2-28-2010 @ 12:30PM
Ruu Roh. Will NOTHING stop these hackers? If a ferocious monstrous Core Hound doesn't faze them... I don't know what will.
2-28-2010 @ 1:03PM
Greed is the root of all evil. Reminds me of the John Lenin song "Imagine"
2-28-2010 @ 1:14PM
@ Razortooth "John Lenin" made me chuckle.
2-28-2010 @ 2:49PM
So let me get this straight: this man-in-the-middle "thing" only works if I'm trying to log in to WoW and enter my authentication code? So it doesn't work if I'm not logged in or if I'm already logged in?
2-28-2010 @ 3:03PM
Greed is Good.
2-28-2010 @ 3:10PM
I don't understand it either. You can't have 2 people logged in at the same time, so basically if they try to use my authenticator code they have to kick me out of the account or not let me log in, which means that I will automatically be alerted of the hacking and just relog (possibly from a different PC) to kick them out. So... how?
2-28-2010 @ 3:57PM
@peter_vutov You attempt to log in, inputting your authenticator code. This malware redirects the information to the hacker so they can log into your account right now. Meanwhile, the hacker's server responds to make your client think you put in the wrong information. You never even get through to Blizzard's authentication servers. You will continue to get "Incorrect information" errors until you locate and remove the malware, which is more than enough time for an efficient hacker to clean you out.
2-28-2010 @ 4:04PM
"Will NOTHING stop these hackers?" While people are stupid enough to let this kind of malware on to their computers? No.
2-28-2010 @ 4:08PM
@peter The way this attack works, *you* never log in in the first place. The scumware alters how your computer handles your internet traffic and actively searches for those packets that would contain your login information. When it detects that WoW's trying to send them out, it *intercepts* them, sending them to a different computer entirely which then sends the log in info, letting whoever is at that computer log in to your account. *You* never log in, in fact you'll just keep getting an "unable to connect" error, rather than something more specific. Repetitious, I know, but I really wanna drive that point home. If it worked some other way, there's a chance you could bump off whoever's hijacking your stuff, *and they don't ever want you to have that chance.* Also, if they're stealing your WoW info, they're probably stealing anything else they can (even if they don't directly deal in identity theft, the way these places operate they likely know someone who does, and will happily sell *them* anything else they happen to pick up). Just so you don't go getting a false sense of security from this, or anything.
2-28-2010 @ 4:10PM
The article says you need to use the code within 30 seconds before it expires. So, press the button on your authenticator. Count to 25, then input the code. The attacker now only has up to 5 seconds to use your code, depending on how long it takes you to input it. This method isn't going to prevent these attacks entirely, just minimize them further.
2-28-2010 @ 7:35PM
The inputting code on the cracker's end is probably automated, so it should actually take less time than you take to simply press enter. If they are intercepting the code as it is typed, and not as it is sent over the network, they can effectively be logging before the true owner presses enter. Besides, the authenticator code is valid for at least 45 seconds. I've never intentionally measured it, but I can still use the previous code when the time bar for the next one is at the middle.
2-28-2010 @ 7:15PM
Ahh, I got down-rated. I guess people just don't like being told that they're just as responsible for their own computer security as they are for their bank account and everything else. If you get hacked it's your fault, it's not hard to use a computer safely on the internet, you just couldn't be bothered to learn.
2-28-2010 @ 9:00PM
@Avan: Yes, you could do that, but you would still not be able to get in anyway. You could try logging in a million times and EVERY TIME WOULD FAIL.
2-28-2010 @ 11:34PM
I just thought of another good way to do it to make it impossible to hack even with a trojan. Make you have to put in a unique authenticator code twice: once when you login, then again at character select. Since you would have to get to the character select screen to input the second code, and logging to that point would kick anyone else on your account, and an authenticator # can't be used twice, there is no way for the hacker to get and use the second authenticator code. Logging out would invalidate his first code, and you'd have to use each code to get to the next step, and there's no way a trojan can trick you into thinking you're at character select when you're not.
3-09-2010 @ 7:43AM
Security is not easy, and as long as we have the valuable stuff hackers want, they won't stop. So it's important to understand what the authenticator does and does not do for you. Like in that Seinfeld episode, Seinfeld got robbed even though he has the most secure locks on his front door because Kramer forgot to close it.
-- The authenticator (multi-factor authentication) protects you from a "replay attack", where the bad guys can no longer take their time to hack you two weeks later.
----> They need to take both your password and your auth-code to pretend to be you for a short time. Or they have to physically steal your authenticator.
-- To defend against man-in-the-middle attacks, you need SSL or other end point authentication. Basically SSL protects your data *AFTER* leaving your computer and it promises the data will be unreadable in transit and truly reach its intended destination unaltered before it can be read.
----> They need to get into your computer to mess with your data BEFORE it leaves the computer.
The good news is that adding an authenticator raises the bar for the hackers to steal your account. But they can still do it if you are not careful... Like even if Kramer remembers to close the door, he still has to turn the lock for it to work most effectively. Additionally, all of these protections are not reliable if the bad guys have malware IN THE COMPUTER. They can literally do anything they want. They can even alter your WoW client itself to connect to them instead of Blizzard to login. It's like locking the front door doesn't really protect you from the thief who's already inside the house. So we still need to be vigilant about it even with the authenticator.
3-12-2010 @ 7:35PM
Before downrating McCombs, please make sure you know the reference. I wouldn't be surprised if that line isn't uttered by some Goblin in Azeroth.