Battle.net Authenticator Changes (Cont. #8)

100 Blood Elf Hunter
16305

The argument that "Additionally, please note that there was a so-called "man-in-the-middle" compromise that would snatch an authenticator code after it was entered and then crash WoW's executable, submitting the valid code to someone hoping to break into your account. While this method will still function, it will be defunct on systems that are already affected by this change. No authenticator code to enter means no authenticator code to steal." is a sorry excuse to implement this change. A more elegant solution would be to prevent the authenticator code from being used more than once per successful login attempt. That way if you are logged out for any reason after using an authenticator you would need to wait for the next cycle to log in again.


That is not really the way nether the MitM Trojan works, nor the Authenticators work. However while this new system may slow hackers, that uses the MitM attack, up it does not really do anything to stop them. As sooner or latter the infected player will have to use their Authenticator.

In fact it really weakens your protection. As before they only had a one time limited access to your account. Now the new system thinks that their computer/location is you Therefore they can keep accessing your account as many time as they want without being required to re-authenticate.

A “Man in the Middle Attack,” is a Trojan that works by blocking your access to the real log in server, and redirecting you to a spoof Log in screen/site. They then harvest all of your log in information, in real time, including your one time use Authenticator code. The hackers then very quickly uses this info to access your in game account, before the Authenticator code expires. Because your Authenticator code is only good once, this attack use to only allows the hackers a one time access to your account. It use to be that once they log off, or were kicked off they could not re-access your account. However now since the Hacker's computer/location, is now Authenticated they have unlimited access to it.

Hackers can not use this attack to remove your Authenticator. In order to remove an Authenticator you have to: 1st go into your account administration page in which you have to enter one Authenticator code; You then have to enter 2 different Authenticator codes to remove it from your account. That is a total of 3 different code, and since the hacker only has one short term, one time use code, they just can’t do it.

"Man In the Middle," Attacks were very, very rare. I have been following this forum almost every day, for over 3 years now, and as far as I know there hasn't been a confirmed case of one in well over all most 2 years. In fact there has only a very small hand full of confirm cases at all. They require a very big hole in your internet security, and very good timing on the hackers part. The main thing the handful of players that had their accounts hacked had in common were: They all went to a fake/spoof wowmatrix, curse, and other spoofed addon sites, and down loading the spoof site's auto addon updater; They hadn't up dated their Windows fire walls, and or running a bootleg copy of Windows. So if you are careful about the sites you visit, and keep your computer security up dated, including your firewall, there is a low risk that this happened to you.

The MitM Trojan is no simple keylogger that you can pick up from a day one Flash exploit. It requires YOU to install a very large executable file to work. Frankly if my security habits are so bad and sloppy, that I get hit with a MitM attack, I deserve to be hacked, and never get my account back. In fact having my Blizzard account hack in this manner Would be a Blessing, it would let me know how much my other stuff id a risk. To contact my bank and everyone I pay online, and change all of my accounts.
Edited by Ewing on 6/20/2011 7:01 AM PDT
85 Night Elf Hunter
7205
06/20/2011 06:16 AMPosted by Wòrgasm
The only thing I really have a problem with is, I played on my work computer friday then I went home and play it asked for my auth code once then not again all week end. I come back into work and try and log in no auth code required. So it allows me to log in from any computer as long as I've logged in once.


THIS!

This is exactly the problem....log on ONCE somewhere and suddenly that place is safe? No! NO! NO!

let's say I have a security hole big enough to allow a MitM trojan....let's say the attacking person is smart and makes me punch in my authenticator code on their fake site I just got redirected to, and he will, because he's not stupid...now he has my username, password, and an authenticator code that while it only works once in the next 30 or so seconds, that's enough....he logs in from a location that is not in my normal area...but he has a valid code...so it let's him in....now that he is in(and this has been proven over and over and over) he now NO LONGER NEEDS AN AUTHENTICATOR TO LOG IN...now at my end, I think it's just a failed log in...I log in normally and go about my business...while Mr. Hacker just waits a few hours...he has all the time in the world because he no longer needs my code...he's already used it...so I log off...go to sleep...or work...or whatever...and by the time I return to the game everything I have is gone...

someone is gonna say that's pretty unlikely...well, yes, it is...my security is better than that...but the hackers are getting smarter...if I thought of this, they probably have as well...and are probably working out the code to make it possible...if they haven't already done so...

I'm not paranoid, someone IS out to get me...give my back my authenticator...

EDIT: as posted by others, MitM attacks are extremely rare...but I still don't like this...it's been proven, log in once from anywhere and that place is now considered part of your usual routine...someone somewhere is gonna find a way to use that to hack you...also given the extreme rarity of MitM attacks anyway...having to NOT punch in my code doesn't help with that anyway...

either give me a real valid reason why my code is no longer needed, or give me the option of continuing to use it...
Edited by Katardre on 6/20/2011 6:45 AM PDT
100 Blood Elf Hunter
16305
Jesus freakin' Christ! stop it! just stop! It's over! Done! DEAL WITH IT!

EDIT TO ADD: No seriously, this is stupid. 8 Threads for a simple change that doesn't affect your security if you maintain an updated and secured system? This whole train wreck needs to be destroyed...



No... for reals. its getting old. where are my funny forums..

oh wait, there being over run by useless forums..


Ugh.


This is the Tech Support Forum, it is not meant to be funny. In fact since they got rid of the Off Topic Forum, i don't think there is a funny forum any more. but you might want to check the General Forum, I think that is the close one to a funny forum.
Edited by Ewing on 6/20/2011 6:43 AM PDT
90 Night Elf Druid
9780
The people who are saying that the authenticator is not needed anymore, you need to wake up and smell the coffee. For the computer you use everyday no its not asking for the authenticator code but have you tried logging onto a totally different computer?? I have, I used a friend that I have never logged onto, and it asks for the authenticator code that you are all relying so much on. Plus to change anything on your actual account through the battle.net you still have to add the 6 digit code. The security is still the same and the authenticator is still needed. If any thieving happens then it would have to happen from someone in your own household using YOUR computer. The opt out option would be nice if you don't trust your family or roommates but you all are going to have to just deal with it. Blizzard made the game that you are playing and they made a decision (not well brought out) but still made a decision.
85 Draenei Paladin
7935
Just a note.

I live in New York. I play in New York. I have an authenticator, and I didn't mind punching in a code every time I wanted to play.

This change occurred while I was traveling. I am currently in California. I have logged on only twice since I got here, and that was after this change went through. Neither times was I asked for my code. I'm sorry, if playing from the opposite side of the country does not qualify for an ask of my auth code, what does?

I appreciate what they are trying to do here, but I'm not really a fan. It makes me decidedly uncomfortable that my account can log on from this far away from where I live and there's not a code prompt for that.

P.S. I didn't get asked to auth for the forums either. Go figure.
Edited by Katardre on 6/20/11 6:45 AM (PDT)



06/20/2011 06:16 AMPosted by WòrgasmThe only thing I really have a problem with is, I played on my work computer friday then I went home and play it asked for my auth code once then not again all week end. I come back into work and try and log in no auth code required. So it allows me to log in from any computer as long as I've logged in once.THIS!This is exactly the problem....log on ONCE somewhere and suddenly that place is safe? No! NO! NO!let's say I have a security hole big enough to allow a MitM trojan....let's say the attacking person is smart and makes me punch in my authenticator code on their fake site I just got redirected to, and he will, because he's not stupid...now he has my username, password, and an authenticator code that while it only works once in the next 30 or so seconds, that's enough....he logs in from a location that is not in my normal area...but he has a valid code...so it let's him in....now that he is in(and this has been proven over and over and over) he now NO LONGER NEEDS AN AUTHENTICATOR TO LOG IN...now at my end, I think it's just a failed log in...I log in normally and go about my business...while Mr. Hacker just waits a few hours...he has all the time in the world because he no longer needs my code...he's already used it...so I log off...go to sleep...or work...or whatever...and by the time I return to the game everything I have is gone...someone is gonna say that's pretty unlikely...well, yes, it is...my security is better than that...but the hackers are getting smarter...if I thought of this, they probably have as well...and are probably working out the code to make it possible...if they haven't already done so...I'm not paranoid, someone IS out to get me...give my back my authenticator...EDIT: as posted by others, MitM attacks are extremely rare...but I still don't like this...it's been proven, log in once from anywhere and that place is now considered part of your usual routine...someone somewhere is gonna find a way to use that to hack you...also given the extreme rarity of MitM attacks anyway...having to NOT punch in my code doesn't help with that anyway...either give me a real valid reason why my code is no longer needed, or give me the option of continuing to use it...


^^ my point also.. I think I was the first to prove that you can log in anywere... trying to get a hold of my friend in a different city to get him to Log in for me to get a timeline on this. Used his computer about 8 months ago.
85 Worgen Druid
7385
06/20/2011 06:33 AMPosted by Katardre
The only thing I really have a problem with is, I played on my work computer friday then I went home and play it asked for my auth code once then not again all week end. I come back into work and try and log in no auth code required. So it allows me to log in from any computer as long as I've logged in once.


THIS!

This is exactly the problem....log on ONCE somewhere and suddenly that place is safe? No! NO! NO!

let's say I have a security hole big enough to allow a MitM trojan....let's say the attacking person is smart and makes me punch in my authenticator code on their fake site I just got redirected to, and he will, because he's not stupid...now he has my username, password, and an authenticator code that while it only works once in the next 30 or so seconds, that's enough....he logs in from a location that is not in my normal area...but he has a valid code...so it let's him in....now that he is in(and this has been proven over and over and over) he now NO LONGER NEEDS AN AUTHENTICATOR TO LOG IN...now at my end, I think it's just a failed log in...I log in normally and go about my business...while Mr. Hacker just waits a few hours...he has all the time in the world because he no longer needs my code...he's already used it...so I log off...go to sleep...or work...or whatever...and by the time I return to the game everything I have is gone...

someone is gonna say that's pretty unlikely...well, yes, it is...my security is better than that...but the hackers are getting smarter...if I thought of this, they probably have as well...and are probably working out the code to make it possible...if they haven't already done so...

I'm not paranoid, someone IS out to get me...give my back my authenticator...

EDIT: as posted by others, MitM attacks are extremely rare...but I still don't like this...it's been proven, log in once from anywhere and that place is now considered part of your usual routine...someone somewhere is gonna find a way to use that to hack you...also given the extreme rarity of MitM attacks anyway...having to NOT punch in my code doesn't help with that anyway...

either give me a real valid reason why my code is no longer needed, or give me the option of continuing to use it...


So what this proves isn't that the authenticator change is bad--it's that you're trusting your WoW account details on a computer that isn't yours.

That's not a failure of the authenticator. That's a failure on your part. Entering your details into a system that you don't trust is pretty risky business, and even with one-time codes nobody in the industry would do it.
85 Draenei Death Knight
0
06/20/2011 06:33 AMPosted by Katardre
This is exactly the problem....log on ONCE somewhere and suddenly that place is safe? No! NO! NO!


So a MitM attack that mangles my registry key forcing me to use the authinticator once thus allowing them to login at their computer once then gives their computer login rights to no longer need the authinticator.

Nice, that is completely viable and would only require one edit to the existing MitM code to just up and delete all the registry keys under the Blizzard Key.
85 Night Elf Hunter
7205
06/20/2011 06:52 AMPosted by Zalindria
The people who are saying that the authenticator is not needed anymore, you need to wake up and smell the coffee. For the computer you use everyday no its not asking for the authenticator code but have you tried logging onto a totally different computer?? I have, I used a friend that I have never logged onto, and it asks for the authenticator code that you are all relying so much on. Plus to change anything on your actual account through the battle.net you still have to add the 6 digit code. The security is still the same and the authenticator is still needed. If any thieving happens then it would have to happen from someone in your own household using YOUR computer. The opt out option would be nice if you don't trust your family or roommates but you all are going to have to just deal with it. Blizzard made the game that you are playing and they made a decision (not well brought out) but still made a decision.


How many times did you have to log on using your friend's computer before his computer no longer asked for the code? If it was only once, then you should be as worried as the rest of us are...
85 Human Paladin
1990
06/20/2011 06:52 AMPosted by Zalindria
The people who are saying that the authenticator is not needed anymore, you need to wake up and smell the coffee. For the computer you use everyday no its not asking for the authenticator code but have you tried logging onto a totally different computer?? I have, I used a friend that I have never logged onto, and it asks for the authenticator code that you are all relying so much on. Plus to change anything on your actual account through the battle.net you still have to add the 6 digit code. The security is still the same and the authenticator is still needed. If any thieving happens then it would have to happen from someone in your own household using YOUR computer. The opt out option would be nice if you don't trust your family or roommates but you all are going to have to just deal with it. Blizzard made the game that you are playing and they made a decision (not well brought out) but still made a decision.


you said you used a freind you never logged into and it asked for you code. now go back and log into that friends comp it will no longer ask for your code. that is the problem we are having. once you log in somwhere with your authenticator that comp, wherever it may be, will no longer ask for your code.
90 Draenei Shaman
9040
Do you run your system with UAC off?

If so, shut it :)

no, and I run a domain at home so I have to log on the domain ID to do more than stare at a pretty screen :P
85 Blood Elf Death Knight
2495
my computer will probably stop working if I'm hacked again, I had great gear for two days in wrath, got hacked and became the worst dk in the game, (lol gear made it easymode fail blizz) my computer got ripped to shreds, had to get a new sound drive after completely rebuilding the computer's systems, all systems were rebuilt from scratch, from a single hacker, I got an authenticator to keep my account safe so that I wouldn't lose hard earned gear (crap gear) again, I payed for it! this nulls what I payed for, so I'm guessing you want us to be hacked, it's like philosophy on wikipedia, whatever I start with I always come to that
64 Blood Elf Hunter
460
Seems like there are 2 groups here, the ones who believe in this new way for Blizzard to keep thier accounts safe, and the ones who believe in thier authenticators.

To the first group: Your authenticator is no longer needed, remove it from your account and throw it in the trash, Blizzard has now taken responsibility for the security of your account.

To the rest of us: Let us keep our authenticators and use them everytime we log in!!!

Thank you.
Edited by Blueberry on 6/20/2011 7:11 AM PDT
85 Night Elf Hunter
7205

So what this proves isn't that the authenticator change is bad--it's that you're trusting your WoW account details on a computer that isn't yours.

That's not a failure of the authenticator. That's a failure on your part. Entering your details into a system that you don't trust is pretty risky business, and even with one-time codes nobody in the industry would do it.


My computer is safe....this is not the issue...the issue is there are millions of players who play this game and not all of them have computers that are as safe as mine...this change to the authenticator does not effect me and my ability to log on and be safe as I only use one computer...and I'm the only one who has access to it...my problem is not my account....my problem is other peoples...

my problem is I am driven to worry about people whose computers are not as safe as mine....who log on from multiple locations....who can be and/or already have been hacked...they got authenticators to protect them from further malicious activity...so far NO ONE in my guild who has an authenticator has been hacked...so far...but this new way of doing things does not prevent some of them from being hacked...they log on from multiple locations...they can get keylogged at those locations...therefore they can be hacked at those locations and I do want want to see this happen...

again...provide a REAL reason for this change and I will accept it...otherwise give me back my authenticator...

EDIT: reread this and I came off a little angrier than intended...so I reduced the number of fully capitalized words and fixed a spelling error...
Edited by Katardre on 6/20/2011 7:33 AM PDT
85 Worgen Druid
7385
Do you run your system with UAC off?

If so, shut it :)

no, and I run a domain at home so I have to log on the domain ID to do more than stare at a pretty screen :P


Ah, so you figured out dcpromo :P Good on you.

Do you log on with separate credentials for your domain admin versus your regular user?

Have you made sure to run the Microsoft EMET tool on your PC to help guard against exploits?

System-wide you can enable DEP and SEHOP protection. Per-application you can enable Heap Spray protection amongst a few other things. You can even force ASLR on applications that otherwise don't use ASLR.

Do you use a modern, up-to-date antivirus? Made sure all of your patches are up to date? This has been a nasty month for patching as Adobe has patched quite a few vulnerabilities across their range of applications including Reader, Flash, and AIR.

Using FF4/Chrome/IE9?
85 Human Paladin
1990
shhhhh dont tell em bout aour deal
90 Draenei Shaman
9040
06/20/2011 07:10 AMPosted by Ako
Adobe has patched quite a few vulnerabilities across their range of applications including Reader, Flash, and AIR

ya, every 5 freakin minutes I swear there is an update for adobe this month

yes split id's

it's the 2nd Tuesday again already for the EMET (I ran it weds morning, I usually only bother after "patch Tuesdays" ), being lazy there but i'm down to only 3 computers after the divorce

no I not a script kiddie who thinks they understand security, care to keep trying me?
Edited by Anii on 6/20/2011 7:33 AM PDT
85 Worgen Druid
7385
06/20/2011 07:33 AMPosted by Anii
Adobe has patched quite a few vulnerabilities across their range of applications including Reader, Flash, and AIR

ya, every 5 freakin minutes I swear there is an update for adobe this month

yes split id's

it's the 2nd Tuesday again already for the EMET (I ran it weds morning, I usually only bother after "patch Tuesdays" ), being lazy there but i'm down to only 3 computers after the divorce

no I not a script kiddie who thinks they understand security, care to keep trying me?


I really don't see your concern with this change then. Keeping everything updated, running EMET, and keeping your AVs up-to-date is by and large loads more than any single person on these forums.

People are acting like an authenticator allows them to get away with weaker password practices: (read: 123456 is a very common password) while giving them "higher security". That's not the kind of thing an authenticator is meant to block, just like SALTing your password hashes in your database isn't going to stop hackers from intercepting someone's login details and logging in.

Security is done in many layers with many different technologies. Each has things they guard against.

The authenticator token is simply to block attackers from intercepting your details and logging in from systems that you have never used. That's it, that's that.

Blizzard has a FAR clearer view of the threat landscape for their game than any single person on these forums. They know very well exactly what's going on.

The authenticator was never meant for you to be able to give your password to a friend/family member and "control" their login without giving them the authenticator code. If this is how any person was using it, they have been misusing it.

If anything, this change increases security for the very specific type of threat that the authenticator guards against.
This topic has reached its post limit. You may no longer post or reply to posts for this topic.

Please report any Code of Conduct violations, including:

Threats of violence. We take these seriously and will alert the proper authorities.

Posts containing personal information about other players. This includes physical addresses, e-mail addresses, phone numbers, and inappropriate photos and/or videos.

Harassing or discriminatory language. This will not be tolerated.

Forums Code of Conduct

Report Post # written by

Reason
Explain (256 characters max)
Submit Cancel

Reported!

[Close]