Authenticator fails, removed from account without user's permission
Editor's Note: This entire situation has been debunked. The authenticator was not hacked, compromised, or forcefully removed. The account had been shared, and the authenticator along with it. Authenticators do not offer any security if you give it away. If you're worried about other account security myths, our own Michael Sacco has tackled them in a mythbusting series.

Think a Blizzard Authenticator will keep your account from being hacked? Think again -- we've got our first known report of someone who was protecting their account with one of Blizzard's keys, and still got their character hacked down to their undies. Someone in this forum thread apparently logged out one night and logged on the next morning to find her account stripped of everything but PvP gear, and her Authenticator no longer connected to her account.

Supposedly, to deactivate an Authenticator from an account, you need to get in touch with Billing services, and reportedly they'll then ask for a notarized statement with a picture ID, like a driver's license, just to remove the Authenticator. But obviously, this one was removed even without that, and we're being told that all you might need to remove the Authenticator is the answer to the user's secret question and a CD key (or even less). In other words, the fault isn't with the technology; it seems to be with the support reps on Blizzard's side of the phone line -- if they can be convinced to remove the Authenticator, the account can then be hacked.
The little keys have been selling like hotcakes since they were released -- almost everyone has figured that $6.50 was cheap for peace of mind. But while an Authenticator still does provide an extra step in security, the sad truth is that it hardly makes an account impermeable.
[Via BRK]
Filed under: Analysis / Opinion, Blizzard, Forums, Account Security
Reader Comments (Page 6 of 6)
Erikr Jul 25th 2008 5:40PM
I recently had a friend that re-enabled his account. After logging in for the first time in many months he found that all his gear on all 9 characters (some on different servers) was gone. He discussed this with Blizzard and they returned it saying that it must have been removed based on the account being de-activated for nearly a year.
About two weeks later he received a second email stating that an additional charge had been placed on his credit card due to a charge back that happened in March when the account was re-activated. The problem with this is he had not activated the account in March. The last time it was activated was last August and not re-opened till the beginning of July. After a couple of emails back and forth Blizzard had explained that someone activated his account back in March with false credit card info. They apologized for any inconvenience and returned the money from the charge back.
Both my friend and I are IT Security and Networking professionals, and we have come to some startling conclusions based on the evidence.
Blizzard's login servers have been hacked and are continuing to be hacked on a regular basis. My friend and I both play on a Mac, so we can absolutely rule out Virus/Spyware/other methods of attacking the client via either Hardware, OS, Software. Given also that he de-activated the account almost a year ago (six months before being hacked) and therefore there would have been no data stream for a "man in the middle" hack back in March to glean the password. Based on the evidence of his situation, and given the sheer amount of hacked accounts in recent months it is clear that Blizzard is the party that has been hacked, not the Tens/Hundreds of thousands of account holders that have been hacked already.
My guild is one of the largest on the Durotan server and in the last 2 months we have had 12-15 accounts hacked, so many in fact that we have been in contact with Blizzard to get re-assurances that we were not being targeted somehow. Given that there are over 10 million accounts and out of the sample of 300 or so accounts in my guild I would base that approximately 5-6% of the accounts have already been hacked. A number that I'm sure Blizzard will not want getting around.
Now with the above SecurID dongles being proven to be able to be worked around, I'm sure that many, like myself, will be switching from monthly credit card withdrawals to purchasable game cards so to minimize the possibility of loss.
Put another way, the biggest loss of personal and credit card information that I know of to date was somewhere near the 1 million mark (TJX corp). If what some suspect is true, and Blizzard does not come clean and tell us exactly what happened/is happening, Blizzard's suspected loss of personal and credit information could be 10 times the TJX loss.
slimj091 Jul 25th 2008 7:01PM
"My friend and I both play on a Mac, so we can absolutely rule out Virus/Spyware/other methods of attacking the client via either Hardware, OS, Software."
Just because you play on a Mac does not make you invulnerable to hackers. You would think that an "IT Security and Networking professional" would know that any system is not 100% secure no matter what the OS manufacturer says otherwise.
SolidStateMind Jul 26th 2008 11:09AM
Got something for your viewing enjoyment:
http://www.ctrlaltdel-online.com/comic.php?d=20060513
THJ Jul 28th 2008 9:46AM
riiiiiiiiiiiiiiiight.......
Nekrogasm Jul 25th 2008 8:14PM
@Badger
I never said I knew the entire you facts you tool.
Kettric Jul 26th 2008 11:28AM
I think everyone is overlooking one very important aspect of this situation: This hack required a very large investment of time and effort on the part of the hacker. Why, exactly, would an asian gold-farming operation invest the time and effort in calling Blizzard Customer Service and getting an authenticator removed? Why wouldn't they just skip that name on the list that their keylogger harvested? Was she bragging in the trade channels about how she had ten thousand gold or something? If not, I'm not buying that the proceeds from her gear would net enough money for hackers to expend the time and effort they did to get into her account.
Sorry Mr. "GM of the guild of the woman who this happened to is a member of", she may live alone with a bunch of cats, but apply Occam's Razor to simple investigative procedure: since the effort/benefit ratio was out of whack in regards to in-game gold, it is reasonable to conclude that there was a motivation at work beyond simple profit motive, and it was probably personal. And with the motive most likely being personal, this was probably perpetrated by someone she knew and who had fairly easy access to the required information.
If people want to blame 'big, bad Blizzard', then blame them for having requirements to remove the authenticator that are too weak. Either they aren't detailed enough, or a customer service rep can override them too easily, but aside from that, I think it's pretty clear that responsibility for this can be laid at the feet of the account holder, as usual.
(Oh, and crackpot theories about Blizzard's databases being hacked don't count. Trust me on this: if hackers got into Blizzard's DBs, they wouldn't be harvesting gold from players, they'd be using their credit cards and engaging in wide-spread credit card fraud.)
Pyra Jul 30th 2008 6:06PM
TBH I don't believe any of this actually happened, no gold seller is going to go to this much trouble when there are plenty of foolish insecure fish in the sea.
And if I had annoyed a friend so much they wanted to put this much effort to get back at me, I'd hope they'd try and have my cards cancelled or buy stuff off ebay rather than make me have no gear on WoW for a week or so while it gets restored.
Attention seeking victim who doesn't have an authenticator/didn't even get hacked sounds most likely, although if anyone would have all the details stolen to have an authenticator removed it's probably going to be the lady that lives alone with cats, and tells people this over the internet.
Asgaroth Jul 26th 2008 4:57PM
Don't believe the hype... It sounds like a tactic to prevent people from getting one.
THJ Jul 28th 2008 12:11AM
Here's a great article that describes the pitfalls of relying blindly on cryptography. TLDR: It's rarely brute-forced, social engineering is much faster and easier.
http://www.schneier.com/essay-028.html