Debunking another hacked authenticator story

We can't confirm any of the facts in this case. I am willing to believe that Anonymous is truly upset and believes the story he tells to be true, even though he is posting anonymously. There are some serious red flags, however, that seem to point to Anonymous not having all of the facts:
There are no confirmed cases of an Authenticator being removed from an account by a hacker.
The code from the Authenticator is based off of the serial number of the device or app and a date/time stamp. Because of this, a code is only good for about 30 seconds.
- Enter username and password at the account management login screen.
- Enter the current Authenticator code before it expires.
- Navigate to the Authenticator removal screen.
- Enter the new current Authenticator code.
- Enter the next Authenticator code, approximately 30 seconds later.
- Press the remove button.
Account thieves steal accounts for gold because it is time-efficient.
Goldsellers used to just roll hunters and farm their gold. But stealing accounts, stripping them bare and then using them to steal other accounts is much, much faster. Getting around an Authenticator is far too time consuming to be efficient and there are so many players without them. Rather than spend time that could be spent cleaning out another account, thieves will just skip over any accounts that have the extra protection.
Buying gold and/or accounts and getting hacked is embarrassing.
The other hacked authenticator story in this link ended up being debunked later by Blizzard. The victim in question had removed the authenticator in order to share his or her account. Sharing accounts is not only a big no-no according to the TOS, but also makes your account vulnerable to the practices of the people with whom the account is shared. It just isn't smart, unless you have complete control of the environment of your fellow account holder, such as within a family household. It also isn't smart to open up your account info to power-levelers and account sellers. Falling for scams does nothing to make you feel intelligent either and really, no one likes to be thought dumb. So people you normally would trust may be hiding a not-so-bright move solely due to embarrassment.
Blizzard restores accounts to account owners.
They may offer care packages to make the process easier for them; but if you are the account owner, and haven't done anything to get banned, you will get your account back. Now, you may get banned because you have a trojan, which isn't entirely your fault. (Tips for keeping your account safe are at this link.) But Blizzard will either ban you and tell you the reason or refuse to give you your account back because it wasn't originally your account. If Anonymous's friend purchased his account from someone else or was found to have bought gold, then Blizzard will not restore the account. If the friend is banned due to a program that is against the TOS, Blizzard may restore it after it is removed, but not before. And if the friend is banned for some other reason he would rather not divulge, Blizzard will not restore the account. It is not in their best interests to prevent paying account owners from continuing to pay and play.
You don't own anything on your character.
Amy Schley will be delving into this kind of thing in her new column, The Lawbringer, but the TOS clearly states that we don't actually own anything we have on our character. Even though we spend hours and hours acquiring really cool stuff, we don't have the same rights to it as something we go into a physical store and buy.
I am all for consumer advocacy and calling businesses out when they don't treat their customers as they should. But it would seem more on the side of consumers to encourage Authenticator use rather than post unsubstantiated stories such as this one. I invite Anonymous and his friend to contact me directly at Robin at WoW dot com with more details so that I can investigate further.
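The article describes the Authenticator code as a function of the device's serial number and the current time, valid for about 30 seconds. The following is an added example (not the article's or Blizzard's code) that models that scheme with the standard time-based one-time-password algorithm (RFC 4226 HOTP stepped by RFC 6238 TOTP); the per-device secret standing in for the serial number, the 30-second step and the server's skew window are assumptions, and the test vectors are the RFC's own.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds one code stays current (assumed, from the article's "about 30 seconds")


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP) -> str:
    """Time-based code: the counter is simply the number of 30-second steps since the epoch."""
    return hotp(secret, unix_time // step)


def verify(secret: bytes, code: str, unix_time: int, window: int = 1, step: int = STEP) -> bool:
    """Server-side check. `window` is the number of adjacent steps accepted on either side of
    the current one to tolerate clock skew; the wider it is, the longer an old code survives."""
    now = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret, now + k), code)
        for k in range(-window, window + 1)
    )


def demo() -> dict:
    # Constructed seed for a hypothetical device; real devices derive theirs at manufacture.
    seed = b"example-device-seed-0001"
    issued_at = 1_265_680_000  # constructed timestamp (Feb 2010)
    code = totp(seed, issued_at)
    return {
        "code": code,
        "accepted_30s_later": verify(seed, code, issued_at + 30, window=1),
        "accepted_10min_later": verify(seed, code, issued_at + 600, window=1),
        # A server that tolerates +/- 10 minutes of skew accepts the same stale code.
        "accepted_10min_later_wide_window": verify(seed, code, issued_at + 600, window=20),
    }


if __name__ == "__main__":
    print(demo())
```

The last two results show the practical point: a code's lifetime is set by the verifier's acceptance window, not only by the 30-second generation step, so a server configured (or misconfigured) with a wide skew window will honour codes well after they were displayed.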
Filed under: Analysis / Opinion, Account Security
Reader Comments (Page 1 of 5)
SaintStryfe Feb 8th 2010 10:09PM
The Consumerist is the dumping ground for every whiny bastard who deals with any corporate entity. Not being treated like a princess to some people (something small, like faxing paperwork) is enough cause to go on and create a sob story often. I don't believe anything I read there anymore.
Kylenne Feb 9th 2010 12:29AM
This. That site lost credibility a very long time ago, and went even further downhill once it left the Gawker network.
I like to call it whinyentitlementwhores.com. Or alternatively, bestbuykilledmyfamily.com.
Tribunal Feb 9th 2010 2:41AM
I have to disagree.. they have some very good stories sometimes, and sometimes people are just whiny, BUT, the staff almost always points out that in the intro, and if not, the comments do.
You're probably just one of the "Wh s ths n Cnsmrst?" guys, though :D
atlanna1 Feb 9th 2010 5:15AM
Quote: "but the TOS clearly states that we don't actually own anything we have on our character. Even though we spend hours and hours acquiring really cool stuff, we don't have the same rights to it as something we go into a physical store and buy. "
Does that include such things as the Panderan Monk which REAL money is paid for?
Eamara Feb 9th 2010 6:02AM
Yes, Atlanna1. I mean, you're paying real money to use the account yet still don't own the characters on it, why would it be any different for vanity pets?
atlanna1 Feb 9th 2010 6:53AM
I know what you meant, but the whole micro-economy thing starts moving things into a very grey area.
Kylenne Feb 9th 2010 9:28AM
I've never been disemvoweled on there for the record, because I stopped reading it a long time before then. I got tired of digging through OH MY GOD THE FASCISTS MADE ME SHOW MY RECEIPT AT THE DOOOOR posts to find legitimate ones.
epic Feb 9th 2010 9:59AM
So going from Gawker Media (while entertaining, most of the sites cater mostly to gossip and speculation) to being bought by Consumer Reports' parent company (one of the most trusted names and go-to resources for consumers in North America); how is this a bad thing exactly?
Agony Feb 9th 2010 2:21PM
"disemvoweled"
A new word, created by the typo bug, meaning to have one's words cut out of your larynx with a spoon.
TonyMcS Feb 8th 2010 10:44PM
While my sympathies go out to anyone that was "hacked", it does not mean that some master hacker did some arcane things to their account. Far more prevalent is account sharing, leaving your password around for ex-friends/flatmates/partners/work colleagues/schoolmates, using a computer not your own, believing an in-game offer, actually replying to any phishing email, downloading EXE files, clicking on attachments or, very rarely, a drive-by because you didn't update your OS.
As for bypassing or removing an authenticator - good luck with that.
No it's not your fault if you get "hacked", that blame still lies with the evil bastards who did it, but taking responsibility for your own security will make it a lot harder for them.
James Feb 8th 2010 10:48PM
@SaintStryfe
While I disagree with how you chose to phrase your comment, I cannot help but feel you have hit the proverbial nail on the head. There has never been a confirmed WoW account theft of an account with an authenticator. Unless they provided the account thief with the linked authenticator, or its codes, I cannot come to believe that the account was just stolen "because he says so".
Mirantha Feb 9th 2010 12:21AM
James, more than likely what has happened is that the user (we'll call him A) bought the account from someone else (B), changed the billing details and put on an authenticator. A could not change the secret question/answer as that is not changeable. B then later on decided he wanted the account back and put in a request for account recovery with Blizzard. Since B was able to provide not only the secret question/answer, as well as possibly the cd codes used during install, Blizzard had no choice but to lock the account until such time as it was determined who the correct user of the account is. I won't say "owner" because Blizzard in fact owns all accounts, we just lease use of them and access to the servers each month with our subscription fee.
So, remember kiddies - sharing accounts is BAD, and buying accounts is BAD. Even if you buy an account, or use a friend's account because they are no longer playing, the original user of that account can AT ANY TIME put in a request to take control over that account again and *poof* all your hard work is gone.
Mike Feb 8th 2010 10:55PM
The title, and indeed entire opening paragraph, read like an Onion article. No way that story is even remotely genuine, it's probably goldfarmers spreading propaganda about Authenticators to deter people from using them.
Keltrey Feb 8th 2010 11:00PM
It sounds like an attempt to discredit the authenticators in a bid to prevent people from paying the $6.50 so more accounts are vulnerable to be compromised.
EX: "Well Joe Snuffy got his account hacked and he had one of those authenticators. So why should I spend the money on it and still get hacked?"
Gorgondor Feb 8th 2010 11:53PM
Completely agree.
Those bastards will do anything to keep enough around that they can hack.
Honestly, I'm really hoping they ship Cataclysm with authenticators, and make all accounts that are upgraded to Cataclysm require an authenticator. And if you already have one and another is sent with your copy, who cares, deal with it, sell it to someone else, hold onto it as a spare. Also, they have talked about being able to apply 2 authenticators to 1 account, so that could be coming some time soon.
I have complete faith in my authenticator to keep me free from being hacked, along with all other means of keeping my login details safe. Anybody that tries to blame someone else is just kidding themselves, or as you put it, they're more hacker trying to destroy that faith people have in account security.
The only people to blame for an account being stolen, are the hackers (for being the bastards they are for doing it), and the account owner, who obviously hasn't taken the necessary steps to protect themselves, and that includes buying an authenticator if you have to buy one.
Do you think the whole account security stuff Blizzard have posted is crap? No point? Authenticator a complete waste of money?
I think Blizzard would prefer to spend money on more development time than on departments to handle account theft, wouldn't you agree? So they will do what they can to help prevent it as best they can.
Bassamaphone Feb 9th 2010 6:50PM
"...also they have talked about being able to apply 2 authenticators to 1 account, so that could be coming some time soon."
Not one, but TWO authenticators! :D:D:D
Catacomb Kid Feb 8th 2010 11:12PM
Robin, I always appreciate your posts. Great tone, understanding, firm, and knowledgeable. Kudos!
danawhitaker Feb 8th 2010 11:20PM
"The code from the Authenticator is based off of the serial number of the device or app and a date/time stamp. Because of this, a code is only good for about 30 seconds."
While I am skeptical of the claims of the original article, and believe that authenticators are probably secure, I have found that codes *can* be good for longer than 30 seconds. I tested it when authentication servers were borked up around the time 3.3 dropped. Someone on another site I frequent claimed too that their friend had had their account hacked and that they had an authenticator. Another person in the same thread claimed that they would use their authenticator to generate codes and then use them at a later date without having the authenticator in hand. I didn't believe the guy, so I made my authenticator spit out three codes, and then used each of them ten minutes apart. They all worked. I was able to log in to the game (though not do anything, because servers were so messed up). So is it possible there's some kind of vulnerability? I don't know enough about the technology to say. All I'm saying is that I have seen codes work for more than 30 seconds. Believe me or don't believe me, but I've had an authenticator since August, and I have no reason to make the claim up.
Jhestor Feb 8th 2010 11:42PM
I'm not trying to be inflammatory in any way in my response; if that really happened, it concerns me. On the flip-side, given the way I understand VPN technology works, it feels like a pretty wild claim.
I'd be very, very curious to see this feat repeated at any time (I've never been able to replicate this supposed problem) and have it documented in video, or something.
danawhitaker Feb 8th 2010 11:46PM
I've tried to replicate it when the login servers are functioning normally, and I haven't been able to. I plan to try next time the servers are screwed up again. I was as skeptical as you are, which was why I even tried in the first place. I was sitting there going, okay, there's no way that works. On a slightly unrelated note, the two people in my guild that had their accounts "hacked" both had them hacked when the servers were down for maintenance