Battle.net Authenticator Changes

100 Blood Elf Death Knight
3120
I do hope Blizzard will read these comments. I do not like this idea at all, I don't care if the safety is the same, hackers could still figure something out. I LIKE putting in my authenticator code, and it takes me less than 4 seconds to do. It makes me feel more safe, like nobody else can figure out the code. I really do wish Blizzard would change it back to normal, it is not a hassle to put in the code. "It will make the Authenticator process less intrusive"? Are you kidding me? I'm willing to lose 4 seconds of my life to ensure safety... This just makes the lazy people more lazy... Come on Blizzard... :(
90 Human Paladin
6815
is there a way to opt out of this please?
85 Blood Elf Hunter
8090
Umm no. Please change the process back. There was a point to purchasing an authenticator, and this change was not it. IP spoofing anyone? Seriously, change the system back to what it was.
85 Blood Elf Paladin
5695
Please let me have the ability to remove this option. I don't care what your security team says, I was honestly in a panic mode once I started to experience this tonight and I thought "Oh dangit, someone hacked my account and has removed my authenticator"


100 Tauren Druid
8155
06/16/2011 04:52 PM Posted by Texi
Nice try. The problem with your static IP address approach is that I can't just go out and purchase your IP address. Static IPs are still assigned by your ISP.

Ok, let me lead you down the path then.

I find out your routable IP.

I use a computer directly connected to the Internet, instead of through a NAT.

I change my IP to yours.

My ISP is vaguely shady. After all, they're serving evil bastards like me. So they do nothing.

And now I am using your IP. A few broadcasts to tweak the relevant routing tables, and I get your packets.

Or if I happen to have the same ISP as you, it's even easier.


Your scenario gets more and more silly though. You're always going to be able to propose a hypothetical "well.... under these exact circumstances I could haxor your IP" scenario, but the likelihood of it realistically happening is going to decrease by an order of magnitude each time you do that.

You use a computer directly connected to the internet... so you're not some Joe Schmo hacker using a standard cable modem. You are paying for a connection that allows you to do this in the first place, or you have specialized hardware. You've just ruled out 99% of the people trying to hack WoW accounts.

Your ISP may be vaguely shady, but Tier 1 shady ISPs don't exist (for a certain definition of shady). Your hypothetical shady ISP is buying bandwidth from a Tier 2 or Tier 1 ISP.

Your "few broadcasts to tweak the relevant routing tables" are not guaranteed to work. If the person is actively using the internet, the best you can hope for is that the routing tables are temporarily updated to route packets to you. Even then, someone's going to notice something's wrong when routing tables start to freak out and TCP sequence numbers don't line up with the other client's, and that's if it even makes it that far. Most Tier 1 ISPs have network monitoring appliances that detect just this sort of thing. Heck, I work at a small company (200-300 employees) and we have that kind of stuff locally. It's quite simply not that easy.

If stealing someone else's IP address were this easy, then why isn't it done more often?
100 Orc Hunter
11605
06/16/2011 05:09 PM Posted by Elilithara
Umm no. Please change the process back. There was a point to purchasing an authenticator, and this change was not it. IP spoofing anyone? Seriously, change the system back to what it was.
It doesn't work like that.
85 Blood Elf Paladin
4135
06/16/2011 05:01 PM Posted by Animaneth
Some pages ago I described how this could be exploited if the developers are not careful enough (I understand that an army of developers from Blizzard are more than likely to have more knowledge than me), but the method you wrote does not work. You can't hijack an IP like that. In a LAN? I doubt it. In a WAN I'm almost positively sure that you can't do it (that way).

Yes, I didn't bother giving excruciating step-by-step details.

But ISPs hate downtime. Security patches create downtime. Thus security patches do not get applied. Routing is supposed to be secure, and patches exist to make it secure so that I can't have arbitrary IPs routed where I'd like them to go. They are generally not applied until all the old hardware has been retired so that all their gear is running the same, "known" firmware image.
100 Blood Elf Hunter
18235
06/16/2011 04:57 PM Posted by Kulthor
Blizzard, will you please explain EXACTLY how this works, but don't use any big words because obviously these people can't handle it. It's secure, folks. Please quit QQing; Blizzard gets enough of it.


Oh! Then just how did the accounts "protected" by the Dial-In Authenticator get hacked then? The keyfob and cell phone Authenticators were proactive, whereas the Dial-In Authenticator is reactive. With this change, keyfob and cell phone Authenticators are now reactive as well.

With the keyfob and cell phone Authenticators, you were prompted to enter a code each and every time you accessed the game and account management. However, with the Dial-In Authenticator, you were only prompted to enter a code when it sensed a change in your login pattern/location.

With a reactive system like the Dial-in Authenticator, if you have been hacked before, the hacker's location may now be part of your login pattern, therefore the Dial-in Authenticator may not be any protection for you.

If you play while traveling, each time you successfully log in from a different location, you add that GeoIP range to your log-in pattern. This in turn weakens the effectiveness of a reactive Authenticator.

Let's say you travel through an area known as a hotbed of hackers, and log into WoW from there. That area is now part of your log-in pattern, therefore any hacker trying to access your account from there will not trigger the reactive Authenticator system. This makes playing while traveling, or from any location other than home, a very bad idea.

85 Worgen Priest
3420
To bring a bit of perspective. Many think that the authenticator makes an account impervious to compromise. However, there is a specific type of attack that can steal a valid authenticator code as a user tries to submit it from the client.

This change will effectively make those types of attacks, which are involved and not common but DO happen from time to time, much harder to carry out. Removing the need to always submit an authenticator code goes a long way toward defeating the "man-in-the-middle" types of attacks.

That said, I do think an option to always prompt for an authenticator would be a nice option to have. And I do not think it would be too much to ask nor be significantly riskier even with the threat of MITM.


First piece of real good reaction to this I've seen. I guess people don't understand network security enough.

To everyone else, Blizzard is a massive company. You can't be a massive company making millions if you are run by idiots. Instead of thinking "OH GAWD THIS CANT BE GOOD AT ALL, IM SMARTER THAN DEM." think "I wonder what caused them to add this feature. There has to be some good in it, otherwise they wouldn't have done it."

I'm not some fanboi rearing to their defense. I am asking people to think logically.
85 Blood Elf Paladin
4135
06/16/2011 05:10 PM Posted by Deadbabyseal
You use a computer directly connected to the internet... so you're not some Joe Schmo hacker using a standard cable modem. You are paying for a connection that allows you to do this in the first place, or you have specialized hardware. You've just ruled out 99% of the people trying to hack WoW accounts.

RMT is big money for places with sufficient unemployment in the "software engineer" sector.

Your ISP may be vaguely shady, but Tier 1 shady ISPs don't exist (for a certain definition of shady). Your hypothetical shady ISP is buying bandwidth from a Tier 2 or Tier 1 ISP.

Because Pakistan didn't black-hole YouTube for most of the world two years ago.

Your "few broadcasts to tweak the relevant routing tables" are not guaranteed to work.

No, they're not. But they only have to work often enough to keep the accounts flowing.

And as mentioned before, spoofing IP is probably the hardest way to actually steal your account. If I've already rooted your box to install a keylogger, I'll just log in from there.
Edited by Texi on 6/16/2011 5:16 PM PDT
90 Human Mage
6190
Neat. How do I turn it off?
85 Tauren Warrior
5025
Any way to opt out so I can get the authenticator every time?
85 Orc Death Knight
1480
People, seriously, educate yourselves before you cry about this. It essentially changes nothing as long as you don't share your password.
Edited by Dryes on 6/16/2011 5:17 PM PDT
98 Draenei Shaman
8965
06/16/2011 05:02 PM Posted by Hybridiction
Blizzard wouldn't do this if it was a step backwards.


HAHAHA
For people who still do not understand and make a fit I think it works like this.

If you log into wow a lot on one computer the new authentication system will see that you are doing that and not make you type in the authentication code because in all reality unless your roommate is a gold farmer you will be fine.

While noticing that you log in frequently at that location will conveniently bypass the authentication system, this will not remove the authentication code pop-up part of the login for any other computer that is used with your login information, because you do not frequently log in at a location one mile, one state, or even one country away; the one time some anonymous no-do-gooder tries to log in (and logs in successfully) is not in the definition of frequently.

If you have a problem with having people that live with you knowing your account information change your login information, if you are that worried do not give it out(at your own risk)and you will not need to worry about anything.

Now the only flaw in this is if a gold farmer or someone knows your account info, they can break into your house and log in to your account. Are you guys seriously worried about some guy traveling maybe a couple hundred miles to your house to clear your bags?
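The reactive login-pattern behaviour argued over in the Blood Elf Hunter post above (a location from a previous compromise, or a travel login from a hacker hotbed, becoming part of the pattern) and the frequent-location logic in the post just above, modelled as an added Python example; this is not code from the thread or from Blizzard, and the GeoIP table, the fixed code value and the region-learning rule are constructed assumptions.

```python
import ipaddress

# Constructed GeoIP table (RFC 5737 documentation prefixes, not real geolocation data).
GEOIP = {"203.0.113.0/24": "home-isp", "198.51.100.0/24": "hotel-wifi", "192.0.2.0/24": "hotbed-region"}
VALID_CODE = "123456"  # constructed stand-in for the authenticator's current code


def region_of(ip):
    """Map a login IP to its GeoIP region label ('unknown' if outside the table)."""
    addr = ipaddress.ip_address(ip)
    for cidr, label in GEOIP.items():
        if addr in ipaddress.ip_network(cidr):
            return label
    return "unknown"


class ReactiveAuthenticator:
    """Prompt for a code only when the login region is not yet part of the pattern.
    known_regions seeds the pattern (e.g. history kept from before the change);
    always_prompt is the opt-in posters ask for and restores the every-login prompt."""

    def __init__(self, known_regions=(), always_prompt=False):
        self.known = set(known_regions)
        self.always_prompt = always_prompt

    def needs_code(self, ip):
        return self.always_prompt or region_of(ip) not in self.known

    def login(self, ip, password_ok, code=None):
        """Return True if admitted; a code-verified login teaches its region to the pattern."""
        if not password_ok:
            return False
        if self.needs_code(ip):
            if code != VALID_CODE:
                return False
            self.known.add(region_of(ip))
        return True


def scenarios():
    """Replay the two weaknesses described in the thread and the always-prompt mitigation."""
    out = {}
    # 1. Compromised before the change: attacker's region already in the pattern, password-only login never challenged.
    poisoned = ReactiveAuthenticator(known_regions={"home-isp", "hotbed-region"})
    out["prior_compromise_skips_code"] = poisoned.login("192.0.2.50", True)
    # 2. Travel: one code-verified login from the hotbed teaches that region; a later password-only login is admitted.
    traveller = ReactiveAuthenticator(known_regions={"home-isp"})
    traveller.login("192.0.2.10", True, code=VALID_CODE)
    out["travel_learns_hotbed"] = traveller.login("192.0.2.50", True)
    # 3. Mitigation: always_prompt rejects the same password-only attempt.
    strict = ReactiveAuthenticator(known_regions={"home-isp", "hotbed-region"}, always_prompt=True)
    out["always_prompt_blocks"] = strict.login("192.0.2.50", True)
    return out
```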
5 Orc Hunter
0
Well, first you'd have to realize Google.com resolves to multiple IPs.

Second, I'd have to be dumb enough to want to go to prison.

Third, I'd need to know where your packets are coming from, so I can broadcast a route to the targeted IP that goes through me instead of their normal servers. Which is a security hole that is supposed to be fixed, but is not fixed in practice.

Btw, you guys should really fix the NAT on your SOHO routers. You need to check the source IP before blindly sending the packets on to the LAN. Comes in very handy when you want to directly connect 2 NATed IPs though.


You are hopelessly clueless. And you make a LIVING in an IT field of some kind? You cannot change your routable network address to any IP address you wish and get traffic. The very first router in the chain would send packet traffic to its proper destination.

Please stop posting.
85 Night Elf Druid
0
06/16/2011 05:08 PM Posted by Ohtee
Now my brother can log in and take all my gold woooo. not.


Change your password.
This topic has reached its post limit. You may no longer post or reply to posts for this topic.