About the Recent Authenticator Change

90 Troll Druid
10290
Also what happens if you get the option to require an authenticator code every time and then someone hacks your computer or Blizzard and changes it from yes to no? O.O

Also could God microwave a burrito so hot that even He Himself could not eat it? @.@



Edit: Adds O.O and @.@
Edited by Dreoid on 7/27/2011 5:41 PM PDT
Reply Quote
85 Worgen Druid
2725
signed and stuff
Reply Quote
3 Gnome Mage
0
We understand the concern many players have with the recent Battle.net authenticator changes. To that end, we’re exploring the idea of adding an “Opt Out” option within Battle.net Account Management, which would then force the prompt for an authenticator code whenever you log into World of Warcraft.

To be clear, we have gone to great lengths to ensure Battle.net accounts and authenticators provide players with a high level of security. Maintaining a safe and secure Blizzard gameplay environment remains a top priority for us.


Right. That's just awesome. Instead of leaving a good system in place, you cater to people too lazy to type in a 6-digit code.

Ironically, the other night I logged into my account, glad I was prompted for the authenticator; I then popped onto a TOTALLY different computer with that SAME account, only to NOT be prompted for my authenticator! So basically, if I was a hacker getting into someone else's account on a totally different IP address, I would have had it made. Oh yeah, guys... I feel "totally" secure >.>
Reply Quote
3 Gnome Mage
0
07/24/2011 11:54 AM Posted by Anii
As it appears the hackers need to get your authenticator, answer your security questions, change your password and then log in. And once they do that they can log in like any normal person. So what you're saying is, even with all that security manually putting in your authenticator is the only way to go.

No, I am saying that that site will not likely prompt anymore.

Also, the PW on change of location is MORE random than the authenticator.
I did Bradley International -> Charlotte International -> Wilmington Airport (for funeral) -> Philly -> Bradley.
Over the course of about 3 days, I logged on at Bradley (Hartford CT), I logged on in Charlotte NC, I logged on in the hotel in Wilmington NC, I logged on in Philly and back home in CT.
It NEVER had me do my security questions; that was 4 different sites from where I normally played in 3 different states (2 of which were not my normal state at the time).
I moved 10 miles, it made me change (during my divorce).
I moved from CT to NC, it made me change.
See the issues yet? Or do I need crayons?


Nor have I EVER seen such "questions" despite logging into a few different computers to test this... but my favorite is "or do I need crayons?" That. Is just full of Epic Win.
Reply Quote
3 Gnome Mage
0


Blizzard has a tendency to respond to whiners and ragers and malcontents. The squeaky wheel gets the grease.

Hence how we got this mess in the first place.

Someone whined about having to enter their code with all the disconnects... rather than fix the issue (the disconnects), we got lowered security.
Now all the people that like not having to enter the key are saying yeah, and all of us who want the security are saying WTF! (Some of us have 2FA at work, and more.)


This. You win.
Reply Quote
90 Troll Shaman
3500
... You log in next morning and you see that your toons were all transferred/deleted by your little brother, they'll probably fix that... especially if you let them know immediately. However, if there is evidence that an account was being shared by two players, then they're most likely going to leave it alone.

If you log in next morning and you see that your toons were all transferred/deleted by your little brother, they will not fix that, at least they have refused to in the past.

Good reason why they don’t; when the problems originated on your computer they have no way to know if you’re lying about the situation and were simply sharing an account, and if they did restore in such situations then everyone who got burned by someone they shared an account with would fabricate a story about a “little brother” or whatever.

Blizzard's solution for this? Tell users on shared systems to get an authenticator and keep it secure so a sibling/roommate/whatever can't cause such problems.

07/27/2011 05:07 PM Posted by Tiberias
And as a reminder, the authenticator was never designed to prevent personal attacks like that. They are designed to keep gold-sellers out of your account.

You should have told Blizzard employees this before they recommended the authenticator to prevent personal attacks like that, not having your superior knowledge on the topic they apparently have been mistaken with their recommendations a few times in the past.
Reply Quote
85 Blood Elf Paladin
4135
07/27/2011 09:02 AM Posted by Xanzul
It assumes you trust who you live and work with. Even with an authenticator you are still expected to practice safe internet practices in and out of your home. If people in your physical area can access your account you need to deal with that rather than whine about this issue.

Again you're wrong, and thank you for lining my pocketbook.

You completely missed the part about "remote control", didn't you?

Bad guy gets keylogger on your machine. Perhaps he uses an exploit in Flash to get it on your system when you go look up something on Wowpedia or Wowhead. It's a nice example since it already happened once. The bad guys bought ad space on Google, and got served up on a ton of WoW-related web sites.

Back when that happened, the authenticator protected you. While the attackers could log your "incredibly-secure" username and password, they would have to use the authenticator code in real-time. Since they got plenty of non-authenticator accounts, it was not worth the effort.

Now that this change has happened, the authenticator does not protect you from the above scenario. If they have sufficient access to install a keylogger, they can install remote control software. While you're asleep, they take control of your computer and log in to your account. Since your computer is trusted by Blizzard, there's no authenticator check and they don't need to hack you in real-time. You will also note they do not have to have physical access to your computer. So you can have angels for housemates and coworkers, and it won't protect you.

The reason you're making this mistake is developers and IT people tend to only look at their network and security from the perspective of what it's supposed to do instead of how it can be mis-used.
Edited by Texi on 7/27/2011 8:42 PM PDT
Reply Quote
85 Blood Elf Paladin
4135
07/27/2011 05:05 PM Posted by Dreoid
Second, Warcraft is constantly running an anti-hack program on your computer while you play WoW. It's called Warden.

You should know that disabling Warden is trivial.
Reply Quote
90 Troll Hunter
8690

Where does it say they will not replace your gear if you are hacked while using an authenticator?


I am under the impression that they review every compromise on a case by case basis. If they (or you) can't prove it was someone other than you at that particular computer logging in, then they will not restore. Correct me if I'm wrong about that.


I've been hacked before, and they replaced everything... even gave back the stuff the hacker took from my guild bank. I didn't have an authenticator at the time. They didn't give me any grief over it; basically all they said was that I would have all my stuff back in a few hours... and I did.

I have an authenticator now. Based off my dealings with GMs and customer service with this game, in the event a hacker was able to break into my house, get past my computer's login password, just to hack my account because my computer doesn't require the use of a code every single time I log in... I am more than positive they would replace what was lost (in game).

I happen to like the changes made with the authenticator, it saves time.

Also, the authenticator doesn't cost any money... it's free.
Reply Quote
85 Draenei Paladin
3325
07/27/2011 08:13 PM Posted by Tomten
You should have told Blizzard employees this before they recommended the authenticator to prevent personal attacks like that


You keep saying that they said that, but they never did. When you said that you had proof, you and Ewing had to rummage for posts that were over 2 years old or were purged when they switched to the new forum format. Real convenient proof huh.. They've never said that officially, you're just making it out like they did. Besides if anyone made that kind of recommendation, it would have been a CS rep. They're going to offer suggestions that are relevant to the issue at hand but you shouldn't take what they say as official marketing.

If you log in next morning and you see that your toons were all transferred/deleted by your little brother, they will not fix that, at least they have refused to in the past.


They will indeed fix it. Shoot, you don't even have to make up a story about it. If either you or someone else "accidentally" deleted all of your characters, you can get them back IF you contact Blizzard right away. If they refused restorations, then it's because there was account sharing going on.

If you don't trust the people you live with, then you need to get better roommates, move, or do something. That was never Blizzard's problem, that's a personal problem.
Edited by Tiberias on 7/27/2011 9:01 PM PDT
Reply Quote
85 Blood Elf Paladin
4135
07/27/2011 05:16 PM Posted by Dreoid
I am under the impression that they review every compromise on a case by case basis. If they (or you) can't prove it was someone other than you at that particular computer logging in, then they will not restore. Correct me if I'm wrong about that.


So you often find yourself in situations where you are hacked and can't prove it?

You sound like a liar.

Nah, you just aren't creative enough.

1. Use something like the Flash exploit that installed keyloggers w/o user interaction when visiting legit wow web sites (ex: wowpedia, wowhead, allakhazam). The bad guys bought ad space from Google. If your defense is "noscript" or adblock, you will also have to remember that Flash is not the only vulnerable program on your computer.

2. Since you have sufficient access to install a keylogger, install remote control software while you are there.

3. Log username and password.

4. Attempt to use username/password on the computer in your lair. Discover account has an authenticator.

5. Wait until the inactivity timer shows that your victim is not using your computer, and has not been for a long time. Say, your victim is asleep.

6. Use the remote control software to mute your victim's speakers and put the monitor into S3 (blank screen, blinking light on most monitors...what it does when "power saving" is on).

7. Use remote control software to launch WoW client on your victim's computer. Log into account, shard away.

8. Laugh as victim attempts to get Blizzard to restore their items. Blizzard's logs show the victim logged in from their own computer, so they must have sharded everything themselves. Bonus points if you got the victim's gbank too, as Blizzard has already stated the only way to get those items restored is to ban the person who "stole" from the gbank..


You'll note this method does not require the 'bad guy' to know you nor have physical access to any computer or network you used to log into WoW.

This attack was not possible when the authenticator popped up each login. The only way you could hack an authenticator account then was to capture and use the authenticator code in real-time. That made the victim rather suspicious and left evidence of the hack (login from strange location). It wasn't very practical. Now that this change has gone through, it's quite practical to hack authenticator accounts again. As an added bonus, your tracks are better covered since Blizzard doesn't know where your evil lair is.
Edited by Texi on 7/27/2011 9:02 PM PDT
Reply Quote
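The argument in the post above turns on two properties of a one-time-code login that are easy to state and easy to check in code: a code captured by a keylogger is only good inside its time window and only once (so the "real-time" attack is the only one that works when the prompt is shown every login), while a "trusted device" shortcut lets anything that can act as that device, a remote-control session included, log in with no code at all. The following is an added example written for this page, not code from the thread or from Blizzard; it implements a standard RFC 6238 TOTP check and a small login policy with a "trusted device" token and a "require the code every login" opt-out. The class and function names, the token format, the server key and the sample secret are all assumptions made for illustration.

```python
"""Added example: TOTP login with a "trusted device" bypass and an opt-out.

Not Battle.net code; every name and value below is an assumption for illustration.
Models the two policies argued over in the thread:
  * prompt every login: a captured code dies with its 30-second window and
    cannot be replayed, so only a real-time attack works;
  * trusted device: a device token issued on first login skips the prompt, so
    a remote-control session on that device skips the second factor too.
"""
import hashlib
import hmac
import struct
from typing import Optional

STEP = 30      # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6
DRIFT = 1      # accept the neighbouring time steps to tolerate clock skew


def totp(secret: bytes, at: float) -> str:
    """RFC 6238 over RFC 4226: HMAC-SHA1 of the time counter, dynamic truncation."""
    counter = struct.pack(">Q", int(at) // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


class Account:
    """Assumed server-side account record with the two login policies."""

    def __init__(self, password: str, secret: bytes, require_code_every_login: bool):
        self.password = password
        self.secret = secret
        self.require_code_every_login = require_code_every_login  # the "opt out"
        self.used_counters = set()       # counters already accepted, to stop replay
        self.trusted_devices = set()     # device tokens issued by a successful code login
        self.server_key = b"server-side-key"  # assumption: key that signs device tokens

    def _device_token(self, device_id: str) -> str:
        return hmac.new(self.server_key, device_id.encode(), hashlib.sha256).hexdigest()

    def verify_code(self, code: str, now: float) -> bool:
        """Accept a code only inside the drift window and only once."""
        base = int(now) // STEP
        for counter in range(base - DRIFT, base + DRIFT + 1):
            if counter in self.used_counters:
                continue
            if hmac.compare_digest(totp(self.secret, counter * STEP), code):
                self.used_counters.add(counter)
                return True
        return False

    def login(self, password: str, device_id: str, code: Optional[str], now: float) -> str:
        if not hmac.compare_digest(password, self.password):
            return "denied"
        trusted = (not self.require_code_every_login
                   and self._device_token(device_id) in self.trusted_devices)
        if trusted:
            return "ok:trusted-device"      # second factor skipped entirely
        if code is None or not self.verify_code(code, now):
            return "need-code"
        self.trusted_devices.add(self._device_token(device_id))  # remember this device
        return "ok:code"


SECRET = b"12345678901234567890"   # RFC 6238 test-vector secret, used as a constructed sample


def keylogger_scenario(require_code_every_login: bool) -> dict:
    """Constructed scenario: a keylogger captures the password and one code at t0."""
    acct = Account("hunter2", SECRET, require_code_every_login)
    t0 = 1_700_000_000.0
    code = totp(SECRET, t0)
    victim = acct.login("hunter2", "victim-pc", code, t0)
    # attacker replays the captured code from their own machine seconds later
    replay_now = acct.login("hunter2", "attacker-pc", code, t0 + 5)
    # or tries it once the time window has passed
    replay_late = acct.login("hunter2", "attacker-pc", code, t0 + 120)
    # or, with remote control, logs in *from the victim's machine* hours later, no code
    remote_control = acct.login("hunter2", "victim-pc", None, t0 + 6 * 3600)
    return {"victim": victim, "replay_now": replay_now,
            "replay_late": replay_late, "remote_control": remote_control}


if __name__ == "__main__":
    print("trusted device on :", keylogger_scenario(False))
    print("code every login  :", keylogger_scenario(True))
```

With the trusted-device policy on, the replayed code fails both seconds later (already used) and two minutes later (outside the window), but the no-code login from the remembered machine succeeds. With the opt-out set, that last login is refused as well. The replay set here grows without bound; a real server would only keep counters inside the drift window.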
Thank you Blizzard for listening to the cries to get this corrected and meeting us half way with an Opt-Out option.
Reply Quote
85 Blood Elf Paladin
4135
07/27/2011 08:47 PM Posted by Ispitonyou
in the event a hacker was able to break into my house, get past my computer's login password, just to hack my account because my computer doesn't require the use of a code every single time I log in... I am more than positive they would replace what was lost

There's some exciting new remote control software that's available for both commercial and open-source use. Products such as VNC and GoToMyPC allow you, or someone with nefarious intentions, to log into your system without having physical access to your system. Microsoft even thoughtfully included the software in your copy of Windows, where it's called "Remote Desktop".

These products were developed in the 1990s, and based on concepts from X Windows developed in the 1980s. Anyone who insists physical access is required to log into a computer is only about 30 years behind the times.
Reply Quote
MVP
86 Night Elf Priest
7720
07/27/2011 04:43 PM Posted by Caandi
I haven't read all of these posts, but do people realize that banks use a similar system for logging into their bank accounts?

Interestingly enough, my bank does have a way of "authenticating" my computer. Guess what? I ~still~ have to put in my online account name (unless I tell it to remember, which you'll NEVER catch me doing with any account) ... which then takes me to a new page that shows me a "sitekey". That is an image out of hundreds that I picked and a description I typed in for it - something no one but me would know is valid (which is more about recognizing a phishing site than my security on that site). Then I have to put in my password EVERY time. If I haven't logged in from that computer in a length of time (one or two months maybe), I even have to give the answer to one of four security questions, which one picked at random. Three fails locks me out of attempting to log in until I go to my email and get an unlock code. After that, I go back to the beginning of logging in.

So "similar" ... maybe. But every single step is pretty much always required. And if they offered and I applied an Authenticator, I'd want to enter it every single time even with all the above.
Reply Quote
85 Draenei Paladin
3325
That's an interesting concept, but you're forgetting that the authenticator's fingerprint variables are unknown to us. Several users have said that it has even prompted for the authenticator again after changing certain software. It's very likely that adding remote desktop software to the computer may be one of the things that set it off. Especially when connecting from outside the home network.

Another thing to mention is that attack is just as difficult and tedious to pull off as the Man-in-the-Middle attack, if not more so. Out of the 11 million people playing World of Warcraft right now, there is an abundant amount of people still falling for phishing scams and not using authenticators. Hackers would rather target those people.

Also: With any remote desktop software, it has to be enabled and configured on the host computer. I highly doubt anyone will be able to bundle both a keylogger and full remote desktop software in a flash vulnerability. Not saying it's impossible, but highly unlikely.
Edited by Tiberias on 7/27/2011 9:15 PM PDT
Reply Quote
85 Blood Elf Paladin
4135
07/27/2011 09:11 PM Posted by Tiberias
It's very likely that adding remote desktop software to the computer may be one of the things that set it off. Especially when connecting from outside the home network.

Because rootkits don't exist and can't be used to conceal software.

It's not like they're going to use the installation wizard to put it on your computer. WoW will have no idea that some random .exe is actually remote-control software.

Another thing to mention is that attack is just as difficult and tedious to pull off as the Man-in-the-Middle attack, if not more so

The MitM attack required the hacker to be sitting at their computer, waiting for a victim to attempt to log in. That is what made it impractical.

My attack can be done at a time convenient to the hacker. It means authenticator accounts are as easy to hack as non-authenticator accounts.

out of the 11 million people playing World of Warcraft right now, there is an abundant amount of people still falling for phishing scams and not using authenticators. Hackers would rather target those people.

Such people generally have much less gold to steal.

Also: With any remote desktop software, it has to be enabled and configured on the host computer. I highly doubt anyone will be able to bundle both a keylogger and full remote desktop software in a flash vulnerability. Not saying it's impossible, but highly unlikely.

The vulnerability only needs to contain a small payload which then downloads the malware. Much like ZeuS and other botnets are typically installed.
Edited by Texi on 7/27/2011 9:18 PM PDT
Reply Quote
90 Troll Hunter
8690
07/27/2011 09:08 PM Posted by Texi
in the event a hacker was able to break into my house, get past my computer's login password, just to hack my account because my computer doesn't require the use of a code every single time I log in... I am more than positive they would replace what was lost

There's some exciting new remote control software that's available for both commercial and open-source use. Products such as VNC and GoToMyPC allow you, or someone with nefarious intentions, to log into your system without having physical access to your system. Microsoft even thoughtfully included the software in your copy of Windows, where it's called "Remote Desktop".

These products were developed in the 1990s, and based on concepts from X Windows developed in the 1980s. Anyone who insists physical access is required to log into a computer is only about 30 years behind the times.


Missed my point completely...

Blizzard replaces stuff if you are hacked... They even replace BoAs when people "accidentally" vendor them.
Reply Quote
85 Draenei Paladin
3325
If it was really as you make it out to be, don't you think people would be getting hacked left and right? Well they're not. I'm sure that remote access was one of the first things on many hackers minds too if it were possible.

Here's some food for thought. Blizzard very likely spent many months planning this. They've also already had a month to analyze the results of the change, yet they haven't reversed it.

Now what if the statistics showed that there were actually fewer people getting hacked after the change was implemented? Then an opt-out feature would actually mean that some people using the authenticator are less secure than others. It's more practical as a business to stick with the most secure scheme, whether it be prompting every time, or through the fingerprinting.

Now you can come up with every scenario you like about how you could get through the system, but at this point it's all just assumptions and guesses without any real empirical data. I've yet to see anyone in these forums say that they got hacked with the authenticator in place since the change, and it hasn't been reported on any of the other forums either.

So you have to trust Blizzard when they say that it offers the same level of security as before the change. The fact account compromises have not risen, and that they haven't reversed it after a month, should be the biggest testament to prove that it's working, because if it was truly less secure, then they would have reverted it in a heartbeat.
Edited by Tiberias on 7/27/2011 9:32 PM PDT
Reply Quote
85 Troll Druid
5290

I log in on any semi-public computer - library, computer lab, friend's laptop, w/e



Here's your problem. You are complaining about Blizzard's system being faulty, but you yourself are not practicing safe playing habits.

You do realize that's the entire purpose of an authenticator, right? It makes the assumption that NO computer is safe - not the one at your house, at work, none. These were invented so people accessing sensitive computer resources had an extra layer of security - google two-factor authentication some time. These aren't devices that were intended to improve convenience, or slightly improve security without being too intrusive - they were created with the sole purpose of improving on password-only protection.

If we trusted password only, why would we have an authenticator in the first place? The whole purpose of the authenticator is so that I am able to do these things and feel protected - that's what I signed up for when I bought it, that's what was advertised, and now that's what was taken away.

You people that blame the victim have a long, hard life lesson coming to you.
Reply Quote
90 Troll Shaman
13245
To those of you defending the new system:

I believe that you would get your point(s) across much better if you actually provided some form of evidence. During the 14 threads, many people did their own tests on various aspects of how the system worked and then posted the results. 'I attempted to do X and succeeded. I also attempted to do Y, but it didn't work. Based off of X and Y, I believe that the system looks at Z, but NOT W.' We also had people do searches and provide links to websites or posts providing support for their point(s). One thing these people tended to have in common was that they were opposed to the change for one reason or another. Oddly enough, most (though not all) of the people supporting the change made no effort to test the system to see if it actually performed as they claimed it did. They also made statements and for the most part made no effort to provide supporting links. It was not for a lack of opportunity. I, personally, made several posts that included compiled test results and specifically asked for others to do and post their own testing. So far as I can tell, no one took me up on it.

TL:DR If you would like to have a better chance to convert people to your way of thinking, I respectfully request that you provide evidence supporting your platform. Test results would be ideal, though even providing links to supporting forum evidence would go a long way to establishing credibility to your side. Thank you, and have a pleasant evening!
Reply Quote
