Most popular browsers have built-in phishing filters that are turned on by default, but you can always double-check filter settings/availability in the browser's Tools menu.


For more information on account security in Diablo III, be sure to check out the following resources:

[url="http://us.battle.net/d3/en/forum/topic/5149181449"]Diablo III Launch Update[/url]
[url="http://us.battle.net/d3/en/blog/6020037/Battlenet_and_Diablo_III_Account_Security-5_25_2012#blog"]Battle.net and Account Security[/url]
[url="http://us.battle.net/en/security/"]Account Security Homepage[/url]


This should be stickied. Well done and professionally executed post. Thank you.
06/05/2012 01:51 PMPosted by MutantMonkey
He is talking about demand on the "stolen" product and the number of people willing to get into that business. That is an issue of supply and demand, and while being a fair point, it is not the only variable in the equation.
Yes, saying the "only thing" that limits the amount of compromised accounts due to hackers not having the time to get around to it yet is just plain silly.
<insert RMAH/Moon Landing conspiracy theory>


All words from someone who does not understand the legal repercussions if Blizzard were found to be lying or hiding the truth.


What you said makes perfect sense... therefore you are not a real D3 forum poster and must leave immediately!
D3 is out to control your computer with RMAH and launch nuclear rockets at the Eskimos. I have proof! Read the fine print on the authenticator!


Yeah, I work for a mid-size company that manufactures storage equipment (~1.5 Billion in revenue) and our production systems don't have "instant" backups.


I suppose at my job we may have more mission-critical systems than some places, but I would argue it is closer to Diablo's servers than typical business servers. We back up twice daily to offsite locations, but the HPC, server farm and data center where I work certainly have instant triple redundancy.
There is a difference between redundancy and backup. :p


More likely referral bias at play.

I'm not sure it's wholly correct to call posts on the forums "representative of the entire player base". More accurate to call them representative of the players on the forums.

You leave out the very real possibility that players who are not posting on the forums may have very different opinions and experiences.

Qualifying your sampling shouldn't be seen as weakening the results. If anything, it helps to properly scope your results and note potential bias. 8)

love,
shmoo


You are assuming that only people with a negative opinion post here, and every other player does not. Fact is, most people who dislike the game will put it on the shelf and be done with it, never visiting a forum at all. Same goes for those who like the game. They will play it, and never visit a forum.

Forum percentages are still representative of the overall player base. It may not be a 1:1 ratio, but it is pretty close. Close enough that if you have the majority of a forum posting a certain way, you can be sure the majority of people not posting feel the same way.


In fact, I'm not assuming that. I mentioned neither positive nor negative feedback. Only that, at best, the sampling is subject to referral bias because it only samples the percentage of the player base that posts to the forums.

8)

love,
shmoo
In fact, I'm not assuming that. I mentioned neither positive nor negative feedback. Only that, at best, the sampling is subject to referral bias because it only samples the percentage of the player base that posts to the forums.

8)

love,
shmoo


So you are suggesting that people who post on forums have different reactions to games than those who do not?