About the Recent Authenticator Change

85 Draenei Paladin
8220
To those of you defending the new system: I believe that you would get your point(s) across much better if you actually provided some form of evidence. During the 14 threads, many people did their own tests on various aspects of how the system worked and then posted the results.


Speak for yourself. You haven't given any real evidence supporting your case at all. You posted a story about a kid who quit playing because he was worried his little brother would hack his account, then you said that you spoke to a GM discussing the circumstances of guild restorations. Yet in neither scenario did you prove the authenticator was less secure.

Your tests are extremely biased and fueled by your agenda. Biased tests are unreliable. Additionally, your "tests" haven't really proved anything. You've only demonstrated that the authenticators are working as intended. If you want a real test and you want to prove that this system is less secure, then you'll have to try applying your theories toward an outside party.

If you want evidence supporting the authenticator change, then you should have been listening to what the majority of us have been saying this entire time.

No. One. With. Authenticators. Are. Getting. Hacked.

I don't see why you'd need anything more than that. It's evidence right in front of your face. You haven't gotten hacked, I haven't gotten hacked, and no one else posting here has gotten hacked since June 16th IF they've kept their authenticator on their account. Scour the forums; you won't find any reports of people getting hit while their authenticators are in place since the change was implemented. In fact, you are more likely to find people saying they haven't been hacked once since adding one.
Edited by Tiberias on 7/27/2011 11:08 PM PDT
85 Worgen Druid
2195
Doesn't really matter to me, the bliz authenticator system can never tell I'm me anyway, I still have to use my authenticator every time I log in.
100 Troll Shaman
5140
07/27/2011 08:47 PM Posted by Tiberias
When you said that you had proof, you and Ewing had to rummage for posts that were over 2 years old or were purged when they switched to the new forum format. Real convenient proof huh..

I never said I had “proof”, I never “rummaged for posts that were over 2 years old”, I’m not sure what you’re talking about.

07/27/2011 08:47 PM Posted by Tiberias
They've never said that officially, you're just making it out like they did. Besides if anyone made that kind of recommendation, it would have been a CS rep. They're going to offer suggestions that are relevant to the issue at hand but you shouldn't take what they say as official marketing.

I see, you’re a more official source than the CS reps, but Marketing is a more official source than even you.

Oh well, I’ve fed this troll too much already; Blizzard responded and the issue is now moot.
90 Night Elf Hunter
13420

Well, I'll say that when I went on vacation and logged in at the hotel I was staying at one evening, not only did I have to put in my authenticator, I was required to go into Account Maintenance, answer security questions, and change my password before it would accept that it was really me.

I think the security is still working pretty well, though I'm not opposed to those wanting an option for it to ask for the authenticator every time.


now go back to that hotel, and log in

even money says it won't request an authenticator



I can answer that for you. I logged on at my boyfriend's a few weeks ago. My account got locked and I had to reset my password. I tried to log on again at his house a couple of days ago and my account was locked again. When I got hold of support to ask about it, I was told that since I didn't log on at his house often it would be locked every time I tried.
85 Blood Elf Paladin
4135
07/27/2011 09:29 PM Posted by Tiberias
If it was really as you make it out to be, don't you think people would be getting hacked left and right? Well, they're not. I'm sure that remote access was one of the first things on many hackers' minds too, if it were possible.

Those of us concerned that such an attack may become common would like that "opt-out" checkbox before the attack becomes common.

If the ROI for my attack isn't currently high enough, the hackers won't use it. That doesn't mean the ROI is too low forever.

Here's some food for thought. Blizzard very likely spent many months planning this. They've also already had a month to analyze the results of the change, yet they haven't reversed it.

People spent years designing Internet Explorer 6. It's still riddled with security holes. People have been patching vulnerabilities in Flash and Acrobat for years. Yet there are still security fixes released for those products about 4x a year.

Level of effort != level of security

Now what if the statistics showed that there were actually fewer people getting hacked after the change was implemented? Then an opt-out feature would actually mean that some people using the authenticator are less secure than others. It's more practical as a business to stick with the most secure scheme, whether it be prompting every time or through the fingerprinting.

Fingerprinting is hard. It's very difficult to find something that is actually unique that you can use for every system which can not be duplicated by a malicious user. Considering entities such as Microsoft have failed at fingerprinting, I don't think Blizzard has invented a new way that is actually secure.

This is a developer who released an "anti-speedhacking" tweak in 4.2 that relies on a constant CPU frequency. CPU frequencies haven't been constant since Intel released SpeedStep in the '90s.

Now you can come up with every scenario you like about how you could get through the system, but at this point it's all just assumptions and guesses without any real empirical data.

Yes, as far as I know nobody's using my attack at the moment. But Blizzard still hasn't implemented the "opt-out" after a month of people screaming at them on the forums. Do you really want to wait for the attacks to become common before Blizzard _starts_ working on an opt-out?

Security is all theoretical until someone is actually using the attack, at which point you are too late. You fix the holes when they are only theories.

If people want to reduce their level of security by not entering the code every time, that's fine. They are choosing to accept the additional risk. Many of us do not feel the very minor increase in convenience is worth the reduced security.

So you have to trust Blizzard when they say that it offers the same level of security as before the change.

Actually, that's the point. I do not have to trust Blizzard. They sold me an authenticator, which if used every login means I don't have to trust them. Instead, I can trust Digipass, which has a much better record and philosophy when it comes to security.
Edited by Texi on 7/28/2011 5:36 AM PDT
85 Blood Elf Paladin
4135
Missed my point completely...

Blizzard replaces stuff if you are hacked... They even replace BoAs when people "accidentally" vendor them.

Blizzard doesn't always replace the stuff if you are hacked. If their investigation shows no evidence of a hack, then they do not always replace the stuff.

And Blizzard has said the only way they'd restore items stolen from a gbank after this change with no evidence of a hack would be to ban the player that stole from the gbank. So your guild gets its stuff back and you lose your account.
Edited by Texi on 7/28/2011 5:41 AM PDT
85 Blood Elf Paladin
4135
I can answer that for you. I logged on at my boyfriend's a few weeks ago. My account got locked and I had to reset my password. I tried to log on again at his house a couple of days ago and my account was locked again. When I got hold of support to ask about it, I was told that since I didn't log on at his house often it would be locked every time I tried.

Unfortunately, there are plenty of reports where the reverse happened. Logins worked without an authenticator months after visiting a friend's house.

One flaw of Blizzard's system is their reliance on security through obscurity. We don't know yet what exactly they trigger on.

You'll note the "yet" in that sentence. Someone with sufficient motivation (say, they sell stolen gold) will figure it out quickly. Those of us posting on a forum in our spare time don't have the same level of motivation.
100 Tauren Shaman
13270
I consider this feature to be much like Microsoft's Network Location Awareness system. For those of you not in IT, who don't have to deal with servers, NLA determines if you're connected to a Public, Private or Corporate network. It makes this determination using many little hints and applies the proper security settings to the network interface.

The problem is, it's often wrong, and you can't change it on many of the server versions of Windows.

This change to the authenticator is in the same class....

Software used to make decisions for me is ok, as long as I have the ability to correct the software when I believe it's wrong.

In this case, I don't have to worry about anyone in my home logging into my account to do anything malicious. The authenticator system as it is works for me. However, others DO have that worry (siblings, etc.), which means they would like to have it ask EVERY TIME.

This isn't a technical security matter; it's a preference depending on YOUR situation. Those claiming that people who want the opt-out feature are overreacting or are paranoid need to step back and walk a mile in the shoes of those who DO want the opt-out.


No two people playing this game have the exact same needs for security. Claiming that you know an individual's situation and dismissing their concerns out of hand is at best disrespectful, and at worst, completely ignorant.
85 Draenei Paladin
8220
And worrying about attacks that aren't happening is paranoid. You've got an idea of how someone could hack an account with remote access, but it hasn't happened yet, and I doubt it will. Like I said earlier, if it were so easy then people would be getting hacked left and right, and that's not happening.

One flaw of Blizzard's system is their reliance on security through obscurity. We don't know yet what exactly they trigger on.


I've heard someone say that before. Are you sure you're not an alt of one of the "opt-out trolls" from the tech forum authenticator change threads? It's not so much security through obscurity. They already told you how it works, they just didn't give you that many details. It's more like a need to know basis, and you don't need to know.

Besides, the authenticator system is a FREE service. You can get it for free if you happen to have a compatible mobile device. But if you don't have such a device, Blizzard offers a physical medium on which you can get the authenticator for a measly $6.50. So drop the "I paid for it, so I'm entitled to.." train of thought.

07/28/2011 05:46 AM Posted by Texi
You'll note the "yet" in that sentence. Someone with sufficient motivation (say, they sell stolen gold) will figure it out quickly. Those of us posting on a forum in our spare time don't have the same level of motivation.


There are very very few people in the world with that kind of motivation to hack an account. Most gold sellers work in cramped cubicles in 3rd world countries with on-the-job training. They want to hack as many accounts in a day as possible, but they are not going to do that if they are bending over backwards to hack an account with an authenticator. They would rather hack 10 accounts without authenticators in the same timespan.

The problem with your arguments is that they are all conspiracy theories, that are yet unproven. And I'm willing to bet that the security experts that Blizzard pays big bucks to have already tried to break the system in every way they can conceive. If there was a real concern, they would have reversed the change by now.
Edited by Tiberias on 7/28/2011 6:26 AM PDT
85 Goblin Shaman
2995
I consider this feature to be much like Microsoft's Network Location Awareness system. For those of you not in IT, who don't have to deal with servers, NLA determines if you're connected to a Public, Private or Corporate network. It makes this determination using many little hints and applies the proper security settings to the network interface.

The problem is, it's often wrong, and you can't change it on many of the server versions of Windows.

This change to the authenticator is in the same class....

Software used to make decisions for me is ok, as long as I have the ability to correct the software when I believe it's wrong.

In this case, I don't have to worry about anyone in my home logging into my account to do anything malicious. The authenticator system as it is works for me. However, others DO have that worry (siblings, etc.), which means they would like to have it ask EVERY TIME.

This isn't a technical security matter; it's a preference depending on YOUR situation. Those claiming that people who want the opt-out feature are overreacting or are paranoid need to step back and walk a mile in the shoes of those who DO want the opt-out.


No two people playing this game have the exact same needs for security. Claiming that you know an individual's situation and dismissing their concerns out of hand is at best disrespectful, and at worst, completely ignorant.


not even close, not by a long shot ...another "education" wasted
85 Tauren Death Knight
2885
07/26/2011 03:00 PM Posted by Bbqbrisket
Is there currently, or will there be, a way to not get the "We've detected a change in your login patterns, please change your password"? I play both from my home where I work and go to school as well as take my laptop "home" with me to my hometown quite often. I've had to change my password some 4 or 5 times in the past couple weeks due to the "change in my login patterns" and would really like to stop having to jump through that hoop.

I ran into this problem a lot as a truck driver (I literally logged in from a different state each day usually). The system monitors what IP addy you are logging in from. If it sees changes, this is a flag for a hacked account (I've been "banned" twice because they figured my account was hacked). I resolved the issue by signing up for the dial in authenticator, but then it wasn't working one day so they sent me a free regular authenticator (thanks blizz btw!). The CSR also placed me on a list that they maintain of people that have let them know that their IP changes often (truck drivers and others that travel for work often) so that the system won't automatically ban them or force a password change...I had to change my p/w 4 times in one week once. Now, I really wish they would set it up so I can choose to always ask for my authenticator code soon. I have gotten a "local" job now driving so I log in from home each time, but would still like that added security.
To the poster (on page 9, I think) who implied that people seeking an option to require the authenticator each login were wanting to be less secure... how so exactly? The authenticator is more secure. Unless he was talking about people against the idea, then never mind; people against the idea aren't very smart.
85 Undead Warrior
8140
07/27/2011 10:42 PM Posted by Tiberias
No. One. With. Authenticators. Are. Getting. Hacked.

True, but it's possible. There are those of us that would like to make it harder for this to happen, which is why we want the opt out.

07/27/2011 10:42 PM Posted by Tiberias
Your tests are extremely biased and fueled by your agenda. Biased tests are unreliable. Additionally, your "tests" haven't really proved anything.

Actually they have proved that it is possible to compromise an account, because if they couldn't, then they wouldn't have been able to.
90 Tauren Druid
5095
I've been paying for two accounts for over five years, both have separate mobile authenticators. The authenticator on the "second account" was lost when the phone was destroyed. Since I never changed the name on the second account I will never be able to access it again per Blizzard who then happily offered to cancel the paypal agreement on the account. I had all the information access to the email, the serial # from the game, paypal agreement #, access to the email account, the addresses on the accounts are the same. I could have put the name as Santa Claus setting up the other account. Why doesn't Blizzard make you verify your info is correct when you add the mobile authenticator? I realize this whole debacle could have been prevented if I had done things differently. I'm not renewing this account either. Just going to wait for the next rift sale and go over there. Blizzard won't miss my $30 bucks a month and they definitely don't care.

The funny thing is I could access the account until I sent in my ID etc. to have the mobile authenticator removed; I always log in from the same computer. I've been locked out for trying to hack into my own account.
Edited by Moorina on 7/28/2011 8:45 AM PDT
85 Blood Elf Paladin
4135
07/28/2011 06:21 AM Posted by Tiberias
And worrying about attacks that aren't happening is paranoid. You've got an idea of how someone could hack an account with remote access, but it hasn't happened yet

Do you lock the doors on your car? Why? It hasn't been stolen yet. Worrying about auto theft is paranoid. Statistically, your car will never be stolen. Even if it is stolen, your insurance will pay for it. Yet you still lock the doors.

Waiting until after the attack is dumb, because you are being damaged by the attack. It's much, much smarter to avoid the attack in the first place.

It's not so much security through obscurity. They already told you how it works, they just didn't give you that many details

Let me summarize your statement: "They told you how it works. They just didn't tell you how it works".

Not giving all the details _IS_ security by obscurity.

Besides, the authenticator system is a FREE service. You can get it for free if you happen to have a compatible mobile device. But if you don't have such a device, Blizzard offers a physical medium on which you can get the authenticator for a measly $6.50. So drop the "I paid for it, so I'm entitled to.." train of thought.

I never complained about paying for anything. I said that this change makes the authenticator accounts less secure.

In fact I'm actually protected from this change because I know the registry key WoW uses to suppress showing the authenticator prompt. It's HKCU\Software\Blizzard Entertainment\Battle.net\Authenticator. I wrote a program to delete that key after every WoW session.

But the fact that I've got a work-around to fix what Blizzard broke doesn't make this change a good idea. There's a relatively small number of players who can delete a key out of the registry conveniently. Blizzard decided to reduce all of our security without asking, and a small number of us can claw our way back to how it should work.

Not making this an opt-in for people who hated typing the numbers was a monumentally dumb move. _THAT_ is my complaint. The lazy can go ahead and disable prompt-every-login and increase their risk. Those who want to remain at a higher level of security shouldn't have to write their own software to do so.

There are very very few people in the world with that kind of motivation to hack an account. Most gold sellers work in cramped cubicles in 3rd world countries with on-the-job training. They want to hack as many accounts in a day as possible, but they are not going to do that if they are bending over backwards to hack an account with an authenticator.

Which is why they pay someone with expertise to write the software to do it for them. Then they can use the trained monkeys in the cube farm to carry out the attacks.

Zero day exploits are worth between $10,000 and $500,000 each on the open market. They are created by experts and then sold to people running botnets or other nefarious enterprises. The botnet operators are not themselves skilled, so they buy expertise just like any other business.

So you only need 1 person with the knowledge and drive to write the hack software I described. Let's say the odds that such a person exists are 0.001%. That means there's 70,000 of them on the planet. Do you think all 70,000 will not want to take money from gold farmers?

The problem with your arguments is that they are all conspiracy theories, that are yet unproven. And I'm willing to bet that the security experts that Blizzard pays big bucks to have already tried to break the system in every way they can conceive. If there was a real concern, they would have reversed the change by now.

The problem with your argument is your blind faith in Blizzard. They have released software with security flaws in the past. There's little reason to believe they have gained magical powers to only release bug-free software. Given that even this latest patch has a long list of hotfixes, the evidence does not support your bug-free faith.

Heck, their entire architecture for WoW has a security flaw at the core. The WoW client is trusted by the server for many things. That's why speed hacks exist, for example. But they chose to produce a game with this flaw because it reduces server load.

And spending big bucks does not result in secure software. Microsoft has spent hundreds of millions on their security experts to break Windows, yet every month they still have "Patch Tuesday". Adobe spends tons of money to secure Acrobat and Flash, yet they keep coming out with patches to the security holes they missed.

The difference in our positions is experience. I started where you are. I believed that these giants of computer software would not release software with security holes. Then I got involved in software and hardware security. Now I know just how horribly bad software and hardware security actually is.

Want an example? Well, attend the Black Hat conference this year. You know those "unlock and start your car from your phone" features automakers are advertising? Well, turns out you can hack that.
http://it.slashdot.org/story/11/07/28/1736229/War-Texting-Lets-Hackers-Unlock-Car-Doors-Via-SMS

Also, someone's giving a presentation on how to make laptops catch fire. As in, burn-your-house-down fire:
http://asia.cnet.com/crave/your-apple-macbooks-could-be-rigged-to-explode-62210095.htm

The article talks about Mac laptops, and his proof of concept apparently involves Mac laptops. But every laptop on the market uses "smart" batteries.
Edited by Texi on 7/28/2011 11:26 AM PDT
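Texi's post above describes deleting the registry key the client uses to suppress the authenticator prompt so that every login asks for the code again. The following PowerShell script is an added example that does the same thing after each session; it is not Texi's program and not Blizzard's code. The key path is the one named in the post; the client executable path is an assumption and must be adjusted to your install.

```powershell
# Added example (not from the thread or from Blizzard): start the WoW client,
# wait for it to exit, then delete the key that suppresses the authenticator
# prompt so the next login asks for the code again.
param(
    # Assumed location of the client; change to match your installation.
    [string]$WowExe = 'C:\Program Files (x86)\World of Warcraft\Wow.exe'
)

# Key named in Texi's post, written in PowerShell drive notation.
$KeyPath = 'HKCU:\Software\Blizzard Entertainment\Battle.net\Authenticator'

function Remove-AuthenticatorKey {
    # Deletes the suppression key if it exists; returns $true when something was removed.
    if (Test-Path -Path $KeyPath) {
        Remove-Item -Path $KeyPath -Recurse -Force
        Write-Host "Removed $KeyPath; the next login will prompt for the authenticator code."
        return $true
    }
    Write-Host "$KeyPath not present; nothing to remove."
    return $false
}

# Clear any stale key first, in case a previous session crashed before cleanup ran.
[void](Remove-AuthenticatorKey)

if (-not (Test-Path -Path $WowExe)) {
    Write-Error "Client not found at $WowExe (adjust the -WowExe parameter)."
    exit 1
}

try {
    # Launch the client and block until the process exits.
    $proc = Start-Process -FilePath $WowExe -PassThru
    $proc.WaitForExit()
}
finally {
    # Runs even if the script is interrupted with Ctrl+C, so the key never lingers.
    [void](Remove-AuthenticatorKey)
}
```

Run it from a shortcut in place of the normal client shortcut; if the installer placed the client elsewhere, pass `-WowExe` with the real path.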
100 Tauren Druid
15940
I've been paying for two accounts for over five years, both have separate mobile authenticators. The authenticator on the "second account" was lost when the phone was destroyed. Since I never changed the name on the second account I will never be able to access it again per Blizzard who then happily offered to cancel the paypal agreement on the account. I had all the information access to the email, the serial # from the game, paypal agreement #, access to the email account, the addresses on the accounts are the same. I could have put the name as Santa Claus setting up the other account. Why doesn't Blizzard make you verify your info is correct when you add the mobile authenticator? I realize this whole debacle could have been prevented if I had done things differently. I'm not renewing this account either. Just going to wait for the next rift sale and go over there. Blizzard won't miss my $30 bucks a month and they definitely don't care.


If you put a fake name on an account, then you are not the account holder. It is not Blizzard's fault you decided to try to fool the system. Unfortunately now it's coming back to bite you.

Haven't you heard people say: "I don't see your name on it?" when trying to claim something is yours. Same deal with a World of Warcraft account. How do they know you didn't simply buy the other account from someone else? You say that is your account but it doesn't have your actual name on it. Everything else you've mentioned can easily be changed. Address, email account, credit card etc etc, all that can easily be changed. The only thing you can't really change is the original name on the account.

So sorry, it's not Blizzard's fault. Sucks that you are now unable to access your account but according to the agreement you've filled out, it wasn't yours to begin with.
90 Human Warlock
9235
I was hacked a couple of times over a year ago. I got the authenticator and have not had any problems since. I think it is great to have one and haven't had any problems since the change.
63 Draenei Shaman
840
I can't log in to WoW; it says something about the authenticator having problems. Anyone know anything about it? Is this the right forum :P
90 Human Paladin
5530
Login server was down for a few. It's back up now. But it made me panic for a minute.
85 Draenei Paladin
8220
07/28/2011 08:28 AM Posted by Anshahak
Actually they have proved that it is possible to compromise an account, because if they couldn't, then they wouldn't have been able to.


No they did not prove that it was possible. They have unproven theories on how to hack an account through the authenticator. It'll be proven if it happens.

Do you lock the doors on your car? Why? It hasn't been stolen yet. Worrying about auto theft is paranoid. Statistically, your car will never be stolen. Even if it is stolen, your insurance will pay for it. Yet you still lock the doors.


Bad analogy. Cars are completely different. That's actual property. If you're going to be paranoid about virtual property in a video game that doesn't belong to you, then go for it. You're wasting your time though.

Edit: A closer comparison to that would probably be comparing the authenticator to something like a brake pedal lock.

The rest... tl;dr
Edited by Tiberias on 7/28/2011 3:56 PM PDT