Authenticator failure revisited, Blizzard responds
We created a lot of waves with this post about Blizzard's Authenticator key allegedly failing -- as you know if you've been listening to the podcast, lots of people have emailed us with their own input on the situation, alternately thanking us for making it known that the Authenticator wasn't 100% secure, and lambasting us for being "ignorant" about how Blizzard's security token works. At the base of the story, there are two things we know are true: that someone was using the Authenticator on their account, and that they were subsequently hacked. For that reason, we've stood by the "Authenticator fails" story -- while having an Authenticator on your account is a helpful line of defense, it, like all other computer security measures, isn't a 100% guarantee against getting hacked.

Most people agree on that. Where opinions differ is in how the account was hacked -- originally, we and a few other sources speculated that the Authenticator had somehow been removed from the account in question. But now Belfaire has responded (we believe to the incident in question, though a link to our story was removed from the original post), and says that as far as he can tell, the Authenticator was not removed from the account. In fact, after the password was changed back, the Authenticator's serial key was asked for and given, so the Authenticator remained attached to the account the whole time.
Of course, that just leaves the most important question: how did the account get hacked? We've heard all kinds of insights as to how the Authenticator works (a code only lasts for 60 seconds, and supposedly each code can only be used once, so there's no way a keylogger could nab the Authenticator code and reuse it), but the fact remains that the person we're talking about was using the key, and still got hacked. One hack out of all the Authenticators sold so far is a terrific record, and could prove that, statistically, an Authenticator is as good as 100% security. But the fact remains that this person got hacked while using the key (however it was done), and if security can be broken once, it will be broken again.
Reader Comments (Page 1 of 5)
Necrotica Aug 5th 2008 2:39PM
Not much of a response... In fact, I'd say that answers absolutely nothing.
yo dizzle my bizzles Aug 5th 2008 6:34PM
I would have to file this under the "freak accident" category. Can't picture a gold farmer going through all these loopholes just to get someone's account. All the fault lies with the user. He probably had some less than scrupulous people around who could've written down the serial numbers, know his personal information, etc. I am a little saddened that wowinsider is trashing the authenticator so much when this is clearly user error.
There ain't no technology that can fix stupid, stupid.
Doubtful that many authenticator owners will get hacked unless you stand on the busiest street in town with a sign around your neck giving people all your personal info including serial number on your authenticator and the fact you have 50k gold stockpiled. Which apparently is what the victim in this story must have done.
problem solved!
Aichon Aug 5th 2008 7:43PM
As a later poster here says, WoWInsider's reporting seems to leave a little to be desired on this particular topic.
What Belfaire actually said, if you read the original topic and all of his posts, not just the linked one, is that when the password was changed on the account, the "hacker" had to provide the serial number from the backside of the Authenticator, which means that THE HACKER HAD PHYSICAL ACCESS TO THE AUTHENTICATOR. That's like giving away your car key and then being surprised when it gets stolen later, and to hear WoWInsider's reporting, it sounds like they're willing to entertain the idea that it might somehow be the car maker's fault that the car owner gave away their key.
There is NOTHING Blizzard can do if someone compromises physical access to their computer and other resources. The way this article should be reading is that the person's idiocy was finally exposed by Belfaire, in as gentle a way as possible.
Suvega Aug 5th 2008 2:41PM
Please read the entire thread when making posts like this. The ridiculous bias by Wowinsider is getting sickening these days:
"Belfaire: This is a very, very zig-zaggy "compromise". Pieces are falling into place with my investigation but I think it's pretty safe to say that Blizzard's security nor the security of the Authenticator are at fault. "
Person probably had a keylogger on his computer when he was first registering the fob, and the hacker got the serial number.
Or it isn't a hack at all, and it's the owners friend. (Yay double of everything on the account).
Stop jumping to conclusions that the Authenticator got "Hacked". Any knowledge on how the authenticator works would prove this to be near impossible. (nor worth anyone's time)
NeSuKuN Aug 5th 2008 3:13PM
Authenticators are a known product used in many places, most developers that work for any large company have one (I do) and in fact they ARE vulnerable. As long as you have one-time access to the device you are able to mimic it via software.
jeremiah johnson Aug 5th 2008 3:30PM
@NeSuKuN: one-time access to the device does NOT render the device moot, nor does it compromise the security of the device itself. One could write down every number the token produced in a week and still have 0% of what was required to compromise the token, given that the token is designed securely.
If the account was truly compromised by someone with whom the account owner had no affiliation, then this would indicate only an opening in the security policies of Blizzard, specifically the telephonic methods of getting around the token requirement by providing other identifying information. I do not know if the authenticator must be removed from an account in order to log into the game client with an account with an authenticator associated with it; the customer service rep may have provided the number necessary to log into the account in lieu of an authenticator token in hand given successful identification.
This may also indicate a software bug on the part of Blizzard; the original post I read stated that when the account owner logged into his/her account, they were not prompted for a token passphrase - yet Blizzard says that the token was never dissociated from the account. This points to a software bug somewhere along the line in my eyes.
Note that this doesn't mean that Blizzard's security protocols were compromised; if the rep on the phone is given everything they need to authenticate someone on the other end of the line, then they've done their job, and the system has succeeded in its intent and remained secure, despite the pwnage.
If a computer is compromised to a degree that a keylogger could have obtained the serial number of the token, and all other necessary account holder information, then the fault lies with the owner of the computer from which that information was obtained, plain and simple. Having an authenticator does not mean that you are immune from keyloggers.
The bottom line here is that having an authenticator attached to your account *greatly* increases the security of the account. The authenticator itself cannot be hacked if it is based on a proven design that is less than 20 years old; saying that this is possible simply broadcasts one's lack of cryptographic expertise. One-way functions are truly one-way. Period. The humans at either end of the transaction however, are easily manipulated.
Harmun Aug 5th 2008 4:27PM
All authenticators use "read ahead", so if you press the fob in your pocket, you can still generate usable codes. How far does the blizz one read ahead? 512 keys? 1024? 8?
What happens if you generate that many codes without using one (thereby not resynching the code generated with the acceptable codes)? If this were a keyless entry system on a car, you would have to use the key to open the door and perform an elaborate series of actions described in the manual to resynch the key. Since this is an online game, you probably have to call customer support and have them resynch the expected codes to your fob. This process could be exploited.
Next question- if your machine is compromised by a keylogger, how does having a fob prevent a man-in-the-middle attack? The software could intercept your code (and enter an incorrect one on your behalf), and use it to access your account while you're staring at an "incorrect code" error message.
Another layer of protection is good, but don't assume that this means you can stop worrying about hacking.
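The two mechanisms argued over above (the article's "each code can only be used once", and Harmun's questions about how far a fob "reads ahead" and what happens when it falls out of sync) can be seen in a small server-side verifier. This is an added example, not Blizzard's or Vasco's code: it assumes an RFC 4226 HOTP-style event counter as a stand-in for the fob's real algorithm, a constructed secret, and a constructed look-ahead window of 8.

```python
import hmac, hashlib, struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)

class OtpVerifier:
    """Server-side view of one token: shared secret, next expected counter, look-ahead window."""
    def __init__(self, secret: bytes, look_ahead: int = 8):
        self.secret = secret
        self.counter = 0            # next counter value the server will accept
        self.look_ahead = look_ahead

    def verify(self, code: str) -> bool:
        # Accept the expected counter or any of the next `look_ahead` values
        # (covers a fob that was pressed in a pocket without the codes being used).
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1   # move past the accepted code: it can never be replayed
                return True
        return False                   # beyond the window: token needs a resync, or the code is bogus

def demo() -> dict:
    """Walk through the cases discussed in the thread; returns each outcome by name."""
    secret = b"constructed-demo-secret"   # constructed; a real fob's seed is set at manufacture
    server = OtpVerifier(secret, look_ahead=8)
    results = {}
    first = hotp(secret, 0)
    results["fresh"] = server.verify(first)                          # True: first use
    results["replay"] = server.verify(first)                         # False: a captured code is dead
    results["skip_within_window"] = server.verify(hotp(secret, 5))   # True: codes 1..4 went unused
    results["skip_beyond_window"] = server.verify(hotp(secret, 15))  # False: fob is out of sync
    return results
```

The replay case is why a keylogged code is useless after the victim has used it; the last case is the out-of-sync state Harmun describes, which a real service has to resolve through some resync procedure.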
Sorcefire Aug 5th 2008 4:48PM
I don't have much to add to this topic and agree with the poster above. Tokens are another layer of security and do nothing more than *add* to a user's security.
If it exposed an additional means of hacking an account, then it would be a risk, but not blocking existing hacking attempts just makes it less effective.
Until a full release of the facts (not likely to happen) occurs, we have just one side of the story and no way to corroborate or exonerate the user's story.
Articles such as this should try to stick to the facts, regardless of how sparse they may be, rather than jumping to conclusions based on little or no information.
wowinsider Aug 5th 2008 5:05PM
Harmun. Stop. You don't understand how these work. Go read some more.
jrb Aug 6th 2008 9:27AM
meh, not sure if the above comment is an official wowinsider comment, but it seems somewhat ironic and hypocritical if it is.
Alas, the average WoW player is not an IT security expert, does not understand encryption, two-factor authentication, or how the Blizzard authenticator (or even an off-the-shelf Vasco fob) works, or is configured specifically at Blizzard's end. As such, pretty much every comment here is hearsay, speculation, and worthless. That sounds arrogant/patronising, but it's true. Yes, it's easy to say "it's Blizzard's fault" or "it's the user's fault" and assign blame and insults to them accordingly, but that doesn't achieve anything.
Blizzard really should find the facts out about this incident from its authentication and realm logs, make them fully public, and stop the rampant uninformed hearsay that's going on.
Was the account even "hacked"?
Is there proof of access and authentication from multiple IP ranges / ISPs?
Is there proof of monies being transferred, and who to?
Were phone calls or emails sent to blizzard support?
Of course, the same could be said of every account hacking incident, although I suspect Blizzard just doesn't have the ability to log and look back through some of this information.
Personally, I think people need to start asking the following question. Which is worse? The people hacking accounts and stealing gold, or the people buying it?
IMHO Blizzard needs to start cracking down on the buyers, as without them there would be no market for account hacks and farmers.
Suvega Aug 5th 2008 2:44PM
Some clarity to my comment:
1) Serial number is a single number affixed to the key fob. It is asked for when attaching it to an account (to identify which fob you have).
2) This is not the generated number that the fob creates.
happykansas Aug 5th 2008 2:57PM
That's what I was thinking. It would be a good assumption to assume that Blizzard uses the same algorithm in the chip and just uses the serial as the unique input. Hacker probably pulled the chip from a fob, dumped the chip's program, and just rewrote a simple script to input any serial.
Suvega Aug 5th 2008 3:11PM
1) Woo at censorship of comments on wowinsider.
2) According to the company who makes these keys, the serial number corresponds to an RSA private key in a database only accessible from Blizzard and the company who makes them.
Chances that this 'hacker' got that database are about the same likelihood that he hit up the NSA as well.
(The company that makes Blizzard keys also makes them for several high-profile companies / government agencies.)
Wimpkin Aug 5th 2008 3:13PM
This has only happened to 1 person so far, to my knowledge; it's not as though this is a worldwide panic of easy-mode account hacking. As long as there are smart, intelligent, clever-minded individuals out there, security will be an issue. If someone wants to get some information they will seize it.
Why anyone thought that by buying one it would make them 100% hack-proof is beyond me. The people who thought this seem to be very naive to the way the world works then.
A man from England is being extradited to America for hacking into the FBI, Pentagon etc. on a £200 computer in his bedroom and messing around with their files.
So that really proves my point on how no one is going to be 100% safe & secure in the digital or real world.
We can only put up extra lines of defence to protect ourselves.
Yours Knowledgeably
Arch Mage Wimpkin (the 3rd)
volborg Aug 5th 2008 2:47PM
I do have a question regarding this story.
How do you know that this has even happened? IMO a post on the forums, in particular the WoW forum, cannot be taken as true. What is your source, other than the WoW forums, that this has even happened?
How do you know that this post was not made by a keylogger who just wants to spread disbelief about the authenticator?
It is not to flame you or anything, I just would like to hear your sources.
Hope you can help
regards
Unknow
Eu dranor
Rihlsul Aug 5th 2008 2:52PM
It allegedly happened to the guild mate of a WI.com author. I believe the original link to the guild forum thread talking about it was in the original article.
Justyna Aug 5th 2008 7:22PM
Yes, it did happen. An account was hacked while the player had a working authenticator tagged on their account. The sad thing about all this was that this person received many horrible in-game tells and mail pretty much calling them a liar. If everyone would like to go on living in la-la land thinking this little device is 100% foolproof then go ahead. But for those who choose to live in reality, please continue to be cautious with account info.
Maz Aug 5th 2008 2:50PM
I did a podcast about this like... weeks ago.
Berethed Aug 5th 2008 3:00PM
Well done, you!
Sylvanra Aug 5th 2008 3:48PM
@ Berethed
You win.