Battle.net Authenticator Changes

100 Orc Hunter
11545
So if anyone takes over my comp and is able to log in with the credentials I keep on my desktop in a note pad file.. I am screwed? Or what about friends who come over or my pissed off girlfriend?

The authenticator was my ace in the hole.. as it were.


Why on earth would you keep your password in a Notepad!??!?!?
Dude, memorize your password because you might as well not have one if you're keeping it in a note pad!
85 Troll Priest
12725
Thank you for the heads-up on this...I've been using an Authenticator since they were first offered, and today when I tried to log in and didn't get the prompt I got worried for a moment!
10 Dwarf Paladin
80
That scared the hell out of me for a moment there. Trying to figure out why it wasn't popping up...geez.

That aside, it'd be nice if we could opt out of this and still be able to put it in every time. I'd feel safer, for one.
85 Draenei Mage
10825
06/16/2011 04:52 PM Posted by Texi
Nice try. The problem with your static IP address approach is that I can't just go out and purchase your IP address. Static IPs are still assigned by your ISP.

Ok, let me lead you down the path then.

I find out your routable IP.

I use a computer directly connected to the Internet, instead of through a NAT.

I change my IP to yours.

My ISP is vaguely shady. After all, they're serving evil bastards like me. So they do nothing.

And now I am using your IP. A few broadcasts to tweak the relevant routing tables, and I get your packets.

Or if I happen to have the same ISP as you, it's even easier.


Some pages ago I described how this could be exploited if the developers are not careful enough (I understand that an army of developers from Blizzard are more than likely to have more knowledge than me), but the method you wrote does not work. You can't hijack an IP like that. In a LAN? I doubt it. In a WAN I'm almost positively sure that you can't do it (that way).
85 Troll Druid
3625
I appreciate the change. Having a disadvantage of going through extra seconds every login after a d/c (when compared to other people who don't own an authenticator) didn't seem perfectly fair.

I do get the concern of people who think they could get hacked from a nearby location or by someone who uses a similar IP address. Maybe players should get a prompt asking whether the authenticating system should always ask them for an authenticator code?
88 Blood Elf Warrior
4185
Blizzard wouldn't do this if it was a step backwards.
I am not a fan of this change and would prefer to have the option to OPT OUT or keep the previous log-in with always having an authenticator check.
85 Troll Druid
12380
I'm confident in my security, so I'm happy with this convenience, but...

1. Way to freak out a bunch of people by implementing this without warning. Surprised your servers didn't buckle under the tsunami of password resets people did in the past two hours.

2. Opt-out option please, I'm sure there are plenty of people with keyloggers, backdoors and malicious siblings who are going to be victimised by this.

While you're reading please implement an option to add multiple authenticators to one account, so I can take one to work.
I'd prefer if this was optional. I got an authenticator for a reason, and this really seems to defeat the purpose.
100 Draenei Shaman
10785
I want to be able to opt out of this 'improvement'.
1 Draenei Shaman
0
This is the dumbest thing EVER. I logged into my friend's house and my account was blocked for different IP (he lives 2 miles away). Then the very very next morning my account was logged into from CHINA thousands of miles away and nothing happened... Please Blizzard, I bought this authenticator for a reason.
100 Draenei Shaman
15980
If you use an authenticator – and we hope you do – you may soon notice that an authenticator prompt may not appear with every login. We’ve recently updated our authentication system to intelligently track your login locations, and if you’re logging in consistently from the same place, you may not be asked for an authenticator code. This change is being made to make the authenticator process less intrusive when we’re sure the person logging in to your account is you.

We hope to continue improving the authenticator system to ensure the same or greater security, while improving and adding features to make having one a more user friendly experience. If you don’t already have a Battle.net Authenticator attached to your account, don’t wait until it’s too late - http://us.battle.net/en/security/checklist


What a horrible idea.

Yes, I can see the convenience, but I did not get an authenticator for convenience, I got it for security. This now makes me worry about IP spoofing.

Is there a way to turn this so-called "feature" off? Because I would like to opt out ASAP.
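An added example, not Blizzard's code and not part of any post: one way a location-based prompt policy like the one in the quoted announcement could be decided, with the opt-out several posters request. The /24 and /48 grouping, the threshold of three, every name, and the addresses (documentation ranges) are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

TRUSTED_AFTER = 3  # assumed: logins that passed the code before a network is trusted


def network_key(ip: str) -> str:
    """Coarsen an address to /24 (IPv4) or /48 (IPv6) so small lease changes still match."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


@dataclass
class Account:
    always_prompt: bool = False               # hypothetical opt-out setting
    seen: dict = field(default_factory=dict)  # network -> logins that passed the code


def needs_authenticator(acct: Account, ip: str) -> bool:
    """Password is already verified; decide whether a code is also required."""
    if acct.always_prompt:
        return True
    return acct.seen.get(network_key(ip), 0) < TRUSTED_AFTER


def record_login(acct: Account, ip: str, passed_code: bool) -> None:
    """Only logins that actually passed the authenticator build trust in a network."""
    if passed_code:
        key = network_key(ip)
        acct.seen[key] = acct.seen.get(key, 0) + 1


def simulate(acct: Account, ips: list) -> list:
    """Replay logins in order; a prompted login is assumed to pass the code."""
    decisions = []
    for ip in ips:
        prompt = needs_authenticator(acct, ip)
        record_login(acct, ip, passed_code=prompt)
        decisions.append(prompt)
    return decisions


if __name__ == "__main__":
    acct = Account()
    print(simulate(acct, ["203.0.113.7"] * 4))        # home network, constructed
    print(needs_authenticator(acct, "198.51.100.9"))  # unfamiliar network
    print(needs_authenticator(acct, "203.0.113.7"))   # anyone behind the home network
```

Once the home network is trusted, the decision depends only on the password and the source network, so it cannot tell the account owner from someone else in the same household.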
85 Blood Elf Paladin
4135
Thank god there are people like you in the world. I make a lot of money doing things people like you say are absolutely not possible.


Alright, here is your challenge.

Change your IP address to the same IP address as Google. Put up a web server so I can see a message from you.

If you can accomplish that, come back here and I will gladly hand over the deed to my nice, but not overly lavish 5 bedroom home paid courtesy of my 10+ years at 3com.

Put up, or please please please, shut up.

Well, first you'd have to realize Google.com resolves to multiple IPs.

Second, I'd have to be dumb enough to want to go to prison.

Third, I'd need to know where your packets are coming from, so I can broadcast a route to the targeted IP that goes through me instead of their normal servers. Which is a security hole that is supposed to be fixed, but is not fixed in practice.

Btw, you guys should really fix the NAT on your SOHO routers. You need to check the source IP before blindly sending the packets on to the LAN. Comes in very handy when you want to directly connect 2 NATed IPs though.
Edited by Texi on 6/16/2011 5:09 PM PDT
100 Undead Warrior
20965
Ridiculous. IP address does not equal a person. The system you had in place provided at least a two-fold check (battlenet login/password and authenticator). Now you are reducing this to one based on "usual" place of use. Are you insane? Wave of hacks incoming. Welcome to a headache of your own doing.
85 Worgen Druid
1800
06/16/2011 02:32 PM Posted by Pozadin
I don't like this

could be my sister or my brother-in-law logging into my account. Then what?


Don't share your password and you should be fine.


If people didn't share passwords and followed all the tips for securing their account we wouldn't need authenticators now would we?
100 Dwarf Hunter
16535
I prefer an OPT out feature for this too.....too many folks that share homes...apts....college dorms are going to end up getting their stuff deleted...stolen whatever.....I know keep password secure...but you never know if your roommate or spouse is going to be fully honest with you or not and say they don't know your password....Blizzard this is a bad idea for the many out there...let us decide if we want to use this or not..with an opt out button.
85 Goblin Priest
5180
Now my brother can log in and take all my gold woooo. not.
94 Draenei Shaman
8635
I know this is just repeating what others have said, but just in case anyone is taking a tally, I wanted to add to the side that says NOOOOOOO!

Just because the computer hasn't moved, doesn't mean I'm the one logging in. GRRRRRRRR