Authenticator failure revisited, Blizzard responds
We created a lot of waves with this post about Blizzard's Authenticator key allegedly failing. As you know if you've been listening to the podcast, lots of people have emailed us with their own input on the situation, alternately thanking us for making it known that the Authenticator isn't 100% secure and lambasting us for being "ignorant" about how Blizzard's security token works.

At the base of the story, two things we know are true: someone was using the Authenticator on their account, and that account was subsequently hacked. For that reason we've stood by the "Authenticator fails" story: having an Authenticator on your account is a helpful line of defense, but like every other computer security measure it isn't a 100% guarantee against getting hacked. Most people agree on that.

Where opinions differ is in how the account was hacked. Originally, we and a few other sources speculated that the Authenticator had somehow been removed from the account in question. But now Belfaire has responded (we believe to the incident in question, though a link to our story was removed from the original post), and says that as far as he can tell, the Authenticator was not removed from the account. In fact, after the password was changed back, the Authenticator's serial key was asked for and given, so the Authenticator remained attached to the account the whole time.
Of course, that leaves the most important question: how did the account get hacked? We've heard all kinds of insights into how the Authenticator works (a code is only good for 60 seconds, and supposedly each code can be used only once, so a keylogger can't capture a code and reuse it later), but the fact remains that the person we're talking about was using the key and still got hacked. Note that what the one-time code rules out is replay of a captured code; it does not by itself rule out malware or a man-in-the-middle that forwards the password and code to the real login server in real time, within that window, in place of the player. We don't know that that is what happened here. One hack out of all the Authenticators sold so far is a terrific record, and statistically it makes the Authenticator close to 100% security. But this person got hacked while using the key (however it was done), and if security can be broken once, it will be broken again.
Filed under: Items, Analysis / Opinion, Blizzard, News items, Account Security
Reader Comments (Page 5 of 5)
jbodar Aug 6th 2008 7:05AM
I'm fairly sure that Authenticator keys are single-use and they expire in 60 seconds. So wouldn't the attacker have to be using some type of man in the middle attack to prevent the credentials from reaching the login server if he was keylogging? In addition, there is no discernible pattern to the codes, since it is a list of codes, not an algorithm.
The more likely answer, as you said, is physical security failure. It could have been a combination of both -- a keylogger to steal login/pass, and "borrowing" the Authenticator for the code. Still only a guess though...
Ian Aug 6th 2008 7:29AM
Mike,
Please take the time to read about security before spreading this FUD.
The only way that account could have been compromised is either by social engineering (someone managed to get physical access to the "hacked" person's authenticator to log in) or from a "man in the middle" vector; such as for example a poisoned DNS cache that redirects the WoW login to a fake server, capturing details before passing it onto the real Blizzard servers, but even in that case (a) it would have to be a very fast one-time attack as the authenticator token would rotate within the minute and (b) it would require a trojan to have been installed on the client computer in the first place. Either situation still points to the user being at fault, either for passing on their account and fob to a "trusted" colleague or for not being vigilant on the malware front. The problem is most definitely not with Blizzard or the Authenticator system which you so clearly show little to no knowledge of understanding.
These keyfobs have been around for a long time and there is little to no evidence of them being circumvented without MiM or Trojans, which is probably why they are used by a lot of government agencies as part of their VPN authentication (e.g. my mate's dad who is an FBI agent uses an RSA fob). They are hardware-oriented and as such very difficult to tamper with.
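The article's parenthetical about 60-second, single-use codes, and jbodar's and Ian's comments above about replay versus a fast man-in-the-middle, all turn on one distinction: a one-time code stops an attacker from reusing a captured code, but not from forwarding it to the real server inside the validity window, before the victim's own attempt arrives. The following is an added simulation written for this page, not Blizzard's or VASCO's code; the real Authenticator's algorithm, secret and exact window are not given anywhere on the page, so the HMAC-SHA1 time-step construction (RFC 4226/6238 style), the 60-second window, the secret and the timestamps are all assumptions or constructed values.

```python
"""Simulation of a time-based one-time-code login and two attacks on it.

Added illustration only. Assumptions: HMAC-SHA1 over a 60-second time step
(RFC 4226 truncation, RFC 6238 time step), a server that accepts each time
step's code at most once, and constructed secret/timestamps.
"""
import hashlib
import hmac
import struct

WINDOW_SECONDS = 60  # assumed window; the article says codes last 60 seconds


def totp_code(secret: bytes, now: float, window: int = WINDOW_SECONDS) -> str:
    """Six-digit code for the time step containing `now` (RFC 6238 style)."""
    step = int(now // window)
    msg = struct.pack(">Q", step)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation
    chunk = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{chunk % 1_000_000:06d}"


class LoginServer:
    """Checks password + code; every time step's code is accepted at most once."""

    def __init__(self, password: str, secret: bytes) -> None:
        self.password = password
        self.secret = secret
        self.last_step = -1  # highest time step whose code was already consumed

    def login(self, password: str, code: str, now: float) -> bool:
        if password != self.password:
            return False
        step = int(now // WINDOW_SECONDS)
        if step <= self.last_step:
            return False  # single use: a code from this (or an older) step was already used
        if not hmac.compare_digest(code, totp_code(self.secret, now)):
            return False  # wrong or expired code
        self.last_step = step
        return True


def simulate() -> dict:
    """Victim logs in; keylogger replays later (fails); malware relays live (succeeds)."""
    secret = b"constructed-demo-secret"  # constructed, not a real Authenticator secret
    pw = "hunter2"                        # constructed password
    server = LoginServer(pw, secret)
    t0 = 1_000 * WINDOW_SECONDS + 5       # constructed timestamp, 5 s into a window
    code0 = totp_code(secret, t0)

    r = {}
    # A keylogger captures pw and code0 as the victim logs in normally.
    r["victim_login"] = server.login(pw, code0, t0)
    # Replaying the captured code, even inside the same window, is refused (single use).
    r["replay_same_window"] = server.login(pw, code0, t0 + 10)
    # Replaying it minutes later fails too: the time step has moved on.
    r["replay_later"] = server.login(pw, code0, t0 + 3 * WINDOW_SECONDS)

    # Live relay: malware on the client (or a poisoned-DNS fake server) holds the
    # victim's login and forwards pw + fresh code to the real server first.
    t1 = t0 + 5 * WINDOW_SECONDS
    code1 = totp_code(secret, t1)
    r["relay_attacker_first"] = server.login(pw, code1, t1 + 1)   # attacker gets in
    r["relay_victim_second"] = server.login(pw, code1, t1 + 2)    # victim sees "code already used"
    return r


if __name__ == "__main__":
    for name, ok in simulate().items():
        print(f"{name:24s} {'accepted' if ok else 'rejected'}")
```

The point the simulation makes is the one both commenters reach: the single-use check defeats every replay, but nothing in the server can distinguish a code typed by the player from the same code forwarded a second later by whoever sits between the player and the login server, which is why "the Authenticator was still attached" and "the account was hacked" are not contradictory.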
Dean Aug 6th 2008 11:56AM
Yeah this is getting ridiculous. The authenticator isn't 100% safe. No shit. Nothing is. You leave it out on your desk or someone nicks it, of course there's an issue. Yes, the article isn't libellous and it does stick to the facts, but the selective choice of facts makes it seem like very lazy journalism. The fact that not once in the article is it suggested that one possibility was a 'friend' borrowing it, and instead suggesting it was done with some clever hacking, sounds misleading.
It's like if a bank robber holds a cop at gunpoint and tells them to remove their bullet proof vest or they'll shoot them in the head. The cop does, and the robber shoots them in the chest. WoWInsider: "Bullet proof vest fails to stop bullet".