Debunking another hacked authenticator story

We can't confirm any of the facts in this case. I am willing to believe that Anonymous is truly upset and believes the story he tells to be true, even though he is posting anonymously. There are some serious red flags, however, that seem to point to Anonymous not having all of the facts:
There are no confirmed cases of an Authenticator being removed from an account by a hacker.
The code from the Authenticator is computed from a per-device secret (identified by the serial number of the device or app, which by itself is not enough to produce codes) and the current date/time stamp. Because of this, a code is only good for
- Enter username and password at the account management login screen.
- Enter the current Authenticator code before it expires.
- Navigate to the Authenticator removal screen.
- Enter the new current Authenticator code.
- Enter the next Authenticator code, approximately 30 seconds later.
- Press the remove button.
Account thieves steal accounts for gold because it is time-efficient.
Goldsellers used to just roll hunters and farm their gold. But stealing accounts, stripping them bare and then using them to steal other accounts is much, much faster. Getting around an Authenticator is far too time consuming to be efficient and there are so many players without them. Rather than spend time that could be spent cleaning out another account, thieves will just skip over any accounts that have the extra protection.
Buying gold and/or accounts and getting hacked is embarrassing.
The other hacked authenticator story in this link ended up being debunked later by Blizzard. The victim in question had removed the authenticator in order to share his or her account. Sharing accounts is not only a big no-no according to the TOS, but also makes your account vulnerable to the practices of the people with whom the account is shared. It just isn't smart, unless you have complete control of the environment of your fellow account holder, such as within a family household. It also isn't smart to open up your account info to power-levelers and account sellers. Falling for scams does nothing to make you feel intelligent either and really, no one likes to be thought dumb. So people you normally would trust may be hiding a not-so-bright move solely due to embarrassment.
Blizzard restores accounts to account owners.
They may offer care packages to make the process easier for the victim; but if you are the account owner and haven't done anything to get banned, you will get your account back. Now, you may get banned because you have a trojan, which isn't entirely your fault. (Tips for keeping your account safe are at this link.) But Blizzard will either ban you and tell you the reason, or refuse to give you the account back because it wasn't originally yours. If Anonymous's friend purchased his account from someone else or was found to have bought gold, then Blizzard will not restore the account. If the friend is banned due to a program that is against the TOS, Blizzard may restore it after the program is removed, but not before. And if the friend is banned for some other reason he would rather not divulge, Blizzard will not restore the account. It is not in Blizzard's interest to prevent paying account owners from continuing to pay and play.
You don't own anything on your character.
Amy Schley will be delving into this kind of thing in her new column, The Lawbringer, but the TOS clearly states that we don't actually own anything we have on our character. Even though we spend hours and hours acquiring really cool stuff, we don't have the same rights to it as something we go into a physical store and buy.
I am all for consumer advocacy and calling businesses out when they don't treat their customers as they should. But it would seem more on the side of consumers to encourage Authenticator use rather than post unsubstantiated stories such as this one. I invite Anonymous and his friend to contact me directly at Robin at WoW dot com with more details so that I can investigate further.
Filed under: Analysis / Opinion, Account Security
Reader Comments (Page 2 of 5)
Gorgondor Feb 9th 2010 12:05AM
I had done some testing myself with my mobile authenticator on my iPhone; I have not tested this on my new key-fob device.
It turned out that while each number was displayed for around 30 seconds, it was then still valid for another 30 seconds after it disappeared from the screen, but only 30 more seconds.
I wrote down a code; after it disappeared, I tried it a minute later and it didn't work.
I suggest anybody reading this person's comments try this for themselves before taking this commenter's findings as fact.
My conclusion: on the iPhone mobile authenticator, each code was valid for approx. 60 seconds, overlapping with the codes on either side of it.
danawhitaker Feb 9th 2010 12:25AM
I admitted that my findings were under very specific conditions and didn't apply when servers were functioning regularly. I'd hope no one takes it as fact that it works that way all the time. I have an authenticator, I have pestered everyone in my guild to get authenticators. I think they're a great investment. I don't want to try and stop anyone from getting or using one. That's not my intention.
That being said, if there *is* some sort of a vulnerability with them, I'm just pointing out an area that maybe needs a look.
Ozzard Feb 9th 2010 3:23AM
The authenticator codes are generated from the clock that's embedded in the device. Not all clocks run at the same speed, so the login system has to account for a condition known as "clock skew" - where your token's clock gradually runs ahead of or behind the clocks on the Battle.net login servers, which will probably be synchronised to within a few milliseconds of one of the world's atomic clocks using the Network Time Protocol. Your token can't sync with the atomic clocks, so it'll gradually drift from the "correct" time. Mobile phone authenticators suffer less from this problem, by the way, as the phone's clock is often kept correct by the phone network.
The result of this is that the login servers have to accept any code that they think might have been generated by your token at the current time. I suspect that as a token gets older and the battery runs down, the skew between real time and "token time" may increase, though I've not taken one apart to find out! Certainly I'd expect more than one code to be valid at any one time, though a code still being valid 10 minutes after generation surprises me.
Lissanna Feb 9th 2010 9:49AM
At the very least, we do know that once you use a code, all previous codes become unusable. You need 3 codes to remove an authenticator from an account.
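The removal steps listed in the article, the clock-skew acceptance window Ozzard describes above and the "previous codes become unusable" behaviour Lissanna notes, modelled together in one added example. This is editor's illustration code, not Blizzard's implementation or any commenter's. It assumes the token is a standard HMAC-SHA1 time-based one-time password (TOTP) with a 30-second step and 8-digit codes, that the server accepts one step of skew either side, and it uses a constructed secret and constructed timestamps; the real Battle.net parameters and server policy are not stated on this page.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # one code per 30-second time step (assumption: standard TOTP step)
DIGITS = 8          # assumption: 8-digit codes; RFC 6238's examples use 6
WINDOW = 1          # assumption: server tolerates one step of clock skew either side


def counter_for(unix_time):
    """Time-step index that becomes the HMAC message (RFC 6238 on top of RFC 4226)."""
    return int(unix_time) // STEP_SECONDS


def totp(secret, unix_time):
    """Code the token displays at unix_time.

    `secret` is the per-device key established at enrolment. The public serial
    number only tells the server which key to use; it is never an input here.
    """
    msg = struct.pack(">Q", counter_for(unix_time))
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                   # dynamic truncation
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** DIGITS)).zfill(DIGITS)


class Verifier:
    """Server side: a code is accepted only near the current step and only once."""

    def __init__(self, secret, window=WINDOW):
        self.secret = secret
        self.window = window
        self.last_counter = -1   # highest step already consumed by a successful login

    def verify(self, code, unix_time):
        now = counter_for(unix_time)
        for c in range(now - self.window, now + self.window + 1):
            if c <= self.last_counter:
                # Replays, and codes older than one already used, are dead:
                # this is the "all previous codes become unusable" rule.
                continue
            if hmac.compare_digest(totp(self.secret, c * STEP_SECONDS), code):
                self.last_counter = c
                return True
        return False


def remove_authenticator(verifier, attempts):
    """The article's removal flow: the login code, a fresh code on the removal
    screen, then the following code about 30 s later. Every code must pass
    verify(), so an attacker needs three distinct, consecutive time steps."""
    return len(attempts) == 3 and all(verifier.verify(code, t) for code, t in attempts)


def demo(secret=b"constructed-demo-secret", t0=1_265_700_000):
    """Run the scenarios the thread argues about against a constructed secret and clock."""
    v = Verifier(secret)
    r = {}
    code = totp(secret, t0)
    r["fresh_code_accepted"] = v.verify(code, t0)
    r["replay_rejected"] = not v.verify(code, t0 + 5)
    # Token clock 40 s ahead of the server: lands in the next step, inside the window.
    r["skewed_token_accepted"] = v.verify(totp(secret, t0 + 40), t0 + 5)
    # A code used 10 s after it left the screen: still inside the one-step window.
    r["grace_period_accepted"] = v.verify(totp(secret, t0 + 60), t0 + 100)
    # A code written down and tried ten minutes later: far outside the window.
    r["ten_minute_old_rejected"] = not v.verify(totp(secret, t0 + 90), t0 + 690)
    # Removal with three consecutive codes succeeds; presenting them again fails.
    t1 = t0 + 120
    attempts = [(totp(secret, t1 + d), t1 + d) for d in (0, 30, 60)]
    r["removal_with_three_codes"] = remove_authenticator(v, attempts)
    r["removal_replay_rejected"] = not remove_authenticator(v, attempts)
    return r


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Two design points are worth noting. The one-step window is the only legitimate reason a code would still work for a short time after it leaves the screen; a server that honoured codes many minutes old would be a verification-policy problem on the server, not a property of the token. The `last_counter` rule is what ties the three removal codes to three different time steps and stops a code from being reused, which is why, under this model, writing down a handful of codes and spending them later cannot work.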
Rialyn Feb 9th 2010 10:14AM
Hmmm... Your post makes me curious. I have been using this same type of authentication for years on more security-sensitive sites. (Mostly corporate banking.) I have never experienced what you describe.
When you said the codes were good for an extended period of time... Did you try the same code more than once? (i.e. Log in with a code. Log out. Wait 5 mins or so, then log back in with the same code.)
When you said you couldn't do anything because the servers were so screwed up, does that mean you were able to load a toon, but couldn't do anything in realm? Or do you mean you couldn't load a toon because the servers were screwed up?
Obviously, what you describe isn't optimal, but it sounds like you still needed a valid code generated by your authenticator. If you were able to reuse the codes, it would be much worse. Provided you were able to load your toons. Though clearly Blizzard had borked the authentication servers as a whole at that time. My brain isn't working all that well this week, but isn't that also when Blizzard moved to requiring Battle.net logins as well?
Scully Feb 9th 2010 1:06PM
If you tested when authentication servers were "borked" as you say, then it wasn't a true test - you can't test an authenticator when the authentication servers are down, right? This is the logic part of testing/troubleshooting.
These debates about authenticators tire me. Tokens of this sort have been used as a second form of authentication for VPN services by major corporations for years. Additionally, token authentication removes the necessity of discussing remote access policies with auditors at length for HIPAA/PCI compliance. It's an industry standard for 2-factor authentication. While the soft-tokens are a relatively new player in the space, they are also accepted as the second form of authentication.
If they were as vulnerable as all the tin-foil hat folks would like to claim, they wouldn't have lasted as long as they have in the compliance space.
danawhitaker Feb 9th 2010 3:08PM
No, I wasn't able to use the same code more than once. I was still bothered by the fact that I was able to punch the button on my authenticator three times in a minute, get three codes, and then use them over the course of 30 minutes though, when the device *isn't* supposed to work that way. It's one of the Starcraft II fobs, which I purchased in August, so I'd really hope that battery clock de-synching, which someone mentioned earlier, wouldn't be the culprit. Plus, how could it be, since I haven't been able to replicate it since that time?
Servers being borked isn't perhaps an optimal test, but I'm still suspicious of the fact that the two people I know personally who had their accounts compromised had clean system scans and their accounts were compromised during server reboots/downtime on non-normal maintenance days. Neither had authenticators. Again, I'm not saying anyone with an authenticator has had their account hacked. I'm just not discounting the potential of some security issue. And I was disputing the original claim by Robin that codes are only good for 30 seconds.
Like I said, our guild requires them for guild bank access at this point. I'm not an authenticator-hater. But I don't believe in blind trust of a security device just because it's not supposed to be crackable either.
Rialyn Feb 10th 2010 10:12PM
My comment about optimal wasn't about your test being during a time of server issues. Hopefully, I didn't make you think that! My reference to not being optimal was in regards to the code not expiring in 60 seconds. It sounds like you still needed a valid code and it expired on use, so there was a significant amount of protection still in place. More than enough to foil a hacker, even in those circumstances.
I'm the IT Director for a good sized CPA firm, so you can be sure of three things... I take computer security very seriously, I tend to be very analytical and I am paranoid about security because I am paid to be. LOL
The fact that you couldn't use a code twice is a point in favor of it being properly set up. If you were able to actually load a toon with a code that was older than 2 mins, that would be a point in favor of saying Blizzard needs to be sure they implemented the authentication properly on their end. (Which IS the case you are describing, and I am sure Blizzard has done just that.) The tokens are only as good as the processing program on Blizzard's servers, so there is always room for scepticism. I have seen with my own eyes token systems that were NOT implemented properly. Clearly, at the point in time you are describing, there were issues throughout their servers. Even with the issues a code was still needed, and without the fob, you still wouldn't be able to log in.
The bottom line is that with Technology nothing is 100% perfect, but the token system is light years ahead of the simple user/password arrangement when it comes to internet security. The De-Syncing/Battery issue would prevent a valid code from being given, so that is definitely not the case for you. (I have a client that is still using a similar fob by the same manufacturer that is 3 years old.)
zurkka Feb 8th 2010 11:29PM
A great post, using facts to disprove the story told. I'm trying to get one of those for weeks but something isn't working on the Blizz store; some things are harder to get when you live in South America. Here some third-party stores sell those authenticators for like 60 bucks EACH ¬¬
totemdeath Feb 8th 2010 11:30PM
If a process was developed that can reliably break the 6-digit random coding of the current Authenticator system, the implications would be such that it would very likely make mainstream news channels. I make it a point not to believe stories like this unless I hear it on, say, CNN or FOX News.
Tori Feb 9th 2010 12:25AM
I'll have to agree with this poster. Many places that are of far higher concern than just a video game account use this technology, so I feel pretty damn safe with an authenticator alongside an incredibly difficult password and unknown email address used only for battle.net
talkingmike Feb 9th 2010 3:16AM
And this may be the first and only time in history that someone has equated Fox News and CNN as the same legitimate and reliable source for a single news story.
Hey, if you say media bias exists, then it sure does, gosh darn it!
BubblePriest Feb 9th 2010 6:14PM
My dad forwarded me a link from the local FOX station not terribly long ago about the dangers of riding elevators. Supposedly there were criminals riding elevators that had scanners that would scan the credit card numbers from your wallet while you were in close quarters. (Yes, sadly my father is that gullible.)
The point being: just because it's on the news doesn't mean it's true.
Joseph Becher Feb 8th 2010 11:49PM
Wasn't what I was looking for, but the more techy types may enjoy taking a look at http://docs.google.com/viewer?url=http://www.signify.net/uploads/How_RSA_Tokens_Compare_to_Vasco.pdf
Ozzard Feb 9th 2010 6:31AM
Oh look, an RSA publicity puff stating that their tokens are more resistant to being dropped, drowned, hit and zapped than Vasco's :-). Tests were carried out by an independent lab... to RSA's pass criteria, so they could choose criteria that the RSA tokens would pass and the Vasco ones would not.
Don't get me wrong - I have RSA tokens as well as Vasco ones*, and I much prefer the build quality of the RSA ones. But you don't get an RSA token, shipped, for $6; and cost is a key consideration for protection of what is, when all's said and done, a game.
* I do a chunk of work for healthcare organisations - they're understandably rather paranoid about who has access to their systems.
Joseph Becher Feb 9th 2010 11:47AM
Very true. I was looking more for a technical paper stating how they worked and if they used the same tech in so far as hack-ability, but that seems rather scarce. Not even sure why I linked it.
plantllover420 Feb 8th 2010 11:54PM
Wish I had an authenticator. My account was just hacked a few days ago; I'm going to buy one if I ever get back all my BoP gear that they sold.
Fairlane Feb 9th 2010 12:02AM
Robin, I'll be sending you an email in the coming days regarding my own Authenticator-secured account being hacked. I think it's very important that people realize that while Authenticators are the best account security option available and EVERYBODY should have one, they are by no means bulletproof.
Muse Feb 9th 2010 6:10AM
Authenticators are like seat belts in cars. Under the best circumstances you will never ever need it. And by the time you do, the worst has already happened. It's the last line of defence, not the first.
Ozzard Feb 9th 2010 7:12AM
Fairlane - I'm fascinated. I can think of many ways round an authenticator-secured account, but most of them require either incredibly good luck or some attack on the account (either via keylogging or via social engineering).
Are you willing to share the details more widely than just with Robin?