2-09-2010 @ 12:51AM
FUD, FUD, and more FUD. The technology behind the authenticator is sound, and is used on things far more valuable than WoW accounts. Can it be beaten? Yes. Would it be worth the time, effort, and resources required for a gold seller scanning for a mark? Not even close. Beating this token system would either require intense, extended social engineering, or a targeted man-in-the-middle attack. Both simply aren't worth it to would-be thieves. Keyloggers work (without an authenticator) because they're automated and scattershot... just pull the trigger and you'll hit something. Huge amounts of time and effort per target means less money per hour. It's just more lucrative to skip you and move on in search of an unprotected victim. On top of this, most if not all gold sellers simply do not have the expertise to successfully bypass the authenticator, even if they were so inclined.
2-09-2010 @ 3:29AM
There are other ways of beating them, but those would require a brute-force attack that may be feasible in principle but probably isn't worth it in reality. In particular, you *could* gather multiple codes over time from a machine that was compromised with a keylogger, and do a brute-force attack to try to work out the token's private key. Once you have the private key, you can clone the token. I've not checked what crypto is used on the tokens, but to reassure people here before the headless chicken impressions start, with "standard" crypto techniques this kind of attack should take years or centuries, even if running on many thousands of computers at once. It's only a problem if for some reason the cryptographic techniques used in the tokens are weak, and that seems very unlikely given what else they're used for.