About the Recent Authenticator Change

07/26/2011 04:26 PM Posted by Xanzul
I don't have to believe anything you say because the simple fact of the matter is authenticators are meant to protect your account from people you don't even know from accessing it. Yet again they are not meant to shield your account from nosy people you live with. If they can access your account and do it behind your back that is the real issue not the security of your account. Get a real password and your own place.

CompTIA A+ and Network+ certified. Not sure how to verify my credentials with a board troll without violating ToS.

I don't have an issue with people I live with. I own my own home and my own internet access. I have multiple firewalls and AV and anti-malware. I have a strong, unassociated username email, and an even stronger password. So I'm not sure where your "people you live with" and "password sharing" comments come from.
2 is more than 1. Added security is better than decreased security. I don't know why you can't wrap your head around a concept that should be so simple.

I refuse to respond to you after this, as you are obviously trolling. 9/10 though. Good job.
There has finally been a blue response. This should mean the thread is done and we can talk about kittens and eat cookies, right?

Nope. Instead, there is the usual griping that follows any blue post. Just as I predicted a couple of times in this thread already.

Sometimes, it's depressing to be cynical. Then again, at least I'm never disappointed.

Anyway, thanks for the update, Zarhym. That pretty much covered what most people in this thread wanted to hear. Have a cup & a cookie on me.

/cup of coffee
Again another half witted decision by your the team.
If it was thought out correctly, giving people the option to go either way should have been done in the 1st place.

The person saying "by your the team" has no room calling anyone half witted. Really?
what? no proof that our concerns were answered early on by a blue? no surprise.

gtfo the forum you troll.

Please stop feeding the trolls. TY.
So how would your account be compromised because of this change? Oh right it wouldn't. Again more hot air.

How 'bout an example that actually happened?

A Flash exploit was used to distribute keyloggers to people who visited wow-related web sites. The "hackers" bought ad time through Google. So, go to Curse, Wowhead or Allakhazam and with no user interaction, a keylogger is installed.

Back when this was actually happening, the authenticator protected your account.

Now? Well, in order to install the keylogger, their malware got root access. So install the keylogger and a modified version of VNC. Once you've captured the username and password, wait for the inactivity timer to get very high. Then mute the sound card and turn off the video out. Then use your VNC client to log into WoW from the victim's computer. Since Blizzard thinks the computer is 'safe', no authenticator prompt. Use the keylogged username/password and clear out the account.

Gonna come back with something dumb like "use noscript" or disable flash? It's not like flash is the only vulnerable software on a computer.

Far fetched? Not really. None of the stuff I described is difficult to do. The hard part is finding an exploit. Once that's found, the payload is pretty easy. And you're gonna want that exploit for the non-authenticator accounts anyway.

Will 'hackers' go through the trouble? Maybe. Like all businesspeople, they'll do it if the ROI is high enough.
07/26/2011 03:51 PM Posted by Zarhym
Zarhym, out of pure curiosity, what happened to the original thread? There was some great reference material there!

I'm not sure. I just came across this one and wanted to get some visibility on the fact that we've been gathering player feedback on this change all along.

It would have been nice if you guys got feedback on a change like this before you pushed it live, un-announced. Since Cata launched communication from Blizzard has been as bad as I can remember it being. Too many un-announced changes with wide ranging impact.
Changes to security protocols like this should not be opt out. They should be opt in. Blizzard fundamentally reduced the security of the system without authorization from their customers. I paid to be prompted on every login, that's why I got the damn authenticator.

Honestly, I am disturbed that the flag whether you get prompted for authentication or not is stored client-side. Was anyone thinking when they did that?

Oh, while we're on it, I get locked out of my account any time my ADSL modem refreshes its IP address. Why are you enforcing IP lockouts for persons who have authenticators? As it stands, about 2-3 times a week I have to go through the account unlock process, and it always corresponds to my ADSL modem refreshing its IP. I can make it happen on demand.

And I get told by Blizzard support they can't disable that "feature" permanently because they won't do anything that reduces the security on my account, and then they introduce this bollocks with client-side registry keys controlling whether you're prompted for authentication?

What a joke.
