6-28-2008 @ 4:09AM
I fear it's only a matter of time before that will be cracked and keyloggers start to log the dongle code as well. Then it will be only a matter of sending that same code along with the login and voila epix sharded.
6-28-2008 @ 4:15AM
Well, considering many small-frame companies use these security features (my father's company for example), and they have yet to be hacked by anyone, especially competitors, I doubt that such a quality company like Blizzard would use some "cheap-o" brand of code that can be easily cracked.
6-28-2008 @ 6:41AM
Keyloggers won't defeat these little keyfobs. They give a different code every time you press the button, based on an initial "key" known to Blizzard and the breakdown of an isotope. Without knowing the initial key and the time the sequence started, there's currently no way around them. These dongles are used in high-security applications including secure network access and internet banking, it's quite surprising to see them rolled out for a computer game.
6-28-2008 @ 4:24AM
These people are software engineers making their living by stealing accounts. The motivation and skill for cracking these things is something completely different than on small businesses having a look at their competition. The only truly secure login would be a limited amount of codes on a piece of paper that only work once.
6-28-2008 @ 4:34AM
Due to the nature of One-Time Pad encryption, even a keylogger would only work if the person running the logger logged in within the couple of minutes before the password expired... and really, if that happened, you'd be able to notice (since you'd get kicked off) and could log in repeatedly until the password changed, thereby preventing the thief from making use of your password.
6-28-2008 @ 4:37AM
This type of security device can't exactly be keylogged. Sure your username and password can be, but as long as you have it and activated within your account, it would be extremely hard to break. Basically every 60 seconds the key dongle will generate a random number. The server will generate the same random number at the same time. So say they keylog your security code, in 60 seconds time, it will no longer be valid. Basically, unless they can come up with a way to brute force out all the possibilities of a 6 digit number in 60 seconds, then they are screwed. And even that can be limited by Blizzard. They can put a login attempt limit on the account. So if more than 5 attempts happen within any 60 second period it freezes the account for an hour.
6-28-2008 @ 4:38AM
Errr the whole point of these things is they do generate 1 time only keys, that, even with knowing all the previous keys, you cannot find out the next one. That's the way they work, key gets generated, lasts 1 minute, can only be used once, once 1 min is gone, key is void, never created again. And knowing all the keys that have come before, you can't know what key is coming up next.
6-28-2008 @ 4:47AM
Thank you. It's a better system than I thought then. It seems then the only way to break it would be to solve the way the numbers are generated. Will definitely be getting me one! :)
6-28-2008 @ 5:23AM
i don't know if these will be 100% secure... i've worked with encryption a bit and know that most successful attacks aren't against the encryption. that said, i'll probably buy one... but trust it without reservation? nope.
6-28-2008 @ 8:51PM
Similar devices have been defeated. One of the attacks is called man in the middle - it amounts to getting into the network flow between user and server, and letting you compromise things for yourself. It can be done, such as by a successful hack of the DNS servers. Likely? I don't know. Possible? Yes, and without compromising your computer itself. Don't ever think there's going to be uncrackable security.
6-29-2008 @ 10:53AM
You honestly have no idea what you're talking about Feldur. A man in the middle attack would do about the same as a keylogger: You log in to the fake server, pass them your info, and then they would use this info to log into your account. The problem with this is that they still can't generate your one-time code, which changes every 60 seconds. Unless they were sitting there, logging in THE MOMENT you gave them the info, they'd be SOL.
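Added example, not part of any comment above and not Blizzard's code: a server-side check for the properties the thread describes (a 6-digit code per 60-second window, single use, and a freeze after more than 5 failed attempts in 60 seconds). The HMAC-SHA1 derivation in the style of RFC 4226/6238 is an assumption, since the page does not say how the Authenticator computes its codes; all names are hypothetical.

```python
import hashlib
import hmac
import struct

STEP = 60         # seconds a code stays valid, as the commenters describe
MAX_FAILS = 5     # failed attempts tolerated per 60 s before freezing
LOCK_SECS = 3600  # freeze duration: one hour


def code_at(secret: bytes, now: float) -> str:
    """Six-digit code for the window containing `now` (assumed HOTP-style)."""
    counter = struct.pack(">Q", int(now) // STEP)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


class Verifier:
    """Per-account server state: shared secret, replay guard, lockout."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_used = -1       # last window in which a code was accepted
        self.fails = []           # timestamps of recent failed attempts
        self.locked_until = 0.0

    def login(self, code: str, now: float) -> str:
        if now < self.locked_until:
            return "locked"
        window = int(now) // STEP
        expected = code_at(self.secret, now)
        good = hmac.compare_digest(code.encode(), expected.encode())
        if good and window > self.last_used:
            self.last_used = window  # burn the code: one login per window
            self.fails.clear()
            return "ok"
        if good:
            return "replayed"        # a logged code sent a second time
        self.fails = [t for t in self.fails if now - t < STEP] + [now]
        if len(self.fails) > MAX_FAILS:
            self.locked_until = now + LOCK_SECS
        return "rejected"
```

The replay guard only stops a code from being accepted twice; a code relayed to the real server before the user's own login reaches it is still that window's first use, which is the case the last two comments argue about.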