About the Recent Authenticator Change

90 Blood Elf Hunter
15265
This system will in NO WAY affect your account's security from outside sources.

*Please note that man in the middle will not work either, no code means no code to steal*

They try to make it easier for you to log in after D/Cing, and you complain.

w...t...f


This change does nothing to stop the MitM attack.

A “Man in the Middle Attack” is a Trojan that works by blocking your access to the real login server and redirecting you to a spoof login screen/site. They then harvest all of your login information, in real time, including your one-time-use Authenticator code. The hackers then very quickly use this info to access your in-game account before the Authenticator code expires.

Now if we never have to use our authenticator again from our "Trusted" Computer, then maybe it would protect us from the MitM. However, even with this new system we still have to use our authenticators: at least once per week; if we enter the wrong password too many times; and if there is a wide change in our IP, for any reason.

If we get prompted for our authenticator, we have no way of knowing whether it is Blizzard doing it or a hacker with the MitM. Are we supposed to assume, each time we are prompted for our authenticator, that it is a MitM attack? If so, what are we supposed to do then? Wipe our computers, call Blizzard, run around like chickens with our heads cut off? Only for it to turn out to be a periodic check by Blizzard.

In fact this change really weakens your protection from the MitM. Before, they only had one-time limited access to your account. Now the new system adds their computer/location to your "Trusted" list. Therefore they can keep accessing your account as many times as they want without being required to re-authenticate.

The MitM Trojan is no simple keylogger that you can pick up from a day one Flash exploit. It requires YOU to install a very large executable file to work. "Man In the Middle" attacks were very, very rare. I have been following the CSF almost every day for over 3 years now, and as far as I know there hasn't been a confirmed case of one in well over almost 2 years. In fact there has only been a very small handful of confirmed cases at all. They require a very big hole in your internet security, and very good timing on the hacker's part.

The main things the handful of players that had their accounts hacked had in common were: they all went to fake/spoof wowmatrix, curse, and other spoofed addon sites, and downloaded the spoof site's auto addon updater; they hadn't updated their Windows firewalls, and/or were running a bootleg copy of Windows. So if you are careful about the sites you visit, and keep your computer security updated, including your firewall, there is a low risk that this happens to you.

Frankly, if my security habits are so bad and sloppy that I get hit with a MitM attack, I deserve to be hacked and never get my account back. In fact, having my Blizzard account hacked in this manner would be a blessing; it would let me know how much my other stuff is at risk, and to contact my bank and everyone I pay online and change all of my accounts.

One more thing about the MitM attack. Back in October of last year, Blizzard instituted a new security protocol where, if the system senses a change in our access patterns, it will lock you out of your account until you reset your password. This "Change in Access Pattern" lockout will happen regardless of whether you have an authenticator or not.

It is this change that helps protect you from, or at least slows down the MitM attack, and not the new change to the authenticator system. A lot of people have confused, or do not understand, the 2 different changes, as being one and the same. They are not! They are 2 totally different systems, and occurred several months apart.

Lastly: The "Change in Access Pattern" lockout system does not protect against a Hacker that uses a spoof IP that is in one of your IP's range. That is why it is wise to have an Authenticator too. However if the Hacker is using a MitM attack, as well as a Spoof IP, they got you.
Edited by Ewing on 7/24/2011 5:53 PM PDT
Reply Quote
90 Troll Shaman
3520
07/24/2011 04:29 PM Posted by Tiberias
Jeez you guys are really desperate for attention aren't you? Pathetic.

Pot vs. Kettle or what?

07/24/2011 04:29 PM Posted by Tiberias
If you take a step back and look, you'll see that 50% of the discussion in those 13 threads have been generated by the same 15 individuals that have been crying since day one. Also, despite how bad you think the authenticator security is, people with authenticators still aren't getting hacked a month after the fact.

Well, to test this theory I opened the second thread and counted how many unique individuals requested an opt-out in the first three of the twenty-six pages.
I see 36. I also see four individuals saying they like the change and two expressing surprise at the stealth introduction but offering no opinion about the change itself.

I believe this is typical of the first few thousand posts on the subject.

Obviously only a handful of people are continuing to post in those threads, as few new facts are going to come to light at this late stage if Activision Blizzard choose not to offer any information; the topic has degraded into more of a discussion of the lack of communication than anything.

07/24/2011 04:29 PM Posted by Tiberias
So you reached out to another forum to see opinions from other players, and you've been greeted almost exclusively by people who are telling you that this is a non-issue, but you're not listening. That should be a glaring indication that the rest of the WoW community either finds it logical that if people aren't complaining about getting hacked with authenticators, then the authenticators are probably working fine. Either that, they can care less. No but instead, you go back to your cherished "13th thread" and call everyone here "trolls, blizz alts and fanbois" and then go on grumbling to yourselves.

I have never used the terms "trolls, blizz alts” or “fanbois" in any thread in any forum.

07/24/2011 04:29 PM Posted by Tiberias
It's about time that you wake up and realize that no one else really cares about this anymore except for you. I've reported this thread as trolling, because that's all it really is at this point.

You use an odd definition of trolling, but if you believe the OP is a troll post by all means report it and the moderators will decide.
Reply Quote
90 Troll Shaman
3520
This system will in NO WAY affect your account's security from outside sources.

Leaving my front door unlocked will in NO WAY affect the security of my back entrance.

If attacks from outside sources accounted for 100% of the disruption of my gaming environment I would perhaps see your point.

Although some players believe that security is degraded overall I don’t have sufficient information to come to any conclusion about that one way or the other; but I do know without a doubt that accounts in shared computing environments are now less secure from disruption.

07/24/2011 05:35 PM Posted by Pamarack
*Please note that man in the middle will not work either, no code means no code to steal*

Sorry, not only can a Trojan sleep until the code is entered, as it must be at some time, but it is trivial to force an authentication.

07/24/2011 05:35 PM Posted by Pamarack
w...t...f

The use of masked profanity is a violation of the forum CoC.
Reply Quote
07/24/2011 11:14 AM Posted by Æza
Blizzard is not obligated in any way to you.


I disagree. True, they have no obligation to comply with my demands, regardless of merit. However, they do have an obligation to reply to customer concerns. Thirteen separate threads at max cap, constitutes some sizable concerns. Any corporation that ignores its customers so completely, does so at its peril.

Personally, I think the new system is operating just fine. Security holes that we may not have known about have been closed. Those that remain, seem an extremely unlikely avenue of attack. I believe that the overall odds of getting hacked have been reduced, as long as you take basic precautions with your computer security. The risks can never be eliminated, only reduced.

However, those that have concerns, deserve a response. I am not a programmer and I don't work for Blizzard, so I can't say if their concerns are valid or vapor. Only Blizzard can give them the reassurances they seek. If they still choose to believe in the electronic bogeyman, after being shown that the closet is empty & that there is nothing under the bed, only then can it be accurately stated:

Chill bro, you're damaging my calm.

At that point, Blizzard has upheld their obligation to address our concerns and can ignore this issue with a clean conscience.
Reply Quote
85 Gnome Warlock
7950
It has been a while since the change.

I have not been hacked.

I have not seen any increase in the number of people complaining they have been hacked.

After a few weeks, the frequency of these posts has gone down as people realized they weren't getting hacked.

Only a few stubborn individuals hang on and worry this bone to death.

I think the non-answer is the best answer.
Reply Quote
07/24/2011 07:18 PM Posted by Morley
I think the non-answer is the best answer.


The problem is, the issue was never addressed in the first place. I haven't been hacked either, but I'm not in a shared computer environment. I have my own computer, that only I use. I try to use good computer security procedures. Not everyone is in the same situation as myself, and everybody makes a mistake sometime. That is what the authenticator is there for. To help protect you against mistakes.

If the new system is as secure as Blizzard says it is, then there shouldn't be a problem saying so. At which point, a sizable majority of the posts in this thread become irrelevant, and we can let the issue die of natural causes. Continued silence on Blizzard's part, at this point, creates a perception that:

A. They don't care what their customers think.

or,

B. There actually is a problem.

Unfortunately, they've waited far too long to speak up. Even if they said something today, it would only fan the flames. People would start new threads complaining about how long it took to respond. Inevitably, someone would post about how Blizz wants us to get hacked, or that they are covering something up, et cetera. At which point, the whole conversation falls apart.

It's a shame, really. I think the people who are concerned, deserve a response. Unfortunately, they deserved it about 12-13 threads ago.

-_-
Reply Quote
90 Troll Shaman
13650
This isn't the first time they've ignored a huge gaping security breach. Remember the RealID fiasco? It took the general media getting involved (and a CM attempting to prove it was safe and getting shown how badly it WASN'T) before Bliz backed down. Sadly, we've not been able to get either on this particular issue. Point is, Blizzard has been shown to have a track record of overlooking the obvious on safety.
Reply Quote
90 Human Paladin
5530

BTW pumpkin, I was referring to the op who was telling us he cancelled his account but it only ends in four days, so he has to DEAL WITH IT - meaning the logging in without inputting his code. I just simply said if he had really cancelled his account with the intent to truly stay away he wouldn't have to deal with anything. Why does it matter if you cancel today but sub ends in 4 days? Can't you just cancel today and never look back regardless of those 4 days?

We will see the op again soon.


Perhaps, and perhaps not. If it were me, I would not be back. This is coming from someone who had devoted years to previous mmo's and was more than able to "move on".
Reply Quote
88 Night Elf Druid
6065
I don't mind the change, but i understand why some hate it.

Blizz should be polite and give people a reply.
Reply Quote
85 Draenei Paladin
3325
Or:

C: They've already given an answer, but a few stubborn individuals aren't satisfied with the answer they got.

Blizzard already said at the beginning that the authenticator still offers the same level of security that it always has. Whether some want to believe that or not, it doesn't really matter. That's the answer they've given, and so far, there hasn't really been a reason to give anything more. If you're hoping that they'll reveal the details on how the authenticator's fingerprinting process works to put people's minds at ease, well I hope you're not holding your breath.

Logic says that if people aren't complaining about getting hacked with authenticators, then it's not happening. The people that are still complaining so adamantly are scared witless by their own perceptions and are quick to put full stock into anything that supports their worldview.

The threads in the tech forums have gotten as long as they have because the same 15-20 posters (such as Anii, Gallante, Tomten, etc..) have been bumping it desperately for the past 3 or 4 threads. The darn thing falls to the 3rd or 4th page before they bump it again. If you took those people out of the equation, this issue would already be dead like it should have been half a month ago.
Edited by Tiberias on 7/24/2011 8:28 PM PDT
Reply Quote
Why in the world would you quit over the authenticator change? That makes no sense.
Reply Quote
85 Night Elf Mage
3160
07/24/2011 11:33 AM Posted by Sarovar
This isn't even a big deal, mostly paranoid people upset. Your account is still secure, the chance of you getting 'hacked' hasn't skyrocketed. You'll be fine as long as you don't do dumb things like go to bad sites or open suspicious emails.


People paid for the service. No that service is rendered useless.

This is because even without an authenticator if I log into WoW on my girlfriend's computer my account is immediately locked. So, tell me, is my account as safe as if I had an authenticator now? I sure think so and I feel no need to buy one because of the change to their login security policy.
Reply Quote
85 Gnome Warlock
7950
The answer was addressed. In their silence I think Blizzard spoke volumes.

The sky didn't fall. Armageddon is a no-show. The fat lady hasn't sung.

There has been ample time for people to have posted on the various forums saying they got hacked because of this change...and it hasn't happened.

I doubt we will see it either. Every last complaint is filled with supposition on how the system works when, in fact, only Blizzard knows how it works.

In truth, Blizzard as a company has been extremely vigilant in account protection and I have no doubts that they would never let a system go live that would reduce that protection. All of the negatives are hearsay rants without one bit of proof that the system is weaker than before.

All said, the proof is in the fact that after a month or so there has been no rampant outbreak of hacked accounts.
Reply Quote
85 Draenei Paladin
3325
07/24/2011 08:33 PM Posted by Manwê
No that service is rendered useless.


The authenticator is useless? lol, ya right. Keep telling yourself that.
Edited by Tiberias on 7/24/2011 8:43 PM PDT
Reply Quote
90 Human Paladin
5530
Not completely useless. It still prompts once a week if you're lucky.
Reply Quote
85 Blood Elf Death Knight
6080
Are you really such a mindless flock of sheep that u need blizzard to actually come to you and say "Hey we hear ur request and we're working on it." Seems to me you don't even think to consider the vast majority of players who post on the forums to hear directly from the blues. If you made the post 13 times and it was capped, i am positive that blizzard saw it, they don't need to reply to EVERY SINGLE POST ON THE FORUMS. If there's a problem blizz will fix it, it's pretty much a given considering their past...

Stop trying to act like your problems are more important than EVERYONE else's problems. Simple fact is if u buy an authenticator your account will be FINE. I got hacked all the time because i went to bad websites. i got the authenticator and have yet to get hacked, and u wanna know when the hacking and suspicious character creations stopped? right when i installed my authenticator. i can still tell i get hacking attempts when i have the authenticator pop up 2 or 3 times a week...
Reply Quote
90 Troll Shaman
13650

I doubt we will see it either. Every last complaint is filled with supposition on how the system works when, in fact, only Blizzard knows how it works.


Supposition? Not for the most part. We've been using the scientific method off in our lonely little threads. There was and still is quite a bit of testing, and between the bunch of us, we've come up with quite a bit of data on how it works.
Can an account be accessed via Remote Access without triggering an auth prompt? It can, multiple people have tried it and succeeded.
Can a virtual computer setup be used to spoof your hardware setup and use the hash codes in order to spoof your computer? Apparently it can, according to testing only a few days ago.
What triggers an authenticator prompt in the first place? A hash code placed in your computer's registry (or another point for Mac/Linux users). Remove the code and you're prompted again ON THAT COMPUTER. No others. This one has been tested by many, MANY people via the addon.

We don't have the complete details, no. But we DO have enough data accumulated over the past month that we can safely say that we know generally how it works. And the results we've gotten are what has been bothering us.


In truth, Blizzard as a company has been extremely vigilant in account protection and I have no doubts that they would never let a system go live that would reduce that protection. All of the negatives are hearsay rants without one bit of proof that the system is weaker than before.


*coughRealIDOnTheForumscough* And don't forget that the authenticator USED to protect against domestic attacks. It no longer does so. Even IF it can be proved that the Chinese are protected against, the new system is weaker simply because it no longer protects against the domestic angle.
Reply Quote
