Battle.net Authenticator Changes(Cont. #13)

Technical Support
07/17/2011 09:26 AMPosted by Shadowwind
(and jeez, had to go through fourteen darn threads just to be able to post this.. Have we even gotten a single reply from a blue about this yet?)


Nope. The closest we've gotten are a few vague responses from Bliz's Twitter account that have been saying 'working as intended', and a couple of responses on the EU forums. (One of which at least acknowledged there was a problem, if I recall rightly.) Here? Nada. Despite this being Technical Support, we were told that they were reading these threads, but they were not going to post anything in them. If you went and tried starting another thread in the more visible General (or anything else) forums, it got locked, deleted, moved right back to Tech Support, and if you were unlucky you got a temp ban on top. At this rate, the people threatening to ask Bliz directly at BlizzCon in October ARE going to get their chance!



Guys. IP Addresses are not the only thing they check for.

That little guardian tool that WoW uses to scan your memory for hacks also takes note of your hardware configuration, Windows version, location of the WoW directory, and myriad other things. They use all this to make bloody sure it's the same computer. This is called System Fingerprinting.
I'm sure that if you swapped video cards or reinstalled windows, it would ask for your authenticator code again.

That's a LOT of info to spoof. I very much doubt that this is an issue.


Actually, I believe that most or all of that information can be spoofed via a virtual machine setup. Further, don't forget that the system counts a computer as safe after only a single use. That means that if you logged into a public/friend across the way/library/campus computer lab computer anytime in the past seven (now) months, that computer is marked as safe and is fair game for anyone with access to it. Doubly so if someone keylogged it (which is frighteningly easy). For obvious reasons we haven't been able to confirm the following, but it appears likely that if you were hacked anytime in the past seven months, THAT computer is now marked as safe since it successfully logged in once. Lovely! >.<

Further, don't forget that several people confirmed the possibility of a Remote Access hack, which goes through YOUR computer and is thus not asked for an auth because it IS your computer, simply relaying all of the information to the attacking computer. Think of a Remote Access hack as someone pulling money out of an atm because a mugger is standing behind him with a gun at his back. The guy is using his own card and pin to access his own money, BUT the attacker is the one who ordered the guy over to the atm, and is the one who is ending up with the money. As if that wasn't enough, someone affected by a Remote Access hack will likely NOT have their account restored since their own computer was the one committing the crime. (Not to mention that they will be penalized for theft if anything was taken from the guild bank, since 'they' were the attackers.) But yeah, a Remote Access hack? WoW starts right up, does NOT ask for an auth, and the attacker can do whatever he wants with the account. (And computer, to be fair.)

Pardon my tone of voice, but I'm running an enrage debuff at this point. This should have been corrected a bloody MONTH ago, the day after it got ninja-changed!


The funny thing is that even if people get hacked because of this system they would not be believed since it would appear they logged in thru their home and trusted computer.

Kind of a win-win for Blizzard since they can refuse to restore gear for those people and when the customer complains people will not believe them on the forums since it is "impossible" for them to be hacked with an authenticator from their own home so they must have shared their account information.
Shameless bump. Don't let this die! Give us an opt out option or give us death!
07/17/2011 09:00 AMPosted by Ganado
That little guardian tool that WoW uses to scan your memory

Warden

07/17/2011 09:26 AMPosted by Shadowwind
Actually, I believe that most or all of that information can be spoofed via a virtual machine setup. Further, don't forget that the system counts a computer as safe after only a single use.


I've actually already tested this and my test worked. I was able to log in using just a username and password to my account without ever entering an Authentication code using VirtualBox with Windows 7 and the Windows 7 registry entry from an entirely different machine. I had to modify a ton of code in VirtualBox drivers to get it to work but it did.

[edit] I was smart enough to not log into the VB copy of WoW I downloaded before trying it, it was a clean install of WoW and Windows 7 with the appropriate system driver combinations and the imported Windows registry entry and that's it[/edit]

This "secure" system is flawed and needs to be reverted.
07/17/2011 12:48 PMPosted by Brawnie
Give us an opt out option or give us death!


My account is now inactive so I chose death :P
07/17/2011 12:24 PMPosted by Ariktu
Kind of a win-win for Blizzard since they can refuse to restore gear for those people
Uhhhh, what? You know gear is just virtual right? What does refusing to make restorations have to do with Blizzard "winning"?

I've actually already tested this and my test worked. I was able to log in using just a username and password to my account without ever entering an Authentication code using VirtualBox with Windows 7 and the Windows 7 registry entry from an entirely different machine. I had to modify a ton of code in VirtualBox drivers to get it to work but it did.

[edit] I was smart enough to not log into the VB copy of WoW I downloaded before trying it, it was a clean install of WoW and Windows 7 with the appropriate system driver combinations and the imported Windows registry entry and that's it[/edit]

This "secure" system is flawed and needs to be reverted.
So you're worried about someone cloning your entire computer and spending time to tune the virtual drivers to exactly match yours? In order to compromise one account? You haven't provided actual evidence that you did it but I guess maybe a hacker could try that.

Or they could just phish hundreds of accounts with the click of a 'Send' button.

Come on, now.
In order to compromise one account? You haven't provided actual evidence that you did it but I guess maybe a hacker could try that.


I did it as proof of concept that it can be done, granted it's a lot of work, but it can be done.

A flaw does in fact exist, if I were to send out a copy of the VirtualBox machine I made to something like bit torrent, any number of people could download it, brute force my username and password and log in without ever having to enter an authorization code. Granted I use very strong passwords so it won't be so easy to crack, but for people who do have weak passwords, it's much easier.

[edit] And if someone is good enough to get your registry key from your system, they would have included a keylogger and the ability to get a profile of your system so they can replicate it if they need to.
As I mentioned in a previous post on here, I have been prompted for a code exactly twice since this change was made. Once due to a password error and then again as a random request. I would have to go back thru all my posts to find out when the random request was so I can start tracking that.

The interesting thing I pointed out before is that I log on using 3 different computers here at home. Both times I've been prompted for a code it's been on my main computer. I have NEVER been prompted for a code on any of the other computers I use.

Based on the post from the EU this is a bug.

I wonder if it would be addressed if you were to post it in the Bug Report forum, or if it would just be deleted or redirected to this forum.
07/17/2011 01:58 PMPosted by Argrenda
In order to compromise one account? You haven't provided actual evidence that you did it but I guess maybe a hacker could try that.


I did it as proof of concept that it can be done, granted it's a lot of work, but it can be done.

A flaw does in fact exist, if I were to send out a copy of the VirtualBox machine I made to something like bit torrent, any number of people could download it, brute force my username and password and log in without ever having to enter an authorization code. Granted I use very strong passwords so it won't be so easy to crack, but for people who do have weak passwords, it's much easier.

[edit] And if someone is good enough to get your registry key from your system, they would have included a keylogger and the ability to get a profile of your system so they can replicate it if they need to.


B-Net passwords cannot be brute forced, that is unless it can be guessed in the first 3 or 4 tries. After that the system will lock up. Also even with this new system, after a few tries, the authenticator should kick in, and you will need to use it as well. Please note: I said "should"; there is a lot with this new system where the Authenticator should prompt, but doesn't.
07/17/2011 07:24 PMPosted by Ewing
Also even with this new system, after a few tries, the authenticator should kick in, and you will need to use it as well. Please note: I said "should;" There is a lot with this new system, where the Authenticator should prompt, but doesn't.

Actually, other than the once a week statement from a Blizzard poster in the EU forums, we have no information at all on when it should or shouldn’t prompt.

Except that it doesn’t prompt “when we know it’s you” of course.

It seems logical that it might kick in after a few wrong password attempts, but nobody from Blizzard has said that it's supposed to as far as I know.
07/17/2011 08:43 PMPosted by Tomten
Actually, other than the once a week statement from a Blizzard poster in the EU forums, we have no information at all on when it should or shouldn’t prompt.


First post was 6-16-2011, it's now 7-17-2011. My account expired 4 days ago, and at no point has it asked on my primary game system for the authentication code to log into WoW since the system was implemented.

Unfortunately the laws concerning privacy in Europe are different than the US, they may be required by law on the European servers to prompt 1 time per week.


07/17/2011 08:43 PMPosted by Tomten
It seems logical that it might kick in after a few wrong password attempts, but nobody from Blizzard has said that it's supposed to as far as I know.


The game client has a limited number of retries, however the only time I had my account locked from it was before we had the authenticators, and the lady I spoke to at the Customer Service number said the retry count was around 1000 times. That probably has changed since because that was back in BC pre-Hyjal.
Also even with this new system, after a few tries, the authenticator should kick in, and you will need to use it as well. Please note: I said "should;" There is a lot with this new system, where the Authenticator should prompt, but doesn't.

Actually, other than the once a week statement from a Blizzard poster in the EU forums, we have no information at all on when it should or shouldn’t prompt.

Except that it doesn’t prompt “when we know it’s you” of course.

It seems logical that it might kick in after a few wrong password attempts, but nobody from Blizzard has said that it's supposed to as far as I know.


Nothing "Official" on this, but some players have been prompted to authenticate after just one wrong password, and others haven't after several wrong passwords. This is another "we don't know if it is working as intended, or if it is a bug that needs to be reported" issue.


Actually, other than the once a week statement from a Blizzard poster in the EU forums, we have no information at all on when it should or shouldn’t prompt.


First post was 6-16-2011, it's now 7-17-2011. My account expired 4 days ago, and at no point has it asked on my primary game system for the authentication code to log into WoW since the system was implemented.

Unfortunately the laws concerning privacy in Europe are different than the US, they may be required by law on the European servers to prompt 1 time per week.


Actually it has more to do with copyright and the way US courts are run. While US and EU copyright laws are uniform, the civil court systems are different. Here both sides pay for their own legal fees, with the loser maybe paying the Court's fees only. Here, sometimes, if the plaintiff wins, the defendant may be ordered to pay the plaintiff's legal fees. However very very rarely does the plaintiff ever have to pay the defendant if the defendant wins.

Because of this we in the US are a bit sue happy. As there is no real risk, for someone bringing a frivolous lawsuit.

In the EU they have the loser pays system. If you lose your side of the case you pay for both sides legal fees as well as any court fees. That is why there are hardly any frivolous suits there. If you may have to pay out big bucks if you lose, you think twice before filing a lawsuit.

Now how does this apply here? If someone makes a suggestion on the forums, and Blizzard responds in any way, and later puts something even remotely similar in game, some hotshot will try to sue saying it was their idea, and Blizzard owes them royalties for it. Nuisance lawsuits like this can cost companies tons of money, even if it is tossed out of court.
well, my acct expires in a few days, still no response
only way my acct asks for auth, is if I misspell my pw(on purpose)
the key has been spoofed

if anyone wants me, i'll be playing EVE, as Blizzard obviously doesn't care about security... where as CCP's response to a possible hack was to yank the server and figure it out
If someone makes a suggestion on the forums, and Blizzard responds in any way, and later puts something even remotely similar in game, some hotshot will try to sue saying it was their idea, and Blizzard owes them royalties for it. Nuisance lawsuits like this can cost companies tons of money, even if it is tossed out of court.

Don’t quite see how this would keep Blizzard from responding to these threads.

Any suggestion posted falls into the same category if it is responded to or not, having stated numerous times that the suggestions posted are read and considered it wouldn’t seem to make any difference if they were responded to or not. But who knows, I’m not a lawyer.

But all that aside the repeated suggestion for an opt out, although the main issue in these threads, is not the only issue, nothing is preventing Blizzard from telling us something like how often the authenticator should prompt, or if it should do so on all trusted systems or if only one can satisfy the token timeout for all systems. The response could be that the timeout is random, assuming it is, but a response to that question and others about what players with an authenticator should expect are necessary or reporting bugs in the system becomes impossible.

I think that anyone who is definitely not seeing a prompt for much more than the seven days should post in the bug report forum as that would seem to be a bug based on the EU feedback; if the NA system is not the same, or if the CM in the EU forum was wrong, they could say so.

I know they haven’t allowed posts about the new system on other forums, but reporting a bug is not the same as expressing an opinion or suggestion so it would seem that such posts should at least be allowed on the bug report forum as long as you resist adding any opinions or anything beyond the fact that it is not working as a Blizzard employee stated it should.
As I mentioned in a previous post on here, I have been prompted for a code exactly twice since this change was made. Once due to a password error and then again as a random request. I would have to go back thru all my posts to find out when the random request was so I can start tracking that.

The interesting thing I pointed out before is that I log on using 3 different computers here at home. Both times I've been prompted for a code it's been on my main computer. I have NEVER been prompted for a code on any of the other computers I use.

Based on the post from the EU this is a bug.

I wonder if it would be addressed if you were to post it in the Bug Report forum, or if it would just be deleted or redirected to this forum.


After maintenance tomorrow I will start keeping a log of when I log on and when an authenticator code is requested. I will keep this log for all 3 computers I play on and see what happens. Right now considering any mention of this issue is immediately smacked down and treated as a crime I will not post my concerns on the bug forum. After a week of tracking my logins I will post over there if things are any screwier than they seem.
I hope Blizzard is implementing an opt out, and I hope that the creation of it doesn't take too long, but I don't want it to inadvertently create a bigger problem. I'm curious if they will announce the opt out if they do implement it seeing as how they never announced the new authenticator method.
07/18/2011 10:11 AMPosted by Tomten
If someone makes a suggestion on the forums, and Blizzard responds in any way, and later puts something even remotely similar in game, some hotshot will try to sue saying it was their idea, and Blizzard owes them royalties for it. Nuisance lawsuits like this can cost companies tons of money, even if it is tossed out of court.

Don’t quite see how this would keep Blizzard from responding to these threads.

Any suggestion posted falls into the same category if it is responded to or not, having stated numerous times that the suggestions posted are read and considered it wouldn’t seem to make any difference if they were responded to or not. But who knows, I’m not a lawyer.

But all that aside the repeated suggestion for an opt out, although the main issue in these threads, is not the only issue, nothing is preventing Blizzard from telling us something like how often the authenticator should prompt, or if it should do so on all trusted systems or if only one can satisfy the token timeout for all systems. The response could be that the timeout is random, assuming it is, but a response to that question and others about what players with an authenticator should expect are necessary or reporting bugs in the system becomes impossible.

I think that anyone who is definitely not seeing a prompt for much more than the seven days should post in the bug report forum as that would seem to be a bug based on the EU feedback; if the NA system is not the same, or if the CM in the EU forum was wrong, they could say so.

I know they haven’t allowed posts about the new system on other forums, but reporting a bug is not the same as expressing an opinion or suggestion so it would seem that such posts should at least be allowed on the bug report forum as long as you resist adding any opinions or anything beyond the fact that it is not working as a Blizzard employee stated it should.


I agree, but the copyright issue gives Blizzard an excuse not to respond to a "Feedback" thread such as this. That said they don't have to respond in this thread at all as far as I am concerned. A locked clarification thread on how the new system should be working, and on what is/isn't a bug, would suffice.


Based on the post from the EU this is a bug.

I wonder if it would be addressed if you were to post it in the Bug Report forum, or if it would just be deleted or redirected to this forum.


After maintenance tomorrow I will start keeping a log of when I log on and when an authenticator code is requested. I will keep this log for all 3 computers I play on and see what happens. Right now considering any mention of this issue is immediately smacked down and treated as a crime I will not post my concerns on the bug forum. After a week of tracking my logins I will post over there if things are any screwier than they seem.


For myself and many others, we have been required to use our Authenticators, exactly every 7 days down to the minute, from the first time we logged in after the change.
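The thread keeps circling three design questions without an official answer: how long a "trusted" computer skips the authenticator, whether a single login on a shared machine trusts it forever, and whether repeated wrong passwords force the code. The following Python model is an added example, not Blizzard's code, and it does not describe how Battle.net or Warden actually decide; it simply puts the "trust forever after one use" policy the posters complain about next to a hardened policy (trust granted only on a code-verified login, expiring after 7 days, and revoked by failed password attempts) and replays the situations raised in the thread. All device attributes, passwords and timestamps are constructed; the fingerprint is a plain hash of a few attributes standing in for whatever a real client collects.

```python
"""Toy model of a trusted-device second-factor policy (added example, not Blizzard's code)."""
import hashlib
import hmac
import json
import os
from dataclasses import dataclass, field

DAY = 24 * 3600
TRUST_TTL = 7 * DAY   # hardened policy: a trusted device skips the code for at most 7 days
MAX_FAILED_PW = 3     # hardened policy: this many wrong passwords force the code again


def fingerprint(attrs: dict) -> str:
    """Hash of the canonical device attributes (a constructed stand-in for a client fingerprint)."""
    canonical = json.dumps(attrs, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    trusted: dict = field(default_factory=dict)  # fingerprint -> unix time trust was granted
    failed_pw: int = 0

    @classmethod
    def create(cls, password: str) -> "Account":
        salt = os.urandom(16)
        return cls(salt, hash_password(password, salt))

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self.pw_hash, hash_password(password, self.salt))


def login(acct: Account, attrs: dict, password: str, otp_ok: bool, now: float, hardened: bool) -> str:
    """Return 'DENIED', 'NEED_OTP' or 'OK'. otp_ok means the client sent a valid authenticator code."""
    if not acct.check_password(password):
        acct.failed_pw += 1
        return "DENIED"
    fp = fingerprint(attrs)
    granted = acct.trusted.get(fp)
    if hardened:
        fresh = granted is not None and now - granted < TRUST_TTL
        must_otp = not fresh or acct.failed_pw >= MAX_FAILED_PW
    else:
        # weak policy from the thread: any device that ever logged in is trusted forever
        must_otp = granted is None
    if must_otp and not otp_ok:
        return "NEED_OTP"
    acct.failed_pw = 0
    if must_otp:
        # trust is (re)granted only when the second factor was actually checked
        acct.trusted[fp] = now
    return "OK"


def run_scenario(hardened: bool) -> list:
    """Replay the thread's situations under one policy; returns the outcome of each login."""
    pw = "correct horse battery staple"  # constructed
    acct = Account.create(pw)
    home = {"os": "Windows 7", "gpu": "constructed-gpu-1", "install": r"C:\Games\WoW"}
    library = {"os": "Windows 7", "gpu": "constructed-gpu-2", "install": r"D:\WoW"}
    t0 = 1_300_000_000.0  # constructed start time
    out = [
        login(acct, home, pw, True, t0, hardened),                 # first login, code entered
        login(acct, home, pw, False, t0 + 2 * DAY, hardened),      # same PC two days later
    ]
    for _ in range(MAX_FAILED_PW):                                 # three wrong passwords
        login(acct, home, "wrong", False, t0 + 3 * DAY, hardened)
    out += [
        login(acct, home, pw, False, t0 + 3 * DAY, hardened),      # correct password right after
        login(acct, home, pw, True, t0 + 3 * DAY, hardened),       # same, but with the code
        login(acct, home, pw, False, t0 + 11 * DAY, hardened),     # eight days after last code
        login(acct, library, pw, True, t0 + 12 * DAY, hardened),   # one-off login on a shared PC
        login(acct, library, pw, False, t0 + 60 * DAY, hardened),  # that shared PC, weeks later
    ]
    return out


if __name__ == "__main__":
    print("weak    :", run_scenario(hardened=False))
    print("hardened:", run_scenario(hardened=True))
```

Under the weak policy every login in the replay returns `OK`, including the shared PC weeks after its single use, which is exactly the exposure the posters describe. Under the hardened policy the shared PC and the expired home trust both come back `NEED_OTP`, and three wrong passwords force the code even on a fresh device; the 7-day expiry is measured from the last code-verified login, which matches the "every 7 days down to the minute" observation rather than sliding on every password-only login.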
well, as Blizzard isn't listening/commenting yet

deleted 1 char
/gquit the 3 lvl 85s and the 1 lvl 75
If they won't listen here... blow up the customer service phone # 1-800-592-5499
why wait for blizzcon where u gotta pay to get an answer?

Would also suggest posting what answers u get in here so notes can be compared and see if they get caught in multiple stories.

If anything goes down at blizzcon it should be recorded and posted on Blizz's facebook (should also spam that as well) as well as youtube.

Watch them ban me for saying this. No skin off my nose tho.. my account has been inactive since the 8th of July.
You would think they would have said something by now.... At least addressed the concerns...

well, as Blizzard isn't listening/commenting yet

deleted 1 char
/gquit the 3 lvl 85s and the 1 lvl 75


Heh I did the same thing. Still trying to get rid of the guild I had that I was using as a guild bank. But no one wants it because it's only a level 1 guild.... Sheesh...
I didn't get asked for an authenticator code last Friday until really late (like, 10PM EST-ish) even though I had logged in several times that day.
I just logged into WoW a couple minutes ago and was prompted for an authenticator code (same computer I always use, I didn't do anything with it since my last log in). All my toons, gold, and stuff are still here...
