
Rumor: World of Warcraft Most Likely Getting Mandatory Authenticators

Vampire Baseball said:
I recently had my account hacked. What happened is I used the client that curse.com offers.(

I use the curse client ... there better not be some vulnerability or hack installed in it ......
 
Lenardo said:
TALKING to a gm he was amazed at when my account for wow was actually made...

he was like, there is no way your account was made in 2003 there has to be something wrong, i replied, i started playing during the F&F alpha, if you want i could fax you the NDA i signed to get my account (i played everquest on the same server & grouped with on occasion - rob pardo, jeff kaplan & Other blizzard employees were on the server as well- of course at the time i didn't KNOW that)

Crazy monks...
 
KernelPanic said:
I use the curse client ... there better not be some vulnerability or hack installed in it ......

Blizzard warns against using unofficial clients like Curse because they said there is a higher chance of getting hacked (which is why I don't use Curse, I can live without the apps).
 
I've had an authenticator for years, it owns. I can't believe anyone would be bitching about dropping ten bux to make your account 100% secure. Especially considering the hundreds of hours you put into each character.
 
Shrinnan said:
Blizzard warns against using unofficial clients like Curse because they said there is a higher chance of getting hacked (which is why I don't use Curse, I can live without the apps).


Just use the 'manual install' option when getting addons from Curse, keeps any of their crap from being installed, just the addon. (Which would be stuff like HealBot, Recount, etc)
 
Nikashi said:
Just use the 'manual install' option when getting addons from Curse, keeps any of their crap from being installed, just the addon. (Which would be stuff like HealBot, Recount, etc)

I would consider that if I were likely to renew my subscription but WoW has gotten stale for me. I'm waiting for another MMO so the subs I don't use for WoW, I'll just save up and use for that MMO. Thanks for the suggestion anyway!
 
Sciz said:
Interesting to compare how Blizzard is responding to the situation compared to how Jagex handled a similar one. Runescape wasn't having trouble with accounts being stolen outright, but people were having their credit card information swiped and used to register accounts to gold farm with. Jagex finally solved the problem by changing the game mechanics so that selling gold was impossible.

How? Surely that means no player/player trading?
 
I got the iPhone Authenticator when it first came out. Never been hacked yet *Knocks on wood*, but it seems like a no brainer to use it especially since I have my other Blizzard games tied to my Battle.net account besides WoW.
 
Sciz said:
Interesting to compare how Blizzard is responding to the situation compared to how Jagex handled a similar one. Runescape wasn't having trouble with accounts being stolen outright,

RuneScape has always had a problem with accounts being stolen through social engineering, keylogging and phishing, that's why there's been a 'you last logged in from this IP on this date' splash screen for years now.

Sciz said:
but people were having their credit card information swiped and used to register accounts to gold farm with.

It was actually worse than that, as credit card companies offer punitive fees on chargebacks and if a certain level of fraud is consistently happening, eventually refuse to accept charges from that company.

I can't think of many businesses outside of the MMO sector where in the end your business responsibilities and credentials as a legitimate company boil down to how savvy your customers are about internet security.

Sciz said:
Jagex finally solved the problem by changing the game mechanics so that selling gold was impossible.

As someone mentioned before, it is an arms race, and eliminating RMT completely is unlikely ever to happen, and almost certainly never going to be financially viable for any company to be able to dedicate the resources required to make it impossible.

The best you can do is stamp down as hard as you can as often as you can, but there will always be some degree of RMT involved in MMOs, even if it is at the most basic 'selling account' level.
 
Shrinnan said:
Yup, Blizzard NEVER asks for your password - usually to verify an account they'll ask for your secret answer.
blizzard uses a one way hash for your password... you can tell this because they cannot tell you what your password was, either through support or through the automated system and require you to change your password without actually recovering it. Everything Blizzard does with your account is through admin access to your account. This is pretty standard for this type of security interface.

Hence blizzard will NEVER ask for your password, because everything they do on your account is without the password to begin with. Unless you are keylogged or give someone your password, the only other possible way to get ahold of it is to brute force it.

About the only way it could be someone inside of blizzard is if they are either doing it directly from inside blizzard (doubtful) or are changing your password from inside blizzard and then doing it externally (less doubtful, but still doubtful). If your account is hacked WITHOUT the password changing? Your account was then keylogged or brute forced, there is no way possible to get your actual password out of the system, hence why it's called a "one way" hash.

Hellsing321 said:
I got the iPhone Authenticator when it first came out. Never been hacked yet *Knocks on wood*, but it seems like a no brainer to use it especially since I have my other Blizzard games tied to my Battle.net account besides WoW.
this would be practically impossible (actually near totally impossible, but not totally... like 0.0000000xx% chance though). The authenticator uses a 12 digit key to run a 256-bit encrypted hash on and changes every 30 seconds. That's 90M different combinations they would have to run in 30 seconds before it changes again just to brute force the code. And you can't really brute force the serial in the first place because it would require a known/working code which would change in 30 seconds anyway. and even if they DID brute force the serial, they would still need to figure out the internal clock offset as well to sync your codes.

phew. So yeah... the whole authenticator setup is pretty slick and HIGHLY recommended for ANY system that offers it. The fact that they (that is companies in general) are finally making these downloadable for phones makes their use even more of a no brainer.
 
2nk877p.png


Never gets old
 
borghe said:
blizzard uses a one way hash for your password... you can tell this because they cannot tell you what your password was, either through support or through the automated system and require you to change your password without actually recovering it. Everything Blizzard does with your account is through admin access to your account. This is pretty standard for this type of security interface.

Hence blizzard will NEVER ask for your password, because everything they do on your account is without the password to begin with. Unless you are keylogged or give someone your password, the only other possible way to get ahold of it is to brute force it.

About the only way it could be someone inside of blizzard is if they are either doing it directly from inside blizzard (doubtful) or are changing your password from inside blizzard and then doing it externally (less doubtful, but still doubtful). If your account is hacked WITHOUT the password changing? Your account was then keylogged or brute forced, there is no way possible to get your actual password out of the system, hence why it's called a "one way" hash.

Thanks for that explanation. In essence, they would ask for your password if they needed it, but since they don't then it becomes an extra layer of security.
 
Shrinnan said:
Blizzard warns against using unofficial clients like Curse because they said there is a higher chance of getting hacked (which is why I don't use Curse, I can live without the apps).

Ugh I'm gonna take it off tonight then, just to be safe.

I ordered an authenticator a while back but Blizzard cancelled my order. Gonna try again.
 
yeah I am going through this now.
Haven't played for ages and now I started getting all this shit, and my account is suspended.

It doesn't help their stupid 1-800 number is 100% busy from 8am - 8pm AND if you try to get email help they say to call in :/
 
Spire said:
And I'm not sure authenticators would even help the problem. The top warlock in my guild got hacked just yesterday and he uses an authenticator, I also know some servicemen that use authenticators and they have all been hacked as well since buying them. They were all pretty fucking furious, since they paid Blizzard for something that essentially did nothing.

Blizzard can't prevent stupid. It's not something passive like a keylogger in those situations, it's social engineering and naivety/stupidity on the part of the person getting hacked.

Here's how the "hack" (which is really phishing as opposed to hacking) works:

Someone in game whispers you in game that Blizzard is testing out new mounts and that if you're interested in testing out some super cool mount, to go log into a website that looks an awful lot like a Blizzard website, but isn't. Mount testing is just one example, others include Friend's and Family Alpha invites for Cataclysm, trading card loot at stupid low prices, or anything "shiny" that attracts the average WoW player like flies to shit.

Once the person has gone to this website, they are presented with a login screen that is exactly the same as the Blizzard one as far as looks go. The person submits their login info which is then sent to the phisher in real time. The next screen asks for an authenticator number, which the person then gives and is sent to the phisher in real time.

The phisher now has a very, very small amount of time to log into your account. We're talking maybe 20-30 seconds on the high end. They log into your account in game to get into your account to liquidate your assets while simultaneously changing the password to your battle.net account so that you can't kick them out.

There is essentially nothing Blizzard can do about phishing. It just requires the end user to not be completely clueless.
 
Spire said:
The account hacking situation in WoW is pretty damn crazy, everyone I know (including myself) has been hacked at least once. And I'm not sure authenticators would even help the problem. The top warlock in my guild got hacked just yesterday and he uses an authenticator, I also know some servicemen that use authenticators and they have all been hacked as well since buying them. They were all pretty fucking furious, since they paid Blizzard for something that essentially did nothing.
IF, a huge IF here, they were hacked AND do in fact use authenticators, then as FLEABttn suggests they were subject to (and fell for) a phishing scam. There is absolutely NO WAY to hack the authenticator, and NO WAY to bypass it without contacting Blizzard technical support and jumping through account and security questions to get it removed. In this case I promise you it had nothing to do with the authenticator but more to do with sites they visited, mods they have installed, buying gold, etc. and those folks can tell people they are full of shit on these til they're blue in the face, but the bottom line is that somehow somewhere along the way they were majorly phished. If they do in fact have the authenticators, then at some point they offered up to the phishers all of their account information including addresses, security questions, etc. There is absolutely no other way to do it.
 
I'd like to see Valve use authenticators for Steam. I've had my Steam Account hacked once in the past and it was fucking scary since I actually have hundreds of dollars worth of games on my account. Luckily Steam was quick to respond and got my account back.
 
I've had my WoW account for 4 years and I've never had my account hacked even once. But you can be sure as hell as when the free authenticator app was available on the iPhone I downloaded it. You can NEVER be too safe. Especially when you've invested hundreds of hours into your account. Sure, they might be able to get you all your stuff back but it takes time and isn't guaranteed.

As an example, I have a small guild that's mainly just personal, real life friends and alts of online friends and stuff. My close friends have access to the guild bank since we just use it for stuff that everyone can use. But my one friend got hacked and I logged in and saw it wiped out, probably over 8K gold in enchanting mats and gems and the like. I sent in a ticket right away and it took about a week to get the items in my mailbox. Even then I was missing shit and had to petition it again and waited a few more days for it.

They will definitely start packaging authenticators in with Cataclysm. When they gave them away at Blizzcon then released an app then offered free shipping on the Blizzard store it's a sign of the times. It is much cheaper for them to lose a little money giving everyone an authenticator than it is spending hours and hours on every single account that gets hacked to restore everything.
 
I haven't played WOW in like a year, but the other day I received an email stating that my account is closed due to exploiting and selling gold. lol

I just reached out to Blizzard the other day and now have to go through the whole process of retrieving my in game assets and reactivating my account. I really have no idea how someone would have had access to my password. It was super secure and I've had no trojans or key loggers. *shrug*

It's a good thing I'm taking a break from the game though. I'd be pissed if I tried to log in and I was locked out due to some dick hacking my account!! >_<

So yeah, I support this move to make the gaming environment for all players a better one.
 
Back when I used to play WoW my account got hacked twice. Each time it took a couple of weeks before my characters were fully restored with all their items mailed back. I bought an Authenticator from their store (eventually, you had to catch them when they were in-stock). I have no idea how Blizzard would be able to give everyone who plays one, there are too many people playing.

I haven't logged into my account in over a year but plan to check it out again when Cataclysm releases.
 
Spire said:
The account hacking situation in WoW is pretty damn crazy, everyone I know (including myself) has been hacked at least once.

Get smarter friends. This move isn't because hackers are getting better, it's because people aren't getting smarter, and it's costing them money.
 
jim-jam bongs said:
Get smarter friends. This move isn't because hackers are getting better, it's because people aren't getting smarter, and it's costing them money.

You don't have to do anything stupid to get your account hacked. One banner ad keylogger trojan (which doesn't require you to even click on it) and you're fucked. I only use Firefox with ABP and NoScript and an ad trojan from worldofraids got me. A lot of these trojans show up on sites that have nothing to do with WoW as well. The only truly safe way to play WoW is to browse the internet on a separate computer but that's just not something I can afford to do.
 
Spire said:
You don't have to do anything stupid to get your account hacked. One banner ad keylogger trojan (which doesn't require you to even click on it) and you're fucked. I only use Firefox with ABP and NoScript and an ad trojan from worldofraids got me. A lot of these trojans show up on sites that have nothing to do with WoW as well. The only truly safe way to play WoW is to browse the internet on a separate computer but that's just not something I can afford to do.
or get an authenticator. with an authenticator attached to your account keylogging your password does nothing, and they can't get the authenticator removed without providing all of your account information and secret question to a blizzard tech support rep. which presumably they won't really be able to get with just a keylogger.
 
Spire said:
You don't have to do anything stupid to get your account hacked. One banner ad keylogger trojan (which doesn't require you to even click on it) and you're fucked. I only use Firefox with ABP and NoScript and an ad trojan from worldofraids got me. A lot of these trojans show up on sites that have nothing to do with WoW as well. The only truly safe way to play WoW is to browse the internet on a separate computer but that's just not something I can afford to do.

So in short you forgot to update flash?
 
Got the app on my iphone. It really is a good idea. My friend's girlfriend's account got hacked because she didn't have one. Keep in mind my friend is a system admin/programmer. So he makes sure his GF has a strong password, as well as checked his entire network for any trojans, or keyloggers. He didn't find anything, so no idea how it happened.

It keeps your account safe, and it probably will reduce Blizzard's costs overall. Good move on their part.
 
Ferrio said:
Got the app on my iphone. It really is a good idea. My friend's girlfriend's account got hacked because she didn't have one. Keep in mind my friend is a system admin/programmer. So he makes sure his GF has a strong password, as well as checked his entire network for any trojans, or keyloggers. He didn't find anything, so no idea how it happened.

It keeps your account safe, and it probably will reduce Blizzard's costs overall. Good move on their part.

She still managed to do something to compromise the account. As all the people in these stories have. Common sense makes it almost impossible to be hacked(ok and a bit of computer knowledge and paranoia ^^).

And as Blizzard has noticed people don't learn, or they get too many new customers doing the same mistakes as the old ones, so adding a layer of security would probably help them to combat this problem as the userbase grows/changes.
 
jakershaker said:
She still managed to do something to compromise the account. As all the people in these stories have. Common sense makes it almost impossible to be hacked(ok and a bit of computer knowledge and paranoia ^^).

That's bullshit. I don't care how good you are, how careful. There's always a chance something can sneak by. With the amount of people trying to break accounts, it's extremely foolish not to have one of these things. If you're hooked to a network at all, you're vulnerable. I don't care how paranoid or tech savvy you are. If you're really trying to be a proponent of security then you'd be all for them since it's an additional (and very good method) of security.
 
I wouldn't have a problem with this if they opened up the iphone app to other devices. I play WoW at multiple locations. I will always have my android phone and my zune hd with me. They each have a dozen apps on them. Port the app over to one of them.

I don't want to carry around another device in the off-chance I want to play WoW at a different place.
 
My account was hacked, a friend's account was hacked a year after he had quit playing, and again a few months after that.

I use NOD32, and I know I didn't fall for any BS email scam. I don't click on any of that crap. There is no reason Blizzard would email anyone asking for personal information, password, etc.

Authenticators should come packaged in their game boxes.
 
I'm ok with that since I already use one. I think all future MMOs should come with one in the box to eliminate the issue, well for the most part.
 
I wish Blizzard would let me change my security question, because I totally forgot the answer :lol On the flip side I ordered an Authenticator, well my GF got it for me unknowingly.
 
Ferrio said:
That's bullshit. I don't care how good you are, how careful. There's always a chance something can sneak by. With the amount of people trying to break accounts, it's extremely foolish not to have one of these things. If you're hooked to a network at all, you're vulnerable. I don't care how paranoid or tech savvy you are. If you're really trying to be a proponent of security then you'd be all for them since it's an additional (and very good method) of security.

Of course there's always a chance. That goes without saying. But following the usual security measures and not falling for social engineering would make this a non issue for the large majority of the users, and for Blizzard.

The problem is that their userbase does not do this.

So the authenticator is a good idea. As I said.
 
jakershaker said:
Good idea as most people don't have the slightest idea of how to use even the simplest security.

People are stupid.


Or they install free crap like AVG and think they're actually protected, which, of course, they're not. AVG is almost like nothing at all, which, if it were a condom would be unbelievable, but it's a disaster for a supposed security suite.
 
As long as it's free I don't care. The only people that get their accounts compromised on WoW are careless people/morons anyway. I've had the same account and pass since release and never once had an issue.
 
FLEABttn said:
Blizzard can't prevent stupid. It's not something passive like a keylogger in those situations, it's social engineering and naivety/stupidity on the part of the person getting hacked.

Here's how the "hack" (which is really phishing as opposed to hacking) works:

Someone in game whispers you in game that Blizzard is testing out new mounts and that if you're interested in testing out some super cool mount, to go log into a website that looks an awful lot like a Blizzard website, but isn't. Mount testing is just one example, others include Friend's and Family Alpha invites for Cataclysm, trading card loot at stupid low prices, or anything "shiny" that attracts the average WoW player like flies to shit.

Once the person has gone to this website, they are presented with a login screen that is exactly the same as the Blizzard one as far as looks go. The person submits their login info which is then sent to the phisher in real time. The next screen asks for an authenticator number, which the person then gives and is sent to the phisher in real time.

The phisher now has a very, very small amount of time to log into your account. We're talking maybe 20-30 seconds on the high end. They log into your account in game to get into your account to liquidate your assets while simultaneously changing the password to your battle.net account so that you can't kick them out.

There is essentially nothing Blizzard can do about phishing. It just requires the end user to not be completely clueless.

Yep. I'm convinced that 95% of hacked account cases are the user's fault. Either a trojan/keylogger or phishing/social-engineering.

For the record, I have never had any of my accounts ever hacked. Not in WoW, not my hotmail, not my gmail, not my forum accounts, not my webserver, etc... It's just common sense. Don't run ActiveX scripts from untrusted sources, don't click on banner ads, don't visit warez sites, don't use limewire, don't open unknown emails, make sure anything executable you download is from a trusted source, and don't fall for stupid social-engineering scams.

I'm sure most virus or trojan cases can be tracked to Limewire or warez sites. Piracy doesn't pay.
 
TheExodu5 said:
Yep. I'm convinced that 95% of hacked account cases are the user's fault. Either a trojan/keylogger or phishing/social-engineering.

Bring that up to 99,99% until there's some serious evidence of the contrary(in big numbers). All the cases we ever hear about are always human error.
 
TheExodu5 said:
Yep. I'm convinced that 95% of hacked account cases are the user's fault. Either a trojan/keylogger or phishing/social-engineering.
I used to think exactly like you, until I heard stories of paranoid people with safe proof comp (or basically a second comp for gaming) get hacked in WoW, and WoW only.

One of my friends got hacked a few months ago and he's one of those who knows a lot about PCs, spywares and keyloggers. Runs all the anti-thingies weekly, and still got his account stolen.

WoW has really become that big and mainstream to a point where it attracts all those RMT hackers.
 
theMrCravens said:
I used to think exactly like you, until I heard stories of paranoid people with safe proof comp (or basically a second comp for gaming) get hacked in WoW, and WoW only.

One of my friends got hacked a few months ago and he's one of those who knows a lot about PCs, spywares and keyloggers. Runs all the anti-thingies weekly, and still got his account stolen.

WoW has really become that big and mainstream to a point where it attracts all those RMT hackers.

Has there been any case of accounts being stolen due to actual "hacking" or theft? Something the user themselves couldn't do anything about?

If so post the links and such, would be interesting.
 
It would be nice to see blizzard ship these with every box copy of a game they sell, Including the expansion, Starcraft 2 and diablo 3. All of these games will go through the same network (b.net) so it makes sense to have an authenticator not for your games but for your account, which is pretty much what the authenticator is now.

Hopefully blizzard will just buy a manufacturing company or three and churn these babies out in preparation for each game's release. If you already have one then keep the new one as a backup. Unless they decide to offer a copy with or without the authenticator.

I like my mobile authenticator but i would like a physical one as well.
 
Ugh. Just got an email today about this regarding my account. I haven't played it since November. I'm pretty good about cleaning out my system as well.
 
Effect said:
Ugh. Just got an email today about this regarding my account. I haven't played it since November. I'm pretty good about cleaning out my system as well.
Yeah I think they hacked an entire database this week. A ton of people seem to have all been hit at once, regardless of if they've played in ages or not.
 
Nirolak said:
Yeah I think they hacked an entire database this week. A ton of people seem to have all been hit at once, regardless of if they've played in ages or not.

Yeah, I've gotten 3 emails in the past two weeks. I haven't played in over a month.
 
I've had 2 WoW accounts. One was the BC battlechest which I played the free month and then I sold the account. This was like last year. I started getting these emails after my account was sold so I found that really odd. I then got a different account, which I also sold and never had any problems or emails until I sold it lol.

EDIT: The guy who sold me his account (the second account I had) told me he got an email from blizzard asking him information and his account being compromised the day he sold it to me. We both work in IT departments and I would say we're pretty tech savvy and careful on what we click on. He then realized that it was not actually from blizzard after tracing it. That's 3/3 on accounts sold and emails saying accounts were compromised going out instantly.

I think blizzard is doing something when the email on the account changes. Maybe they wanted to compromise accounts, so they can push the authenticator to everybody. I still think people take this game WAY too seriously with the whole authenticator thing, like it's a safe deposit or something :lol
 
Malfunky said:
I've had an account for 5 years and it's still pristine. The only way they're getting passwords has to be from phishing or trojans.

Check out this e-mail I got recently.

blizzarddd.jpg


It's from a Blizzard domain. Or it looks like it. I think it may just be some ridiculous flaw in Hotmail's name display system. I can see how people would be fooled. But I know it's not legit because I don't have an account on that e-mail address and it's asking questions they're not supposed to ask.

It's easy to make an email look like it came from anywhere. I can send you an email from Microsoft.com. There's nothing special about the SMTP system to really track this stuff.
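
A header check for the two cases raised in this exchange (a display name that shows one domain while the real address is another, and a From address that is itself forged), as an added example that is not part of either post. The three messages are constructed, `game.example` stands in for the legitimate sender's domain, and the check assumes the receiving mail server records SPF/DKIM/DMARC verdicts in an `Authentication-Results` header, which the thread does not discuss.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (reserved .example domains).
DISPLAY_NAME_TRICK = (
    'From: "Game Support <accounts@game.example>" <billing@mail.other.example>\n'
    'Authentication-Results: mx.receiver.example; spf=softfail '
    'smtp.mailfrom=mail.other.example; dkim=none; dmarc=fail header.from=mail.other.example\n'
    'Subject: Account verification required\n\nbody\n'
)
FORGED_FROM = (
    'From: Game Support <accounts@game.example>\n'
    'Authentication-Results: mx.receiver.example; spf=fail '
    'smtp.mailfrom=game.example; dkim=none; dmarc=fail header.from=game.example\n'
    'Subject: Account verification required\n\nbody\n'
)
LEGITIMATE = (
    'From: Game Support <accounts@game.example>\n'
    'Authentication-Results: mx.receiver.example; spf=pass '
    'smtp.mailfrom=game.example; dkim=pass header.d=game.example; '
    'dmarc=pass header.from=game.example\n'
    'Subject: Your receipt\n\nbody\n'
)


def inspect_sender(raw: str, expected_domain: str) -> list:
    """Return a list of findings; an empty list means nothing looked wrong."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    addr_domain = addr.rpartition("@")[2].lower()
    findings = []

    # Case 1: the display name itself contains an address from another domain,
    # which some mail clients show in place of the real sender.
    shown = {d.lower() for d in re.findall(r"@([A-Za-z0-9.-]+\.[A-Za-z]{2,})", display)}
    if shown and addr_domain not in shown:
        findings.append("display-name-shows-other-domain")

    if addr_domain != expected_domain and not addr_domain.endswith("." + expected_domain):
        findings.append("sender-domain-not-expected")

    # Case 2: the From address claims the right domain, so only the receiving
    # server's authentication verdicts can tell it apart from the real thing.
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            verdicts[method.lower()] = result.lower()
    for method in ("spf", "dkim", "dmarc"):
        if verdicts.get(method) != "pass":
            findings.append(method + "-not-pass")
    return findings


if __name__ == "__main__":
    for name, raw in [("display-name trick", DISPLAY_NAME_TRICK),
                      ("forged From", FORGED_FROM),
                      ("legitimate", LEGITIMATE)]:
        print(name, inspect_sender(raw, "game.example"))
```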
 
Nirolak said:
From personal experience I can see why this might actually be a ridiculous epidemic. I hadn't logged into my WoW account in over four years, but two days ago, apparently my account got hacked and shut down for gold selling, despite having a very secure password on it and not touching it for so many years. It seems that the account hackers at this point must be finding out account names and just brute forcing their passwords or getting a leak from inside Blizzard.

But anyway, assuming this is true, the main controversy over this would seem to be that all these authenticators cost money, and it's probably not money everyone is happy to part with.

Edit:

Since some people are asking whether I got phished or keylogged, I haven't responded to any WoW e-mails or even used that password in almost four years, so they would have had to keylog me four years ago and not used the password until now. Somehow I find this unlikely. :P
Same thing happened to me. I played for a while quit and then like 18 months later I get a letter from Blizzard saying I've been banned for damaging the economy. Guess some farmer hacked my account or something. :lol
 
There was a free week given to deactivated accounts if you reactivated them in December. It seems Gold sellers took this opportunity to hack these accounts and took the free week to cause as much trouble as possible.
 
Finally got my account back. Now have an authenticator attached to it as well. Gold seller even attached one of their own to my account (didn't have one before) so I had to get that removed as well. Thankfully there is a free app on iTunes for it as well if you have an iPhone or iPod Touch. This really pissed me off. However there is a nice positive to this. Found my account filled with crystals for some reason. My stuff was gone, all but my armor and weapons on my characters. Money cleared out except on a very low level alt I had. He was stripped as well but it seems they used that character to stash gold. :) Haven't touched it yet but it is more than I ever had. Plus each stack of these crystals will sell for a nice bit to vendors it seems. They also took my main up to level 75 so I can now enter Dalaran. I think I was at lvl 73 or 74 when I left. Got the account back in time as I'm seemingly in better shape before I was hacked. Also I have three free weeks on my account.
 