only ever been hacked once..that was lotro a few yrs back,and they got at me thru the forums..took the GM 30 mins to reinstate everything.i guess the more you put yourself about the more you become a target for these scumbags.i just hope there is such a thing called karma where they get what is coming to them for doing stuff like that.

Originally posted by lickm3

Originally posted by Kendane

Thats rather arrogant to blame every user. I never bought gold, nor did I fall for any of those painfully obvious philsing emails. I even regularly scan my computer for viruses. Most likely it went to wowwiki(didn't realize it was a bad site, shame on me) and they got in sometime between my virus scans. Most likely, you were just not unlucky,

Don't forget to remind addons with phishing script inside

The thing is that it is often the users fault but far from always and people tend to assume that everyone is a moron just because 90% of the players who got hacked bought gold or were scammed (90% is a guess without any fact to back it up but it is a large percentage).

Diablo 3 will be the mostly hacked game ever since the hackers can sell the stuff for real money within the game. Every hacker in the world would like to get in on that.

If indeed someone with a physical auth got hacked it is very bad news for Blizz.

On the plus side is all your other games safe since they will focus on D3, but be sure to not have the same password for D3 as your MMOs.

Any security measure is only as useful as the user of it is intelligent.

I don't use any authenticator and never got hacked in any game. In 99% of all cases, the person who got hacked simply did something stupid. I doubt this is any different in the mentioned case.

... I love the user blame going on here.   Go back and read my post.   Sure, many users are stupid, I'm sure many of them have bought/ sold gold or something shady, HOWEVER - there is a legitimate problem present, and it all started with Diablo 3.

 

Hell, they even acknowledged in the ticket response that they see all my logins and transactions are done on a Mac, so their suggestions of Malware scanning were not valid in my case.   

 

They didn't really answer my question as to why a completely inactive account and character was accessed, stolen from and banned.   It seems they don't want to try to explain the logistics of that impossibility.  

 

Regardless, I'll give them a +10 points for the speed and ease of resolution of this issue.  (start to finish in 6 hours)

 

So blame whoever you want for whatever you want,  but this recent security breech is a Blizzard failing, having something to do DIRECTLY with Diablo 3 - end of discussion.

Originally posted by sigurd57

Hell, they even acknowledged in the ticket response that they see all my logins and transactions are done on a Mac, so their suggestions of Malware scanning were not valid in my case.   

 .

Mac has malware too! Look up flashback.

Originally posted by sigurd57

 

So blame whoever you want for whatever you want,  but this recent security breech is a Blizzard failing, having something to do DIRECTLY with Diablo 3 - end of discussion.

 You'll have to provide some sort of proof of that before I believe a word of it.

In addition to having an authenticator, you can take other precautions.

 

For example, (1) create a unique battlenet email address that you never use anywhere else for any other purpose, (2) change your password frequently and make it unique and random, and (3) use the on-screen keyboard to log in.

This is clearly a failure on blizzards end somewhere. there are just too many reports of people that are knowledgeable about computer security and have physical authenticators that are getting hacked.
I find it interesting that the hackers are able to access accounts that are inactive and have been for some time and still managed to rape the account. That suggests a larger underlying problem than a few individual users with stupid passwords being hacked

Laughing my ass off at the guy who thinks his Mac is immune to malware.

If you believe that, I've got a .DMG file to sell you.


Macs are, in my opinion, MORE vulnerable but LESS targeted. Most Mac users dot run AV software because they think they are invulnerable.


Do yourself a favor and get some av and a firewall on that Mac.



As far as on-topic discussion. It has been known for some time that there are weaknesses in a two factor authentication like the blizzard authenticator. If your machine is infected with a rootkit or A MITM attack is used (yes there are Mac rootkits please stuff that my Mac is invincible crap right now).


Beyond that, wow authenticators have been compromised before, usually because of malware though.


The authenticator uses RSA technology which has been compromised before (at the RSA end).

Beyond that, an attacker can acquire your token through a simple man in the middle attack. This would require access to the users network (either home, Internet cafe, public network, etc) or through malware.


An attacker could intercept the authenticator code and quickly use it themselves. It is not hard to accomplish if the user is already compromised.


This is a different attack, but can detail what is possible. This method has worked for years and is still active today:

I know of a method to defeat SSL secure logins without compromising the ssl encryption. In a MITM attack all data from the user is intercepted on it's way to or from the server. If you are using a secure ssl login, the attacker would be able to intercept your encrypted login details on the way to the server and pass it on. They would not be able to crack it, however.

What they can do is spoof your session certificate. This would throw up red flags for someone that really understands certificates, but most would not understand what was happening.

So, you go to the site and log in. I send you a fake certificate that I know the encryption key for, I also receive the real certificate from the server.

Your password is encrypted with the fake encryption key which I easily decrypt. I now have your password. I encrypt the password with the real encryption key and send it on to the server. You login fine and everything works, but I was able to steal your password.


This all happens almost instantaneously and is automated. It's honestly something your average script kiddie could pull off with ease. It doesn't even take much knowledge.


An authenticator is vulnerable to the same attack. It would be a simple matter to accomplish on a compromised system/network.



Just to be clear, I have never claimed that the authenticator is an impenetrable security fortress. Two factor authentication is not the be all end all of security. It reduces the likelihood of being the victim of an attack greatly. The problem is that of it is not used in tandem with other good security practices it is possible to compromise.


The authenticator itself is not a weak security tool, it is actually quite strong, but it's effectiveness can and has been compromised through indirect means.

An attack on the authenticator is likely not a direct attack on RSA secureid security, but an end-around attack that reveals the data from the authenticator.


Also, the smartphone versions are, theoretically, vulnerable to software attacks on the phone itself. Software authenticators do contain files that can compromise the security of the token.

Originally posted by Loke666

Originally posted by lickm3

Originally posted by Kendane

Thats rather arrogant to blame every user. I never bought gold, nor did I fall for any of those painfully obvious philsing emails. I even regularly scan my computer for viruses. Most likely it went to wowwiki(didn't realize it was a bad site, shame on me) and they got in sometime between my virus scans. Most likely, you were just not unlucky,

Don't forget to remind addons with phishing script inside

The thing is that it is often the users fault but far from always and people tend to assume that everyone is a moron just because 90% of the players who got hacked bought gold or were scammed (90% is a guess without any fact to back it up but it is a large percentage).

Diablo 3 will be the mostly hacked game ever since the hackers can sell the stuff for real money within the game. Every hacker in the world would like to get in on that.

If indeed someone with a physical auth got hacked it is very bad news for Blizz.

On the plus side is all your other games safe since they will focus on D3, but be sure to not have the same password for D3 as your MMOs.

That's the thing. This game is basically a wet dream for hackers. You have:

1) One of the most popular games in history

2) Made by a developer who has openly stated that it 'cannot be hacked'

3) Has a system in place for selling items for real money

There have already been multiple accounts of people getting hacked inspite of having authenticators. It's not a majority, but it isn't an isolated incident either. The game is also already being flooded by goldsellers, and there are groups working on private releases already. Basically everything Blizzard promised wouldn't happen is happening.

Another unfortunate bit of reality, is people assume that 'phishing' is the only way that hackers steal accounts, simply because it was the most popular method used in WoW. However, it's simply not true. There are a number of different ways to hijack an account. Some of which can steal your info directly, regardless of how complex your password / authenticator / encryption is. It's simply a falacy to assume that anything is hack proof, and D3 is a prime example of this.

Other interesting possibilities concerning the case in the op link:


The user is in Taiwan. Do we know if they are using a pirated copy of windows? I'd give even odds that they are, at that point they are absolutely rootkitted. No virus scan will ever detect it. Using a pirated version of windows means you are permanently compromised. Period.

If your OS is pirated, you have an undetectable rootkit on your machine. Have fun with that as your box is officially a zombie in a botnet.



This could tie in with my first guess, but also be applicable to other forms of compromise on the users end:

The attacker could use your machine as a proxy to log into the server. If your authenticator is set to detect your ip and not ask for the token every time, this is a very viable vector for bypassing the authenticator.

Blizzards servers would see the login as coming from your machine. In other words, set the authenticator to ask every single time.


There are a thousand other possibilities that don't involve compromising Blizzard at all.



I wish I could invite all of you that don't understand this stuff over to my house and show you exactly how wrong you are. Haha.

Originally posted by dubyahite


What they can do is spoof your session certificate. This would throw up red flags for someone that really understands certificates, but most would not understand what was happening.

So, you go to the site and log in. I send you a fake certificate that I know the encryption key for, I also receive the real certificate from the server.
 

 

Isn't that what Blizzard claims is currently impossible?

I think that implication is what is worrying a lot of people. Since the mass hackings imply some kind of new widespread, unknown vulnerability for flash/winodws etc., or something on Blizzards end, their silence on WHAT exactly it is, is not exactly comforting. 

What if there was a leak?

Originally posted by simplyawful

Originally posted by dubyahite


What they can do is spoof your session certificate. This would throw up red flags for someone that really understands certificates, but most would not understand what was happening.

So, you go to the site and log in. I send you a fake certificate that I know the encryption key for, I also receive the real certificate from the server.
 

 

Isn't that what Blizzard claims is currently impossible?

I think that implication is what is worrying a lot of people. Since the mass hackings imply some kind of new widespread, unknown vulnerability for flash/winodws etc., or something on Blizzards end, their silence on WHAT exactly it is, is not exactly comforting. 

What if there was a leak?

 My understanding is they can't do it on the game itself. However the forums and the game use the same password/authenticator combination. It's all lovely theory but the fact is unless your account is known to be especially valuable these scumbags overwhelmingly go for the low hanging fruit. The majority of people who do essentially nothing to protect themselves The chances of being compromised while using an authenticator and a decent antivirus are vanishingly rare.

No one who has been hacked has proven that they did not have an authenicator on the account that got hacked. Blizzard says no one got hacked that had an authenicator. It is probably just people trolling. Most of the hacked accounts were accounts that were hacked previously and the information of the user was unchanged when Diablo 3 came out. The hackers just had a field day with all the accounts with the info they had available to them.

@simplyawful

I know that it sounds similar but what I described is not, in fact, the same as the session hijacking exploit that people are claiming the game is vulnerable to.


Also, what I described is not a vulnerability within the game, but the entire thing relies on the fact that the attacker has gotten access to the user's network or system not the other way around.


The point is that this is not a server side vulnerability but a client side weakness in security.


Even IF the session hijacking thing was true (which it isn't) it would most likely be executed by gaining control over the users system not the servers. That's the part I find most funny about the session hijacking claims, it's a client side issue not a server side one.


All that aside, I am not describing session hijacking and the game client is not susceptible to such an attack. The purpose of the explanation was to describe how an authenticator might be bypassed in a similar way.

It's probably already been pointed out, but if your computer is compromised, then bypassing an authenticator is not hard to do.

Originally posted by sigurd57

Hell, they even acknowledged in the ticket response that they see all my logins and transactions are done on a Mac, so their suggestions of Malware scanning were not valid in my case.  

As said above, Mac is not immune to malware, exploits, viruses, etc.  Even the unix OS it was based on(FBSD 4.x) is not immune.  Not even hardened OS's are immune.  No OS is immune.  They are just less likely to be easily exploited.  That is, until you add vulnerable software to it, don't maintain it, or get so confident in it that you forsake good practices.  There are so many attack vectors it would be insane to ever claim immunity.  The only thing that lead to less Mac malware/viruses/worms/etc was population.  Less people using it, made it a smaller and less profitable target.  That is no longer the case.  Security is layers and good procedures/practices.  And, not even that will protect you every time.

@jesike


You realize that all of the exploits you listed in that post are client side vulnerabilities not server side right?

What was that you were saying about people here not knowing anything about security? Yeah... Thought so.


Ah who am I kidding, you've got 4 posts you won't be responding to this. Haha.

Originally posted by aesperus

The game is also already being flooded by goldsellers, and there are groups working on private releases already. Basically everything Blizzard promised wouldn't happen is happening.

When did Blizzard promise there would be no gold sellers or private server emulators?

The problem with authenticator hacks is you have to have a really sophisticated rig to handle it. You have to have such a good virus in place to spoof the client screen and grab the authenticator code which gives you the 30 second window to log into the account. Yeah it's possible, and was done before on WoW, but it isn't common. I am not sure why they have not created the registered PC or input PIN when trying to do stuff involving gold or items.