Battle.net Authenticator Changes (Cont. #13)


100 Night Elf Hunter
4530
I totally agree..... Blizzard and their rocket scientists really screwed the pooch on this one. If I really look at the terms of the authenticator, I believe we can see a breach of user agreement. So when I reinstated my account and found that they are no longer performing proper security, I quit, told my card company to refuse payment, and went to DDO.

BTW, they are now tracking you... IP-based logins to show when to apply authentication... They know where you are...

If you still agree with this policy please continue playing WoW... at least I will know where you are. :)

60 Gnome Death Knight
620
BTW, they are now tracking you... IP-based logins to show when to apply authentication... They know where you are...



Umm, when you created your World of Warcraft account, you put in your address back then.

Derp?
100 Blood Elf Hunter
17725
Again: We don't need the exact technical details on how it works. However, we do need enough information to know when and where we should get prompted for our Authenticators. We need to know this so that when we notice something odd, we can tell if it is working as intended or if it is a bug/glitch. If it is a bug/glitch, do we report it in the Bug Report forum, where everyone can read it, or do we need to send a private report, and to whom?

Are all of the computers and IPs we ever logged in from now trusted, and does using our authenticator at one unlock them all? Or is only the last PC and IP the one currently trusted?

Several players have tested this system, and it appears that in many cases computers/locations/IPs that they have logged in from in the recent past (weeks, even months ago) have been saved as "Trusted." They have signed in and authenticated from just one location, and have not been prompted from any of the others until their next weekly/random prompt.

It is one thing to announce: From this day forward, any computer/location/IP you ever log in from using your authenticator will be saved as safe, and you will never have to use your authenticator from it or there again. It is another thing for it to be retroactively applied to any computer/IP you accessed your account from before the announcement. Just how far back does the approved access go? One week, two weeks, six months?

Many players are not in ideal living situations. They have to share computers, or use public or semi-public computers. They have untrustworthy roommates, bunk-mates, and/or household members. These are people who are college students, military personnel, still live with mischievous siblings, or have spiteful wives/girlfriends. Some are players who for one reason or another currently don't own their own computer and must play at an internet cafe. Many of these players were actively sold the Authenticators by Blizzard personnel, as insurance in case someone is able to get hold of their login information, regardless of whether it is a gold farmer in China or a household member. These players did the responsible thing by adding one for the added layer of security.

These players need some other way to help secure their accounts. It doesn't matter how secure your password is; if someone knows you well enough, they can guess the SQ&A not only to your WoW account, but to your email account as well.

Also, this change weakens the protection of Guild banks with Authenticator-required ranks for bank access. If someone is able to gain access to a guild officer's computer and account information, they can strip the guild bank as well as his individual account.

Because the compromise is from his computer, it is doubtful that Blizzard will restore the Guild Bank. Or if they do a restoration, it would be on the basis of a Guild Bank theft, in which case the guild member in question could get his account suspended or even banned.

Also, if he is one of the guild's key members (like the only raid-ready tank), the GL might be very reluctant to report it, as the player may get suspended and/or gear stripped, leaving him and the guild unable to raid. In either case the guild will most likely have to eat the loss. Guild leaders need a tool to let them know if a player has opted in or out of this. While the player may have a trusted computer/location, the guild leader shouldn't have to trust it too.

Guilds can no longer trust that requiring Authenticators for GBank access will protect them from "domestic" hacks (little brother). In fact, dishonest members now have an "excuse/way out" for robbing the GBank, by blaming it on a "domestic hack" when confronted by the guild leadership.
100 Blood Elf Priest
17390
Still waiting to be able to opt-out......
90 Human Paladin
5530
Still waiting for people to understand the current lack of full time two-factor authentication.
90 Human Paladin
5530
Someone made the suggestion that as long as no one knows your pw, it doesn't matter. Don't these people know about brute force attacks? With the authenticator in place and prompting every time, it made those attacks near (not totally) impossible (unless you had the device entering a correct code on every login attempt).

I want My security back.
60 Gnome Death Knight
620
Brute force attacks = spamming different passwords.
After 5 failed attempts (even if you DON'T have an authenticator on your account), the account gets automatically locked.

Would you like to try again?
90 Human Paladin
5530
You unlock your account, even change your pw, and the attack continues in that cycle until they get lucky?

Only thing I want to "try again" is to get TRUE TWO-FACTOR AUTHENTICATION. IDC if everyone else wants to stay on this once-in-a-blue-moon system; let 'em. Give me an option. All I ask.
93 Troll Shaman
14350
Ok, got some info for you all! Spent 45 minutes on the phone with Tech Support during my lunch break today (roughly 20 minutes talking to the rep and 25 minutes on hold waiting to speak to a rep). First of all, if there are any plans to add an opt-out, she sure hadn't heard of them. However, she also said that most likely she would only be told of any changes at the moment they went live, so apparently they don't give Tech reps advance notice. Anyway, on to the juicy stuff!

During the conversation she actually gave me a few tidbits on how the system is supposed to work! And for the record, judging by the difference between what she was saying and what we've observed, the system is buggy as heck. If your experience is different from what I'm about to say below, please report it to Tech Support because it is not working as intended on your account! (Always assuming her information is correct, but if it isn't, that's the security department's fault for giving her incorrect or insufficient info.)

A: The system is only supposed to remember the very last computer you logged in from. This means that if I logged in and out from my computer, walked over to my boyfriend's computer and logged in/out, and then walked back to mine and logged in/out, I am supposed to get an authenticator prompt on his computer and again when I go back and log into mine. If you are not getting an authenticator prompt when you go from one computer to another, the system is not working as it is supposed to! Put in a ticket and see what they have to say. On the plus side, it does mean that apparently the 'hacker's computer is now permanently saved in the system as safe' scenario is a boogeyman. Assuming that the system is working correctly on your account, of course.

B: Due to large amounts of conflicting data during the past month, one theory we'd floated was that it randomly picked...oh, five or so things out of a pool of 10 or something to use for computer authentication. This is incorrect. Whatever data it uses to confirm 'your' identity, it is uniform on every account. Btw, the information does include your IP address. It's possible that it may be classifying a change of IP as a lower priority than the other data, but it is supposed to notice when your IP changes and prompt you. Again, if the system is not prompting you, put in that ticket.

C: She'd never heard of the addon that deletes the registry entry, and her reaction to my attempts to explain it hints that either there is a server-side component as well (which might just be the system that remembers your last login), or that the registry entry belongs to a different system. Yeah, I'm confused, too. Couldn't get her to clarify.


Oh, and for the record? I just tested A on my account. I just went back and forth from my b-friend's computer to mine, logging into each multiple times. I got prompted exactly once, and that once appears to have only happened because I'd never used his computer before. After that, I was able to alternate between our computers with 0 difficulty.
60 Gnome Death Knight
620
Use a keylogger on the PC you were at in a cyber cafe and bam, they're in your acct WITHOUT being prompted for your authenticator.


Which is why you should NEVER NEVER NEVER use a cyber cafe PC to play WoW.

EVER.
93 Troll Shaman
14350
I'm about to call Tech Support again, both as a bug report and as a check to see if another rep says the same thing the girl did this afternoon. Wish me luck on a shorter hold time this time around. :-(
90 Human Paladin
5530
07/25/2011 04:35 PM Posted by Cupcaké
Use a keylogger on the PC you were at in a cyber cafe and bam, they're in your acct WITHOUT being prompted for your authenticator.


Which is why you should NEVER NEVER NEVER use a cyber cafe PC to play WoW.

EVER.


I like gnomes. That's why I'm going to explain it again instead of getting frustrated.

There are people out there that have no choice but to use public access computers to play. The alternative is to never play at all. That includes college students and military personnel. Nothing is ever 100% safe, but why reduce the security you already have, especially if you have no other means to log in? This isn't just the snoopy sibling situation. It affects people who just can't or don't have private access to the internet.
14 Goblin Mage
40
A friend of mine was recently hacked, got her account back about a week ago. Has had an authenticator (keyfob) attached to it since June 2010. Funny thing is, she quit around the first of April.


Working as intended?
93 Troll Shaman
14350
A: The system is only supposed to remember the very last computer you logged in from. This means that if I logged in and out from my computer, walked over to my boyfriend's computer and logged in/out, and then walked back to mine and logged in/out, I am supposed to get an authenticator prompt on his computer and again when I go back and log into mine. If you are not getting an authenticator prompt when you go from one computer to another, the system is not working as it is supposed to! Put in a ticket and see what they have to say. On the plus side, it does mean that apparently the 'hacker's computer is now permanently saved in the system as safe' scenario is a boogeyman. Assuming that the system is working correctly on your account, of course.

B: Due to large amounts of conflicting data during the past month, one theory we'd floated was that it randomly picked...oh, five or so things out of a pool of 10 or something to use for computer authentication. This is incorrect. Whatever data it uses to confirm 'your' identity, it is uniform on every account. Btw, the information does include your IP address. It's possible that it may be classifying a change of IP as a lower priority than the other data, but it is supposed to notice when your IP changes and prompt you. Again, if the system is not prompting you, put in that ticket.

C: She'd never heard of the addon that deletes the registry entry, and her reaction to my attempts to explain it hints that either there is a server-side component as well (which might just be the system that remembers your last login), or that the registry entry belongs to a different system. Yeah, I'm confused, too. Couldn't get her to clarify.



07/25/2011 04:40 PM Posted by Shadowwind
I'm about to call Tech Support again, both as a bug report and as a check to see if another rep says the same thing the girl did this afternoon. Wish me luck on a shorter hold time this time around. :-(


Ok, update time! According to the guy I just got done talking to, some of the earlier information is incorrect. He wouldn't tell me exactly how a system was deemed safe or not (understandable, Bliz doesn't want too many details on the system being given out), but the info that only the last system is remembered is false. He DID seem to think that there were measures in place that would lock out a hacker's computer if they tried to log into your account again. Fair enough. We've not (yet) seen a wave of re-hacked computers, so it seems likely that the system does its job in that regard. During the conversation, I passed along several of the most common concerns/possible bugs, and while it seems Blizzard is well aware of most of them, there were one or two that he seemed concerned about and said he'd pass along. I didn't ask about B since I don't think he would have been allowed to tell me.

One thing that DID come up (regarding domestic compromises) is that Blizzard is again taking the stance that security lies on the user's end. Regardless of what your living circumstances are, responsibility for your account's safety lies on your end and an authenticator will no longer give you any protection unless and if Blizzard chooses to change the system in the future. Those of you who were using it as a method of protection are SoL and need to figure out another security measure.


Edit. I just remembered which piece of info he thought was a bug. It was the news that authenticating your account on one computer grandfathered in all of the OTHER 'safe' computers as well, instead of having to enter an auth code on each one.
Edited by Shadowwind on 7/25/2011 6:01 PM PDT
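The three behaviours argued over in Shadowwind's two reports above (the first rep's "only the very last computer is remembered", the alternating-computer test that prompted exactly once, and the "one code grandfathers in all the other safe computers" behaviour the second rep called a bug), together with Cupcaké's keylogger-on-a-cafe-PC scenario, as a toy model added here. This is not Blizzard's code and says nothing about how the real service decides; the three policies, the device fingerprints, the IP addresses and the password are constructed assumptions used only to show what each policy would let through.

```python
"""Toy model of a 'remembered device' second-factor policy (added example, not Blizzard code).

The policies below are assumptions about how such a system *could* decide when to
prompt. The fingerprint is a constructed stand-in for whatever data the real service
uses; the thread only says that it includes the IP address.
"""
from dataclasses import dataclass, field
from enum import Enum


class Policy(Enum):
    LAST_DEVICE_ONLY = "last"   # first rep's description: only the newest device is remembered
    PER_DEVICE = "per_device"   # every device must pass the prompt once, then stays trusted
    POOL_UNLOCK = "pool"        # the suspected bug: one code re-trusts every device ever used


@dataclass(frozen=True)
class Device:
    name: str
    ip: str          # the thread says the real check includes the IP
    machine_id: str  # constructed stand-in for any client-side identifier

    @property
    def fingerprint(self) -> tuple:
        return (self.ip, self.machine_id)


@dataclass
class Account:
    policy: Policy
    password: str
    trusted: set = field(default_factory=set)  # fingerprints that skip the prompt right now
    known: set = field(default_factory=set)    # every fingerprint that ever passed the prompt

    def _remember(self, fp: tuple) -> None:
        self.known.add(fp)
        if self.policy is Policy.LAST_DEVICE_ONLY:
            self.trusted = {fp}                 # any other device must re-prompt
        elif self.policy is Policy.PER_DEVICE:
            self.trusted.add(fp)
        else:  # POOL_UNLOCK
            self.trusted = set(self.known)      # one code unlocks every known device

    def expire_trust(self) -> None:
        """The periodic ('weekly / random') re-prompt: nothing is trusted until a code is entered."""
        self.trusted.clear()

    def login(self, device: Device, password: str, has_authenticator: bool) -> tuple:
        """Return (success, prompted). Being prompted without the authenticator fails the login."""
        if password != self.password:
            return False, False
        fp = device.fingerprint
        if fp in self.trusted:
            return True, False
        if not has_authenticator:
            return False, True
        self._remember(fp)
        return True, True


# Constructed devices and credentials for the scenarios in the thread.
HOME = Device("home", "203.0.113.10", "home-pc")
FRIEND = Device("boyfriend", "203.0.113.11", "friend-pc")
CAFE = Device("cafe", "198.51.100.7", "cafe-pc")
PASSWORD = "correct horse"  # constructed; the attacker in the last scenario has it via a keylogger


def alternating_prompts(policy: Policy, rounds: int = 3) -> int:
    """Shadowwind's test: bounce between two PCs and count how often a code is demanded."""
    acct = Account(policy, PASSWORD)
    prompts = 0
    for _ in range(rounds):
        for dev in (HOME, FRIEND):
            _, prompted = acct.login(dev, PASSWORD, has_authenticator=True)
            prompts += prompted
    return prompts


def grandfathered_after_expiry(policy: Policy) -> bool:
    """After the periodic re-prompt, does one code entered at HOME silently re-trust FRIEND?"""
    acct = Account(policy, PASSWORD)
    acct.login(HOME, PASSWORD, True)
    acct.login(FRIEND, PASSWORD, True)
    acct.expire_trust()
    acct.login(HOME, PASSWORD, True)           # owner enters one code at home
    ok, prompted = acct.login(FRIEND, PASSWORD, True)
    return ok and not prompted


def keylogger_replay_succeeds(policy: Policy) -> bool:
    """Owner plays once at the CAFE, then goes HOME; attacker replays the logged password from the CAFE PC."""
    acct = Account(policy, PASSWORD)
    acct.login(CAFE, PASSWORD, True)
    acct.login(HOME, PASSWORD, True)
    ok, prompted = acct.login(CAFE, PASSWORD, has_authenticator=False)
    return ok and not prompted


if __name__ == "__main__":
    for p in Policy:
        print(f"{p.value:10} alternating prompts={alternating_prompts(p)} "
              f"grandfathered={grandfathered_after_expiry(p)} "
              f"cafe replay works={keylogger_replay_succeeds(p)}")
```

Run as written, the model shows why the thread's observations and the two reps' statements cannot all hold at once: the "last device only" policy would have prompted on every switch in the alternating test, so a single prompt is only consistent with per-device trust or the pool behaviour; the pool behaviour is the only one where a code typed at home silently re-trusts the boyfriend's PC after the weekly re-prompt; and under either remembered-device policy a keylogged password replayed from the cafe PC gets in with no prompt at all, which is exactly what a per-login prompt had prevented.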
90 Human Paladin
5530
Thank you for doing this.

I do hope they take a closer look at the issues and come up with a solution everyone will be happy with.
90 Human Paladin
5530
Exactly. I'm not asking for a rollback, just an option.