Account security mythbusting, part 4
Ah, but I don't need an Authenticator, you're saying to yourself. I know a great way to beat keyloggers.
MYTH: Copying and pasting your account name and password from a text file will make it impossible for a keylogger to steal your login information.
Sorry, MacGyver. It's a fairly trivial matter for many keylogging programs to check your clipboard. This is not an effective way to keep your information secure.
Myth Status: BUSTED
Saving the best for last on this one.
MYTH: Blizzard is in cahoots with gold sellers and they use them to make money off of RMT while maintaining a good public face by denouncing such transactions.
I used to see this one a lot on the forums and I think any reasonable person knows this is about as true as me being an actual talbuk.
Myth Status: Not even worth addressing.
Hope you guys can use this information, and if you have any questions of this nature (or any common myths about Blizzard), I pretty much guarantee I can give you an answer provided it won't cause any legal snafus.






Reader Comments (Page 1 of 6)
Ferarro Dec 31st 2008 1:11PM
I think if Blizzard truly cared about it, the Authenticator should come standard in every box.
Veilus Dec 31st 2008 4:17PM
Oh give me a break. STFU, pay the 6 bucks and get the authenticator.
If your mom really cared about you... If the world really cared about you...
Take responsibility. Do what you need to do to protect yourself. It's not everyone else's job to take care of you.
Ug Dec 31st 2008 2:30PM
I am with you on that. They could make a good first step by putting them in with collector editions or other boxed sets.
One thing I expected to see but did not was that the whole thing is a campaign to sell authenticators. Not that there would be much profit in it but even if they made $1 each it could be millions.
Drakkenfyre Dec 31st 2008 2:56PM
"and I think any reasonable person knows this is about as true as me being an actual talbuk."
No, say it's not true! You really are a Talbuk! Lol, j/k.
As for the people saying copying and pasting works. You already have replies. Not only do good keyloggers check your clipboard, but like someone up there said, you need to look up packet-sniffing, lol.
JayCanuck Dec 31st 2008 4:10PM
One interesting thing is shipping a single, inexpensive authenticator costs $50+ for shipping to Canada! USA to Canada, $50...gg
Amaxe Dec 31st 2008 4:46PM
I keep hearing the Authenticator is out of stock. Don't know what Blizz production ability is, but it is a bit annoying not to be able to get this when they recommend it.
Malkeior Dec 31st 2008 6:06PM
AKA Charge 6 bucks more per game and keep accounts safe from the start. I believe that is what Ferarro meant. Not "Gimme free crap".
Guapa Jan 5th 2009 9:53AM
I work for a huge global bank in the area of corporate customers online banking. We offer solutions very similar to the Authenticator to our customers to secure their multi-million euro payments. In fact, they come from the same company, they only look a bit more serious and don't have a button, but the basic function and probably the algorithm behind are exactly the same.
But still, we offer this not as default but as an optional layer of security and we charge 30€ per piece.
So why should Blizz give out something for free which is charged (at a much higher rate) in areas where it really makes sense?
Authorization of salary payments worth 300 Mill. USD is more important and sensitive than your WoW Account, believe it or not :-)
So, I think this is a really, really great offer that Blizz has for us and it shows that they do care for account security.
But it's just an additional layer of security that can be easily countered by a user's stupidity or carelessness.
Emanon Dec 31st 2008 1:12PM
How 'bout this: Blizzard just tries to panic the users to sell more of their Blizzard Authenticators.
Orenus Dec 31st 2008 1:19PM
Utter bunk. Similar devices typically sell for $20 and up. Even if Blizz isn't selling them at a loss, they aren't making any money on them. Unless you count the savings from having to process fewer account compromise complaints.
heath Dec 31st 2008 1:20PM
"MYTH: Copying and pasting your account name and password from a text file will make it impossible for a keylogger to steal your login information."
uhh, but copying and pasting your password makes it impossible for a keylogger to steal your login information.
Cheesy McGreasy, I think you over-simplified the myth for anyone who is taking your post to heart (which is the security noobs out there).
a password is useless without the login ID..and if the 'remember' login ID' box is checked, the only thing that gets transmitted by a keylogger is the password.
you should be a little more thorough on this myth imo.
zappo Dec 31st 2008 1:25PM
If they have access to your computer, it's trivial to see what accounts have been on it by looking in your WoW program directory. That's less complicated than reading the clipboard for that matter.
Ed (Sindarin, Hydraxis US) Dec 31st 2008 1:30PM
True, but I believe that most keylogging programs can be set to take screenshots on certain triggers, such as pasting in information.
The article was a very interesting read - as a related anecdote, I have a computer with anti-virus, firewall and anti-malware, I'm pretty net savvy and don't click on anything I'm not 100% sure on, I use Firefox with NoScript and keep them both regularly updated.
But I still got hacked - and I believe the reason why is that I installed WoW on my step-brother's computer when my laptop was out of service, not realising how much utter crap he had on that thing. Not wanting to make such a stupid mistake again, I realised I couldn't trust myself in a situation like that and just went out and bought an authenticator.
The conclusion I've drawn is that technological security solutions are brilliant and numerous, but useless if you have a moment of stupidity. You can never be too careful!
toress Dec 31st 2008 1:33PM
use a virtual keyboard to defeat such programs. point and click no keylogs, no clipboard
GoldenWyvern Dec 31st 2008 1:33PM
"a password is useless without the login ID..and if the 'remember' login ID' box is checked, the only thing that gets transmitted by a keylogger is the password."
If you have the "Remember Login ID" box checked, then the login ID is never entered, so a manually typed password is just as secure as a copy-and-pasted password, right? You're saying that typing in the password is perfectly safe.
The problem is, in my experience, that most security minded people are used to secure passwords and insecure user names. The user name is something easy to remember because it's a forum login, or something like that, while the password is more secure.
In other words, logging ANYTHING from your machine may give a hacker an easy time putting together a user name and a password, because they can brute force your user name fine.
So, unless your login name is as cryptic as your password should be, this isn't necessarily accurate information; having half the login information, whether it's the user ID or the password, is often the key to brute forcing an account.
Whether oversimplified or not, "don't assume that there's a safe way to log in, and be very, very careful" is good advice for security.
Random Cow Dec 31st 2008 1:37PM
Heath:
Contents of your clipboard are just as available as keystrokes.
Also, you should look up packet sniffing. You have no clue, and are a danger to yourself and others. For the love of God, please nobody listen to this fool.
Eisengel Dec 31st 2008 1:39PM
How does a keylogger get your information? It runs some computer code on your computer without your permission. The clipboard area is easily addressable through the Windows internals (VB hooks, and as I recall it has a registry entry). It really is not hard to look up the clipboard contents once I have code running on your machine.
Here's a little freeware tool I found after googling for about 15 seconds:
http://www.softpedia.com/get/Office-tools/Clipboard/Clipboard-Inspector.shtml
If I was a cracker, I could download the tool (for free), then hexedit the executable to try to see what keys or COM entries it's using, and then I'd look those up to build up code that does the same thing.
Bottom line, if someone has enough access to your machine to get a keylogger on, they have enough access to grab anything on your clipboard in any format.
Does a keylogger by default record your clipboard? No. Can it be made to? You bet. Windows XP is all or nothing. Once someone is on the inside, they pretty much have it all.
hold up Dec 31st 2008 2:42PM
Any good hacker creating a keylogger knows to read the clipboard when ctrl-c has been pressed.
Not that I would know or anything...
Plus, I'm pretty sure that your WoW folders have your account name and characters names as their titles. If someone was going after your WoW account specifically pretty sure that would be in the virus you downloaded. And the message behind the simplicity of the explanation is don't think copy/paste is going to save you. It's not.
Especially if the virus was created explicitly for getting WoW passwords... because the virus is hosted at zomg-free-wow-gold-4-u.com or SusanExpress.com
=P
Disclaimer: I don't know if viruses actually are housed at those locations. But gold buying is bad. Don't do it.
turtlehead Dec 31st 2008 3:34PM
Heath: everything you said is wrong, as others explained.
Toress: I can think of a half dozen ways to get around that. Is it better than the totally useless clipboard method? Sure. Is it real security? Not on your life.
jurandr Dec 31st 2008 3:46PM
@Toress
"use a virtual keyboard to defeat such programs. point and click no keylogs, no clipboard"
EL OH EL DONT U WISH.
Whether you're pushing a button or clicking one, it still counts as a keystroke. Anybody who thinks that using a virtual keyboard, or copy+paste or w/e probably thinks they're clever because their password is 'password'.
>.>