
Diablo 3 accounts hacked, gold and items stolen

it is worth mentioning that once you add the authenticator, you should tick the option to ask you for a code every time you want to log in to your games, otherwise I think it just asks you to authenticate the first time you launch the game.
 
it is worth mentioning that once you add the authenticator, you should tick the option to ask you for a code every time you want to log in to your games, otherwise I think it just asks you to authenticate the first time you launch the game.

And anytime you try to log in from a different computer, so you'd still be protected.
 
it is worth mentioning that once you add the authenticator, you should tick the option to ask you for a code every time you want to log in to your games, otherwise I think it just asks you to authenticate the first time you launch the game.
You need to confirm with a new code once a week I think.
 
They could, but they don't. It's better for the consumer in the end. Blizzard is going to take its lumps for the bad server issues, but I don't think any rational person in the long run will blame them for people's accounts being compromised.

Keyloggers gunna Keylog.

How is it better for the consumer? This is a legit question, because I am still a little fuzzy on the issue as a whole.
 
You need to confirm with a new code once a week I think.

yeah, but I just feel more secure authenticating in each session, it's not that much trouble and I recommend it if you game on a laptop, from places where a lot of people come in and out, or if you just TRUST NO ONE, not even your family or friends lol
 
How is it better for the consumer? This is a legit question, because I am still a little fuzzy on the issue as a whole.

It makes it easier for players to connect to one another. It makes it idiot proof to update the game. It allows for Blizzard to track stats globally to analyze what DOES need changing. And yes it helps ensure stable prices on the Auction House which is also good for consumers because now they have access to these items without having to know someone who knows someone.

Half-Life 2 went through the same kind of terrible shit the first few weeks it was released, and now people consider it one of the best games ever made. Of course nobody knows how Diablo III will be looked at 10 years from now, but always Online has made it easier for Blizzard to give us the content we want with zero fuss.

Once they work out the server issues that is. (Which is terrible by the way, in no way am I saying it's not.)
 
yeah, but I just feel more secure authenticating in each session, it's not that much trouble and I recommend it if you game on a laptop, from places where a lot of people come in and out, or if you just TRUST NO ONE, not even your family or friends lol

yea, i don't see the big deal in typing the code each time i log on. i log in, play for hours and hours and i don't log out until i'm done.
 
It makes it easier for players to connect to one another. It makes it idiot proof to update the game. It allows for Blizzard to track stats globally to analyze what DOES need changing. And yes it helps ensure stable prices on the Auction House which is also good for consumers because now they have access to these items without having to know someone who knows someone.

Half-Life 2 went through the same kind of terrible shit the first few weeks it was released, and now people consider it one of the best games ever made. Of course nobody knows how Diablo III will be looked at 10 years from now, but always Online has made it easier for Blizzard to give us the content we want with zero fuss.

Once they work out the server issues that is. (Which is terrible by the way, in no way am I saying it's not.)

Okay, thanks for the input. It just sucks for consumers like me who do a lot of gaming in areas without a reliable internet connection.
 
yeah, but I just feel more secure authenticating in each session, it's not that much trouble and I recommend it if you game on a laptop, from places where a lot of people come in and out, or if you just TRUST NO ONE, not even your family or friends lol
I agree. There is really no excuse not to have it.
 
I'm confused as to why authenticators aren't packaged with the game.

Because I assume if you ship a ton of them out only a small percentage will actually be used. So now blizzard has to devote money/time to both shipping auths to every game, but also to the people calling who didn't use the damn thing they shipped.
 
Slair there is no accounting for how it actually happened, I know I talked about this yesterday but there are people getting hacked all the time that take the proper steps to protect themselves. Any security expert knows that the only way to remain 100% secure is to unplug your computer. There are ways to make yourself 99% secure though and one of them is to link your account to an Authenticator.

Yeah... I did resurrect my dead iPhone to make it an authenticator now though, but this experience has left me pretty sour. If I did fuck up somewhere along the line they must've been sitting on my password for bnet for a couple of years.
 
I lawls at the post of Blizzard employees smacking players down with their lies and misinformation. All it usually takes is one person being made a fool of and those kinds of threads die down.

it is worth mentioning that once you add the authenticator, you should tick the option to ask you for a code every time you want to log in to your games, otherwise I think it just asks you to authenticate the first time you launch the game.

yeah, but I just feel more secure authenticating in each session, it's not that much trouble and I recommend it if you game on a laptop, from places where a lot of people come in and out, or if you just TRUST NO ONE, not even your family or friends lol

Special scenarios (such as gaming on the go with a laptop) aside, it doesn't really matter if you have the option checked or not. It's largely peace of mind. Which a lot of people
 
People should have an auth, it's just the sad state of things with how incredibly targeted Blizzard's games are but I don't see why they (Blizzard) don't have a base Steam Guard like system in place. They have a dial-in gig, but that's kind of obnoxious, I wouldn't really want to use that.


My theory is that this is a huge marketing stunt to sell more authenticators

I don't believe they're sold at much of a profit and the apps are free and so is the dial in thing.

Not a stunt at all, either way, people don't seem to understand how targeted and how absurdly profitable World of Warcraft accounts and gold selling is. It basically became the new credit card theft with how much less reprisal there is.
 
Accounts getting "hacked" gets thrown around far too often. It is almost always someone getting keylogged on their PC and then their battle.net account is simply logged into and then the password is changed. That's your PC getting hacked, not your battle.net account. Thread title makes it sound like D3 has some big security problem when it's nonsense.
 
For all the negative talk about always online DRM it has literally KILLED piracy. From my personal experience every single person who was interested in D3 and was a pretty fucking disgusting pirate - bought the game. Only because they could not be playing it otherwise.

I can imagine now other companies following suit for example id with Doom 4 or Bethesda with TES6.

It works like it or not.
 
My theory is that this is a huge marketing stunt to sell more authenticators

Yes, totally a marketing stunt to sell authenticators that they can't even keep in stock, and totally ignoring that they sell them for almost no profit if you're in the US. Totally.

For all the negative talk about always online DRM it has literally KILLED piracy. From my personal experience every single person who was interested in D3 and was a pretty fucking disgusting pirate - bought the game. Only because they could not be playing it otherwise.

I can imagine now other companies following suit for example id with Doom 4 or Bethesda with TES6.

It works like it or not.

It certainly curbs day one piracy, at least. Which is why I have little problem with it.

I don't believe they're sold at much of a profit and the apps are free and so is the dial in thing.

Not a stunt at all, either way, people don't seem to understand how targeted and how absurdly profitable World of Warcraft accounts and gold selling is. It basically became the new credit card theft with how much less reprisal there is.

A good WoW account with lots of max level toons can fetch hundreds of dollars when sold through illegal third party sites. Then they can turn around and scam the person they just sold to for even more money...
 
It is crazy, I didn't even know about the mobile app authenticator till this thread. Downloaded it to my iPad and attached it to my account; it's pretty amazing how well it syncs while constantly changing codes.
 
For all the negative talk about always online DRM it has literally KILLED piracy. From my personal experience every single person who was interested in D3 and was a pretty fucking disgusting pirate - bought the game. Only because they could not be playing it otherwise.

I can imagine now other companies following suit for example id with Doom 4 or Bethesda with TES6.

It works like it or not.

I like it because they give you something back for it as a service. Achievements, download and install from anywhere, universal friends list, easy tools to make a party and join a game, characters essentially being cloud saved, website profiles, etc. I just don't like always on DRM when that's all it is.
 
Still waiting on my restoration. This sucks. I really wanted to play Diablo tonight.

There is also a stranger on my friends list. :-/
 
For all the negative talk about always online DRM it has literally KILLED piracy. From my personal experience every single person who was interested in D3 and was a pretty fucking disgusting pirate - bought the game. Only because they could not be playing it otherwise.

I can imagine now other companies following suit for example id with Doom 4 or Bethesda with TES6.

It works like it or not.

Until D3 gets cracked.
 
Until D3 gets cracked.
My understanding is that it is literally impossible to crack since the game code itself is on Blizzard servers. It would require people to break into those servers and steal the code, or rewrite D3 server code on their own to simulate the way normal gameplay works.

If so, it's kind of like streaming Onlive -- you can never crack that because the game is somewhere else. I hope we never end up in a situation where everyone just sells streaming games because that's what they can have total control over.
 
My understanding is that it is literally impossible to crack since the game code itself is on Blizzard servers. It would require people to break into those servers and steal the code, or rewrite D3 server code on their own to simulate the way normal gameplay works.

If so, it's kind of like streaming Onlive -- you can never crack that because the game is somewhere else. I hope we never end up in a situation where everyone just sells streaming games because that's what they can have total control over.

Huh, link? That doesn't sound right to me..
 
For all the negative talk about always online DRM it has literally KILLED piracy. From my personal experience every single person who was interested in D3 and was a pretty fucking disgusting pirate - bought the game. Only because they could not be playing it otherwise.

I can imagine now other companies following suit for example id with Doom 4 or Bethesda with TES6.

It works like it or not.

If it stops piracy, really and truly, I will gladly live with the inconvenience.
 
If it stops piracy, really and truly, I will gladly live with the inconvenience.
Having all future releases only available over Onlive or Gaikai could 100% stop all piracy, unless I'm missing something, but I sure wouldn't want that as a consumer (or even as a game developer).
 
Huh, link? That doesn't sound right to me..

Everything they could make server side they made server side - much like an MMO (like WOW). The only way to theoretically pirate D3 is for someone to make private server software which probably won't happen for a long time / will face legal pressure from Blizzard / will end up being shoddy and or inaccurate to the original (logic and calculations done server side that are not exposed explicitly to the client have to be effectively guessed or reverse engineered from what the client sees).
 
My understanding is that it is literally impossible to crack since the game code itself is on Blizzard servers. It would require people to break into those servers and steal the code, or rewrite D3 server code on their own to simulate the way normal gameplay works.

If so, it's kind of like streaming Onlive -- you can never crack that because the game is somewhere else. I hope we never end up in a situation where everyone just sells streaming games because that's what they can have total control over.
They emulated the servers for the Beta, so I'm sure it'll happen for retail at some point.

And lol at the people that think these hacks are the result of keyloggers.
 
I'm going to call it that within the next 2 weeks, Blizzard will require absolutely every single person to use an authenticator on every login to play any of their games. The amount of people on their forums right now who are kicking up a stink about being "hacked" but not actually mentioning whether they have an authenticator or not is completely silly.

To be fair, they should have done it in the first place. Shipped the collector's edition with an authenticator, then included a big bloody massive A3-sized poster with the standard edition reminding you to either get an authenticator program for Windows/OS or download an app for it.

Still though, people will learn the hard way. I'd rather Blizzard spend absolutely 100% of their time now sorting out the latency/game balance issues, as opposed to sorting out the people who thought that having an authenticator was unnecessary.

To quote a post which is a shining example of why Blizzard absolutely should make authenticators mandatory:

i just lost everything too lol

just some info if anyone would care to know

*never found virus or trojan did full scan*
*phishing not an option considering i rarely ever even check my email or go to gold/powerlevel sites*
*Did NOT have an authenticator*
*was level 60 inferno*
*did use AH*
*bought digital dl d3*
*Did not share password even with people i would and trust lol*

Also what does the authenticator do exactly to help prevent this? I just signed up for one
 
Why stop at the collector's edition? Why not make installation of the authenticator mandatory when you install the game? You are playing a game that has to be online at all times so what is one more inconvenience.
 
SQL injections are the most common form of attack.
You can use an SQL injection to write to a database as well as dump shit out if the application has write privileges. Dump out the entries you want, note the salt and use it with a password of your choosing to generate a new hash to replace the old hash. A few exploratory attempts to figure out what crypto scheme they're using and you're golden.
 
They emulated the servers for the Beta, so I'm sure it'll happen for retail at some point.

And lol at the people that think these hacks are the result of keyloggers.

I read about these servers somewhere myself, and a quick google search came up with a few apparently emulated D3 servers for retail. Not sure if real or not but it seems like the game may already be cracked.

I'd just like to add in my experience with the mobile authenticators, if you download the app, make sure you get the recovery code and store it somewhere safe. I lost my recovery code and recently had to wipe my phone, and it's taken me around 3 weeks total of errors from the submission page with no error code to waiting for replies from Blizzard to try and get my authenticator removed so that I can actually get into my account again. Bit of a nightmare really. So in short, don't lose your recovery code!
 
What do you think they are the result of? An SQL dump? lol

SQL injection involves running SQL queries on a target when you shouldn't be able to. SQL injection will let you do anything the application has rights to do.

"lol"

And with that, Diablo 3 tops HL2 as the worst single player game launch ever.

You don't know about Sword of the Stars II.

My understanding is that it is literally impossible to crack since the game code itself is on Blizzard servers. It would require people to break into those servers and steal the code, or rewrite D3 server code on their own to simulate the way normal gameplay works.

The server is a black box, yes, but you can always reverse engineer it or plain ol' steal the code (they did a combination of both with WoW). Not impossible, it just takes a long time to get at the server communication (if it's encrypted / obfuscated) and then make sense of why it sends what it does when it does.
 
They emulated the servers for the Beta, so I'm sure it'll happen for retail at some point.

And lol at the people that think these hacks are the result of keyloggers.

I've played WoW since launch and never had any problems until earlier this year when I logged in on my friend's shady computer with outdated anti-virus, I knew better but I did it anyways, two days later my account was "hacked" or correctly put stolen via keylogger. I'd like to see *any* evidence that it's not keyloggers outside of victims insisting their computer is "clean".
 
Sick of waiting for Blizz to answer my ticket. I go to call them myself and after 3 tries I get into the queue. I have to wait 41 minutes.


Fffffffuuu...
 
SQL injection involves running SQL queries on a target when you shouldn't be able to. SQL injection will let you do anything the application has rights to do.

"lol"

SQL injections are the most common form of attack.
You can use an SQL injection to write to a database as well as dump shit out if the application has write privileges. Dump out the entries you want, note the salt and use it with a password of your choosing to generate a new hash to replace the old hash. A few exploratory attempts to figure out what crypto scheme they're using and you're golden.

Yes, SQL attacks are common because everyone uses it now. And the vulns found ages ago are still active for a lot of websites. Very few SQL attacks result in gaining full control of the application, in fact most of them don't. Everything that you said is indeed not strictly impossible, but just very unlikely. If there is a vuln on Blizzard it's much more likely that a dump was performed of encrypted material that was salted, because Blizzard, while they've proven they can't handle the launch of Diablo III, have never been stupid about protecting consumer information.

Compare all of that with the fact that Keyloggers specifically target people who use Battle.net because of the profitability. Which is more likely Mudkips?
 
Yes, SQL attacks are common because everyone uses it now. And the vulns found ages ago are still active for a lot of websites. Very few SQL attacks result in gaining full control of the application, in fact most of them don't. Everything that you said is indeed not strictly impossible, but just very unlikely. If there is a vuln on Blizzard it's much more likely that a dump was performed of encrypted material that was salted, because Blizzard, while they've proven they can't handle the launch of Diablo III, have never been stupid about protecting consumer information.

Compare all of that with the fact that Keyloggers specifically target people who use Battle.net because of the profitability. Which is more likely Mudkips?


If even a single person with an authenticator has been hacked, then SQL injection is almost certainly the cause.

If you can execute an SQL injection you have the same permissions to the database that the application does. If the exploitable code block uses a connection with write credentials to the user table (e.g., a connection/account used to update user information), prepare to get fucked.

How do you suppose "a dump was preformed of encrypted material that was salted" would be obtained? If you can dump out the SQL you have access you already shouldn't have - likely including write access.

With write access to the user table you can very easily overwrite user passwords. Salts are public and encryption schemes are standard. You don't need to crack anyone's password to do this, you just need to encrypt your own with the same method.
 
If even a single person with an authenticator has been hacked, then SQL injection is almost certainly the cause.

If you can execute an SQL injection you have the same permissions to the database that the application does. If the exploitable code block uses a connection with write credentials to the user table (e.g., a connection/account used to update user information), prepare to get fucked.

How do you suppose "a dump was preformed of encrypted material that was salted" would be obtained? If you can dump out the SQL you have access you already shouldn't have - likely including write access.

With write access to the user table you can very easily overwrite user passwords. Salts are public and encryption schemes are standard. You don't need to crack anyone's password to do this, you just need to encrypt your own with the same method.

It's not likely including write access, that's just wrong.

And if a single person with an authenticator has been hacked then it's likely due to a man-in-the-middle attack which has been a known vulnerability of OTP protection since OTP has been used.

Also, salts are a proven way to protect information.
 
Blizzard have confirmed that all the accounts which have been hacked have been breached using the normal methods, so that's the whole "public games are bad" thing over.

If you don't already have an authenticator then either get one on your smartphone or try this http://code.google.com/p/winauth/, there's really no excuse for not having one.
 
Well, that wasn't exactly what they said.

Apologies, I went back and re-read their post, I'll edit mine immediately, my bad.

However I stand by the point about there being no excuse for not having an authenticator. They do say that they are yet to investigate a hacked D3 account that had an auth though.
 
I don't get why people do this. The beauty is in the leveling up, but if you get an account already leveled, what the hell is the point?

That's like downloading the end of a movie and not watching the rest.
 
It's not likely including write access, that's just wrong.

And if a single person with an authenticator has been hacked then it's likely due to a man-in-the-middle attack which has been a known vulnerability of OTP protection since OTP has been used.

Also, salts are a proven way to protect information.

If a page lets you update your name, address, email, password, etc. then that page has write access. If that page is vulnerable to SQL injection then an attacker has the same write access.

Salts? You don't know what you're talking about. Salts are NOT encrypted. Salts are plain-text strings prepended (or appended) to user-input before hashing. For security purposes they are as public as a username. Salts are simply used to deter brute forcing and pre-computed hash attacks (rainbow tables), and the ancient "set my password to password and see if my hash matches anyone else's" tomfoolery.

A successful man in the middle attack over the public internet is very involved. When you change your Battle.net password and remove an authenticator you have to put the authenticator code in TWICE. A simple man in the middle attack would only capture the single code a person used to log in, and you wouldn't be able to compromise the account.

A successful account would require you to own someone's box, watch their battle.net login attempts, fish out the authenticator code and use it within the valid window (about 45 seconds in my experience) to log in to battle.net, then suppress the legitimate login response and inject a falsified bad login message (or pass a falsified login attempt to blizzard and pass the legitimate response back to the victim) to get the victim to enter their authenticator code a second time, at which point you could change a password and remove the authenticator. If you're going to target an attack this specifically you may as well go straight for the bank accounts.

If the horde of people who have been hacked recently contain people who had authenticators, then SQL injection is the most likely scenario by far.
 
I don't get why people do this. The beauty is in the leveling up, but if you get an account already leveled, what the hell is the point?

That's like downloading the end of a movie and not watching the rest.
Obtaining rare items they can then sell in the RMAH for profit without all the loot farming involved? A stolen account on which they can proceed to do illegal activities without fear of getting their main account banned?

For other games, it wasn't uncommon for gold sellers and bot farmers to use stolen accounts. Luckily for D3 though, using bots may be easier to detect and ban due to the always-online, and the RMAH removes incentives for buying gold from shady sellers.
 
If a page lets you update your name, address, email, password, etc. then that page has write access. If that page is vulnerable to SQL injection then an attacker has the same write access.

You are saying true things but it's simply not true that a successful injection of SQL code into any of those prompts will automatically grant you full write access to the database.

Salts? You don't know what you're talking about. Salts are NOT encrypted. Salts are plain-text strings prepended (or appended) to user-input before hashing. For security purposes they are as public as a username. Salts are simply used to deter brute forcing and pre-computed hash attacks (rainbow tables), and the ancient "set my password to password and see if my hash matches anyone else's" tomfoolery.

Yes exactly, it stops the brute forcing that became easy a few years back because of the prevalence of these dumps. It's part of a good plan to protect consumer information. If you don't salt your tables then at this point you might as well NOT encrypt because your encryption will be broken.

A successful man in the middle attack over the public internet is very involved. When you change your Battle.net password and remove an authenticator you have to put the authenticator code in TWICE. A simple man in the middle attack would only capture the single code a person used to log in, and you wouldn't be able to compromise the account.

A successful account would require you to own someone's box, watch their battle.net login attempts, fish out the authenticator code and use it within the valid window (about 45 seconds in my experience) to log in to battle.net, then suppress the legitimate login response and inject a falsified bad login message (or pass a falsified login attempt to blizzard and pass the legitimate response back to the victim) to get the victim to enter their authenticator code a second time, at which point you could change a password and remove the authenticator. If you're going to target an attack this specifically you may as well go straight for the bank accounts.

The only reason it's involved is because it needs to be monitored by a live person. It's not very complicated at all really when compared to a group gaining full write access to some part of their database. It has been done in the past and is impossible to stop. Yes, it's more profitable at that point to target their bank accounts, but that doesn't mean it hasn't happened with Battle.net accounts.

If the horde of people who have been hacked recently contain people who had authenticators, then SQL injection is the most likely scenario by far.

If there are a large number of people with Authenticators that have been compromised then yes, I would agree with you. The likelihood of a large scale MitM attack is very close to zero. I'm not saying that some kind of SQL attack against Blizz is impossible, what I'm saying is that there is ZERO evidence for it right now. The MUCH MORE likely situation is that keyloggers be keyloggin' as they have been doing for many years.
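The exchange above argues over two concrete things: what a salt is (a plaintext value stored beside the hash, not a secret) and how a profile-update page that holds write access turns into an injection point when user input is spliced into the query text. The following is an added Python example, not Blizzard's code or schema, that shows both on an in-memory sqlite3 users table: a random per-user salt stored in the clear next to a PBKDF2 hash (the work factor is an assumed value), a constant-time verifier, and a display-name update written twice, once with the input pasted into the SQL string and once with it bound as a parameter. An ordinary name containing an apostrophe, O'Brien, is enough to show the difference: the spliced version hands part of the input to the SQL parser and fails, while the bound version stores it as data no matter what it contains.

```python
"""Salted password storage plus a vulnerable and a safe profile update (added example, not Blizzard's code)."""
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 100_000  # assumed work factor for this example


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, display_name TEXT, salt BLOB, pw_hash BLOB)"
    )
    return con


def hash_password(password: str, salt: bytes) -> bytes:
    # The salt is mixed in before hashing; it is never encrypted, only stored next to the hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def create_user(con: sqlite3.Connection, username: str, password: str) -> None:
    salt = os.urandom(16)  # fresh random salt per user, stored in plaintext
    con.execute(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        (username, username, salt, hash_password(password, salt)),
    )


def verify_password(con: sqlite3.Connection, username: str, password: str) -> bool:
    row = con.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


def update_display_name_vulnerable(con: sqlite3.Connection, username: str, new_name: str) -> None:
    # BAD: the new name is part of the SQL text, so a quote in it ends the string literal
    # and whatever follows is parsed as SQL with this connection's write rights.
    sql = "UPDATE users SET display_name = '%s' WHERE username = '%s'" % (new_name, username)
    con.execute(sql)


def update_display_name_safe(con: sqlite3.Connection, username: str, new_name: str) -> None:
    # GOOD: bound parameters are never parsed as SQL, so the input stays data.
    con.execute("UPDATE users SET display_name = ? WHERE username = ?", (new_name, username))


def demo() -> dict:
    """Constructed scenario: two users with the same password and a name containing a quote."""
    con = make_db()
    create_user(con, "alice", "correct horse")
    results = {
        "good_pw": verify_password(con, "alice", "correct horse"),
        "bad_pw": verify_password(con, "alice", "wrong"),
    }
    try:
        update_display_name_vulnerable(con, "alice", "O'Brien")
        results["vulnerable_raised"] = False
    except sqlite3.OperationalError:
        results["vulnerable_raised"] = True  # the parser choked on the spliced input
    update_display_name_safe(con, "alice", "O'Brien")
    results["safe_name"] = con.execute(
        "SELECT display_name FROM users WHERE username = ?", ("alice",)
    ).fetchone()[0]
    # Same password for bob: different salt, therefore a different stored hash.
    create_user(con, "bob", "correct horse")
    hashes = [
        con.execute("SELECT pw_hash FROM users WHERE username = ?", (u,)).fetchone()[0]
        for u in ("alice", "bob")
    ]
    results["hashes_differ"] = hashes[0] != hashes[1]
    return results


if __name__ == "__main__":
    print(demo())
```

The hash comparison shows what the salt buys: two users with the same password get different stored hashes, so a dumped table cannot be attacked with one precomputed lookup. The update functions show where write access comes from: whatever the connection behind the profile page is allowed to do, a spliced query lets the input do too, which is why binding parameters (and giving that connection no more rights than the page needs) is the fix rather than anything about the hashing.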
 