About the Recent Authenticator Change

85 Human Hunter
2685
Oh good! I'm glad this got fixed! Thank you. I prefer to always use my authenticator. It makes me feel safe.
93 Troll Shaman
14350
Bad analogy. Cars are completely different. That's actual property. If you're going to be paranoid about virtual property in a video game that doesn't belong to you, then go for it. You're wasting your time though.
The rest... tl;dr

...wow. Just to check, are you implying that the reason you're not worried about possible security holes is because it is 'only' virtual property? Please tell me I interpreted that wrong.

07/28/2011 03:22 PM Posted by Tiberias
No they did not prove that it was possible. They have unproven theories on how to hack an account through the authenticator. It'll be proven if it happens.

Ahhh, so testing is completely worthless and the only results anyone needs to care about are real-world. Thanks, I never knew that! Oh wow, I guess that means that Blizzard should stop putting patches on the PTR! Since testing is worthless, why are they wasting their time with an impermanent realm where all they're doing is giving guilds a chance to practice their boss kills in advance? Wow! This is going to save Blizzard so much time and money!

And Macintosh can relax about that overheating battery hack! Why worry about it, no one's used it in the wild yet!

Forget about testing new drugs in a laboratory! You're only getting results from testing. Pharm companies need to go out and see what the real world results are from the get-go!

Do you see where I'm going with this? Just because 14 threads of test results haven't (yet) been used in the wild doesn't mean that they can or should be dismissed.


EDIT: Brb, getting dinner going. Apparently I'm crankier than I'd realized.
Edited by Shadowwind on 7/28/2011 3:54 PM PDT
85 Draenei Paladin
3325
07/28/2011 03:53 PM Posted by Shadowwind
Ahhh, so testing is completely worthless and the only results anyone needs to care about are real-world. Thanks, I never knew that!


No, your tests mean nothing because your motivation to run them is extremely biased. You want something to go a certain way, and you're putting every kind of spin on it to make it support your views. I'll leave the testing to the security experts that are hired to monitor the system and make it better. I don't trust "forum IT professionals" with that testing.

07/27/2011 04:21 PM Posted by Eilethalua
Over-generalizing can lead to all sorts of problems.


An example of putting your spin on things:

Bad analogy. Cars are completely different. That's actual property. If you're going to be paranoid about virtual property in a video game that doesn't belong to you, then go for it. You're wasting your time though. The rest... tl;dr...


wow. Just to check, are you implying that the reason you're not worried about possible security holes is because it is 'only' virtual property? Please tell me I interpreted that wrong.


No that's not the "only" reason I'm not worried about security holes. I'm not worried about them because I have not seen any reason to be. People with authenticators aren't getting hacked. I made that comment because it's silly to compare security concerns for real property to fake property, especially when that fake property belongs to Blizzard, not you. If you're going to be paranoid about something, then a car is understandable. Your tier 11 set is not.

Even if you did get hacked, Game Masters will restore your items very quickly, completely free of charge. It really amazes me how much people take a company like Blizzard for granted.
Edited by Tiberias on 7/28/2011 5:22 PM PDT
90 Human Paladin
5530
Posted by Wrathøfhell
I'm more curious as to why, almost what, two months after this feature was released, my authenticator STILL asks me for my code every single time I log in.



O.O Do you know how many people would kill to have that bug?! Wow. Out of curiosity, did you do any testing? Is it only that computer or any computer? Do you reset your modem a lot? Possibly your IP address changes so often that the system keeps prompting you. What about your Windows Registry? Perhaps the file that queues a prompt/not prompt got set to 'read only' or is being outright deleted by something? Is your computer 'frozen'? Aka: has a program that on shutdown reverts any changes made during the previous session.


This is where I stopped reading this inane, yet, somehow enthralling thread while I was at work.

So, thank you. For being clearly obsessed and overly concerned with this issue because once I read this response I knew it was 'time to go'.

I'm sorry, but seriously you sound like a hungry kitten with milk up on the counter in this post.

"MEOWMG!! MILK! MILK?? MILK?? MILK?? MEOWMG! MILKK? MIIIILLK*??"

It's not meant as a dig on you, but... from your tone and desperation I'd think you were trapped on a desert island with only a volleyball for company and your imaginary friend just said there's food just over that hill. Delicious, greasy, cheesy food the likes you haven't had in 2.7 years of being marooned.

Yeah that's right. 2.8. I get specific on this S*$&, I play to win.

*:Edit: reduced the final 'milllllk' to 1 k, as the forums don't like 3k's in succession. Amusing.


What?
93 Troll Shaman
14350
@Sinoran /salute! If I helped you out, even by accident, then you're welcome! (Btw, I loled. I have a cat, and you are spot on with that impression! Much as I don't like to admit it, you're probably spot on with your impression of me, too.) :-)

A friend once described my habit of asking questions like those as 'inquisitive'. He was being polite at the time. 'Eff-ing annoying' is how someone else has described it.
I like to know how things work. I like to know even more why something is happening when it is NOT supposed to do whatever-it's-currently-doing. Wrath's authenticator (speaking of which, did you ever do any testing/speak to a Tech Support rep, Wrath?) is continuing to work the way it did a month ago, and I rather want to know what is triggering that behavior. Hence the questions, listing off some possible reasons that his auth might be triggering all of the time. If it was one of those then mystery solved, and if it's bugging him then he now knows what and how to fix. If it was NOT one of those, then it's something new and interesting to add to the list.

Good night all! MEOW! =^..^=
85 Dwarf Hunter
2855
To those of you defending the new system:

I believe that you would get your point(s) across much better if you actually provided some form of evidence. During the 14 threads, many people did their own tests on various aspects of how the system worked and then posted the results. 'I attempted to do X and succeeded. I also attempted to do Y, but it didn't work. Based off of X and Y, I believe that the system looks at Z, but NOT W.' We also had people do searches and provide links to websites or posts providing support for their point(s). One thing these people tended to have in common was that they were opposed to the change for one reason or another. Oddly enough, most (though not all) of the people supporting the change made no effort to test the system to see if it actually performed as they claimed it did. They also made statements and for the most part made no effort to provide supporting links. It was not for a lack of opportunity. I, personally, made several posts that included compiled test results and specifically asked for others to do and post their own testing. So far as I can tell, no one took me up on it.

TL:DR If you would like to have a better chance to convert people to your way of thinking, I respectfully request that you provide evidence supporting your platform. Test results would be ideal, though even providing links to supporting forum evidence would go a long way to establishing credibility to your side. Thank you, and have a pleasant evening!

My evidence is the customer service forum...

Go take a look and tell me how many 'I got hacked and had an authenticator' or 'new system caused me to get hacked' threads you see.

Oh wait, you won't see any... because no one has been hacked yet as a result of this system.

Honestly, the only reason I am happy that Blizzard is installing an opt-out is because it will shut you idiots up who somehow believe that not being prompted for a code removes the authenticator as an additional layer of security.
Edited by Dermach on 7/28/2011 8:19 PM PDT
85 Gnome Mage
2295
Why not add a list that we can add/remove computers to, the list of computers to not require the authenticator, and the option to opt out completely?
62 Blood Elf Hunter
480
[quote="29128891340"][quote]
told her to enter my UN & PW(1factor), it did NOT ask for factor 2(the fob key) despite the fact I gave her the computer back in June

so obviously, either

1) it doesn't follow what you say should be true so I am lying
or
2) I am telling the truth, you are trolling everyone who posts that you don't agree with on this, and it is BUGGED

I vote option 2


YOU gave away your Username and Password, which everyone everywhere will always and forever tell you is the best way to compromise account security.
That's nothing to do with authenticator effectiveness, that's you opening your account up to people who aren't you (so therefore unauthorised).
90 Human Paladin
5530
[quote]
[quote]
told her to enter my UN & PW(1factor), it did NOT ask for factor 2(the fob key) despite the fact I gave her the computer back in June

so obviously, either

1) it doesn't follow what you say should be true so I am lying
or
2) I am telling the truth, you are trolling everyone who posts that you don't agree with on this, and it is BUGGED

I vote option 2


YOU gave away your Username and Password, which everyone everywhere will always and forever tell you is the best way to compromise account security.
That's nothing to do with authenticator effectiveness, that's you opening your account up to people who aren't you (so therefore unauthorised).


That was a test, not an actual compromise.

No one would knowingly give their info to a hacker. But if a hacker could get it, whether through phishing (shouldn't be clicking links, people) or keylogger or remote access software, then this would be the outcome.

The Authenticator is the second wall of defense. Being prompted for the device the hacker doesn't physically possess to generate the random code prevents them from logging in. NOT BEING PROMPTED allows them in immediately without the need to generate that code (provided they can in one form or another fool the server into thinking they are "safe").
90 Human Death Knight
8780
We understand the concern many players have with the recent Battle.net authenticator changes. To that end, we’re exploring the idea of adding an “Opt Out” option within Battle.net Account Management, which would then force the prompt for an authenticator code whenever you log into World of Warcraft.

To be clear, we have gone to great lengths to ensure Battle.net accounts and authenticators provide players with a high level of security. Maintaining a safe and secure Blizzard gameplay environment remains a top priority for us.


Finally, this is awesome! How long until it's gonna be given the opt out function? I am highly excited to get my account safer again /digs authenticator out of trash can
85 Draenei Paladin
5770
Sigh, you're still all talking hog trosh. I haven't been hacked under the new system.


Asking the question again. Why would Blizzard intentionally go and compromise account security? Seriously. Enough of the whinging. Your authenticator hasn't got up and said, 'Seeya, I am leaving your account open to attack.'

You want to quit WoW because of a small change, go right ahead. Goodbye and good luck in any other MMORPG.
Edited by Glorcinda on 7/28/2011 11:50 PM PDT
85 Night Elf Druid
0

Do you live and/or share internet access with gold sellers or anyone that wants to do harm to your account? No? Ok then. Authenticators were never designed for "roommate" lock outs or any other such nonsense. That is what a secure password is for. The authenticator is meant to protect your account from those NOT in your home and NOT on your router from accessing your account. Period. The sooner people realize this the sooner the whining over this bs stops.


This is a fallacy. Authenticators were designed for the sole purpose of making sure you are the only person to log into your account, and were meant to carry out that purpose no matter where the threat is coming from. While you might be fine with relying on your password alone to protect your account, I am not. The authenticator was designed to be the last line of defense against an intruder, after the username and password, and I'd like it to remain a solid line, not a dashed line.

Analogies aside, the authenticator is no more vulnerable now than it was, as it still requires a man-in-the-middle approach to breach. If an opt-out feature is implemented, I probably will not sign up for it, but I would definitely be upset if one were not implemented.


The Authenticator is the second wall of defense. Being prompted for the device the hacker doesn't physically possess to generate the random code prevents them from logging in. NOT BEING PROMPTED allows them in immediately without the need to generate that code (provided they can in one form or another fool the server into thinking they are "safe").


Previously, getting past the authenticator required a man-in-the-middle approach, far more complicated than a simple keylogger or trojan, and much more time-sensitive.

The new system still requires a man-in-the-middle approach. Fabricating the registry key to convince the server you are logging in from home is just an extra step in the process, and wouldn't make bypassing the authenticator any easier. Like I said, it's an extra, unnecessary step.

In short, if a hacker wants to bypass your authenticator, their method of choice has not changed. Your account security has not been compromised in any way by this change, unless the intruder gets direct, hands-on access to your home computer.

Ahhh, so testing is completely worthless and the only results anyone needs to care about are real-world. Thanks, I never knew that! Oh wow, I guess that means that Blizzard should stop putting patches on the PTR! Since testing is worthless, why are they wasting their time with an impermanent realm where all they're doing is giving guilds a chance to practice their boss kills in advance? Wow! This is going to save Blizzard so much time and money!


1.... 2...... 3... 4..........5 ..6 ......

Oh, sorry. Counting the number of unfounded conclusions you jumped to.
__________________________________________________________________

A lot of you are worried, saying it's better to prevent the attack before it happens, last line of defense, mean siblings/roommates, et cetera, et cetera...

But what are the odds your account is going to be hacked?

The odds your car will get stolen are influenced by a great number of factors (neighborhood you live in, value of the car, et cetera, et cetera), and every car is worth something.

Your epics are BoP with no sell price; JP, VP, honor and conquest can't be dropped (and if they spend it, congratz on the new epics). In the end, all that's left on your account is your gold.

I've been hacked, and my guess is they had the account for several days. Upon retrieving the account (which took no more than 45 minutes), I discovered the only change that had been made was to my low level rogue's talent spec. No items missing, characters deleted, no gold was on the account to be stolen anyways.

With no gold on my account, all a hacker can really use my account for is to take a resto druid for a spin in some heroics. If they want to do that for the 4 hours they'll have the account, more power to them. I have nothing on my account for them to steal, and I find it hard to believe anyone else has much to steal either. (If you're loaded with gold, you can't possibly have a use for all of it, so surely losing it wouldn't be the end of the world)
Edited by Anarri on 7/29/2011 1:07 AM PDT
85 Draenei Paladin
5770
Opt out or not you WILL get hacked if someone around you wants to access your account. Again this is where personal accountability comes into play and whether you have an authenticator or not you are STILL obligated to keep your computer and various accounts secure to the best of your ability. The only way this change will allow anyone around you to hack your account is if you literally hand them your user name and password and you all damn well know it.


Second that.

Even if you had the opt out option you can still be hacked by said determined individual, and like I have said on my death knight in the past, I do not see this as an issue for myself (others might, that's your problem).
85 Undead Warrior
8140
07/28/2011 03:22 PM Posted by Tiberias
No they did not prove that it was possible. They have unproven theories on how to hack an account through the authenticator. It'll be proven if it happens.

Yes they did. Try actually reading the 13 threads in the tech services forum.

edit: Also look up the definition of bias.
Edited by Anshahak on 7/29/2011 5:56 AM PDT
