6-10-2009 @ 4:14PM
And how hard is it for a phisher (this particular attack is phishing, not hacking) to get enough info to ring up Blizzard and say "my Authenticator broke /sadface please disable it on this account"? Most likely they are just going to ask for your full name, or address, or secret question, all things that any phishing site is likely to attempt to harvest. Also it wouldn't be hard to write a "keylogger" that intercepted login attempts and redirected the info to the bad guys instead of Blizzard. It would be easy to capture multiple 'good' authenticator codes via this method. The reality of any type of security is that if what it is hiding is valuable it will be broken. Locks on doors don't stop burglars, they just make them look for the easier targets.
6-10-2009 @ 4:18PM
Once an authenticator code is used, it can't be used again. So no, a keylogger which redirected the login to a bad guy would not work at all. That's the point.
6-10-2009 @ 4:24PM
@Tom: "redirected the info to the bad guys instead of Blizzard". The code is never used by the real user because the info is never sent to Blizzard. This is a "man in the middle" attack. The user just keeps seeing "authentication failed, try again" or "connecting" and is then dumped back at the login page. Warden™ tries to prevent this stuff, but it is a well known 'secret' that each version of Warden™ is disassembled and analyzed before the servers come back up on patch day.
6-10-2009 @ 4:36PM
It is not as easy as you think to call Blizzard and ask to disable the authenticator. I was travelling for work and left mine at home. I called to get it disabled temporarily and they said the only way they could do that for me is with the identification number that is on the authenticator. (So if forgetting it when travelling is a risk, write that number down somewhere safe and bring it with you.)
6-10-2009 @ 4:39PM
Actually, despite what Blizzard says, the authenticator code is NOT one-time use. My wife and I share one for our accounts, and we often log in at the same time and use the same code as each other, and it works perfectly. Each code seems to be valid for approximately 30 seconds, for an unlimited amount of uses. A clever scammer would therefore have the login screen up in game and at the website and use the information in both places immediately, and therefore have access to change the password (keeping the player from booting them from game) while being logged in as far as the character select screen. Then they proceed to log in and do their damage, while having only one code.
6-10-2009 @ 4:49PM
It definitely isn't even close to as easy as that. Recently my authenticator stopped working and I called support to have it removed from the account. They of course asked for the answer to the secret question, but also for the CD key and the key physically on the back of the authenticator. Since I didn't have my CD key, they emailed a form that I had to print out, fill out, and sign, with a photocopy of my ID as proof of my identity.
6-10-2009 @ 4:59PM
The only things that let them remove an authenticator are the authenticator's serial number, OR the CD key used to create your account originally. It's not a simple matter for a scammer to do.
6-10-2009 @ 6:34PM
@Ulurjah - You seem to have misunderstood the concept of 'one-time use'. It means the authenticator will produce that code once (and not repeat it for a very long time), not that the code can only be entered in one box. The concept relates to the authenticator, not to what you do with it.
6-10-2009 @ 8:41PM
I'd assume if someone phoned up and did the "Authenticator broke /sadface please disable it" the person on the other end would ask for the serial code on the back of the authenticator.
6-10-2009 @ 8:47PM
@Janaa: Robin asserts in the article that you'd need separate codes to log into Account Management, change the password, then log into the game itself. That's why Ulurjah is questioning the "one use" claim, assuming both "uses" are done in the proper time window. He's not questioning the fact that each code in the list is unique. I think if it could be scripted, it might work, but don't you have to log into your email or something to accept a password change? It's been a while.