Battle.net Authenticator Changes (Cont. #13)

(Locked)

90 Troll Shaman
3520
California was the first state with this law in 2002, with the California Data Breach Notification Law Cal. Civ. Code 1798.82 and 1798.29. This was way before World of Warcraft even existed.

Believe me, if Blizzard's security was ever breached, you'd know. Because if they didn't inform you, they'd be breaking a state law... and if a company's reputation is hurt by a security breach, it's obliterated by a criminal indictment.

I personally doubt that the data quoted below changes the results materially from what you're saying, but California may not be as strict as you seem to think.

http://www.scottandscottllp.com/resources/state_data_breach_notification_law.pdf

You will note that the law in California has no civil or criminal penalties for failure to notify, only private right to action (you can sue them) and the law does not apply to encrypted data; that is if they use any encryption for the data the breach need not be reported. I don’t know for sure but I believe Blizzard encrypts all personal user data (and that’s a good thing).

In New York (where I am) there are criminal penalties, but you can’t sue them.
And there is no exemption for encrypted data, breaches have to be reported.

Texas, where Blizzard also has offices, is almost the same as New York.
85 Draenei Paladin
3325
Well here's the original bill for California:
http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html

Under that, customers injured by the failure to notify can institute civil action to recover damages. So ya, Blizzard could still get indicted in a civil court according to this law. Per injury. That means you can bet it would hit the news stands faster than wildfire if Blizzard ever got hacked. Scott and Scott need to rework their chart.

Btw, Blizzard HQ is in Irvine, CA. So they'll be going by the California state laws.
Edited by Tiberias on 7/11/2011 8:56 PM PDT
90 Draenei Shaman
9040
anyone else notice, when you view your own posts
this and the other 13 threads no longer show up in your post history?

they don't for me, which tells me Blizzard/Activision is saying FU
85 Draenei Paladin
3325
07/11/2011 09:04 PM Posted by Anii
they don't for me, which tells me Blizzard/Activision is saying FU


If that really bothers you, then I'd be inclined to believe that you'd take anything Blizzard does as an "FU".
90 Troll Shaman
3520
07/11/2011 08:52 PM Posted by Tiberias
customers injured by the failure to notify can institute civil action to recover damages. So ya, Blizzard could still get indicted in a civil court according to this law.

No indictment, "civil action" simply means that they can be sued.
No criminal sanctions in that law at all.
Unless the state is among the injured parties no action by the government at all.

So if they don't notify you, and the database wasn't encrypted, and you somehow find out (remembering that the reason for all this is that they didn't notify you) then you can sue them for damages.

Not that Activision Blizzard wants any lawsuits, but the California state laws are some of the weakest of any state with such laws.



EDIT:
By the way, we are getting a bit off topic here as the authenticator has nothing at all to do with protecting Blizzard’s databases, it only protects your game account.

Getting into Blizzard’s customer information databases is a whole nother ball of wax; other than saying “I don’t trust the corporation’s commitment to security because of this” or something like that it is hard to come up with any connection between this topic and SONY et al.
Edited by Tomten on 7/11/2011 9:25 PM PDT
85 Draenei Shaman
3280
anyone else notice, when you view your own posts
this and the other 13 threads no longer show up in your post history?

they don't for me, which tells me Blizzard/Activision is saying FU


No posts in any thread I've made are showing up for me. However it's been like that for a while. A bug they claim but never fixed it....



07/11/2011 09:07 PM Posted by Tiberias
If that really bothers you, then I'd be inclined to believe that you'd take anything Blizzard does as an "FU".


Well seeing as in 3 weeks they haven't been able to say one word in all these 14 threads is what's giving the people an impression of a big ol FU!.

A few posts seem to have gotten off topic. Whether or not blizzard has been hacked does not matter. How they will handle it if they do does not matter. Those are concerns for another thread.

This thread is for the changes made to the authenticator system that they still will not address....

12 more days till my time runs out. It's a shame too. Been playing here for close to 5 years. Before the auth system went into place. If they had never gotten them then there would be no issue. The problem is the underhanded change. And the constant silence.

They are waiting for us all to go away. Well 12 more days and you will see me no more. A big ol FU to you too blizz....
90 Troll Shaman
3520
anyone else notice, when you view your own posts
this and the other 13 threads no longer show up in your post history?

They have broken the search function on these forums again, it happens from time to time and everything eventually comes back. Nothing specifically targeted at this forum or thread.
90 Draenei Shaman
9040
07/11/2011 09:23 PM Posted by Vallira
If that really bothers you, then I'd be inclined to believe that you'd take anything Blizzard does as an "FU".


Well seeing as in 3 weeks they haven't been able to say one word in all these 14 threads is what's giving the people an impression of a big ol FU!.

A few posts seem to have gotten off topic. Whether or not blizzard has been hacked does not matter. How they will handle it if they do does not matter. Those are concerns for another thread.

This thread is for the changes made to the authenticator system that they still will not address....

12 more days till my time runs out. It's a shame too. Been playing here for close to 5 years. Before the auth system went into place. If they had never gotten them then there would be no issue. The problem is the underhanded change. And the constant silence.

They are waiting for us all to go away. Well 12 more days and you will see me no more. A big ol FU to you too blizz....

weird, hadn't seen the forum bug before
I have 15 or 16 days left (would have to look at the time it expires)

Tiberias at this point, 3 weeks of being ignored
any thread NOT in tech support (and this is NOT a tech support issue) being deleted, add in that the rest of my posts were originally showing up when I asked, that is why I said it's a big FU
85 Draenei Shaman
3280
weird, hadn't seen the forum bug before
I have 15 or 16 days left (would have to look at the time it expires)

Tiberias at this point, 3 weeks of being ignored
any thread NOT in tech support (and this is NOT a tech support issue) being deleted, add in that the rest of my posts were originally showing up when I asked, that is why I said it's a big FU


Yeah the search function seems to break every other week or so. Longest I've seen where it stayed working constant was about 3 weeks. After that it seems to not want to work anymore. Whatever they are using for these forums really is a crappy setup.

And yes I agree 3 weeks and not a word. Any post not in these threads is locked and deleted with all due haste. There has even been an incident of a post in general just linking to these here. So that more people would know it exists that was not only deleted but the poster got a 3 day ban... And there was no more to it than that. I saw the original post and all it did was link to these and tell people to come here and voice their opinion.
90 Blood Elf Hunter
15340
customers injured by the failure to notify can institute civil action to recover damages. So ya, Blizzard could still get indicted in a civil court according to this law.

No indictment, "civil action" simply means that they can be sued.
No criminal sanctions in that law at all.
Unless the state is among the injured parties no action by the government at all.

So if they don't notify you, and the database wasn't encrypted, and you somehow find out (remembering that the reason for all this is that they didn't notify you) then you can sue them for damages.

Not that Activision Blizzard wants any lawsuits, but the California state laws are some of the weakest of any state with such laws.



EDIT:
By the way, we are getting a bit off topic here as the authenticator has nothing at all to do with protecting Blizzard’s databases, it only protects your game account.

Getting into Blizzard’s customer information databases is a whole nother ball of wax; other than saying “I don’t trust the corporation’s commitment to security because of this” or something like that it is hard to come up with any connection between this topic and SONY et al.



There is a combination of several State and Federal laws and regulations that makes it to where Blizzard has to notify us and/or their stockholders of any security breach on Blizzard’s end. Both California and Texas, where Blizzard operates out of, have some of the strongest of these laws and regulations in the world. While some of them may only apply to California/Texas residents, the rest of us will know very fast, thanks to the internet, if any notices ever go out to them.

Also, besides the SEC/FTC regulations where they have to notify us individually of any breach of our personal information, they also must notify their stockholders of any security breach, as it could negatively affect the price of their stock if it “leaked out.” Since these filings/reports are public records, again thanks to the internet the rest of us would know very shortly as well.

In addition to having to notify their stockholders, they have to notify the general public as well of any security breach, to avoid any insider trading entanglements. That law is not ambiguous. You cannot keep that kind of thing a secret and take part in any of the company’s stock transactions without going to jail.
Edited by Ewing on 7/12/2011 3:41 PM PDT
90 Human Warrior
12160
Just a heads up, it seems that the Blizz EU responded to their much shorter thread on this issue yesterday

http://eu.battle.net/wow/en/forum/topic/2226156035?page=26#519

This isn't a money saving scheme since you're not actually spending anything to generate the code, nor are you impacting bandwidth in any way. While your concerns are noted, your account is no less secure than it was before; the only change is that you will only be prompted once a week to enter unless you change IP address, from where you'll need to enter your authenticator code.

There are a lot of valid concerns, which our developers are aware about, however we cannot give a direct response to all posts made.

Nevertheless we are not ignoring any feedback posted, it's read and noted.

As for authenticator information, this is managed server side not on your actual system.
85 Draenei Shaman
3280
Just a heads up, it seems that the Blizz EU responded to their much shorter thread on this issue yesterday

http://eu.battle.net/wow/en/forum/topic/2226156035?page=26#519

This isn't a money saving scheme since you're not actually spending anything to generate the code, nor are you impacting bandwidth in any way. While your concerns are noted, your account is no less secure than it was before; the only change is that you will only be prompted once a week to enter unless you change IP address, from where you'll need to enter your authenticator code.

There are a lot of valid concerns, which our developers are aware about, however we cannot give a direct response to all posts made.

Nevertheless we are not ignoring any feedback posted, it's read and noted.

As for authenticator information, this is managed server side not on your actual system.


Funny how they can post there but not here....

And the no less secure thing with absolutely no information is a load of crap. I'm not a sheep I don't blindly follow....
85 Blood Elf Death Knight
4940
Stupid point that's probably already been made, but coming from a programming background, there's obviously quite a few things many people don't know about programming. Blizzard hires programmers and security software engineers for this very reason. It is much safer to not have to enter your authenticator every time, as it's fewer possibilities of getting run stopped and hacked. Even a cloned IP CANNOT be read with same exact location as your own personal operating system, not to mention the personal footprint your computer has. All of this is being taken into account. Do you really think they'd do something that'd compromise their systems, thereby making it to where more people would have to be hired to fix the problems? So quit complaining and trust the company hiring the top programmers in the world to keep your video gaming safe.

As for those of you worried about the people you live with, you can change your personal password anytime you like. You don't have to tell them what it is. And you can also change your operating system's password for your personal account, because this authenticator cookie is affected by which personal account on your computer you are logged on to. So whine more, you have the power to keep your stuff safe which you're obviously not doing. Being lazy with your computer security has a price, and this won't be Blizzard's fault.
85 Draenei Shaman
2210


4. If I log in from the same ISP, I don't need to spend 6 seconds typing in an authenticator code, but you'll know it's me. Really?

5. If I log in from a different location, AND ENTER MY AUTHENTICATOR CODE, you'll lock my account because you don't believe it's me. Really?

6. If the ISP doesn't fit the pattern I can't log in to the game if I enter my password and authenticator code, but, that's the info you ask for to get into account management, and it doesn't matter what my ISP is. Really?


These are really where I have issue... I travel twice a week and work out of town, and let me tell you it is a tremendous pain in the ass to get to the city I'm working in, to have to go through the following process:

    Try to log into WoW
    Account locked, go to this website
    Check my e-mail, click the link
    Enter in security question
    Check my e-mail, click the link
    Enter a new password
    Log-in with said password
    Please enter Authenticator code


What?!?

I have held this job for 9 months now and ONLY recently did playing WoW on the road become a job in itself. It USED TO BE that I would show up at whatever hotel in whatever city and simply put in my Authenticator code (because that's what it is right, an AUTHENTICATOR?) and go on my merry way.

But now I have 3 options;

a completely un-secure (according to multiple Blizzard CSRs) dial-in authenticator
a preemptive weekly phone to Blizzard telling them I won't be home (?!?)
a 20 minutes of e-mail tag every week.

All three are tremendously fail IMO, and leave me wondering... isn't the point of the authenticator to AUTHENTICATE? Plain and simple, why isn't that code the 100% guarantee that I am me, and I should be in my own account without a bunch of hassle?
90 Blood Elf Hunter
15340
07/12/2011 07:03 AM Posted by Sekineshny
It is much safer to not have to enter your authenticator every time, as it's fewer possibilities of getting run stopped and hacked.


Blizzard has made no claim that this change makes our account safer, the most they have said is just as secure.

If by "run stopped and hacked," you mean the "Man-in-the-Middle" attack, then you are sadly mistaken. This change does nothing to stop the MitM attack.

A “Man in the Middle Attack,” is a Trojan that works by blocking your access to the real log in server, and redirecting you to a spoof Log in screen/site. They then harvest all of your log in information, in real time, including your one time use Authenticator code. The hackers then very quickly use this info to access your in game account, before the Authenticator code expires.

Now if we never have to use our authenticator again from our "Trusted" Computer, then maybe it would protect us from the MitM. However even with this new system we still have to use our authenticators: at least once per week; if we enter the wrong password; and if there is a wide change in our IP, for any reason.

If we get prompted for our authenticator, we have no way of knowing it is Blizzard doing it, or a hacker with the MitM. Are we supposed to assume each time we are prompted for our authenticator, that it is a MitM attack? If so what are we supposed to do then? Wipe our computers, call Blizzard, run around like chickens with our heads cut off? Only for it to turn out to be a periodic check by Blizzard.

In fact this change really weakens your protection from the MitM. Before they only had a one time limited access to your account. Now the new system thinks that their computer/location is you. Therefore they can keep accessing your account as many times as they want without being required to re-authenticate.

The MitM Trojan is no simple keylogger that you can pick up from a day one Flash exploit. It requires YOU to install a very large executable file to work. "Man In the Middle" attacks were very, very rare. I have been following the CSF almost every day, for over 3 years now, and as far as I know there hasn't been a confirmed case of one in well over almost 2 years. In fact there has only been a very small handful of confirmed cases at all. They require a very big hole in your internet security, and very good timing on the hackers' part.

The main things the handful of players that had their accounts hacked had in common were: they all went to fake/spoof wowmatrix, curse, and other spoofed addon sites, and downloaded the spoof site's auto addon updater; they hadn't updated their Windows firewalls, and/or were running a bootleg copy of Windows. So if you are careful about the sites you visit, and keep your computer security updated, including your firewall, there is a low risk that this happened to you.
Edited by Ewing on 7/12/2011 1:13 PM PDT
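An added illustration, not part of any post in this thread and not Blizzard's code: the prompt rules described above (once a week, on a changed network, after a wrong password) modeled as a small policy, compared with asking for a code at every login. The class and function names, the network labels and the seven-day constant are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

REMEMBER_FOR = timedelta(days=7)  # assumed from "prompted once a week" in the quoted EU reply

@dataclass
class Account:
    trusted: dict = field(default_factory=dict)  # network label -> when a code was last verified there
    failed_password: bool = False                # set by a wrong password, cleared by a verified code

def needs_code(acct, network, now, remember=True):
    """Decide whether this login has to present an authenticator code."""
    if not remember:              # behaviour before the change: a code on every login
        return True
    if acct.failed_password:      # a wrong password was entered earlier: step up
        return True
    seen = acct.trusted.get(network)
    if seen is None:              # network not seen before ("change IP address")
        return True
    return now - seen >= REMEMBER_FOR  # weekly re-prompt

def login(acct, network, password_ok, code_ok, now, remember=True):
    """Return 'denied', 'code_required' or 'ok'. code_ok is None when no code was sent."""
    if not password_ok:
        acct.failed_password = True
        return "denied"
    if needs_code(acct, network, now, remember):
        if code_ok is None:
            return "code_required"
        if not code_ok:
            return "denied"
        acct.failed_password = False
        if remember:
            acct.trusted[network] = now  # this network is now remembered for a week
    return "ok"

def later_logins_after_one_code(remember):
    """One verified code from a second network, then password-only logins from it on days 1, 6, 8."""
    t0 = datetime(2011, 7, 12)  # constructed timeline
    acct = Account()
    login(acct, "home-net", True, True, t0, remember)
    login(acct, "other-net", True, True, t0, remember)  # the single code use
    return [login(acct, "other-net", True, None, t0 + timedelta(days=d), remember)
            for d in (1, 6, 8)]

def wrong_password_then_retry():
    """On a remembered network: a wrong password, then the right one without a code."""
    t0 = datetime(2011, 7, 12)
    acct = Account()
    login(acct, "home-net", True, True, t0)
    return [login(acct, "home-net", False, None, t0 + timedelta(hours=1)),
            login(acct, "home-net", True, None, t0 + timedelta(hours=2))]

if __name__ == "__main__":
    print("remembered network:", later_logins_after_one_code(True))
    print("code every login:  ", later_logins_after_one_code(False))
    print("wrong password:    ", wrong_password_then_retry())
```

With remembering on, a single verified code keeps a network password-only until the weekly window lapses; with it off, every login from that network is challenged again.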
I just wanted to pop in and leave this here, I'm sure it's been mentioned already but with 13 threads I can't check.

When I went to log in the other day I accidentally typed my password in wrong. I did it again, correcting my password and it went right through, didn't pop my authenticator up. Personally I think, at the very least, if the password is entered in incorrectly, the next attempt to log in should force the authenticator to come up.
85 Draenei Shaman
3280
I just wanted to pop in and leave this here, I'm sure it's been mentioned already but with 13 threads I can't check.

When I went to log in the other day I accidentally typed my password in wrong. I did it again, correcting my password and it went right through, didn't pop my authenticator up. Personally I think, at the very least, if the password is entered in incorrectly, the next attempt to log in should force the authenticator to come up.


Actually there have been people that said if they entered it wrong it prompted for a code.

This is another one of them "is a bug" things that blizz won't tell us..
I just wanted to pop in and leave this here, I'm sure it's been mentioned already but with 13 threads I can't check.

When I went to log in the other day I accidentally typed my password in wrong. I did it again, correcting my password and it went right through, didn't pop my authenticator up. Personally I think, at the very least, if the password is entered in incorrectly, the next attempt to log in should force the authenticator to come up.


Actually there have been people that said if they entered it wrong it prompted for a code.

This is another one of them "is a bug" things that blizz won't tell us..



Hmmm. Weird. I remember scratching my head when it happened and being surprised at it. My account literally hasn't asked for my authenticator since the change went live, regardless of what I do. (But I always log in to the same computer.)

So who knows. Maybe my wow launcher is just super lazy. :)
90 Blood Elf Hunter
15340
Just wanted to add one more thing about the MitM attack. Back in October of last year: Blizzard instituted a new security protocol; where if the system senses a change in our access patterns, it will lock you out of your account, until you reset your password. This "Change in Access Pattern" lockout will happen irregardless, if you have an authenticator or not.

It is this change that helps protect you from, or at least slows down the MitM attack, and not the new change to the authenticator system. A lot of people have confused, or do not understand, the 2 different changes, and think of them as being one and the same. They are not! They are 2 totally different systems, and occurred several months apart.

Lastly: The "Change in Access Pattern" lockout system does not protect, against a Hacker that uses a spoof IP that is in one of your IP's range. That is why it is wise to have an Authenticator too. However if the Hacker is using a MitM attack, as well as a Spoof IP, they got you.
Edited by Ewing on 7/12/2011 3:43 PM PDT
90 Draenei Shaman
9040
Just wanted to add one more thing about the MitM attack. Back in October of last year: Blizzard instituted a new security protocol; where if the system senses a change in our access patterns, it will lock you out of your account, until you reset your password. This "Change in Access Pattern" lockout will happen irregardless, if you have an authenticator or not.

It is this change that helps protect you from, or at least slows down the MitM attack, and not the new change to the authenticator system. A lot of people have confused, or do not understand, the 2 different changes, and think of them as being one and the same. They are not! They are 2 totally different systems, and occurred several months apart.

Lastly: The "Change in Access Pattern" lockout system does not protect, against a Hacker that uses a spoof IP that is in one of your IP's range. That is why it is wise to have an Authenticator too. However if the Hacker is using a MitM attack, as well as a Spoof IP, they got you.

problem is that one is broken as hell too
if search was working, i'd find my post but

the long story short, AFTER the pattern lockout went live(late Nov, for a funeral)
I played in CT(I work weird hrs, so I am always up), went to my work/intern site, went to Bradley(Hartford airport), logged on at Bradley waiting for my flight
flew to Charlotte, NC. logged on at Charlotte airport waiting for my connecting flight
flew to Wilmington, NC. went to room, logged on there too
flew to Philly, logged on there
flew to CT, went home, played there

it had me change my pw exactly 0 times
Edited by Anii on 7/12/2011 4:24 PM PDT
This topic is locked.
