Battle.net® Account Security & Diablo® III

Blizzard Archive
Why the hell aren't the authenticators required? You should warn every new Diablo user that your user/pass system sucks and they MUST use an authenticator. You should also mention that the Dial-in authenticator doesn't prevent the loss of items/gear ("getting hacked"), as I had that form of auth but still fell victim.

Very disappointing response from Blizzard.
Also, an interesting note, the Blue post mentions the security asks you to change your password as a way to protect your account. Could this be the reason that people have to go in and change their password after being booted? Sounds like a strong possibility.
who cares fix the lag and high latency problem first


I'm a year into my PhD. No not same thing lol. It still has no place in the conversation seeing as Bipolars aren't used outside of analog electronics and just comes across as trying to show off an education that you don't appear to have.


Sigh. Sure I have no education. I am just a dumb ole country boy that knows the basis of every CPU is developed upon the founding principles of millions of transistors doing the simple boolean algebra stuff based upon the logic of j-k flip flops. I digress though since you know far more than I do.

Like how Blizzard is saying it is my fault for my logon credentials and yet their log files show NO unusual logins from the time I legitimately logged off to take my geritol and sleep to my legitimate logon after work the next day.

Yet CPUs don't use BJTs lol! And J-K flip-flops have very few applications in CPUs as they are far more complex than generally required. Latches or D-FFs are used far more often.
What I want to know is, is it safe to go into public games again?
Um, you realize that withholding this information is a VERY severe crime that would result in millions of dollars in fines and possibly the company getting shut down? To keep something like this secret would involve HUNDREDS of people conspiring, not only risking their jobs but also JAIL TIME, to keep something secret that would be found out anyway.


yeah, because everyone knows major companies NEVER do anything illegal. I mean, it's not like Enron broke the law right? lol..... seriously, major companies do illegal things all the time for the money. most get away with it, some don't.


No one with an authenticator has been hacked, anyone who says so is lying.


Wow, somebody sure is in denial. Since you've made the claim, the burden of proof is on you, and you need to show everybody that they are lying.


Are, perhaps you're in denial. Those people have just as much "burden of proof". You're just blindly believing. I'm willing to back up, though. Maybe they really do have one, that doesn't stop a man in the middle attack.


I wouldn't go that far. If someone has access to YOUR machine, and you set up the Authenticator such that it only asks you once every week or so, it's completely possible for them to just log in through your machine.

For the Authenticator to be 100% effective you have to set it so that it asks for the log in every time. This reduces the attack opportunity from days to seconds.


Except that session hijacking completely bypasses the need to enter authenticator, or even knowing the password or email. Once you are signed onto a game your session-id is the confirming of having made it past security features.. it's the pass that says you're legit.

And this pass is easily copied. It's why people that have been hacked suddenly find themselves disconnected or hacked only after a public game.


It sure explains why people are complaining that they get hacked when they haven't played in public games.

But that would debunk your entire theory, how convenient of you to neglect it.
I call BS. Let's be realistic Blizzard, there's no way suddenly a whole ton of people are getting randomly hacked and then you blame it on their own security. I know people that have knowledge of computers plus they run good protection software and are careful about what they open, and still fell victim to this. Everyone with a brain knows it's easily possible to find a security exploit in any game, not just Diablo 3.

There's way too many reports in too short of a time span for this to be blamed on people's own security. But for a company it's always easy to put the blame on the consumer rather than dealing with it and being honest about it.

There's definitely something else at play here.
05/21/2012 09:09 PM Posted by Dalomar
My lvl 60 wizard who was clearing Inferno well is now naked, and over 1 mil gold is missing, after just 1 minute of them logging in (they booted me off while I was playing so I immediately tried to search forums for answers).


This is exactly how a session hijacking goes. They copy'n'paste your session ID after seeing you in a public game, which of course boots the original off.
Come on Blizzard, directly address the session spoofing issue. Are all these people saying that they got compromised with an authenticator in place lying?


There was no confirmation of spoofing, only speculation by frustrated players.

And people have been easily confusing "authenticator" with "SMS alerts" or the dial in authenticator, which is not the same thing. OR they didn't have "require code for every login" checked either. Yes there's a possibility of them lying since they don't want to admit they screwed up.
Can I get a refund for the game? I just got hacked/lost all my money and feel like garbage. I have been a blizzard fan since warcraft 2 and feel betrayed by this post. WAKE THE HELL UP AND FIND OUT WHY SO MANY PEOPLE ARE GETTING HACKED AT ONCE? Don't feed me this garbage about security. If no one addresses this issue, I will never buy a blizzard game again.

This really feels like a knife in the back. Who cares if I roll back my character? They are just gonna hack me again. That's the scary thing.
I call BS. Let's be realistic Blizzard, there's no way suddenly a whole ton of people are getting randomly hacked and then you blame it on their own security. I know people that have knowledge of computers and fell victim to this. Everyone with a brain knows it's easily possible to find a security exploit in any game, not just Diablo 3.

There's way too many reports in too short of a time span for this to be blamed on people's own security. But for a company it's always easy to put the blame on the consumer rather than dealing with it and being honest about it.


No, it's easy for the consumer to blame the scapegoat.

You have it all backwards, you fool.


I wouldn't go that far. If someone has access to YOUR machine, and you set up the Authenticator such that it only asks you once every week or so, it's completely possible for them to just log in through your machine.

For the Authenticator to be 100% effective you have to set it so that it asks for the log in every time. This reduces the attack opportunity from days to seconds.


Except that session hijacking completely bypasses the need to enter authenticator, or even knowing the password or email. Once you are signed onto a game your session-id is the confirming of having made it past security features.. it's the pass that says you're legit.

And this pass is easily copied. It's why people that have been hacked suddenly find themselves disconnected or hacked only after a public game.


This session hijacking thing is just a "theory", a theory of a possible exploit in a very poorly designed system. Sessions are usually signed to prevent this.
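
Added example, not part of the thread and not Battle.net code: a minimal HMAC-signed session token, showing what the signing mentioned above covers (forgery and tampering) and that rejecting a copied but valid token needs a separate binding check. The function names, the `client_ctx` value, the key and the lifetime are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # constructed key; held only by the server
SESSION_TTL = 3600                    # assumed session lifetime in seconds


def _mac(payload: str) -> bytes:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest().encode()


def issue_token(account: str, client_ctx: str, now: float) -> str:
    """Issue a token once password and authenticator checks have passed."""
    session_id = secrets.token_hex(16)
    expires = int(now) + SESSION_TTL
    # Bind the token to the client by signing a hash of its context
    # (hypothetical: a device identifier or channel-binding value).
    ctx_hash = hashlib.sha256(client_ctx.encode()).hexdigest()
    payload = f"{account}|{session_id}|{expires}|{ctx_hash}"
    return f"{payload}|{_mac(payload).decode()}"


def verify_token(token: str, client_ctx: str, now: float) -> str:
    """Return 'ok' or the reason the token is rejected."""
    try:
        payload, tag = token.rsplit("|", 1)
        account, session_id, expires, ctx_hash = payload.split("|")
    except ValueError:
        return "malformed"
    # Signature check: catches forged or edited tokens, not copied ones.
    if not hmac.compare_digest(tag.encode(), _mac(payload)):
        return "bad-signature"
    if now >= int(expires):
        return "expired"
    # Binding check: a correctly signed token presented from another context.
    presented = hashlib.sha256(client_ctx.encode()).hexdigest()
    if not hmac.compare_digest(ctx_hash.encode(), presented.encode()):
        return "context-mismatch"
    return "ok"
```

The binding is only as strong as the context value is hard to copy; short lifetimes and re-prompting for the authenticator on sensitive actions narrow the window further.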
lmao nice copy/paste bashiok
So is there anyone that can Hijack the hijacker?? lol that would be some funny stuff

We also have other measures built into Battle.net to help protect players. Occasionally, when Battle.net detects unusual login activity that differs from your normal behavior -- such as logging in from an unfamiliar location -- we may prompt you for additional information.


I don't know about the rest of you but does anyone else see something fishy about the words used in this post? "Occasionally" and "May" having big roles in account security.... Not two words I want to hear when dealing with a game I can only play online.
05/21/2012 09:15 PM Posted by Probability
My lvl 60 wizard who was clearing Inferno well is now naked, and over 1 mil gold is missing, after just 1 minute of them logging in (they booted me off while I was playing so I immediately tried to search forums for answers).


This is exactly how a session hijacking goes. They copy'n'paste your session ID after seeing you in a public game, which of course boots the original off.


I'm sure this explains those who never joined public games, right?
