Authenticator fails, removed from account without user's permission
Editor's Note: This entire situation has been debunked. The authenticator was not hacked, compromised, or forcibly removed. The account had been shared, and the authenticator along with it. Authenticators offer no security if you give them away. If you're worried about other account security myths, our own Michael Sacco has tackled them in a mythbusting series.

Think a Blizzard Authenticator will keep your account from being hacked? Think again -- we've got our first known report of someone who was protecting their account with one of Blizzard's keys and still got their character hacked down to their undies. Someone in this forum thread apparently logged out one night and logged on the next morning to find her account stripped of everything but PvP gear, and her Authenticator no longer connected to her account.
Supposedly, to deactivate an Authenticator you need to get in touch with Billing services, and reportedly they'll then ask for a notarized statement with photo ID, such as a driver's license, just to remove it. But this one was removed without any of that, and we're being told that all you might need to remove the Authenticator is the answer to the user's secret question and a CD key (or even less). In other words, the fault isn't with the technology; it seems to be with the support reps on Blizzard's side of the phone line -- if they can be convinced to remove the Authenticator, the account can then be hacked.
The little keys have been selling like hotcakes since they were released -- almost everyone has figured that $6.50 was cheap for peace of mind. But while an Authenticator still adds an extra step of security at login, the sad truth is that it hardly makes an account impermeable.
[Via BRK]
Filed under: Analysis / Opinion, Blizzard, Forums, Account Security
Reader Comments (Page 5 of 6)
slimj091 Jul 24th 2008 11:54PM
There is no way for someone to change their account secret question. Not even a Blizzard phone rep will do it for you. The same goes for the name of the person attached to the account. In fact, I was told by a GM who was recovering my toons' items after I caught a hacker in the process of vendoring my gear that the only way I could change it was to get another copy of WoW and TBC, and transfer my toons over to the new account.
The only thing that can be changed via the account management page is the password, email address (which needs to be confirmed through the previous email address before it takes), and subscription information.
Jacob Jul 24th 2008 6:31PM
At least the person that this happened to received their authenticator. I still haven't received it.
I agree with a lot of the other posters here....apparently, the system to verify a person's identity as the owner of the account to remove the token is broken and is going to require a fix.
uncaringbear Jul 24th 2008 6:38PM
Any security system is only as strong as its weakest link. Once you bring the human equation into it, any system can be compromised. It would be folly to think that the authenticator key system is 99% secure.
Glen S Schmidt Jul 24th 2008 9:22PM
I knew those authenticators were just a gimmick. Big waste of money, man...
Nightshifter Jul 24th 2008 10:48PM
They make a book so you can verify identification from other states/countries, with color pictures and descriptions of the security features. Last time I saw one was 1994, though.
Cathra Jul 24th 2008 10:50PM
Why would you want to remove the Authenticator from your account anyway? Shouldn't that be the first question the Blizzard rep asks? This person did order the Authenticator for a reason, and that's security so why take it off?
There is no real logical reason for doing so. I guess if you lose it you need to remove it for a short time, but even then, if you lose it, I'm sure Blizzard can do something for you without gimping playtime by having to wait for shipping, etc.
Any other reason I may not be thinking of atm?
slimj091 Jul 25th 2008 12:00AM
Could be any number of reasons.
1. The authenticator stopped working all of a sudden.
2. It was broken by the user (dropped, stepped on, sent through the washer).
3. The authenticator was out of sync with the Blizzard servers, preventing the user from logging on to his/her account.
Those reasons are reason enough for a Blizzard rep to remove an authenticator from the account if asked to by the account holder or someone posing as the account holder.
Jessierockeron Jul 24th 2008 10:55PM
Although the weakest links in a security system are people, that won't change the fact that consumers would rather interact with a person than a machine most of the time. So it's like 0.(a lot of zeroes)1 percent our fault.
Cacheelma Jul 25th 2008 12:07AM
I have a noob question about the authenticator.
If a keylogger logs your username, password, AND the key (or 2+ keys from multiple loggings) you put in from the authenticator (I'm assuming a keylogging program can log that, too, as you have to type it in), can the hacker then gain access to your account?
danielwest Jul 25th 2008 7:43AM
Only if they log on within the minute or so that the particular code key is valid.
Cynra Jul 25th 2008 7:45AM
The thing about the Authenticator is that the six numbers that appear on the screen are not always consistent. They sync up with numbers in a Blizzard database somewhere and refresh on a regular basis. I haven't sat down with mine and watched it to see how long, but I'm guessing that the number remains current for about thirty seconds or so.
So, even if a keylogger somehow manages to capture all of that information -- username, password, and the six-digit Authenticator number -- it would only be current until the number was refreshed. Unless the potential account thieves immediately got that information and then used it, they would find the Authenticator number out of date.
I also discovered that the Authenticator ties into accessing my account information on the official World of Warcraft website. I tried to log in from a computer other than my own (next to which sits my Authenticator) and found that I couldn't log in without that number on hand. Assuming that the Authenticator remains tied to my account that's pretty good!
baudkarma Jul 25th 2008 7:27PM
Short answer is no, even if someone keylogs a few dozen or hundred of your auth codes, that won't help them log into your account.
The code is generated using a big ol' random number stored on a chip inside the BA, and a time value generated when you push the button. The time value changes at fairly short intervals, usually 30 seconds or one minute. The code you generated five minutes ago is no longer valid. In addition, once a code is used, it's disabled for the rest of that time cycle. If I use 123456 to log in, and some hacker grabs that code and immediately tries to use it to break into my account, the authentication server won't take it because it's already been used.
The code generation algorithm is one way - even if you have the end code and you know all of steps involved in the process, you can't reverse them to figure out the starting numbers. The analogy security people like to use is a meat grinder. You can drop a hunk of beef into a grinder and turn it into hamburger, but you can't turn the hamburger back into ground beef no matter what you do.
Sylythn Jul 25th 2008 12:23AM
User's Secret Question - no problem, very often these are simple, insecure answers that can be guessed.
CD-Key - again no problem, there's probably key-gens that'll give you valid ones.
Address - please...like this isn't stored on half a million servers worldwide.
Now here's the thing that's got me going WTF? - How in his noodly appendage's name did someone manage to get those three pieces of information to match up for the same account without the user providing all of it? Note: if the user provided all this, then it's their own damn fault and I chalk it up to stupidity
Regardless of all that - technology can only protect so much, people seem to forget that good ol social engineering is still one of the best ways to crack a system.
Anon Sep 14th 2008 9:13AM
They probably got the address information by keylogging and logging into the website for the info.
DirtyPriest Jul 25th 2008 1:57AM
WHAAAAAT!?!?!? Blizzard customer service sucks!? WTF!? NO WAI!
Ktok Jul 25th 2008 2:33PM
Ever play an SOE MMO? I did for years... Blizzard's service is, swear to god, so much better than Sony's that they could pretty much knock on my door, kick me in the junk, and I'd still think they were doing a great job... just from all the crap I got used to with Sony. ><
Better than being set on fire and billed for it, of course, still has a lot of room to be pretty horrible... but... OK, for example? 10 days to get an in-game reply from a GM. 10 days! And to think people ask me to come back to EQ.
Thrush Jul 25th 2008 9:35AM
I also have an authenticator on my account, and so far it's been fine, but it makes me a little nervous. Before, I just had to remember a secure password and change it regularly. Now if I lose this little fob or it somehow gets destroyed, I have to come up with my CD key (who knows where that is) and my secret question (which I don't even remember), or else I'm locked out of the game permanently.
Bynde Jul 25th 2008 9:50AM
"Sorry, but is this a surprise to anybody? Yes, if some hacker gets access to a piece of ID, your social security number, your address, photo, CD key, and mother's maiden name, he can access your WoW account.
Also, on a possibly more relevant note, he can also access your bank account, your house, and your identity."
What he/she said.
If someone knows your CD number and your secret answer and has your authenticator key... you've got more problems than just getting all your nifty gear stolen. I dunno, like maybe your r/l bank account.
Aigarius Jul 27th 2008 8:45AM
Not in any country with secure banking systems that require the person to show up in the bank with a valid passport to make any changes that would influence the account in any real way.
All other ways to access the bank require a have/know combination (card+PIN, code calculator+PIN, ...).
In any real country personal information (address, mother's maiden name, ...) never plays any significant role in identifying a person. Only verifiable documents do.
Bynde Jul 28th 2008 8:41AM
I live in the US, which many feel to be a "real country". In fact, I know of no "unreal countries", except for places like Azeroth and Narnia. Unless I am mistaken, neither employs a CD ID key to access their computer games. YMMV.
My point was that if they can get such personal info as the CD key off the CD itself, which is presumably in their house, then maybe they've gotten access to a lot more than just a computer game.