About the Recent Authenticator Change

85 Dwarf Warrior
13030
You have 13 pages of threads, and over half the posts are yours.

My 2c - I haven't seen a single Authenticator compromised since the change; I saw several with the old system. Granted, this is only anecdotal evidence. I'm sure Blizzard has the hard #'s on how many accounts are compromised, when they were, how they were, if they had an Auth linked, etc... I almost guarantee there's someone internally whose sole job is to monitor security statistics.
Edited by Asane on 7/24/2011 9:12 PM PDT
Reply Quote
85 Draenei Paladin
3325
07/24/2011 09:01 PM Posted by Shadowwind
*cough*RealIDOnTheForums*cough*


Stop using the RealID thing as an argument for your case. If anything it should tell you that there isn't an issue. With the RealID situation there were legitimate concerns. Blizzard realized this and reversed it within a week after it going live. Blizzard is willing to admit to a mistake when they make one.

Now you compare it to this, where the authenticator system - for all we know - is working as intended, and there has not been an increase in account compromises. The fact that Blizzard didn't come out and say "Sorry, we screwed up. We're changing it back now" then reverse it after a week let alone a month, should indicate that they are confident in the system and that it is working.
Edited by Tiberias on 7/24/2011 9:21 PM PDT
Reply Quote
90 Troll Shaman
13750
My point is that Blizzard has a proven record of not thinking of security issues ahead of time. RealID they did acknowledge and reverse. This they haven't, nor have they with the 'email addresses for logins' change back in Wrath, which was also a backwards step with security. Let me also point out that there is an opt-out for RealID if you look under Parental Controls. As of Friday, there is no checkbox for opting out of this. Let me also point out that while there doesn't appear to have been an INcrease in compromises (much to my surprise, I'll admit), there has not been a DEcrease, either. Which says right there that this new system isn't 'all that'. This new system has been in place for seven months, six of those working alongside the authenticator. What was wrong with leaving it at that?

I'll leave you with a thought from Crom, from thread #5. "TLDR - If I didn't WANT the extra security, I would not have BOUGHT the AUTHENTICATOR from you."
Reply Quote
100 Blood Elf Hunter
15605
07/24/2011 08:26 PM Posted by Tiberias
If you're hoping that they'll reveal the details on how the authenticators fingerprinting process works to put people's minds at ease, well I hope you're not holding your breath.


We don't need the exact technical details on how it works. However, we do need enough information to know when and where we should get prompted for our Authenticators. We need to know this so that, when we notice something odd, we can tell if it is working as intended or if it is a bug/glitch. If it is a bug/glitch, do we report it in the Bug Report forum, where everyone can read it, or do we need to send a private report, and to whom?

Are all of the computers and IPs we ever logged in from now trusted, and does using our authenticator at one unlock them all? Or is only the last PC and IP the one currently trusted?

Several players have tested this system, and it appears that in many cases computers/locations/IPs that they have logged in from in the recent past (weeks, even months ago) have been saved as "Trusted." They have signed in and authenticated from just one location, and have not been prompted from any one of the others until their next weekly/random prompt.

It is one thing to announce: From this day forward any computer/location/IP you ever log in from, using your authenticator, will be saved as safe and you will never have to use your authenticator from it or there again. It is another thing for it to be retroactively applied to any computer/IP you accessed your account from before the announcement. Just how far back do the approved access sites go? One week, two weeks, 6 months?

Many players are not in ideal living situations. They have to share computers or use public or semi-public computers. They have untrustworthy roommates, bunk-mates, and/or household members. These are people who are college students or military personnel, or who still live with mischievous siblings or spiteful wives/girlfriends. Some are players who for some reason or other currently don't own their own computer and must play at an internet cafe. Many of these players were actively sold the Authenticators by Blizzard personnel, as insurance in case someone is able to get hold of their login information, regardless of whether it is a gold farmer in China or a household member. These players did the responsible thing by adding one for the added layer of security.

These players need some other way to help secure their accounts. It doesn't matter how secure your password is; if someone knows you well enough, they can guess the SQ&A to not only your WoW account, but to your email account as well.

Also, this change weakens the protection for guild banks that require an Authenticator for ranks with bank access. If someone is able to gain access to a guild officer's computer and account information, they can strip the guild bank as well as his individual account.

Because the compromise is from his computer, it is doubtful that Blizzard will restore the Guild Bank. Or, if they do a restoration, it would be on the basis of a Guild Bank Theft, in which case the guild member in question could get his account suspended, or even banned.

Also, if he is one of the guild's key members (like the only raid-ready tank), the GL might be very reluctant to report it, as the player may get suspended and/or gear stripped, leaving him and the guild unable to raid. In either case the guild will most likely have to eat the loss. Guild leaders need a tool to let them know if a player has opted in or out of this. While the player may have a trusted computer/location, the guild leader shouldn't have to trust it too.

Guilds can no longer trust that requiring Authenticators for GBank access will protect them from "Domestic" Hacks (little brother). In fact, dishonest members now have an "Excuse/Way out" for robbing the GBank, by blaming it on a "Domestic Hack" when confronted by the Guild Leadership.
Edited by Ewing on 7/25/2011 2:16 AM PDT
Reply Quote
85 Dwarf Warrior
13030
So, I had to use my Authenticator, and change my password twice while logging in at a friend's house just 1 zip code away, I feel safer now than I did before.
Reply Quote
100 Blood Elf Hunter
15605
Are all of the computers and IPs we ever logged in from now trusted, and does using our authenticator at one unlock them all? Or is only the last PC and IP the one currently trusted?


You know, this is the sort of thing that's incredibly easy to test for yourself. I did.


Yes it is. However, for some people that tested it, it has worked one way, but for others who also tested it, it worked differently. That is why we need to know what is and what is not a bug.
Edited by Ewing on 7/25/2011 2:51 AM PDT
Reply Quote
07/24/2011 10:06 PM Posted by Shadowwind
I'll leave you with a thought from Crom, from thread #5. "TLDR - If I didn't WANT the extra security, I would not have BOUGHT the AUTHENTICATOR from you."


Yeah, I still want to enter it every time. New system or not. Why can't we have both? Like security questions or something? Authenticator every time we log in, and if we change IPs or location, or whatever it tracks, prompt us for answers or a secondary password or something.
Reply Quote
90 Troll Shaman
13750
hmm, still not deleted
still not forum banned


Still ignored. ;-P

Hey guys? I have a challenge for you. Try taking the evidence and scenarios we've presented and test one for yourself. Then come back and report what happened.
Log into a computer that you are about to throw away (and have never logged into from before), get prompted for your authenticator, and then log back out. Put the computer aside for a day. Come back tomorrow and see if it still asks you for an authenticator. A public computer would be a better test, but I don't recommend actually using one for obvious security reasons. I suppose if you are absolutely positive that the new system works, you could, but I still don't recommend it.
Download one of the legal keyloggers and put it onto your computer, or use a hardware keylogger if you happen to have one laying around. After logging into your computer/WoW, log back out, get the data from the keylogger, and use it to log back in. This is simulating a domestic compromise.
Set up Remote Access on your computer. Go to another computer and remote log into your computer. Start WoW. See what happens.
For the really tech-savvy, try Argrenda's virtual machine spoofing hack. See if it works for you.
Happy Monday!
Reply Quote
Well, I'll say that when I went on vacation and logged in at the hotel I was staying at one evening, not only did I have to put in my authenticator, I was required to go into Account Maintenance, answer security questions, and change my password before it would accept that it was really me.

I think the security is still working pretty well, though I'm not opposed to those wanting an option for it to ask for the authenticator every time.


I cry BS.

I went on vacation 1000 miles south of my home, 5 states away, at a hotel, and didn't once have to enter my authenticator or even go to the website to change my PW. Either you are outright lying, or the system is seriously flawed with "randomized checks".
If you used the same laptop, of course you wouldn't need an authenticator. You are still using the SAME COMPUTER. All you changed was IP.

That is what many of you can't seem to see.
Edited by Clyamidius on 7/25/2011 5:39 AM PDT
Reply Quote
22 Blood Elf Warrior
70
Asking for blue posts is the fastest and easiest way to not get them.


Fastest way to get a blue post is with massive cancel accounts.
Reply Quote
07/25/2011 02:11 AM Posted by Ewing
If you're hoping that they'll reveal the details on how the authenticators fingerprinting process works to put people's minds at ease, well I hope you're not holding your breath.


We don't need the exact technical details on how it works. However, we do need enough information to know when and where we should get prompted for our Authenticators. We need to know this so that, when we notice something odd, we can tell if it is working as intended or if it is a bug/glitch. If it is a bug/glitch, do we report it in the Bug Report forum, where everyone can read it, or do we need to send a private report, and to whom?

Are all of the computers and IPs we ever logged in from now trusted, and does using our authenticator at one unlock them all? Or is only the last PC and IP the one currently trusted?


Blizzard can't give out any information because that defeats the purpose of the security system changes.
Reply Quote
85 Dwarf Hunter
2855
The system is working as intended, considering how I have seen no 'I got hacked I had an authenticator your system is flawed!' posts since the change went live, I can say with certainty that it is rather successful.

Sorry to all of you that like pressing numbers every time you log in, but for myself and while I can't directly speak for them, those of us that like the convenience of being able to log right in without searching for the authenticator, I say we'd like to keep the system as is.

Also, Blizzard posters are not required nor obligated to respond to any thread; if they choose to respond they will. Fishing for a blue will get this thread deleted quickly.
Reply Quote
85 Dwarf Warrior
13030
hmm, still not deleted
still not forum banned


Still ignored. ;-P

Hey guys? I have a challenge for you. Try taking the evidence and scenarios we've presented and test one for yourself. Then come back and report what happened.
Log into a computer that you are about to throw away (and have never logged into from before), get prompted for your authenticator, and then log back out. Put the computer aside for a day. Come back tomorrow and see if it still asks you for an authenticator. A public computer would be a better test, but I don't recommend actually using one for obvious security reasons. I suppose if you are absolutely positive that the new system works, you could, but I still don't recommend it.
Download one of the legal keyloggers and put it onto your computer, or use a hardware keylogger if you happen to have one laying around. After logging into your computer/WoW, log back out, get the data from the keylogger, and use it to log back in. This is simulating a domestic compromise.
Set up Remote Access on your computer. Go to another computer and remote log into your computer. Start WoW. See what happens.
For the really tech-savvy, try Argrenda's virtual machine spoofing hack. See if it works for you.
Happy Monday!


Or I'll just be content not worrying about the sky falling.
Reply Quote
85 Draenei Shaman
0
07/25/2011 05:51 AM Posted by Asane
Or I'll just be content not worrying about the sky falling.


Yes but then the sale of aluminum foil would drop so much that the industry would fail.
Reply Quote
85 Draenei Paladin
3325
Geez Ewing, you've gotta stop cutting and pasting those ridiculous essays from one thread to another. I didn't read it, and I'm sure a lot of others didn't either. It doesn't make you look any smarter or "more right" either because your theory is wrong. When the authenticators/passwords reset, it wipes ALL records of previous login locations. You're basing what you think you "know" on other people's tests that you did not witness, and even then, these people aren't really even proving anything in their tests. They're just demonstrating that the system is working correctly. If someone resets their password, then logs in from a location they've been before, they'll get prompted.. They log out, then log back in, they don't get prompted.. WAI..

That aside, you guys seem to still be ignoring the fact that almost everyone else posting here from the general forums is telling you that this is a non-issue. Your attempt to convert more people to your cause has failed because either no one else agrees with you or no one else cares. (BTW notice how the only people really supporting the OP in this thread are about 5 people.. Anii, Gallante, Tomten, Shadowwind, and Ewing.. They're responsible for almost 50% of the conversation in the tech forum authenticator change threads..)

Either way, what you're doing is little more than trolling the general forums because either you know you're going to get flamed here or you're looking for a ban. And Anii is most definitely fishing for a ban. This thread should get locked/deleted sometime today and for good reason. Maybe Anii will get the forum ban that she's looking for.
Edited by Tiberias on 7/25/2011 7:29 AM PDT
Reply Quote
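Added example, not part of any post in this thread and not Blizzard's implementation (which the thread notes is undisclosed): a small model of the two trust scopes Ewing asks about, plus the reset behaviour Tiberias describes. The policy names, the 7-day lifetime and the device names are assumptions made for illustration.

```python
from dataclasses import dataclass, field

WEEK = 7 * 24 * 3600  # assumed trust lifetime, standing in for the "weekly" prompt

@dataclass
class Account:
    seen: dict = field(default_factory=dict)     # device -> last login time
    trusted: dict = field(default_factory=dict)  # device -> time a code was accepted there

def needs_code(acct, device, now, policy):
    """True when this login must present an authenticator code."""
    if policy not in ("per_device", "retroactive"):
        raise ValueError(policy)
    if policy == "per_device":
        granted = acct.trusted.get(device)
        return granted is None or now - granted >= WEEK
    # retroactive: one fresh code anywhere covers every device ever seen
    latest = max(acct.trusted.values(), default=None)
    fresh = latest is not None and now - latest < WEEK
    return not (fresh and device in acct.seen)

def login(acct, device, now, policy, code_ok=False):
    """Returns 'ok' or 'code_required'; code_ok means a valid code was supplied."""
    if needs_code(acct, device, now, policy) and not code_ok:
        return "code_required"
    if code_ok:
        acct.trusted[device] = now
    acct.seen[device] = now
    return "ok"

def reset_password(acct):
    """Model of the claim that a reset wipes all remembered login locations."""
    acct.seen.clear()
    acct.trusted.clear()

def scenario(policy):
    # Constructed history: two machines used long before the change.
    acct = Account(seen={"home-pc": 0, "cafe-pc": 0})
    t = 200 * 24 * 3600
    out = [
        login(acct, "home-pc", t, policy, code_ok=True),  # code entered at home
        login(acct, "cafe-pc", t + 3600, policy),         # password only, old machine
        login(acct, "new-pc", t + 7200, policy),          # password only, never seen
        login(acct, "home-pc", t + WEEK, policy),         # trust has aged out
    ]
    reset_password(acct)
    out.append(login(acct, "home-pc", t + WEEK + 60, policy))
    return out
```

The two policies differ only at the second login: under the retroactive scope the old cafe machine gets in on a password alone, which is the exposure the shared-computer and guild-bank posts are concerned about.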
85 Human Mage
9800
I know Authenticators are for people who aren't very good at securing their computers, but if you know even the very basics of computer security you would know that Blizzard has some extremely intelligent software to determine if you are logging in from somewhere other than your default machine...and if someone is hacking your computer seriously enough to get access to your account while you're on your machine, you are going to have far more serious troubles than your WoW account getting hacked.
Reply Quote
85 Undead Warrior
3010
Opt out would mean Blizzard will have to refund everybody their money.

Are you crazy?
Reply Quote
