Session Spoofing

06/05/2012 11:53 AM Posted by Gnomeland
The underlined part was never a part of the last few answers like this, in which I've seen this post 3 times now I think?


We've been clarifying information regarding the Dial-in Authenticator for some time now. Just for reference, here are a few recent posts:

http://us.battle.net/d3/en/forum/topic/5149540487#3

http://us.battle.net/d3/en/forum/topic/5270830422#2

http://us.battle.net/d3/en/forum/topic/5271780665?page=3#50

(This information is also in the Dial-in Authenticator FAQ.)
I am sorry, but how pathetic does your computer knowledge have to be that you get hacked in the first place?

If you aren't intelligent enough to know how to protect your computer from viruses and malware then you should probably not even own one. That being said, I have an authenticator because it cost me 5 bucks and is just another step in protecting myself. If you don't have an authenticator and you get hacked then you're an idiot, plain and simple.

Avast antivirus is free, get it, it's awesome and uses relatively low system resources.

Are you using MS Internet Explorer to browse web pages? If so you should shoot yourself. Use Firefox (Mozilla) or Chrome (Google) with their respective NoScript apps.

Those 2 things make you golden. If you aren't intelligent enough to do those 2 things and you are complaining about getting hacked I think Blizzard should tell you to sod off and ignore you.

As to getting hacked with a physical or mobile device authenticator, I call bull!@#$. The hacker would have to keylog you and access your account within 10 seconds of you punching in your information, literally. Impossible? No. Improbable? Yes. And if they do manage it then it's your own fault for not properly protecting your PC in the first place.

@Blizzard:

You all have done a great job helping your community to secure their accounts. You have gone above and beyond every other MMO company in the world and set a new standard for player protection. Unfortunately the vocal minority will do nothing but piss and moan and spread false information, thus making this tinfoil hat conspiracy theory seem factual when it obviously is not. You all do a great job and I hope you take the words of the whiners with a grain of salt. I and every other intelligent member of the nonvocal majority thank you for all your time and effort.
06/05/2012 12:03 PM Posted by Dekra
The dial in one sends SMS texts to your phone.


Nope.

http://us.battle.net/support/en/article/battle-net-dial-in-authenticator-faq

If you sign up for the Battle.net Dial-in Authenticator, you will be asked to make a toll-free phone call from a specific phone of your choosing to authorize login attempts with the associated Battle.net account.

The SMS tool sends you SMS messages on account changes.
"k guys, this may be a little too long didn't read"
I totally believe hacking isn't the problem. Here is my theory.
1. Blizz is just losing character data from a bad HDD/SAN setup. In a datacenter as large as what's required for D3 you're going to get defective parts,
Any sysadmins out there?


Yes, and there is no way this is the problem. Without going into all of the technical details, mostly because I don't feel like it atm.

Our small business couldn't even have that happen, basically all data is replicated to 3 different places (and 3 different physical locations as well)

We're not THAT robust or sophisticated, and we only have a few thousand users that connect to our servers, there is no way Blizzard isn't 10x this redundant and sophisticated.

*Edit

I'd like to add that I don't believe the session spoofing is possible, either


All words from someone who does not understand the legal repercussions if Blizzard were found to be lying or hiding the truth.


Oh I completely understand the legal implications, there are none. Why? Because they are not required to tell you the truth, they only have to tell you if their servers were compromised.

Also, do you read the news at all? I know it may be hard to believe but companies lie all the time to protect their interests or to make money. The more money the company has, the more they are willing to go outside the law because the fine is irrelevant considering how much money the illegal activity will net them.

Look at Apple and their e-book price fixing, all the patent stealing, all the data snooping. If you seriously think corporations are going to be all truthful about everything even if it is not ethical or legal then you sir are a sucker.


You are wrong. The reason you are wrong is because that information directly links to payment info.

On top of that, these types of cover-ups do not sit well with publicly traded companies. The customer backlash would be bad enough, but it would pale in comparison to the stock holder backlash.

Two very good recent examples are Sony and Valve. Sony delayed their response and was met with massive customer and stockholder backlash, in part due to their delayed announcement that accounts were compromised. It would be significantly worse for Blizzard (Activision) as Blizzard has made public statements flat-out saying it hasn't happened.

While Valve is not a public company, you really need to look no further than the minuscule customer backlash they experienced simply because they made people aware what was going on as soon as it happened.

There is precedent that exists that shows us what to expect; precedent that Blizzard and Activision are well aware of.

Do not allow your ignorance based fears to cause you to make silly statements. Research the world around you and make logical conclusions.
Yep. You could also explain how someone was able to change my password without logging into my email account. I have checked with Google and the only IPs accessed on that account are my home IP/Work IP and cell phone IP. The email was left unread so how did they change my password BLUE? Customer service couldn't answer me that either.

So until the RMAH goes up I shall continue making millions off 12 year olds that don't know prices :)


They have access to your email account as well, and are deleting or forwarding the confirmation emails. In fact, in most B-Net account compromises, the player's email account has been compromised first.

This is also why a "coin lock" system is not really that wise, as the hackers can intercept the unlock code.
06/05/2012 11:18 AM Posted by Lylirra
We've stated this several times, but in all of the individual Diablo III-related compromise cases we've investigated thus far, none have occurred after a physical Battle.net Authenticator or Battle.net Mobile Authenticator app was attached to the player's account.


Blizzard crits FUD for 1 billion. It's a shame there will always be those who will still believe in it so it will continue to live on...
TLDR: "we don't think we've been hacked."

Reality: They've been hacked and can't figure out how to stop it.
06/05/2012 12:03 PM Posted by Dekra
So how do you know what kind of authenticator you have? What is the dial in one?


The dial in one sends SMS texts to your phone. The ones that work with D3 are the keyfob one, and the one where you have to download an app to your phone that generates codes. That can seem very similar, but I expect most people can tell the difference on their phone between getting an SMS text and using an app.


I had never heard of the dial-in authenticator until people started posting saying they were hacked while using it. I am not sure how it works, but what you just described sounds like the SMS mobile alerts which only tell you if your account has suspicious login activity. If that is indeed all the same thing then it better damn well work with D3 considering that it is a requirement to have to use the RMAH (if you want to "cash out" to PayPal).
I find it hard to believe that Blizzard actually thinks all the cases of hacking are due to the ignorance of its customers. Sure, some people may get phished or keylogged. But for those who are mindful of it, and know how to prevent it, it is next to impossible for that to happen.
Just an FYI, we've been clarifying information regarding the Dial-in Authenticator for some time now. Here are a few recent posts:

http://us.battle.net/d3/en/forum/topic/5149540487#3

http://us.battle.net/d3/en/forum/topic/5270830422#2

http://us.battle.net/d3/en/forum/topic/5271780665?page=3#50

(This information is also in the Dial-in Authenticator FAQ.)

Lylirra, the dial-in needs to say in BIG RED LETTERS on the account page that it doesn't apply to Diablo3. There are still a lot of players making the mistake.

Also, has Blizzard considered putting a note about authenticators on the in-game breaking news? I think there are still a lot of players confused about what authenticators are and why they are so good.
06/05/2012 12:12 PM Posted by kweagle
I find it hard to believe that Blizzard actually thinks all the cases of hacking are due to the ignorance of its customers. Sure, some people may get phished or keylogged. But for those who are mindful of it, and know how to prevent it, it is next to impossible for that to happen.


Consider their customer base size and the relatively few instances of account compromises.
TLDR: "we don't think we've been hacked."

Reality: They've been hacked and can't figure out how to stop it.

Yeah it's a good thing you don't work in the world of network security, you know where the law requires you to report intrusion attempts and requires you to disclose any data security breaches.
06/04/2012 05:44 AM Posted by Entropy
Stop spreading this rumor, it's not true and it's scaring people away from public games and harming their enjoyment of the game. Stop being douchebags.


I just want people to join public games from now on. Please.
TLDR: "we don't think we've been hacked."

Reality: They've been hacked and can't figure out how to stop it.

Yeah it's a good thing you don't work in the world of network security, you know where the law requires you to report intrusion attempts and requires you to disclose any data security breaches.


Yeah, and it's a good thing you're not a hacker. If Blizzard knows I'm hacking them, I'm not much of a hacker then am I?
I totally believe hacking isn't the problem. Here is my theory.
1. Blizz is just losing character data from a bad HDD/SAN setup. In a datacenter as large as what's required for D3 you're going to get defective parts,
Any sysadmins out there?


Yes, and there is no way this is the problem. Without going into all of the technical details, mostly because I don't feel like it atm.

Our small business couldn't even have that happen, basically all data is replicated to 3 different places (and 3 different physical locations as well)

We're not THAT robust or sophisticated, and we only have a few thousand users that connect to our servers, there is no way Blizzard isn't 10x this redundant and sophisticated.

*Edit

I'd like to add that I don't believe the session spoofing is possible, either


Agreed on both counts. We have a few hundred thousand users, peaking at about 50k at once but still nowhere near Diablo's numbers and we use many virtual, physical and geographic redundancy systems. I also don't believe that session spoofing in Diablo III is possible.
06/05/2012 12:12 PM Posted by kweagle
I find it hard to believe that Blizzard actually thinks all the cases of hacking are due to the ignorance of its customers. Sure, some people may get phished or keylogged. But for those who are mindful of it, and know how to prevent it, it is next to impossible for that to happen.


I think by 'mindful' you mean cocky. The people who think everyone who gets hacked is an idiot. But really, it's not just sex leg and baggle.net. It's infected ads on legit sites and popular fan sites. It was months or years ago, when you last changed your password. I know plenty of people who got hacked in WoW after months of making fun of people who got keylogged, thinking they were above it.

Just takes one slip up and it's not as obvious as we like to joke about. You don't know you did something wrong, otherwise you would clean up your computer and change your password.

And really? You think your computer security is better than a huge company who pays people to make sure their security is baller? Probably not.
06/05/2012 12:17 PM Posted by claniraq
Even so, we're continuing to investigate related reports. If you believe you possess solid evidence of some sort of "hack," then please relay that information to our support representatives as soon as possible, or email hacks@blizzard.com. In the meantime, if you don't possess such evidence, we ask that you please refrain from spreading hearsay.


This sounds strangely like a plea for help


It sounds more like they're trying to make sure people are aware that they really do care if they were being hacked, but they're not at this moment. But if they are and you find out, hit them up bro.

Everything is a conspiracy to some people.
