2-09-2010 @ 12:32AM
Has anyone stopped to think that an iPhone or ANY smart phone for that matter is entirely hackable? It is nothing more than a minicomputer that can still connect to the internet. If it connects to the internet, it can be hacked. So, how safe are those mobile authenticators if someone jacks your phone by hacking it?

I'll stick with the real authenticator. It doesn't connect to the internet, and isn't hackable. Someone would have to physically have it in their possession to access my account. I personally think the mobile one is a really dumb idea. Just a gimmick to sell more iPhones.
2-09-2010 @ 1:06AM
I really agree. The entire point of the authenticator is that it's a physical token you have to have in your hand in order to log into a WoW account. You can't remotely access it, no matter how hard you try. An iPhone, on the other hand, is just a separate device you'd have to hack in order to access a WoW account... but you can do it all remotely. No gold seller on the planet is going to break into my house to steal my authenticator, but they might hack my iPhone.

What's worse, since the iPhone authenticator is all in software, a hacker could basically COPY your authenticator. Rather than just stealing the temporary code, they could use their copy of your authenticator app to log into your WoW account at any time, or any number of times, or remove the authenticator from your account.

I'll say that an authenticator app is better than nothing, but the physical authenticator token is MUCH better than the app.
2-09-2010 @ 3:28AM
This is true, and unfortunately the Blackberry/iPhone/Mobile app is the only option many of us have: Blizzard will not ship the physical authenticator to some locations. Those of us in U.S. territories such as Puerto Rico, the U.S. Virgin Islands, Guam, etc. are in locations to which Blizzard will not ship the devices. At first I assumed it had something to do with security/encryption export laws, but the same laws apply to the technology available in mobile phones. Blizzard will ship them to non-U.S. addresses but apparently not to all domestic U.S. Postal Service areas. It makes Blizzard's recent struggles to get WoW in China very ironic considering China's stance on foreign encryption technology.
2-09-2010 @ 6:46AM
Yes indeed, iPhones and other smart-phones can be hacked. I was looking for a story where the ssh daemon was running with a standard password on iPhones with hacked firmware (http://www.theinquirer.net/inquirer/news/1561466/iphone-plagued-rick-astley), but also found http://mashable.com/2009/07/30/iphone-hack/ , which is just as bad.

As other people say, an account secured by a stand-alone authenticator is impossibly hard to hack, as hackers need to know your account name and password and a short-lived 6-digit code as well - the code on its own would probably not be sufficient with roughly 10 million players world-wide. Even if you know someone's account details, with an authenticator the chances you get in are only about 1 in a million (a little more to allow for time-skew, as was explained in an earlier message). I wonder how many attempts you can brute-force in 30s?

But even with an authenticator you should take basic account security seriously. If your account name or password is the same as the name of one of your characters, for example, you make it that much easier for a hacker to get in. You have to realise they aren't hacking "your" account specifically, they just try to get into "any" account, working with the information they have. You bet they have a dictionary of level 80 character names to work with.

Earlier up-thread it was mentioned that some accounts got hacked during maintenance. That is actually an intriguing claim! A hacker can't do anything with your account during maintenance, so he can't take your gold or sell your gear either. So either we're talking about a very short window of opportunity just as maintenance starts or ends - more time for brute-force attacking token-numbers would probably be sufficient reason to prefer maintenance to hack accounts, and there's less chance the owner is logged in just before or after maintenance - or there's someone on the inside. I'm pretty sure Blizzard is aware of the latter possibility though; they're probably keeping a close eye on anyone with access during maintenance.

There are some other channels through which a hacker might "get in" with all the web-services Blizzard provides outside the game. To manage your account you need to prove that you are the legitimate owner of the account though - I think the worst someone can do to your account by hacking into a web-service is to mess up your calendar.
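The post above asks how much a short-lived 6-digit code, a time-skew allowance and a 30-second window really buy against guessing. The following is an added example written for this page, not code from the thread or from Blizzard's authenticator. It assumes a standard RFC 4226/6238 style token (HMAC-SHA1, 30-second step, 6 digits) and a server that accepts one step of skew either side; it then shows the two server-side controls that keep the odds where the poster estimates them, namely a failure lockout and rejecting a code once it has been used, plus the arithmetic for the guessing probability. The secret `b"12345678901234567890"` is the RFC test-vector key, used here only as sample input.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # assumed time step (RFC 6238 default)
DIGITS = 6          # assumed code length, as discussed in the thread


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


def time_step(unix_time: int, step: int = STEP_SECONDS) -> int:
    """Counter value for a given Unix time (the 'T' of RFC 6238)."""
    return unix_time // step


class TokenVerifier:
    """Server-side check for one account (hypothetical, not Blizzard's logic).

    - accepts the current step plus `skew` neighbours on each side (time-skew)
    - never accepts a step at or below the last one already used, so a code
      stolen over someone's shoulder is worthless once the owner has used it
    - locks the account after `max_failures` consecutive wrong codes, which is
      what stops someone from trying many codes inside one 30-second window
    """

    def __init__(self, secret: bytes, skew: int = 1, max_failures: int = 5):
        self.secret = secret
        self.skew = skew
        self.max_failures = max_failures
        self.last_step = -1
        self.failures = 0

    def verify(self, submitted: str, unix_time: int) -> bool:
        if self.failures >= self.max_failures:
            return False                      # locked out
        now = time_step(unix_time)
        for step in range(now - self.skew, now + self.skew + 1):
            if step <= self.last_step:
                continue                      # replay of an already consumed code
            if hmac.compare_digest(hotp(self.secret, step), submitted):
                self.last_step = step
                self.failures = 0
                return True
        self.failures += 1
        return False


def guess_probability(attempts: int, skew: int = 1, digits: int = DIGITS) -> float:
    """Chance that `attempts` distinct random guesses made inside one window hit
    one of the 2*skew+1 codes the server currently accepts.  Assumes those
    accepted codes are distinct, so with skew=1 one guess succeeds 3 in 10^6."""
    space = 10 ** digits
    accepted = 2 * skew + 1
    p_all_miss = 1.0
    for i in range(attempts):
        # each wrong guess removes one candidate from the remaining pool
        p_all_miss *= (space - accepted - i) / (space - i)
    return 1.0 - p_all_miss


if __name__ == "__main__":
    secret = b"12345678901234567890"          # RFC 4226 test-vector key (sample only)
    v = TokenVerifier(secret)
    print("code at t=59:", hotp(secret, time_step(59)))
    print("first use accepted:", v.verify(hotp(secret, 1), 59))
    print("same code replayed:", v.verify(hotp(secret, 1), 59))
    for n in (1, 5, 100):
        print(f"{n} guesses in one window: {guess_probability(n):.2e}")
```

With one guess per window the odds are about 3 in a million (the poster's "1 in a million, a little more for time-skew"); the lockout counter is what keeps an attacker from turning "how many attempts fit in 30s" into a meaningful number, and the `last_step` check is why merely stealing a code is far weaker than copying the secret itself.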
2-09-2010 @ 6:52AM
I think most are aware that iPhones and the like are computers, and "hackable" in the sense that you can break their security when you have physical access to the device. That's not the same as being able to invade any iPhone from across the internet at your leisure, extract people's authenticator serials and forge bogus login codes. That's completely unrealistic.

A: iPhone apps are sandboxed, meaning they're essentially isolated from the phone itself, other apps on the phone, the internet and so on, except through authorized channels that Apple allows (by using the iPhone OS APIs). There's no way of knowing, or telling, that there's an authenticator applet installed on any random iPhone.

B: In fact, there's no way of telling that any random device connected to the internet is an iPhone, so how could hackers target them specifically? This is just paranoia.

C: Even if people COULD target iPhones, and COULD hack them to extract authenticator codes, there's no way of linking any random iPhone and its authenticator codes to any specific WoW account!

D: Even if you have hacked the iPhone authenticator and can tell which account the codes belong to (perhaps through telepathy), you still need the account name and password, none of which are entered into the iPhone applet. Again, you need to resort to telepathy to gather these.

SO IN CONCLUSION, we can reliably conclude that the iPhone authenticator is QUITE SAFE AND SECURE. However, any solution is only as safe and secure as the person who uses it, which leads us back to PEBKAC. I.e., if you have poor habits, leave your iPhone where others can access it, don't keep your login details, CD serials etc. secret, then people can conceivably access your account even with the authenticator. It's not the authenticator's fault it isn't idiot proof; it's you who is being an idiot. :)
2-09-2010 @ 8:27AM
@Faar: I was only using iPhones as an example because of their popularity and, with that, the availability of articles about them being "hacked". I have nothing against iPhones. I admit that iPhones are relatively secure devices, but you're reasoning from the wrong end of the line.

A: You say that iPhone apps are sandboxed. Although this does indeed improve security, once someone has access to your "computer" there's only so much you can do to prevent him from reading data he's not supposed to read. A compromised system can't be trusted. Now that does of course depend on what the compromised system is; if it's "just a sandbox" then there's probably not much a hacker can get to - he can play around with the available sand, but he can't go outside the sandbox. If the hacker gets into the "root" system however, he can access anything. It depends a lot on what part of the system is vulnerable. Hackers don't use hacks that land them in a sandbox, unless they know they can get out of them somehow or unless it's a useful hack on some other system.

B: You say you can't tell an iPhone apart from any other system connected to the internet, so you can't target them specifically. You're reasoning from the point of view of a single iPhone connected to the internet. Hackers don't work like that; they hack "a" system connected to the internet and then figure out what kind of system they hacked and what they can use it for. They don't target any system specifically, they just try a bunch of stuff that's known to work. Once they get in, they probably know you have an iPhone (or any other type of smart-phone) from the method that was successful in hacking it, but if not they can see by looking around in the hacked system.

C: Yes, you're definitely right about that, unless the owner of the phone is stupid enough to keep their WoW account information anywhere on it. That goes for any device connected to the internet. A scrap of paper isn't connected to the internet ;)

D: That's actually the same point as you were making at C. Not that it's any less valid.

Note that I'm not against using a smart-phone as an authenticator, I'm just putting forward that they aren't entirely as secure as a stand-alone authenticator. Provided you keep good account security otherwise (which can't be repeated enough), the chances you can get hacked through an authenticator on a smart-phone are still marginal at best. It is a secure method of authentication, but no security method is 100% air-tight. Even with a stand-alone authenticator your account can get hacked; chances are maybe 1 in several billions, but if enough people are trying some will succeed. If enough people have them though, the trouble of trying quickly outweighs their chances of success, which will reduce the number of people trying to hack them this way. Social hacking would become the more efficient approach ("Hi, I'm 's alt, can you give me access to the guild bank please?" for example).