Authenticator failure revisited, Blizzard responds
We created a lot of waves with this post about Blizzard's Authenticator key allegedly failing -- as you know if you've been listening to the podcast, lots of people have emailed us with their own input on the situation, alternately thanking us for making it known that the Authenticator isn't 100% secure, and lambasting us for being "ignorant" about how Blizzard's security token works. At the base of the story, there are two things we know are true: someone was using the Authenticator on their account, and was subsequently hacked. For that reason, we've stood by the "Authenticator fails" story -- while having an Authenticator on your account is a helpful line of defense, it, like every other computer security measure, isn't a 100% guarantee against getting hacked. Most people agree on that.

Where opinions differ is in how the account was hacked -- originally, we and a few other sources speculated that the Authenticator had somehow been removed from the account in question. But now Belfaire has responded (we believe to the incident in question, though a link to our story was removed from the original post), and says that as far as he can tell, the Authenticator was not removed from the account. In fact, after the password was changed back, the Authenticator's serial key was asked for and given, so the Authenticator remained attached to the account the whole time.
Of course, that just leaves the most important question: how did the account get hacked? We've heard all kinds of insights as to how the Authenticator works (each code lasts only 60 seconds, and supposedly each code can be used only once, so there's no way a keylogger could grab an Authenticator code and reuse it), but the fact remains that the person we're talking about was using the key, and still got hacked. One hack out of all the Authenticators sold so far is a terrific record, and could prove that, statistically, an Authenticator is as good as 100% security. But the fact remains that this person got hacked while using the key (however it was done), and if security can be broken once, it will be broken again.
Reader Comments (Page 2 of 5)
jbodar Aug 5th 2008 4:14PM
*gives Maz a cookie & juice box and pats him on the head*
Rihlsul Aug 5th 2008 2:53PM
I maintain that the weakest link in security is in the Chair to Keyboard interface.
Yup, I said it. PEBKAC.
Hank Aug 5th 2008 2:56PM
The authenticator works like RSA's SecurID. There is only ONE way to break it, and that is to have the serial number. So the serial number on the affected authenticator was compromised.
No authenticator will display the same number twice, and no two authenticators will ever have the same number displayed. The serial number is tied to your login account in most cases. In older implementations, you had a dual login, first with your network account, and again with your SecurID (SN and random code)
These are used by major corporations and financial institutions, and to my knowledge, as long as the 'key' is in the possession of the proper person, there has never been a breach.
Blake Aug 5th 2008 3:22PM
"No authenticator will display the same number twice, and no two authenticators will ever have the same number displayed."
Given it's a 6 digit number, both assumptions are patently false. Assuming 1,000,000 possible numbers, it would take 694 days for all numbers to be used up - and then what? The authenticator explodes?
Also assuming that there are more than 1,000,000 authenticators in use (maybe not yet, but there will be at some point), at any point in time, more than one authenticator will display the same code.
Given that, I still don't know how much we can 100% trust this "source" that says his account was hacked with an authenticator. Given that the authenticator was never removed from the account, you have to assume that whoever hacked the account had access to the authenticator.
jeremiah johnson Aug 6th 2008 3:52AM
@Blake: this is why tokens have expiration dates. Even so, sometimes the numbers repeat, but even knowing which numbers have been shown in the past gives you zero ability to predict what the next number will be.
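The three comments above argue about how a SecurID-style token behaves: whether a code can be used twice, whether two tokens can ever show the same number, and whether past codes help predict the next one. The following is an added example written for this page, not Blizzard's or RSA's code, of a generic time-based one-time password in the style of RFC 4226/6238 (HMAC-SHA1, 6 digits, 60-second step to match the lifetime the article mentions). It assumes the constructed secret `SECRET`, which is the RFC 4226 test-vector key, so the first outputs are checkable against that RFC. It shows the two defender-side facts that settle the argument: the server, not the token, is what makes a code single-use (by refusing any time step at or before the last one it accepted), and nothing stops two unrelated tokens from displaying the same six digits at the same moment, because only a million values exist.

```python
import hashlib
import hmac
import struct
import time

TIME_STEP = 60   # seconds per code; assumption taken from the article's "60 seconds"
DIGITS = 6       # six-digit display, as discussed in the comments
SECRET = b"12345678901234567890"  # constructed: RFC 4226 test-vector key, not a real token's seed


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = TIME_STEP) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from wall-clock time."""
    return hotp(secret, now // step)


class TokenVerifier:
    """Server-side check for one enrolled token.

    Accepts a code for the current step or one step either side (clock skew),
    and never accepts a step at or before the last accepted one. That second
    rule is what makes a captured code worthless after its first use; the
    token itself has no memory of what it displayed.
    """

    def __init__(self, secret: bytes, step: int = TIME_STEP, skew: int = 1):
        self.secret = secret
        self.step = step
        self.skew = skew
        self.last_accepted_counter = -1

    def verify(self, code: str, now: int) -> bool:
        counter = now // self.step
        for candidate in range(counter - self.skew, counter + self.skew + 1):
            if candidate <= self.last_accepted_counter:
                continue  # replay or stale step: refuse without even computing it
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_accepted_counter = candidate
                return True
        return False


def find_shared_code(counter: int, max_tries: int = 20000):
    """Find two distinct constructed secrets whose tokens show the same code at one step.

    With only 10**6 possible codes, a birthday collision is expected after
    roughly 1,200 tokens, so this returns quickly. Returns (secret_a, secret_b, code).
    """
    seen = {}
    for i in range(max_tries):
        secret = b"constructed-seed-%d" % i
        code = hotp(secret, counter)
        if code in seen:
            return seen[code], secret, code
        seen[code] = secret
    return None


if __name__ == "__main__":
    now = int(time.time())
    code = totp(SECRET, now)
    verifier = TokenVerifier(SECRET)
    print("code now:", code)
    print("first use accepted:", verifier.verify(code, now))
    print("replay accepted:   ", verifier.verify(code, now + 5))
    a, b, shared = find_shared_code(now // TIME_STEP)
    print("two different tokens showing", shared, ":", a, b)
```

The replay refusal lives entirely in `TokenVerifier.last_accepted_counter`; a service that skipped that bookkeeping would happily accept a phished code a second time within the same 60-second window. The collision search does not weaken anything, since guessing which of a million codes a given account expects right now is still a one-in-a-million shot per step, but it does show that "no two authenticators will ever show the same number" cannot be literally true.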
Jam Aug 5th 2008 3:09PM
Has anyone considered the possibility that the person who was hacked is in cahoots with some notorious account stealing organisation? After all, there is apparently millions if not billions of dollars in this virtual economy. Imagine if you will the person in question is somehow linked to one of these organisations and they see these authenticators as a threat to their business.
What's the best and cheapest way to get around the authenticator? - Obviously to lay seeds of doubt in the community that they actually offer no protection at all. Even the Moderators on the forum are saying that the Key was used in access of the account; it's very unlikely the Keys were already hacked, they haven't been out that long and there aren't that many available to test with anyway.
Again I'm not saying I know anything (cause I don't) but what I am saying is we should at least consider the possibility that this was a planned hack to discourage people from buying and linking these to their accounts.
Me personally as soon as one becomes available I'm buying one.
joggoms Aug 5th 2008 3:09PM
I think people forget to think about angry (neglected for WoW) spouses and jerk friends or relatives who hack people's accounts. Obviously if someone had access to the key fob it would be a meaningless line of defense.
Of course, we never get those details from the OMG I WAZ HAX stories, but I bet it is fairly common.
Jeremy Aug 5th 2008 3:27PM
Exactly; it looks like someone got a hold of the authenticator and used it to "hack" the account [if it even happened in the first place].
Now, it's possible that Blizzard messed something up, like logging in with an old version of the client, or somesuch, bypassed the need for the Authenticator code, and I would hope they are looking closely into this. Barring that, though, I think it's very naive of people to think the Authenticator was cracked.
dpoyesac Aug 5th 2008 3:12PM
Every hack ever can be attributable to (some degree of) human error. Where there is no human error -- AT ALL -- there can be no hacking and no security breaches.
Something like the Authenticator simply reduces the number of possible errors we fallible humans can make from 'several' to 'a few'. There is no possibility that any technological fix will ever reduce the number of possible human errors to 'none'. At best, there can be technological solutions that reduce the possible number of human errors to such a low number that it isn't worth the time or energy to find and exploit them.
So, to reiterate the valuable life lesson learned here: "statistically, an Authenticator is good as 100% security" and that is as good as you can hope for.
Arpz Aug 5th 2008 3:25PM
Used to actually 'phish' AOL internal staff accounts that used RSA SecurID. It's entirely possible to have someone tell you the result of something on a keyfob, even if it does change every 60 seconds. It's social engineering, I'm not saying it happened here, but it's really just an extension of the normal kind of web-form scams you see.
Verit Aug 5th 2008 3:29PM
What's scary is that customer service was contacted - they wanted the serial number off the back of the authenticator and it "was provided" - *blink* - how did these guys get this serial?
Only way I can think is either the customer did this and didn't own up to it, or ... the attacker got the serial somehow - which is far more frightening.
jeremiah johnson Aug 5th 2008 3:36PM
Allow me to point anyone who doesn't understand weaknesses of two-factor authentication to this:
http://www.schneier.com/blog/archives/2005/03/the_failure_of.html
Dringo Aug 5th 2008 3:44PM
this is all hush hush and absolute bs there is no proof yet shown in any of the "omg i had an authenticator linked to my account and was hacked"-threads...
Maz Aug 5th 2008 3:41PM
I actually spoke to a friend in the field a while ago...
I have to check my notes, but off the top of my head... there are a few workarounds to the algorithm. Not a lot and it's not applicable to every key... but a few keys can be reverse engineered based on two keycode+time inputs.
The system's not perfect by a longshot. Just more secure.
Frank Aug 5th 2008 3:43PM
i'm still calling shenanigans. has anyone ever heard directly from the person who claimed to have been hacked? even this belfaire person says that as far as their investigation has shown so far, neither blizzard nor the authenticator are at fault.
thanks for spreading FUD, wowinsider.
Wowie Aug 5th 2008 4:10PM
Here's a thread where they comment on it to their guild (link found in the first article about it here). They removed their original post, but there are comments from them further in the thread. Interesting that they say (of their authenticator) "It was active when I logged in last night, but doesn't appear to be tied to my account anymore." Belfaire says, "I can say with 100% certainty that the Authenticator was never removed from the account in question."
Peculiar. Did they make that part up, about the authenticator having been removed from their account? Were they just confused?
In any case, the most likely thing is they got hacked by someone with access to their authenticator. If they're the only one with access to the authenticator, as they seem to suggest, then I would hate to suggest they hacked themselves, but I've heard stranger things.
Wowie Aug 5th 2008 4:13PM
Link html was removed, so here it is: http://aetherialcircle.com/forums/viewtopic.php?t=2266
Randy Aug 5th 2008 3:46PM
I'm calling my original theory when I first heard about this. I'm gonna say one of this person's friends or someone who knows him and his password (maybe the reason he got the thing in the first place) nabbed the authenticator and used it to quickly change his password. Since the serial key was provided, whoever did it had to have the authenticator or a picture of that particular one. This can be chalked up to a WoW version of ID theft, and for anyone familiar with any identity theft, the person committing the act is usually a friend/relative of the victim. That's just a documented fact.
mufee Aug 5th 2008 3:57PM
Paranoia
Wikipedia
wowinsider Aug 5th 2008 3:53PM
Mike, before you continue this asinine crusade, speak to a security expert. You're in way over your head here and you're dangerously close to libel. Seriously.