8-05-2008 @ 3:30PM
@NeSuKuN: one-time access to the device does NOT render the device moot, nor does it compromise the security of the device itself. One could write down every number the token produced in a week and still have 0% of what was required to compromise the token, given that the token is designed securely.

If the account was truly compromised by someone with whom the account owner had no affiliation, then this would indicate only an opening in the security policies of Blizzard, specifically the telephonic methods of getting around the token requirement by providing other identifying information. I do not know if the authenticator must be removed from an account in order to log into the game client with an account with an authenticator associated with it; the customer service rep may have provided the number necessary to log into the account in lieu of an authenticator token in hand given successful identification.

This may also indicate a software bug on the part of Blizzard; the original post I read stated that when the account owner logged into his/her account, they were not prompted for a token passphrase - yet Blizzard says that the token was never dissociated from the account. This points to a software bug somewhere along the line in my eyes.

Note that this doesn't mean that Blizzard's security protocols were compromised; if the rep on the phone is given everything they need to authenticate someone on the other end of the line, then they've done their job, and the system has succeeded in its intent and remained secure, despite the pwnage.

If a computer is compromised to a degree that a keylogger could have obtained the serial number of the token, and all other necessary account holder information, then the fault lies with the owner of the computer from which that information was obtained, plain and simple. Having an authenticator does not mean that you are immune from keyloggers.

The bottom line here is that having an authenticator attached to your account *greatly* increases the security of the account. The authenticator itself cannot be hacked if it is based on a proven design that is less than 20 years old; saying that this is possible simply broadcasts one's lack of cryptographic expertise. One-way functions are truly one-way. Period. The humans at either end of the transaction however, are easily manipulated.
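As an added illustration of the point above (this is not code from the comment or from Blizzard's token, which is a vendor device; it assumes the counter-based HOTP scheme from RFC 4226, whose published test secret is used here), the code below generates and verifies one-time codes. Each code is an HMAC-SHA1 output truncated to six digits, so a list of observed codes gives no path back to the secret, and a code that has already been consumed is rejected on replay.

```python
import hmac
import hashlib
import struct

# RFC 4226 Appendix D test secret (ASCII "12345678901234567890"); a real
# token would hold a random secret provisioned at manufacture.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over an 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce modulo 10**digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(secret: bytes, server_counter: int, code: str, window: int = 3):
    """Server-side check with a small look-ahead window for lost presses.
    Returns the new server counter on success (one past the matched value,
    so the same code can never be accepted twice), or None on failure."""
    for i in range(window):
        if hmac.compare_digest(hotp(secret, server_counter + i), code):
            return server_counter + i + 1
    return None


def replay_is_rejected(secret: bytes) -> bool:
    """Simulate an observer who wrote down the first code the token showed.
    The legitimate login consumes it; presenting it again must fail."""
    observed = hotp(secret, 0)              # what the observer recorded
    counter = verify(secret, 0, observed)   # genuine user logs in: accepted
    assert counter == 1
    return verify(secret, counter, observed) is None  # observer replays: rejected


if __name__ == "__main__":
    print([hotp(SECRET, c) for c in range(3)])   # RFC 4226 vectors: 755224, 287082, 359152
    print("replay rejected:", replay_is_rejected(SECRET))
```

The window only lets the server catch up if the user pressed the button without logging in; it never re-accepts a counter value that has already been consumed.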