Authenticator fails, removed from account without user's permission
Editor's Note: This entire situation has been debunked. The authenticator was not hacked, compromised, or forcefully removed. The account had been shared, and the authenticator along with it. Authenticators do not offer any security if you give them away. If you're worried about other account security myths, our own Michael Sacco has tackled them in a mythbusting series.

Think a Blizzard Authenticator will keep your account from being hacked? Think again -- we've got our first known report of someone who was protecting their account with one of Blizzard's keys, and still got their character hacked down to their undies. Someone in this forum thread apparently logged out one night and logged on the next morning to find her account stripped of everything but PvP gear, and her Authenticator no longer connected to her account.
Supposedly, to deactivate an Authenticator from an account, you need to get in touch with Billing services, and reportedly they'll then ask for a notarized statement with a picture, like a driver's license, just to remove the Authenticator. But obviously, this one was removed even without that, and we're being told that all you might need to remove the Authenticator is the answer to the user's secret question and a CD key (or even less). In other words, the fault isn't with the technology, it seems to be with the support reps on Blizzard's side of the phone line -- if they can be convinced to remove the Authenticator, the account can then be hacked.
The little keys have been selling like hotcakes since they were released -- almost everyone has figured that $6.50 was cheap for peace of mind. But while an Authenticator still does provide an extra step in security, the sad truth is that it hardly makes an account impermeable.
[Via BRK]
Filed under: Analysis / Opinion, Blizzard, Forums, Account Security
Reader Comments (Page 4 of 6)
PsychoChris Jul 24th 2008 3:21PM
Who cares that the protocol was not followed... the protocol is what has and will fail! Does Blizzard know what you look like? Does Blizzard have a single document with your signature? Answer: NO
You want a secure account... it starts and ends with a secure PC (or Mac).
If Blizzard really wants to stop hacks they need to start officially “supporting” the popular add-ons and providing a secure site to load them from. Until that happens accounts will forever be at risk.
Feldur Jul 25th 2008 10:26AM
Say what? Addons are incapable of doing I/O except to saved variables, and they don't load until well after you've typed the password and the authenticator code. Whatever happened in the case cited in the article, it wasn't the fault of an addon.
The *closest* your comment gets to being on topic is that there have and can be problems with the automatic updaters some sites promote, and some of the addon sites have had malware injected (such as through hosted advertising). If you use an autoupdater, which is an exe on a PC, you're an idiot asking to be owned. That exe could contain anything, and you have no way to know.
Beyond that, Blizz would only be better protected against malware injection if their site staff is well trained in security procedures. There's nothing inherent in owning the game IP that would make their site more secure.
My vote for what happened is a combination of a keylogger and a mistake by a support rep.
PsychoChris Jul 25th 2008 11:32AM
Well, you say my thread is off point and then go ahead and exemplify exactly why it is in fact on point...thx
Anyway. To clarify, my point is that the authenticator was a poor attempt to bandaid a severed limb that is account security. The "add-ons" in WoW have and always will be the "hackers" best friend and front door in. Every account that is or will be hacked starts with the user opening the door for key-loggers, etc, by downloading malicious addons or files.
I absolutely agree that users are 95% at fault by not knowing the source of their files and their contents. But, most WoW players are not coding geniuses and simply have to trust "unreliable" sources to get addons. Do you check the code and files in your Omen.zip when it comes across? Would you know a key logger exe if it were in there? I know I wouldn't. All I am suggesting is that Blizzard provides secure addons.
MechChef Jul 24th 2008 3:46PM
The impression I'm getting is this whole new system is more Shield-spec shaman than prot-warrior.
darian Jul 24th 2008 4:02PM
Eh, this is like a parity check. There's no guarantee it'll work 100% of the time, just 99.9% of the time.
If a support rep was socially engineered or lazy, Blizzard will crack down on their staff. It doesn't pay to have bad PR about the Authenticators. If the hacker genuinely managed to get all of the information mentioned, there's absolutely nothing they could have done.
Nekrogasm Jul 24th 2008 3:49PM
I lol'd irl when I read this post. So basically this person is making this story up and is saying woe me now. The other alternative is that this person invited over a douche bag or made one of their friends mad that had access to their house. They got their account info by installing a keylogger locally or the hackee had their user/pass written down where anyone could see it. Maybe the hackee gave up their info to someone else who also played on the account? Then the hackee said "I gotta go poop" so the hacker wrote down their cd key and knew their name and address.
The problem is the user and not the system so much. I am not a fan of how you can change your info and not be logged out but being booted from a raid in the middle of a boss fight really sucks. The bright side is that you know something is wrong and you are gonna get all your stuff compromised.
Badger Jul 24th 2008 4:10PM
It's amazing that you know every single detail of the story, as viewed from the perspective of every party involved, without actually being involved in the slightest.
You have no idea what actually happened, nor do you know who is responsible, so don't bother stating your theory as a fact.
Quickshiv Jul 24th 2008 4:10PM
Once again people are not reading the article. I understand most blogs are written at a 6th grade level so if you don't meet the requirements have someone explain it to you before you post. Here, read it again.
"they'll then ask for a notarized statement with a picture,"
Notice the word "notarized"? That means you have to drag your butt to a notary and have them verify that you are who you say you are and they stamp your license copy and sign it. I would also guess the letter has to come from the notary. Then Blizzard can verify you and the notary if they so choose. Now this seems kind of excessive to me but that is what the article says. Could the notary stamp be forged? Sure, but now you have another layer of security. I highly doubt that if Blizzard followed this practice any account thief would take the time to do all this. I also doubt that Blizzard is going to require you to get a copy notarized but again that's what the article says they are doing and I am sure WoW Insider does fact checking. Ok, WoW Insider probably doesn't but let's assume they do.
Badger Jul 24th 2008 4:12PM
I don't know where the whole "Notarized" thing comes from. A friend had her account hacked only a few short months ago, and all she had to do was fax in a signed letter from some template and provide a copy of her Military ID.
jtrain Jul 24th 2008 4:10PM
"I am asking that folks please refrain from blogging / posting / x-posting this until the investigation is complete. Until we know what happened there is no point in making accusations of what failed.. and indeed it is far more likely that it was something on my end than Blizz's.
Comment by Falkara — July 24, 2008"
So before we all grab our pitchforks and march to the Blizzard offices, let's wait and see what actually happened. Sounds like the OP of this article thinks she was to blame....imagine that.
deviationer Jul 24th 2008 4:33PM
I smell some BS here. What I guess is the person that took control of the account used social engineering to get the Blizzard rep to remove it. So the fault isn't of the device, it's of Blizzard's phone support staff.
Also, WoW Insider, how about you find out for sure what happened, you know, ask Blizzard for an official response, before posting crap like this. All their PR department, if you don't get a reply, then post crap.
deviationer Jul 24th 2008 4:34PM
All -> Call*
Metalmnky Jul 24th 2008 4:45PM
I didn't even know there was a secret question for WoW, but it's been like four years since I set up my account. Didn't even think I would be playing this long lol. Is there any way to change your secret question?
Ravenblight Jul 24th 2008 7:41PM
There is no way to change your secret question.
Even if someone figures out your answer, Blizzard refuses to change it.
Metalmnky Jul 24th 2008 8:15PM
Well, that's kind of lame, but I probably should have kept track of that information.
arcady0 Jul 24th 2008 5:18PM
If the CD key is stored in a file anywhere on your computer, that would be one way how they got it.
I don't know if that is the case for WoW, but it is for many if not most PC applications.
npm Jul 24th 2008 5:19PM
I'd say there are 3 likely scenarios.
1) The user was tricked out of her info that was used to remove the authenticator via social engineering.
2) The blizzard employee didn't follow proper procedures.
3) Someone inside Blizzard is hacking.
Either way it seems quite likely that Blizzard can track down #2 or #3 and handle it.
I agree it'd be neat if WoW Insider could do a little investigative reporting on this. Go interview someone at Blizzard. WI is highly read, I'd think this would be a wonderful opportunity to communicate with the public on this matter.
Naix Jul 24th 2008 5:45PM
People are the weakest link in any security system. Any professional security expert will tell you that.
Tyranor Jul 24th 2008 5:58PM
Sorry, but is this a surprise to anybody? Yes, if some hacker gets access to a piece of ID, your social security number, your address, photo, CD key, and mother's maiden name, he can access your WoW account.
Also, on a possibly more relevant note, he can also access your bank account, your house, and your identity.
baudkarma Jul 24th 2008 6:28PM
Actually, this could have been a combination of failures. The account might have been compromised a couple of months ago with a keylogger. The hacker goes to account management, changes the contact info and secret question and stuff, but they don't harvest the account right away.
Then when it's time to take the keylogger off, the hacker knows everything but the CD key. Maybe they can talk the Bliz employee into letting them in, since they know everything else. Maybe they just spout off a random CD key and the employee doesn't bother to actually check it.
I've got another question, though. The person whose account was hacked is apparently female. Presumably they have a female name in their account info. So how does it work if the person on the other end of the line from tech support has a deep bass voice, but claims their name is "Laura" and they need help with their account?