Session Spoofing

General Discussion
BUT I BEEN SPOOFED

SPOOFED SO HARD
Lylirra for the love of god please suggest this as an authentication method:

Rift's Coin-Lock system for D3

Basically, Blizz records system stats/IP address location of the player. If a different computer or wildly different IP address connects to battle.net using the account credentials, the account becomes "locked" and can only be unlocked via a code sent to the person's email.

This way, if a Mac user from New York gets compromised by some Dell computer user in China, the account will lock and can only be unlocked via a code sent to the person's email.
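The lock described in this post, written out as an added example (not code from the thread, Rift or Blizzard): a device fingerprint built from system stats plus a coarse IP region are compared with what the account has seen before, a mismatch locks the account and issues a short-lived one-time code, and the code is bounded to a few guesses. Names, the 15-minute validity and the 5-attempt limit are assumptions; delivery of the code (email, or a phone as suggested later in the thread) is out of scope, and a legitimate login from a hotspot or while travelling will trip the same check.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

CODE_TTL_SECONDS = 15 * 60   # assumed: an unlock code is only valid for 15 minutes
MAX_UNLOCK_ATTEMPTS = 5      # assumed: a 6-digit code must not survive brute-force guessing

@dataclass
class Account:
    email: str                                         # where the code would be sent (out of band)
    known_devices: set = field(default_factory=set)    # fingerprints of machines seen before
    last_region: Optional[str] = None                  # coarse IP geolocation of last accepted login
    locked: bool = False
    pending_code: Optional[str] = None
    code_expires: float = 0.0
    attempts: int = 0

def fingerprint(system_stats: dict) -> str:
    """Hash stable machine attributes (OS, CPU, GPU, ...) into one device identifier."""
    canon = "|".join(f"{k}={system_stats[k]}" for k in sorted(system_stats))
    return hashlib.sha256(canon.encode()).hexdigest()

def evaluate_login(acct: Account, system_stats: dict, ip_region: str, now=None) -> str:
    """Return 'allowed', or 'locked' after issuing a one-time code for an unfamiliar device/region."""
    now = time.time() if now is None else now
    new_device = fingerprint(system_stats) not in acct.known_devices
    new_region = acct.last_region is not None and ip_region != acct.last_region
    if acct.locked or new_device or new_region:
        acct.locked = True
        acct.pending_code = f"{secrets.randbelow(10**6):06d}"  # a real system emails this
        acct.code_expires = now + CODE_TTL_SECONDS
        acct.attempts = 0
        return "locked"
    return "allowed"

def unlock(acct: Account, submitted: str, system_stats: dict, ip_region: str, now=None) -> bool:
    """Clear the lock only for a fresh, correct code; on success trust this device and region."""
    now = time.time() if now is None else now
    if not acct.locked or acct.pending_code is None or now > acct.code_expires:
        return False
    acct.attempts += 1
    ok = acct.attempts <= MAX_UNLOCK_ATTEMPTS and hmac.compare_digest(acct.pending_code, submitted)
    if not ok:
        if acct.attempts >= MAX_UNLOCK_ATTEMPTS:
            acct.pending_code = None   # burn the code: too many guesses, a new one must be issued
        return False
    acct.locked, acct.pending_code = False, None
    acct.known_devices.add(fingerprint(system_stats))
    acct.last_region = ip_region
    return True
```

Note that, as another reply in this thread points out, the lock is only as strong as the channel the code is sent over: if the email password was captured by the same keylogger, the attacker can unlock the account too.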
1. Take into account the intelligence of the average person with a full brain.
2. Now take into account the average intelligence of a Battle.Net forum poster (Across all 3 forums)
3. Divide it into quarters.
4. Now realize that about 4-5 people cling to each quarter, so you cut the quarter into fifths.
5. That's the average intelligence of these forums.

Want proof?

This thread. And the next 10 you click on.
Thing is, if you did know there was session spoofing or people with an authenticator were hacked, you would be forced to lie anyways and would deflect the truth.

So while what you said may be true, it really holds no water considering your primary goal is to protect the interests of Blizzard and their primary interest with Diablo 3 is the RMAH.

If it has been found that session spoofing was happening, or people hacked with an authenticator, it would put a serious damper on the RMAH, possibly destroy it if people cannot trust that their hard-earned money used to buy content would not be hacked away even with every precaution.

The RMAH is set to make Blizzard a lot of money, so again, while what you say may very well be true, it cannot be taken as fact considering the truth could cost Blizzard lots of money.

It has become standard for Corporations to protect their revenue streams by deflecting the truth, redirecting blame or straight up misrepresenting the truth.

To sum up, probably not worth spending too much time defending your position. It would be like McDonald's trying to initiate a get-healthy program.


All words from someone who does not understand the legal repercussions if Blizzard were found to be lying or hiding the truth.
Lylirra for the love of god please suggest this as an authentication method:

Rift's Coin-Lock system for D3

Basically, Blizz records system stats/IP address location of the player. If a different computer or wildly different IP address connects to battle.net using the account credentials, the account becomes "locked" and can only be unlocked via a code sent to the person's email.

This way, if a Mac user from New York gets compromised by some Dell computer user in China, the account will lock and can only be unlocked via a code sent to the person's email.


This is actually the best suggestion, by far, that I've read on these forums.

+1 to intelligence.
06/05/2012 11:27 AM Posted by xbobx
Thing is, if you did know there was session spoofing or people with an authenticator were hacked, you would be forced to lie anyways and would deflect the truth.


Yea, because there are zero possible negative consequences to that.
Lylirra,

Are there any plans in the works to have the Authenticator Advertised Up In Your Face on either the Launch or Log In screens?

Picture of the phone with app and/or the physical keyfob maybe floating next to your characters on the select screen?

Many of the player base who did not play WoW have never heard of the Authenticator.
Many people who have yet to have their account compromised don't come to the forums, so also may not know about it.
Many people rush right to the game and don't care about the info on the way in.

I know it is not Blizzard's/Battle.net's responsibility to get up in our face to ensure our own personal security habits, but I feel it would go a long way in getting people to stand up and take notice of the Authenticator.

Edit: did I really spell feel with an a?
This may be a bit TL;DR, but I want to try to address as much here as possible...

We've investigated several reported claims of "session spoofing," as discussed both in these forums and elsewhere on the Web. We treat these kinds of reports very seriously -- however, to date, we have yet to identify a single case of compromise that was the result of a player joining or participating in a public game.

[url="http://us.battle.net/d3/en/forum/topic/5149181449"]Additionally[/url], as we mentioned before:

Regarding this specific example, we've looked into the issue and found no evidence to indicate compromises are occurring in this fashion, and we've determined the methods being suggested to do so are technically impossible.


For clarity, when we say "technically impossible" it means we determined (after many, many days of research) that session spoofing, as described in the claims we've seen, cannot occur within Diablo III. To avoid confusion, read "technically impossible" as "technologically impossible."

Even so, we're continuing to investigate related reports. If you believe you possess solid evidence of some sort of "hack," then please relay that information to our support representatives as soon as possible, or email hacks@blizzard.com. In the meantime, if you don't possess such evidence, we ask that you please refrain from spreading hearsay.

06/04/2012 05:55 AM Posted by Vadoff
There have been multiple reports of people being hacked while using their authenticators. Some of these are by credible journalists. This alone should be sufficient evidence.


We've stated this several times, but in all of the individual Diablo III-related compromise cases we've investigated, none have occurred after a physical Battle.net Authenticator or Battle.net Mobile Authenticator app was attached to the player's account.

While no security method is 100% fool-proof (even Authenticators), please note that it is possible that players reporting to have been compromised while an Authenticator was attached to their Battle.net account may have been using the Dial-in Authenticator. The Dial-in Authenticator does not provide the same level of protection as the Battle.net Authenticator or Battle.net Mobile Authenticator app, and -- more importantly -- is not currently supported for Diablo III.

It's important to remember there is no "silver bullet" guaranteeing complete protection against account compromise. The Authenticator offers players a highly valuable layer of added protection, but is not intended to replace the need for end-user computer and network security.

06/04/2012 12:37 AM Posted by ibchris
just happened to me..bunch of bs..


I'm very sorry to hear that your account may have been compromised. If you haven't already, please take a look at our [url="http://us.battle.net/support/en/article/compromised-diablo-iii-account"]restoration policy for Diablo III[/url] and contact customer support as soon as possible.

That said, there are a number of ways in which an account's information can be stolen, some of which you might not immediately be considering.

Sharing login information:
Sharing your account information with a family member, friend, or another player is an easy way to lose control of who has access to your account and increase the risk of compromise -- no matter how well you might know the person you're sharing your login information with. Keep in mind that even if you practice optimum Internet security at home, you can't control how another person will make use of your account information…or how secure their own computer system might be.

Email and password security:
Ensuring that your registered email address is secure is a very important part of keeping your Battle.net account secure. Your registered email address not only serves as a primary point of contact with Blizzard Entertainment, but it also functions as your Battle.net account name.

Because of this, you may want to consider creating a unique email address for your Battle.net account, and we *strongly* recommend using a password that you don’t use for any other online service.

Phishing scams:
Phishing scams are designed to trick you into giving out your account information, and they'll usually come in the form of "fake" websites or emails that appear to be sent by Blizzard employees. Sometimes these emails encourage you to visit a malicious website (which might contain a web form for you to fill out or even embedded software that can steal your login information). In other cases, you may be asked to reply with your account name and password.

While most of these types of scams are easy to identify -- they'll frequently use poor grammar and spelling, or make outrageous threats about banning your account -- some can be difficult to distinguish from legitimate Blizzard correspondence, so it's important to be cautious of what you click on and when.

You can learn more about how to identify these kinds of scams [url="http://us.battle.net/en/security/theft"]here[/url].

Keyloggers:
You'll also want to make sure your computer is protected against malicious programs, including "keyloggers." Keyloggers are pretty serious, as they're capable of snagging information directly from your computer, either by monitoring your keystrokes or by gaining access to important applications like your clipboard.

To best protect your account against this kind of malware, you'll want to:
  • Install antivirus and anti-spyware software. If you're unsure of what software might be best for you, check out our [url="http://us.battle.net/support/en/article/account-and-computer-security"]support site[/url] for a list of recommendations. Please make sure that you regularly update any antivirus or anti-spyware programs you're using, so that they're able to identify the latest malware threats.
  • Keep your browser up to date. In addition to providing more tools and functionality, browser updates can also include new security definitions and a more comprehensive phishing filter.
  • Keep your browser plug-ins up to date. Using the most recent versions of your browser plug-ins and applications (like [url="http://www.adobe.com/products/flashplayer/"]Adobe Flash Player[/url] and [url="http://www.adobe.com/products/reader/"]Adobe Reader[/url]) and regularly checking for security updates is also important, because they can sometimes become targets for certain types of malware. While most plug-ins will prompt you automatically when updates are available, it's a good idea to check the distributor website periodically to make sure you're running the latest versions.
  • Turn on your browser's phishing filter. Phishing filters work by comparing the websites you visit against a massive database of legitimate (secure) websites and websites that have been identified as potential security risks. If you happen to visit a website that's flagged by your browser's filter, you'll be alerted and given the opportunity to continue onto the page or -- in most cases -- navigate to another site completely. Most popular browsers have built-in phishing filters that are turned on by default, but you can always double-check filter settings/availability in the browser's Tools menu.


For more information on account security in Diablo III, be sure to check out the following resources:
[url="http://us.battle.net/d3/en/forum/topic/5149181449"]Diablo III Launch Update[/url]
[url="http://us.battle.net/d3/en/blog/6020037/Battlenet_and_Diablo_III_Account_Security-5_25_2012#blog"]Battle.net and Account Security[/url]
[url="http://us.battle.net/en/security/"]Account Security Homepage[/url]


It's not that I don't believe that all the reports you have investigated have been compromised the traditional way. I do believe that. However, there were quite a few people who reported that their accounts were stripped and when they requested a rollback they were told their accounts had not been compromised so no rollback would be done.

Unless Blizzard is trying to suggest all these people got really drunk and dropped all their stuff on the ground then I would say stripped characters mean an account was compromised. Seeing as how your company told these people their accounts were not compromised I find it hard to believe that the reports were investigated to find out how their accounts were attacked.

In short, I think someone should look into all those accounts who were told that no rollback would be done because their accounts were not compromised (meaning that there was no evidence of them being compromised by traditional means). It might be possible that something is amiss here and that some people were compromised in a different fashion. I am not saying it was session spoofing; I am simply saying that maybe it was done some other way.
Really? All they have to do is say they really didn't know they'd been compromised and that the hackers were somehow one step ahead. No one would be able to prove otherwise.
Blizzard may want to think about adding a note to the login screen that says, in effect:

"You should really consider attaching an authenticator to your account. Here is how to get one."

Might prevent some of these posts.
Lylirra for the love of god please suggest this as an authentication method:

Rift's Coin-Lock system for D3

Basically, Blizz records system stats/IP address location of the player. If a different computer or wildly different IP address connects to battle.net using the account credentials, the account becomes "locked" and can only be unlocked via a code sent to the person's email.

This way, if a Mac user from New York gets compromised by some Dell computer user in China, the account will lock and can only be unlocked via a code sent to the person's email.


This is actually the best suggestion, by far, that I've read on these forums.

+1 to intelligence.


If someone got keylogged they likely have their email password as well. Not as good as you think.
Lylirra for the love of god please suggest this as an authentication method:

Rift's Coin-Lock system for D3

Basically, Blizz records system stats/IP address location of the player. If a different computer or wildly different IP address connects to battle.net using the account credentials, the account becomes "locked" and can only be unlocked via a code sent to the person's email.

This way, if a Mac user from New York gets compromised by some Dell computer user in China, the account will lock and can only be unlocked via a code sent to the person's email.


Rift is moving on and adding the Authenticator.
06/03/2012 09:54 PM Posted by Set
People also doubt moon landing but believe wrestling is real.


Who above the age of 8 believes wrestling is still real?
The coin lock idea is good. It's basically what Valve does with Steam: when you try and log in from a different IP you need an e-mail confirmation code. While if you get keylogged like an idiot because lolbangbros or whatever dark corner of the Internet you visit isn't safe, or you enjoy drinking antifreeze, it won't help much if they get your e-mail password. Make an option to send it to your cell, because odds are ping-pong in China won't have your phone, and as of right now Mobile Alerts are useless.
Basically, Blizz records system stats/IP address location of the player. If a different computer or wildly different IP address connects to battle.net using the account credentials, the account becomes "locked" and can only be unlocked via a code sent to the person's email.


They already do this if I am not mistaken, because it happened to me.

Home ISP was down; I needed to log in and at least let my guild know why my connection was down and that I might not make raid tonight. Whipped out my phone, turned on my hotspot, connected my PC to my phone, jumped on Vent to let everyone know. Figured, hey, let's see how bad the latency is. Logged into WoW and the account locked!

Reason, you ask? The phone's IP was shown to be in Ohio even though I live in Florida. Makes sense, right? Phone in Florida gets an IP listed in Ohio. Anyway, the only difference was my connection, IP and the location of the IP. Had to log into the Bnet site with username/password and prove who I was to unlock the account.

So to the best of my knowledge they already do lock the account if you log in from an abnormal place.
