8-05-2008 @ 2:41PM
Please read the entire thread when making posts like this. The ridiculous bias by Wowinsider is getting sickening these days: "Belfaire: This is a very, very zig-zaggy 'compromise'. Pieces are falling into place with my investigation but I think it's pretty safe to say that Blizzard's security nor the security of the Authenticator are at fault." Person probably had a keylogger on his computer when he was first registering the fob, and the hacker got the serial number. Or it isn't a hack at all, and it's the owner's friend. (Yay, double of everything on the account.) Stop jumping to conclusions that the Authenticator got "hacked". Any knowledge on how the authenticator works would prove this to be near impossible (nor worth anyone's time).
8-05-2008 @ 3:13PM
Authenticators are a known product used in many places; most developers that work for any large company have one (I do), and in fact they ARE vulnerable. As long as you have one-time access to the device you are able to mimic it via software.
8-05-2008 @ 3:30PM
@NeSuKuN: one-time access to the device does NOT render the device moot, nor does it compromise the security of the device itself. One could write down every number the token produced in a week and still have 0% of what was required to compromise the token, given that the token is designed securely.

If the account was truly compromised by someone with whom the account owner had no affiliation, then this would indicate only an opening in the security policies of Blizzard, specifically the telephonic methods of getting around the token requirement by providing other identifying information. I do not know if the authenticator must be removed from an account in order to log into the game client with an account with an authenticator associated with it; the customer service rep may have provided the number necessary to log into the account in lieu of an authenticator token in hand, given successful identification.

This may also indicate a software bug on the part of Blizzard; the original post I read stated that when the account owner logged into his/her account, they were not prompted for a token passphrase, yet Blizzard says that the token was never dissociated from the account. This points to a software bug somewhere along the line in my eyes.

Note that this doesn't mean that Blizzard's security protocols were compromised; if the rep on the phone is given everything they need to authenticate someone on the other end of the line, then they've done their job, and the system has succeeded in its intent and remained secure, despite the pwnage.

If a computer is compromised to a degree that a keylogger could have obtained the serial number of the token, and all other necessary account holder information, then the fault lies with the owner of the computer from which that information was obtained, plain and simple. Having an authenticator does not mean that you are immune from keyloggers.

The bottom line here is that having an authenticator attached to your account *greatly* increases the security of the account. The authenticator itself cannot be hacked if it is based on a proven design that is less than 20 years old; saying that this is possible simply broadcasts one's lack of cryptographic expertise. One-way functions are truly one-way. Period. The humans at either end of the transaction, however, are easily manipulated.
8-05-2008 @ 4:27PM
All authenticators use "read ahead", so if you press the fob in your pocket, you can still generate usable codes. How far does the Blizz one read ahead? 512 keys? 1024? 8? What happens if you generate that many codes without using one (thereby not resynching the code generated with the acceptable codes)? If this were a keyless entry system on a car, you would have to use the key to open the door and perform an elaborate series of actions described in the manual to resynch the key. Since this is an online game, you probably have to call customer support and have them resynch the expected codes to your fob. This process could be exploited.

Next question: if your machine is compromised by a keylogger, how does having a fob prevent a man-in-the-middle attack? The software could intercept your code (and enter an incorrect one on your behalf), and use it to access your account while you're staring at an "incorrect code" error message.

Another layer of protection is good, but don't assume that this means you can stop worrying about hacking.
8-05-2008 @ 4:48PM
I don't have much to add to this topic and agree with the poster above. Tokens are another layer of security and do nothing more than *add* to a user's security. If it exposed an additional means of hacking an account, then it would be a risk, but not blocking existing hacking attempts just makes it less effective. Until a full release of the facts (not likely to happen), we have just one side of the story and no way to corroborate or exonerate the user's story. Articles such as this should try to stick to the facts, regardless of how sparse they may be, rather than jumping to conclusions based on little or no information.
8-05-2008 @ 5:05PM
Harnum. Stop. You don't understand how these work. Go read some more.
8-06-2008 @ 9:27AM
Meh, not sure if the above comment is an official Wowinsider comment, but it seems somewhat ironic and hypocritical if it is. Alas, the average WoW player is not an IT security expert, does not understand encryption, two-factor authentication, or how the Blizzard authenticator (or even an off-the-shelf VASCO fob) works, or is configured specifically at Blizzard's end. As such, pretty much every comment here is hearsay, speculation, and worthless. That sounds arrogant/patronising, but it's true. Yes, it's easy to say "it's Blizzard's fault" or "it's the user's fault" and assign blame and insults to them accordingly, but that doesn't achieve anything.

Blizzard really should find the facts out about this incident from its authentication and realm logs, make them fully public, and stop the rampant uninformed hearsay that's going on. Was the account even "hacked"? Is there proof of access and authentication from multiple IP ranges / ISPs? Is there proof of monies being transferred, and who to? Were phone calls or emails sent to Blizzard support? Of course, the same could be said of every account hacking incident, although I suspect Blizzard just doesn't have the ability to log and look back through some of this information.

Personally, I think people need to start asking the following question. Which is worse? The people hacking accounts and stealing gold, or the people buying it? IMHO Blizzard need to start cracking down on the buyers, as without them there would be no market for account hacks and farmers.