And worrying about attacks that aren't happening is paranoid. You've got an idea of how someone could hack an account with remote access, but it hasn't happened yet.
Do you lock the doors on your car? Why? It hasn't been stolen yet. Worrying about auto theft is paranoid. Statistically, your car will never be stolen. Even if it is stolen, your insurance will pay for it. Yet you still lock the doors.
Waiting until after the attack is dumb, because you are being damaged by the attack. It's much, much smarter to avoid the attack in the first place.
It's not so much security through obscurity. They already told you how it works; they just didn't give you that many details.
Let me summarize your statement: "They told you how it works. They just didn't tell you how it works".
Not giving all the details _IS_ security by obscurity.
Besides, the authenticator system is a FREE service. You can get it for free if you happen to have a compatible mobile device. But if you don't have such a device, Blizzard offers a physical medium on which you can get the authenticator for a measly $6.50. So drop the "I paid for it, so I'm entitled to..." train of thought.
I never complained about paying for anything. I said that this change makes the authenticator accounts less secure.
In fact I'm actually protected from this change because I know the registry key WoW uses to suppress showing the authenticator prompt. It's HKCU\Software\Blizzard Entertainment\Battle.net\Authenticator. I wrote a program to delete that key after every WoW session.
But the fact that I've got a work-around to fix what Blizzard broke doesn't make this change a good idea. There's a relatively small number of players who can delete a key out of the registry conveniently. Blizzard decided to reduce all of our security without asking, and a small number of us can claw our way back to how it should work.
Not making this an opt-in for people who hated typing the numbers was a monumentally dumb move. _THAT_ is my complaint. The lazy can go ahead and disable prompt-every-login and increase their risk. Those who want to remain at a higher level of security shouldn't have to write their own software to do so.
There are very, very few people in the world with that kind of motivation to hack an account. Most gold sellers work in cramped cubicles in third-world countries with on-the-job training. They want to hack as many accounts in a day as possible, but they are not going to do that if they are bending over backwards to hack an account with an authenticator.
Which is why they pay someone with expertise to write the software to do it for them. Then they can use the trained monkeys in the cube farm to carry out the attacks.
Zero day exploits are worth between $10,000 and $500,000 each on the open market. They are created by experts and then sold to people running botnets or other nefarious enterprises. The botnet operators are not themselves skilled, so they buy expertise just like any other business.
So you only need one person with the knowledge and drive to write the hack software I described. Let's say the odds that such a person exists are 0.001%. That means there are 70,000 of them on the planet. Do you think all 70,000 will not want to take money from gold farmers?
The problem with your arguments is that they are all conspiracy theories that are as yet unproven. And I'm willing to bet that the security experts Blizzard pays big bucks to have already tried to break the system in every way they can conceive. If there was a real concern, they would have reversed the change by now.
The problem with your argument is your blind faith in Blizzard. They have released software with security flaws in the past. There's little reason to believe they have gained magical powers to only release bug-free software. Given that even this latest patch has a long list of hotfixes, the evidence does not support your bug-free faith.
Heck, their entire architecture for WoW has a security flaw at the core. The WoW client is trusted by the server for many things. That's why speed hacks exist, for example. But they chose to produce a game with this flaw because it reduces server load.
And spending big bucks does not result in secure software. Microsoft has spent hundreds of millions on their security experts to break Windows, yet every month they still have "Patch Tuesday". Adobe spends tons of money to secure Acrobat and Flash, yet they keep coming out with patches to the security holes they missed.
The difference in our positions is experience. I started where you are. I believed that these giants of computer software would not release software with security holes. Then I got involved in software and hardware security. Now I know just how horribly bad software and hardware security actually is.
Want an example? Well, attend the Black Hat conference this year. You know those "unlock and start your car from your phone" features automakers are advertising? Well, turns out you can hack that.
Also, someone's giving a presentation on how to make laptops catch fire. As in, burn-your-house-down fire:
The article talks about Mac laptops, and his proof of concept apparently involves Mac laptops. But every laptop on the market uses "smart" batteries.
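The registry-key work-around mentioned earlier in this reply (deleting the key WoW uses to suppress the authenticator prompt, so the prompt comes back on every login) can be done with a short PowerShell script. This is an added example, not the poster's own program; it uses the key path given in the post and assumes the game client runs as a process named "Wow" (Wow.exe), which is an assumption to adjust if the client is named differently.

```powershell
# Added example: restore the per-login authenticator prompt by deleting the
# suppression key after the WoW session ends. Not the poster's own program.
# Assumptions: key path as named in the post; game process is "Wow" (Wow.exe).
$KeyPath     = 'HKCU:\Software\Blizzard Entertainment\Battle.net\Authenticator'
$ProcessName = 'Wow'   # assumed process name of the game client

function Remove-AuthenticatorSuppressionKey {
    param([string]$Path)

    if (Test-Path -Path $Path) {
        # Remove the key and any subkeys/values under it.
        Remove-Item -Path $Path -Recurse -Force
    }

    # Return $true only if the key is really gone, so a caller can verify
    # that the next login will prompt for the authenticator code.
    return -not (Test-Path -Path $Path)
}

# Wait for a running game session to finish before touching the key, so the
# client does not simply recreate it while still open. Polls every 10 seconds.
while (Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
    Start-Sleep -Seconds 10
}

if (Remove-AuthenticatorSuppressionKey -Path $KeyPath) {
    Write-Output "Suppression key absent; authenticator prompt will appear on next login."
} else {
    Write-Warning "Could not remove $KeyPath; check permissions and try again."
}
```

Run it after launching the game (or from a wrapper that starts the client first); it blocks until the client exits, removes the key, and confirms the removal by re-checking the path rather than trusting the delete call alone.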